--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * Common data for krb425 library
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_425data_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+char _krb425_local_realm[REALM_SZ+1] = { 0 };
+krb5_ccache _krb425_ccache = 0;
+int _krb425_error_init = 0;
+
+#ifdef EBUG
+char *
+basename(s)
+char *s;
+{
+ char *r;
+ char *rindex();
+
+ if (r = rindex(s, '/'))
+ return(r+1);
+ return(s);
+}
+#endif
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * convert error codes from v5 to v4
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_425error_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include <krb.h>
+#include <krb5/krb5.h>
+
+int
+krb425error(e)
+krb5_error_code e;
+{
+ /*
+ * This is not a very good switch.
+ * Probably needs to be rewritten.
+ */
+ switch (e) {
+ case 0: /* No error */
+ return(KSUCCESS);
+
+ case KDC_ERR_NAME_EXP: /* Client's entry in DB expired */
+ return(KDC_NAME_EXP);
+
+ case KDC_ERR_SERVICE_EXP: /* Server's entry in DB expired */
+ return(KDC_SERVICE_EXP);
+
+ case KDC_ERR_BAD_PVNO: /* Requested pvno not supported */
+ return(KDC_PKT_VER);
+
+ case KDC_ERR_C_OLD_MAST_KVNO: /* C's key encrypted in old master */
+ return(KDC_P_MKEY_VER);
+
+ case KDC_ERR_S_OLD_MAST_KVNO: /* S's key encrypted in old master */
+ return(KDC_S_MKEY_VER);
+
+ case KDC_ERR_C_PRINCIPAL_UNKNOWN:/* Client not found in Kerberos DB */
+ case KDC_ERR_S_PRINCIPAL_UNKNOWN:/* Server not found in Kerberos DB */
+ return(KDC_PR_UNKNOWN);
+
+ case KDC_ERR_PRINCIPAL_NOT_UNIQUE:/* Multiple entries in Kerberos DB */
+ return(KDC_PR_N_UNIQUE);
+
+ case KDC_ERR_NULL_KEY: /* The C or S has a null key */
+ return(KDC_NULL_KEY);
+
+ case KDC_ERR_CANNOT_POSTDATE: /* Tkt ineligible for postdating */
+ case KDC_ERR_NEVER_VALID: /* Requested starttime > endtime */
+ case KDC_ERR_POLICY: /* KDC policy rejects request */
+ case KDC_ERR_BADOPTION: /* KDC can't do requested opt. */
+ case KDC_ERR_ETYPE_NOSUPP: /* No support for encryption type */
+ return(KDC_GEN_ERR);
+
+ case KRB_AP_ERR_BAD_INTEGRITY: /* Decrypt integrity check failed */
+ return(RD_AP_UNDEC);
+
+ case KRB_AP_ERR_TKT_EXPIRED: /* Ticket expired */
+ return(RD_AP_EXP);
+
+ case KRB_AP_ERR_TKT_NYV: /* Ticket not yet valid */
+ return(RD_AP_NYV);
+
+ case KRB_AP_ERR_REPEAT: /* Request is a replay */
+ return(RD_AP_REPEAT);
+
+ case KRB_AP_ERR_NOT_US: /* The ticket isn't for us */
+ return(RD_AP_NOT_US);
+
+ case KRB_AP_ERR_BADMATCH: /* Ticket/authenticator don't match */
+ return(RD_AP_INCON);
+
+ case KRB_AP_ERR_SKEW: /* Clock skew too great */
+ return(RD_AP_TIME);
+
+ case KRB_AP_ERR_BADADDR: /* Incorrect net address */
+ return(RD_AP_BADD);
+
+ case KRB_AP_ERR_BADVERSION: /* Protocol version mismatch */
+ return(RD_AP_VERSION);
+
+ case KRB_AP_ERR_MSG_TYPE: /* Invalid message type */
+ return(RD_AP_MSG_TYPE);
+
+ case KRB_AP_ERR_MODIFIED: /* Message stream modified */
+ return(RD_AP_MODIFIED);
+
+ case KRB_AP_ERR_BADORDER: /* Message out of order */
+ return(RD_AP_ORDER);
+
+ case KRB_AP_ERR_BADKEYVER: /* Key version is not available */
+ case KRB_AP_ERR_NOKEY: /* Service key not available */
+ case KRB_AP_ERR_MUT_FAIL: /* Mutual authentication failed */
+ return(RD_AP_INCON);
+
+ case KRB_ERR_FIELD_TOOLONG: /* Field is too long for impl. */
+ default:
+ return(KFAILURE);
+ }
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * dummy function for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_des_sched_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+/*
+ * This is a no-op because V5 will always creates it when needed.
+ */
+int
+des_key_sched(k, s)
+des_cblock k;
+des_key_schedule s;
+{
+ /*
+ * Use the variables so saber does not get mad...
+ */
+ if (k || s)
+ return(0);
+ return(0);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+
+
+#include <mit-copyright.h>
+
+/*
+ * This file contains an array of error text strings.
+ * The associated error codes (which are defined in "krb.h")
+ * follow the string in the comments at the end of each line.
+ */
+
+char *krb_err_txt[256] = {
+ "OK", /* 000 */
+ "Principal expired (kerberos)", /* 001 */
+ "Service expired (kerberos)", /* 002 */
+ "Authentication expired (kerberos)", /* 003 */
+ "Unknown protocol version number (kerberos)", /* 004 */
+ "Principal: Incorrect master key version (kerberos)", /* 005 */
+ "Service: Incorrect master key version (kerberos)", /* 006 */
+ "Bad byte order (kerberos)", /* 007 */
+ "Principal unknown (kerberos)", /* 008 */
+ "Principal not unique (kerberos)", /* 009 */
+ "Principal has null key (kerberos)", /* 010 */
+ "Reserved error message 11 (kerberos)", /* 011 */
+ "Reserved error message 12 (kerberos)", /* 012 */
+ "Reserved error message 13 (kerberos)", /* 013 */
+ "Reserved error message 14 (kerberos)", /* 014 */
+ "Reserved error message 15 (kerberos)", /* 015 */
+ "Reserved error message 16 (kerberos)", /* 016 */
+ "Reserved error message 17 (kerberos)", /* 017 */
+ "Reserved error message 18 (kerberos)", /* 018 */
+ "Reserved error message 19 (kerberos)", /* 019 */
+ "Permission Denied (kerberos)", /* 020 */
+ "Can't read ticket file (krb_get_cred)", /* 021 */
+ "Can't find ticket (krb_get_cred)", /* 022 */
+ "Reserved error message 23 (krb_get_cred)", /* 023 */
+ "Reserved error message 24 (krb_get_cred)", /* 024 */
+ "Reserved error message 25 (krb_get_cred)", /* 025 */
+ "Ticket granting ticket expired (krb_mk_req)", /* 026 */
+ "Reserved error message 27 (krb_mk_req)", /* 027 */
+ "Reserved error message 28 (krb_mk_req)", /* 028 */
+ "Reserved error message 29 (krb_mk_req)", /* 029 */
+ "Reserved error message 30 (krb_mk_req)", /* 030 */
+ "Can't decode authenticator (krb_rd_req)", /* 031 */
+ "Ticket expired (krb_rd_req)", /* 032 */
+ "Ticket issue date too far in the future (krb_rd_req)",/* 033 */
+ "Repeat request (krb_rd_req)", /* 034 */
+ "Ticket for wrong server (krb_rd_req)", /* 035 */
+ "Request inconsistent (krb_rd_req)", /* 036 */
+ "Time is out of bounds (krb_rd_req)", /* 037 */
+ "Incorrect network address (krb_rd_req)", /* 038 */
+ "Protocol version mismatch (krb_rd_req)", /* 039 */
+ "Illegal message type (krb_rd_req)", /* 040 */
+ "Message integrity error (krb_rd_req)", /* 041 */
+ "Message duplicate or out of order (krb_rd_req)", /* 042 */
+ "Unauthorized request (krb_rd_req)", /* 043 */
+ "Reserved error message 44 (krb_rd_req)", /* 044 */
+ "Reserved error message 45 (krb_rd_req)", /* 045 */
+ "Reserved error message 46 (krb_rd_req)", /* 046 */
+ "Reserved error message 47 (krb_rd_req)", /* 047 */
+ "Reserved error message 48 (krb_rd_req)", /* 048 */
+ "Reserved error message 49 (krb_rd_req)", /* 049 */
+ "Reserved error message 50 (krb_rd_req)", /* 050 */
+ "Current password is NULL (get_pw_tkt)", /* 051 */
+ "Current password incorrect (get_pw_tkt)", /* 052 */
+ "Protocol error (gt_pw_tkt)", /* 053 */
+ "Error returned by KDC (gt_pw_tkt)", /* 054 */
+ "Null ticket returned by KDC (gt_pw_tkt)", /* 055 */
+ "Retry count exceeded (send_to_kdc)", /* 056 */
+ "Can't send request (send_to_kdc)", /* 057 */
+ "Reserved error message 58 (send_to_kdc)", /* 058 */
+ "Reserved error message 59 (send_to_kdc)", /* 059 */
+ "Reserved error message 60 (send_to_kdc)", /* 060 */
+ "Warning: Not ALL tickets returned", /* 061 */
+ "Password incorrect", /* 062 */
+ "Protocol error (get_intkt)", /* 063 */
+ "Reserved error message 64 (get_in_tkt)", /* 064 */
+ "Reserved error message 65 (get_in_tkt)", /* 065 */
+ "Reserved error message 66 (get_in_tkt)", /* 066 */
+ "Reserved error message 67 (get_in_tkt)", /* 067 */
+ "Reserved error message 68 (get_in_tkt)", /* 068 */
+ "Reserved error message 69 (get_in_tkt)", /* 069 */
+ "Generic error (get_intkt)", /* 070 */
+ "Don't have ticket granting ticket (get_ad_tkt)", /* 071 */
+ "Reserved error message 72 (get_ad_tkt)", /* 072 */
+ "Reserved error message 73 (get_ad_tkt)", /* 073 */
+ "Reserved error message 74 (get_ad_tkt)", /* 074 */
+ "Reserved error message 75 (get_ad_tkt)", /* 075 */
+ "No ticket file (tf_util)", /* 076 */
+ "Can't access ticket file (tf_util)", /* 077 */
+ "Can't lock ticket file; try later (tf_util)", /* 078 */
+ "Bad ticket file format (tf_util)", /* 079 */
+ "Read ticket file before tf_init (tf_util)", /* 080 */
+ "Bad Kerberos name format (kname_parse)", /* 081 */
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "(reserved)",
+ "Generic kerberos error (kfailure)", /* 255 */
+};
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_get_cred for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_get_cred_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+int
+krb_get_cred(service, instance, realm, c)
+char *service;
+char *instance;
+char *realm;
+CREDENTIALS *c;
+{
+ static krb5_principal client_principal = { 0 };
+
+ krb5_creds creds;
+ krb5_data *server[4];
+ krb5_data srvdata[3];
+ krb5_error_code r;
+ krb5_ticket *ticket;
+
+ set_data5(srvdata[0], realm);
+ set_data5(srvdata[1], service);
+ set_data5(srvdata[2], instance);
+
+ server[0] = &srvdata[0];
+ server[1] = &srvdata[1];
+ server[2] = &srvdata[2];
+ server[3] = 0;
+
+ if (!_krb425_ccache)
+ krb5_cc_default(&_krb425_ccache);
+ if (!client_principal)
+ krb5_cc_get_principal(_krb425_ccache, &client_principal);
+
+ creds.client = client_principal;
+ creds.server = server;
+ creds.times.endtime = 0;
+ creds.keyblock.keytype = KEYTYPE_DES;
+
+ if (r = krb5_get_credentials(0, _krb425_ccache, &creds))
+ return(krb425error(r));
+
+#ifdef EBUG
+ {
+ int i;
+ i = 0;
+ if (creds.server)
+ while (creds.server[i]) {
+ EPRINT "server: %d: ``%.*s''\n", i,
+ creds.server[i]->length,
+ creds.server[i]->data
+ ? creds.server[i]->data : "");
+ ++i;
+ }
+ i = 0;
+ if (creds.client)
+ while (creds.client[i]) {
+ EPRINT "client: %d: ``%.*s''\n", i,
+ creds.client[i]->length,
+ creds.client[i]->data
+ ? creds.client[i]->data : "");
+ ++i;
+ }
+ }
+#endif
+ set_string(c->pname, ANAME_SZ, creds.client[1]);
+ set_string(c->pinst, INST_SZ, creds.client[2]);
+
+ set_string(c->realm, REALM_SZ, creds.server[0]);
+ set_string(c->service, REALM_SZ, creds.server[1]);
+ set_string(c->instance, REALM_SZ, creds.server[2]);
+
+ c->ticket_st.length = creds.ticket.length;
+ bcopy(creds.ticket.data,
+ c->ticket_st.dat,
+ min(c->ticket_st.length, MAX_KTXT_LEN));
+ c->ticket_st.mbz = 0;
+
+ bcopy(creds.keyblock.contents,
+ (char*)c->session, sizeof(C_Block));
+
+ c->issue_date = creds.times.starttime;
+ c->lifetime = creds.times.endtime;
+
+ decode_krb5_ticket(&creds.ticket, &ticket);
+ c->kvno = ticket->enc_part.kvno;
+ krb5_free_ticket(ticket);
+ return(KSUCCESS);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_get_krbhst for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_get_krbhst_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+int
+krb_get_krbhst(host, realm, n)
+char *host;
+char *realm;
+int n;
+{
+ krb5_data realm5;
+ char **hosts;
+ krb5_error_code r;
+ int i = 0;
+
+ if (n < 1)
+ n = 1;
+
+ set_data5(realm5, realm);
+
+ if (r = krb5_get_krbhst(&realm5, &hosts)) {
+ return(krb425error(r));
+ }
+ if (!hosts)
+ return(KFAILURE);
+
+ while (i < n)
+ if (!hosts[i++]) {
+ krb5_free_krbhst(hosts);
+ return(KFAILURE);
+ }
+
+ strncpy(host, hosts[n-1], REALM_SZ);
+ krb5_free_krbhst(hosts);
+ return(KSUCCESS);
+}
+
+#ifdef NOT_IMPLEMENTED
+krb_get_admhst(host, realm, n)
+char *host;
+char *realm;
+int n;
+{
+
+}
+#endif
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_get_lrealm for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_get_lrealm_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+int
+krb_get_lrealm(realm, n)
+char *realm;
+int n;
+{
+ krb5_error_code r;
+ char **realms;
+ int i = 0;
+
+ if (r = krb5_get_host_realm(0, &realms))
+ return(krb425error(r));
+
+ if (!realms)
+ return(KFAILURE);
+
+ while (i < n)
+ if (!realms[i++]) {
+ krb5_free_host_realm(realms);
+ return(KFAILURE);
+ }
+
+ strncpy(realm, realms[n-1], REALM_SZ);
+ krb5_free_host_realm(realms);
+ return(KSUCCESS);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_get_phost for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_get_phost_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+char *
+krb_get_phost(alias)
+char *alias;
+{
+ struct hostent *h;
+ char *phost = alias;
+
+ if ((h = gethostbyname(alias)) != (struct hostent *)0 ) {
+ char *p;
+#ifdef OLD_CRUFT
+ if (p = index( h->h_name, '.' ))
+ *p = 0;
+#endif
+ p = phost = h->h_name;
+ do {
+ if (isupper(*p)) *p=tolower(*p);
+ } while (*p++);
+ }
+ return(phost);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+
+#include <mit-copyright.h>
+
+#include <stdio.h>
+#include <krb.h>
+#include <strings.h>
+
+/* max size of full name */
+#define FULL_SZ (ANAME_SZ + INST_SZ + REALM_SZ)
+
+#define NAME 0 /* which field are we in? */
+#define INST 1
+#define REALM 2
+
+extern char *krb_err_txt[];
+
+/*
+ * This file contains four routines for handling Kerberos names.
+ *
+ * kname_parse() breaks a Kerberos name into its name, instance,
+ * and realm components.
+ *
+ * k_isname(), k_isinst(), and k_isrealm() check a given string to see if
+ * it's a syntactically legitimate respective part of a Kerberos name,
+ * returning 1 if it is, 0 if it isn't.
+ *
+ * Definition of "syntactically legitimate" names is according to
+ * the Project Athena Technical Plan Section E.2.1, page 7 "Specifying
+ * names", version dated 21 Dec 1987.
+ */
+
+/*
+ * kname_parse() takes a Kerberos name "fullname" of the form:
+ *
+ * username[.instance][@realm]
+ *
+ * and returns the three components ("name", "instance", and "realm"
+ * in the example above) in the given arguments "np", "ip", and "rp".
+ *
+ * If successful, it returns KSUCCESS. If there was an error,
+ * KNAME_FMT is returned.
+ */
+
+int
+kname_parse(np, ip, rp, fullname)
+ char *np, *ip, *rp, *fullname;
+{
+ static char buf[FULL_SZ];
+ char *rnext, *wnext; /* next char to read, write */
+ register char c;
+ int backslash;
+ int field;
+
+ backslash = 0;
+ rnext = buf;
+ wnext = np;
+ field = NAME;
+
+ if (strlen(fullname) > FULL_SZ)
+ return KNAME_FMT;
+ (void) strcpy(buf, fullname);
+
+ while (c = *rnext++) {
+ if (backslash) {
+ *wnext++ = c;
+ backslash = 0;
+ continue;
+ }
+ switch (c) {
+ case '\\':
+ backslash++;
+ break;
+ case '.':
+ switch (field) {
+ case NAME:
+ if (wnext == np)
+ return KNAME_FMT;
+ *wnext = '\0';
+ field = INST;
+ wnext = ip;
+ break;
+ case INST:
+ return KNAME_FMT;
+ /* break; */
+ case REALM:
+ *wnext++ = c;
+ break;
+ default:
+ fprintf(stderr, "unknown field value\n");
+ exit(1);
+ }
+ break;
+ case '@':
+ switch (field) {
+ case NAME:
+ if (wnext == np)
+ return KNAME_FMT;
+ *ip = '\0';
+ /* fall through */
+ case INST:
+ *wnext = '\0';
+ field = REALM;
+ wnext = rp;
+ break;
+ case REALM:
+ return KNAME_FMT;
+ default:
+ fprintf(stderr, "unknown field value\n");
+ exit(1);
+ }
+ break;
+ default:
+ *wnext++ = c;
+ }
+ }
+ *wnext = '\0';
+ if ((strlen(np) > ANAME_SZ - 1) ||
+ (strlen(ip) > INST_SZ - 1) ||
+ (strlen(rp) > REALM_SZ - 1))
+ return KNAME_FMT;
+ return KSUCCESS;
+}
+
+/*
+ * k_isname() returns 1 if the given name is a syntactically legitimate
+ * Kerberos name; returns 0 if it's not.
+ */
+int
+k_isname(s)
+ char *s;
+{
+ register char c;
+ int backslash = 0;
+
+ if (!*s)
+ return 0;
+ if (strlen(s) > ANAME_SZ - 1)
+ return 0;
+ while(c = *s++) {
+ if (backslash) {
+ backslash = 0;
+ continue;
+ }
+ switch(c) {
+ case '\\':
+ backslash = 1;
+ break;
+ case '.':
+ return 0;
+ /* break; */
+ case '@':
+ return 0;
+ /* break; */
+ }
+ }
+ return 1;
+}
+
+
+/*
+ * k_isinst() returns 1 if the given name is a syntactically legitimate
+ * Kerberos instance; returns 0 if it's not.
+ */
+int
+k_isinst(s)
+ char *s;
+{
+ register char c;
+ int backslash = 0;
+
+ if (strlen(s) > INST_SZ - 1)
+ return 0;
+ while(c = *s++) {
+ if (backslash) {
+ backslash = 0;
+ continue;
+ }
+ switch(c) {
+ case '\\':
+ backslash = 1;
+ break;
+ case '.':
+ return 0;
+ /* break; */
+ case '@':
+ return 0;
+ /* break; */
+ }
+ }
+ return 1;
+}
+
+/*
+ * k_isrealm() returns 1 if the given name is a syntactically legitimate
+ * Kerberos realm; returns 0 if it's not.
+ */
+int
+k_isrealm(s)
+ char *s;
+{
+ register char c;
+ int backslash = 0;
+
+ if (!*s)
+ return 0;
+ if (strlen(s) > REALM_SZ - 1)
+ return 0;
+ while(c = *s++) {
+ if (backslash) {
+ backslash = 0;
+ continue;
+ }
+ switch(c) {
+ case '\\':
+ backslash = 1;
+ break;
+ case '@':
+ return 0;
+ /* break; */
+ }
+ }
+ return 1;
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_kntoln for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_kntoln_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+int
+krb_kntoln(ad,lname)
+AUTH_DAT *ad;
+char *lname;
+{
+ if (!_krb425_local_realm[0])
+ krb5_get_default_realm(REALM_SZ, _krb425_local_realm);
+
+ if (strcmp(ad->pinst,""))
+ return(KFAILURE);
+ if (strcmp(ad->prealm, _krb425_local_realm))
+ return(KFAILURE);
+
+ (void) strcpy(lname,ad->pname);
+ return(KSUCCESS);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ * $Id$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb425.h
+ */
+
+
+#ifndef KRB5_krb425__
+#define KRB5_krb425__
+
+#include <krb5/copyright.h>
+#include <ctype.h>
+#include <netdb.h>
+#include <krb.h>
+#include <krb5/krb5.h>
+#include <krb5/libos-proto.h>
+#include <krb5/asn1.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#ifdef USE_STRING_H
+#include <string.h>
+#else
+#include <strings.h>
+#endif
+
+#define min(a,b) ((a) < (b) ? (a) : (b))
+
+#define set_data5(d5,s) d5.length = strlen(s); d5.data = s
+
+#define set_cksum(ck,v) { \
+ ck.checksum_type = CKSUMTYPE_CRC32; \
+ ck.length = sizeof(v); \
+ ck.contents = (krb5_octet *)&v; \
+}
+
+#define set_string(str,sz,d5) { \
+ if (d5) { \
+ int x; \
+ x = min(sz-1, d5->length); \
+ strncpy(str, d5->data, x); \
+ str[x] = 0; \
+ } else \
+ str[0] = 0; \
+}
+
+extern char _krb425_local_realm[REALM_SZ+1];
+extern krb5_ccache _krb425_ccache;
+extern int _krb425_error_init;
+
+
+extern int krb425error();
+
+extern char *malloc();
+extern char *basename();
+extern int atoi();
+extern void bzero();
+extern void bcopy();
+extern int read();
+extern void free();
+extern int des_key_sched();
+extern int kname_parse();
+extern int krb_get_cred();
+extern int krb_get_lrealm();
+extern int krb_kntoln();
+extern long krb_mk_priv();
+extern int krb_mk_req();
+extern int krb_net_read();
+extern int krb_net_write();
+extern long krb_rd_priv();
+extern int krb_rd_req();
+extern int mit_des_string_to_key();
+
+
+#ifdef EBUG
+#define PLINE { fprintf(stderr, "%26s:%4d\n", basename(__FILE__),__LINE__); \
+ fflush(stderr); }
+#define show5(x) fprintf(stderr, "``%.*s''", x.length, x.data)
+#define EPRINT fprintf(stderr, "%26s:%4d: ", basename(__FILE__), __LINE__), \
+ fprintf(stderr,
+#define ENEWLINE fprintf(stderr, "\n");
+#define ERROR(error) { \
+ if (!_krb425_error_init) { \
+ _krb425_error_init = 1; \
+ krb5_init_ets(); \
+ } \
+ fprintf(stderr, "%26s:%4d: %s (%d)\n", basename(__FILE__), __LINE__, \
+ error_message(error), error); \
+}
+#else
+#define PLINE
+#endif
+
+#endif /* KRB5_krb425__ */
+
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ * $Id$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_err.h for krb425
+ */
+
+#ifndef KRB5_KRB_ERR_H__
+#define KRB5_KRB_ERR_H__
+
+#include <krb5/copyright.h>
+#define KRBET_KSUCCESS ((int)39525376)
+#define KRBET_KDC_NAME_EXP ((int)39525377)
+#define KRBET_KDC_SERVICE_EXP ((int)39525378)
+#define KRBET_KDC_AUTH_EXP ((int)39525379)
+#define KRBET_KDC_PKT_VER ((int)39525380)
+#define KRBET_KDC_P_MKEY_VER ((int)39525381)
+#define KRBET_KDC_S_MKEY_VER ((int)39525382)
+#define KRBET_KDC_BYTE_ORDER ((int)39525383)
+#define KRBET_KDC_PR_UNKNOWN ((int)39525384)
+#define KRBET_KDC_PR_N_UNIQUE ((int)39525385)
+#define KRBET_KDC_NULL_KEY ((int)39525386)
+#define KRBET_KRB_RES11 ((int)39525387)
+#define KRBET_KRB_RES12 ((int)39525388)
+#define KRBET_KRB_RES13 ((int)39525389)
+#define KRBET_KRB_RES14 ((int)39525390)
+#define KRBET_KRB_RES15 ((int)39525391)
+#define KRBET_KRB_RES16 ((int)39525392)
+#define KRBET_KRB_RES17 ((int)39525393)
+#define KRBET_KRB_RES18 ((int)39525394)
+#define KRBET_KRB_RES19 ((int)39525395)
+#define KRBET_KDC_GEN_ERR ((int)39525396)
+#define KRBET_GC_TKFIL ((int)39525397)
+#define KRBET_GC_NOTKT ((int)39525398)
+#define KRBET_KRB_RES23 ((int)39525399)
+#define KRBET_KRB_RES24 ((int)39525400)
+#define KRBET_KRB_RES25 ((int)39525401)
+#define KRBET_MK_AP_TGTEXP ((int)39525402)
+#define KRBET_KRB_RES27 ((int)39525403)
+#define KRBET_KRB_RES28 ((int)39525404)
+#define KRBET_KRB_RES29 ((int)39525405)
+#define KRBET_KRB_RES30 ((int)39525406)
+#define KRBET_RD_AP_UNDEC ((int)39525407)
+#define KRBET_RD_AP_EXP ((int)39525408)
+#define KRBET_RD_AP_NYV ((int)39525409)
+#define KRBET_RD_AP_REPEAT ((int)39525410)
+#define KRBET_RD_AP_NOT_US ((int)39525411)
+#define KRBET_RD_AP_INCON ((int)39525412)
+#define KRBET_RD_AP_TIME ((int)39525413)
+#define KRBET_RD_AP_BADD ((int)39525414)
+#define KRBET_RD_AP_VERSION ((int)39525415)
+#define KRBET_RD_AP_MSG_TYPE ((int)39525416)
+#define KRBET_RD_AP_MODIFIED ((int)39525417)
+#define KRBET_RD_AP_ORDER ((int)39525418)
+#define KRBET_RD_AP_UNAUTHOR ((int)39525419)
+#define KRBET_KRB_RES44 ((int)39525420)
+#define KRBET_KRB_RES45 ((int)39525421)
+#define KRBET_KRB_RES46 ((int)39525422)
+#define KRBET_KRB_RES47 ((int)39525423)
+#define KRBET_KRB_RES48 ((int)39525424)
+#define KRBET_KRB_RES49 ((int)39525425)
+#define KRBET_KRB_RES50 ((int)39525426)
+#define KRBET_GT_PW_NULL ((int)39525427)
+#define KRBET_GT_PW_BADPW ((int)39525428)
+#define KRBET_GT_PW_PROT ((int)39525429)
+#define KRBET_GT_PW_KDCERR ((int)39525430)
+#define KRBET_GT_PW_NULLTKT ((int)39525431)
+#define KRBET_SKDC_RETRY ((int)39525432)
+#define KRBET_SKDC_CANT ((int)39525433)
+#define KRBET_KRB_RES58 ((int)39525434)
+#define KRBET_KRB_RES59 ((int)39525435)
+#define KRBET_KRB_RES60 ((int)39525436)
+#define KRBET_INTK_W_NOTALL ((int)39525437)
+#define KRBET_INTK_BADPW ((int)39525438)
+#define KRBET_INTK_PROT ((int)39525439)
+#define KRBET_KRB_RES64 ((int)39525440)
+#define KRBET_KRB_RES65 ((int)39525441)
+#define KRBET_KRB_RES66 ((int)39525442)
+#define KRBET_KRB_RES67 ((int)39525443)
+#define KRBET_KRB_RES68 ((int)39525444)
+#define KRBET_KRB_RES69 ((int)39525445)
+#define KRBET_INTK_ERR ((int)39525446)
+#define KRBET_AD_NOTGT ((int)39525447)
+#define KRBET_KRB_RES72 ((int)39525448)
+#define KRBET_KRB_RES73 ((int)39525449)
+#define KRBET_KRB_RES74 ((int)39525450)
+#define KRBET_KRB_RES75 ((int)39525451)
+#define KRBET_NO_TKT_FIL ((int)39525452)
+#define KRBET_TKT_FIL_ACC ((int)39525453)
+#define KRBET_TKT_FIL_LCK ((int)39525454)
+#define KRBET_TKT_FIL_FMT ((int)39525455)
+#define KRBET_TKT_FIL_INI ((int)39525456)
+#define KRBET_KNAME_FMT ((int)39525457)
+extern int init_krb_err_tbl();
+extern int krb_err_base;
+
+#endif /* __KRB5_KRB_ERR_H__ */
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * kuserok: check if a kerberos principal has
+ * access to a local account
+ */
+
+#include "krb425.h"
+
+#include <pwd.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/file.h>
+
+#define OK 0
+#ifdef NOTOK
+#undef NOTOK
+#endif
+#define NOTOK 1
+#define MAX_USERNAME 10
+
+/*
+ * Given a Kerberos principal "kdata", and a local username "luser",
+ * determine whether user is authorized to login according to the
+ * authorization file ("~luser/.klogin" by default). Returns OK
+ * if authorized, NOTOK if not authorized.
+ *
+ * If there is no account for "luser" on the local machine, returns
+ * NOTOK. If there is no authorization file, and the given Kerberos
+ * name "kdata" translates to the same name as "luser" (using
+ * krb_kntoln()), returns OK. Otherwise, if the authorization file
+ * can't be accessed, returns NOTOK. Otherwise, the file is read for
+ * a matching principal name, instance, and realm. If one is found,
+ * returns OK, if none is found, returns NOTOK.
+ *
+ * The file entries are in the format:
+ *
+ * name.instance@realm
+ *
+ * one entry per line.
+ *
+ * The ATHENA_COMPAT code supports old-style Athena ~luser/.klogin
+ * file entries. See the file "kparse.c".
+ */
+
+#ifdef ATHENA_COMPAT
+
+
+/*
+ * The parmtable defines the keywords we will recognize with their
+ * default values, and keeps a pointer to the found value. The found
+ * value should be filled in with strsave(), since FreeParameterSet()
+ * will release memory for all non-NULL found strings.
+ *
+*** NOTE WELL! ***
+ *
+ * The table below is very nice, but we cannot hard-code a default for the
+ * realm: we have to get the realm via krb_get_lrealm(). Even though the
+ * default shows as "from krb_get_lrealm, below", it gets changed in
+ * kuserok to whatever krb_get_lrealm() tells us. That code assumes that
+ * the realm will be the entry number in the table below, so if you
+ * change the order of the entries below, you have to change the
+ * #definition of REALM_SCRIPT to reflect it.
+ */
+#define REALM_SUBSCRIPT 1
+parmtable kparm[] = {
+
+/* keyword default found value */
+{"user", "", (char *) NULL},
+{"realm", "see krb_get_lrealm, below", (char *) NULL},
+{"instance", "", (char *) NULL},
+};
+#define KPARMS kparm,PARMCOUNT(kparm)
+#endif /* ATHENA_COMPAT */
+
+int
+kuserok(kdata, luser)
+ AUTH_DAT *kdata;
+ char *luser;
+{
+ struct stat sbuf;
+ struct passwd *pwd;
+ char pbuf[MAXPATHLEN];
+ int isok = NOTOK, rc;
+ FILE *fp;
+ char kuser[MAX_USERNAME];
+ char principal[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+ char linebuf[BUFSIZ];
+ char *newline;
+ int gobble;
+#ifdef ATHENA_COMPAT
+ char local_realm[REALM_SZ];
+#endif /* ATHENA_COMPAT */
+
+ /* no account => no access */
+ if ((pwd = getpwnam(luser)) == NULL) {
+ return(NOTOK);
+ }
+ (void) strcpy(pbuf, pwd->pw_dir);
+ (void) strcat(pbuf, "/.klogin");
+
+ if (access(pbuf, F_OK)) { /* not accessible */
+ /*
+ * if he's trying to log in as himself, and there is no .klogin file,
+ * let him. To find out, call
+ * krb_kntoln to convert the triple in kdata to a name which we can
+ * string compare.
+ */
+ if (!krb_kntoln(kdata, kuser) && (strcmp(kuser, luser) == 0)) {
+ return(OK);
+ }
+ }
+ /* open ~/.klogin */
+ if ((fp = fopen(pbuf, "r")) == NULL) {
+ return(NOTOK);
+ }
+ /*
+ * security: if the user does not own his own .klogin file,
+ * do not grant access
+ */
+ if (fstat(fileno(fp), &sbuf)) {
+ fclose(fp);
+ return(NOTOK);
+ }
+ if (sbuf.st_uid != pwd->pw_uid) {
+ fclose(fp);
+ return(NOTOK);
+ }
+
+#ifdef ATHENA_COMPAT
+ /* Accept old-style .klogin files */
+
+ /*
+ * change the default realm from the hard-coded value to the
+ * accepted realm that Kerberos specifies.
+ */
+ rc = krb_get_lrealm(local_realm, 1);
+ if (rc == KSUCCESS)
+ kparm[REALM_SUBSCRIPT].defvalue = local_realm;
+ else
+ return (rc);
+
+ /* check each line */
+ while ((isok != OK) && (rc = fGetParameterSet(fp, KPARMS)) != PS_EOF) {
+ switch (rc) {
+ case PS_BAD_KEYWORD:
+ case PS_SYNTAX:
+ while (((gobble = fGetChar(fp)) != EOF) && (gobble != '\n'));
+ break;
+
+ case PS_OKAY:
+ isok = (ParmCompare(KPARMS, "user", kdata->pname) ||
+ ParmCompare(KPARMS, "instance", kdata->pinst) ||
+ ParmCompare(KPARMS, "realm", kdata->prealm));
+ break;
+
+ default:
+ break;
+ }
+ FreeParameterSet(kparm, PARMCOUNT(kparm));
+ }
+ /* reset the stream for parsing new-style names, if necessary */
+ rewind(fp);
+#endif /* ATHENA_COMPAT */
+
+ /* check each line */
+ while ((isok != OK) && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
+ /* null-terminate the input string */
+ linebuf[BUFSIZ-1] = '\0';
+ newline = NULL;
+ /* nuke the newline if it exists */
+ if (newline = index(linebuf, '\n'))
+ *newline = '\0';
+ rc = kname_parse(principal, inst, realm, linebuf);
+ if (rc == KSUCCESS) {
+ isok = (strncmp(kdata->pname, principal, ANAME_SZ) ||
+ strncmp(kdata->pinst, inst, INST_SZ) ||
+ strncmp(kdata->prealm, realm, REALM_SZ));
+ }
+ /* clean up the rest of the line if necessary */
+ if (!newline)
+ while (((gobble = getc(fp)) != EOF) && gobble != '\n');
+ }
+ fclose(fp);
+ return(isok);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_mk_priv for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_mk_priv_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+long
+krb_mk_priv(in, out, in_length, sched, key, sender, receiver)
+u_char *in;
+u_char *out;
+u_long in_length;
+Key_schedule sched; /* ignored */
+des_cblock key;
+struct sockaddr_in *sender;
+struct sockaddr_in *receiver;
+{
+ krb5_data inbuf;
+ krb5_data out5;
+ krb5_keyblock keyb;
+ krb5_fulladdr sfaddr;
+ krb5_fulladdr rfaddr;
+ krb5_address saddr;
+ krb5_address raddr;
+ krb5_error_code r;
+ char sa[4], ra[4];
+
+ keyb.keytype = KEYTYPE_DES;
+ keyb.length = sizeof(des_cblock);
+ keyb.contents = (krb5_octet *)key;
+
+ saddr.addrtype = ADDRTYPE_INET;
+ saddr.length = 4;
+ saddr.contents = (krb5_octet *)sa;
+
+ raddr.addrtype = ADDRTYPE_INET;
+ raddr.length = 4;
+ raddr.contents = (krb5_octet *)ra;
+
+ bcopy((char *)&sender->sin_addr, sa, 4);
+ bcopy((char *)&receiver->sin_addr, ra, 4);
+
+ sfaddr.address = &saddr;
+ sfaddr.port = sender->sin_port;
+
+ rfaddr.address = &raddr;
+ rfaddr.port = receiver->sin_port;
+
+ inbuf.data = (char *)in;
+ inbuf.length = in_length;
+
+ if (r = krb5_mk_priv(&inbuf,
+ KEYTYPE_DES,
+ &keyb,
+ &sfaddr, &rfaddr,
+ 0, &out5)) {
+#ifdef EBUG
+ ERROR(r);
+#endif
+ return(-1);
+ }
+
+ bcopy(out5.data, out, out5.length);
+ free(out5.data);
+ return(out5.length);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_mk_req for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_mk_req_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+int
+krb_mk_req(authent, service, instance, realm, checksum)
+KTEXT authent;
+char *service;
+char *instance;
+char *realm;
+u_long checksum;
+{
+ krb5_data *server[4];
+ krb5_data srvdata[3];
+ krb5_error_code r;
+ krb5_data outbuf;
+ krb5_checksum ck;
+
+ set_data5(srvdata[0], realm);
+ set_data5(srvdata[1], service);
+ set_data5(srvdata[2], instance);
+
+ server[0] = &srvdata[0];
+ server[1] = &srvdata[1];
+ server[2] = &srvdata[2];
+ server[3] = 0;
+
+ if (!_krb425_ccache)
+ krb5_cc_default(&_krb425_ccache);
+
+#ifdef EBUG
+ EPRINT "Calling krb5_mk_req with:\n");
+ EPRINT " Realm : "); show5(srvdata[0]); ENEWLINE
+ EPRINT " Service : "); show5(srvdata[1]); ENEWLINE
+ EPRINT " Instance: "); show5(srvdata[2]); ENEWLINE
+ EPRINT " CheckSum: %08x\n", checksum);
+#endif
+ set_cksum(ck, checksum)
+
+ r = krb5_mk_req((krb5_principal)server,
+ (krb5_flags)0,
+ &ck,
+ _krb425_ccache,
+ &outbuf);
+#ifdef EBUG
+ if (r)
+ ERROR(r)
+#endif
+ if (!r) {
+ if (outbuf.length > MAX_KTXT_LEN) {
+#ifdef EBUG
+ EPRINT "Return to long (%d > %d)\n",
+ outbuf.length, MAX_KTXT_LEN);
+#endif
+ free((char *)outbuf.data);
+ return(KFAILURE);
+ }
+ authent->length = outbuf.length;
+ bcopy((char *)outbuf.data, (char *)authent->dat, outbuf.length);
+ free((char *)outbuf.data);
+ }
+ return(krb425error(r));
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_mk_safe for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_mk_safe_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+long
+krb_mk_safe(in, out, in_length, key, sender, receiver)
+u_char *in;
+u_char *out;
+u_long in_length;
+des_cblock key;
+struct sockaddr_in *sender;
+struct sockaddr_in *receiver;
+{
+ krb5_data inbuf;
+ krb5_data out5;
+ krb5_keyblock keyb;
+ krb5_fulladdr sfaddr;
+ krb5_fulladdr rfaddr;
+ krb5_address saddr;
+ krb5_address raddr;
+ krb5_error_code r;
+ char sa[4], ra[4];
+
+ keyb.keytype = KEYTYPE_DES;
+ keyb.length = sizeof(des_cblock);
+ keyb.contents = (krb5_octet *)key;
+
+ saddr.addrtype = ADDRTYPE_INET;
+ saddr.length = 4;
+ saddr.contents = (krb5_octet *)sa;
+
+ raddr.addrtype = ADDRTYPE_INET;
+ raddr.length = 4;
+ raddr.contents = (krb5_octet *)ra;
+
+ bcopy((char *)&sender->sin_addr, sa, 4);
+ bcopy((char *)&receiver->sin_addr, ra, 4);
+
+ sfaddr.address = &saddr;
+ sfaddr.port = sender->sin_port;
+
+ rfaddr.address = &raddr;
+ rfaddr.port = receiver->sin_port;
+
+ inbuf.data = (char *)in;
+ inbuf.length = in_length;
+
+ if (r = krb5_mk_safe(&inbuf,
+ CKSUMTYPE_CRC32,
+ &keyb,
+ &sfaddr, &rfaddr,
+ &out5)) {
+#ifdef EBUG
+ ERROR(r);
+#endif
+ return(-1);
+ }
+
+ bcopy(out5.data, out, out5.length);
+ free(out5.data);
+ return(out5.length);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_net_read for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_net_read_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+int
+krb_net_read(fd,buf,len)
+int fd;
+char *buf;
+int len;
+{
+ extern int read();
+ int cc, len2 = 0;
+#ifdef EBUG
+ char *obuf = buf;
+#endif
+
+ do {
+ cc = read(fd, buf, len);
+ if (cc < 0)
+ return(cc); /* errno is already set */
+ else if (cc == 0) {
+ return(len2);
+ } else {
+ buf += cc;
+ len2 += cc;
+ len -= cc;
+ }
+ } while (len > 0);
+#ifdef EBUG
+ buf = obuf;
+ EPRINT "Read data: ``");
+ for (cc = 0; cc < len2 && cc < 24; ++cc) {
+ fprintf(stderr, "%c", (buf[cc] < ' ' || buf[cc] > '~') ? '.' : buf[cc]);
+ }
+ if (cc < len2) {
+ fprintf(stderr, "''(%d)\n", len2);
+ } else {
+ fprintf(stderr, "''\n");
+ }
+#endif
+ return(len2);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_net_write for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_net_write_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+int
+krb_net_write(fd,buf,len)
+int fd;
+char *buf;
+int len;
+{
+ int cc;
+ extern int write();
+ register int wrlen = len;
+#ifdef EBUG
+ EPRINT "Write data: ``");
+ for (cc = 0; cc < len && cc < 24; ++cc) {
+ fprintf(stderr, "%c", (buf[cc] < ' ' || buf[cc] > '~') ? '.' : buf[cc]);
+ }
+ if (cc < len) {
+ fprintf(stderr, "''(%d)\n", len);
+ } else {
+ fprintf(stderr, "''\n");
+ }
+#endif
+ do {
+ cc = write(fd, buf, wrlen);
+ if (cc < 0)
+ return(cc);
+ else {
+ buf += cc;
+ wrlen -= cc;
+ }
+ } while (wrlen > 0);
+ return(len);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_rd_priv for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_rd_priv_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+long
+krb_rd_priv(in, in_length, sched, key, sender, receiver, msg)
+u_char *in;
+u_long in_length;
+Key_schedule sched; /* ignored */
+des_cblock key;
+struct sockaddr_in *sender;
+struct sockaddr_in *receiver;
+MSG_DAT *msg;
+{
+ krb5_data inbuf;
+ krb5_data out;
+ krb5_keyblock keyb;
+ krb5_fulladdr sfaddr;
+ krb5_fulladdr rfaddr;
+ krb5_address saddr;
+ krb5_address raddr;
+ krb5_error_code r;
+ char sa[4], ra[4];
+
+ keyb.keytype = KEYTYPE_DES;
+ keyb.length = sizeof(des_cblock);
+ keyb.contents = (krb5_octet *)key;
+
+ saddr.addrtype = ADDRTYPE_INET;
+ saddr.length = 4;
+ saddr.contents = (krb5_octet *)sa;
+
+ raddr.addrtype = ADDRTYPE_INET;
+ raddr.length = 4;
+ raddr.contents = (krb5_octet *)ra;
+
+ bcopy((char *)&sender->sin_addr, sa, 4);
+ bcopy((char *)&receiver->sin_addr, ra, 4);
+
+ sfaddr.address = &saddr;
+ sfaddr.port = sender->sin_port;
+
+ rfaddr.address = &raddr;
+ rfaddr.port = receiver->sin_port;
+
+ inbuf.data = (char *)in;
+ inbuf.length = in_length;
+
+ if (r = krb5_rd_priv(&inbuf, &keyb, &sfaddr, &rfaddr, 0, &out)) {
+#ifdef EBUG
+ ERROR(r)
+#endif
+ return(-1);
+ }
+
+ msg->app_data = (u_char *)out.data;
+ msg->app_length = out.length;
+ msg->hash = 0L;
+ msg->swap = 0;
+ msg->time_sec = 0;
+ msg->time_5ms = 0;
+ return(KSUCCESS);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_rd_req for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_rd_req_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+int
+krb_rd_req(authent, service, instance, from_addr, ad, fn)
+KTEXT authent;
+char *service;
+char *instance;
+u_long from_addr;
+AUTH_DAT *ad;
+char *fn;
+{
+ krb5_address peer;
+ krb5_tkt_authent authd;
+ char addr[4];
+ krb5_data *server[4];
+ krb5_data srvdata[3];
+ krb5_error_code r;
+ krb5_data authe;
+ extern int gethostname();
+
+
+ if (from_addr) {
+ peer.addrtype = ADDRTYPE_INET;
+ peer.length = 4;
+ peer.contents = (krb5_octet *)addr;
+ bcopy((char *)&from_addr + (sizeof(from_addr) - 4), addr, 4);
+ }
+
+ if (!_krb425_local_realm[0])
+ krb5_get_default_realm(REALM_SZ, _krb425_local_realm);
+
+ if (!strcmp(instance, "*")) {
+ static char hostname[64] = { 0 };
+
+ if (!hostname[0]) {
+ struct hostent *h;
+
+ gethostname(hostname, sizeof(hostname));
+ if (h = gethostbyname(hostname)) {
+ char *p;
+
+ strncpy(hostname, h->h_name, sizeof(hostname));
+ hostname[sizeof(hostname)-1] = 0;
+ p = hostname;
+ do {
+ if (isupper(*p)) *p=tolower(*p);
+ } while (*p++);
+ }
+ }
+ instance = hostname;
+ }
+ set_data5(srvdata[0], _krb425_local_realm);
+ set_data5(srvdata[1], service);
+ set_data5(srvdata[2], instance);
+
+ server[0] = &srvdata[0];
+ server[1] = &srvdata[1];
+ server[2] = &srvdata[2];
+ server[3] = 0;
+
+
+ authe.length = authent->length;
+ authe.data = (char *)authent->dat;
+ if (!*fn)
+ fn = (char *)0;
+#ifdef EBUG
+ EPRINT "Calling krb5_rd_req with:\n");
+ EPRINT " Realm : "); show5(srvdata[0]); ENEWLINE
+ EPRINT " Service : "); show5(srvdata[1]); ENEWLINE
+ EPRINT " Instance: "); show5(srvdata[2]); ENEWLINE
+ EPRINT "Authenenticator : %d bytes\n", authe.length);
+ EPRINT "Filename : %s\n", fn ? fn : "none given");
+ if (from_addr) {
+ EPRINT "Address type : %s\n",
+ peer.addrtype == ADDRTYPE_INET ? "inet" :
+ peer.addrtype == ADDRTYPE_CHAOS ? "chaos" :
+ peer.addrtype == ADDRTYPE_XNS ? "xns" :
+ peer.addrtype == ADDRTYPE_ISO ? "iso" :
+ peer.addrtype == ADDRTYPE_DDP ? "ddp" : "unknown type");
+ EPRINT "Address length : %d\n", peer.length);
+ EPRINT "Address :");
+ {
+ int x;
+ for (x = 0; x < peer.length && x < 8; ++x)
+ fprintf(stderr, " %d", peer.contents[x]);
+ if (x < peer.length)
+ fprintf(stderr, " (%d)", peer.length);
+ fprintf(stderr, "\n");
+ }
+ }
+#endif
+
+ if (r = krb5_rd_req(&authe,
+ (krb5_principal)server,
+ from_addr ? &peer : 0,
+ fn, 0, 0, 0, &authd)) {
+#ifdef EBUG
+ ERROR(r)
+#endif
+ return(krb425error(r));
+ }
+
+ ad->k_flags = 0;
+
+#ifdef EBUG
+ r = 0;
+ while (authd.authenticator->client[r]) {
+ EPRINT "Client[%d]: ", r); show5((*authd.authenticator->client[r])); ENEWLINE
+ ++r;
+ }
+ r = 0;
+ while (authd.ticket->server[r]) {
+ EPRINT "Server[%d]: ", r); show5((*authd.ticket->server[r])); ENEWLINE
+ ++r;
+ }
+ r = 0;
+#endif
+ set_string(ad->pname, ANAME_SZ, authd.authenticator->client[1]);
+ set_string(ad->pinst, INST_SZ, authd.authenticator->client[2]);
+ set_string(ad->prealm, REALM_SZ, authd.authenticator->client[0]);
+
+ ad->checksum = *(long *)authd.authenticator->checksum->contents;
+
+ if (authd.ticket->enc_part2->session->keytype != KEYTYPE_DES) {
+ r = KFAILURE;
+ goto out;
+ } else
+ bcopy(authd.ticket->enc_part2->session->contents,
+ (char*)ad->session, sizeof(C_Block));
+
+ ad->life = authd.ticket->enc_part2->times.endtime;
+ ad->time_sec = authd.authenticator->ctime;
+ ad->address = 0;
+
+ if (authd.ticket->enc_part2->caddrs[0]->addrtype != ADDRTYPE_INET) {
+ r = KFAILURE;
+ goto out;
+ } else
+ bcopy(authd.ticket->enc_part2->caddrs[0]->contents,
+ (char *)&ad->address + sizeof(ad->address) - 4, 4);
+
+ if (authd.ticket->enc_part2->authorization_data &&
+ authd.ticket->enc_part2->authorization_data[0]) {
+ ad->reply.length = authd.ticket->enc_part2->authorization_data[0]->length;
+ bcopy(authd.ticket->enc_part2->authorization_data[0]->contents,
+ ad->reply.dat,
+ min(ad->reply.length, MAX_KTXT_LEN));
+ ad->reply.mbz = 0;
+ }
+out:
+ krb5_free_ticket(authd.ticket);
+ krb5_free_authenticator(authd.authenticator);
+ return(r);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_rd_safe for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_rd_safe_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+long
+krb_rd_safe(in, in_length, key, sender, receiver, msg)
+u_char *in;
+u_long in_length;
+des_cblock key;
+struct sockaddr_in *sender;
+struct sockaddr_in *receiver;
+MSG_DAT *msg;
+{
+ krb5_data inbuf;
+ krb5_data out;
+ krb5_keyblock keyb;
+ krb5_fulladdr sfaddr;
+ krb5_fulladdr rfaddr;
+ krb5_address saddr;
+ krb5_address raddr;
+ krb5_error_code r;
+ char sa[4], ra[4];
+
+ keyb.keytype = KEYTYPE_DES;
+ keyb.length = sizeof(des_cblock);
+ keyb.contents = (krb5_octet *)key;
+
+ saddr.addrtype = ADDRTYPE_INET;
+ saddr.length = 4;
+ saddr.contents = (krb5_octet *)sa;
+
+ raddr.addrtype = ADDRTYPE_INET;
+ raddr.length = 4;
+ raddr.contents = (krb5_octet *)ra;
+
+ bcopy((char *)&sender->sin_addr, sa, 4);
+ bcopy((char *)&receiver->sin_addr, ra, 4);
+
+ sfaddr.address = &saddr;
+ sfaddr.port = sender->sin_port;
+
+ rfaddr.address = &raddr;
+ rfaddr.port = receiver->sin_port;
+
+ inbuf.data = (char *)in;
+ inbuf.length = in_length;
+
+ if (r = krb5_rd_safe(&inbuf, &keyb, &sfaddr, &rfaddr, &out)) {
+#ifdef EBUG
+ ERROR(r)
+#endif
+ return(-1);
+ }
+
+ msg->app_data = (u_char *)out.data;
+ msg->app_length = out.length;
+ msg->hash = 0L;
+ msg->swap = 0;
+ msg->time_sec = 0;
+ msg->time_5ms = 0;
+ return(KSUCCESS);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_realmofhost for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_realmhost_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+char *
+krb_realmofhost(host)
+char *host;
+{
+ char **realms;
+ char *domain;
+ static char ret_realm[REALM_SZ+1];
+
+
+ domain = index(host, '.');
+
+ /* prepare default */
+ if (domain) {
+ char *cp;
+
+ strncpy(ret_realm, &domain[1], REALM_SZ);
+ ret_realm[REALM_SZ] = '\0';
+ /* Upper-case realm */
+ for (cp = ret_realm; *cp; cp++)
+ if (islower(*cp))
+ *cp = toupper(*cp);
+ } else {
+ if (krb5_get_default_realm(REALM_SZ, ret_realm))
+ ret_realm[0] = 0;
+ }
+
+ if (krb5_get_host_realm(host, &realms)) {
+ return(ret_realm);
+ }
+ strncpy(ret_realm, realms[0], REALM_SZ);
+ krb5_free_host_realm(realms);
+ return(ret_realm);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+
+#include "krb425.h"
+
+
+#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN
+ chars */
+
+/*
+ * If the protocol changes, you will need to change the version string
+ * and make appropriate changes in krb_sendauth.c
+ * be sure to support old versions of krb_sendauth!
+ */
+
+extern int errno;
+
+/*
+ * krb_recvauth() reads (and optionally responds to) a message sent
+ * using krb_sendauth(). The "options" argument is a bit-field of
+ * selected options (see "sendauth.c" for options description).
+ * The only option relevant to krb_recvauth() is KOPT_DO_MUTUAL
+ * (mutual authentication requested). The "fd" argument supplies
+ * a file descriptor to read from (and write to, if mutual authenti-
+ * cation is requested).
+ *
+ * Part of the received message will be a Kerberos ticket sent by the
+ * client; this is read into the "ticket" argument. The "service" and
+ * "instance" arguments supply the server's Kerberos name. If the
+ * "instance" argument is the string "*", it is treated as a wild card
+ * and filled in during the krb_rd_req() call (see read_service_key()).
+ *
+ * The "faddr" and "laddr" give the sending (client) and receiving
+ * (local server) network addresses. ("laddr" may be left NULL unless
+ * mutual authentication is requested, in which case it must be set.)
+ *
+ * The authentication information extracted from the message is returned
+ * in "kdata". The "filename" argument indicates the file where the
+ * server's key can be found. (It is passed on to krb_rd_req().) If
+ * left null, the default "/etc/srvtab" will be used.
+ *
+ * If mutual authentication is requested, the session key schedule must
+ * be computed in order to reply; this schedule is returned in the
+ * "schedule" argument. A string containing the application version
+ * number from the received message is returned in "version", which
+ * should be large enough to hold a KRB_SENDAUTH_VLEN-character string.
+ *
+ * See krb_sendauth() for the format of the received client message.
+ *
+ * This routine supports another client format, for backward
+ * compatibility, consisting of:
+ *
+ * Size Variable Field
+ * ---- -------- -----
+ *
+ * string tmp_buf, tkt_len length of ticket, in
+ * ascii
+ *
+ * char ' ' (space char) separator
+ *
+ * tkt_len ticket->dat the ticket
+ *
+ * This old-style version does not support mutual authentication.
+ *
+ * krb_recvauth() first reads the protocol version string from the
+ * given file descriptor. If it doesn't match the current protocol
+ * version (KRB_SENDAUTH_VERS), the old-style format is assumed. In
+ * that case, the string of characters up to the first space is read
+ * and interpreted as the ticket length, then the ticket is read.
+ *
+ * If the first string did match KRB_SENDAUTH_VERS, krb_recvauth()
+ * next reads the application protocol version string. Then the
+ * ticket length and ticket itself are read.
+ *
+ * The ticket is decrypted and checked by the call to krb_rd_req().
+ * If no mutual authentication is required, the result of the
+ * krb_rd_req() call is retured by this routine. If mutual authenti-
+ * cation is required, a message in the following format is returned
+ * on "fd":
+ *
+ * Size Variable Field
+ * ---- -------- -----
+ *
+ * 4 bytes tkt_len length of ticket or -1
+ * if error occurred
+ *
+ * priv_len tmp_buf "private" message created
+ * by krb_mk_priv() which
+ * contains the incremented
+ * checksum sent by the client
+ * encrypted in the session
+ * key. (This field is not
+ * present in case of error.)
+ *
+ * If all goes well, KSUCCESS is returned; otherwise KFAILURE or some
+ * other error code is returned.
+ */
+
+#ifndef max
+#define max(a,b) (((a) > (b)) ? (a) : (b))
+#endif /* max */
+
+int
+krb_recvauth(options, fd, ticket, service, instance, faddr, laddr, kdata,
+ filename, schedule, version)
+long options; /* bit-pattern of options */
+int fd; /* file descr. to read from */
+KTEXT ticket; /* storage for client's ticket */
+char *service; /* service expected */
+char *instance; /* inst expected (may be filled in) */
+struct sockaddr_in *faddr; /* address of foreign host on fd */
+struct sockaddr_in *laddr; /* local address */
+AUTH_DAT *kdata; /* kerberos data (returned) */
+char *filename; /* name of file with service keys */
+Key_schedule schedule; /* key schedule (return) */
+char *version; /* version string (filled in) */
+{
+
+ int i, cc, old_vers = 0;
+ char krb_vers[KRB_SENDAUTH_VLEN + 1]; /* + 1 for the null terminator */
+ char *cp;
+ int rem;
+ long tkt_len, priv_len;
+ u_long cksum;
+ u_char tmp_buf[MAX_KTXT_LEN+max(KRB_SENDAUTH_VLEN+1,21)];
+
+ /* read the protocol version number */
+ if (krb_net_read(fd, krb_vers, KRB_SENDAUTH_VLEN) !=
+ KRB_SENDAUTH_VLEN)
+ return(errno);
+ krb_vers[KRB_SENDAUTH_VLEN] = '\0';
+
+ /* check version string */
+ if (strcmp(krb_vers,KRB_SENDAUTH_VERS)) {
+ /* Assume the old version of sendkerberosdata: send ascii
+ length, ' ', and ticket. */
+ if (options & KOPT_DO_MUTUAL)
+ return(KFAILURE); /* XXX can't do old style with mutual auth */
+ old_vers = 1;
+
+ /* copy what we have read into tmp_buf */
+ (void) bcopy(krb_vers, (char *) tmp_buf, KRB_SENDAUTH_VLEN);
+
+ /* search for space, and make it a null */
+ for (i = 0; i < KRB_SENDAUTH_VLEN; i++)
+ if (tmp_buf[i]== ' ') {
+ tmp_buf[i] = '\0';
+ /* point cp to the beginning of the real ticket */
+ cp = (char *) &tmp_buf[i+1];
+ break;
+ }
+
+ if (i == KRB_SENDAUTH_VLEN)
+ /* didn't find the space, keep reading to find it */
+ for (; i<20; i++) {
+ if (read(fd, (char *)&tmp_buf[i], 1) != 1) {
+ return(KFAILURE);
+ }
+ if (tmp_buf[i] == ' ') {
+ tmp_buf[i] = '\0';
+ /* point cp to the beginning of the real ticket */
+ cp = (char *) &tmp_buf[i+1];
+ break;
+ }
+ }
+
+ tkt_len = (long) atoi((char *) tmp_buf);
+
+ /* sanity check the length */
+ if ((i==20)||(tkt_len<=0)||(tkt_len>MAX_KTXT_LEN))
+ return(KFAILURE);
+
+ if (i < KRB_SENDAUTH_VLEN) {
+ /* since we already got the space, and part of the ticket,
+ we read fewer bytes to get the rest of the ticket */
+ if (krb_net_read(fd, (char *)(tmp_buf+KRB_SENDAUTH_VLEN),
+ (int) (tkt_len - KRB_SENDAUTH_VLEN + 1 + i))
+ != (int)(tkt_len - KRB_SENDAUTH_VLEN + 1 + i))
+ return(errno);
+ } else {
+ if (krb_net_read(fd, (char *)(tmp_buf+i), (int)tkt_len) !=
+ (int) tkt_len)
+ return(errno);
+ }
+ ticket->length = tkt_len;
+ /* copy the ticket into the struct */
+ (void) bcopy(cp, (char *) ticket->dat, ticket->length);
+
+ } else {
+ /* read the application version string */
+ if (krb_net_read(fd, version, KRB_SENDAUTH_VLEN) !=
+ KRB_SENDAUTH_VLEN)
+ return(errno);
+ version[KRB_SENDAUTH_VLEN] = '\0';
+
+ /* get the length of the ticket */
+ if (krb_net_read(fd, (char *)&tkt_len, sizeof(tkt_len)) !=
+ sizeof(tkt_len))
+ return(errno);
+
+ /* sanity check */
+ ticket->length = ntohl((unsigned long)tkt_len);
+ if ((ticket->length <= 0) || (ticket->length > MAX_KTXT_LEN)) {
+ if (options & KOPT_DO_MUTUAL) {
+ rem = KFAILURE;
+ goto mutual_fail;
+ } else
+ return(KFAILURE); /* XXX there may still be junk on the fd? */
+ }
+
+ /* read the ticket */
+ if (krb_net_read(fd, (char *) ticket->dat, ticket->length)
+ != ticket->length)
+ return(errno);
+ }
+ /*
+ * now have the ticket. decrypt it to get the authenticated
+ * data.
+ */
+ rem = krb_rd_req(ticket,service,instance,faddr->sin_addr.s_addr,
+ kdata,filename);
+
+ if (old_vers) return(rem); /* XXX can't do mutual with old client */
+
+ /* if we are doing mutual auth, compose a response */
+ if (options & KOPT_DO_MUTUAL) {
+ if (rem != KSUCCESS) {
+#ifdef EBUG
+ ERROR(rem)
+#endif
+ /* the krb_rd_req failed */
+ goto mutual_fail;
+ }
+
+ /* add one to the (formerly) sealed checksum, and re-seal it
+ for return to the client */
+ cksum = kdata->checksum + 1;
+ cksum = htonl(cksum);
+#ifndef NOENCRYPTION
+ key_sched(kdata->session,schedule);
+#endif /* !NOENCRYPTION */
+ priv_len = krb_mk_priv((unsigned char *)&cksum,
+ tmp_buf,
+ (unsigned long) sizeof(cksum),
+ schedule,
+ kdata->session,
+ laddr,
+ faddr);
+ if (priv_len < 0) {
+ /* re-sealing failed; notify the client */
+ rem = KFAILURE; /* XXX */
+mutual_fail:
+ priv_len = -1;
+ tkt_len = htonl((unsigned long) priv_len);
+ /* a length of -1 is interpreted as an authentication
+ failure by the client */
+ if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len)))
+ != sizeof(tkt_len))
+ return(cc);
+ return(rem);
+ } else {
+ /* re-sealing succeeded, send the private message */
+ tkt_len = htonl((unsigned long)priv_len);
+ if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len)))
+ != sizeof(tkt_len))
+ return(cc);
+ if ((cc = krb_net_write(fd, (char *)tmp_buf, (int) priv_len))
+ != (int) priv_len)
+ return(cc);
+ }
+ }
+ return(rem);
+}
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ */
+
+#include <mit-copyright.h>
+#include "krb425.h"
+
+#include <sys/types.h>
+#include <syslog.h>
+#include <errno.h>
+#include <stdio.h>
+#include <strings.h>
+
+#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */
+/*
+ * If the protocol changes, you will need to change the version string
+ * and make appropriate changes in krb_recvauth.c
+ */
+
+extern int errno;
+
+extern char *krb_get_phost();
+
+/*
+ * This file contains two routines: krb_sendauth() and krb_sendsrv().
+ *
+ * krb_sendauth() transmits a ticket over a file descriptor for a
+ * desired service, instance, and realm, doing mutual authentication
+ * with the server if desired.
+ *
+ * krb_sendsvc() sends a service name to a remote knetd server.
+ */
+
+/*
+ * The first argument to krb_sendauth() contains a bitfield of
+ * options (the options are defined in "krb.h"):
+ *
+ * KOPT_DONT_CANON Don't canonicalize instance as a hostname.
+ * (If this option is not chosen, krb_get_phost()
+ * is called to canonicalize it.)
+ *
+ * KOPT_DONT_MK_REQ Don't request server ticket from Kerberos.
+ * A ticket must be supplied in the "ticket"
+ * argument.
+ * (If this option is not chosen, and there
+ * is no ticket for the given server in the
+ * ticket cache, one will be fetched using
+ * krb_mk_req() and returned in "ticket".)
+ *
+ * KOPT_DO_MUTUAL Do mutual authentication, requiring that the
+ * receiving server return the checksum+1 encrypted
+ * in the session key. The mutual authentication
+ * is done using krb_mk_priv() on the other side
+ * (see "recvauth.c") and krb_rd_priv() on this
+ * side.
+ *
+ * The "fd" argument is a file descriptor to write to the remote
+ * server on. The "ticket" argument is used to store the new ticket
+ * from the krb_mk_req() call. If the KOPT_DONT_MK_REQ options is
+ * chosen, the ticket must be supplied in the "ticket" argument.
+ * The "service", "inst", and "realm" arguments identify the ticket.
+ * If "realm" is null, the local realm is used.
+ *
+ * The following arguments are only needed if the KOPT_DO_MUTUAL option
+ * is chosen:
+ *
+ * The "checksum" argument is a number that the server will add 1 to
+ * to authenticate itself back to the client; the "msg_data" argument
+ * holds the returned mutual-authentication message from the server
+ * (i.e., the checksum+1); the "cred" structure is used to hold the
+ * session key of the server, extracted from the ticket file, for use
+ * in decrypting the mutual authentication message from the server;
+ * and "schedule" holds the key schedule for that decryption. The
+ * the local and server addresses are given in "laddr" and "faddr".
+ *
+ * The application protocol version number (of up to KRB_SENDAUTH_VLEN
+ * characters) is passed in "version".
+ *
+ * If all goes well, KSUCCESS is returned, otherwise some error code.
+ *
+ * The format of the message sent to the server is:
+ *
+ * Size Variable Field
+ * ---- -------- -----
+ *
+ * KRB_SENDAUTH_VLEN KRB_SENDAUTH_VER sendauth protocol
+ * bytes version number
+ *
+ * KRB_SENDAUTH_VLEN version application protocol
+ * bytes version number
+ *
+ * 4 bytes ticket->length length of ticket
+ *
+ * ticket->length ticket->dat ticket itself
+ */
+
+/*
+ * XXX: Note that krb_rd_priv() is coded in such a way that
+ * "msg_data->app_data" will be pointing into "priv_buf", which
+ * will disappear when krb_sendauth() returns.
+ */
+
+int
+krb_sendauth(options, fd, ticket, service, inst, realm, checksum,
+ msg_data, cred, schedule, laddr, faddr, version)
+long options; /* bit-pattern of options */
+int fd; /* file descriptor to write onto */
+KTEXT ticket; /* where to put ticket (return); or
+ * supplied in case of KOPT_DONT_MK_REQ */
+char *service, *inst, *realm; /* service name, instance, realm */
+u_long checksum; /* checksum to include in request */
+MSG_DAT *msg_data; /* mutual auth MSG_DAT (return) */
+CREDENTIALS *cred; /* credentials (return) */
+Key_schedule schedule; /* key schedule (return) */
+struct sockaddr_in *laddr; /* local address */
+struct sockaddr_in *faddr; /* address of foreign host on fd */
+char *version; /* version string */
+{
+ int rem, i, cc;
+ char srv_inst[INST_SZ];
+ char krb_realm[REALM_SZ];
+ char buf[BUFSIZ];
+ long tkt_len;
+ u_char priv_buf[1024];
+ u_long cksum;
+
+ rem=KSUCCESS;
+
+ /* get current realm if not passed in */
+ if (!realm) {
+ rem = krb_get_lrealm(krb_realm,1);
+ if (rem != KSUCCESS)
+ return(rem);
+ realm = krb_realm;
+ }
+
+ /* copy instance into local storage, canonicalizing if desired */
+ if (options & KOPT_DONT_CANON)
+ (void) strncpy(srv_inst, inst, INST_SZ);
+ else
+ (void) strncpy(srv_inst, krb_get_phost(inst), INST_SZ);
+
+ /* get the ticket if desired */
+ if (!(options & KOPT_DONT_MK_REQ)) {
+ rem = krb_mk_req(ticket, service, srv_inst, realm, checksum);
+ if (rem != KSUCCESS)
+ return(rem);
+ }
+
+ /* if mutual auth, get credentials so we have service session
+ keys for decryption below */
+ if (options & KOPT_DO_MUTUAL)
+ if (cc = krb_get_cred(service, srv_inst, realm, cred))
+ return(cc);
+
+ /* zero the buffer */
+ (void) bzero(buf, BUFSIZ);
+
+ /* insert version strings */
+ (void) strncpy(buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN);
+ (void) strncpy(buf+KRB_SENDAUTH_VLEN, version, KRB_SENDAUTH_VLEN);
+
+ /* increment past vers strings */
+ i = 2*KRB_SENDAUTH_VLEN;
+
+ /* put ticket length into buffer */
+ tkt_len = htonl((unsigned long) ticket->length);
+ (void) bcopy((char *) &tkt_len, buf+i, sizeof(tkt_len));
+ i += sizeof(tkt_len);
+
+ /* put ticket into buffer */
+ (void) bcopy((char *) ticket->dat, buf+i, ticket->length);
+ i += ticket->length;
+
+ /* write the request to the server */
+ if ((cc = krb_net_write(fd, buf, i)) != i)
+ return(cc);
+
+ /* mutual authentication, if desired */
+ if (options & KOPT_DO_MUTUAL) {
+ int r;
+ /* get the length of the reply */
+ if ((r = krb_net_read(fd, (char *) &tkt_len, sizeof(tkt_len))) !=
+ sizeof(tkt_len)) {
+#ifdef EBUG
+ EPRINT "krb_net_read(%d, tkt_len, %d) returns %d\n",
+ fd, sizeof(tkt_len), r);
+ ERROR(errno);
+#endif
+ return(errno);
+ }
+ tkt_len = ntohl((unsigned long)tkt_len);
+
+ /* if the length is negative, the server failed to recognize us. */
+ if ((tkt_len < 0) || (tkt_len > sizeof(priv_buf)))
+ return(KFAILURE); /* XXX */
+ /* read the reply... */
+ if (krb_net_read(fd, (char *)priv_buf, (int) tkt_len) != (int) tkt_len)
+ return(errno);
+
+ /* ...and decrypt it */
+#ifndef NOENCRYPTION
+ key_sched(cred->session, schedule);
+#endif /* !NOENCRYPTION */
+ if (cc = krb_rd_priv(priv_buf,(unsigned long) tkt_len, schedule,
+ cred->session, faddr, laddr, msg_data))
+ return(cc);
+
+ /* fetch the (modified) checksum */
+ (void) bcopy((char *)msg_data->app_data, (char *)&cksum,
+ sizeof(cksum));
+ cksum = ntohl(cksum);
+
+ /* if it doesn't match, fail */
+ if (cksum != checksum + 1)
+ return(KFAILURE); /* XXX */
+ }
+ return(KSUCCESS);
+}
+
+#ifdef ATHENA_COMPAT
+/*
+ * krb_sendsvc
+ */
+
+int
+krb_sendsvc(fd, service)
+int fd;
+char *service;
+{
+ /* write the service name length and then the service name to
+ the fd */
+ long serv_length;
+ int cc;
+
+ serv_length = htonl((unsigned long)strlen(service));
+ if ((cc = krb_net_write(fd, (char *) &serv_length,
+ sizeof(serv_length)))
+ != sizeof(serv_length))
+ return(cc);
+ if ((cc = krb_net_write(fd, service, strlen(service)))
+ != strlen(service))
+ return(cc);
+ return(KSUCCESS);
+}
+#endif ATHENA_COMPAT
--- /dev/null
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <krb5/copyright.h>.
+ *
+ * krb_set_key for krb425
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_set_key_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+#include "krb425.h"
+
+int
+krb_set_key(key, cvt)
+char *key;
+int cvt;
+{
+ static krb5_keyblock keyblock;
+
+ if (cvt) {
+ if (keyblock.contents)
+ free((char *)keyblock.contents);
+ mit_des_string_to_key(KEYTYPE_DES, &keyblock, 0, 0);
+ } else {
+ if (!keyblock.contents &&
+ !(keyblock.contents = (krb5_octet *)malloc(8))) {
+ return(KFAILURE);
+ }
+ keyblock.length = 8;
+ keyblock.keytype = KEYTYPE_DES;
+ bcopy(key, keyblock.contents,8);
+ }
+ return(KSUCCESS);
+}
projects / krb5.git / commitdiff