#define KRB524_SERVICE "krb524"
#define KRB524_PORT 4444
-/* v4lifetime.c */
-extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
-extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
-
-/* conv_creds.c */
-int krb5int_encode_v4tkt
- (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
-
-/* send524.c */
-int krb5int_524_sendto_kdc
- (krb5_context context, const krb5_data * message,
- const krb5_data * realm, krb5_data * reply,
- struct sockaddr *, socklen_t *);
-
/* temporary -- this should be under lib/krb5/ccache somewhere */
struct _krb5_ccache {
str_conv.o \
tgtname.o \
unparse.o \
- v4lifetime.o \
valid_times.o \
vfy_increds.o \
vic_opt.o \
$(OUTPRE)str_conv.$(OBJEXT) \
$(OUTPRE)tgtname.$(OBJEXT) \
$(OUTPRE)unparse.$(OBJEXT) \
- $(OUTPRE)v4lifetime.$(OBJEXT) \
$(OUTPRE)valid_times.$(OBJEXT) \
$(OUTPRE)vfy_increds.$(OBJEXT) \
$(OUTPRE)vic_opt.$(OBJEXT) \
$(srcdir)/str_conv.c \
$(srcdir)/tgtname.c \
$(srcdir)/unparse.c \
- $(srcdir)/v4lifetime.c \
$(srcdir)/valid_times.c \
$(srcdir)/vfy_increds.c \
$(srcdir)/vic_opt.c \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
unparse.c
-v4lifetime.so v4lifetime.po $(OUTPRE)v4lifetime.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h v4lifetime.c
valid_times.so valid_times.po $(OUTPRE)valid_times.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
#include "port-sockets.h"
#include "socket-utils.h"
-#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck */
-#include "kerberosIV/krb.h"
-
-#ifdef USE_CCAPI
-#include <CredentialsCache.h>
-#endif
-
-#define krb524_debug krb5int_krb524_debug
-int krb524_debug = 0;
-
-static krb5_error_code krb524_convert_creds_plain
-(krb5_context context, krb5_creds *v5creds,
- CREDENTIALS *v4creds);
-
-static int decode_v4tkt
- (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
-
-krb5_error_code KRB5_CALLCONV
-krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
- CREDENTIALS *v4creds)
-{
- krb5_error_code ret;
- krb5_data reply;
- char *p;
- struct sockaddr_storage ss;
- socklen_t slen = sizeof(ss);
-
- ret = krb524_convert_creds_plain(context, v5creds, v4creds);
- if (ret)
- return ret;
-
- reply.data = NULL;
- ret = krb5int_524_sendto_kdc(context, &v5creds->ticket,
- &v5creds->server->realm, &reply,
- ss2sa(&ss), &slen);
- if (ret)
- return ret;
-
-#if TARGET_OS_MAC
-#ifdef USE_CCAPI
- v4creds->stk_type = cc_v4_stk_des;
-#endif
- if (slen == sizeof(struct sockaddr_in)
- && ss2sa(&ss)->sa_family == AF_INET) {
- v4creds->address = ss2sin(&ss)->sin_addr.s_addr;
- }
- /* Otherwise, leave it set to all-zero. */
-#endif
-
- p = reply.data;
- ret = ntohl(*((krb5_error_code *) p));
- p += sizeof(krb5_int32);
- reply.length -= sizeof(krb5_int32);
- if (ret)
- goto fail;
-
- v4creds->kvno = ntohl(*((krb5_error_code *) p));
- p += sizeof(krb5_int32);
- reply.length -= sizeof(krb5_int32);
- ret = decode_v4tkt(&v4creds->ticket_st, p, &reply.length);
-
-fail:
- if (reply.data)
- free(reply.data);
- reply.data = NULL;
- return ret;
-}
-
-static krb5_error_code
-krb524_convert_creds_plain(context, v5creds, v4creds)
- krb5_context context;
- krb5_creds *v5creds;
- CREDENTIALS *v4creds;
-{
- int ret;
- krb5_timestamp endtime;
- char dummy[REALM_SZ];
- memset((char *) v4creds, 0, sizeof(CREDENTIALS));
-
- if ((ret = krb5_524_conv_principal(context, v5creds->client,
- v4creds->pname, v4creds->pinst,
- dummy)))
- return ret;
- if ((ret = krb5_524_conv_principal(context, v5creds->server,
- v4creds->service, v4creds->instance,
- v4creds->realm)))
- return ret;
-
- /* Check enctype too */
- if (v5creds->keyblock.length != sizeof(C_Block)) {
- if (krb524_debug)
- fprintf(stderr, "v5 session keyblock length %d != C_Block size %d\n",
- v5creds->keyblock.length,
- (int) sizeof(C_Block));
- return KRB524_BADKEY;
- } else
- memcpy(v4creds->session, (char *) v5creds->keyblock.contents,
- sizeof(C_Block));
-
- /* V4 has no concept of authtime or renew_till, so ignore them */
- v4creds->issue_date = v5creds->times.starttime;
- v4creds->lifetime = krb5int_krb_time_to_life(v5creds->times.starttime,
- v5creds->times.endtime);
- endtime = krb5int_krb_life_to_time(v4creds->issue_date,
- v4creds->lifetime);
- /*
- * Adjust start time backwards to deal with rounding up in
- * krb_time_to_life(), to match code on server side.
- */
- if (endtime > v5creds->times.endtime)
- v4creds->issue_date -= endtime - v5creds->times.endtime;
-
- return 0;
-}
-
-/* this used to be krb524/encode.c, under same copyright as above */
-/*
- * I'm sure that this is reinventing the wheel, but I don't know where
- * the wheel is hidden.
- */
-
-int encode_v4tkt (KTEXT_ST *, char *, unsigned int *);
-static int encode_bytes (char **, int *, char *, unsigned int),
- encode_int32 (char **, int *, krb5_int32 *);
-
-static int decode_bytes (char **, int *, char *, unsigned int),
- decode_int32 (char **, int *, krb5_int32 *);
-
-static int encode_bytes(out, outlen, in, len)
- char **out;
- int *outlen;
- char *in;
- unsigned int len;
-{
- if (len > *outlen)
- return KRB524_ENCFULL;
- memcpy(*out, in, len);
- *out += len;
- *outlen -= len;
- return 0;
-}
-
-static int encode_int32(out, outlen, v)
- char **out;
- int *outlen;
- krb5_int32 *v;
-{
- krb5_int32 nv; /* Must be 4 bytes */
-
- nv = htonl(*v);
- return encode_bytes(out, outlen, (char *) &nv, sizeof(nv));
-}
-
-int krb5int_encode_v4tkt(v4tkt, buf, encoded_len)
- KTEXT_ST *v4tkt;
- char *buf;
- unsigned int *encoded_len;
-{
- int buflen, ret;
- krb5_int32 temp;
-
- buflen = *encoded_len;
-
- if (v4tkt->length < MAX_KTXT_LEN)
- memset(v4tkt->dat + v4tkt->length, 0,
- (unsigned int) (MAX_KTXT_LEN - v4tkt->length));
- temp = v4tkt->length;
- if ((ret = encode_int32(&buf, &buflen, &temp)))
- return ret;
- if ((ret = encode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
- return ret;
- temp = v4tkt->mbz;
- if ((ret = encode_int32(&buf, &buflen, &temp)))
- return ret;
-
- *encoded_len -= buflen;
- return 0;
-}
-
-/* decode functions */
-
-static int decode_bytes(out, outlen, in, len)
- char **out;
- int *outlen;
- char *in;
- unsigned int len;
-{
- if (len > *outlen)
- return KRB524_DECEMPTY;
- memcpy(in, *out, len);
- *out += len;
- *outlen -= len;
- return 0;
-}
-
-static int decode_int32(out, outlen, v)
- char **out;
- int *outlen;
- krb5_int32 *v;
-{
- int ret;
- krb5_int32 nv; /* Must be four bytes */
-
- if ((ret = decode_bytes(out, outlen, (char *) &nv, sizeof(nv))))
- return ret;
- *v = ntohl(nv);
- return 0;
-}
-
-static int decode_v4tkt(v4tkt, buf, encoded_len)
- KTEXT_ST *v4tkt;
- char *buf;
- unsigned int *encoded_len;
-{
- int buflen, ret;
- krb5_int32 temp;
-
- buflen = *encoded_len;
- if ((ret = decode_int32(&buf, &buflen, &temp)))
- return ret;
- v4tkt->length = temp;
- if ((ret = decode_bytes(&buf, &buflen, (char *)v4tkt->dat, MAX_KTXT_LEN)))
- return ret;
- if ((ret = decode_int32(&buf, &buflen, &temp)))
- return ret;
- v4tkt->mbz = temp;
- *encoded_len -= buflen;
- return 0;
-}
-
-#else /* no krb4 compat */
-
krb5_error_code KRB5_CALLCONV
krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
struct credentials *v4creds)
return KRB524_KRB4_DISABLED;
}
-#endif
-
/* These may be needed for object-level backwards compatibility on Mac
OS and UNIX, but Windows should be okay. */
#ifndef _WIN32
krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
struct credentials *v4creds)
{
- return krb5_524_convert_creds(context, v5creds, v4creds);
+ return KRB524_KRB4_DISABLED;
}
void KRB5_CALLCONV krb524_init_ets ()
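Review bot: The stub body on the `+` line returns KRB524_KRB4_DISABLED without ever reading or writing `v5creds`/`v4creds`, but the comment above it only explains why the symbol still exists, not that it is now a permanent no-op, so a reader may still assume `*v4creds` is populated on some path. I would extend that comment with `/* These are compatibility stubs only: they never inspect or modify their arguments and always return KRB524_KRB4_DISABLED. */` and, if the file's build uses -Wunused-parameter, silence it with `(void)context; (void)v5creds; (void)v4creds;` before the return. Note that this no longer routes through krb5_524_convert_creds, so the two stubs can silently diverge if one is changed later; worth a sentence in the same comment. The function's return-type line sits above the hunk, outside what is shown.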
+++ /dev/null
-/*
- * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "k5-int.h"
-
-/*
- * Only lifetime bytes values less than 128 are on a linear scale.
- * The following table contains an exponential scale that covers the
- * lifetime values 128 to 191 inclusive (a total of 64 values).
- * Values greater than 191 get interpreted the same as 191, but they
- * will never be generated by the functions in this file.
- *
- * The ratio is approximately 1.069144898 (actually exactly
- * exp(log(67.5)/63), where 67.5 = 2592000/38400, and 259200 = 30
- * days, and 38400 = 128*5 minutes. This allows a lifetime byte of
- * 191 to correspond to a ticket life of exactly 30 days and a
- * lifetime byte of 128 to correspond to exactly 128*5 minutes, with
- * the other values spread on an exponential curve fit in between
- * them. This table should correspond exactly to the set of extended
- * ticket lifetime values used by AFS and CMU.
- *
- * The following awk script is sufficient to reproduce the table:
- * BEGIN {
- * r = exp(log(2592000/38400)/63);
- * x = 38400;
- * for (i=0;i<64;i++) {
- * printf("%d\n",x+0.5);
- * x *= r;
- * }
- * }
- */
-#ifndef SHORT_LIFETIME
-#define NLIFETIMES 64
-static const krb5_int32 lifetimes[NLIFETIMES] = {
- 38400, 41055, /* 00:10:40:00, 00:11:24:15 */
- 43894, 46929, /* 00:12:11:34, 00:13:02:09 */
- 50174, 53643, /* 00:13:56:14, 00:14:54:03 */
- 57352, 61318, /* 00:15:55:52, 00:17:01:58 */
- 65558, 70091, /* 00:18:12:38, 00:19:28:11 */
- 74937, 80119, /* 00:20:48:57, 00:22:15:19 */
- 85658, 91581, /* 00:23:47:38, 01:01:26:21 */
- 97914, 104684, /* 01:03:11:54, 01:05:04:44 */
- 111922, 119661, /* 01:07:05:22, 01:09:14:21 */
- 127935, 136781, /* 01:11:32:15, 01:13:59:41 */
- 146239, 156350, /* 01:16:37:19, 01:19:25:50 */
- 167161, 178720, /* 01:22:26:01, 02:01:38:40 */
- 191077, 204289, /* 02:05:04:37, 02:08:44:49 */
- 218415, 233517, /* 02:12:40:15, 02:16:51:57 */
- 249664, 266926, /* 02:21:21:04, 03:02:08:46 */
- 285383, 305116, /* 03:07:16:23, 03:12:45:16 */
- 326213, 348769, /* 03:18:36:53, 04:00:52:49 */
- 372885, 398668, /* 04:07:34:45, 04:14:44:28 */
- 426234, 455705, /* 04:22:23:54, 05:06:35:05 */
- 487215, 520904, /* 05:15:20:15, 06:00:41:44 */
- 556921, 595430, /* 06:10:42:01, 06:21:23:50 */
- 636601, 680618, /* 07:08:50:01, 07:21:03:38 */
- 727680, 777995, /* 08:10:08:00, 09:00:06:35 */
- 831789, 889303, /* 09:15:03:09, 10:07:01:43 */
- 950794, 1016537, /* 11:00:06:34, 11:18:22:17 */
- 1086825, 1161973, /* 12:13:53:45, 13:10:46:13 */
- 1242318, 1328218, /* 14:09:05:18, 15:08:56:58 */
- 1420057, 1518247, /* 16:10:27:37, 17:13:44:07 */
- 1623226, 1735464, /* 18:18:53:46, 20:02:04:24 */
- 1855462, 1983758, /* 21:11:24:22, 22:23:02:38 */
- 2120925, 2267576, /* 24:13:08:45, 26:05:52:56 */
- 2424367, 2592000 /* 28:01:26:07, 30:00:00:00 */
-};
-#define MINFIXED 0x80
-#define MAXFIXED (MINFIXED + NLIFETIMES - 1)
-#endif /* !SHORT_LIFETIME */
-
-/*
- * krb_life_to_time
- *
- * Given a start date and a lifetime byte, compute the expiration
- * date.
- */
-krb5_int32
-krb5int_krb_life_to_time(krb5_int32 start, int life)
-{
- if (life < 0 || life > 255) /* possibly sign botch in caller */
- return start;
-#ifndef SHORT_LIFETIME
- if (life < MINFIXED)
- return start + life * 5 * 60;
- if (life > MAXFIXED)
- return start + lifetimes[NLIFETIMES - 1];
- return start + lifetimes[life - MINFIXED];
-#else /* SHORT_LIFETIME */
- return start + life * 5 * 60;
-#endif /* SHORT_LIFETIME */
-}
-
-/*
- * krb_time_to_life
- *
- * Given the start date and the end date, compute the lifetime byte.
- * Round up, since we can adjust the start date backwards if we are
- * issuing the ticket to cause it to expire at the correct time.
- */
-int
-krb5int_krb_time_to_life(krb5_int32 start, krb5_int32 end)
-{
- krb5_int32 dt;
-#ifndef SHORT_LIFETIME
- int i;
-#endif
-
- dt = end - start;
- if (dt <= 0)
- return 0;
-#ifndef SHORT_LIFETIME
- if (dt < lifetimes[0])
- return (dt + 5 * 60 - 1) / (5 * 60);
- /* This depends on the array being ordered. */
- for (i = 0; i < NLIFETIMES; i++) {
- if (lifetimes[i] >= dt)
- return i + MINFIXED;
- }
- return MAXFIXED;
-#else /* SHORT_LIFETIME */
- if (dt > 5 * 60 * 255)
- return 255;
- else
- return (dt + 5 * 60 - 1) / (5 * 60);
-#endif /* SHORT_LIFETIME */
-}
read_pwd.o \
realm_dom.o \
realm_iter.o \
- send524.o \
sendto_kdc.o \
sn2princ.o \
thread_safe.o \
$(OUTPRE)read_pwd.$(OBJEXT) \
$(OUTPRE)realm_dom.$(OBJEXT) \
$(OUTPRE)realm_iter.$(OBJEXT) \
- $(OUTPRE)send524.$(OBJEXT) \
$(OUTPRE)sendto_kdc.$(OBJEXT) \
$(OUTPRE)sn2princ.$(OBJEXT) \
$(OUTPRE)thread_safe.$(OBJEXT) \
$(srcdir)/realm_dom.c \
$(srcdir)/realm_iter.c \
$(srcdir)/port2ip.c \
- $(srcdir)/send524.c \
$(srcdir)/sendto_kdc.c \
$(srcdir)/sn2princ.c \
$(srcdir)/thread_safe.c \
$(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
$(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
os-proto.h port2ip.c
-send524.so send524.po $(OUTPRE)send524.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h \
- $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h os-proto.h send524.c
sendto_kdc.so sendto_kdc.po $(OUTPRE)sendto_kdc.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
SC (use_dns_kdc, _krb5_use_dns_kdc),
#undef SC
-#ifdef KRB5_KRB4_COMPAT
-#define SC(FIELD, VAL) S(FIELD, VAL)
-#else /* disable */
-#define SC(FIELD, VAL) S(FIELD, 0)
-#endif
- SC (krb_life_to_time, krb5int_krb_life_to_time),
- SC (krb_time_to_life, krb5int_krb_time_to_life),
- SC (krb524_encode_v4tkt, krb5int_encode_v4tkt),
-#undef SC
+ S (krb_life_to_time, 0),
+ S (krb_time_to_life, 0),
+ S (krb524_encode_v4tkt, 0),
S (krb5int_c_mandatory_cksumtype, krb5int_c_mandatory_cksumtype),
#ifndef LEAN_CLIENT
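Review bot: The three `+` lines leave the krb_life_to_time, krb_time_to_life and krb524_encode_v4tkt accessor slots in the table but set them to 0 unconditionally, and nothing in the hunk records that these are now dead ABI placeholders rather than optionally-populated hooks. Any out-of-tree consumer that resolves these through the accessor struct and calls them without a NULL check would now fault instead of receiving a KRB524_KRB4_DISABLED error; previously that was only the case in non-KRB4_COMPAT builds. I would add above the three entries `/* krb4/krb524 support removed: slots kept only for struct-layout compatibility and are always NULL; callers must check before use. */`. The enclosing initializer begins and ends outside this hunk.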
+++ /dev/null
-/*
- * Copyright 1990,1991,1997 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Send a packet to a service and await a reply, using an exponential
- * backoff retry algorithm. This is based on krb5_sendto_kdc.
- */
-
-/* Grab socket stuff. This might want to go away later. */
-#include "fake-addrinfo.h" /* for custom addrinfo if needed */
-#include "k5-int.h"
-
-#ifndef _WIN32
-#include <unistd.h>
-#include <sys/time.h>
-#endif
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "os-proto.h"
-
-/*
- * krb524_sendto_kdc:
- *
- * A slightly modified version of krb5_sendto_kdc.
- *
- * send the formatted request 'message' to a KDC for realm 'realm' and
- * return the response (if any) in 'reply'.
- *
- * If the message is sent and a response is received, 0 is returned,
- * otherwise an error code is returned.
- *
- * The storage for 'reply' is allocated and should be freed by the caller
- * when finished.
- */
-
-krb5_error_code
-krb5int_524_sendto_kdc (context, message, realm, reply, addr, addrlen)
- krb5_context context;
- const krb5_data * message;
- const krb5_data * realm;
- krb5_data * reply;
- struct sockaddr *addr;
- socklen_t *addrlen;
-{
-#if defined(KRB5_KRB4_COMPAT) || defined(_WIN32) /* yuck! */
- int i;
- struct addrlist al = ADDRLIST_INIT;
- struct servent *serv;
- krb5_error_code retval;
- int port;
-
- /*
- * find KDC location(s) for realm
- */
-
- serv = getservbyname(KRB524_SERVICE, "udp");
- port = serv ? serv->s_port : htons (KRB524_PORT);
-
- retval = krb5int_locate_server(context, realm, &al, locate_service_krb524,
- SOCK_DGRAM, PF_INET);
- if (retval == KRB5_REALM_CANT_RESOLVE || retval == KRB5_REALM_UNKNOWN) {
- /* Fallback heuristic: Assume krb524 port on every KDC might
- work. */
- retval = krb5_locate_kdc(context, realm, &al, 0, SOCK_DGRAM, PF_INET);
- /*
- * Bash the ports numbers.
- */
- if (retval == 0)
- for (i = 0; i < al.naddrs; i++) {
- al.addrs[i].ai->ai_socktype = SOCK_DGRAM;
- if (al.addrs[i].ai->ai_family == AF_INET)
- sa2sin (al.addrs[i].ai->ai_addr)->sin_port = port;
- }
- }
- if (retval)
- return retval;
- if (al.naddrs == 0)
- return KRB5_REALM_UNKNOWN;
-
- retval = krb5int_sendto (context, message, &al, NULL, reply, addr, addrlen, NULL, 0, NULL, NULL, NULL);
- krb5int_free_addrlist (&al);
- return retval;
-#else
- return KRB524_KRB4_DISABLED;
-#endif
-}