+++ /dev/null
-WARNING! The contents of this directory are Alpha-test quality at
-best. The definition of the GSS API is still in flux, and this code
-has not really been tested due to a lack of an implementation to link
-against.
-
-Look in doc/gss/* for more information.
-
-
+++ /dev/null
-/*
- * ac_cred.c --- gss_acquire_cred
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-/*
- * Note: There are really two kinds of credentials in Kerberos V5...
- * the first kind is for users, and we use a krb5_ccache to get at
- * that. The second kind is for servers, and we use a krb5_keytab to
- * point at that.
- *
- * It is possible to convert from one to another, but we don't address
- * that right now.
- *
- * XXX We need to do something with time_rec.
- */
-
-#include <gssapi.h>
-
-char *gss_krb5_fetchfrom = NULL;
-
-OM_uint32 gss_acquire_cred(minor_status, desired_name, time_req,
- desired_mechs, cred_usage, output_cred_handle,
- actual_mechs, time_rec)
- OM_uint32 *minor_status;
- gss_name_t desired_name;
- OM_uint32 time_req;
- gss_OID_set desired_mechs;
- int cred_usage;
- gss_cred_id_t *output_cred_handle;
- gss_OID_set *actual_mechs;
- OM_uint32 *time_rec;
-{
- krb5_keytab_entry entry;
- krb5_keytab keytabid;
- int do_kerberos = 0;
- int i;
- krb5_error_code retval;
-
- *minor_status = 0;
-
- /*
- * Figure out which mechanism we should be using.
- */
- if (desired_mechs == GSS_C_NULL_OID_SET)
- do_kerberos++;
- else {
- for (i = 0; i <= desired_mechs->count; i++) {
- if (gss_compare_OID(&desired_mechs->elements[i],
- &gss_OID_krb5))
- do_kerberos++;
- }
- }
-
- /*
- * Should we return failure here?
- */
- if (!do_kerberos)
- return(GSS_S_FAILURE);
- output_cred_handle->cred_flags = 0;
-
- /*
- * This is Kerberos V5 specific stuff starting here.
- * First, let's try to search the keytab file.
- * Applications that know what they are doing can mess with
- * the variable gss_krb_fetchfrom. Otherwise, we use the
- * system default keytab file.
- */
- if (*minor_status = krb5_copy_principal(desired_name,
- &output_cred_handle->principal)) {
- return(GSS_S_FAILURE);
- }
- if (gss_krb5_fetchfrom) {
- /* use the named keytab */
- retval = krb5_kt_resolve(gss_krb5_fetchfrom, &keytabid);
- } else {
- /* use default keytab */
- retval = krb5_kt_default(&keytabid);
- }
- if (!retval) {
- retval = krb5_kt_get_entry(keytabid, desired_name, 0,
- &entry);
- (void) krb5_kt_close(keytabid);
- if (!retval) {
- output_cred_handle->cred_flags |= GSS_KRB_HAS_SRVTAB;
- output_cred_handle->kvno = entry.vno;
- output_cred_handle->srvtab = entry.key;
- krb5_free_principal(entry.principal);
- }
- }
- /*
- * Now let's try opening the default credentials file and see
- * if it contains the desired name. We could try searching
- * some directory (like /tmp) if we really cared, but not for
- * now.
- *
- * We're not even looking in the default credentials file
- * right now. XXX
- */
-
- /*
- * We're done, clean up and get out.
- */
- if (actual_mechs) {
- gss_OID_set set;
-
- if (!(set = (gss_OID_set)
- malloc (sizeof(struct gss_OID_set_desc)))) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- set->count = 1;
- set->elements = &gss_OID_krb5;
- *actual_mechs = set;
- }
- return(GSS_S_COMPLETE);
-
-}
-
+++ /dev/null
-/*
- * acc_sec.c --- accept security context
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-extern krb5_flags krb5_kdc_default_options;
-
-/*
- * To do in the future:
- *
- * * Support replay cache
- *
- * * Support delegation of credentials
- *
- * * Do something with time_rec
- *
- * * Should handle Kerberos error packets being sent back and
- * forth.
- */
-
-static krb5_error_code gss_krb5_keyproc(DECLARG(krb5_pointer, cred_handle),
- DECLARG(krb5_principal, principal),
- DECLARG(krb5_kvno, vno),
- DECLARG(krb5_keyblock **, key))
-OLDDECLARG(krb5_pointer, cred_handle)
-OLDDECLARG(krb5_principal, principal)
-OLDDECLARG(krb5_kvno, vno)
-OLDDECLARG(krb5_keyblock **, key)
-{
- gss_cred_id_t *creds;
-
- creds = (gss_cred_id_t *) cred_handle;
-
- if (krb5_principal_compare(creds->principal, principal)) {
- if (creds->cred_flags & GSS_KRB_HAS_SRVTAB) {
- *key = &creds->srvtab;
- return(0);
- } else
- return(KRB5_KT_NOTFOUND);
- } else
- return(KRB5_KT_NOTFOUND);
-}
-
-
-OM_uint32 gss_accept_sec_context(minor_status, context_handle,
- verifier_cred_handle, input_token,
- channel, src_name,
- mech_type, output_token,
- ret_flags, time_rec,
- delegated_cred_handle)
- OM_uint32 *minor_status;
- gss_ctx_id_t *context_handle;
- gss_cred_id_t verifier_cred_handle;
- gss_buffer_t input_token;
- gss_channel_bindings channel;
- gss_name_t *src_name;
- gss_OID *mech_type;
- gss_buffer_t output_token;
- int *ret_flags;
- OM_uint32 *time_rec;
- gss_cred_id_t *delegated_cred_handle;
-{
- krb5_rcache rcache;
- krb5_address sender_addr;
- krb5_data inbuf, outbuf;
- krb5_principal server;
- krb5_tkt_authent *authdat;
- OM_uint32 retval;
- gss_ctx_id_t context;
-
- *minor_status = 0;
-
- if (!context_handle) {
- /*
- * This is first call to accept_sec_context
- *
- * Make sure the input token is sane.
- */
- if (retval = gss_check_token(minor_status, input_token,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_REQ))
- return(retval);
- inbuf.length = input_token->length-5;
- inbuf.data = ( (char *) input_token->value)+5;
- sender_addr.addrtype = channel->initiator_addrtype;
- sender_addr.length = channel->initiator_address.length;
- sender_addr.contents = (krb5_octet *)
- channel->initiator_address.value;
- server = verifier_cred_handle.principal;
- /*
- * Setup the replay cache.
- */
- if (*minor_status =
- krb5_get_server_rcache(krb5_princ_component(server, 1),
- &rcache))
- return(GSS_S_FAILURE);
- /*
- * Now let's rip apart the packet
- */
- if (*minor_status = krb5_rd_req(&inbuf, server, &sender_addr,
- 0, gss_krb5_keyproc,
- (krb5_pointer)&verifier_cred_handle,
- rcache, &authdat))
- return(GSS_S_FAILURE);
- if (*minor_status = krb5_rc_close(rcache))
- return(GSS_S_FAILURE);
-
- /*
- * Allocate the context handle structure
- */
- if (!(context = (gss_ctx_id_t)
- malloc(sizeof(struct gss_ctx_id_desc)))) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- context->mech_type = &gss_OID_krb5;
- context->flags = 0;
- context->state = GSS_KRB_STATE_DOWN;
- context->am_client = 0;
- context->rcache = NULL;
-
- context->my_address.addrtype = channel->initiator_addrtype;
- context->my_address.length = channel->initiator_address.length;
- if (!(context->my_address.contents = (krb5_octet *)
- malloc(context->my_address.length))) {
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- memcpy((char *) context->my_address.contents,
- (char *) channel->initiator_address.value,
- context->my_address.length);
- context->his_address.addrtype = channel->acceptor_addrtype;
- context->his_address.length = channel->acceptor_address.length;
- if (!(context->his_address.contents = (krb5_octet *)
- malloc(context->my_address.length))) {
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- memcpy((char *) context->his_address.contents,
- (char *) channel->acceptor_address.value,
- context->his_address.length);
-
- /*
- * Do mutual authentication if requested.
- */
- output_token->length = 0;
- if ((authdat->ap_options & AP_OPTS_MUTUAL_REQUIRED)) {
- krb5_ap_rep_enc_part repl;
- /*
- * Generate a random sequence number
- */
- if (*minor_status =
- krb5_generate_seq_number(authdat->ticket->enc_part2->session,
- &context->my_seq_num)) {
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- krb5_free_tkt_authent(authdat);
- return(GSS_S_FAILURE);
- }
-
- repl.ctime = authdat->authenticator->ctime;
- repl.cusec = authdat->authenticator->cusec;
- repl.subkey = authdat->authenticator->subkey;
- repl.seq_number = context->my_seq_num;
-
- if (*minor_status =
- krb5_mk_rep(&repl,
- authdat->ticket->enc_part2->session,
- &outbuf)) {
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- krb5_free_tkt_authent(authdat);
- return(GSS_S_FAILURE);
- }
- if (*minor_status = gss_make_token(minor_status,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_REQ,
- outbuf.length,
- outbuf.data,
- output_token)) {
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- krb5_xfree(outbuf.data);
- krb5_free_tkt_authent(authdat);
- return(GSS_S_FAILURE);
- }
- }
-
- /*
- * Fill in context handle structure
- */
- if (*minor_status =
- krb5_copy_principal(verifier_cred_handle.principal,
- &context->me)) {
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- if (*minor_status =
- krb5_copy_principal(authdat->authenticator->client,
- &context->him)) {
- krb5_free_principal(context->me);
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- if (*minor_status =
- krb5_copy_keyblock(authdat->ticket->enc_part2->session,
- &context->session_key)) {
- krb5_free_principal(context->me);
- krb5_free_principal(context->him);
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- context->his_seq_num = authdat->authenticator->seq_number;
- context->cusec = authdat->authenticator->cusec;
- context->ctime = authdat->authenticator->ctime;
- context->flags = ((char *) input_token->value)[4];
- /*
- * Strip out flags we don't support (yet) XXX
- */
- context->flags &= ~(GSS_C_DELEG_FLAG | GSS_C_REPLAY_FLAG);
- /*
- * Deliver output parameters
- */
- if (src_name) {
- if (*minor_status = krb5_copy_principal(context->him,
- src_name)) {
- krb5_xfree(context->session_key->contents);
- krb5_free_principal(context->me);
- krb5_free_principal(context->him);
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- }
- if (mech_type)
- *mech_type = &gss_OID_krb5;
- *ret_flags = context->flags;
- if (time_rec)
- *time_rec = GSS_TIME_REC_INDEFINITE;
- return(GSS_S_COMPLETE);
- } else {
- /*
- * Context is non-null, this is the second time through....
- */
- return(GSS_S_FAILURE);
- }
-}
-
+++ /dev/null
-/*
- * check_tok.c --- Read a GSS API token and do error checking
- * checking on it.
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_check_token(DECLARG(OM_uint32 *, minor_status),
- DECLARG(gss_buffer_t, input_token),
- DECLARG(unsigned int, mechanism),
- DECLARG(unsigned int, type))
-OLDDECLARG(OM_uint32 *, minor_status)
-OLDDECLARG(gss_buffer_t, input_token)
-OLDDECLARG(unsigned int, mechanism)
-OLDDECLARG(unsigned int, type)
-{
- char *buf;
-
- *minor_status = 0;
-
- if (!input_token)
- return(GSS_S_CALL_INACCESSIBLE_READ);
-
- if (input_token->length < 4)
- return(GSS_S_DEFECTIVE_TOKEN);
-
- buf = input_token->value;
-
- if (buf[0] != GSS_API_IMPL_VERSION)
- return(GSS_S_DEFECTIVE_TOKEN);
-
- if (mechanism && (mechanism != buf[1]))
- return(GSS_S_BAD_MECH);
-
- if (type && (type != buf[2]))
- return(GSS_S_FAILURE | GSS_S_UNSEQ_TOKEN);
-
- return(GSS_S_COMPLETE);
-}
+++ /dev/null
-/*
- * imp_name.c --- import_name
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_compare_name(minor_status, name1, name2, name_equal)
- OM_uint32 *minor_status;
- gss_name_t name1, name2;
- int *name_equal;
-{
- *minor_status = 0;
-
- *name_equal = krb5_principal_compare(name1, name2);
- return(GSS_S_COMPLETE);
-}
-
+++ /dev/null
-/*
- * comp_oid.c --- compare OID's
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-int gss_compare_OID(oid1, oid2)
- gss_OID oid1, oid2;
-{
- if (oid1->length != oid2->length)
- return(0);
- return (!memcmp(oid1->elements, oid2->elements, oid1->length));
-}
+++ /dev/null
-/*
- * dsp_name.c --- display_name
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_display_name(minor_status, input_name, output_name_buffer,
- output_name_type)
- OM_uint32 *minor_status;
- gss_name_t input_name;
- gss_buffer_t output_name_buffer;
- gss_OID *output_name_type;
-{
- char *str;
-
- if (*minor_status = krb5_unparse_name(input_name, &str))
- return(GSS_S_FAILURE);
- output_name_buffer->value = str;
- output_name_buffer->length = strlen(str);
- if (output_name_type)
- *output_name_type = &gss_OID_krb5;
-
- return(GSS_S_COMPLETE);
-}
+++ /dev/null
-/*
- * dsp_status.c --- display_status
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-#define GSS_CE_MASK 0xFF000000
-#define GSS_RE_MASK 0x00FF0000
-#define GSS_SS_MASK 0x0000FFFF
-
-#define GSS_CONTEXT_THIS(i) ((i) & 0xFFFF)
-#define GSS_CONTEXT_NEXT(i) ((i) >> 16)
-
-struct gss_error_table {
- int code;
- int mask;
- char *string;
-};
-
-static struct gss_error_table table[] = {
- { GSS_S_CALL_INACCESSIBLE_READ, GSS_CE_MASK,
- "GSSAPI Calling Error: Inaccessible read" },
- { GSS_S_CALL_INACCESSIBLE_WRITE, GSS_CE_MASK,
- "GSSAPI Calling Error: Inaccessible write" },
- { GSS_S_CALL_BAD_STRUCTURE, GSS_CE_MASK,
- "GSSAPI Calling Error: Bad Structure" },
- { GSS_S_BAD_MECH, GSS_RE_MASK,
- "GSSAPI Routine Error: Bad Mechanism" },
- { GSS_S_BAD_NAME, GSS_RE_MASK,
- "GSSAPI Routine Error: Bad Name" },
- { GSS_S_BAD_NAMETYPE, GSS_RE_MASK,
- "GSSAPI Routine Error: Bad Nametype" },
- { GSS_S_BAD_BINDINGS, GSS_RE_MASK,
- "GSSAPI Routine Error: Bad Bindings" },
- { GSS_S_BAD_STATUS, GSS_RE_MASK,
- "GSSAPI Routine Error: Bad Status" },
- { GSS_S_BAD_SIG, GSS_RE_MASK,
- "GSSAPI Routine Error: Invalid Signature" },
- { GSS_S_NO_CRED, GSS_RE_MASK,
- "GSSAPI Routine Error: Missing Credentials" },
- { GSS_S_NO_CONTEXT, GSS_RE_MASK,
- "GSSAPI Routine Error: Missing Context" },
- { GSS_S_DEFECTIVE_TOKEN, GSS_RE_MASK,
- "GSSAPI Routine Error: Defective Token" },
- { GSS_S_DEFECTIVE_CREDENTIAL, GSS_RE_MASK,
- "GSSAPI Routine Error: Defective Credential" },
- { GSS_S_CREDENTIALS_EXPIRED, GSS_RE_MASK,
- "GSSAPI Routine Error: Credentials Expired" },
- { GSS_S_CONTEXT_EXPIRED, GSS_RE_MASK,
- "GSSAPI Routine Error: Context expired" },
- { GSS_S_FAILURE, GSS_RE_MASK,
- "GSSAPI Routine Error: Mechanism-specific failure" },
-};
-static int nentries = sizeof (struct gss_error_table) / sizeof (*table);
-
-OM_uint32 gss_display_status(minor_status, status_value, status_type,
- mech_type, message_context, status_string)
- OM_uint32 *minor_status;
- int status_value;
- int status_type;
- gss_OID mech_type;
- int *message_context;
- gss_buffer_t status_string;
-{
- const char *str;
- int next;
- int retval;
-
- *minor_status = 0;
-
- if (status_type == GSS_C_MECH_CODE) {
- /*
- * We only handle Kerberos V5...
- */
- if ((mech_type != GSS_C_NULL_OID) &&
- !gss_compare_OID(mech_type, &gss_OID_krb5)) {
- return(GSS_S_BAD_MECH);
- }
- str = error_message(status_value);
- retval = GSS_S_COMPLETE;
- goto return_message_found;
- } else {
- next = *message_context;
-
- if (next < 0 || next >= nentries) {
- return(GSS_S_FAILURE);
- }
- if (next == 0) {
- while (next < nentries) {
- if ((status_value & table[next].mask) ==
- table[next].code)
- break;
- next++;
- }
- if (next >= nentries)
- return(GSS_S_BAD_STATUS);
- }
- str = table[next].string;
- next++;
- while (next < nentries) {
- if ((status_value & table[next].mask) ==
- table[next].code)
- break;
- next++;
- }
- if (next >= nentries)
- retval = GSS_S_COMPLETE;
- else
- retval = GSS_S_CONTINUE_NEEDED;
- *message_context = next;
- }
-
-return_message_found:
- status_string->length = strlen(str);
- if (!(status_string->value = malloc(status_string->length))) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- strcpy(status_string->value, str);
- return(GSS_S_COMPLETE);
-}
-
+++ /dev/null
-/*
- * gssapi.h --- header file for the Kerberos 5 GSS API layer
- */
-
-#include <krb5/krb5.h>
-#include <krb5/osconf.h>
-#include <krb5/ext-proto.h>
-#include <krb5/los-proto.h>
-#include <krb5/func-proto.h>
-#include <com_err.h>
-
-/*
- * Some compilers can't handle void *
- */
-#ifdef __STDC__
-#define Voidptr void *
-#else
-#define Voidptr char *
-#endif
-
-typedef unsigned int OM_uint32;
-typedef unsigned short OM_uint16;
-
-typedef struct gss_buffer_desc_struct {
- size_t length;
- Voidptr value;
-} gss_buffer_desc, *gss_buffer_t;
-
-typedef struct gss_OID_desc {
- OM_uint32 length;
- void *elements;
-} *gss_OID;
-
-typedef struct gss_OID_set_desc {
- OM_uint32 count;
- struct gss_OID_desc *elements;
-} *gss_OID_set;
-
-typedef struct gss_ctx_id_desc {
- gss_OID mech_type;
- int state;
- int flags; /* gss_init_sec_context flags */
- krb5_boolean am_client; /* True if I am the client */
- krb5_principal me;
- krb5_principal him; /* Principal of the other side */
- krb5_address my_address;
- krb5_address his_address;
- krb5_keyblock *session_key;
- krb5_rcache rcache;
- krb5_int32 my_seq_num;
- krb5_int32 his_seq_num;
- krb5_int32 cusec; /* Client usec portion */
- krb5_timestamp ctime; /* Client sec portion */
-} *gss_ctx_id_t;
-
-/* structure for address */
-typedef struct gss_channel_bindings_struct {
- OM_uint32 initiator_addrtype;
- gss_buffer_desc initiator_address;
- OM_uint32 acceptor_addrtype;
- gss_buffer_desc acceptor_address;
- gss_buffer_desc application_data;
-} *gss_channel_bindings;
-
-#define GSS_C_AF_INET 0x0002
-#define GSS_C_AF_CHAOS 0x0005
-#define GSS_C_AF_XNS 0x0006
-#define GSS_C_AF_ISO 0x0007
-#define GSS_C_AF_DDP 0x0010
-
-#define GSS_KRB_STATE_DOWN 1
-#define GSS_KRB_STATE_MUTWAIT 2
-#define GSS_KRB_STATE_UP 3
-
-typedef krb5_principal gss_name_t;
-
-typedef struct gss_cred_id_desc {
- krb5_principal principal;
- gss_OID mech_type;
- int cred_flags;
- /* Client information */
- krb5_ccache ccache;
- /* Server information */
- krb5_kvno kvno;
- krb5_keyblock srvtab;
-} gss_cred_id_t;
-
-#define GSS_KRB_HAS_CCACHE 0x0001
-#define GSS_KRB_HAS_SRVTAB 0x0002
-
-/*
- * Optional parameters
- */
-
-#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
-#define GSS_C_NULL_OID ((gss_OID) 0)
-#define GSS_C_NULL_OID_SET ((gss_OID_set) 0)
-#define GSS_C_NO_CREDENTIAL (gss_default_credentials)
-
-extern gss_cred_id_t gss_default_credentials;
-
-/*
- * Indefinite time
- */
-#define GSS_TIME_REC_INDEFINITE 2147483647
-
-/*
- * Token format:
- *
- * Byte 0: GSS API Implementation Version (currently 1)
- * Byte 1: Mechanism Identifier (currently 1 means Kerberos V5)
- * Byte 2: Token type
- * Byte 3: Reserved
- * Byte 4--n: Mechanism/Token information
- */
-
-#define GSS_API_IMPL_VERSION 1
-
-#define GSS_API_KRB5_TYPE 1
-
-/* Token types */
-#define GSS_API_KRB5_REQ 1
-#define GSS_API_KRB5_REP 2
-#define GSS_API_KRB5_SAFE 3
-#define GSS_API_KRB5_PRIV 4
-#define GSS_API_KRB5_SIGN 5
-#define GSS_API_KRB5_ERROR 6
-#define GSS_API_KRB5_SHUTDOWN 31
-
-/*
- * Calling errors
- */
-#define GSS_S_CALL_INACCESSIBLE_READ (1 << 24)
-#define GSS_S_CALL_INACCESSIBLE_WRITE (2 << 24)
-#define GSS_S_CALL_BAD_STRUCTURE (3 << 24)
-
-/*
- * Routine Errors
- */
-#define GSS_S_BAD_MECH (1 << 16)
-#define GSS_S_BAD_NAME (2 << 16)
-#define GSS_S_BAD_NAMETYPE (3 << 16)
-#define GSS_S_BAD_BINDINGS (4 << 16)
-#define GSS_S_BAD_STATUS (5 << 16)
-#define GSS_S_BAD_SIG (6 << 16)
-#define GSS_S_NO_CRED (7 << 16)
-#define GSS_S_NO_CONTEXT (8 << 16)
-#define GSS_S_DEFECTIVE_TOKEN (9 << 16)
-#define GSS_S_DEFECTIVE_CREDENTIAL (10 << 16)
-#define GSS_S_CREDENTIALS_EXPIRED (11 << 16)
-#define GSS_S_CONTEXT_EXPIRED (12 << 16)
-#define GSS_S_FAILURE (13 << 16)
-
-/*
- * Supplementary Status Bits
- */
-#define GSS_S_CONTINUE_NEEDED (1 << 0)
-#define GSS_S_DUPLICATE_TOKEN (1 << 1)
-#define GSS_S_OLD_TOKEN (1 << 2)
-#define GSS_S_UNSEQ_TOKEN (1 << 3)
-
-#define GSS_S_COMPLETE 0
-
-/*
- * Macros to break apart a return code
- */
-
-#define gss_calling_error(r) ((r) & 0xff000000)
-#define gss_routine_error(r) ((r) & 0x00ff0000)
-#define gss_supplementary_info(r) ((r) & 0x0000ffff)
-
-/*
- * gss_acquire_cred --- cred_usage values
- */
-#define GSS_C_INITIATE 0x0001
-#define GSS_C_ACCEPT 0x0002
-#define GSS_C_BOTH 0x0003
-
-/*
- * gss_init_sec_context flags
- */
-#define GSS_C_DELEG_FLAG 0x0001
-#define GSS_C_MUTUAL_FLAG 0x0002
-#define GSS_C_REPLAY_FLAG 0x0004
-#define GSS_C_SEQUENCE_FLAG 0x0008
-#define GSS_C_CONF_FLAG 0x0010
-
-/*
- * Values for qop_req
- */
-#define GSS_C_QOP_DEFAULT 0
-
-/*
- * Values for gss_display_status
- */
-#define GSS_C_GSS_CODE 1
-#define GSS_C_MECH_CODE 2
-
-/*
- * OID declarations
- */
-extern struct gss_OID_desc gss_OID_krb5;
-extern struct gss_OID_desc gss_OID_krb5_name;
-
-/*
- * XXX Stuff to make Kannan's flogin stuff happy.
- */
-#define GSS_C_MAX_TOKEN 1024
-#define GSS_C_MAX_PRINTABLE_NAME 1024
-
-#define GSS_C_READ (1 << 0)
-#define GSS_C_WRITE (1 << 1)
-#define GSS_C_EXECUTE (1 << 2)
-
-/*
- * Function declaragions, generated by mkptypes
- */
-/* ac_cred.c */
-OM_uint32 gss_acquire_cred PROTOTYPE((OM_uint32 *minor_status,
- gss_name_t desired_name,
- OM_uint32 time_req,
- gss_OID_set desired_mechs,
- int cred_usage,
- gss_cred_id_t *output_cred_handle,
- gss_OID_set *actual_mechs,
- OM_uint32 *time_rec));
-
-/* acc_sec.c */
-OM_uint32 gss_accept_sec_context PROTOTYPE((OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_cred_id_t verifier_cred_handle,
- gss_buffer_t input_token,
- gss_channel_bindings channel,
- gss_name_t *src_name,
- gss_OID *mech_type,
- gss_buffer_t output_token,
- int *ret_flags,
- OM_uint32 *time_rec,
- gss_cred_id_t *delegated_cred_handle));
-
-/* check_tok.c */
-OM_uint32 gss_check_token PROTOTYPE((OM_uint32 *minor_status,
- gss_buffer_t input_token,
- unsigned int mechanism,
- unsigned int type));
-
-/* cmp_name.c */
-OM_uint32 gss_compare_name PROTOTYPE((OM_uint32 *minor_status,
- gss_name_t name1,
- gss_name_t name2,
- int *name_equal));
-
-/* comp_oid.c */
-int gss_compare_OID PROTOTYPE((gss_OID oid1,
- gss_OID oid2));
-
-/* dsp_name.c */
-OM_uint32 gss_display_name PROTOTYPE((OM_uint32 *minor_status,
- gss_name_t input_name,
- gss_buffer_t output_name_buffer,
- gss_OID *output_name_type));
-
-/* imp_name.c */
-OM_uint32 gss_import_name PROTOTYPE((OM_uint32 *minor_status,
- gss_buffer_t input_name_buffer,
- gss_OID input_name_type,
- gss_name_t *output_name));
-OM_uint32 gss_service_import_name PROTOTYPE((OM_uint32 *minor_status,
- gss_buffer_t input_name_buffer,
- gss_name_t *output_name));
-
-/* ind_mechs.c */
-OM_uint32 gss_indicate_mechs PROTOTYPE((OM_uint32 *minor_status,
- gss_OID_set *mech_set));
-
-/* init_sec.c */
-OM_uint32 gss_init_sec_context PROTOTYPE((OM_uint32 *minor_status,
- gss_cred_id_t claimant_cred_handle,
- gss_ctx_id_t *context_handle,
- gss_name_t target_name,
- gss_OID mech_type,
- int req_flags,
- int time_req,
- gss_channel_bindings channel,
- gss_buffer_t input_token,
- gss_OID *actual_mech_type,
- gss_buffer_t output_token,
- int *ret_flags,
- OM_uint32 *time_rec));
-
-/* make_tok.c */
-OM_uint32 gss_make_token PROTOTYPE((OM_uint32 *minor_status,
- unsigned int mechanism,
- unsigned int type,
- size_t length,
- Voidptr data,
- gss_buffer_t output_token));
-
-/* rel_buffer.c */
-OM_uint32 gss_release_buffer PROTOTYPE((OM_uint32 *minor_status,
- gss_buffer_t buffer));
-
-/* rel_cred.c */
-OM_uint32 gss_release_cred PROTOTYPE((OM_uint32 *minor_status,
- gss_cred_id_t *cred_handle));
-
-/* rel_name.c */
-OM_uint32 gss_release_name PROTOTYPE((OM_uint32 *minor_status,
- gss_name_t *name));
-
-/* rel_oidset.c */
-OM_uint32 gss_release_oid_set PROTOTYPE((OM_uint32 *minor_status,
- gss_OID_set set));
-
-/* rel_sec.c */
-OM_uint32 gss_release_security_context PROTOTYPE((OM_uint32 *minor_status,
- gss_ctx_id_t context));
-
-/* seal.c */
-OM_uint32 gss_seal PROTOTYPE((OM_uint32 *minor_status,
- gss_ctx_id_t context,
- int conf_req_flag,
- int qop_req,
- gss_buffer_t input_message_buffer,
- int *conf_state,
- gss_buffer_t output_message_buffer));
-OM_uint32 gss_sign PROTOTYPE((OM_uint32 *minor_status,
- gss_ctx_id_t context,
- int qop_req,
- gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer));
-
-/* sign.c */
-OM_uint32 gss_sign PROTOTYPE((OM_uint32 *minor_status,
- gss_ctx_id_t context,
- int qop_req,
- gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer));
-
-/* unseal.c */
-OM_uint32 gss_unseal PROTOTYPE((OM_uint32 *minor_status,
- gss_ctx_id_t context,
- gss_buffer_t input_message_buffer,
- gss_buffer_t output_message_buffer,
- int *conf_state,
- int *qop_state));
-OM_uint32 gss_verify PROTOTYPE((OM_uint32 *minor_status,
- gss_ctx_id_t context,
- gss_buffer_t message_buffer,
- gss_buffer_t token_buffer,
- int *qop_state));
-
-/* verify.c */
-OM_uint32 gss_verify PROTOTYPE((OM_uint32 *minor_status,
- gss_ctx_id_t context,
- gss_buffer_t message_buffer,
- gss_buffer_t token_buffer,
- int *qop_state));
-
+++ /dev/null
-/*
- * imp_name.c --- import_name
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_service_import_name();
-
-OM_uint32 gss_import_name(minor_status, input_name_buffer, input_name_type,
- output_name)
- OM_uint32 *minor_status;
- gss_buffer_t input_name_buffer;
- gss_OID input_name_type;
- gss_name_t *output_name;
-{
- *minor_status = 0;
-
- if ((input_name_type == GSS_C_NULL_OID) ||
- gss_compare_OID(input_name_type, &gss_OID_krb5)) {
- /*
- * Kerberos V5 name
- */
- if (!strncasecmp("service:", input_name_buffer->value, 8) &&
- input_name_buffer->length >= 8) {
- return(gss_service_import_name(minor_status,
- input_name_buffer,
- output_name));
- }
- if (*minor_status = krb5_parse_name(input_name_buffer->value,
- output_name))
- return(GSS_S_FAILURE);
- else
- return(GSS_S_COMPLETE);
- }
- /*
- * It's of an unknown type. We don't know how to deal.
- */
- return(GSS_S_BAD_NAMETYPE);
-}
-
-
-OM_uint32 gss_service_import_name(minor_status, input_name_buffer, output_name)
- OM_uint32 *minor_status;
- gss_buffer_t input_name_buffer;
- gss_name_t *output_name;
-{
- char *str, *cp;
- char *service, *kservice;
- char *host;
- char buf[512];
-
- if (!(str = malloc(input_name_buffer->length+1))) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- memcpy(str, input_name_buffer->value, input_name_buffer->length);
- str[input_name_buffer->length] = '\0';
-
- /*
- * Assume the first eight characters are "service:"
- */
- service = cp = str + 8;
- if (!(cp = strchr(cp, '@'))) {
- free(str);
- return(GSS_S_BAD_NAME);
- }
- *cp++ = 0;
- host = cp;
- /*
- * We will need to do some mapping here later... XXX
- */
- kservice = service;
-
- sprintf(buf, "%s/%s", kservice, host);
-
- if (*minor_status = krb5_parse_name(buf, output_name))
- return(GSS_S_FAILURE);
- else
- return(GSS_S_COMPLETE);
-}
-
+++ /dev/null
-/*
- * ind_mechs.c --- Indicate mechanisms (also where the OID's are declared)
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-struct gss_OID_desc gss_OID_krb5 = { 15, "KRB5.OSI.SUCKS"};
-struct gss_OID_desc gss_OID_krb5_name = { 20, "KRB5.NAME.OSI.SUCKS" };
-
-OM_uint32 gss_indicate_mechs(minor_status, mech_set)
- OM_uint32 *minor_status;
- gss_OID_set *mech_set;
-{
- gss_OID_set set;
-
- *minor_status = 0;
- if (!(set = (gss_OID_set) malloc (sizeof(struct gss_OID_set_desc)))) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- set->count = 1;
- set->elements = &gss_OID_krb5;
- *mech_set = set;
- return(GSS_S_COMPLETE);
-}
-
-
+++ /dev/null
-/*
- * init_sec.c --- initialize security context
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-extern krb5_flags krb5_kdc_default_options;
-
-/*
- * To do in the future:
- *
- * * Support replay cache
- *
- * * Support delegation of credentials
- *
- * * Do something with time_rec
- *
- * * Should handle Kerberos error packets being sent back and
- * forth.
- */
-
-gss_cred_id_t gss_default_credentials = {
- (krb5_principal) NULL, (gss_OID) NULL, 0, (krb5_ccache) NULL,
- (krb5_kvno) 0, { (krb5_keytype) 0, 0, (krb5_octet *) NULL }
-};
-
-
-OM_uint32 gss_init_sec_context(minor_status, claimant_cred_handle,
- context_handle, target_name,
- mech_type, req_flags, time_req,
- channel, input_token,
- actual_mech_type, output_token,
- ret_flags, time_rec)
- OM_uint32 *minor_status;
- gss_cred_id_t claimant_cred_handle;
- gss_ctx_id_t *context_handle;
- gss_name_t target_name;
- gss_OID mech_type;
- int req_flags;
- int time_req;
- gss_channel_bindings channel;
- gss_buffer_t input_token;
- gss_OID *actual_mech_type;
- gss_buffer_t output_token;
- int *ret_flags;
- OM_uint32 *time_rec;
-{
- krb5_flags kdc_options = krb5_kdc_default_options;
- krb5_flags ap_req_options = 0;
- krb5_ccache ccache;
- krb5_creds creds;
- krb5_authenticator authent;
- krb5_data inbuf, outbuf;
- krb5_ap_rep_enc_part *repl;
- OM_uint32 retval;
- gss_ctx_id_t context;
-
- *minor_status = 0;
-
- if (!context_handle) {
- /*
- * This is first call to init_sec_context
- *
- * We only handle Kerberos V5...
- */
- if ((mech_type != GSS_C_NULL_OID) &&
- !gss_compare_OID(mech_type, &gss_OID_krb5)) {
- return(GSS_S_BAD_MECH);
- }
- if (actual_mech_type)
- *actual_mech_type = &gss_OID_krb5;
- /*
- * Sanitize the incoming flags
- *
- * We don't support delegation or replay detection --- yet.
- */
- req_flags &= ~GSS_C_DELEG_FLAG;
- req_flags &= ~GSS_C_REPLAY_FLAG;
- /*
- * If no credentials were passed in, get our own
- */
- if (claimant_cred_handle.ccache)
- ccache = claimant_cred_handle.ccache;
- else {
- /*
- * Default (or NULL) credentials, we need to
- * fill in with defaults.
- */
- if (*minor_status = krb5_cc_default(&ccache)) {
- return(GSS_S_FAILURE);
- }
- claimant_cred_handle.ccache = ccache;
- if (*minor_status =
- krb5_cc_get_principal(ccache,
- &claimant_cred_handle.principal))
- return(GSS_S_FAILURE);
- }
- /*
- * Allocate the context handle structure
- */
- if (!(context = (gss_ctx_id_t)
- malloc(sizeof(struct gss_ctx_id_desc)))) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- context->mech_type = &gss_OID_krb5;
- context->state = GSS_KRB_STATE_DOWN;
- /*
- * Fill in context handle structure
- */
- if (*minor_status =
- krb5_copy_principal(claimant_cred_handle.principal,
- &context->me))
- return(GSS_S_FAILURE);
- if (*minor_status =
- krb5_copy_principal(target_name,
- &context->him))
- return(GSS_S_FAILURE);
- context->flags = req_flags | GSS_C_CONF_FLAG;;
- context->am_client = 1;
- context->session_key = NULL;
- context->rcache = NULL;
- context->my_address.addrtype = channel->initiator_addrtype;
- context->my_address.length = channel->initiator_address.length;
- if (!(context->my_address.contents = (krb5_octet *)
- malloc(context->my_address.length))) {
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- memcpy((char *) context->my_address.contents,
- (char *) channel->initiator_address.value,
- context->my_address.length);
- context->his_address.addrtype = channel->acceptor_addrtype;
- context->his_address.length = channel->acceptor_address.length;
- if (!(context->his_address.contents = (krb5_octet *)
- malloc(context->my_address.length))) {
- krb5_xfree(context->my_address.contents);
- krb5_xfree(context);
- return(GSS_S_FAILURE);
- }
- memcpy((char *) context->his_address.contents,
- (char *) channel->acceptor_address.value,
- context->his_address.length);
- /*
- * Generate a random sequence number
- */
- if (*minor_status =
- krb5_generate_seq_number(&creds.keyblock,
- &context->my_seq_num)) {
- krb5_xfree(context->his_address.contents);
- krb5_xfree(context->my_address.contents);
- free((char *)context);
- return(GSS_S_FAILURE);
- }
- context->his_seq_num = 0;
- /*
- * Make a credentials structure
- */
- memset((char *)&creds, 0, sizeof(creds));
- creds.server = context->him;
- creds.client = context->me;
- /* creds.times.endtime = 0; -- memset 0 takes care of this
- zero means "as long as possible" */
- /* creds.keyblock.keytype = 0; -- as well as this.
- zero means no session keytype
- preference */
- if (*minor_status = krb5_get_credentials(0,
- ccache,
- &creds)) {
- krb5_free_cred_contents(&creds);
- free((char *)context);
- return(GSS_S_FAILURE);
- }
- /*
- * Setup the ap_req_options
- */
- if ((req_flags & GSS_C_MUTUAL_FLAG) ||
- (req_flags & GSS_C_SEQUENCE_FLAG))
- ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
- /*
- * OK, get the authentication header!
- */
- if (*minor_status = krb5_mk_req_extended(ap_req_options, 0,
- kdc_options,
- context->my_seq_num, 0,
- ccache, &creds, &authent,
- &outbuf)) {
- memset((char *)&authent, 0, sizeof(authent));
- krb5_free_cred_contents(&creds);
- free((char *)context);
- return(GSS_S_FAILURE);
- }
- context->cusec = authent.cusec;
- context->ctime = authent.ctime;
- memset((char *)&authent, 0, sizeof(authent));
-
- if (*minor_status =
- krb5_copy_keyblock(&creds.keyblock,
- &context->session_key)) {
- krb5_xfree(outbuf.data);
- krb5_free_cred_contents(&creds);
- free((char *)context);
- return(GSS_S_FAILURE);
- }
-
- if (*minor_status = gss_make_token(minor_status,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_REQ,
- outbuf.length,
- outbuf.data,
- output_token)) {
- krb5_xfree(outbuf.data);
- krb5_free_cred_contents(&creds);
- free((char *) context);
- return(GSS_S_FAILURE);
- }
- /*
- * Send over the requested flags information
- */
- ((char *) output_token->value)[4] = context->flags;
- krb5_xfree(outbuf.data);
- *context_handle = context;
- context->state = GSS_KRB_STATE_DOWN;
- *ret_flags = context->flags;
- /*
- * Don't free server and client because we need them
- * for the context structure.
- */
- creds.server = 0;
- creds.client = 0;
- krb5_free_cred_contents(&creds);
- if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
- context->state = GSS_KRB_STATE_MUTWAIT;
- return(GSS_S_CONTINUE_NEEDED);
- } else {
- context->state = GSS_KRB_STATE_UP;
- return(GSS_S_COMPLETE);
- }
-
- } else {
- context = *context_handle;
-
- if (context->state != GSS_KRB_STATE_MUTWAIT)
- return(GSS_S_FAILURE);
- if (retval = gss_check_token(minor_status, input_token,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_REP))
- return(retval);
- inbuf.length = input_token->length-4;
- inbuf.data = ((char *)input_token->value)+4;
-
- if (*minor_status = krb5_rd_rep(&inbuf, context->session_key,
- &repl))
- return(GSS_S_FAILURE);
- if ((repl->ctime != context->ctime) ||
- (repl->cusec != context->cusec)) {
- *minor_status = KRB5_SENDAUTH_MUTUAL_FAILED;
- return(GSS_S_FAILURE);
- }
- context->his_seq_num = repl->seq_number;
- context->state = GSS_KRB_STATE_UP;
- krb5_free_ap_rep_enc_part(repl);
- return(GSS_S_COMPLETE);
- }
-}
+++ /dev/null
-/*
- * make_tok.c --- Make a GSS API token
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_make_token(minor_status, mechanism, type, length, data,
- output_token)
- OM_uint32 *minor_status;
- unsigned int mechanism;
- unsigned int type;
- size_t length;
- Voidptr data;
- gss_buffer_t output_token;
-{
- char *buf;
- int offset = 4;
-
- *minor_status = 0;
- /*
- * The Kerberos initial request token needs an extra byte of
- * flag information, so we reserve it here.
- */
- if ((mechanism == GSS_API_KRB5_TYPE) && (type == GSS_API_KRB5_REQ))
- offset++;
- if (!(buf = malloc(length+offset))) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- output_token->value = (Voidptr) buf;
- output_token->length = length+4;
- buf[0] = GSS_API_IMPL_VERSION;
- buf[1] = mechanism; /* Authentication mechanism */
- buf[2] = type; /* Token type */
- buf[3] = 0; /* Reserved */
- memcpy(buf+offset, data, length);
- return(GSS_S_COMPLETE);
-}
+++ /dev/null
-/*
- * rel_buffer.c --- release a gss_buffer_t
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_release_buffer(minor_status, buffer)
- OM_uint32 *minor_status;
- gss_buffer_t buffer;
-{
- *minor_status = 0;
-
- free(buffer->value);
- return(GSS_S_COMPLETE);
-}
-
-
+++ /dev/null
-/*
- * rel_cred.c --- release a gss_cred_id_t
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_release_cred(minor_status, cred_handle)
- OM_uint32 *minor_status;
- gss_cred_id_t *cred_handle;
-{
- krb5_free_principal(cred_handle->principal);
- if (*minor_status = krb5_cc_close(cred_handle->ccache))
- return(GSS_S_FAILURE);
- krb5_xfree(cred_handle->srvtab.contents);
- return(GSS_S_COMPLETE);
-}
-
-
+++ /dev/null
-/*
- * rel_name.c --- release a gss_name_t
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_release_name(minor_status, name)
- OM_uint32 *minor_status;
- gss_name_t *name;
-{
- *minor_status = 0;
-
- krb5_free_principal(*name);
- return(GSS_S_COMPLETE);
-}
-
-
+++ /dev/null
-/*
- * rel_oidset.c --- release a fgss_oid_set
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_release_oid_set(minor_status, set)
- OM_uint32 *minor_status;
- gss_OID_set set;
-{
- *minor_status = 0;
-
- /*
- * We don't free the OID parts themselves, since they will all
- * be constant structures in this version
- */
- free((char *)set);
- return(GSS_S_COMPLETE);
-}
-
-
+++ /dev/null
-/*
- * rel_buffer.c --- release a security context
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_release_security_context(minor_status, context)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
-{
- *minor_status = 0;
-
- krb5_free_principal(context->me);
- krb5_free_principal(context->him);
-
- context->state = GSS_KRB5_STATE_DOWN;
- return(GSS_S_COMPLETE);
-}
-
-
+++ /dev/null
-# $Source$
-# $Author$
-# $Id$
-#
-# Copyright 1991 by the Massachusetts Institute of Technology.
-# All Rights Reserved.
-#
-# For copying and distribution information, please see the file
-# <krb5/copyright.h>.
-#
-
- DEPLIBS = ../libgssapi.a $(DEPKLIB)
-LOCAL_LIBRARIES = ../libgssapi.a $(KLIB)
- DEFINES = -DDEBUG
-
-SRCS = flogin.c fcmd.c flogind.c fsh.c fcp.c login.c logutil.c
-OBJS = flogin.o fcmd.o flogind.o fsh.o fcp.o login.o logutil.o
-
-FLOGINSRCS = flogin.c fcmd.c
-FLOGINOBJS = flogin.o fcmd.o
-
-LOGINSRCS = login.c logutil.c
-LOGINOBJS = login.o logutil.o
-
-FLOGINDSRCS = flogind.c logutil.c
-FLOGINDOBJS = flogind.o logutil.o
-
-FSHSRCS = fsh.c fcmd.c
-FSHOBJS = fsh.o fcmd.o
-
-FSHDSRCS = fshd.c
-FSHDOBJS = fshd.o
-
-FCPSRCS = fcp.c fcmd.c
-FCPOBJS = fcp.o fcmd.o
-
-all:: flogin login.gssapi flogind
-
-NormalProgramTarget(flogin,$(FLOGINOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),)
-NormalProgramTarget(login.gssapi,$(LOGINOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),)
-NormalProgramTarget(flogind,$(FLOGINDOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),)
-NormalProgramTarget(fsh,$(FSHOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),)
-NormalProgramTarget(fshd,$(FSHDOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),)
-NormalProgramTarget(fcp,$(FCPOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),)
-
-SaberProgramTarget(flogin, $(FLOGINSRCS), $(FLOGINOBJS),
- $(DEPLIBS) $(LOCAL_LIBRARIES),)
-SaberProgramTarget(login.gssapi, $(LOGINSRCS), $(LOGINOBJS),
- $(DEPLIBS) $(LOCAL_LIBRARIES),)
-SaberProgramTarget(flogind, $(FLOGINDSRCS), $(FLOGINDOBJS),
- $(DEPLIBS) $(LOCAL_LIBRARIES),)
-SaberProgramTarget(fsh, $(FSHSRCS), $(FSHOBJS),
- $(DEPLIBS) $(LOCAL_LIBRARIES),)
-SaberProgramTarget(fshd, $(FSHDSRCS), $(FSHDOBJS),
- $(DEPLIBS) $(LOCAL_LIBRARIES),)
-SaberProgramTarget(fcp, $(FCPSRCS), $(FCPOBJS),
- $(DEPLIBS) $(LOCAL_LIBRARIES),)
-
-DependTarget()
+++ /dev/null
-Received: by E40-PO.MIT.EDU (5.45/4.7) id AA17675; Fri, 24 May 91 14:58:47 EDT
-Received: from uucp-gw-1.pa.dec.com by ATHENA.MIT.EDU with SMTP
- id AA18573; Fri, 24 May 91 14:58:33 EDT
-Received: by uucp-gw-1.pa.dec.com; id AA01785; Fri, 24 May 91 11:56:31 -0700
-Received: by sejour.lkg.dec.com (5.57/Ultrix4.0)
- id AA15569; Fri, 24 May 91 15:00:01 -0400
-Message-Id: <9105241900.AA15569@sejour.lkg.dec.com>
-To: tytso@ATHENA.MIT.EDU
-Cc: kannan@sejour.lkg.dec.com
-Subject: GSS API for SPX ready for testing
-Date: Fri, 24 May 91 15:00:00 EDT
-From: kannan@sejour.lkg.dec.com
-
-Ted,
-
-I have completed the initial implementation of the GSS API for the SPX
-mechanism and I've modified the flogin program to use this new
-interface. My "standard" GSS library includes the following routines:
-
-/*
- * Offering "standard" GSS API for following mechanism(s) : SPX
- *
- * Supported jacket routines :
- *
- * gss_acquire_cred Assume a global identity
- *
- * gss_release_cred Discard credentials
- *
- * gss_init_sec_context Initiate a security context with a
- * peer application
- *
- * gss_accept_sec_context Accept a security context from a
- * peer application
- *
- * gss_display_status Convert an API status code to text
- *
- * gss_indicate_mechs Determine underlying mechanism
- *
- * gss_display_name Convert opaque name to text
- *
- * gss_import_name Convert a textual name to API-format
- *
- * gss_release_name Deallocate API internal name
- *
- * gss_release_buffer Deallocate a buffer descriptor
- *
- * gss_release_oid_set Deallocate a set of object identifiers
- *
- * Unofficial jacket routines :
- *
- * gss__stash_default_cred Bind credential handle as default
- *
- * gss__check_authorization Check authorization rights for principal
- *
- */
-
-As you can tell, I have two unofficial routines referred to as "gss__"
-instead of "gss_".
-
-The first, gss__stash_default_cred will set the specified credential as
-the default for a process. After calling this routine, GSS_C_NULL_CREDENTIAL
-can be used by the calling application to reference the stashed credentials.
-Note, if GSS_C_NULL_CREDENTIAL is passed to this routine, success is returned.
-
-/*
- * WARNING: UNOFFICIAL GSSAPI ROUTINE!!
- *
- * gss__stash_default_cred() - Allows remote peer to bind delegated credential
- * handle with remote application. Called by applications to set the
- * delegated credentials as the default credentials for a process.
- *
- * OM_uint32 *minor_status (output) - mechanism specific status code
- * gss_cred_id_t delegated_cred_handle (input) - handle for credentials
- * received from context initiator.
- *
- */
-
-The second, gss__check_authorization is a bit more controversial. This
-routine will check access rights for a principal against an ACL file.
-I've added a few additional arguments to make this routine more robust
-so that access control decisions can be based on a per service and
-possible per resource basis.
-
-/*
- * WARNING: UNOFFICIAL GSSAPI ROUTINE!!
- *
- * gss__check_authorization() - Check authorization rights for principal
- * using the ACL file specified.
- *
- * OM_uint32 *minor_status (output) - mechanism specific status code
- * gss_buffer_t fullname_buffer (input) - principal's printable name
- * gss_buffer_t luser_buffer (input) - local user name
- * gss_buffer_t acl_file_buffer (input) - acl file name
- * gss_buffer_t service_buffer (input) - service name
- * int access_mode (input) - type of access (rwx, etc.)
- * gss_buffer_t resource_buffer (input) - resource name
- *
- */
-
-I've also defined 3 unofficial constants to describe the access modes.
-
-#define GSS_C_READ (1 << 0)
-#define GSS_C_WRITE (1 << 1)
-#define GSS_C_EXECUTE (1 << 2)
-
-You look at the application source code to see how these routines are
-being used. The next message will contain the following files:
-
- - Makefile, flogin.c fcmd.c flogind.c login.c
-
-Talk to you later.
-
- -kannan
-
+++ /dev/null
-# Makefile generated by imake - do not edit!
-# $XConsortium: imake.c,v 1.51 89/12/12 12:37:30 jim Exp $
-
-# $Source$
-# $Author$
-# $Id$
-#
-
-###########################################################################
-# Makefile generated from "Imake.tmpl" and </tmp/IIf.002934>
-# $XConsortium: Imake.tmpl,v 1.77 89/12/18 17:01:37 jim Exp $
-#
-# Platform-specific parameters may be set in the appropriate .cf
-# configuration files. Site-wide parameters may be set in the file
-# site.def. Full rebuilds are recommended if any parameters are changed.
-#
-# If your C preprocessor doesn't define any unique symbols, you'll need
-# to set BOOTSTRAPCFLAGS when rebuilding imake (usually when doing
-# "make Makefile", "make Makefiles", or "make World").
-#
-# If you absolutely can't get imake to work, you'll need to set the
-# variables at the top of each Makefile as well as the dependencies at the
-# bottom (makedepend will do this automatically).
-#
-
-###########################################################################
-# platform-specific configuration parameters - edit vaxbsd.cf to change
-
-# $Source$
-# $Author$
-# $Id$
-#
-
-###########################################################################
-# site-specific configuration parameters - edit site.def to change
-
-# $Source$
-# $Author$
-# $Id$
-#
-
-# site: $XConsortium: site.def,v 1.21 89/12/06 11:46:50 jim Exp $
-
- SHELL = /bin/sh
-
- TOP = ../../../.
- CURRENT_DIR = ./lib/gssapi/sample
-
- AR = ar cq
- BOOTSTRAPCFLAGS =
- CC = gcc -fstrength-reduce -fpcc-struct-return -pedantic -ansi -Wall -Dunix -Dvax
-
- COMPRESS = compress
- CPP = /lib/cpp $(STD_CPP_DEFINES)
- PREPROCESSCMD = gcc -fstrength-reduce -fpcc-struct-return -pedantic -ansi -Wall -Dunix -Dvax -E $(STD_CPP_DEFINES)
- INSTALL = install
- LD = ld
- LDLOCATIONS =
- LINT = lint
- LINTLIBFLAG = -C
- LINTOPTS = -axz
- LN = ln -s
- MAKE = make
- MV = mv
- CP = cp
- RANLIB = ranlib
- RANLIBINSTFLAGS =
- RM = rm -f
- STD_INCLUDES =
- STD_CPP_DEFINES =
- STD_DEFINES =
- SABER_DEFINES = -I/mit/gnu/vaxlib/gcc-include -Dconst=
- EXTRA_LOAD_FLAGS = -Z
- EXTRA_LIBRARIES =
- TAGS = ctags
- ETAGS = etags
-STDC_TOP_INCLUDES = -I$(TOP)/include/stdc-incl
-
- SIGNAL_DEFINES = -DSIGNALRETURNSINT
-
- INSTPGMFLAGS = -s
-
- INSTSCRFLAGS =
- INSTBINFLAGS = -m 0755
- INSTUIDFLAGS = -o root -m 4755
- INSTLIBFLAGS = -m 0664
- INSTINCFLAGS = -m 0444
- INSTMANFLAGS = -m 0444
- INSTDATFLAGS = -m 0444
- INSTKMEMFLAGS = -o root -m 4755
-
- DESTDIR =
-
- TOP_INCLUDES = -I$(TOP)
-
- CDEBUGFLAGS = -O
- CCOPTIONS =
- COMPATFLAGS =
-
- ALLINCLUDES = $(INCLUDES) $(STD_INCLUDES) $(TOP_INCLUDES) $(EXTRA_INCLUDES)
- ALLDEFINES = $(ALLINCLUDES) $(STD_DEFINES) $(PROTO_DEFINES) $(DEFINES) $(COMPATFLAGS)
- CFLAGS = $(CDEBUGFLAGS) $(CCOPTIONS) $(ALLDEFINES)
- LINTFLAGS = $(LINTOPTS) -DLINT $(ALLDEFINES)
- LDLIBS = $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
- LDOPTIONS = $(CDEBUGFLAGS) $(CCOPTIONS) $(LDLOCATIONS)
- LDCOMBINEFLAGS = -X -r
- MDFLAGS = -D__STDC__ -I/mit/gnu/vaxlib/gcc-include
-
- MACROFILE = vaxbsd.cf
- RM_CMD = $(RM) *.CKP *.ln *.BAK *.bak *.o core errs ,* *~ *.a .emacs_* tags TAGS make.log MakeOut
-
- IMAKE_DEFINES =
-
- IRULESRC = $(CONFIGSRC)
-
- IMAKE_CMD = $(IMAKE) -I$(NEWTOP)$(IRULESRC) $(IMAKE_DEFINES)
-
- ICONFIGFILES = $(IRULESRC)/Imake.tmpl $(IRULESRC)/Imake.rules \
- $(IRULESRC)/Project.tmpl $(IRULESRC)/site.def \
- $(IRULESRC)/$(MACROFILE) $(EXTRA_ICONFIGFILES)
-
-# Kerberos version 5 Build Parameters
-#
-# $Source$
-# $Author$
-# $Id$
-
-P_TERMIOS=-UHasPosixTermiosTrue
-
-P_FLOCKS=-UHasPosixFileLocksTrue
-
-P_TYPES=-UHasPosixTypesTrue
-
-P_SIGTYPE=-UHasVoidSignalReturnTrue
-
-P_STRINGH=-DHasStringHTrue
-
-P_BITSIZE=-DBitsize32 -UBitsize16 -UBitsize64
-
-P_DBM=-DHasNdbmTrue
-
-P_INET=-DHasInetTrue
-
-P_STDLIBH=-UHasStdlibHTrue -UForceStdlibH
-
-P_TIME_DEFS=-DUseSysTimeH -UUseTimeH
-
-P_PROTOS=-UProvidePrototypes
-
-P_NPROTO=-UUseNarrowPrototypes
-
-P_STDARG=-UUseStdarg
-
- ARADD = ar cruv
- TOP_INCLUDES = -I$(TOP)/include $(STDC_TOP_INCLUDES)
- CONFIGSRC = $(TOP)/config
- ISODE = /mit/isode/isode-6.8
- PSYFLAGS = -f -h0 -a -s
- PEPSY = $(ISODE)/@sys/bin/pepsy
- TOUCH = touch
- IMAKE = imake
- DEPEND = makedepend
- UNIFDEF = unifdef
- HESDEFS = -DHESIOD
- HESLIBS = -lhesiod
-
- PROCESS_DEFINES = $(P_TERMIOS) $(P_FLOCKS) $(P_TYPES) $(P_SIGTYPE) $(P_STRINGH) $(P_BITSIZE) $(P_DBM) $(P_INET) $(P_STDLIBH) $(P_TIME_DEFS) $(P_PROTOS) $(P_NPROTO) $(P_STDARG) -DUnifdefRan
- DESDEFINES = -DBIG -DLSBFIRST
- TOPLIBD = $(TOP)/lib
- OSLIB = os
- OSDEPLIB = $(TOPLIBD)/libos.a
- DESLIB = des5
- DESDEPLIB = $(TOPLIBD)/libdes5.a
- RSAMD4LIB = md4
- RSAMD4DEPLIB = $(TOPLIBD)/libmd4.a
- KRB5LIB = krb5
- KRB5DEPLIB = $(TOPLIBD)/libkrb5.a
- CRCLIB = crc32
- CRCDEPLIB = $(TOPLIBD)/libcrc32.a
- ISODELIB = -L/mit/isode/isode-6.8/@sys/lib -lisode
-
- DBMLIB =
- DEPKLIB = $(KRB5DEPLIB) $(DESDEPLIB) $(OSDEPLIB)
- KLIBLOC = -L$(TOPLIBD)
- KLIB = $(KLIBLOC) -l$(KRB5LIB) -l$(DESLIB) -l$(OSLIB) $(ISODELIB) $(COMERRLIB) $(DBMLIB)
- KDBDEPLIB = $(TOPLIBD)/libkdb.a
- KDBLIB = $(KLIBLOC) -lkdb
- KRB425DEPLIB = $(TOPLIBD)/libkrb425.a
- KRB425LIB = krb425
- DES425DEPLIB = $(TOPLIBD)/libdes425.a
- DES425LIB = des425
- KRB4LIB = -lkrb $(KLIBLOC) -l$(DES425LIB)
- KRB4INCLUDES = -I$(TOP)/include/kerberosIV
- KRB4DEPLIB = $(DES425DEPLIB)
-
- SSLIB = -lss
- MK_CMDS = mk_cmds
- COMERRLIB = -lcom_err
- COMPILE_ET = compile_et
-
- ADMIN_BINDIR = /krb5/admin
- ADMIN_MANSUFFIX = 8
- ADMIN_MANDIR = /krb5/man/man8
- SERVER_BINDIR = /krb5/sbin
- SERVER_MANSUFFIX = 8
- SERVER_MANDIR = /krb5/man/man8
- CLIENT_BINDIR = /krb5/bin
- CLIENT_MANSUFFIX = 1
- CLIENT_MANDIR = /krb5/man/man1
-
-# $Source$
-# $Author$
-# $Id$
-#
-
-###########################################################################
-# Imake rules for building libraries, programs, scripts, and data files
-# rules: $XConsortium: Imake.rules,v 1.67 89/12/18 17:14:15 jim Exp $
-
-###########################################################################
-# start of Imakefile
-
-# $Source$
-# $Author$
-# $Id$
-#
-# Copyright 1991 by the Massachusetts Institute of Technology.
-# All Rights Reserved.
-#
-# For copying and distribution information, please see the file
-# <krb5/copyright.h>.
-#
-
- DEPLIBS = $(DEPKLIB) ../libgssapi.a
-LOCAL_LIBRARIES = $(KLIB) ../libgssapi.a
- DEFINES = -DDEBUG
-
-SRCS = flogin.c fcmd.c flogind.c fsh.c fcp.c login.c logutil.c
-OBJS = flogin.o fcmd.o flogind.o fsh.o fcp.o login.o logutil.o
-
-FLOGINSRCS = flogin.c fcmd.c
-FLOGINOBJS = flogin.o fcmd.o
-
-LOGINSRCS = login.c logutil.c
-LOGINOBJS = login.o logutil.o
-
-FLOGINDSRCS = flogind.c logutil.c
-FLOGINDOBJS = flogind.o logutil.o
-
-FSHSRCS = fsh.c fcmd.c
-FSHOBJS = fsh.o fcmd.o
-
-FSHDSRCS = fshd.c
-FSHDOBJS = fshd.o
-
-FCPSRCS = fcp.c fcmd.c
-FCPOBJS = fcp.o fcmd.o
-
-all:: flogin login.gssapi flogind
-
-flogin: $(FLOGINOBJS) $(DEPLIBS)
- $(RM) $@
- $(CC) -o $@ $(FLOGINOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS)
-
-clean::
- $(RM) flogin
-
-login.gssapi: $(LOGINOBJS) $(DEPLIBS)
- $(RM) $@
- $(CC) -o $@ $(LOGINOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS)
-
-clean::
- $(RM) login.gssapi
-
-flogind: $(FLOGINDOBJS) $(DEPLIBS)
- $(RM) $@
- $(CC) -o $@ $(FLOGINDOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS)
-
-clean::
- $(RM) flogind
-
-fsh: $(FSHOBJS) $(DEPLIBS)
- $(RM) $@
- $(CC) -o $@ $(FSHOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS)
-
-clean::
- $(RM) fsh
-
-fshd: $(FSHDOBJS) $(DEPLIBS)
- $(RM) $@
- $(CC) -o $@ $(FSHDOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS)
-
-clean::
- $(RM) fshd
-
-fcp: $(FCPOBJS) $(DEPLIBS)
- $(RM) $@
- $(CC) -o $@ $(FCPOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS)
-
-clean::
- $(RM) fcp
-
-saber_flogin:
- #load $(ALLDEFINES) $(FLOGINSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-osaber_flogin:
- #load $(ALLDEFINES) $(FLOGINOBJS)
- $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-saber_login.gssapi:
- #load $(ALLDEFINES) $(LOGINSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-osaber_login.gssapi:
- #load $(ALLDEFINES) $(LOGINOBJS)
- $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-saber_flogind:
- #load $(ALLDEFINES) $(FLOGINDSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-osaber_flogind:
- #load $(ALLDEFINES) $(FLOGINDOBJS)
- $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-saber_fsh:
- #load $(ALLDEFINES) $(FSHSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-osaber_fsh:
- #load $(ALLDEFINES) $(FSHOBJS)
- $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-saber_fshd:
- #load $(ALLDEFINES) $(FSHDSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-osaber_fshd:
- #load $(ALLDEFINES) $(FSHDOBJS)
- $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-saber_fcp:
- #load $(ALLDEFINES) $(FCPSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-osaber_fcp:
- #load $(ALLDEFINES) $(FCPOBJS)
- $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
-
-SRCS=$(SERVERSRCS) $(CLIENTSRCS)
-
-depend::
- $(DEPEND) -s "# DO NOT DELETE" -- $(ALLDEFINES) $(MDFLAGS) -- $(SRCS)
-
-###########################################################################
-# common rules for all Makefiles - do not edit
-
-emptyrule::
-
-clean::
- $(RM_CMD) \#*
-
-Makefile:: Imakefile
- $(IMAKE_CMD) -DTOPDIR=$(TOP) -DCURDIR=$(CURRENT_DIR) -s Makefile.new
- $(MAKE) -f Makefile.new noop
- -@if [ -f Makefile ]; then \
- echo "$(RM) Makefile.bak; $(MV) Makefile Makefile.bak"; \
- $(RM) Makefile.bak; $(MV) Makefile Makefile.bak; \
- fi
- $(MV) Makefile.new Makefile
-
-noop::
-
-tags::
- $(TAGS) -w *.[ch]
- $(ETAGS) *.[ch]
-
-saber:
- #load $(ALLDEFINES) $(SABER_DEFINES) $(SRCS)
- #setopt load_flags $(ALLDEFINES) $(SABER_DEFINES)
-
-osaber:
- #load $(ALLDEFINES) $(OBJS)
-
-###########################################################################
-# empty rules for directories that do not have SUBDIRS - do not edit
-
-install::
- @echo "install in $(CURRENT_DIR) done"
-
-install.man::
- @echo "install.man in $(CURRENT_DIR) done"
-
-Makefiles::
-
-includes::
-
-###########################################################################
-# dependencies generated by makedepend
-
-# DO NOT DELETE
+++ /dev/null
-/*
- * Copyright (c) 1983 Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that: (1) source distributions retain this entire copyright
- * notice and comment, and (2) distributions including binaries display
- * the following acknowledgement: ``This product includes software
- * developed by the University of California, Berkeley and its contributors''
- * in the documentation or other materials provided with the distribution
- * and in all advertising materials mentioning features or use of this
- * software. Neither the name of the University nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)rcmd.c 5.22 (Berkeley) 6/1/90";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * 2-14-91 ka
- * Modified sources to add SPX strong authentication, called fcmd.c
- *
- * 5-24-91 ka
- * Modified sources to remove SPX and Kerberos specific authentication.
- * Replaced with GSS API
- *
- */
-
-#include <stdio.h>
-#include <ctype.h>
-#include <pwd.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/signal.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-
-#include <netinet/in.h>
-
-#include <netdb.h>
-#include <errno.h>
-
-#include <syslog.h>
-#include "gssapi_defs.h"
-
-#define START_PORT 5120
-
-#define TOKEN_MAJIC_NUMBER_BYTE0 1
-#define TOKEN_MAJIC_NUMBER_BYTE1 1
-
-extern errno;
-char *index();
-
-fcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, targetname,
-context_handle, mutual_flag, deleg_flag, debugflag)
- int *sock;
- char **ahost;
- int rport;
- char *locuser, *remuser, *cmd;
- int *fd2p;
- char *targetname;
- int *context_handle;
- int mutual_flag, deleg_flag, debugflag;
-{
- int s, timo = 1, pid;
- long oldmask;
- struct sockaddr_in sin, sin2, from;
- char c;
- int lport = START_PORT;
- struct hostent *hp;
- fd_set reads;
-
- unsigned char token[GSS_C_MAX_TOKEN], chanbinding[8];
- unsigned char *charp;
- char tokenheader[4], recv_tokenheader[4];
- int tokenlen, i, j, status = 0, hostlen, xcc, cc, mutual_len;
- int replay_flag=0, seq_flag=0;
- char mutual_resp[GSS_C_MAX_TOKEN];
- char targ_printable[GSS_C_MAX_PRINTABLE_NAME];
-/*
- * GSS API support
- */
- gss_OID actual_mech_type, output_name_type;
- gss_ctx_id_t actual_ctxhandle;
- int msg_ctx = 0, new_status;
- int req_flags = 0, ret_flags, lifetime_rec, major_status;
- gss_buffer_desc output_token, input_token, input_name_buffer;
- gss_buffer_desc output_name_buffer, status_string;
- gss_name_t desired_targname;
- gss_channel_bindings input_chan_bindings;
-
- pid = getpid();
- hp = gethostbyname(*ahost);
- if (hp == 0) {
- fprintf(stderr, "%s : unknown host\n", *ahost);
- return (-1);
- }
- *ahost = hp->h_name;
- oldmask = sigblock(sigmask(SIGURG));
- for (;;) {
- s = rresvport(&lport);
- if (s < 0) {
- if (errno == EAGAIN)
- fprintf(stderr, "socket: All ports in use\n");
- else
- perror("rcmd: socket");
- sigsetmask(oldmask);
- return (-1);
- }
- fcntl(s, F_SETOWN, pid);
- sin.sin_family = hp->h_addrtype;
- bcopy(hp->h_addr_list[0], (caddr_t)&sin.sin_addr, hp->h_length);
- sin.sin_port = rport;
- if (connect(s, (caddr_t)&sin, sizeof (sin)) >= 0)
- break;
- (void) close(s);
- if (errno == EADDRINUSE) {
- lport--;
- continue;
- }
- if (errno == ECONNREFUSED && timo <= 16) {
- sleep(timo);
- timo *= 2;
- continue;
- }
- if (hp->h_addr_list[1] != NULL) {
- int oerrno = errno;
-
- fprintf(stderr,
- "connect to address %s: ", inet_ntoa(sin.sin_addr));
- errno = oerrno;
- perror(0);
- hp->h_addr_list++;
- bcopy(hp->h_addr_list[0], (caddr_t)&sin.sin_addr,
- hp->h_length);
- fprintf(stderr, "Trying %s...\n",
- inet_ntoa(sin.sin_addr));
- continue;
- }
- perror(hp->h_name);
- sigsetmask(oldmask);
- return (-1);
- }
-
- lport--;
- if (fd2p == 0) {
- write(s, "", 1);
- lport = 0;
- } else {
- char num[8];
- int s2 = rresvport(&lport), s3;
- int len = sizeof (from);
-
- if (s2 < 0)
- goto bad;
- listen(s2, 1);
- (void) sprintf(num, "%d", lport);
- if (write(s, num, strlen(num)+1) != strlen(num)+1) {
- perror("write: setting up stderr");
- (void) close(s2);
- goto bad;
- }
- FD_ZERO(&reads);
- FD_SET(s, &reads);
- FD_SET(s2, &reads);
- errno = 0;
- if (select(32, &reads, 0, 0, 0) < 1 ||
- !FD_ISSET(s2, &reads)) {
- if (errno != 0)
- perror("select: setting up stderr");
- else
- fprintf(stderr,
- "select: protocol failure in circuit setup.\n");
- (void) close(s2);
- goto bad;
- }
- s3 = accept(s2, &from, &len);
- (void) close(s2);
- if (s3 < 0) {
- perror("accept");
- lport = 0;
- goto bad;
- }
- *fd2p = s3;
- from.sin_port = ntohs((u_short)from.sin_port);
- if (from.sin_family != AF_INET ||
- from.sin_port >= IPPORT_RESERVED) {
- fprintf(stderr,
- "socket: protocol failure in circuit setup.\n");
- goto bad2;
- }
- }
-/*
- * GSS API authentication
- * import name
- * init context
- * send token
- * if (mutual) init context
- *
- */
- {
- char myhost[32];
- char *address;
- int from_addr=0, to_addr=0, myhostlen, j;
- struct hostent *my_hp;
-
- strcpy(targ_printable, "SERVICE:rlogin@");
- strcat(targ_printable, targetname);
- if (debugflag) {
- printf("call gss_import_name for '%s'\n", targ_printable);
- }
-
- input_name_buffer.length = strlen(targ_printable);
- input_name_buffer.value = targ_printable;
-
- major_status = gss_import_name(&status,
- &input_name_buffer,
- GSS_C_NULL_OID,
- &desired_targname);
-
- major_status = gss_display_name(&status,
- desired_targname,
- &output_name_buffer,
- &output_name_type);
-
- printf("target is '%s'\n", output_name_buffer.value);
-
- major_status = gss_release_buffer(&status, &output_name_buffer);
-
- j=gethostname(myhost, sizeof(myhost));
- my_hp=gethostbyname(myhost);
- if (my_hp != 0) {
- bcopy(my_hp->h_addr_list[0],
- (caddr_t)&sin2.sin_addr, my_hp->h_length);
-#ifdef ultrix
- from_addr = sin2.sin_addr.S_un.S_addr;
-#else
- from_addr = sin2.sin_addr.s_addr;
-#endif
- from_addr = htonl(from_addr);
- }
-#ifdef ultrix
- to_addr = sin.sin_addr.S_un.S_addr;
-#else
- to_addr = sin.sin_addr.s_addr;
-#endif
- to_addr = htonl(to_addr);
-
- input_chan_bindings = (gss_channel_bindings)
- malloc(sizeof(struct gss_channel_bindings_desc));
-
- input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
- input_chan_bindings->initiator_address.length = 4;
- address = (char *) malloc(4);
- input_chan_bindings->initiator_address.value = (char *) address;
- address[0] = ((from_addr & 0xff000000) >> 24);
- address[1] = ((from_addr & 0xff0000) >> 16);
- address[2] = ((from_addr & 0xff00) >> 8);
- address[3] = (from_addr & 0xff);
- input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
- input_chan_bindings->acceptor_address.length = 4;
- address = (char *) malloc(4);
- input_chan_bindings->acceptor_address.value = (char *) address;
- address[0] = ((to_addr & 0xff000000) >> 24);
- address[1] = ((to_addr & 0xff0000) >> 16);
- address[2] = ((to_addr & 0xff00) >> 8);
- address[3] = (to_addr & 0xff);
- input_chan_bindings->application_data.length = 0;
- }
-
- req_flags = 0;
- if (deleg_flag) req_flags = req_flags | 1;
- if (mutual_flag) req_flags = req_flags | 2;
- if (replay_flag) req_flags = req_flags | 4;
- if (seq_flag) req_flags = req_flags | 8;
-
- major_status = gss_init_sec_context(&status, /* minor status */
- GSS_C_NO_CREDENTIAL, /* cred handle */
- &actual_ctxhandle, /* ctx handle */
- desired_targname, /* target name */
- GSS_C_NULL_OID, /* mech type */
- req_flags, /* req flags */
- 0, /* time req */
- input_chan_bindings, /* chan binding */
- GSS_C_NO_BUFFER, /* input token */
- &actual_mech_type, /* actual mech */
- &output_token, /* output token */
- &ret_flags, /* ret flags */
- &lifetime_rec); /* time rec */
-
-
- if ((major_status!=GSS_S_COMPLETE)&&
- (major_status!=GSS_S_CONTINUE_NEEDED)) {
- gss_display_status(&new_status,
- status,
- GSS_C_MECH_CODE,
- GSS_C_NULL_OID,
- &msg_ctx,
- &status_string);
- printf("%s\n", status_string.value);
- return(-1);
- }
-
- tokenheader[0] = TOKEN_MAJIC_NUMBER_BYTE0;
- tokenheader[1] = TOKEN_MAJIC_NUMBER_BYTE1;
- tokenheader[2] = ((output_token.length & 0xff00) >> 8);
- tokenheader[3] = (output_token.length & 0xff);
-
- j = sphinx_net_write(s, tokenheader, 4);
-
- j = sphinx_net_write(s, output_token.value, output_token.length);
-
- (void) write(s, locuser, strlen(locuser)+1);
- (void) write(s, remuser, strlen(remuser)+1);
- (void) write(s, cmd, strlen(cmd)+1);
-
- if (read(s, &c, 1) != 1) {
- perror(*ahost);
- goto bad2;
- }
-
- i = 0;
- if (major_status == GSS_S_CONTINUE_NEEDED) {
-
- xcc = 4;
- while (xcc > 0) {
- if ((cc = read(s, &recv_tokenheader[i], xcc)) < 0) {
- syslog(LOG_INFO,"read(s, recv_tokenheader, %d): %m",xcc);
- break;
- }
- i +=cc;
- xcc -= cc;
- }
-
- if ((recv_tokenheader[0] != TOKEN_MAJIC_NUMBER_BYTE0) ||
- (recv_tokenheader[1] != TOKEN_MAJIC_NUMBER_BYTE1)) {
- printf("illegal mutual response token format\n");
- syslog(LOG_INFO, "cannot go from v2.1 client to v2.0 server");
- return(-1);
- }
- xcc = recv_tokenheader[2] * 256 + recv_tokenheader[3];
-
- mutual_len = 0;
- while (xcc > 0) {
- if ((cc = read(s, &mutual_resp[mutual_len], xcc)) < 0) {
- syslog(LOG_INFO,"read(s, mutual_resp, %d): %m",xcc);
- break;
- }
- mutual_len +=cc;
- xcc -= cc;
- }
-
- input_token.length = mutual_len;
- input_token.value = mutual_resp;
-
- major_status = gss_init_sec_context(&status, /* minor status */
- GSS_C_NO_CREDENTIAL, /* cred handle */
- &actual_ctxhandle, /* ctx handle */
- desired_targname, /* target name */
- GSS_C_NULL_OID, /* mech type */
- req_flags, /* req flags */
- 0, /* time req */
- input_chan_bindings, /* chan binding */
- &input_token, /* input token */
- &actual_mech_type, /* actual mech */
- &output_token, /* output token */
- &ret_flags, /* ret flags */
- &lifetime_rec); /* time rec */
-
- if (major_status!=GSS_S_COMPLETE) {
- gss_display_status(&new_status,
- status,
- GSS_C_MECH_CODE,
- GSS_C_NULL_OID,
- &msg_ctx,
- &status_string);
- printf("%s\n", status_string.value);
- return(-1);
- }
- }
-
- major_status = gss_release_name(&status, desired_targname);
-
-#ifdef SPX_CHALLENGE
- /*
- * if trying to login to root account, make up response proving
- * that the user is interactive.
- *
- * response is the signed mutual response with the user's long term
- * private key.
- *
- */
- if (strcmp(remuser, "root")==0) {
- major_status = spx_make_response(&status,
- GSS_C_NO_CREDENTIAL,
- actual_ctxhandle,
- token,
- &tokenlen);
-
- if (major_status != GSS_S_COMPLETE) {
- gss_display_status(&new_status,
- status,
- GSS_C_MECH_CODE,
- GSS_C_NULL_OID,
- &msg_ctx,
- &status_string);
- printf("%s\n", status_string.value);
- return(-1);
- }
-
- tokenheader[0] = TOKEN_MAJIC_NUMBER_BYTE0;
- tokenheader[1] = TOKEN_MAJIC_NUMBER_BYTE1;
- tokenheader[2] = ((tokenlen & 0xff00) >> 8);
- tokenheader[3] = (tokenlen & 0xff);
-
- j = sphinx_net_write(s, tokenheader, 4);
-
- charp = token;
- j = sphinx_net_write(s, (char *)charp, tokenlen);
-
- }
-#endif /* SPX_CHALLENGE */
- *context_handle = actual_ctxhandle;
-
- if (c != 0) {
- while (read(s, &c, 1) == 1) {
- (void) write(2, &c, 1);
- if (c == '\n')
- break;
- }
- goto bad2;
- }
- sigsetmask(oldmask);
- return (s);
-bad2:
- if (lport)
- (void) close(*fd2p);
-bad:
- (void) close(s);
- sigsetmask(oldmask);
- return (-1);
-}
-
-rresvport(alport)
- int *alport;
-{
- struct sockaddr_in sin;
- int s;
-
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = INADDR_ANY;
- s = socket(AF_INET, SOCK_STREAM, 0);
- if (s < 0)
- return (-1);
- for (;;) {
- sin.sin_port = htons((u_short)*alport);
- if (bind(s, (caddr_t)&sin, sizeof (sin)) >= 0)
- return (s);
- if (errno != EADDRINUSE) {
- (void) close(s);
- return (-1);
- }
- (*alport)--;
- if (*alport == IPPORT_RESERVED/2) {
- (void) close(s);
- errno = EAGAIN; /* close */
- return (-1);
- }
- }
-}
-
-int _check_rhosts_file = 1;
-
-ruserok(rhost, superuser, ruser, luser)
- char *rhost;
- int superuser;
- char *ruser, *luser;
-{
- FILE *hostf;
- char fhost[MAXHOSTNAMELEN];
- int first = 1;
- register char *sp, *p;
- int baselen = -1;
-
- sp = rhost;
- p = fhost;
- while (*sp) {
- if (*sp == '.') {
- if (baselen == -1)
- baselen = sp - rhost;
- *p++ = *sp++;
- } else {
- *p++ = isupper(*sp) ? tolower(*sp++) : *sp++;
- }
- }
- *p = '\0';
- hostf = superuser ? (FILE *)0 : fopen("/etc/hosts.equiv", "r");
-again:
- if (hostf) {
- if (!_validuser(hostf, fhost, luser, ruser, baselen)) {
- (void) fclose(hostf);
- return(0);
- }
- (void) fclose(hostf);
- }
- if (first == 1 && (_check_rhosts_file || superuser)) {
- struct stat sbuf;
- struct passwd *pwd;
- char pbuf[MAXPATHLEN];
-
- first = 0;
- if ((pwd = getpwnam(luser)) == NULL)
- return(-1);
- (void)strcpy(pbuf, pwd->pw_dir);
- (void)strcat(pbuf, "/.rhosts");
- if ((hostf = fopen(pbuf, "r")) == NULL)
- return(-1);
- /*
- * if owned by someone other than user or root or if
- * writeable by anyone but the owner, quit
- */
- if (fstat(fileno(hostf), &sbuf) ||
- sbuf.st_uid && sbuf.st_uid != pwd->pw_uid ||
- sbuf.st_mode&022) {
- fclose(hostf);
- return(-1);
- }
- goto again;
- }
- return (-1);
-}
-
-/* don't make static, used by lpd(8) */
-_validuser(hostf, rhost, luser, ruser, baselen)
- char *rhost, *luser, *ruser;
- FILE *hostf;
- int baselen;
-{
- char *user;
- char ahost[MAXHOSTNAMELEN];
- register char *p;
-
- while (fgets(ahost, sizeof (ahost), hostf)) {
- p = ahost;
- while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') {
- *p = isupper(*p) ? tolower(*p) : *p;
- p++;
- }
- if (*p == ' ' || *p == '\t') {
- *p++ = '\0';
- while (*p == ' ' || *p == '\t')
- p++;
- user = p;
- while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0')
- p++;
- } else
- user = p;
- *p = '\0';
- if (_checkhost(rhost, ahost, baselen) &&
- !strcmp(ruser, *user ? user : luser)) {
- return (0);
- }
- }
- return (-1);
-}
-
-static
-_checkhost(rhost, lhost, len)
- char *rhost, *lhost;
- int len;
-{
- static char ldomain[MAXHOSTNAMELEN + 1];
- static char *domainp = NULL;
- static int nodomain = 0;
- register char *cp;
-
- if (len == -1)
- return(!strcmp(rhost, lhost));
- if (strncmp(rhost, lhost, len))
- return(0);
- if (!strcmp(rhost, lhost))
- return(1);
- if (*(lhost + len) != '\0')
- return(0);
- if (nodomain)
- return(0);
- if (!domainp) {
- if (gethostname(ldomain, sizeof(ldomain)) == -1) {
- nodomain = 1;
- return(0);
- }
- ldomain[MAXHOSTNAMELEN] = NULL;
- if ((domainp = index(ldomain, '.')) == (char *)NULL) {
- nodomain = 1;
- return(0);
- }
- for (cp = ++domainp; *cp; ++cp)
- if (isupper(*cp))
- *cp = tolower(*cp);
- }
- return(!strcmp(domainp, rhost + len +1));
-}
+++ /dev/null
-/*
- * Copyright (c) 1983, 1990 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted provided
- * that: (1) source distributions retain this entire copyright notice and
- * comment, and (2) distributions including binaries display the following
- * acknowledgement: ``This product includes software developed by the
- * University of California, Berkeley and its contributors'' in the
- * documentation or other materials provided with the distribution and in
- * all advertising materials mentioning features or use of this software.
- * Neither the name of the University nor the names of its contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef lint
-char copyright[] =
-"@(#) Copyright (c) 1983, 1990 The Regents of the University of California.\n\
- All rights reserved.\n";
-#endif /* not lint */
-
-#ifndef lint
-static char sccsid[] = "@(#)rlogin.c 5.29 (Berkeley) 6/27/90";
-#endif /* not lint */
-
-/*
- * $Source$
- * $Header: mit/rlogin/RCS/rlogin.c,v 5.2 89/07/26 12:11:21 kfall
- * Exp Locker: kfall $
- */
-
-/*
- * 2-14-91 ka
- * Modified sources to add SPX strong authentication, called flogin.c
- *
- * 5-24-91 ka
- * Modified sources to remove SPX and Kerberos specific authentication.
- * Replaced with GSS API
- *
- */
-
-/*
- * rlogin - remote login
- */
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/signal.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-#include <sys/wait.h>
-
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netdb.h>
-
-#include <sgtty.h>
-#include <setjmp.h>
-#include <errno.h>
-#include <pwd.h>
-#include <stdio.h>
-#ifdef ultrix
-#include <unistd.h>
-#endif
-#include <string.h>
-
-#include "gssapi_defs.h"
-
-#ifndef STDIN_FILENO
-#define STDIN_FILENO 0 /* standard in */
-#endif
-
-#define FLOGIN_PORT 221
-
-#ifndef TIOCPKT_WINDOW
-#define TIOCPKT_WINDOW 0x80
-#endif
-
-/* concession to Sun */
-#ifndef SIGUSR1
-#define SIGUSR1 30
-#endif
-
-extern int errno;
-int eight, litout, rem;
-char cmdchar;
-char *speeds[] = {
- "0", "50", "75", "110", "134", "150", "200", "300", "600", "1200",
- "1800", "2400", "4800", "9600", "19200", "38400"
-};
-
-#ifdef sun
-struct winsize {
- unsigned short ws_row, ws_col;
- unsigned short ws_xpixel, ws_ypixel;
-};
-#endif
-struct winsize winsize;
-
-#ifndef sun
-#define get_window_size(fd, wp) ioctl(fd, TIOCGWINSZ, wp)
-#endif
-
-main(argc, argv)
- int argc;
- char **argv;
-{
- extern char *optarg;
- extern int optind;
- struct passwd *pw;
- struct servent *sp;
- struct sgttyb ttyb;
- long omask;
- int argoff, ch, dflag, one, uid;
- char *host, *p, *user, term[1024];
- void lostpeer();
- char *getenv();
- int mutual_flag = 1, deleg_flag = 1, sock = 0;
- int debugflag = 0;
- gss_cred_id_t context_handle;
-
- argoff = dflag = 0;
- one = 1;
- host = user = NULL;
- cmdchar = '~';
-
- if (p = rindex(argv[0], '/'))
- ++p;
- else
- p = argv[0];
-
- /* handle "flogin host flags" */
- if (!host && argc > 2 && argv[1][0] != '-') {
- host = argv[1];
- argoff = 1;
- }
-
-#define OPTIONS "8Lde:l:vn"
-
- while ((ch = getopt(argc - argoff, argv + argoff, OPTIONS)) != EOF)
- switch(ch) {
- case '8':
- eight = 1;
- break;
- case 'L':
- litout = 1;
- break;
- case 'd':
- dflag = 1;
- break;
- case 'e':
- cmdchar = optarg[0];
- break;
- case 'l':
- user = optarg;
- break;
- case 'v':
- debugflag = 1;
- break;
- case 'n':
- deleg_flag = 0;
- break;
- case '?':
- default:
- usage();
- }
- optind += argoff;
- argc -= optind;
- argv += optind;
-
- /* if haven't gotten a host yet, do so */
- if (!host && !(host = *argv++))
- usage();
-
- if (*argv)
- usage();
-
- if (!(pw = getpwuid(uid = getuid()))) {
- (void)fprintf(stderr, "flogin: unknown user id.\n");
- exit(1);
- }
- if (!user)
- user = pw->pw_name;
-
- sp = NULL;
-
- /*
- * if remote login to root account, force no delegation
- */
- if (strcmp(user, "root")==0) deleg_flag=0;
- sp = getservbyname("flogin", "tcp");
- if (sp == NULL) {
- sp = (struct servent *) malloc(sizeof(struct servent));
- sp->s_port = htons(FLOGIN_PORT);
- }
-
- if (sp == NULL)
- sp = getservbyname("login", "tcp");
- if (sp == NULL) {
- (void)fprintf(stderr, "rlogin: login/tcp: unknown service.\n");
- exit(1);
- }
-
- (void)strcpy(term, (p = getenv("TERM")) ? p : "network");
- if (ioctl(0, TIOCGETP, &ttyb) == 0) {
- (void)strcat(term, "/");
- (void)strcat(term, speeds[ttyb.sg_ospeed]);
- }
-
- (void)get_window_size(0, &winsize);
-
- (void)signal(SIGPIPE, lostpeer);
- /* will use SIGUSR1 for window size hack, so hold it off */
- omask = sigblock(sigmask(SIGURG) | sigmask(SIGUSR1));
-
- rem = fcmd(&sock, &host, sp->s_port, pw->pw_name,
- user, term, 0, host, &context_handle,
- mutual_flag, deleg_flag, debugflag);
-
- if (rem < 0)
- exit(1);
-
- if (dflag &&
- setsockopt(rem, SOL_SOCKET, SO_DEBUG, &one, sizeof(one)) < 0)
- (void)fprintf(stderr, "flogin: setsockopt: errno %d.\n",
- errno);
-
- (void)setuid(uid);
- doit(omask);
- /*NOTREACHED*/
-}
-
-int child, defflags, deflflags, tabflag;
-char deferase, defkill;
-struct tchars deftc;
-struct ltchars defltc;
-struct tchars notc = { -1, -1, -1, -1, -1, -1 };
-struct ltchars noltc = { -1, -1, -1, -1, -1, -1 };
-
-doit(omask)
- long omask;
-{
- struct sgttyb sb;
- void catch_child(), copytochild(), exit(), writeroob();
-
- (void)ioctl(0, TIOCGETP, (char *)&sb);
- defflags = sb.sg_flags;
- tabflag = defflags & TBDELAY;
- defflags &= ECHO | CRMOD;
- deferase = sb.sg_erase;
- defkill = sb.sg_kill;
- (void)ioctl(0, TIOCLGET, (char *)&deflflags);
- (void)ioctl(0, TIOCGETC, (char *)&deftc);
- notc.t_startc = deftc.t_startc;
- notc.t_stopc = deftc.t_stopc;
- (void)ioctl(0, TIOCGLTC, (char *)&defltc);
- (void)signal(SIGINT, SIG_IGN);
- setsignal(SIGHUP, exit);
- setsignal(SIGQUIT, exit);
- child = fork();
- if (child == -1) {
- (void)fprintf(stderr, "rlogin: fork: errno %d.\n", errno);
- done(1);
- }
- if (child == 0) {
- mode(1);
- if (reader(omask) == 0) {
- msg("connection closed.");
- exit(0);
- }
- sleep(1);
- msg("\007connection closed.");
- exit(1);
- }
-
- /*
- * We may still own the socket, and may have a pending SIGURG (or might
- * receive one soon) that we really want to send to the reader. Set a
- * trap that simply copies such signals to the child.
- */
- (void)signal(SIGURG, copytochild);
- (void)signal(SIGUSR1, writeroob);
- (void)sigsetmask(omask);
- (void)signal(SIGCHLD, catch_child);
- writer();
- msg("closed connection.");
- done(0);
-}
-
-/* trap a signal, unless it is being ignored. */
-setsignal(sig, act)
- int sig;
- void (*act)();
-{
- int omask = sigblock(sigmask(sig));
-
- if (signal(sig, act) == SIG_IGN)
- (void)signal(sig, SIG_IGN);
- (void)sigsetmask(omask);
-}
-
-done(status)
- int status;
-{
- int w;
-
- mode(0);
- if (child > 0) {
- /* make sure catch_child does not snap it up */
- (void)signal(SIGCHLD, SIG_DFL);
- if (kill(child, SIGKILL) >= 0)
- while ((w = wait((union wait *)0)) > 0 && w != child);
- }
- exit(status);
-}
-
-int dosigwinch;
-
-/*
- * This is called when the reader process gets the out-of-band (urgent)
- * request to turn on the window-changing protocol.
- */
-void
-writeroob()
-{
- void sigwinch();
-
- if (dosigwinch == 0) {
- sendwindow();
- (void)signal(SIGWINCH, sigwinch);
- }
- dosigwinch = 1;
-}
-
-void
-catch_child()
-{
- union wait status;
- int pid;
-
- for (;;) {
- pid = wait3(&status, WNOHANG|WUNTRACED, (struct rusage *)0);
- if (pid == 0)
- return;
- /* if the child (reader) dies, just quit */
- if (pid < 0 || pid == child && !WIFSTOPPED(status))
- done((int)(status.w_termsig | status.w_retcode));
- }
- /* NOTREACHED */
-}
-
-/*
- * writer: write to remote: 0 -> line.
- * ~. terminate
- * ~^Z suspend rlogin process.
- * ~^Y suspend rlogin process, but leave reader alone.
- */
-writer()
-{
- char c;
- register int bol, local, n;
-
- bol = 1; /* beginning of line */
- local = 0;
- for (;;) {
- n = read(STDIN_FILENO, &c, 1);
- if (n <= 0) {
- if (n < 0 && errno == EINTR)
- continue;
- break;
- }
- /*
- * If we're at the beginning of the line and recognize a
- * command character, then we echo locally. Otherwise,
- * characters are echo'd remotely. If the command character
- * is doubled, this acts as a force and local echo is
- * suppressed.
- */
- if (bol) {
- bol = 0;
- if (c == cmdchar) {
- bol = 0;
- local = 1;
- continue;
- }
- } else if (local) {
- local = 0;
- if (c == '.' || c == deftc.t_eofc) {
- echo(c);
- break;
- }
- if (c == defltc.t_suspc || c == defltc.t_dsuspc) {
- bol = 1;
- echo(c);
- stop(c);
- continue;
- }
- if (c != cmdchar) {
- (void)write(rem, &cmdchar, 1);
- }
- }
-
- if (write(rem, &c, 1) == 0) {
- msg("line gone");
- break;
- }
- bol = c == defkill || c == deftc.t_eofc ||
- c == deftc.t_intrc || c == defltc.t_suspc ||
- c == '\r' || c == '\n';
- }
-}
-
-echo(c)
-register char c;
-{
- register char *p;
- char buf[8];
-
- p = buf;
- c &= 0177;
- *p++ = cmdchar;
- if (c < ' ') {
- *p++ = '^';
- *p++ = c + '@';
- } else if (c == 0177) {
- *p++ = '^';
- *p++ = '?';
- } else
- *p++ = c;
- *p++ = '\r';
- *p++ = '\n';
- (void)write(1, buf, p - buf);
-}
-
-stop(cmdc)
- char cmdc;
-{
- mode(0);
- (void)signal(SIGCHLD, SIG_IGN);
- (void)kill(cmdc == defltc.t_suspc ? 0 : getpid(), SIGTSTP);
- (void)signal(SIGCHLD, catch_child);
- mode(1);
- sigwinch(); /* check for size changes */
-}
-
-void
-sigwinch()
-{
- struct winsize ws;
-
- if (dosigwinch && get_window_size(0, &ws) == 0 &&
- bcmp(&ws, &winsize, sizeof(ws))) {
- winsize = ws;
- sendwindow();
- }
-}
-
-/*
- * Send the window size to the server via the magic escape
- */
-sendwindow()
-{
- struct winsize *wp;
- char obuf[4 + sizeof (struct winsize)];
-
- wp = (struct winsize *)(obuf+4);
- obuf[0] = 0377;
- obuf[1] = 0377;
- obuf[2] = 's';
- obuf[3] = 's';
- wp->ws_row = htons(winsize.ws_row);
- wp->ws_col = htons(winsize.ws_col);
- wp->ws_xpixel = htons(winsize.ws_xpixel);
- wp->ws_ypixel = htons(winsize.ws_ypixel);
-
- (void)write(rem, obuf, sizeof(obuf));
-}
-
-/*
- * reader: read from remote: line -> 1
- */
-#define READING 1
-#define WRITING 2
-
-jmp_buf rcvtop;
-int ppid, rcvcnt, rcvstate;
-char rcvbuf[8 * 1024];
-
-void
-oob()
-{
- struct sgttyb sb;
- int atmark, n, out, rcvd;
- char waste[BUFSIZ], mark;
-
- out = O_RDWR;
- rcvd = 0;
- while (recv(rem, &mark, 1, MSG_OOB) < 0)
- switch (errno) {
- case EWOULDBLOCK:
- /*
- * Urgent data not here yet. It may not be possible
- * to send it yet if we are blocked for output and
- * our input buffer is full.
- */
- if (rcvcnt < sizeof(rcvbuf)) {
- n = read(rem, rcvbuf + rcvcnt,
- sizeof(rcvbuf) - rcvcnt);
- if (n <= 0)
- return;
- rcvd += n;
- } else {
- n = read(rem, waste, sizeof(waste));
- if (n <= 0)
- return;
- }
- continue;
- default:
- return;
- }
- if (mark & TIOCPKT_WINDOW) {
- /* Let server know about window size changes */
- (void)kill(ppid, SIGUSR1);
- }
- if (!eight && (mark & TIOCPKT_NOSTOP)) {
- (void)ioctl(0, TIOCGETP, (char *)&sb);
- sb.sg_flags &= ~CBREAK;
- sb.sg_flags |= RAW;
- (void)ioctl(0, TIOCSETN, (char *)&sb);
- notc.t_stopc = -1;
- notc.t_startc = -1;
- (void)ioctl(0, TIOCSETC, (char *)¬c);
- }
- if (!eight && (mark & TIOCPKT_DOSTOP)) {
- (void)ioctl(0, TIOCGETP, (char *)&sb);
- sb.sg_flags &= ~RAW;
- sb.sg_flags |= CBREAK;
- (void)ioctl(0, TIOCSETN, (char *)&sb);
- notc.t_stopc = deftc.t_stopc;
- notc.t_startc = deftc.t_startc;
- (void)ioctl(0, TIOCSETC, (char *)¬c);
- }
- if (mark & TIOCPKT_FLUSHWRITE) {
- (void)ioctl(1, TIOCFLUSH, (char *)&out);
- for (;;) {
- if (ioctl(rem, SIOCATMARK, &atmark) < 0) {
- (void)fprintf(stderr, "rlogin: ioctl: errno %d.\n",
- errno);
- break;
- }
- if (atmark)
- break;
- n = read(rem, waste, sizeof (waste));
- if (n <= 0)
- break;
- }
- /*
- * Don't want any pending data to be output, so clear the recv
- * buffer. If we were hanging on a write when interrupted,
- * don't want it to restart. If we were reading, restart
- * anyway.
- */
- rcvcnt = 0;
- longjmp(rcvtop, 1);
- }
-
- /* oob does not do FLUSHREAD (alas!) */
-
- /*
- * If we filled the receive buffer while a read was pending, longjmp
- * to the top to restart appropriately. Don't abort a pending write,
- * however, or we won't know how much was written.
- */
- if (rcvd && rcvstate == READING)
- longjmp(rcvtop, 1);
-}
-
-/* reader: read from remote: line -> 1 */
-reader(omask)
- int omask;
-{
- void oob();
-
-#if !defined(BSD) || BSD < 43
- int pid = -getpid();
-#else
- int pid = getpid();
-#endif
- int n, remaining;
- char *bufp = rcvbuf;
-
- (void)signal(SIGTTOU, SIG_IGN);
- (void)signal(SIGURG, oob);
- ppid = getppid();
- (void)fcntl(rem, F_SETOWN, pid);
- (void)setjmp(rcvtop);
- (void)sigsetmask(omask);
- for (;;) {
- while ((remaining = rcvcnt - (bufp - rcvbuf)) > 0) {
- rcvstate = WRITING;
- n = write(1, bufp, remaining);
- if (n < 0) {
- if (errno != EINTR)
- return(-1);
- continue;
- }
- bufp += n;
- }
- bufp = rcvbuf;
- rcvcnt = 0;
- rcvstate = READING;
-
- rcvcnt = read(rem, rcvbuf, sizeof (rcvbuf));
- if (rcvcnt == 0)
- return (0);
- if (rcvcnt < 0) {
- if (errno == EINTR)
- continue;
- (void)fprintf(stderr, "rlogin: read: errno %d.\n",
- errno);
- return(-1);
- }
- }
-}
-
-mode(f)
-{
- struct ltchars *ltc;
- struct sgttyb sb;
- struct tchars *tc;
- int lflags;
-
- (void)ioctl(0, TIOCGETP, (char *)&sb);
- (void)ioctl(0, TIOCLGET, (char *)&lflags);
- switch(f) {
- case 0:
- sb.sg_flags &= ~(CBREAK|RAW|TBDELAY);
- sb.sg_flags |= defflags|tabflag;
- tc = &deftc;
- ltc = &defltc;
- sb.sg_kill = defkill;
- sb.sg_erase = deferase;
- lflags = deflflags;
- break;
- case 1:
- sb.sg_flags |= (eight ? RAW : CBREAK);
- sb.sg_flags &= ~defflags;
- /* preserve tab delays, but turn off XTABS */
- if ((sb.sg_flags & TBDELAY) == XTABS)
- sb.sg_flags &= ~TBDELAY;
- tc = ¬c;
- ltc = &noltc;
- sb.sg_kill = sb.sg_erase = -1;
- if (litout)
- lflags |= LLITOUT;
- break;
- default:
- return;
- }
- (void)ioctl(0, TIOCSLTC, (char *)ltc);
- (void)ioctl(0, TIOCSETC, (char *)tc);
- (void)ioctl(0, TIOCSETN, (char *)&sb);
- (void)ioctl(0, TIOCLSET, (char *)&lflags);
-}
-
-void
-lostpeer()
-{
- (void)signal(SIGPIPE, SIG_IGN);
- msg("\007connection closed.");
- done(1);
-}
-
-/* copy SIGURGs to the child process. */
-void
-copytochild()
-{
- (void)kill(child, SIGURG);
-}
-
-msg(str)
- char *str;
-{
- (void)fprintf(stderr, "flogin: %s\r\n", str);
-}
-
-warning(msg)
-char *msg;
-{
- (void) fprintf(stderr, msg);
- fflush(stderr);
-}
-
-
-usage()
-{
- (void)fprintf(stderr,
- "usage: rlogin [ -%s]%s[-e char] [ -l username ] host\n",
- "8L", " ");
- exit(1);
-}
-
-/*
- * The following routine provides compatibility (such as it is) between 4.2BSD
- * Suns and others. Suns have only a `ttysize', so we convert it to a winsize.
- */
-#ifdef sun
-int
-get_window_size(fd, wp)
- int fd;
- struct winsize *wp;
-{
- struct ttysize ts;
- int error;
-
- if ((error = ioctl(0, TIOCGSIZE, &ts)) != 0)
- return(error);
- wp->ws_row = ts.ts_lines;
- wp->ws_col = ts.ts_cols;
- wp->ws_xpixel = 0;
- wp->ws_ypixel = 0;
- return(0);
-}
-#endif
+++ /dev/null
-/*
- * Copyright (c) 1983 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef lint
-char copyright[] =
-"@(#) Copyright (c) 1983 The Regents of the University of California.\n\
- All rights reserved.\n";
-#endif /* not lint */
-
-#ifndef lint
-static char sccsid[] = "@(#)rlogind.c 5.17 (Berkeley) 8/31/88";
-#endif /* not lint */
-
-/*
- * remote login server:
- * remuser\0
- * locuser\0
- * terminal info\0
- * data
- */
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/wait.h>
-#include <sys/file.h>
-
-#include <netinet/in.h>
-
-#include <errno.h>
-#include <pwd.h>
-#include <signal.h>
-#include <sgtty.h>
-#include <netdb.h>
-#include <syslog.h>
-#include <strings.h>
-
-#define LOGIN_PROGRAM "/usr/etc/login.sphinx"
-
-#define des_read read
-#define des_write write
-
-# ifndef TIOCPKT_WINDOW
-# define TIOCPKT_WINDOW 0x80
-# endif TIOCPKT_WINDOW
-
-extern int errno;
-int reapchild();
-struct passwd *getpwnam();
-char *malloc();
-
-int Pfd;
-
-/* ARGSUSED */
-main(argc, argv)
- int argc;
- char **argv;
-{
- int on = 1, fromlen;
- struct sockaddr_in from;
-
- fromlen = sizeof (from);
- if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
- fprintf(stderr, "%s: ", argv[0]);
- perror("getpeername");
- _exit(1);
- }
- if (setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof (on)) < 0) {
- syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
- }
- doit(0, &from);
-}
-
-int child;
-int cleanup();
-int netf;
-char *line;
-extern char *inet_ntoa();
-
-struct winsize win = { 0, 0, 0, 0 };
-
-
-doit(f, fromp)
- int f;
- struct sockaddr_in *fromp;
-{
- int i, p, t, pid, on = 1;
- int pipes[2];
-
- register struct hostent *hp;
- struct hostent hostent;
- char c;
-
- alarm(60);
- read(f, &c, 1);
- if (c != 0)
- exit(1);
- alarm(0);
- fromp->sin_port = ntohs((u_short)fromp->sin_port);
- hp = gethostbyaddr(&fromp->sin_addr, sizeof (struct in_addr),
- fromp->sin_family);
- if (hp == 0) {
- /*
- * Only the name is used below.
- */
- hp = &hostent;
- hp->h_name = inet_ntoa(fromp->sin_addr);
- }
-
- if (fromp->sin_family != AF_INET ||
- fromp->sin_port < IPPORT_RESERVED)
- fatal(f, "Permission denied");
-
- write(f, "", 1);
- for (c = 'p'; c <= 's'; c++) {
- struct stat stb;
- line = "/dev/ptyXX";
- line[strlen("/dev/pty")] = c;
- line[strlen("/dev/ptyp")] = '0';
- if (stat(line, &stb) < 0)
- break;
- for (i = 0; i < 16; i++) {
- line[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
- p = open(line, O_RDWR);
- if (p > 0)
- goto gotpty;
- }
- }
- fatal(f, "Out of ptys");
- /*NOTREACHED*/
-gotpty:
- (void) ioctl(p, TIOCSWINSZ, &win);
- netf = f;
- line[strlen("/dev/")] = 't';
- t = open(line, O_RDWR);
- if (t < 0)
- fatalperror(f, line);
- if (fchmod(t, 0))
- fatalperror(f, line);
- (void)signal(SIGHUP, SIG_IGN);
- vhangup();
- (void)signal(SIGHUP, SIG_DFL);
- t = open(line, O_RDWR);
- if (t < 0)
- fatalperror(f, line);
- {
- struct sgttyb b;
-
- (void)ioctl(t, TIOCGETP, &b);
- b.sg_flags = RAW|ANYP;
- (void)ioctl(t, TIOCSETP, &b);
- }
-#ifdef DEBUG
- {
- int tt = open("/dev/tty", O_RDWR);
- if (tt > 0) {
- (void) ioctl(tt, TIOCNOTTY, 0);
- (void) close(tt);
- }
- }
-#endif
- t = open(line, 2);
- if (t < 0)
- fatalperror(f, line, errno);
- { struct sgttyb b;
- gtty(t, &b); b.sg_flags = RAW|ANYP; stty(t, &b);
- }
-
- if (pipe(pipes) < 0) {
- fatalperror(2, "pipe", errno);
- }
-
- pid = fork();
- if (pid < 0)
- fatalperror(f, "", errno);
- if (pid == 0) {
- close(f), close(p);
- close(pipes[1]);
- dup2(t, 0), dup2(t, 1), dup2(t, 2);
- if (pipes[0] != 3) { dup2(pipes[0], 3); close(pipes[0]); }
- close(t);
-
- /* Under Ultrix 3.0, the pgrp of the slave pty terminal
- needs to be set explicitly. Why rlogind works at all
- without this on 4.3BSD is a mystery.
- It seems to work fine on 4.3BSD with this code enabled.
- */
- pid = getpgrp(getpid());
- ioctl(0, TIOCSPGRP, &pid);
- execl("/usr/etc/login.sphinx", "login.sphinx", "-g", hp->h_name, 0);
- fatalperror(2, "/usr/etc/login.sphinx", errno);
- /*NOTREACHED*/
- }
- close(t);
- close(pipes[0]);
- ioctl(f, FIONBIO, &on);
- ioctl(p, FIONBIO, &on);
- ioctl(p, TIOCPKT, &on);
- signal(SIGTSTP, SIG_IGN);
- signal(SIGCHLD, cleanup);
- setpgrp(0, 0);
- protocol(f, p, pipes[1]);
- signal(SIGCHLD, SIG_IGN);
- cleanup();
-}
-
-char magic[2] = { 0377, 0377 };
-char oobdata[] = {TIOCPKT_WINDOW};
-
-/*
- * Handle a "control" request (signaled by magic being present)
- * in the data stream. For now, we are only willing to handle
- * window size changes.
- */
-control(pty, cp, n)
- int pty;
- char *cp;
- int n;
-{
- struct winsize w;
-
- if (n < 4+sizeof (w) || cp[2] != 's' || cp[3] != 's')
- return (0);
- oobdata[0] &= ~TIOCPKT_WINDOW; /* we know he heard */
- bcopy(cp+4, (char *)&w, sizeof(w));
- w.ws_row = ntohs(w.ws_row);
- w.ws_col = ntohs(w.ws_col);
- w.ws_xpixel = ntohs(w.ws_xpixel);
- w.ws_ypixel = ntohs(w.ws_ypixel);
- (void)ioctl(pty, TIOCSWINSZ, &w);
- return (4+sizeof (w));
-}
-
-/*
- * flogin "protocol" machine.
- */
-protocol(f, p, pipe)
- int f, p, pipe;
-{
- char pibuf[1024], fibuf[1024], *pbp, *fbp;
- register pcc = 0, fcc = 0;
- int cc;
- int on = 1, off = 0, done = 0;
- char cntl;
-
- /*
- * Must ignore SIGTTOU, otherwise we'll stop
- * when we try and set slave pty's window shape
- * (our controlling tty is the master pty).
- */
- (void) signal(SIGTTOU, SIG_IGN);
- send(f, oobdata, 1, MSG_OOB); /* indicate new rlogin */
- ioctl(f, FIONBIO, &off);
- for (cc = 0; cc < 4; cc++) {
- if (1 != read(f, &fibuf[cc], 1)) {
- done = 1;
- break;
- }
- }
- if (!done) {
- int len = ((u_char *)fibuf)[2] * 256 + ((u_char *)fibuf)[3];
- pcc = write(pipe, fibuf, cc);
- if (pcc <= 0) {
- done = 1;
- syslog(LOG_INFO, "write(pipe [%d], fibuf, %d): %d: %m",
- pipe, cc, pcc);
- }
- while (!done && len > 0) {
- char *fbp = fibuf;
- cc = read(f, fibuf, len);
- if (cc <= 0) {
- done = 1;
- syslog(LOG_INFO, "read(f, fibuf, %d): %d: %m",len, cc);
- break;
- }
- len -= cc;
- while (cc > 0) {
- pcc = write(pipe, fbp, cc);
- if (pcc <= 0) {
- done = 1;
- syslog(LOG_INFO, "write(pipe [%d], fbp, %d): %d: %m",
- pipe, cc, pcc);
- break;
- }
- cc -= pcc;
- fbp += pcc;
- }
- }
- }
- ioctl(f, FIONBIO, &on);
-
- close(pipe); fcc = 0; pcc = 0;
- for (;;) {
- int ibits, obits, ebits;
-
- ibits = 0;
- obits = 0;
- if (fcc)
- obits |= (1<<p);
- else
- ibits |= (1<<f);
- if (pcc >= 0)
- if (pcc)
- obits |= (1<<f);
- else
- ibits |= (1<<p);
- ebits = (1<<p);
- if (select(32, &ibits, &obits, &ebits, 0) < 0) {
- if (errno == EINTR)
- continue;
- fatalperror(f, "select");
- }
- if (ibits == 0 && obits == 0 && ebits == 0) {
- /* shouldn't happen... */
- sleep(5);
- continue;
- }
-#define pkcontrol(c) ((c)&(TIOCPKT_FLUSHWRITE|TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))
- if (ebits & (1<<p)) {
- cc = read(p, &cntl, 1);
- if (cc == 1 && pkcontrol(cntl)) {
- cntl |= oobdata[0];
- send(f, &cntl, 1, MSG_OOB);
- if (cntl & TIOCPKT_FLUSHWRITE) {
- pcc = 0;
- ibits &= ~(1<<p);
- }
- }
- }
- if (ibits & (1<<f)) {
- fcc = read(f, fibuf, sizeof(fibuf));
- if (fcc < 0 && errno == EWOULDBLOCK)
- fcc = 0;
- else {
- register char *cp;
- int left, n;
-
- if (fcc <= 0)
- break;
- fbp = fibuf;
-
- top:
- for (cp = fibuf; cp < fibuf+fcc-1; cp++)
- if (cp[0] == magic[0] &&
- cp[1] == magic[1]) {
- left = fcc - (cp-fibuf);
- n = control(p, cp, left);
- if (n) {
- left -= n;
- if (left > 0)
-
-bcopy(cp+n, cp, left);
- fcc -= n;
- goto top; /* n^2 */
- }
- }
- }
- }
-
- if ((obits & (1<<p)) && fcc > 0) {
- cc = write(p, fbp, fcc);
- if (cc > 0) {
- fcc -= cc;
- fbp += cc;
- }
- }
-
- if (ibits & (1<<p)) {
- pcc = read(p, pibuf, sizeof (pibuf));
- pbp = pibuf;
- if (pcc < 0 && errno == EWOULDBLOCK)
- pcc = 0;
- else if (pcc <= 0)
- break;
- else if (pibuf[0] == 0)
- pbp++, pcc--;
- else {
- if (pkcontrol(pibuf[0])) {
- pibuf[0] |= oobdata[0];
- send(f, &pibuf[0], 1, MSG_OOB);
- }
- pcc = 0;
- }
- }
- if ((obits & (1<<f)) && pcc > 0) {
- cc = des_write(f, pbp, pcc);
- if (cc < 0 && errno == EWOULDBLOCK) {
- /* also shouldn't happen */
- sleep(5);
- continue;
- }
- if (cc > 0) {
- pcc -= cc;
- pbp += cc;
- }
- }
- }
-}
-
-cleanup()
-{
- char *p;
-
- p = line + sizeof("/dev/") - 1;
- if (!logout(p))
- logwtmp(p, "", "");
- (void)chmod(line, 0666);
- (void)chown(line, 0, 0);
- *p = 'p';
- (void)chmod(line, 0666);
- (void)chown(line, 0, 0);
- shutdown(netf, 2);
- exit(1);
-}
-
-fatal(f, msg)
- int f;
- char *msg;
-{
- char buf[BUFSIZ];
-
- buf[0] = '\01'; /* error indicator */
- (void) sprintf(buf + 1, "rlogind: %s.\r\n", msg);
- (void) write(f, buf, strlen(buf));
- exit(1);
-}
-
-fatalperror(f, msg)
- int f;
- char *msg;
-{
- char buf[BUFSIZ];
- extern int sys_nerr;
- extern char *sys_errlist[];
-
- if ((unsigned)errno < sys_nerr)
- (void) sprintf(buf, "%s: %s", msg, sys_errlist[errno]);
- else
- (void) sprintf(buf, "%s: Error %d", msg, errno);
- fatal(f, buf);
-}
+++ /dev/null
-BABYL OPTIONS:
-Version: 5
-Labels:
-Note: This is the header of an rmail file.
-Note: If you are seeing it in rmail,
-Note: it means the file has no messages in it.
-\1f\f
-1,,
-Received: by E40-PO.MIT.EDU (5.45/4.7) id AA21631; Fri, 31 May 91 18:18:51 EDT
-Received: from uucp-gw-1.pa.dec.com by ATHENA.MIT.EDU with SMTP
- id AA27178; Fri, 31 May 91 18:16:24 EDT
-Received: by uucp-gw-1.pa.dec.com; id AA17698; Fri, 31 May 91 10:48:08 -0700
-Received: by sejour.lkg.dec.com (5.57/Ultrix4.0)
- id AA11377; Fri, 31 May 91 13:51:46 -0400
-Message-Id: <9105311751.AA11377@sejour.lkg.dec.com>
-To: tytso@ATHENA.MIT.EDU
-Cc: kannan@sejour.lkg.dec.com
-Subject: Re: testing GSS API
-In-Reply-To: Your message of Thu, 30 May 91 18:25:28 -0400.
- <9105302225.AA24140@tsx-11.MIT.EDU>
-Date: Fri, 31 May 91 13:51:44 EDT
-From: kannan@sejour.lkg.dec.com
-
-*** EOOH ***
-To: tytso@ATHENA.MIT.EDU
-Cc: kannan@sejour.lkg.dec.com
-Subject: Re: testing GSS API
-In-Reply-To: Your message of Thu, 30 May 91 18:25:28 -0400.
- <9105302225.AA24140@tsx-11.MIT.EDU>
-Date: Fri, 31 May 91 13:51:44 EDT
-From: kannan@sejour.lkg.dec.com
-
-Here is the new rlogin code. BTW, it is also being distributed with
-the SPX v2.1 kit.
-
-I'm sending you the following files:
-
- Makefile, flogin.c, flogind.c, and login.c
-
-> The real test is whether or not the application runs.
-
-I agree. Does this mean that you will implement the "unofficial" GSS API
-routines used in the flogin code?
-
- -kannan
-
-========== Makefile ======================
-
-===================== flogin.c ========================
-
-===================== flogind.c ================
-
-===================== login.c ======================
-\1f
\ No newline at end of file
+++ /dev/null
-/* KITEST-MASTER.C */
-/* */
-/* Program to build GSSAPI-compliant Kerberos authentication packets, using */
-/* the Kerberos V5 (Beta 2) GSSAPI implementation, and attempt to */
-/* authenticate to a DCE/GSSAPI implementation. */
-/* */
-/* Since both GSSAPI implementations share the same routine names, two */
-/* executables are built by linking against either the DCE/GSSAPI or the */
-/* Kerberos V5 GSSAPI library. This file is compiled with the preprocessor */
-/* name KERBEROS defined if it is to invoke the Kerberos API, and with DCE */
-/* defined if it is to link against the DCE/GSSAPI. */
-/* */
-/* Invocation should specify two parameters - */
-/* 1) Name of initiating principal */
-/* 2) Name of accepting principal */
-/* */
-/* A flag '-S' is used to specify the name of the file that process will */
-/* activate as a slave. */
-/* */
-/* So to test, for example, Kerberos against Kerberos, and assuming that */
-/* the executable is called kitest-krb, you'd set up a Kerberos credential */
-/* for <client-name> using kinit, and arrange for a server Kerberos */
-/* credential for <server-name> to be available in a keytable, and issue */
-/* the command: */
-/* kitest-krb -S kitest-krb <client-name> <server-name> */
-/* */
-/* The original process becomes the context initiator, while the spawned */
-/* subprocess (running the executable specified after the -S flag) is */
-/* expected to act as the context acceptor. */
-
-#if defined(KERBEROS) && defined(DCE)
-#error "Both KERBEROS and DCE specified"
-#endif
-
-#if !defined(KERBEROS) && !defined(DCE)
-#error "Neither KERBEROS nor DCE defined"
-#endif
-
-/* You need to create links from krb-gssapi.h to the Kerberos gssapi.h, and */
-/* from dce-gssapi.h to the DCE gssapi.h. */
-#ifdef KERBEROS
-#include "krb-gssapi.h"
-#endif
-
-#ifdef DCE
-#include "dce-gssapi.h"
-#endif
-
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <signal.h>
-#include <sys/types.h>
-#include <netdb.h>
-
-#ifndef GSS_ERROR
-#define GSS_ERROR(x) (x & 0xffff0000)
-/* The Kerberos gssapi.h doesn't define this macro. */
-#endif
-
-#define DOWN_CHANNEL 3
-/* Don't understand why stdin doesn't work here, but channel 3 seems to */
-/* work fine. */
-
-#define INITIAL_CHILD_MESSAGES 7
-
-extern int errno;
-
-int master = 0;
-int inpipe[2];
-int outpipe[2];
-int errpipe[2];
-
-gss_name_t source_internal_name;
-gss_name_t target_internal_name;
-gss_name_t source_authenticated_name;
-gss_buffer_desc source_name_buffer;
-gss_buffer_desc target_name_buffer;
-
-gss_cred_id_t my_cred_handle;
-gss_cred_id_t delegated_cred_handle;
-gss_ctx_id_t my_ctx_handle;
-gss_OID_set actual_cred_mech_set;
-gss_OID actual_ctx_mech_type;
-OM_uint32 actual_cred_time_rec;
-OM_uint32 actual_ctx_time_rec;
-gss_buffer_desc token_to_send;
-gss_buffer_desc token_received;
-int actual_ret_flags;
-struct gss_channel_bindings_struct my_channel_bindings;
-
-char source_name[512];
-char target_name[512];
-
-char my_host_name[50];
-char my_internet_address[4];
-struct hostent * my_hostent;
-
-unsigned char received_token_buffer[2048];
-unsigned received_length;
-
-OM_uint32 major_status;
-OM_uint32 kept_status;
-OM_uint32 minor_status;
-
-int subprocess_pid = 0;
-
-char line_buffer[128];
-int chars_read;
-
-void indicate_data(void) {
- fprintf(stderr, "\a\n");
- fflush(stderr);
-}
-
-void send_data(void * ptr, unsigned length) {
- unsigned char length_buf[2];
- unsigned char * char_ptr;
- int data_sent;
-
- char_ptr = (unsigned char *)ptr;
-
- length_buf[0] = length & 0xff;
- length_buf[1] = (length & 0xff00) >> 8;
-
- if (master) {
-/* Data is sent via inpipe. */
- errno = 0;
- if ((data_sent = write(inpipe[1], length_buf, 2)) != 2) {
- fprintf(stderr,
- "Write of length sent %d bytes, expected 2\n",
- data_sent);
- fflush(stderr);
- if (data_sent == -1) {
- fprintf(stderr,
- "Errno: %d\n",
- errno);
- fflush(stderr);
- };
- };
- errno = 0;
- if ((data_sent =write(inpipe[1], ptr, length)) != length) {
- fprintf(stderr,
- "Write of length sent %d bytes, expected 2\n",
- data_sent);
- fflush(stderr);
- if (data_sent == -1) {
- fprintf(stderr,
- "Errno: %d\n",
- errno);
- fflush(stderr);
- };
- };
- fprintf(stderr, "Sending data (length = %d):\n", length);
- fprintf(stderr, " %2.2X %2.2X %2.2X %2.2X %2.2X...\n",
- char_ptr[0], char_ptr[1], char_ptr[2],
- char_ptr[3], char_ptr[4]);
- } else {
-/* Data is sent via stdout, and a data indication on stderr. */
- fwrite(length_buf, 2, 1, stdout);
- fwrite(ptr, length, 1, stdout);
- fflush(stdout);
- indicate_data();
- };
-}
-
-void receive_data(void * ptr, unsigned * length) {
- unsigned char length_buf[2];
- unsigned char * char_ptr;
- int data_read;
-
- char_ptr = (unsigned char *)ptr;
-
- if (master) {
-/* Data is received via outpipe. A data indication is assumed to have been */
-/* received on errpipe, otherwise this routine will hang. */
- read(outpipe[0], length_buf, 2);
- *length = length_buf[0] | (length_buf[1]<<8);
- read(outpipe[0], ptr, *length);
- } else {
-/* Data is received on fd3 */
- errno = 0;
- if ((data_read = read(DOWN_CHANNEL, length_buf, 2)) != 2) {
- fprintf(stderr,
- "Error: received %d bytes for length, expecting 2\n",
- data_read);
- fflush(stderr);
- if (data_read == -1) {
- fprintf(stderr, "errno: %d\n", errno);
- fflush(stderr);
- };
- };
-
- *length = length_buf[0] | (length_buf[1]<<8);
-
- errno = 0;
- if ((data_read = read(DOWN_CHANNEL, ptr, *length)) != *length) {
- fprintf(stderr,
- "Error: received %d bytes for data, expecting %d\n",
- data_read, *length);
- fflush(stderr);
- if (data_read == -1) {
- fprintf(stderr, "errno: %d\n", errno);
- fflush(stderr);
- };
- };
-
- fprintf(stderr, "Received data (length = %d):\n", *length);
- fprintf(stderr, " %2.2X %2.2X %2.2X %2.2X %2.2X...\n",
- char_ptr[0], char_ptr[1], char_ptr[2],
- char_ptr[3], char_ptr[4]);
-
- };
-}
-
-int read_subproc_line(char * ptr, unsigned buf_length) {
-/* Returns length of data read, or zero if binary data waiting. */
- int bytes_read = 0;
- int finished = 0;
- if (!master) {
- fprintf(stderr, "Error: Child called read_subproc_data\n");
- fflush(stderr);
- exit(2);
- } else {
- while (!finished) {
- read(errpipe[0], &ptr[bytes_read], 1);
- if (ptr[bytes_read] == '\n') finished = 1;
- if (bytes_read >= buf_length) finished = 1;
- bytes_read ++;
- };
- if (bytes_read == 2 && ptr[0] == '\a') return 0;
- else return bytes_read;
- };
-}
-
-void display_error(char * where, OM_uint32 maj_stat, OM_uint32 min_stat) {
- int context = 0;
- OM_uint32 major_status, minor_status;
- gss_buffer_desc message_buffer;
-
- fprintf(stderr, "Error: %s\n", where);
- fprintf(stderr, "Major status (%d) (min = %d):\n", maj_stat, min_stat);
- fflush(stderr);
- do {
- message_buffer.length = 0;
- message_buffer.value = NULL;
- major_status = gss_display_status(&minor_status,
- maj_stat,
- GSS_C_GSS_CODE,
- GSS_C_NULL_OID,
- &context,
- &message_buffer);
- fprintf(stderr,
- " message_buffer.length = %u, message_buffer.value = %p\n",
- message_buffer.length, message_buffer.value);
- fflush(stderr);
- if (message_buffer.length = 0) {
- fprintf(stderr,
- " %.*s\n",
- message_buffer.length,
- message_buffer.value);
- major_status = gss_release_buffer(&minor_status, &message_buffer);
- } else {
- fprintf(stderr, "-- no message --\n");
- /* If we've been asked to translate an invalid status code */
- };
- fflush(stderr);
-
- } while (context != 0);
- fprintf(stderr, "Minor status:\n");
- fflush(stderr);
- major_status = gss_display_status(&minor_status,
- min_stat,
- GSS_C_MECH_CODE,
- GSS_C_NULL_OID,
- &context,
- &message_buffer);
- fprintf(stderr,
- " %.*s\n",
- message_buffer.length,
- message_buffer.value);
- fflush(stderr);
-
- major_status = gss_release_buffer(&minor_status, &message_buffer);
-
-}
-
-void import_names(void) {
-
- source_name_buffer.value = (void *)&source_name[0];
- source_name_buffer.length = strlen(source_name);
-
- major_status = gss_import_name(&minor_status,
- &source_name_buffer,
- GSS_C_NULL_OID,
- &source_internal_name);
-
- if (major_status != GSS_S_COMPLETE)
- display_error("Importing source principal", major_status, minor_status);
-
- target_name_buffer.value = (void *)&target_name[0];
- target_name_buffer.length = strlen(target_name);
-
- major_status = gss_import_name(&minor_status,
- &target_name_buffer,
- GSS_C_NULL_OID,
- &target_internal_name);
-
- if (major_status != GSS_S_COMPLETE)
- display_error("Importing target principal", major_status, minor_status);
-
-}
-
-
-void alarm_handler(int sig) {
- fprintf(stderr, "SIGALRM received, terminating subprocess\n");
- fflush(stderr);
- kill(subprocess_pid, SIGTERM);
- exit(0);
-}
-
-
-void flush_subprocess_message_queue_and_exit(void) {
-
- signal(SIGALRM, alarm_handler);
- alarm(10);
-
- do {
- chars_read = read_subproc_line(line_buffer,
- sizeof(line_buffer));
- if (chars_read == 0) {
- fprintf(stderr,
- "Unexpected binary data received from child\n");
- fflush(stderr);
- receive_data(received_token_buffer,
- &received_length);
- } else {
- fprintf(stderr,"CHILD> %.*s", chars_read, line_buffer);
- };
- fflush(stderr);
- } while (1);
-}
-
-void sigpipe_handler(int sig) {
- fprintf(stderr, "SIGPIPE received, flushing subprocess message queue\n");
- fflush(stderr);
- flush_subprocess_message_queue_and_exit();
-}
-
-int main(int argc, char *argv[]) {
-
- int c;
- int errflg = 0;
- char * image_name;
- int pid;
-
- int i;
-
- extern int optind, opterr;
- extern char * optarg;
-
- int blocking;
-
- while ((c = getopt(argc, argv, "S:")) != EOF) {
- switch (c) {
- case 'S' : master = 1;
- image_name = optarg;
- break;
- case '?' : errflg++;
- break;
- };
- };
-
- if (optind < argc) {
- strncpy(source_name, argv[optind++], sizeof(source_name)-1);
- } else {
- fprintf(stderr, "Error: Source name (prin-1) missing\n");
- errflg++;
- };
-
- if (optind < argc) {
- strncpy(target_name, argv[optind++], sizeof(source_name)-1);
- } else {
- fprintf(stderr, "Error: Target name (prin-2) missing\n");
- errflg++;
- };
-
- if (optind < argc) {
- fprintf(stderr, "Error: too many parameters\n");
- errflg++;
- };
-
- if (errflg) {
- fprintf(stderr, "Usage: %s -S <subprocess> <princ-1> <princ-2>\n", argv[0]);
- exit(2);
- };
-
- gethostname(my_host_name, sizeof(my_host_name));
- my_hostent = gethostbyname(my_host_name);
- memcpy(&my_internet_address, my_hostent->h_addr_list[0], 4);
-
- fprintf(stderr,"Host: '%s', %u.%u.%u.%u\n",
- my_host_name,
- my_internet_address[0],
- my_internet_address[1],
- my_internet_address[2],
- my_internet_address[3]);
-
- my_channel_bindings.initiator_addrtype = GSS_C_AF_INET;
- my_channel_bindings.initiator_address.length = 4;
- my_channel_bindings.initiator_address.value = my_internet_address;
-
- my_channel_bindings.acceptor_addrtype = GSS_C_AF_INET;
- my_channel_bindings.acceptor_address.length = 4;
- my_channel_bindings.acceptor_address.value = my_internet_address;
-
- my_channel_bindings.application_data.length = 0;
- my_channel_bindings.application_data.value = NULL;
-
- my_ctx_handle = GSS_C_NO_CONTEXT;
-
- if (!master) {
-
-/* Subprocess. */
-
- fprintf(stderr, "Importing names\n");
- fflush(stderr);
-
- import_names();
-
- fprintf(stderr, "Calling acquire_cred\n");
- fflush(stderr);
-
- major_status = gss_acquire_cred(&minor_status,
- target_internal_name,
- 60 * 60 * 24,
- GSS_C_NULL_OID_SET,
- GSS_C_ACCEPT,
- &my_cred_handle,
- &actual_cred_mech_set,
- &actual_cred_time_rec);
-
- if (major_status != GSS_S_COMPLETE) {
- display_error("Acquiring ACCEPT credential for target principal",
- major_status, minor_status);
- while (1) ;
- };
-
- fprintf(stderr, "Returned from acquire_cred, waiting for token from parent\n");
- fflush(stderr);
-
- do {
-
- receive_data(received_token_buffer,
- &received_length);
- token_received.value = (void *)received_token_buffer;
- token_received.length = received_length;
-
- fprintf(stderr, "Got token, calling accept_sec_context\n");
- fflush(stderr);
-
- major_status = gss_accept_sec_context(&minor_status,
- &my_ctx_handle,
- my_cred_handle,
- &token_received,
- &my_channel_bindings,
- &source_authenticated_name,
- &actual_ctx_mech_type,
- &token_to_send,
- &actual_ret_flags,
- &actual_ctx_time_rec,
- &delegated_cred_handle);
- kept_status = major_status;
-
- if (GSS_ERROR(major_status)) {
- display_error("ACCEPT_SEC_CONTEXT",
- major_status, minor_status);
- while (1) ;
- };
-
- if (token_to_send.length != 0) {
- send_data(token_to_send.value, token_to_send.length);
- major_status = gss_release_buffer(&minor_status,
- &token_to_send);
- };
-
- if (kept_status & GSS_S_CONTINUE_NEEDED) {
- receive_data(received_token_buffer,
- &received_length);
- token_received.value = (void *)received_token_buffer;
- token_received.length = received_length;
- };
-
- } while (kept_status & GSS_S_CONTINUE_NEEDED);
-
- if (!GSS_ERROR(kept_status)) {
- fprintf(stderr, "Authenticated context established\n");
- } else {
- fprintf(stderr, "Context not established\n");
- };
- fflush(stderr);
- while (1) ;
- } else {
-/* We need to create three pipes - inpipe, outpipe and errpipe, to which */
-/* the subprocess will connect its fd3, stdout and stderr channels. */
-
- if (pipe(inpipe) < 0) {
- fprintf(stderr, "Error: Can't make inpipe\n");
- exit(2);
- };
- if (pipe(outpipe) < 0) {
- fprintf(stderr, "Error: Can't make outpipe\n");
- exit(2);
- };
- if (pipe(errpipe) < 0) {
- fprintf(stderr, "Error: Can't make errpipe\n");
- exit(2);
- };
-
- if ((subprocess_pid = fork()) == 0) {
-/* This is the slave subprocess in a two-process chain. Connect inpipe, */
-/* outpipe and errpipe to fd3, stderr and stdout, and then exec the slave */
-/* image. */
- fprintf(stderr, "CHILD: forked, closing pipes\n");
- fflush(stderr);
-
- close(inpipe[1]); /* Close write end of inpipe */
- close(outpipe[0]); /* Close read end of outpipe */
- close(errpipe[0]); /* Close read end of errpipe */
-
-
- write (errpipe[1],
- "Child process forked (write to errpipe[1])\n",
- strlen("Child process forked (write to errpipe[1])\n")
- );
-
- if (dup2(inpipe[0], DOWN_CHANNEL) == -1) {
- fprintf(stderr, "CHILD: Can't dup2 inpipe[0]\n");
- fflush(stderr);
- };
- /* Attach inpipe to fd3 */
- if (dup2(outpipe[1], 1) == -1) {
- fprintf(stderr, "CHILD: Can't dup2 outpipe[1]\n");
- fflush(stderr);
- };
- /* Attach outpipe to stdout */
- if (dup2(errpipe[1], 2) == -1) {
- fprintf(stderr, "CHILD: Can't dup2 errpipe[1]\n");
- fflush(stderr);
- };
- /* Attach errpipe to stderr */
-
- write (2,
- "Child process forked (write to fd2)\n",
- strlen("Child process forked (write to fd2)\n")
- );
-
- fprintf(stderr, "Execing %s\n", image_name);
- fflush(stderr);
-
- execl(image_name, image_name, source_name, target_name, (char *)0);
-
- fprintf(stderr, "Error: Couldn't exec %s\n", image_name);
- exit(2);
-
- } else if (subprocess_pid < 0) {
- fprintf(stderr, "Error: Fork returned %d\n", subprocess_pid);
- exit(2);
- } else {
-/* This is the master process in a two-process chain. The slave process */
-/* has connected inpipe, outpipe and errpipe to its fd3, stdout and */
-/* stderr. We have to use the other ends. */
-
-
- close(inpipe[0]); /* Close read end of inpipe */
- close(outpipe[1]); /* Close write end of outpipe */
- close(errpipe[1]); /* Close write end of errpipe */
-
-/* A simple protocol will be used between master and slave processes. The */
-/* subprocess (slave) will always expect that data received on its inpipe */
-/* will be binary messages, preceeded by a two-byte count. Messages from */
-/* slave to master will be sent on the errpipe channel if they are text */
-/* messages, and on outpipe if they are binary data (preceeded as above by */
-/* a two-byte count field). The presence of a binary message in the */
-/* outpipe will be indicated by writing the sequence "\a\n" to errpipe. */
-/* This protocol is implemented in the master by the routine */
-/* read_subproc_line, which reads a single line of text from the */
-/* subprocess, returning either its length, or zero to indicate that binary */
-/* data is waiting. Binary data is received by either process by invoking */
-/* the receive_data routine, and sent by invoking the send_data routine. */
-/* The receive_data routine will block until the data is available, so */
-/* care should be taken in the master not to call this routine unless a */
-/* data indication has already been received. */
-
-/* Master: */
- signal(SIGPIPE, sigpipe_handler);
-
-/* The child will send us messages on start-up (at least */
-/* INITIAL_CHILD_MESSAGES of them), so we'll read them here to make sure we */
-/* catch a sleepy child early. */
-
- fprintf(stderr, "Parent waiting for wake-up call from child...\n");
- fflush(stderr);
-
- signal(SIGALRM, alarm_handler);
- alarm(10);
-
- for (i=0; i<INITIAL_CHILD_MESSAGES; i++) {
- chars_read = read_subproc_line(line_buffer,
- sizeof(line_buffer));
-
- if (chars_read == 0) {
- fprintf(stderr,
- "Unexpected binary data received from child\n");
- fflush(stderr);
- receive_data(received_token_buffer,
- &received_length);
- } else {
- fprintf(stderr,"CHILD> %.*s", chars_read, line_buffer);
- };
- fflush(stderr);
-
- };
-
- alarm(0);
-
- fprintf(stderr, "Parent continuing, importing names...\n");
- fflush(stderr);
-
- import_names();
-
- fprintf(stderr, "Parent got names...\n");
- fflush(stderr);
-
-#ifdef KERBEROS
-
-/* This version of the acquire_cred code requests the client credential */
-/* explicitly by name; the DCE version uses no name, meaning "give me a */
-/* to the default credential. */
-
- fprintf(stderr, "Parent calling acquire_cred...\n");
- fflush(stderr);
-
- major_status = gss_acquire_cred(&minor_status,
- source_internal_name,
- 60 * 60 * 24,
- GSS_C_NULL_OID_SET,
- GSS_C_INITIATE,
- &my_cred_handle,
- &actual_cred_mech_set,
- &actual_cred_time_rec);
-
- fprintf(stderr, "Parent returned from acquire_cred.\n");
- fflush(stderr);
-
-#endif
-#ifdef DCE
- major_status = gss_acquire_cred(&minor_status,
- GSS_C_NO_NAME,
- 60 * 60 * 24,
- GSS_C_NULL_OID_SET,
- GSS_C_INITIATE,
- &my_cred_handle,
- &actual_cred_mech_set,
- &actual_cred_time_rec);
-#endif
- if (major_status != GSS_S_COMPLETE)
- display_error("Acquiring INITIATE credential for source principal",
- major_status, minor_status);
-
-
- token_received.length = 0;
- token_received.value = NULL;
-
- do {
-
- fprintf(stderr, "Parent calling init_sec_ctx...\n");
- fflush(stderr);
-
- major_status = gss_init_sec_context(&minor_status,
- my_cred_handle,
- &my_ctx_handle,
- target_internal_name,
- GSS_C_NULL_OID,
- GSS_C_MUTUAL_FLAG,
- 60 * 60 * 23,
- &my_channel_bindings,
- &token_received,
- &actual_ctx_mech_type,
- &token_to_send,
- &actual_ret_flags,
- &actual_ctx_time_rec);
-
- fprintf(stderr, "Parent returned from init_sec_ctx...\n");
- fflush(stderr);
-
- kept_status = major_status;
-
- if (GSS_ERROR(major_status))
- display_error("INIT_SEC_CONTEXT",
- major_status, minor_status);
-
- if (token_to_send.length != 0) {
-
- fprintf(stderr, "Parent transmitting token...\n");
- fflush(stderr);
-
- send_data(token_to_send.value, token_to_send.length);
- major_status = gss_release_buffer(&minor_status,
- &token_to_send);
- };
-
- if (kept_status & GSS_S_CONTINUE_NEEDED) {
- signal(SIGALRM, alarm_handler);
- alarm(30);
- while ((chars_read = read_subproc_line(line_buffer,
- sizeof(line_buffer))
- ) != 0) {
- fprintf(stderr, "CHILD> %.*s", chars_read, line_buffer);
- };
- alarm(0);
- receive_data(received_token_buffer,
- &received_length);
- token_received.value = (void *)received_token_buffer;
- token_received.length = received_length;
- };
-
- } while (kept_status & GSS_S_CONTINUE_NEEDED);
-
- if (!GSS_ERROR(kept_status)) {
- fprintf(stderr, "Authenticated context established\n");
- } else {
- fprintf(stderr, "Context not established\n");
- };
- fflush(stderr);
-
- flush_subprocess_message_queue_and_exit();
-
- };
- };
-}
+++ /dev/null
-/*
- * Copyright (c) 1980, 1987, 1988 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef lint
-char copyright[] =
-"@(#) Copyright (c) 1980, 1987, 1988 The Regents of the University of California.\n\
- All rights reserved.\n";
-#endif /* not lint */
-
-#ifndef lint
-static char sccsid[] = "@(#)login.c 5.25 (Berkeley) 1/6/89";
-#endif /* not lint */
-
-/*
- * login [ name ]
- * login -r hostname (for rlogind)
- * login -h hostname (for telnetd, etc.)
- * login -f name (for pre-authenticated login: datakit, xterm, etc.)
- * ifdef KERBEROS
- * login -e name (for pre-authenticated encrypted, must do term
- * negotiation)
- * login -k hostname (for Kerberos rlogind with password access)
- * login -K hostname (for Kerberos rlogind with restricted access)
- * endif KERBEROS
- */
-
-#include <sys/param.h>
-#ifndef VFS
-#include <sys/quota.h>
-#endif /* VFS */
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-
-#include <utmp.h>
-#include <signal.h>
-#include <lastlog.h>
-#include <errno.h>
-#ifndef NOTTYENT
-#include <ttyent.h>
-#endif /* NOTTYENT */
-#include <syslog.h>
-#include <grp.h>
-#include <pwd.h>
-#include <setjmp.h>
-#include <stdio.h>
-#include <strings.h>
-
-#include <netdb.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include "gssapi_defs.h"
-
-#define TOKEN_MAJIC_NUMBER_BYTE0 1
-#define TOKEN_MAJIC_NUMBER_BYTE1 1
-
-char userfullname[GSS_C_MAX_PRINTABLE_NAME];
-char userlocalname[GSS_C_MAX_PRINTABLE_NAME];
-gss_cred_id_t gss_delegated_cred_handle;
-
-#ifdef UIDGID_T
-/* uid_t getuid(); */
-#define uid_type uid_t
-#define gid_type gid_t
-#else
-/* int getuid(); */
-#define uid_type int
-#define gid_type int
-#endif /* UIDGID_T */
-
-#define TTYGRPNAME "tty" /* name of group to own ttys */
-
-#define MOTDFILE "/etc/motd"
-#define MAILDIR "/usr/spool/mail"
-#define NOLOGIN "/etc/nologin"
-#define HUSHLOGIN ".hushlogin"
-#define LASTLOG "/usr/adm/lastlog"
-#define BSHELL "/bin/sh"
-
-#ifdef VFS
-#define QUOTAWARN "/usr/ucb/quota" /* warn user about quotas */
-#endif /* VFS */
-
-#define UT_HOSTSIZE sizeof(((struct utmp *)0)->ut_host)
-#define UT_NAMESIZE sizeof(((struct utmp *)0)->ut_name)
-
-/*
- * This bounds the time given to login. Not a define so it can
- * be patched on machines where it's too small.
- */
-int timeout = 300;
-
-struct passwd *pwd;
-char term[64], *hostname, *username;
-
-gss_ctx_id_t context_handle;
-
-struct sgttyb sgttyb;
-struct tchars tc = {
- CINTR, CQUIT, CSTART, CSTOP, CEOT, CBRK
-};
-struct ltchars ltc = {
- CSUSP, CDSUSP, CRPRNT, CFLUSH, CWERASE, CLNEXT
-};
-
-extern int errno;
-
-#ifdef POSIX
-typedef void sigtype;
-#else
-typedef int sigtype;
-#endif /* POSIX */
-
-#define EXCL_TEST if (rflag || kflag || Kflag || eflag || \
- fflag || hflag) { \
- fprintf(stderr, \
- "login: only one of -r, -k, -K, -e, -h and -f allowed.\n"); \
- exit(1);\
- }
-main(argc, argv)
- int argc;
- char **argv;
-{
- extern int optind;
- extern char *optarg, **environ;
- struct group *gr;
- register int ch;
- register char *p;
-
- int gflag;
-
- int fflag, hflag, pflag, rflag, cnt;
- int kflag, Kflag, eflag;
- int quietlog, passwd_req, ioctlval, major_status, minor_status;
- sigtype timedout();
- char *domain, *salt, *envinit[1], *ttyn, *tty;
- char tbuf[MAXPATHLEN + 2];
- char *ttyname(), *stypeof(), *crypt(), *getpass();
- time_t time();
- off_t lseek();
-
- (void)signal(SIGALRM, timedout);
- (void)alarm((u_int)timeout);
- (void)signal(SIGQUIT, SIG_IGN);
- (void)signal(SIGINT, SIG_IGN);
- (void)setpriority(PRIO_PROCESS, 0, 0);
-#ifndef VFS
- (void)quota(Q_SETUID, 0, 0, 0);
-#endif /* VFS */
-
- /*
- * -s is used by flogind to cause the SPX autologin protocol;
- * -p is used by getty to tell login not to destroy the environment
- * -r is used by rlogind to cause the autologin protocol;
- * -f is used to skip a second login authentication
- * -e is used to skip a second login authentication, but allows
- * login as root.
- * -h is used by other servers to pass the name of the
- * remote host to login so that it may be placed in utmp and wtmp
- * -k is used by klogind to cause the Kerberos autologin protocol;
- * -K is used by klogind to cause the Kerberos autologin protocol with
- * restricted access.;
- */
- (void)gethostname(tbuf, sizeof(tbuf));
- domain = index(tbuf, '.');
-
- fflag = hflag = pflag = rflag = kflag = Kflag = eflag = 0;
- passwd_req = 1;
- while ((ch = getopt(argc, argv, "feh:pr:k:K:g:")) != EOF)
- switch (ch) {
- case 'f':
- EXCL_TEST;
- fflag = 1;
- break;
- case 'h':
- EXCL_TEST;
- if (getuid()) {
- fprintf(stderr,
- "login: -h for super-user only.\n");
- exit(1);
- }
- hflag = 1;
- if (domain && (p = index(optarg, '.')) &&
- strcmp(p, domain) == 0)
- *p = 0;
- hostname = optarg;
- break;
- case 'p':
- pflag = 1;
- break;
- case 'r':
- EXCL_TEST;
- if (getuid()) {
- fprintf(stderr,
- "login: -r for super-user only.\n");
- exit(1);
- }
- /* "-r hostname" must be last args */
- if (optind != argc) {
- fprintf(stderr, "Syntax error.\n");
- exit(1);
- }
- rflag = 1;
- passwd_req = (doremotelogin(optarg) == -1);
- if (domain && (p = index(optarg, '.')) &&
- !strcmp(p, domain))
- *p = '\0';
- hostname = optarg;
- break;
- case 'g':
- if (optind != argc) {
- fprintf(stderr, "Syntax error.\n");
- exit(1);
- }
- gflag = do_gss_login(optarg);
- if (gflag == 1) passwd_req = 0;
- else {
- (void)ioctl(0, TIOCHPCL, (char *)0);
- sleepexitnew(1,1);
- }
- hostname = optarg;
- break;
- case '?':
- default:
- fprintf(stderr, "usage: login [-fp] [username]\n");
- exit(1);
- }
- argc -= optind;
- argv += optind;
- if (*argv)
- username = *argv;
-
- ioctlval = 0;
- (void)ioctl(0, TIOCLSET, (char *)&ioctlval);
- (void)ioctl(0, TIOCNXCL, (char *)0);
- (void)fcntl(0, F_SETFL, ioctlval);
- (void)ioctl(0, TIOCGETP, (char *)&sgttyb);
-
- /*
- * If talking to an rlogin process, propagate the terminal type and
- * baud rate across the network.
- */
-
- if (rflag || kflag || Kflag || eflag || gflag)
- doremoteterm(&sgttyb);
- sgttyb.sg_erase = CERASE;
- sgttyb.sg_kill = CKILL;
- (void)ioctl(0, TIOCSLTC, (char *)<c);
- (void)ioctl(0, TIOCSETC, (char *)&tc);
- (void)ioctl(0, TIOCSETP, (char *)&sgttyb);
-
- for (cnt = getdtablesize(); cnt > 2; cnt--)
- (void) close(cnt);
-
- ttyn = ttyname(0);
- if (ttyn == NULL || *ttyn == '\0')
- ttyn = "/dev/tty??";
- if (tty = rindex(ttyn, '/'))
- ++tty;
- else
- tty = ttyn;
-
- for (cnt = 0;; username = NULL) {
- ioctlval = 0;
- (void)ioctl(0, TIOCSETD, (char *)&ioctlval);
-
- if (username == NULL) {
- fflag = 0;
- getloginname();
- }
- if (pwd = getpwnam(username))
- salt = pwd->pw_passwd;
- else
- salt = "xx";
-
- /* if user not super-user, check for disabled logins */
- if (pwd == NULL || pwd->pw_uid)
- checknologin();
-
- /*
- * Disallow automatic login to root; if not invoked by
- * root, disallow if the uid's differ.
- */
- if (fflag && pwd) {
- int uid = (int) getuid();
-
- passwd_req = pwd->pw_uid == 0 ||
- (uid && uid != pwd->pw_uid);
- }
-
- /*
- * If no remote login authentication and a password exists
- * for this user, prompt for one and verify it.
- */
- if (!passwd_req || pwd && !*pwd->pw_passwd)
- break;
-
- (void) setpriority(PRIO_PROCESS, 0, -4);
- p = crypt(getpass("password:"), salt);
- (void) setpriority(PRIO_PROCESS, 0, 0);
- if (pwd && !strcmp(p, pwd->pw_passwd))
- break;
-
- printf("Login incorrect\n");
- if (++cnt >= 5) {
- if (hostname)
- syslog(LOG_ERR,
- "REPEATED LOGIN FAILURES ON %s FROM %.*s, %.*s",
- tty, UT_HOSTSIZE, hostname, UT_NAMESIZE,
- username);
- else
- syslog(LOG_ERR,
- "REPEATED LOGIN FAILURES ON %s, %.*s",
- tty, UT_NAMESIZE, username);
- (void)ioctl(0, TIOCHPCL, (char *)0);
- sleepexit(1);
- }
- }
-
- /* committed to login -- turn off timeout */
- (void)alarm((u_int)0);
-
- /*
- * If valid so far and root is logging in, see if root logins on
- * this terminal are permitted.
- */
-#ifndef SPX_CHALLENGE
- if (pwd->pw_uid == 0 && !rootterm(tty)) {
- if (hostname)
- syslog(LOG_ERR, "ROOT LOGIN REFUSED ON %s FROM %.*s",
- tty, UT_HOSTSIZE, hostname);
- else
- syslog(LOG_ERR, "ROOT LOGIN REFUSED ON %s", tty);
- printf("Login incorrect\n");
- sleepexit(1);
- }
-#else
- if (pwd->pw_uid == 0) {
- syslog(LOG_INFO, "%s (%s)", userfullname, userlocalname);
- }
-
-#endif /* SPX_CHALLENGE */
-
-#ifndef VFS
- if (quota(Q_SETUID, pwd->pw_uid, 0, 0) < 0 && errno != EINVAL) {
- switch(errno) {
- case EUSERS:
- fprintf(stderr,
- "Too many users logged on already.\nTry again later.\n");
- break;
- case EPROCLIM:
- fprintf(stderr,
- "You have too many processes running.\n");
- break;
- default:
- perror("quota (Q_SETUID)");
- }
- sleepexit(0);
- }
-#endif /* !VFS */
-
- if (chdir(pwd->pw_dir) < 0) {
- printf("No directory %s!\n", pwd->pw_dir);
- if (chdir("/"))
- exit(0);
- pwd->pw_dir = "/";
- printf("Logging in with home = \"/\".\n");
- }
-
- /* nothing else left to fail -- really log in */
- {
- struct utmp utmp;
-
- (void)time(&utmp.ut_time);
- (void) strncpy(utmp.ut_name, username, sizeof(utmp.ut_name));
- if (hostname)
- (void) strncpy(utmp.ut_host, hostname,
- sizeof(utmp.ut_host));
- else
- bzero(utmp.ut_host, sizeof(utmp.ut_host));
- (void) strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
- login(&utmp);
- }
-
- quietlog = access(HUSHLOGIN, F_OK) == 0;
- dolastlog(quietlog, tty);
-
- if (!hflag && !rflag && !kflag && !Kflag && !eflag && !gflag) { /* XXX */
- static struct winsize win = { 0, 0, 0, 0 };
-
- (void)ioctl(0, TIOCSWINSZ, (char *)&win);
- }
-
- (void)chown(ttyn, pwd->pw_uid,
- (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
- (void)chmod(ttyn, 0620);
- (void)setgid((gid_type) pwd->pw_gid);
-
- (void) initgroups(username, pwd->pw_gid);
-
-#ifndef VFS
- quota(Q_DOWARN, pwd->pw_uid, (dev_t)-1, 0);
-#endif
- (void)setuid((uid_type) pwd->pw_uid);
-
- if (*pwd->pw_shell == '\0')
- pwd->pw_shell = BSHELL;
- /* turn on new line discipline for the csh */
- else if (!strcmp(pwd->pw_shell, "/bin/csh")) {
- ioctlval = NTTYDISC;
- (void)ioctl(0, TIOCSETD, (char *)&ioctlval);
- }
-
- /* destroy environment unless user has requested preservation */
- if (!pflag)
- environ = envinit;
- (void)setenv("HOME", pwd->pw_dir, 1);
- (void)setenv("SHELL", pwd->pw_shell, 1);
- if (term[0] == '\0')
- (void) strncpy(term, stypeof(tty), sizeof(term));
- (void)setenv("TERM", term, 0);
- (void)setenv("USER", pwd->pw_name, 1);
- (void)setenv("PATH", "/usr/ucb:/bin:/usr/bin:/usr/local/bin:", 0);
- major_status = gss__stash_default_cred(&minor_status,
- gss_delegated_cred_handle);
-
- if (tty[sizeof("tty")-1] == 'd')
- syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);
- if (pwd->pw_uid == 0)
- if (hostname)
- syslog(LOG_NOTICE, "ROOT LOGIN %s FROM %.*s",
- tty, UT_HOSTSIZE, hostname);
- else
- syslog(LOG_NOTICE, "ROOT LOGIN %s", tty);
-
- if (!quietlog) {
- struct stat st;
-
- motd();
- (void)sprintf(tbuf, "%s/%s", MAILDIR, pwd->pw_name);
- if (stat(tbuf, &st) == 0 && st.st_size != 0)
- printf("You have %smail.\n",
- (st.st_mtime > st.st_atime) ? "new " : "");
- }
-
-#ifdef VFS
- if (! access( QUOTAWARN, X_OK)) (void) system(QUOTAWARN);
-#endif /* VFS */
- (void)signal(SIGALRM, SIG_DFL);
- (void)signal(SIGQUIT, SIG_DFL);
- (void)signal(SIGINT, SIG_DFL);
- (void)signal(SIGTSTP, SIG_IGN);
-
- tbuf[0] = '-';
- (void) strcpy(tbuf + 1, (p = rindex(pwd->pw_shell, '/')) ?
- p + 1 : pwd->pw_shell);
- execlp(pwd->pw_shell, tbuf, 0);
- fprintf(stderr, "login: no shell: ");
- perror(pwd->pw_shell);
- exit(0);
-}
-
-getloginname()
-{
- register int ch;
- register char *p;
- static char nbuf[UT_NAMESIZE + 1];
-
- for (;;) {
- printf("login: ");
- for (p = nbuf; (ch = getchar()) != '\n'; ) {
- if (ch == EOF)
- exit(0);
- if (p < nbuf + UT_NAMESIZE)
- *p++ = ch;
- }
- if (p > nbuf)
- if (nbuf[0] == '-')
- fprintf(stderr,
- "login names may not start with '-'.\n");
- else {
- *p = '\0';
- username = nbuf;
- break;
- }
- }
-}
-
-sigtype
-timedout()
-{
- fprintf(stderr, "Login timed out after %d seconds\n", timeout);
- exit(0);
-}
-
-#ifdef NOTTYENT
-int root_tty_security = 0;
-#endif
-rootterm(tty)
- char *tty;
-{
-#ifdef NOTTYENT
- return(root_tty_security);
-#else
- struct ttyent *t;
-
- return((t = getttynam(tty)) && t->ty_status&TTY_SECURE);
-#endif /* NOTTYENT */
-}
-
-jmp_buf motdinterrupt;
-
-motd()
-{
- register int fd, nchars;
- sigtype (*oldint)(), sigint();
- char tbuf[8192];
-
- if ((fd = open(MOTDFILE, O_RDONLY, 0)) < 0)
- return;
- signal(SIGINT, sigint);
-
- if (setjmp(motdinterrupt) == 0)
- while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
- (void)write(fileno(stdout), tbuf, nchars);
- (void)close(fd);
-}
-
-sigtype
-sigint()
-{
- longjmp(motdinterrupt, 1);
-}
-
-checknologin()
-{
- register int fd, nchars;
- char tbuf[8192];
-
- if ((fd = open(NOLOGIN, O_RDONLY, 0)) >= 0) {
- while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
- (void)write(fileno(stdout), tbuf, nchars);
- sleepexit(0);
- }
-}
-
-dolastlog(quiet, tty)
- int quiet;
- char *tty;
-{
- struct lastlog ll;
- int fd;
-
- if ((fd = open(LASTLOG, O_RDWR, 0)) >= 0) {
- (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
- if (!quiet) {
- if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) &&
- ll.ll_time != 0) {
- printf("Last login: %.*s ",
- 24-5, (char *)ctime(&ll.ll_time));
- if (*ll.ll_host != '\0')
- printf("from %.*s\n",
- sizeof(ll.ll_host), ll.ll_host);
- else
- printf("on %.*s\n",
- sizeof(ll.ll_line), ll.ll_line);
- }
- (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
- }
- (void)time(&ll.ll_time);
- (void) strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
- if (hostname)
- (void) strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
- else
- (void) bzero(ll.ll_host, sizeof(ll.ll_host));
- (void)write(fd, (char *)&ll, sizeof(ll));
- (void)close(fd);
- }
-}
-
-#undef UNKNOWN
-#define UNKNOWN "su"
-
-char *
-stypeof(ttyid)
- char *ttyid;
-{
-#ifdef NOTTYENT
- return(UNKNOWN);
-#else
- struct ttyent *t;
-
- return(ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN);
-#endif
-}
-
-doremotelogin(host)
- char *host;
-{
- static char lusername[UT_NAMESIZE+1];
- char rusername[UT_NAMESIZE+1];
-
- getstr(rusername, sizeof(rusername), "remuser");
- getstr(lusername, sizeof(lusername), "locuser");
- getstr(term, sizeof(term), "Terminal type");
- username = lusername;
- pwd = getpwnam(username);
- if (pwd == NULL)
- return(-1);
- return(ruserok(host, (pwd->pw_uid == 0), rusername, username));
-}
-
-do_gss_login(host)
- char *host;
-{
- int j, tokenlen, partlen, numbuf, i, debugflag = 0, auth_valid;
- unsigned char token[GSS_C_MAX_TOKEN], *charp, *cp, *address;
- unsigned char tokenheader[4], send_tokenheader[4];
- char targ_printable[GSS_C_MAX_PRINTABLE_NAME];
- char lhostname[GSS_C_MAX_PRINTABLE_NAME];
- unsigned char chanbinding[8];
- int chanbinding_len;
- static char lusername[UT_NAMESIZE+1], rusername[UT_NAMESIZE+1];
- int hostlen, xcc, need_to_exit = 0;
-/*
- * GSS API support
- */
- gss_OID_set actual_mechs;
- gss_OID actual_mech_type, output_name_type;
- int major_status, status, msg_ctx = 0, new_status;
- int req_flags = 0, ret_flags, lifetime_rec;
- gss_cred_id_t gss_cred_handle;
- gss_ctx_id_t actual_ctxhandle;
- gss_buffer_desc output_token, input_token, input_name_buffer;
- gss_buffer_desc status_string;
- gss_name_t desired_targname, src_name;
- gss_channel_bindings input_chan_bindings;
-
-
- j = sphinx_net_read(3, tokenheader, 4);
- if ((tokenheader[0] != TOKEN_MAJIC_NUMBER_BYTE0) || (tokenheader[1] != TOKEN_MAJIC_NUMBER_BYTE1)) {
- exit(0);
- }
- tokenlen = tokenheader[2] * 256 + tokenheader[3];
-
- if (tokenlen > sizeof(token)) {
- syslog(LOG_INFO, "token is too large, size is %d, buffer size is %d",
- tokenlen, sizeof(token));
- exit(0);
- }
-
- charp = token;
- j = sphinx_net_read(3, token, tokenlen);
- if (j != tokenlen)
- syslog(LOG_INFO,"%d = read(3, token, %d)",j, tokenlen);
- close(3);
-
- gethostname(lhostname, sizeof(lhostname));
-
- strcpy(targ_printable, "SERVICE:rlogin@");
- strcat(targ_printable, lhostname);
-/*
- strcpy(targetname, lhostname);
- if ((cp = index(targetname, '.')) != 0) *cp = '\0';
-*/
-
- input_name_buffer.length = strlen(targ_printable);
- input_name_buffer.value = targ_printable;
-
- major_status = gss_import_name(&status,
- &input_name_buffer,
- GSS_C_NULL_OID,
- &desired_targname);
-
- major_status = gss_acquire_cred(&status,
- desired_targname,
- 0,
- GSS_C_NULL_OID_SET,
- GSS_C_ACCEPT,
- &gss_cred_handle,
- &actual_mechs,
- &lifetime_rec);
-
- major_status = gss_release_name(&status, desired_targname);
-
- if (major_status != GSS_S_COMPLETE) {
- xcc = write(0, "AuthentError", 12);
- if (xcc <= 0)
- syslog(LOG_INFO, "write(0, resp, 12): %m");
-
- gss_display_status(&new_status,
- status,
- GSS_C_MECH_CODE,
- GSS_C_NULL_OID,
- &msg_ctx,
- &status_string);
- fprintf(stderr, "%s - ", status_string.value);
- return(0);
- }
-
- getstr(rusername, sizeof (rusername), "remuser");
- getstr(lusername, sizeof (lusername), "locuser");
- getstr(term, sizeof(term), "Terminal type");
-
- username = lusername;
-
- pwd = getpwnam(lusername);
- if (pwd == NULL) {
- syslog(LOG_INFO,"passwd entry for '%s' is NULL",lusername);
-/*
- xcc = write(0, "Auth Error ", 12);
- if (xcc <= 0)
- syslog(LOG_INFO, "write(0, resp, 12): %m");
- fprintf(stderr, "SPX : user account '%s' doesn't exist - ", lusername);
-*/
- }
-
- if (major_status != GSS_S_COMPLETE) {
- xcc = write(0, "AuthentError", 12);
- if (xcc <= 0)
- syslog(LOG_INFO, "write(0, resp, 12): %m");
-
- gss_display_status(&new_status,
- status,
- GSS_C_MECH_CODE,
- GSS_C_NULL_OID,
- &msg_ctx,
- &status_string);
- fprintf(stderr, "%s - ", status_string.value);
- return(0);
- }
-
- if (pwd != NULL) seteuid(pwd->pw_uid);
-
- {
- char myhost[32];
- int from_addr=0, to_addr=0, myhostlen, j;
- struct hostent *my_hp, *from_hp;
- struct sockaddr_in sin, sin2;
-
- from_hp=gethostbyname(host);
- if (from_hp != 0) {
- bcopy(from_hp->h_addr_list[0],
- (caddr_t)&sin.sin_addr, from_hp->h_length);
-#ifdef ultrix
- from_addr = sin.sin_addr.S_un.S_addr;
-#else
- from_addr = sin.sin_addr.s_addr;
-#endif
- } else {
- from_addr = inet_addr(host);
- }
- from_addr = htonl(from_addr);
- j=gethostname(myhost, sizeof(myhost));
- my_hp=gethostbyname(myhost);
- if (my_hp != 0) {
- bcopy(my_hp->h_addr_list[0],
- (caddr_t)&sin2.sin_addr, my_hp->h_length);
-#ifdef ultrix
- to_addr = sin2.sin_addr.S_un.S_addr;
-#else
- to_addr = sin2.sin_addr.s_addr;
-#endif
- to_addr = htonl(to_addr);
- }
-
- input_chan_bindings = (gss_channel_bindings)
- malloc(sizeof(struct gss_channel_bindings_desc));
-
- input_chan_bindings->initiator_addrtype = GSS_C_AF_INET;
- input_chan_bindings->initiator_address.length = 4;
- address = (char *) malloc(4);
- input_chan_bindings->initiator_address.value = (char *) address;
- address[0] = ((from_addr & 0xff000000) >> 24);
- address[1] = ((from_addr & 0xff0000) >> 16);
- address[2] = ((from_addr & 0xff00) >> 8);
- address[3] = (from_addr & 0xff);
- input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET;
- input_chan_bindings->acceptor_address.length = 4;
- address = (char *) malloc(4);
- input_chan_bindings->acceptor_address.value = (char *) address;
- address[0] = ((to_addr & 0xff000000) >> 24);
- address[1] = ((to_addr & 0xff0000) >> 16);
- address[2] = ((to_addr & 0xff00) >> 8);
- address[3] = (to_addr & 0xff);
- input_chan_bindings->application_data.length = 0;
- }
-
- input_token.length = tokenlen;
- input_token.value = token;
-
- major_status = gss_accept_sec_context(&status,
- &context_handle,
- gss_cred_handle,
- &input_token,
- input_chan_bindings,
- &src_name,
- &actual_mech_type,
- &output_token,
- &ret_flags,
- &lifetime_rec,
- &gss_delegated_cred_handle);
-
- if (output_token.length != 0) {
-
- send_tokenheader[0] = TOKEN_MAJIC_NUMBER_BYTE0;
- send_tokenheader[1] = TOKEN_MAJIC_NUMBER_BYTE1;
- send_tokenheader[2] = ((output_token.length & 0xff00) >> 8);
- send_tokenheader[3] = (output_token.length & 0xff);
-
- xcc = write(0, (char *) send_tokenheader, 4);
- if (xcc != 4)
- syslog(LOG_INFO, "write(0, send_tokenheader, 4): %m");
-
- xcc = write(0, (char *) output_token.value, output_token.length);
- if (xcc <= 0)
- syslog(LOG_INFO, "write(0, resp, %d): %m",output_token.length);
- }
-
- if (pwd == NULL) {
- fprintf(stderr, "SPX : user account '%s' doesn't exist - ", lusername);
- return(-1);
- }
- if (getuid()) {
- syslog(LOG_INFO,"getuid() is 0, so return nouser");
- return(0);
- }
-
- if (major_status != GSS_S_COMPLETE) {
- syslog(LOG_INFO, "got error on accept\n");
- gss_display_status(&new_status,
- status,
- GSS_C_MECH_CODE,
- GSS_C_NULL_OID,
- &msg_ctx,
- &status_string);
- fprintf(stderr, "%s - ", status_string.value);
- return(-1);
- }
-
-#ifdef SPX_CHALLENGE
- /*
- * if trying to login to root account, then we need to verify response
- * proving that the user is interactive.
- *
- */
- if (strcmp(lusername, "root")==0) {
- j = sphinx_net_read(0, tokenheader, 4);
- if (j != 4)
- syslog(LOG_INFO,"%d = read(0, token, 4)",j);
-
- if ((tokenheader[0] != TOKEN_MAJIC_NUMBER_BYTE0) ||
-(tokenheader[1] != TOKEN_MAJIC_NUMBER_BYTE1)) {
- exit(0);
- }
- tokenlen = tokenheader[2] * 256 + tokenheader[3];
- if (tokenlen > sizeof(token)) {
- syslog(LOG_INFO, "token too large, %d/%d",tokenlen,sizeof(token));
- exit(0);
- }
-
- charp = token;
- j = sphinx_net_read(0, token, tokenlen);
- if (j != tokenlen)
- syslog(LOG_INFO,"%d = read(0, token, %d)",j, tokenlen);
- major_status = spx_verify_response(&status,
- context_handle,
- gss_cred_handle,
- token,
- tokenlen);
- if (major_status != GSS_S_COMPLETE) {
- gss_display_status(&new_status,
- status,
- GSS_C_MECH_CODE,
- GSS_C_NULL_OID,
- &msg_ctx,
- &status_string);
- fprintf(stderr, "%s - ", status_string.value);
- return(0);
- }
- }
-#endif /* SPX_CHALLENGE */
-
- seteuid(0);
-
- {
- gss_buffer_desc fullname_buffer, luser_buffer, acl_file_buffer;
- gss_buffer_desc service_buffer, resource_buffer;
- gss_OID fullname_type;
- int access_mode;
- char acl_file[160], service[60], resource[160];
-
- major_status = gss_display_name(&status,
- src_name,
- &fullname_buffer,
- &fullname_type);
-
- luser_buffer.value = lusername;
- luser_buffer.length = strlen(lusername);
-
- strcpy(acl_file, pwd->pw_dir);
- strcat(acl_file, "/.sphinx");
- acl_file_buffer.value = acl_file;
- acl_file_buffer.length = strlen(acl_file);
-
- strcpy(service, "flogin");
- service_buffer.value = service;
- service_buffer.length = 6;
- resource[0] = '\0';
- resource_buffer.value = resource;
- resource_buffer.length = 0;
- access_mode = GSS_C_READ | GSS_C_WRITE;
-
- major_status = gss__check_authorization(&status,
- &fullname_buffer,
- &luser_buffer,
- &acl_file_buffer,
- &service_buffer,
- access_mode,
- &resource_buffer);
-
- if (major_status != GSS_S_COMPLETE) {
- if (strcmp(lusername, "root")==0)
- syslog(LOG_INFO, "root authorization denied - '%s'", src_name);
- fprintf(stderr,
- "SPX : authorization denied to user account '%s' - ",
- lusername);
- return(-1);
- } else {
- strcpy(userfullname, src_name);
- strcpy(userlocalname, rusername);
- }
- major_status = gss_release_buffer(&status, &fullname_buffer);
- return(1);
- }
-}
-
-getstr(buf, cnt, err)
- char *buf, *err;
- int cnt;
-{
- char ch;
-
- do {
- if (read(0, &ch, sizeof(ch)) != sizeof(ch))
- exit(1);
- if (--cnt < 0) {
- fprintf(stderr, "%s too long\r\n", err);
- sleepexit(1);
- }
- *buf++ = ch;
- } while (ch);
-}
-
-char *speeds[] = {
- "0", "50", "75", "110", "134", "150", "200", "300", "600",
- "1200", "1800", "2400", "4800", "9600", "19200", "38400",
-};
-#define NSPEEDS (sizeof(speeds) / sizeof(speeds[0]))
-
-doremoteterm(tp)
- struct sgttyb *tp;
-{
- register char *cp = index(term, '/'), **cpp;
- char *speed;
-
- if (cp) {
- *cp++ = '\0';
- speed = cp;
- cp = index(speed, '/');
- if (cp)
- *cp++ = '\0';
- for (cpp = speeds; cpp < &speeds[NSPEEDS]; cpp++)
- if (strcmp(*cpp, speed) == 0) {
- tp->sg_ispeed = tp->sg_ospeed = cpp-speeds;
- break;
- }
- }
- tp->sg_flags = ECHO|CRMOD|ANYP|XTABS;
-}
-
-sleepexitnew(eval, interval)
- int eval, interval;
-{
- sleep((u_int)interval);
- exit(eval);
-}
-
-
-sleepexit(eval)
- int eval;
-{
- sleep((u_int)5);
- exit(eval);
-}
+++ /dev/null
-/*
- * Copyright (c) 1988 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)login.c 5.1 (Berkeley) 9/27/88";
-#endif /* LIBC_SCCS and not lint */
-
-#include <sys/types.h>
-#include <sys/file.h>
-#include <utmp.h>
-#include <stdio.h>
-#include <sys/time.h>
-#include <sys/stat.h>
-
-#define UTMPFILE "/etc/utmp"
-#define WTMPFILE "/usr/adm/wtmp"
-
-void
-login(ut)
- struct utmp *ut;
-{
- register int fd;
- int tty;
- off_t lseek();
-
- tty = ttyslot();
- if (tty > 0 && (fd = open(UTMPFILE, O_WRONLY, 0)) >= 0) {
- (void)lseek(fd, (long)(tty * sizeof(struct utmp)), L_SET);
- (void)write(fd, (char *)ut, sizeof(struct utmp));
- (void)close(fd);
- }
- if ((fd = open(WTMPFILE, O_WRONLY|O_APPEND, 0)) >= 0) {
- (void)write(fd, (char *)ut, sizeof(struct utmp));
- (void)close(fd);
- }
-}
-/*
- * Copyright (c) 1988 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)logout.c 5.1 (Berkeley) 8/31/88";
-#endif /* LIBC_SCCS and not lint */
-
-logout(line)
- register char *line;
-{
- register FILE *fp;
- struct utmp ut;
- int rval;
- time_t time();
-
- if (!(fp = fopen(UTMPFILE, "r+")))
- return(0);
- rval = 1;
- while (fread((char *)&ut, sizeof(struct utmp), 1, fp) == 1) {
- if (!ut.ut_name[0] ||
- strncmp(ut.ut_line, line, sizeof(ut.ut_line)))
- continue;
- bzero(ut.ut_name, sizeof(ut.ut_name));
- bzero(ut.ut_host, sizeof(ut.ut_host));
- (void)time(&ut.ut_time);
- (void)fseek(fp, (long)-sizeof(struct utmp), L_INCR);
- (void)fwrite((char *)&ut, sizeof(struct utmp), 1, fp);
- (void)fseek(fp, (long)0, L_INCR);
- rval = 0;
- }
- (void)fclose(fp);
- return(rval);
-}
-/*
- * Copyright (c) 1988 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)logwtmp.c 5.2 (Berkeley) 9/20/88";
-#endif /* LIBC_SCCS and not lint */
-
-logwtmp(line, name, host)
- char *line, *name, *host;
-{
- struct utmp ut;
- struct stat buf;
- int fd;
- time_t time();
- char *strncpy();
-
- if ((fd = open(WTMPFILE, O_WRONLY|O_APPEND, 0)) < 0)
- return;
- if (!fstat(fd, &buf)) {
- (void)strncpy(ut.ut_line, line, sizeof(ut.ut_line));
- (void)strncpy(ut.ut_name, name, sizeof(ut.ut_name));
- (void)strncpy(ut.ut_host, host, sizeof(ut.ut_host));
- (void)time(&ut.ut_time);
- if (write(fd, (char *)&ut, sizeof(struct utmp)) !=
- sizeof(struct utmp))
- (void)ftruncate(fd, buf.st_size);
- }
- (void)close(fd);
-}
+++ /dev/null
-/*
- * seal.c --- seal message
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_seal(minor_status, context, conf_req_flag, qop_req,
- input_message_buffer, conf_state, output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- int conf_req_flag;
- int qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
-{
- krb5_data inbuf, outbuf;
-
- *minor_status = 0;
-
- inbuf.length = input_message_buffer->length;
- inbuf.data = input_message_buffer->value;
- if (conf_req_flag) {
- int priv_flags = 0;
- int eblock_size;
- char *i_vector;
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- priv_flags = KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME;
- /*
- * Initialize the initial vector.
- */
- eblock_size =
- krb5_keytype_array[context->session_key->keytype]->
- system->block_length;
- if (!(i_vector=malloc(eblock_size))) {
- return(GSS_S_FAILURE);
- }
- memset(i_vector, 0, eblock_size);
- if (*minor_status = krb5_mk_priv(&inbuf, ETYPE_DES_CBC_CRC,
- context->session_key,
- &context->my_address,
- &context->his_address,
- context->my_seq_num,
- priv_flags,
- 0, /* no rcache */
- i_vector,
- &outbuf))
- return(GSS_S_FAILURE);
- if (*minor_status = gss_make_token(minor_status,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_PRIV,
- outbuf.length,
- outbuf.data,
- output_message_buffer)) {
- krb5_xfree(outbuf.data);
- return(GSS_S_FAILURE);
- }
- if (conf_state)
- *conf_state = 1;
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- context->my_seq_num++;
- return(GSS_S_COMPLETE);
- } else {
- int safe_flags = 0;
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- safe_flags = KRB5_SAFE_DOSEQUENCE|KRB5_SAFE_NOTIME;
- if (*minor_status = krb5_mk_safe(&inbuf,
- CKSUMTYPE_RSA_MD4_DES,
- context->session_key,
- &context->my_address,
- &context->his_address,
- context->my_seq_num,
- safe_flags,
- 0, /* no rcache */
- &outbuf))
- return(GSS_S_FAILURE);
- if (*minor_status = gss_make_token(minor_status,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_SAFE,
- outbuf.length,
- outbuf.data,
- output_message_buffer)) {
- krb5_xfree(outbuf.data);
- return(GSS_S_FAILURE);
- }
- if (conf_state)
- *conf_state = 0;
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- context->my_seq_num++;
- return(GSS_S_COMPLETE);
- }
-}
-
-#ifdef notdef
-/*
- * XXX This is done inefficiently; the token in gss_sign does not need
- * to include the text of the data, just a cryptographic checksum to
- * act as a checksum. Nevertheless, this is a quick and dirty way to
- * get it to work. When we fix this so that it works for real, we
- * will need to let gss_verify accept both, and change the servers
- * first.
- */
-
-OM_uint32 gss_sign(minor_status, context, qop_req,
- input_message_buffer, output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- int qop_req;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
-{
- return(gss_seal(minor_status, context, 0, qop_req,
- input_message_buffer, NULL, output_message_buffer));
-}
-
-#endif
+++ /dev/null
-/*
- * sign.c --- sign message
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-#include <krb5/asn1.h>
-
-OM_uint32 gss_sign(minor_status, context, qop_req,
- input_message_buffer, output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- int qop_req;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
-{
- krb5_data inbuf, outbuf, *scratch;
- int safe_flags = 0;
- krb5_safe *message;
-
- *minor_status = 0;
-
- inbuf.length = input_message_buffer->length;
- inbuf.data = input_message_buffer->value;
-
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- safe_flags = KRB5_SAFE_DOSEQUENCE|KRB5_SAFE_NOTIME;
- if (*minor_status = krb5_mk_safe(&inbuf,
- CKSUMTYPE_RSA_MD4_DES,
- context->session_key,
- &context->my_address,
- &context->his_address,
- context->my_seq_num,
- safe_flags,
- 0, /* no rcache */
- &outbuf))
- return(GSS_S_FAILURE);
- if (*minor_status = decode_krb5_safe(&outbuf, &message))
- return(GSS_S_FAILURE);
- message->user_data.length = 1;
- krb5_xfree(outbuf.data);
- if (*minor_status = encode_krb5_safe(&message, &scratch)) {
- krb5_free_safe(message);
- return(GSS_S_FAILURE);
- }
- krb5_free_safe(message);
- if (*minor_status = gss_make_token(minor_status,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_SIGN,
- scratch->length,
- scratch->data,
- output_message_buffer)) {
- krb5_free_data(scratch);
- return(GSS_S_FAILURE);
- }
- krb5_free_data(scratch);
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- context->my_seq_num++;
- return(GSS_S_COMPLETE);
-}
-
+++ /dev/null
-/*
- * seal.c --- seal message
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-
-OM_uint32 gss_unseal(minor_status, context, input_message_buffer,
- output_message_buffer, conf_state, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- int *qop_state;
-{
- OM_uint32 retval;
- krb5_data inbuf, outbuf;
- int token_type;
-
- *minor_status = 0;
-
- if (retval = gss_check_token(minor_status, input_message_buffer,
- GSS_API_KRB5_TYPE, 0))
- return(retval);
- token_type = ((char *) input_message_buffer->value)[2];
- if ((token_type != GSS_API_KRB5_SAFE) &&
- (token_type != GSS_API_KRB5_PRIV))
- return(GSS_S_DEFECTIVE_TOKEN);
- inbuf.length = input_message_buffer->length-4;
- inbuf.data = ( (char *) input_message_buffer->value)+4;
- if (token_type == GSS_API_KRB5_PRIV) {
- int priv_flags = 0;
- int eblock_size;
- char *i_vector;
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- priv_flags = KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME;
- /*
- * Initialize the initial vector.
- */
- eblock_size =
- krb5_keytype_array[context->session_key->keytype]->
- system->block_length;
- if (!(i_vector=malloc(eblock_size))) {
- return(GSS_S_FAILURE);
- }
- memset(i_vector, 0, eblock_size);
- if (*minor_status = krb5_rd_priv(&inbuf,
- context->session_key,
- &context->his_address,
- &context->my_address,
- context->his_seq_num,
- priv_flags,
- i_vector,
- 0, /* no rcache */
- &outbuf))
- return(GSS_S_FAILURE);
- if (conf_state)
- *conf_state = 1;
- } else {
- int safe_flags = 0;
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- safe_flags = KRB5_SAFE_DOSEQUENCE|KRB5_SAFE_NOTIME;
- if (*minor_status = krb5_rd_safe(&inbuf,
- context->session_key,
- &context->his_address,
- &context->my_address,
- context->his_seq_num,
- safe_flags,
- 0, /* no rcache */
- &outbuf))
- return(GSS_S_FAILURE);
- if (conf_state)
- *conf_state = 0;
- }
- if (qop_state)
- *qop_state = 0;
- output_message_buffer->length = outbuf.length;
- output_message_buffer->value = outbuf.data;
- return(GSS_S_COMPLETE);
-}
-
-#ifdef notdef
-OM_uint32 gss_verify(minor_status, context, message_buffer,
- token_buffer, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- int *qop_state;
-{
- OM_uint32 retval, ret;
- gss_buffer_desc buf;
- gss_buffer_t output_message_buffer = &buf;
-
-
- if (retval = gss_unseal(minor_status, context, message_buffer,
- output_message_buffer, NULL, qop_state))
- return(retval);
- if (token_buffer->length != output_message_buffer->length)
- ret = GSS_S_BAD_SIG;
- else if (!memcmp(token_buffer->value, output_message_buffer->value,
- token_buffer->length))
- ret = GSS_S_BAD_SIG;
- if (retval = gss_release_buffer(minor_status, output_message_buffer))
- return(retval);
- return(ret);
-}
-
-#endif
+++ /dev/null
-/*
- * verify.c --- verify message
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include <gssapi.h>
-#include <krb5/asn1.h>
-
-OM_uint32 gss_verify(minor_status, context, message_buffer,
- token_buffer, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- int *qop_state;
-{
- OM_uint32 retval;
- krb5_data inbuf, outbuf, *scratch;
- krb5_safe *message;
- int safe_flags = 0;
-
- *minor_status = 0;
-
- if (retval = gss_check_token(minor_status, message_buffer,
- GSS_API_KRB5_TYPE, GSS_API_KRB5_SIGN))
- return(retval);
- inbuf.length = token_buffer->length-4;
- inbuf.data = ( (char *) token_buffer->value)+4;
- if (*minor_status = decode_krb5_safe(&inbuf, &message))
- return(GSS_S_FAILURE);
- if (message->user_data.data)
- krb5_xfree(message->user_data.data);
- message->user_data.length = message_buffer->length;
- message->user_data.data = message_buffer->value;
- if (*minor_status = encode_krb5_safe(&message, &scratch)) {
- message->user_data.data = NULL;
- krb5_free_safe(message);
- return(GSS_S_FAILURE);
- }
- message->user_data.data = NULL;
- krb5_free_safe(message);
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- safe_flags = KRB5_SAFE_DOSEQUENCE|KRB5_SAFE_NOTIME;
- if (*minor_status = krb5_rd_safe(scratch,
- context->session_key,
- &context->his_address,
- &context->my_address,
- context->his_seq_num,
- safe_flags,
- 0, /* no rcache */
- &outbuf)) {
- krb5_free_data(scratch);
- return(GSS_S_FAILURE);
- }
- krb5_free_data(scratch);
- if (qop_state)
- *qop_state = 0;
- return(GSS_S_COMPLETE);
-}
projects / krb5.git / commitdiff