From: Tom Yu Date: Wed, 27 Nov 2002 03:09:35 +0000 (+0000) Subject: Merge more KfM krb4 things X-Git-Tag: krb5-1.3-alpha1~260 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=a6949b28c7db5fa6cf7e6d0e455e83d92627196e;p=krb5.git Merge more KfM krb4 things Implement *_in_tkt_creds, mk_req_creds, and rd_req_int functions. Implement KfM krb4 kadm password changing, mostly by pulling in the client side of the kadm library into the krb4 library. Do some more header file cleanup of des.h and krb.h. Remove some ancient krb4 dead weight. Some Mac-specific functionality still needs to be merged. ticket: 1189 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15014 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/include/ChangeLog b/src/include/ChangeLog index 8007aafbe..0cf22ca70 100644 --- a/src/include/ChangeLog +++ b/src/include/ChangeLog @@ -1,3 +1,8 @@ +2002-11-26 Tom Yu + + * port-sockets.h: Add SOCKET_CONNECT, SOCKET_GETSOCKNAME, and + SOCKET_CLOSE to allow for porting of some KfM things. + 2002-11-14 Tom Yu * Makefile.in: Remove references to adm_err.h from here too. diff --git a/src/include/kerberosIV/ChangeLog b/src/include/kerberosIV/ChangeLog index 8c8fa69b7..bbee33b22 100644 --- a/src/include/kerberosIV/ChangeLog +++ b/src/include/kerberosIV/ChangeLog 
@@ -1,3 +1,31 @@ +2002-11-26 Tom Yu + + * Makefile.in (KRB4_HEADERS): Don't install kadm.h anymore. + + * des.h: Put "#" characters in first column. Do the + KRBINT_BEGIN_DECLS hack to make emacs happy. Shuffle limits.h + inclusion to be outside C++ and Mac alignment magic. + + * kadm.h: Remove some spurious prototypes. Rename a bunch of + internal kadm_stream stuff to avoid stomping on namespace. Add + prototypes for some client-side kadm stuff. + + * krb.h: Do Mac CFM magic. Do C++ mangling protection. Do Mac + alignment magic. Move inclusions outside of C++ mangling + protection and Mac magic. Add KRB5_CALLCONV to a few functions + that KfM's krb.h exports. Merge the *_in_tkt_*_creds, + mk_req_creds, and rd_req_int functions from KfM. Add prototypes + for some KfM-specific things yet to be merged. + + * prot.h: Don't include krb_conf.h anymore. Twiddle the int + encoding/decoding macros a little. + + * des_conf.h: + * highc.h: + * krb_conf.h: + * passwd_server.h: + * principal.h: Remove, since they're obsolete. + 2002-10-07 Sam Hartman * Makefile.in: Support install-headers diff --git a/src/include/kerberosIV/Makefile.in b/src/include/kerberosIV/Makefile.in index e48321ec6..d54101dcd 100644 --- a/src/include/kerberosIV/Makefile.in +++ b/src/include/kerberosIV/Makefile.in @@ -3,7 +3,7 @@ myfulldir=include/kerberosIV mydir=kerberosIV MY_SUBDIRS=. BUILDTOP=$(REL)..$(S).. -KRB4_HEADERS=krb.h des.h kadm.h mit-copyright.h +KRB4_HEADERS=krb.h des.h mit-copyright.h all-unix:: krb_err.h diff --git a/src/include/kerberosIV/des.h b/src/include/kerberosIV/des.h index 46a4f527d..d51120958 100644 --- a/src/include/kerberosIV/des.h +++ b/src/include/kerberosIV/des.h 
@@ -27,25 +27,37 @@ */ #if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__)) - #include - #if TARGET_RT_MAC_CFM - #error "Use KfM 4.0 SDK headers for CFM compilation." - #endif +# include +# if TARGET_RT_MAC_CFM +# error "Use KfM 4.0 SDK headers for CFM compilation." +# endif +#endif + +#ifdef __cplusplus +#ifndef KRBINT_BEGIN_DECLS +#define KRBINT_BEGIN_DECLS extern "C" { +#define KRBINT_END_DECLS } +#endif +#else +#define KRBINT_BEGIN_DECLS +#define KRBINT_END_DECLS #endif #ifndef KRB5INT_DES_TYPES_DEFINED #define KRB5INT_DES_TYPES_DEFINED +#include + +KRBINT_BEGIN_DECLS + #if TARGET_OS_MAC - #if defined(__MWERKS__) - #pragma import on - #pragma enumsalwaysint on - #endif - #pragma options align=mac68k +# if defined(__MWERKS__) +# pragma import on +# pragma enumsalwaysint on +# endif +# pragma options align=mac68k #endif -#include - #if UINT_MAX >= 0xFFFFFFFFUL #define DES_INT32 int #define DES_UINT32 unsigned int @@ -60,10 +72,12 @@ typedef unsigned char des_cblock[8]; /* crypto-block size */ * * This used to be * - * typedef struct des_ks_struct { union { DES_INT32 pad; des_cblock _;} __; } des_key_schedule[16]; + * typedef struct des_ks_struct { + * union { DES_INT32 pad; des_cblock _;} __; + * } des_key_schedule[16]; * - * but it would cause trouble if DES_INT32 is ever more than 4 bytes. - * The reason is that all the encryption functions cast it to + * but it would cause trouble if DES_INT32 were ever more than 4 + * bytes. The reason is that all the encryption functions cast it to * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the * caller-allocated des_key_schedule will be overflowed by the key 
@@ -74,13 +88,15 @@ typedef unsigned char des_cblock[8]; /* crypto-block size */ typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]; #if TARGET_OS_MAC - #if defined(__MWERKS__) - #pragma enumsalwaysint reset - #pragma import reset - #endif - #pragma options align=reset +# if defined(__MWERKS__) +# pragma enumsalwaysint reset +# pragma import reset +# endif +# pragma options align=reset #endif +KRBINT_END_DECLS + #endif /* KRB5INT_DES_TYPES_DEFINED */ /* only do the whole thing once */ @@ -94,18 +110,6 @@ typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]; #ifndef KRB5INT_CRYPTO_DES_INT #define DES_DEFS -#if TARGET_OS_MAC - #if defined(__MWERKS__) - #pragma import on - #pragma enumsalwaysint on - #endif - #pragma options align=mac68k -#endif - -#if defined(_WIN32) && !defined(_WINDOWS) -#define _WINDOWS -#endif - #if defined(_WINDOWS) #ifndef KRB4 #define KRB4 1 @@ -114,6 +118,20 @@ typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]; #endif #include /* need FILE for des_cblock_print_file */ +KRBINT_BEGIN_DECLS + +#if TARGET_OS_MAC +# if defined(__MWERKS__) +# pragma import on +# pragma enumsalwaysint on +# endif +# pragma options align=mac68k +#endif + +#if defined(_WIN32) && !defined(_WINDOWS) +#define _WINDOWS +#endif + /* Windows declarations */ #ifndef KRB5_CALLCONV #define KRB5_CALLCONV @@ -221,12 +239,14 @@ void des_set_sequence_number(des_cblock); #endif /* TARGET_OS_MAC */ #if TARGET_OS_MAC - #if defined(__MWERKS__) - #pragma enumsalwaysint reset - #pragma import reset - #endif - #pragma options align=reset +# if defined(__MWERKS__) +# pragma enumsalwaysint reset +# pragma import reset +# endif +# pragma options align=reset #endif +KRBINT_END_DECLS + #endif /* KRB5INT_CRYPTO_DES_INT */ #endif /* DES_DEFS */ diff --git a/src/include/kerberosIV/des_conf.h b/src/include/kerberosIV/des_conf.h deleted file mode 100644 index 673eb93fb..000000000 --- a/src/include/kerberosIV/des_conf.h +++ /dev/null 
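Review bot: The `_WIN32` to `_WINDOWS` derivation is moved below the `#include` that provides FILE (the hunk at new line 118), which puts it after the `#if defined(_WINDOWS)` block that the hunk at new line 110 leaves directly under `#define DES_DEFS`. A compiler that predefines only `_WIN32` would then skip that block, including the `#define KRB4 1` visible in it, unless the build defines `_WINDOWS` itself. Keep `#if defined(_WIN32) && !defined(_WINDOWS)` / `#define _WINDOWS` / `#endif` ahead of `#if defined(_WINDOWS)`; these are preprocessor directives and do not need to sit inside `KRBINT_BEGIN_DECLS`. The rest of the `_WINDOWS` block lies between the two hunks and is not visible here.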
@@ -1,2 +0,0 @@
-This file is obsolete and should not be used any more.
-Use "conf.h" instead.
diff --git a/src/include/kerberosIV/highc.h b/src/include/kerberosIV/highc.h
deleted file mode 100644
index c45a85502..000000000
--- a/src/include/kerberosIV/highc.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * include/kerberosIV/highc.h
- *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Known breakage in the version of Metaware's High C compiler that
- * we've got available....
- */
-
-#define const
-/*#define volatile*/
-
-/*
- * Some builtin functions we can take advantage of for inlining....
- */
-
-#define abs _abs
-/* the _max and _min builtins accept any number of arguments */
-#undef MAX
-#define MAX(x,y) _max(x,y)
-#undef MIN
-#define MIN(x,y) _min(x,y)
-/*
- * I'm not sure if 65535 is a limit for this builtin, but it's
- * reasonable for a string length. Or is it?
- */
-/*#define strlen(s) _find_char(s,65535,0)*/
-#define bzero(ptr,len) _fill_char(ptr,len,'\0')
-#define bcmp(b1,b2,len) _compare(b1,b2,len)
diff --git a/src/include/kerberosIV/kadm.h b/src/include/kerberosIV/kadm.h index e3f47c059..e65af2926 100644 --- a/src/include/kerberosIV/kadm.h +++ b/src/include/kerberosIV/kadm.h @@ -1,8 +1,8 @@ /* * include/kerberosIV/kadm.h * - * Copyright 1988, 1994 by the Massachusetts Institute of Technology. - * All Rights Reserved. + * Copyright 1988, 1994, 2002 by the Massachusetts Institute of + * Technology. All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -23,7 +23,9 @@ * this software for any purpose. It is provided "as is" without express * or implied warranty. * - * Definitions for Kerberos administration server & client + * Definitions for Kerberos administration server & client. These + * should be considered private; among other reasons, it leaks all + * over the namespace. */ #ifndef KADM_DEFS 
@@ -47,18 +49,21 @@ /* The global structures for the client and server */ typedef struct { - struct sockaddr_in admin_addr; - struct sockaddr_in my_addr; - int my_addr_len; - int admin_fd; /* file descriptor for link to admin server */ - char sname[ANAME_SZ]; /* the service name */ - char sinst[INST_SZ]; /* the services instance */ - char krbrlm[REALM_SZ]; + struct sockaddr_in admin_addr; + struct sockaddr_in my_addr; + int my_addr_len; + int admin_fd; /* file descriptor for link to admin server */ + char sname[ANAME_SZ]; /* the service name */ + char sinst[INST_SZ]; /* the services instance */ + char krbrlm[REALM_SZ]; + /* KfM additions... */ + int default_port; + CREDENTIALS creds; /* The client's credentials (from krb_get_pw_in_tkt_creds)*/ } Kadm_Client; typedef struct { /* status of the server, i.e the parameters */ - int inter; /* Space for command line flags */ - char *sysfile; /* filename of server */ + int inter; /* Space for command line flags */ + char *sysfile; /* filename of server */ } admin_params; /* Well... it's the admin's parameters */ /* Largest password length to be supported */ @@ -92,9 +97,9 @@ typedef struct { u_char fields[FLDSZ]; /* The active fields in this struct */ char name[ANAME_SZ]; char instance[INST_SZ]; - unsigned long key_low; - unsigned long key_high; - unsigned long exp_date; + KRB_UINT32 key_low; + KRB_UINT32 key_high; + KRB_UINT32 exp_date; unsigned short attributes; unsigned char max_life; } Kadm_vals; /* The basic values structure in Kadm */ 
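Review bot: The new `CREDENTIALS creds` member makes `Kadm_Client` hold the client's ticket and session key (krb4's CREDENTIALS carries both) for as long as the struct lives, but the header does not say who clears it. Extend the field comment along the lines of `/* secret material: must be zeroed when the link is torn down */`, and confirm that `kadm_cli_disconn`, declared later in this header with its body outside this diff, wipes `creds` before the struct is reused or freed. Without that, copies of the struct and stack instances of it keep key material after the password change has finished.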
@@ -143,18 +148,47 @@ DELACL #define KADM_CYGNUS_EXT_BASE 64 #define DEL_ENT (KADM_CYGNUS_EXT_BASE+1) -extern long kdb_get_master_key(); /* XXX should be in krb_db.h */ -extern long kdb_verify_master_key(); /* XXX ditto */ - -extern long krb_mk_priv(), krb_rd_priv(); /* XXX should be in krb.h */ -extern void krb_set_tkt_string(); /* XXX ditto */ - -extern unsigned long quad_cksum(); /* XXX should be in des.h */ - #ifdef POSIX typedef void sigtype; #else typedef int sigtype; #endif +/* Avoid stomping on namespace... */ + +#define vals_to_stream kadm_vals_to_stream +#define build_field_header kadm_build_field_header +#define vts_string kadm_vts_string +#define vts_short kadm_vts_short +#define vts_long kadm_vts_long +#define vts_char kadm_vts_char + +#define stream_to_vals kadm_stream_to_vals +#define check_field_header kadm_check_field_header +#define stv_string kadm_stv_string +#define stv_short kadm_stv_short +#define stv_long kadm_stv_long +#define stv_char kadm_stv_char + +int vals_to_stream(Kadm_vals *, u_char **); +int build_field_header(u_char *, u_char **); +int vts_string(char *, u_char **, int); +int vts_short(KRB_UINT32, u_char **, int); +int vts_long(KRB_UINT32, u_char **, int); +int vts_char(KRB_UINT32, u_char **, int); + +int stream_to_vals(u_char *, Kadm_vals *, int); +int check_field_header(u_char *, u_char *, int); +int stv_string(u_char *, char *, int, int, int); +int stv_short(u_char *, u_short *, int, int); +int stv_long(u_char *, KRB_UINT32 *, int, int); +int stv_char(u_char *, u_char *, int, int); + +int kadm_init_link(char *, char *, char *, Kadm_Client *, int); +int kadm_cli_send(Kadm_Client *, u_char *, size_t, u_char **, size_t *); +int kadm_cli_conn(Kadm_Client *); +void kadm_cli_disconn(Kadm_Client *); +int kadm_cli_out(Kadm_Client *, u_char *, int, u_char **, size_t *); +int kadm_cli_keyd(Kadm_Client *, des_cblock, des_key_schedule); + #endif /* KADM_DEFS */ 
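Review bot: `kadm_cli_send` takes the request length as `size_t` while `kadm_cli_out`, declared three lines below it, takes an `int`, and all of the `stv_*` / `stream_to_vals` decoders take their offsets and bounds as unnamed `int` arguments. If a length is passed from one client function to the other (their bodies are not in this diff) it is narrowed silently. The three bare `int`s of `stv_string` also give no way to tell which one bounds the input stream and which one bounds the output buffer. Make the length type consistent, for example `int kadm_cli_out(Kadm_Client *, u_char *, size_t, u_char **, size_t *);`, and name the parameters in these prototypes after the definitions in lib/krb4, so that a reviewer of the callers can check that the stream length and the destination size are passed in the right positions.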
diff --git a/src/include/kerberosIV/krb.h b/src/include/kerberosIV/krb.h index 30376bcfd..fe28111c4 100644 --- a/src/include/kerberosIV/krb.h +++ b/src/include/kerberosIV/krb.h @@ -1,8 +1,8 @@ /* * include/kerberosIV/krb.h * - * Copyright 1987, 1988, 1994, 2001 by the Massachusetts Institute of - * Technology. All Rights Reserved. + * Copyright 1987, 1988, 1994, 2001, 2002 by the Massachusetts + * Institute of Technology. All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -30,17 +30,51 @@ #ifndef KRB_DEFS #define KRB_DEFS +#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__)) +# include +# if TARGET_RT_MAC_CFM +# error "Use KfM 4.0 SDK headers for CFM compilation." +# endif +#endif + +/* Define u_char, u_short, u_int, and u_long. */ +/* XXX these typdef names are not standardized! */ +#include + /* Need some defs from des.h */ #include -#define KRB4_32 DES_INT32 -#define KRB_INT32 DES_INT32 -#define KRB_UINT32 DES_UINT32 +#include /* XXX FIXME! */ + +#include #ifdef _WINDOWS #include #endif /* _WINDOWS */ +#ifdef __cplusplus +#ifndef KRBINT_BEGIN_DECLS +#define KRBINT_BEGIN_DECLS extern "C" { +#define KRBINT_END_DECLS } +#endif +#else +#define KRBINT_BEGIN_DECLS +#define KRBINT_END_DECLS +#endif +KRBINT_BEGIN_DECLS + +#if TARGET_OS_MAC +# if defined(__MWERKS__) +# pragma import on +# pragma enumsalwaysint on +# endif +# pragma options align=mac68k +#endif + +#define KRB4_32 DES_INT32 +#define KRB_INT32 DES_INT32 +#define KRB_UINT32 DES_UINT32 + /* Text describing error codes */ #define MAX_KRB_ERRORS 256 extern const char *const krb_err_txt[MAX_KRB_ERRORS]; @@ -74,6 +108,9 @@ extern const char *const krb_err_txt[MAX_KRB_ERRORS]; #define REALM_SZ 40 #define SNAME_SZ 40 #define INST_SZ 40 +/* + * NB: This overcounts due to NULs. + */ /* include space for '.' and '@' */ #define MAX_K_NAME_SZ (ANAME_SZ + INST_SZ + REALM_SZ + 2) #define KKEY_SZ 100 
@@ -117,7 +154,7 @@ typedef struct ktext KTEXT_ST; #endif /* PC */ /* Parameters for rd_ap_req */ -/* Maximum alloable clock skew in seconds */ +/* Maximum allowable clock skew in seconds */ #define CLOCK_SKEW 5*60 /* Filename for readservkey */ #define KEYFILE ((char*)krb__get_srvtabname("/etc/srvtab")) @@ -182,7 +219,10 @@ typedef struct msg_dat MSG_DAT; #define TKT_ROOT "/tmp/tkt" #endif /* PC */ -#include "kerberosIV/krb_err.h" /* XXX FIXME! */ +/* + * Error codes are now defined as offsets from com_err (krb_err.et) + * values. + */ #define KRB_ET(x) ((KRBET_ ## x) - ERROR_TABLE_BASE_krb) /* Error codes returned from the KDC */ @@ -267,7 +307,7 @@ typedef struct msg_dat MSG_DAT; #define KNAME_FMT KRB_ET(KNAME_FMT) /* 81 - Bad krb name fmt */ /* Error code returned by krb_mk_safe */ -#define SAFE_PRIV_ERROR -1 /* syscall error */ +#define SAFE_PRIV_ERROR (-1) /* syscall error */ /* Kerberos ticket flag field bit definitions */ #define K_FLAG_ORDER 0 /* bit 0 --> lsb */ @@ -279,6 +319,7 @@ typedef struct msg_dat MSG_DAT; #define K_FLAG_6 /* reserved */ #define K_FLAG_7 /* reserved, bit 7 --> msb */ +/* Are these needed anymore? */ #ifdef OLDNAMES #define krb_mk_req mk_ap_req #define krb_rd_req rd_ap_req @@ -330,9 +371,6 @@ typedef struct msg_dat MSG_DAT; #endif /*_WINDOWS*/ -/* Define u_char, u_short, u_int, and u_long. */ -#include - /* ask to disable IP address checking in the library */ extern int krb_ignore_ip_address; @@ -376,10 +414,6 @@ extern struct _krb5_context * krb5__krb4_context; struct sockaddr_in; -#ifdef __cplusplus -extern "C" { -#endif - /* dest_tkt.c */ int KRB5_CALLCONV dest_tkt (void); @@ -387,7 +421,8 @@ int KRB5_CALLCONV dest_tkt const char * KRB5_CALLCONV krb_get_err_text (int errnum); /* g_ad_tkt.c */ -int get_ad_tkt +/* Previously not KRB5_CALLCONV */ +int KRB5_CALLCONV get_ad_tkt (char *service, char *sinst, char *realm, int lifetime); /* g_admhst.c */ int KRB5_CALLCONV krb_get_admhst 
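Review bot: `#define CLOCK_SKEW 5*60` stays unparenthesized in the hunk that fixes the "allowable" typo, although this commit parenthesizes `SAFE_PRIV_ERROR` as `(-1)` two hunks later for the same reason. An expression such as `x / CLOCK_SKEW` or `x % CLOCK_SKEW` would expand with the wrong precedence and silently change the accepted skew window. Change it to `#define CLOCK_SKEW (5*60)`.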
@@ -397,15 +432,21 @@ int KRB5_CALLCONV krb_get_cred (char *service, char *instance, char *realm, CREDENTIALS *c); /* g_in_tkt.c */ -int krb_get_in_tkt +/* Previously not KRB5_CALLCONV */ +int KRB5_CALLCONV krb_get_in_tkt (char *k_user, char *instance, char *realm, char *service, char *sinst, int life, key_proc_type, decrypt_tkt_type, char *arg); -int krb_get_in_tkt_preauth +/* Previously not KRB5_CALLCONV */ +int KRB5_CALLCONV krb_get_in_tkt_preauth (char *k_user, char *instance, char *realm, char *service, char *sinst, int life, key_proc_type, decrypt_tkt_type, char *arg, char *preauth_p, int preauth_len); +/* From KfM */ +int KRB5_CALLCONV krb_get_in_tkt_creds(char *, char *, char *, char *, char *, + int, key_proc_type, decrypt_tkt_type, char *, CREDENTIALS *); + /* g_krbhst.c */ int KRB5_CALLCONV krb_get_krbhst (char *host, char *realm, int idx); @@ -427,11 +468,21 @@ int KRB5_CALLCONV krb_get_pw_in_tkt_preauth (char *k_user, char *instance, char *realm, char *service, char *sinstance, int life, char *password); +int KRB5_CALLCONV +krb_get_pw_in_tkt_creds(char *, char *, char *, + char *, char *, int, char *, CREDENTIALS *); + /* g_svc_in_tkt.c */ int KRB5_CALLCONV krb_get_svc_in_tkt (char *k_user, char *instance, char *realm, char *service, char *sinstance, int life, char *srvtab); +#if TARGET_OS_MAC && defined(__FILES__) +int KRB5_CALLCONV +FSp_krb_get_svc_in_tkt(char *, char *, char *, char *, char *, + int, const FSSpec *); +#endif + /* g_tf_fname.c */ int KRB5_CALLCONV krb_get_tf_fullname (char *ticket_file, char *name, char *inst, char *realm); @@ -453,6 +504,10 @@ int KRB5_CALLCONV krb_in_tkt int KRB5_CALLCONV kname_parse (char *name, char *inst, char *realm, char *fullname); +/* From KfM XXX to be merged*/ +int KRB5_CALLCONV kname_unparse + (char *, const char *, const char *, const char *); + int KRB5_CALLCONV k_isname (char *); int KRB5_CALLCONV k_isinst 
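Review bot: The new `krb_get_pw_in_tkt_creds` prototype is declared with unnamed parameters, unlike `krb_get_pw_in_tkt_preauth` directly above it, so the header no longer shows which `char *` carries the password or who owns the `CREDENTIALS` output. Name the parameters to match the neighbouring declarations and add a comment such as `/* On success fills *creds with the ticket and session key; caller zeroes it after use */`, with the wording to be confirmed against the implementation, which is not in this diff. The same applies to `krb_get_in_tkt_creds` in the g_in_tkt.c group, to `krb_mk_req_creds` and `krb_rd_req_int` in the mk_req.c and rd_req.c hunks, and to `krb_change_password`, whose five bare `char *` arguments do not show which are the old and new passwords.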
@@ -503,6 +558,12 @@ int KRB5_CALLCONV krb_mk_req (KTEXT authent, char *service, char *instance, char *realm, KRB4_32 checksum); +/* Merged from KfM */ +int KRB5_CALLCONV krb_mk_req_creds(KTEXT, CREDENTIALS *, KRB_INT32); + +/* Added CALLCONV (KfM exports w/o INTERFACE, but KfW doesn't export?) */ +int KRB5_CALLCONV krb_set_lifetime(int newval); + /* mk_safe.c */ long KRB5_CALLCONV krb_mk_safe (u_char *in, u_char *out, unsigned KRB4_32 length, @@ -510,12 +571,15 @@ long KRB5_CALLCONV krb_mk_safe struct sockaddr_in *sender, struct sockaddr_in *receiver); /* netread.c */ +/* XXX private */ int krb_net_read (int fd, char *buf, int len); /* netwrite.c */ +/* XXX private */ int krb_net_write (int fd, char *buf, int len); /* pkt_clen.c */ +/* XXX private */ int pkt_clen (KTEXT); /* put_svc_key.c */ @@ -523,6 +587,11 @@ int KRB5_CALLCONV put_svc_key (char *sfile, char *name, char *inst, char *realm, int newvno, char *key); +#if TARGET_OS_MAC && defined(__FILES__) +int KRB5_CALLCONV FSp_put_svc_key(const FSSpec *, char *, char *, char *, + int, char *); +#endif + /* rd_err.c */ int KRB5_CALLCONV krb_rd_err (u_char *in, u_long in_length, @@ -539,6 +608,10 @@ int KRB5_CALLCONV krb_rd_req (KTEXT, char *service, char *inst, unsigned KRB4_32 from_addr, AUTH_DAT *, char *srvtab); +/* Merged from KfM */ +int KRB5_CALLCONV +krb_rd_req_int(KTEXT, char *, char *, KRB_UINT32, AUTH_DAT *, C_Block); + /* rd_safe.c */ long KRB5_CALLCONV krb_rd_safe (u_char *in, unsigned KRB4_32 in_length, @@ -553,6 +626,11 @@ int KRB5_CALLCONV read_service_key int KRB5_CALLCONV get_service_key (char *service, char *instance, char *realm, int *kvno, char *file, char *key); +#if TARGET_OS_MAC && defined(__FILES__) +int KRB5_CALLCONV FSp_read_service_key(char *, char *, char *, + int, const FSSpec*, char *); +#endif + /* realmofhost.c */ char * KRB5_CALLCONV krb_realmofhost (char *host); 
@@ -579,13 +657,15 @@ int KRB5_CALLCONV krb_save_credentials C_Block session, int lifetime, int kvno, KTEXT ticket, long issue_date); /* send_to_kdc.c */ +/* XXX PRIVATE? KfM doesn't export. */ int send_to_kdc (KTEXT pkt, KTEXT rpkt, char *realm); /* tkt_string.c */ -char * tkt_string +/* Used to return pointer to non-const char */ +const char * KRB5_CALLCONV tkt_string (void); -void krb_set_tkt_string +void KRB5_CALLCONV krb_set_tkt_string (char *); /* tf_util.c */ @@ -608,7 +688,9 @@ unsigned KRB4_32 KRB5_CALLCONV unix_time_gmt_unixsec */ extern int krb_set_key (char *key, int cvt); -extern int decomp_ticket + +/* This is exported by KfM. It was previously not KRB5_CALLCONV. */ +extern int KRB5_CALLCONV decomp_ticket (KTEXT tkt, unsigned char *flags, char *pname, char *pinstance, char *prealm, unsigned KRB4_32 *paddress, C_Block session, int *life, unsigned KRB4_32 *time_sec, 
@@ -646,23 +728,38 @@ extern int krb_set_key_krb5(krb5_context ctx, krb5_keyblock *key); #endif #if TARGET_OS_MAC -/* The following functions are not part of the standard Kerberos v4 API. - * They were created for Mac implementation, and used by admin tools - * such as CNS-Config. */ +/* + * KfM krb.hin had the following, probably inherited from CNS: + * + * The following functions are not part of the standard Kerberos v4 + * API. They were created for Mac implementation, and used by admin + * tools such as CNS-Config. + */ extern int KRB5_CALLCONV krb_get_num_cred(void); -extern int INTERFACE +extern int KRB5_CALLCONV krb_get_nth_cred(char *, char *, char *, int); -extern int INTERFACE +extern int KRB5_CALLCONV krb_delete_cred(char *, char *,char *); -extern int INTERFACE +extern int KRB5_CALLCONV dest_all_tkts(void); #endif /* TARGET_OS_MAC */ +/* + * krb_change_password -- merged from KfM + */ +/* change_password.c */ +int KRB5_CALLCONV krb_change_password(char *, char *, char *, char *, char *); + +/* + * RealmConfig-glue.c from KfM XXX to be merged + */ +extern int KRB5_CALLCONV krb_get_profile(profile_t *profile); + #ifdef _WINDOWS HINSTANCE get_lib_instance(void); unsigned int krb_get_notification_message(void); @@ -672,8 +769,14 @@ unsigned KRB4_32 win_time_gmt_unixsec(unsigned KRB4_32 *); long win_time_get_epoch(void); #endif -#ifdef __cplusplus -} +#if TARGET_OS_MAC +# if defined(__MWERKS__) +# pragma enumsalwaysint reset +# pragma import reset +# endif +# pragma options align=reset #endif +KRBINT_END_DECLS + #endif /* KRB_DEFS */ diff --git a/src/include/kerberosIV/krb_conf.h b/src/include/kerberosIV/krb_conf.h deleted file mode 100644 index 3edeaf941..000000000 --- a/src/include/kerberosIV/krb_conf.h +++ /dev/null 
@@ -1,46 +0,0 @@
-/*
- * include/kerberosIV/krb_conf.h
- *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * This file contains configuration information for the Kerberos library
- * which is machine specific; currently, this file contains
- * configuration information for the vax, the "ibm032" (RT), and the
- * "PC8086" (IBM PC).
- *
- * Note: cross-compiled targets must appear BEFORE their corresponding
- * cross-compiler host. Otherwise, both will be defined when running
- * the native compiler on the programs that construct cross-compiled
- * sources.
- */
-
-#ifndef KRB_CONF_DEFS
-#define KRB_CONF_DEFS
-
-/* Byte ordering */
-extern int krbONE;
-#define HOST_BYTE_ORDER (* (char *) &krbONE)
-#define MSB_FIRST 0 /* 68000, IBM RT/PC */
-#define LSB_FIRST 1 /* Vax, PC8086 */
-
-#endif /* KRB_CONF_DEFS */
diff --git a/src/include/kerberosIV/passwd_server.h b/src/include/kerberosIV/passwd_server.h
deleted file mode 100644
index e0a32c54c..000000000
--- a/src/include/kerberosIV/passwd_server.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * include/kerberosIV/passwd_server.h
- *
- * Copyright 1987, 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Include file for password server
- */
-
-#ifndef PASSWD_SERVER_DEFS
-#define PASSWD_SERVER_DEFS
-
-#define PW_SRV_VERSION 2 /* version number */
-#define RETRY_LIMIT 1
-#define TIME_OUT 30
-#define USER_TIMEOUT 90
-#define MAX_KPW_LEN 40 /* hey, seems like a good number */
-
-#define INSTALL_NEW_PW (1<<0) /*
- * ver, cmd, name, password, old_pass,
- * crypt_pass, uid
- */
-
-#define INSTALL_REPLY (1<<1) /* ver, cmd, name, password */
-
-#endif /* PASSWD_SERVER_DEFS */
diff --git a/src/include/kerberosIV/principal.h b/src/include/kerberosIV/principal.h
deleted file mode 100644
index 2960870be..000000000
--- a/src/include/kerberosIV/principal.h
+++ /dev/null
@@ -1,35 +0,0 @@ -/* - * include/kerberosIV/principal.h - * - * Copyright 1988, 1994 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Definitions for principal names. - */ - -#ifndef PRINCIPAL_DEFS -#define PRINCIPAL_DEFS - -#define NAME_LEN 39 -#define INSTANCE_LEN 39 - -#endif /* PRINCIPAL_DEFS */ diff --git a/src/include/kerberosIV/prot.h b/src/include/kerberosIV/prot.h index aec6546cf..3c1b530e0 100644 --- a/src/include/kerberosIV/prot.h +++ b/src/include/kerberosIV/prot.h @@ -27,8 +27,6 @@ * encoding and decoding. */ -#include - #ifndef PROT_DEFS #define PROT_DEFS 
@@ -100,20 +98,22 @@ * that is a moving pointer of type (unsigned char *) into the buffer, * and assume that the caller has already bounds-checked. */ -#define KRB4_PUT32BE(p, val) \ -do { \ - *(p)++ = ((unsigned KRB4_32)(val) >> 24) & 0xff; \ - *(p)++ = ((unsigned KRB4_32)(val) >> 16) & 0xff; \ - *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff; \ - *(p)++ = (unsigned KRB4_32)(val) & 0xff; \ +#define KRB4_PUT32BE(p, val) \ +do { \ + (p)[0] = ((KRB_UINT32)(val) >> 24) & 0xff; \ + (p)[1] = ((KRB_UINT32)(val) >> 16) & 0xff; \ + (p)[2] = ((KRB_UINT32)(val) >> 8) & 0xff; \ + (p)[3] = (KRB_UINT32)(val) & 0xff; \ + (p) += 4; \ } while (0) -#define KRB4_PUT32LE(p, val) \ -do { \ - *(p)++ = (unsigned KRB4_32)(val) & 0xff; \ - *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff; \ - *(p)++ = ((unsigned KRB4_32)(val) >> 16) & 0xff; \ - *(p)++ = ((unsigned KRB4_32)(val) >> 24) & 0xff; \ +#define KRB4_PUT32LE(p, val) \ +do { \ + (p)[0] = (KRB_UINT32)(val) & 0xff; \ + (p)[1] = ((KRB_UINT32)(val) >> 8) & 0xff; \ + (p)[2] = ((KRB_UINT32)(val) >> 16) & 0xff; \ + (p)[3] = ((KRB_UINT32)(val) >> 24) & 0xff; \ + (p) += 4; \ } while (0) #define KRB4_PUT32(p, val, le) \ @@ -124,16 +124,18 @@ do { \ KRB4_PUT32BE((p), (val)); \ } while (0) -#define KRB4_PUT16BE(p, val) \ -do { \ - *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff; \ - *(p)++ = (unsigned KRB4_32)(val) & 0xff; \ +#define KRB4_PUT16BE(p, val) \ +do { \ + (p)[0] = ((KRB_UINT32)(val) >> 8) & 0xff; \ + (p)[1] = (KRB_UINT32)(val) & 0xff; \ + (p) += 2; \ } while (0) -#define KRB4_PUT16LE(p, val) \ -do { \ - *(p)++ = (unsigned KRB4_32)(val) & 0xff; \ - *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff; \ +#define KRB4_PUT16LE(p, val) \ +do { \ + (p)[0] = (KRB_UINT32)(val) & 0xff; \ + (p)[1] = ((KRB_UINT32)(val) >> 8) & 0xff; \ + (p) += 2; \ } while (0) #define KRB4_PUT16(p, val, le) \ 
@@ -154,18 +156,20 @@ do { \ */ #define KRB4_GET32BE(val, p) \ do { \ - (val) = (unsigned KRB4_32)*(p)++ << 24; \ - (val) |= (unsigned KRB4_32)*(p)++ << 16; \ - (val) |= (unsigned KRB4_32)*(p)++ << 8; \ - (val) |= (unsigned KRB4_32)*(p)++; \ + (val) = (KRB_UINT32)(p)[0] << 24; \ + (val) |= (KRB_UINT32)(p)[1] << 16; \ + (val) |= (KRB_UINT32)(p)[2] << 8; \ + (val) |= (KRB_UINT32)(p)[3]; \ + (p) += 4; \ } while (0) #define KRB4_GET32LE(val, p) \ do { \ - (val) = (unsigned KRB4_32)*(p)++; \ - (val) |= (unsigned KRB4_32)*(p)++ << 8; \ - (val) |= (unsigned KRB4_32)*(p)++ << 16; \ - (val) |= (unsigned KRB4_32)*(p)++ << 24; \ + (val) = (KRB_UINT32)(p)[0]; \ + (val) |= (KRB_UINT32)(p)[1] << 8; \ + (val) |= (KRB_UINT32)(p)[2] << 16; \ + (val) |= (KRB_UINT32)(p)[3] << 24; \ + (p) += 4; \ } while(0) #define KRB4_GET32(val, p, le) \ @@ -178,14 +182,16 @@ do { \ #define KRB4_GET16BE(val, p) \ do { \ - (val) = (unsigned KRB4_32)*(p)++ << 8; \ - (val) |= (unsigned KRB4_32)*(p)++; \ + (val) = (KRB_UINT32)(p)[0] << 8; \ + (val) |= (KRB_UINT32)(p)[1]; \ + (p) += 2; \ } while (0) #define KRB4_GET16LE(val, p) \ do { \ - (val) = (unsigned KRB4_32)*(p)++; \ - (val) |= (unsigned KRB4_32)*(p)++ << 8; \ + (val) = (KRB_UINT32)(p)[0]; \ + (val) |= (KRB_UINT32)(p)[1] << 8; \ + (p) += 2; \ } while (0) #define KRB4_GET16(val, p, le) \ diff --git a/src/include/port-sockets.h b/src/include/port-sockets.h index 1b9be3ee1..e23ac1a3f 100644 --- a/src/include/port-sockets.h +++ b/src/include/port-sockets.h @@ -26,6 +26,9 @@ typedef WSABUF sg_buf; #define SOCKET_NFDS(f) (0) /* select()'s first arg is ignored */ #define SOCKET_READ(fd, b, l) (recv(fd, b, l, 0)) #define SOCKET_WRITE(fd, b, l) (send(fd, b, l, 0)) +#define SOCKET_CONNECT connect /* XXX */ +#define SOCKET_GETSOCKNAME getsockname /* XXX */ +#define SOCKET_CLOSE close /* XXX */ #define SOCKET_EINTR WSAEINTR /* Return -1 for error or number of bytes written. 
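Review bot: The rewritten GET macros widen each byte with a bare `(KRB_UINT32)(p)[i]` cast, so a caller that passes a plain `char *` on a platform where `char` is signed gets sign extension for any byte of 0x80 or above, and the following `|=` then corrupts the higher bytes of `val`. The comment on the PUT macros says `p` is an `unsigned char *`, but nothing in the macro enforces that. Masking each byte makes the decode independent of the pointer type, for example `(val) |= ((KRB_UINT32)(p)[1] & 0xff) << 16;`. This applies to KRB4_GET32BE and KRB4_GET32LE in this hunk and to KRB4_GET16BE and KRB4_GET16LE in the next one; the comment block above these macros starts outside the hunk.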
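Review bot: `#define SOCKET_CLOSE close /* XXX */` is added in the Winsock branch of port-sockets.h (the neighbouring macros use `recv`, `send` and `WSAEINTR`), where a socket handle is not a C runtime file descriptor and `close()` does not release it. Code ported through this macro would leak the socket on every connection and could close an unrelated descriptor that happens to have the same number. Use `#define SOCKET_CLOSE closesocket` here. If the `/* XXX */` on `SOCKET_CONNECT` and `SOCKET_GETSOCKNAME` marks a known difference in error reporting on Windows, say so in the comment. The enclosing platform `#if` starts outside the hunk.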
@@ -119,6 +122,9 @@ typedef struct iovec sg_buf; #define SOCKET_NFDS(f) ((f)+1) /* select() arg for a single fd */ #define SOCKET_READ read #define SOCKET_WRITE write +#define SOCKET_CONNECT connect +#define SOCKET_GETSOCKNAME getsockname +#define SOCKET_CLOSE close #define SOCKET_EINTR EINTR #define SOCKET_WRITEV_TEMP int /* Use TMP to avoid compiler warnings and keep things consistent with diff --git a/src/kadmin/v4server/ChangeLog b/src/kadmin/v4server/ChangeLog index 256c60f3b..cdae96991 100644 --- a/src/kadmin/v4server/ChangeLog +++ b/src/kadmin/v4server/ChangeLog @@ -1,3 +1,15 @@ +2002-11-26 Tom Yu + + * Makefile.in (OBJS): Remove kadm_stream.o and kadm_err.o. Also, + remove references to kadm_err.et. + + * kadm_err.et: Remove. It lives in lib/krb4 now. + + * kadm_server.h: Remove some prototypes that were moved to + kadm.h. + + * kadm_stream.c: Remove. It lives in lib/krb4 now. + 2002-11-01 Tom Yu * kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002 diff --git a/src/kadmin/v4server/Makefile.in b/src/kadmin/v4server/Makefile.in index 0260d4ee7..e6120d102 100644 --- a/src/kadmin/v4server/Makefile.in +++ b/src/kadmin/v4server/Makefile.in @@ -13,14 +13,10 @@ LOCALINCLUDES = $(KRB4_INCLUDES) -I. -I$(srcdir) PROG = kadmind4 OBJS = kadm_server.o admin_server.o kadm_ser_wrap.o \ - kadm_funcs.o kadm_stream.o kadm_supp.o acl_files.o kadm_err.o + kadm_funcs.o kadm_supp.o acl_files.o all:: $(PROG) -kadm_err.c kadm_err.h: kadm_err.et - -$(OBJS): kadm_err.h - $(PROG): $(OBJS) $(KADMCLNT_DEPLIBS) $(KDB5_DEPLIBS) $(KRB4COMPAT_DEPLIBS) $(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(KDB5_LIBS) \ $(KRB4COMPAT_LIBS) $(HESIOD_LIBS) diff --git a/src/kadmin/v4server/kadm_server.h b/src/kadmin/v4server/kadm_server.h index 45007b4ac..6578716d0 100644 --- a/src/kadmin/v4server/kadm_server.h +++ b/src/kadmin/v4server/kadm_server.h 
@@ -94,18 +94,6 @@ void prin_vals(Kadm_vals *); void kadm_prin_to_vals(u_char *, Kadm_vals *, Principal *); void kadm_vals_to_prin(u_char *, Principal *, Kadm_vals *); -/* kadm_stream.c */ -int stv_char(u_char *, u_char *, int, int); -int stv_short(u_char *, u_short *, int, int); -int stv_long(u_char *, krb5_ui_4 *, int, int); -int stv_string(u_char *, char *, int, int, int); -int stream_to_vals(u_char *, Kadm_vals *, int); -int vals_to_stream(Kadm_vals *, u_char **); -int vts_string(char *, u_char **, int); -int vts_short(u_short, u_char **, int); -int vts_long(krb5_ui_4, u_char **, int); -int vts_char(u_char, u_char **, int); - /* acl_files.c */ int acl_add(char *, char *); int acl_delete(char *, char *); diff --git a/src/kadmin/v4server/kadm_stream.c b/src/kadmin/v4server/kadm_stream.c deleted file mode 100644 index d2a3cdb39..000000000 --- a/src/kadmin/v4server/kadm_stream.c +++ /dev/null 
@@ -1,298 +0,0 @@ -/* - * kadmin/v4server/kadm_stream.c - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Stream conversion functions for Kerberos administration server - */ - - -#include -#include -#include "k5-int.h" - -#ifdef HAVE_STDLIB_H -#include -#else -extern char *malloc(), *calloc(), *realloc(); -#endif - -static int check_field_header(u_char *, u_char *, int); -static int build_field_header(u_char *, u_char **); - - -/* - kadm_stream.c - this holds the stream support routines for the kerberos administration server - - vals_to_stream: converts a vals struct to a stream for transmission - internals build_field_header, vts_[string, char, long, short] - stream_to_vals: converts a stream to a vals struct - internals check_field_header, stv_[string, char, long, short] - error: prints out a kadm error message, returns - fatal: prints out a kadm fatal error message, exits -*/ - -#include "kadm.h" -#include "kadm_server.h" - -#define min(a,b) (((a) < (b)) ? 
(a) : (b)) - -/* -vals_to_stream - recieves : kadm_vals *, u_char * - returns : a realloced and filled in u_char * - -this function creates a byte-stream representation of the kadm_vals structure -*/ -int -vals_to_stream(dt_in, dt_out) -Kadm_vals *dt_in; -u_char **dt_out; -{ - int vsloop, stsize; /* loop counter, stream size */ - - stsize = build_field_header(dt_in->fields, dt_out); - for (vsloop=31; vsloop>=0; vsloop--) - if (IS_FIELD(vsloop,dt_in->fields)) { - switch (vsloop) { - case KADM_NAME: - stsize+=vts_string(dt_in->name, dt_out, stsize); - break; - case KADM_INST: - stsize+=vts_string(dt_in->instance, dt_out, stsize); - break; - case KADM_EXPDATE: - stsize+=vts_long(dt_in->exp_date, dt_out, stsize); - break; - case KADM_ATTR: - stsize+=vts_short(dt_in->attributes, dt_out, stsize); - break; - case KADM_MAXLIFE: - stsize+=vts_char(dt_in->max_life, dt_out, stsize); - break; - case KADM_DESKEY: - stsize+=vts_long(dt_in->key_high, dt_out, stsize); - stsize+=vts_long(dt_in->key_low, dt_out, stsize); - break; - default: - break; - } -} - return(stsize); -} - -static int -build_field_header(cont, st) -u_char *cont; /* container for fields data */ -u_char **st; /* stream */ -{ - *st = (u_char *) malloc (4); - memcpy((char *) *st, (char *) cont, 4); - return 4; /* return pointer to current stream location */ -} - -int -vts_string(dat, st, loc) -char *dat; /* a string to put on the stream */ -u_char **st; /* base pointer to the stream */ -int loc; /* offset into the stream for current data */ -{ - *st = (u_char *) realloc ((char *)*st, (unsigned) (loc + strlen(dat) + 1)); - memcpy((char *)(*st + loc), dat, strlen(dat)+1); - return strlen(dat)+1; -} - -int -vts_short(dat, st, loc) -u_short dat; /* the attributes field */ -u_char **st; /* a base pointer to the stream */ -int loc; /* offset into the stream for current data */ -{ - u_short temp; /* to hold the net order short */ - - temp = htons(dat); /* convert to network order */ - *st = (u_char *) realloc ((char 
*)*st, (unsigned)(loc + sizeof(u_short))); - memcpy((char *)(*st + loc), (char *) &temp, sizeof(u_short)); - return sizeof(u_short); -} - -int -vts_long(dat, st, loc) -krb5_ui_4 dat; /* the attributes field */ -u_char **st; /* a base pointer to the stream */ -int loc; /* offset into the stream for current data */ -{ - krb5_ui_4 temp; /* to hold the net order short */ - - temp = htonl(dat); /* convert to network order */ - *st = (u_char *) realloc ((char *)*st, (unsigned)(loc + sizeof(krb5_ui_4))); - memcpy((char *)(*st + loc), (char *) &temp, sizeof(krb5_ui_4)); - return sizeof(krb5_ui_4); -} - - -int -vts_char(dat, st, loc) -u_char dat; /* the attributes field */ -u_char **st; /* a base pointer to the stream */ -int loc; /* offset into the stream for current data */ -{ - *st = (u_char *) realloc ((char *)*st, (unsigned)(loc + sizeof(u_char))); - (*st)[loc] = (u_char) dat; - return 1; -} - -/* -stream_to_vals - recieves : u_char *, kadm_vals * - returns : a kadm_vals filled in according to u_char * - -this decodes a byte stream represntation of a vals struct into kadm_vals -*/ -int -stream_to_vals(dt_in, dt_out, maxlen) -u_char *dt_in; -Kadm_vals *dt_out; -int maxlen; /* max length to use */ -{ - register int vsloop, stsize; /* loop counter, stream size */ - register int status; - krb5_ui_4 l_trans; - - memset((char *) dt_out, 0, sizeof(*dt_out)); - - stsize = check_field_header(dt_in, dt_out->fields, maxlen); - if (stsize < 0) - return(-1); - for (vsloop=31; vsloop>=0; vsloop--) - if (IS_FIELD(vsloop,dt_out->fields)) - switch (vsloop) { - case KADM_NAME: - if ((status = stv_string(dt_in, dt_out->name, stsize, - sizeof(dt_out->name), maxlen)) < 0) - return(-1); - stsize += status; - break; - case KADM_INST: - if ((status = stv_string(dt_in, dt_out->instance, stsize, - sizeof(dt_out->instance), maxlen)) < 0) - return(-1); - stsize += status; - break; - case KADM_EXPDATE: - if ((status = stv_long(dt_in, &l_trans, stsize, - maxlen)) < 0) - return(-1); - 
dt_out->exp_date = l_trans; - stsize += status; - break; - case KADM_ATTR: - if ((status = stv_short(dt_in, &dt_out->attributes, stsize, - maxlen)) < 0) - return(-1); - stsize += status; - break; - case KADM_MAXLIFE: - if ((status = stv_char(dt_in, &dt_out->max_life, stsize, - maxlen)) < 0) - return(-1); - stsize += status; - break; - case KADM_DESKEY: - if ((status = stv_long(dt_in, &l_trans, stsize, - maxlen)) < 0) - return(-1); - dt_out->key_high = l_trans; - stsize += status; - if ((status = stv_long(dt_in, &l_trans, stsize, - maxlen)) < 0) - return(-1); - dt_out->key_low = l_trans; - stsize += status; - break; - default: - break; - } - return stsize; -} - -static int -check_field_header(st, cont, maxlen) -u_char *st; /* stream */ -u_char *cont; /* container for fields data */ -int maxlen; -{ - if (4 > maxlen) - return(-1); - memcpy((char *) cont, (char *) st, 4); - return 4; /* return pointer to current stream location */ -} - -int -stv_string(st, dat, loc, stlen, maxlen) -register u_char *st; /* base pointer to the stream */ -char *dat; /* a string to read from the stream */ -register int loc; /* offset into the stream for current data */ -int stlen; /* max length of string to copy in */ -int maxlen; /* max length of input stream */ -{ - int maxcount; /* max count of chars to copy */ - - maxcount = min(maxlen - loc, stlen); - - (void) strncpy(dat, (char *)st + loc, maxcount); - - if (dat[maxcount-1]) /* not null-term --> not enuf room */ - return(-1); - return strlen(dat)+1; -} - -int -stv_short(st, dat, loc, maxlen) -u_char *st; /* a base pointer to the stream */ -u_short *dat; /* the attributes field */ -int loc; /* offset into the stream for current data */ -int maxlen; -{ - u_short temp; /* to hold the net order short */ - - if (loc + sizeof(u_short) > maxlen) - return(-1); - memcpy((char *) &temp, (char *) st+ loc, sizeof(u_short)); - *dat = ntohs(temp); /* convert to network order */ - return sizeof(u_short); -} - -int -stv_long(st, dat, loc, maxlen) 
-u_char *st; /* a base pointer to the stream */ -krb5_ui_4 *dat; /* the attributes field */ -int loc; /* offset into the stream for current data */ -int maxlen; /* maximum length of st */ -{ - krb5_ui_4 temp; /* to hold the net order short */ - - if (loc + sizeof(krb5_ui_4) > maxlen) - return(-1); - memcpy((char *) &temp, (char *) st + loc, sizeof(krb5_ui_4)); - *dat = ntohl(temp); /* convert to network order */ - return sizeof(krb5_ui_4); -} - -int -stv_char(st, dat, loc, maxlen) -u_char *st; /* a base pointer to the stream */ -u_char *dat; /* the attributes field */ -int loc; /* offset into the stream for current data */ -int maxlen; -{ - if (loc + 1 > maxlen) - return(-1); - *dat = *(st + loc); - return 1; -} - diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index cb4376369..7978904ea 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,10 @@ +2002-11-26 Tom Yu + + * Makefile.in: Update dependencies. + + * kerberos_v4.c: Inline some stuff formerly in krb_conf.h until we + get a chance to fix it properly. + 2002-11-03 Tom Yu * do_as_req.c (process_as_req): Fix previous patch; it caused an diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index c597b6f29..077c2194a 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -165,8 +165,8 @@ $(OUTPRE)kerberos_v4.$(OBJEXT): kerberos_v4.c $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ $(BUILDTOP)/include/profile.h kdc_util.h $(SRCTOP)/include/krb5/adm_proto.h \ $(SRCTOP)/include/syslog.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/klog.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(SRCTOP)/include/kerberosIV/klog.h $(SRCTOP)/include/kerberosIV/prot.h \ $(SRCTOP)/include/kerberosIV/krb_db.h $(SRCTOP)/include/kerberosIV/kdc.h \ extern.h 
diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c index 2856d5fb6..d8a7ce452 100644 --- a/src/kdc/kerberos_v4.c +++ b/src/kdc/kerberos_v4.c @@ -79,6 +79,12 @@ char * v4_klog (int, const char *, ...); /* take this out when we don't need it anymore */ int krbONE = 1; +/* XXX inline former contents of krb_conf.h for now */ +/* Byte ordering */ +extern int krbONE; +#define HOST_BYTE_ORDER (* (char *) &krbONE) +#define MSB_FIRST 0 /* 68000, IBM RT/PC */ +#define LSB_FIRST 1 /* Vax, PC8086 */ int f; diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog index ecaba3b34..2287b6d9a 100644 --- a/src/lib/krb4/ChangeLog +++ b/src/lib/krb4/ChangeLog 
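Review bot: In the kerberos_v4.c hunk, the inlined block declares `extern int krbONE;` directly below the definition `int krbONE = 1;` in the same file, so the declaration is redundant and can be dropped. `HOST_BYTE_ORDER` reads the first byte of `krbONE` at run time, and a one-line comment such as `/* first byte of krbONE: 1 on little-endian hosts (LSB_FIRST), 0 on big-endian (MSB_FIRST) */` would spare the next reader from working that out. The lib/krb4 ChangeLog in this commit says prot_client.c and prot_kdc.c no longer reference `{LSB,MSB}_FIRST`, so it is worth checking whether this file still needs the three macros at all; their uses are outside the hunk.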
@@ -1,3 +1,61 @@ +2002-11-26 Tom Yu + + * Makefile.in (OBJS, SRCS): Add change_password.c, kadm_err.c, + kadm_net.c, kadm_stream.c. Remove one.c. + Also, add com_err support for kadm_err.et. Update dependencies. + + * change_password.c: New file. + + * configure.in: Remove checks for BITS16, BITS32, MSBFIRST, and + LSBFIRST. + + * g_in_tkt.c (krb_mk_in_tkt_preauth): Update to optionally return + local address -- not yet fully implemented. + (krb_parse_in_tkt_creds): Renamed from krb_parse_in_tkt(). Now + fills in a CREDENTIALS instead of storing into a ticket file. + (krb_get_in_tkt_preauth_creds): Renamed from + krb_get_in_tkt_preauth(). Now fills in a CREDENTIALS instead of + storing into a ticket file. + (krb_get_in_tkt_creds): Port from KfM. + (krb_get_in_tkt_preauth): Reimplement in terms of + krb_get_in_tkt_creds_preauth(). + + * g_pw_in_tkt.c (krb_get_pw_in_tkt_creds): Port from KfM. + + * kadm_err.et: + * kadm_net.c: + * kadm_stream.c: New files to implement password changing, ported + from KfM. + + * mk_req.c (krb_mk_req_creds_prealm): New internal function -- + similar to krb_mk_req_creds() but takes the client's realm, since + it's needed for forming a correct request but is not present in a + CREDENTIALS. + (krb_mk_req): Reimplement in terms of krb_mk_req_creds_prealm(). + Move the logic for acquiring credentials and determining client's + realm here. + (krb_mk_req_creds): Port from KfM. + (krb_set_lifetime): Make KRB5_CALLCONV now. + + * one.c: Remove. + + * password_to_key.c: New file, ported from KfM. Will eventually + implement some string-to-key stuff. + + * prot_client.c: Eliminate references to {LSB,MSB}_FIRST. + + * prot_kdc.c: Eliminate references to {LSB,MSB}_FIRST. + + * rd_req.c (krb_rd_req_with_key): New internal function -- can + take a key schedule or a krb5_keyblock and use one of those to + decrypt the ticket. + (krb_rd_req_int): Ported from KfM. Calls into + krb_rd_req_with_key(). 
+ (krb_rd_req): Reimplement in terms of krb_rd_req_with_key(). Copy + some of the realm and kvno reading logic here. + + * tkt_string.c: Returns pointer to const now. + 2002-08-29 Ken Raeburn * Makefile.in: Revert $(S)=>/ change, for Windows support. diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in index 98da61abb..26870a9fa 100644 --- a/src/lib/krb4/Makefile.in +++ b/src/lib/krb4/Makefile.in @@ -30,6 +30,7 @@ SHLIB_RDIRS=$(KRB5_LIBDIR) EHDRDIR=$(BUILDTOP)$(S)include$(S)kerberosIV OBJS = \ + $(OUTPRE)change_password.$(OBJEXT) \ $(OUTPRE)cr_auth_repl.$(OBJEXT) \ $(OUTPRE)cr_ciph.$(OBJEXT) \ $(OUTPRE)cr_tkt.$(OBJEXT) \ @@ -44,6 +45,9 @@ OBJS = \ $(OUTPRE)g_tkt_svc.$(OBJEXT) \ $(OUTPRE)gethostname.$(OBJEXT) \ $(OUTPRE)getst.$(OBJEXT) \ + $(OUTPRE)kadm_err.$(OBJEXT) \ + $(OUTPRE)kadm_net.$(OBJEXT) \ + $(OUTPRE)kadm_stream.$(OBJEXT) \ $(OUTPRE)kname_parse.$(OBJEXT) \ $(OUTPRE)lifetime.$(OBJEXT) \ $(OUTPRE)mk_auth.$(OBJEXT) \ @@ -52,7 +56,6 @@ OBJS = \ $(OUTPRE)mk_req.$(OBJEXT) \ $(OUTPRE)mk_safe.$(OBJEXT) \ $(OUTPRE)month_sname.$(OBJEXT) \ - $(OUTPRE)one.$(OBJEXT) \ $(OUTPRE)prot_client.$(OBJEXT) \ $(OUTPRE)prot_common.$(OBJEXT) \ $(OUTPRE)prot_kdc.$(OBJEXT) \ @@ -70,6 +73,7 @@ OBJS = \ $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) SRCS = \ + $(srcdir)/change_password.c \ $(srcdir)/cr_auth_repl.c \ $(srcdir)/cr_ciph.c \ $(srcdir)/cr_tkt.c \ @@ -82,6 +86,8 @@ SRCS = \ $(srcdir)/g_tkt_svc.c \ $(srcdir)/getst.c \ $(srcdir)/gethostname.c \ + $(srcdir)/kadm_net.c \ + $(srcdir)/kadm_stream.c \ $(srcdir)/kname_parse.c \ $(srcdir)/err_txt.c \ $(srcdir)/lifetime.c \ @@ -92,7 +98,6 @@ SRCS = \ $(srcdir)/mk_req.c \ $(srcdir)/mk_safe.c \ $(srcdir)/month_sname.c \ - $(srcdir)/one.c \ $(srcdir)/pkt_cipher.c \ $(srcdir)/pkt_clen.c \ $(srcdir)/prot_client.c \ 
@@ -190,7 +195,7 @@ CODE=$(SRCS) Makefile.in krb_err.et # We want *library* compiler options... DBG=$(DBG_LIB) -all-unix:: krb_err.h includes all-liblinks +all-unix:: krb_err.h kadm_err.h includes all-liblinks ##DOS##LIBOBJS = $(OBJS) @@ -198,7 +203,10 @@ all-unix:: krb_err.h includes all-liblinks krb_err.h:: krb_err.et krb_err.c: krb_err.et -depend:: krb_err.h +kadm_err.h: kadm_err.et +kadm_err.c: kadm_err.et + +depend:: krb_err.h kadm_err.h depend:: $(CODE) includes:: krb_err.h @@ -208,8 +216,16 @@ includes:: krb_err.h $(CP) krb_err.h $(EHDRDIR)/krb_err.h) ; \ fi +includes:: kadm_err.h + if cmp kadm_err.h $(EHDRDIR)/kadm_err.h >/dev/null 2>&1; then :; \ + else \ + (set -x; $(RM) $(EHDRDIR)/kadm_err.h; \ + $(CP) kadm_err.h $(EHDRDIR)/kadm_err.h) ; \ + fi + clean-unix:: $(RM) $(EHDRDIR)/krb_err.h + $(RM) $(EHDRDIR)/kadm_err.h @@ -227,7 +243,10 @@ clean-:: clean-unix clean-unix:: -$(RM) krb_err.c -$(RM) krb_err.h + -$(RM) kadm_err.c + -$(RM) kadm_err.h -$(RM) ../../include/kerberosIV/krb_err.h + -$(RM) ../../include/kerberosIV/kadm_err.h clean-unix:: clean-liblinks clean-libs clean-libobjs 
@@ -243,222 +262,294 @@ install-unix:: install-libs # Makefile dependencies follow. This must be the last section in # the Makefile.in file # +change_password.so change_password.po $(OUTPRE)change_password.$(OBJEXT): change_password.c \ + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/kerberosIV/kadm.h \ + $(SRCTOP)/include/kerberosIV/prot.h cr_auth_repl.so cr_auth_repl.po $(OUTPRE)cr_auth_repl.$(OBJEXT): cr_auth_repl.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h cr_ciph.so cr_ciph.po $(OUTPRE)cr_ciph.$(OBJEXT): cr_ciph.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h cr_tkt.so cr_tkt.po $(OUTPRE)cr_tkt.$(OBJEXT): cr_tkt.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/krb.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h debug.so debug.po $(OUTPRE)debug.$(OBJEXT): debug.c $(SRCTOP)/include/kerberosIV/mit-copyright.h decomp_tkt.so decomp_tkt.po $(OUTPRE)decomp_tkt.$(OBJEXT): decomp_tkt.c 
$(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/krb.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/krb54proto.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h g_ad_tkt.so g_ad_tkt.po $(OUTPRE)g_ad_tkt.$(OBJEXT): g_ad_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h g_pw_in_tkt.so g_pw_in_tkt.po $(OUTPRE)g_pw_in_tkt.$(OBJEXT): g_pw_in_tkt.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h g_phost.so g_phost.po $(OUTPRE)g_phost.$(OBJEXT): g_phost.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(BUILDTOP)/include/krb5/autoconf.h g_pw_tkt.so g_pw_tkt.po $(OUTPRE)g_pw_tkt.$(OBJEXT): g_pw_tkt.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + 
$(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h g_tkt_svc.so g_tkt_svc.po $(OUTPRE)g_tkt_svc.$(OBJEXT): g_tkt_svc.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(BUILDTOP)/include/krb5/autoconf.h getst.so getst.po $(OUTPRE)getst.$(OBJEXT): getst.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h gethostname.so gethostname.po $(OUTPRE)gethostname.$(OBJEXT): gethostname.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h +kadm_net.so kadm_net.po $(OUTPRE)kadm_net.$(OBJEXT): kadm_net.c $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/kerberosIV/krb.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krbports.h \ + $(SRCTOP)/include/kerberosIV/kadm.h $(BUILDTOP)/include/kerberosIV/kadm_err.h \ + $(SRCTOP)/include/kerberosIV/prot.h +kadm_stream.so kadm_stream.po $(OUTPRE)kadm_stream.$(OBJEXT): kadm_stream.c $(SRCTOP)/include/kerberosIV/kadm.h \ + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kerberosIV/kadm_err.h \ + $(SRCTOP)/include/kerberosIV/prot.h kname_parse.so kname_parse.po 
$(OUTPRE)kname_parse.$(OBJEXT): kname_parse.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h lifetime.so lifetime.po $(OUTPRE)lifetime.$(OBJEXT): lifetime.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h g_in_tkt.so g_in_tkt.po $(OUTPRE)g_in_tkt.$(OBJEXT): g_in_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h mk_auth.so mk_auth.po $(OUTPRE)mk_auth.$(OBJEXT): mk_auth.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h mk_err.so mk_err.po $(OUTPRE)mk_err.$(OBJEXT): mk_err.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h 
mk_priv.so mk_priv.po $(OUTPRE)mk_priv.$(OBJEXT): mk_priv.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h mk_req.so mk_req.po $(OUTPRE)mk_req.$(OBJEXT): mk_req.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h krb4int.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + krb4int.h mk_safe.so mk_safe.po $(OUTPRE)mk_safe.$(OBJEXT): mk_safe.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h month_sname.so month_sname.po $(OUTPRE)month_sname.$(OBJEXT): month_sname.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h krb4int.h -one.so one.po 
$(OUTPRE)one.$(OBJEXT): one.c + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h pkt_cipher.so pkt_cipher.po $(OUTPRE)pkt_cipher.$(OBJEXT): pkt_cipher.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h pkt_clen.so pkt_clen.po $(OUTPRE)pkt_clen.$(OBJEXT): pkt_clen.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h prot_client.so prot_client.po $(OUTPRE)prot_client.$(OBJEXT): prot_client.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h prot_common.so prot_common.po $(OUTPRE)prot_common.$(OBJEXT): prot_common.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h prot_kdc.so prot_kdc.po $(OUTPRE)prot_kdc.$(OBJEXT): prot_kdc.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/port-sockets.h \ - 
$(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h rd_err.so rd_err.po $(OUTPRE)rd_err.$(OBJEXT): rd_err.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h rd_priv.so rd_priv.po $(OUTPRE)rd_priv.$(OBJEXT): rd_priv.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): rd_safe.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ + 
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h send_to_kdc.so send_to_kdc.po $(OUTPRE)send_to_kdc.$(OBJEXT): send_to_kdc.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krbports.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krbports.h \ + $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ $(BUILDTOP)/include/krb5/autoconf.h stime.so stime.po $(OUTPRE)stime.$(OBJEXT): stime.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h strnlen.so strnlen.po $(OUTPRE)strnlen.$(OBJEXT): strnlen.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h rd_preauth.so rd_preauth.po $(OUTPRE)rd_preauth.$(OBJEXT): rd_preauth.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb_db.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h \ - krb4int.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krb_db.h \ + $(SRCTOP)/include/kerberosIV/prot.h krb4int.h mk_preauth.so mk_preauth.po $(OUTPRE)mk_preauth.$(OBJEXT): mk_preauth.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + 
$(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): unix_time.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): unix_time.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h tf_util.so tf_util.po $(OUTPRE)tf_util.$(OBJEXT): tf_util.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h krb4int.h + krb4int.h dest_tkt.so dest_tkt.po $(OUTPRE)dest_tkt.$(OBJEXT): dest_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h in_tkt.so in_tkt.po $(OUTPRE)in_tkt.$(OBJEXT): in_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h -tkt_string.so tkt_string.po $(OUTPRE)tkt_string.$(OBJEXT): tkt_string.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + 
$(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h +tkt_string.so tkt_string.po $(OUTPRE)tkt_string.$(OBJEXT): tkt_string.c $(SRCTOP)/include/kerberosIV/krb.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h g_tf_fname.so g_tf_fname.po $(OUTPRE)g_tf_fname.$(OBJEXT): g_tf_fname.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h g_tf_realm.so g_tf_realm.po $(OUTPRE)g_tf_realm.$(OBJEXT): g_tf_realm.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h g_cred.so g_cred.po $(OUTPRE)g_cred.$(OBJEXT): g_cred.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h save_creds.so save_creds.po $(OUTPRE)save_creds.$(OBJEXT): save_creds.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h unix_glue.so unix_glue.po $(OUTPRE)unix_glue.$(OBJEXT): unix_glue.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h krb4int.h + $(SRCTOP)/include/kerberosIV/des.h 
$(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h klog.so klog.po $(OUTPRE)klog.$(OBJEXT): klog.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/kerberosIV/klog.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/kerberosIV/klog.h kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): kuserok.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h log.so log.po $(OUTPRE)log.$(OBJEXT): log.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/kerberosIV/klog.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/kerberosIV/klog.h kntoln.so kntoln.po $(OUTPRE)kntoln.$(OBJEXT): kntoln.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h fgetst.so fgetst.po $(OUTPRE)fgetst.$(OBJEXT): fgetst.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h rd_svc_key.so rd_svc_key.po $(OUTPRE)rd_svc_key.$(OBJEXT): rd_svc_key.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h 
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/k5-int.h \ + $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ + $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/kerberosIV/prot.h cr_err_repl.so cr_err_repl.po $(OUTPRE)cr_err_repl.$(OBJEXT): cr_err_repl.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h rd_req.so rd_req.po $(OUTPRE)rd_req.$(OBJEXT): rd_req.c $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/krb54proto.h + $(SRCTOP)/include/kerberosIV/krb.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/krb54proto.h g_svc_in_tkt.so g_svc_in_tkt.po $(OUTPRE)g_svc_in_tkt.$(OBJEXT): g_svc_in_tkt.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h \ + 
$(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ krb4int.h recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): recvauth.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h krb_err.so krb_err.po $(OUTPRE)krb_err.$(OBJEXT): krb_err.c $(COM_ERR_DEPS) ad_print.so ad_print.po $(OUTPRE)ad_print.$(OBJEXT): ad_print.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h cr_death_pkt.so cr_death_pkt.po $(OUTPRE)cr_death_pkt.$(OBJEXT): cr_death_pkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h kparse.so kparse.po $(OUTPRE)kparse.$(OBJEXT): kparse.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/kparse.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/kparse.h put_svc_key.so put_svc_key.po $(OUTPRE)put_svc_key.$(OBJEXT): put_svc_key.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h krb4int.h + 
$(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): sendauth.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h netread.so netread.po $(OUTPRE)netread.$(OBJEXT): netread.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h netwrite.so netwrite.po $(OUTPRE)netwrite.$(OBJEXT): netwrite.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h g_cnffile.so g_cnffile.po $(OUTPRE)g_cnffile.$(OBJEXT): g_cnffile.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h 
$(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h krb4int.h + krb4int.h g_krbhst.so g_krbhst.po $(OUTPRE)g_krbhst.$(OBJEXT): g_krbhst.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h g_krbrlm.so g_krbrlm.po $(OUTPRE)g_krbrlm.$(OBJEXT): g_krbrlm.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h g_admhst.so g_admhst.po $(OUTPRE)g_admhst.$(OBJEXT): g_admhst.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h realmofhost.so realmofhost.po $(OUTPRE)realmofhost.$(OBJEXT): realmofhost.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h krb4int.h diff --git a/src/lib/krb4/change_password.c b/src/lib/krb4/change_password.c new file mode 100644 index 000000000..8bceec28d --- /dev/null +++ b/src/lib/krb4/change_password.c 
@@ -0,0 +1,138 @@ +/* + * g_pw_in_tkt.c + * + * Copyright 1987, 1988, 2002 by the Massachusetts Institute of + * Technology. All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include +#include +#include + +#if TARGET_OS_MAC /* XXX */ +#include +#endif +#include "krb.h" +#include "krb4int.h" +#include "kadm.h" +#include "prot.h" + +/* + * krb_change_password(): This disgusting function handles changing passwords + * in a krb4-only environment. + * -1783126240 + * THIS IS NOT A NORMAL KRB4 API FUNCTION! DON'T USE IN PORTABLE CODE! 
+ */ + +int KRB5_CALLCONV +krb_change_password(char *principal, char *instance, char *realm, + char *oldPassword, char *newPassword) +{ + KRB_INT32 err; + des_cblock key; + KRB_UINT32 tempKey; + size_t sendSize; + u_char *sendStream; + size_t receiveSize; + u_char *receiveStream; + Kadm_Client client_parm; + u_char *p; + + err = 0; + /* + * Get tickets to change the old password and shove them in the + * client_parm + */ + err = krb_get_pw_in_tkt_creds(principal, instance, realm, + PWSERV_NAME, KADM_SINST, 1, + oldPassword, &client_parm.creds); + if (err != KSUCCESS) + goto cleanup; + +#if TARGET_OS_MAC + /* Now create the key to send to the server */ + switch (client_parm.creds.stk_type) { + case cc_v4_stk_des: + mit_passwd_to_key(principal, instance, realm, newPassword, key); + break; + case cc_v4_stk_afs: + afs_passwd_to_key(principal, instance, realm, newPassword, key); + break; + case cc_v4_stk_krb5: + krb5_passwd_to_key(principal, instance, realm, newPassword, key); + break; + default: + /* + * Okay, actually afs_string_to_key sites can't use this + * protocol to change passwords + */ + mit_passwd_to_key(principal, instance, realm, newPassword, key); + break; + } +#else + des_string_to_key(newPassword, key); /* XXX check this! */ +#endif + /* Create the link to the server */ + err = kadm_init_link(PWSERV_NAME, KRB_MASTER, realm, &client_parm, 1); + if (err != KADM_SUCCESS) + goto cleanup; + + /* Connect to the KDC */ + err = kadm_cli_conn(&client_parm); + if (err != KADM_SUCCESS) + goto cleanup; + + /* possible problem with vts_long on a non-multiple of four boundary */ + sendSize = 0; /* start of our output packet */ + sendStream = malloc(1); /* to make it reallocable */ + sendStream[sendSize++] = CHANGE_PW; + + /* change key to stream */ + /* This looks backwards but gets inverted on the server side. 
*/ + p = key + 4; + KRB4_GET32BE(tempKey, p); + sendSize += vts_long(tempKey, &sendStream, (int)sendSize); + p = key; + KRB4_GET32BE(tempKey, p); + sendSize += vts_long(tempKey, &sendStream, (int)sendSize); + + if (newPassword) { + sendSize += vts_string(newPassword, &sendStream, (int)sendSize); + } + + /* send the data to the kdc */ + err = kadm_cli_send(&client_parm, sendStream, sendSize, + &receiveStream, &receiveSize); + free(sendStream); + if (receiveSize > 0) + /* If there is a string from the kdc, free it - we don't care */ + free(receiveStream); + if (err != KADM_SUCCESS) + goto disconnect; + +disconnect: + /* Disconnect */ + kadm_cli_disconn(&client_parm); + +cleanup: + return err; +} diff --git a/src/lib/krb4/configure.in b/src/lib/krb4/configure.in index 874555ddf..0512949a5 100644 --- a/src/lib/krb4/configure.in +++ b/src/lib/krb4/configure.in @@ -10,33 +10,6 @@ dnl Could check for full stdc environment, but will only test dnl for stdlib.h AC_CHECK_HEADERS(stdlib.h) -AC_C_CROSS dnl pretty up output, eval this before AC_TRY_RUN -dnl need MSBFIRST, LSBFIRST, BITS16, BITS32 -AC_MSG_CHECKING([if system is msbfirst]) -AC_CACHE_VAL(krb5_cv_is_msbfirst, -[AC_TRY_RUN( -[#include -int main() -{ - int one = 1; - exit (*(char*) &one); /* MSBFIRST iff 1 */ -}], -krb5_cv_is_msbfirst=yes, krb5_cv_is_msbfirst=no -)])dnl fail on cross for now -AC_MSG_RESULT($krb5_cv_is_msbfirst) -if test $krb5_cv_is_msbfirst = yes; then - AC_DEFINE(MSBFIRST) -else - AC_DEFINE(LSBFIRST) -fi -dnl -dnl check int, set bits16/bits32 based on it -AC_CHECK_SIZEOF(int) -if test $ac_cv_sizeof_int = 2; then - AC_DEFINE(BITS16) -else - AC_DEFINE(BITS32) -fi AC_TYPE_MODE_T AC_TYPE_UID_T AC_DEFINE(KRB4_USE_KEYTAB) @@ -45,4 +18,3 @@ AC_PROG_AWK KRB5_BUILD_LIBOBJS KRB5_BUILD_LIBRARY_WITH_DEPS V5_AC_OUTPUT_MAKEFILE - diff --git a/src/lib/krb4/g_in_tkt.c b/src/lib/krb4/g_in_tkt.c index 16b19660d..43997a698 100644 --- a/src/lib/krb4/g_in_tkt.c +++ b/src/lib/krb4/g_in_tkt.c 
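Review bot: `receiveSize` and `receiveStream` are never initialised in krb_change_password(), so if `kadm_cli_send()` fails before writing them (its body is not in this hunk) the `if (receiveSize > 0) free(receiveStream);` test acts on indeterminate values. The result of `malloc(1)` is also dereferenced unchecked on the very next line. The DES key derived from the new password (`key`, `tempKey`) and the password-changing ticket and session key in `client_parm.creds` are left in memory on every exit path, whereas krb_get_in_tkt_preauth() in g_in_tkt.c clears its CREDENTIALS before returning; wiping them at `cleanup:` would match that. The `if (newPassword)` guard comes after `des_string_to_key(newPassword, key)` has already used the pointer, so a NULL check belongs at the top of the function instead.

```c
    size_t receiveSize = 0;          /* kadm_cli_send() may fail before setting these */
    u_char *receiveStream = NULL;
    /* ... unchanged: ticket acquisition, key derivation, kadm_init_link, kadm_cli_conn ... */
    sendStream = malloc(1);     /* to make it reallocable */
    if (sendStream == NULL) {
        err = KADM_NOMEM;
        goto disconnect;
    }
    /* ... unchanged: CHANGE_PW opcode, key and password marshalling, kadm_cli_send, frees, disconnect ... */
cleanup:
    /* Do not leave the new key or the changepw credentials on the stack. */
    memset(key, 0, sizeof(key));
    tempKey = 0;
    memset(&client_parm.creds, 0, sizeof(client_parm.creds));
    return err;
```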
@@ -44,13 +44,12 @@ typedef int (*decrypt_tkt_type) (char *, char *, char *, char *, key_proc_type, KTEXT *); #endif -static int -krb_mk_in_tkt_preauth(char *, char *, char *, char *, char *, - int, char *, int, KTEXT, int *); - -static int -krb_parse_in_tkt(char *, char *, char *, char *, char *, - int, KTEXT, int); +static int decrypt_tkt(char *, char *, char *, char *, key_proc_type, KTEXT *); +static int krb_mk_in_tkt_preauth(char *, char *, char *, char *, char *, + int, char *, int, KTEXT, int *, + struct sockaddr_in *); +static int krb_parse_in_tkt_creds(char *, char *, char *, char *, char *, + int, KTEXT, int, CREDENTIALS *); /* * decrypt_tkt(): Given user, instance, realm, passwd, key_proc @@ -135,7 +134,7 @@ decrypt_tkt(user, instance, realm, arg, key_proc, cipp) static int krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, - preauth_p, preauth_len, cip, byteorder) + preauth_p, preauth_len, cip, byteorder, local_addr) char *user; char *instance; char *realm; @@ -146,6 +145,7 @@ krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, int preauth_len; KTEXT cip; int *byteorder; + struct sockaddr_in *local_addr; { KTEXT_ST pkt_st; KTEXT pkt = &pkt_st; /* Packet to KDC */ @@ -213,7 +213,11 @@ krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, /* SEND THE REQUEST AND RECEIVE THE RETURN PACKET */ rpkt->length = 0; +#if 0 /* XXX */ + kerror = send_to_kdc_addr(pkt, rpkt, realm, local_addr); +#else kerror = send_to_kdc(pkt, rpkt, realm); +#endif if (kerror) return kerror; @@ -281,8 +285,8 @@ krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, } static int -krb_parse_in_tkt(user, instance, realm, service, sinstance, life, cip, - byteorder) +krb_parse_in_tkt_creds(user, instance, realm, service, sinstance, life, cip, + byteorder, creds) char *user; char *instance; char *realm; 
@@ -291,9 +295,9 @@ krb_parse_in_tkt(user, instance, realm, service, sinstance, life, cip, int life; KTEXT cip; int byteorder; + CREDENTIALS *creds; { unsigned char *ptr; - C_Block ses; /* Session key for tkt */ int len; int kvno; /* Kvno for session key */ char s_name[SNAME_SZ]; @@ -304,7 +308,6 @@ krb_parse_in_tkt(user, instance, realm, service, sinstance, life, cip, unsigned long kdc_time; /* KDC time */ unsigned KRB4_32 t_local; /* Must be 4 bytes long for memcpy below! */ KRB4_32 t_diff; /* Difference between timestamps */ - int kerror; int lifetime; ptr = cip->dat; @@ -368,24 +371,26 @@ krb_parse_in_tkt(user, instance, realm, service, sinstance, life, cip, return RD_AP_TIME; /* XXX should probably be better code */ } - /* initialize ticket cache */ - if (in_tkt(user,instance) != KSUCCESS) - return INTK_ERR; /* stash ticket, session key, etc. for future use */ - memcpy(ses, cip->dat, 8); - kerror = krb_save_credentials(s_name, s_instance, rlm, ses, - lifetime, kvno, - tkt, (KRB4_32)t_local); - memset(ses, 0, 8); - if (kerror) - return kerror; + strncpy(creds->service, s_name, sizeof(creds->service)); + strncpy(creds->instance, s_instance, sizeof(creds->instance)); + strncpy(creds->realm, rlm, sizeof(creds->realm)); + memmove(creds->session, cip->dat, sizeof(C_Block)); + creds->lifetime = lifetime; + creds->kvno = kvno; + creds->ticket_st.length = tkt->length; + memmove(creds->ticket_st.dat, tkt->dat, (size_t)tkt->length); + creds->issue_date = t_local; + strncpy(creds->pname, user, sizeof(creds->pname)); + strncpy(creds->pinst, instance, sizeof(creds->pinst)); return INTK_OK; } int -krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, - key_proc, decrypt_proc, arg, preauth_p, preauth_len) +krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life, + key_proc, decrypt_proc, + arg, preauth_p, preauth_len, creds) char *user; char *instance; char *realm; 
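Review bot: The five `strncpy()` calls that fill `creds` in the -368 hunk bound the copy with `sizeof` but never terminate the destination, so a source string that fills the field leaves `creds->pname`, `creds->pinst` and the others without a NUL. `user` and `instance` are caller-supplied `char *` values and no length check on them is visible in this hunk (one may exist earlier in krb_parse_in_tkt_creds(), which starts outside it). Terminating each field after the copy closes this, e.g. `creds->pname[sizeof(creds->pname) - 1] = '\0';`. The `memmove()` into `creds->ticket_st.dat` likewise trusts `tkt->length`; if that value is not already checked against the size of `ticket_st.dat` where the reply is parsed, it should be checked before the copy.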
@@ -397,16 +402,27 @@ krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, char *arg; char *preauth_p; int preauth_len; + CREDENTIALS *creds; { KTEXT_ST cip_st; KTEXT cip = &cip_st; /* Returned Ciphertext */ int kerror; int byteorder; +#if TARGET_OS_MAC + struct sockaddr_in local_addr; +#endif +#if TARGET_OS_MAC kerror = krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, preauth_p, preauth_len, - cip, &byteorder); + cip, &byteorder, &local_addr); +#else + kerror = krb_mk_in_tkt_preauth(user, instance, realm, + service, sinstance, + life, preauth_p, preauth_len, + cip, &byteorder, NULL); +#endif if (kerror) return kerror; /* Attempt to decrypt the reply. */ 
@@ -415,14 +431,86 @@ krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, else (*decrypt_proc)(user, instance, realm, arg, key_proc, &cip); - kerror = krb_parse_in_tkt(user, instance, realm, - service, sinstance, - life, cip, byteorder); + kerror = krb_parse_in_tkt_creds(user, instance, realm, + service, sinstance, + life, cip, byteorder, creds); +#if TARGET_OS_MAC + /* Do this here to avoid OS dependency in parse_in_tkt prototype. */ + creds->address = local_addr->sin_addr.s_addr; +#endif /* stomp stomp stomp */ memset(cip->dat, 0, (size_t)cip->length); return kerror; } +int +krb_get_in_tkt_creds(user, instance, realm, service, sinstance, life, + key_proc, decrypt_proc, arg, creds) + char *user; + char *instance; + char *realm; + char *service; + char *sinstance; + int life; + key_proc_type key_proc; + decrypt_tkt_type decrypt_proc; + char *arg; + CREDENTIALS *creds; +{ + return krb_get_in_tkt_preauth_creds(user, instance, realm, + service, sinstance, life, + key_proc, decrypt_proc, arg, + NULL, 0, creds); +} + +int +krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, + key_proc, decrypt_proc, + arg, preauth_p, preauth_len) + char *user; + char *instance; + char *realm; + char *service; + char *sinstance; + int life; + key_proc_type key_proc; + decrypt_tkt_type decrypt_proc; + char *arg; + char *preauth_p; + int preauth_len; +{ + int retval; + CREDENTIALS creds; + + do { + retval = krb_get_in_tkt_preauth_creds(user, instance, realm, + service, sinstance, life, + key_proc, decrypt_proc, + arg, preauth_p, preauth_len, + &creds); + if (retval != KSUCCESS) break; + if (in_tkt(user, instance) != KSUCCESS) { + retval = INTK_ERR; + break; + } +#if TARGET_OS_MAC /* XXX */ + retval = krb_save_credentials_addr(creds.service, creds.instance, + creds.realm, creds.session, + creds.lifetime, creds.kvno, + &creds.ticket_st, creds.issue_date, + creds.address, creds.stk_type); +#else + retval = krb_save_credentials(creds.service, 
creds.instance, + creds.realm, creds.session, + creds.lifetime, creds.kvno, + &creds.ticket_st, creds.issue_date); +#endif + if (retval != KSUCCESS) break; + } while (0); + memset(&creds, 0, sizeof(creds)); + return retval; +} + int krb_get_in_tkt(user, instance, realm, service, sinstance, life, key_proc, decrypt_proc, arg) @@ -439,5 +527,5 @@ krb_get_in_tkt(user, instance, realm, service, sinstance, life, return krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, key_proc, decrypt_proc, arg, - (char *)NULL, 0); + NULL, 0); } diff --git a/src/lib/krb4/g_pw_in_tkt.c b/src/lib/krb4/g_pw_in_tkt.c index f878b77bd..3396fcbd9 100644 --- a/src/lib/krb4/g_pw_in_tkt.c +++ b/src/lib/krb4/g_pw_in_tkt.c @@ -115,6 +115,18 @@ krb_get_pw_in_tkt(user,instance,realm,service,sinstance,life,password) (decrypt_tkt_type)NULL, password)); } +int KRB5_CALLCONV +krb_get_pw_in_tkt_creds( + char *user, char *instance, char *realm, char *service, char *sinstance, + int life, char *password, CREDENTIALS *creds) +{ + return krb_get_in_tkt_creds(user, instance, realm, + service, sinstance, life, + (key_proc_type)passwd_to_key, + NULL, password, creds); +} + + /* * krb_get_pw_in_tkt_preauth() gets handed the password or key explicitly, * since the whole point of "pre" authentication is to prove that we've diff --git a/src/kadmin/v4server/kadm_err.et b/src/lib/krb4/kadm_err.et similarity index 100% rename from src/kadmin/v4server/kadm_err.et rename to src/lib/krb4/kadm_err.et diff --git a/src/lib/krb4/kadm_net.c b/src/lib/krb4/kadm_net.c new file mode 100644 index 000000000..37a660319 --- /dev/null +++ b/src/lib/krb4/kadm_net.c 
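Review bot: In krb_get_in_tkt_preauth_creds() the TARGET_OS_MAC line `creds->address = local_addr->sin_addr.s_addr;` applies `->` to `local_addr`, which the preceding hunk declares as a `struct sockaddr_in` object rather than a pointer, so that configuration should not compile. Once corrected to `local_addr.sin_addr.s_addr` it would still read a structure that nothing visible has written, because the `send_to_kdc_addr()` call that receives `local_addr` is under `#if 0` in the -213 hunk, and the assignment runs even when `krb_parse_in_tkt_creds()` returned an error. Clearing the struct up front and assigning only on success avoids storing stack garbage as the ticket address: `memset(&local_addr, 0, sizeof(local_addr));` before the request and `if (kerror == INTK_OK) creds->address = local_addr.sin_addr.s_addr;` after parsing. The function begins in the previous hunk.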
@@ -0,0 +1,383 @@ +/* + * kadm_net.c + * + * Copyright 1988, 2002 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Kerberos administration server client-side network access routines + * These routines do actual network traffic, in a machine dependent manner. + */ + +#include +#include +#include +#include +#ifdef HAVE_UNISTD_H +#include +#endif + +#define DEFINE_SOCKADDR /* Ask krb.h for struct sockaddr, etc */ +#include "port-sockets.h" +#include "krb.h" +#include "krbports.h" +#include "kadm.h" +#include "kadm_err.h" +#include "prot.h" + +/* XXX FIXME! */ +#if defined(_WINDOWS) || defined(macintosh) + #define SIGNAL(s, f) 0 +#else + #define SIGNAL(s, f) signal(s, f) + extern int errno; +#endif + +static void clear_secrets(des_cblock sess_key, Key_schedule sess_sched); +/* XXX FIXME! 
*/ +static sigtype (*opipe)(); + + +/* + * kadm_init_link + * receives : principal, instance, realm + * + * initializes client parm, the Kadm_Client structure which holds the + * data about the connection between the server and client, the services + * used, the locations and other fun things + */ +int +kadm_init_link(char *principal, char *instance, char *realm, + Kadm_Client *client_parm, int changepw) +{ + struct servent *sep; /* service we will talk to */ + u_short sep_port; + struct hostent *hop; /* host we will talk to */ + char adm_hostname[MAXHOSTNAMELEN]; + char *scol = 0; + + (void) strcpy(client_parm->sname, principal); + (void) strcpy(client_parm->sinst, instance); + (void) strcpy(client_parm->krbrlm, realm); + client_parm->admin_fd = -1; + client_parm->default_port = 1; + + /* + * set up the admin_addr - fetch name of admin or kpasswd host + * (usually the admin host is the kpasswd host unless you have + * some sort of realm on crack) + */ + if (changepw) { +#if 0 /* XXX */ + if (krb_get_kpasswdhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS) +#endif + if (krb_get_admhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS) + return KADM_NO_HOST; + } else { + if (krb_get_admhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS) + return KADM_NO_HOST; + } + scol = strchr(adm_hostname,':'); + if (scol) *scol = 0; + if ((hop = gethostbyname(adm_hostname)) == NULL) + /* + * couldn't find the admin servers address + */ + return KADM_UNK_HOST; + if (scol) { + sep_port = htons(atoi(scol+1)); + client_parm->default_port = 0; + } else if ((sep = getservbyname(KADM_SNAME, "tcp")) != NULL) + sep_port = sep->s_port; + else + sep_port = htons(KADM_PORT); /* KADM_SNAME = kerberos_master/tcp */ + memset(&client_parm->admin_addr, 0, sizeof(client_parm->admin_addr)); + client_parm->admin_addr.sin_family = hop->h_addrtype; + memcpy(&client_parm->admin_addr.sin_addr, hop->h_addr, hop->h_length); + client_parm->admin_addr.sin_port = sep_port; + + return KADM_SUCCESS; 
+} + +/* + * kadm_cli_send + * recieves : opcode, packet, packet length, serv_name, serv_inst + * returns : return code from the packet build, the server, or + * something else + * + * It assembles a packet as follows: + * 8 bytes : VERSION STRING + * 4 bytes : LENGTH OF MESSAGE DATA and OPCODE + * : KTEXT + * : OPCODE \ + * : DATA > Encrypted (with make priv) + * : ...... / + * + * If it builds the packet and it is small enough, then it attempts to open the + * connection to the admin server. If the connection is succesfully open + * then it sends the data and waits for a reply. + */ +int +kadm_cli_send(Kadm_Client *client_parm, + u_char *st_dat, /* the actual data */ + size_t st_siz, /* length of said data */ + u_char **ret_dat, /* to give return info */ + size_t *ret_siz) /* length of returned info */ +{ +/* Macros for use in returning data... used in kadm_cli_send */ +#define RET_N_FREE(r) {clear_secrets(sess_key, sess_sched); free((char *)act_st); free((char *)priv_pak); return r;} +#define RET_N_FREE2(r) {free((char *)*ret_dat); *ret_dat = 0; *ret_siz = 0; clear_secrets(sess_key, sess_sched); return(r);} + + int act_len; /* current offset into packet, return */ + KRB_INT32 retdat; /* data */ + KTEXT_ST authent; /* the authenticator we will build */ + u_char *act_st; /* the pointer to the complete packet */ + u_char *priv_pak; /* private version of the packet */ + long priv_len; /* length of private packet */ + u_long cksum; /* checksum of the packet */ + MSG_DAT mdat; + u_char *return_dat; + u_char *p; + KRB_UINT32 uretdat; + + /* Keys for use in the transactions */ + des_cblock sess_key; /* to be filled in by kadm_cli_keyd */ + Key_schedule sess_sched; + + act_st = malloc(KADM_VERSIZE); /* verstr stored first */ + strncpy((char *)act_st, KADM_VERSTR, KADM_VERSIZE); + act_len = KADM_VERSIZE; + + if ((retdat = kadm_cli_keyd(client_parm, sess_key, sess_sched)) != KADM_SUCCESS) { + free(act_st); + return retdat; /* couldnt get key working */ + } + priv_pak = 
malloc(st_siz + 200); + /* 200 bytes for extra info case */ + /* XXX Check mk_priv return type */ + if ((priv_len = krb_mk_priv(st_dat, priv_pak, (u_long)st_siz, + sess_sched, (C_Block *)sess_key, + &client_parm->my_addr, + &client_parm->admin_addr)) < 0) + RET_N_FREE(KADM_NO_ENCRYPT); /* whoops... we got a lose here */ + /* + * here is the length of priv data. receiver calcs size of + * authenticator by subtracting vno size, priv size, and + * sizeof(u_long) (for the size indication) from total size + */ + act_len += vts_long((KRB_UINT32)priv_len, &act_st, (int)act_len); +#ifdef NOENCRYPTION + cksum = 0; +#else + cksum = quad_cksum(priv_pak, NULL, priv_len, 0, &sess_key); +#endif + /* XXX cast unsigned->signed */ + if ((retdat = krb_mk_req_creds(&authent, &client_parm->creds, (long)cksum)) != NULL) { + /* authenticator? */ + RET_N_FREE(retdat); + } + + act_st = realloc(act_st, (unsigned) (act_len + authent.length + + priv_len)); + if (!act_st) { + clear_secrets(sess_key, sess_sched); + free(priv_pak); + return KADM_NOMEM; + } + memcpy(act_st + act_len, authent.dat, authent.length); + memcpy(act_st + act_len + authent.length, priv_pak, priv_len); + free(priv_pak); + if ((retdat = kadm_cli_out(client_parm, act_st, + act_len + authent.length + priv_len, + ret_dat, ret_siz)) != KADM_SUCCESS) + RET_N_FREE(retdat); + free(act_st); + + /* first see if it's a YOULOSE */ + if ((*ret_siz >= KADM_VERSIZE) && + !strncmp(KADM_ULOSE, (char *)*ret_dat, KADM_VERSIZE)) + { + /* it's a youlose packet */ + if (*ret_siz < KADM_VERSIZE + 4) + RET_N_FREE2(KADM_BAD_VER); + p = *ret_dat + KADM_VERSIZE; + KRB4_GET32BE(uretdat, p); + /* XXX unsigned->signed */ + retdat = (KRB_INT32)uretdat; + RET_N_FREE2(retdat); + } + /* need to decode the ret_dat */ + if ((retdat = krb_rd_priv(*ret_dat, (u_long)*ret_siz, sess_sched, + (C_Block *)sess_key, &client_parm->admin_addr, + &client_parm->my_addr, &mdat)) != NULL) + RET_N_FREE2(retdat); + if (mdat.app_length < KADM_VERSIZE + 4) + /* too short! 
*/ + RET_N_FREE2(KADM_BAD_VER); + if (strncmp((char *)mdat.app_data, KADM_VERSTR, KADM_VERSIZE)) + /* bad version */ + RET_N_FREE2(KADM_BAD_VER); + p = mdat.app_data + KADM_VERSIZE; + KRB4_GET32BE(uretdat, p); + /* XXX unsigned->signed */ + retdat = (KRB_INT32)uretdat; + if ((mdat.app_length - KADM_VERSIZE - 4) != 0) { + if (!(return_dat = + malloc((unsigned)(mdat.app_length - KADM_VERSIZE - 4)))) + RET_N_FREE2(KADM_NOMEM); + memcpy(return_dat, p, mdat.app_length - KADM_VERSIZE - 4); + } else { + /* If it's zero length, still need to malloc a 1 byte string; */ + /* malloc's of zero will return NULL on AIX & A/UX */ + if (!(return_dat = malloc((unsigned) 1))) + RET_N_FREE2(KADM_NOMEM); + *return_dat = '\0'; + } + free(*ret_dat); + clear_secrets(sess_key, sess_sched); + *ret_dat = return_dat; + *ret_siz = mdat.app_length - KADM_VERSIZE - 4; + return retdat; +} + +int kadm_cli_conn(Kadm_Client *client_parm) +{ /* this connects and sets my_addr */ +#if 0 + int on = 1; +#endif + if ((client_parm->admin_fd = + socket(client_parm->admin_addr.sin_family, SOCK_STREAM,0)) < 0) + return KADM_NO_SOCK; /* couldnt create the socket */ + if (SOCKET_CONNECT(client_parm->admin_fd, + (struct sockaddr *) & client_parm->admin_addr, + sizeof(client_parm->admin_addr))) { + (void) SOCKET_CLOSE(client_parm->admin_fd); + client_parm->admin_fd = -1; + + /* The V4 kadmind port number is 751. The RFC assigned + number, for V5, is 749. Sometimes the entry in + /etc/services on a client machine will say 749, but the + server may be listening on port 751. We try to partially + cope by automatically falling back to try port 751 if we + don't get a reply on port we are using. 
*/ + if (client_parm->admin_addr.sin_port != htons(KADM_PORT) + && client_parm->default_port) { + client_parm->admin_addr.sin_port = htons(KADM_PORT); + return kadm_cli_conn(client_parm); + } + + return KADM_NO_CONN; /* couldnt get the connect */ + } + opipe = SIGNAL(SIGPIPE, SIG_IGN); + client_parm->my_addr_len = sizeof(client_parm->my_addr); + if (SOCKET_GETSOCKNAME(client_parm->admin_fd, + (struct sockaddr *) & client_parm->my_addr, + &client_parm->my_addr_len) < 0) { + (void) SOCKET_CLOSE(client_parm->admin_fd); + client_parm->admin_fd = -1; + (void) SIGNAL(SIGPIPE, opipe); + return KADM_NO_HERE; /* couldnt find out who we are */ + } +#if 0 + if (setsockopt(client_parm.admin_fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on, + sizeof(on)) < 0) { + (void) closesocket(client_parm.admin_fd); + client_parm.admin_fd = -1; + (void) SIGNAL(SIGPIPE, opipe); + return KADM_NO_CONN; /* XXX */ + } +#endif + return KADM_SUCCESS; +} + +void kadm_cli_disconn(Kadm_Client *client_parm) +{ + (void) SOCKET_CLOSE(client_parm->admin_fd); + (void) SIGNAL(SIGPIPE, opipe); + return; +} + +int kadm_cli_out(Kadm_Client *client_parm, u_char *dat, int dat_len, + u_char **ret_dat, size_t *ret_siz) +{ + u_short dlen; + int retval; + unsigned char buf[2], *p; + + dlen = (u_short)dat_len; + if (dlen > 0x7fff) /* XXX krb_net_write signedness */ + return KADM_NO_ROOM; + + p = buf; + KRB4_PUT16BE(p, dlen); + if (krb_net_write(client_parm->admin_fd, (char *)buf, 2) < 0) + return SOCKET_ERRNO; /* XXX */ + + if (krb_net_write(client_parm->admin_fd, (char *)dat, (int)dat_len) < 0) + return SOCKET_ERRNO; /* XXX */ + + retval = krb_net_read(client_parm->admin_fd, (char *)buf, 2); + if (retval != 2) { + if (retval < 0) + return SOCKET_ERRNO; /* XXX */ + else + return EPIPE; /* short read ! 
*/ + } + + p = buf; + KRB4_GET16BE(dlen, p); + if (dlen > INT_MAX) /* XXX krb_net_read signedness */ + return KADM_NO_ROOM; + *ret_dat = malloc(dlen); + if (!*ret_dat) + return KADM_NOMEM; + + retval = krb_net_read(client_parm->admin_fd, (char *)*ret_dat, (int)dlen); + if (retval != dlen) { + if (retval < 0) + return SOCKET_ERRNO; /* XXX */ + else + return EPIPE; /* short read ! */ + } + *ret_siz = dlen; + return KADM_SUCCESS; +} + +static void +clear_secrets(des_cblock sess_key, Key_schedule sess_sched) +{ + memset(sess_key, 0, sizeof(sess_key)); + memset(sess_sched, 0, sizeof(sess_sched)); + return; +} + +/* takes in the sess_key and key_schedule and sets them appropriately */ +int kadm_cli_keyd(Kadm_Client *client_parm, + des_cblock s_k, des_key_schedule s_s) +{ + int stat; + + memcpy(s_k, client_parm->creds.session, sizeof(des_cblock)); + stat = key_sched(s_k, s_s); + if (stat) + return stat; + return KADM_SUCCESS; +} /* This code "works" */ diff --git a/src/lib/krb4/kadm_stream.c b/src/lib/krb4/kadm_stream.c new file mode 100644 index 000000000..3a9861eda --- /dev/null +++ b/src/lib/krb4/kadm_stream.c 
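Review bot: In kadm_cli_send, `priv_pak` is freed just before the kadm_cli_out call, and the failure branch then runs RET_N_FREE, which frees `priv_pak` a second time; any socket write or read error reaches that path. Setting `priv_pak = NULL;` right after the `free(priv_pak);` turns the macro's second free into a no-op. Separately, clear_secrets takes `des_cblock` and `Key_schedule` parameters; if these are array typedefs (the `(C_Block *)sess_key` casts suggest so), `sizeof(sess_key)` and `sizeof(sess_sched)` are pointer sizes inside the function and most of the key schedule stays in memory, so I would write `memset(sess_key, 0, sizeof(des_cblock)); memset(sess_sched, 0, sizeof(Key_schedule));`. The `strcpy` calls at the top of kadm_init_link also copy caller strings into the Kadm_Client name fields without a length check.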
@@ -0,0 +1,319 @@ +/* + * kadm_stream.c + * + * Copyright 1988, 2002 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Stream conversion functions for Kerberos administration server + */ + +/* + kadm_stream.c + this holds the stream support routines for the kerberos administration server + + vals_to_stream: converts a vals struct to a stream for transmission + internals build_field_header, vts_[string, char, long, short] + stream_to_vals: converts a stream to a vals struct + internals check_field_header, stv_[string, char, long, short] + error: prints out a kadm error message, returns + fatal: prints out a kadm fatal error message, exits +*/ + +#include +#include + +#include "kadm.h" +#include "kadm_err.h" +#include "prot.h" + +#define min(a,b) (((a) < (b)) ? 
(a) : (b)) + +/* +vals_to_stream + recieves : kadm_vals *, u_char * + returns : a realloced and filled in u_char * + +this function creates a byte-stream representation of the kadm_vals structure +*/ +int +vals_to_stream(Kadm_vals *dt_in, u_char **dt_out) +{ + int vsloop, stsize; /* loop counter, stream size */ + + stsize = build_field_header(dt_in->fields, dt_out); + for (vsloop = 31; vsloop >= 0; vsloop--) + if (IS_FIELD(vsloop, dt_in->fields)) { + switch (vsloop) { + case KADM_NAME: + stsize += vts_string(dt_in->name, dt_out, stsize); + break; + case KADM_INST: + stsize += vts_string(dt_in->instance, dt_out, stsize); + break; + case KADM_EXPDATE: + stsize += vts_long((KRB_UINT32)dt_in->exp_date, + dt_out, stsize); + break; + case KADM_ATTR: + stsize += vts_short(dt_in->attributes, dt_out, stsize); + break; + case KADM_MAXLIFE: + stsize += vts_char(dt_in->max_life, dt_out, stsize); + break; + case KADM_DESKEY: + stsize += vts_long(dt_in->key_high, dt_out, stsize); + stsize += vts_long(dt_in->key_low, dt_out, stsize); + break; + default: + break; + } + } + return stsize; +} + +int +build_field_header( + u_char *cont, /* container for fields data */ + u_char **st) /* stream */ +{ + *st = malloc(4); + if (*st == NULL) + return -1; + memcpy(*st, cont, 4); + return 4; /* return pointer to current stream location */ +} + +int +vts_string(char *dat, u_char **st, int loc) +{ + size_t len; + unsigned char *p; + + if (loc < 0) + return -1; + len = strlen(dat) + 1; + p = realloc(*st, (size_t)loc + len); + if (p == NULL) + return -1; + memcpy(p + loc, dat, len); + *st = p; + return len; +} + +int +vts_short(KRB_UINT32 dat, u_char **st, int loc) +{ + unsigned char *p; + + if (loc < 0) + return -1; + p = realloc(*st, (size_t)loc + 2); + if (p == NULL) + return -1; + + KRB4_PUT16BE(p, dat); + *st = p; + return 2; +} + +int +vts_long(KRB_UINT32 dat, u_char **st, int loc) +{ + unsigned char *p; + + if (loc < 0) + return -1; + p = realloc(*st, (size_t)loc + 4); + if (p == NULL) + 
return -1; + + KRB4_PUT32BE(p, dat); + *st = p; + return 4; +} + +int +vts_char(KRB_UINT32 dat, u_char **st, int loc) +{ + unsigned char *p; + + if (loc < 0) + return -1; + p = realloc(*st, (size_t)loc + 1); + if (p == NULL) + return -1; + p[loc] = dat & 0xff; + *st = p; + return 1; +} + +/* +stream_to_vals + recieves : u_char *, kadm_vals * + returns : a kadm_vals filled in according to u_char * + +this decodes a byte stream represntation of a vals struct into kadm_vals +*/ +int +stream_to_vals( + u_char *dt_in, + Kadm_vals *dt_out, + int maxlen) /* max length to use */ +{ + register int vsloop, stsize; /* loop counter, stream size */ + register int status; + + memset(dt_out, 0, sizeof(*dt_out)); + + stsize = check_field_header(dt_in, dt_out->fields, maxlen); + if (stsize < 0) + return -1; + for (vsloop = 31; vsloop >= 0; vsloop--) + if (IS_FIELD(vsloop, dt_out->fields)) + switch (vsloop) { + case KADM_NAME: + status = stv_string(dt_in, dt_out->name, stsize, + sizeof(dt_out->name), maxlen); + if (status < 0) + return -1; + stsize += status; + break; + case KADM_INST: + status = stv_string(dt_in, dt_out->instance, stsize, + sizeof(dt_out->instance), maxlen); + if (status < 0) + return -1; + stsize += status; + break; + case KADM_EXPDATE: + { + KRB_UINT32 exp_date; + + status = stv_long(dt_in, &exp_date, stsize, maxlen); + if (status < 0) + return -1; + dt_out->exp_date = exp_date; + stsize += status; + } + break; + case KADM_ATTR: + status = stv_short(dt_in, &dt_out->attributes, stsize, + maxlen); + if (status < 0) + return -1; + stsize += status; + break; + case KADM_MAXLIFE: + status = stv_char(dt_in, &dt_out->max_life, stsize, + maxlen); + if (status < 0) + return -1; + stsize += status; + break; + case KADM_DESKEY: + status = stv_long(dt_in, &dt_out->key_high, stsize, + maxlen); + if (status < 0) + return -1; + stsize += status; + status = stv_long(dt_in, &dt_out->key_low, stsize, + maxlen); + if (status < 0) + return -1; + stsize += status; + break; + default: 
+ break; + } + return stsize; +} + +int +check_field_header( + u_char *st, /* stream */ + u_char *cont, /* container for fields data */ + int maxlen) +{ + if (4 > maxlen) + return -1; + memcpy(cont, st, 4); + return 4; /* return pointer to current stream location */ +} + +int +stv_string( + register u_char *st, /* base pointer to the stream */ + char *dat, /* a string to read from the stream */ + register int loc, /* offset into the stream for current data */ + int stlen, /* max length of string to copy in */ + int maxlen) /* max length of input stream */ +{ + int maxcount; /* max count of chars to copy */ + + if (loc < 0) + return -1; + maxcount = min(maxlen - loc, stlen); + if (maxcount <= 0) /* No strings left in the input stream */ + return -1; + + (void) strncpy(dat, (char *)st + loc, (size_t)maxcount); + + if (dat[maxcount - 1]) /* not null-term --> not enuf room */ + return -1; + return strlen(dat) + 1; +} + +int +stv_short(u_char *st, u_short *dat, int loc, int maxlen) +{ + u_short temp; + unsigned char *p; + + if (loc < 0 || loc + 2 > maxlen) + return -1; + p = st + loc; + KRB4_GET16BE(temp, p); + *dat = temp; + return 2; +} + +int +stv_long(u_char *st, KRB_UINT32 *dat, int loc, int maxlen) +{ + KRB_UINT32 temp; + unsigned char *p; + + if (loc < 0 || loc + 4 > maxlen) + return -1; + p = st + loc; + KRB4_GET32BE(temp, p); + *dat = temp; + return 4; +} + +int +stv_char(u_char *st, u_char *dat, int loc, int maxlen) +{ + if (loc < 0 || loc + 1 > maxlen) + return -1; + *dat = *(st + loc); + return 1; +} diff --git a/src/lib/krb4/mk_req.c b/src/lib/krb4/mk_req.c index b5f02529b..698d2c2ad 100644 --- a/src/lib/krb4/mk_req.c +++ b/src/lib/krb4/mk_req.c @@ -1,7 +1,7 @@ /* * lib/krb4/mk_req.c * - * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts + * Copyright 1985, 1986, 1987, 1988, 2000, 2002 by the Massachusetts * Institute of Technology. All Rights Reserved. * * Export of this software from the United States of America may 
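Review bot: vts_short and vts_long encode at the start of the reallocated buffer instead of at offset `loc`: they call `KRB4_PUT16BE(p, dat)` / `KRB4_PUT32BE(p, dat)` with `p` still pointing at the base, whereas vts_string and vts_char write at `p + loc`. In kadm_cli_send this means the length word lands on top of the version string. The macros are defined in prot.h, outside this hunk; if they advance `p`, as the `p = buf; KRB4_PUT16BE(p, dlen);` pattern in kadm_cli_out suggests, the following `*st = p` also stores a pointer into the middle of the allocation that is later handed to realloc and free. I would store the base first and then move the cursor: `*st = p; p += loc; KRB4_PUT16BE(p, dat);` (and the same with KRB4_PUT32BE in vts_long). vals_to_stream also adds the -1 error return of these helpers into `stsize` without checking it.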
@@ -33,6 +33,8 @@ extern int krb_ap_req_debug; static int lifetime = 255; /* Default based on the TGT */ +static int krb_mk_req_creds_prealm(KTEXT, CREDENTIALS *, KRB4_32, char *); + /* * krb_mk_req takes a text structure in which an authenticator is to * be built, the name of a service, an instance, a realm, 
@@ -83,83 +85,51 @@ static int lifetime = 255; /* Default based on the TGT */ * all rounded up to multiple of 8. */ -int KRB5_CALLCONV -krb_mk_req(authent, service, instance, realm, checksum) +static int +krb_mk_req_creds_prealm(authent, creds, checksum, myrealm) register KTEXT authent; /* Place to build the authenticator */ - char *service; /* Name of the service */ - char *instance; /* Service instance */ - char *realm; /* Authentication domain of service */ + CREDENTIALS *creds; KRB4_32 checksum; /* Checksum of data (optional) */ + char *myrealm; /* Client's realm */ { KTEXT_ST req_st; /* Temp storage for req id */ KTEXT req_id = &req_st; unsigned char *p, *q, *reqid_lenp; int tl; /* Tkt len */ int idl; /* Reqid len */ - CREDENTIALS cr; /* Credentials used by retr */ - register KTEXT ticket = &(cr.ticket_st); /* Pointer to tkt_st */ - int retval; /* Returned by krb_get_cred */ + register KTEXT ticket; /* Pointer to tkt_st */ Key_schedule key_s; - char krb_realm[REALM_SZ]; /* Our local realm, if not specified */ - char myrealm[REALM_SZ]; /* Realm of our TGT */ size_t realmlen, pnamelen, pinstlen, myrealmlen; unsigned KRB4_32 time_secs; unsigned KRB4_32 time_usecs; - /* get current realm if not passed in */ - if (realm == NULL) { - retval = krb_get_lrealm(krb_realm, 1); - if (retval != KSUCCESS) - return retval; - realm = krb_realm; - } - + ticket = &creds->ticket_st; /* Get the ticket and move it into the authenticator */ if (krb_ap_req_debug) - DEB (("Realm: %s\n",realm)); - /* - * Determine realm of these tickets. We will send this to the - * KDC from which we are requesting tickets so it knows what to - * with our session key. 
- */ - retval = krb_get_tf_realm(TKT_FILE, myrealm); - if (retval != KSUCCESS) - return retval; + DEB (("Realm: %s\n", creds->realm)); - retval = krb_get_cred(service, instance, realm, &cr); - if (retval == RET_NOTKT) { - retval = get_ad_tkt(service, instance, realm, lifetime); - if (retval) - return retval; - retval = krb_get_cred(service, instance, realm, &cr); - if (retval) - return retval; - } - if (retval != KSUCCESS) - return retval; - - realmlen = strlen(realm) + 1; + realmlen = strlen(creds->realm) + 1; if (sizeof(authent->dat) < (1 + 1 + 1 + realmlen + 1 + 1 + ticket->length) || ticket->length < 0 || ticket->length > 255) { authent->length = 0; - memset(cr.session, 0, sizeof(cr.session)); + memset(creds->session, 0, sizeof(creds->session)); return KFAILURE; } if (krb_ap_req_debug) - DEB (("%s %s %s %s %s\n", service, instance, realm, - cr.pname, cr.pinst)); + DEB (("%s %s %s %s %s\n", creds->service, creds->instance, + creds->realm, creds->pname, creds->pinst)); p = authent->dat; /* The fixed parts of the authenticator */ *p++ = KRB_PROT_VERSION; *p++ = AUTH_MSG_APPL_REQUEST; - *p++ = cr.kvno; + *p++ = creds->kvno; - memcpy(p, realm, realmlen); + memcpy(p, creds->realm, realmlen); p += realmlen; tl = ticket->length; @@ -173,14 +143,14 @@ krb_mk_req(authent, service, instance, realm, checksum) if (krb_ap_req_debug) DEB (("Ticket->length = %d\n",ticket->length)); if (krb_ap_req_debug) - DEB (("Issue date: %d\n",cr.issue_date)); + DEB (("Issue date: %d\n",creds->issue_date)); - pnamelen = strlen(cr.pname) + 1; - pinstlen = strlen(cr.pinst) + 1; + pnamelen = strlen(creds->pname) + 1; + pinstlen = strlen(creds->pinst) + 1; myrealmlen = strlen(myrealm) + 1; if (sizeof(req_id->dat) / 8 < (pnamelen + pinstlen + myrealmlen + 4 + 1 + 4 + 7) / 8) { - memset(cr.session, 0, sizeof(cr.session)); + memset(creds->session, 0, sizeof(creds->session)); return KFAILURE; } 
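Review bot: krb_mk_req_creds_prealm now zeroes `creds->session` in storage the caller owns: on the size-check failure return in this hunk, on the one in the @@ -173,14 hunk, and after encryption in the @@ -210,12 hunk. That was harmless while `cr` was a local of krb_mk_req, but krb_mk_req_creds is handed `&client_parm->creds` by kadm_cli_send, and kadm_cli_keyd copies the session key out of that same structure on every request, so a second request on one Kadm_Client would appear to run with an all-zero key. I would drop the wipes from the helper and keep one in krb_mk_req, which owns its local copy: `retval = krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm); memset(creds.session, 0, sizeof(creds.session)); return retval;`. The helper's body continues past the end of this hunk.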
@@ -188,10 +158,10 @@ krb_mk_req(authent, service, instance, realm, checksum) /* Build request id */ /* Auth name */ - memcpy(q, cr.pname, pnamelen); + memcpy(q, creds->pname, pnamelen); q += pnamelen; /* Principal's instance */ - memcpy(q, cr.pinst, pinstlen); + memcpy(q, creds->pinst, pinstlen); q += pinstlen; /* Authentication domain */ memcpy(q, myrealm, myrealmlen); @@ -210,12 +180,12 @@ krb_mk_req(authent, service, instance, realm, checksum) #ifndef NOENCRYPTION /* Encrypt the request ID using the session key */ - key_sched(cr.session, key_s); + key_sched(creds->session, key_s); pcbc_encrypt((C_Block *)req_id->dat, (C_Block *)req_id->dat, - (long)req_id->length, key_s, &cr.session, 1); + (long)req_id->length, key_s, &creds->session, 1); /* clean up */ memset(key_s, 0, sizeof(key_s)); - memset(cr.session, 0, sizeof(cr.session)); + memset(creds->session, 0, sizeof(creds->session)); #endif /* NOENCRYPTION */ /* Copy it into the authenticator */ 
@@ -239,6 +209,61 @@ krb_mk_req(authent, service, instance, realm, checksum) return KSUCCESS; } +int KRB5_CALLCONV +krb_mk_req(authent, service, instance, realm, checksum) + register KTEXT authent; /* Place to build the authenticator */ + char *service; /* Name of the service */ + char *instance; /* Service instance */ + char *realm; /* Authentication domain of service */ + KRB4_32 checksum; /* Checksum of data (optional) */ +{ + char krb_realm[REALM_SZ]; /* Our local realm, if not specified */ + char myrealm[REALM_SZ]; /* Realm of initial TGT. */ + int retval; + CREDENTIALS creds; + + /* get current realm if not passed in */ + if (realm == NULL) { + retval = krb_get_lrealm(krb_realm, 1); + if (retval != KSUCCESS) + return retval; + realm = krb_realm; + } + /* + * Determine realm of these tickets. We will send this to the + * KDC from which we are requesting tickets so it knows what to + * with our session key. + */ + retval = krb_get_tf_realm(TKT_FILE, myrealm); + if (retval != KSUCCESS) + retval = krb_get_lrealm(myrealm, 1); + if (retval != KSUCCESS) + return retval; + + retval = krb_get_cred(service, instance, realm, &creds); + if (retval == RET_NOTKT) { + retval = get_ad_tkt(service, instance, realm, lifetime); + if (retval) + return retval; + retval = krb_get_cred(service, instance, realm, &creds); + if (retval) + return retval; + } + if (retval != KSUCCESS) + return retval; + + return krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm); +} + +int KRB5_CALLCONV +krb_mk_req_creds(authent, creds, checksum) + register KTEXT authent; /* Place to build the authenticator */ + CREDENTIALS *creds; + KRB4_32 checksum; /* Checksum of data (optional) */ +{ + return krb_mk_req_creds_prealm(authent, creds, checksum, creds->realm); +} + /* * krb_set_lifetime sets the default lifetime for additional tickets * obtained via krb_mk_req(). 
@@ -246,7 +271,7 @@ krb_mk_req(authent, service, instance, realm, checksum) * It returns the previous value of the default lifetime. */ -int +int KRB5_CALLCONV krb_set_lifetime(newval) int newval; { diff --git a/src/lib/krb4/one.c b/src/lib/krb4/one.c deleted file mode 100644 index 47a16e27f..000000000 --- a/src/lib/krb4/one.c +++ /dev/null @@ -1,15 +0,0 @@ -/* - * one.c - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -/* - * definition of variable set to 1. - * used in krb_conf.h to determine host byte order. - */ - -const int krbONE = 1; diff --git a/src/lib/krb4/password_to_key.c b/src/lib/krb4/password_to_key.c new file mode 100644 index 000000000..be307a42d --- /dev/null +++ b/src/lib/krb4/password_to_key.c 
@@ -0,0 +1,146 @@ +/* + * password_to_key.c -- password_to_key functions merged from KfM + * + * Copyright 1999, 2002 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include +#include + +#if TARGET_OS_MAC +#include +#endif +#include "krb.h" +#include "krb4int.h" + +/* + * passwd_to_key(): given a password, return a DES key. + * There are extra arguments here which (used to be?) + * used by srvtab_to_key(). + * + * If the "passwd" argument is not null, generate a DES + * key from it, using string_to_key(). + * + * If the "passwd" argument is null, then on a Unix system we call + * des_read_password() to prompt for a password and then convert it + * into a DES key. But "prompting" the user is harder in a Windows or + * Macintosh environment, so we rely on our caller to explicitly do + * that now. 
+ * + * In either case, the resulting key is put in the "key" argument, + * and 0 is returned. + */ + +#if TARGET_OS_MAC +/*ARGSUSED */ +int +krb_get_keyprocs(KRB_UINT32 stkType, + key_proc_array kps, key_proc_type_array sts) +{ + /* generates the list of key procs */ + /* always try them all, but try the specified one first */ + switch (stkType) { + case cc_v4_stk_afs: + kps[0] = afs_passwd_to_key; + sts[0] = cc_v4_stk_afs; + + kps[1] = mit_passwd_to_key; + sts[1] = cc_v4_stk_des; + + kps[2] = krb5_passwd_to_key; + sts[2] = cc_v4_stk_krb5; + + kps[3] = NULL; + break; + case cc_v4_stk_des: + case cc_v4_stk_unknown: + default: + kps[0] = mit_passwd_to_key; + sts[0] = cc_v4_stk_des; + + kps[1] = afs_passwd_to_key; + sts[1] = cc_v4_stk_afs; + + kps[2] = krb5_passwd_to_key; + sts[2] = cc_v4_stk_krb5; + + kps[3] = NULL; + break; + } + return KSUCCESS; +} +#endif + +int +mit_passwd_to_key(char *user, char *instance, char *realm, + char *passwd, C_Block key) +{ +#pragma unused(user) +#pragma unused(instance) +#pragma unused(realm) + + if (passwd) + mit_string_to_key(passwd, key); +#if !(defined(_WINDOWS) || defined(macintosh)) + else { + des_read_password((C_Block *)key, "Password: ", 0); + } +#endif /* unix */ + return (0); +} + +/* So we can use a v4 kinit against a v5 kdc with no krb4 salted key */ +int +krb5_passwd_to_key(char *user, char *instance, char *realm, + char *passwd, C_Block key) +{ + if (user && instance && realm && passwd) { + unsigned int len = MAX_K_NAME_SZ + strlen(passwd) + 1; + char *p = malloc (len); + if (p != NULL) { + snprintf (p, len, "%s%s%s%s", passwd, realm, user, instance); + p[len - 1] = '\0'; + mit_string_to_key (p, key); + free (p); + return 0; + } + } + return -1; +} + +int +afs_passwd_to_key(char *user, char *instance, char *realm, + char *passwd, C_Block key) +{ +#pragma unused(user) +#pragma unused(instance) + + if (passwd) + afs_string_to_key(passwd, realm, key); +#if !(defined(_WINDOWS) || defined(macintosh)) + else { + 
des_read_password((C_Block *)key, "Password: ", 0); + } +#endif /* unix */ + return (0); +} diff --git a/src/lib/krb4/prot_client.c b/src/lib/krb4/prot_client.c index d254e8949..315f7f08a 100644 --- a/src/lib/krb4/prot_client.c +++ b/src/lib/krb4/prot_client.c @@ -64,7 +64,7 @@ krb4prot_encode_kdc_request(char *pname, char *pinst, char *prealm, p = pkt->dat; *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_KDC_REQUEST | (le ? LSB_FIRST : MSB_FIRST); + *p++ = AUTH_MSG_KDC_REQUEST | !!le; ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, pkt, &p); @@ -235,7 +235,7 @@ krb4prot_encode_apreq(int kvno, char *realm, p = pkt->dat; /* Assume >= 3 bytes in a KTEXT. */ *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_APPL_REQUEST | (le ? LSB_FIRST : MSB_FIRST); + *p++ = AUTH_MSG_APPL_REQUEST | !!le; *p++ = kvno; diff --git a/src/lib/krb4/prot_kdc.c b/src/lib/krb4/prot_kdc.c index d733c2589..aaaa9d00c 100644 --- a/src/lib/krb4/prot_kdc.c +++ b/src/lib/krb4/prot_kdc.c @@ -91,7 +91,7 @@ krb4prot_encode_kdc_reply(char *pname, char *pinst, char *prealm, else *p++ = KRB_PROT_VERSION; /* little-endianness based on input, usually big-endian, though. */ - *p++ = AUTH_MSG_KDC_REPLY | (le ? LSB_FIRST : MSB_FIRST); + *p++ = AUTH_MSG_KDC_REPLY | !!le; ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, outbuf, &p); @@ -281,7 +281,7 @@ krb4prot_encode_tkt(unsigned int flags, * Assume at least one byte in a KTEXT. If not, we have bigger * problems. Also, bitwise-OR in the little-endian flag. */ - *p++ = flags | (le ? LSB_FIRST : MSB_FIRST); + *p++ = flags | !!le; if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, tkt, &p)) @@ -369,7 +369,7 @@ krb4prot_encode_err_reply(char *pname, char *pinst, char *prealm, p = pkt->dat; /* Assume >= 2 bytes in KTEXT. */ *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_ERR_REPLY | (le ? LSB_FIRST : MSB_FIRST); + *p++ = AUTH_MSG_ERR_REPLY | !!le; if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, pkt, &p)) 
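Review bot: krb5_passwd_to_key builds a heap copy of the password concatenated with the salt and releases it with `free (p);` without clearing it, so the cleartext password stays in freed heap memory. Clearing it first, e.g. `memset (p, 0, len);` or a wipe the compiler cannot elide, keeps the copy's lifetime as short as the key derivation. The snprintf result is also not compared with `len`, so over-long realm, user or instance strings are truncated silently and yield a different key rather than an error. In mit_passwd_to_key and afs_passwd_to_key, a NULL `passwd` on the _WINDOWS/macintosh builds returns 0 without writing `key`, and the Unix branch ignores the des_read_password result.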
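Review bot: `AUTH_MSG_KDC_REQUEST | !!le` hard-codes the byte-order flag as bit 0, where the replaced expression named it through LSB_FIRST and MSB_FIRST; the two forms are equivalent only if those constants were 1 and 0, which this hunk does not show. A short comment at the first use would keep the wire-format meaning visible: `/* low bit of the message type: 1 = little-endian sender */`. The same expression appears in the second prot_client.c hunk and in the three prot_kdc.c hunks.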
diff --git a/src/lib/krb4/rd_req.c b/src/lib/krb4/rd_req.c index b97bdbe0a..1b8de0cf3 100644 --- a/src/lib/krb4/rd_req.c +++ b/src/lib/krb4/rd_req.c @@ -1,8 +1,8 @@ /* * lib/krb4/rd_req.c * - * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts - * Institute of Technology. All Rights Reserved. + * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2002 by the + * Massachusetts Institute of Technology. All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -33,6 +33,10 @@ extern int krb_ap_req_debug; +static int +krb_rd_req_with_key(KTEXT, char *, char *, KRB_UINT32, AUTH_DAT *, + Key_schedule, krb5_keyblock *); + /* declared in krb.h */ int krb_ignore_ip_address = 0; @@ -162,14 +166,15 @@ krb_clear_key_krb5(ctx) * Mutual authentication is not implemented. */ -int KRB5_CALLCONV -krb_rd_req(authent, service, instance, from_addr, ad, fn) +static int +krb_rd_req_with_key(authent, service, instance, from_addr, ad, ks, k5key) register KTEXT authent; /* The received message */ char *service; /* Service name */ char *instance; /* Service instance */ unsigned KRB4_32 from_addr; /* Net address of originating host */ AUTH_DAT *ad; /* Structure to be filled in */ - char *fn; /* Filename to get keys from */ + Key_schedule ks; + krb5_keyblock *k5key; { KTEXT_ST ticket; /* Temp storage for ticket */ KTEXT tkt = &ticket; @@ -178,7 +183,6 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) char realm[REALM_SZ]; /* Realm of issuing kerberos */ Key_schedule seskey_sched; /* Key sched for session key */ - unsigned char skey[KKEY_SZ]; /* Session key from ticket */ char sname[SNAME_SZ]; /* Service name from ticket */ char iname[INST_SZ]; /* Instance name from ticket */ char r_aname[ANAME_SZ]; /* Client name from authenticator */ 
@@ -199,8 +203,6 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) Kerberos used to encrypt ticket */ int ret; int len; - krb5_keyblock keyblock; - int status; tkt->mbz = req_id->mbz = 0; @@ -248,49 +250,6 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) (void)memcpy(realm, ptr, (size_t)len); ptr += len; /* skip the realm "hint" */ - /* - * If "fn" is NULL, key info should already be set; don't - * bother with ticket file. Otherwise, check to see if we - * already have key info for the given server and key version - * (saved in the static st_* variables). If not, go get it - * from the ticket file. If "fn" is the null string, use the - * default ticket file. - */ - if (fn && (strcmp(st_nam,service) || strcmp(st_inst,instance) - || strcmp(st_rlm,realm) || (st_kvno != s_kvno))) { - if (*fn == 0) - fn = KEYFILE; - st_kvno = s_kvno; -#ifndef NOENCRYPTION - if (read_service_key(service,instance,realm, (int)s_kvno, - fn, (char *)skey) == 0) { - if ((status = krb_set_key((char *)skey,0))) - return(status); -#ifdef KRB4_USE_KEYTAB - } else if (krb54_get_service_keyblock(service, instance, - realm, (int)s_kvno, - fn, &keyblock) == 0) { - krb_set_key_krb5(krb5__krb4_context, &keyblock); - krb5_free_keyblock_contents(krb5__krb4_context, &keyblock); -#endif - } else - return RD_AP_UNDEC; -#endif /* !NOENCRYPTION */ - - len = krb4int_strnlen(realm, sizeof(st_rlm)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_rlm, realm, (size_t)len); - len = krb4int_strnlen(service, sizeof(st_nam)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_nam, service, (size_t)len); - len = krb4int_strnlen(instance, sizeof(st_inst)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_inst, instance, (size_t)len); - } - /* Get ticket length */ tkt->length = *ptr++; /* Get authenticator length while we're at it. */ 
@@ -312,10 +271,10 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) /* Decrypt and take apart ticket */ #endif - if (!krb5_key) { + if (k5key == NULL) { if (decomp_ticket(tkt,&ad->k_flags,ad->pname,ad->pinst,ad->prealm, &(ad->address),ad->session, &(ad->life), - &(ad->time_sec),sname,iname,ky,serv_key)) { + &(ad->time_sec),sname,iname,ky,ks)) { #ifdef KRB_CRYPT_DEBUG log("Can't decode ticket"); #endif @@ -325,7 +284,7 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) if (decomp_tkt_krb5(tkt, &ad->k_flags, ad->pname, ad->pinst, ad->prealm, &ad->address, ad->session, &ad->life, &ad->time_sec, sname, iname, - &srv_k5key)) { + k5key)) { return RD_AP_UNDEC; } } 
@@ -471,3 +430,98 @@ cleanup:
 return RD_AP_OK;
 }
+
+int KRB5_CALLCONV
+krb_rd_req_int(authent, service, instance, from_addr, ad, key)
+ KTEXT authent; /* The received message */
+ char *service; /* Service name */
+ char *instance; /* Service instance */
+ KRB_UINT32 from_addr; /* Net address of originating host */
+ AUTH_DAT *ad; /* Structure to be filled in */
+ C_Block key; /* Key to decrypt ticket with */
+{
+ Key_schedule ks;
+ int ret;
+
+ do {
+ ret = des_key_sched(key, ks);
+ if (ret) break;
+ ret = krb_rd_req_with_key(authent, service, instance,
+ from_addr, ad, ks, NULL);
+ } while (0);
+ memset(ks, 0, sizeof(ks));
+ return ret;
+}
+
+int KRB5_CALLCONV
+krb_rd_req(authent, service, instance, from_addr, ad, fn)
+ register KTEXT authent; /* The received message */
+ char *service; /* Service name */
+ char *instance; /* Service instance */
+ unsigned KRB4_32 from_addr; /* Net address of originating host */
+ AUTH_DAT *ad; /* Structure to be filled in */
+ char *fn; /* Filename to get keys from */
+{
+ unsigned char *ptr;
+ unsigned char s_kvno;
+ char realm[REALM_SZ];
+ unsigned char skey[KKEY_SZ];
+ krb5_keyblock keyblock;
+ int len;
+ int status;
+
+#define AUTHENT_REMAIN (authent->length - (ptr - authent->dat))
+ if (authent->length < 3)
+ return RD_AP_MODIFIED;
+ ptr = authent->dat + 2;
+ s_kvno = *ptr++; /* get server key version */
+ len = krb4int_strnlen((char *)ptr, AUTHENT_REMAIN) + 1;
+ if (len <= 0 || len > sizeof(realm))
+ return RD_AP_MODIFIED;
+ (void)memcpy(realm, ptr, (size_t)len);
+#undef AUTHENT_REMAIN
+ /*
+ * If "fn" is NULL, key info should already be set; don't
+ * bother with ticket file. Otherwise, check to see if we
+ * already have key info for the given server and key version
+ * (saved in the static st_* variables). If not, go get it
+ * from the ticket file. If "fn" is the null string, use the
+ * default ticket file.
+ */
+ if (fn && (strcmp(st_nam,service) || strcmp(st_inst,instance)
+ || strcmp(st_rlm,realm) || (st_kvno != s_kvno))) {
+ if (*fn == 0)
+ fn = KEYFILE;
+ st_kvno = s_kvno;
+ if (read_service_key(service,instance,realm, (int)s_kvno,
+ fn, (char *)skey) == 0) {
+ if ((status = krb_set_key((char *)skey,0)))
+ return(status);
+#ifdef KRB4_USE_KEYTAB
+ } else if (krb54_get_service_keyblock(service, instance,
+ realm, (int)s_kvno,
+ fn, &keyblock) == 0) {
+ krb_set_key_krb5(krb5__krb4_context, &keyblock);
+ krb5_free_keyblock_contents(krb5__krb4_context, &keyblock);
+#endif
+ } else
+ return RD_AP_UNDEC;
+
+ len = krb4int_strnlen(realm, sizeof(st_rlm)) + 1;
+ if (len <= 0)
+ return KFAILURE;
+ memcpy(st_rlm, realm, (size_t)len);
+ len = krb4int_strnlen(service, sizeof(st_nam)) + 1;
+ if (len <= 0)
+ return KFAILURE;
+ memcpy(st_nam, service, (size_t)len);
+ len = krb4int_strnlen(instance, sizeof(st_inst)) + 1;
+ if (len <= 0)
+ return KFAILURE;
+ memcpy(st_inst, instance, (size_t)len);
+ }
+ return krb_rd_req_with_key(authent, service, instance,
+ from_addr, ad,
+ krb5_key ? NULL : serv_key,
+ krb5_key ? &srv_k5key : NULL);
+}
diff --git a/src/lib/krb4/tf_util.c b/src/lib/krb4/tf_util.c
index 5ceee51c2..473c597ad 100644
--- a/src/lib/krb4/tf_util.c
+++ b/src/lib/krb4/tf_util.c
@@ -689,8 +689,6 @@ tf_read(s, n)
 return n;
 }
-char *tkt_string();
-
 /*
 * tf_save_cred() appends an incoming ticket to the end of the ticket
 * file. You must call tf_init() before calling tf_save_cred().
diff --git a/src/lib/krb4/tkt_string.c b/src/lib/krb4/tkt_string.c
index 68ef84365..36625fc0b 100644
--- a/src/lib/krb4/tkt_string.c
+++ b/src/lib/krb4/tkt_string.c
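Review bot: In rd_req.c's new krb_rd_req_int, `memset(ks, 0, sizeof(ks));` is the last use of a local immediately before `return ret;`, so an optimizing compiler may drop it as a dead store and leave the DES key schedule on the stack. The wipe should go through something the compiler cannot elide, for example a store loop through a `volatile unsigned char *`, or `explicit_bzero(ks, sizeof(ks));` where the platform provides it. The new krb_rd_req has a related gap: `skey`, which read_service_key fills with the raw service key, is never cleared on any path, including the `return(status);` after a failed krb_set_key. Assuming krb_set_key does not keep the pointer (its body is not in this diff), I would save its result, wipe `skey` with the same non-elidable routine, and only then test `status`.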
@@ -1,14 +1,29 @@ /* * tkt_string.c * - * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute - * of Technology. + * Copyright 1985, 1986, 1987, 1988, 2002 by the Massachusetts + * Institute of Technology. All Rights Reserved. * - * For copying and distribution information, please see the file - * . + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. */ -#include "mit-copyright.h" #include "krb.h" #include #include @@ -44,7 +59,7 @@ uid_t getuid(void) { return 0; } static char krb_ticket_string[MAXPATHLEN]; -char *tkt_string() +const char *tkt_string() { char *env; uid_t getuid();