From 3bee8ea39e56d0ddd369bfb365cca9d51fdcfc37 Mon Sep 17 00:00:00 2001 
From: Greg Hudson Date: Thu, 18 Dec 2008 18:31:16 +0000 Subject: [PATCH] Remove krb524, lib/des425, lib/krb4, and include/kerberosIV. Remove krb4 build system references and conditionals. Move des425 header stuff referenced by des_int.h into des_int.h. Remove krb4 test cases. ticket: 6303 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21544 dc483132-0cff-0310-8789-dd5450dbe970 --- src/Makefile.in | 37 +- src/aclocal.m4 | 56 - src/config/pre.in | 22 - src/configure.in | 63 +- src/include/Makefile.in | 1 - src/include/kerberosIV/Makefile.in | 23 - src/include/kerberosIV/addr_comp.h | 52 - src/include/kerberosIV/admin_server.h | 58 - src/include/kerberosIV/des.h | 237 ---- src/include/kerberosIV/kadm.h | 194 --- src/include/kerberosIV/kdc.h | 55 - src/include/kerberosIV/klog.h | 57 - src/include/kerberosIV/kparse.h | 106 -- src/include/kerberosIV/krb.h | 924 -------------- src/include/kerberosIV/krb_db.h | 119 -- src/include/kerberosIV/krbports.h | 27 - src/include/kerberosIV/lsb_addr_cmp.h | 47 - src/include/kerberosIV/mit-copyright.h | 23 - src/include/kerberosIV/prot.h | 277 ----- src/kadmin/dbutil/Makefile.in | 9 +- src/krb5-config.M | 1 - src/krb5-config.in | 11 - src/krb524/Makefile.in | 175 --- src/krb524/README | 154 --- src/krb524/cnv_tkt_skey.c | 223 ---- src/krb524/k524init.M | 47 - src/krb524/k524init.c | 183 --- src/krb524/krb524.c | 47 - src/krb524/krb524.def | 13 - src/krb524/krb524_prot | 11 - src/krb524/krb524d.M | 74 -- src/krb524/krb524d.c | 637 ---------- src/krb524/krb524d.h | 48 - src/krb524/libinit.c | 27 - src/krb524/test.c | 353 ------ src/lib/Makefile.in | 9 +- src/lib/crypto/Makefile.in | 7 +- src/lib/crypto/des/Makefile.in | 94 +- src/lib/crypto/des/des_int.h | 53 +- src/lib/crypto/enc_provider/Makefile.in | 18 +- src/lib/crypto/keyhash_provider/Makefile.in | 27 +- src/lib/crypto/old/Makefile.in | 8 +- src/lib/des425/ISSUES | 28 - src/lib/des425/Makefile.in | 273 ---- src/lib/des425/cksum.c | 68 - src/lib/des425/des.c | 44 - 
src/lib/des425/enc_dec.c | 47 - src/lib/des425/key_parity.c | 52 - src/lib/des425/key_sched.c | 40 - src/lib/des425/libdes425.exports | 18 - src/lib/des425/mac_des_glue.c | 104 -- src/lib/des425/new_rnd_key.c | 96 -- src/lib/des425/pcbc_encrypt.c | 235 ---- src/lib/des425/quad_cksum.c | 200 --- src/lib/des425/random_key.c | 74 -- src/lib/des425/read_passwd.c | 128 -- src/lib/des425/str_to_key.c | 168 --- src/lib/des425/string2key.c | 174 --- src/lib/des425/t_pcbc.c | 123 -- src/lib/des425/t_quad.c | 101 -- src/lib/des425/unix_time.c | 46 - src/lib/des425/util.c | 33 - src/lib/des425/verify.c | 317 ----- src/lib/des425/weak_key.c | 41 - src/lib/krb4/CCache-glue.c | 741 ----------- src/lib/krb4/FSp-glue.c | 112 -- src/lib/krb4/Makefile.in | 664 ---------- src/lib/krb4/Password.c | 436 ------- src/lib/krb4/RealmsConfig-glue.c | 692 ----------- src/lib/krb4/ad_print.c | 85 -- src/lib/krb4/change_password.c | 127 -- src/lib/krb4/cr_auth_repl.c | 136 -- src/lib/krb4/cr_ciph.c | 136 -- src/lib/krb4/cr_death_pkt.c | 78 -- src/lib/krb4/cr_err_repl.c | 110 -- src/lib/krb4/cr_tkt.c | 254 ---- src/lib/krb4/debug.c | 15 - src/lib/krb4/decomp_tkt.c | 295 ----- src/lib/krb4/dest_tkt.c | 162 --- src/lib/krb4/err_txt.c | 87 -- src/lib/krb4/et_errtxt.awk | 71 -- src/lib/krb4/fgetst.c | 38 - src/lib/krb4/g_ad_tkt.c | 383 ------ src/lib/krb4/g_cnffile.c | 128 -- src/lib/krb4/g_cred.c | 58 - src/lib/krb4/g_in_tkt.c | 555 --------- src/lib/krb4/g_phost.c | 92 -- src/lib/krb4/g_pw_in_tkt.c | 341 ----- src/lib/krb4/g_pw_tkt.c | 68 - src/lib/krb4/g_svc_in_tkt.c | 152 --- src/lib/krb4/g_tf_fname.c | 67 - src/lib/krb4/g_tf_realm.c | 44 - src/lib/krb4/g_tkt_svc.c | 174 --- src/lib/krb4/gethostname.c | 36 - src/lib/krb4/getst.c | 40 - src/lib/krb4/in_tkt.c | 205 --- src/lib/krb4/kadm_err.et | 58 - src/lib/krb4/kadm_net.c | 393 ------ src/lib/krb4/kadm_stream.c | 325 ----- src/lib/krb4/klog.c | 126 -- src/lib/krb4/kname_parse.c | 411 ------ src/lib/krb4/kntoln.c | 62 - src/lib/krb4/krb4int.h | 
129 -- src/lib/krb4/krb_err.et | 776 ------------ src/lib/krb4/kuserok.c | 190 --- src/lib/krb4/libkrb4.exports | 157 --- src/lib/krb4/lifetime.c | 62 - src/lib/krb4/log.c | 151 --- src/lib/krb4/mac_glue.c | 48 - src/lib/krb4/mac_store.c | 731 ----------- src/lib/krb4/mac_store.h | 56 - src/lib/krb4/mac_stubs.c | 525 -------- src/lib/krb4/mac_time.c | 152 --- src/lib/krb4/memcache.c | 891 ------------- src/lib/krb4/memcache.h | 36 - src/lib/krb4/mk_auth.c | 249 ---- src/lib/krb4/mk_err.c | 83 -- src/lib/krb4/mk_preauth.c | 78 -- src/lib/krb4/mk_priv.c | 301 ----- src/lib/krb4/mk_req.c | 285 ----- src/lib/krb4/mk_safe.c | 167 --- src/lib/krb4/month_sname.c | 28 - src/lib/krb4/netread.c | 69 -- src/lib/krb4/netwrite.c | 65 - src/lib/krb4/password_to_key.c | 152 --- src/lib/krb4/pkt_cipher.c | 35 - src/lib/krb4/pkt_clen.c | 47 - src/lib/krb4/prot_client.c | 370 ------ src/lib/krb4/prot_common.c | 136 -- src/lib/krb4/prot_kdc.c | 461 ------- src/lib/krb4/put_svc_key.c | 96 -- src/lib/krb4/rd_err.c | 78 -- src/lib/krb4/rd_preauth.c | 62 - src/lib/krb4/rd_priv.c | 233 ---- src/lib/krb4/rd_req.c | 543 -------- src/lib/krb4/rd_safe.c | 208 ---- src/lib/krb4/rd_svc_key.c | 345 ------ src/lib/krb4/recvauth.c | 308 ----- src/lib/krb4/ren-cyg.sh | 11 - src/lib/krb4/ren-pc.bat | 29 - src/lib/krb4/ren-pc.sh | 7 - src/lib/krb4/ren-pl10.sh | 7 - src/lib/krb4/ren.msg | 117 -- src/lib/krb4/ren2dos.sh | 7 - src/lib/krb4/ren2long.sh | 7 - src/lib/krb4/save_creds.c | 87 -- src/lib/krb4/sed-cyg.sh | 13 - src/lib/krb4/sed-pc.sh | 11 - src/lib/krb4/sed-pl10.sh | 10 - src/lib/krb4/send_to_kdc.c | 206 --- src/lib/krb4/sendauth.c | 282 ----- src/lib/krb4/setenv.c | 164 --- src/lib/krb4/stime.c | 57 - src/lib/krb4/strcasecmp.c | 83 -- src/lib/krb4/strnlen.c | 50 - src/lib/krb4/swab.c | 18 - src/lib/krb4/tf_shm.c | 173 --- src/lib/krb4/tf_util.c | 1103 ----------------- src/lib/krb4/tkt_string.c | 101 -- src/lib/krb4/unix_glue.c | 40 - src/lib/krb4/unix_time.c | 26 - src/lib/krb4/vmslink.com | 
79 -- src/lib/krb4/vmsswab.c | 34 - src/lib/krb4/win_glue.c | 51 - src/lib/krb4/win_store.c | 154 --- src/lib/krb4/win_time.c | 121 -- src/lib/krb5/krb/t_kerb.c | 5 - src/tests/dejagnu/Makefile.in | 2 - src/tests/dejagnu/config/default.exp | 174 +-- src/tests/dejagnu/krb-root/telnet.exp | 2 +- .../dejagnu/krb-standalone/standalone.exp | 41 - src/tests/dejagnu/krb-standalone/v4gssftp.exp | 508 -------- .../dejagnu/krb-standalone/v4krb524d.exp | 168 --- .../dejagnu/krb-standalone/v4standalone.exp | 95 -- src/util/depfix.pl | 4 - src/util/ss/Makefile.in | 2 +- 176 files changed, 139 insertions(+), 27187 deletions(-) delete mode 100644 src/include/kerberosIV/Makefile.in delete mode 100644 src/include/kerberosIV/addr_comp.h delete mode 100644 src/include/kerberosIV/admin_server.h delete mode 100644 src/include/kerberosIV/des.h delete mode 100644 src/include/kerberosIV/kadm.h delete mode 100644 src/include/kerberosIV/kdc.h delete mode 100644 src/include/kerberosIV/klog.h delete mode 100644 src/include/kerberosIV/kparse.h delete mode 100644 src/include/kerberosIV/krb.h delete mode 100644 src/include/kerberosIV/krb_db.h delete mode 100644 src/include/kerberosIV/krbports.h delete mode 100644 src/include/kerberosIV/lsb_addr_cmp.h delete mode 100644 src/include/kerberosIV/mit-copyright.h delete mode 100644 src/include/kerberosIV/prot.h delete mode 100644 src/krb524/Makefile.in delete mode 100644 src/krb524/README delete mode 100644 src/krb524/cnv_tkt_skey.c delete mode 100644 src/krb524/k524init.M delete mode 100644 src/krb524/k524init.c delete mode 100644 src/krb524/krb524.c delete mode 100644 src/krb524/krb524.def delete mode 100644 src/krb524/krb524_prot delete mode 100644 src/krb524/krb524d.M delete mode 100644 src/krb524/krb524d.c delete mode 100644 src/krb524/krb524d.h delete mode 100644 src/krb524/libinit.c delete mode 100644 src/krb524/test.c delete mode 100644 src/lib/des425/ISSUES delete mode 100644 src/lib/des425/Makefile.in delete mode 100644 
src/lib/des425/cksum.c delete mode 100644 src/lib/des425/des.c delete mode 100644 src/lib/des425/enc_dec.c delete mode 100644 src/lib/des425/key_parity.c delete mode 100644 src/lib/des425/key_sched.c delete mode 100644 src/lib/des425/libdes425.exports delete mode 100644 src/lib/des425/mac_des_glue.c delete mode 100644 src/lib/des425/new_rnd_key.c delete mode 100644 src/lib/des425/pcbc_encrypt.c delete mode 100644 src/lib/des425/quad_cksum.c delete mode 100644 src/lib/des425/random_key.c delete mode 100644 src/lib/des425/read_passwd.c delete mode 100644 src/lib/des425/str_to_key.c delete mode 100644 src/lib/des425/string2key.c delete mode 100644 src/lib/des425/t_pcbc.c delete mode 100644 src/lib/des425/t_quad.c delete mode 100644 src/lib/des425/unix_time.c delete mode 100644 src/lib/des425/util.c delete mode 100644 src/lib/des425/verify.c delete mode 100644 src/lib/des425/weak_key.c delete mode 100644 src/lib/krb4/CCache-glue.c delete mode 100644 src/lib/krb4/FSp-glue.c delete mode 100644 src/lib/krb4/Makefile.in delete mode 100644 src/lib/krb4/Password.c delete mode 100644 src/lib/krb4/RealmsConfig-glue.c delete mode 100644 src/lib/krb4/ad_print.c delete mode 100644 src/lib/krb4/change_password.c delete mode 100644 src/lib/krb4/cr_auth_repl.c delete mode 100644 src/lib/krb4/cr_ciph.c delete mode 100644 src/lib/krb4/cr_death_pkt.c delete mode 100644 src/lib/krb4/cr_err_repl.c delete mode 100644 src/lib/krb4/cr_tkt.c delete mode 100644 src/lib/krb4/debug.c delete mode 100644 src/lib/krb4/decomp_tkt.c delete mode 100644 src/lib/krb4/dest_tkt.c delete mode 100644 src/lib/krb4/err_txt.c delete mode 100755 src/lib/krb4/et_errtxt.awk delete mode 100644 src/lib/krb4/fgetst.c delete mode 100644 src/lib/krb4/g_ad_tkt.c delete mode 100644 src/lib/krb4/g_cnffile.c delete mode 100644 src/lib/krb4/g_cred.c delete mode 100644 src/lib/krb4/g_in_tkt.c delete mode 100644 src/lib/krb4/g_phost.c delete mode 100644 src/lib/krb4/g_pw_in_tkt.c delete mode 100644 src/lib/krb4/g_pw_tkt.c 
delete mode 100644 src/lib/krb4/g_svc_in_tkt.c delete mode 100644 src/lib/krb4/g_tf_fname.c delete mode 100644 src/lib/krb4/g_tf_realm.c delete mode 100644 src/lib/krb4/g_tkt_svc.c delete mode 100644 src/lib/krb4/gethostname.c delete mode 100644 src/lib/krb4/getst.c delete mode 100644 src/lib/krb4/in_tkt.c delete mode 100644 src/lib/krb4/kadm_err.et delete mode 100644 src/lib/krb4/kadm_net.c delete mode 100644 src/lib/krb4/kadm_stream.c delete mode 100644 src/lib/krb4/klog.c delete mode 100644 src/lib/krb4/kname_parse.c delete mode 100644 src/lib/krb4/kntoln.c delete mode 100644 src/lib/krb4/krb4int.h delete mode 100644 src/lib/krb4/krb_err.et delete mode 100644 src/lib/krb4/kuserok.c delete mode 100644 src/lib/krb4/libkrb4.exports delete mode 100644 src/lib/krb4/lifetime.c delete mode 100644 src/lib/krb4/log.c delete mode 100644 src/lib/krb4/mac_glue.c delete mode 100644 src/lib/krb4/mac_store.c delete mode 100644 src/lib/krb4/mac_store.h delete mode 100644 src/lib/krb4/mac_stubs.c delete mode 100644 src/lib/krb4/mac_time.c delete mode 100644 src/lib/krb4/memcache.c delete mode 100644 src/lib/krb4/memcache.h delete mode 100644 src/lib/krb4/mk_auth.c delete mode 100644 src/lib/krb4/mk_err.c delete mode 100644 src/lib/krb4/mk_preauth.c delete mode 100644 src/lib/krb4/mk_priv.c delete mode 100644 src/lib/krb4/mk_req.c delete mode 100644 src/lib/krb4/mk_safe.c delete mode 100644 src/lib/krb4/month_sname.c delete mode 100644 src/lib/krb4/netread.c delete mode 100644 src/lib/krb4/netwrite.c delete mode 100644 src/lib/krb4/password_to_key.c delete mode 100644 src/lib/krb4/pkt_cipher.c delete mode 100644 src/lib/krb4/pkt_clen.c delete mode 100644 src/lib/krb4/prot_client.c delete mode 100644 src/lib/krb4/prot_common.c delete mode 100644 src/lib/krb4/prot_kdc.c delete mode 100644 src/lib/krb4/put_svc_key.c delete mode 100644 src/lib/krb4/rd_err.c delete mode 100644 src/lib/krb4/rd_preauth.c delete mode 100644 src/lib/krb4/rd_priv.c delete mode 100644 src/lib/krb4/rd_req.c 
delete mode 100644 src/lib/krb4/rd_safe.c delete mode 100644 src/lib/krb4/rd_svc_key.c delete mode 100644 src/lib/krb4/recvauth.c delete mode 100755 src/lib/krb4/ren-cyg.sh delete mode 100644 src/lib/krb4/ren-pc.bat delete mode 100644 src/lib/krb4/ren-pc.sh delete mode 100644 src/lib/krb4/ren-pl10.sh delete mode 100644 src/lib/krb4/ren.msg delete mode 100644 src/lib/krb4/ren2dos.sh delete mode 100644 src/lib/krb4/ren2long.sh delete mode 100644 src/lib/krb4/save_creds.c delete mode 100755 src/lib/krb4/sed-cyg.sh delete mode 100755 src/lib/krb4/sed-pc.sh delete mode 100755 src/lib/krb4/sed-pl10.sh delete mode 100644 src/lib/krb4/send_to_kdc.c delete mode 100644 src/lib/krb4/sendauth.c delete mode 100644 src/lib/krb4/setenv.c delete mode 100644 src/lib/krb4/stime.c delete mode 100644 src/lib/krb4/strcasecmp.c delete mode 100644 src/lib/krb4/strnlen.c delete mode 100644 src/lib/krb4/swab.c delete mode 100644 src/lib/krb4/tf_shm.c delete mode 100644 src/lib/krb4/tf_util.c delete mode 100644 src/lib/krb4/tkt_string.c delete mode 100644 src/lib/krb4/unix_glue.c delete mode 100644 src/lib/krb4/unix_time.c delete mode 100644 src/lib/krb4/vmslink.com delete mode 100644 src/lib/krb4/vmsswab.c delete mode 100644 src/lib/krb4/win_glue.c delete mode 100644 src/lib/krb4/win_store.c delete mode 100644 src/lib/krb4/win_time.c delete mode 100644 src/tests/dejagnu/krb-standalone/v4gssftp.exp delete mode 100644 src/tests/dejagnu/krb-standalone/v4krb524d.exp delete mode 100644 src/tests/dejagnu/krb-standalone/v4standalone.exp diff --git a/src/Makefile.in b/src/Makefile.in index 0fb2b2d37..a3c346877 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -9,7 +9,7 @@ mydir=. # plugins/preauth/wpse # plugins/preauth/cksum_body # plugins/authdata/greet -SUBDIRS=util include lib @krb524@ kdc kadmin @ldap_plugin_dir@ slave clients \ +SUBDIRS=util include lib kdc kadmin @ldap_plugin_dir@ slave clients \ plugins/kdb/db2 \ plugins/preauth/pkinit \ appl tests \ 
@@ -195,7 +195,6 @@ WINMAKEFILES=Makefile \ clients\kpasswd\Makefile clients\kvno\Makefile \ clients\kcpytkt\Makefile clients\kdeltkt\Makefile \ include\Makefile \ - krb524\Makefile \ lib\Makefile lib\crypto\Makefile \ lib\crypto\crc32\Makefile lib\crypto\des\Makefile \ lib\crypto\dk\Makefile lib\crypto\enc_provider\Makefile \ @@ -205,11 +204,10 @@ WINMAKEFILES=Makefile \ lib\crypto\sha1\Makefile lib\crypto\arcfour\Makefile \ lib\crypto\md4\Makefile lib\crypto\md5\Makefile \ lib\crypto\yarrow\Makefile lib\crypto\aes\Makefile \ - lib\des425\Makefile \ lib\gssapi\Makefile lib\gssapi\generic\Makefile \ lib\gssapi\krb5\Makefile lib\gssapi\mechglue\Makefile \ lib\gssapi\spnego\Makefile \ - lib\krb4\Makefile lib\krb5\Makefile \ + lib\krb5\Makefile \ lib\krb5\asn.1\Makefile lib\krb5\ccache\Makefile \ lib\krb5\ccache\ccapi\Makefile \ lib\krb5\error_tables\Makefile \ @@ -260,8 +258,6 @@ WINMAKEFILES=Makefile \ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##include\Makefile: include\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##krb524\Makefile: krb524\Makefile.in $(MKFDEP) -##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\Makefile: lib\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\Makefile: lib\crypto\Makefile.in $(MKFDEP) @@ -294,8 +290,6 @@ WINMAKEFILES=Makefile \ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\crypto\raw\Makefile: lib\crypto\raw\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##lib\des425\Makefile: lib\des425\Makefile.in $(MKFDEP) -##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\gssapi\Makefile: lib\gssapi\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\gssapi\generic\Makefile: lib\gssapi\generic\Makefile.in $(MKFDEP) 
@@ -306,8 +300,6 @@ WINMAKEFILES=Makefile \ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\gssapi\krb5\Makefile: lib\gssapi\krb5\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##lib\krb4\Makefile: lib\krb4\Makefile.in $(MKFDEP) -##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\krb5\Makefile: lib\krb5\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##lib\krb5\asn.1\Makefile: lib\krb5\asn.1\Makefile.in $(MKFDEP) @@ -395,14 +387,14 @@ FILES= ./* \ clients/* clients/kdestroy/* clients/kinit/* clients/klist/* \ clients/kpasswd/* clients/kcpytkt/* clients/kdeltkt/* \ config/* include/* include/kerberosIV/* \ - include/krb5/* include/krb5/stock/* include/sys/* krb524/* lib/* \ + include/krb5/* include/krb5/stock/* include/sys/* lib/* \ lib/crypto/* lib/crypto/crc32/* lib/crypto/des/* lib/crypto/dk/* \ lib/crypto/enc_provider/* lib/crypto/hash_provider/* \ lib/crypto/keyhash_provider/* lib/crypto/old/* lib/crypto/raw/* \ lib/crypto/sha1/* lib/crypto/arcfour/* lib/crypto/md4/* \ lib/crypto/md5/* lib/crypto/yarrow/* \ - lib/des425/* lib/gssapi/* lib/gssapi/generic/* lib/gssapi/krb5/* \ - lib/gssapi/mechglue/* lib/gssapi/spnego/* lib/krb4/* \ + lib/gssapi/* lib/gssapi/generic/* lib/gssapi/krb5/* \ + lib/gssapi/mechglue/* lib/gssapi/spnego/* \ lib/krb5/* lib/krb5/asn.1/* lib/krb5/krb/* \ lib/krb5/ccache/* lib/krb5/ccache/ccapi/* \ lib/krb5/error_tables/* \ @@ -442,12 +434,9 @@ ETOUT = \ $(INC)krb5_err.h $(ET)krb5_err.c \ $(INC)kv5m_err.h $(ET)kv5m_err.c \ $(INC)krb524_err.h $(ET)krb524_err.c \ - $(INC)/kerberosIV/kadm_err.h lib/krb4/kadm_err.c \ - $(INC)/kerberosIV/krb_err.h lib/krb4/krb_err.c \ $(PR)prof_err.h $(PR)prof_err.c \ $(GG)gssapi_err_generic.h $(GG)gssapi_err_generic.c \ - $(GK)gssapi_err_krb5.h $(GK)gssapi_err_krb5.c \ - lib/krb4/krb_err_txt.c + $(GK)gssapi_err_krb5.h $(GK)gssapi_err_krb5.c HOUT = $(INC)krb5\krb5.h $(GG)gssapi.h $(PR)profile.h 
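Review bot: The unchanged context line `config/* include/* include/kerberosIV/* \` in the `FILES=` hunk (`@@ -395,14 +387,14 @@`) still lists `include/kerberosIV/*`, a directory this commit deletes. The same hunk drops the neighbouring `krb524/*`, `lib/des425/*` and `lib/krb4/*` entries, so this one looks like an oversight. I would change the line to `config/* include/* \` so the list matches the tree. The rule that consumes `FILES` is not visible here, so I cannot tell whether the stale glob is merely ignored or makes that step fail. The assignment starts and ends outside the hunk, so the rest of the list is worth checking for further krb4 leftovers.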
@@ -502,10 +491,6 @@ $(INC)kv5m_err.h: $(AH) $(ET)kv5m_err.et $(AWK) -f $(AH) outfile=$@ $(ET)kv5m_err.et $(INC)krb524_err.h: $(AH) $(ET)krb524_err.et $(AWK) -f $(AH) outfile=$@ $(ET)krb524_err.et -$(INC)/kerberosIV/kadm_err.h: $(AH) lib/krb4/kadm_err.et - $(AWK) -f $(AH) outfile=$@ lib/krb4/kadm_err.et -$(INC)/kerberosIV/krb_err.h: $(AH) lib/krb4/krb_err.et - $(AWK) -f $(AH) outfile=$@ lib/krb4/krb_err.et $(PR)prof_err.h: $(AH) $(PR)prof_err.et $(AWK) -f $(AH) outfile=$@ $(PR)prof_err.et $(GG)gssapi_err_generic.h: $(AH) $(GG)gssapi_err_generic.et @@ -527,10 +512,6 @@ $(ET)kv5m_err.c: $(AC) $(ET)kv5m_err.et $(AWK) -f $(AC) outfile=$@ $(ET)kv5m_err.et $(ET)krb524_err.c: $(AC) $(ET)krb524_err.et $(AWK) -f $(AC) outfile=$@ $(ET)krb524_err.et -lib/krb4/kadm_err.c: $(AC) lib/krb4/kadm_err.et - $(AWK) -f $(AC) outfile=$@ lib/krb4/kadm_err.et -lib/krb4/krb_err.c: $(AC) lib/krb4/krb_err.et - $(AWK) -f $(AC) outfile=$@ lib/krb4/krb_err.et $(PR)prof_err.c: $(AC) $(PR)prof_err.et $(AWK) -f $(AC) outfile=$@ $(PR)prof_err.et $(GG)gssapi_err_generic.c: $(AC) $(GG)gssapi_err_generic.et @@ -542,10 +523,6 @@ $(CE)test1.c: $(AC) $(CE)test1.et $(CE)test2.c: $(AC) $(CE)test2.et $(AWK) -f $(AC) outfile=$@ $(CE)test2.et -lib/krb4/krb_err_txt.c: lib/krb4/krb_err.et - $(AWK) -f lib/krb4/et_errtxt.awk outfile=$@ \ - lib/krb4/krb_err.et - KRBHDEP = $(INC)krb5\krb5.hin $(INC)krb5_err.h $(INC)kdb5_err.h \ $(INC)kv5m_err.h $(INC)krb524_err.h $(INC)asn1_err.h @@ -616,8 +593,6 @@ install-windows:: $(CP) clients\kcpytkt\$(OUTPRE)kcpytkt.exe "$(KRB_INSTALL_DIR)\bin\." $(CP) clients\kdeltkt\$(OUTPRE)kdeltkt.exe "$(KRB_INSTALL_DIR)\bin\." $(CP) clients\kpasswd\$(OUTPRE)kpasswd.exe "$(KRB_INSTALL_DIR)\bin\." - @if exist "$(KRB_INSTALL_DIR)\bin\krb4_32.dll" del "$(KRB_INSTALL_DIR)\bin\krb4_32.dll" - @if exist "$(KRB_INSTALL_DIR)\lib\krb4_32.lib" del "$(KRB_INSTALL_DIR)\lib\krb4_32.lib" install-unix:: $(INSTALL_SCRIPT) krb5-config \ 
diff --git a/src/aclocal.m4 b/src/aclocal.m4 index d7fb2cc85..a42a5fefa 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -74,7 +74,6 @@ AC_REQUIRE_CPP if test -z "$LD" ; then LD=$CC; fi AC_ARG_VAR(LD,[linker command [CC]]) AC_SUBST(LDFLAGS) dnl -WITH_KRB4 dnl KRB5_AC_CHOOSE_ET dnl KRB5_AC_CHOOSE_SS dnl KRB5_AC_CHOOSE_DB dnl 
@@ -502,61 +501,6 @@ changequote([, ])dnl AC_DEFINE_UNQUOTED($ac_tr_file) $2], $3)dnl done ]) -dnl -dnl set $(KRB4) from --with-krb4=value -- WITH_KRB4 -dnl -AC_DEFUN(WITH_KRB4,[ -AC_ARG_WITH([krb4], -[ --without-krb4 omit Kerberos V4 backwards compatibility (default) - --with-krb4 use V4 libraries included with V5 - --with-krb4=KRB4DIR use preinstalled V4 libraries], -, -withval=no -)dnl -if test $withval = no; then - AC_MSG_NOTICE(no krb4 support) - KRB4_LIB= - KRB4_DEPLIB= - KRB4_INCLUDES= - KRB4_LIBPATH= - KRB_ERR_H_DEP= - krb5_cv_build_krb4_libs=no - krb5_cv_krb4_libdir= -else - AC_DEFINE([KRB5_KRB4_COMPAT], 1, [Define this if building with krb4 compat]) - if test $withval = yes; then - AC_MSG_NOTICE(enabling built in krb4 support) - KRB4_DEPLIB='$(TOPLIBD)/libkrb4$(DEPLIBEXT)' - KRB4_LIB=-lkrb4 - KRB4_INCLUDES='-I$(SRCTOP)/include/kerberosIV -I$(BUILDTOP)/include/kerberosIV' - KRB4_LIBPATH= - KRB_ERR_H_DEP='$(BUILDTOP)/include/kerberosIV/krb_err.h' - krb5_cv_build_krb4_libs=yes - krb5_cv_krb4_libdir= - else - AC_MSG_NOTICE(using preinstalled krb4 in $withval) - KRB4_LIB="-lkrb" -dnl DEPKRB4_LIB="$withval/lib/libkrb.a" - KRB4_INCLUDES="-I$withval/include" - KRB4_LIBPATH="-L$withval/lib" - KRB_ERR_H_DEP= - krb5_cv_build_krb4_libs=no - krb5_cv_krb4_libdir="$withval/lib" - fi -fi -AC_SUBST(KRB4_INCLUDES) -AC_SUBST(KRB4_LIBPATH) -AC_SUBST(KRB4_LIB) -AC_SUBST(KRB4_DEPLIB) -AC_SUBST(KRB_ERR_H_DEP) -dnl We always compile the des425 library -DES425_DEPLIB='$(TOPLIBD)/libdes425$(DEPLIBEXT)' -DES425_LIB=-ldes425 -AC_SUBST(DES425_DEPLIB) -AC_SUBST(DES425_LIB) -])dnl -dnl -dnl AC_DEFUN(KRB5_AC_CHECK_FOR_CFLAGS,[ AC_BEFORE([$0],[AC_PROG_CC]) AC_BEFORE([$0],[AC_PROG_CXX]) diff --git a/src/config/pre.in b/src/config/pre.in index b5691e13d..72494fe23 100644 --- a/src/config/pre.in +++ b/src/config/pre.in 
@@ -327,8 +327,6 @@ KADMSRV_DEPLIB = $(TOPLIBD)/libkadm5srv$(DEPLIBEXT) KDB5_DEPLIB = $(TOPLIBD)/libkdb5$(DEPLIBEXT) GSSRPC_DEPLIB = $(TOPLIBD)/libgssrpc$(DEPLIBEXT) GSS_DEPLIB = $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT) -KRB4_DEPLIB = @KRB4_DEPLIB@ # $(TOPLIBD)/libkrb4$(DEPLIBEXT) -DES425_DEPLIB = @DES425_DEPLIB@ # $(TOPLIBD)/libdes425$(DEPLIBEXT) KRB5_DEPLIB = $(TOPLIBD)/libkrb5$(DEPLIBEXT) CRYPTO_DEPLIB = $(TOPLIBD)/libk5crypto$(DEPLIBEXT) COM_ERR_DEPLIB = $(COM_ERR_DEPLIB-@COM_ERR_VERSION@) @@ -346,7 +344,6 @@ PTY_DEPLIB = $(TOPLIBD)/libpty.a APPUTILS_DEPLIB = $(TOPLIBD)/libapputils.a KRB5_BASE_DEPLIBS = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB) -KRB4COMPAT_DEPLIBS = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS) KDB5_DEPLIBS = $(KDB5_DEPLIB) GSS_DEPLIBS = $(GSS_DEPLIB) GSSRPC_DEPLIBS = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS) @@ -367,11 +364,6 @@ SS_DEPS = $(SS_DEPS-@SS_VERSION@) SS_DEPS-sys = SS_DEPS-k5 = $(BUILDTOP)/include/ss/ss.h $(BUILDTOP)/include/ss/ss_err.h -# Header file dependencies that might depend on whether krb4 support -# is compiled. - -KRB_ERR_H_DEP = @KRB_ERR_H_DEP@ - # LIBS gets substituted in... e.g. -lnsl -lsocket # GEN_LIB is -lgen if needed for regexp @@ -390,19 +382,10 @@ COM_ERR_LIB = -lcom_err GSS_KRB5_LIB = -lgssapi_krb5 SUPPORT_LIB = -l$(SUPPORT_LIBNAME) -# KRB4_LIB is -lkrb4 if building --with-krb4 -# needs fixing if ever used on Mac OS X! -KRB4_LIB = @KRB4_LIB@ - -# DES425_LIB is -ldes425 if building --with-krb4 -# needs fixing if ever used on Mac OS X! -DES425_LIB = @DES425_LIB@ - # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) -KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! 
@@ -422,11 +405,6 @@ UTIL_LIB = @UTIL_LIB@ # eventually) but which we don't want to install. APPUTILS_LIB = -lapputils -# -# some more stuff for --with-krb4 -KRB4_LIBPATH = @KRB4_LIBPATH@ -KRB4_INCLUDES = @KRB4_INCLUDES@ - # # variables for --with-tcl= TCL_LIBS = @TCL_LIBS@ diff --git a/src/configure.in b/src/configure.in index 4d2b5b3bb..ef9cd7ce4 100644 --- a/src/configure.in +++ b/src/configure.in @@ -55,20 +55,6 @@ AC_KRB5_TCL AC_ARG_ENABLE([athena], [ --enable-athena build with MIT Project Athena configuration],,) dnl -if test -z "$KRB4_LIB"; then -kadminv4="" -krb524="" -libkrb4="" -KRB4="" -else -kadminv4=kadmin.v4 -krb524=krb524 -libkrb4=lib/krb4 -KRB4=krb4 -fi -AC_SUBST(KRB4) -AC_SUBST(krb524) -dnl dnl Begin autoconf tests for the Makefiles generated out of the top-level dnl configure.in... dnl @@ -168,7 +154,6 @@ fi AC_SUBST(FAKEKA) KRB5_RUN_FLAGS dnl -dnl for krb524 AC_TYPE_SIGNAL dnl dnl from old include/configure.in @@ -586,15 +571,6 @@ AC_ARG_ENABLE([athena], [ --enable-athena build with MIT Project Athena configuration], AC_DEFINE(KRB5_ATHENA_COMPAT,1,[Define if MIT Project Athena default configuration should be used]),) -if test "$KRB4_LIB" = ''; then - AC_MSG_NOTICE(No Kerberos 4 compatibility) - maybe_kerberosIV= -else - AC_MSG_NOTICE(Kerberos 4 compatibility enabled) - maybe_kerberosIV=kerberosIV - AC_DEFINE(KRB5_KRB4_COMPAT,1,[Define if Kerberos V4 backwards compatibility should be supported]) -fi -AC_SUBST(maybe_kerberosIV) dnl AC_C_INLINE AH_TOP([ @@ -700,11 +676,6 @@ if test "$have_PERL" = perl -a "$have_RUNTEST" = runtest -a "$TCL_LIBS" != ""; t fi AC_SUBST(DO_TEST) dnl -DO_V4_TEST= -if test "$have_PERL" = perl -a "$have_RUNTEST" = runtest -a "$TCL_LIBS" != "" -a "$ath_compat" != ""; then - DO_V4_TEST=ok -fi -AC_SUBST(DO_V4_TEST) dnl The following are substituted into kadmin/testing/scripts/env-setup.sh RBUILD=`pwd` AC_SUBST(RBUILD) 
@@ -726,25 +697,6 @@ dnl for lib/kadm5 AC_CHECK_PROG(RUNTEST,runtest,runtest) AC_CHECK_PROG(PERL,perl,perl) dnl -dnl -dnl for lib/krb4 -case $krb5_cv_host in - *-apple-darwin*) - KRB_ERR_TXT= - KRB_ERR= - KRB_ERR_C=krb_err.c - ;; - *) - KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)' - KRB_ERR_TXT=krb_err_txt.c - KRB_ERR_C= - ;; -esac -AC_SUBST([KRB_ERR_TXT]) -AC_SUBST([KRB_ERR]) -AC_SUBST([KRB_ERR_C]) -dnl -dnl dnl lib/gssapi AC_CHECK_HEADER(stdint.h,[ include_stdint='awk '\''END{printf("%cinclude \n", 35);}'\'' < /dev/null'], @@ -970,13 +922,6 @@ else HAVE_RUNTEST=no fi AC_SUBST(HAVE_RUNTEST) -if test "$KRB4_LIB" = ''; then - KRB4_DEJAGNU_TEST="KRBIV=0" -else - AC_MSG_RESULT(Kerberos 4 testing enabled) - KRB4_DEJAGNU_TEST="KRBIV=1" -fi -AC_SUBST(KRB4_DEJAGNU_TEST) dnl for plugins/kdb/db2 dnl @@ -1052,9 +997,6 @@ fi if test "$SS_VERSION" = k5 ; then K5_GEN_MAKEFILE(util/ss) fi -if test -n "$KRB4_LIB"; then - K5_GEN_MAKEFILE(lib/krb4) -fi dnl dnl ldap_plugin_dir="" @@ -1109,7 +1051,7 @@ V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr - lib lib/des425 lib/kdb + lib lib/kdb lib/crypto lib/crypto/crc32 lib/crypto/des lib/crypto/dk lib/crypto/enc_provider lib/crypto/hash_provider @@ -1129,8 +1071,7 @@ V5_AC_OUTPUT_MAKEFILE(. lib/apputils - kdc slave krb524 config-files gen-manpages include - include/kerberosIV + kdc slave config-files gen-manpages include plugins/locate/python plugins/kdb/db2 diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 61798d008..caba002f3 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -1,7 +1,6 @@ thisconfigdir=.. myfulldir=include mydir=include -SUBDIRS=@maybe_kerberosIV@ BUILDTOP=$(REL).. KRB5RCTMPDIR= @KRB5_RCTMPDIR@ ##DOSBUILDTOP = .. diff --git a/src/include/kerberosIV/Makefile.in b/src/include/kerberosIV/Makefile.in deleted file mode 100644 index a82f5e6cb..000000000 --- a/src/include/kerberosIV/Makefile.in +++ /dev/null 
@@ -1,23 +0,0 @@
-thisconfigdir=./../..
-myfulldir=include/kerberosIV
-mydir=include/kerberosIV
-BUILDTOP=$(REL)..$(S)..
-KRB4_HEADERS=krb.h des.h mit-copyright.h
-
-all-unix:: krb_err.h kadm_err.h
-
-krb_err.h: $(SRCTOP)/lib/krb4/krb_err.et
-kadm_err.h: $(SRCTOP)/lib/krb4/kadm_err.et
-krb_err.h kadm_err.h: rebuild-k4-error-tables; : $@
-rebuild-k4-error-tables:
- (cd $(BUILDTOP)/lib/krb4 && $(MAKE) includes)
-
-clean-unix::
- $(RM) krb_err.h kadm_err.h
-
-install-headers-unix install:: krb_err.h kadm_err.h
- @set -x; for f in $(KRB4_HEADERS) ; \
- do $(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(KRB5_INCDIR)/kerberosIV/$$f ; \
- done
- $(INSTALL_DATA) krb_err.h $(DESTDIR)$(KRB5_INCDIR)$(S)kerberosIV$(S)krb_err.h
- $(INSTALL_DATA) kadm_err.h $(DESTDIR)$(KRB5_INCDIR)$(S)kerberosIV$(S)kadm_err.h
diff --git a/src/include/kerberosIV/addr_comp.h b/src/include/kerberosIV/addr_comp.h
deleted file mode 100644
index ccf3a8d05..000000000
--- a/src/include/kerberosIV/addr_comp.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * include/kerberosIV/addr_comp.h
- *
- * Copyright 1987-1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Include file for address comparison macros.
- */
-
-#ifndef ADDR_COMP_DEFS
-#define ADDR_COMP_DEFS
-
-/*
-** Look boys and girls, a big kludge
-** We need to compare the two internet addresses in network byte order, not
-** local byte order. This is a *really really slow way of doing that*
-** But.....
-** .....it works
-** so we run with it
-**
-** long_less_than gets fed two (u_char *)'s....
-*/
-
-#define u_char_comp(x,y) \
- (((x)>(y))?(1):(((x)==(y))?(0):(-1)))
-
-#define long_less_than(x,y) \
- (u_char_comp((x)[0],(y)[0])?u_char_comp((x)[0],(y)[0]): \
- (u_char_comp((x)[1],(y)[1])?u_char_comp((x)[1],(y)[1]): \
- (u_char_comp((x)[2],(y)[2])?u_char_comp((x)[2],(y)[2]): \
- (u_char_comp((x)[3],(y)[3])))))
-
-#endif /* ADDR_COMP_DEFS */
diff --git a/src/include/kerberosIV/admin_server.h b/src/include/kerberosIV/admin_server.h
deleted file mode 100644
index 3da415518..000000000
--- a/src/include/kerberosIV/admin_server.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * include/kerberosIV/admin_server.h
- *
- * Copyright 1987-1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#ifndef ADMIN_SERVER_DEFS
-#define ADMIN_SERVER_DEFS
-
-#define PW_SRV_VERSION 2 /* version number */
-
-#define INSTALL_NEW_PW (1<<0) /*
- * ver, cmd, name, password,
- * old_pass, crypt_pass, uid
- */
-
-#define ADMIN_NEW_PW (2<<1) /*
- * ver, cmd, name, passwd,
- * old_pass
- * (grot), crypt_pass (grot)
- */
-
-#define ADMIN_SET_KDC_PASSWORD (3<<1) /* ditto */
-#define ADMIN_ADD_NEW_KEY (4<<1) /* ditto */
-#define ADMIN_ADD_NEW_KEY_ATTR (5<<1) /*
- * ver, cmd, name, passwd,
- * inst, attr (grot)
- */
-#define INSTALL_REPLY (1<<1) /* ver, cmd, name, password */
-#define RETRY_LIMIT 1
-#define TIME_OUT 30
-#define USER_TIMEOUT 90
-#define MAX_KPW_LEN 40
-
-#define KADM "changepw" /* service name */
-
-#endif /* ADMIN_SERVER_DEFS */
diff --git a/src/include/kerberosIV/des.h b/src/include/kerberosIV/des.h
deleted file mode 100644
index 9f9d3a85e..000000000
--- a/src/include/kerberosIV/des.h
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- * include/kerberosIV/des.h
- *
- * Copyright 1987, 1988, 1994, 2002 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Include file for the Data Encryption Standard library.
- */
-
-#if defined(__MACH__) && defined(__APPLE__)
-#include
-#include
-#if TARGET_RT_MAC_CFM
-#error "Use KfM 4.0 SDK headers for CFM compilation."
-#endif
-#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS)
-#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5
-#endif
-#endif /* defined(__MACH__) && defined(__APPLE__) */
-
-/* Macro to add deprecated attribute to DES types and functions */
-/* Currently only defined on Mac OS X 10.5 and later. */
-#ifndef KRB5INT_DES_DEPRECATED
-#define KRB5INT_DES_DEPRECATED
-#endif
-
-#ifdef __cplusplus
-#ifndef KRBINT_BEGIN_DECLS
-#define KRBINT_BEGIN_DECLS extern "C" {
-#define KRBINT_END_DECLS }
-#endif
-#else
-#define KRBINT_BEGIN_DECLS
-#define KRBINT_END_DECLS
-#endif
-
-#ifndef KRB5INT_DES_TYPES_DEFINED
-#define KRB5INT_DES_TYPES_DEFINED
-
-#include
-
-KRBINT_BEGIN_DECLS
-
-#if TARGET_OS_MAC
-# pragma pack(push,2)
-#endif
-
-#if UINT_MAX >= 0xFFFFFFFFUL
-#define DES_INT32 int
-#define DES_UINT32 unsigned int
-#else
-#define DES_INT32 long
-#define DES_UINT32 unsigned long
-#endif
-
-typedef unsigned char des_cblock[8] /* crypto-block size */
-KRB5INT_DES_DEPRECATED;
-
-/*
- * Key schedule.
- *
- * This used to be
- *
- * typedef struct des_ks_struct {
- * union { DES_INT32 pad; des_cblock _;} __;
- * } des_key_schedule[16];
- *
- * but it would cause trouble if DES_INT32 were ever more than 4
- * bytes. The reason is that all the encryption functions cast it to
- * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If
- * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the
- * caller-allocated des_key_schedule will be overflowed by the key
- * scheduling functions. We can't assume that every platform will
- * have an exact 32-bit int, and nothing should be looking inside a
- * des_key_schedule anyway.
- */
-typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]
-KRB5INT_DES_DEPRECATED;
-
-#if TARGET_OS_MAC
-# pragma pack(pop)
-#endif
-
-KRBINT_END_DECLS
-
-#endif /* KRB5INT_DES_TYPES_DEFINED */
-
-/* only do the whole thing once */
-#ifndef DES_DEFS
-/*
- * lib/crypto/des/des_int.h defines KRB5INT_CRYPTO_DES_INT temporarily
- * to avoid including the defintions and declarations below. The
- * reason that the crypto library needs to include this file is that
- * it needs to have its types aligned with krb4's types.
- */
-#ifndef KRB5INT_CRYPTO_DES_INT
-#define DES_DEFS
-
-#if defined(_WIN32)
-#ifndef KRB4
-#define KRB4 1
-#endif
-#include
-#endif
-#include /* need FILE for des_cblock_print_file */
-
-KRBINT_BEGIN_DECLS
-
-#if TARGET_OS_MAC
-# pragma pack(push,2)
-#endif
-
-/* Windows declarations */
-#ifndef KRB5_CALLCONV
-#define KRB5_CALLCONV
-#define KRB5_CALLCONV_C
-#endif
-
-#define DES_KEY_SZ (sizeof(des_cblock))
-#define DES_ENCRYPT 1
-#define DES_DECRYPT 0
-
-#ifndef NCOMPAT
-#define C_Block des_cblock
-#define Key_schedule des_key_schedule
-#define ENCRYPT DES_ENCRYPT
-#define DECRYPT DES_DECRYPT
-#define KEY_SZ DES_KEY_SZ
-#define string_to_key des_string_to_key
-#define read_pw_string des_read_pw_string
-#define random_key des_random_key
-#define pcbc_encrypt des_pcbc_encrypt
-#define key_sched des_key_sched
-#define cbc_encrypt des_cbc_encrypt
-#define cbc_cksum des_cbc_cksum
-#define C_Block_print des_cblock_print
-#define quad_cksum des_quad_cksum
-typedef struct des_ks_struct bit_64;
-#endif
-
-#define des_cblock_print(x) des_cblock_print_file(x, stdout)
-
-/*
- * Function Prototypes
- */
-
-int KRB5_CALLCONV des_key_sched (C_Block, Key_schedule)
-KRB5INT_DES_DEPRECATED;
-
-int KRB5_CALLCONV
-des_pcbc_encrypt (C_Block *in, C_Block *out, long length,
- const des_key_schedule schedule, C_Block *ivec,
- int enc)
-KRB5INT_DES_DEPRECATED;
-
-unsigned long KRB5_CALLCONV
-des_quad_cksum (const unsigned char *in, unsigned DES_INT32 *out,
- long length, int out_count, C_Block *seed)
-KRB5INT_DES_DEPRECATED;
-
-/*
- * XXX ABI change: used to return void; also, cns/kfm have signed long
- * instead of unsigned long length.
- */
-unsigned long KRB5_CALLCONV
-des_cbc_cksum(const des_cblock *, des_cblock *, unsigned long,
- const des_key_schedule, const des_cblock *)
-KRB5INT_DES_DEPRECATED;
-
-int KRB5_CALLCONV des_string_to_key (const char *, C_Block)
-KRB5INT_DES_DEPRECATED;
-
-void afs_string_to_key(char *, char *, des_cblock)
-KRB5INT_DES_DEPRECATED;
-
-/* XXX ABI change: used to return krb5_error_code */
-int KRB5_CALLCONV des_read_password(des_cblock *, char *, int)
-KRB5INT_DES_DEPRECATED;
-
-int KRB5_CALLCONV des_ecb_encrypt(des_cblock *, des_cblock *,
- const des_key_schedule, int)
-KRB5INT_DES_DEPRECATED;
-
-/* XXX kfm/cns have signed long length */
-int des_cbc_encrypt(des_cblock *, des_cblock *, unsigned long,
- const des_key_schedule, const des_cblock *, int)
-KRB5INT_DES_DEPRECATED;
-
-void des_fixup_key_parity(des_cblock)
-KRB5INT_DES_DEPRECATED;
-
-int des_check_key_parity(des_cblock)
-KRB5INT_DES_DEPRECATED;
-
-int KRB5_CALLCONV des_new_random_key(des_cblock)
-KRB5INT_DES_DEPRECATED;
-
-void des_init_random_number_generator(des_cblock)
-KRB5INT_DES_DEPRECATED;
-
-int des_random_key(des_cblock *)
-KRB5INT_DES_DEPRECATED;
-
-int des_is_weak_key(des_cblock)
-KRB5INT_DES_DEPRECATED;
-
-void des_cblock_print_file(des_cblock *, FILE *fp)
-KRB5INT_DES_DEPRECATED;
-
-
-#if TARGET_OS_MAC
-# pragma pack(pop)
-#endif
-
-KRBINT_END_DECLS
-
-#endif /* KRB5INT_CRYPTO_DES_INT */
-#endif /* DES_DEFS */
diff --git a/src/include/kerberosIV/kadm.h b/src/include/kerberosIV/kadm.h
deleted file mode 100644
index 21bc60e5a..000000000
--- a/src/include/kerberosIV/kadm.h
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * include/kerberosIV/kadm.h
- *
- * Copyright 1988, 1994, 2002 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Definitions for Kerberos administration server & client. These
- * should be considered private; among other reasons, it leaks all
- * over the namespace.
- */
-
-#ifndef KADM_DEFS
-#define KADM_DEFS
-
-/*
- * kadm.h
- * Header file for the fourth attempt at an admin server
- * Doug Church, December 28, 1989, MIT Project Athena
- */
-
-#include
-#include "port-sockets.h"
-#include
-#include
-
-/* for those broken Unixes without this defined... should be in sys/param.h */
-#ifndef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN 64
-#endif
-
-/* The global structures for the client and server */
-typedef struct {
- struct sockaddr_in admin_addr;
- struct sockaddr_in my_addr;
- int my_addr_len;
- int admin_fd; /* file descriptor for link to admin server */
- char sname[ANAME_SZ]; /* the service name */
- char sinst[INST_SZ]; /* the services instance */
- char krbrlm[REALM_SZ];
- /* KfM additions... */
- int default_port;
- CREDENTIALS creds; /* The client's credentials (from krb_get_pw_in_tkt_creds)*/
-} Kadm_Client;
-
-typedef struct { /* status of the server, i.e the parameters */
- int inter; /* Space for command line flags */
- char *sysfile; /* filename of server */
-} admin_params; /* Well... it's the admin's parameters */
-
-/* Largest password length to be supported */
-#define MAX_KPW_LEN 128
-
-/* Largest packet the admin server will ever allow itself to return */
-#define KADM_RET_MAX 2048
-
-/* That's right, versions are 8 byte strings */
-#define KADM_VERSTR "KADM0.0A"
-#define KADM_ULOSE "KYOULOSE" /* sent back when server can't
- decrypt client's msg */
-#define KADM_VERSIZE strlen(KADM_VERSTR)
-
-/* the lookups for the server instances */
-#define PWSERV_NAME "changepw"
-#define KADM_SNAME "kerberos_master"
-#define KADM_SINST "kerberos"
-
-/* Attributes fields constants and macros */
-#define ALLOC 2
-#define RESERVED 3
-#define DEALLOC 4
-#define DEACTIVATED 5
-#define ACTIVE 6
-
-/* Kadm_vals structure for passing db fields into the server routines */
-#define FLDSZ 4
-
-typedef struct {
- u_char fields[FLDSZ]; /* The active fields in this struct */
- char name[ANAME_SZ];
- char instance[INST_SZ];
- KRB_UINT32 key_low;
- KRB_UINT32 key_high;
- KRB_UINT32 exp_date;
- unsigned short attributes;
- unsigned char max_life;
-} Kadm_vals; /* The basic values structure in Kadm */
-
-/* Kadm_vals structure for passing db fields into the server routines */
-#define FLDSZ 4
-
-/* Need to define fields types here */
-#define KADM_NAME 31
-#define KADM_INST 30
-#define KADM_EXPDATE 29
-#define KADM_ATTR 28
-#define KADM_MAXLIFE 27
-#define KADM_DESKEY 26
-
-/* To set a field entry f in a fields structure d */
-#define SET_FIELD(f,d) (d[3-(f/8)]|=(1<<(f%8)))
-
-/* To set a field entry f in a fields structure d */
-#define CLEAR_FIELD(f,d) (d[3-(f/8)]&=(~(1<<(f%8))))
-
-/* Is field f in fields structure d */
-#define IS_FIELD(f,d) (d[3-(f/8)]&(1<<(f%8)))
-
-/* Various return codes */
-#define KADM_SUCCESS 0
-
-#define WILDCARD_STR "*"
-
-enum acl_types {
-ADDACL,
-GETACL,
-MODACL,
-STABACL,
-DELACL
-};
-
-/* Various opcodes for the admin server's functions */
-#define CHANGE_PW 2
-#define ADD_ENT 3
-#define MOD_ENT 4
-#define GET_ENT 5
-#define CHECK_PW 6
-#define CHG_STAB 7
-/* Cygnus principal-deletion support */
-#define KADM_CYGNUS_EXT_BASE 64
-#define DEL_ENT (KADM_CYGNUS_EXT_BASE+1)
-
-#ifdef POSIX
-typedef void sigtype;
-#else
-typedef int sigtype;
-#endif
-
-/* Avoid stomping on namespace... */
-
-#define vals_to_stream kadm_vals_to_stream
-#define build_field_header kadm_build_field_header
-#define vts_string kadm_vts_string
-#define vts_short kadm_vts_short
-#define vts_long kadm_vts_long
-#define vts_char kadm_vts_char
-
-#define stream_to_vals kadm_stream_to_vals
-#define check_field_header kadm_check_field_header
-#define stv_string kadm_stv_string
-#define stv_short kadm_stv_short
-#define stv_long kadm_stv_long
-#define stv_char kadm_stv_char
-
-int vals_to_stream(Kadm_vals *, u_char **);
-int build_field_header(u_char *, u_char **);
-int vts_string(char *, u_char **, int);
-int vts_short(KRB_UINT32, u_char **, int);
-int vts_long(KRB_UINT32, u_char **, int);
-int vts_char(KRB_UINT32, u_char **, int);
-
-int stream_to_vals(u_char *, Kadm_vals *, int);
-int check_field_header(u_char *, u_char *, int);
-int stv_string(u_char *, char *, int, int, int);
-int stv_short(u_char *, u_short *, int, int);
-int stv_long(u_char *, KRB_UINT32 *, int, int);
-int stv_char(u_char *, u_char *, int, int);
-
-int kadm_init_link(char *, char *, char *, Kadm_Client *, int);
-int kadm_cli_send(Kadm_Client *, u_char *, size_t, u_char **, size_t *);
-int kadm_cli_conn(Kadm_Client *);
-void kadm_cli_disconn(Kadm_Client *);
-int kadm_cli_out(Kadm_Client *, u_char *, int, u_char **, size_t *);
-int kadm_cli_keyd(Kadm_Client *, des_cblock, des_key_schedule);
-
-#endif /* KADM_DEFS */
diff --git a/src/include/kerberosIV/kdc.h b/src/include/kerberosIV/kdc.h
deleted file mode 100644
index 095420c28..000000000
--- a/src/include/kerberosIV/kdc.h
+++ /dev/null
@@ -1,55 +0,0 @@ -/* - * include/kerberosIV/kdc.h - * - * Copyright 1987, 1988, 1994 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Include file for the Kerberos Key Distribution Center. - */ - -#ifndef KDC_DEFS -#define KDC_DEFS - -#define S_AD_SZ sizeof(struct sockaddr_in) - -#ifdef notdef -#define max(a,b) (a>b ? 
a : b) -#define min(a,b) (a='0') && (CH<='7') ) -#define ISQUOTE(CH) ( (CH=='\"') || (CH=='\'') || (CH=='`') ) -#define ISWHITESPACE(C) ( (C==' ') || (C=='\t') ) -#define ISLINEFEED(C) ( (C=='\n') || (C=='\r') || (C=='\f') ) - -/* - * tokens consist of any printable charcacter except comma, equal, or - * whitespace - */ - -#define ISTOKENCHAR(C) ((C>040) && (C<0177) && (C != ',') && (C != '=')) - -/* - * the parameter table defines the keywords that will be recognized by - * fGetParameterSet, and their default values if not specified. - */ - -typedef struct { - char *keyword; - char *defvalue; - char *value; -} parmtable; - -#define PARMCOUNT(P) (sizeof(P)/sizeof(P[0])) - -int fGetChar (FILE *fp); -int fGetParameterSet (FILE *fp, parmtable parm[], int parmcount); -int ParmCompare (parmtable parm[], int parmcount, char *keyword, char *value); - -void FreeParameterSet (parmtable parm[], int parmcount); - -int fGetKeywordValue (FILE *fp, char *keyword, int klen, char *value, int vlen); - -int fGetToken (FILE *fp, char *dest, int maxlen); - -int fGetLiteral (FILE *fp); - -int fUngetChar (int ch, FILE *fp); - -#endif /* KPARSE_DEFS */ diff --git a/src/include/kerberosIV/krb.h b/src/include/kerberosIV/krb.h deleted file mode 100644 index b11a6b69d..000000000 --- a/src/include/kerberosIV/krb.h +++ /dev/null 
@@ -1,924 +0,0 @@ -/* - * include/kerberosIV/krb.h - * - * Copyright 1987, 1988, 1994, 2001, 2002 by the Massachusetts - * Institute of Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Include file for the Kerberos V4 library. - */ - -/* Only one time, please */ -#ifndef KRB_DEFS -#define KRB_DEFS - -/* - * For MacOS, don't expose prototypes of various private functions. - * Unfortuantely, they've leaked out everywhere else. - */ -#if defined(__MACH__) && defined(__APPLE__) -#include -#include -#if TARGET_RT_MAC_CFM -#error "Use KfM 4.0 SDK headers for CFM compilation." 
-#endif -#ifndef KRB_PRIVATE -#define KRB_PRIVATE 0 -#endif -#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS) -#define KRB5INT_KRB4_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5 -#endif -#else -#ifndef KRB_PRIVATE -#define KRB_PRIVATE 1 -#endif -#endif /* defined(__MACH__) && defined(__APPLE__) */ - -/* Macro to add deprecated attribute to KRB4 types and functions */ -/* Currently only defined on Mac OS X 10.5 and later. */ -#ifndef KRB5INT_KRB4_DEPRECATED -#define KRB5INT_KRB4_DEPRECATED -#endif - -/* Define u_char, u_short, u_int, and u_long. */ -/* XXX these typdef names are not standardized! */ -#include - -/* Need some defs from des.h */ -#include -#include -#include - -#ifdef _WIN32 -#include -#endif /* _WIN32 */ - -#ifdef __cplusplus -#ifndef KRBINT_BEGIN_DECLS -#define KRBINT_BEGIN_DECLS extern "C" { -#define KRBINT_END_DECLS } -#endif -#else -#define KRBINT_BEGIN_DECLS -#define KRBINT_END_DECLS -#endif -KRBINT_BEGIN_DECLS - -#if TARGET_OS_MAC -# pragma pack(push,2) -#endif - -#define KRB4_32 DES_INT32 -#define KRB_INT32 DES_INT32 -#define KRB_UINT32 DES_UINT32 - -#define MAX_KRB_ERRORS 256 - -#if TARGET_OS_MAC -/* ABI divergence on Mac for backwards compatibility. */ -extern const char * const * const krb_err_txt -KRB5INT_KRB4_DEPRECATED; -#else -extern const char * const krb_err_txt[MAX_KRB_ERRORS] -KRB5INT_KRB4_DEPRECATED; -#endif - -/* General definitions */ -#define KSUCCESS 0 -#define KFAILURE 255 - -/* - * Kerberos specific definitions - * - * KRBLOG is the log file for the kerberos master server. KRB_CONF is - * the configuration file where different host machines running master - * and slave servers can be found. KRB_MASTER is the name of the - * machine with the master database. The admin_server runs on this - * machine, and all changes to the db (as opposed to read-only - * requests, which can go to slaves) must go to it. KRB_HOST is the - * default machine * when looking for a kerberos slave server. 
Other - * possibilities are * in the KRB_CONF file. KRB_REALM is the name of - * the realm. - */ - -#define KRB_CONF "/etc/krb.conf" -#define KRB_RLM_TRANS "/etc/krb.realms" -#define KRB_MASTER "kerberos" -#define KRB_HOST KRB_MASTER -#define KRB_REALM "ATHENA.MIT.EDU" - -/* The maximum sizes for aname, realm, sname, and instance +1 */ -#define ANAME_SZ 40 -#define REALM_SZ 40 -#define SNAME_SZ 40 -#define INST_SZ 40 -#define ADDR_SZ 40 -/* - * NB: This overcounts due to NULs. - */ -/* include space for '.' and '@' */ -#define MAX_K_NAME_SZ (ANAME_SZ + INST_SZ + REALM_SZ + 2) -#define KKEY_SZ 100 -#define VERSION_SZ 1 -#define MSG_TYPE_SZ 1 -#define DATE_SZ 26 /* RTI date output */ - -#define MAX_HSTNM 100 - -#ifndef DEFAULT_TKT_LIFE /* allow compile-time override */ -#define DEFAULT_TKT_LIFE 120 /* default lifetime for krb_mk_req */ -#endif - -#define KRB_TICKET_GRANTING_TICKET "krbtgt" - -/* Definition of text structure used to pass text around */ -#define MAX_KTXT_LEN 1250 - -struct ktext { - int length; /* Length of the text */ - unsigned char dat[MAX_KTXT_LEN]; /* The data itself */ - unsigned long mbz; /* zero to catch runaway strings */ -} KRB5INT_KRB4_DEPRECATED; - -typedef struct ktext *KTEXT KRB5INT_KRB4_DEPRECATED; -typedef struct ktext KTEXT_ST KRB5INT_KRB4_DEPRECATED; - - -/* Definitions for send_to_kdc */ -#define CLIENT_KRB_TIMEOUT 4 /* time between retries */ -#define CLIENT_KRB_RETRY 5 /* retry this many times */ -#define CLIENT_KRB_BUFLEN 512 /* max unfragmented packet */ - -/* Definitions for ticket file utilities */ -#define R_TKT_FIL 0 -#define W_TKT_FIL 1 - -/* Definitions for cl_get_tgt */ -#ifdef PC -#define CL_GTGT_INIT_FILE "\\kerberos\\k_in_tkts" -#else -#define CL_GTGT_INIT_FILE "/etc/k_in_tkts" -#endif /* PC */ - -/* Parameters for rd_ap_req */ -/* Maximum allowable clock skew in seconds */ -#define CLOCK_SKEW 5*60 -/* Filename for readservkey */ -#define KEYFILE ((char*)krb__get_srvtabname("/etc/srvtab")) - -/* Structure definition for 
rd_ap_req */ - -struct auth_dat { - unsigned char k_flags; /* Flags from ticket */ - char pname[ANAME_SZ]; /* Principal's name */ - char pinst[INST_SZ]; /* His Instance */ - char prealm[REALM_SZ]; /* His Realm */ - unsigned KRB4_32 checksum; /* Data checksum (opt) */ - C_Block session; /* Session Key */ - int life; /* Life of ticket */ - unsigned KRB4_32 time_sec; /* Time ticket issued */ - unsigned KRB4_32 address; /* Address in ticket */ - KTEXT_ST reply; /* Auth reply (opt) */ -} KRB5INT_KRB4_DEPRECATED; - -typedef struct auth_dat AUTH_DAT KRB5INT_KRB4_DEPRECATED; - -/* Structure definition for credentials returned by get_cred */ - -struct credentials { - char service[ANAME_SZ]; /* Service name */ - char instance[INST_SZ]; /* Instance */ - char realm[REALM_SZ]; /* Auth domain */ - C_Block session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT_ST ticket_st; /* The ticket itself */ - KRB4_32 issue_date; /* The issue time */ - char pname[ANAME_SZ]; /* Principal's name */ - char pinst[INST_SZ]; /* Principal's instance */ -#if TARGET_OS_MAC - KRB_UINT32 address; /* Address in ticket */ - KRB_UINT32 stk_type; /* string_to_key function needed */ -#endif -#ifdef _WIN32 - char address[ADDR_SZ]; /* Address in ticket */ -#endif -} KRB5INT_KRB4_DEPRECATED; - -typedef struct credentials CREDENTIALS KRB5INT_KRB4_DEPRECATED; - -/* Structure definition for rd_private_msg and rd_safe_msg */ - -struct msg_dat { - unsigned char *app_data; /* pointer to appl data */ - unsigned KRB4_32 app_length; /* length of appl data */ - unsigned KRB4_32 hash; /* hash to lookup replay */ - int swap; /* swap bytes? 
*/ - KRB4_32 time_sec; /* msg timestamp seconds */ - unsigned char time_5ms; /* msg timestamp 5ms units */ -} KRB5INT_KRB4_DEPRECATED; - -typedef struct msg_dat MSG_DAT KRB5INT_KRB4_DEPRECATED; - - -/* Location of ticket file for save_cred and get_cred */ -#ifdef _WIN32 -#define TKT_FILE "\\kerberos\\ticket.ses" -#else -#define TKT_FILE tkt_string() -#define TKT_ROOT "/tmp/tkt" -#endif /* _WIN32 */ - -/* - * Error codes are now defined as offsets from com_err (krb_err.et) - * values. - */ -#define KRB_ET(x) ((KRBET_ ## x) - ERROR_TABLE_BASE_krb) - -/* Error codes returned from the KDC */ -#define KDC_OK KRB_ET(KSUCCESS) /* 0 - Request OK */ -#define KDC_NAME_EXP KRB_ET(KDC_NAME_EXP) /* 1 - Principal expired */ -#define KDC_SERVICE_EXP KRB_ET(KDC_SERVICE_EXP) /* 2 - Service expired */ -#define KDC_AUTH_EXP KRB_ET(KDC_AUTH_EXP) /* 3 - Auth expired */ -#define KDC_PKT_VER KRB_ET(KDC_PKT_VER) /* 4 - Prot version unknown */ -#define KDC_P_MKEY_VER KRB_ET(KDC_P_MKEY_VER) /* 5 - Wrong mkey version */ -#define KDC_S_MKEY_VER KRB_ET(KDC_S_MKEY_VER) /* 6 - Wrong mkey version */ -#define KDC_BYTE_ORDER KRB_ET(KDC_BYTE_ORDER) /* 7 - Byte order unknown */ -#define KDC_PR_UNKNOWN KRB_ET(KDC_PR_UNKNOWN) /* 8 - Princ unknown */ -#define KDC_PR_N_UNIQUE KRB_ET(KDC_PR_N_UNIQUE) /* 9 - Princ not unique */ -#define KDC_NULL_KEY KRB_ET(KDC_NULL_KEY) /* 10 - Princ has null key */ -#define KDC_GEN_ERR KRB_ET(KDC_GEN_ERR) /* 20 - Generic err frm KDC */ - -/* Values returned by get_credentials */ -#define GC_OK KRB_ET(KSUCCESS) /* 0 - Retrieve OK */ -#define RET_OK KRB_ET(KSUCCESS) /* 0 - Retrieve OK */ -#define GC_TKFIL KRB_ET(GC_TKFIL) /* 21 - Can't rd tkt file */ -#define RET_TKFIL KRB_ET(GC_TKFIL) /* 21 - Can't rd tkt file */ -#define GC_NOTKT KRB_ET(GC_NOTKT) /* 22 - Can't find tkt|TGT */ -#define RET_NOTKT KRB_ET(GC_NOTKT) /* 22 - Can't find tkt|TGT */ - -/* Values returned by mk_ap_req */ -#define MK_AP_OK KRB_ET(KSUCCESS) /* 0 - Success */ -#define MK_AP_TGTEXP KRB_ET(MK_AP_TGTEXP) 
/* 26 - TGT Expired */ - -/* Values returned by rd_ap_req */ -#define RD_AP_OK KRB_ET(KSUCCESS) /* 0 - Request authentic */ -#define RD_AP_UNDEC KRB_ET(RD_AP_UNDEC) /* 31 - Can't decode authent */ -#define RD_AP_EXP KRB_ET(RD_AP_EXP) /* 32 - Ticket expired */ -#define RD_AP_NYV KRB_ET(RD_AP_NYV) /* 33 - Ticket not yet valid */ -#define RD_AP_REPEAT KRB_ET(RD_AP_REPEAT) /* 34 - Repeated request */ -#define RD_AP_NOT_US KRB_ET(RD_AP_NOT_US) /* 35 - Ticket isn't for us */ -#define RD_AP_INCON KRB_ET(RD_AP_INCON) /* 36 - Request inconsistent */ -#define RD_AP_TIME KRB_ET(RD_AP_TIME) /* 37 - delta_t too big */ -#define RD_AP_BADD KRB_ET(RD_AP_BADD) /* 38 - Incorrect net addr */ -#define RD_AP_VERSION KRB_ET(RD_AP_VERSION) /* 39 - prot vers mismatch */ -#define RD_AP_MSG_TYPE KRB_ET(RD_AP_MSG_TYPE) /* 40 - invalid msg type */ -#define RD_AP_MODIFIED KRB_ET(RD_AP_MODIFIED) /* 41 - msg stream modified */ -#define RD_AP_ORDER KRB_ET(RD_AP_ORDER) /* 42 - message out of order */ -#define RD_AP_UNAUTHOR KRB_ET(RD_AP_UNAUTHOR) /* 43 - unauthorized request */ - -/* Values returned by get_pw_tkt */ -#define GT_PW_OK KRB_ET(KSUCCESS) /* 0 - Got passwd chg tkt */ -#define GT_PW_NULL KRB_ET(GT_PW_NULL) /* 51 - Current PW is null */ -#define GT_PW_BADPW KRB_ET(GT_PW_BADPW) /* 52 - Wrong passwd */ -#define GT_PW_PROT KRB_ET(GT_PW_PROT) /* 53 - Protocol Error */ -#define GT_PW_KDCERR KRB_ET(GT_PW_KDCERR) /* 54 - Error ret by KDC */ -#define GT_PW_NULLTKT KRB_ET(GT_PW_NULLTKT) /* 55 - Null tkt ret by KDC */ - -/* Values returned by send_to_kdc */ -#define SKDC_OK KRB_ET(KSUCCESS) /* 0 - Response received */ -#define SKDC_RETRY KRB_ET(SKDC_RETRY) /* 56 - Retry count exceeded */ -#define SKDC_CANT KRB_ET(SKDC_CANT) /* 57 - Can't send request */ - -/* - * Values returned by get_intkt - * (can also return SKDC_* and KDC errors) - */ - -#define INTK_OK KRB_ET(KSUCCESS) /* 0 - Ticket obtained */ -#define INTK_PW_NULL KRB_ET(GT_PW_NULL) /* 51 - Current PW is null */ -#define INTK_W_NOTALL 
KRB_ET(INTK_W_NOTALL) /* 61 - Not ALL tkts retd */ -#define INTK_BADPW KRB_ET(INTK_BADPW) /* 62 - Incorrect password */ -#define INTK_PROT KRB_ET(INTK_PROT) /* 63 - Protocol Error */ -#define INTK_ERR KRB_ET(INTK_ERR) /* 70 - Other error */ - -/* Values returned by get_adtkt */ -#define AD_OK KRB_ET(KSUCCESS) /* 0 - Ticket Obtained */ -#define AD_NOTGT KRB_ET(AD_NOTGT) /* 71 - Don't have tgt */ - -/* Error codes returned by ticket file utilities */ -#define NO_TKT_FIL KRB_ET(NO_TKT_FIL) /* 76 - No ticket file found */ -#define TKT_FIL_ACC KRB_ET(TKT_FIL_ACC) /* 77 - Can't acc tktfile */ -#define TKT_FIL_LCK KRB_ET(TKT_FIL_LCK) /* 78 - Can't lck tkt file */ -#define TKT_FIL_FMT KRB_ET(TKT_FIL_FMT) /* 79 - Bad tkt file format */ -#define TKT_FIL_INI KRB_ET(TKT_FIL_INI) /* 80 - tf_init not called */ - -/* Error code returned by kparse_name */ -#define KNAME_FMT KRB_ET(KNAME_FMT) /* 81 - Bad krb name fmt */ - -/* Error code returned by krb_mk_safe */ -#define SAFE_PRIV_ERROR (-1) /* syscall error */ - -/* Kerberos ticket flag field bit definitions */ -#define K_FLAG_ORDER 0 /* bit 0 --> lsb */ -#define K_FLAG_1 /* reserved */ -#define K_FLAG_2 /* reserved */ -#define K_FLAG_3 /* reserved */ -#define K_FLAG_4 /* reserved */ -#define K_FLAG_5 /* reserved */ -#define K_FLAG_6 /* reserved */ -#define K_FLAG_7 /* reserved, bit 7 --> msb */ - -/* Are these needed anymore? 
*/ -#ifdef OLDNAMES -#define krb_mk_req mk_ap_req -#define krb_rd_req rd_ap_req -#define krb_kntoln an_to_ln -#define krb_set_key set_serv_key -#define krb_get_cred get_credentials -#define krb_mk_priv mk_private_msg -#define krb_rd_priv rd_private_msg -#define krb_mk_safe mk_safe_msg -#define krb_rd_safe rd_safe_msg -#define krb_mk_err mk_appl_err_msg -#define krb_rd_err rd_appl_err_msg -#define krb_ck_repl check_replay -#define krb_get_pw_in_tkt get_in_tkt -#define krb_get_svc_in_tkt get_svc_in_tkt -#define krb_get_pw_tkt get_pw_tkt -#define krb_realmofhost krb_getrealm -#define krb_get_phost get_phost -#define krb_get_krbhst get_krbhst -#define krb_get_lrealm get_krbrlm -#endif /* OLDNAMES */ - -/* Defines for krb_sendauth and krb_recvauth */ - -#define KOPT_DONT_MK_REQ 0x00000001 /* don't call krb_mk_req */ -#define KOPT_DO_MUTUAL 0x00000002 /* do mutual auth */ -#define KOPT_DONT_CANON 0x00000004 /* don't canonicalize inst as a host */ - -#define KRB_SENDAUTH_VLEN 8 /* length for version strings */ - -#ifdef ATHENA_COMPAT -#define KOPT_DO_OLDSTYLE 0x00000008 /* use the old-style protocol */ -#endif /* ATHENA_COMPAT */ - - -#ifdef _WIN32 -#define TIME_GMT_UNIXSEC win_time_gmt_unixsec((unsigned KRB4_32 *)0) -#define TIME_GMT_UNIXSEC_US(us) win_time_gmt_unixsec((us)) -#define CONVERT_TIME_EPOCH win_time_get_epoch() -#else -/* until we do V4 compat under DOS, just turn this off */ -#define _fmemcpy memcpy -#define _fstrncpy strncpy -#define far_fputs fputs -/* and likewise, just drag in the unix time interface */ -#define TIME_GMT_UNIXSEC unix_time_gmt_unixsec((unsigned KRB4_32 *)0) -#define TIME_GMT_UNIXSEC_US(us) unix_time_gmt_unixsec((us)) -#define CONVERT_TIME_EPOCH ((long)0) /* Unix epoch is Krb epoch */ -#endif /* _WIN32 */ - -/* Constants for KerberosProfileLib */ -#define REALMS_V4_PROF_REALMS_SECTION "v4 realms" -#define REALMS_V4_PROF_KDC "kdc" -#define REALMS_V4_PROF_ADMIN_KDC "admin_server" -#define REALMS_V4_PROF_KPASSWD_KDC "kpasswd_server" -#define 
REALMS_V4_PROF_DOMAIN_SECTION "v4 domain_realm" -#define REALMS_V4_PROF_LIBDEFAULTS_SECTION "libdefaults" -#define REALMS_V4_PROF_LOCAL_REALM "default_realm" -#define REALMS_V4_PROF_STK "string_to_key_type" -#define REALMS_V4_MIT_STK "mit_string_to_key" -#define REALMS_V4_AFS_STK "afs_string_to_key" -#define REALMS_V4_COLUMBIA_STK "columbia_string_to_key" -#define REALMS_V4_DEFAULT_REALM "default_realm" -#define REALMS_V4_NO_ADDRESSES "noaddresses" - -/* ask to disable IP address checking in the library */ -extern int krb_ignore_ip_address; - -/* Debugging printfs shouldn't even be compiled on many systems that don't - support printf! Use it like DEB (("Oops - %s\n", string)); */ - -#ifdef DEBUG -#define DEB(x) if (krb_debug) printf x -extern int krb_debug; -#else -#define DEB(x) /* nothing */ -#endif - -/* Define a couple of function types including parameters. These - are needed on MS-Windows to convert arguments of the function pointers - to the proper types during calls. */ - -typedef int (KRB5_CALLCONV *key_proc_type) - (char *, char *, char *, - char *, C_Block) -KRB5INT_KRB4_DEPRECATED; - -#define KEY_PROC_TYPE_DEFINED - -typedef int (KRB5_CALLCONV *decrypt_tkt_type) - (char *, char *, char *, - char *, key_proc_type, KTEXT *) -KRB5INT_KRB4_DEPRECATED; - -#define DECRYPT_TKT_TYPE_DEFINED - -extern struct _krb5_context * krb5__krb4_context; - -/* - * Function Prototypes for Kerberos V4. 
- */ - -struct sockaddr_in; - -/* dest_tkt.c */ -int KRB5_CALLCONV dest_tkt - (void) -KRB5INT_KRB4_DEPRECATED; - -/* err_txt.c */ -const char * KRB5_CALLCONV krb_get_err_text - (int errnum) -KRB5INT_KRB4_DEPRECATED; - -/* g_ad_tkt.c */ -/* Previously not KRB5_CALLCONV */ -int KRB5_CALLCONV get_ad_tkt - (char *service, char *sinst, char *realm, int lifetime) -KRB5INT_KRB4_DEPRECATED; - -/* g_admhst.c */ -int KRB5_CALLCONV krb_get_admhst - (char *host, char *realm, int idx) -KRB5INT_KRB4_DEPRECATED; - -/* g_cred.c */ -int KRB5_CALLCONV krb_get_cred - (char *service, char *instance, char *realm, - CREDENTIALS *c) -KRB5INT_KRB4_DEPRECATED; - -/* g_in_tkt.c */ -/* Previously not KRB5_CALLCONV */ -int KRB5_CALLCONV krb_get_in_tkt - (char *k_user, char *instance, char *realm, - char *service, char *sinst, int life, - key_proc_type, decrypt_tkt_type, char *arg) -KRB5INT_KRB4_DEPRECATED; - -#if KRB_PRIVATE -/* Previously not KRB5_CALLCONV */ -int KRB5_CALLCONV krb_get_in_tkt_preauth - (char *k_user, char *instance, char *realm, - char *service, char *sinst, int life, - key_proc_type, decrypt_tkt_type, char *arg, - char *preauth_p, int preauth_len) -KRB5INT_KRB4_DEPRECATED; -#endif - -/* From KfM */ -int KRB5_CALLCONV krb_get_in_tkt_creds(char *, char *, char *, char *, char *, - int, key_proc_type, decrypt_tkt_type, char *, CREDENTIALS *) -KRB5INT_KRB4_DEPRECATED; - - -/* g_krbhst.c */ -int KRB5_CALLCONV krb_get_krbhst - (char *host, const char *realm, int idx) -KRB5INT_KRB4_DEPRECATED; - -/* g_krbrlm.c */ -int KRB5_CALLCONV krb_get_lrealm - (char *realm, int idx) -KRB5INT_KRB4_DEPRECATED; - -/* g_phost.c */ -char * KRB5_CALLCONV krb_get_phost - (char * alias) -KRB5INT_KRB4_DEPRECATED; - -/* get_pw_tkt */ -int KRB5_CALLCONV get_pw_tkt - (char *, char *, char *, char *) -KRB5INT_KRB4_DEPRECATED; - -/* g_pw_in_tkt.c */ -int KRB5_CALLCONV krb_get_pw_in_tkt - (char *k_user, char *instance, char *realm, - char *service, char *sinstance, - int life, char *password) 
-KRB5INT_KRB4_DEPRECATED; - -#if KRB_PRIVATE -int KRB5_CALLCONV krb_get_pw_in_tkt_preauth - (char *k_user, char *instance, char *realm, - char *service, char *sinstance, - int life, char *password) -KRB5INT_KRB4_DEPRECATED; -#endif - -int KRB5_CALLCONV -krb_get_pw_in_tkt_creds(char *, char *, char *, - char *, char *, int, char *, CREDENTIALS *) -KRB5INT_KRB4_DEPRECATED; - -/* g_svc_in_tkt.c */ -int KRB5_CALLCONV krb_get_svc_in_tkt - (char *k_user, char *instance, char *realm, - char *service, char *sinstance, - int life, char *srvtab) -KRB5INT_KRB4_DEPRECATED; - -/* g_tf_fname.c */ -int KRB5_CALLCONV krb_get_tf_fullname - (const char *ticket_file, char *name, char *inst, char *realm) -KRB5INT_KRB4_DEPRECATED; - -/* g_tf_realm.c */ -int KRB5_CALLCONV krb_get_tf_realm - (const char *ticket_file, char *realm) -KRB5INT_KRB4_DEPRECATED; - -/* g_tkt_svc.c */ -int KRB5_CALLCONV krb_get_ticket_for_service - (char *serviceName, - char *buf, unsigned KRB4_32 *buflen, - int checksum, des_cblock, Key_schedule, - char *version, int includeVersion) -KRB5INT_KRB4_DEPRECATED; - -#if KRB_PRIVATE -/* in_tkt.c */ -int KRB5_CALLCONV in_tkt - (char *name, char *inst) -KRB5INT_KRB4_DEPRECATED; - -int KRB5_CALLCONV krb_in_tkt - (char *pname, char *pinst, char *realm) -KRB5INT_KRB4_DEPRECATED; -#endif - -/* kname_parse.c */ -int KRB5_CALLCONV kname_parse - (char *name, char *inst, char *realm, - char *fullname) -KRB5INT_KRB4_DEPRECATED; - -/* Merged from KfM */ -int KRB5_CALLCONV kname_unparse - (char *, const char *, const char *, const char *) -KRB5INT_KRB4_DEPRECATED; - -int KRB5_CALLCONV k_isname - (char *) -KRB5INT_KRB4_DEPRECATED; - -int KRB5_CALLCONV k_isinst - (char *) -KRB5INT_KRB4_DEPRECATED; - -int KRB5_CALLCONV k_isrealm - (char *) -KRB5INT_KRB4_DEPRECATED; - - -/* kuserok.c */ -int KRB5_CALLCONV kuserok - (AUTH_DAT *kdata, char *luser) -KRB5INT_KRB4_DEPRECATED; - -/* lifetime.c */ -KRB4_32 KRB5_CALLCONV krb_life_to_time - (KRB4_32 start, int life) -KRB5INT_KRB4_DEPRECATED; - 
-int KRB5_CALLCONV krb_time_to_life - (KRB4_32 start, KRB4_32 end) -KRB5INT_KRB4_DEPRECATED; - -/* mk_auth.c */ -int KRB5_CALLCONV krb_check_auth - (KTEXT, unsigned KRB4_32 cksum, MSG_DAT *, - C_Block, Key_schedule, - struct sockaddr_in * local_addr, - struct sockaddr_in * foreign_addr) -KRB5INT_KRB4_DEPRECATED; - -int KRB5_CALLCONV krb_mk_auth - (long k4_options, KTEXT ticket, - char *service, char *inst, char *realm, - unsigned KRB4_32 checksum, char *version, KTEXT buf) -KRB5INT_KRB4_DEPRECATED; - -/* mk_err.c */ -long KRB5_CALLCONV krb_mk_err - (u_char *out, KRB4_32 k4_code, char *text) -KRB5INT_KRB4_DEPRECATED; - -#if KRB_PRIVATE -/* mk_preauth.c */ -int krb_mk_preauth - (char **preauth_p, int *preauth_len, key_proc_type, - char *name, char *inst, char *realm, char *password, - C_Block) -KRB5INT_KRB4_DEPRECATED; - -void krb_free_preauth - (char * preauth_p, int len) -KRB5INT_KRB4_DEPRECATED; -#endif - -/* mk_priv.c */ -long KRB5_CALLCONV krb_mk_priv - (u_char *in, u_char *out, - unsigned KRB4_32 length, - Key_schedule, C_Block *, - struct sockaddr_in * sender, - struct sockaddr_in * receiver) -KRB5INT_KRB4_DEPRECATED; - -/* mk_req.c */ -int KRB5_CALLCONV krb_mk_req - (KTEXT authent, - char *service, char *instance, char *realm, - KRB4_32 checksum) -KRB5INT_KRB4_DEPRECATED; - -/* Merged from KfM */ -int KRB5_CALLCONV krb_mk_req_creds(KTEXT, CREDENTIALS *, KRB_INT32) -KRB5INT_KRB4_DEPRECATED; - -/* Added CALLCONV (KfM exports w/o INTERFACE, but KfW doesn't export?) 
*/ -int KRB5_CALLCONV krb_set_lifetime(int newval) -KRB5INT_KRB4_DEPRECATED; - -/* mk_safe.c */ -long KRB5_CALLCONV krb_mk_safe - (u_char *in, u_char *out, unsigned KRB4_32 length, - C_Block *, - struct sockaddr_in *sender, - struct sockaddr_in *receiver) -KRB5INT_KRB4_DEPRECATED; - -#if KRB_PRIVATE -/* netread.c */ -int krb_net_read - (int fd, char *buf, int len) -KRB5INT_KRB4_DEPRECATED; - -/* netwrite.c */ -int krb_net_write - (int fd, char *buf, int len) -KRB5INT_KRB4_DEPRECATED; - -/* pkt_clen.c */ -int pkt_clen - (KTEXT) -KRB5INT_KRB4_DEPRECATED; -#endif - -/* put_svc_key.c */ -int KRB5_CALLCONV put_svc_key - (char *sfile, - char *name, char *inst, char *realm, - int newvno, char *key) -KRB5INT_KRB4_DEPRECATED; - -/* rd_err.c */ -int KRB5_CALLCONV krb_rd_err - (u_char *in, u_long in_length, - long *k4_code, MSG_DAT *m_data) -KRB5INT_KRB4_DEPRECATED; - -/* rd_priv.c */ -long KRB5_CALLCONV krb_rd_priv - (u_char *in,unsigned KRB4_32 in_length, - Key_schedule, C_Block *, - struct sockaddr_in *sender, - struct sockaddr_in *receiver, - MSG_DAT *m_data) -KRB5INT_KRB4_DEPRECATED; - -/* rd_req.c */ -int KRB5_CALLCONV krb_rd_req - (KTEXT, char *service, char *inst, - unsigned KRB4_32 from_addr, AUTH_DAT *, - char *srvtab) -KRB5INT_KRB4_DEPRECATED; - -/* Merged from KfM */ -int KRB5_CALLCONV -krb_rd_req_int(KTEXT, char *, char *, KRB_UINT32, AUTH_DAT *, C_Block) -KRB5INT_KRB4_DEPRECATED; - -/* rd_safe.c */ -long KRB5_CALLCONV krb_rd_safe - (u_char *in, unsigned KRB4_32 in_length, - C_Block *, - struct sockaddr_in *sender, - struct sockaddr_in *receiver, - MSG_DAT *m_data) -KRB5INT_KRB4_DEPRECATED; - -/* rd_svc_key.c */ -int KRB5_CALLCONV read_service_key - (char *service, char *instance, char *realm, - int kvno, char *file, char *key) -KRB5INT_KRB4_DEPRECATED; - -int KRB5_CALLCONV get_service_key - (char *service, char *instance, char *realm, - int *kvno, char *file, char *key) -KRB5INT_KRB4_DEPRECATED; - -/* realmofhost.c */ -char * KRB5_CALLCONV krb_realmofhost - 
(char *host) -KRB5INT_KRB4_DEPRECATED; - -/* recvauth.c */ -int KRB5_CALLCONV krb_recvauth - (long k4_options, int fd, KTEXT ticket, - char *service, char *instance, - struct sockaddr_in *foreign_addr, - struct sockaddr_in *local_addr, - AUTH_DAT *kdata, char *srvtab, - Key_schedule schedule, char *version) -KRB5INT_KRB4_DEPRECATED; - -/* sendauth.c */ -int KRB5_CALLCONV krb_sendauth - (long k4_options, int fd, KTEXT ticket, - char *service, char *inst, char *realm, - unsigned KRB4_32 checksum, MSG_DAT *msg_data, - CREDENTIALS *cred, Key_schedule schedule, - struct sockaddr_in *laddr, struct sockaddr_in *faddr, - char *version) -KRB5INT_KRB4_DEPRECATED; - -#if KRB_PRIVATE -/* save_creds.c */ -int KRB5_CALLCONV krb_save_credentials - (char *service, char *instance, char *realm, - C_Block session, int lifetime, int kvno, - KTEXT ticket, long issue_date) -KRB5INT_KRB4_DEPRECATED; - -/* send_to_kdc.c */ -/* XXX PRIVATE? KfM doesn't export. */ -int send_to_kdc - (KTEXT pkt, KTEXT rpkt, char *realm) -KRB5INT_KRB4_DEPRECATED; -#endif - -/* tkt_string.c */ -/* Used to return pointer to non-const char */ -const char * KRB5_CALLCONV tkt_string - (void) -KRB5INT_KRB4_DEPRECATED; - -/* Previously not KRB5_CALLCONV, and previously took pointer to non-const. 
*/ -void KRB5_CALLCONV krb_set_tkt_string - (const char *) -KRB5INT_KRB4_DEPRECATED; - -#if KRB_PRIVATE -/* tf_util.c */ -int KRB5_CALLCONV tf_init (const char *tf_name, int rw) -KRB5INT_KRB4_DEPRECATED; - -int KRB5_CALLCONV tf_get_pname (char *p) -KRB5INT_KRB4_DEPRECATED; - -int KRB5_CALLCONV tf_get_pinst (char *p) -KRB5INT_KRB4_DEPRECATED; - -int KRB5_CALLCONV tf_get_cred (CREDENTIALS *c) -KRB5INT_KRB4_DEPRECATED; - -void KRB5_CALLCONV tf_close (void) -KRB5INT_KRB4_DEPRECATED; -#endif - -#if KRB_PRIVATE -/* unix_time.c */ -unsigned KRB4_32 KRB5_CALLCONV unix_time_gmt_unixsec - (unsigned KRB4_32 *) -KRB5INT_KRB4_DEPRECATED; - -/* - * Internal prototypes - */ -extern int krb_set_key - (char *key, int cvt) -KRB5INT_KRB4_DEPRECATED; - -/* This is exported by KfM. It was previously not KRB5_CALLCONV. */ -extern int KRB5_CALLCONV decomp_ticket - (KTEXT tkt, unsigned char *flags, char *pname, - char *pinstance, char *prealm, unsigned KRB4_32 *paddress, - C_Block session, int *life, unsigned KRB4_32 *time_sec, - char *sname, char *sinstance, C_Block, - Key_schedule key_s) -KRB5INT_KRB4_DEPRECATED; - - -extern void cr_err_reply(KTEXT pkt, char *pname, char *pinst, char *prealm, - u_long time_ws, u_long e, char *e_string) -KRB5INT_KRB4_DEPRECATED; - -extern int create_ciph(KTEXT c, C_Block session, char *service, - char *instance, char *realm, unsigned long life, - int kvno, KTEXT tkt, unsigned long kdc_time, - C_Block key) -KRB5INT_KRB4_DEPRECATED; - - -extern int krb_create_ticket(KTEXT tkt, unsigned int flags, char *pname, - char *pinstance, char *prealm, long paddress, - char *session, int life, long time_sec, - char *sname, char *sinstance, C_Block key) -KRB5INT_KRB4_DEPRECATED; - -#endif /* KRB_PRIVATE */ - -/* This function is used by KEYFILE above. 
Do not call it directly */ -extern char * krb__get_srvtabname(const char *) -KRB5INT_KRB4_DEPRECATED; - -#if KRB_PRIVATE - -extern int krb_kntoln(AUTH_DAT *, char *) -KRB5INT_KRB4_DEPRECATED; - -#ifdef KRB5_GENERAL__ -extern int krb_cr_tkt_krb5(KTEXT tkt, unsigned int flags, char *pname, - char *pinstance, char *prealm, long paddress, - char *session, int life, long time_sec, - char *sname, char *sinstance, - krb5_keyblock *k5key) -KRB5INT_KRB4_DEPRECATED; - -extern int krb_set_key_krb5(krb5_context ctx, krb5_keyblock *key) -KRB5INT_KRB4_DEPRECATED; - -#endif - -#endif /* KRB_PRIVATE */ - -/* - * krb_change_password -- merged from KfM - */ -/* change_password.c */ -int KRB5_CALLCONV krb_change_password(char *, char *, char *, char *, char *) -KRB5INT_KRB4_DEPRECATED; - -/* - * RealmsConfig-glue.c -- merged from KfM - */ -int KRB5_CALLCONV krb_get_profile(profile_t *) -KRB5INT_KRB4_DEPRECATED; - -#ifdef _WIN32 -HINSTANCE get_lib_instance(void) -KRB5INT_KRB4_DEPRECATED; -unsigned int krb_get_notification_message(void) -KRB5INT_KRB4_DEPRECATED; -char * KRB5_CALLCONV krb_get_default_user(void) -KRB5INT_KRB4_DEPRECATED; -int KRB5_CALLCONV krb_set_default_user(char *) -KRB5INT_KRB4_DEPRECATED; -unsigned KRB4_32 win_time_gmt_unixsec(unsigned KRB4_32 *) -KRB5INT_KRB4_DEPRECATED; -long win_time_get_epoch(void) -KRB5INT_KRB4_DEPRECATED; -#endif - -#if TARGET_OS_MAC -# pragma pack(pop) -#endif - -KRBINT_END_DECLS - -#endif /* KRB_DEFS */ diff --git a/src/include/kerberosIV/krb_db.h b/src/include/kerberosIV/krb_db.h deleted file mode 100644 index 3e3b1dda6..000000000 --- a/src/include/kerberosIV/krb_db.h +++ /dev/null 
@@ -1,119 +0,0 @@ -/* - * include/kerberosIV/krb_db.h - * - * Copyright 1987, 1988, 1994 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * spm Project Athena 8/85 - * - * This file defines data structures for the kerberos - * authentication/authorization database. 
- * - * They MUST correspond to those defined in *.rel - */ - -#ifndef KRB_DB_DEFS -#define KRB_DB_DEFS - -#define KERB_M_NAME "K" /* Kerberos */ -#define KERB_M_INST "M" /* Master */ -#define KERB_DEFAULT_NAME "default" -#define KERB_DEFAULT_INST "" -#define DBM_FILE "/kerberos/principal" - -/* this also defines the number of queue headers */ -#define KERB_DB_HASH_MODULO 64 - - -/* Arguments to kerb_dbl_lock() */ - -#define KERB_DBL_EXCLUSIVE 1 -#define KERB_DBL_SHARED 0 - -/* arguments to kerb_db_set_lockmode() */ - -#define KERB_DBL_BLOCKING 0 -#define KERB_DBL_NONBLOCKING 1 - -/* Principal defines the structure of a principal's name */ - -typedef struct { - char name[ANAME_SZ]; - char instance[INST_SZ]; - - unsigned long key_low; - unsigned long key_high; - unsigned long exp_date; - char exp_date_txt[DATE_SZ]; - unsigned long mod_date; - char mod_date_txt[DATE_SZ]; - unsigned short attributes; - unsigned char max_life; - unsigned char kdc_key_ver; - unsigned char key_version; - - char mod_name[ANAME_SZ]; - char mod_instance[INST_SZ]; - char *old; /* cast to (Principal *); not in db, - * ptr to old vals */ -} - Principal; - -typedef struct { - long cpu; - long elapsed; - long dio; - long pfault; - long t_stamp; - long n_retrieve; - long n_replace; - long n_append; - long n_get_stat; - long n_put_stat; -} - DB_stat; - -/* Dba defines the structure of a database administrator */ - -typedef struct { - char name[ANAME_SZ]; - char instance[INST_SZ]; - unsigned short attributes; - unsigned long exp_date; - char exp_date_txt[DATE_SZ]; - char *old; /* - * cast to (Dba *); not in db, ptr to - * old vals - */ -} - Dba; - -#if 0 -extern int kerb_get_principal(); -extern int kerb_put_principal(); -extern int kerb_db_get_stat(); -extern int kerb_db_put_stat(); -extern int kerb_get_dba(); -extern int kerb_db_get_dba(); -#endif - -#endif /* KRB_DB_DEFS */ 
diff --git a/src/include/kerberosIV/krbports.h b/src/include/kerberosIV/krbports.h deleted file mode 100644 index 5b4dc5641..000000000 --- a/src/include/kerberosIV/krbports.h +++ /dev/null @@ -1,27 +0,0 @@ -/* krbports.h -- fallback port numbers in case /etc/services isn't changed */ -/* used by: appl/bsd/rcp.c, rlogin.c, rsh.c, knetd.c - kadmin/kadm_ser_wrap.c, lib/kadm/kadm_cli_wrap.c - lib/krb/send_to_kdc.c - movemail/movemail.c, pfrom/popmail.c - server/kerberos.c, slave/kprop.c, kpropd.c -*/ - -#define KRB_SHELL_PORT 544 -#define UCB_SHELL_PORT 514 - -#define KLOGIN_PORT 543 -#define EKLOGIN_PORT 2105 -#define UCB_LOGIN_PORT 513 - -#define KADM_PORT 751 -#define KERBEROS_PORT 750 -#define KERBEROS_SEC_PORT 88 -#define KRB_PROP_PORT 754 - -#define KPOP_PORT 1109 -#define POP3_PORT 110 - -#define KNETD_PORT 2053 - -/* already in rkinit_private.h */ -#define RKINIT_PORT 2108 diff --git a/src/include/kerberosIV/lsb_addr_cmp.h b/src/include/kerberosIV/lsb_addr_cmp.h deleted file mode 100644 index 573f2b46c..000000000 --- a/src/include/kerberosIV/lsb_addr_cmp.h +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * include/kerberosIV/lsb_addr_cmp.h - * - * Copyright 1988, 1995 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Comparison macros to emulate LSBFIRST comparison results of network - * byte-order quantities - */ - -#include "mit-copyright.h" -#ifndef LSB_ADDR_COMP_DEFS -#define LSB_ADDR_COMP_DEFS - -/* #include "osconf.h" */ - -/* note that if we don't explicitly know if we're LSBFIRST, the - alternate code is byte order independent and will give the - right answer. */ -#ifdef LSBFIRST -#define lsb_net_ulong_less(x,y) ((x < y) ? -1 : ((x > y) ? 1 : 0)) -#define lsb_net_ushort_less(x,y) ((x < y) ? -1 : ((x > y) ? 1 : 0)) -#else -/* MSBFIRST */ -#define u_char_comp(x,y) \ - (((x)>(y))?(1):(((x)==(y))?(0):(-1))) -/* This is gross, but... */ -#define lsb_net_ulong_less(x, y) long_less_than((u_char *)&x, (u_char *)&y) -#define lsb_net_ushort_less(x, y) short_less_than((u_char *)&x, (u_char *)&y) - -#define long_less_than(x,y) \ - (u_char_comp((x)[3],(y)[3])?u_char_comp((x)[3],(y)[3]): \ - (u_char_comp((x)[2],(y)[2])?u_char_comp((x)[2],(y)[2]): \ - (u_char_comp((x)[1],(y)[1])?u_char_comp((x)[1],(y)[1]): \ - (u_char_comp((x)[0],(y)[0]))))) -#define short_less_than(x,y) \ - (u_char_comp((x)[1],(y)[1])?u_char_comp((x)[1],(y)[1]): \ - (u_char_comp((x)[0],(y)[0]))) - -#endif /* LSBFIRST */ - -/* For krb4 library internal use only. */ -extern int krb4int_address_less (struct sockaddr_in *, struct sockaddr_in *); - -#endif /* LSB_ADDR_COMP_DEFS */ diff --git a/src/include/kerberosIV/mit-copyright.h b/src/include/kerberosIV/mit-copyright.h deleted file mode 100644 index e00865769..000000000 --- a/src/include/kerberosIV/mit-copyright.h +++ /dev/null 
@@ -1,23 +0,0 @@ -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America may - require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, Permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. Furthermore if you modify this software you must label -your software as modified software and not distribute it in such a -fashion that it might be confused with the original M.I.T. software. -M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ diff --git a/src/include/kerberosIV/prot.h b/src/include/kerberosIV/prot.h deleted file mode 100644 index ccb028bd7..000000000 --- a/src/include/kerberosIV/prot.h +++ /dev/null 
@@ -1,277 +0,0 @@ -/* - * include/kerberosIV/prot.h - * - * Copyright 1985-1994, 2001 by the Massachusetts Institute of - * Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Prototypes for internal functions, mostly related to protocol - * encoding and decoding. 
- */ - -#ifndef PROT_DEFS -#define PROT_DEFS - -#define KRB_PORT 750 /* PC's don't have - * /etc/services */ -#define KRB_PROT_VERSION 4 -#define MAX_PKT_LEN 1000 -#define MAX_TXT_LEN 1000 - -/* Macro's to obtain various fields from a packet */ - -#define pkt_version(packet) (unsigned int) *(packet->dat) -#define pkt_msg_type(packet) (unsigned int) *(packet->dat+1) -#define pkt_a_name(packet) (packet->dat+2) -#define pkt_a_inst(packet) \ - (packet->dat+3+strlen((char *)pkt_a_name(packet))) -#define pkt_a_realm(packet) \ - (pkt_a_inst(packet)+1+strlen((char *)pkt_a_inst(packet))) - -/* Macro to obtain realm from application request */ -#define apreq_realm(auth) (auth->dat + 3) - -#define pkt_time_ws(packet) (char *) \ - (packet->dat+5+strlen((char *)pkt_a_name(packet)) + \ - strlen((char *)pkt_a_inst(packet)) + \ - strlen((char *)pkt_a_realm(packet))) - -#define pkt_no_req(packet) (unsigned short) \ - *(packet->dat+9+strlen((char *)pkt_a_name(packet)) + \ - strlen((char *)pkt_a_inst(packet)) + \ - strlen((char *)pkt_a_realm(packet))) -#define pkt_x_date(packet) (char *) \ - (packet->dat+10+strlen((char *)pkt_a_name(packet)) + \ - strlen((char *)pkt_a_inst(packet)) + \ - strlen((char *)pkt_a_realm(packet))) -#define pkt_err_code(packet) ( (char *) \ - (packet->dat+9+strlen((char *)pkt_a_name(packet)) + \ - strlen((char *)pkt_a_inst(packet)) + \ - strlen((char *)pkt_a_realm(packet)))) -#define pkt_err_text(packet) \ - (packet->dat+13+strlen((char *)pkt_a_name(packet)) + \ - strlen((char *)pkt_a_inst(packet)) + \ - strlen((char *)pkt_a_realm(packet))) - -/* - * This remains here for the KDC to use for now, but will go away - * soon. - */ - -#define swap_u_long(x) {\ - unsigned KRB4_32 _krb_swap_tmp[4];\ - swab((char *) &x, ((char *) _krb_swap_tmp) +2 ,2); \ - swab(((char *) &x) +2,((char *) _krb_swap_tmp),2); \ - x = _krb_swap_tmp[0]; \ - } - -/* - * New byte swapping routines, much cleaner. - * - * Should also go away soon though. 
- */ -#include "k5-platform.h" - -#ifdef SWAP16 -#define krb4_swab16(val) SWAP16(val) -#else -#define krb4_swab16(val) ((((val) >> 8)&0xFF) | ((val) << 8)) -#endif -#ifdef SWAP32 -#define krb4_swap32(val) SWAP32(val) -#else -#define krb4_swab32(val) ((((val)>>24)&0xFF) | (((val)>>8)&0xFF00) | \ - (((val)<<8)&0xFF0000) | ((val)<<24)) -#endif - -/* - * Macros to encode integers into buffers. These take a parameter - * that is a moving pointer of type (unsigned char *) into the buffer, - * and assume that the caller has already bounds-checked. - */ -#define KRB4_PUT32BE(p, val) (store_32_be(val, p), (p) += 4) -#define KRB4_PUT32LE(p, val) (store_32_le(val, p), (p) += 4) -#define KRB4_PUT32(p, val, le) \ -do { \ - if (le) \ - KRB4_PUT32LE((p), (val)); \ - else \ - KRB4_PUT32BE((p), (val)); \ -} while (0) - -#define KRB4_PUT16BE(p, val) (store_16_be(val, p), (p) += 2) -#define KRB4_PUT16LE(p, val) (store_16_le(val, p), (p) += 2) -#define KRB4_PUT16(p, val, le) \ -do { \ - if (le) \ - KRB4_PUT16LE((p), (val)); \ - else \ - KRB4_PUT16BE((p), (val)); \ -} while (0) - -/* - * Macros to get integers from a buffer. These take a parameter that - * is a moving pointer of type (unsigned char *) into the buffer, and - * assume that the caller has already bounds-checked. In addition, - * they assume that val is an unsigned type; ANSI leaves the semantics - * of unsigned -> signed conversion as implementation-defined, so it's - * unwise to depend on such. 
- */ -#define KRB4_GET32BE(val, p) ((val) = load_32_be(p), (p) += 4) -#define KRB4_GET32LE(val, p) ((val) = load_32_le(p), (p) += 4) -#define KRB4_GET32(val, p, le) \ -do { \ - if (le) \ - KRB4_GET32LE((val), (p)); \ - else \ - KRB4_GET32BE((val), (p)); \ -} while (0) - -#define KRB4_GET16BE(val, p) ((val) = load_16_be(p), (p) += 2) -#define KRB4_GET16LE(val, p) ((val) = load_16_le(p), (p) += 2) -#define KRB4_GET16(val, p, le) \ -do { \ - if (le) \ - KRB4_GET16LE((val), (p)); \ - else \ - KRB4_GET16BE((val), (p)); \ -} while (0) - -/* Routines to create and read packets may be found in prot.c */ - -KTEXT create_auth_reply(char *, char *, char *, long, int, - unsigned long, int, KTEXT); -KTEXT create_death_packet(char *); -KTEXT pkt_cipher(KTEXT); - -/* getst.c */ -int krb4int_getst(int, char *, int); - -/* strnlen.c */ -extern int KRB5_CALLCONV krb4int_strnlen(const char *, int); - -/* prot_client.c */ -extern int KRB5_CALLCONV krb4prot_encode_kdc_request( - char *, char *, char *, - KRB4_32, int, - char *, char *, - char *, int, int, int, - KTEXT); -extern int KRB5_CALLCONV krb4prot_decode_kdc_reply( - KTEXT, - int *, - char *, char *, char *, - long *, int *, unsigned long *, int *, KTEXT); -extern int KRB5_CALLCONV krb4prot_decode_ciph( - KTEXT, int, - C_Block, - char *, char *, char *, - int *, int *, KTEXT, unsigned long *); -extern int KRB5_CALLCONV krb4prot_encode_apreq( - int, char *, - KTEXT, KTEXT, - int, int, KTEXT); -extern int KRB5_CALLCONV krb4prot_encode_authent( - char *, char *, char *, - KRB4_32, - int, long, - int, int le, - KTEXT pkt); -extern int KRB5_CALLCONV krb4prot_decode_error( - KTEXT, int *, - char *, char *, char *, - unsigned long *, unsigned long *, char *); - -/* prot_common.c */ -extern int KRB5_CALLCONV krb4prot_encode_naminstrlm( - char *, char *, char *, - int, KTEXT, unsigned char **); -extern int KRB5_CALLCONV krb4prot_decode_naminstrlm( - KTEXT, unsigned char **, - char *, char *, char *); -extern int KRB5_CALLCONV 
krb4prot_decode_header( - KTEXT, int *, int *, int *); - -/* prot_kdc.c */ -extern int KRB5_CALLCONV krb4prot_encode_kdc_reply( - char *, char *, char *, - long, int, unsigned long, - int, KTEXT, int, int, KTEXT); -extern int KRB5_CALLCONV krb4prot_encode_ciph( - C_Block, - char *, char *, char *, - unsigned long, int, KTEXT, unsigned long, - int, int, KTEXT); -extern int KRB5_CALLCONV krb4prot_encode_tkt( - unsigned int, - char *, char *, char *, - unsigned long, - char *, int, long, - char *, char *, - int, int, KTEXT tkt); -extern int KRB5_CALLCONV krb4prot_encode_err_reply( - char *, char *, char *, - unsigned long, unsigned long, char *, - int, int, KTEXT); -extern int KRB5_CALLCONV krb4prot_decode_kdc_request( - KTEXT, - int *, char *, char *, char *, - long *, int *, char *sname, char *sinst); - -/* Message types , always leave lsb for byte order */ - -#define AUTH_MSG_KDC_REQUEST 1<<1 -#define AUTH_MSG_KDC_REPLY 2<<1 -#define AUTH_MSG_APPL_REQUEST 3<<1 -#define AUTH_MSG_APPL_REQUEST_MUTUAL 4<<1 -#define AUTH_MSG_ERR_REPLY 5<<1 -#define AUTH_MSG_PRIVATE 6<<1 -#define AUTH_MSG_SAFE 7<<1 -#define AUTH_MSG_APPL_ERR 8<<1 -#define AUTH_MSG_DIE 63<<1 - -/* values for kerb error codes */ - -#define KERB_ERR_OK 0 -#define KERB_ERR_NAME_EXP 1 -#define KERB_ERR_SERVICE_EXP 2 -#define KERB_ERR_AUTH_EXP 3 -#define KERB_ERR_PKT_VER 4 -#define KERB_ERR_NAME_MAST_KEY_VER 5 -#define KERB_ERR_SERV_MAST_KEY_VER 6 -#define KERB_ERR_BYTE_ORDER 7 -#define KERB_ERR_PRINCIPAL_UNKNOWN 8 -#define KERB_ERR_PRINCIPAL_NOT_UNIQUE 9 -#define KERB_ERR_NULL_KEY 10 -/* Cygnus extensions for Preauthentication */ -#define KERB_ERR_PREAUTH_SHORT 11 -#define KERB_ERR_PREAUTH_MISMATCH 12 - -/* Return codes from krb4prot_ encoders/decoders */ - -#define KRB4PROT_OK 0 -#define KRB4PROT_ERR_UNDERRUN 1 -#define KRB4PROT_ERR_OVERRUN 2 -#define KRB4PROT_ERR_PROT_VERS 3 -#define KRB4PROT_ERR_MSG_TYPE 4 -#define KRB4PROT_ERR_GENERIC 255 - -#endif /* PROT_DEFS */ 
diff --git a/src/kadmin/dbutil/Makefile.in b/src/kadmin/dbutil/Makefile.in index 2d8b15da5..66bebb211 100644 --- a/src/kadmin/dbutil/Makefile.in +++ b/src/kadmin/dbutil/Makefile.in @@ -2,10 +2,9 @@ thisconfigdir=../.. myfulldir=kadmin/dbutil mydir=kadmin/dbutil BUILDTOP=$(REL)..$(S).. -DEFINES = -DKDB4_DISABLE DEFS= -LOCALINCLUDES = -I. @KRB4_INCLUDES@ -PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) +LOCALINCLUDES = -I. +PROG_LIBPATH=-L$(TOPLIBD) $(KRB5_LIBPATH) PROG_RPATH=$(KRB5_LIBDIR) KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) @@ -17,8 +16,8 @@ OBJS = kdb5_util.o kdb5_create.o kadm5_create.o string_table.o kdb5_destroy.o kd all:: $(PROG) -$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $(PROG) $(OBJS) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB4COMPAT_LIBS) +$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $(PROG) $(OBJS) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS) import_err.c import_err.h: $(srcdir)/import_err.et diff --git a/src/krb5-config.M b/src/krb5-config.M index c0a0fa140..56661aee7 100644 --- a/src/krb5-config.M +++ b/src/krb5-config.M @@ -64,7 +64,6 @@ values for \fIlibraries\fP are: .in +.5i krb5 Kerberos 5 application gssapi GSSAPI application with Kerberos 5 bindings -krb4 Kerberos 4 application kadm-client Kadmin client kadm-server Kadmin server kdb Application that accesses the kerberos database diff --git a/src/krb5-config.in b/src/krb5-config.in index 711dac925..1952ccb5c 100755 --- a/src/krb5-config.in +++ b/src/krb5-config.in @@ -32,8 +32,6 @@ exec_prefix=@exec_prefix@ includedir=@includedir@ libdir=@libdir@ CC_LINK='@CC_LINK@' -KRB4_LIB=@KRB4_LIB@ -DES425_LIB=@DES425_LIB@ KDB5_DB_LIB=@KDB5_DB_LIB@ LDFLAGS='@LDFLAGS@' RPATH_FLAG='@RPATH_FLAG@' @@ -87,9 +85,6 @@ while test $# != 0; do gssapi) library=gssapi ;; - krb4) - library=krb4 - ;; kadm-client) library=kadm_client ;; 
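Review bot: In the first hunk of src/kadmin/dbutil/Makefile.in (`@@ -2,10 +2,9 @@`), the new `PROG_LIBPATH=-L$(TOPLIBD) $(KRB5_LIBPATH)` references a variable that nothing in the visible diff defines; it reads like a mechanical rename of `$(KRB4_LIBPATH)`. If the shared pre.in does not define `KRB5_LIBPATH`, make expands it to empty without a warning and will take a value from the build environment instead, so the linker search path for this program would depend on the environment the build runs in. Since no krb4 library directory is needed any more, `PROG_LIBPATH=-L$(TOPLIBD)` states the intent directly. The same hunk drops `DEFINES = -DKDB4_DISABLE`; it is worth confirming that no source in this directory still tests `KDB4_DISABLE`, because any such code would now be compiled against headers this commit deletes.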
@@ -126,7 +121,6 @@ if test -n "$do_help"; then echo "Libraries:" echo " krb5 Kerberos 5 application" echo " gssapi GSSAPI application with Kerberos 5 bindings" - echo " krb4 Kerberos 4 application" echo " kadm-client Kadmin client" echo " kadm-server Kadmin server" echo " kdb Application that accesses the kerberos database" @@ -219,11 +213,6 @@ if test -n "$do_libs"; then library=krb5 fi - if test $library = 'krb4'; then - lib_flags="$lib_flags $KRB4_LIB $DES425_LIB" - library=krb5 - fi - if test $library = 'krb5'; then lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB" fi diff --git a/src/krb524/Makefile.in b/src/krb524/Makefile.in deleted file mode 100644 index e832733f2..000000000 --- a/src/krb524/Makefile.in +++ /dev/null 
@@ -1,175 +0,0 @@ -thisconfigdir=.. -myfulldir=krb524 -mydir=krb524 -BUILDTOP=$(REL).. -KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) -DEFS= - -# Copyright 1994 by OpenVision Technologies, Inc. -# -# Permission to use, copy, modify, distribute, and sell this software -# and its documentation for any purpose is hereby granted without fee, -# provided that the above copyright notice appears in all copies and -# that both that copyright notice and this permission notice appear in -# supporting documentation, and that the name of OpenVision not be used -# in advertising or publicity pertaining to distribution of the software -# without specific, written prior permission. OpenVision makes no -# representations about the suitability of this software for any -# purpose. It is provided "as is" without express or implied warranty. -# -# OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, -# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO -# EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR -# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF -# USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR -# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. -# - -DEFINES = -DUSE_MASTER -DKRB524_PRIVATE=1 -PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) -PROG_RPATH=$(KRB5_LIBDIR) - -##WIN32##!if ("$(CPU)" == "i386") && defined(USE_ALTERNATE_KRB4_INCLUDES) -##WIN32##KRB4_INCLUDES=-I$(USE_ALTERNATE_KRB4_INCLUDES) -##WIN32##!endif - -##WIN32##!if ("$(CPU)" == "i386") && defined(USE_ALTERNATE_KRB4_LIB) -##WIN32##K4LIB=$(USE_ALTERNATE_KRB4_LIB) -##WIN32##!endif - -K524EXE = $(OUTPRE)k524init.exe -K524LIB = $(OUTPRE)krb524.lib -K524DEP = $(K524LIB) -K524DEF = krb524.def -WINLIBS = kernel32.lib ws2_32.lib user32.lib shell32.lib oldnames.lib \ - version.lib advapi32.lib gdi32.lib - -LOCALINCLUDES= $(KRB4_INCLUDES) -I. 
-I$(srcdir) - -# Library sources -SRCS = \ - $(srcdir)/cnv_tkt_skey.c \ - $(srcdir)/libinit.c \ - $(srcdir)/krb524.c - -EXTRADEPSRCS = \ - $(srcdir)/test.c \ - $(srcdir)/k524init.c \ - $(srcdir)/krb524d.c - -##WIN32##!ifdef KRB524_STATIC_HACK -##WIN32##LPREFIX=..\lib -##WIN32##K5_GLUE=$(LPREFIX)\$(OUTPRE)k5_glue.obj -##WIN32##KLIBS = $(LPREFIX)\krb5\$(OUTPRE)krb5.lib \ -##WIN32## $(LPREFIX)\crypto\$(OUTPRE)crypto.lib \ -##WIN32## $(BUILDTOP)\util\profile\$(OUTPRE)profile.lib \ -##WIN32## $(LPREFIX)\des425\$(OUTPRE)des425.lib -##WIN32##KLIB=$(KLIBS) $(DNSLIBS) $(K5_GLUE) $(CLIB) -##WIN32##STLIBOBJS=$(STLIBOBJS:libinit=globals) -##WIN32##K524DEP=$(STLIBOBJS) -##WIN32##!endif - -##WIN32##VERSIONRC = $(BUILDTOP)\windows\version.rc -##WIN32##RCFLAGS=$(CPPFLAGS) -I$(SRCTOP) -D_WIN32 -DRES_ONLY - -##WIN32##EXERES=$(K524EXE:.exe=.res) -##WIN32##LIBRES=$(K524LIB:.lib=.res) - -##WIN32##$(EXERES): $(VERSIONRC) -##WIN32## $(RC) $(RCFLAGS) -DKRB524_INIT -fo $@ -r $** -##WIN32##$(LIBRES): $(VERSIONRC) -##WIN32## $(RC) $(RCFLAGS) -DKRB524_LIB -fo $@ -r $** - -all-unix:: krb524d krb524test k524init - -##WIN32##all-windows:: $(K524EXE) $(K524LIB) - -krb524test: test.o $(KRB5_DEPLIB) $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o krb524test test.o $(KRB5_LIB) $(KRB4COMPAT_LIBS) - -SERVER_OBJS= krb524d.o cnv_tkt_skey.o -CLIENT_OBJS= $(OUTPRE)k524init.$(OBJEXT) - -krb524d: $(SERVER_OBJS) $(KADMSRV_DEPLIBS) $(KRB5_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB) - $(CC_LINK) -o krb524d $(SERVER_OBJS) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_LIB) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB) - -k524init: $(CLIENT_OBJS) $(KRB5_DEPLIB) $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o k524init $(CLIENT_OBJS) $(KRB5_LIB) $(KRB4COMPAT_LIBS) - -##WIN32##$(K524LIB): $(OUTPRE)krb524.$(OBJEXT) $(OUTPRE)libinit.$(OBJEXT) $(KLIB) $(CLIB) $(LIBRES) -##WIN32## link $(DLL_LINKOPTS) -def:$(K524DEF) -out:$*.dll $** $(WINLIBS) -##WIN32## $(_VC_MANIFEST_EMBED_DLL) - -##WIN32##$(K524EXE): $(OUTPRE)k524init.$(OBJEXT) $(KLIB) $(K4LIB) 
$(CLIB) $(EXERES) $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib -##WIN32## link $(EXE_LINKOPTS) -out:$@ $** $(WINLIBS) $(SCLIB) -##WIN32## $(_VC_MANIFEST_EMBED_EXE) - -install-unix:: - $(INSTALL_PROGRAM) krb524d $(DESTDIR)$(SERVER_BINDIR)/krb524d - $(INSTALL_PROGRAM) k524init $(DESTDIR)$(CLIENT_BINDIR)/krb524init - $(INSTALL_DATA) $(srcdir)/krb524d.M $(DESTDIR)$(SERVER_MANDIR)/krb524d.8 - $(INSTALL_DATA) $(srcdir)/k524init.M \ - $(DESTDIR)$(CLIENT_MANDIR)/krb524init.1 - -clean-unix:: - $(RM) $(OBJS) core *~ *.bak #* - $(RM) krb524test krb524d k524init test.o $(CLIENT_OBJS) $(SERVER_OBJS) - - -# +++ Dependency line eater +++ -# -# Makefile dependencies follow. This must be the last section in -# the Makefile.in file -# -$(OUTPRE)cnv_tkt_skey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h cnv_tkt_skey.c krb524d.h -$(OUTPRE)libinit.$(OBJEXT): libinit.c -$(OUTPRE)krb524.$(OBJEXT): krb524.c -$(OUTPRE)test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - 
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h test.c -$(OUTPRE)k524init.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h k524init.c -$(OUTPRE)krb524d.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(KRB_ERR_H_DEP) \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \ - $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \ - $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \ - $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \ - $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \ - $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - 
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h krb524d.c krb524d.h diff --git a/src/krb524/README b/src/krb524/README deleted file mode 100644 index dd7ca9c23..000000000 --- a/src/krb524/README +++ /dev/null 
@@ -1,154 +0,0 @@ -Copyright 1994 by OpenVision Technologies, Inc. - -Permission to use, copy, modify, distribute, and sell this software -and its documentation for any purpose is hereby granted without fee, -provided that the above copyright notice appears in all copies and -that both that copyright notice and this permission notice appear in -supporting documentation, and that the name of OpenVision not be used -in advertising or publicity pertaining to distribution of the software -without specific, written prior permission. OpenVision makes no -representations about the suitability of this software for any -purpose. It is provided "as is" without express or implied warranty. - -OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, -INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO -EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR -CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF -USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR -OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -PERFORMANCE OF THIS SOFTWARE. - - -Kerberos V5 to Kerberos V4 Credentials Converting Service, ALPHA RELEASE -======================================================================== - -krb524 is a service that converts Kerberos V5 credentials into -Kerberos V4 credentials suitable for use with applications that for -whatever reason do not use V5 directly. The service consists of a -server that has access to the secret key of the Kerberos service for -which credentials will be converted, and a library for use by client -programs that wish to use the server. - -The protocol is simple. Suppose that a client C wishes to obtain V4 -credentials for a V5 service S by using the krb524 server. The -notation {C,S}_n represents a Vn service ticket for S for use by C. - -(1) C obtains V5 credentials, including a ticket {C,S}_5, for S by the -normal V5 means. 
- -(2) C transmits {C,S}_5 to KRB524. - -(3) KRB524 converts {C,S}_5 into {C,S}_4. - -(4) KRB524 transmits {C,S}_4 to C. - -(5) C creates a V4 credentials strucuture from the plaintext -information in the V5 credential and {C,S}_4. - -Steps (2) through (4) are encapsulated in a single function call in -the krb524 library. - -An alternate conversion is provided for AFS servers that support the -encrypted part of a krb5 ticket as an AFS token. If the krb524d is -converting a principal whose first component is afs and if the -encrypted part of the ticket fits in 344 bytes, then it will default -to simply returning the encrypted part of the ticket as a token. If -it turns out that the AFS server does not support the ticket, then -users will get an unknown key version error and the krb524d must be -configured to use v4 tickets for this AFS service. - - -Obviously, not all V5 credentials can be completely converted to V4 -credentials, since the former is a superset of the latter. The -precise semantics of the conversion function are still undecided. -UTSL. - -Programs contained in this release -====================================================================== - -krb524d [-m[aster]] [-k[eytab]] - -The krb524 server. It accepts UDP requests on the krb524 service -port, specified in /etc/services, or on port 4444 by default. (A -request for an official port assignment is underway.) The -m argument -causes krb524d to access the KDC master database directly; the -k -argument causes krb524d to use the default keytab (and therefore only -be able to convert tickets for services in the keytab). Only one of --m or -k can be specified. - -test -remote server client service - -A test program that obtains a V5 credential for {client,service}, -converts it to a V4 credential, and prints out the entire contents of -both versions. It prompts for service's secret key, which it needs to -decrypt both tickets in order to print them out. Enter it as an eight -digit ASCII hex number. 
- -k524init [-n] [-p principal] - -Convert a V5 credential into a V4 credential and store it in a V4 -ticket file. The client is 'principal', or krbtgt at the V5 ccache's -default principal's realm if not specified. The -n argument causes -the new ticket to be added to the existing ticket file; otherwise, the -ticket file is initialized. - -Configuring krb524d AFS Conversion -====================================================================== - -The krb524d looks in the appdefaults section of krb5.conf for an -application called afs_krb5 to determine whether afs principals -support encrypted ticket parts as tokens. The following configuration -fragment says that afs/sipb.mit.edu@ATHENA.MIT.EDU supports the new -token format but afs@ATHENA.MIT.EDU and -afs/athena.mit.edu@ATHENA.MIT.EDU do not. Note that the default is to -assume afs servers support the new format. - -[appdefaults] -afs_krb5 = { - ATHENA.MIT.EDU = { - # This stanza describes principals in the - #ATHENA.MIT.EDU realm - afs = false - afs/athena.mit.edu = false - afs/sipb.mit.edu = true - } -} - - -Using libkrb524.a -====================================================================== - -To use libkrb524.a, #include "krb524.h", link against libkrb524.a, -call krb524_init_ets() at the beginning of your program, and call one -of the following two functions: - -int krb524_convert_creds_addr(krb5_creds *v5creds, CREDENTIALS *v4creds, - struct sockaddr *saddr) - -int krb524_convert_creds_kdc(krb5_creds *v5creds, CREDENTIALS *v4creds) - -Both convert the V5 credential in v5creds into a V4 credential in -v4creds. One assumes krb524d is running on the KDC, the other uses an -explicit host. You only need to specify the address for saddr; the -port is filled in automatically. - -Unresolved issues / Bugs -====================================================================== - -o krb524d requires access to the secret key of any service to be -converted. 
Should krb524d run on the KDC or on individual server -machines? The latter is more paranoid, since it prevents bugs in -krb524d from provided unauthorized access to the master database. -However, it also requires the client to provide the address of the -server to be used. The client will usually have this information -(since presumably it will be sending the converted V4 credentials to -the same server) but it may not be in a convenient form. It seems -"cleaner" to have krb524d run on the KDC. - -o Even if krb524d uses keytabs on server machines, it needs to be more -flexible. You only want to run one krb524d per host, so it has to be -able to scan multiple keytabs. This might get logistically messy. - -o This code is of alpha quality. Bugs, omissions, memory leaks, and -perhaps security holes still remain. Do not use it (yet) in a -production environment. diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c deleted file mode 100644 index 217eb40a8..000000000 --- a/src/krb524/cnv_tkt_skey.c +++ /dev/null 
@@ -1,223 +0,0 @@ -/* - * Copyright 2003 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * Copyright 1994 by OpenVision Technologies, Inc. - * - * Permission to use, copy, modify, distribute, and sell this software - * and its documentation for any purpose is hereby granted without fee, - * provided that the above copyright notice appears in all copies and - * that both that copyright notice and this permission notice appear in - * supporting documentation, and that the name of OpenVision not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. OpenVision makes no - * representations about the suitability of this software for any - * purpose. It is provided "as is" without express or implied warranty. 
- * - * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO - * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#include "k5-int.h" /* we need krb5_context::clockskew */ -#include -#include - -#ifdef _WIN32 -#include "port-sockets.h" -#else -#include -#include -#endif -#include -#include "krb524d.h" - -static int krb524d_debug = 0; - -static int -krb524_convert_princs(context, client, server, pname, pinst, prealm, - sname, sinst, srealm) - krb5_context context; - krb5_principal client, server; - char *pname, *pinst, *prealm, *sname, *sinst, *srealm; -{ - int ret; - - if ((ret = krb5_524_conv_principal(context, client, pname, pinst, - prealm))) - return ret; - - return krb5_524_conv_principal(context, server, sname, sinst, srealm); -} -/* - * Convert a v5 ticket for server to a v4 ticket, using service key - * skey for both. - */ -int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, - saddr) - krb5_context context; - krb5_ticket *v5tkt; - KTEXT_ST *v4tkt; - krb5_keyblock *v5_skey, *v4_skey; - struct sockaddr_in *saddr; -{ - char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; - char sname[ANAME_SZ], sinst[INST_SZ], srealm[REALM_SZ]; - krb5_enc_tkt_part *v5etkt; - int ret, lifetime, v4endtime; - krb5_timestamp server_time; - struct sockaddr_in *sinp = (struct sockaddr_in *)saddr; - krb5_address kaddr; - - v5tkt->enc_part2 = NULL; - if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) { - return ret; - } - v5etkt = v5tkt->enc_part2; - - if (v5etkt->transited.tr_contents.length != 0) { - /* Some intermediate realms transited -- do we accept them? - - Simple answer: No. 
- - More complicated answer: Check our local config file to - see if the path is correct, and base the answer on that. - This denies the krb4 application server any ability to do - its own validation as krb5 servers can. - - Fast answer: Not right now. */ - krb5_free_enc_tkt_part(context, v5etkt); - v5tkt->enc_part2 = NULL; - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } - /* We could also encounter a case where luser@R1 gets a ticket - for krbtgt/R3@R2, and then tries to convert it. But the - converted ticket would be one the v4 KDC code should reject - anyways. So we don't need to worry about it here. */ - - if ((ret = krb524_convert_princs(context, v5etkt->client, v5tkt->server, - pname, pinst, prealm, sname, - sinst, srealm))) { - krb5_free_enc_tkt_part(context, v5etkt); - v5tkt->enc_part2 = NULL; - return ret; - } - if ((v5etkt->session->enctype != ENCTYPE_DES_CBC_CRC && - v5etkt->session->enctype != ENCTYPE_DES_CBC_MD4 && - v5etkt->session->enctype != ENCTYPE_DES_CBC_MD5) || - v5etkt->session->length != sizeof(C_Block)) { - if (krb524d_debug) - fprintf(stderr, "v5 session keyblock type %d length %d != C_Block size %d\n", - v5etkt->session->enctype, - v5etkt->session->length, - (int) sizeof(C_Block)); - krb5_free_enc_tkt_part(context, v5etkt); - v5tkt->enc_part2 = NULL; - return KRB524_BADKEY; - } - - /* V4 has no concept of authtime or renew_till, so ignore them */ - if (v5etkt->times.starttime == 0) - v5etkt->times.starttime = v5etkt->times.authtime; - /* rather than apply fit an extended v5 lifetime into a v4 range, - give out a v4 ticket with as much of the v5 lifetime is available - "now" instead. 
*/ - if ((ret = krb5_timeofday(context, &server_time))) { - if (krb524d_debug) - fprintf(stderr, "krb5_timeofday failed!\n"); - krb5_free_enc_tkt_part(context, v5etkt); - v5tkt->enc_part2 = NULL; - return ret; - } - if ((server_time + context->clockskew >= v5etkt->times.starttime) - && (server_time - context->clockskew <= v5etkt->times.endtime)) { - lifetime = krb_time_to_life(server_time, v5etkt->times.endtime); - v4endtime = krb_life_to_time(server_time, lifetime); - /* - * Adjust start time backwards if the lifetime value - * returned by krb_time_to_life() maps to a longer lifetime - * than that of the original krb5 ticket. - */ - if (v4endtime > v5etkt->times.endtime) - server_time -= v4endtime - v5etkt->times.endtime; - } else { - if (krb524d_debug) - fprintf(stderr, "v5 ticket time out of bounds\n"); - krb5_free_enc_tkt_part(context, v5etkt); - v5tkt->enc_part2 = NULL; - if (server_time+context->clockskew < v5etkt->times.starttime) - return KRB5KRB_AP_ERR_TKT_NYV; - else if (server_time-context->clockskew > v5etkt->times.endtime) - return KRB5KRB_AP_ERR_TKT_EXPIRED; - else /* shouldn't happen, but just in case... */ - return KRB5KRB_AP_ERR_TKT_NYV; - } - - kaddr.addrtype = ADDRTYPE_INET; - kaddr.length = sizeof(sinp->sin_addr); - kaddr.contents = (krb5_octet *)&sinp->sin_addr; - - if (!krb5_address_search(context, &kaddr, v5etkt->caddrs)) { - if (krb524d_debug) - fprintf(stderr, "Invalid v5creds address information.\n"); - krb5_free_enc_tkt_part(context, v5etkt); - v5tkt->enc_part2 = NULL; - return KRB524_BADADDR; - } - - if (krb524d_debug) - printf("startime = %ld, authtime = %ld, lifetime = %ld\n", - (long) v5etkt->times.starttime, - (long) v5etkt->times.authtime, - (long) lifetime); - - /* XXX are there V5 flags we should map to V4 equivalents? 
*/ - if (v4_skey->enctype == ENCTYPE_DES_CBC_CRC) { - ret = krb_create_ticket(v4tkt, - 0, /* flags */ - pname, - pinst, - prealm, - sinp->sin_addr.s_addr, - (char *) v5etkt->session->contents, - lifetime, - /* issue_data */ - server_time, - sname, - sinst, - v4_skey->contents); - } - else abort(); - krb5_free_enc_tkt_part(context, v5etkt); - v5tkt->enc_part2 = NULL; - if (ret == KSUCCESS) - return 0; - else - return KRB524_V4ERR; -} diff --git a/src/krb524/k524init.M b/src/krb524/k524init.M deleted file mode 100644 index f480767a0..000000000 --- a/src/krb524/k524init.M +++ /dev/null 
@@ -1,47 +0,0 @@
-.\" krb524/k524init.M
-.\"
-.\" Copyright 2005 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KRB524INIT 1
-.SH NAME
-krb524init \- Obtain Kerberos V4 tickets from Kerberos V5 tickets
-.SH SYNOPSIS
-\fBkrb524init\fP [\fB\-n\fP] [\fB\-p\fP \fIprincipal\fP]
-.SH DESCRIPTION
-.I krb524init
-converts a V5 credential to a V4 credential by querying a remote krb524d
-server and stores it in a V4 ticket cache. The credential is
-.I principal
-or "krbtgt" at the V5 ticket cache's default principal's realm if not
-specified.
-.SH OPTIONS
-.TP
-.B \-n
-By default, the V4 ticket cache is initialized. If this option is given,
-the converted credential is instead added to the existing ticket cache.
-.TP
-\fB\-p\fP \fIprincipal\fP
-Convert
-.I principal
-rather than krbtgt.
-.SH SEE ALSO
-kinit(1), krb524d(8)
diff --git a/src/krb524/k524init.c b/src/krb524/k524init.c
deleted file mode 100644
index c611b2e5c..000000000
--- a/src/krb524/k524init.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */ - -#include "autoconf.h" -#include "k5-int.h" /* for data_eq */ -#include -#include "com_err.h" - -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include -#include -#ifndef _WIN32 -#include -#include -#include -#endif - -#include - -extern int optind; -extern char *optarg; -char *prog = "k524init"; - -int main(argc, argv) - int argc; - char **argv; -{ - krb5_principal client, server; - krb5_ccache cc; - krb5_creds increds, *v5creds; - CREDENTIALS v4creds; - int code; - int option; - char *princ = NULL; - int nodelete = 0; - int lose = 0; - krb5_context context; - krb5_error_code retval; - - if (argv[0]) { - prog = strrchr (argv[0], '/'); - if (prog) - prog++; - else - prog = argv[0]; - } - - retval = krb5_init_context(&context); - if (retval) { - com_err(prog, retval, "while initializing krb5"); - exit(1); - } - - while(((option = getopt(argc, argv, "p:n")) != -1)) { - switch(option) { - case 'p': - princ = optarg; - break; - case 'n': - nodelete++; - break; - default: - lose++; - break; - } - } - - if (lose || (argc - optind > 1)) { - fprintf(stderr, "Usage: %s [-p principal] [-n]\n", prog); - exit(1); - } - - if ((code = krb5_cc_default(context, &cc))) { - com_err(prog, code, "opening default credentials cache"); - exit(1); - } - - if ((code = krb5_cc_get_principal(context, cc, &client))) { - com_err(prog, code, "while retrieving user principal name"); - exit(1); - } - - if (princ) { - if ((code = krb5_parse_name(context, princ, &server))) { - com_err(prog, code, "while parsing service principal name"); - exit(1); - } - } else { - if ((code = krb5_build_principal(context, &server, - krb5_princ_realm(context, client)->length, - krb5_princ_realm(context, client)->data, - "krbtgt", - krb5_princ_realm(context, client)->data, - NULL))) { - com_err(prog, code, "while creating service principal name"); - exit(1); - } - } - - if (!nodelete) { - krb5_data *crealm = krb5_princ_realm (context, client); - krb5_data *srealm = krb5_princ_realm (context, 
server); - if (!data_eq(*crealm, *srealm)) { - /* Since krb4 ticket files don't store the realm name - separately, and the client realm is assumed to be the - realm of the first ticket, let's not store an initial - ticket with the wrong realm name, since it'll confuse - other programs. */ - fprintf (stderr, - "%s: Client and server principals' realm names are different;\n" - "\tbecause of limitations in the krb4 ticket file implementation,\n" - "\tthis doesn't work for an initial ticket. Try `%s -n'\n" - "\tif you already have other krb4 tickets, or convert the\n" - "\tticket-granting ticket from your home realm.\n", - prog, prog); - exit (1); - } - } - - memset((char *) &increds, 0, sizeof(increds)); - increds.client = client; - increds.server = server; - increds.times.endtime = 0; - increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; - if ((code = krb5_get_credentials(context, 0, cc, &increds, &v5creds))) { - com_err(prog, code, "getting V5 credentials"); - exit(1); - } - - if ((code = krb5_524_convert_creds(context, v5creds, &v4creds))) { - com_err(prog, code, "converting to V4 credentials"); - exit(1); - } - - /* this is stolen from the v4 kinit */ - - if (!nodelete) { - /* initialize ticket cache */ - code = krb_in_tkt(v4creds.pname,v4creds.pinst,v4creds.realm); - if (code != KSUCCESS) { - fprintf (stderr, "%s: %s trying to create the V4 ticket file", - prog, krb_get_err_text (code)); - exit(1); - } - } - - /* stash ticket, session key, etc. for future use */ - /* This routine does *NOT* return one of the usual com_err codes. */ - if ((code = krb_save_credentials(v4creds.service, v4creds.instance, - v4creds.realm, v4creds.session, - v4creds.lifetime, v4creds.kvno, - &(v4creds.ticket_st), - v4creds.issue_date))) { - fprintf (stderr, "%s: %s trying to save the V4 ticket\n", - prog, krb_get_err_text (code)); - exit(1); - } - - exit(0); -} diff --git a/src/krb524/krb524.c b/src/krb524/krb524.c deleted file mode 100644 index 1eff72f00..000000000 
--- a/src/krb524/krb524.c +++ /dev/null @@ -1,47 +0,0 @@ -/* - * Copyright (C) 2003 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#ifdef _WIN32 -#include "krb5.h" - -#ifdef krb524_convert_creds_kdc -#undef krb524_convert_creds_kdc -#endif -#ifdef krb524_init_ets -#undef krb524_init_ets -#endif - -int KRB5_CALLCONV_WRONG -krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds, struct credentials *v4creds) -{ - return(krb5_524_convert_creds(context,v5creds,v4creds)); -} - -void KRB5_CALLCONV_WRONG -krb524_init_ets(krb5_context context) -{ - /* no-op */ -} -#endif /* _WIN32 */ diff --git a/src/krb524/krb524.def b/src/krb524/krb524.def deleted file mode 100644 index 67d205045..000000000 --- a/src/krb524/krb524.def +++ /dev/null 
@@ -1,13 +0,0 @@
-;----------------------------------------------------
-; KRB524.DEF - KRB524.DLL module definition file
-;----------------------------------------------------
-
-; ****************************************************************************
-; Do not add any function to this file until you make sure the calling
-; convention for the exported function is KRB5_CALLCONV
-; ****************************************************************************
-
-
-EXPORTS
- krb524_convert_creds_kdc @1
- krb524_init_ets @2
diff --git a/src/krb524/krb524_prot b/src/krb524/krb524_prot
deleted file mode 100644
index f83854d77..000000000
--- a/src/krb524/krb524_prot
+++ /dev/null
@@ -1,11 +0,0 @@
-Protocol:
-
- -> ASN.1 encoded V5 ticket
- <- int status_code, [int kvno, encode_v4tkt encoded KTEXT_ST]
-
-kvno and V4 ticket are only included if status_code is zero.
-
-The kvno for the converted ticket is sent explicitly because the field
-is ASN.1 encoded in the krb5_creds structure; the client would have to
-decode (but not decrypt) the entire krb5_ticket structure to get it,
-which would be inefficient.
diff --git a/src/krb524/krb524d.M b/src/krb524/krb524d.M
deleted file mode 100644
index dee00cf81..000000000
--- a/src/krb524/krb524d.M
+++ /dev/null
@@ -1,74 +0,0 @@ -.\" krb524/krb524d.M -.\" -.\" Copyright 1990 by the Massachusetts Institute of Technology. -.\" -.\" Export of this software from the United States of America may -.\" require a specific license from the United States Government. -.\" It is the responsibility of any person or organization contemplating -.\" export to obtain such a license before exporting. -.\" -.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\" distribute this software and its documentation for any purpose and -.\" without fee is hereby granted, provided that the above copyright -.\" notice appear in all copies and that both that copyright notice and -.\" this permission notice appear in supporting documentation, and that -.\" the name of M.I.T. not be used in advertising or publicity pertaining -.\" to distribution of the software without specific, written prior -.\" permission. Furthermore if you modify this software you must label -.\" your software as modified software and not distribute it in such a -.\" fashion that it might be confused with the original M.I.T. software. -.\" M.I.T. makes no representations about the suitability of -.\" this software for any purpose. It is provided "as is" without express -.\" or implied warranty. -.\" " -.TH KRB524D 8 -.SH NAME -krb524d \- Version 5 to Version 4 Credentials Conversion Daemon -.SH SYNOPSIS -.B krb524d -[ -.B \-m[aster] -| -.B \-k[eytab] -] [ -.B \-r -.I realm -] [ -.B \-nofork -] [ -.B \-p -.I portnum -] -.br -.SH DESCRIPTION -.I krb524d -is the Kerberos Version 5 to Version 4 Credentials Conversion daemon. -It works in conjuction with a krb5kdc to allow clients to acquire Kerberos -version 4 tickets from Kerberos version 5 tickets without specifying a password. -.SH OPTIONS -.TP -\fB\-m[aster]\fP -Use the KDC database to convert credentials. This option cannot be combined with -\fB\-k[eytab]\fP. -.TP -\fB\-k[eytab]\fP -Use the default keytab to convert credentials. 
This option cannot be combined with -\fB\-m[aster]\fP. -.TP -\fB\-r\fP \fIrealm\fP -Convert credentials for \fIrealm\fP; by default the realm returned by -.IR krb5_default_local_realm (3) -is used. -.TP -\fB\-nofork\fP -specifies that krb524d not fork on launch. Useful for debugging purposes. -.TP -\fB\-p\fP \fIportnum\fP -specifies the default UDP port number which krb524d should listen on for -Kerberos 524 requests. This value is used when no port is specified in -the KDC profile and when no port is specified in the Kerberos configuration -file. -If no value is available, then the value in /etc/services for service -"krb524" is used. -.SH SEE ALSO -kerberos(1), krb5kdc(8), kdb5_util(8), kdc.conf(5) diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c deleted file mode 100644 index 202cda920..000000000 --- a/src/krb524/krb524d.c +++ /dev/null 
@@ -1,637 +0,0 @@ -/* - * Copyright (C) 2002, 2007, 2008 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * Copyright 1994 by OpenVision Technologies, Inc. - * - * Permission to use, copy, modify, distribute, and sell this software - * and its documentation for any purpose is hereby granted without fee, - * provided that the above copyright notice appears in all copies and - * that both that copyright notice and this permission notice appear in - * supporting documentation, and that the name of OpenVision not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. OpenVision makes no - * representations about the suitability of this software for any - * purpose. It is provided "as is" without express or implied warranty. 
- * - * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO - * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include -#include -#include -#include - -#include -#include -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#include -#include -#include -#include -#include -#include - -#include -#include "krb524d.h" - -#if defined(NEED_DAEMON_PROTO) -extern int daemon(int, int); -#endif - -#define TIMEOUT 60 -#define TKT_BUFSIZ 2048 -#define MSGSIZE 8192 - -char *whoami; -int signalled = 0; -static int debug = 0; -void *handle = NULL; - -int use_keytab, use_master; -int allow_v4_crossrealm = 0; -char *keytab = NULL; -krb5_keytab kt; - -void init_keytab(krb5_context), - init_master(krb5_context, kadm5_config_params *), - cleanup_and_exit(int, krb5_context); -krb5_error_code do_connection(int, krb5_context); -krb5_error_code lookup_service_key(krb5_context, krb5_principal, - krb5_enctype, krb5_kvno, - krb5_keyblock *, krb5_kvno *); -krb5_error_code kdc_get_server_key(krb5_context, krb5_principal, - krb5_keyblock *, krb5_kvno *, - krb5_enctype, krb5_kvno); - -static krb5_error_code -handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, - struct sockaddr_in *saddr, - krb5_data *tktdata, krb5_kvno *v4kvno); -static krb5_error_code -afs_return_v4(krb5_context, const krb5_principal , int *use_v5); - -static void usage(context) - krb5_context context; -{ - fprintf(stderr, "Usage: %s [-k[eytab]] [-m[aster] [-r realm]] [-nofork] [-p portnum]\n", whoami); - cleanup_and_exit(1, context); -} - -static RETSIGTYPE request_exit(signo) - int signo; -{ - signalled = 1; -} - -int (*encode_v4tkt)(KTEXT, char *, 
unsigned int *) = 0; - -int main(argc, argv) - int argc; - char **argv; -{ - struct servent *serv; - struct sockaddr_in saddr; - struct timeval timeout; - int ret, s, nofork; - fd_set rfds; - krb5_context context; - krb5_error_code retval; - kadm5_config_params config_params; - unsigned long port = 0; - - whoami = ((whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0]); - - retval = krb5int_init_context_kdc(&context); - if (retval) { - com_err(whoami, retval, "while initializing krb5"); - exit(1); - } - - { - krb5int_access k5int; - retval = krb5int_accessor(&k5int, KRB5INT_ACCESS_VERSION); - if (retval != 0) { - com_err(whoami, retval, - "while accessing krb5 library internal support"); - exit(1); - } - encode_v4tkt = k5int.krb524_encode_v4tkt; - if (encode_v4tkt == NULL) { - com_err(whoami, 0, - "krb4 support disabled in krb5 support library"); - exit(1); - } - } - - argv++; argc--; - use_master = use_keytab = nofork = 0; - config_params.mask = 0; - - while (argc) { - if (strncmp(*argv, "-X", 2) == 0) { - allow_v4_crossrealm = 1; - } - else if (strncmp(*argv, "-k", 2) == 0) - use_keytab = 1; - else if (strncmp(*argv, "-m", 2) == 0) - use_master = 1; - else if (strcmp(*argv, "-nofork") == 0) - nofork = 1; - else if (strcmp(*argv, "-r") == 0) { - argv++; argc--; - if (argc == 0 || !use_master) - usage(context); - config_params.mask |= KADM5_CONFIG_REALM; - config_params.realm = *argv; - } - else if (strcmp(*argv, "-p") == 0) { - char *endptr = 0; - argv++; argc--; - if (argc == 0) - usage (context); - if (port != 0) { - com_err (whoami, 0, - "port number may only be specified once"); - exit (1); - } - port = strtoul (*argv, &endptr, 0); - if (*endptr != '\0' || port > 65535 || port == 0) { - com_err (whoami, 0, - "invalid port number %s, must be 1..65535\n", - *argv); - exit (1); - } - } - else - break; - argv++; argc--; - } - if (argc || use_keytab + use_master > 1 || - use_keytab + use_master == 0) { - use_keytab = use_master = 0; - usage(context); - } - - 
signal(SIGINT, request_exit); - signal(SIGHUP, SIG_IGN); - signal(SIGTERM, request_exit); - - krb5_klog_init(context, "krb524d", whoami, !nofork); - - if (use_keytab) - init_keytab(context); - if (use_master) - init_master(context, &config_params); - - memset((char *) &saddr, 0, sizeof(struct sockaddr_in)); - saddr.sin_family = AF_INET; - saddr.sin_addr.s_addr = INADDR_ANY; - if (port == 0) { - serv = getservbyname(KRB524_SERVICE, "udp"); - if (serv == NULL) { - com_err(whoami, 0, "service entry `%s' not found, using %d", - KRB524_SERVICE, KRB524_PORT); - saddr.sin_port = htons(KRB524_PORT); - } else - saddr.sin_port = serv->s_port; - } else - saddr.sin_port = htons(port); - - if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { - com_err(whoami, errno, "creating main socket"); - cleanup_and_exit(1, context); - } - set_cloexec_fd(s); - if ((ret = bind(s, (struct sockaddr *) &saddr, - sizeof(struct sockaddr_in))) < 0) { - com_err(whoami, errno, "binding main socket"); - cleanup_and_exit(1, context); - } - if (!nofork && daemon(0, 0)) { - com_err(whoami, errno, "while detaching from tty"); - cleanup_and_exit(1, context); - } - - while (1) { - FD_ZERO(&rfds); - FD_SET(s, &rfds); - timeout.tv_sec = TIMEOUT; - timeout.tv_usec = 0; - - ret = select(s+1, &rfds, NULL, NULL, &timeout); - if (signalled) - cleanup_and_exit(0, context); - else if (ret == 0) { - if (use_master) { - ret = kadm5_flush(handle); - if (ret && ret != KRB5_KDB_DBNOTINITED) { - com_err(whoami, ret, "closing kerberos database"); - cleanup_and_exit(1, context); - } - } - } else if (ret < 0 && errno != EINTR) { - com_err(whoami, errno, "in select"); - cleanup_and_exit(1, context); - } else if (FD_ISSET(s, &rfds)) { - if (debug) - printf("received packet\n"); - if ((ret = do_connection(s, context))) { - com_err(whoami, ret, "handling packet"); - } - } else - com_err(whoami, 0, "impossible situation occurred!"); - } - - cleanup_and_exit(0, context); -} - -void cleanup_and_exit(ret, context) - int ret; - 
krb5_context context; -{ - if (use_master && handle) { - (void) kadm5_destroy(handle); - } - if (use_keytab && kt) krb5_kt_close(context, kt); - krb5_klog_close(context); - krb5_free_context(context); - exit(ret); -} - -void init_keytab(context) - krb5_context context; -{ - int ret; - use_keytab = 0; - if (keytab == NULL) { - if ((ret = krb5_kt_default(context, &kt))) { - com_err(whoami, ret, "while opening default keytab"); - cleanup_and_exit(1, context); - } - } else { - if ((ret = krb5_kt_resolve(context, keytab, &kt))) { - com_err(whoami, ret, "while resolving keytab %s", - keytab); - cleanup_and_exit(1, context); - } - } - use_keytab = 1; /* now safe to close keytab */ -} - -void init_master(context, params) - krb5_context context; - kadm5_config_params *params; -{ - int ret; - - use_master = 0; - if ((ret = kadm5_init(whoami, NULL, KADM5_ADMIN_SERVICE, params, - KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, NULL, - &handle))) { - com_err(whoami, ret, "initializing kadm5 library"); - cleanup_and_exit(1, context); - } - use_master = 1; /* now safe to close kadm5 */ -} - -krb5_error_code do_connection(s, context) - int s; - krb5_context context; -{ - struct sockaddr saddr; - krb5_ticket *v5tkt = 0; - krb5_data msgdata, tktdata; - char msgbuf[MSGSIZE], tktbuf[TKT_BUFSIZ], *p; - int ret; - socklen_t saddrlen; - krb5_int32 n; /* Must be 4 bytes */ - krb5_kvno v4kvno; - - msgdata.data = msgbuf; - msgdata.length = MSGSIZE; - tktdata.data = tktbuf; - tktdata.length = TKT_BUFSIZ; - saddrlen = sizeof(struct sockaddr); - ret = recvfrom(s, msgdata.data, (int) msgdata.length, 0, &saddr, &saddrlen); - if (ret < 0) { - /* if recvfrom fails, we probably don't have a valid saddr to - use for the reply, so don't even try to respond. 
*/ - return errno; - } - if (debug) - printf("message received\n"); - - if ((ret = decode_krb5_ticket(&msgdata, &v5tkt))) { - switch (ret) { - case KRB5KDC_ERR_BAD_PVNO: - case ASN1_MISPLACED_FIELD: - case ASN1_MISSING_FIELD: - case ASN1_BAD_ID: - case KRB5_BADMSGTYPE: - /* don't even answer parse errors */ - return ret; - break; - default: - /* try and recognize our own error packet */ - if (msgdata.length == sizeof(krb5_int32)) - return KRB5_BADMSGTYPE; - else - goto error; - } - } - if (debug) - printf("V5 ticket decoded\n"); - - if (krb5_princ_size(context, v5tkt->server) >= 1 - && krb5_princ_component(context, v5tkt->server, 0)->length == 3 - && strncmp(krb5_princ_component(context, v5tkt->server, 0)->data, - "afs", 3) == 0) { - krb5_data *enc_part; - int use_v5; - if ((ret = afs_return_v4(context, v5tkt->server, - &use_v5)) != 0) - goto error; - if ((ret = encode_krb5_enc_data(&v5tkt->enc_part, &enc_part)) != 0) - goto error; - if (!(use_v5)|| enc_part->length >= 344) { - krb5_free_data(context, enc_part); - if ((ret = handle_classic_v4(context, v5tkt, - (struct sockaddr_in *) &saddr, &tktdata, - &v4kvno)) != 0) - goto error; - } else { - KTEXT_ST fake_v4tkt; - memset(&fake_v4tkt, 0x11, sizeof(fake_v4tkt)); - fake_v4tkt.mbz = 0; - fake_v4tkt.length = enc_part->length; - memcpy(fake_v4tkt.dat, enc_part->data, enc_part->length); - v4kvno = (0x100-0x2b); /*protocol constant indicating v5 - * enc part only*/ - krb5_free_data(context, enc_part); - ret = encode_v4tkt(&fake_v4tkt, tktdata.data, &tktdata.length); - } - } else { - if ((ret = handle_classic_v4(context, v5tkt, - (struct sockaddr_in *) &saddr, &tktdata, - &v4kvno)) != 0) - goto error; - } - -error: - /* create the reply */ - p = msgdata.data; - msgdata.length = 0; - - n = htonl(ret); - memcpy(p, (char *) &n, sizeof(krb5_int32)); - p += sizeof(krb5_int32); - msgdata.length += sizeof(krb5_int32); - - if (ret) - goto write_msg; - - n = htonl(v4kvno); - memcpy(p, (char *) &n, sizeof(krb5_int32)); - p += 
sizeof(krb5_int32); - msgdata.length += sizeof(krb5_int32); - - memcpy(p, tktdata.data, tktdata.length); - p += tktdata.length; - msgdata.length += tktdata.length; - -write_msg: - if (ret) - (void) sendto(s, msgdata.data, (int) msgdata.length, 0, &saddr, saddrlen); - else - if (sendto(s, msgdata.data, msgdata.length, 0, &saddr, saddrlen)<0) - ret = errno; - if (debug) - printf("reply written\n"); - if (v5tkt) - krb5_free_ticket(context, v5tkt); - - - return ret; -} - -krb5_error_code lookup_service_key(context, p, ktype, kvno, key, kvnop) - krb5_context context; - krb5_principal p; - krb5_enctype ktype; - krb5_kvno kvno; - krb5_keyblock *key; - krb5_kvno *kvnop; -{ - int ret; - krb5_keytab_entry entry; - - if (use_keytab) { - if ((ret = krb5_kt_get_entry(context, kt, p, kvno, ktype, &entry))) - return ret; - *key = entry.key; - key->contents = malloc(key->length); - if (key->contents) - memcpy(key->contents, entry.key.contents, key->length); - else if (key->length) { - /* out of memory? */ - ret = ENOMEM; - memset (key, 0, sizeof (*key)); - return ret; - } - - krb5_kt_free_entry(context, &entry); - return 0; - } else if (use_master) { - return kdc_get_server_key(context, p, key, kvnop, ktype, kvno); - } - return 0; -} - -krb5_error_code kdc_get_server_key(context, service, key, kvnop, ktype, kvno) - krb5_context context; - krb5_principal service; - krb5_keyblock *key; - krb5_kvno *kvnop; - krb5_enctype ktype; - krb5_kvno kvno; -{ - krb5_error_code ret; - kadm5_principal_ent_rec server; - - if ((ret = kadm5_get_principal(handle, service, &server, - KADM5_KEY_DATA|KADM5_ATTRIBUTES))) - return ret; - - if (server.attributes & KRB5_KDB_DISALLOW_ALL_TIX - || server.attributes & KRB5_KDB_DISALLOW_SVR) { - kadm5_free_principal_ent(handle, &server); - return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - } - - /* - * We try kadm5_decrypt_key twice because in the case of a - * ENCTYPE_DES_CBC_CRC key, we prefer to find a krb4 salt type - * over a normal key. 
Note this may create a problem if the - * server key is passworded and has both a normal and v4 salt. - * There is no good solution to this. - */ - if ((ret = kadm5_decrypt_key(handle, - &server, - ktype, - (ktype == ENCTYPE_DES_CBC_CRC) ? - KRB5_KDB_SALTTYPE_V4 : -1, - kvno, - key, NULL, kvnop)) && - (ret = kadm5_decrypt_key(handle, - &server, - ktype, - -1, - kvno, - key, NULL, kvnop))) { - kadm5_free_principal_ent(handle, &server); - return (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); - } - - kadm5_free_principal_ent(handle, &server); - return ret; -} - -/* - * We support two kinds of v4 credentials. There are real v4 - * credentials, and a Kerberos v5 enc part masquerading as a krb4 - * credential to be used by modern AFS implementations; this function - * handles the classic v4 case. - */ - -static krb5_error_code -handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, - struct sockaddr_in *saddr, - krb5_data *tktdata, krb5_kvno *v4kvno) -{ - krb5_error_code ret; - krb5_keyblock v5_service_key, v4_service_key; - KTEXT_ST v4tkt; - - v5_service_key.contents = NULL; - v4_service_key.contents = NULL; - - if ((ret = lookup_service_key(context, v5tkt->server, - v5tkt->enc_part.enctype, - v5tkt->enc_part.kvno, - &v5_service_key, NULL))) - goto error; - - if ((ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_DES_CBC_CRC, - 0, - &v4_service_key, v4kvno))) - goto error; - - if (debug) - printf("service key retrieved\n"); - if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt))) { - goto error; - } - - if (!(allow_v4_crossrealm || krb5_realm_compare(context, v5tkt->server, - v5tkt->enc_part2->client))) { - ret = KRB5KDC_ERR_POLICY; - goto error; - } - krb5_free_enc_tkt_part(context, v5tkt->enc_part2); - v5tkt->enc_part2= NULL; - - memset(&v4tkt, 0x33, sizeof(v4tkt)); - ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key, - &v4_service_key, - (struct sockaddr_in *)saddr); - if (ret) - goto error; - - if (debug) - printf("credentials 
converted\n"); - - ret = encode_v4tkt(&v4tkt, tktdata->data, &tktdata->length); - if (ret) - goto error; - if (debug) - printf("v4 credentials encoded\n"); - -error: - if (v5tkt->enc_part2) { - krb5_free_enc_tkt_part(context, v5tkt->enc_part2); - v5tkt->enc_part2 = NULL; - } - - if (v5_service_key.contents) - krb5_free_keyblock_contents(context, &v5_service_key); - if (v4_service_key.contents) - krb5_free_keyblock_contents(context, &v4_service_key); - return ret; -} - -/* - * afs_return_v4: a predicate to determine whether we want to try - * using the afs krb5 encrypted part encoding or whether we just - * return krb4. Takes a principal, and checks the configuration file. - */ -static krb5_error_code -afs_return_v4 (krb5_context context, const krb5_principal princ, - int *use_v5) -{ - krb5_error_code ret; - char *unparsed_name; - char *cp; - krb5_data realm; - assert(use_v5 != NULL); - ret = krb5_unparse_name(context, princ, &unparsed_name); - if (ret != 0) - return ret; -/* Trim out trailing realm component into separate string.*/ - for (cp = unparsed_name; *cp != '\0'; cp++) { - if (*cp == '\\') { - cp++; /* We trust unparse_name not to leave a singleton - * backslash*/ - continue; - } - if (*cp == '@') { - *cp = '\0'; - realm.data = cp+1; - realm.length = strlen((char *) realm.data); - break; - } - } - krb5_appdefault_boolean(context, "afs_krb5", - &realm, unparsed_name, 1, - use_v5); - krb5_free_unparsed_name(context, unparsed_name); - return ret; -} diff --git a/src/krb524/krb524d.h b/src/krb524/krb524d.h deleted file mode 100644 index b40e3aec5..000000000 --- a/src/krb524/krb524d.h +++ /dev/null 
@@ -1,48 +0,0 @@ -/* - * Copyright 1994 by OpenVision Technologies, Inc. - * - * Permission to use, copy, modify, distribute, and sell this software - * and its documentation for any purpose is hereby granted without fee, - * provided that the above copyright notice appears in all copies and - * that both that copyright notice and this permission notice appear in - * supporting documentation, and that the name of OpenVision not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. OpenVision makes no - * representations about the suitability of this software for any - * purpose. It is provided "as is" without express or implied warranty. - * - * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO - * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef KRB524INT_H -#define KRB524INT_H - -#include "port-sockets.h" -#include "kerberosIV/krb.h" - -#ifndef KRB524INT_BEGIN_DECLS -#ifdef __cplusplus -#define KRB524INT_BEGIN_DECLS extern "C" { -#define KRB524INT_END_DECLS } -#else -#define KRB524INT_BEGIN_DECLS -#define KRB524INT_END_DECLS -#endif -#endif - -KRB524INT_BEGIN_DECLS - -int krb524_convert_tkt_skey - (krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt, - krb5_keyblock *v5_skey, krb5_keyblock *v4_skey, - struct sockaddr_in *saddr); - -KRB524INT_END_DECLS - -#endif /* KRB524INT_H */ diff --git a/src/krb524/libinit.c b/src/krb524/libinit.c deleted file mode 100644 index 22aeea9f8..000000000 --- a/src/krb524/libinit.c +++ /dev/null 
@@ -1,27 +0,0 @@
-#ifdef _WIN32
-#include
-
-BOOL
-WINAPI
-DllMain(
- HANDLE hModule,
- DWORD fdwReason,
- LPVOID lpReserved
- )
-{
- switch (fdwReason)
- {
- case DLL_PROCESS_ATTACH:
- break;
- case DLL_THREAD_ATTACH:
- break;
- case DLL_THREAD_DETACH:
- break;
- case DLL_PROCESS_DETACH:
- break;
- default:
- return FALSE;
- }
- return TRUE;
-}
-#endif
diff --git a/src/krb524/test.c b/src/krb524/test.c
deleted file mode 100644
index d0cb92181..000000000
--- a/src/krb524/test.c
+++ /dev/null
@@ -1,353 +0,0 @@ -/* - * Copyright 1994 by OpenVision Technologies, Inc. - * - * Permission to use, copy, modify, distribute, and sell this software - * and its documentation for any purpose is hereby granted without fee, - * provided that the above copyright notice appears in all copies and - * that both that copyright notice and this permission notice appear in - * supporting documentation, and that the name of OpenVision not be used - * in advertising or publicity pertaining to distribution of the software - * without specific, written prior permission. OpenVision makes no - * representations about the suitability of this software for any - * purpose. It is provided "as is" without express or implied warranty. - * - * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, - * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO - * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR - * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF - * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR - * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. 
- */ - -#include "k5-int.h" - -#include -#include -#include - -#ifndef _WIN32 -#include -#endif - -#include -#include -#include "com_err.h" - -#define KEYSIZE 8 -#define CRED_BUFSIZ 2048 - -#define krb5_print_addrs - -void do_local (krb5_creds *, krb5_keyblock *), - do_remote (krb5_context, krb5_creds *, char *, krb5_keyblock *); - -static -void print_key(msg, key) - char *msg; - des_cblock *key; -{ - printf("%s: ", msg); - C_Block_print(key); - printf("\n"); -} - -static -void print_time(msg, t) - char *msg; - int t; -{ - printf("%s: %d, %s", msg, t, ctime((time_t *) &t)); -} - -static -void krb5_print_times(msg, t) - char *msg; - krb5_ticket_times *t; -{ - printf("%s: Start: %d, %s", msg, t->starttime, - ctime((time_t *) &t->starttime)); - printf("%s: End: %d, %s", msg, t->endtime, - ctime((time_t *) &t->endtime)); - printf("%s: Auth: %d, %s", msg, t->authtime, - ctime((time_t *) &t->authtime)); - printf("%s: Renew: %d, %s", msg, t->renew_till, - ctime((time_t *) &t->renew_till)); -} - -static -void krb5_print_keyblock(msg, key) - char *msg; - krb5_keyblock *key; -{ - printf("%s: Keytype: %d\n", msg, key->enctype); - printf("%s: Length: %d\n", msg, key->length); - printf("%s: Key: ", msg); - C_Block_print((des_cblock *) key->contents); - printf("\n"); -} - -static -void krb5_print_ticket(context, ticket_data, key) - krb5_context context; - krb5_data *ticket_data; - krb5_keyblock *key; -{ - char *p; - krb5_ticket *tkt; - int ret; - - if ((ret = decode_krb5_ticket(ticket_data, &tkt))) { - com_err("test", ret, "decoding ticket"); - exit(1); - } - if ((ret = krb5_decrypt_tkt_part(context, key, tkt))) { - com_err("test", ret, "decrypting V5 ticket for print"); - exit(1); - } - - krb5_unparse_name(context, tkt->server, &p); - printf("Ticket: Server: %s\n", p); - free(p); - printf("Ticket: kvno: %d\n", tkt->enc_part.kvno); - printf("Ticket: Flags: 0x%08x\n", tkt->enc_part2->flags); - krb5_print_keyblock("Ticket: Session Keyblock", - tkt->enc_part2->session); - 
krb5_unparse_name(context, tkt->enc_part2->client, &p); - printf("Ticket: Client: %s\n", p); - free(p); - krb5_print_times("Ticket: Times", &tkt->enc_part2->times); - printf("Ticket: Address 0: %08lx\n", - *((unsigned long *) tkt->enc_part2->caddrs[0]->contents)); - - krb5_free_ticket(context, tkt); -} - -static -void krb5_print_creds(context, creds, secret_key) - krb5_context context; - krb5_creds *creds; - krb5_keyblock *secret_key; -{ - char *p; - - krb5_unparse_name(context, creds->client, &p); - printf("Client: %s\n", p); - free(p); - krb5_unparse_name(context, creds->server, &p); - printf("Server: %s\n", p); - free(p); - krb5_print_keyblock("Session key", &creds->keyblock); - krb5_print_times("Times", &creds->times); - printf("is_skey: %s\n", creds->is_skey ? "True" : "False"); - printf("Flags: 0x%08x\n", creds->ticket_flags); -#if 0 - krb5_print_addrs(creds->addresses); -#endif - krb5_print_ticket(context, &creds->ticket, secret_key); - /* krb5_print_ticket(context, &creds->second_ticket, secret_key); */ -} - -static -void krb4_print_ticket(ticket, secret_key) - KTEXT ticket; - krb5_keyblock *secret_key; -{ - char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; - char sname[ANAME_SZ], sinst[INST_SZ]; - unsigned char flags; - krb5_ui_4 addr; - krb5_ui_4 issue_time; - C_Block session_key; - int life; - Key_schedule keysched; - - int ret; - - if (des_key_sched(secret_key->contents, keysched)) { - fprintf(stderr, "Bug in DES key somewhere.\n"); - exit(1); - } - - ret = decomp_ticket(ticket, &flags, pname, pinst, prealm, &addr, - session_key, &life, &issue_time, sname, - sinst, secret_key->contents, keysched); - if (ret != KSUCCESS) { - fprintf(stderr, "krb4 decomp_ticket failed\n"); - exit(1); - } - printf("Ticket: Client: %s.%s@%s\n", pname, pinst, prealm); - printf("Ticket: Service: %s.%s\n", sname, sinst); - printf("Ticket: Address: %08lx\n", (long) addr); - print_key("Ticket: Session Key", (char *) session_key); - printf("Ticket: Lifetime: %d\n", life); - 
printf("Ticket: Issue Date: %ld, %s", (long) issue_time, - ctime((time_t *) &issue_time)); -} - -static -void krb4_print_creds(creds, secret_key) - CREDENTIALS *creds; - krb5_keyblock *secret_key; -{ - printf("Client: %s.%s@%s\n", creds->pname, creds->pinst, - creds->realm); - printf("Service: %s.%s@%s\n", creds->service, creds->instance, - creds->realm); - print_key("Session key", (char *) creds->session); - printf("Lifetime: %d\n", creds->lifetime); - printf("Key Version: %d\n", creds->kvno); - print_time("Issue Date", creds->issue_date); - krb4_print_ticket(&creds->ticket_st, secret_key); -} - -static -void usage() -{ - fprintf(stderr, "Usage: test [-remote server] client service\n"); - exit(1); -} - -int main(argc, argv) - int argc; - char **argv; -{ - krb5_principal client, server; - krb5_ccache cc; - krb5_creds increds, *v5creds; - krb5_keyblock key; - char keybuf[KEYSIZE], buf[BUFSIZ]; - int i, ret, local; - char *remote; - krb5_context context; - krb5_error_code retval; - -#if 0 - krb524_debug = 1; -#endif - - retval = krb5_init_context(&context); - if (retval) { - com_err(argv[0], retval, "while initializing krb5"); - exit(1); - } - - local = 0; - remote = NULL; - argc--; argv++; - while (argc) { - if (strcmp(*argv, "-local") == 0) - local++; -#if 0 - else if (strcmp(*argv, "-remote") == 0) { - argc--; argv++; - if (!argc) - usage(); - remote = *argv; - } -#endif - else - break; - argc--; argv++; - } - if (argc != 2) - usage(); - - if ((ret = krb5_parse_name(context, argv[0], &client))) { - com_err("test", ret, "parsing client name"); - exit(1); - } - if ((ret = krb5_parse_name(context, argv[1], &server))) { - com_err("test", ret, "parsing server name"); - exit(1); - } - if ((ret = krb5_cc_default(context, &cc))) { - com_err("test", ret, "opening default credentials cache"); - exit(1); - } - - memset((char *) &increds, 0, sizeof(increds)); - increds.client = client; - increds.server = server; - increds.times.endtime = 0; - increds.keyblock.enctype = 
ENCTYPE_DES_CBC_MD5; - if ((ret = krb5_get_credentials(context, 0, cc, &increds, &v5creds))) { - com_err("test", ret, "getting V5 credentials"); - exit(1); - } - - /* We need the service key in order to locally decrypt both */ - /* tickets for testing */ - printf("Service's key: "); - fflush(stdout); - fgets(buf, BUFSIZ, stdin); - for (i = 0; i < 8; i++) { - unsigned char c; - c = buf[2*i]; - if (c >= '0' && c <= '9') - c -= '0'; - else if (c >= 'a' && c <= 'z') - c = c - 'a' + 0xa; - keybuf[i] = c << 4; - c = buf[2*i+1]; - if (c >= '0' && c <= '9') - c -= '0'; - else if (c >= 'a' && c <= 'z') - c = c - 'a' + 0xa; - keybuf[i] += c; - } - - key.enctype = ENCTYPE_DES_CBC_MD5; - key.length = KEYSIZE; /* presumably */ - key.contents = (krb5_octet *) keybuf; - - do_remote(context, v5creds, remote, &key); - exit(0); -} - -void do_remote(context, v5creds, server, key) - krb5_context context; - krb5_creds *v5creds; - char *server; - krb5_keyblock *key; -{ -#if 0 - struct sockaddr_in saddr; - struct hostent *hp; -#endif - CREDENTIALS v4creds; - int ret; - - printf("\nV5 credentials:\n"); - krb5_print_creds(context, v5creds, key); - -#if 0 - if (strcmp(server, "kdc") != 0) { - hp = gethostbyname(server); - if (hp == NULL) { - fprintf(stderr, "test: host %s does not exist.\n", server); - exit(1); - } - memset((char *) &saddr, 0, sizeof(struct sockaddr_in)); - saddr.sin_family = AF_INET; - memcpy((char *) &saddr.sin_addr.s_addr, hp->h_addr, - sizeof(struct in_addr)); - - if ((ret = krb524_convert_creds_addr(context, v5creds, &v4creds, - (struct sockaddr *) &saddr))) { - com_err("test", ret, "converting credentials on %s", - server); - exit(1); - } - } else -#endif - { - if ((ret = krb524_convert_creds_kdc(context, v5creds, &v4creds))) { - com_err("test", ret, "converting credentials via kdc"); - exit(1); - } - } - - printf("\nV4 credentials:\n"); - krb4_print_creds(&v4creds, key); -} diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 9d139a744..f5180d7c2 100644 
--- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -1,15 +1,14 @@ thisconfigdir=./.. myfulldir=lib mydir=lib -SUBDIRS=crypto krb5 des425 @KRB4@ gssapi rpc kdb kadm5 apputils +SUBDIRS=crypto krb5 gssapi rpc kdb kadm5 apputils BUILDTOP=$(REL).. all-unix:: -CLEANLIBS = libkrb5.a libkdb5.a libcrypto.a libgssapi_krb5.a libdes425.a \ - libkrb425.a libkadm.a libkrb4.a libcom_err.a libpty.a \ - libss.a libgssapi.a libapputils.a \ - libkrb5.so libcrypto.so libkrb4.so libdes425.so +CLEANLIBS = libkrb5.a libkdb5.a libcrypto.a libgssapi_krb5.a libkadm.a \ + libcom_err.a libpty.a ibss.a libgssapi.a libapputils.a libkrb5.so \ + libcrypto.so clean-unix:: diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in index 3b277f192..b6b647858 100644 --- a/src/lib/crypto/Makefile.in +++ b/src/lib/crypto/Makefile.in @@ -501,7 +501,7 @@ decrypt.so decrypt.po $(OUTPRE)decrypt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - decrypt.c etypes.h + aead.h decrypt.c etypes.h decrypt_iov.so decrypt_iov.po $(OUTPRE)decrypt_iov.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -522,7 +522,7 @@ encrypt.so encrypt.po $(OUTPRE)encrypt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - encrypt.c etypes.h + aead.h encrypt.c etypes.h encrypt_iov.so encrypt_iov.po $(OUTPRE)encrypt_iov.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
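Review bot: The rewritten `CLEANLIBS` list in src/lib/Makefile.in names `ibss.a`, where the removed lines listed `libss.a`; this looks like a dropped letter rather than an intended change, since the commit description only covers krb4, krb524 and des425. As written, the new list no longer names `libss.a` and instead names a file the build presumably never produces. The second continuation line should read `libcom_err.a libpty.a libss.a libgssapi.a libapputils.a libkrb5.so \`. How `CLEANLIBS` is consumed is not visible here (the `clean-unix::` rule continues outside the hunk), so the practical effect on `make clean` should be confirmed against that recipe.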
@@ -542,7 +542,8 @@ encrypt_length.so encrypt_length.po $(OUTPRE)encrypt_length.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h encrypt_length.c etypes.h + $(SRCTOP)/include/socket-utils.h aead.h encrypt_length.c \ + etypes.h enctype_compare.so enctype_compare.po $(OUTPRE)enctype_compare.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/crypto/des/Makefile.in b/src/lib/crypto/des/Makefile.in index 203a73e84..aa2da62f7 100644 --- a/src/lib/crypto/des/Makefile.in +++ b/src/lib/crypto/des/Makefile.in 
@@ -108,32 +108,29 @@ afsstring2key.so afsstring2key.po $(OUTPRE)afsstring2key.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - afsstring2key.c des_int.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h afsstring2key.c des_int.h d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h d3_cbc.c des_int.h \ - f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + d3_cbc.c des_int.h f_tables.h d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h 
$(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../aead.h \ - d3_aead.c des_int.h f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../aead.h d3_aead.c des_int.h f_tables.h d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -141,32 +138,29 @@ d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - d3_kysched.c des_int.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h d3_kysched.c des_int.h f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_cbc.c \ - f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_int.h f_cbc.c f_tables.h f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ 
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_cksum.c \ - f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_int.h f_cksum.c f_tables.h f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -174,20 +168,19 @@ f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h f_parity.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h f_parity.c f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_sched.c + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_int.h f_sched.c f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -195,10 +188,10 @@ f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h f_tables.c f_tables.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h f_tables.c \ + f_tables.h key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -206,10 +199,9 @@ key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h key_sched.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h key_sched.c weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -217,10 +209,9 @@ weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h weak_key.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h weak_key.c string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -228,7 +219,6 @@ string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h string2key.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h string2key.c diff --git a/src/lib/crypto/des/des_int.h b/src/lib/crypto/des/des_int.h index f04056449..3bafb740b 100644 --- a/src/lib/crypto/des/des_int.h +++ b/src/lib/crypto/des/des_int.h 
@@ -64,9 +64,56 @@ #ifndef KRB5_MIT_DES__ #define KRB5_MIT_DES__ -#define KRB5INT_CRYPTO_DES_INT /* skip krb4-specific DES stuff */ -#include "kerberosIV/des.h" /* for des_key_schedule, etc. */ -#undef KRB5INT_CRYPTO_DES_INT /* don't screw other inclusions of des.h */ +#if defined(__MACH__) && defined(__APPLE__) +#include +#include +#if TARGET_RT_MAC_CFM +#error "Use KfM 4.0 SDK headers for CFM compilation." +#endif +#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS) +#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5 +#endif +#endif /* defined(__MACH__) && defined(__APPLE__) */ + +/* Macro to add deprecated attribute to DES types and functions */ +/* Currently only defined on Mac OS X 10.5 and later. */ +#ifndef KRB5INT_DES_DEPRECATED +#define KRB5INT_DES_DEPRECATED +#endif + +#include + +#if UINT_MAX >= 0xFFFFFFFFUL +#define DES_INT32 int +#define DES_UINT32 unsigned int +#else +#define DES_INT32 long +#define DES_UINT32 unsigned long +#endif + +typedef unsigned char des_cblock[8] /* crypto-block size */ +KRB5INT_DES_DEPRECATED; + +/* + * Key schedule. + * + * This used to be + * + * typedef struct des_ks_struct { + * union { DES_INT32 pad; des_cblock _;} __; + * } des_key_schedule[16]; + * + * but it would cause trouble if DES_INT32 were ever more than 4 + * bytes. The reason is that all the encryption functions cast it to + * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If + * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the + * caller-allocated des_key_schedule will be overflowed by the key + * scheduling functions. We can't assume that every platform will + * have an exact 32-bit int, and nothing should be looking inside a + * des_key_schedule anyway. + */ +typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16] +KRB5INT_DES_DEPRECATED; typedef des_cblock mit_des_cblock; typedef des_key_schedule mit_des_key_schedule; 
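Review bot: The Mac OS X deprecation block copied in from kerberosIV/des.h now sits in an internal header, so `des_cblock` and `des_key_schedule` carry `KRB5INT_DES_DEPRECATED` while the unchanged lines right after them, `typedef des_cblock mit_des_cblock;` and `typedef des_key_schedule mit_des_key_schedule;`, build the library's own types from those names. On 10.5 and later, unless the build defines `KRB5_SUPRESS_DEPRECATED_WARNINGS` (not visible in this hunk), that would presumably raise a deprecation warning in every crypto source file that includes des_int.h, and that noise makes real warnings in key-handling code easy to miss. With the public krb4 header gone, consider dropping the attribute from the two typedefs. If it has to stay, say why in a comment such as `/* attribute retained from the former kerberosIV/des.h; internal code uses the mit_des_* aliases */`. The key-schedule comment is worth keeping as is, since it records why the layout is `DES_INT32 _[2]` rather than the old union.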
diff --git a/src/lib/crypto/enc_provider/Makefile.in b/src/lib/crypto/enc_provider/Makefile.in
index 337f0ed68..f5ba1c655 100644
--- a/src/lib/crypto/enc_provider/Makefile.in
+++ b/src/lib/crypto/enc_provider/Makefile.in
@@ -51,22 +51,20 @@ des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ - des.c enc_provider.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../des/des_int.h des.c enc_provider.h des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../aead.h \ - $(srcdir)/../des/des_int.h des3.c + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../aead.h $(srcdir)/../des/des_int.h des3.c aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h 
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ diff --git a/src/lib/crypto/keyhash_provider/Makefile.in b/src/lib/crypto/keyhash_provider/Makefile.in index ed4bdfa46..21d95bcc5 100644 --- a/src/lib/crypto/keyhash_provider/Makefile.in +++ b/src/lib/crypto/keyhash_provider/Makefile.in @@ -65,11 +65,10 @@ descbc.so descbc.po $(OUTPRE)descbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ - descbc.c keyhash_provider.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../des/des_int.h descbc.c keyhash_provider.h k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -77,11 +76,10 @@ k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../des/des_int.h $(srcdir)/../md4/rsa-md4.h \ - k5_md4des.c keyhash_provider.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ + $(srcdir)/../md4/rsa-md4.h k5_md4des.c keyhash_provider.h k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -89,11 +87,10 @@ k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../des/des_int.h $(srcdir)/../md5/rsa-md5.h \ - k5_md5des.c keyhash_provider.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ + $(srcdir)/../md5/rsa-md5.h k5_md5des.c keyhash_provider.h hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/crypto/old/Makefile.in b/src/lib/crypto/old/Makefile.in index c097a2b0e..be91c4b09 100644 --- a/src/lib/crypto/old/Makefile.in +++ b/src/lib/crypto/old/Makefile.in 
@@ -45,10 +45,10 @@ des_stringtokey.so des_stringtokey.po $(OUTPRE)des_stringtokey.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../des/des_int.h des_stringtokey.c old.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ + des_stringtokey.c old.h old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/des425/ISSUES b/src/lib/des425/ISSUES deleted file mode 100644 index ec5ce0087..000000000 --- a/src/lib/des425/ISSUES +++ /dev/null 
@@ -1,28 +0,0 @@ --*- text -*- - -* unix_time.c also exists in ../krb4, and they're different; both - should probably call into the krb5 support anyways to avoid - duplicating code. - -* namespace intrusions - -* Check include/kerberosIV/des.h and see if all the prototyped - functions really are necessary to retain; if not, delete some of - these source files. - -* Much of this code requires that DES_INT32 be *exactly* 32 bits, and - 4 bytes. - -* Array types are used in function call signatures, which is unclean. - It makes trying to add "const" qualifications in the right places - really, um, interesting. But we're probably stuck with them. - -* quad_cksum is totally broken. I have no idea whether the author - actually believed it implemented the documented algorithm, but I'm - certain it doesn't. The only question is, is it still reasonably - secure, when the plaintext and checksum are visible to an attacker - as in the mk_safe message? - -* des_read_password and des_read_pw_string are not thread-safe. Also, - they should be calling into the k5crypto library instead of - duplicating functionality. diff --git a/src/lib/des425/Makefile.in b/src/lib/des425/Makefile.in deleted file mode 100644 index 218ceaf34..000000000 --- a/src/lib/des425/Makefile.in +++ /dev/null 
@@ -1,273 +0,0 @@ -thisconfigdir=../.. -myfulldir=lib/des425 -mydir=lib/des425 -BUILDTOP=$(REL)..$(S).. -LOCALINCLUDES = -I$(srcdir)/../crypto/des -I$(srcdir)/../../include/kerberosIV -DEFS= - -##DOS##BUILDTOP = ..\.. -##DOS##LIBNAME=$(OUTPRE)des425.lib -##DOS##OBJFILE=$(OUTPRE)des425.lst -##DOS##OBJFILEDEP=$(OUTPRE)des425.lst -##DOS##OBJFILELIST=@$(OUTPRE)des425.lst - -PROG_LIBPATH=-L$(TOPLIBD) -PROG_RPATH=$(KRB5_LIBDIR) - -RUN_SETUP=@KRB5_RUN_ENV@ - -LIBBASE=des425 -LIBMAJOR=3 -LIBMINOR=0 -RELDIR=des425 -# Depends on libk5crypto and libkrb5 -SHLIB_EXPDEPS = \ - $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto -SHLIB_DIRS=-L$(TOPLIBD) -SHLIB_RDIRS=$(KRB5_LIBDIR) - -STOBJLISTS=OBJS.ST -STLIBOBJS=cksum.o \ - des.o \ - enc_dec.o \ - key_parity.o \ - key_sched.o \ - new_rnd_key.o \ - pcbc_encrypt.o \ - quad_cksum.o \ - random_key.o \ - read_passwd.o \ - str_to_key.o \ - unix_time.o \ - util.o \ - weak_key.o - - -OBJS= $(OUTPRE)cksum.$(OBJEXT) \ - $(OUTPRE)des.$(OBJEXT) \ - $(OUTPRE)enc_dec.$(OBJEXT) \ - $(OUTPRE)key_parity.$(OBJEXT) \ - $(OUTPRE)key_sched.$(OBJEXT) \ - $(OUTPRE)new_rnd_key.$(OBJEXT) \ - $(OUTPRE)pcbc_encrypt.$(OBJEXT) \ - $(OUTPRE)quad_cksum.$(OBJEXT) \ - $(OUTPRE)random_key.$(OBJEXT) \ - $(OUTPRE)read_passwd.$(OBJEXT) \ - $(OUTPRE)str_to_key.$(OBJEXT) \ - $(OUTPRE)unix_time.$(OBJEXT) \ - $(OUTPRE)util.$(OBJEXT) \ - $(OUTPRE)weak_key.$(OBJEXT) - -SRCS= $(srcdir)/cksum.c \ - $(srcdir)/des.c \ - $(srcdir)/enc_dec.c \ - $(srcdir)/key_parity.c \ - $(srcdir)/key_sched.c \ - $(srcdir)/new_rnd_key.c \ - $(srcdir)/pcbc_encrypt.c \ - $(srcdir)/quad_cksum.c \ - $(srcdir)/random_key.c \ - $(srcdir)/read_passwd.c \ - $(srcdir)/str_to_key.c \ - $(srcdir)/unix_time.c \ - $(srcdir)/util.c \ - $(srcdir)/weak_key.c - -all-unix:: all-liblinks - -##DOS##LIBOBJS = $(OBJS) - -shared: - mkdir shared - -verify: verify.o $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ verify.o $(DES425_LIB) 
$(KRB5_BASE_LIBS) - -t_quad: t_quad.o quad_cksum.o $(SUPPORT_DEPLIB) - $(CC_LINK) -o $@ t_quad.o quad_cksum.o $(SUPPORT_LIB) - -t_pcbc: t_pcbc.o pcbc_encrypt.o key_sched.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_pcbc.o pcbc_encrypt.o key_sched.o $(KRB5_BASE_LIBS) - -check-unix:: verify t_quad t_pcbc - $(RUN_SETUP) $(VALGRIND) ./verify -z - $(RUN_SETUP) $(VALGRIND) ./verify -m - $(RUN_SETUP) $(VALGRIND) ./verify - $(RUN_SETUP) $(VALGRIND) ./t_quad - $(RUN_SETUP) $(VALGRIND) ./t_pcbc - -check-windows:: - -clean:: - $(RM) $(OUTPRE)verify$(EXEEXT) $(OUTPRE)verify.$(OBJEXT) \ - $(OUTPRE)t_quad$(EXEEXT) $(OUTPRE)t_quad.$(OBJEXT) \ - $(OUTPRE)t_pcbc$(EXEEXT) $(OUTPRE)t_pcbc.$(OBJEXT) - -clean-unix:: clean-liblinks clean-libs clean-libobjs - -install-unix:: install-libs - -@lib_frag@ -@libobj_frag@ - -# +++ Dependency line eater +++ -# -# Makefile dependencies follow. This must be the last section in -# the Makefile.in file -# -cksum.so cksum.po $(OUTPRE)cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../crypto/des/des_int.h \ - cksum.c -des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - 
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../crypto/des/des_int.h \ - des.c -enc_dec.so enc_dec.po $(OUTPRE)enc_dec.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../crypto/des/des_int.h \ - enc_dec.c -key_parity.so key_parity.po $(OUTPRE)key_parity.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h key_parity.c -key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - 
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h key_sched.c -new_rnd_key.so new_rnd_key.po $(OUTPRE)new_rnd_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h new_rnd_key.c -pcbc_encrypt.so pcbc_encrypt.po $(OUTPRE)pcbc_encrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h 
$(srcdir)/../crypto/des/f_tables.h \ - pcbc_encrypt.c -quad_cksum.so quad_cksum.po $(OUTPRE)quad_cksum.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h quad_cksum.c -random_key.so random_key.po $(OUTPRE)random_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h random_key.c -read_passwd.so read_passwd.po $(OUTPRE)read_passwd.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - 
$(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h read_passwd.c -str_to_key.so str_to_key.po $(OUTPRE)str_to_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h str_to_key.c -unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h unix_time.c -util.so util.po $(OUTPRE)util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - 
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../crypto/des/des_int.h \ - util.c -weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h weak_key.c diff --git a/src/lib/des425/cksum.c b/src/lib/des425/cksum.c deleted file mode 100644 index 33b5322ac..000000000 --- a/src/lib/des425/cksum.c +++ /dev/null 
@@ -1,68 +0,0 @@
-/*
- * lib/des425/cksum.c
- *
- * Copyright 1985, 1986, 1987, 1988, 1990 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * These routines perform encryption and decryption using the DES
- * private key algorithm, or else a subset of it-- fewer inner loops.
- * (AUTH_DES_ITER defaults to 16, may be less.)
- *
- * Under U.S. law, this software may not be exported outside the US
- * without license from the U.S. Commerce department.
- *
- * These routines form the library interface to the DES facilities.
- *
- * spm 8/85 MIT project athena
- */
-
-#include "des_int.h"
-#include "des.h"
-
-/*
- * This routine performs DES cipher-block-chaining checksum operation,
- * a.k.a. Message Authentication Code. It ALWAYS encrypts from input
- * to a single 64 bit output MAC checksum.
- *
- * The key schedule is passed as an arg, as well as the cleartext or
- * ciphertext. The cleartext and ciphertext should be in host order.
- *
- * NOTE-- the output is ALWAYS 8 bytes long. If not enough space was
- * provided, your program will get trashed.
- *
- * The input is null padded, at the end (highest addr), to an integral
- * multiple of eight bytes.
- */
-
-unsigned long KRB5_CALLCONV
-des_cbc_cksum(in,out,length,key,iv)
- const des_cblock *in; /* >= length bytes of inputtext */
- des_cblock *out; /* >= length bytes of outputtext */
- register unsigned long length; /* in bytes */
- const mit_des_key_schedule key; /* precomputed key schedule */
- const des_cblock *iv; /* 8 bytes of ivec */
-{
- return mit_des_cbc_cksum((const krb5_octet *)in, (krb5_octet *)out,
- length, key, (krb5_octet *)iv);
-}
diff --git a/src/lib/des425/des.c b/src/lib/des425/des.c
deleted file mode 100644
index 745b4bed5..000000000
--- a/src/lib/des425/des.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * lib/des425/des.c
- *
- * Copyright 1985, 1986, 1987, 1988, 1990 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "des_int.h"
-#include "des.h"
-#undef mit_des_cbc_encrypt
-
-int KRB5_CALLCONV
-des_ecb_encrypt(clear, cipher, schedule, enc)
- des_cblock *clear;
- des_cblock *cipher;
- const mit_des_key_schedule schedule;
- int enc; /* 0 ==> decrypt, else encrypt */
-{
- static const des_cblock iv;
-
- return (mit_des_cbc_encrypt((const des_cblock *)clear, cipher,
- 8, schedule, iv, enc));
-}
diff --git a/src/lib/des425/enc_dec.c b/src/lib/des425/enc_dec.c
deleted file mode 100644
index b75a63e20..000000000
--- a/src/lib/des425/enc_dec.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * lib/des425/enc_dec.c
- *
- * Copyright 1985, 1986, 1987, 1988, 1990 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include "des_int.h"
-#include "des.h"
-#undef mit_des_cbc_encrypt
-
-int
-des_cbc_encrypt(in,out,length,key,iv,enc)
- des_cblock *in; /* >= length bytes of input text */
- des_cblock *out; /* >= length bytes of output text */
- register unsigned long length; /* in bytes */
- const mit_des_key_schedule key; /* precomputed key schedule */
- const des_cblock *iv; /* 8 bytes of ivec */
- int enc; /* 0 ==> decrypt, else encrypt */
-{
- return (mit_des_cbc_encrypt((const des_cblock *) in,
- out, length, key,
- (const unsigned char *)iv, /* YUCK! */
- enc));
-}
diff --git a/src/lib/des425/key_parity.c b/src/lib/des425/key_parity.c
deleted file mode 100644
index 96e13e2f4..000000000
--- a/src/lib/des425/key_parity.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * lib/des425/key_parity.c
- *
- * Copyright 1989, 1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "des_int.h"
-#include "des.h"
-
-/*
- * des_fixup_key_parity: Forces odd parity per byte; parity is bits
- * 8,16,...64 in des order, implies 0, 8, 16, ...
- * vax order.
- */
-void
-des_fixup_key_parity(key)
- register mit_des_cblock key;
-{
- mit_des_fixup_key_parity(key);
-}
-
-/*
- * des_check_key_parity: returns true iff key has the correct des parity.
- */
-int
-des_check_key_parity(key)
- register mit_des_cblock key;
-{
- return(mit_des_check_key_parity(key));
-}
-
diff --git a/src/lib/des425/key_sched.c b/src/lib/des425/key_sched.c
deleted file mode 100644
index 70f61ce5e..000000000
--- a/src/lib/des425/key_sched.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * lib/des425/key_sched.c
- *
- * Copyright 1985, 1986, 1987, 1988, 1990 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-
-#include
-#include "des_int.h"
-#include "des.h"
-
-int KRB5_CALLCONV
-des_key_sched(k,schedule)
- des_cblock k;
- des_key_schedule schedule;
-{
- return (mit_des_key_sched(k, schedule));
-}
diff --git a/src/lib/des425/libdes425.exports b/src/lib/des425/libdes425.exports
deleted file mode 100644
index 5753a6e96..000000000
--- a/src/lib/des425/libdes425.exports
+++ /dev/null
@@ -1,18 +0,0 @@
-afs_string_to_key
-des_cbc_cksum
-des_cbc_encrypt
-des_cblock_print_file
-des_check_key_parity
-des_ecb_encrypt
-des_fixup_key_parity
-des_init_random_number_generator
-des_is_weak_key
-des_key_sched
-des_new_random_key
-des_pcbc_encrypt
-des_quad_cksum
-des_random_key
-des_read_password
-des_read_pw_string
-des_string_to_key
-unix_time_gmt_unixsec
diff --git a/src/lib/des425/mac_des_glue.c b/src/lib/des425/mac_des_glue.c
deleted file mode 100644
index b7f3a6af8..000000000
--- a/src/lib/des425/mac_des_glue.c
+++ /dev/null
@@ -1,104 +0,0 @@ -#include "des_int.h" -#include "des.h" -#undef mit_des3_cbc_encrypt - -/* These functions are exported on KfM for ABI compatibility with - * older versions of the library. They have been pulled from the headers - * in the hope that someday we can remove them. - * - * Do not change the ABIs of any of these functions! - */ - -//int des_read_pw_string(char *, int, char *, int); -char *des_crypt(const char *, const char *); -char *des_fcrypt(const char *, const char *, char *); - -int make_key_sched(des_cblock *, des_key_schedule); -int des_set_key(des_cblock *, des_key_schedule); - -void des_3cbc_encrypt(des_cblock *, des_cblock *, long, - des_key_schedule, des_key_schedule, des_key_schedule, - des_cblock *, int); -void des_3ecb_encrypt(des_cblock *, des_cblock *, - des_key_schedule, des_key_schedule, des_key_schedule, - int); - -void des_generate_random_block(des_cblock); -void des_set_random_generator_seed(des_cblock); -void des_set_sequence_number(des_cblock); - -#pragma mark - - -/* Why was this exported on KfM? Who knows... */ -int des_debug = 0; - -char *des_crypt(const char *str, const char *salt) -{ - char afs_buf[16]; - - return des_fcrypt(str, salt, afs_buf); -} - - -char *des_fcrypt(const char *str, const char *salt, char *buf) -{ - return mit_afs_crypt(str, salt, buf); -} - - -int make_key_sched(des_cblock *k, des_key_schedule schedule) -{ - return mit_des_key_sched((unsigned char *)k, schedule); /* YUCK! */ -} - - -int des_set_key(des_cblock *key, des_key_schedule schedule) -{ - return make_key_sched(key, schedule); -} - - -void des_3cbc_encrypt(des_cblock *in, des_cblock *out, long length, - des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3, - des_cblock *iv, int enc) -{ - mit_des3_cbc_encrypt((const des_cblock *)in, out, (unsigned long)length, - ks1, ks2, ks3, - (const unsigned char *)iv, /* YUCK! 
*/ - enc); -} - - -void des_3ecb_encrypt(des_cblock *clear, des_cblock *cipher, - des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3, - int enc) -{ - static const des_cblock iv; - - mit_des3_cbc_encrypt((const des_cblock *)clear, cipher, 8, ks1, ks2, ks3, iv, enc); -} - - -void des_generate_random_block(des_cblock block) -{ - krb5_data data; - - data.length = sizeof(des_cblock); - data.data = (char *)block; - - /* This function can return an error, however we must ignore it. */ - /* The worst that happens is that the resulting block is non-random */ - krb5_c_random_make_octets(/* XXX */ 0, &data); -} - - -void des_set_random_generator_seed(des_cblock block) -{ - des_init_random_number_generator(block); /* XXX */ -} - - -void des_set_sequence_number(des_cblock block) -{ - des_init_random_number_generator(block); /* XXX */ -} diff --git a/src/lib/des425/new_rnd_key.c b/src/lib/des425/new_rnd_key.c deleted file mode 100644 index 126ddf500..000000000 --- a/src/lib/des425/new_rnd_key.c +++ /dev/null 
@@ -1,96 +0,0 @@
-/*
- * lib/des425/new_rnd_key.c
- *
- * Copyright 1988,1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "des_int.h"
-#include "des.h"
-#include "k5-int.h"
-
-void
-des_init_random_number_generator(key)
- mit_des_cblock key;
-{
- krb5_data seed;
-
- seed.length = sizeof(key);
- seed.data = (char *) key;
-
- if (krb5_c_random_seed(/* XXX */ 0, &seed))
- /* XXX */ abort();
-}
-
-/*
- * des_new_random_key: create a random des key
- *
- * Requires: des_set_random_number_generater_seed must be at called least
- * once before this routine is called.
- *
- * Notes: the returned key has correct parity and is guarenteed not
- * to be a weak des key. Des_generate_random_block is used to
- * provide the random bits.
- */
-int KRB5_CALLCONV
-des_new_random_key(key)
- mit_des_cblock key;
-{
- krb5_keyblock keyblock;
- krb5_error_code kret;
-
- kret = krb5_c_make_random_key(/* XXX */ 0, ENCTYPE_DES_CBC_CRC, &keyblock);
- if (kret) return kret;
-
- memcpy(key, keyblock.contents, sizeof(mit_des_cblock));
- krb5_free_keyblock_contents(/* XXX */ 0, &keyblock);
-
- return 0;
-}
diff --git a/src/lib/des425/pcbc_encrypt.c b/src/lib/des425/pcbc_encrypt.c
deleted file mode 100644
index 130fd20f6..000000000
--- a/src/lib/des425/pcbc_encrypt.c
+++ /dev/null
@@ -1,235 +0,0 @@ -/* - * lib/des425/pcbc_encrypt.c - * - * Copyright (C) 1990 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- * - * DES implementation donated by Dennis Ferguson - */ - -/* - * des_pcbc_encrypt.c - encrypt a string of characters in error propagation mode - */ - -#include "autoconf.h" /* in case this defines CONFIG_SMALL */ -#undef CONFIG_SMALL /* XXX needs non-exported crypto symbols */ -#include "des_int.h" -#include "des.h" -#include - -/* - * des_pcbc_encrypt - {en,de}crypt a stream in PCBC mode - */ -int KRB5_CALLCONV -des_pcbc_encrypt(in, out, length, schedule, ivec, enc) - des_cblock *in; - des_cblock *out; - long length; - const des_key_schedule schedule; - des_cblock *ivec; - int enc; -{ - unsigned DES_INT32 left, right; - const unsigned DES_INT32 *kp; - const unsigned char *ip; - unsigned char *op; - - /* - * Copy the key pointer, just once - */ - kp = (const unsigned DES_INT32 *)schedule; - - /* - * Deal with encryption and decryption separately. - */ - if (enc) { - /* Initialization isn't really needed here, but gcc - complains because it doesn't understand that the - only case where these can be used uninitialized is - to compute values that'll in turn be ignored - because we won't go around the loop again. */ - unsigned DES_INT32 plainl = 42; - unsigned DES_INT32 plainr = 17; - - /* - * Initialize left and right with the contents of the initial - * vector. - */ - ip = *ivec; - GET_HALF_BLOCK(left, ip); - GET_HALF_BLOCK(right, ip); - - /* - * Suitably initialized, now work the length down 8 bytes - * at a time. - */ - ip = *in; - op = *out; - while (length > 0) { - /* - * Get block of input. If the length is - * greater than 8 this is straight - * forward. Otherwise we have to fart around. - */ - if (length > 8) { - GET_HALF_BLOCK(plainl, ip); - GET_HALF_BLOCK(plainr, ip); - left ^= plainl; - right ^= plainr; - length -= 8; - } else { - /* - * Oh, shoot. We need to pad the - * end with zeroes. Work backwards - * to do this. We know this is the - * last block, though, so we don't have - * to save the plain text. 
- */ - ip += (int) length; - switch(length) { - case 8: - right ^= *(--ip) & 0xff; - case 7: - right ^= (*(--ip) & 0xff) << 8; - case 6: - right ^= (*(--ip) & 0xff) << 16; - case 5: - right ^= (*(--ip) & 0xff) << 24; - case 4: - left ^= *(--ip) & 0xff; - case 3: - left ^= (*(--ip) & 0xff) << 8; - case 2: - left ^= (*(--ip) & 0xff) << 16; - case 1: - left ^= (*(--ip) & 0xff) << 24; - break; - } - length = 0; - } - - /* - * Encrypt what we have - */ - DES_DO_ENCRYPT(left, right, kp); - - /* - * Copy the results out - */ - PUT_HALF_BLOCK(left, op); - PUT_HALF_BLOCK(right, op); - - /* - * Xor with the old plain text - */ - left ^= plainl; - right ^= plainr; - } - } else { - /* - * Decrypting is harder than encrypting because of - * the necessity of remembering a lot more things. - * Should think about this a little more... - */ - unsigned DES_INT32 ocipherl, ocipherr; - unsigned DES_INT32 cipherl, cipherr; - - if (length <= 0) - return 0; - - /* - * Prime the old cipher with ivec. - */ - ip = *ivec; - GET_HALF_BLOCK(ocipherl, ip); - GET_HALF_BLOCK(ocipherr, ip); - - /* - * Now do this in earnest until we run out of length. - */ - ip = *in; - op = *out; - for (;;) { /* check done inside loop */ - /* - * Read a block from the input into left and - * right. Save this cipher block for later. - */ - GET_HALF_BLOCK(left, ip); - GET_HALF_BLOCK(right, ip); - cipherl = left; - cipherr = right; - - /* - * Decrypt this. - */ - DES_DO_DECRYPT(left, right, kp); - - /* - * Xor with the old cipher to get plain - * text. Output 8 or less bytes of this. - */ - left ^= ocipherl; - right ^= ocipherr; - if (length > 8) { - length -= 8; - PUT_HALF_BLOCK(left, op); - PUT_HALF_BLOCK(right, op); - /* - * Save current cipher block here - */ - ocipherl = cipherl ^ left; - ocipherr = cipherr ^ right; - } else { - /* - * Trouble here. Start at end of output, - * work backwards. 
- */ - op += (int) length; - switch(length) { - case 8: - *(--op) = (unsigned char) (right & 0xff); - case 7: - *(--op) = (unsigned char) ((right >> 8) & 0xff); - case 6: - *(--op) = (unsigned char) ((right >> 16) & 0xff); - case 5: - *(--op) = (unsigned char) ((right >> 24) & 0xff); - case 4: - *(--op) = (unsigned char) (left & 0xff); - case 3: - *(--op) = (unsigned char) ((left >> 8) & 0xff); - case 2: - *(--op) = (unsigned char) ((left >> 16) & 0xff); - case 1: - *(--op) = (unsigned char) ((left >> 24) & 0xff); - break; - } - break; /* we're done */ - } - } - } - - /* - * Done, return nothing. - */ - return 0; -} diff --git a/src/lib/des425/quad_cksum.c b/src/lib/des425/quad_cksum.c deleted file mode 100644 index 2a7b78cfd..000000000 --- a/src/lib/des425/quad_cksum.c +++ /dev/null 
@@ -1,200 +0,0 @@ -/* - * lib/des425/quad_cksum.c - * - * Copyright 1985, 1986, 1987, 1988,1990 by the Massachusetts Institute - * of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * This routine does not implement: - * - * - * Quadratic Congruential Manipulation Dectection Code - * - * ref: "Message Authentication" - * R.R. Jueneman, S. M. Matyas, C.H. Meyer - * IEEE Communications Magazine, - * Sept 1985 Vol 23 No 9 p 29-40 - * - * This routine, part of the Athena DES library built for the Kerberos - * authentication system, calculates a manipulation detection code for - * a message. It is a much faster alternative to the DES-checksum - * method. No guarantees are offered for its security. - * - * Implementation for 4.2bsd - * by S.P. 
Miller Project Athena/MIT - */ - -/* - * Algorithm (per paper): - * define: - * message to be composed of n m-bit blocks X1,...,Xn - * optional secret seed S in block X1 - * MDC in block Xn+1 - * prime modulus N - * accumulator Z - * initial (secret) value of accumulator C - * N, C, and S are known at both ends - * C and , optionally, S, are hidden from the end users - * then - * (read array references as subscripts over time) - * Z[0] = c; - * for i = 1...n - * Z[i] = (Z[i+1] + X[i])**2 modulo N - * X[n+1] = Z[n] = MDC - * - * Then pick - * N = 2**31 -1 - * m = 16 - * iterate 4 times over plaintext, also use Zn - * from iteration j as seed for iteration j+1, - * total MDC is then a 128 bit array of the four - * Zn; - * - * return the last Zn and optionally, all - * four as output args. - * - * Modifications: - * To inhibit brute force searches of the seed space, this - * implementation is modified to have - * Z = 64 bit accumulator - * C = 64 bit C seed - * N = 2**63 - 1 - * S = S seed is not implemented here - * arithmetic is not quite real double integer precision, since we - * cant get at the carry or high order results from multiply, - * but nontheless is 64 bit arithmetic. - */ -/* - * This code purports to implement the above algorithm, but fails. - * - * First of all, there was an implicit mod 2**32 being done on the - * machines where this was developed because of their word sizes, and - * for compabitility this has to be done on machines with 64-bit - * words, so we make it explicit. - * - * Second, in the squaring operation, I really doubt the carry-over - * from the low 31-bit half of the accumulator is being done right, - * and using a modulus of 0x7fffffff on the low half of the - * accumulator seems completely wrong. And I challenge anyone to - * explain where the number 83653421 comes from. 
- * - * --Ken Raeburn 2001-04-06 - */ - - -/* System include files */ -#include -#include - -#include "des_int.h" -#include "des.h" - -/* Definitions for byte swapping */ - -/* vax byte order is LSB first. This is not performance critical, and - is far more readable this way. */ -#define four_bytes_vax_to_nets(x) ((((((x[3]<<8)|x[2])<<8)|x[1])<<8)|x[0]) -#define vaxtohl(x) four_bytes_vax_to_nets(((const unsigned char *)(x))) -#define two_bytes_vax_to_nets(x) ((x[1]<<8)|x[0]) -#define vaxtohs(x) two_bytes_vax_to_nets(((const unsigned char *)(x))) - -/* Externals */ -extern int des_debug; - -/*** Routines ***************************************************** */ - -unsigned long KRB5_CALLCONV -des_quad_cksum(in,out,length,out_count,c_seed) - const unsigned char *in; /* input block */ - unsigned DES_INT32 *out; /* optional longer output */ - long length; /* original length in bytes */ - int out_count; /* number of iterations */ - mit_des_cblock *c_seed; /* secret seed, 8 bytes */ -{ - - /* - * this routine both returns the low order of the final (last in - * time) 32bits of the checksum, and if "out" is not a null - * pointer, a longer version, up to entire 32 bytes of the - * checksum is written unto the address pointed to. - */ - - register unsigned DES_INT32 z; - register unsigned DES_INT32 z2; - register unsigned DES_INT32 x; - register unsigned DES_INT32 x2; - const unsigned char *p; - register DES_INT32 len; - register int i; - - /* use all 8 bytes of seed */ - - z = vaxtohl(c_seed); - z2 = vaxtohl((const char *)c_seed+4); - if (out == NULL) - out_count = 1; /* default */ - - /* This is repeated n times!! */ - for (i = 1; i <=4 && i<= out_count; i++) { - len = length; - p = in; - while (len) { - /* - * X = Z + Input ... sort of. Carry out from low half - * isn't done, so we're using all 32 bits of x now. 
- */ - if (len > 1) { - x = (z + vaxtohs(p)); - p += 2; - len -= 2; - } - else { - x = (z + *(const unsigned char *)p++); - len = 0; - } - x2 = z2; - /* - * I think this is supposed to be a squaring operation. - * What it really is, I haven't figured out yet. - * - * Explicit mod 2**32 is for backwards compatibility. Why - * mod 0x7fffffff and not 0x80000000 on the low half of - * the (supposed) accumulator? And where does the number - * 83653421 come from?? - */ - z = (((x * x) + (x2 * x2)) & 0xffffffff) % 0x7fffffff; - z2 = ((x * (x2+83653421)) & 0xffffffff) % 0x7fffffff; /* modulo */ -#ifdef DEBUG - if (des_debug & 8) - printf("%d %d\n",z,z2); -#endif - } - - if (out != NULL) { - *out++ = z; - *out++ = z2; - } - } - /* return final z value as 32 bit version of checksum */ - return z; -} diff --git a/src/lib/des425/random_key.c b/src/lib/des425/random_key.c deleted file mode 100644 index f367fc817..000000000 --- a/src/lib/des425/random_key.c +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
- * lib/des425/random_key.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "des_int.h"
-#include "des.h"
-
-/* random_key */
-int
-des_random_key(key)
- mit_des_cblock *key;
-{
- krb5_keyblock keyblock;
- krb5_error_code kret;
-
- if ((kret = krb5_c_make_random_key(/* XXX */ 0, ENCTYPE_DES_CBC_CRC,
- &keyblock)))
- return(kret);
-
- memcpy(key, keyblock.contents, sizeof(mit_des_cblock));
-
- return(0);
-}
-
diff --git a/src/lib/des425/read_passwd.c b/src/lib/des425/read_passwd.c
deleted file mode 100644
index bdcb32999..000000000
--- a/src/lib/des425/read_passwd.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * lib/des425/read_passwd.c
- *
- * Copyright 1985,1986,1987,1988,1991 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * This routine prints the supplied string to standard
- * output as a prompt, and reads a password string without
- * echoing.
- */
-
-#if !defined(_WIN32)
-
-#include "des_int.h"
-#include "des.h"
-#include
-#include
-#include
-/* This is re-declared here because des.h might not declare it. */
-int KRB5_CALLCONV des_read_pw_string(char *, int, char *, int);
-static int des_rd_pwstr_2prompt(char *, int, char *, char *);
-
-
-/*** Routines ****************************************************** */
-static int
-des_rd_pwstr_2prompt(return_pwd, bufsize_in, prompt, prompt2)
- char *return_pwd;
- int bufsize_in;
- char *prompt;
- char *prompt2;
-{
- krb5_data reply_data;
- krb5_prompt k5prompt;
- krb5_error_code retval;
- reply_data.length = bufsize_in;
- reply_data.data = return_pwd;
- k5prompt.prompt = prompt;
- k5prompt.hidden = 1;
- k5prompt.reply = &reply_data;
- retval = krb5_prompter_posix(NULL,
- NULL, NULL, NULL, 1, &k5prompt);
-
- if ((retval==0) && prompt2) {
- krb5_data verify_data;
- verify_data.data = malloc(bufsize_in);
- verify_data.length = bufsize_in;
- k5prompt.prompt = prompt2;
- k5prompt.reply = &verify_data;
- if (!verify_data.data)
- return ENOMEM;
- retval = krb5_prompter_posix(NULL,
- NULL,NULL, NULL, 1, &k5prompt);
- if (retval) {
- free(verify_data.data);
- } else {
- /* compare */
- if (strncmp(return_pwd, (char *)verify_data.data, bufsize_in)) {
- retval = KRB5_LIBOS_BADPWDMATCH;
- free(verify_data.data);
- }
- }
- }
- return retval;
-}
-
-
-int KRB5_CALLCONV
-des_read_password(k,prompt,verify)
- mit_des_cblock *k;
- char *prompt;
- int verify;
-{
- int ok;
- char key_string[BUFSIZ];
-
- ok = des_read_pw_string(key_string, sizeof(key_string), prompt, verify);
- if (ok == 0)
- des_string_to_key(key_string, *k);
-
- memset(key_string, 0, sizeof (key_string));
- return ok;
-}
-
-/* Note: this function is exported on KfM. Do not change its ABI. */
-int KRB5_CALLCONV
-des_read_pw_string(s, max, prompt, verify)
- char *s;
- int max;
- char *prompt;
- int verify;
-{
- int ok;
- char prompt2[BUFSIZ];
-
- if (verify) {
- snprintf(prompt2, sizeof(prompt2), "Verifying, please re-enter %s",
- prompt);
- }
- ok = des_rd_pwstr_2prompt(s, max, prompt, verify ? prompt2 : 0);
- return ok;
-}
-
-#else /* !unix */
-/*
- * These are all just dummy functions to make the rest of the library happy...
- */
-#endif /* _WINDOWS */
diff --git a/src/lib/des425/str_to_key.c b/src/lib/des425/str_to_key.c
deleted file mode 100644
index 4ddcaed4a..000000000
--- a/src/lib/des425/str_to_key.c
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * lib/des425/str_to_key.c
- *
- * Copyright 1985, 1986, 1987, 1988, 1989,1990 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * These routines perform encryption and decryption using the DES
- * private key algorithm, or else a subset of it-- fewer inner loops.
- * (AUTH_DES_ITER defaults to 16, may be less.)
- *
- * Under U.S. law, this software may not be exported outside the US
- * without license from the U.S. Commerce department.
- *
- * The key schedule is passed as an arg, as well as the cleartext or
- * ciphertext. The cleartext and ciphertext should be in host order.
- *
- * These routines form the library interface to the DES facilities.
- *
- * spm 8/85 MIT project athena
- */
-
-
-#include
-#include
-#include "des_int.h"
-#include "des.h"
-
-extern int mit_des_debug;
-
-/*
- * Convert an arbitrary length string to a DES key.
- */
-
-/*
- * For krb5, a change was made to this algorithm: When each key is
- * generated, after fixing parity, a check for weak and semi-weak keys
- * is done. If the key is weak or semi-weak, we XOR the last byte
- * with 0xF0. (In the case of the intermediate key, the weakness is
- * probably irrelevant, but there it is.) The odds that this will
- * generate a different key for a random input string are pretty low,
- * but non-zero. So we need this different function for krb4 to use.
- */
-int KRB5_CALLCONV
-des_string_to_key(str,key)
- const char *str;
- register mit_des_cblock key;
-{
- const char *in_str;
- register unsigned temp;
- register int j;
- unsigned long i, length;
- unsigned char *k_p;
- int forward;
- register char *p_char;
- char k_char[64];
- mit_des_key_schedule key_sked;
-
- in_str = str;
- forward = 1;
- p_char = k_char;
- length = strlen(str);
-
- /* init key array for bits */
- memset(k_char, 0,sizeof(k_char));
-
-#ifdef DEBUG
- if (mit_des_debug)
- fprintf(stdout,
- "\n\ninput str length = %ld string = %s\nstring = 0x ",
- length,str);
-#endif
-
- /* get next 8 bytes, strip parity, xor */
- for (i = 1; i <= length; i++) {
- /* get next input key byte */
- temp = (unsigned int) *str++;
-#ifdef DEBUG
- if (mit_des_debug)
- fprintf(stdout,"%02x ",temp & 0xff);
-#endif
- /* loop through bits within byte, ignore parity */
- for (j = 0; j <= 6; j++) {
- if (forward)
- *p_char++ ^= (int) temp & 01;
- else
- *--p_char ^= (int) temp & 01;
- temp = temp >> 1;
- }
-
- /* check and flip direction */
- if ((i%8) == 0)
- forward = !forward;
- }
-
- /* now stuff into the key des_cblock, and force odd parity */
- p_char = k_char;
- k_p = (unsigned char *) key;
-
- for (i = 0; i <= 7; i++) {
- temp = 0;
- for (j = 0; j <= 6; j++)
- temp |= *p_char++ << (1+j);
- *k_p++ = (unsigned char) temp;
- }
-
- /* fix key parity */
- des_fixup_key_parity(key);
-
- /* Now one-way encrypt it with the folded key */
- (void) des_key_sched(key, key_sked);
- (void) des_cbc_cksum((const des_cblock *)in_str, (des_cblock *)key,
- length, key_sked, (const des_cblock *)key);
- /* erase key_sked */
- memset(key_sked, 0,sizeof(key_sked));
-
- /* now fix up key parity again */
- des_fixup_key_parity(key);
-
-#ifdef DEBUG
- if (mit_des_debug)
- fprintf(stdout,
- "\nResulting string_to_key = 0x%x 0x%x\n",
- *((unsigned long *) key),
- *((unsigned long *) key+1));
-#endif /* DEBUG */
- return 0; /* Really should be returning void, */
- /* but the original spec was for it to */
- /* return an int, and ANSI compilers */
- /* can do dumb things sometimes */
-}
-
-void afs_string_to_key(char *str, char *cell, des_cblock key)
-{
- krb5_data str_data;
- krb5_data cell_data;
- krb5_keyblock keyblock;
-
- str_data.data = str;
- str_data.length = strlen(str);
- cell_data.data = cell;
- cell_data.length = strlen(cell);
- keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- keyblock.length = sizeof(des_cblock);
- keyblock.contents = key;
-
- mit_afs_string_to_key(&keyblock, &str_data, &cell_data);
-}
diff --git a/src/lib/des425/string2key.c b/src/lib/des425/string2key.c
deleted file mode 100644
index 8756787a1..000000000
--- a/src/lib/des425/string2key.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* THIS FILE DOES NOT GET COMPILED. AUDIT BEFORE USE. */
-/*
- * lib/des425/string2key.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Wrapper for the V4 libdes for use with kerberos V5.
- */
-
-
-#include "des.h"
-#include "des_int.h"
-
-#ifdef DEBUG
-#include
-extern int des_debug;
-#endif
-
-/*
- converts the string pointed to by "data" into an encryption key
- of type "enctype". *keyblock is filled in with the key info;
- in particular, keyblock->contents is to be set to allocated storage.
- It is the responsibility of the caller to release this storage
- when the generated key no longer needed.
-
- The routine may use "princ" to seed or alter the conversion
- algorithm.
-
- If the particular function called does not know how to make a
- key of type "enctype", an error may be returned.
-
- returns: errors
- */
-
-krb5_error_code mit_des_string_to_key (enctype, keyblock, data, princ)
- const krb5_enctype enctype;
- krb5_keyblock * keyblock;
- const krb5_data * data;
- krb5_const_principal princ;
-{
- char copystr[512];
-
- register char *str = copystr;
- register krb5_octet *key;
-
- register unsigned temp,i;
- register int j;
- register long length;
- unsigned char *k_p;
- int forward;
- register char *p_char;
- char k_char[64];
- mit_des_key_schedule key_sked;
-
-#define min(A, B) ((A) < (B) ? (A): (B))
-
- if ( enctype != ENCTYPE_DES )
- return (KRB5_PROG_ENCTYPE_NOSUPP);
-
- if ( !(keyblock->contents = (krb5_octet *)malloc(sizeof(mit_des_cblock))) )
- return(ENOMEM);
-
-#define cleanup() {memset(keyblock->contents, 0, sizeof(mit_des_cblock));\
- krb5_xfree(keyblock->contents);}
-
- keyblock->enctype = ENCTYPE_DES;
- keyblock->length = sizeof(mit_des_cblock);
- key = keyblock->contents;
-
- memset(copystr, 0, sizeof(copystr));
- j = min(data->length, 511);
- (void) strncpy(copystr, data->data, j);
- if ( princ != 0 )
- for (i=0; princ[i] != 0 && j < 511; i++) {
- (void) strncpy(copystr+j, princ[i]->data,
- min(princ[i]->length, 511-j));
- j += min(princ[i]->length, 511-j);
- }
-
- /* convert copystr to des key */
- forward = 1;
- p_char = k_char;
- length = strlen(str);
-
- /* init key array for bits */
- memset(k_char,0,sizeof(k_char));
-
-#ifdef DEBUG
- if (mit_des_debug)
- fprintf(stdout,
- "\n\ninput str length = %d string = %s\nstring = 0x ",
- length,str);
-#endif
-
- /* get next 8 bytes, strip parity, xor */
- for (i = 1; i <= length; i++) {
- /* get next input key byte */
- temp = (unsigned int) *str++;
-#ifdef DEBUG
- if (mit_des_debug)
- fprintf(stdout,"%02x ",temp & 0xff);
-#endif
- /* loop through bits within byte, ignore parity */
- for (j = 0; j <= 6; j++) {
- if (forward)
- *p_char++ ^= (int) temp & 01;
- else
- *--p_char ^= (int) temp & 01;
- temp = temp >> 1;
- }
-
- /* check and flip direction */
- if ((i%8) == 0)
- forward = !forward;
- }
-
- /* now stuff into the key mit_des_cblock, and force odd parity */
- p_char = k_char;
- k_p = (unsigned char *) key;
-
- for (i = 0; i <= 7; i++) {
- temp = 0;
- for (j = 0; j <= 6; j++)
- temp |= *p_char++ << (1+j);
- *k_p++ = (unsigned char) temp;
- }
-
- /* fix key parity */
- mit_des_fixup_key_parity(key);
-
- /* Now one-way encrypt it with the folded key */
- (void) mit_des_key_sched(key, key_sked);
- (void) mit_des_cbc_cksum((krb5_octet *)copystr, key, length, key_sked, key);
- /* erase key_sked */
- memset((char *)key_sked, 0, sizeof(key_sked));
-
- /* now fix up key parity again */
- mit_des_fixup_key_parity(key);
-
-#ifdef DEBUG
- if (mit_des_debug)
- fprintf(stdout,
- "\nResulting string_to_key = 0x%x 0x%x\n",
- *((unsigned long *) key),
- *((unsigned long *) key+1));
-#endif
-
- return 0;
-}
-
-
-
-
diff --git a/src/lib/des425/t_pcbc.c b/src/lib/des425/t_pcbc.c
deleted file mode 100644
index 2932148b7..000000000
--- a/src/lib/des425/t_pcbc.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * lib/des425/t_quad.c
- *
- * Copyright 2001 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-
-#include
-#include
-#include "des_int.h"
-#include "des.h"
-
-char *progname;
-int des_debug;
-
-/* These test values were constructed by experimentation, because I
- couldn't be bothered to look up the spec for the encryption mode
- and see if any test vector is defined. But really, the thing we
- need to test is that the operation we use doesn't changed. Like
- with quad_cksum, compatibility is more important than strict
- adherence to the spec, if we have to choose. In any case, if you
- have a useful test vector, send it in.... */
-struct {
- unsigned char text[32];
- des_cblock out[4];
-} tests[] = {
- {
- "Now is the time for all ",
- {
- { 0x7f, 0x81, 0x65, 0x41, 0x21, 0xdb, 0xd4, 0xcf, },
- { 0xf8, 0xaa, 0x09, 0x90, 0xeb, 0xc7, 0x60, 0x2b, },
- { 0x45, 0x3e, 0x4e, 0x65, 0x83, 0x6c, 0xf1, 0x98, },
- { 0x4c, 0xfc, 0x69, 0x72, 0x23, 0xdb, 0x48, 0x78, }
- }
- }, {
- "7654321 Now is the time for ",
- {
- { 0xcc, 0xd1, 0x73, 0xff, 0xab, 0x20, 0x39, 0xf4, },
- { 0x6d, 0xec, 0xb4, 0x70, 0xa0, 0xe5, 0x6b, 0x15, },
- { 0xae, 0xa6, 0xbf, 0x61, 0xed, 0x7d, 0x9c, 0x9f, },
- { 0xf7, 0x17, 0x46, 0x3b, 0x8a, 0xb3, 0xcc, 0x88, }
- }
- }, {
- "hi",
- { { 0x76, 0x61, 0x0e, 0x8b, 0x23, 0xa4, 0x5f, 0x34, } }
- },
-};
-
-/* 0x0123456789abcdef */
-unsigned char default_key[8] = {
- 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
-};
-des_cblock ivec = {
- 0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10
-};
-
-int
-main(argc,argv)
- int argc;
- char *argv[];
-{
- int i;
- int fail=0;
- des_cblock out[32/8];
- des_cblock out2[32/8];
- des_key_schedule sked;
-
- progname=argv[0]; /* salt away invoking program */
-
- /* use known input and key */
-
- for (i = 0; i < 3; i++) {
- int wrong = 0, j, jmax;
- des_key_sched (default_key, sked);
- /* This could lose on alignment... */
- des_pcbc_encrypt ((des_cblock *)&tests[i].text, out,
- strlen(tests[i].text) + 1, sked, &ivec, 1);
- printf ("pcbc_encrypt(\"%s\") = {", tests[i].text);
- jmax = (strlen (tests[i].text) + 8) & ~7U;
- for (j = 0; j < jmax; j++) {
- if (j % 8 == 0)
- printf ("\n\t");
- printf (" 0x%02x,", out[j/8][j%8]);
- if (out[j/8][j%8] != tests[i].out[j/8][j%8])
- wrong = 1;
- }
- printf ("\n}\n");
-
- /* reverse it */
- des_pcbc_encrypt (out, out2, jmax, sked, &ivec, 0);
- if (strcmp ((char *)out2, tests[i].text)) {
- printf ("decrypt failed\n");
- wrong = 1;
- } else
- printf ("decrypt worked\n");
-
- if (wrong) {
- printf ("wrong result!\n");
- fail = 1;
- }
- }
- return fail;
-}
diff --git a/src/lib/des425/t_quad.c b/src/lib/des425/t_quad.c
deleted file mode 100644
index b9299fd20..000000000
--- a/src/lib/des425/t_quad.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * lib/des425/t_quad.c
- *
- * Copyright 2001 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-
-#include
-#include
-#include "des_int.h"
-#include "des.h"
-
-extern unsigned long quad_cksum();
-char *progname;
-int des_debug;
-unsigned DES_INT32 out[8];
-struct {
- unsigned char text[64];
- unsigned DES_INT32 out[8];
-} tests[] = {
- {
- "Now is the time for all ",
- {
- 0x6c6240c5, 0x77db9b1c, 0x7991d316, 0x4e688989,
- 0x27a0ae6a, 0x13be2da4, 0x4a2fdfc6, 0x7dfc494c,
- }
- }, {
- "7654321 Now is the time for ",
- {
- 0x36839db5, 0x4d7be717, 0x15b0f5b6, 0x2304ff9c,
- 0x75472d26, 0x6a5f833c, 0x7399a4ee, 0x1170fdfb,
- }
- }, {
- {2,0,0,0, 1,0,0,0},
- {
- 0x7c81f205, 0x63d38e38, 0x314ece44, 0x05d3a4f8,
- 0x6e10db76, 0x3eda7685, 0x2e841332, 0x1bdc7fd3,
- }
- },
-};
-
-/* 0x0123456789abcdef */
-unsigned char default_key[8] = {
- 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
-};
-
-int
-main(argc,argv)
- int argc;
- char *argv[];
-{
- int i;
- int fail=0;
-
- progname=argv[0]; /* salt away invoking program */
-
- /* use known input and key */
-
- for (i = 0; i < 3; i++) {
- int wrong = 0, j;
- des_quad_cksum (tests[i].text, out, 64L, 4,
- (mit_des_cblock *) &default_key);
- if (tests[i].text[0] == 2)
- printf ("quad_cksum() = {");
- else
- printf ("quad_cksum(\"%s\"...zero fill...) = {", tests[i].text);
- for (j = 0; j < 8; j++) {
- if (j == 0 || j == 4)
- printf ("\n\t");
- printf (" 0x%lx,", (unsigned long) out[j]);
- if (out[j] != tests[i].out[j])
- wrong = 1;
- }
- printf ("\n}\n");
- if (wrong) {
- printf ("wrong result!\n");
- fail = 1;
- }
- }
- return fail;
-}
diff --git a/src/lib/des425/unix_time.c b/src/lib/des425/unix_time.c
deleted file mode 100644
index 53ce03b68..000000000
--- a/src/lib/des425/unix_time.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * unix_time.c
- *
- * Glue code for pasting Kerberos into the Unix environment.
- *
- * Originally written by John Gilmore, Cygnus Support, May '94.
- * Public Domain.
- *
- * Required for use by the Cygnus krb.a.
- */
-
-
-#include "k5-int.h"
-
-#if !defined(_WIN32)
-#include
-
-krb5_ui_4
-unix_time_gmt_unixsec (usecptr)
- krb5_ui_4 *usecptr;
-{
- struct timeval now;
-
- (void) gettimeofday (&now, (struct timezone *)0);
- if (usecptr)
- *usecptr = now.tv_usec;
- return now.tv_sec;
-}
-
-#endif /* !_WIN32 */
-
-#ifdef _WIN32
-#include
-
-krb5_ui_4
-unix_time_gmt_unixsec (usecptr)
- krb5_ui_4 *usecptr;
-{
- time_t gmt;
-
- time(&gmt);
- if (usecptr)
- *usecptr = gmt;
- return gmt;
-}
-#endif /* _WIN32 */
diff --git a/src/lib/des425/util.c b/src/lib/des425/util.c
deleted file mode 100644
index 2c5ef9216..000000000
--- a/src/lib/des425/util.c
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * lib/des425/util.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- *
- * Miscellaneous debug printing utilities
- */
-
-#include
-
-/* Application include files */
-#include "k5-int.h"
-#include "des_int.h"
-#include "des.h"
-
-void des_cblock_print_file(x, fp)
- des_cblock *x;
- FILE *fp;
-{
- unsigned char *y = *x;
- register int i = 0;
- fprintf(fp," 0x { ");
-
- while (i++ < 8) {
- fprintf(fp,"%x",*y++);
- if (i < 8)
- fprintf(fp,", ");
- }
- fprintf(fp," }");
-}
diff --git a/src/lib/des425/verify.c b/src/lib/des425/verify.c
deleted file mode 100644
index 653730a2f..000000000
--- a/src/lib/des425/verify.c
+++ /dev/null
@@ -1,317 +0,0 @@
-/*
- * lib/des425/verify.c
- *
- * Copyright 1988,1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Program to test the correctness of the DES library
- * implementation.
- *
- * exit returns 0 ==> success
- * -1 ==> error
- */
-
-
-#include
-#include
-#include "des_int.h"
-#include "des.h"
-
-char *progname;
-int nflag = 2;
-int vflag;
-int mflag;
-int zflag;
-int pid;
-int des_debug;
-des_key_schedule KS;
-unsigned char cipher_text[64];
-unsigned char clear_text[64] = "Now is the time for all " ;
-unsigned char clear_text2[64] = "7654321 Now is the time for ";
-unsigned char clear_text3[64] = {2,0,0,0, 1,0,0,0};
-unsigned char output[64];
-unsigned char zero_text[8] = {0x0,0,0,0,0,0,0,0};
-unsigned char msb_text[8] = {0x0,0,0,0, 0,0,0,0x40}; /* to ANSI MSB */
-unsigned char *input;
-
-/* 0x0123456789abcdef */
-unsigned char default_key[8] = {
- 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
-};
-unsigned char key2[8] = { 0x08,0x19,0x2a,0x3b,0x4c,0x5d,0x6e,0x7f };
-unsigned char key3[8] = { 0x80,1,1,1,1,1,1,1 };
-des_cblock s_key;
-unsigned char default_ivec[8] = {
- 0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef
-};
-unsigned char *ivec;
-unsigned char zero_key[8] = {1,1,1,1,1,1,1,1}; /* just parity bits */
-int i,j;
-
-unsigned char cipher1[8] = {
- 0x25,0xdd,0xac,0x3e,0x96,0x17,0x64,0x67
-};
-unsigned char cipher2[8] = {
- 0x3f,0xa4,0x0e,0x8a,0x98,0x4d,0x48,0x15
-};
-unsigned char cipher3[64] = {
- 0xe5,0xc7,0xcd,0xde,0x87,0x2b,0xf2,0x7c,
- 0x43,0xe9,0x34,0x00,0x8c,0x38,0x9c,0x0f,
- 0x68,0x37,0x88,0x49,0x9a,0x7c,0x05,0xf6
-};
-unsigned char checksum[8] = {
- 0x58,0xd2,0xe7,0x7e,0x86,0x06,0x27,0x33
-};
-
-unsigned char zresult[8] = {
- 0x8c, 0xa6, 0x4d, 0xe9, 0xc1, 0xb1, 0x23, 0xa7
-};
-
-unsigned char mresult[8] = {
- 0xa3, 0x80, 0xe0, 0x2a, 0x6b, 0xe5, 0x46, 0x96
-};
-
-
-/*
- * Can also add :
- * plaintext = 0, key = 0, cipher = 0x8ca64de9c1b123a7 (or is it a 1?)
- */
-
-void do_encrypt (unsigned char *, unsigned char *);
-void do_decrypt (unsigned char *, unsigned char *);
-
-int
-main(argc,argv)
- int argc;
- char *argv[];
-{
- /* Local Declarations */
- unsigned long in_length;
-
- progname=argv[0]; /* salt away invoking program */
-
- while (--argc > 0 && (*++argv)[0] == '-')
- for (i=1; argv[0][i] != '\0'; i++) {
- switch (argv[0][i]) {
-
- /* debug flag */
- case 'd':
- des_debug=3;
- continue;
-
- case 'z':
- zflag = 1;
- continue;
-
- case 'm':
- mflag = 1;
- continue;
-
- default:
- printf("%s: illegal flag \"%c\" ",
- progname,argv[0][i]);
- exit(1);
- }
- };
-
- if (argc) {
- fprintf(stderr, "Usage: %s [-dmz]\n", progname);
- exit(1);
- }
-
- /* use known input and key */
-
- /* ECB zero text zero key */
- if (zflag) {
- input = zero_text;
- des_key_sched(zero_key,KS);
- printf("plaintext = key = 0, cipher = 0x8ca64de9c1b123a7\n");
- do_encrypt(input,cipher_text);
- printf("\tcipher = (low to high bytes)\n\t\t");
- for (j = 0; j<=7; j++)
- printf("%02x ",cipher_text[j]);
- printf("\n");
- do_decrypt(output,cipher_text);
- if ( memcmp((char *)cipher_text, (char *)zresult, 8) ) {
- printf("verify: error in zero key test\n");
- exit(-1);
- }
- exit(0);
- }
-
- if (mflag) {
- input = msb_text;
- des_key_sched(key3,KS);
- printf("plaintext = 0x00 00 00 00 00 00 00 40, ");
- printf("key = 0, cipher = 0x??\n");
- do_encrypt(input,cipher_text);
- printf("\tcipher = (low to high bytes)\n\t\t");
- for (j = 0; j<=7; j++) {
- printf("%02x ",cipher_text[j]);
- }
- printf("\n");
- do_decrypt(output,cipher_text);
- if ( memcmp((char *)cipher_text, (char *)mresult, 8) ) {
- printf("verify: error in msb test\n");
- exit(-1);
- }
- exit(0);
- }
-
- /* ECB mode Davies and Price */
- {
- input = zero_text;
- des_key_sched(key2,KS);
- printf("Examples per FIPS publication 81, keys ivs and cipher\n");
- printf("in hex. These are the correct answers, see below for\n");
- printf("the actual answers.\n\n");
- printf("Examples per Davies and Price.\n\n");
- printf("EXAMPLE ECB\tkey = 08192a3b4c5d6e7f\n");
- printf("\tclear = 0\n");
- printf("\tcipher = 25 dd ac 3e 96 17 64 67\n");
- printf("ACTUAL ECB\n");
- printf("\tclear \"%s\"\n", input);
- do_encrypt(input,cipher_text);
- printf("\tcipher = (low to high bytes)\n\t\t");
- for (j = 0; j<=7; j++)
- printf("%02x ",cipher_text[j]);
- printf("\n\n");
- do_decrypt(output,cipher_text);
- if ( memcmp((char *)cipher_text, (char *)cipher1, 8) ) {
- printf("verify: error in ECB encryption\n");
- exit(-1);
- }
- else
- printf("verify: ECB encription is correct\n\n");
- }
-
- /* ECB mode */
- {
- des_key_sched(default_key,KS);
- input = clear_text;
- ivec = default_ivec;
- printf("EXAMPLE ECB\tkey = 0123456789abcdef\n");
- printf("\tclear = \"Now is the time for all \"\n");
- printf("\tcipher = 3f a4 0e 8a 98 4d 48 15 ...\n");
- printf("ACTUAL ECB\n\tclear \"%s\"",input);
- do_encrypt(input,cipher_text);
- printf("\n\tcipher = (low to high bytes)\n\t\t");
- for (j = 0; j<=7; j++) {
- printf("%02x ",cipher_text[j]);
- }
- printf("\n\n");
- do_decrypt(output,cipher_text);
- if ( memcmp((char *)cipher_text, (char *)cipher2, 8) ) {
- printf("verify: error in ECB encryption\n");
- exit(-1);
- }
- else
- printf("verify: ECB encription is correct\n\n");
- }
-
- /* CBC mode */
- printf("EXAMPLE CBC\tkey = 0123456789abcdef");
- printf("\tiv = 1234567890abcdef\n");
- printf("\tclear = \"Now is the time for all \"\n");
- printf("\tcipher =\te5 c7 cd de 87 2b f2 7c\n");
- printf("\t\t\t43 e9 34 00 8c 38 9c 0f\n");
- printf("\t\t\t68 37 88 49 9a 7c 05 f6\n");
-
- printf("ACTUAL CBC\n\tclear \"%s\"\n",input);
- in_length = strlen((char *) input);
- des_cbc_encrypt(input,cipher_text, in_length,KS,ivec,1);
- printf("\tciphertext = (low to high bytes)\n");
- for (i = 0; i <= 7; i++) {
- printf("\t\t");
- for (j = 0; j <= 7; j++) {
- printf("%02x ",cipher_text[i*8+j]);
- }
- printf("\n");
- }
- des_cbc_encrypt(cipher_text,clear_text,in_length,KS,ivec,0);
- printf("\tdecrypted clear_text = \"%s\"\n",clear_text);
-
- if ( memcmp(cipher_text, cipher3, (size_t) in_length) ) {
- printf("verify: error in CBC encryption\n");
- exit(-1);
- }
- else
- printf("verify: CBC encription is correct\n\n");
-
- printf("EXAMPLE CBC checksum");
- printf("\tkey = 0123456789abcdef\tiv = 1234567890abcdef\n");
- printf("\tclear =\t\t\"7654321 Now is the time for \"\n");
- printf("\tchecksum\t58 d2 e7 7e 86 06 27 33, ");
- printf("or some part thereof\n");
- input = clear_text2;
- des_cbc_cksum(input,cipher_text,(long) strlen((char *) input),KS,ivec);
- printf("ACTUAL CBC checksum\n");
- printf("\t\tencrypted cksum = (low to high bytes)\n\t\t");
- for (j = 0; j<=7; j++)
- printf("%02x ",cipher_text[j]);
- printf("\n\n");
- if ( memcmp((char *)cipher_text, (char *)checksum, 8) ) {
- printf("verify: error in CBC cheksum\n");
- exit(-1);
- }
- else
- printf("verify: CBC checksum is correct\n\n");
- exit(0);
-}
-
-void
-do_encrypt(in,out)
- unsigned char *in;
- unsigned char *out;
-{
- for (i =1; i<=nflag; i++) {
- des_ecb_encrypt((unsigned long *) in, (unsigned long *)out, KS, 1);
- if (des_debug) {
- printf("\nclear %s\n",in);
- for (j = 0; j<=7; j++)
- printf("%02X ",in[j] & 0xff);
- printf("\tcipher ");
- for (j = 0; j<=7; j++)
- printf("%02X ",out[j] & 0xff);
- }
- }
-}
-
-void
-do_decrypt(in,out)
- unsigned char *out;
- unsigned char *in;
- /* try to invert it */
-{
- for (i =1; i<=nflag; i++) {
- des_ecb_encrypt((unsigned long *) out, (unsigned long *)in,KS,0);
- if (des_debug) {
- printf("clear %s\n",in);
- for (j = 0; j<=7; j++)
- printf("%02X ",in[j] & 0xff);
- printf("\tcipher ");
- for (j = 0; j<=7; j++)
- printf("%02X ",out[j] & 0xff);
- }
- }
-}
diff --git a/src/lib/des425/weak_key.c b/src/lib/des425/weak_key.c
deleted file mode 100644
index f4ef6fbc5..000000000
--- a/src/lib/des425/weak_key.c
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * lib/des425/weak_key.c
- *
- * Copyright 1989,1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "des_int.h"
-#include "des.h"
-
-/*
- * mit_des_is_weak_key: returns true iff key is a [semi-]weak des key.
- *
- * Requires: key has correct odd parity.
- */
-int
-des_is_weak_key(key)
- mit_des_cblock key;
-{
- return (mit_des_is_weak_key(key));
-}
diff --git a/src/lib/krb4/CCache-glue.c b/src/lib/krb4/CCache-glue.c
deleted file mode 100644
index a078c9f69..000000000
--- a/src/lib/krb4/CCache-glue.c
+++ /dev/null
@@ -1,741 +0,0 @@
-/*
- * CCache-glue.c
- *
- * This file contains implementations of krb4 credentials cache operations in terms
- * of the CCache API ().
- *
- * $Header$
- */
-
-
-#include "krb.h"
-#include "krb4int.h"
-
-#if !defined (USE_CCAPI) || !USE_CCAPI
-#error "Cannot use CCache glue without the CCAPI!"
-#endif
-
-#ifdef USE_LOGIN_LIBRARY
-#include
-#endif /* USE_LOGIN_LIBRARY */
-#include
-
-#include
-#include
-
-/*
- * The following functions are part of the KfM ABI.
- * They are deprecated, so they only appear here, not in krb.h.
- *
- * Do not change the ABI of these functions!
- */
-int KRB5_CALLCONV krb_get_num_cred(void);
-int KRB5_CALLCONV krb_get_nth_cred(char *, char *, char *, int);
-int KRB5_CALLCONV krb_delete_cred(char *, char *,char *);
-int KRB5_CALLCONV dest_all_tkts(void);
-
-/* Internal functions */
-static void UpdateDefaultCache (void);
-
-/*
- * The way Kerberos v4 normally works is that at any given point in time there is a
- * file where all the tickets go, determined by an environment variable. If a user kinits
- * to a new principal, the existing tickets are replaced with new ones. At any point in time, there is a
- * "current" or "default" principal, which is determined by the principal associated with
- * the current ticket file.
- *
- * In the CCache API implementation, this corresponds to always having a "default"
- * or "current" named cache. The default principal then corresponds to that cache.
- *
- * Unfortunately, Kerberos v4 also has this notion that the default cache exists (in the sense
- * that its name is known) even before the actual file has been created.
- *
- * In addition to this, we cannot make the default cache system-wide global, because then
- * we get all sorts of interesting scenarios in which context switches between processes
- * can cause credentials to be stored in wrong caches.
- *
- * To solve all the problems, we have to emulate the concept of an environment variable,
- * by having a system-wide concept of what a default credentials cache is; then, we copy
- * the system-wide value into the per-process value when the application starts up.
- *
- * However, in order to allow applications to be able to sanely handle the user model we
- * want to support, in which the user has some way of selecting the system-wide default
- * user _without_ quitting and relaunching all applications (this is also necessary for
- * KClient support), calls had to be added to the Kerberos v4 library to reset the
- * per-process cached value of default cache.
- */
-
-/*
- * Name of the default cache
- */
-char* gDefaultCacheName = NULL;
-
-/*
- * Initialize credentials cache
- *
- * Creating the cache will blow away an existing one. The assumption is that
- * whoever called us made sure that the one that we blow away if it exists
- * is the right one to blow away.
- */
-
-int KRB5_CALLCONV
-krb_in_tkt (
- char* pname,
- char* pinst,
- char* realm)
-{
- char principal [MAX_K_NAME_SZ + 1];
- cc_int32 err = ccNoError;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
- cc_ccache_t ccache = NULL;
-
- err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (err == ccNoError) {
- snprintf (principal, sizeof(principal), "%s%s%s@%s", pname, (pinst [0] == '\0') ? "" : ".", pinst, realm);
- }
-
- if (err == ccNoError) {
- err = cc_context_create_ccache (cc_context, TKT_FILE, cc_credentials_v4, principal, &ccache);
- }
-
- if (ccache != NULL)
- cc_ccache_release (ccache);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if (err != ccNoError)
- return KFAILURE;
- else
- return KSUCCESS;
-}
-
-int KRB5_CALLCONV
-krb_save_credentials(
- char *service,
- char *instance,
- char *realm,
- C_Block session,
- int lifetime,
- int kvno,
- KTEXT ticket,
- long issue_date)
-{
- return krb4int_save_credentials_addr(service, instance, realm,
- session, lifetime, kvno,
- ticket, issue_date, 0);
-}
-
-/*
- * Store a ticket into the default credentials cache
- * cache must exist (if it didn't exist, it would have been created by in_tkt)
- */
-int
-krb4int_save_credentials_addr(
- char* service,
- char* instance,
- char* realm,
- C_Block session,
- int lifetime,
- int kvno,
- KTEXT ticket,
- KRB4_32 issue_date,
- KRB_UINT32 local_address)
-{
- cc_int32 cc_err = ccNoError;
- int kerr = KSUCCESS;
- cc_credentials_v4_t v4creds;
- cc_credentials_union creds;
- cc_ccache_t ccache = NULL;
- cc_string_t principal;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- /* First try existing cache */
- cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
- }
-
- if (cc_err == ccNoError) {
- /* Now we have a cache. Fill out the credentials and put them in the cache. */
- /* To fill out the credentials, we need the principal */
- cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal);
- }
-
- if (cc_err == ccNoError) {
- kerr = kname_parse (v4creds.principal, v4creds.principal_instance, v4creds.realm, (char*) principal -> data);
- cc_string_release (principal);
- }
-
- if ((cc_err == ccNoError) && (kerr == KSUCCESS)) {
- strncpy (v4creds.service, service, SNAME_SZ);
- strncpy (v4creds.service_instance, instance, INST_SZ);
- strncpy (v4creds.realm, realm, REALM_SZ);
- memmove (v4creds.session_key, session, sizeof (C_Block));
- v4creds.kvno = kvno;
- v4creds.string_to_key_type = cc_v4_stk_unknown;
- v4creds.issue_date = issue_date;
- v4creds.address = local_address;
- v4creds.lifetime = lifetime;
- v4creds.ticket_size = ticket -> length;
- memmove (v4creds.ticket, ticket -> dat, ticket -> length);
-
- creds.version = cc_credentials_v4;
- creds.credentials.credentials_v4 = &v4creds;
-
- cc_err = cc_ccache_store_credentials (ccache, &creds);
- }
-
- if (ccache != NULL)
- cc_ccache_release (ccache);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if (kerr != KSUCCESS)
- return kerr;
- if (cc_err != ccNoError)
- return KFAILURE;
- else
- return KSUCCESS;
-}
-
-/*
- * Credentials file -> realm mapping
- *
- * Determine the realm by opening the named cache and parsing realm from the principal
- */
-int KRB5_CALLCONV
-krb_get_tf_realm (
- const char* ticket_file,
- char* realm)
-{
- cc_string_t principal;
- char pname [ANAME_SZ];
- char pinst [INST_SZ];
- char prealm [REALM_SZ];
- int kerr = KSUCCESS;
- cc_int32 cc_err = ccNoError;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version = 0;
- cc_ccache_t ccache = NULL;
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- cc_err = cc_context_open_ccache (cc_context, ticket_file, &ccache);
- }
-
- if (cc_err == ccNoError) {
- cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal);
- }
-
- if (cc_err == ccNoError) {
- /* found cache. get princiapl and parse it */
- kerr = kname_parse (pname, pinst, prealm, (char*) principal -> data);
- cc_string_release (principal);
- }
-
- if ((cc_err == ccNoError) && (kerr == KSUCCESS)) {
- strcpy (realm, prealm);
- }
-
- if (ccache != NULL)
- cc_ccache_release (ccache);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if (kerr != KSUCCESS)
- return kerr;
- if (cc_err != ccNoError)
- return GC_NOTKT;
- else
- return KSUCCESS;
-}
-
-/*
- * Credentials file -> name, instance, realm mapping
- */
-int KRB5_CALLCONV
-krb_get_tf_fullname (
- const char* ticket_file,
- char* name,
- char* instance,
- char* realm)
-{
- cc_string_t principal;
- int kerr = KSUCCESS;
- cc_int32 cc_err = ccNoError;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
- cc_ccache_t ccache = NULL;
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- cc_err = cc_context_open_ccache (cc_context, ticket_file, &ccache);
- }
-
- if (cc_err == ccNoError) {
- /* found cache. get principal and parse it */
- cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal);
- }
-
- if (cc_err == ccNoError) {
- kerr = kname_parse (name, instance, realm, (char*) principal -> data);
- cc_string_release (principal);
- }
-
- if (ccache != NULL)
- cc_ccache_release (ccache);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if (kerr != KSUCCESS)
- return kerr;
- if (cc_err != ccNoError)
- return GC_NOTKT;
- else
- return KSUCCESS;
-}
-
-
-/*
- * Retrieval from credentials cache
- */
-int KRB5_CALLCONV
-krb_get_cred (
- char* service,
- char* instance,
- char* realm,
- CREDENTIALS* creds)
-{
- int kerr = KSUCCESS;
- cc_int32 cc_err = ccNoError;
- cc_credentials_t theCreds = NULL;
- cc_credentials_iterator_t iterator = NULL;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
- cc_ccache_t ccache = NULL;
-
-#ifdef USE_LOGIN_LIBRARY
- // If we are requesting a tgt, prompt for it
- if (strncmp (service, KRB_TICKET_GRANTING_TICKET, ANAME_SZ) == 0) {
- OSStatus err;
- char *cacheName;
- KLPrincipal outPrincipal;
-
- err = __KLInternalAcquireInitialTicketsForCache (TKT_FILE, kerberosVersion_V4, NULL,
- &outPrincipal, &cacheName);
-
- if (err == klNoErr) {
- krb_set_tkt_string (cacheName); // Tickets for the krb4 principal went here
- KLDisposeString (cacheName);
- KLDisposePrincipal (outPrincipal);
- } else {
- return GC_NOTKT;
- }
- }
-#endif /* USE_LOGIN_LIBRARY */
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
- }
-
- if (cc_err == ccNoError) {
- cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator);
- }
-
- if (cc_err == ccNoError) {
- for (;;) {
- /* get next creds */
- cc_err = cc_credentials_iterator_next (iterator, &theCreds);
- if (cc_err == ccIteratorEnd) {
- kerr = GC_NOTKT;
- break;
- }
- if (cc_err != ccNoError) {
- kerr = KFAILURE;
- break;
- }
-
- /* version, service, instance, realm check */
- if ((theCreds -> data -> version == cc_credentials_v4) &&
- (strcmp (theCreds -> data -> credentials.credentials_v4 -> service, service) == 0) &&
- (strcmp (theCreds -> data -> credentials.credentials_v4 -> service_instance, instance) == 0) &&
- (strcmp (theCreds -> data -> credentials.credentials_v4 -> realm, realm) == 0)) {
-
- /* Match! */
- strcpy (creds -> service, service);
- strcpy (creds -> instance, instance);
- strcpy (creds -> realm, realm);
- memmove (creds -> session, theCreds -> data -> credentials.credentials_v4 -> session_key, sizeof (C_Block));
- creds -> lifetime = theCreds -> data -> credentials.credentials_v4 -> lifetime;
- creds -> kvno = theCreds -> data -> credentials.credentials_v4 -> kvno;
- creds -> ticket_st.length = theCreds -> data -> credentials.credentials_v4 -> ticket_size;
- memmove (creds -> ticket_st.dat, theCreds -> data -> credentials.credentials_v4 -> ticket, creds -> ticket_st.length);
- creds -> issue_date = theCreds -> data -> credentials.credentials_v4 -> issue_date;
- strcpy (creds -> pname, theCreds -> data -> credentials.credentials_v4 -> principal);
- strcpy (creds -> pinst, theCreds -> data -> credentials.credentials_v4 -> principal_instance);
- creds -> stk_type = theCreds -> data -> credentials.credentials_v4 -> string_to_key_type;
-
- cc_credentials_release (theCreds);
- kerr = KSUCCESS;
- break;
- } else {
- cc_credentials_release (theCreds);
- }
- }
- }
-
- if (iterator != NULL)
- cc_credentials_iterator_release (iterator);
- if (ccache != NULL)
- cc_ccache_release (ccache);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if (kerr != KSUCCESS)
- return kerr;
- if (cc_err != ccNoError)
- return GC_NOTKT;
- else
- return KSUCCESS;
-}
-
-
-/*
- * Getting name of default credentials cache
- */
-const char* KRB5_CALLCONV
-tkt_string (void)
-{
- if (gDefaultCacheName == NULL) {
- UpdateDefaultCache ();
- }
- return gDefaultCacheName;
-}
-
-/*
- * Synchronize default cache for this process with system default cache
- */
-
-static void
-UpdateDefaultCache (void)
-{
- cc_string_t name;
- cc_int32 cc_err = ccNoError;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- cc_err = cc_context_get_default_ccache_name (cc_context, &name);
- }
-
- if (cc_err == ccNoError) {
- krb_set_tkt_string ((char*) name -> data);
- cc_string_release (name);
- }
-
- if (cc_context != NULL)
- cc_context_release (cc_context);
-}
-
-/*
- * Setting name of default credentials cache
- */
-void
-krb_set_tkt_string (
- const char* val)
-{
- /* If we get called with the return value of tkt_string, we
- shouldn't dispose of the input string */
- if (val != gDefaultCacheName) {
- if (gDefaultCacheName != NULL)
- free (gDefaultCacheName);
-
- gDefaultCacheName = malloc (strlen (val) + 1);
- if (gDefaultCacheName != NULL)
- strcpy (gDefaultCacheName, val);
- }
-}
-
-/*
- * Destroy credentials file
- *
- * Implementation in dest_tkt.c
- */
-int KRB5_CALLCONV
-dest_tkt (void)
-{
- cc_int32 cc_err = ccNoError;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
- cc_ccache_t ccache = NULL;
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
- }
-
- if (cc_err == ccNoError) {
- cc_ccache_destroy (ccache);
- }
-
- if (ccache != NULL)
- cc_ccache_release (ccache);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if (cc_err != ccNoError)
- return RET_TKFIL;
- else
- return KSUCCESS;
-}
-
-/*
- * The following functions are not part of the standard Kerberos v4 API.
- * They were created for Mac implementation, and used by admin tools
- * such as CNS-Config.
- */
-
-/*
- * Number of credentials in credentials cache
- */
-int KRB5_CALLCONV
-krb_get_num_cred (void)
-{
- cc_credentials_t theCreds = NULL;
- int count = 0;
- cc_credentials_iterator_t iterator = NULL;
- cc_int32 cc_err = ccNoError;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
- cc_ccache_t ccache = NULL;
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
- }
-
- if (cc_err == ccNoError) {
- cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator);
- }
-
- if (cc_err == ccNoError) {
- for (;;) {
- /* get next creds */
- cc_err = cc_credentials_iterator_next (iterator, &theCreds);
- if (cc_err != ccNoError)
- break;
-
- if (theCreds -> data -> version == cc_credentials_v4)
- count++;
-
- cc_credentials_release (theCreds);
- }
- }
-
- if (iterator != NULL)
- cc_credentials_iterator_release (iterator);
- if (ccache != NULL)
- cc_ccache_release (ccache);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if (cc_err != ccNoError)
- return 0;
- else
- return count;
-}
-
-/*
- * Retrieval from credentials file
- * This function is _not_!! well-defined under CCache API, because
- * there is no guarantee about order of credentials remaining the same.
- */
-int KRB5_CALLCONV
-krb_get_nth_cred (
- char* sname,
- char* sinstance,
- char* srealm,
- int n)
-{
- cc_credentials_t theCreds = NULL;
- int count = 0;
- cc_credentials_iterator_t iterator = NULL;
- cc_int32 cc_err = ccNoError;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
- cc_ccache_t ccache = NULL;
-
- if (n < 1)
- return KFAILURE;
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
- }
-
- if (cc_err == ccNoError) {
- cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator);
- }
-
- if (cc_err == ccNoError) {
- for (count = 0; count < n;) {
- /* get next creds */
- cc_err = cc_credentials_iterator_next (iterator, &theCreds);
- if (cc_err != ccNoError)
- break;
-
- if (theCreds -> data -> version == cc_credentials_v4)
- count++;
-
- if (count < n - 1)
- cc_credentials_release (theCreds);
- }
- }
-
- if (cc_err == ccNoError) {
- strcpy (sname, theCreds -> data -> credentials.credentials_v4 -> service);
- strcpy (sinstance, theCreds -> data -> credentials.credentials_v4 -> service_instance);
- strcpy (srealm, theCreds -> data -> credentials.credentials_v4 -> realm);
- }
-
- if (theCreds != NULL)
- cc_credentials_release (theCreds);
- if (iterator != NULL)
- cc_credentials_iterator_release (iterator);
- if (ccache != NULL)
- cc_ccache_release (ccache);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if (cc_err != ccNoError)
- return KFAILURE;
- else
- return KSUCCESS;
-}
-
-/*
- * Deletion from credentials file
- */
-int KRB5_CALLCONV
-krb_delete_cred (
- char* sname,
- char* sinstance,
- char* srealm)
-{
- cc_credentials_t theCreds = NULL;
- cc_credentials_iterator_t iterator = NULL;
- cc_int32 cc_err = ccNoError;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
- cc_ccache_t ccache = NULL;
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache);
- }
-
- if (cc_err == ccNoError) {
- cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator);
- }
-
- if (cc_err == ccNoError) {
- for (;;) {
- /* get next creds */
- cc_err = cc_credentials_iterator_next (iterator, &theCreds);
- if (cc_err != ccNoError) {
- break;
- }
-
- if ((theCreds -> data -> version == cc_credentials_v4) &&
- (strcmp (theCreds -> data -> credentials.credentials_v4 -> service, sname) == 0) &&
- (strcmp (theCreds -> data -> credentials.credentials_v4 -> service_instance, sinstance) == 0) &&
- (strcmp (theCreds -> data -> credentials.credentials_v4 -> realm, srealm) == 0)) {
-
- cc_ccache_remove_credentials (ccache, theCreds);
- cc_credentials_release (theCreds);
- break;
- }
-
- cc_credentials_release (theCreds);
- }
- }
-
- if (iterator != NULL)
- cc_credentials_iterator_release (iterator);
- if (ccache != NULL)
- cc_ccache_release (ccache);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if (cc_err != ccNoError)
- return KFAILURE;
- else
- return KSUCCESS;
-}
-
-/*
- * Destroy all credential caches
- *
- * Implementation in memcache.c
- */
-int KRB5_CALLCONV
-dest_all_tkts (void)
-{
- int count = 0;
- cc_ccache_iterator_t iterator = NULL;
- cc_int32 cc_err = ccNoError;
- cc_context_t cc_context = NULL;
- cc_int32 cc_version;
- cc_ccache_t ccache = NULL;
-
- cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL);
-
- if (cc_err == ccNoError) {
- cc_err = cc_context_new_ccache_iterator (cc_context, &iterator);
- }
-
- if (cc_err == ccNoError) {
- for (;;) {
- /* get next ccache */
- cc_err = cc_ccache_iterator_next (iterator, &ccache);
-
- if (cc_err != ccNoError)
- break;
-
- cc_ccache_destroy (ccache);
- count++;
- }
- }
-
- if (iterator != NULL)
- cc_credentials_iterator_release (iterator);
- if (cc_context != NULL)
- cc_context_release (cc_context);
-
- if ((cc_err == ccIteratorEnd) && (count == 0)) {
- /* first time, nothing to destroy */
- return KFAILURE;
- } else {
- if (cc_err == ccIteratorEnd) {
- /* done */
- return KSUCCESS;
- } else {
- /* error */
- return KFAILURE;
- }
- }
-}
diff --git a/src/lib/krb4/FSp-glue.c b/src/lib/krb4/FSp-glue.c
deleted file mode 100644
index 7bf0e7b54..000000000
--- a/src/lib/krb4/FSp-glue.c
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * lib/krb4/FSp-glue.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2002 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * MacOS-specific glue for using FSSpecs to deal with srvtabs.
- */
-
-#include "krb.h"
-#include "krb4int.h"
-#include
-#include
-
-#include
-/*
- * These functions are compiled in for ABI compatibility with older versions of KfM.
- * They are deprecated so they do not appear in the KfM headers anymore.
- *
- * Do not change their ABIs!
- */
-int KRB5_CALLCONV FSp_krb_get_svc_in_tkt (char *, char *, char *, char *, char *, int, const FSSpec *);
-int KRB5_CALLCONV FSp_put_svc_key (const FSSpec *, char *, char *, char *, int, char *);
-int KRB5_CALLCONV FSp_read_service_key (char *, char *, char *, int, const FSSpec*, char *);
-
-static int FSp_srvtab_to_key (char *, char *, char *, char *, C_Block);
-
-int KRB5_CALLCONV
-FSp_read_service_key(
- char *service, /* Service Name */
- char *instance, /* Instance name or "*" */
- char *realm, /* Realm */
- int kvno, /* Key version number */
- const FSSpec *filespec, /* Filespec */
- char *key) /* Pointer to key to be filled in */
-{
- int retval = KFAILURE;
- char file [MAXPATHLEN];
- if (filespec != NULL) {
- if (FSSpecToPOSIXPath (filespec, file, sizeof(file)) != noErr) {
- return retval;
- }
- }
- retval = read_service_key(service, instance, realm, kvno, file, key);
- if (file != NULL) {
- free (file);
- }
- return retval;
-}
-
-int KRB5_CALLCONV
-FSp_put_svc_key(
- const FSSpec *sfilespec,
- char *name,
- char *inst,
- char *realm,
- int newvno,
- char *key)
-{
- int retval = KFAILURE;
- char sfile[MAXPATHLEN];
-
- if (sfilespec != NULL) {
- if (FSSpecToPOSIXPath (sfilespec, sfile, sizeof(sfile)) != noErr) {
- return retval;
- }
- }
- retval = put_svc_key(sfile, name, inst, realm, newvno, key);
- if (sfile != NULL) {
- free (sfile);
- }
- return retval;
-}
-
-int KRB5_CALLCONV
-FSp_krb_get_svc_in_tkt(
- char *user, char *instance, char *realm,
- char *service, char *sinstance, int life,
- const FSSpec *srvtab)
-{
- /* Cast the FSSpec into the password field. It will be pulled out again */
- /* by FSp_srvtab_to_key and used to read the real password */
- return krb_get_in_tkt(user, instance, realm, service, sinstance,
- life, FSp_srvtab_to_key, NULL, (char *)srvtab);
-}
-
-static int FSp_srvtab_to_key(char *user, char *instance, char *realm,
- char *srvtab, C_Block key)
-{
- /* FSp_read_service_key correctly handles a NULL FSSpecPtr */
- return FSp_read_service_key(user, instance, realm, 0,
- (FSSpec *)srvtab, (char *)key);
-}
diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in
deleted file mode 100644
index 9275f9ecf..000000000
--- a/src/lib/krb4/Makefile.in
+++ /dev/null
@@ -1,664 +0,0 @@ -thisconfigdir=../.. -myfulldir=lib/krb4 -mydir=lib/krb4 -BUILDTOP=$(REL)..$(S).. -LOCALINCLUDES = -I$(BUILDTOP)/include/kerberosIV -I$(srcdir)/../../include/kerberosIV -I. -DEFINES= -DKRB4_USE_KEYTAB -DEFS= - -##DOS##BUILDTOP = ..\.. -##DOS##LIBNAME=$(OUTPRE)krb4.lib -##DOS##OBJFILE=$(OUTPRE)krb4.lst - -LIBBASE=krb4 -LIBMAJOR=2 -LIBMINOR=0 -RELDIR=krb4 - -# Depends on libk5crypto, libkrb5, KRB4_CRYPTO_LIB and _et_list... -# Depends on libkrb5, expect to find -# krb5_init_context, krb5_free_context, profile_get_values -# -KRB4_CRYPTO_LIBS=-ldes425 - -SHLIB_EXPDEPS = \ - $(TOPLIBD)/libdes425$(SHLIBEXT) \ - $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto -SHLIB_DIRS=-L$(TOPLIBD) -SHLIB_RDIRS=$(KRB5_LIBDIR) - -EHDRDIR=$(BUILDTOP)$(S)include$(S)kerberosIV -KRB_ERR=@KRB_ERR@ -##DOS##KRB_ERR=$(OUTPRE)krb_err.$(OBJEXT) - -# Name of generated krb_err.c, needed for err_txt.* dependency on Darwin. -KRB_ERR_C=@KRB_ERR_C@ -##DOS##KRB_ERR_C= - -OBJS = \ - $(OUTPRE)change_password.$(OBJEXT) \ - $(OUTPRE)cr_auth_repl.$(OBJEXT) \ - $(OUTPRE)cr_ciph.$(OBJEXT) \ - $(OUTPRE)cr_tkt.$(OBJEXT) \ - $(OUTPRE)debug.$(OBJEXT) \ - $(OUTPRE)decomp_tkt.$(OBJEXT) \ - $(OUTPRE)err_txt.$(OBJEXT) \ - $(OUTPRE)g_ad_tkt.$(OBJEXT) \ - $(OUTPRE)g_in_tkt.$(OBJEXT) \ - $(OUTPRE)g_phost.$(OBJEXT) \ - $(OUTPRE)g_pw_in_tkt.$(OBJEXT) \ - $(OUTPRE)g_pw_tkt.$(OBJEXT) \ - $(OUTPRE)g_tkt_svc.$(OBJEXT) \ - $(OUTPRE)gethostname.$(OBJEXT) \ - $(OUTPRE)getst.$(OBJEXT) \ - $(OUTPRE)kadm_err.$(OBJEXT) \ - $(OUTPRE)kadm_net.$(OBJEXT) \ - $(OUTPRE)kadm_stream.$(OBJEXT) \ - $(OUTPRE)kname_parse.$(OBJEXT) \ - $(OUTPRE)lifetime.$(OBJEXT) \ - $(OUTPRE)mk_auth.$(OBJEXT) \ - $(OUTPRE)mk_err.$(OBJEXT) \ - $(OUTPRE)mk_priv.$(OBJEXT) \ - $(OUTPRE)mk_req.$(OBJEXT) \ - $(OUTPRE)mk_safe.$(OBJEXT) \ - $(OUTPRE)month_sname.$(OBJEXT) \ - $(OUTPRE)password_to_key.$(OBJEXT) \ - $(OUTPRE)prot_client.$(OBJEXT) \ - $(OUTPRE)prot_common.$(OBJEXT) \ - 
$(OUTPRE)prot_kdc.$(OBJEXT) \ - $(OUTPRE)pkt_cipher.$(OBJEXT) \ - $(OUTPRE)pkt_clen.$(OBJEXT) \ - $(OUTPRE)rd_err.$(OBJEXT) \ - $(OUTPRE)rd_priv.$(OBJEXT) \ - $(OUTPRE)rd_safe.$(OBJEXT) \ - $(OUTPRE)send_to_kdc.$(OBJEXT) \ - $(OUTPRE)stime.$(OBJEXT) \ - $(OUTPRE)strnlen.$(OBJEXT) \ - $(OUTPRE)rd_preauth.$(OBJEXT) \ - $(OUTPRE)mk_preauth.$(OBJEXT) \ - $(OSOBJS) $(CACHEOBJS) $(SETENVOBJS) $(STRCASEOBJS) $(SHMOBJS) \ - $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) $(KRB_ERR) - -SRCS = \ - change_password.c \ - cr_auth_repl.c \ - cr_ciph.c \ - cr_tkt.c \ - debug.c \ - decomp_tkt.c \ - g_ad_tkt.c \ - g_pw_in_tkt.c \ - g_phost.c \ - g_pw_tkt.c \ - g_tkt_svc.c \ - getst.c \ - gethostname.c \ - kadm_err.c \ - kadm_net.c \ - kadm_stream.c \ - kname_parse.c \ - err_txt.c \ - lifetime.c \ - g_in_tkt.c \ - mk_auth.c \ - mk_err.c \ - mk_priv.c \ - mk_req.c \ - mk_safe.c \ - month_sname.c \ - password_to_key.c \ - pkt_cipher.c \ - pkt_clen.c \ - prot_client.c \ - prot_common.c \ - prot_kdc.c \ - rd_err.c \ - rd_priv.c \ - rd_safe.c \ - send_to_kdc.c \ - stime.c \ - strnlen.c \ - rd_preauth.c \ - mk_preauth.c \ - unix_time.c \ - $(OSSRCS) $(CACHESRCS) $(SETENVSRCS) $(STRCASESRCS) $(SHMSRCS) \ - $(LIB_KRB_HOSTSRCS) $(SERVER_KRB_SRCS) $(NETIO_SRCS) $(REALMDBSRCS) - -STLIBOBJS = $(OBJS) -STOBJLISTS=OBJS.ST - -# -# These objects implement the time computation routines. -# -OSOBJS = $(OUTPRE)unix_time.$(OBJEXT) -OSSRCS = unix_time.c - -##DOS##OSOBJS = $(OUTPRE)win_time.obj - -# -# These objects implement ticket cacheing for Unix. They are -# replaced by other files when compiling for Windows or Mac. 
-# -CACHESRCS = \ - tf_util.c dest_tkt.c in_tkt.c \ - tkt_string.c g_tf_fname.c g_tf_realm.c \ - g_cred.c save_creds.c -CACHEOBJS = \ - $(OUTPRE)tf_util.$(OBJEXT) $(OUTPRE)dest_tkt.$(OBJEXT) $(OUTPRE)in_tkt.$(OBJEXT) \ - $(OUTPRE)tkt_string.$(OBJEXT) $(OUTPRE)g_tf_fname.$(OBJEXT) $(OUTPRE)g_tf_realm.$(OBJEXT) \ - $(OUTPRE)g_cred.$(OBJEXT) $(OUTPRE)save_creds.$(OBJEXT) - -##DOS##CACHEOBJS = $(OUTPRE)memcache.$(OBJEXT) - -# -# These objects implement Kerberos realm<->host database lookup. -# They read config files and/or network databases in various ways -# on various platforms. -# - -CNFFILE = g_cnffile -##DOS##CNFFILE = win_store - -REALMDBSRCS=$(CNFFILE).c RealmsConfig-glue.c -REALMDBOBJS=$(OUTPRE)$(CNFFILE).$(OBJEXT) $(OUTPRE)RealmsConfig-glue.$(OBJEXT) - -# -# These objects are only used on server or debug implementations of Kerberos, -# and they cause some major or minor sort of trouble for some -# client-only platform (Mac or Windows). -# -SERVER_KRB_SRCS = \ - klog.c kuserok.c log.c \ - kntoln.c \ - fgetst.c rd_svc_key.c cr_err_repl.c \ - rd_req.c g_svc_in_tkt.c recvauth.c \ - ad_print.c cr_death_pkt.c \ - put_svc_key.c sendauth.c -SERVER_KRB_OBJS = \ - $(OUTPRE)klog.$(OBJEXT) $(OUTPRE)kuserok.$(OBJEXT) $(OUTPRE)log.$(OBJEXT) \ - $(OUTPRE)kntoln.$(OBJEXT) \ - $(OUTPRE)fgetst.$(OBJEXT) $(OUTPRE)rd_svc_key.$(OBJEXT) $(OUTPRE)cr_err_repl.$(OBJEXT) \ - $(OUTPRE)rd_req.$(OBJEXT) $(OUTPRE)g_svc_in_tkt.$(OBJEXT) $(OUTPRE)recvauth.$(OBJEXT) \ - $(OUTPRE)ad_print.$(OBJEXT) $(OUTPRE)cr_death_pkt.$(OBJEXT) \ - $(OUTPRE)put_svc_key.$(OBJEXT) $(OUTPRE)sendauth.$(OBJEXT) -# -# These objects are included on Unix and Windows (for kstream and kadm) -# but not under Mac (there are no file descriptors). -# -NETIO_SRCS=netread.c netwrite.c -NETIO_OBJS=$(OUTPRE)netread.$(OBJEXT) $(OUTPRE)netwrite.$(OBJEXT) - -# -# These objects glue the Kerberos library to the operating system -# (time-of-day access, etc). They are replaced in Mac and Windows -# by other _glue.* routines. 
-# -LIB_KRB_HOSTSRCS=unix_glue.c -LIB_KRB_HOSTOBJS=$(OUTPRE)unix_glue.$(OBJEXT) - -##DOS##LIB_KRB_HOSTOBJS=$(OUTPRE)win_glue.obj - -ARCHIVEARGS= $@ $(OBJS) - -# We want *library* compiler options... -DBG=$(DBG_LIB) - -all-unix:: includes all-liblinks - -##DOS##LIBOBJS = $(OBJS) - -# comp_et_depend(krb_err) -krb_err.h: krb_err.et -krb_err.c: krb_err.et - -kadm_err.h: kadm_err.et -kadm_err.c: kadm_err.et - -GEN_ERRTXT=$(AWK) -f $(srcdir)$(S)et_errtxt.awk outfile=$@ - -krb_err_txt.c: krb_err.et $(srcdir)$(S)et_errtxt.awk - $(GEN_ERRTXT) $(srcdir)/krb_err.et - -# Will be empty on Darwin, krb_err_txt.c elsewhere. -KRB_ERR_TXT=@KRB_ERR_TXT@ -##DOS##KRB_ERR_TXT=krb_err_txt.c -err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_C) $(KRB_ERR_TXT) - -depend-dependencies: krb_err.h $(EHDRDIR)$(S)krb_err.h \ - kadm_err.h $(EHDRDIR)$(S)kadm_err.h \ - krb_err.c - -includes: $(EHDRDIR)$(S)krb_err.h $(EHDRDIR)$(S)kadm_err.h - -$(EHDRDIR)$(S)krb_err.h: krb_err.h - $(CP) krb_err.h $@ -$(EHDRDIR)$(S)kadm_err.h: kadm_err.h - $(CP) kadm_err.h $@ - -clean-unix:: - $(RM) $(EHDRDIR)/krb_err.h - $(RM) $(EHDRDIR)/kadm_err.h - $(RM) krb_err_txt.c - -clean:: - -$(RM) $(OBJS) - -clean-:: clean-unix - -clean-unix:: - -$(RM) krb_err.c - -$(RM) krb_err.h - -$(RM) kadm_err.c - -$(RM) kadm_err.h - -$(RM) ../../include/kerberosIV/krb_err.h - -$(RM) ../../include/kerberosIV/kadm_err.h - -clean-unix:: clean-liblinks clean-libs clean-libobjs - - -check-unix:: $(TEST_PROGS) -check-windows:: - - -install-unix:: install-libs - -@lib_frag@ -@libobj_frag@ - -# +++ Dependency line eater +++ -# -# Makefile dependencies follow. 
This must be the last section in -# the Makefile.in file -# -change_password.so change_password.po $(OUTPRE)change_password.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/kadm.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/port-sockets.h change_password.c \ - krb4int.h -cr_auth_repl.so cr_auth_repl.po $(OUTPRE)cr_auth_repl.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h cr_auth_repl.c -cr_ciph.so cr_ciph.po $(OUTPRE)cr_ciph.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h cr_ciph.c -cr_tkt.so cr_tkt.po $(OUTPRE)cr_tkt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/port-sockets.h cr_tkt.c -debug.so debug.po $(OUTPRE)debug.$(OBJEXT): $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - debug.c -decomp_tkt.so decomp_tkt.po $(OUTPRE)decomp_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ - 
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb54proto.h \ - $(SRCTOP)/include/port-sockets.h decomp_tkt.c -g_ad_tkt.so g_ad_tkt.po $(OUTPRE)g_ad_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - g_ad_tkt.c krb4int.h -g_pw_in_tkt.so g_pw_in_tkt.po $(OUTPRE)g_pw_in_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ - g_pw_in_tkt.c krb4int.h -g_phost.so g_phost.po $(OUTPRE)g_phost.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h g_phost.c -g_pw_tkt.so g_pw_tkt.po $(OUTPRE)g_pw_tkt.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h g_pw_tkt.c -g_tkt_svc.so g_tkt_svc.po $(OUTPRE)g_tkt_svc.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - g_tkt_svc.c -getst.so getst.po $(OUTPRE)getst.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - 
$(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - getst.c krb4int.h -gethostname.so gethostname.po $(OUTPRE)gethostname.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/port-sockets.h gethostname.c krb4int.h -kadm_err.so kadm_err.po $(OUTPRE)kadm_err.$(OBJEXT): \ - $(COM_ERR_DEPS) kadm_err.c -kadm_net.so kadm_net.po $(OUTPRE)kadm_net.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/kerberosIV/kadm_err.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/kadm.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/krbports.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - kadm_net.c -kadm_stream.so kadm_stream.po $(OUTPRE)kadm_stream.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/kerberosIV/kadm_err.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/kadm.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/port-sockets.h kadm_stream.c -kname_parse.so kname_parse.po $(OUTPRE)kname_parse.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - kname_parse.c -err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) 
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h err_txt.c krb4int.h -lifetime.so lifetime.po $(OUTPRE)lifetime.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - lifetime.c -g_in_tkt.so g_in_tkt.po $(OUTPRE)g_in_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - g_in_tkt.c krb4int.h -mk_auth.so mk_auth.po $(OUTPRE)mk_auth.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h mk_auth.c -mk_err.so mk_err.po $(OUTPRE)mk_err.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h mk_err.c -mk_priv.so mk_priv.po 
$(OUTPRE)mk_priv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - mk_priv.c -mk_req.so mk_req.po $(OUTPRE)mk_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h mk_req.c -mk_safe.so mk_safe.po $(OUTPRE)mk_safe.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - mk_safe.c -month_sname.so month_sname.po $(OUTPRE)month_sname.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h month_sname.c -password_to_key.so password_to_key.po $(OUTPRE)password_to_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h password_to_key.c -pkt_cipher.so 
pkt_cipher.po $(OUTPRE)pkt_cipher.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/kerberosIV/prot.h \ - pkt_cipher.c -pkt_clen.so pkt_clen.po $(OUTPRE)pkt_clen.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/kerberosIV/prot.h \ - pkt_clen.c -prot_client.so prot_client.po $(OUTPRE)prot_client.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h prot_client.c -prot_common.so prot_common.po $(OUTPRE)prot_common.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h prot_common.c -prot_kdc.so prot_kdc.po $(OUTPRE)prot_kdc.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - prot_kdc.c -rd_err.so rd_err.po $(OUTPRE)rd_err.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h 
$(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h rd_err.c -rd_priv.so rd_priv.po $(OUTPRE)rd_priv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - rd_priv.c -rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - rd_safe.c -send_to_kdc.so send_to_kdc.po $(OUTPRE)send_to_kdc.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/krbports.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h krb4int.h send_to_kdc.c 
-stime.so stime.po $(OUTPRE)stime.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h stime.c -strnlen.so strnlen.po $(OUTPRE)strnlen.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h strnlen.c -rd_preauth.so rd_preauth.po $(OUTPRE)rd_preauth.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/krb_db.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h rd_preauth.c -mk_preauth.so mk_preauth.po $(OUTPRE)mk_preauth.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h mk_preauth.c -unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - unix_time.c -tf_util.so tf_util.po $(OUTPRE)tf_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h 
$(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h krb4int.h tf_util.c -dest_tkt.so dest_tkt.po $(OUTPRE)dest_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h dest_tkt.c -in_tkt.so in_tkt.po $(OUTPRE)in_tkt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h in_tkt.c -tkt_string.so tkt_string.po $(OUTPRE)tkt_string.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - tkt_string.c -g_tf_fname.so g_tf_fname.po $(OUTPRE)g_tf_fname.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h g_tf_fname.c -g_tf_realm.so g_tf_realm.po $(OUTPRE)g_tf_realm.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - g_tf_realm.c -g_cred.so g_cred.po $(OUTPRE)g_cred.$(OBJEXT): $(KRB_ERR_H_DEP) \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - g_cred.c -save_creds.so save_creds.po $(OUTPRE)save_creds.$(OBJEXT): \ - 
$(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h save_creds.c -unix_glue.so unix_glue.po $(OUTPRE)unix_glue.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h unix_glue.c -klog.so klog.po $(OUTPRE)klog.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/klog.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - klog.c krb4int.h -kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - kuserok.c -log.so log.po $(OUTPRE)log.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/klog.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h log.c -kntoln.so kntoln.po $(OUTPRE)kntoln.$(OBJEXT): $(KRB_ERR_H_DEP) \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - kntoln.c -fgetst.so fgetst.po $(OUTPRE)fgetst.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - 
$(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - fgetst.c krb4int.h -rd_svc_key.so rd_svc_key.po $(OUTPRE)rd_svc_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h krb4int.h rd_svc_key.c -cr_err_repl.so cr_err_repl.po $(OUTPRE)cr_err_repl.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h cr_err_repl.c -rd_req.so rd_req.po $(OUTPRE)rd_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb54proto.h rd_req.c -g_svc_in_tkt.so g_svc_in_tkt.po $(OUTPRE)g_svc_in_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) 
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - g_svc_in_tkt.c krb4int.h -recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - recvauth.c -ad_print.so ad_print.po $(OUTPRE)ad_print.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - ad_print.c krb4int.h -cr_death_pkt.so cr_death_pkt.po $(OUTPRE)cr_death_pkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h cr_death_pkt.c -put_svc_key.so put_svc_key.po $(OUTPRE)put_svc_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h put_svc_key.c -sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h sendauth.c -netread.so netread.po $(OUTPRE)netread.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h 
$(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h netread.c -netwrite.so netwrite.po $(OUTPRE)netwrite.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - netwrite.c -g_cnffile.so g_cnffile.po $(OUTPRE)g_cnffile.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - g_cnffile.c krb4int.h -RealmsConfig-glue.so RealmsConfig-glue.po $(OUTPRE)RealmsConfig-glue.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - RealmsConfig-glue.c krb4int.h 
diff --git a/src/lib/krb4/Password.c b/src/lib/krb4/Password.c
deleted file mode 100644
index 5862e0e65..000000000
--- a/src/lib/krb4/Password.c
+++ /dev/null
@@ -1,436 +0,0 @@ -#include "kerberos.h" -#define KRB_DEFS -#include "krb_driver.h" - -#include -#include -#include -#include -#include -#include - -/* added for OpenInitRF.c - FIXME jcm - should check that they are not in c-mac - or other included file -*/ - -#include -#include -#include -#include -#include -#include - - -// #include "debug.h" - -#define kLoginDLOGID -4081 -#define kErrorALERTID -4082 -#define kLoginOKItem 1 -#define kLoginCnclItem 2 -#define kLoginNameItem 10 -#define kLoginVisPwItem 9 -#define kLoginFrameItem 5 -#define kLoginIvisPwItem 6 -#define kBadUserError 1 -#define kNotUniqueError 2 -#define kGenError 3 -#define kIntegrityError 4 -#define kBadPasswordError 5 -#define cr 0x0D -#define enter 0x03 -#define bs 0x08 -#define tab 0x09 -#define larrow 0x1C -#define rarrow 0x1D -#define uarrow 0x1E -#define darrow 0x1F -#define DialogNotDone 1 - -typedef union { // used to convert ProcPtr to Handle - Handle H; - ProcPtr P; -} Proc2Hand; - -static char gPassword [MAX_K_NAME_SZ] = "\0"; - -pascal void FrameOKbtn( WindowPtr myWindow, short itemNo ); -pascal Boolean TwoItemFilter( DialogPtr dlog, EventRecord *event, short *itemHit ); - -/* - FIXME jcm - begin OpenInitRF - Mac_store thinks that it is managing the open resource file - is this code in conflict? -*/ - -void GetExtensionsFolder(short *vRefNumP, long *dirIDP) -{ - Boolean hasFolderMgr = false; - long feature; - -/* - FIXME Error: Ô_GestaltDispatchÕ has not been declared - not needed now? 
- jcm - if (TrapAvailable(_GestaltDispatch)) -*/ - if (Gestalt(gestaltFindFolderAttr, &feature) == noErr) hasFolderMgr = true; - if (!hasFolderMgr) { - GetSystemFolder(vRefNumP, dirIDP); - return; - } - else { - if (FindFolder(kOnSystemDisk, kExtensionFolderType, kDontCreateFolder, vRefNumP, dirIDP) != noErr) { - *vRefNumP = 0; - *dirIDP = 0; - } - } -} - -short SearchFolderForINIT(long targetType, long targetCreator, short vRefNum, long dirID) -{ - HParamBlockRec fi; - Str255 filename; - short refnum; - - fi.fileParam.ioCompletion = nil; - fi.fileParam.ioNamePtr = filename; - fi.fileParam.ioVRefNum = vRefNum; - fi.fileParam.ioDirID = dirID; - fi.fileParam.ioFDirIndex = 1; - - while (PBHGetFInfo(&fi, false) == noErr) { - /* scan system folder for driver resource files of specific type & creator */ - if (fi.fileParam.ioFlFndrInfo.fdType == targetType && - fi.fileParam.ioFlFndrInfo.fdCreator == targetCreator) { - refnum = HOpenResFile(vRefNum, dirID, filename, fsRdPerm); - return refnum; - } - /* check next file in folder */ - fi.fileParam.ioFDirIndex++; - fi.fileParam.ioDirID = dirID; /* PBHGetFInfo() clobbers ioDirID */ - } - return(-1); -} - -short OpenInitRF() -{ - short refnum; - short vRefNum; - long dirID; - - /* first search Extensions Panels */ - GetExtensionsFolder(&vRefNum, &dirID); - refnum = SearchFolderForINIT('INIT', 'krbL', vRefNum, dirID); - if (refnum != -1) return(refnum); - - /* next search System Folder */ - GetSystemFolder(&vRefNum, &dirID); - refnum = SearchFolderForINIT('INIT', 'krbL', vRefNum, dirID); - if (refnum != -1) return(refnum); - - /* finally, search Control Panels */ - GetCPanelFolder(&vRefNum, &dirID); - refnum = SearchFolderForINIT('INIT', 'krbL', vRefNum, dirID); - if (refnum != -1) return(refnum); - - return -1; -} - -int DisplayError( short errorID ) -{ - OSErr err; - Str255 errText; - - GetIndString(errText,kErrorALERTID,errorID); - if (errText[0] == 0) { - SysBeep(1); // nothing else we can do - return cKrbCorruptedFile; - } 
- - ParamText(errText,"\p","\p","\p"); - err = StopAlert(kErrorALERTID,nil); - - return DialogNotDone; -} - - - -OSErr GetUserInfo( char *password ) -{ - DialogPtr myDLOG; - short itemHit; - short itemType; - Handle itemHandle; - Rect itemRect; - OSErr rc = DialogNotDone; - Str255 tempStr,tpswd,tuser; - Proc2Hand procConv; - short rf; - char uname[ANAME_SZ]="\0"; - char uinst[INST_SZ]="\0"; - char realm[REALM_SZ]="\0"; - char UserName[MAX_K_NAME_SZ]="\0"; - CursHandle aCursor; - - krb_get_lrealm (realm, 1); - - ////////////////////////////////////////////////////// - // already got a password, just get the initial ticket - ////////////////////////////////////////////////////// - if (*gPassword) { - strncpy (UserName, krb_get_default_user( ), sizeof(UserName)-1); - UserName[sizeof(UserName) - 1] = '\0'; - /* FIXME jcm - if we have a password then no dialog - comes up for setting the uinstance. */ - rc = kname_parse(uname, uinst, realm, UserName); - if (rc) return rc; - (void) dest_all_tkts(); // start from scratch - rc = krb_get_pw_in_tkt(uname,uinst,realm,"krbtgt",realm,DEFAULT_TKT_LIFE,gPassword); - *gPassword = 0; // Always clear, password only good for one shot - return rc; - } - - ///////////////////////// - // Ask user for password - ///////////////////////// - rf = OpenInitRF(); // need the resource file for the dialog resources - if (rf<=0) return rf; - password[0] = 0; - myDLOG = GetNewDialog( kLoginDLOGID, (void *) NULL, (WindowPtr) -1 ); - if( myDLOG == NULL ) { - CloseResFile(rf); - return cKrbCorruptedFile; - } - - // Insert user's name in dialog - strncpy (UserName, krb_get_default_user( ), sizeof(UserName) - 1); - UserName[sizeof(UserName) - 1] = '\0'; - if (*UserName) { - tempStr[0] = strlen(UserName); - memcpy( &(tempStr[1]), UserName, tempStr[0]); - GetDItem( myDLOG, kLoginNameItem, &itemType, &itemHandle, &itemRect ); - SetIText( itemHandle, tempStr ); - SelIText( myDLOG, kLoginVisPwItem,0,0 ); - } - else SelIText( myDLOG, kLoginNameItem,0,0 ); - 
- // Establish a user item around the OK button to draw the default button frame in - GetDItem( myDLOG, kLoginOKItem, &itemType, &itemHandle, &itemRect ); - InsetRect( &itemRect, -4, -4 ); // position user item around OK button - procConv.P = (ProcPtr) FrameOKbtn; // convert ProcPtr to a Handle - SetDItem( myDLOG, kLoginFrameItem, userItem, procConv.H, &itemRect ); - - InitCursor(); - do { - do { // display the dialog & handle events - SetOKEnable(myDLOG); - ModalDialog( (ModalFilterProcPtr) TwoItemFilter, (short *) &itemHit ); - } while( itemHit != kLoginOKItem && itemHit != kLoginCnclItem ); - - if( itemHit == kLoginOKItem ) { // OK button pressed? - GetDItem( myDLOG, kLoginNameItem, &itemType, &itemHandle, &itemRect ); - GetIText( itemHandle, tempStr ); - - tempStr[0] = ( tempStr[0] < MAX_K_NAME_SZ ) ? tempStr[0] : MAX_K_NAME_SZ-1 ; - memcpy ((void*) UserName, (void*) &(tempStr[1]), tempStr[0]); - UserName[tempStr[0]] = 0; - - GetDItem( myDLOG, kLoginIvisPwItem, &itemType, &itemHandle, &itemRect ); - GetIText( itemHandle, tempStr ); - - tempStr[0] = ( tempStr[0] < ANAME_SZ ) ? 
tempStr[0] : ANAME_SZ-1 ; - memcpy( (void*) password, (void*) &(tempStr[1]), tempStr[0]); - password[tempStr[0]] = 0; - - //---------------------------------------------------- - // Get the ticket - //---------------------------------------------------- - aCursor = GetCursor(watchCursor); - SetCursor(*aCursor); - ShowCursor(); - - rc = kname_parse(uname, uinst, realm, UserName); - if (rc) return rc; - - (void) dest_all_tkts(); // start from scratch - rc = krb_get_pw_in_tkt(uname,uinst,realm,"krbtgt",realm,DEFAULT_TKT_LIFE,password); - InitCursor(); - if (!rc) - switch (rc) { - case KDC_PR_UNKNOWN: - case KDC_NULL_KEY: - rc = DisplayError(kBadUserError); - SelIText( myDLOG, kLoginNameItem,0,256 ); - break; - case KDC_PR_N_UNIQUE: - rc = DisplayError(kNotUniqueError); - SelIText( myDLOG, kLoginNameItem,0,256 ); - break; - case KDC_GEN_ERR: - rc = DisplayError(kGenError); - SelIText( myDLOG, kLoginNameItem,0,256 ); - break; - case RD_AP_MODIFIED: - rc = DisplayError(kIntegrityError); - SelIText( myDLOG, kLoginNameItem,0,256 ); - break; - case INTK_BADPW: - rc = DisplayError(kBadPasswordError); - SelIText( myDLOG, kLoginVisPwItem,0,256 ); - break; - default: - break; - } - //---------------------------------------------------- - } - else rc = cKrbUserCancelled; // pressed the Cancel button - } while( rc == DialogNotDone ); - - DisposDialog( myDLOG ); - CloseResFile(rf); - return rc; -} - - -static pascal void FrameOKbtn( WindowPtr myWindow, short itemNo ) -{ - short tempType; - Handle tempHandle; - Rect itemRect; - - GetDItem( (DialogPtr) myWindow, itemNo, &tempType, &tempHandle, &itemRect ); - PenSize( 3, 3 ); - FrameRoundRect( &itemRect, 16, 16 ); // make it an OK button suitable for framing -} - - -static pascal Boolean TwoItemFilter( DialogPtr dlog, EventRecord *event, short *itemHit ) -{ - DialogPtr evtDlog; - short selStart, selEnd; - Handle okBtnHandle; - short tempType; - Rect tempRect; - long tempTicks; - - if( event->what != keyDown && event->what != autoKey 
) - return false; // don't care about this event - - switch( event->message & charCodeMask ) - { - case cr: // Return (hitting return or enter is the same as hitting the OK button) - case enter: // Enter - - if (!OKIsEnabled(dlog)) { - event->what = nullEvent; - return false; - } - - GetDItem( dlog, kLoginOKItem, &tempType, &okBtnHandle, &tempRect ); - HiliteControl( (ControlHandle) okBtnHandle, 1 ); // hilite the OK button - Delay( 10, &tempTicks ); // wait a little while - HiliteControl( (ControlHandle) okBtnHandle, 0 ); - - *itemHit = kLoginOKItem; // OK Button - return true; // We handled the event - - case tab: // Tab - case larrow: // Left arrow (Keys that just change the selection) - case rarrow: // Right arrow - case uarrow: // Up arrow - case darrow: // Down arrow - return false; // Let ModalDialog handle them - - default: - - // First see if we're in password field, do stuff to make ¥ displayed - - if( ((DialogPeek) dlog)->editField == kLoginVisPwItem - 1 ) { - - selStart = (**((DialogPeek) dlog)->textH).selStart; // Get the selection in the visible item - selEnd = (**((DialogPeek) dlog)->textH).selEnd; - - SelIText( dlog, kLoginIvisPwItem, selStart, selEnd ); // Select text in invisible item - DialogSelect( event,&evtDlog, itemHit ); // Input key - - SelIText( dlog, kLoginVisPwItem, selStart, selEnd ); // Select same area in visible item - if( ( event->message & charCodeMask ) != bs ) // If it's not a backspace (backspace is the only key that can affect both the text and the selection- thus we need to process it in both fields, but not change it for the hidden field. 
- event->message = '¥'; // Replace with character to use - } - - // Do the key event and set the hilite on the OK button accordingly - - DialogSelect( event,&evtDlog, itemHit ); // Input key - SetOKEnable(dlog); - - // Pass a NULL event back to DialogMgr - - event->what = nullEvent; - - return false; - } -} - -static int SetOKEnable( DialogPtr dlog ) -{ - short itemType,state; - Handle itemHandle; - Rect itemRect; - Str255 tpswd,tuser; - ControlHandle okButton; - - GetDItem( dlog, kLoginNameItem, &itemType, &itemHandle, &itemRect ); - GetIText( itemHandle, tuser ); - GetDItem( dlog, kLoginVisPwItem, &itemType, &itemHandle, &itemRect ); - GetIText( itemHandle, tpswd ); - GetDItem( dlog, kLoginOKItem, &itemType, (Handle *) &okButton, &itemRect ); - state = (tuser[0] && tpswd[0]) ? 0 : 255; - HiliteControl(okButton,state); -} - -static int OKIsEnabled( DialogPtr dlog ) -{ - short itemType; - Rect itemRect; - ControlHandle okButton; - - GetDItem( dlog, kLoginOKItem, &itemType, (Handle *) &okButton, &itemRect ); - return ((**okButton).contrlHilite != 255); -} - - -extern OSErr INTERFACE -CacheInitialTicket( serviceName ) - char *serviceName; -{ - char service[ANAME_SZ]="\0"; - char instance[INST_SZ]="\0"; - char realm[REALM_SZ]="\0"; - OSErr err = noErr; - char uname[ANAME_SZ]="\0"; - char uinst[INST_SZ]="\0"; - char urealm[REALM_SZ]="\0"; - char password[KKEY_SZ]="\0"; - char UserName[MAX_K_NAME_SZ]="\0"; - char oldName[120]="\0"; - - err = GetUserInfo( password ); - if (err) return err; - - if (!serviceName || (serviceName[0] == '\0')) - return err; - - strncpy (UserName, krb_get_default_user(), sizeof(UserName) - 1); - UserName[sizeof(UserName) - 1] = '\0'; - - err = kname_parse(uname, uinst, urealm, UserName); - if (err) return err; - - if (urealm[0] == '\0') - krb_get_lrealm (urealm, 1); - - err = kname_parse(service, instance, realm, serviceName); // check if there is a service name - if (err) return err; - - err = 
krb_get_pw_in_tkt(uname,uinst,urealm,service,instance,DEFAULT_TKT_LIFE,password);
- return err;
-}
diff --git a/src/lib/krb4/RealmsConfig-glue.c b/src/lib/krb4/RealmsConfig-glue.c
deleted file mode 100644
index df663adb5..000000000
--- a/src/lib/krb4/RealmsConfig-glue.c
+++ /dev/null
@@ -1,692 +0,0 @@ -/* - * lib/krb4/RealmsConfig-glue.c - * - * Copyright 1985-2002 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * These calls implement the layer of Kerberos v4 library which - * accesses realms configuration by calling into the Kerberos Profile - * library. - */ - -#include -#include -#include -#include -#include - -#include "profile.h" -#include "krb.h" -#include "krb4int.h" -#include "k5-int.h" /* for accessor, addrlist stuff */ -#include "port-sockets.h" - -/* These two *must* be kept in sync to avoid buffer overflows. */ -#define SCNSCRATCH "%1023s" -#define SCRATCHSZ 1024 -#if SCRATCHSZ < MAXHOSTNAMELEN -#error "SCRATCHSZ must be at least MAXHOSTNAMELEN" -#endif - -/* - * Returns to the caller an initialized profile using the same files - * as Kerberos4Lib would. 
- */ -int KRB5_CALLCONV -krb_get_profile(profile_t* profile) -{ - int retval = KSUCCESS; - profile_filespec_t *files = NULL; - - /* Use krb5 to get the config files */ - retval = krb5_get_default_config_files(&files); - - if (retval == KSUCCESS) { - retval = profile_init((const_profile_filespec_t *)files, profile); - } - - if (files) { - krb5_free_config_files(files); - } - - if (retval == ENOENT) { - /* No edu.mit.Kerberos file */ - return KFAILURE; - } - - if ((retval == PROF_SECTION_NOTOP) || - (retval == PROF_SECTION_SYNTAX) || - (retval == PROF_RELATION_SYNTAX) || - (retval == PROF_EXTRA_CBRACE) || - (retval == PROF_MISSING_OBRACE)) { - /* Bad config file format */ - return retval; - } - - return retval; -} - -/* Caller must ensure that n >= 1 and that pointers are non-NULL. */ -static int -krb_prof_get_nth( - char *ret, - size_t retlen, - const char *realm, - int n, - const char *sec, - const char *key) -{ - int result; - long profErr; - profile_t profile = NULL; - const char *names[4]; - void *iter = NULL; - char *name = NULL; - char *value = NULL; - int i; - - result = KFAILURE; - - profErr = krb_get_profile(&profile); - if (profErr) { - /* - * Can krb_get_profile() return errors that change PROFILE? - */ - goto cleanup; - } - names[0] = sec; - names[1] = realm; - names[2] = key; - names[3] = NULL; - profErr = profile_iterator_create(profile, names, - PROFILE_ITER_RELATIONS_ONLY, &iter); - if (profErr) - goto cleanup; - - result = KSUCCESS; - for (i = 1; i <= n; i++) { - if (name != NULL) - profile_release_string(name); - if (value != NULL) - profile_release_string(value); - name = value = NULL; - - profErr = profile_iterator(&iter, &name, &value); - if (profErr || (name == NULL)) { - result = KFAILURE; - break; - } - } - if (result == KSUCCESS) { - /* Return error rather than truncating. 
*/ - /* Don't strncpy because retlen is a guess for some callers */ - if (strlen(value) >= retlen) - result = KFAILURE; - else - strcpy(ret, value); - } -cleanup: - if (name != NULL) - profile_release_string(name); - if (value != NULL) - profile_release_string(value); - if (iter != NULL) - profile_iterator_free(&iter); - if (profile != NULL) - profile_abandon(profile); - return result; -} - -/* - * Index -> realm name mapping - * - * Not really. The original implementation has a cryptic comment - * indicating that the function can only work for n = 1, and always - * returns the default realm. I don't know _why_ that's the case, but - * I have to do it that way... - * - * Old description from g_krbrlm.c: - * - * krb_get_lrealm takes a pointer to a string, and a number, n. It fills - * in the string, r, with the name of the nth realm specified on the - * first line of the kerberos config file (KRB_CONF, defined in "krb.h"). - * It returns 0 (KSUCCESS) on success, and KFAILURE on failure. If the - * config file does not exist, and if n=1, a successful return will occur - * with r = KRB_REALM (also defined in "krb.h"). - * - * NOTE: for archaic & compatibility reasons, this routine will only return - * valid results when n = 1. - * - * For the format of the KRB_CONF file, see comments describing the routine - * krb_get_krbhst(). This will also look in KRB_FB_CONF is - * ATHENA_CONF_FALLBACK is defined. - */ -int KRB5_CALLCONV -krb_get_lrealm( - char *realm, - int n) -{ - int result = KSUCCESS; - profile_t profile = NULL; - char *profileDefaultRealm = NULL; - char **profileV4Realms = NULL; - int profileHasDefaultRealm = 0; - int profileDefaultRealmIsV4RealmInProfile = 0; - char krbConfLocalRealm[REALM_SZ]; - int krbConfHasLocalRealm = 0; - - if ((realm == NULL) || (n != 1)) { result = KFAILURE; } - - if (result == KSUCCESS) { - /* Some callers don't check the return value so we initialize - * to an empty string in case it never gets filled in. 
*/ - realm [0] = '\0'; - } - - if (result == KSUCCESS) { - int profileErr = krb_get_profile (&profile); - - if (!profileErr) { - /* Get the default realm from the profile */ - profileErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION, - REALMS_V4_DEFAULT_REALM, NULL, NULL, - &profileDefaultRealm); - if (profileDefaultRealm == NULL) { profileErr = KFAILURE; } - } - - if (!profileErr) { - /* If there is an equivalent v4 realm to the default realm, use that instead */ - char *profileV4EquivalentRealm = NULL; - - if (profile_get_string (profile, "realms", profileDefaultRealm, "v4_realm", NULL, - &profileV4EquivalentRealm) == 0 && - profileV4EquivalentRealm != NULL) { - - profile_release_string (profileDefaultRealm); - profileDefaultRealm = profileV4EquivalentRealm; - } - } - - if (!profileErr) { - if (strlen (profileDefaultRealm) < REALM_SZ) { - profileHasDefaultRealm = 1; /* a reasonable default realm */ - } else { - profileErr = KFAILURE; - } - } - - if (!profileErr) { - /* Walk through the v4 realms list looking for the default realm */ - const char *profileV4RealmsList[] = { REALMS_V4_PROF_REALMS_SECTION, NULL }; - - if (profile_get_subsection_names (profile, profileV4RealmsList, - &profileV4Realms) == 0 && - profileV4Realms != NULL) { - - char **profileRealm; - for (profileRealm = profileV4Realms; *profileRealm != NULL; profileRealm++) { - if (strcmp (*profileRealm, profileDefaultRealm) == 0) { - /* default realm is a v4 realm */ - profileDefaultRealmIsV4RealmInProfile = 1; - break; - } - } - } - } - } - - if (result == KSUCCESS) { - /* Try to get old-style config file lookup for fallback. 
*/ - FILE *cnffile = NULL; - char scratch[SCRATCHSZ]; - - cnffile = krb__get_cnffile(); - if (cnffile != NULL) { - if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) { - if (strlen(scratch) < REALM_SZ) { - strncpy(krbConfLocalRealm, scratch, REALM_SZ); - krbConfHasLocalRealm = 1; - } - } - fclose(cnffile); - } - } - - if (result == KSUCCESS) { - /* - * We want to favor the profile value over the krb.conf value - * but not stop suppporting its use with a v5-only profile. - * So we only use the krb.conf realm when the default profile - * realm doesn't exist in the v4 realm section of the profile. - */ - if (krbConfHasLocalRealm && !profileDefaultRealmIsV4RealmInProfile) { - strncpy (realm, krbConfLocalRealm, REALM_SZ); - } else if (profileHasDefaultRealm) { - strncpy (realm, profileDefaultRealm, REALM_SZ); - } else { - result = KFAILURE; /* No default realm */ - } - } - - if (profileDefaultRealm != NULL) { profile_release_string (profileDefaultRealm); } - if (profileV4Realms != NULL) { profile_free_list (profileV4Realms); } - if (profile != NULL) { profile_abandon (profile); } - - return result; -} - -/* - * Realm, index -> admin KDC mapping - * - * Old description from g_admhst.c: - * - * Given a Kerberos realm, find a host on which the Kerberos database - * administration server can be found. - * - * krb_get_admhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer n, and - * returns (in h) the nth administrative host entry from the configuration - * file (KRB_CONF, defined in "krb.h") associated with the specified realm. - * If ATHENA_CONF_FALLBACK is defined, also look in old location. - * - * On error, get_admhst returns KFAILURE. If all goes well, the routine - * returns KSUCCESS. - * - * For the format of the KRB_CONF file, see comments describing the routine - * krb_get_krbhst(). - * - * This is a temporary hack to allow us to find the nearest system running - * a Kerberos admin server. 
In the long run, this functionality will be - * provided by a nameserver. - */ -int KRB5_CALLCONV -krb_get_admhst( - char *host, - char *realm, - int n) -{ - int result; - int i; - FILE *cnffile; - char linebuf[BUFSIZ]; - char trealm[SCRATCHSZ]; - char thost[SCRATCHSZ]; - char scratch[SCRATCHSZ]; - - if (n < 1 || host == NULL || realm == NULL) - return KFAILURE; - - result = krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n, - REALMS_V4_PROF_REALMS_SECTION, - REALMS_V4_PROF_ADMIN_KDC); - if (result == KSUCCESS) - return result; - - /* - * Do old-style config file lookup. - */ - cnffile = krb__get_cnffile(); - if (cnffile == NULL) - return KFAILURE; - result = KSUCCESS; - for (i = 0; i < n;) { - if (fgets(linebuf, BUFSIZ, cnffile) == NULL) { - result = KFAILURE; - break; - } - if (!strchr(linebuf, '\n')) { - result = KFAILURE; - break; - } - /* - * Need to scan for a token after 'admin' to make sure that - * admin matched correctly. - */ - if (sscanf(linebuf, SCNSCRATCH " " SCNSCRATCH " admin " SCNSCRATCH, - trealm, thost, scratch) != 3) - continue; - if (!strcmp(trealm, realm)) - i++; - } - fclose(cnffile); - if (result == KSUCCESS && strlen(thost) < MAX_HSTNM) - strcpy(host, thost); - else - result = KFAILURE; - return result; -} - -/* - * Realm, index -> kpasswd KDC mapping - */ -int -krb_get_kpasswdhst( - char *host, - char *realm, - int n) -{ - if (n < 1 || host == NULL || realm == NULL) - return KFAILURE; - - return krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n, - REALMS_V4_PROF_REALMS_SECTION, - REALMS_V4_PROF_KPASSWD_KDC); -} - -/* - * Realm, index -> KDC mapping - * - * Old description from g_krbhst.c: - * - * Given a Kerberos realm, find a host on which the Kerberos authenti- - * cation server can be found. 
- * - * krb_get_krbhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer, n, and - * returns (in h) the nth entry from the configuration file (KRB_CONF, - * defined in "krb.h") associated with the specified realm. - * - * On end-of-file, krb_get_krbhst returns KFAILURE. If n=1 and the - * configuration file does not exist, krb_get_krbhst will return KRB_HOST - * (also defined in "krb.h"). If all goes well, the routine returnes - * KSUCCESS. - * - * The KRB_CONF file contains the name of the local realm in the first - * line (not used by this routine), followed by lines indicating realm/host - * entries. The words "admin server" following the hostname indicate that - * the host provides an administrative database server. - * This will also look in KRB_FB_CONF if ATHENA_CONF_FALLBACK is defined. - * - * For example: - * - * ATHENA.MIT.EDU - * ATHENA.MIT.EDU kerberos-1.mit.edu admin server - * ATHENA.MIT.EDU kerberos-2.mit.edu - * LCS.MIT.EDU kerberos.lcs.mit.edu admin server - * - * This is a temporary hack to allow us to find the nearest system running - * kerberos. In the long run, this functionality will be provided by a - * nameserver. - */ -#ifdef KRB5_DNS_LOOKUP -static struct { - time_t when; - char realm[REALM_SZ+1]; - struct srv_dns_entry *srv; -} dnscache = { 0, { 0 }, 0 }; -#define DNS_CACHE_TIMEOUT 60 /* seconds */ -#endif - -int KRB5_CALLCONV -krb_get_krbhst( - char *host, - const char *realm, - int n) -{ - int result; - int i; - FILE *cnffile; - char linebuf[BUFSIZ]; - char tr[SCRATCHSZ]; - char scratch[SCRATCHSZ]; -#ifdef KRB5_DNS_LOOKUP - time_t now; -#endif - - if (n < 1 || host == NULL || realm == NULL) - return KFAILURE; - -#ifdef KRB5_DNS_LOOKUP - /* We'll only have this realm's info in the DNS cache if there is - no data in the local config files. - - XXX The files could've been updated in the last few seconds. - Do we care? 
*/ - if (!strncmp(dnscache.realm, realm, REALM_SZ) - && (time(&now), abs(dnscache.when - now) < DNS_CACHE_TIMEOUT)) { - struct srv_dns_entry *entry; - - get_from_dnscache: - /* n starts at 1, addrs indices run 0..naddrs */ - for (i = 1, entry = dnscache.srv; i < n && entry; i++) - entry = entry->next; - if (entry == NULL) - return KFAILURE; - if (strlen(entry->host) + 6 >= MAXHOSTNAMELEN) - return KFAILURE; - snprintf(host, MAXHOSTNAMELEN, "%s:%d", entry->host, entry->port); - return KSUCCESS; - } -#endif - - result = krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n, - REALMS_V4_PROF_REALMS_SECTION, - REALMS_V4_PROF_KDC); - if (result == KSUCCESS) - return result; - /* - * Do old-style config file lookup. - */ - do { - cnffile = krb__get_cnffile(); - if (cnffile == NULL) - break; - /* Skip default realm name. */ - if (fscanf(cnffile, SCNSCRATCH, tr) == EOF) { - fclose(cnffile); - break; - } - result = KSUCCESS; - for (i = 0; i < n;) { - if (fgets(linebuf, BUFSIZ, cnffile) == NULL) { - result = KFAILURE; - break; - } - if (!strchr(linebuf, '\n')) { - result = KFAILURE; - break; - } - if ((sscanf(linebuf, SCNSCRATCH " " SCNSCRATCH, - tr, scratch) != 2)) - continue; - if (!strcmp(tr, realm)) - i++; - } - fclose(cnffile); - if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN) { - strcpy(host, scratch); - return KSUCCESS; - } - if (i > 0) - /* Found some, but not as many as requested. 
*/ - return KFAILURE; - } while (0); -#ifdef KRB5_DNS_LOOKUP - do { - krb5int_access k5; - krb5_error_code err; - krb5_data realmdat; - struct srv_dns_entry *srv; - - err = krb5int_accessor(&k5, KRB5INT_ACCESS_VERSION); - if (err) - break; - - if (k5.use_dns_kdc(krb5__krb4_context)) { - realmdat.data = realm; - realmdat.length = strlen(realm); - err = k5.make_srv_query_realm(&realmdat, "_kerberos-iv", "_udp", - &srv); - if (err) - break; - - if (srv == 0) - break; - - if (dnscache.srv) - k5.free_srv_dns_data(dnscache.srv); - dnscache.srv = srv; - strncpy(dnscache.realm, realm, REALM_SZ); - dnscache.when = now; - goto get_from_dnscache; - } - } while (0); -#endif - return KFAILURE; -} - -/* - * Hostname -> realm name mapping - * - * Old description from realmofhost.c: - * - * Given a fully-qualified domain-style primary host name, - * return the name of the Kerberos realm for the host. - * If the hostname contains no discernable domain, or an error occurs, - * return the local realm name, as supplied by get_krbrlm(). - * If the hostname contains a domain, but no translation is found, - * the hostname's domain is converted to upper-case and returned. - * - * The format of each line of the translation file is: - * domain_name kerberos_realm - * -or- - * host_name kerberos_realm - * - * domain_name should be of the form .XXX.YYY (e.g. .LCS.MIT.EDU) - * host names should be in the usual form (e.g. FOO.BAR.BAZ) - */ -char * KRB5_CALLCONV -krb_realmofhost(char *host) -{ - /* Argh! */ - static char realm[REALM_SZ]; - char *lhost; - const char *names[] = {REALMS_V4_PROF_DOMAIN_SECTION, NULL, NULL}; - char **values = NULL; - profile_t profile = NULL; - long profErr; - char hostname[MAXHOSTNAMELEN]; - char *p; - char *domain; - FILE *trans_file = NULL; - int retval; - char thost[SCRATCHSZ]; - char trealm[SCRATCHSZ]; - struct hostent *h; - - /* Return local realm if all else fails */ - krb_get_lrealm(realm, 1); - - /* Forward-resolve in case domain is missing. 
*/ - h = gethostbyname(host); - if (h == NULL) - lhost = host; - else - lhost = h->h_name; - - if (strlen(lhost) >= MAXHOSTNAMELEN) - return realm; - strcpy(hostname, lhost); - - /* Remove possible trailing dot. */ - p = strrchr(hostname, '.'); - if (p != NULL && p[1] == '\0') - *p = '\0'; - domain = strchr(hostname, '.'); - /* - * If the hostname is just below the top, e.g., CYGNUS.COM, then - * we special-case it; if someone really wants a realm called COM - * they will just have to specify it properly. - */ - if (domain != NULL) { - domain++; - p = strchr(domain, '.'); - if (p == NULL) - domain = lhost; - if (strlen(domain) < REALM_SZ) { - strncpy(realm, domain, REALM_SZ); - /* Upcase realm name. */ - for (p = hostname; *p != '\0'; p++) { - if (*p > 0 && islower((unsigned char)*p)) - *p = toupper((unsigned char)*p); - } - } - } - /* Downcase hostname. */ - for (p = hostname; *p != '\0'; p++) { - if (*p > 0 && isupper((unsigned char)*p)) - *p = tolower((unsigned char)*p); - } - - profErr = krb_get_profile(&profile); - if (profErr) - goto cleanup; - - for (domain = hostname; domain != NULL && *domain != '\0';) { - names[1] = domain; - values = NULL; - profErr = profile_get_values(profile, names, &values); - if (!profErr && strlen(values[0]) < REALM_SZ) { - /* Found, return it */ - strncpy(realm, values[0], REALM_SZ); - profile_free_list(values); - break; - } else { - /* Skip over leading dot. */ - if (*domain == '.') - domain++; - domain = strchr(domain, '.'); - } - profile_free_list(values); - } -cleanup: - if (profile != NULL) - profile_abandon(profile); - - trans_file = krb__get_realmsfile(); - if (trans_file == NULL) - return realm; - domain = strchr(hostname, '.'); - for (;;) { - retval = fscanf(trans_file, SCNSCRATCH " " SCNSCRATCH, - thost, trealm); - if (retval == EOF) - break; - if (retval != 2 || strlen(trealm) >= REALM_SZ) - continue; /* Ignore malformed lines. */ - /* Attempt to match domain. 
*/
- if (*thost == '.') {
- if (domain && !strcasecmp(thost, domain)) {
- strncpy(realm, trealm, REALM_SZ);
- continue; /* Try again for an exact match. */
- }
- } else {
- /* Hostname must match exactly. */
- if (!strcasecmp(thost, hostname)) {
- strncpy(realm, trealm, REALM_SZ);
- break;
- }
- }
- }
- fclose(trans_file);
- return realm;
-}
diff --git a/src/lib/krb4/ad_print.c b/src/lib/krb4/ad_print.c
deleted file mode 100644
index 632957208..000000000
--- a/src/lib/krb4/ad_print.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * lib/krb4/ad_print.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology. All
- * Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "des.h"
-#include "krb4int.h"
-#include
-#include "port-sockets.h"
-
-#ifndef _WIN32
-
-/*
- * Print some of the contents of the given authenticator structure
- * (AUTH_DAT defined in "krb.h").
Fields printed are:
- *
- * pname, pinst, prealm, netaddr, flags, cksum, timestamp, session
- */
-
-void
-ad_print(x)
- AUTH_DAT *x;
-{
- struct in_addr ina;
- ina.s_addr = x->address;
-
- printf("\n%s %s %s ", x->pname, x->pinst, x->prealm);
- far_fputs (inet_ntoa(ina), stdout);
- printf(" flags %u cksum 0x%lX\n\ttkt_tm 0x%lX sess_key",
- x->k_flags, (long) x->checksum, (long) x->time_sec);
- printf("[8] =");
-#ifdef NOENCRYPTION
- placebo_cblock_print(x->session);
-#else /* Do Encryption */
- des_cblock_print_file(&x->session,stdout);
-#endif /* NOENCRYPTION */
- /* skip reply for now */
-}
-
-#ifdef NOENCRYPTION
-/*
- * Print in hex the 8 bytes of the given session key.
- *
- * Printed format is: " 0x { x, x, x, x, x, x, x, x }"
- */
-
-placebo_cblock_print(x)
- des_cblock x;
-{
- unsigned char *y = (unsigned char *) x;
- register int i = 0;
-
- printf(" 0x { ");
-
- while (i++ <8) {
- printf("%x",*y++);
- if (i<8) printf(", ");
- }
- printf(" }");
-}
-#endif /* NOENCRYPTION */
-
-#endif
diff --git a/src/lib/krb4/change_password.c b/src/lib/krb4/change_password.c
deleted file mode 100644
index 7c3bcd01d..000000000
--- a/src/lib/krb4/change_password.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * change_password.c
- *
- * Copyright 1987, 1988, 2002 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include
-#include
-
-#include "krb.h"
-#include "krb4int.h"
-#include "kadm.h"
-#include "prot.h"
-
-/*
- * krb_change_password(): This disgusting function handles changing passwords
- * in a krb4-only environment.
- * -1783126240
- * THIS IS NOT A NORMAL KRB4 API FUNCTION! DON'T USE IN PORTABLE CODE!
- */
-
-int KRB5_CALLCONV
-krb_change_password(char *principal, char *instance, char *realm,
- char *oldPassword, char *newPassword)
-{
- int err;
- des_cblock key;
- KRB_UINT32 tempKey;
- size_t sendSize;
- u_char *sendStream;
- size_t receiveSize;
- u_char *receiveStream;
- Kadm_Client client_parm;
- u_char *p;
-
- err = 0;
-
- /* Check inputs: */
- if (principal == NULL || instance == NULL || realm == NULL ||
- oldPassword == NULL || newPassword == NULL) {
- return KFAILURE;
- }
-
- /*
- * Get tickets to change the old password and shove them in the
- * client_parm
- */
- err = krb_get_pw_in_tkt_creds(principal, instance, realm,
- PWSERV_NAME, KADM_SINST, 1,
- oldPassword, &client_parm.creds);
- if (err != KSUCCESS)
- goto cleanup;
-
- /* Now create the key to send to the server */
- /* Use this and not mit_password_to_key so that we don't prompt */
- des_string_to_key(newPassword, key);
-
- /* Create the link to the server */
- err = kadm_init_link(PWSERV_NAME, KRB_MASTER, realm, &client_parm, 1);
- if (err != KADM_SUCCESS)
- goto cleanup;
-
- /* Connect to the KDC */
- err = kadm_cli_conn(&client_parm);
- if (err != KADM_SUCCESS)
- goto cleanup;
-
- /* possible problem with vts_long on a non-multiple of four boundary */
- sendSize = 0; /* start of our output packet */
- sendStream = malloc(1); /* to make it reallocable */
- if (sendStream == NULL)
- goto disconnect;
- sendStream[sendSize++] = CHANGE_PW;
-
- /* change key to stream */
- /* This looks backwards but gets inverted on the server side.
*/
- p = key + 4;
- KRB4_GET32BE(tempKey, p);
- sendSize += vts_long(tempKey, &sendStream, (int)sendSize);
- p = key;
- KRB4_GET32BE(tempKey, p);
- sendSize += vts_long(tempKey, &sendStream, (int)sendSize);
- tempKey = 0;
-
- if (newPassword) {
- sendSize += vts_string(newPassword, &sendStream, (int)sendSize);
- }
-
- /* send the data to the kdc */
- err = kadm_cli_send(&client_parm, sendStream, sendSize,
- &receiveStream, &receiveSize);
- free(sendStream);
- if (receiveSize > 0)
- /* If there is a string from the kdc, free it - we don't care */
- free(receiveStream);
- if (err != KADM_SUCCESS)
- goto disconnect;
-
-disconnect:
- /* Disconnect */
- kadm_cli_disconn(&client_parm);
-
-cleanup:
- memset(&client_parm.creds.session, 0, sizeof(client_parm.creds.session));
- memset(&key, 0, sizeof(key));
- return err;
-}
diff --git a/src/lib/krb4/cr_auth_repl.c b/src/lib/krb4/cr_auth_repl.c
deleted file mode 100644
index 277d9af8e..000000000
--- a/src/lib/krb4/cr_auth_repl.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * lib/krb4/cr_auth_repl.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include
-
-/*
- * This routine is called by the Kerberos authentication server
- * to create a reply to an authentication request. The routine
- * takes the user's name, instance, and realm, the client's
- * timestamp, the number of tickets, the user's key version
- * number and the ciphertext containing the tickets themselves.
- * It constructs a packet and returns a pointer to it.
- *
- * Notes: The packet returned by this routine is static. Thus, if you
- * intend to keep the result beyond the next call to this routine, you
- * must copy it elsewhere.
- *
- * The packet is built in the following format:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- *
- * unsigned char KRB_PROT_VERSION protocol version number
- *
- * unsigned char AUTH_MSG_KDC_REPLY protocol message type
- *
- * [least significant HOST_BYTE_ORDER sender's (server's) byte
- * bit of above field] order
- *
- * string pname principal's name
- *
- * string pinst principal's instance
- *
- * string prealm principal's realm
- *
- * unsigned long time_ws client's timestamp
- *
- * unsigned char n number of tickets
- *
- * unsigned long x_date expiration date
- *
- * unsigned char kvno master key version
- *
- * short w_1 cipher length
- *
- * --- cipher->dat cipher data
- */
-
-KTEXT
-create_auth_reply(pname, pinst, prealm, time_ws, n, x_date, kvno, cipher)
- char *pname; /* Principal's name */
- char *pinst; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long time_ws; /* Workstation time */
- int n; /* Number of tickets */
- unsigned long x_date; /* Principal's expiration date */
- int kvno; /* Principal's key version number */
- KTEXT cipher; /* Cipher text with tickets and
- * session keys */
-{
- static KTEXT_ST pkt_st;
- KTEXT pkt = &pkt_st;
- unsigned char *p;
- size_t pnamelen, pinstlen, prealmlen;
-
- /* Create fixed part of packet */
- p = pkt->dat;
- /* This is really crusty. */
- if (n != 0)
- *p++ = 3;
- else
- *p++ = KRB_PROT_VERSION;
- *p++ = AUTH_MSG_KDC_REPLY; /* always big-endian */
-
- /* Make sure the response will actually fit into its buffer.
*/
- pnamelen = strlen(pname) + 1;
- pinstlen = strlen(pinst) + 1;
- prealmlen = strlen(prealm) + 1;
- if (sizeof(pkt->dat) < (1 + 1 + pnamelen + pinstlen + prealmlen
- + 4 + 1 + 4 + 1 + 2 + cipher->length)
- || cipher->length > 65535 || cipher->length < 0) {
- pkt->length = 0;
- return NULL;
- }
- /* Add the basic info */
- memcpy(p, pname, pnamelen);
- p += pnamelen;
- memcpy(p, pinst, pinstlen);
- p += pinstlen;
- memcpy(p, prealm, prealmlen);
- p += prealmlen;
-
- /* Workstation timestamp */
- KRB4_PUT32BE(p, time_ws);
-
- *p++ = n;
-
- /* Expiration date */
- KRB4_PUT32BE(p, x_date);
-
- /* Now send the ciphertext and info to help decode it */
- *p++ = kvno;
- KRB4_PUT16BE(p, cipher->length);
- memcpy(p, cipher->dat, (size_t)cipher->length);
- p += cipher->length;
-
- /* And return the packet */
- pkt->length = p - pkt->dat;
- return pkt;
-}
diff --git a/src/lib/krb4/cr_ciph.c b/src/lib/krb4/cr_ciph.c
deleted file mode 100644
index 481cb7ee3..000000000
--- a/src/lib/krb4/cr_ciph.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * lib/krb4/cr_ciph.c
- *
- * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include "des.h"
-#include
-
-/*
- * This routine is used by the authentication server to create
- * a packet for its client, containing a ticket for the requested
- * service (given in "tkt"), and some information about the ticket,
-#ifndef NOENCRYPTION
- * all encrypted in the given key ("key").
-#endif
- *
- * Returns KSUCCESS no matter what.
- *
- * The length of the cipher is stored in c->length; the format of
- * c->dat is as follows:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- *
- *
- * 8 bytes session session key for client, service
- *
- * string service service name
- *
- * string instance service instance
- *
- * string realm KDC realm
- *
- * unsigned char life ticket lifetime
- *
- * unsigned char kvno service key version number
- *
- * unsigned char tkt->length length of following ticket
- *
- * data tkt->dat ticket for service
- *
- * 4 bytes kdc_time KDC's timestamp
- *
- * <=7 bytes null null pad to 8 byte multiple
- *
- */
-
-int
-create_ciph(c, session, service, instance, realm, life, kvno, tkt,
- kdc_time, key)
- KTEXT c; /* Text block to hold ciphertext */
- C_Block session; /* Session key to send to user */
- char *service; /* Service name on ticket */
- char *instance; /* Instance name on ticket */
- char *realm; /* Realm of this KDC */
- unsigned long life; /* Lifetime of the ticket */
- int kvno; /* Key version number for service */
- KTEXT tkt; /* The ticket for the service */
- unsigned long kdc_time; /* KDC time */
- C_Block key; /* Key to encrypt ciphertext with */
-{
- unsigned char *ptr;
- size_t servicelen, instancelen, realmlen;
- Key_schedule key_s;
-
- ptr = c->dat;
-
- /* Validate lengths.
*/
- servicelen = strlen(service) + 1;
- instancelen = strlen(instance) + 1;
- realmlen = strlen(realm) + 1;
- if (sizeof(c->dat) / 8 < ((8 + servicelen + instancelen + realmlen
- + 1 + 1 + 1 + tkt->length
- + 4 + 7) / 8)
- || tkt->length > 255 || tkt->length < 0) {
- c->length = 0;
- return KFAILURE;
- }
-
- memcpy(ptr, session, 8);
- ptr += 8;
-
- memcpy(ptr, service, servicelen);
- ptr += servicelen;
- memcpy(ptr, instance, instancelen);
- ptr += instancelen;
- memcpy(ptr, realm, realmlen);
- ptr += realmlen;
-
- *ptr++ = life;
- *ptr++ = kvno;
- *ptr++ = tkt->length;
-
- memcpy(ptr, tkt->dat, (size_t)tkt->length);
- ptr += tkt->length;
-
- KRB4_PUT32BE(ptr, kdc_time);
-
- /* guarantee null padded encrypted data to multiple of 8 bytes */
- memset(ptr, 0, 7);
-
- c->length = (((ptr - c->dat) + 7) / 8) * 8;
-
-#ifndef NOENCRYPTION
- key_sched(key, key_s);
- pcbc_encrypt((C_Block *)c->dat, (C_Block *)c->dat,
- (long)c->length, key_s, (C_Block*)key, ENCRYPT);
- memset(key_s, 0, sizeof(key_s));
-#endif /* NOENCRYPTION */
-
- return KSUCCESS;
-}
diff --git a/src/lib/krb4/cr_death_pkt.c b/src/lib/krb4/cr_death_pkt.c
deleted file mode 100644
index 63d756277..000000000
--- a/src/lib/krb4/cr_death_pkt.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * lib/krb4/cr_death_pkt.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include
-
-/*
- * This routine creates a packet to type AUTH_MSG_DIE which is sent to
- * the Kerberos server to make it shut down. It is used only in the
- * development environment.
- *
- * It takes a string "a_name" which is sent in the packet. A pointer
- * to the packet is returned.
- *
- * The format of the killer packet is:
- *
- * type variable data
- * or constant
- * ---- ----------- ----
- *
- * unsigned char KRB_PROT_VERSION protocol version number
- *
- * unsigned char AUTH_MSG_DIE message type
- *
- * [least significant HOST_BYTE_ORDER byte order of sender
- * bit of above field]
- *
- * string a_name presumably, name of
- * principal sending killer
- * packet
- */
-
-#ifdef DEBUG
-KTEXT
-krb_create_death_packet(a_name)
- char *a_name;
-{
- static KTEXT_ST pkt_st;
- KTEXT pkt = &pkt_st;
- unsigned char *p;
- size_t namelen;
-
- p = pkt->dat;
- *p++ = KRB_PROT_VERSION;
- *p++ = AUTH_MSG_DIE;
- namelen = strlen(a_name) + 1;
- if (1 + 1 + namelen > sizeof(pkt->dat))
- return NULL;
- memcpy(p, a_name, namelen);
- p += namelen;
- pkt->length = p - pkt->dat;
- return pkt;
-}
-#endif /* DEBUG */
diff --git a/src/lib/krb4/cr_err_repl.c b/src/lib/krb4/cr_err_repl.c
deleted file mode 100644
index 5dad8c1b1..000000000
--- a/src/lib/krb4/cr_err_repl.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * lib/krb4/cr_err_repl.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include
-
-/*
- * This routine is used by the Kerberos authentication server to
- * create an error reply packet to send back to its client.
- *
- * It takes a pointer to the packet to be built, the name, instance,
- * and realm of the principal, the client's timestamp, an error code
- * and an error string as arguments. Its return value is undefined.
- *
- * The packet is built in the following format:
- *
- * type variable data
- * or constant
- * ---- ----------- ----
- *
- * unsigned char req_ack_vno protocol version number
- *
- * unsigned char AUTH_MSG_ERR_REPLY protocol message type
- *
- * [least significant HOST_BYTE_ORDER sender's (server's) byte
- * bit of above field] order
- *
- * string pname principal's name
- *
- * string pinst principal's instance
- *
- * string prealm principal's realm
- *
- * unsigned long time_ws client's timestamp
- *
- * unsigned long e error code
- *
- * string e_string error text
- */
-
-void
-cr_err_reply(pkt,pname,pinst,prealm,time_ws,e,e_string)
- KTEXT pkt;
- char *pname; /* Principal's name */
- char *pinst; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- u_long time_ws; /* Workstation time */
- u_long e; /* Error code */
- char *e_string; /* Text of error */
-{
- unsigned char *p;
- size_t pnamelen, pinstlen, prealmlen, e_stringlen;
-
- p = pkt->dat;
- *p++ = KRB_PROT_VERSION;
- *p++ = AUTH_MSG_ERR_REPLY;
-
- /* Make sure the reply will fit into the buffer. */
- pnamelen = strlen(pname) + 1;
- pinstlen = strlen(pinst) + 1;
- prealmlen = strlen(prealm) + 1;
- e_stringlen = strlen(e_string) + 1;
- if(sizeof(pkt->dat) < (1 + 1 + pnamelen + pinstlen + prealmlen
- + 4 + 4 + e_stringlen)) {
- pkt->length = 0;
- return;
- }
- /* Add the basic info */
- memcpy(p, pname, pnamelen);
- p += pnamelen;
- memcpy(p, pinst, pinstlen);
- p += pinstlen;
- memcpy(p, prealm, prealmlen);
- p += prealmlen;
- /* ws timestamp */
- KRB4_PUT32BE(p, time_ws);
- /* err code */
- KRB4_PUT32BE(p, e);
- /* err text */
- memcpy(p, e_string, e_stringlen);
- p += e_stringlen;
-
- /* And return */
- pkt->length = p - pkt->dat;
- return;
-}
diff --git a/src/lib/krb4/cr_tkt.c b/src/lib/krb4/cr_tkt.c
deleted file mode 100644
index 2c01257d8..000000000
--- a/src/lib/krb4/cr_tkt.c
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * lib/krb4/cr_tkt.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include
-#include "des.h"
-#include "krb.h"
-#include "prot.h"
-#include
-#include "port-sockets.h"
-
-static int
-krb_cr_tkt_int (KTEXT tkt, unsigned int flags_in, char *pname,
- char *pinstance, char *prealm, long paddress,
- char *session, int life, long time_sec,
- char *sname, char *sinstance);
-
-/*
- * Create ticket takes as arguments information that should be in a
- * ticket, and the KTEXT object in which the ticket should be
- * constructed. It then constructs a ticket and returns, leaving the
- * newly created ticket in tkt.
-#ifndef NOENCRYPTION
- * The data in tkt->dat is encrypted in the server's key.
-#endif
- * The length of the ticket is a multiple of
- * eight bytes and is in tkt->length.
- *
- * If the ticket is too long, the ticket will contain nulls.
- * The return value of the routine is undefined.
- *
- * The corresponding routine to extract information from a ticket it
- * decomp_ticket. When changes are made to this routine, the
- * corresponding changes should also be made to that file.
- *
- * The packet is built in the following format:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- *
- * tkt->length length of ticket (multiple of 8 bytes)
- *
-#ifdef NOENCRYPTION
- * tkt->dat:
-#else
- * tkt->dat: (encrypted in server's key)
-#endif
- *
- * unsigned char flags namely, HOST_BYTE_ORDER
- *
- * string pname client's name
- *
- * string pinstance client's instance
- *
- * string prealm client's realm
- *
- * 4 bytes paddress client's address
- *
- * 8 bytes session session key
- *
- * 1 byte life ticket lifetime
- *
- * 4 bytes time_sec KDC timestamp
- *
- * string sname service's name
- *
- * string sinstance service's instance
- *
- * <=7 bytes null null pad to 8 byte multiple
- *
- */
-int
-krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance, key)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned int flags; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int life; /* Lifetime of the ticket */
- long time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
- C_Block key; /* Service's secret key */
-{
- int kerr;
- Key_schedule key_s;
-
- kerr = krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance);
- if (kerr)
- return kerr;
-
-
/* Encrypt the ticket in the services key */
- key_sched(key, key_s);
- pcbc_encrypt((C_Block *)tkt->dat, (C_Block *)tkt->dat,
- (long)tkt->length, key_s, (C_Block *)key, 1);
- memset(key_s, 0, sizeof(key_s));
- return 0;
-}
-
-int
-krb_cr_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance, k5key)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned int flags; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int life; /* Lifetime of the ticket */
- long time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
- krb5_keyblock *k5key; /* NULL if not present */
-{
- int kerr;
- krb5_data in;
- krb5_enc_data out;
- krb5_error_code ret;
- size_t enclen;
-
- kerr = krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm,
- paddress, session, life, time_sec,
- sname, sinstance);
- if (kerr)
- return kerr;
-
- /* Encrypt the ticket in the services key */
- in.length = tkt->length;
- in.data = (char *)tkt->dat;
- /* XXX assumes context arg is ignored */
- ret = krb5_c_encrypt_length(NULL, k5key->enctype,
- (size_t)in.length, &enclen);
- if (ret)
- return KFAILURE;
- out.ciphertext.length = enclen;
- out.ciphertext.data = malloc(enclen);
- if (out.ciphertext.data == NULL)
- return KFAILURE; /* XXX maybe ENOMEM?
*/
-
- /* XXX assumes context arg is ignored */
- ret = krb5_c_encrypt(NULL, k5key, KRB5_KEYUSAGE_KDC_REP_TICKET,
- NULL, &in, &out);
- if (ret) {
- free(out.ciphertext.data);
- return KFAILURE;
- } else {
- tkt->length = out.ciphertext.length;
- memcpy(tkt->dat, out.ciphertext.data, out.ciphertext.length);
- memset(out.ciphertext.data, 0, out.ciphertext.length);
- free(out.ciphertext.data);
- }
- return 0;
-}
-
-static int
-krb_cr_tkt_int(tkt, flags_in, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned int flags_in; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int life; /* Lifetime of the ticket */
- long time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
-{
- register unsigned char *data; /* running index into ticket */
- size_t pnamelen, pinstlen, prealmlen, snamelen, sinstlen;
- struct in_addr paddr;
-
- /* Be really paranoid.
*/
- if (sizeof(paddr.s_addr) != 4)
- return KFAILURE;
-
- tkt->length = 0; /* Clear previous data */
-
- /* Check length of ticket */
- pnamelen = strlen(pname) + 1;
- pinstlen = strlen(pinstance) + 1;
- prealmlen = strlen(prealm) + 1;
- snamelen = strlen(sname) + 1;
- sinstlen = strlen(sinstance) + 1;
- if (sizeof(tkt->dat) / 8 < ((1 + pnamelen + pinstlen + prealmlen
- + 4 /* address */
- + 8 /* session */
- + 1 /* life */
- + 4 /* issue time */
- + snamelen + sinstlen
- + 7) / 8) /* roundoff */
- || life > 255 || life < 0) {
- memset(tkt->dat, 0, sizeof(tkt->dat));
- return KFAILURE /* XXX */;
- }
-
- data = tkt->dat;
- *data++ = flags_in;
- memcpy(data, pname, pnamelen);
- data += pnamelen;
- memcpy(data, pinstance, pinstlen);
- data += pinstlen;
- memcpy(data, prealm, prealmlen);
- data += prealmlen;
-
- paddr.s_addr = paddress;
- memcpy(data, &paddr.s_addr, sizeof(paddr.s_addr));
- data += sizeof(paddr.s_addr);
-
- memcpy(data, session, 8);
- data += 8;
- *data++ = life;
- /* issue time */
- KRB4_PUT32BE(data, time_sec);
-
- memcpy(data, sname, snamelen);
- data += snamelen;
- memcpy(data, sinstance, sinstlen);
- data += sinstlen;
-
- /* guarantee null padded ticket to multiple of 8 bytes */
- memset(data, 0, 7);
- tkt->length = ((data - tkt->dat + 7) / 8) * 8;
- return 0;
-}
diff --git a/src/lib/krb4/debug.c b/src/lib/krb4/debug.c
deleted file mode 100644
index bd2ec904a..000000000
--- a/src/lib/krb4/debug.c
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * debug.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- */
-
-#include "mit-copyright.h"
-
-/* Declare global debugging variables. */
-
-int krb_ap_req_debug = 0;
-int krb_debug = 0;
diff --git a/src/lib/krb4/decomp_tkt.c b/src/lib/krb4/decomp_tkt.c
deleted file mode 100644
index 7d85991a0..000000000
--- a/src/lib/krb4/decomp_tkt.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * lib/krb4/decomp_tkt.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "des.h"
-#include "krb.h"
-#include "prot.h"
-#include
-#include
-#include "krb54proto.h"
-#include "port-sockets.h"
-
-#ifdef KRB_CRYPT_DEBUG
-extern int krb_debug;
-#endif
-
-static int dcmp_tkt_int (KTEXT tkt, unsigned char *flags,
- char *pname, char *pinstance, char *prealm,
- unsigned KRB4_32 *paddress, C_Block session,
- int *life, unsigned KRB4_32 *time_sec,
- char *sname, char *sinstance, C_Block key,
- Key_schedule key_s, krb5_keyblock *k5key);
-/*
- * This routine takes a ticket and pointers to the variables that
- * should be filled in based on the information in the ticket.
It
-#ifndef NOENCRYPTION
- * decrypts the ticket using the given key, and
-#endif
- * fills in values for its arguments.
- *
- * Note: if the client realm field in the ticket is the null string,
- * then the "prealm" variable is filled in with the local realm (as
- * defined by KRB_REALM).
- *
- * If the ticket byte order is different than the host's byte order
- * (as indicated by the byte order bit of the "flags" field), then
- * the KDC timestamp "time_sec" is byte-swapped. The other fields
- * potentially affected by byte order, "paddress" and "session" are
- * not byte-swapped.
- *
- * The routine returns KFAILURE if any of the "pname", "pinstance",
- * or "prealm" fields is too big, otherwise it returns KSUCCESS.
- *
- * The corresponding routine to generate tickets is create_ticket.
- * When changes are made to this routine, the corresponding changes
- * should also be made to that file.
- *
- * See create_ticket.c for the format of the ticket packet.
- */
-
-int KRB5_CALLCONV /* XXX should this be exported on win32?
*/
-decomp_ticket(tkt, flags, pname, pinstance, prealm, paddress, session,
- life, time_sec, sname, sinstance, key, key_s)
- KTEXT tkt; /* The ticket to be decoded */
- unsigned char *flags; /* Kerberos ticket flags */
- char *pname; /* Authentication name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- unsigned KRB4_32 *paddress; /* Net address of entity
- * requesting ticket */
- C_Block session; /* Session key inserted in ticket */
- int *life; /* Lifetime of the ticket */
- unsigned KRB4_32 *time_sec; /* Issue time and date */
- char *sname; /* Service name */
- char *sinstance; /* Service instance */
- C_Block key; /* Service's secret key
- * (to decrypt the ticket) */
- Key_schedule key_s; /* The precomputed key schedule */
-{
- return
- dcmp_tkt_int(tkt, flags, pname, pinstance, prealm,
- paddress, session, life, time_sec, sname, sinstance,
- key, key_s, NULL);
-}
-
-int
-decomp_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress, session,
- life, time_sec, sname, sinstance, k5key)
- KTEXT tkt; /* The ticket to be decoded */
- unsigned char *flags; /* Kerberos ticket flags */
- char *pname; /* Authentication name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- unsigned KRB4_32 *paddress; /* Net address of entity
- * requesting ticket */
- C_Block session; /* Session key inserted in ticket */
- int *life; /* Lifetime of the ticket */
- unsigned KRB4_32 *time_sec; /* Issue time and date */
- char *sname; /* Service name */
- char *sinstance; /* Service instance */
- krb5_keyblock *k5key; /* krb5 keyblock of service */
-{
- C_Block key; /* placeholder; doesn't get used */
- Key_schedule key_s; /* placeholder; doesn't get used */
-
- return
- dcmp_tkt_int(tkt, flags, pname, pinstance, prealm, paddress, session,
- life, time_sec, sname, sinstance, key, key_s, k5key);
-}
-
-static int
-dcmp_tkt_int(tkt, flags, pname, pinstance, prealm,
paddress, session,
- life, time_sec, sname, sinstance, key, key_s, k5key)
- KTEXT tkt; /* The ticket to be decoded */
- unsigned char *flags; /* Kerberos ticket flags */
- char *pname; /* Authentication name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- unsigned KRB4_32 *paddress; /* Net address of entity
- * requesting ticket */
- C_Block session; /* Session key inserted in ticket */
- int *life; /* Lifetime of the ticket */
- unsigned KRB4_32 *time_sec; /* Issue time and date */
- char *sname; /* Service name */
- char *sinstance; /* Service instance */
- C_Block key; /* Service's secret key
- * (to decrypt the ticket) */
- Key_schedule key_s; /* The precomputed key schedule */
- krb5_keyblock *k5key; /* krb5 keyblock of service */
-{
- int tkt_le; /* little-endian ticket? */
- unsigned char *ptr = tkt->dat;
- int kret, len;
- struct in_addr paddr;
-
- /* Be really paranoid. */
- if (sizeof(paddr.s_addr) != 4)
- return KFAILURE;
-
-#ifndef NOENCRYPTION
- /* Do the decryption */
-#ifdef KRB_CRYPT_DEBUG
- if (krb_debug) {
- FILE *fp;
- char *keybuf[BUFSIZ]; /* Avoid secret stuff in stdio buffers */
-
- fp = fopen("/kerberos/tkt.des", "wb");
- setbuf(fp, keybuf);
- fwrite(tkt->dat, 1, tkt->length, fp);
- fclose(fp);
- memset(keybuf, 0, sizeof(keybuf)); /* Clear the buffer */
- }
-#endif
- if (k5key != NULL) {
- /* block locals */
- krb5_enc_data in;
- krb5_data out;
- krb5_error_code ret;
-
- in.enctype = k5key->enctype;
- in.kvno = 0;
- in.ciphertext.length = tkt->length;
- in.ciphertext.data = (char *)tkt->dat;
- out.length = tkt->length;
- out.data = malloc((size_t)tkt->length);
- if (out.data == NULL)
- return KFAILURE; /* XXX maybe ENOMEM?
*/
-
- /* XXX note the following assumes that context arg isn't used */
- ret =
- krb5_c_decrypt(NULL, k5key,
- KRB5_KEYUSAGE_KDC_REP_TICKET, NULL, &in, &out);
- if (ret) {
- free(out.data);
- return KFAILURE;
- } else {
- memcpy(tkt->dat, out.data, out.length);
- memset(out.data, 0, out.length);
- free(out.data);
- }
- } else {
- pcbc_encrypt((C_Block *)tkt->dat, (C_Block *)tkt->dat,
- (long)tkt->length, key_s, (C_Block *)key, 0);
- }
-#endif /* ! NOENCRYPTION */
-#ifdef KRB_CRYPT_DEBUG
- if (krb_debug) {
- FILE *fp;
- char *keybuf[BUFSIZ]; /* Avoid secret stuff in stdio buffers */
-
- fp = fopen("/kerberos/tkt.clear", "wb");
- setbuf(fp, keybuf);
- fwrite(tkt->dat, 1, tkt->length, fp);
- fclose(fp);
- memset(keybuf, 0, sizeof(keybuf)); /* Clear the buffer */
- }
-#endif
-
-#define TKT_REMAIN (tkt->length - (ptr - tkt->dat))
- kret = KFAILURE;
- if (TKT_REMAIN < 1)
- goto cleanup;
- *flags = *ptr++;
- tkt_le = (*flags >> K_FLAG_ORDER) & 1;
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > ANAME_SZ)
- goto cleanup;
- memcpy(pname, ptr, (size_t)len);
- ptr += len;
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > INST_SZ)
- goto cleanup;
- memcpy(pinstance, ptr, (size_t)len);
- ptr += len;
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > REALM_SZ)
- goto cleanup;
- memcpy(prealm, ptr, (size_t)len);
- ptr += len;
-
- /*
- * This hack may be needed for some really krb4 servers, such as
- * AFS kaserver (?), that fail to fill in the realm of a ticket
- * under some circumstances.
- */
- if (*prealm == '\0')
- krb_get_lrealm(prealm, 1);
-
- /*
- * Ensure there's enough remaining in the ticket to get the
- * fixed-size stuff.
- */
- if (TKT_REMAIN < 4 + 8 + 1 + 4)
- goto cleanup;
-
- memcpy(&paddr.s_addr, ptr, sizeof(paddr.s_addr));
- ptr += sizeof(paddr.s_addr);
- *paddress = paddr.s_addr;
-
- memcpy(session, ptr, 8); /* session key */
- memset(ptr, 0, 8);
- ptr += 8;
-#ifdef notdef /* DONT SWAP SESSION KEY spm 10/22/86 */
- if (tkt_swap_bytes)
- swap_C_Block(session);
-#endif
-
- *life = *ptr++;
-
- KRB4_GET32(*time_sec, ptr, tkt_le);
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > SNAME_SZ)
- goto cleanup;
- memcpy(sname, ptr, (size_t)len);
- ptr += len;
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > INST_SZ)
- goto cleanup;
- memcpy(sinstance, ptr, (size_t)len);
- ptr += len;
- kret = KSUCCESS;
-
-#ifdef KRB_CRYPT_DEBUG
- if (krb_debug) {
- krb_log("service=%s.%s len(sname)=%d, len(sinstance)=%d",
- sname, sinstance, strlen(sname), strlen(sinstance));
- krb_log("ptr - tkt->dat=%d",(char *)ptr - (char *)tkt->dat);
- }
-#endif
-
-cleanup:
- if (kret != KSUCCESS) {
- memset(session, 0, sizeof(session));
- memset(tkt->dat, 0, (size_t)tkt->length);
- return kret;
- }
- return KSUCCESS;
-}
diff --git a/src/lib/krb4/dest_tkt.c b/src/lib/krb4/dest_tkt.c
deleted file mode 100644
index 69198ba6c..000000000
--- a/src/lib/krb4/dest_tkt.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * lib/krb4/dest_tkt.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2007 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include
-#include
-#include
-#include
-
-#include "k5-util.h"
-#define do_seteuid krb5_seteuid
-#include "k5-platform.h"
-
-#ifdef TKT_SHMEM
-#include
-#endif
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#include
-
-#ifndef O_SYNC
-#define O_SYNC 0
-#endif
-
-/*
- * dest_tkt() is used to destroy the ticket store upon logout.
- * If the ticket file does not exist, dest_tkt() returns RET_TKFIL.
- * Otherwise the function returns RET_OK on success, KFAILURE on
- * failure.
- *
- * The ticket file (TKT_FILE) is defined in "krb.h".
- */
-
-int KRB5_CALLCONV
-dest_tkt()
-{
- const char *file = TKT_FILE;
- int i,fd;
- int ret;
- struct stat statpre, statpost;
- char buf[BUFSIZ];
- uid_t me, metoo;
-#ifdef TKT_SHMEM
- char shmidname[MAXPATHLEN];
- size_t shmidlen;
-#endif /* TKT_SHMEM */
-
- /* If ticket cache selector is null, use default cache. */
- if (file == 0)
- file = tkt_string();
-
- errno = 0;
- ret = KSUCCESS;
- me = getuid();
- metoo = geteuid();
-
- if (lstat(file, &statpre) < 0)
- return (errno == ENOENT) ? RET_TKFIL : KFAILURE;
- /*
- * This does not guard against certain cases that are vulnerable
- * to race conditions, such as world-writable or group-writable
- * directories that are not stickybitted, or untrusted path
- * components. In all other cases, the following checks should be
- * sufficient. It is assumed that the aforementioned certain
- * vulnerable cases are unlikely to arise on a well-administered
- * system where the user is not deliberately being stupid.
- */
- if (!(statpre.st_mode & S_IFREG) || me != statpre.st_uid
- || statpre.st_nlink != 1)
- return KFAILURE;
- /*
- * Yes, we do uid twiddling here. It's not optimal, but some
- * applications may expect that the ruid is what should really own
- * the ticket file, e.g. setuid applications.
- */
- if (me != metoo && do_seteuid(me) < 0)
- return KFAILURE;
- if ((fd = open(file, O_RDWR|O_SYNC, 0)) < 0) {
- ret = (errno == ENOENT) ? RET_TKFIL : KFAILURE;
- goto out;
- }
- set_cloexec_fd(fd);
- /*
- * Do some additional paranoid things. The worst-case situation
- * is that a user may be fooled into opening a non-regular file
- * briefly if the file is in a directory with improper
- * permissions.
- */
- if (fstat(fd, &statpost) < 0) {
- (void)close(fd);
- ret = KFAILURE;
- goto out;
- }
- if (statpre.st_dev != statpost.st_dev
- || statpre.st_ino != statpost.st_ino) {
- (void)close(fd);
- errno = 0;
- ret = KFAILURE;
- goto out;
- }
-
- memset(buf, 0, BUFSIZ);
- for (i = 0; i < statpost.st_size; i += BUFSIZ)
- if (write(fd, buf, BUFSIZ) != BUFSIZ) {
-#ifndef NO_FSYNC
- (void) fsync(fd);
-#endif
- (void) close(fd);
- goto out;
- }
-
-#ifndef NO_FSYNC
- (void) fsync(fd);
-#endif
- (void) close(fd);
-
- (void) unlink(file);
-
-out:
- if (me != metoo && do_seteuid(metoo) < 0)
- return KFAILURE;
- if (ret != KSUCCESS)
- return ret;
-
-#ifdef TKT_SHMEM
- /*
- * handle the shared memory case
- */
- shmidlen = strlen(file) + sizeof(".shm");
- if (shmidlen > sizeof(shmidname))
- return RET_TKFIL;
- (void)strcpy(shmidname, file);
- (void)strcat(shmidname, ".shm");
- return krb_shm_dest(shmidname);
-#else /* !TKT_SHMEM */
- return KSUCCESS;
-#endif /* !TKT_SHMEM */
-}
diff --git a/src/lib/krb4/err_txt.c b/src/lib/krb4/err_txt.c
deleted file mode 100644
index 0c4a01158..000000000
--- a/src/lib/krb4/err_txt.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * lib/krb4/err_txt.c
- *
- * Copyright 1988, 2002 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "krb4int.h"
-
-/*
- * This is gross. We want krb_err_txt to match the contents of the
- * com_err error table, but the text is static in krb_err.c. We can't
- * alias it by making a pointer to it, either, so we have to suck in
- * another copy of it that is named differently. */
-#if TARGET_OS_MAC && !defined(DEPEND)
-#undef initialize_krb_error_table
-#define initialize_krb_error_table krb4int_init_krb_err_tbl
-void krb4int_init_krb_err_tbl(void);
-#include "krb_err.c"
-#undef initialize_krb_error_table
-
-/*
- * Depends on the name of the static table generated by compile_et,
- * but since this is only on Darwin, where we will always use a
- * certain compile_et, it should be ok.
- */
-const char * const * const krb_err_txt = text;
-#else
-#ifndef DEPEND
-/* Don't put this in auto-generated dependencies. */
-#include "krb_err_txt.c"
-#endif
-#endif
-
-void initialize_krb_error_table(void);
-
-static int inited = 0;
-
-void
-krb4int_et_init(void)
-{
- if (inited)
- return;
- add_error_table(&et_krb_error_table);
- inited = 1;\
-}
-
-void
-krb4int_et_fini(void)
-{
- if (inited)
- remove_error_table(&et_krb_error_table);
-}
-
-const char * KRB5_CALLCONV
-krb_get_err_text(code)
- int code;
-{
- krb4int_et_init();
- /*
- * Shift krb error code into com_err number space.
- */
- if (code >= 0 && code < MAX_KRB_ERRORS)
- return error_message(ERROR_TABLE_BASE_krb + code);
- else
- return "Invalid Kerberos error code";
-}
diff --git a/src/lib/krb4/et_errtxt.awk b/src/lib/krb4/et_errtxt.awk
deleted file mode 100755
index 888dad695..000000000
--- a/src/lib/krb4/et_errtxt.awk
+++ /dev/null
@@ -1,71 +0,0 @@
-/^[ \t]*(error_table|et)[ \t]+[a-zA-Z][a-zA-Z0-9_]+/ {
- print "/*" > outfile
- print " * " outfile ":" > outfile
- print " * This file is automatically generated; please do not edit it." > outfile
- print " */" > outfile
- print "#if TARGET_OS_MAC" > outfile
- print "const char * const * const krb_err_txt" > outfile
- print "#else" > outfile
- print "const char * const krb_err_txt[]" > outfile
- print "#endif" > outfile
- print "\t= {" > outfile
- table_item_count = 0
-}
-
-(continuation == 1) && ($0 ~ /\\[ \t]*$/) {
- text=substr($0,1,length($0)-1);
-# printf "\t\t\"%s\"\n", text > outfile
- cont_buf=cont_buf text;
-}
-
-(continuation == 1) && ($0 ~ /"[ \t]*$/) {
-# "
-# printf "\t\t\"%s,\n", $0 > outfile
- printf "\t%s,\n", cont_buf $0 > outfile
- continuation = 0;
-}
-/^[ \t]*(error_code|ec)[ \t]+[A-Z_0-9]+,[ \t]*$/ {
- table_item_count++
- skipone=1
- next
-}
-
-/^[ \t]*(error_code|ec)[ \t]+[A-Z_0-9]+,[ \t]*".*"[ \t]*$/ {
- text=""
- for (i=3; i<=NF; i++) {
- text = text FS $i
- }
- text=substr(text,2,length(text)-1);
- printf "\t%s,\n", text > outfile
- table_item_count++
-}
-/^[ \t]*(error_code|ec)[ \t]+[A-Z_0-9]+,[ \t]*".*\\[ \t]*$/ {
- text=""
- for (i=3; i<=NF; i++) {
- text = text FS $i
- }
- text=substr(text,2,length(text)-2);
-# printf "\t%s\"\n", text > outfile
- cont_buf=text
- continuation++;
-}
-
-/^[ \t]*".*\\[ \t]*$/ {
- if (skipone) {
- text=substr($0,1,length($0)-1);
-# printf "\t%s\"\n", text > outfile
- cont_buf=text
- continuation++;
- }
- skipone=0
-}
-
-{
- if (skipone) {
- printf "\t%s,\n", $0 > outfile
- }
- skipone=0
-}
-END {
- print "};" > outfile
-}
diff --git a/src/lib/krb4/fgetst.c b/src/lib/krb4/fgetst.c
deleted file mode 100644
index e652ac93a..000000000
--- a/src/lib/krb4/fgetst.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * fgetst.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- */
-
-#include "mit-copyright.h"
-#include
-#include "krb.h"
-#include "krb4int.h"
-
-/*
- * fgetst takes a file descriptor, a character pointer, and a count.
- * It reads from the file it has either read "count" characters, or
- * until it reads a null byte. When finished, what has been read exists
- * in "s". If "count" characters were actually read, the last is changed
- * to a null, so the returned string is always null-terminated. fgetst
- * returns the number of characters read, including the null terminator.
- */
-
-int
-fgetst(f, s, n)
- FILE *f;
- register char *s;
- int n;
-{
- register int count = n;
- int ch; /* NOT char; otherwise you don't see EOF */
-
- while ((ch = getc(f)) != EOF && ch && --count) {
- *s++ = ch;
- }
- *s = '\0';
- return (n - count);
-}
diff --git a/src/lib/krb4/g_ad_tkt.c b/src/lib/krb4/g_ad_tkt.c
deleted file mode 100644
index 353fdcee5..000000000
--- a/src/lib/krb4/g_ad_tkt.c
+++ /dev/null
@@ -1,383 +0,0 @@ -/* - * lib/krb4/g_ad_tkt.c - * - * Copyright 1986, 1987, 1988, 2000, 2001 by the Massachusetts - * Institute of Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "krb.h" -#include "des.h" -#include "krb4int.h" -#include "prot.h" -#include - -#include - -extern int krb_debug; -extern int swap_bytes; - -/* - * get_ad_tkt obtains a new service ticket from Kerberos, using - * the ticket-granting ticket which must be in the ticket file. - * It is typically called by krb_mk_req() when the client side - * of an application is creating authentication information to be - * sent to the server side. - * - * get_ad_tkt takes four arguments: three pointers to strings which - * contain the name, instance, and realm of the service for which the - * ticket is to be obtained; and an integer indicating the desired - * lifetime of the ticket. 
- * - * It returns an error status if the ticket couldn't be obtained, - * or AD_OK if all went well. The ticket is stored in the ticket - * cache. - * - * The request sent to the Kerberos ticket-granting service looks - * like this: - * - * pkt->dat - * - * TEXT original contents of authenticator+ticket - * pkt->dat built in krb_mk_req call - * - * 4 bytes time_ws always 0 (?) FIXME! - * char lifetime lifetime argument passed - * string service service name argument - * string sinstance service instance arg. - * - * See "prot.h" for the reply packet layout and definitions of the - * extraction macros like pkt_version(), pkt_msg_type(), etc. - */ - -/* - * g_ad_tk_parse() - * - * Parse the returned packet from the KDC. - * - * Note that the caller is responsible for clearing the returned - * session key if there is an error; that makes the error handling - * code a little less hairy. - */ -static int -g_ad_tkt_parse(KTEXT rpkt, C_Block tgtses, C_Block ses, - char *s_name, char *s_instance, char *rlm, - char *service, char *sinstance, char *realm, - int *lifetime, int *kvno, KTEXT tkt, - unsigned KRB4_32 *kdc_time, - KRB4_32 *t_local) -{ - unsigned char *ptr; - unsigned int t_switch; - int msg_byte_order; - unsigned long rep_err_code; - unsigned long cip_len; - KTEXT_ST cip_st; - KTEXT cip = &cip_st; /* Returned Ciphertext */ - Key_schedule key_s; - int len, i; - KRB4_32 t_diff; /* Difference between timestamps */ - - ptr = rpkt->dat; -#define RPKT_REMAIN (rpkt->length - (ptr - rpkt->dat)) - if (RPKT_REMAIN < 1 + 1) - return INTK_PROT; - /* check packet version of the returned packet */ - if (*ptr++ != KRB_PROT_VERSION) - return INTK_PROT; - - /* This used to be - switch (pkt_msg_type(rpkt) & ~1) { - but SCO 3.2v4 cc compiled that incorrectly. */ - t_switch = *ptr++; - /* Check byte order (little-endian == 1) */ - msg_byte_order = t_switch & 1; - t_switch &= ~1; - /* - * Skip over some stuff (3 strings and various integers -- see - * cr_auth_repl.c for details). 
Maybe we should actually verify - * these? - */ - for (i = 0; i < 3; i++) { - len = krb4int_strnlen((char *)ptr, RPKT_REMAIN) + 1; - if (len <= 0) - return INTK_PROT; - ptr += len; - } - switch (t_switch) { - case AUTH_MSG_KDC_REPLY: - if (RPKT_REMAIN < 4 + 1 + 4 + 1) - return INTK_PROT; - ptr += 4 + 1 + 4 + 1; - break; - case AUTH_MSG_ERR_REPLY: - if (RPKT_REMAIN < 8) - return INTK_PROT; - ptr += 4; - KRB4_GET32(rep_err_code, ptr, msg_byte_order); - return rep_err_code; - - default: - return INTK_PROT; - } - - /* Extract the ciphertext */ - if (RPKT_REMAIN < 2) - return INTK_PROT; - KRB4_GET16(cip_len, ptr, msg_byte_order); - if (RPKT_REMAIN < cip_len) - return INTK_PROT; - /* - * RPKT_REMAIN will always be non-negative and at most the maximum - * possible value of cip->length, so this assignment is safe. - */ - cip->length = cip_len; - memcpy(cip->dat, ptr, (size_t)cip->length); - ptr += cip->length; - -#ifndef NOENCRYPTION - /* Attempt to decrypt it */ - - key_sched(tgtses, key_s); - DEB (("About to do decryption ...")); - pcbc_encrypt((C_Block *)cip->dat, (C_Block *)cip->dat, - (long)cip->length, key_s, (C_Block *)tgtses, 0); -#endif /* !NOENCRYPTION */ - /* - * Stomp on key schedule. Caller should stomp on tgtses. - */ - memset(key_s, 0, sizeof(key_s)); - - ptr = cip->dat; -#define CIP_REMAIN (cip->length - (ptr - cip->dat)) - if (CIP_REMAIN < 8) - return RD_AP_MODIFIED; - memcpy(ses, ptr, 8); - /* - * Stomp on decrypted session key immediately after copying it. 
- */ - memset(ptr, 0, 8); - ptr += 8; - - len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1; - if (len <= 0 || len > SNAME_SZ) - return RD_AP_MODIFIED; - memcpy(s_name, ptr, (size_t)len); - ptr += len; - - len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1; - if (len <= 0 || len > INST_SZ) - return RD_AP_MODIFIED; - memcpy(s_instance, ptr, (size_t)len); - ptr += len; - - len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1; - if (len <= 0 || len > REALM_SZ) - return RD_AP_MODIFIED; - memcpy(rlm, ptr, (size_t)len); - ptr += len; - - if (strcmp(s_name, service) || strcmp(s_instance, sinstance) - || strcmp(rlm, realm)) /* not what we asked for */ - return INTK_ERR; /* we need a better code here XXX */ - - if (CIP_REMAIN < 1 + 1 + 1) - return RD_AP_MODIFIED; - *lifetime = *ptr++; - *kvno = *ptr++; - tkt->length = *ptr++; - - if (CIP_REMAIN < tkt->length) - return RD_AP_MODIFIED; - memcpy(tkt->dat, ptr, (size_t)tkt->length); - ptr += tkt->length; - - /* Time (coarse) */ - if (CIP_REMAIN < 4) - return RD_AP_MODIFIED; - KRB4_GET32(*kdc_time, ptr, msg_byte_order); - - /* check KDC time stamp */ - *t_local = TIME_GMT_UNIXSEC; - t_diff = *t_local - *kdc_time; - if (t_diff < 0) - t_diff = -t_diff; /* Absolute value of difference */ - if (t_diff > CLOCK_SKEW) - return RD_AP_TIME; /* XXX should probably be better code */ - - return 0; -} - -int KRB5_CALLCONV -get_ad_tkt(service, sinstance, realm, lifetime) - char *service; - char *sinstance; - char *realm; - int lifetime; -{ - KTEXT_ST pkt_st; - KTEXT pkt = & pkt_st; /* Packet to KDC */ - KTEXT_ST rpkt_st; - KTEXT rpkt = &rpkt_st; /* Returned packet */ - KTEXT_ST tkt_st; - KTEXT tkt = &tkt_st; /* Current ticket */ - C_Block ses; /* Session key for tkt */ - CREDENTIALS cr; - int kvno; /* Kvno for session key */ - int kerror; - char lrealm[REALM_SZ]; - KRB4_32 time_ws = 0; - char s_name[SNAME_SZ]; - char s_instance[INST_SZ]; - char rlm[REALM_SZ]; - unsigned char *ptr; - KRB4_32 t_local; - struct sockaddr_in laddr; - socklen_t 
addrlen; - unsigned KRB4_32 kdc_time; /* KDC time */ - size_t snamelen, sinstlen; - - kerror = krb_get_tf_realm(TKT_FILE, lrealm); -#if USE_LOGIN_LIBRARY - if (kerror == GC_NOTKT) { - /* No tickets... call krb_get_cred (KLL will prompt) and try again. */ - if ((kerror = krb_get_cred ("krbtgt", realm, realm, &cr)) == KSUCCESS) { - /* Now get the realm again. */ - kerror = krb_get_tf_realm (TKT_FILE, lrealm); - } - } -#endif - if (kerror != KSUCCESS) - return kerror; - - /* Create skeleton of packet to be sent */ - pkt->length = 0; - - /* - * Look for the session key (and other stuff we don't need) - * in the ticket file for krbtgt.realm@lrealm where "realm" - * is the service's realm (passed in "realm" argument) and - * "lrealm" is the realm of our initial ticket (the local realm). - * If that fails, and the server's realm and the local realm are - * the same thing, give up - no TGT available for local realm. - * - * If the server realm and local realm are different, though, - * try getting a ticket-granting ticket for the server's realm, - * i.e. a ticket for "krbtgt.alienrealm@lrealm", by calling get_ad_tkt(). - * If that succeeds, the ticket will be in ticket cache, get it - * into the "cr" structure by calling krb_get_cred(). - */ - kerror = krb_get_cred("krbtgt", realm, lrealm, &cr); - if (kerror != KSUCCESS) { - /* - * If realm == lrealm, we have no hope, so let's not even try. - */ - if (strncmp(realm, lrealm, sizeof(lrealm)) == 0) - return AD_NOTGT; - else { - kerror = get_ad_tkt("krbtgt", realm, lrealm, lifetime); - if (kerror != KSUCCESS) { - if (kerror == KDC_PR_UNKNOWN) /* no cross-realm ticket */ - return AD_NOTGT; /* So call it no ticket */ - return kerror; - } - kerror = krb_get_cred("krbtgt",realm,lrealm,&cr); - if (kerror != KSUCCESS) - return kerror; - } - } - - /* - * Make up a request packet to the "krbtgt.realm@lrealm". - * Start by calling krb_mk_req() which puts ticket+authenticator - * into "pkt". Then tack other stuff on the end. 
- */ - kerror = krb_mk_req(pkt, "krbtgt", realm, lrealm, 0L); - if (kerror) { - /* stomp stomp stomp */ - memset(cr.session, 0, sizeof(cr.session)); - return AD_NOTGT; - } - - ptr = pkt->dat + pkt->length; - - snamelen = strlen(service) + 1; - sinstlen = strlen(sinstance) + 1; - if (sizeof(pkt->dat) - (ptr - pkt->dat) < (4 + 1 - + snamelen - + sinstlen)) { - /* stomp stomp stomp */ - memset(cr.session, 0, sizeof(cr.session)); - return INTK_ERR; - } - - /* timestamp */ /* FIXME -- always 0 now, should we fill it in??? */ - KRB4_PUT32BE(ptr, time_ws); - - *ptr++ = lifetime; - - memcpy(ptr, service, snamelen); - ptr += snamelen; - memcpy(ptr, sinstance, sinstlen); - ptr += sinstlen; - - pkt->length = ptr - pkt->dat; - - /* Send the request to the local ticket-granting server */ - rpkt->length = 0; - addrlen = sizeof(laddr); - kerror = krb4int_send_to_kdc_addr(pkt, rpkt, realm, - (struct sockaddr *)&laddr, &addrlen); - - if (!kerror) { - /* No error; parse return packet from KDC. */ - kerror = g_ad_tkt_parse(rpkt, cr.session, ses, - s_name, s_instance, rlm, - service, sinstance, realm, - &lifetime, &kvno, tkt, - &kdc_time, &t_local); - } - /* - * Unconditionally stomp on cr.session because we don't need it - * anymore. - */ - memset(cr.session, 0, sizeof(cr.session)); - if (kerror) { - /* - * Stomp on ses for good measure, since g_ad_tkt_parse() - * doesn't do that for us. - */ - memset(ses, 0, sizeof(ses)); - return kerror; - } - - kerror = krb4int_save_credentials_addr(s_name, s_instance, rlm, - ses, lifetime, kvno, tkt, - t_local, - laddr.sin_addr.s_addr); - /* - * Unconditionally stomp on ses because we don't need it anymore. - */ - memset(ses, 0, sizeof(ses)); - if (kerror) - return kerror; - return AD_OK; -} diff --git a/src/lib/krb4/g_cnffile.c b/src/lib/krb4/g_cnffile.c deleted file mode 100644 index 8ef38feef..000000000 --- a/src/lib/krb4/g_cnffile.c +++ /dev/null 
@@ -1,128 +0,0 @@
-/* Copyright 1994 Cygnus Support */
-/* Mark W. Eichin */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* common code for looking at krb.conf and krb.realms file */
-/* this may be superceded by 's work for the Mac port, but
- it solves a problem for now. */
-
-#include
-#include "krb.h"
-#include "k5-int.h"
-#include "krb4int.h"
-
-krb5_context krb5__krb4_context = 0;
-
-static FILE*
-krb__v5_get_file(s)
- const char *s;
-{
- FILE *cnffile = 0;
- const char* names[3];
- char **full_name = 0, **cpp;
- krb5_error_code retval;
-
- if (!krb5__krb4_context)
- krb5_init_context(&krb5__krb4_context);
- names[0] = "libdefaults";
- names[1] = s;
- names[2] = 0;
- if (krb5__krb4_context) {
- retval = profile_get_values(krb5__krb4_context->profile, names,
- &full_name);
- if (retval == 0 && full_name && full_name[0]) {
- cnffile = fopen(full_name[0],"r");
- if (cnffile)
- set_cloexec_file(cnffile);
- for (cpp = full_name; *cpp; cpp++)
- krb5_xfree(*cpp);
- krb5_xfree(full_name);
- }
- }
- return cnffile;
-}
-
-char *
-krb__get_srvtabname(default_srvtabname)
- const char *default_srvtabname;
-{
- const char* names[3];
- char **full_name = 0, **cpp;
- krb5_error_code retval;
- static char retname[MAXPATHLEN];
-
- if (!krb5__krb4_context)
- krb5_init_context(&krb5__krb4_context);
- names[0] = "libdefaults";
- names[1] = "krb4_srvtab";
- names[2] = 0;
- if (krb5__krb4_context) {
- retval = profile_get_values(krb5__krb4_context->profile, names,
- &full_name);
- if (retval == 0 && full_name && full_name[0]) {
- retname[0] = '\0';
- strncat(retname, full_name[0], sizeof(retname));
- for (cpp = full_name; *cpp; cpp++)
- krb5_xfree(*cpp);
- krb5_xfree(full_name);
- return retname;
- }
- }
- retname[0] = '\0';
- strncat(retname, default_srvtabname, sizeof(retname));
- return retname;
-}
-
-FILE*
-krb__get_cnffile()
-{
- char *s;
- FILE *cnffile = 0;
- extern char *getenv();
-
- /* standard V4 override first */
- s = getenv("KRB_CONF");
- if (s) cnffile = fopen(s,"r");
- /* if that's wrong, use V5 config */
- if (!cnffile) cnffile = krb__v5_get_file("krb4_config");
- /* and if V5 config doesn't have it, go to hard-coded values */
- if (!cnffile) cnffile = fopen(KRB_CONF,"r");
-#ifdef ATHENA_CONF_FALLBACK
- if (!cnffile) cnffile = fopen(KRB_FB_CONF,"r");
-#endif
- if (cnffile)
- set_cloexec_file(cnffile);
- return cnffile;
-}
-
-
-FILE*
-krb__get_realmsfile()
-{
- FILE *realmsfile = 0;
- char *s;
-
- /* standard (not really) V4 override first */
- s = getenv("KRB_REALMS");
- if (s) realmsfile = fopen(s,"r");
- if (!realmsfile) realmsfile = krb__v5_get_file("krb4_realms");
- if (!realmsfile) realmsfile = fopen(KRB_RLM_TRANS, "r");
-
-#ifdef ATHENA_CONF_FALLBACK
- if (!realmsfile) realmsfile = fopen(KRB_FB_RLM_TRANS, "r");
-#endif
-
- if (realmsfile)
- set_cloexec_file(realmsfile);
-
- return realmsfile;
-}
diff --git a/src/lib/krb4/g_cred.c b/src/lib/krb4/g_cred.c
deleted file mode 100644
index 498a5f106..000000000
--- a/src/lib/krb4/g_cred.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * g_cred.c
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- */
-
-#include "mit-copyright.h"
-#include
-#include
-#include "krb.h"
-
-/*
- * krb_get_cred takes a service name, instance, and realm, and a
- * structure of type CREDENTIALS to be filled in with ticket
- * information. It then searches the ticket file for the appropriate
- * ticket and fills in the structure with the corresponding
- * information from the file. If successful, it returns KSUCCESS.
- * On failure it returns a Kerberos error code.
- */
-
-int KRB5_CALLCONV
-krb_get_cred(service,instance,realm,c)
- char *service; /* Service name */
- char *instance; /* Instance */
- char *realm; /* Auth domain */
- CREDENTIALS *c; /* Credentials struct */
-{
- int tf_status; /* return value of tf function calls */
-
- /* Open ticket file and lock it for shared reading */
- if ((tf_status = tf_init(TKT_FILE, R_TKT_FIL)) != KSUCCESS)
- return(tf_status);
-
- /* Copy principal's name and instance into the CREDENTIALS struc c */
-
- if ( (tf_status = tf_get_pname(c->pname)) != KSUCCESS ||
- (tf_status = tf_get_pinst(c->pinst)) != KSUCCESS )
- return (tf_status);
-
- /* Search for requested service credentials and copy into c */
-
- while ((tf_status = tf_get_cred(c)) == KSUCCESS) {
- /* Is this the right ticket? */
- if ((strcmp(c->service,service) == 0) &&
- (strcmp(c->instance,instance) == 0) &&
- (strcmp(c->realm,realm) == 0))
- break;
- }
- (void) tf_close();
-
- if (tf_status == EOF)
- return (GC_NOTKT);
- return(tf_status);
-}
diff --git a/src/lib/krb4/g_in_tkt.c b/src/lib/krb4/g_in_tkt.c
deleted file mode 100644
index cf4ebd15d..000000000
--- a/src/lib/krb4/g_in_tkt.c
+++ /dev/null
@@ -1,555 +0,0 @@ -/* - * lib/krb4/g_in_tkt.c - * - * Copyright 1986-2002 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "krb.h" -#include "des.h" -#include "krb4int.h" -#include "prot.h" - -#include "port-sockets.h" -#include - -/* Define a couple of function types including parameters. These - are needed on MS-Windows to convert arguments of the function pointers - to the proper types during calls. These declarations are found - in , but the code below is too opaque if you can't also - see them here. 
*/ -#ifndef KEY_PROC_TYPE_DEFINED -typedef int (*key_proc_type) (char *, char *, char *, - char *, C_Block); -#endif -#ifndef DECRYPT_TKT_TYPE_DEFINED -typedef int (*decrypt_tkt_type) (char *, char *, char *, char *, - key_proc_type, KTEXT *); -#endif - -static int decrypt_tkt(char *, char *, char *, char *, key_proc_type, KTEXT *); -static int krb_mk_in_tkt_preauth(char *, char *, char *, char *, char *, - int, char *, int, KTEXT, int *, struct sockaddr_in *); -static int krb_parse_in_tkt_creds(char *, char *, char *, char *, char *, - int, KTEXT, int, CREDENTIALS *); - -/* - * decrypt_tkt(): Given user, instance, realm, passwd, key_proc - * and the cipher text sent from the KDC, decrypt the cipher text - * using the key returned by key_proc. - */ - -static int -decrypt_tkt(user, instance, realm, arg, key_proc, cipp) - char *user; - char *instance; - char *realm; - char *arg; - key_proc_type key_proc; - KTEXT *cipp; -{ - KTEXT cip = *cipp; - C_Block key; /* Key for decrypting cipher */ - Key_schedule key_s; - register int rc; - -#ifndef NOENCRYPTION - /* Attempt to decrypt it */ -#endif - /* generate a key from the supplied arg or password. */ - rc = (*key_proc)(user, instance, realm, arg, key); - if (rc) - return rc; - -#ifndef NOENCRYPTION - key_sched(key, key_s); - pcbc_encrypt((C_Block *)cip->dat, (C_Block *)cip->dat, - (long)cip->length, key_s, (C_Block *)key, 0); -#endif /* !NOENCRYPTION */ - /* Get rid of all traces of key */ - memset(key, 0, sizeof(key)); - memset(key_s, 0, sizeof(key_s)); - - return 0; -} - -/* - * krb_get_in_tkt() gets a ticket for a given principal to use a given - * service and stores the returned ticket and session key for future - * use. - * - * The "user", "instance", and "realm" arguments give the identity of - * the client who will use the ticket. The "service" and "sinstance" - * arguments give the identity of the server that the client wishes - * to use. 
(The realm of the server is the same as the Kerberos server - * to whom the request is sent.) The "life" argument indicates the - * desired lifetime of the ticket; the "key_proc" argument is a pointer - * to the routine used for getting the client's private key to decrypt - * the reply from Kerberos. The "decrypt_proc" argument is a pointer - * to the routine used to decrypt the reply from Kerberos; and "arg" - * is an argument to be passed on to the "key_proc" routine. - * - * If all goes well, krb_get_in_tkt() returns INTK_OK, otherwise it - * returns an error code: If an AUTH_MSG_ERR_REPLY packet is returned - * by Kerberos, then the error code it contains is returned. Other - * error codes returned by this routine include INTK_PROT to indicate - * wrong protocol version, INTK_BADPW to indicate bad password (if - * decrypted ticket didn't make sense), INTK_ERR if the ticket was for - * the wrong server or the ticket store couldn't be initialized. - * - * The format of the message sent to Kerberos is as follows: - * - * Size Variable Field - * ---- -------- ----- - * - * 1 byte KRB_PROT_VERSION protocol version number - * 1 byte AUTH_MSG_KDC_REQUEST | message type - * HOST_BYTE_ORDER local byte order in lsb - * string user client's name - * string instance client's instance - * string realm client's realm - * 4 bytes tlocal.tv_sec timestamp in seconds - * 1 byte life desired lifetime - * string service service's name - * string sinstance service's instance - */ - -static int -krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, - preauth_p, preauth_len, cip, byteorder, local_addr) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - char *preauth_p; - int preauth_len; - KTEXT cip; - int *byteorder; - struct sockaddr_in *local_addr; -{ - KTEXT_ST pkt_st; - KTEXT pkt = &pkt_st; /* Packet to KDC */ - KTEXT_ST rpkt_st; - KTEXT rpkt = &rpkt_st; /* Returned packet */ - unsigned char *p; - size_t userlen, 
instlen, realmlen, servicelen, sinstlen; - unsigned KRB4_32 t_local; - - int msg_byte_order; - int kerror; - socklen_t addrlen; -#if 0 - unsigned long exp_date; -#endif - unsigned long rep_err_code; - unsigned long cip_len; - unsigned int t_switch; - int i, len; - - /* BUILD REQUEST PACKET */ - - p = pkt->dat; - - userlen = strlen(user) + 1; - instlen = strlen(instance) + 1; - realmlen = strlen(realm) + 1; - servicelen = strlen(service) + 1; - sinstlen = strlen(sinstance) + 1; - /* Make sure the ticket data will fit into the buffer. */ - if (sizeof(pkt->dat) < (1 + 1 + userlen + instlen + realmlen - + 4 + 1 + servicelen + sinstlen - + preauth_len)) { - pkt->length = 0; - return INTK_ERR; - } - - /* Set up the fixed part of the packet */ - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_KDC_REQUEST; - - /* Now for the variable info */ - memcpy(p, user, userlen); - p += userlen; - memcpy(p, instance, instlen); - p += instlen; - memcpy(p, realm, realmlen); - p += realmlen; - - /* timestamp */ - t_local = TIME_GMT_UNIXSEC; - KRB4_PUT32BE(p, t_local); - - *p++ = life; - - memcpy(p, service, servicelen); - p += servicelen; - memcpy(p, sinstance, sinstlen); - p += sinstlen; - - if (preauth_len) - memcpy(p, preauth_p, (size_t)preauth_len); - p += preauth_len; - - pkt->length = p - pkt->dat; - - /* SEND THE REQUEST AND RECEIVE THE RETURN PACKET */ - rpkt->length = 0; - addrlen = sizeof(struct sockaddr_in); - kerror = krb4int_send_to_kdc_addr(pkt, rpkt, realm, - (struct sockaddr *)local_addr, - &addrlen); - if (kerror) - return kerror; - - p = rpkt->dat; -#define RPKT_REMAIN (rpkt->length - (p - rpkt->dat)) - - /* check packet version of the returned packet */ - if (RPKT_REMAIN < 1 + 1) - return INTK_PROT; - if (*p++ != KRB_PROT_VERSION) - return INTK_PROT; - - /* This used to be - switch (pkt_msg_type(rpkt) & ~1) { - but SCO 3.2v4 cc compiled that incorrectly. 
*/ - t_switch = *p++; - /* Check byte order */ - msg_byte_order = t_switch & 1; - t_switch &= ~1; - - /* EXTRACT INFORMATION FROM RETURN PACKET */ - - /* - * Skip over some stuff (3 strings and various integers -- see - * cr_auth_repl.c for details). - */ - for (i = 0; i < 3; i++) { - len = krb4int_strnlen((char *)p, RPKT_REMAIN) + 1; - if (len <= 0) - return INTK_PROT; - p += len; - } - switch (t_switch) { - case AUTH_MSG_KDC_REPLY: - if (RPKT_REMAIN < 4 + 1 + 4 + 1) - return INTK_PROT; - p += 4 + 1 + 4 + 1; - break; - case AUTH_MSG_ERR_REPLY: - if (RPKT_REMAIN < 8) - return INTK_PROT; - p += 4; - KRB4_GET32(rep_err_code, p, msg_byte_order); - return rep_err_code; - default: - return INTK_PROT; - } - - /* Extract the ciphertext */ - if (RPKT_REMAIN < 2) - return INTK_PROT; - KRB4_GET16(cip_len, p, msg_byte_order); - if (RPKT_REMAIN < cip_len) - return INTK_ERR; - /* - * RPKT_REMAIN will always be non-negative and at most the maximum - * possible value of cip->length, so this assignment is safe. - */ - cip->length = cip_len; - memcpy(cip->dat, p, (size_t)cip->length); - p += cip->length; - - *byteorder = msg_byte_order; - return INTK_OK; -} - -static int -krb_parse_in_tkt_creds(user, instance, realm, service, sinstance, life, cip, - byteorder, creds) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - KTEXT cip; - int byteorder; - CREDENTIALS *creds; -{ - unsigned char *ptr; - int len; - int kvno; /* Kvno for session key */ - char s_name[SNAME_SZ]; - char s_instance[INST_SZ]; - char rlm[REALM_SZ]; - KTEXT_ST tkt_st; - KTEXT tkt = &tkt_st; /* Current ticket */ - unsigned long kdc_time; /* KDC time */ - unsigned KRB4_32 t_local; /* Must be 4 bytes long for memcpy below! */ - KRB4_32 t_diff; /* Difference between timestamps */ - int lifetime; - - ptr = cip->dat; - /* Assume that cip->length >= 0 for now. 
*/ -#define CIP_REMAIN (cip->length - (ptr - cip->dat)) - - /* Skip session key for now */ - if (CIP_REMAIN < 8) - return INTK_BADPW; - ptr += 8; - - /* extract server's name */ - len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1; - if (len <= 0 || len > sizeof(s_name)) - return INTK_BADPW; - memcpy(s_name, ptr, (size_t)len); - ptr += len; - - /* extract server's instance */ - len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1; - if (len <= 0 || len > sizeof(s_instance)) - return INTK_BADPW; - memcpy(s_instance, ptr, (size_t)len); - ptr += len; - - /* extract server's realm */ - len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1; - if (len <= 0 || len > sizeof(rlm)) - return INTK_BADPW; - memcpy(rlm, ptr, (size_t)len); - ptr += len; - - /* extract ticket lifetime, server key version, ticket length */ - /* be sure to avoid sign extension on lifetime! */ - if (CIP_REMAIN < 3) - return INTK_BADPW; - lifetime = *ptr++; - kvno = *ptr++; - tkt->length = *ptr++; - - /* extract ticket itself */ - if (CIP_REMAIN < tkt->length) - return INTK_BADPW; - memcpy(tkt->dat, ptr, (size_t)tkt->length); - ptr += tkt->length; - - if (strcmp(s_name, service) || strcmp(s_instance, sinstance) - || strcmp(rlm, realm)) /* not what we asked for */ - return INTK_ERR; /* we need a better code here XXX */ - - /* check KDC time stamp */ - if (CIP_REMAIN < 4) - return INTK_BADPW; - KRB4_GET32(kdc_time, ptr, byteorder); - - t_local = TIME_GMT_UNIXSEC; - t_diff = t_local - kdc_time; - if (t_diff < 0) - t_diff = -t_diff; /* Absolute value of difference */ - if (t_diff > CLOCK_SKEW) { - return RD_AP_TIME; /* XXX should probably be better code */ - } - - /* stash ticket, session key, etc. 
for future use */ - strncpy(creds->service, s_name, sizeof(creds->service)); - strncpy(creds->instance, s_instance, sizeof(creds->instance)); - strncpy(creds->realm, rlm, sizeof(creds->realm)); - memmove(creds->session, cip->dat, sizeof(C_Block)); - creds->lifetime = lifetime; - creds->kvno = kvno; - creds->ticket_st.length = tkt->length; - memmove(creds->ticket_st.dat, tkt->dat, (size_t)tkt->length); - creds->issue_date = t_local; - strncpy(creds->pname, user, sizeof(creds->pname)); - strncpy(creds->pinst, instance, sizeof(creds->pinst)); - - return INTK_OK; -} - -int -krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life, - key_proc, decrypt_proc, - arg, preauth_p, preauth_len, creds, laddrp) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - key_proc_type key_proc; - decrypt_tkt_type decrypt_proc; - char *arg; - char *preauth_p; - int preauth_len; - CREDENTIALS *creds; - KRB_UINT32 *laddrp; -{ - int ok; - char key_string[BUFSIZ]; - KTEXT_ST cip_st; - KTEXT cip = &cip_st; /* Returned Ciphertext */ - int kerror; - int byteorder; - key_proc_type *keyprocs = krb_get_keyprocs (key_proc); - int i = 0; - struct sockaddr_in local_addr; - - kerror = krb_mk_in_tkt_preauth(user, instance, realm, - service, sinstance, - life, preauth_p, preauth_len, - cip, &byteorder, &local_addr); - if (kerror) - return kerror; - - /* If arg is null, we have to prompt for the password. decrypt_tkt, by - way of the *_passwd_to_key functions, will prompt if the password is - NULL, but that means that each separate encryption type will prompt - separately. Obtain the password first so that we can try multiple - encryption types without re-prompting. - - Don't, however, prompt on a Windows or Macintosh environment, since - that's harder. Rely on our caller to do it. 
*/ -#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY)) - if (arg == NULL) { - ok = des_read_pw_string(key_string, sizeof(key_string), "Password", 0); - if (ok != 0) - return ok; - arg = key_string; - } -#endif - - /* Attempt to decrypt the reply. Loop trying password_to_key algorithms - until we succeed or we get an error other than "bad password" */ - do { - KTEXT_ST cip_copy_st; - memcpy(&cip_copy_st, &cip_st, sizeof(cip_st)); - cip = &cip_copy_st; - if (decrypt_proc == NULL) { - decrypt_tkt (user, instance, realm, arg, keyprocs[i], &cip); - } else { - (*decrypt_proc)(user, instance, realm, arg, keyprocs[i], &cip); - } - kerror = krb_parse_in_tkt_creds(user, instance, realm, - service, sinstance, life, cip, byteorder, creds); - } while ((keyprocs [++i] != NULL) && (kerror == INTK_BADPW)); - cip = &cip_st; - - /* Fill in the local address if the caller wants it */ - if (laddrp != NULL) { - *laddrp = local_addr.sin_addr.s_addr; - } - - /* stomp stomp stomp */ - memset(key_string, 0, sizeof(key_string)); - memset(cip->dat, 0, (size_t)cip->length); - return kerror; -} - -int KRB5_CALLCONV -krb_get_in_tkt_creds(user, instance, realm, service, sinstance, life, - key_proc, decrypt_proc, arg, creds) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - key_proc_type key_proc; - decrypt_tkt_type decrypt_proc; - char *arg; - CREDENTIALS *creds; -{ -#if TARGET_OS_MAC - KRB_UINT32 *laddrp = &creds->address; -#else - KRB_UINT32 *laddrp = NULL; /* Only the Mac stores the address */ -#endif - - return krb_get_in_tkt_preauth_creds(user, instance, realm, - service, sinstance, life, - key_proc, decrypt_proc, arg, - NULL, 0, creds, laddrp); -} - -int KRB5_CALLCONV -krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, - key_proc, decrypt_proc, - arg, preauth_p, preauth_len) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - key_proc_type key_proc; - decrypt_tkt_type 
decrypt_proc; - char *arg; - char *preauth_p; - int preauth_len; -{ - int retval; - KRB_UINT32 laddr; - CREDENTIALS creds; - - do { - retval = krb_get_in_tkt_preauth_creds(user, instance, realm, - service, sinstance, life, - key_proc, decrypt_proc, - arg, preauth_p, preauth_len, - &creds, &laddr); - if (retval != KSUCCESS) break; - if (krb_in_tkt(user, instance, realm) != KSUCCESS) { - retval = INTK_ERR; - break; - } - retval = krb4int_save_credentials_addr(creds.service, creds.instance, - creds.realm, creds.session, - creds.lifetime, creds.kvno, - &creds.ticket_st, - creds.issue_date, laddr); - if (retval != KSUCCESS) break; - } while (0); - memset(&creds, 0, sizeof(creds)); - return retval; -} - -int KRB5_CALLCONV -krb_get_in_tkt(user, instance, realm, service, sinstance, life, - key_proc, decrypt_proc, arg) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - key_proc_type key_proc; - decrypt_tkt_type decrypt_proc; - char *arg; -{ - return krb_get_in_tkt_preauth(user, instance, realm, - service, sinstance, life, - key_proc, decrypt_proc, arg, - NULL, 0); -} diff --git a/src/lib/krb4/g_phost.c b/src/lib/krb4/g_phost.c deleted file mode 100644 index ba1108f21..000000000 --- a/src/lib/krb4/g_phost.c +++ /dev/null 
@@ -1,92 +0,0 @@
-/*
- * lib/krb4/g_phost.c
- *
- * Copyright 1988, 2001 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-
-#include
-#include
-#include
-#include "port-sockets.h"
-
-/*
- * This routine takes an alias for a host name and returns the first
- * field, lower case, of its domain name. For example, if "menel" is
- * an alias for host officially named "menelaus" (in /etc/hosts), for
- * the host whose official name is "MENELAUS.MIT.EDU", the name "menelaus"
- * is returned.
- *
- * This is done for historical Athena reasons: the Kerberos name of
- * rcmd servers (rlogin, rsh, rcp) is of the form "rcmd.host@realm"
- * where "host"is the lowercase for of the host name ("menelaus").
- * This should go away: the instance should be the domain name
- * (MENELAUS.MIT.EDU). But for now we need this routine...
- *
- * A pointer to the name is returned, if found, otherwise a pointer
- * to the original "alias" argument is returned.
- */
-
-char * KRB5_CALLCONV
-krb_get_phost(alias)
- char *alias;
-{
- struct hostent *h;
- char *p;
- unsigned char *ucp;
- static char hostname_mem[MAXHOSTNAMELEN];
-#ifdef DO_REVERSE_RESOLVE
- char *rev_addr; int rev_type, rev_len;
-#endif
-
- if ((h=gethostbyname(alias)) != (struct hostent *)NULL ) {
-#ifdef DO_REVERSE_RESOLVE
- if (! h->h_addr_list ||! h->h_addr_list[0]) {
- return(0);
- }
- rev_type = h->h_addrtype;
- rev_len = h->h_length;
- rev_addr = malloc(rev_len);
- _fmemcpy(rev_addr, h->h_addr_list[0], rev_len);
- h = gethostbyaddr(rev_addr, rev_len, rev_type);
- free(rev_addr);
- if (h == 0) {
- return (0);
- }
-#endif
- /* We don't want to return a *, so we copy to a safe location. */
- strncpy (hostname_mem, h->h_name, sizeof (hostname_mem));
- /* Bail out if h_name is too long. */
- if (hostname_mem[MAXHOSTNAMELEN-1] != '\0')
- return NULL;
- p = strchr( hostname_mem, '.' );
- if (p)
- *p = 0;
- ucp = (unsigned char *)hostname_mem;
- do {
- if (isupper(*ucp)) *ucp=tolower(*ucp);
- } while (*ucp++);
- }
- return(hostname_mem);
-}
diff --git a/src/lib/krb4/g_pw_in_tkt.c b/src/lib/krb4/g_pw_in_tkt.c
deleted file mode 100644
index 4382161e0..000000000
--- a/src/lib/krb4/g_pw_in_tkt.c
+++ /dev/null
@@ -1,341 +0,0 @@ -/* - * lib/krb4/g_pw_in_tkt.c - * - * Copyright 1987, 1988 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include -#include "krb.h" -#include "krb4int.h" -#include "krb_err.h" -#include "prot.h" -#include - -#ifndef NULL -#define NULL 0 -#endif - -#ifndef INTK_PW_NULL -#define INTK_PW_NULL KRBET_GT_PW_NULL -#endif - -/* - * This file contains one routine: krb_get_pw_in_tkt() gets an initial ticket for - * a user. - */ - -/* - * krb_get_pw_in_tkt() takes the name of the server for which the initial - * ticket is to be obtained, the name of the principal the ticket is - * for, the desired lifetime of the ticket, and the user's password. 
- * It passes its arguments on to krb_get_in_tkt(), which contacts - * Kerberos to get the ticket, decrypts it using the password provided, - * and stores it away for future use. - * - * On a Unix system, krb_get_pw_in_tkt() is able to prompt the user - * for a password, if the supplied password is null. On a a non Unix - * system, it now requires the caller to supply a non-null password. - * This is because of the complexities of prompting the user in a - * non-terminal-oriented environment like the Macintosh (running in a - * driver) or MS-Windows (in a DLL). - * - * krb_get_pw_in_tkt() passes two additional arguments to - * krb_get_in_tkt(): a routine to be used to get the password in case - * the "password" argument is null and NULL for the decryption - * procedure indicating that krb_get_in_tkt should use the default - * method of decrypting the response from the KDC. - * - * The result of the call to krb_get_in_tkt() is returned. - */ - -int KRB5_CALLCONV -krb_get_pw_in_tkt(user,instance,realm,service,sinstance,life,password) - char *user, *instance, *realm, *service, *sinstance; - int life; - char *password; -{ -#if defined(_WIN32) || (defined(USE_LOGIN_LIBRARY) && USE_LOGIN_LIBRARY) - /* In spite of the comments above, we don't allow that path here, - to simplify coding the non-UNIX clients. The only code that now - depends on this behavior is the preauth support, which has a - seperate function without this trap. Strictly speaking, this - is an API change. 
*/ - - if (password == 0) - return INTK_PW_NULL; -#endif - - return(krb_get_in_tkt(user,instance,realm,service,sinstance,life, - (key_proc_type)NULL, /* krb_get_in_tkt will try them all */ - (decrypt_tkt_type)NULL, password)); -} - -int KRB5_CALLCONV -krb_get_pw_in_tkt_creds( - char *user, char *instance, char *realm, char *service, char *sinstance, - int life, char *password, CREDENTIALS *creds) -{ - return krb_get_in_tkt_creds(user, instance, realm, - service, sinstance, life, - (key_proc_type)NULL, /* krb_get_in_tkt_creds will try them all */ - NULL, password, creds); -} - - -/* - * krb_get_pw_in_tkt_preauth() gets handed the password or key explicitly, - * since the whole point of "pre" authentication is to prove that we've - * already got the key, and the only way to do that is to ask the user - * for it. Clearly we shouldn't ask twice. - */ - -static C_Block old_key; - -static int stub_key(user,instance,realm,passwd,key) - char *user, *instance, *realm, *passwd; - C_Block key; -{ - (void) memcpy((char *) key, (char *) old_key, sizeof(old_key)); - return 0; -} - -int KRB5_CALLCONV -krb_get_pw_in_tkt_preauth(user,instance,realm,service,sinstance,life,password) - char *user, *instance, *realm, *service, *sinstance; - int life; - char *password; -{ - char *preauth_p; - int preauth_len; - int ret_st; - key_proc_type *keyprocs = krb_get_keyprocs (NULL); - int i = 0; - -#if defined(_WIN32) || (defined(USE_LOGIN_LIBRARY) && USE_LOGIN_LIBRARY) - /* On non-Unix systems, we can't handle a null password, because - passwd_to_key can't handle prompting for the password. 
*/ - if (password == 0) - return INTK_PW_NULL; -#endif - - /* Loop trying all the key_proc types */ - do { - krb_mk_preauth(&preauth_p, &preauth_len, keyprocs[i], - user, instance, realm, password, old_key); - ret_st = krb_get_in_tkt_preauth(user,instance,realm,service,sinstance,life, - (key_proc_type) stub_key, - (decrypt_tkt_type) NULL, password, - preauth_p, preauth_len); - - krb_free_preauth(preauth_p, preauth_len); - } while ((keyprocs[++i] != NULL) && (ret_st == INTK_BADPW)); - - return ret_st; -} - -/* FIXME! This routine belongs in the krb library and should simply - be shared between the encrypted and NOENCRYPTION versions! */ - -#ifdef NOENCRYPTION -/* - * This routine prints the supplied string to standard - * output as a prompt, and reads a password string without - * echoing. - */ - -#include -#ifdef BSDUNIX -#include -#include -#include -#include -#else -int strcmp(); -#endif -#if defined(__svr4__) || defined(__SVR4) -#include -#endif - -#ifdef BSDUNIX -static jmp_buf env; -#endif - -#ifdef BSDUNIX -static void sig_restore(); -static push_signals(), pop_signals(); -int placebo_read_pw_string(); -#endif - -/*** Routines ****************************************************** */ -int -placebo_read_password(k,prompt,verify) - des_cblock *k; - char *prompt; - int verify; -{ - int ok; - char key_string[BUFSIZ]; - -#ifdef BSDUNIX - if (setjmp(env)) { - ok = -1; - goto lose; - } -#endif - - ok = placebo_read_pw_string(key_string, BUFSIZ, prompt, verify); - if (ok == 0) - memset(k, 0, sizeof(C_Block)); - -lose: - memset(key_string, 0, sizeof (key_string)); - return ok; -} - -/* - * This version just returns the string, doesn't map to key. - * - * Returns 0 on success, non-zero on failure. 
- */ - -int -placebo_read_pw_string(s,max,prompt,verify) - char *s; - int max; - char *prompt; - int verify; -{ - int ok = 0; - char *ptr; - -#ifdef BSDUNIX - jmp_buf old_env; - struct sgttyb tty_state; -#endif - char key_string[BUFSIZ]; - - if (max > BUFSIZ) { - return -1; - } - -#ifdef BSDUNIX - memcpy(env, old_env, sizeof(env)); - if (setjmp(env)) - goto lose; - - /* save terminal state */ - if (ioctl(0,TIOCGETP,&tty_state) == -1) - return -1; - - push_signals(); - /* Turn off echo */ - tty_state.sg_flags &= ~ECHO; - if (ioctl(0,TIOCSETP,&tty_state) == -1) - return -1; -#endif - while (!ok) { - printf(prompt); - fflush(stdout); -#ifdef CROSSMSDOS - h19line(s,sizeof(s),0); - if (!strlen(s)) - continue; -#else - if (!fgets(s, max, stdin)) { - clearerr(stdin); - continue; - } - if ((ptr = strchr(s, '\n'))) - *ptr = '\0'; -#endif - if (verify) { - printf("\nVerifying, please re-enter %s",prompt); - fflush(stdout); -#ifdef CROSSMSDOS - h19line(key_string,sizeof(key_string),0); - if (!strlen(key_string)) - continue; -#else - if (!fgets(key_string, sizeof(key_string), stdin)) { - clearerr(stdin); - continue; - } - if ((ptr = strchr(key_string, '\n'))) - *ptr = '\0'; -#endif - if (strcmp(s,key_string)) { - printf("\n\07\07Mismatch - try again\n"); - fflush(stdout); - continue; - } - } - ok = 1; - } - -#ifdef BSDUNIX -lose: - if (!ok) - memset(s, 0, max); - printf("\n"); - /* turn echo back on */ - tty_state.sg_flags |= ECHO; - if (ioctl(0,TIOCSETP,&tty_state)) - ok = 0; - pop_signals(); - memcpy(old_env, env, sizeof(env)); -#endif - if (verify) - memset(key_string, 0, sizeof (key_string)); - s[max-1] = 0; /* force termination */ - return !ok; /* return nonzero if not okay */ -} - -#ifdef BSDUNIX -/* - * this can be static since we should never have more than - * one set saved.... 
- */ -static sigtype (*old_sigfunc[NSIG])(); - -static push_signals() -{ - register i; - for (i = 0; i < NSIG; i++) - old_sigfunc[i] = signal(i,sig_restore); -} - -static pop_signals() -{ - register i; - for (i = 0; i < NSIG; i++) - signal(i,old_sigfunc[i]); -} - -static void sig_restore(sig,code,scp) - int sig,code; - struct sigcontext *scp; -{ - longjmp(env,1); -} -#endif -#endif /* NOENCRYPTION */ diff --git a/src/lib/krb4/g_pw_tkt.c b/src/lib/krb4/g_pw_tkt.c deleted file mode 100644 index f074fbc6c..000000000 --- a/src/lib/krb4/g_pw_tkt.c +++ /dev/null 
@@ -1,68 +0,0 @@
-/*
- * g_pw_tkt.c
- *
- * Copyright 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-
-/*
- * Get a ticket for the password-changing server ("changepw.KRB_MASTER").
- *
- * Given the name, instance, realm, and current password of the
- * principal for which the user wants a password-changing-ticket,
- * return either:
- *
- * GT_PW_BADPW if current password was wrong,
- * GT_PW_NULL if principal had a NULL password,
- * or the result of the krb_get_pw_in_tkt() call.
- *
- * First, try to get a ticket for "user.instance@realm" to use the
- * "changepw.KRB_MASTER" server (KRB_MASTER is defined in "krb.h").
- * The requested lifetime for the ticket is "1", and the current
- * password is the "cpw" argument given.
- *
- * If the password was bad, give up.
- *
- * If the principal had a NULL password in the Kerberos database
- * (indicating that the principal is known to Kerberos, but hasn't
- * got a password yet), try instead to get a ticket for the principal
- * "default.changepw@realm" to use the "changepw.KRB_MASTER" server.
- * Use the password "changepwkrb" instead of "cpw". Return GT_PW_NULL
- * if all goes well, otherwise the error.
- *
- * If this routine succeeds, a ticket and session key for either the
- * principal "user.instance@realm" or "default.changepw@realm" to use
- * the password-changing server will be in the user's ticket file.
- */
-
-int KRB5_CALLCONV
-get_pw_tkt(user,instance,realm,cpw)
- char *user;
- char *instance;
- char *realm;
- char *cpw;
-{
- int kerror;
-
- kerror = krb_get_pw_in_tkt(user, instance, realm, "changepw",
- KRB_MASTER, 1, cpw);
-
- if (kerror == INTK_BADPW)
- return(GT_PW_BADPW);
-
- if (kerror == KDC_NULL_KEY) {
- kerror = krb_get_pw_in_tkt("default","changepw",realm,"changepw",
- KRB_MASTER,1,"changepwkrb");
- if (kerror)
- return(kerror);
- return(GT_PW_NULL);
- }
-
- return(kerror);
-}
diff --git a/src/lib/krb4/g_svc_in_tkt.c b/src/lib/krb4/g_svc_in_tkt.c
deleted file mode 100644
index 7ed4efd2a..000000000
--- a/src/lib/krb4/g_svc_in_tkt.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * lib/krb4/g_svc_in_tkt.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include
-#include
-#include "krb.h"
-#include "prot.h"
-#include "krb4int.h"
-
-/*
- * This file contains two routines: srvtab_to_key(), which gets
- * a server's key from a srvtab file, and krb_get_svc_in_tkt() which
- * gets an initial ticket for a server.
- */
-
-/*
- * srvtab_to_key(): given a "srvtab" file (where the keys for the
- * service on a host are stored), return the private key of the
- * given service (user.instance@realm).
- *
- * srvtab_to_key() passes its arguments on to read_service_key(),
- * plus one additional argument, the key version number.
- * (Currently, the key version number is always 0; this value
- * is treated as a wildcard by read_service_key().)
- *
- * If the "srvtab" argument is null, KEYFILE (defined in "krb.h")
- * is passed in its place.
- *
- * It returns the return value of the read_service_key() call.
- * The service key is placed in "key".
- */
-
-static int srvtab_to_key(user, instance, realm, srvtab, key)
- char *user, *instance, *realm, *srvtab;
- C_Block key;
-{
- if (!srvtab)
- srvtab = KEYFILE;
-
- return(read_service_key(user, instance, realm, 0, srvtab,
- (char *)key));
-}
-
-/*
- * krb_get_svc_in_tkt() passes its arguments on to krb_get_in_tkt(),
- * plus two additional arguments: a pointer to the srvtab_to_key()
- * function to be used to get the key from the key file and a NULL
- * for the decryption procedure indicating that krb_get_in_tkt should
- * use the default method of decrypting the response from the KDC.
- *
- * It returns the return value of the krb_get_in_tkt() call.
- */
-
-int KRB5_CALLCONV
-krb_get_svc_in_tkt(user, instance, realm, service, sinstance, life, srvtab)
- char *user, *instance, *realm, *service, *sinstance;
- int life;
- char *srvtab;
-{
- return(krb_get_in_tkt(user, instance, realm, service, sinstance, life,
- (key_proc_type) srvtab_to_key, NULL, srvtab));
-}
-
-/* and we need a preauth version as well. */
-static C_Block old_key;
-
-static int stub_key(user,instance,realm,passwd,key)
- char *user, *instance, *realm, *passwd;
- C_Block key;
-{
- memcpy(key, old_key, sizeof(C_Block));
- return 0;
-}
-
-int
-krb_get_svc_in_tkt_preauth(user, instance, realm, service, sinstance, life, srvtab)
- char *user, *instance, *realm, *service, *sinstance;
- int life;
- char *srvtab;
-{
- char *preauth_p;
- int preauth_len;
- int ret_st;
-
- krb_mk_preauth(&preauth_p, &preauth_len,
- (key_proc_type) srvtab_to_key, user, instance, realm,
- srvtab, old_key);
- ret_st = krb_get_in_tkt_preauth(user,instance,realm,service,sinstance,life,
- (key_proc_type) stub_key, NULL, srvtab,
- preauth_p, preauth_len);
-
- krb_free_preauth(preauth_p, preauth_len);
- return ret_st;
-}
-
-/* DEC's dss-kerberos adds krb_svc_init; simple enough */
-
-int
-krb_svc_init(user,instance,realm,lifetime,srvtab_file,tkt_file)
- char *user;
- char *instance;
- char *realm;
- int lifetime;
- char *srvtab_file;
- char *tkt_file;
-{
- if (tkt_file)
- krb_set_tkt_string(tkt_file);
-
- return krb_get_svc_in_tkt(user,instance,realm,
- KRB_TICKET_GRANTING_TICKET,realm,lifetime,srvtab_file);
-}
-
-
-int
-krb_svc_init_preauth(user,instance,realm,lifetime,srvtab_file,tkt_file)
- char *user;
- char *instance;
- char *realm;
- int lifetime;
- char *srvtab_file;
- char *tkt_file;
-{
- if (tkt_file)
- krb_set_tkt_string(tkt_file);
-
- return krb_get_svc_in_tkt_preauth(user,instance,realm,
- KRB_TICKET_GRANTING_TICKET,realm,lifetime,srvtab_file);
-}
diff --git a/src/lib/krb4/g_tf_fname.c b/src/lib/krb4/g_tf_fname.c
deleted file mode 100644
index e03fe24b1..000000000
--- a/src/lib/krb4/g_tf_fname.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * g_tf_fname.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-#include
-#include /* For EOF */
-
-/*
- * This file contains a routine to extract the fullname of a user
- * from the ticket file.
- */
-
-/*
- * krb_get_tf_fullname() takes four arguments: the name of the
- * ticket file, and variables for name, instance, and realm to be
- * returned in. Since the realm of a ticket file is not really fully
- * supported, the realm used will be that of the the first ticket in
- * the file as this is the one that was obtained with a password by
- * krb_get_in_tkt().
- */
-
-int KRB5_CALLCONV
-krb_get_tf_fullname(ticket_file, name, instance, realm)
- const char *ticket_file;
- char *name;
- char *instance;
- char *realm;
-{
- int tf_status;
- CREDENTIALS c;
-
- /* If ticket cache selector is null, use default cache. */
- if (ticket_file == 0)
- ticket_file = tkt_string();
-
- if ((tf_status = tf_init(ticket_file, R_TKT_FIL)) != KSUCCESS)
- return(tf_status);
-
- if (((tf_status = tf_get_pname(c.pname)) != KSUCCESS) ||
- ((tf_status = tf_get_pinst(c.pinst)) != KSUCCESS))
- return (tf_status);
-
- if (name)
- strcpy(name, c.pname);
- if (instance)
- strcpy(instance, c.pinst);
- if ((tf_status = tf_get_cred(&c)) == KSUCCESS) {
- if (realm)
- strcpy(realm, c.realm);
- }
- else {
- if (tf_status == EOF)
- return(KFAILURE);
- else
- return(tf_status);
- }
- (void) tf_close();
-
- return(tf_status);
-}
diff --git a/src/lib/krb4/g_tf_realm.c b/src/lib/krb4/g_tf_realm.c
deleted file mode 100644
index fe99e61e1..000000000
--- a/src/lib/krb4/g_tf_realm.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * lib/krb4/g_tf_realm.c
- *
- * Copyright 1987-2002 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-
-/*
- * This file contains a routine to extract the realm of a kerberos
- * ticket file.
- */
-
-/*
- * krb_get_tf_realm() takes two arguments: the name of a ticket
- * and a variable to store the name of the realm in.
- *
- */
-
-int KRB5_CALLCONV
-krb_get_tf_realm(const char *ticket_file, char *realm)
-{
- return krb_get_tf_fullname(ticket_file, NULL, NULL, realm);
-}
diff --git a/src/lib/krb4/g_tkt_svc.c b/src/lib/krb4/g_tkt_svc.c
deleted file mode 100644
index d9a2d9f62..000000000
--- a/src/lib/krb4/g_tkt_svc.c
+++ /dev/null
@@ -1,174 +0,0 @@ -/* - * g_tkt_svc.c - * - * Gets a ticket for a service. Adopted from KClient. - */ - -#include -#include "krb.h" -#include "port-sockets.h" - -/* FIXME -- this should probably be calling mk_auth nowadays. */ -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */ - - -static int -ParseFullName(name, instance, realm, fname) - char *name; - char *instance; - char *realm; - char *fname; -{ - int err; - - if (!*fname) return KNAME_FMT; /* null names are not OK */ - *instance = '\0'; - err = kname_parse(name,instance,realm,fname); - if (err) return err; - if (!*name) return KNAME_FMT; /* null names are not OK */ - if (!*realm) { - if ((err = krb_get_lrealm (realm, 1))) - return err; - if (!*realm) return KNAME_FMT; /* FIXME -- should give better error */ - } - return KSUCCESS; -} - - - -static void -CopyTicket(dest, src, numBytes, version, includeVersion) - char *dest; - KTEXT src; - unsigned KRB4_32 *numBytes; - char *version; - int includeVersion; -{ - unsigned KRB4_32 tkt_len; - unsigned KRB4_32 nbytes = 0; - - /* first put version info into the buffer */ - if (includeVersion) { - (void) strncpy(dest, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN); - (void) strncpy(dest+KRB_SENDAUTH_VLEN, version, KRB_SENDAUTH_VLEN); - nbytes = 2*KRB_SENDAUTH_VLEN; - } - - /* put ticket length into buffer */ - tkt_len = htonl((unsigned long) src->length); - (void) memcpy((char *)(dest+nbytes), (char *) &tkt_len, sizeof(tkt_len)); - nbytes += sizeof(tkt_len); - - /* put ticket into buffer */ - (void) memcpy ((char *)(dest+nbytes), (char *) src->dat, src->length); - nbytes += src->length; - - *numBytes = nbytes; -} - - -static int -CredIsExpired( cr ) - CREDENTIALS *cr; -{ - KRB4_32 now; - - /* This routine is for use with clients only in order to determine - if a credential is still good. - Note: twice CLOCK_SKEW was added to age of ticket so that we could - be more sure that the ticket was good. 
- FIXME: I think this is a bug -- should use the same algorithm - everywhere to determine ticket expiration. */ - - now = TIME_GMT_UNIXSEC; - return now + 2 * CLOCK_SKEW > krb_life_to_time(cr->issue_date, - cr->lifetime); -} - - -/* - * Gets a ticket and returns it to application in buf - -> service Formal Kerberos name of service - -> buf Buffer to receive ticket - -> checksum checksum for this service - <-> buflen length of ticket buffer (must be at least - 1258 bytes) - <- sessionKey for internal use - <- schedule for internal use - - * Result is: - * GC_NOTKT if there is no matching TGT in the cache - * MK_AP_TGTEXP if the matching TGT is expired - * Other errors possible. These could cause a dialogue with the user - * to get a new TGT. - */ - -int KRB5_CALLCONV -krb_get_ticket_for_service (serviceName, buf, buflen, checksum, sessionKey, - schedule, version, includeVersion) - char *serviceName; - char *buf; - unsigned KRB4_32 *buflen; - int checksum; - des_cblock sessionKey; - Key_schedule schedule; - char *version; - int includeVersion; -{ - char service[SNAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - int err; - char lrealm[REALM_SZ]; - CREDENTIALS cr; - - service[0] = '\0'; - instance[0] = '\0'; - realm[0] = '\0'; - - /* parse out service name */ - - err = ParseFullName(service, instance, realm, serviceName); - if (err) - return err; - - if ((err = krb_get_tf_realm(TKT_FILE, lrealm)) != KSUCCESS) - return(err); - - /* Make sure we have an intial ticket for the user in this realm - Check local realm, not realm for service since krb_mk_req will - get additional krbtgt if necessary. This is so that inter-realm - works without asking for a password twice. - FIXME gnu - I think this is a bug. We should allow direct - authentication to the desired realm, regardless of what the "local" - realm is. I fixed it. FIXME -- not quite right. 
*/ - err = krb_get_cred (KRB_TICKET_GRANTING_TICKET, realm, lrealm, &cr); - if (err) - return err; - - err = CredIsExpired(&cr); - if (err) - return RD_AP_EXP; /* Expired ticket */ - - /* Get a ticket for the service */ - err = krb_mk_req(&(cr.ticket_st),service,instance,realm,checksum); - if (err) - return err; - - CopyTicket(buf, &(cr.ticket_st), buflen, version, includeVersion); - - /* get the session key for later use in deciphering the server response */ - err = krb_get_cred(service,instance,realm,&cr); - if (err) - return err; - memcpy((char *)sessionKey, (char *)cr.session, sizeof(C_Block)); - err = key_sched(sessionKey, schedule); - if (err) - return KFAILURE; /* Bad DES key for some reason (FIXME better error) */ - - else - return KSUCCESS; - -} - - diff --git a/src/lib/krb4/gethostname.c b/src/lib/krb4/gethostname.c deleted file mode 100644 index cc40dd078..000000000 --- a/src/lib/krb4/gethostname.c +++ /dev/null @@ -1,36 +0,0 @@ -/* - * gethostname.c - * - * Copyright 1987, 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -#include "mit-copyright.h" -#include "krb.h" -#include "krb4int.h" -#include "autoconf.h" - -#ifdef HAVE_UNISTD_H -#include -#endif - -#ifndef GETHOSTNAME -#define GETHOSTNAME gethostname /* A rather simple default */ -#endif - -/* - * Return the local host's name in "name", up to "namelen" characters. - * "name" will be null-terminated if "namelen" is big enough. - * The return code is 0 on success, -1 on failure. (The calling - * interface is identical to BSD gethostname(2).) - */ - -int -k_gethostname(name, namelen) - char *name; - int namelen; -{ - return GETHOSTNAME(name, namelen); -} diff --git a/src/lib/krb4/getst.c b/src/lib/krb4/getst.c deleted file mode 100644 index 336170d41..000000000 --- a/src/lib/krb4/getst.c +++ /dev/null 
@@ -1,40 +0,0 @@
-/*
- * getst.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-#include "krb4int.h"
-#include "autoconf.h"
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-
-/*
- * getst() takes a file descriptor, a string and a count. It reads
- * from the file until either it has read "count" characters, or until
- * it reads a null byte. When finished, what has been read exists in
- * the given string "s". If "count" characters were actually read, the
- * last is changed to a null, so the returned string is always null-
- * terminated. getst() returns the number of characters read, including
- * the null terminator.
- */
-
-int
-getst(fd, s, n)
- int fd;
- register char *s;
- int n;
-{
- register int count = n;
- while (read(fd, s, 1) > 0 && --count)
- if (*s++ == '\0')
- return (n - count);
- *s = '\0';
- return (n - count);
-}
diff --git a/src/lib/krb4/in_tkt.c b/src/lib/krb4/in_tkt.c
deleted file mode 100644
index e2d071aec..000000000
--- a/src/lib/krb4/in_tkt.c
+++ /dev/null
@@ -1,205 +0,0 @@ -/* - * lib/krb4/in_tkt.c - * - * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2007 by the Massachusetts - * Institute of Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include -#include -#include -#include "krb.h" -#include -#include -#include "autoconf.h" -#ifdef TKT_SHMEM -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif - -extern int krb_debug; - -/* - * in_tkt() is used to initialize the ticket store. It creates the - * file to contain the tickets and writes the given user's name "pname" - * and instance "pinst" in the file. in_tkt() returns KSUCCESS on - * success, or KFAILURE if something goes wrong. 
- */ - -#include "k5-util.h" -#define do_seteuid krb5_seteuid -#include "k5-platform.h" - -#ifndef O_SYNC -#define O_SYNC 0 -#endif - -int KRB5_CALLCONV -in_tkt(pname,pinst) - char *pname; - char *pinst; -{ - int tktfile; - uid_t me, metoo, getuid(), geteuid(); - struct stat statpre, statpost; - int count; - const char *file = TKT_FILE; - int fd; - register int i; - char charbuf[BUFSIZ]; - mode_t mask; -#ifdef TKT_SHMEM - char shmidname[MAXPATHLEN]; -#endif /* TKT_SHMEM */ - - /* If ticket cache selector is null, use default cache. */ - if (file == 0) - file = tkt_string(); - - me = getuid (); - metoo = geteuid(); - if (lstat(file, &statpre) == 0) { - if (statpre.st_uid != me || !(statpre.st_mode & S_IFREG) - || statpre.st_nlink != 1 || statpre.st_mode & 077) { - if (krb_debug) - fprintf(stderr,"Error initializing %s",file); - return(KFAILURE); - } - /* - * Yes, we do uid twiddling here. It's not optimal, but some - * applications may expect that the ruid is what should really - * own the ticket file, e.g. setuid applications. - */ - if (me != metoo && do_seteuid(me) < 0) - return KFAILURE; - /* file already exists, and permissions appear ok, so nuke it */ - fd = open(file, O_RDWR|O_SYNC, 0); - if (fd >= 0) - set_cloexec_fd(fd); - (void)unlink(file); - if (me != metoo && do_seteuid(metoo) < 0) - return KFAILURE; - if (fd < 0) { - goto out; /* can't zero it, but we can still try truncating it */ - } - - /* - * Do some additional paranoid things. The worst-case - * situation is that a user may be fooled into opening a - * non-regular file briefly if the file is in a directory with - * improper permissions. 
- */ - if (fstat(fd, &statpost) < 0) { - (void)close(fd); - goto out; - } - if (statpre.st_dev != statpost.st_dev - || statpre.st_ino != statpost.st_ino) { - (void)close(fd); - errno = 0; - goto out; - } - - memset(charbuf, 0, sizeof(charbuf)); - - for (i = 0; i < statpost.st_size; i += sizeof(charbuf)) - if (write(fd, charbuf, sizeof(charbuf)) != sizeof(charbuf)) { -#ifndef NO_FSYNC - (void) fsync(fd); -#endif - (void) close(fd); - goto out; - } - -#ifndef NO_FSYNC - (void) fsync(fd); -#endif - (void) close(fd); - } - out: - /* arrange so the file is owned by the ruid - (swap real & effective uid if necessary). - This isn't a security problem, since the ticket file, if it already - exists, has the right uid (== ruid) and mode. */ - if (me != metoo) { - if (do_seteuid(me) < 0) { - /* can't switch??? barf! */ - if (krb_debug) - perror("in_tkt: seteuid"); - return(KFAILURE); - } else - if (krb_debug) - printf("swapped UID's %d and %d\n",(int) metoo, (int) me); - } - /* Set umask to ensure that we have write access on the created - ticket file. */ - mask = umask(077); - tktfile = open(file, O_RDWR|O_SYNC|O_CREAT|O_EXCL, 0600); - if (tktfile >= 0) - set_cloexec_fd(tktfile); - umask(mask); - if (me != metoo) { - if (do_seteuid(metoo) < 0) { - /* can't switch??? barf! 
*/ - if (krb_debug) - perror("in_tkt: seteuid2"); - return(KFAILURE); - } else - if (krb_debug) - printf("swapped UID's %d and %d\n", (int) me, (int) metoo); - } - if (tktfile < 0) { - if (krb_debug) - fprintf(stderr,"Error initializing %s",TKT_FILE); - return(KFAILURE); - } - count = strlen(pname)+1; - if (write(tktfile,pname,count) != count) { - (void) close(tktfile); - return(KFAILURE); - } - count = strlen(pinst)+1; - if (write(tktfile,pinst,count) != count) { - (void) close(tktfile); - return(KFAILURE); - } - (void) close(tktfile); -#ifdef TKT_SHMEM - (void) strncpy(shmidname, file, sizeof(shmidname) - 1); - shmidname[sizeof(shmidname) - 1] = '\0'; - (void) strncat(shmidname, ".shm", sizeof(shmidname) - 1 - strlen(shmidname)); - return(krb_shm_create(shmidname)); -#else /* !TKT_SHMEM */ - return(KSUCCESS); -#endif /* TKT_SHMEM */ -} - -int KRB5_CALLCONV -krb_in_tkt(pname, pinst, prealm) - char *pname; - char *pinst; - char *prealm; -{ - return in_tkt(pname, pinst); -} diff --git a/src/lib/krb4/kadm_err.et b/src/lib/krb4/kadm_err.et deleted file mode 100644 index 07ab9da4b..000000000 --- a/src/lib/krb4/kadm_err.et +++ /dev/null 
@@ -1,58 +0,0 @@
-# kadmin.v4/server/kadm_err.et
-#
-# Copyright 1988 by the Massachusetts Institute of Technology.
-#
-# For copying and distribution information, please see the file
-# .
-#
-# Kerberos administration server error table
-#
- et kadm
-
-# KADM_SUCCESS, as all success codes should be, is zero
-
-ec KADM_RCSID, "$Header$"
-# /* Building and unbuilding the packet errors */
-ec KADM_NO_REALM, "Cannot fetch local realm"
-ec KADM_NO_CRED, "Unable to fetch credentials"
-ec KADM_BAD_KEY, "Bad key supplied"
-ec KADM_NO_ENCRYPT, "Can't encrypt data"
-ec KADM_NO_AUTH, "Cannot encode/decode authentication info"
-ec KADM_WRONG_REALM, "Principal attemping change is in wrong realm"
-ec KADM_NO_ROOM, "Packet is too large"
-ec KADM_BAD_VER, "Version number is incorrect"
-ec KADM_BAD_CHK, "Checksum does not match"
-ec KADM_NO_READ, "Unsealing private data failed"
-ec KADM_NO_OPCODE, "Unsupported operation"
-ec KADM_NO_HOST, "Could not find administrating host"
-ec KADM_UNK_HOST, "Administrating host name is unknown"
-ec KADM_NO_SERV, "Could not find service name in services database"
-ec KADM_NO_SOCK, "Could not create socket"
-ec KADM_NO_CONN, "Could not connect to server"
-ec KADM_NO_HERE, "Could not fetch local socket address"
-ec KADM_NO_MAST, "Could not fetch master key"
-ec KADM_NO_VERI, "Could not verify master key"
-
-# /* From the server side routines */
-ec KADM_INUSE, "Entry already exists in database"
-ec KADM_UK_SERROR, "Database store error"
-ec KADM_UK_RERROR, "Database read error"
-ec KADM_UNAUTH, "Insufficient access to perform requested operation"
-# KADM_DATA isn't really an error, but...
-ec KADM_DATA, "Data is available for return to client"
-ec KADM_NOENTRY, "No such entry in the database"
-
-ec KADM_NOMEM, "Memory exhausted"
-ec KADM_NO_HOSTNAME, "Could not fetch system hostname"
-ec KADM_NO_BIND, "Could not bind port"
-ec KADM_LENGTH_ERROR, "Length mismatch problem"
-ec KADM_ILL_WILDCARD, "Illegal use of wildcard"
-
-ec KADM_DB_INUSE, "Database locked or in use"
-
-ec KADM_INSECURE_PW, "Insecure password rejected"
-ec KADM_PW_MISMATCH, "Cleartext password and DES key did not match"
-
-ec KADM_NOT_SERV_PRINC, "Invalid principal for change srvtab request"
-ec KADM_REALM_TOO_LONG, "Realm name too long"
-end
diff --git a/src/lib/krb4/kadm_net.c b/src/lib/krb4/kadm_net.c
deleted file mode 100644
index 89c87cc27..000000000
--- a/src/lib/krb4/kadm_net.c
+++ /dev/null
@@ -1,393 +0,0 @@ -/* - * lib/krb4/kadm_net.c - * - * Copyright 1988, 2002, 2007 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Kerberos administration server client-side network access routines - * These routines do actual network traffic, in a machine dependent manner. - */ - -#include -#include -#include -#include -#include "autoconf.h" -#ifdef HAVE_UNISTD_H -#include -#endif - -#define DEFINE_SOCKADDR /* Ask krb.h for struct sockaddr, etc */ -#include "port-sockets.h" -#include "krb.h" -#include "krbports.h" -#include "kadm.h" -#include "kadm_err.h" -#include "prot.h" - -/* XXX FIXME! */ -#if defined(_WIN32) - #define SIGNAL(s, f) 0 -#else - #define SIGNAL(s, f) signal(s, f) -#endif - -static void clear_secrets(des_cblock sess_key, Key_schedule sess_sched); -/* XXX FIXME! 
*/ -#ifdef SIGPIPE -static krb5_sigtype (*opipe)(); -#endif - -/* - * kadm_init_link - * receives : principal, instance, realm - * - * initializes client parm, the Kadm_Client structure which holds the - * data about the connection between the server and client, the services - * used, the locations and other fun things - */ -int -kadm_init_link(char *principal, char *instance, char *realm, - Kadm_Client *client_parm, int changepw) -{ - struct servent *sep; /* service we will talk to */ - u_short sep_port; - struct hostent *hop; /* host we will talk to */ - char adm_hostname[MAXHOSTNAMELEN]; - char *scol = 0; - - (void) strcpy(client_parm->sname, principal); - (void) strcpy(client_parm->sinst, instance); - (void) strcpy(client_parm->krbrlm, realm); - client_parm->admin_fd = -1; - client_parm->default_port = 1; - - /* - * set up the admin_addr - fetch name of admin or kpasswd host - * (usually the admin host is the kpasswd host unless you have - * some sort of realm on crack) - */ - if (changepw) { -#if 0 /* XXX */ - if (krb_get_kpasswdhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS) -#endif - if (krb_get_admhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS) - return KADM_NO_HOST; - } else { - if (krb_get_admhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS) - return KADM_NO_HOST; - } - scol = strchr(adm_hostname,':'); - if (scol) *scol = 0; - if ((hop = gethostbyname(adm_hostname)) == NULL) - /* - * couldn't find the admin servers address - */ - return KADM_UNK_HOST; - if (scol) { - sep_port = htons(atoi(scol+1)); - client_parm->default_port = 0; - } else if ((sep = getservbyname(KADM_SNAME, "tcp")) != NULL) - sep_port = sep->s_port; - else - sep_port = htons(KADM_PORT); /* KADM_SNAME = kerberos_master/tcp */ - memset(&client_parm->admin_addr, 0, sizeof(client_parm->admin_addr)); - client_parm->admin_addr.sin_family = hop->h_addrtype; - memcpy(&client_parm->admin_addr.sin_addr, hop->h_addr, hop->h_length); - client_parm->admin_addr.sin_port = sep_port; 
- - return KADM_SUCCESS; -} - -/* - * kadm_cli_send - * recieves : opcode, packet, packet length, serv_name, serv_inst - * returns : return code from the packet build, the server, or - * something else - * - * It assembles a packet as follows: - * 8 bytes : VERSION STRING - * 4 bytes : LENGTH OF MESSAGE DATA and OPCODE - * : KTEXT - * : OPCODE \ - * : DATA > Encrypted (with make priv) - * : ...... / - * - * If it builds the packet and it is small enough, then it attempts to open the - * connection to the admin server. If the connection is succesfully open - * then it sends the data and waits for a reply. - */ -int -kadm_cli_send(Kadm_Client *client_parm, - u_char *st_dat, /* the actual data */ - size_t st_siz, /* length of said data */ - u_char **ret_dat, /* to give return info */ - size_t *ret_siz) /* length of returned info */ -{ -/* Macros for use in returning data... used in kadm_cli_send */ -#define RET_N_FREE(r) {clear_secrets(sess_key, sess_sched); free((char *)act_st); free((char *)priv_pak); return r;} -#define RET_N_FREE2(r) {free((char *)*ret_dat); *ret_dat = 0; *ret_siz = 0; clear_secrets(sess_key, sess_sched); return(r);} - - int act_len; /* current offset into packet, return */ - KRB_INT32 retdat; /* data */ - KTEXT_ST authent; /* the authenticator we will build */ - u_char *act_st; /* the pointer to the complete packet */ - u_char *priv_pak; /* private version of the packet */ - long priv_len; /* length of private packet */ - u_long cksum; /* checksum of the packet */ - MSG_DAT mdat; - u_char *return_dat; - u_char *p; - KRB_UINT32 uretdat; - - /* Keys for use in the transactions */ - des_cblock sess_key; /* to be filled in by kadm_cli_keyd */ - Key_schedule sess_sched; - - act_st = malloc(KADM_VERSIZE); /* verstr stored first */ - strncpy((char *)act_st, KADM_VERSTR, KADM_VERSIZE); - act_len = KADM_VERSIZE; - - if ((retdat = kadm_cli_keyd(client_parm, sess_key, sess_sched)) != KADM_SUCCESS) { - free(act_st); - return retdat; /* couldnt get key 
working */ - } - priv_pak = malloc(st_siz + 200); - /* 200 bytes for extra info case */ - /* XXX Check mk_priv return type */ - if ((priv_len = krb_mk_priv(st_dat, priv_pak, (u_long)st_siz, - sess_sched, (C_Block *)sess_key, - &client_parm->my_addr, - &client_parm->admin_addr)) < 0) - RET_N_FREE(KADM_NO_ENCRYPT); /* whoops... we got a lose here */ - /* - * here is the length of priv data. receiver calcs size of - * authenticator by subtracting vno size, priv size, and - * sizeof(u_long) (for the size indication) from total size - */ - act_len += vts_long((KRB_UINT32)priv_len, &act_st, (int)act_len); -#ifdef NOENCRYPTION - cksum = 0; -#else - cksum = quad_cksum(priv_pak, NULL, priv_len, 0, &sess_key); -#endif - /* XXX cast unsigned->signed */ - if ((retdat = krb_mk_req_creds(&authent, &client_parm->creds, (long)cksum)) != 0) { - /* authenticator? */ - RET_N_FREE(retdat); - } - - act_st = realloc(act_st, (unsigned) (act_len + authent.length - + priv_len)); - if (!act_st) { - clear_secrets(sess_key, sess_sched); - free(priv_pak); - return KADM_NOMEM; - } - memcpy(act_st + act_len, authent.dat, authent.length); - memcpy(act_st + act_len + authent.length, priv_pak, priv_len); - free(priv_pak); - if ((retdat = kadm_cli_out(client_parm, act_st, - act_len + authent.length + priv_len, - ret_dat, ret_siz)) != KADM_SUCCESS) - RET_N_FREE(retdat); - free(act_st); - - /* first see if it's a YOULOSE */ - if ((*ret_siz >= KADM_VERSIZE) && - !strncmp(KADM_ULOSE, (char *)*ret_dat, KADM_VERSIZE)) - { - /* it's a youlose packet */ - if (*ret_siz < KADM_VERSIZE + 4) - RET_N_FREE2(KADM_BAD_VER); - p = *ret_dat + KADM_VERSIZE; - KRB4_GET32BE(uretdat, p); - /* XXX unsigned->signed */ - retdat = (KRB_INT32)uretdat; - RET_N_FREE2(retdat); - } - /* need to decode the ret_dat */ - if ((retdat = krb_rd_priv(*ret_dat, (u_long)*ret_siz, sess_sched, - (C_Block *)sess_key, &client_parm->admin_addr, - &client_parm->my_addr, &mdat)) != 0) - RET_N_FREE2(retdat); - if (mdat.app_length < KADM_VERSIZE + 
4) - /* too short! */ - RET_N_FREE2(KADM_BAD_VER); - if (strncmp((char *)mdat.app_data, KADM_VERSTR, KADM_VERSIZE)) - /* bad version */ - RET_N_FREE2(KADM_BAD_VER); - p = mdat.app_data + KADM_VERSIZE; - KRB4_GET32BE(uretdat, p); - /* XXX unsigned->signed */ - retdat = (KRB_INT32)uretdat; - if ((mdat.app_length - KADM_VERSIZE - 4) != 0) { - if (!(return_dat = - malloc((unsigned)(mdat.app_length - KADM_VERSIZE - 4)))) - RET_N_FREE2(KADM_NOMEM); - memcpy(return_dat, p, mdat.app_length - KADM_VERSIZE - 4); - } else { - /* If it's zero length, still need to malloc a 1 byte string; */ - /* malloc's of zero will return NULL on AIX & A/UX */ - if (!(return_dat = malloc((unsigned) 1))) - RET_N_FREE2(KADM_NOMEM); - *return_dat = '\0'; - } - free(*ret_dat); - clear_secrets(sess_key, sess_sched); - *ret_dat = return_dat; - *ret_siz = mdat.app_length - KADM_VERSIZE - 4; - return retdat; -} - -int kadm_cli_conn(Kadm_Client *client_parm) -{ /* this connects and sets my_addr */ -#if 0 - int on = 1; -#endif - if ((client_parm->admin_fd = - socket(client_parm->admin_addr.sin_family, SOCK_STREAM,0)) < 0) - return KADM_NO_SOCK; /* couldnt create the socket */ - set_cloexec_fd(client_parm->admin_fd); - if (SOCKET_CONNECT(client_parm->admin_fd, - (struct sockaddr *) & client_parm->admin_addr, - sizeof(client_parm->admin_addr))) { - (void) SOCKET_CLOSE(client_parm->admin_fd); - client_parm->admin_fd = -1; - - /* The V4 kadmind port number is 751. The RFC assigned - number, for V5, is 749. Sometimes the entry in - /etc/services on a client machine will say 749, but the - server may be listening on port 751. We try to partially - cope by automatically falling back to try port 751 if we - don't get a reply on port we are using. 
*/ - if (client_parm->admin_addr.sin_port != htons(KADM_PORT) - && client_parm->default_port) { - client_parm->admin_addr.sin_port = htons(KADM_PORT); - return kadm_cli_conn(client_parm); - } - - return KADM_NO_CONN; /* couldnt get the connect */ - } -#ifdef SIGPIPE - opipe = SIGNAL(SIGPIPE, SIG_IGN); -#endif - client_parm->my_addr_len = sizeof(client_parm->my_addr); - if (SOCKET_GETSOCKNAME(client_parm->admin_fd, - (struct sockaddr *) & client_parm->my_addr, - &client_parm->my_addr_len) < 0) { - (void) SOCKET_CLOSE(client_parm->admin_fd); - client_parm->admin_fd = -1; -#ifdef SIGPIPE - (void) SIGNAL(SIGPIPE, opipe); -#endif - return KADM_NO_HERE; /* couldnt find out who we are */ - } -#if 0 - if (setsockopt(client_parm.admin_fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on, - sizeof(on)) < 0) { - (void) closesocket(client_parm.admin_fd); - client_parm.admin_fd = -1; -#ifdef SIGPIPE - (void) SIGNAL(SIGPIPE, opipe); -#endif - return KADM_NO_CONN; /* XXX */ - } -#endif - return KADM_SUCCESS; -} - -void kadm_cli_disconn(Kadm_Client *client_parm) -{ - (void) SOCKET_CLOSE(client_parm->admin_fd); -#ifdef SIGPIPE - (void) SIGNAL(SIGPIPE, opipe); -#endif - return; -} - -int kadm_cli_out(Kadm_Client *client_parm, u_char *dat, int dat_len, - u_char **ret_dat, size_t *ret_siz) -{ - u_short dlen; - int retval; - unsigned char buf[2], *p; - - dlen = (u_short)dat_len; - if (dlen > 0x7fff) /* XXX krb_net_write signedness */ - return KADM_NO_ROOM; - - p = buf; - KRB4_PUT16BE(p, dlen); - if (krb_net_write(client_parm->admin_fd, (char *)buf, 2) < 0) - return SOCKET_ERRNO; /* XXX */ - - if (krb_net_write(client_parm->admin_fd, (char *)dat, (int)dat_len) < 0) - return SOCKET_ERRNO; /* XXX */ - - retval = krb_net_read(client_parm->admin_fd, (char *)buf, 2); - if (retval != 2) { - if (retval < 0) - return SOCKET_ERRNO; /* XXX */ - else - return EPIPE; /* short read ! 
*/ - } - - p = buf; - KRB4_GET16BE(dlen, p); - if (dlen > INT_MAX) /* XXX krb_net_read signedness */ - return KADM_NO_ROOM; - *ret_dat = malloc(dlen); - if (!*ret_dat) - return KADM_NOMEM; - - retval = krb_net_read(client_parm->admin_fd, (char *)*ret_dat, (int)dlen); - if (retval != dlen) { - if (retval < 0) - return SOCKET_ERRNO; /* XXX */ - else - return EPIPE; /* short read ! */ - } - *ret_siz = dlen; - return KADM_SUCCESS; -} - -static void -clear_secrets(des_cblock sess_key, Key_schedule sess_sched) -{ - memset(sess_key, 0, sizeof(sess_key)); - memset(sess_sched, 0, sizeof(sess_sched)); - return; -} - -/* takes in the sess_key and key_schedule and sets them appropriately */ -int kadm_cli_keyd(Kadm_Client *client_parm, - des_cblock s_k, des_key_schedule s_s) -{ - int stat; - - memcpy(s_k, client_parm->creds.session, sizeof(des_cblock)); - stat = key_sched(s_k, s_s); - if (stat) - return stat; - return KADM_SUCCESS; -} /* This code "works" */ diff --git a/src/lib/krb4/kadm_stream.c b/src/lib/krb4/kadm_stream.c deleted file mode 100644 index dc9fef110..000000000 --- a/src/lib/krb4/kadm_stream.c +++ /dev/null 
@@ -1,325 +0,0 @@ -/* - * kadm_stream.c - * - * Copyright 1988, 2002 by the Massachusetts Institute of Technology. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Stream conversion functions for Kerberos administration server - */ - -/* - kadm_stream.c - this holds the stream support routines for the kerberos administration server - - vals_to_stream: converts a vals struct to a stream for transmission - internals build_field_header, vts_[string, char, long, short] - stream_to_vals: converts a stream to a vals struct - internals check_field_header, stv_[string, char, long, short] - error: prints out a kadm error message, returns - fatal: prints out a kadm fatal error message, exits -*/ - -#include -#include - -#include "kadm.h" -#include "kadm_err.h" -#include "prot.h" - -#define min(a,b) (((a) < (b)) ? 
(a) : (b)) - -/* -vals_to_stream - recieves : kadm_vals *, u_char * - returns : a realloced and filled in u_char * - -this function creates a byte-stream representation of the kadm_vals structure -*/ -int -vals_to_stream(Kadm_vals *dt_in, u_char **dt_out) -{ - int vsloop, stsize; /* loop counter, stream size */ - - stsize = build_field_header(dt_in->fields, dt_out); - for (vsloop = 31; vsloop >= 0; vsloop--) - if (IS_FIELD(vsloop, dt_in->fields)) { - switch (vsloop) { - case KADM_NAME: - stsize += vts_string(dt_in->name, dt_out, stsize); - break; - case KADM_INST: - stsize += vts_string(dt_in->instance, dt_out, stsize); - break; - case KADM_EXPDATE: - stsize += vts_long((KRB_UINT32)dt_in->exp_date, - dt_out, stsize); - break; - case KADM_ATTR: - stsize += vts_short(dt_in->attributes, dt_out, stsize); - break; - case KADM_MAXLIFE: - stsize += vts_char(dt_in->max_life, dt_out, stsize); - break; - case KADM_DESKEY: - stsize += vts_long(dt_in->key_high, dt_out, stsize); - stsize += vts_long(dt_in->key_low, dt_out, stsize); - break; - default: - break; - } - } - return stsize; -} - -int -build_field_header( - u_char *cont, /* container for fields data */ - u_char **st) /* stream */ -{ - *st = malloc(4); - if (*st == NULL) - return -1; - memcpy(*st, cont, 4); - return 4; /* return pointer to current stream location */ -} - -int -vts_string(char *dat, u_char **st, int loc) -{ - size_t len; - unsigned char *p; - - if (loc < 0) - return -1; - len = strlen(dat) + 1; - p = realloc(*st, (size_t)loc + len); - if (p == NULL) - return -1; - memcpy(p + loc, dat, len); - *st = p; - return len; -} - -int -vts_short(KRB_UINT32 dat, u_char **st, int loc) -{ - unsigned char *p; - - if (loc < 0) - return -1; - p = realloc(*st, (size_t)loc + 2); - if (p == NULL) - return -1; - - *st = p; /* KRB4_PUT32BE will modify p */ - - p += loc; /* place bytes at the end */ - KRB4_PUT16BE(p, dat); - - return 2; -} - -int -vts_long(KRB_UINT32 dat, u_char **st, int loc) -{ - unsigned char *p; - - if 
(loc < 0) - return -1; - p = realloc(*st, (size_t)loc + 4); - if (p == NULL) - return -1; - - *st = p; /* KRB4_PUT32BE will modify p */ - - p += loc; /* place bytes at the end */ - KRB4_PUT32BE(p, dat); - - return 4; -} - -int -vts_char(KRB_UINT32 dat, u_char **st, int loc) -{ - unsigned char *p; - - if (loc < 0) - return -1; - p = realloc(*st, (size_t)loc + 1); - if (p == NULL) - return -1; - p[loc] = dat & 0xff; - *st = p; - return 1; -} - -/* -stream_to_vals - recieves : u_char *, kadm_vals * - returns : a kadm_vals filled in according to u_char * - -this decodes a byte stream represntation of a vals struct into kadm_vals -*/ -int -stream_to_vals( - u_char *dt_in, - Kadm_vals *dt_out, - int maxlen) /* max length to use */ -{ - register int vsloop, stsize; /* loop counter, stream size */ - register int status; - - memset(dt_out, 0, sizeof(*dt_out)); - - stsize = check_field_header(dt_in, dt_out->fields, maxlen); - if (stsize < 0) - return -1; - for (vsloop = 31; vsloop >= 0; vsloop--) - if (IS_FIELD(vsloop, dt_out->fields)) - switch (vsloop) { - case KADM_NAME: - status = stv_string(dt_in, dt_out->name, stsize, - sizeof(dt_out->name), maxlen); - if (status < 0) - return -1; - stsize += status; - break; - case KADM_INST: - status = stv_string(dt_in, dt_out->instance, stsize, - sizeof(dt_out->instance), maxlen); - if (status < 0) - return -1; - stsize += status; - break; - case KADM_EXPDATE: - { - KRB_UINT32 exp_date; - - status = stv_long(dt_in, &exp_date, stsize, maxlen); - if (status < 0) - return -1; - dt_out->exp_date = exp_date; - stsize += status; - } - break; - case KADM_ATTR: - status = stv_short(dt_in, &dt_out->attributes, stsize, - maxlen); - if (status < 0) - return -1; - stsize += status; - break; - case KADM_MAXLIFE: - status = stv_char(dt_in, &dt_out->max_life, stsize, - maxlen); - if (status < 0) - return -1; - stsize += status; - break; - case KADM_DESKEY: - status = stv_long(dt_in, &dt_out->key_high, stsize, - maxlen); - if (status < 0) - return 
-1; - stsize += status; - status = stv_long(dt_in, &dt_out->key_low, stsize, - maxlen); - if (status < 0) - return -1; - stsize += status; - break; - default: - break; - } - return stsize; -} - -int -check_field_header( - u_char *st, /* stream */ - u_char *cont, /* container for fields data */ - int maxlen) -{ - if (4 > maxlen) - return -1; - memcpy(cont, st, 4); - return 4; /* return pointer to current stream location */ -} - -int -stv_string( - register u_char *st, /* base pointer to the stream */ - char *dat, /* a string to read from the stream */ - register int loc, /* offset into the stream for current data */ - int stlen, /* max length of string to copy in */ - int maxlen) /* max length of input stream */ -{ - int maxcount; /* max count of chars to copy */ - - if (loc < 0) - return -1; - maxcount = min(maxlen - loc, stlen); - if (maxcount <= 0) /* No strings left in the input stream */ - return -1; - - (void) strncpy(dat, (char *)st + loc, (size_t)maxcount); - - if (dat[maxcount - 1]) /* not null-term --> not enuf room */ - return -1; - return strlen(dat) + 1; -} - -int -stv_short(u_char *st, u_short *dat, int loc, int maxlen) -{ - u_short temp; - unsigned char *p; - - if (loc < 0 || loc + 2 > maxlen) - return -1; - p = st + loc; - KRB4_GET16BE(temp, p); - *dat = temp; - return 2; -} - -int -stv_long(u_char *st, KRB_UINT32 *dat, int loc, int maxlen) -{ - KRB_UINT32 temp; - unsigned char *p; - - if (loc < 0 || loc + 4 > maxlen) - return -1; - p = st + loc; - KRB4_GET32BE(temp, p); - *dat = temp; - return 4; -} - -int -stv_char(u_char *st, u_char *dat, int loc, int maxlen) -{ - if (loc < 0 || loc + 1 > maxlen) - return -1; - *dat = *(st + loc); - return 1; -} diff --git a/src/lib/krb4/klog.c b/src/lib/krb4/klog.c deleted file mode 100644 index b1cfa93b4..000000000 --- a/src/lib/krb4/klog.c +++ /dev/null 
@@ -1,126 +0,0 @@ -/* - * lib/krb4/klog.c - * - * Copyright 1985, 1986, 1987, 1988, 2007 by the Massachusetts Institute of - * Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "krb.h" -#include "autoconf.h" -#ifdef HAVE_TIME_H -#include -#endif -#if !defined(VMS) && !defined(_WIN32) -#include -#endif -#include - -#include "krb4int.h" -#include -#include "k5-platform.h" - -static char *log_name = KRBLOG; -static char logtxt[1000]; - -/* - * This file contains two logging routines: kset_logfile() - * to determine the file to which log entries should be written; - * and klog() to write log entries to the file. - */ - -/* - * klog() is used to add entries to the logfile (see kset_logfile() - * below). 
Note that it is probably not portable since it makes - * assumptions about what the compiler will do when it is called - * with less than the correct number of arguments which is the - * way it is usually called. - * - * The log entry consists of a timestamp and the given arguments - * printed according to the given "format" string. - * - * The log file is opened and closed for each log entry. - * - * If the given log type "type" is unknown, or if the log file - * cannot be opened, no entry is made to the log file. - * - * The return value is always a pointer to the formatted log - * text string "logtxt". - */ - -char * klog(type,format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0) - int type; - char *format; - char *a1,*a2,*a3,*a4,*a5,*a6,*a7,*a8,*a9,*a0; -{ - FILE *logfile; - time_t now; - struct tm *tm; - static int logtype_array[NLOGTYPE]; - static int array_initialized; - - if (!(array_initialized++)) { - logtype_array[L_NET_ERR] = 1; - logtype_array[L_KRB_PERR] = 1; - logtype_array[L_KRB_PWARN] = 1; - logtype_array[L_APPL_REQ] = 1; - logtype_array[L_INI_REQ] = 1; - logtype_array[L_DEATH_REQ] = 1; - logtype_array[L_NTGT_INTK] = 1; - logtype_array[L_ERR_SEXP] = 1; - logtype_array[L_ERR_MKV] = 1; - logtype_array[L_ERR_NKY] = 1; - logtype_array[L_ERR_NUN] = 1; - logtype_array[L_ERR_UNK] = 1; - } - - (void) snprintf(logtxt,sizeof(logtxt),format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0); - - if (!logtype_array[type]) - return(logtxt); - - if ((logfile = fopen(log_name,"a")) == NULL) - return(logtxt); - set_cloexec_file(logfile); - - (void) time(&now); - tm = localtime(&now); - - fprintf(logfile,"%2d-%s-%d %02d:%02d:%02d ",tm->tm_mday, - month_sname(tm->tm_mon + 1),1900+tm->tm_year, - tm->tm_hour, tm->tm_min, tm->tm_sec); - fprintf(logfile,"%s\n",logtxt); - (void) fclose(logfile); - return(logtxt); -} - -/* - * kset_logfile() changes the name of the file to which - * messages are logged. If kset_logfile() is not called, - * the logfile defaults to KRBLOG, defined in "krb.h". 
- */ - -void -kset_logfile(filename) - char *filename; -{ - log_name = filename; -} diff --git a/src/lib/krb4/kname_parse.c b/src/lib/krb4/kname_parse.c deleted file mode 100644 index db3a1cf0b..000000000 --- a/src/lib/krb4/kname_parse.c +++ /dev/null 
@@ -1,411 +0,0 @@
-/*
- * lib/krb4/kname_parse.c
- *
- * Copyright 1987, 1988, 2001 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include
-#include "krb.h"
-#include
-
-static int k_isname_unparsed(const char *s);
-static int k_isinst_unparsed(const char *s);
-static int k_isrealm_unparsed(const char *s);
-
-/*
- * max size of full name
- *
- * XXX This does not account for backslach quoting, and besides we
- * might want to use MAX_K_NAME_SZ.
- */
-#define FULL_SZ (ANAME_SZ + INST_SZ + REALM_SZ)
-
-#define NAME 0 /* which field are we in? */
-#define INST 1
-#define REALM 2
-
-/*
- * This file contains four routines for handling Kerberos names.
- *
- * kname_parse() breaks a Kerberos name into its name, instance,
- * and realm components.
- *
- * k_isname(), k_isinst(), and k_isrealm() check a given string to see if
- * it's a syntactically legitimate respective part of a Kerberos name,
- * returning 1 if it is, 0 if it isn't.
- *
- * Definition of "syntactically legitimate" names is according to
- * the Project Athena Technical Plan Section E.2.1, page 7 "Specifying
- * names", version dated 21 Dec 1987.
- */
-
-/*
- * kname_parse() takes a Kerberos name "fullname" of the form:
- *
- * username[.instance][@realm]
- *
- * and returns the three components ("name", "instance", and "realm"
- * in the example above) in the given arguments "np", "ip", and "rp".
- *
- * If successful, it returns KSUCCESS. If there was an error,
- * KNAME_FMT is returned.
- *
- * For proper operation, this routine requires that the ip, np, and rp
- * arguments be initialized, either to null strings, or to default values
- * of name, instance, and realm. FIXME-gnu: Does anyone use it this way?
- */
-
-int KRB5_CALLCONV
-kname_parse(np, ip, rp, fullname)
- char *np;
- char *ip;
- char *rp;
- char *fullname;
-{
- char buf[FULL_SZ];
- char *rnext, *wnext; /* next char to read, write */
- register char c;
- int backslash;
- int field;
-
- backslash = 0;
- rnext = buf;
- wnext = np;
- field = NAME;
-
- if (strlen(fullname) > FULL_SZ)
- return KNAME_FMT;
- (void) strcpy(buf, fullname);
-
- while ((c = *rnext++)) {
- if (backslash) {
- *wnext++ = c;
- backslash = 0;
- continue;
- }
- switch (c) {
- case '\\':
- backslash++;
- break;
- case '.':
- switch (field) {
- case NAME:
- if (wnext == np)
- return KNAME_FMT;
- *wnext = '\0';
- field = INST;
- wnext = ip;
- break;
- case INST: /* We now allow period in instance */
- case REALM:
- *wnext++ = c;
- break;
- default:
- DEB (("unknown field value\n"));
- return KNAME_FMT;
- }
- break;
- case '@':
- switch (field) {
- case NAME:
- if (wnext == np)
- return KNAME_FMT;
- *ip = '\0';
- /* fall through */
- case INST:
- *wnext = '\0';
- field = REALM;
- wnext = rp;
- break;
- case REALM:
- return KNAME_FMT;
- default:
- DEB (("unknown field value\n"));
- return KNAME_FMT;
- }
- break;
- default:
- *wnext++ = c;
- }
- /*
- * Paranoia: check length each time through to ensure that we
- * don't overwrite things.
- */
- switch (field) {
- case NAME:
- if (wnext - np >= ANAME_SZ)
- return KNAME_FMT;
- break;
- case INST:
- if (wnext - ip >= INST_SZ)
- return KNAME_FMT;
- break;
- case REALM:
- if (wnext - rp >= REALM_SZ)
- return KNAME_FMT;
- break;
- default:
- DEB (("unknown field value\n"));
- return KNAME_FMT;
- }
- }
- *wnext = '\0';
- return KSUCCESS;
-}
-
-/*
- * k_isname() returns 1 if the given name is a syntactically legitimate
- * Kerberos name; returns 0 if it's not.
- */
-
-int KRB5_CALLCONV
-k_isname(s)
- char *s;
-{
- register char c;
- int backslash = 0;
-
- if (!*s)
- return 0;
- if (strlen(s) > ANAME_SZ - 1)
- return 0;
- while((c = *s++)) {
- if (backslash) {
- backslash = 0;
- continue;
- }
- switch(c) {
- case '\\':
- backslash = 1;
- break;
- case '.':
- return 0;
- /* break; */
- case '@':
- return 0;
- /* break; */
- }
- }
- return 1;
-}
-
-
-/*
- * k_isinst() returns 1 if the given name is a syntactically legitimate
- * Kerberos instance; returns 0 if it's not.
- *
- * We now allow periods in instance names -- they are unambiguous.
- */
-
-int KRB5_CALLCONV
-k_isinst(s)
- char *s;
-{
- register char c;
- int backslash = 0;
-
- if (strlen(s) > INST_SZ - 1)
- return 0;
- while((c = *s++)) {
- if (backslash) {
- backslash = 0;
- continue;
- }
- switch(c) {
- case '\\':
- backslash = 1;
- break;
- case '@':
- return 0;
- /* break; */
- }
- }
- return 1;
-}
-
-/*
- * k_isrealm() returns 1 if the given name is a syntactically legitimate
- * Kerberos realm; returns 0 if it's not.
- */
-
-int KRB5_CALLCONV
-k_isrealm(s)
- char *s;
-{
- register char c;
- int backslash = 0;
-
- if (!*s)
- return 0;
- if (strlen(s) > REALM_SZ - 1)
- return 0;
- while((c = *s++)) {
- if (backslash) {
- backslash = 0;
- continue;
- }
- switch(c) {
- case '\\':
- backslash = 1;
- break;
- case '@':
- return 0;
- /* break; */
- }
- }
- return 1;
-}
-
-int KRB5_CALLCONV
-kname_unparse(
- char *outFullName,
- const char *inName,
- const char *inInstance,
- const char *inRealm)
-{
- const char *read;
- char *write = outFullName;
-
- if (inName == NULL)
- return KFAILURE;
-
- if (outFullName == NULL)
- return KFAILURE;
-
- if (!k_isname_unparsed(inName) ||
- ((inInstance != NULL) && !k_isinst_unparsed(inInstance)) ||
- ((inRealm != NULL) && !k_isrealm_unparsed(inRealm))) {
-
- return KFAILURE;
- }
-
- for (read = inName; *read != '\0'; read++, write++) {
- if ((*read == '.') || (*read == '@')) {
- *write = '\\';
- write++;
- }
- *write = *read;
- }
-
- if ((inInstance != NULL) && (inInstance[0] != '\0')) {
- *write = '.';
- write++;
- for (read = inInstance; *read != '\0'; read++, write++) {
- if (*read == '@') {
- *write = '\\';
- write++;
- }
- *write = *read;
- }
- }
-
- if ((inRealm != NULL) && (inRealm[0] != '\0')) {
- *write = '@';
- write++;
- for (read = inRealm; *read != '\0'; read++, write++) {
- if (*read == '@') {
- *write = '\\';
- write++;
- }
- *write = *read;
- }
- }
-
- *write = '\0';
- return KSUCCESS;
-}
-
-/*
- * k_isname, k_isrealm, k_isinst expect an unparsed realm -- i.e., one where all
- * components have special characters escaped with \. However,
- * for kname_unparse, we need to be able to sanity-check components without \.
- * That's what k_is*_unparsed are for.
- */
-
-static int
-k_isname_unparsed(const char *s)
-{
- int len = strlen(s);
- const char* c;
- /* Has to be non-empty and has to fit in ANAME_SZ when escaped with \ */
-
- if (!*s)
- return 0;
-
- for (c = s; *c != '\0'; c++) {
- switch (*c) {
- case '.':
- case '@':
- len++;
- break;
- }
- }
-
- if (len > ANAME_SZ - 1)
- return 0;
- return 1;
-}
-
-static int
-k_isinst_unparsed(const char *s)
-{
- int len = strlen(s);
- const char* c;
- /* Has to fit in INST_SZ when escaped with \ */
-
- for (c = s; *c != '\0'; c++) {
- switch (*c) {
- case '.':
- case '@':
- len++;
- break;
- }
- }
-
- if (len > INST_SZ - 1)
- return 0;
- return 1;
-}
-
-static int
-k_isrealm_unparsed(const char *s)
-{
- int len = strlen(s);
- const char* c;
- /* Has to be non-empty and has to fit in REALM_SZ when escaped with \ */
-
- if (!*s)
- return 0;
-
- for (c = s; *c != '\0'; c++) {
- switch (*c) {
- case '@':
- len++;
- break;
- }
- }
-
- if (len > REALM_SZ - 1)
- return 0;
- return 1;
-}
diff --git a/src/lib/krb4/kntoln.c b/src/lib/krb4/kntoln.c
deleted file mode 100644
index ca48381b9..000000000
--- a/src/lib/krb4/kntoln.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * kntoln.c
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-#include
-
-/*
- * krb_kntoln converts an auth name into a local name by looking up
- * the auth name in the /etc/aname file. The format of the aname
- * file is:
- *
- * +-----+-----+-----+-----+------+----------+-------+-------+
- * | anl | inl | rll | lnl | name | instance | realm | lname |
- * +-----+-----+-----+-----+------+----------+-------+-------+
- * | 1by | 1by | 1by | 1by | name | instance | realm | lname |
- * +-----+-----+-----+-----+------+----------+-------+-------+
- *
- * If the /etc/aname file can not be opened it will set the
- * local name to the auth name. Thus, in this case it performs as
- * the identity function.
- *
- * The name instance and realm are passed to krb_kntoln through
- * the AUTH_DAT structure (ad).
- *
- * Now here's what it *really* does:
- *
- * Given a Kerberos name in an AUTH_DAT structure, check that the
- * instance is null, and that the realm is the same as the local
- * realm, and return the principal's name in "lname". Return
- * KSUCCESS if all goes well, otherwise KFAILURE.
- */
-
-/* The definition of MAX_USERNAME here MUST agree with kuserok.c, or bad
- * things will happen. */
-#define MAX_USERNAME 10
-
-int
-krb_kntoln(ad,lname)
- AUTH_DAT *ad;
- char *lname;
-{
- static char lrealm[REALM_SZ];
-
- if (!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE))
- return(KFAILURE);
-
- if (strcmp(ad->pinst,""))
- return(KFAILURE);
- if (strcmp(ad->prealm,lrealm))
- return(KFAILURE);
- (void) strncpy(lname,ad->pname,MAX_USERNAME-1);
- lname[MAX_USERNAME - 1] = '\0';
- return(KSUCCESS);
-}
diff --git a/src/lib/krb4/krb4int.h b/src/lib/krb4/krb4int.h
deleted file mode 100644
index 51b1138c9..000000000
--- a/src/lib/krb4/krb4int.h
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * lib/krb4/krb4int.h
- *
- * Copyright 2001-2002, 2007 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * A series of private prototypes that we are not exporting but should
- * be available for self consistancy in the library.
- */
-
-#include "port-sockets.h"
-
-/* ad_print.c */
-void ad_print(AUTH_DAT *x);
-
-/* fgetst.c */
-int fgetst(FILE *, char *, int);
-
-/* getst.c */
-int getst(int, char *, int);
-
-/* g_cnffile.c */
-FILE *krb__get_realmsfile(void);
-
-FILE *krb__get_cnffile(void);
-
-/* g_svc_in_tkt.c */
-int krb_svc_init(char *, char *, char *, int, char *, char *);
-int krb_svc_init_preauth(char *, char *, char *, int, char *, char *);
-
-int krb_get_svc_in_tkt_preauth(char *, char *, char *, char *, char *, int, char *);
-
-/* gethostname.c */
-int k_gethostname(char *, int);
-
-/* g_in_tkt.c */
-int krb_get_in_tkt_preauth_creds(char *, char *, char *,
- char *, char *, int,
- key_proc_type, decrypt_tkt_type,
- char *, char *, int, CREDENTIALS *, KRB_UINT32 *);
-
-/* klog.c */
-void kset_logfile(char *);
-
-/* log.c */
-void krb_log(const char *, ...)
-#if !defined(__cplusplus) && (__GNUC__ > 2)
- __attribute__((__format__(__printf__, 1, 2)))
-#endif
- ;
-
-void krb_set_logfile(char *);
-
-/* month_sname.c */
-const char * month_sname(int);
-
-/* password_to_key.c */
-key_proc_type *krb_get_keyprocs (key_proc_type keyproc);
-int KRB5_CALLCONV mit_passwd_to_key(char *user, char *instance, char *realm,
- char *passwd, C_Block key);
-int KRB5_CALLCONV krb5_passwd_to_key(char *user, char *instance, char *realm,
- char *passwd, C_Block key);
-int KRB5_CALLCONV afs_passwd_to_key(char *user, char *instance, char *realm,
- char *passwd, C_Block key);
-
-/* rd_preauth.c */
-#ifdef KRB_DB_DEFS
-int krb_rd_preauth(KTEXT, char *, int, Principal *, des_cblock);
-#endif
-
-/* sendauth.c */
-int krb_net_rd_sendauth(int, KTEXT, KRB4_32 *);
-
-/* stime.c */
-char *krb_stime(long *);
-
-/* tf_util.c */
-int tf_save_cred(char *, char *, char *, C_Block, int , int, KTEXT, KRB4_32);
-
-
-/* unix_glue.c */
-int krb_start_session(char *);
-
-int krb_end_session(char *);
-
-#ifndef _WIN32
-/* For windows users, these are defined in krb.h */
-char *krb_get_default_user (void);
-
-int krb_set_default_user (char *);
-#endif
-
-/* RealmConfig-glue.c */
-int krb_get_kpasswdhst(char *, char *, int);
-
-/* err_txt.c */
-void krb4int_et_init(void);
-void krb4int_et_fini(void);
-
-int krb4int_save_credentials_addr(
- char *, char *, char *, C_Block, int, int, KTEXT, KRB4_32, KRB_UINT32);
-
-int krb4int_send_to_kdc_addr(KTEXT, KTEXT, char *,
- struct sockaddr *, socklen_t *);
-
-/*
- * Exported by libdes425 and called by krb_get_in_pw_tkt, but not part of
- * the standard DES interface and therefore not prototyped in des.h.
- */
-int KRB5_CALLCONV des_read_pw_string(char *, int, char *, int);
diff --git a/src/lib/krb4/krb_err.et b/src/lib/krb4/krb_err.et
deleted file mode 100644
index c4f225d6c..000000000
--- a/src/lib/krb4/krb_err.et
+++ /dev/null
@@ -1,776 +0,0 @@
-# Copyright 1987,1988 Massachusetts Institute of Technology
-#
-# For copying and distribution information, see the file
-# "mit-copyright.h".
-#
-#
- error_table krb
-
- ec KRBET_KSUCCESS,
- "Kerberos successful"
-
- ec KRBET_KDC_NAME_EXP,
- "Kerberos principal expired"
-
- ec KRBET_KDC_SERVICE_EXP,
- "Kerberos service expired"
-
- ec KRBET_KDC_AUTH_EXP,
- "Kerberos auth expired"
-
- ec KRBET_KDC_PKT_VER,
- "Unknown kerberos protocol version"
-
- ec KRBET_KDC_P_MKEY_VER,
- "Incorrect kerberos master key version for principal"
-
- ec KRBET_KDC_S_MKEY_VER,
- "Incorrect kerberos master key version for service"
-
- ec KRBET_KDC_BYTE_ORDER,
- "Bad byte order (kerberos)"
-
- ec KRBET_KDC_PR_UNKNOWN,
- "Kerberos principal unknown"
-
- ec KRBET_KDC_PR_N_UNIQUE,
- "Kerberos principal not unique"
-
- ec KRBET_KDC_NULL_KEY,
- "Kerberos principal has null key"
-
- ec KRBET_KRB_RES11,
- "Reserved error message 11 (kerberos)"
-
- ec KRBET_KRB_RES12,
- "Reserved error message 12 (kerberos)"
-
- ec KRBET_KRB_RES13,
- "Reserved error message 13 (kerberos)"
-
- ec KRBET_KRB_RES14,
- "Reserved error message 14 (kerberos)"
-
- ec KRBET_KRB_RES15,
- "Reserved error message 15 (kerberos)"
-
- ec KRBET_KRB_RES16,
- "Reserved error message 16 (kerberos)"
-
- ec KRBET_KRB_RES17,
- "Reserved error message 17 (kerberos)"
-
- ec KRBET_KRB_RES18,
- "Reserved error message 18 (kerberos)"
-
- ec KRBET_KRB_RES19,
- "Reserved error message 19 (kerberos)"
-
- ec KRBET_KDC_GEN_ERR,
- "Generic error from Kerberos KDC"
-
- ec KRBET_GC_TKFIL,
- "Can't read Kerberos ticket file"
-
- ec KRBET_GC_NOTKT,
- "Can't find Kerberos ticket or TGT"
-
- ec KRBET_KRB_RES23,
- "Reserved error message 23 (krb_get_cred)"
-
- ec KRBET_KRB_RES24,
- "Reserved error message 24 (krb_get_cred)"
-
- ec KRBET_KRB_RES25,
- "Reserved error message 25 (krb_get_cred)"
-
- ec KRBET_MK_AP_TGTEXP,
- "Kerberos TGT Expired"
-
- ec KRBET_KRB_RES27,
- "Reserved error message 27 (krb_mk_req)"
-
- ec KRBET_KRB_RES28,
- "Reserved error message 28 (krb_mk_req)"
-
- ec KRBET_KRB_RES29,
- "Reserved error message 29 (krb_mk_req)"
-
- ec KRBET_KRB_RES30,
- "Reserved error message 30 (krb_mk_req)"
-
- ec KRBET_RD_AP_UNDEC,
- "Can't decode authenticator (krb_rd_req)"
-
- ec KRBET_RD_AP_EXP,
- "Kerberos ticket expired (krb_rd_req)"
-
- ec KRBET_RD_AP_NYV,
- "Kerberos ticket not yet valid (krb_rd_req)"
-
- ec KRBET_RD_AP_REPEAT,
- "Repeated request (krb_rd_req)"
-
- ec KRBET_RD_AP_NOT_US,
- "Kerberos ticket is for wrong server (krb_rd_req)"
-
- ec KRBET_RD_AP_INCON,
- "Kerberos request inconsistent"
-
- ec KRBET_RD_AP_TIME,
- "Time is out of bounds (krb_rd_req)"
-
- ec KRBET_RD_AP_BADD,
- "Incorrect net address (krb_rd_req)"
-
- ec KRBET_RD_AP_VERSION,
- "Kerberos protocol version mismatch (krb_rd_req)"
-
- ec KRBET_RD_AP_MSG_TYPE,
- "Invalid msg type (krb_rd_req)"
-
- ec KRBET_RD_AP_MODIFIED,
- "Message integrity error (krb_rd_req)"
-
- ec KRBET_RD_AP_ORDER,
- "Message out of order (krb_rd_req)"
-
- ec KRBET_RD_AP_UNAUTHOR,
- "Unauthorized request (krb_rd_req)"
-
- ec KRBET_KRB_RES44,
- "Reserved error message 44 (krb_rd_req)"
-
- ec KRBET_KRB_RES45,
- "Reserved error message 45 (krb_rd_req)"
-
- ec KRBET_KRB_RES46,
- "Reserved error message 46 (krb_rd_req)"
-
- ec KRBET_KRB_RES47,
- "Reserved error message 47 (krb_rd_req)"
-
- ec KRBET_KRB_RES48,
- "Reserved error message 48 (krb_rd_req)"
-
- ec KRBET_KRB_RES49,
- "Reserved error message 49 (krb_rd_req)"
-
- ec KRBET_KRB_RES50,
- "Reserved error message 50 (krb_rd_req)"
-
- ec KRBET_GT_PW_NULL,
- "Current password is null (get_pw_tkt)"
-
- ec KRBET_GT_PW_BADPW,
- "Incorrect current password (get_pw_tkt)"
-
- ec KRBET_GT_PW_PROT,
- "Protocol error (get_pw_tkt)"
-
- ec KRBET_GT_PW_KDCERR,
- "Error returned by KDC (get_pw_tkt)"
-
- ec KRBET_GT_PW_NULLTKT,
- "Null Kerberos ticket returned by KDC (get_pw_tkt)"
-
- ec KRBET_SKDC_RETRY,
- "Retry count exceeded (send_to_kdc)"
-
- ec KRBET_SKDC_CANT,
- "Can't send request (send_to_kdc)"
-
- ec KRBET_KRB_RES58,
- "Reserved error message 58 (send_to_kdc)"
-
- ec KRBET_KRB_RES59,
- "Reserved error message 59 (send_to_kdc)"
-
- ec KRBET_KRB_RES60,
- "Reserved error message 60 (send_to_kdc)"
-
- ec KRBET_INTK_W_NOTALL,
- "Kerberos error: not all tickets returned"
-
- ec KRBET_INTK_BADPW,
- "Incorrect password (get_in_tkt)"
-
- ec KRBET_INTK_PROT,
- "Protocol error (get_in_tkt)"
-
- ec KRBET_KRB_RES64,
- "Reserved error message 64 (get_in_tkt)"
-
- ec KRBET_KRB_RES65,
- "Reserved error message 65 (get_in_tkt)"
-
- ec KRBET_KRB_RES66,
- "Reserved error message 66 (get_in_tkt)"
-
- ec KRBET_KRB_RES67,
- "Reserved error message 67 (get_in_tkt)"
-
- ec KRBET_KRB_RES68,
- "Reserved error message 68 (get_in_tkt)"
-
- ec KRBET_KRB_RES69,
- "Reserved error message 69 (get_in_tkt)"
-
- ec KRBET_INTK_ERR,
- "Other error (get_in_tkt)"
-
- ec KRBET_AD_NOTGT,
- "Don't have Kerberos ticket-granting ticket (get_ad_tkt)"
-
- ec KRBET_KRB_RES72,
- "Reserved error message 72 (get_ad_tkt)"
-
- ec KRBET_KRB_RES73,
- "Reserved error message 73 (get_ad_tkt)"
-
- ec KRBET_KRB_RES74,
- "Reserved error message 74 (get_ad_tkt)"
-
- ec KRBET_KRB_RES75,
- "Reserved error message 75 (get_ad_tkt)"
-
- ec KRBET_NO_TKT_FIL,
- "You have no tickets cached"
-
- ec KRBET_TKT_FIL_ACC,
- "Couldn't access ticket file (tf_util)"
-
- ec KRBET_TKT_FIL_LCK,
- "Couldn't lock ticket file (tf_util)"
-
- ec KRBET_TKT_FIL_FMT,
- "Bad ticket file format (tf_util)"
-
- ec KRBET_TKT_FIL_INI,
- "tf_init not called before reading from ticket file (tf_util)"
-
- ec KRBET_KNAME_FMT,
- "Bad Kerberos name format (kname_parse)"
-
- ec KRBET_RES82,
- "Reserved error message 82"
-
- ec KRBET_RES83,
- "Reserved error message 83"
-
- ec KRBET_RES84,
- "Reserved error message 84"
-
- ec KRBET_RES85,
- "Reserved error message 85"
-
- ec KRBET_RES86,
- "Reserved error message 86"
-
- ec KRBET_RES87,
- "Reserved error message 87"
-
- ec KRBET_RES88,
- "Reserved error message 88"
-
- ec KRBET_RES89,
- "Reserved error message 89"
-
- ec KRBET_RES90,
- "Reserved error message 90"
-
- ec KRBET_RES91,
- "Reserved error message 91"
-
- ec KRBET_RES92,
- "Reserved error message 92"
-
- ec KRBET_RES93,
- "Reserved error message 93"
-
- ec KRBET_RES94,
- "Reserved error message 94"
-
- ec KRBET_RES95,
- "Reserved error message 95"
-
- ec KRBET_RES96,
- "Reserved error message 96"
-
- ec KRBET_RES97,
- "Reserved error message 97"
-
- ec KRBET_RES98,
- "Reserved error message 98"
-
- ec KRBET_RES99,
- "Reserved error message 99"
-
- ec KRBET_RES100,
- "Reserved error message 100"
-
- ec KRBET_RES101,
- "Reserved error message 101"
-
- ec KRBET_RES102,
- "Reserved error message 102"
-
- ec KRBET_RES103,
- "Reserved error message 103"
-
- ec KRBET_RES104,
- "Reserved error message 104"
-
- ec KRBET_RES105,
- "Reserved error message 105"
-
- ec KRBET_RES106,
- "Reserved error message 106"
-
- ec KRBET_RES107,
- "Reserved error message 107"
-
- ec KRBET_RES108,
- "Reserved error message 108"
-
- ec KRBET_RES109,
- "Reserved error message 109"
-
- ec KRBET_RES110,
- "Reserved error message 110"
-
- ec KRBET_RES111,
- "Reserved error message 111"
-
- ec KRBET_RES112,
- "Reserved error message 112"
-
- ec KRBET_RES113,
- "Reserved error message 113"
-
- ec KRBET_RES114,
- "Reserved error message 114"
-
- ec KRBET_RES115,
- "Reserved error message 115"
-
- ec KRBET_RES116,
- "Reserved error message 116"
-
- ec KRBET_RES117,
- "Reserved error message 117"
-
- ec KRBET_RES118,
- "Reserved error message 118"
-
- ec KRBET_RES119,
- "Reserved error message 119"
-
- ec KRBET_RES120,
- "Reserved error message 120"
-
- ec KRBET_RES121,
- "Reserved error message 121"
-
- ec KRBET_RES122,
- "Reserved error message 122"
-
- ec KRBET_RES123,
- "Reserved error message 123"
-
- ec KRBET_RES124,
- "Reserved error message 124"
-
- ec KRBET_RES125,
- "Reserved error message 125"
-
- ec KRBET_RES126,
- "Reserved error message 126"
-
- ec KRBET_RES127,
- "Reserved error message 127"
-
- ec KRBET_RES128,
- "Reserved error message 128"
-
- ec KRBET_RES129,
- "Reserved error message 129"
-
- ec KRBET_RES130,
- "Reserved error message 130"
-
- ec KRBET_RES131,
- "Reserved error message 131"
-
- ec KRBET_RES132,
- "Reserved error message 132"
-
- ec KRBET_RES133,
- "Reserved error message 133"
-
- ec KRBET_RES134,
- "Reserved error message 134"
-
- ec KRBET_RES135,
- "Reserved error message 135"
-
- ec KRBET_RES136,
- "Reserved error message 136"
-
- ec KRBET_RES137,
- "Reserved error message 137"
-
- ec KRBET_RES138,
- "Reserved error message 138"
-
- ec KRBET_RES139,
- "Reserved error message 139"
-
- ec KRBET_RES140,
- "Reserved error message 140"
-
- ec KRBET_RES141,
- "Reserved error message 141"
-
- ec KRBET_RES142,
- "Reserved error message 142"
-
- ec KRBET_RES143,
- "Reserved error message 143"
-
- ec KRBET_RES144,
- "Reserved error message 144"
-
- ec KRBET_RES145,
- "Reserved error message 145"
-
- ec KRBET_RES146,
- "Reserved error message 146"
-
- ec KRBET_RES147,
- "Reserved error message 147"
-
- ec KRBET_RES148,
- "Reserved error message 148"
-
- ec KRBET_RES149,
- "Reserved error message 149"
-
- ec KRBET_RES150,
- "Reserved error message 150"
-
- ec KRBET_RES151,
- "Reserved error message 151"
-
- ec KRBET_RES152,
- "Reserved error message 152"
-
- ec KRBET_RES153,
- "Reserved error message 153"
-
- ec KRBET_RES154,
- "Reserved error message 154"
-
- ec KRBET_RES155,
- "Reserved error message 155"
-
- ec KRBET_RES156,
- "Reserved error message 156"
-
- ec KRBET_RES157,
- "Reserved error message 157"
-
- ec KRBET_RES158,
- "Reserved error message 158"
-
- ec KRBET_RES159,
- "Reserved error message 159"
-
- ec KRBET_RES160,
- "Reserved error message 160"
-
- ec KRBET_RES161,
- "Reserved error message 161"
-
- ec KRBET_RES162,
- "Reserved error message 162"
-
- ec KRBET_RES163,
- "Reserved error message 163"
-
- ec KRBET_RES164,
- "Reserved error message 164"
-
- ec KRBET_RES165,
- "Reserved error message 165"
-
- ec KRBET_RES166,
- "Reserved error message 166"
-
- ec KRBET_RES167,
- "Reserved error message 167"
-
- ec KRBET_RES168,
- "Reserved error message 168"
-
- ec KRBET_RES169,
- "Reserved error message 169"
-
- ec KRBET_RES170,
- "Reserved error message 170"
-
- ec KRBET_RES171,
- "Reserved error message 171"
-
- ec KRBET_RES172,
- "Reserved error message 172"
-
- ec KRBET_RES173,
- "Reserved error message 173"
-
- ec KRBET_RES174,
- "Reserved error message 174"
-
- ec KRBET_RES175,
- "Reserved error message 175"
-
- ec KRBET_RES176,
- "Reserved error message 176"
-
- ec KRBET_RES177,
- "Reserved error message 177"
-
- ec KRBET_RES178,
- "Reserved error message 178"
-
- ec KRBET_RES179,
- "Reserved error message 179"
-
- ec KRBET_RES180,
- "Reserved error message 180"
-
- ec KRBET_RES181,
- "Reserved error message 181"
-
- ec KRBET_RES182,
- "Reserved error message 182"
-
- ec KRBET_RES183,
- "Reserved error message 183"
-
- ec KRBET_RES184,
- "Reserved error message 184"
-
- ec KRBET_RES185,
- "Reserved error message 185"
-
- ec KRBET_RES186,
- "Reserved error message 186"
-
- ec KRBET_RES187,
- "Reserved error message 187"
-
- ec KRBET_RES188,
- "Reserved error message 188"
-
- ec KRBET_RES189,
- "Reserved error message 189"
-
- ec KRBET_RES190,
- "Reserved error message 190"
-
- ec KRBET_RES191,
- "Reserved error message 191"
-
- ec KRBET_RES192,
- "Reserved error message 192"
-
- ec KRBET_RES193,
- "Reserved error message 193"
-
- ec KRBET_RES194,
- "Reserved error message 194"
-
- ec KRBET_RES195,
- "Reserved error message 195"
-
- ec KRBET_RES196,
- "Reserved error message 196"
-
- ec KRBET_RES197,
- "Reserved error message 197"
-
- ec KRBET_RES198,
- "Reserved error message 198"
-
- ec KRBET_RES199,
- "Reserved error message 199"
-
- ec KRBET_RES200,
- "Reserved error message 200"
-
- ec KRBET_RES201,
- "Reserved error message 201"
-
- ec KRBET_RES202,
- "Reserved error message 202"
-
- ec KRBET_RES203,
- "Reserved error message 203"
-
- ec KRBET_RES204,
- "Reserved error message 204"
-
- ec KRBET_RES205,
- "Reserved error message 205"
-
- ec KRBET_RES206,
- "Reserved error message 206"
-
- ec KRBET_RES207,
- "Reserved error message 207"
-
- ec KRBET_RES208,
- "Reserved error message 208"
-
- ec KRBET_RES209,
- "Reserved error message 209"
-
- ec KRBET_RES210,
- "Reserved error message 210"
-
- ec KRBET_RES211,
- "Reserved error message 211"
-
- ec KRBET_RES212,
- "Reserved error message 212"
-
- ec KRBET_RES213,
- "Reserved error message 213"
-
- ec KRBET_RES214,
- "Reserved error message 214"
-
- ec KRBET_RES215,
- "Reserved error message 215"
-
- ec KRBET_RES216,
- "Reserved error message 216"
-
- ec KRBET_RES217,
- "Reserved error message 217"
-
- ec KRBET_RES218,
- "Reserved error message 218"
-
- ec KRBET_RES219,
- "Reserved error message 219"
-
- ec KRBET_RES220,
- "Reserved error message 220"
-
- ec KRBET_RES221,
- "Reserved error message 221"
-
- ec KRBET_RES222,
- "Reserved error message 222"
-
- ec KRBET_RES223,
- "Reserved error message 223"
-
- ec KRBET_RES224,
- "Reserved error message 224"
-
- ec KRBET_RES225,
- "Reserved error message 225"
-
- ec KRBET_RES226,
- "Reserved error message 226"
-
- ec KRBET_RES227,
- "Reserved error message 227"
-
- ec KRBET_RES228,
- "Reserved error message 228"
-
- ec KRBET_RES229,
- "Reserved error message 229"
-
- ec KRBET_RES230,
- "Reserved error message 230"
-
- ec KRBET_RES231,
- "Reserved error message 231"
-
- ec KRBET_RES232,
- "Reserved error message 232"
-
- ec KRBET_RES233,
- "Reserved error message 233"
-
- ec KRBET_RES234,
- "Reserved error message 234"
-
- ec KRBET_RES235,
- "Reserved error message 235"
-
- ec KRBET_RES236,
- "Reserved error message 236"
-
- ec KRBET_RES237,
- "Reserved error message 237"
-
- ec KRBET_RES238,
- "Reserved error message 238"
-
- ec KRBET_RES239,
- "Reserved error message 239"
-
- ec KRBET_RES240,
- "Reserved error message 240"
-
- ec KRBET_RES241,
- "Reserved error message 241"
-
- ec KRBET_RES242,
- "Reserved error message 242"
-
- ec KRBET_RES243,
- "Reserved error message 243"
-
- ec KRBET_RES244,
- "Reserved error message 244"
-
- ec KRBET_RES245,
- "Reserved error message 245"
-
- ec KRBET_RES246,
- "Reserved error message 246"
-
- ec KRBET_RES247,
- "Reserved error message 247"
-
- ec KRBET_RES248,
- "Reserved error message 248"
-
- ec KRBET_RES249,
- "Reserved error message 249"
-
- ec KRBET_RES250,
- "Reserved error message 250"
-
- ec KRBET_RES251,
- "Reserved error message 251"
-
- ec KRBET_RES252,
- "Reserved error message 252"
-
- ec KRBET_RES253,
- "Reserved error message 253"
-
- ec KRBET_RES254,
- "Reserved error message 254"
-
- ec KRBET_KFAILURE,
- "Generic kerberos error (kfailure)"
- end
diff --git a/src/lib/krb4/kuserok.c b/src/lib/krb4/kuserok.c
deleted file mode 100644
index 84a8ebde8..000000000
--- a/src/lib/krb4/kuserok.c
+++ /dev/null
@@ -1,190 +0,0 @@
-/*
- * lib/krb4/kuserok.c
- *
- * Copyright 1987, 1988, 2007 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * kuserok: check if a kerberos principal has
- * access to a local account
- */
-
-#include "krb.h"
-
-#if !defined(_WIN32)
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include "autoconf.h"
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#ifdef __SCO__
-/* just for F_OK for sco */
-#include
-#endif
-#include "k5-platform.h"
-
-#ifndef HAVE_SETEUID
-#ifdef HAVE_SETRESUID
-#define seteuid(e) setresuid(-1,e,-1)
-#define setegid(e) setresgid(-1,e,-1)
-#endif
-#endif
-
-#define OK 0
-#define NOTOK 1
-#define MAX_USERNAME 10
-
-/*
- * Given a Kerberos principal "kdata", and a local username "luser",
- * determine whether user is authorized to login according to the
- * authorization file ("~luser/.klogin" by default). Returns OK
- * if authorized, NOTOK if not authorized.
- *
- * If there is no account for "luser" on the local machine, returns
- * NOTOK. If there is no authorization file, and the given Kerberos
- * name "kdata" translates to the same name as "luser" (using
- * krb_kntoln()), returns OK. Otherwise, if the authorization file
- * can't be accessed, returns NOTOK. Otherwise, the file is read for
- * a matching principal name, instance, and realm. If one is found,
- * returns OK, if none is found, returns NOTOK.
- *
- * The file entries are in the format:
- *
- * name.instance@realm
- *
- * one entry per line.
- *
- */
-
-int KRB5_CALLCONV
-kuserok(kdata, luser)
- AUTH_DAT *kdata;
- char *luser;
-{
- struct stat sbuf;
- struct passwd *pwd;
- char pbuf[MAXPATHLEN];
- int isok = NOTOK, rc;
- FILE *fp;
- char kuser[MAX_USERNAME];
- char principal[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
- char linebuf[BUFSIZ];
- char *newline;
- int gobble;
-
- /* no account => no access */
- if ((pwd = getpwnam(luser)) == NULL) {
- return(NOTOK);
- }
- if (strlen (pwd->pw_dir) + sizeof ("/.klogin") >= sizeof (pbuf))
- return NOTOK;
- (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
- pbuf[sizeof(pbuf) - 1] = '\0';
- (void) strncat(pbuf, "/.klogin", sizeof(pbuf) - 1 - strlen(pbuf));
-
- if (access(pbuf, F_OK)) { /* not accessible */
- /*
- * if he's trying to log in as himself, and there is no .klogin file,
- * let him. To find out, call
- * krb_kntoln to convert the triple in kdata to a name which we can
- * string compare.
- */
- if (!krb_kntoln(kdata, kuser) && (strcmp(kuser, luser) == 0)) {
- return(OK);
- }
- }
- /* open ~/.klogin */
- if ((fp = fopen(pbuf, "r")) == NULL) {
- /* however, root might not have enough access, so temporarily switch
- * over to the user's uid, try the access again, and switch back
- */
- if(getuid() == 0) {
- uid_t old_euid = geteuid();
- if (seteuid(pwd->pw_uid) < 0)
- return NOTOK;
- fp = fopen(pbuf, "r");
- if (seteuid(old_euid) < 0)
- return NOTOK;
- if ((fp) == NULL) {
- return(NOTOK);
- }
- } else {
- return(NOTOK);
- }
- }
- set_cloexec_file(fp);
- /*
- * security: if the user does not own his own .klogin file,
- * do not grant access
- */
- if (fstat(fileno(fp), &sbuf)) {
- fclose(fp);
- return(NOTOK);
- }
- /*
- * however, allow root to own the .klogin file, to allow creative
- * access management schemes.
- */
- if (sbuf.st_uid && (sbuf.st_uid != pwd->pw_uid)) {
- fclose(fp);
- return(NOTOK);
- }
-
- /* check each line */
- while ((isok != OK) && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
- /* null-terminate the input string */
- linebuf[BUFSIZ-1] = '\0';
- newline = NULL;
- /* nuke the newline if it exists */
- if ((newline = strchr(linebuf, '\n')))
- *newline = '\0';
-
- /* Default the fields (default realm is filled in later) */
- principal[0] = '\0';
- inst[0] = '\0';
- realm[0] = '\0';
- rc = kname_parse(principal, inst, realm, linebuf);
- if (rc == KSUCCESS) {
- if (realm[0] == '\0') {
- rc = krb_get_lrealm(realm, 1);
- if (rc != KSUCCESS)
- goto nextline;
- }
- isok = (strncmp(kdata->pname, principal, ANAME_SZ) ||
- strncmp(kdata->pinst, inst, INST_SZ) ||
- strncmp(kdata->prealm, realm, REALM_SZ));
- }
- nextline:
- /* clean up the rest of the line if necessary */
- if (!newline)
- while (((gobble = getc(fp)) != EOF) && gobble != '\n');
- }
- fclose(fp);
- return(isok);
-}
-
-#endif
diff --git a/src/lib/krb4/libkrb4.exports b/src/lib/krb4/libkrb4.exports
deleted file mode 100644
index acb11698b..000000000
--- a/src/lib/krb4/libkrb4.exports
+++ /dev/null
@@ -1,157 +0,0 @@
-__krb_sendauth_hidden_tkt_len
-ad_print
-afs_passwd_to_key
-cr_err_reply
-create_auth_reply
-create_ciph
-decomp_ticket
-decomp_tkt_krb5
-dest_tkt
-et_kadm_error_table
-et_krb_error_table
-fgetst
-get_ad_tkt
-get_pw_tkt
-get_service_key
-getst
-in_tkt
-initialize_kadm_error_table
-initialize_krb_error_table
-k_gethostname
-k_isinst
-k_isname
-k_isrealm
-kadm_build_field_header
-kadm_check_field_header
-kadm_cli_conn
-kadm_cli_disconn
-kadm_cli_keyd
-kadm_cli_out
-kadm_cli_send
-kadm_init_link
-kadm_stream_to_vals
-kadm_stv_char
-kadm_stv_long
-kadm_stv_short
-kadm_stv_string
-kadm_vals_to_stream
-kadm_vts_char
-kadm_vts_long
-kadm_vts_short
-kadm_vts_string
-klog
-kname_parse
-kname_unparse
-krb4int_address_less
-krb4int_et_fini
-krb4int_et_init
-krb4int_save_credentials_addr
-krb4int_send_to_kdc_addr
-krb4int_strnlen
-krb4prot_decode_ciph
-krb4prot_decode_error
-krb4prot_decode_header
-krb4prot_decode_kdc_reply
-krb4prot_decode_kdc_request
-krb4prot_decode_naminstrlm
-krb4prot_encode_apreq
-krb4prot_encode_authent
-krb4prot_encode_ciph
-krb4prot_encode_err_reply
-krb4prot_encode_kdc_reply
-krb4prot_encode_kdc_request
-krb4prot_encode_naminstrlm
-krb4prot_encode_tkt
-krb54_get_service_keyblock
-krb5__krb4_context
-krb5_passwd_to_key
-krb__get_cnffile
-krb__get_realmsfile
-krb__get_srvtabname
-krb_ap_req_debug
-krb_change_password
-krb_check_auth
-krb_clear_key_krb5
-krb_cr_tkt_krb5
-krb_create_ticket
-krb_debug
-krb_end_session
-krb_err_txt
-krb_free_preauth
-krb_get_admhst
-krb_get_cred
-krb_get_default_user
-krb_get_err_text
-krb_get_in_tkt
-krb_get_in_tkt_creds
-krb_get_in_tkt_preauth
-krb_get_in_tkt_preauth_creds
-krb_get_keyprocs
-krb_get_kpasswdhst
-krb_get_krbhst
-krb_get_lrealm
-krb_get_phost
-krb_get_profile
-krb_get_pw_in_tkt
-krb_get_pw_in_tkt_creds
-krb_get_pw_in_tkt_preauth
-krb_get_svc_in_tkt
-krb_get_svc_in_tkt_preauth
-krb_get_tf_fullname
-krb_get_tf_realm
-krb_get_ticket_for_service
-krb_ignore_ip_address
-krb_in_tkt
-krb_kntoln
-krb_life_to_time
-krb_log
-krb_mk_auth
-krb_mk_err
-krb_mk_preauth
-krb_mk_priv
-krb_mk_req
-krb_mk_req_creds
-krb_mk_safe
-krb_net_rd_sendauth
-krb_net_read
-krb_net_write
-krb_rd_err
-krb_rd_preauth
-krb_rd_priv
-krb_rd_req
-krb_rd_req_int
-krb_rd_safe
-krb_realmofhost
-krb_recvauth
-krb_save_credentials
-krb_sendauth
-krb_set_default_user
-krb_set_key
-krb_set_key_krb5
-krb_set_lifetime
-krb_set_logfile
-krb_set_tkt_string
-krb_start_session
-krb_stime
-krb_svc_init
-krb_svc_init_preauth
-krb_time_to_life
-kset_logfile
-kuserok
-mit_passwd_to_key
-month_sname
-pkt_cipher
-pkt_clen
-private_msg_ver
-put_svc_key
-read_service_key
-send_to_kdc
-swap_bytes
-tf_close
-tf_get_cred
-tf_get_pinst
-tf_get_pname
-tf_init
-tf_save_cred
-tkt_string
-unix_time_gmt_unixsec
diff --git a/src/lib/krb4/lifetime.c b/src/lib/krb4/lifetime.c
deleted file mode 100644
index 826e090df..000000000
--- a/src/lib/krb4/lifetime.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "krb.h"
-#include "k5-int.h"
-
-/*
- * krb_life_to_time
- *
- * Given a start date and a lifetime byte, compute the expiration
- * date.
- */
-KRB4_32 KRB5_CALLCONV
-krb_life_to_time(KRB4_32 start, int life)
-{
- krb5int_access k5internals;
-
- if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
- || k5internals.krb_life_to_time == NULL)
- return start;
- return k5internals.krb_life_to_time(start, life);
-}
-
-/*
- * krb_time_to_life
- *
- * Given the start date and the end date, compute the lifetime byte.
- * Round up, since we can adjust the start date backwards if we are
- * issuing the ticket to cause it to expire at the correct time.
- */
-int KRB5_CALLCONV
-krb_time_to_life(KRB4_32 start, KRB4_32 end)
-{
- krb5int_access k5internals;
-
- if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
- || k5internals.krb_time_to_life == NULL)
- return 0;
- return k5internals.krb_time_to_life(start, end);
-}
diff --git a/src/lib/krb4/log.c b/src/lib/krb4/log.c
deleted file mode 100644
index 5be69eaf5..000000000
--- a/src/lib/krb4/log.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * lib/krb4/log.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2007 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#ifdef KRB_CRYPT_DEBUG
-/* This file used to contain log() and set_logfile(). If you define
- KRB_CRYPT_DEBUG, you'll need to define those to point to krb_log and
- krb_set_logfile, or change all the invokers. */
-#endif
-
-#include "krb.h"
-#include "autoconf.h"
-#ifdef HAVE_TIME_H
-#include
-#endif
-#if !defined(VMS) && !defined(_WIN32)
-#include
-#endif
-#include
-#include
-
-#include "krb4int.h"
-#include
-#include "k5-platform.h"
-
-static char *log_name = KRBLOG;
-#if 0
-static is_open;
-#endif
-
-/*
- * This file contains three logging routines: set_logfile()
- * to determine the file that log entries should be written to;
- * and log() and new_log() to write log entries to the file.
- */
-
-/*
- * krb_log() is used to add entries to the logfile (see krb_set_logfile()
- * below). Note that it is probably not portable since it makes
- * assumptions about what the compiler will do when it is called
- * with less than the correct number of arguments which is the
- * way it is usually called.
- *
- * The log entry consists of a timestamp and the given arguments
- * printed according to the given "format".
- *
- * The log file is opened and closed for each log entry.
- *
- * The return value is undefined.
- */
-
-void krb_log(const char *format,...)
-{
- FILE *logfile;
- time_t now;
- struct tm *tm;
- va_list args;
-
- va_start(args, format);
-
- if ((logfile = fopen(log_name,"a")) != NULL) {
- set_cloexec_file(logfile);
- (void) time(&now);
- tm = localtime(&now);
-
- fprintf(logfile,"%2d-%s-%d %02d:%02d:%02d ",tm->tm_mday,
- month_sname(tm->tm_mon + 1),1900+tm->tm_year,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
- vfprintf(logfile,format,args);
- fprintf(logfile,"\n");
- (void) fclose(logfile);
- }
- va_end(args);
- return;
-}
-
-/*
- * krb_set_logfile() changes the name of the file to which
- * messages are logged. If krb_set_logfile() is not called,
- * the logfile defaults to KRBLOG, defined in "krb.h".
- */
-
-void
-krb_set_logfile(filename)
- char *filename;
-{
- log_name = filename;
-#if 0
- is_open = 0;
-#endif
-}
-
-#if 0
-/*
- * new_log() appends a log entry containing the give time "t" and the
- * string "string" to the logfile (see set_logfile() above). The file
- * is opened once and left open. The routine returns 1 on failure, 0
- * on success.
- */
-
-krb_new_log(t,string)
- long t;
- char *string;
-{
- static FILE *logfile;
-
- struct tm *tm;
-
- if (!is_open) {
- if ((logfile = fopen(log_name,"a")) == NULL) return(1);
- set_cloexec_file(logfile);
- is_open = 1;
- }
-
- if (t) {
- tm = localtime(&t);
-
- fprintf(logfile,"\n%2d-%s-%d %02d:%02d:%02d %s",tm->tm_mday,
- month_sname(tm->tm_mon + 1),1900+tm->tm_year,
- tm->tm_hour, tm->tm_min, tm->tm_sec, string);
- }
- else {
- fprintf(logfile,"\n%20s%s","",string);
- }
-
- (void) fflush(logfile);
- return(0);
-}
-#endif
diff --git a/src/lib/krb4/mac_glue.c b/src/lib/krb4/mac_glue.c
deleted file mode 100644
index 77d11c2cc..000000000
--- a/src/lib/krb4/mac_glue.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * mac_glue.c
- *
- * Copyright 1989 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- *
- * Macintosh ooperating system interface for Kerberos.
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-
-/* Mac Cincludes */
-#include
-#include
-
-/* FIXME! swab should be swapping, but for initial test, don't bother. */
-
-void swab(char *from, char *to, int nbytes) {}
-
-mymemset( void *s, register int c, register size_t n )
-{
- // written because memset doesn't work in think C (ARGGGG!!!!!!)
- register char *j = s;
- while( n-- )
- *j++ = c;
-}
-
-int INTERFACE
-krb_start_session (x)
- char *x;
-{
- return KSUCCESS;
-}
-
-int INTERFACE
-krb_end_session (x)
- char *x;
-{
- return KSUCCESS;
-}
-
-/* FIXME: These stubs should go away. */
-int read() {return 0;}
-int write () {return 0;}
-int krb_ignore_ip_address = 0;
diff --git a/src/lib/krb4/mac_store.c b/src/lib/krb4/mac_store.c
deleted file mode 100644
index 262ba58bd..000000000
--- a/src/lib/krb4/mac_store.c
+++ /dev/null
@@ -1,731 +0,0 @@ -/* - * mac_store.c - * - * Kerberos configuration store - * Originally coded by Tim Miller / Brown University as KRB_Store.c - * Mods 1/92 By Peter Bosanko - * - * Modified May-June 1994 by Julia Menapace and John Gilmore - * of Cygnus Support. - * - * This file incorporates replacements for the Unix files - * g_admhst.c, g_krbhst.c, realmofhost.c, and g_krbrlm.c. - */ - -/* Headers from in_tkt.c, merged in by gnu FIXME */ -#include - -/* Headers from store.c from KClient */ -#include -#include -#include -#include -#include -#include -#include - -#include "krb.h" -#include "mac_store.h" /* includes memcache.h */ -#include "krb_driver.h" - -#define prefname "\pKerberos Client Preferences" -const OSType preftype = 'PREF'; -const OSType prefcrea = 'krbL'; -const OSType unametype = 'UNam'; -const OSType lrealmtype = 'LRlm'; -const OSType templatetype = 'TMPL'; -const OSType realmmaptype = 'RMap'; -const OSType servermaptype = 'SMap'; -#define kNumTemplates 4 -#define kFirstTemplate 128 -#define kMapResNum 1024 - - -/* Lower level routines and data structures */ - - -/* Need to check this in each high-level routine, and call init_store - if not set. */ -static int initialized_store = 0; - -static char fLRealm[REALM_SZ] = ""; -static Handle fRealmMap = 0; -static Handle fServerMap = 0; -static short fPrefVRefNum; -static long fPrefDirID; -OSErr fConstructErr = -1; - -/* Current default user name (for prompts, etc). */ - -static char gUserName[MAX_K_NAME_SZ]; - - -/* Routines for dealing with the realm versus host database */ - -/* - * krb_get_admhst - * - * Given a Kerberos realm, find a host on which the Kerberos database - * administration server can be found. 
- * - * krb_get_admhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer n, and - * returns (in h) the nth administrative host entry from the configuration - * file (KRB_CONF, defined in "krb.h") associated with the specified realm. - * If ATHENA_CONF_FALLBACK is defined, also look in old location. - * - * On error, get_admhst returns KFAILURE. If all goes well, the routine - * returns KSUCCESS. - * - * For the format of the KRB_CONF file, see comments describing the routine - * krb_get_krbhst(). - * - * This is a temporary hack to allow us to find the nearest system running - * a Kerberos admin server. In the long run, this functionality will be - * provided by a nameserver. (HAH!) - */ -int -krb_get_admhst (h, r, n) - char *h; - char *r; - int n; -{ - if (!initialized_store) - if (init_store()) - return KFAILURE; - if(GetNthServer(n, r, 1, h)) return KFAILURE; - else return KSUCCESS; -} - -/* - * Given a Kerberos realm, find a host on which the Kerberos authenti- - * cation server can be found. - * - * krb_get_krbhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer, n, and - * returns (in h) the nth entry from the configuration information - * associated with the specified realm. - * - * If no info is found, krb_get_krbhst returns KFAILURE. If n=1 and the - * configuration file does not exist, krb_get_krbhst will return KRB_HOST - * (defined in "krb.h"). If all goes well, the routine returnes - * KSUCCESS. - * - * This is a temporary hack to allow us to find the nearest system running - * kerberos. In the long run, this functionality will be provided by a - * nameserver. (AH SO!) 
- */ -int krb_get_krbhst(h, r, n) - char *h; - char *r; - int n; -{ - if (!initialized_store) - if (init_store()) - return KFAILURE; - if (GetNthServer(n, r, 0, h)) return KFAILURE; - else return KSUCCESS; -} - - -/* - * krb_get_lrealm takes a pointer to a string, and a number, n. It fills - * in the string, r, with the name of the local realm specified in - * the local Kerberos configuration. - * It returns 0 (KSUCCESS) on success, and KFAILURE on failure. If the - * config info does not exist, and if n=1, a successful return will occur - * with r = KRB_REALM (also defined in "krb.h"). [FIXME -- not implem.] - * - * NOTE: for archaic & compatibility reasons, this routine will only return - * valid results when n = 1. - */ - -int krb_get_lrealm(char *r, int n) -{ - if (!initialized_store) - if (init_store()) - return KFAILURE; - if (n != 1) - return KFAILURE; - if (GetLocalRealm(r)) - return KFAILURE; - return KSUCCESS; -} - - -/* - * krb_realmofhost. - * Given a fully-qualified domain-style primary host name, - * return the name of the Kerberos realm for the host. - * If the hostname contains no discernable domain, or an error occurs, - * return the local realm name, as supplied by get_krbrlm(). - * If the hostname contains a domain, but no translation is found, - * the hostname's domain is converted to upper-case and returned. - * - * In the database, - * domain_name should be of the form .XXX.YYY (e.g. .LCS.MIT.EDU) - * host names should be in the usual form (e.g. 
FOO.BAR.BAZ) - */ - -char *krb_realmofhost(char *host) -{ - static char realm[REALM_SZ]; - - if (!initialized_store) - if (init_store()) - return 0; - - /* Store realm string through REALM pointer arg */ - GetRealm(host, realm); - return realm; -} - - -char * INTERFACE -krb_get_default_user (void) -{ - if (!initialized_store) - if (init_store()) - return 0; - - return gUserName; -} - - -int INTERFACE -krb_set_default_user (uName) - char* uName; -{ - if (!initialized_store) - if (init_store()) - return KFAILURE; - - if( strcmp( gUserName, uName ) != 0 ) { - strcpy( gUserName, uName ); - if (WriteUser() != 0) - return KFAILURE; - } - return KSUCCESS; -} - - - -void GetPrefsFolder(short *vRefNumP, long *dirIDP) -{ - Boolean hasFolderMgr = false; - long feature; -/* - FIXME Error: Ô_GestaltDispatchÕ has not been declared - not needed now? - jcm - if (TrapAvailable(_GestaltDispatch)) -*/ - if (Gestalt(gestaltFindFolderAttr, &feature) == noErr) hasFolderMgr = true; - if (!hasFolderMgr) { - GetSystemFolder(vRefNumP, dirIDP); - return; - } - else { - if (FindFolder(kOnSystemDisk, kPreferencesFolderType, kDontCreateFolder, vRefNumP, dirIDP) != noErr) { - *vRefNumP = 0; - *dirIDP = 0; - } - } - } - - -/* - init_store() is used to initialize the config store. It opens the - driver preferences file and reads the local realm, user name, and - realm and server maps from resources in the prefs file into driver - storage. If the preferences file doesn't exist, init_store creates it. - Returns 0 on success, or 1 if something goes wrong. - */ -int -init_store() -{ - short refnum; - Handle temp; - int hasPrefFile; - - /* If a prefs file exists, load from it, otherwise load defaults from self */ - GetPrefsFolder(&fPrefVRefNum, &fPrefDirID); - refnum = HOpenResFile(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, fsRdPerm); - hasPrefFile = (refnum != -1); // did we open it? 
- - temp = GetResource(lrealmtype, kMapResNum); - if(ResError() || !temp) { - if(refnum != -1) CloseResFile(refnum); - fConstructErr = cKrbCorruptedFile; - return 1; - } - strcpy(fLRealm, *temp); - ReleaseResource(temp); - - temp = GetResource(unametype, kMapResNum); - if(ResError() || !temp) { - if(refnum != -1) CloseResFile(refnum); - fConstructErr = cKrbCorruptedFile; - return 1; - } - strcpy(gUserName, *temp); - ReleaseResource(temp); - - fRealmMap = GetResource(realmmaptype, kMapResNum); - if(ResError() || !fRealmMap) { - if(refnum != -1) CloseResFile(refnum); - *fLRealm = 0; - fConstructErr = cKrbCorruptedFile; - return 1; - } - DetachResource(fRealmMap); - - fServerMap = GetResource(servermaptype, kMapResNum); - if(ResError() || !fServerMap) { - if(refnum != -1) CloseResFile(refnum); - *fLRealm = 0; - DisposeHandle(fRealmMap); - fRealmMap = 0; - fConstructErr = cKrbCorruptedFile; - return 1; - } - DetachResource(fServerMap); - - if(refnum != -1) CloseResFile(refnum); - fConstructErr = noErr; - - if (!hasPrefFile) { - fConstructErr = CreatePrefFile(); // make prefs file if we need to - } - - initialized_store = 1; - return 0; -} - - -/****************Private routines******************/ - -OSErr OpenPrefsFile(short *refnum) -{ - *refnum = HOpenResFile(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, fsRdWrPerm); - - if(ResError()) { /* doesn't exist, create it */ - FInfo fndrinfo; - - HCreateResFile(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname); - if(ResError()) { - return ResError(); - } - *refnum = HOpenResFile(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, fsRdWrPerm); - if(ResError()) { - return ResError(); - } - HGetFInfo(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, &fndrinfo); - fndrinfo.fdCreator = prefcrea; - fndrinfo.fdType = preftype; - HSetFInfo(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, &fndrinfo); - } - - return noErr; - } - - - -OSErr CreatePrefFile() -{ - short refnum, i; - OSErr err; - Handle tmpls[ 
kNumTemplates ]; - - // Get all the templates for ResEdit - for( i = 0; i < kNumTemplates; i++ ) { - tmpls[i] = GetResource( templatetype, kFirstTemplate + i ); - if( ResError() || !tmpls[i] ) return cKrbCorruptedFile; - } - - err = OpenPrefsFile( &refnum ); - if( err ) return err; - - // write out the templates - for( i = 0; i < kNumTemplates && !err; i++ ) { - short tmplid; - ResType theType; - Str255 resName; - - GetResInfo( tmpls[i], &tmplid, &theType, resName ); - err = WritePref( refnum, tmpls[i], templatetype, tmplid, resName ); - ReleaseResource( tmpls[i] ); - } - - if( !err ) - err = WritePref( refnum, fRealmMap, realmmaptype, kMapResNum, "\p" ); - if( !err ) - err = WritePref( refnum, fServerMap, servermaptype, kMapResNum, "\p" ); - if( !err ) - err = WritePrefStr( refnum, fLRealm, lrealmtype, kMapResNum, "\p" ); - if( !err ) - err = WritePrefStr( refnum, gUserName, unametype, kMapResNum, "\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr WriteUser() -{ - short refnum; - OSErr err; - - err = OpenPrefsFile( &refnum ); - if( err ) return err; - - err = WritePrefStr( refnum, gUserName, unametype, kMapResNum, "\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr WritePref( short refnum, Handle dataHandle, OSType mapType, short resID, Str255 resName ) -{ - OSErr err; - Handle resHandle; - - resHandle = Get1Resource( mapType, resID ); - if( !resHandle ) { // create a new resource: - resHandle = dataHandle; - err = HandToHand( &resHandle ); // copy the data handle - if( err != noErr ) return err; - - AddResource( resHandle, mapType, resID, resName ); - if( ( err = ResError() ) != noErr ) { - DisposHandle( resHandle ); - return err; - } - SetResAttrs( resHandle, resSysHeap | GetResAttrs( resHandle ) ); - } - else { /* modify an existing resource: */ - Size handleSize = GetHandleSize( dataHandle ); - SetHandleSize( resHandle, handleSize ); - if( ( err = MemError() ) != noErr ) { - 
ReleaseResource( resHandle ); - return err; - } - BlockMove( *dataHandle, *resHandle, handleSize ); - ChangedResource( resHandle ); - if( ( err = ResError() ) != noErr ) { - ReleaseResource( resHandle ); - return err; - } - } - - UpdateResFile( refnum ); - err = ResError(); - ReleaseResource( resHandle ); - return err; -} - -OSErr WritePrefStr( short refnum, char *dataString, OSType mapType, short resID, Str255 resName ) -{ - OSErr err; - Handle dataHandle; - - err = PtrToHand( dataString, &dataHandle, strlen( dataString ) + 1 ); - if( err == noErr ) { - err = WritePref( refnum, dataHandle, mapType, resID, resName ); - DisposHandle( dataHandle ); - } - return err; -} - -OSErr WriteRealmMap() -{ - short refnum; - OSErr err; - - err = OpenPrefsFile( &refnum ); - if( err ) return err; - - err = WritePref( refnum, fRealmMap, realmmaptype, kMapResNum, "\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr WriteServerMap() -{ - short refnum; - OSErr err; - - err = OpenPrefsFile(&refnum); - if( err ) return err; - - err = WritePref( refnum, fServerMap, servermaptype, kMapResNum,"\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr GetLocalRealm(char *lrealm) -{ - if (!initialized_store) - init_store(); - - strcpy(lrealm, fLRealm); - return noErr; - } - -OSErr SetLocalRealm( const char *lrealm ) -{ - short refnum; - OSErr err; - - if (!initialized_store) - init_store(); - - strcpy( fLRealm, (char *) lrealm ); - - err = OpenPrefsFile( &refnum ); - if( err ) return err; - - err = WritePrefStr( refnum, fLRealm, lrealmtype, kMapResNum, "\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr GetRealm(const char *host, char *realm) -{ - int numrealms; - char *curnetorhost, *currealm; - char *domain; - - if (!initialized_store) - init_store(); - - numrealms = *((short *)*fRealmMap); - GetLocalRealm(realm); - - domain = strchr( host, '.'); - if(!domain) return noErr; - 
- curnetorhost = (*fRealmMap) + 2; - currealm = strchr(curnetorhost, '\0') + 1; - for( ; numrealms > 0; numrealms--) { - if(!strcasecmp(curnetorhost, host)) { - strcpy(realm, currealm); - return noErr; - } - if(!strcasecmp(curnetorhost, domain)) { - strcpy(realm, currealm); - } - - if(numrealms > 1) { - curnetorhost = strchr(currealm, '\0') + 1; - currealm = strchr(curnetorhost, '\0') + 1; - } - } - - return noErr; - } - -OSErr AddRealmMap(const char *netorhost, const char *realm) -{ - int numrealms; - char *curptr; - - SetHandleSize(fRealmMap, strlen(netorhost)+1 + strlen(realm)+1 + - GetHandleSize(fRealmMap)); - if(MemError()) return MemError(); - - numrealms = ++(*((short *)*fRealmMap)); - - for(curptr = (*fRealmMap)+2; numrealms > 1; numrealms--) { - curptr = strchr(curptr, '\0') + 1; - curptr = strchr(curptr, '\0') + 1; - } - - strcpy(curptr, netorhost); - curptr = strchr(curptr, '\0') + 1; - strcpy(curptr, realm); - - return WriteRealmMap(); - } - -OSErr DeleteRealmMap(const char *netorhost) -{ - int numrealms = *((short *)*fRealmMap); - char *curptr, *fromptr, *nextptr; - - for(curptr = (*fRealmMap)+2; numrealms > 0; numrealms--) { - if(!strcasecmp(curptr, netorhost)) break; /* got it! 
*/ - - curptr = strchr(curptr, '\0') + 1; - curptr = strchr(curptr, '\0') + 1; - } - - if(numrealms == 0) return cKrbMapDoesntExist; - - *(short*)*fRealmMap -= 1; - - if(numrealms > 1) { - fromptr = strchr(curptr, '\0') + 1; - fromptr = strchr(fromptr, '\0') + 1; - } - - for( ; numrealms > 1; numrealms--) { - nextptr = strchr(fromptr, '\0') + 1; - strcpy(curptr, fromptr); - curptr = strchr(curptr, '\0') + 1; - fromptr = nextptr; - - nextptr = strchr(fromptr, '\0') + 1; - strcpy(curptr, fromptr); - curptr = strchr(curptr, '\0') + 1; - fromptr = nextptr; - } - - SetHandleSize(fRealmMap, curptr-(*fRealmMap)); - if(MemError()) return MemError(); - return WriteRealmMap(); - } - -OSErr GetNthRealmMap(const int n, char *netorhost, char *realm) -{ - int i; - char *curptr; - - if(n > *(short*)*fRealmMap) return cKrbMapDoesntExist; - - for(curptr = (*fRealmMap) + 2, i = 1; i < n; i++) { - curptr = strchr(curptr, '\0') + 1; - curptr = strchr(curptr, '\0') + 1; - } - - strcpy(netorhost, curptr); - curptr = strchr(curptr, '\0') + 1; - strcpy(realm, curptr); - - return noErr; - } - -OSErr GetNthServer(const int n, const char *realm, const int mustadmin, - char *server) -{ - int numservers = *(short*)*fServerMap, i = 0; - char *currealm, *curserver; - - currealm = (*fServerMap) + 2; - curserver = strchr(currealm, '\0') + 1 + 1; - for( ; numservers > 0; numservers--) { - if(!strcmp(currealm, realm)) { - if(!mustadmin || *(curserver-1)) i++; - if(i >= n) { - strcpy(server, curserver); - return noErr; - } - } - - if(numservers > 1) { - currealm = strchr(curserver, '\0') + 1; - curserver = strchr(currealm, '\0') + 1 + 1; - } - } - - return cKrbMapDoesntExist; - } - -OSErr AddServerMap(const char *realm, const char *server, - const int isadmin) -{ - int numservers; - char *curptr; - - SetHandleSize(fServerMap, strlen(realm)+1 + 1 + strlen(server)+1 + - GetHandleSize(fServerMap)); - if(MemError()) return MemError(); - - numservers = ++(*((short *)*fServerMap)); - - for(curptr = 
(*fServerMap)+2; numservers > 1; numservers--) { - curptr = strchr(curptr, '\0') + 1 + 1; - curptr = strchr(curptr, '\0') + 1; - } - - strcpy(curptr, realm); - curptr = strchr(curptr, '\0') + 1; - *curptr = (char) isadmin; - curptr++; - strcpy(curptr, server); - - return WriteServerMap(); - } - -OSErr DeleteServerMap(const char *realm, const char *server) -{ - int numservers = *((short *)*fServerMap); - char *curptr, *fromptr, *nextptr; - - for(curptr = (*fServerMap)+2; numservers > 0; numservers--) { - if(!strcmp(curptr, realm)) { - nextptr = strchr(curptr, '\0') + 1 + 1; - if(!strcasecmp(nextptr, server)) { - break; /* got it! */ - } - } - - curptr = strchr(curptr, '\0') + 1 + 1; - curptr = strchr(curptr, '\0') + 1; - } - - if(numservers == 0) return cKrbMapDoesntExist; - - *(short*)*fServerMap -= 1; - - if(numservers > 1) { - fromptr = strchr(curptr, '\0') + 1 + 1; - fromptr = strchr(fromptr, '\0') + 1; - } - - for( ; numservers > 1; numservers--) { - nextptr = strchr(fromptr, '\0') + 1; - strcpy(curptr, fromptr); - curptr = strchr(curptr, '\0') + 1; - fromptr = nextptr; - - *curptr = *fromptr; - curptr++; - fromptr++; - - nextptr = strchr(fromptr, '\0') + 1; - strcpy(curptr, fromptr); - curptr = strchr(curptr, '\0') + 1; - fromptr = nextptr; - } - - SetHandleSize(fServerMap, curptr-(*fServerMap)); - if(MemError()) return MemError(); - return WriteServerMap(); - } - -OSErr GetNthServerMap(const int n, char *realm, char *server, int *admin) -{ - int i; - char *curptr; - - if(n > *(short*)*fServerMap) return cKrbMapDoesntExist; - - for(curptr = (*fServerMap) + 2, i = 1; i < n; i++) { - curptr = strchr(curptr, '\0') + 1 + 1; - curptr = strchr(curptr, '\0') + 1; - } - - strcpy(realm, curptr); - curptr = strchr(curptr, '\0') + 1; - *admin = *curptr; - curptr++; - strcpy(server, curptr); - - return noErr; -} diff --git a/src/lib/krb4/mac_store.h b/src/lib/krb4/mac_store.h deleted file mode 100644 index b1652dc55..000000000 --- a/src/lib/krb4/mac_store.h +++ /dev/null 
@@ -1,56 +0,0 @@
-/*
- store.h
- Kerberos credential store
- Originally coded by Tim Miller / Brown University
- Mods 1/92 By Peter Bosanko
-
- Modified May 1994 by Julia Menapace and John Gilmore, Cygnus
- Support.
-*/
-
-#include "memcache.h"
-
-extern OSErr fConstructErr;
-
- OSErr CreatePrefFile();
- OSErr WriteUser(); /* saves gUserName to prefs file */
-
- /* Used internally... */
- OSErr WritePref(short refnum, Handle dataHandle, OSType mapType, short resID,
- Str255 resName);
- OSErr WritePrefStr(short refnum, char *dataString, OSType mapType, short resID,
- Str255 resName);
-
- /*** Realm info routines: ***/
- OSErr GetLocalRealm(char *lrealm); /* stuffs local realm in lrealm */
- OSErr SetLocalRealm(const char *lrealm); /* sets local realm */
-
- OSErr GetRealm(const char *host, char *realm); /* yields realm for given
- host's net name */
- OSErr AddRealmMap(const char *netorhost, const char *realm); /* says hosts
- with this name or in this domain (if
- begins with period) map to this realm
- (provided no more specific map is
- found) */
- OSErr DeleteRealmMap(const char *netorhost); /* deletes realm map for the
- net or net hostname */
- OSErr GetNthRealmMap(const int n, char *netorhost, char *realm); /* yields
- the Nth mapping of a net or host to
- a kerberos realm */
-
- OSErr GetNthServer(const int n, const char *realm, const int mustadmin,
- char *server); /* yields Nth (administrating if
- mustadmin is true) server for
- the given realm */
- OSErr AddServerMap(const char *realm, const char *server,
- const int isadmin); /* says this server services this
- realm (administratively if isadmin) */
- OSErr DeleteServerMap(const char *realm, const char *server); /* deletes
- the map of this realm to this server */
- OSErr GetNthServerMap(const int n, char *realm, char *server, int *admin);
- /* yields Nth realm-server mapping */
-
- OSErr OpenPrefsFile(short *refnum); /* open (create if necessary) prefs file
- for writing */
- OSErr WriteRealmMap();
- OSErr WriteServerMap();
diff --git a/src/lib/krb4/mac_stubs.c b/src/lib/krb4/mac_stubs.c
deleted file mode 100644
index 2cd1f0ac7..000000000
--- a/src/lib/krb4/mac_stubs.c
+++ /dev/null
@@ -1,525 +0,0 @@ -/* - * mac_stubs.c - * - * For copying and distribution information, please see the file - * . - * - * Macintosh oopserating system stub interface for Kerberos. - * Applications call these routines, which then call the driver to do the work. - */ - -#include "krb.h" -#include "krb_driver.h" /* Mac driver interface */ - -#include -#include -#include -#include - -/* We export the driver reference under the name mac_stubs_kdriver, - but for convenience throughout this code, we call it "kdriver", - which was its name when it was static. */ -short mac_stubs_kdriver = 0; /* .Kerberos driver ref */ -#define kdriver mac_stubs_kdriver - -ParamBlockRec pb[1]; -struct krbHiParmBlock khipb[1]; -struct krbParmBlock klopb[1]; - -short lowcall (long cscode, krbParmBlock *klopb, short kdriver) -{ - short s; - ParamBlockRec pb; - - memset (&pb, 0, sizeof(ParamBlockRec)); - *(long *)pb.cntrlParam.csParam = (long)klopb; - pb.cntrlParam.ioCompletion = nil; - pb.cntrlParam.ioCRefNum = kdriver; - pb.cntrlParam.csCode = cscode; - - if (s = PBControl(&pb, false)) - return KFAILURE; - if (s = pb.cntrlParam.ioResult) - return -(s - cKrbKerberosErrBlock); /* Restore krb err code from driver err */ - - return KSUCCESS; -} - - -short hicall (long cscode, krbHiParmBlock *khipb, short kdriver) -{ - short s; - ParamBlockRec pb; - memset(&pb, 0, sizeof(ParamBlockRec)); - *(long *)pb.cntrlParam.csParam = (long)khipb; - pb.cntrlParam.ioCompletion = nil; - pb.cntrlParam.ioCRefNum = kdriver; - - pb.cntrlParam.csCode = cscode; - if (s = PBControl(&pb, false)) - return KFAILURE; - if (s = pb.cntrlParam.ioResult) - return -(s - cKrbKerberosErrBlock); /* Restore krb err code from driver err */ - - return KSUCCESS; -} - - -int INTERFACE -krb_start_session (x) - char *x; -{ - short s; - - /* - * Open the .Kerberos driver if not already open - */ - if (!kdriver) { - s = OpenDriver("\p.Kerberos", &kdriver); - if (s) { - return KFAILURE; /* Improve this error code */ - } - } - - return 
KSUCCESS; -} - - -int INTERFACE -krb_end_session (x) - char *x; -{ - short s; - -#if 0 /* This driver doesn't want to be closed. FIXME, is this OK? */ - if (kdriver) { - s = CloseDriver(kdriver); - if (s) - return KFAILURE; - kdriver = 0; - } -#endif - return KSUCCESS; -} - - -char * INTERFACE -krb_realmofhost (host) - char *host; -{ - short s; - ParamBlockRec pb; - static char realm[REALM_SZ]; - - memset(klopb, 0, sizeof(*klopb)); - klopb->host = host; - klopb->uRealm = realm; - - /* FIXME jcm - no error handling for return value of lowcall in krb_realmofhost */ - s = lowcall (cKrbGetRealm , klopb, kdriver); - - return realm; -} - -int INTERFACE -krb_get_lrealm (realm, n) - char *realm; - int n; -{ - short s; - ParamBlockRec pb; - - if (n != 1) - return KFAILURE; - - memset(klopb, 0, sizeof(*klopb)); - klopb->uRealm = realm; - - s = lowcall (cKrbGetLocalRealm, klopb, kdriver); - return s; - -} - - -int INTERFACE -kname_parse (name, instance, realm, fullname) - char *name, *instance, *realm, *fullname; -{ - short s; - ParamBlockRec pb; - - memset(klopb, 0, sizeof(*klopb)); - klopb->uName = name; - klopb->uInstance = instance; - klopb->uRealm = realm; - klopb->fullname = fullname; - - s = lowcall (cKrbKnameParse, klopb, kdriver); - return s; -} - -const char* INTERFACE -krb_get_err_text (error_code) - int error_code; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - klopb->admin = error_code; - s = lowcall (cKrbGetErrText, klopb, kdriver); - if (s != KSUCCESS) - return "Error in get_err_text"; - return klopb->uName; -} - - -int INTERFACE -krb_get_pw_in_tkt(user,instance,realm,service,sinstance,life,password) - char *user, *instance, *realm, *service, *sinstance; - int life; - char *password; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - klopb->uName = user; - klopb->uInstance = instance; - klopb->uRealm = realm; - klopb->sName = service; - klopb->sInstance = sinstance; - klopb->admin = life; - klopb->fullname = password; - - s = lowcall (cKrbGetPwInTkt, 
klopb, kdriver); - return s; -} - - -/* FIXME: For now, we handle the preauth version exactly the same - as the non-preauth. */ -krb_get_pw_in_tkt_preauth(user,instance,realm,service,sinstance,life,password) - char *user, *instance, *realm, *service, *sinstance; - int life; - char *password; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - klopb->uName = user; - klopb->uInstance = instance; - klopb->uRealm = realm; - klopb->sName = service; - klopb->sInstance = sinstance; - klopb->admin = life; - klopb->fullname = password; - - s = lowcall (cKrbGetPwInTkt, klopb, kdriver); - return s; -} - - - -char* INTERFACE -krb_get_default_user (void) -{ - short s; - static char return_name[MAX_K_NAME_SZ]; - - memset(khipb, 0, sizeof(*khipb)); - khipb->user = return_name; - s = hicall (cKrbGetUserName, khipb, kdriver); - if (s != KSUCCESS) - return 0; - return return_name; -} - - -int INTERFACE -krb_set_default_user (uName) - char* uName; -{ - short s; - - memset(khipb, 0, sizeof(*khipb)); - khipb->user = uName; - s = hicall (cKrbSetUserName, khipb, kdriver); - return s; -} - -int INTERFACE -krb_get_cred (name, instance, realm, cr) - char *name; - char *instance; - char *realm; - CREDENTIALS *cr; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - - strcpy(cr->service, name); - strcpy(cr->instance, instance); - strcpy(cr->realm, realm); - - klopb->cred = cr; - - s = lowcall (cKrbGetCredentials, klopb, kdriver); - return s; -} - -int INTERFACE -krb_save_credentials (sname, sinstance, srealm, session, - lifetime, kvno,ticket, issue_date) - char *sname; /* service name */ - char *sinstance; /* service instance */ - char *srealm; /* service realm */ - C_Block session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT ticket; /* The ticket itself */ - long issue_date; /* The issue time */ - -{ - short s; - CREDENTIALS cr; - - strcpy(cr.service, sname); - strcpy(cr.instance, sinstance); - strcpy(cr.realm, srealm); - 
memcpy(cr.session, session, sizeof(C_Block)); - cr.lifetime = lifetime; - cr.kvno = kvno; - cr.ticket_st = *ticket; - cr.issue_date = issue_date; - - memset(klopb, 0, sizeof(*klopb)); - klopb->cred = &cr; - - s = lowcall (cKrbAddCredentials, klopb, kdriver); - return s; -} - - -int INTERFACE -krb_delete_cred (sname, sinstance, srealm) - char *sname; - char *sinstance; - char *srealm; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - - klopb->sName = sname; - klopb->sInstance = sinstance; - klopb->sRealm = srealm; - - s = lowcall (cKrbDeleteCredentials, klopb, kdriver); - return s; -} - -int INTERFACE -dest_tkt (cachename) - char *cachename; /* This parameter is ignored. */ -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - s = lowcall (cKrbDeleteAllSessions, klopb, kdriver); - return s; -} - -/* - * returns service name, service instance and realm of the nth credential. - * credential numbering is 1 based. - */ - -int INTERFACE -krb_get_nth_cred (sname, sinstance, srealm, n) - char *sname; - char *sinstance; - char *srealm; - int n; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - - klopb->sName = sname; - klopb->sInstance = sinstance; - klopb->sRealm = srealm; - klopb->itemNumber = &n; - - s = lowcall (cKrbGetNthCredentials, klopb, kdriver); - return s; -} - -/* - * Return the number of credentials in the current credential cache (ticket cache). - * On error, returns -1. 
- */ -int INTERFACE -krb_get_num_cred () -{ - int s; - int n; - - memset(klopb, 0, sizeof(*klopb)); - klopb->itemNumber = &n; - - s = lowcall (cKrbGetNumCredentials, klopb, kdriver); - if (s) - return -1; - return *(klopb->itemNumber); -} - - - -/* GetNthRealmMap - yields the Nth mapping of a net or host to a Kerberos realm - -> itemNumber which mapping, traditionally the first - -> host host or net - -> uRealm pointer to buffer that will receive realm name -*/ - -OSErr INTERFACE -GetNthRealmMap(n, netorhost, realm) - int n; - char *netorhost; - char *realm; -{ - int s; - memset(klopb, 0, sizeof(*klopb)); - klopb->itemNumber = &n; - klopb->host = netorhost; - klopb->uRealm = realm; - - s = lowcall (cKrbGetNthRealmMap, klopb, kdriver); - return s; -} - -/* GetNthServerMap - yields Nth realm-server mapping - -> itemNumber which mapping should be returned - -> uRealm pointer to buffer that will receive realm name - -> host pointer to buffer that will receive server name - -> admin pointer to admin flag - */ - -OSErr INTERFACE -GetNthServerMap(n, realm, server, admin) - int n; - char *realm; - char *server; - int *admin; -{ - int s; - memset(klopb, 0, sizeof(*klopb)); - klopb->itemNumber = &n; - klopb->uRealm = realm; - klopb->host = server; - klopb->adminReturn = admin; - - s = lowcall (cKrbGetNthServerMap, klopb, kdriver); - return s; -} - - - -/* krb_get_ticket_for_service - * Gets a ticket and returns it to application in buf - -> service Formal Kerberos name of service - -> buf Buffer to receive ticket - -> checksum checksum for this service - <-> buflen length of ticket buffer (must be at least - 1258 bytes) - <- sessionKey for internal use - <- schedule for internal use - - * Result is: - * GC_NOTKT if there is no matching TGT in the cache - * MK_AP_TGTEXP if the matching TGT is expired - * Other errors possible. These could cause a dialogue with the user - * to get a new TGT. 
- */ - -int INTERFACE -krb_get_ticket_for_service (serviceName, buf, buflen, checksum, sessionKey, - schedule, version, includeVersion) - char *serviceName; - char *buf; - unsigned KRB4_32 *buflen; - int checksum; - des_cblock sessionKey; - Key_schedule schedule; - char *version; - int includeVersion; -{ - short s; - - if (includeVersion) - return KFAILURE; /* Not implmented in the kclient driver iface */ - - memset(khipb, 0, sizeof(*khipb)); - khipb->service = serviceName; - khipb->buf = buf; - khipb->buflen = *buflen; - khipb->checksum = checksum; - - s = hicall (cKrbGetTicketForService, khipb, kdriver); - /* These are ARRAYS in the hiparmblock, for some reason! */ - memcpy (sessionKey, khipb->sessionKey, sizeof (khipb[0].sessionKey)); - memcpy (schedule, khipb->schedule, sizeof (khipb[0].schedule)); - *buflen = khipb->buflen; - return s; -} - - -/* krb_get_tf_fullname -- return name, instance and realm of the - principal in the current ticket file. The ticket file name is not - currently used for anything since there is only one credentials - cache/ticket file -*/ - -int INTERFACE -krb_get_tf_fullname (tktfile, name, instance, realm) - char *tktfile; - char *name; - char *instance; - char *realm; - -{ - short s; - memset (klopb, 0, sizeof(*klopb)); - klopb->fullname = tktfile; - klopb->uName = name; - klopb->uInstance = instance; - klopb->uRealm = realm; - - s = lowcall (cKrbGetTfFullname, klopb, kdriver); - return s; -} - - - -#if 0 - xbzero(khipb, sizeof(krbHiParmBlock)); - khipb->service = (char *)cannon; - khipb->buf = (char *)buf; /* where to build it */ - khipb->checksum = 0; - khipb->buflen = sizeof(buf); - if (s = hicall(cKrbGetTicketForService, khipb, kdriver)) - return s; - xbcopy(khipb->sessionKey, sessionKey, sizeof(sessionKey)); /* save the session key */ - /* - * cKrbGetTicketForService put a longword buffer length into the buffer - * which we don't want, so we ignore it. - * Make room for first 3 bytes which preceed the auth data. 
- */
- cp = &buf[4-3]; /* skip long, make room for 3 bytes */
- cp[0] = tp[0]; /* copy type and modifier */
- cp[1] = tp[1];
- cp[2] = KRB_AUTH; /* suboption command */
- len = khipb->buflen - sizeof(long) + 3; /* data - 4 + 3 */
-
-#endif /* 0 */
diff --git a/src/lib/krb4/mac_time.c b/src/lib/krb4/mac_time.c
deleted file mode 100644
index bec4d8f53..000000000
--- a/src/lib/krb4/mac_time.c
+++ /dev/null
@@ -1,152 +0,0 @@ -/* - * mac_time.c - * (Originally time_stuff.c) - * - * Copyright 1989 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Macintosh ooperating system interface for Kerberos. - */ - -#include "mit-copyright.h" -#include "krb.h" -#include "des.h" -#include "AddressXlation.h" /* for ip_addr */ -#include -#include - -#include /* Defines MachineLocation, used by getTimeZoneOffset */ -#include /* Defines BitTst(), called by getTimeZoneOffset() */ -#include /* Defines GetDateTime */ - -/* Mac Cincludes */ -#include -#include - - - /******************************* - The Unix epoch is 1/1/70, the Mac epoch is 1/1/04. - - 70 - 4 = 66 year differential - - Thus the offset is: - - (66 yrs) * (365 days/yr) * (24 hours/day) * (60 mins/hour) * (60 secs/min) - plus - (17 leap days) * (24 hours/day) * (60 mins/hour) * (60 secs/min) - - Don't forget the offset from GMT. - *******************************/ - - -/* returns the offset in hours between the mac local time and the GMT */ - -unsigned long -getTimeZoneOffset() -{ - MachineLocation macLocation; - long gmtDelta; - - macLocation.gmtFlags.gmtDelta=0L; - ReadLocation(&macLocation); - gmtDelta=macLocation.gmtFlags.gmtDelta & 0x00FFFFFF; - if (BitTst((void *)&gmtDelta,23L)) gmtDelta |= 0xFF000000; - gmtDelta /= 3600L; - return(gmtDelta); -} - - -/* Returns the GMT in seconds using the Unix epoch, ie. 
Net time */ - -static unsigned long -gettimeofdaynet_no_offset() -{ - time_t the_time; - - GetDateTime (&the_time); - the_time = the_time - - ((66 * 365 * 24 * 60 * 60) + - (17 * 24 * 60 * 60) + - (getTimeZoneOffset() * 60 * 60)); - return the_time; -} - - - -int -gettimeofdaynet (struct timeval *tp, struct timezone *tz) -{ - tp->tv_sec = gettimeofdaynet_no_offset(); - return 0; -} - - -#if 0 - -int -gettimeofdaynet (struct timeval *tp, struct timezone *tz) -{ - int result; - - if (!net_got_offset) - result = get_net_offset(); - else result = 0; - - time ((time_t *) &(tp->tv_sec)); - - tp->tv_sec = tp->tv_sec - (66 * 365 * 24 * 60 * 60 - + 17 * 60 * 60 * 24) + net_offset; - - return (result); -} - - -#define TIME_PORT 37 -#define TM_OFFSET 2208988800 - -/* - * - * get_net_offset () -- Use UDP time protocol to figure out the - * offset between what the Mac thinks the time is an what - * the network thinks. - * - */ -int -get_net_offset() -{ - time_t tv; - char buf[512],ts[256]; - long *nettime; - int attempts, cc, time_port; - long unixtime; - char realm[REALM_SZ]; - ip_addr fromaddr; - unsigned short fromport; - int result; - - nettime = (long *)buf; - time_port = TIME_PORT; - - cc = sizeof(buf); - result = hosts_send_recv(ts, 1, buf, &cc, "", time_port); - time (&tv); - - if (result!=KSUCCESS || cc<4) { - net_offset = 0; - if (!result) result = 100; - return result; - } - - unixtime = (long) ntohl(*nettime) - TM_OFFSET; - - tv -= 66 * 365 * 24 * 60 * 60 - + 17 * 60 * 60 * 24; /* Convert to unix time w/o offset */ - net_offset = unixtime - tv; - net_got_offset = 1; - - return 0; -} - -#endif diff --git a/src/lib/krb4/memcache.c b/src/lib/krb4/memcache.c deleted file mode 100644 index 18a74126b..000000000 --- a/src/lib/krb4/memcache.c +++ /dev/null 
@@ -1,891 +0,0 @@ -/* - * memcache.c - * - * Kerberos credential cache - * Originally coded by Tim Miller / Brown University as KRB_Store.c - * Mods 1/92 By Peter Bosanko - * - * Modified May-June 1994 by Julia Menapace and John Gilmore - * of Cygnus Support. - * - * This file incorporates replacements for the Unix files - * in_tkt.c, dest_tkt.c, tf_util.c, and tkt_string.c. - */ - -#include "krb.h" -#include "krb4int.h" -#include "autoconf.h" - -#ifdef _WIN32 -#include - -typedef DWORD OSErr; -#define noErr 0 -#define cKrbCredsDontExist 12001 -#define cKrbSessDoesntExist 12002 -#define memFullErr ENOMEM -#endif - -#ifndef unix -#ifdef _AIX -#define unix -#endif -#endif - -#ifdef unix -/* Unix interface to memory cache Mac functions. */ - -#include -#include -#ifdef HAVE_STDLIB_H -#include -#else -extern char *malloc (), *realloc (); -#endif - -typedef int OSErr; -#define noErr 0 -#define memFullErr ENOMEM - -#endif /* unix */ - -#include "memcache.h" - - -/* Lower level data structures */ - -static int fNumSessions = 0; -static Session **fSessions = 0; - -#ifndef _WIN32 -#define change_cache() -#endif - -#if defined (_WIN32) || defined (unix) -/* Fake Mac handles up for general use. */ -#define Handle char ** -#define Size int - -static OSErr memerror = noErr; - -/* - * Simulates Macintosh routine by allocating a block of memory - * and a pointer to that block of memory. If the requested block - * size is 0, then we just allocate the indirect pointer and 0 - * it, otherwise we allocate an indirect pointer and place a pointer - * to the actual allocated block in the indirect pointer location. 
- */ -Handle -NewHandleSys(s) - int s; -{ - Handle h; - - h = (char **) malloc(sizeof(char *)); - - if (h == NULL) { - memerror = memFullErr; - return (NULL); - } - - if (s > 0) { - *h = malloc(s); - - if (*h == NULL) { - free(h); - memerror = memFullErr; - return (NULL); - } - } - else - *h = NULL; - - memerror = noErr; - - return h; -} - -/* - * Frees allocated indirect pointer and the block of memory it points - * to. If the indirect pointer is NULL, then the block is considered - * to have 0 length. - */ -void -DisposHandle(h) - Handle h; -{ - if (*h != NULL) - free(*h); - free(h); -} - -/* - * Resizes a block of memory pointed to by and indirect pointer. The - * indirect pointer is updated when the block of memory is reallocated. - * If the indirect pointer is 0, then the block of memory is allocated - * rather than reallocated. If the size requested is 0, then the block - * is deallcated rather than reallocated. - */ -void -SetHandleSize(h, s) - Handle h; - int s; -{ - if (*h != NULL) { - if (s > 0) { - *h = realloc(*h, s); - if (*h == NULL) { - memerror = memFullErr; - return; - } - } - else { - free(*h); - *h = NULL; - } - } - - else { - if (s > 0) { - *h = malloc(s); - if (*h == NULL) { - memerror = memFullErr; - return; - } - } - } - - memerror = noErr; -} - -OSErr -MemError() -{ - return memerror; -} - -#endif /* Windows || unix */ - -#ifdef _WIN32 - -/* - * change_cache should be called after the cache changes. - * If the session count is > 0 it forces the DLL to stay in - * memory even after the calling program exits providing cross - * session ticket cacheing. Also a notification message is - * is posted out to all top level Windows so that they may - * recheck the cache based on the changes made. The - * krb_get_notifcation_message routine will return the - * current notificaiton message for the system which an - * application can expect to get. 
- */ -void -change_cache() -{ - char fname[260]; - static BOOL locked = FALSE; - - if (fNumSessions > 0 && !locked) { - GetModuleFileName(get_lib_instance(), fname, sizeof(fname)); - LoadLibrary(fname); - locked = TRUE; - } - - else if (fNumSessions == 0 && locked) { - FreeLibrary(get_lib_instance()); - locked = FALSE; - } - - PostMessage(HWND_BROADCAST, krb_get_notification_message(), 0, 0); -} - - -/* - * Returns a system wide unique notification message. This - * message will be broadcast to all top level windows when - * the credential cache changes. - */ -unsigned int -krb_get_notification_message(void) -{ - static UINT message = 0; - - if (message == 0) - message = RegisterWindowMessage(WM_KERBEROS_CHANGED); - - return message; -} - - -#endif /* Windows */ - - -/* The low level routines in this file are capable of storing - tickets for multiple "sessions", each led by a different - ticket-granting ticket. For now, since the top level code - doesn't know how to handle that, we are short-cutting all - that with a fixed top level identifying tag for the (one) - session supported. - - FIXME jcm - Force one named cache for now for compatibility with - Cygnus source tree. Figure out later how to access the multiple - cache functionality in KClient. - */ - -char uname[] = "Fixed User"; -char uinstance[] = "Fixed Instance"; -char urealm[] = "Fixed Realm"; - -static char curr_auth_uname [ANAME_SZ]; -static char curr_auth_uinst [INST_SZ]; - - -/* - in_tkt() is used to initialize the ticket cache. - It inits the driver's credentials storage, by deleting any tickets. - in_tkt() returns KSUCCESS on success, or KFAILURE if something goes wrong. - - User name, instance and realm are not currently being stored in - the credentials cache because currently we are forcing a single - named cache by using a fixed user name,inst,and realm in the - memcache accessor routines. - - FIXME jcm - needed while stubbing out multi-caching with fixed - user etc... 
Store currently authenticated user name and instance - in this file. We will use this information to fill out the p_user - and p_inst fields in the credential. - - FIXME jcm - more kludges: make sure default user name matches the - current credentials cache. Telnet asks for default user name. It - may have last been set to another user name programmatically or - via ResEdit. - - */ -int KRB5_CALLCONV -in_tkt(pname,pinst) - char *pname; - char *pinst; -{ - int retval; - - strncpy (curr_auth_uname, pname, ANAME_SZ); - strncpy (curr_auth_uinst, pinst, INST_SZ); - - krb_set_default_user (pname); - - retval = dest_tkt(); - if (!retval) - return retval; - else - return KSUCCESS; - -} - -int KRB5_CALLCONV -krb_in_tkt(pname, pinst, prealm) - char *pname; - char *pinst; - char *prealm; -{ - return in_tkt(pname, pinst); -} - -/* - * dest_tkt() is used to destroy the ticket store upon logout. - * If the ticket file does not exist, dest_tkt() returns RET_TKFIL. - * Otherwise the function returns RET_OK on success, KFAILURE on - * failure. - * - */ -int KRB5_CALLCONV -dest_tkt() -{ - /* - FIXME jcm - Force one named cache for now for - compatibility with Cygnus source tree. Figure out - later how to access the multiple cache functionality in - KClient. 
- */ - OSErr err; - - err = DeleteSession(uname, uinstance, urealm); - - change_cache(); - - switch(err) { - case noErr: - return RET_OK; - case cKrbSessDoesntExist: - return RET_TKFIL; - default: - return KFAILURE; - } - } - - -int dest_all_tkts() -{ - int i=0; - char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ]; - int ndeletes=0; - int err=0; - - (void) GetNumSessions(&i); - if(!i) return RET_TKFIL; - - for( ; i; i--) { - if(!GetNthSession(i, name, inst, realm)) { - if (err = DeleteSession(name, inst, realm)) - break; - ndeletes++; - } - else { - err = KFAILURE; - break; - } - } - - if (ndeletes > 0) - change_cache(); - - if (err) - return KFAILURE; - else - return KSUCCESS; - } - - -/* krb_get_tf_realm -- return the realm of the current ticket file. */ -int KRB5_CALLCONV -krb_get_tf_realm (tktfile, lrealm) - char *tktfile; - char *lrealm; /* Result stored through here */ -{ - - return krb_get_tf_fullname(tktfile, (char*) 0, (char*) 0 , lrealm); -} - - -/* krb_get_tf_fullname -- return name, instance and realm of the -principal in the current ticket file. */ -int KRB5_CALLCONV -krb_get_tf_fullname (tktfile, name, instance, realm) - char *tktfile; - char *name; - char *instance; - char *realm; - -{ - OSErr err; - -/* - Explaining this ugly hack: - uname, uinstance, and urealm in the session record are "fixed" - to short circuit multicache functionality, yielding only one - session/cache for all cases. This was done under protest to remain - API compatable with UNIX. The principal's and service realm are - always the same and are stored in the same field of the credential. - Principal's name and instance are stored neither in the session - record or the credentials cache but in the file static variables - curr_auth_uname, and curr_auth_uinst as set by in_tkt from its - arguments pname and pinst. - - FIXME for multiple sessions -- keep track of which one is - the "current" session, as picked by the user. tktfile not - used for anything right now... 
-*/ - - err = GetNthCredentials(uname, uinstance, urealm, name, - instance, realm, 1); - - if (err != noErr) - return NO_TKT_FIL; - - if (name) - strcpy(name, curr_auth_uname); - if (instance) - strcpy(instance, curr_auth_uinst); - - return KSUCCESS; - -} - - -/* - * krb_get_cred takes a service name, instance, and realm, and a - * structure of type CREDENTIALS to be filled in with ticket - * information. It then searches the ticket file for the appropriate - * ticket and fills in the structure with the corresponding - * information from the file. If successful, it returns KSUCCESS. - * On failure it returns a Kerberos error code. - */ -int KRB5_CALLCONV -krb_get_cred (service, instance, realm, c) - char *service; /* Service name */ - char *instance; /* Instance */ - char *realm; /* Authorization domain */ - CREDENTIALS *c; /* Credentials struct */ -{ - strcpy(c->service, service); - strcpy(c->instance, instance); - strcpy(c->realm, realm); - - /* - FIXME jcm - Force one named cache for now for - compatibility with Cygnus source tree. Figure out - later how to access the multiple cache functionality - from KClient. - */ - - switch(GetCredentials(uname, uinstance, urealm, c)) { - case noErr: - return KSUCCESS; - case cKrbCredsDontExist: - case cKrbSessDoesntExist: - return GC_NOTKT; - default: - return KFAILURE; - } -} - -/* - * This routine takes a ticket and associated info and - * stores them in the ticket cache. The peer - * routine for extracting a ticket and associated info from the - * ticket cache is krb_get_cred(). When changes are made to - * this routine, the corresponding changes should be made - * in krb_get_cred() as well. - * - * Returns KSUCCESS if all goes well, otherwise KFAILURE. 
- */ - -int -krb4int_save_credentials_addr(sname, sinst, srealm, session, - lifetime, kvno, ticket, issue_date, laddr) - - char* sname; /* Service name */ - char* sinst; /* Instance */ - char* srealm; /* Auth domain */ - C_Block session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT ticket; /* The ticket itself */ - KRB4_32 issue_date; /* The issue time */ - KRB_UINT32 laddr; -{ - CREDENTIALS cr; - - strcpy(cr.service, sname); - strcpy(cr.instance, sinst); - strcpy(cr.realm, srealm); - memcpy((void*)cr.session, (void*)session, sizeof(C_Block)); - cr.lifetime = lifetime; - cr.kvno = kvno; - cr.ticket_st = *ticket; - cr.issue_date = issue_date; - strcpy(cr.pname, curr_auth_uname); /* FIXME for mult sessions */ - strcpy(cr.pinst, curr_auth_uinst); /* FIXME for mult sessions */ - - if(AddCredentials(uname, uinstance, urealm, &cr)) return KFAILURE; - change_cache(); - return KSUCCESS; -} - -int KRB5_CALLCONV -krb_save_credentials( - char *name, - char *inst, - char *realm, - C_Block session, - int lifetime, - int kvno, - KTEXT ticket, - KRB4_32 issue_date) -{ - return krb4int_save_credentials_addr(name, inst, realm, session, - lifetime, kvno, ticket, - issue_date, 0); -} - - -int -krb_delete_cred (sname, sinstance, srealm) - char *sname; - char *sinstance; - char *srealm; -{ - - if (DeleteCredentials (uname, uinstance, urealm, sname, sinstance, srealm)) - return KFAILURE; - - change_cache(); - - return KSUCCESS; - - /* - FIXME jcm - translate better between KClient internal OSErr errors - (eg. cKrbCredsDontExist) and kerberos error codes (eg. GC_NOTKT) - */ -} - -int -krb_get_nth_cred (sname, sinstance, srealm, n) - char *sname; - char *sinstance; - char *srealm; - int n; -{ - if (GetNthCredentials(uname, uinstance, urealm, sname, sinstance, srealm, n)) - return KFAILURE; - else - return KSUCCESS; -} - -/* - * Return the number of credentials in the current credential cache (ticket cache). - * On error, returns -1. 
- */ -int -krb_get_num_cred () -{ - int n; - int s; - - s = GetNumCredentials(uname, uinstance, urealm, &n); - if (s) return -1; - else return n; -} - - - -/* Lower level routines */ - -OSErr GetNumSessions(n) - int *n; -{ - *n = fNumSessions; - return 0; - } - -/* n starts at 1, not 0 */ -OSErr -GetNthSession(n, name, instance, realm) - const int n; - char *name; - char *instance; - char *realm; -{ - Session *sptr; - - if(n > fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = (*fSessions) + n-1; - if (name) strcpy(name, sptr->name); - if (instance) strcpy(instance, sptr->instance); - if (realm) strcpy(realm, sptr->realm); - - return noErr; - } - -OSErr DeleteSession(name, instance, realm) - const char *name; - const char *instance; - const char *realm; -{ - int i; - Session *sptr; - Handle creds; - - if(!fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, name) && - !strcmp(sptr[i].instance, instance) && - !strcmp(sptr[i].realm, realm)) { - break; - } - } - - if(i == fNumSessions) return cKrbSessDoesntExist; - - fNumSessions--; - - creds = (Handle) sptr[i].creds; - - for( ; i < fNumSessions; i++) { - strcpy(sptr[i].name, sptr[i+1].name); - strcpy(sptr[i].instance, sptr[i+1].instance); - strcpy(sptr[i].realm, sptr[i+1].realm); - } - - SetHandleSize((Handle) fSessions, fNumSessions * sizeof(Session)); - if(creds) DisposHandle(creds); - - return MemError(); - } - -OSErr GetCredentials(name, instance, realm, cr) - const char *name; - const char *instance; - const char *realm; - CREDENTIALS *cr; -{ - int i; - Session *sptr; - CREDENTIALS *cptr; - - if(!fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, name) && - !strcmp(sptr[i].instance, instance) && - !strcmp(sptr[i].realm, realm)) { - break; - } - } - - if(i == fNumSessions) return cKrbSessDoesntExist; - - sptr = 
sptr + i; - - if(!sptr->numcreds || !sptr->creds) return cKrbCredsDontExist; - - cptr = *(sptr->creds); - - for(i = 0; i < sptr->numcreds; i++) { - if(!strcmp(cptr[i].service, cr->service) && - !strcmp(cptr[i].instance, cr->instance) && - !strcmp(cptr[i].realm, cr->realm)) { - break; - } - } - - if(i == sptr->numcreds) return cKrbCredsDontExist; - - *cr = cptr[i]; - return noErr; - } - -OSErr AddCredentials(name, instance, realm, cr) - const char *name; - const char *instance; - const char *realm; - const CREDENTIALS *cr; -{ - Session *sptr; - Handle creds; - int i, thesess; - CREDENTIALS *cptr; - - /* find the appropriate session, or create it if it doesn't exist */ - if(!fSessions) { - fSessions = (Session**) NewHandleSys(0); - if(MemError()) return MemError(); - fNumSessions = 0; - } - - sptr = *fSessions; - - for(thesess = 0; thesess < fNumSessions; thesess++) { - if(!strcmp(sptr[thesess].name, name) && - !strcmp(sptr[thesess].instance, instance) && - !strcmp(sptr[thesess].realm, realm)) { - break; - } - } - - sptr = (*fSessions) + thesess; - - if(thesess == fNumSessions) { /* doesn't exist, create it */ - fNumSessions++; - SetHandleSize((Handle) fSessions, fNumSessions * sizeof(Session)); - if(MemError()) return MemError(); - - /* fSessions may have been moved, so redereference */ - sptr = (*fSessions) + thesess; - strcpy(sptr->name, (char *)name); - strcpy(sptr->instance, (char *)instance); - strcpy(sptr->realm, (char *)realm); - sptr->numcreds = 0; - sptr->creds = 0; - } - - /* if the session has no assoc creds, create storage for them so rest of algorithm - doesn't break */ - if(!sptr->numcreds || !sptr->creds) { - creds = NewHandleSys((Size) 0); - if(MemError()) return MemError(); - - /* rederef */ - sptr = (*fSessions) + thesess; - sptr->creds = (CREDENTIALS **)creds; - sptr->numcreds = 0; - } - - /* find creds if we already have an instance of them, or create a new slot for them - if we don't */ - cptr = *(sptr->creds); - - for(i = 0; i < sptr->numcreds; 
i++) { - if(!strcmp(cptr[i].service, cr->service) && - !strcmp(cptr[i].instance, cr->instance) && - !strcmp(cptr[i].realm, cr->realm)) { - break; - } - } - - if(i == sptr->numcreds) { - sptr->numcreds++; - SetHandleSize((Handle)sptr->creds, sptr->numcreds * sizeof(CREDENTIALS)); - if(MemError()) return MemError(); - - /* rederef */ - sptr = (*fSessions) + thesess; - cptr = *(sptr->creds); - } - - /* store them (possibly replacing previous creds if they already exist) */ - cptr[i] = *cr; - return noErr; - } - -OSErr -DeleteCredentials (uname, uinst, urealm, sname, sinst, srealm) - const char *uname; - const char *uinst; - const char *urealm; - const char *sname; - const char *sinst; - const char *srealm; -{ - int i; - Session *sptr; - CREDENTIALS *cptr; - - if(!fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, uname) && - !strcmp(sptr[i].instance, uinstance) && - !strcmp(sptr[i].realm, urealm)) { - break; - } - } - - if(i == fNumSessions) return cKrbSessDoesntExist; - - sptr = sptr + i; - - if(!sptr->numcreds || !sptr->creds) return cKrbCredsDontExist; - - cptr = *(sptr->creds); - - for(i = 0; i < sptr->numcreds; i++) { - if(!strcmp(cptr[i].service, sname) && - !strcmp(cptr[i].instance, sinst) && - !strcmp(cptr[i].realm, srealm)) { - break; - } - } - - if(i == sptr->numcreds) return cKrbCredsDontExist; - - sptr->numcreds--; - - for( ; i < sptr->numcreds; i++) { - cptr[i] = cptr[i+1]; - } - - SetHandleSize((Handle) sptr->creds, sptr->numcreds * sizeof(CREDENTIALS)); - - return MemError(); - } - -OSErr GetNumCredentials(name, instance, realm, n) - const char *name; - const char *instance; - const char *realm; - int *n; -{ - int i; - Session *sptr; - - if(!fNumSessions || !fSessions) { - *n = 0; - return cKrbSessDoesntExist; - } - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, name) && - !strcmp(sptr[i].instance, instance) && - 
!strcmp(sptr[i].realm, realm)) { - break; - } - } - - if(i == fNumSessions) { - *n = 0; - return cKrbCredsDontExist; - } - - *n = sptr[i].numcreds; - return noErr; - } - -/* returns service name, service instance and realm of the nth credential. */ -/* n starts at 1, not 0 */ -OSErr -GetNthCredentials(uname, uinstance, urealm, sname, sinst, srealm, n) - const char *uname; - const char *uinstance; - const char *urealm; - char *sname; - char *sinst; - char *srealm; - const int n; -{ - int i; - Session *sptr; - CREDENTIALS *cptr; - - if(!fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, uname) && - !strcmp(sptr[i].instance, uinstance) && - !strcmp(sptr[i].realm, urealm)) { - break; - } - } - - if(i == fNumSessions) return cKrbSessDoesntExist; - - sptr = (*fSessions) + i; - - if(n > sptr->numcreds || !sptr->creds) return cKrbCredsDontExist; - - cptr = (*(sptr->creds)) + n-1; - - /* - check for null pointers cuz. some callers don't provide - storage for all this info, eg. Kerb_get_tf_fullname. - */ - - if (sname) - strcpy(sname, cptr->service); - if (sinst) - strcpy(sinst, cptr->instance); - if (srealm) - strcpy(srealm, cptr->realm); - return noErr; -} diff --git a/src/lib/krb4/memcache.h b/src/lib/krb4/memcache.h deleted file mode 100644 index d6d04190b..000000000 --- a/src/lib/krb4/memcache.h +++ /dev/null 
@@ -1,36 +0,0 @@
-/*
- memcache.h
- Kerberos credential store in memory
- Originally coded by Tim Miller / Brown University
- Mods 1/92 By Peter Bosanko
-
- Modified May-June 1994 by Julia Menapace and John Gilmore,
- Cygnus Support.
-*/
-
-struct Session {
- char name[ANAME_SZ];
- char instance[INST_SZ];
- char realm[REALM_SZ];
- int numcreds;
- CREDENTIALS **creds;
-};
-typedef struct Session Session;
-
-OSErr GetNumSessions(int *n);
-OSErr GetNthSession(const int n, char *name, char *instance, char *realm);
-OSErr DeleteSession(const char *name, const char *instance, const char *realm);
-OSErr GetCredentials(const char *name, const char *instance, const char *realm,
- CREDENTIALS *cr);
-/* name, instance, and realm of service wanted should be set in *cr
- before calling */
-OSErr AddCredentials(const char *name, const char *instance, const char *realm,
- const CREDENTIALS *cr);
-OSErr DeleteCredentials(const char *uname, const char *uinst,
- const char *urealm, const char *sname,
- const char *sinst, const char *srealm);
-OSErr GetNumCredentials(const char *name, const char *instance,
- const char *realm, int *n);
-OSErr GetNthCredentials(const char *uname, const char *uinst,
- const char *urealm, char *sname, char *sinst,
- char *srealm, const int n);
diff --git a/src/lib/krb4/mk_auth.c b/src/lib/krb4/mk_auth.c
deleted file mode 100644
index e09e90076..000000000
--- a/src/lib/krb4/mk_auth.c
+++ /dev/null
@@ -1,249 +0,0 @@ -/* - * lib/krb4/mk_auth.c - * - * Copyright 1987, 1988, 2000, 2001 by the Massachusetts Institute of - * Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Derived from sendauth.c by John Gilmore, 10 October 1994. - */ - -#include -#include "krb.h" -#include "prot.h" -#include -#include - -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */ -/* - * If the protocol changes, you will need to change the version string - * and make appropriate changes in recvauth.c and sendauth.c. - */ - -/* - * This file contains two routines: krb_mk_auth() and krb_check_auth(). - * - * krb_mk_auth() packages a ticket for transmission to an application - * server. - * - * krb_krb_check_auth() validates a mutual-authentication response from - * the application server. 
- * - * These routines are portable versions that implement a protocol - * compatible with the original Unix "sendauth". - */ - -/* - * The first argument to krb_mk_auth() contains a bitfield of - * options (the options are defined in "krb.h"): - * - * KOPT_DONT_CANON Don't canonicalize instance as a hostname. - * (If this option is not chosen, krb_get_phost() - * is called to canonicalize it.) - * - * KOPT_DONT_MK_REQ Don't request server ticket from Kerberos. - * A ticket must be supplied in the "ticket" - * argument. - * (If this option is not chosen, and there - * is no ticket for the given server in the - * ticket cache, one will be fetched using - * krb_mk_req() and returned in "ticket".) - * - * KOPT_DO_MUTUAL Do mutual authentication, requiring that the - * receiving server return the checksum+1 encrypted - * in the session key. The mutual authentication - * is done using krb_mk_priv() on the other side - * (see "recvauth.c") and krb_rd_priv() on this - * side. - * - * The "ticket" argument is used to store the new ticket - * from the krb_mk_req() call. If the KOPT_DONT_MK_REQ options is - * chosen, the ticket must be supplied in the "ticket" argument. - * The "service", "inst", and "realm" arguments identify the ticket. - * If "realm" is null, the local realm is used. - * - * The following argument is only needed if the KOPT_DO_MUTUAL option - * is chosen: - * - * The "checksum" argument is a number that the server will add 1 to - * to authenticate itself back to the client. - * - * The application protocol version number (of up to KRB_SENDAUTH_VLEN - * characters) is passed in "version". - * - * The ticket is packaged into a message in the buffer pointed to by - * the argument "buf". - * - * If all goes well, KSUCCESS is returned, otherwise some error code. 
- * - * The format of the message packaged to send to the application server is: - * - * Size Variable Field - * ---- -------- ----- - * - * KRB_SENDAUTH_VLEN KRB_SENDAUTH_VER sendauth protocol - * bytes version number - * - * KRB_SENDAUTH_VLEN version application protocol - * bytes version number - * - * 4 bytes ticket->length length of ticket - * - * ticket->length ticket->dat ticket itself - */ - -/* - * Build a "sendauth" packet compatible with Unix sendauth/recvauth. - */ -int KRB5_CALLCONV -krb_mk_auth(options, ticket, service, inst, realm, checksum, version, buf) - long options; /* bit-pattern of options */ - KTEXT ticket; /* where to put ticket (return); or - supplied in case of KOPT_DONT_MK_REQ */ - char *service; /* service name */ - char *inst; /* instance (OUTPUT canonicalized) */ - char *realm; /* realm */ - unsigned KRB4_32 checksum; /* checksum to include in request */ - char *version; /* version string */ - KTEXT buf; /* Output buffer to fill */ -{ - int rem; - char krb_realm[REALM_SZ]; - char *phost; - int phostlen; - unsigned char *p; - - rem = KSUCCESS; - - /* get current realm if not passed in */ - if (!realm) { - rem = krb_get_lrealm(krb_realm,1); - if (rem != KSUCCESS) - return rem; - realm = krb_realm; - } - - if (!(options & KOPT_DONT_CANON)) { - phost = krb_get_phost(inst); - phostlen = krb4int_strnlen(phost, INST_SZ) + 1; - if (phostlen <= 0 || phostlen > INST_SZ) - return KFAILURE; - memcpy(inst, phost, (size_t)phostlen); - } - - /* get the ticket if desired */ - if (!(options & KOPT_DONT_MK_REQ)) { - rem = krb_mk_req(ticket, service, inst, realm, (KRB4_32)checksum); - if (rem != KSUCCESS) - return rem; - } - -#ifdef ATHENA_COMPAT - /* this is only for compatibility with old servers */ - if (options & KOPT_DO_OLDSTYLE) { - (void) snprintf(buf->dat, sizeof(buf->dat), "%d ",ticket->length); - (void) write(fd, buf, strlen(buf)); - (void) write(fd, (char *) ticket->dat, ticket->length); - return(rem); - } -#endif /* ATHENA_COMPAT */ - - /* 
Check buffer size */ - if (sizeof(buf->dat) < (KRB_SENDAUTH_VLEN + KRB_SENDAUTH_VLEN - + 4 + ticket->length) - || ticket->length < 0) - return KFAILURE; - - /* zero the buffer */ - memset(buf->dat, 0, sizeof(buf->dat)); - p = buf->dat; - - /* insert version strings */ - strncpy((char *)p, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN); - p += KRB_SENDAUTH_VLEN; - strncpy((char *)p, version, KRB_SENDAUTH_VLEN); - p += KRB_SENDAUTH_VLEN; - - /* put ticket length into buffer */ - KRB4_PUT32BE(p, ticket->length); - - /* put ticket into buffer */ - memcpy(p, ticket->dat, (size_t)ticket->length); - p += ticket->length; - - buf->length = p - buf->dat; - return KSUCCESS; -} - -/* - * For mutual authentication using mk_auth, check the server's response - * to validate that we're really talking to the server which holds the - * key that we obtained from the Kerberos key server. - * - * The "buf" argument is the response we received from the app server. - * The "checksum" argument is a number that the server has added 1 to - * to authenticate itself back to the client (us); the "msg_data" argument - * returns the returned mutual-authentication message from the server - * (i.e., the checksum+1); "session" holds the - * session key of the server, extracted from the ticket file, for use - * in decrypting the mutual authentication message from the server; - * and "schedule" returns the key schedule for that decryption. The - * the local and server addresses are given in "laddr" and "faddr". 
- */ -int KRB5_CALLCONV -krb_check_auth (buf, checksum, msg_data, session, schedule, laddr, faddr) - KTEXT buf; /* The response we read from app server */ - unsigned KRB4_32 checksum; /* checksum we included in request */ - MSG_DAT *msg_data; /* mutual auth MSG_DAT (return) */ - C_Block session; /* credentials (input) */ - Key_schedule schedule; /* key schedule (return) */ - struct sockaddr_in *laddr; /* local address */ - struct sockaddr_in *faddr; /* address of foreign host on fd */ -{ - int cc; - unsigned KRB4_32 cksum; - unsigned char *p; - - /* decrypt it */ -#ifndef NOENCRYPTION - key_sched(session, schedule); -#endif /* !NOENCRYPTION */ - if (buf->length < 0) - return KFAILURE; - cc = krb_rd_priv(buf->dat, (unsigned KRB4_32)buf->length, schedule, - (C_Block *)session, faddr, laddr, msg_data); - if (cc) - return cc; - - /* - * Fetch the (incremented) checksum that we supplied in the - * request. - */ - if (msg_data->app_length < 4) - return KFAILURE; - p = msg_data->app_data; - KRB4_GET32BE(cksum, p); - - /* if it doesn't match, fail -- reply wasn't from our real server. */ - if (cksum != checksum + 1) - return KFAILURE; /* XXX */ - return KSUCCESS; -} diff --git a/src/lib/krb4/mk_err.c b/src/lib/krb4/mk_err.c deleted file mode 100644 index 5eeca1bdb..000000000 --- a/src/lib/krb4/mk_err.c +++ /dev/null 
@@ -1,83 +0,0 @@
-/*
- * lib/krb4/mk_err.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include
-
-/*
- * This routine creates a general purpose error reply message. It
- * doesn't use KTEXT because application protocol may have long
- * messages, and may want this part of buffer contiguous to other
- * stuff.
- *
- * The error reply is built in "p", using the error code "e" and
- * error text "e_string" given. The length of the error reply is
- * returned.
- *
- * The error reply is in the following format:
- *
- * unsigned char KRB_PROT_VERSION protocol version no.
- * unsigned char AUTH_MSG_APPL_ERR message type
- * (least significant
- * bit of above) HOST_BYTE_ORDER local byte order
- * 4 bytes e given error code
- * string e_string given error text
- */
-
-long KRB5_CALLCONV
-krb_mk_err(p, e, e_string)
- u_char *p; /* Where to build error packet */
- KRB4_32 e; /* Error code */
- char *e_string; /* Text of error */
-{
- u_char *start;
- size_t e_len;
-
- e_len = strlen(e_string) + 1;
-
- /* Just return the buffer length if p is NULL, because writing to the
- * buffer would be a bad idea. Note that this feature is a change from
- * previous versions, and can therefore only be used safely in this
- * source tree, where we know this function supports it. */
- if (p == NULL) {
- return 1 + 1 + 4 + e_len;
- }
-
- start = p;
-
- /* Create fixed part of packet */
- *p++ = KRB_PROT_VERSION;
- *p++ = AUTH_MSG_APPL_ERR;
-
- /* Add the basic info */
- KRB4_PUT32BE(p, e);
- memcpy(p, e_string, e_len); /* err text */
- p += e_len;
-
- /* And return the length */
- return p - start;
-}
diff --git a/src/lib/krb4/mk_preauth.c b/src/lib/krb4/mk_preauth.c
deleted file mode 100644
index 1215e1145..000000000
--- a/src/lib/krb4/mk_preauth.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/* mk_preauth.c */
-/* part of Cygnus Network Security */
-/* Copyright 1994 Cygnus Support */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include
-
-#include "autoconf.h"
-#ifdef HAVE_STDLIB_H
-#include
-#else
-extern char *malloc(), *calloc(), *realloc();
-#endif
-
-int
-krb_mk_preauth(preauth_p, preauth_len,
- key_proc, aname, inst, realm, password, key)
- char **preauth_p;
- int *preauth_len;
- key_proc_type key_proc;
- char *aname;
- char *inst;
- char *realm;
- char *password;
- C_Block key;
-{
-#ifdef NOENCRYPTION
- *preauth_len = strlen(aname) + 1; /* include the trailing 0 */
- *preauth_p = malloc(*preauth_len);
- strcpy(*preauth_p, aname); /* this will copy the trailing 0 */
-#else
- des_key_schedule key_s;
- int sl = strlen(aname);
-#endif
-
- (*key_proc)(aname, inst, realm, password, key);
-
-#ifndef NOENCRYPTION
- /*
- * preauth_len is set to a length greater than sl + 1
- * and a multpile of 8
- */
- *preauth_len = (((sl + 1) / 8) + 1) * 8;
- /* allocate memory for preauth_p and fill it with 0 */
- *preauth_p = malloc((size_t)*preauth_len);
- /* create the key schedule */
- if (des_key_sched(key, key_s)) {
- return 1;
- }
- /*
- * encrypt aname using key_s as the key schedule and key as the
- * initialization vector.
- */
- des_pcbc_encrypt((des_cblock *)aname, (des_cblock *)*preauth_p,
- (long)(sl + 1), key_s, (des_cblock *)key, DES_ENCRYPT);
- memset(key_s, 0, sizeof(key_s));
-#endif
- return 0;
-}
-
-void
-krb_free_preauth(preauth_p, preauth_len)
- char *preauth_p;
- int preauth_len;
-{
- free(preauth_p);
- return;
-}
diff --git a/src/lib/krb4/mk_priv.c b/src/lib/krb4/mk_priv.c
deleted file mode 100644
index 470ad9473..000000000
--- a/src/lib/krb4/mk_priv.c
+++ /dev/null
@@ -1,301 +0,0 @@ -/* - * lib/krb4/mk_priv.c - * - * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of - * Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * This routine constructs a Kerberos 'private msg', i.e. - * cryptographically sealed with a private session key. - * - * Returns either < 0 ===> error, or resulting size of message - * - * Steve Miller Project Athena MIT/DEC - */ - -#include -#include - -#include "krb.h" -#include "prot.h" -#include "des.h" -#include "lsb_addr_cmp.h" -#include "port-sockets.h" - -extern int krb_debug; - -/* - * krb_mk_priv() constructs an AUTH_MSG_PRIVATE message. It takes - * some user data "in" of "length" bytes and creates a packet in "out" - * consisting of the user data, a timestamp, and the sender's network - * address. 
-#ifndef NOENCRYTION - * The packet is encrypted by pcbc_encrypt(), using the given - * "key" and "schedule". -#endif - * The length of the resulting packet "out" is - * returned. - * - * It is similar to krb_mk_safe() except for the additional key - * schedule argument "schedule" and the fact that the data is encrypted - * rather than appended with a checksum. Also, the protocol version - * number is "private_msg_ver", defined in krb_rd_priv.c, rather than - * KRB_PROT_VERSION, defined in "krb.h". - * - * The "out" packet consists of: - * - * Size Variable Field - * ---- -------- ----- - * - * 1 byte private_msg_ver protocol version number - * 1 byte AUTH_MSG_PRIVATE | message type plus local - * HOST_BYTE_ORDER byte order in low bit - * -#ifdef NOENCRYPTION - * 4 bytes c_length length of data -#else - * 4 bytes c_length length of encrypted data - * - * ===================== begin encrypt ================================ -#endif - * - * 4 bytes length length of user data - * length in user data - * 1 byte msg_time_5ms timestamp milliseconds - * 4 bytes sender->sin.addr.s_addr sender's IP address - * - * 4 bytes msg_time_sec or timestamp seconds with - * -msg_time_sec direction in sign bit - * - * 0<=n<=7 bytes pad to 8 byte multiple zeroes -#ifndef NOENCRYPTION - * (done by pcbc_encrypt()) - * - * ======================= end encrypt ================================ -#endif - */ - -/* Utility function: - - Determine order of addresses, if SENDER less than RECEIVER return 1 - so caller will negate timestamp. Return -1 for failure. 
*/ -int -krb4int_address_less (struct sockaddr_in *sender, struct sockaddr_in *receiver) -{ - unsigned long sender_addr, receiver_addr; - unsigned short sender_port, receiver_port; - switch (sender->sin_family) { - case AF_INET: - sender_addr = sender->sin_addr.s_addr; - sender_port = sender->sin_port; - break; -#ifdef KRB5_USE_INET6 - case AF_INET6: - { - struct sockaddr_in6 *s6 = (struct sockaddr_in6 *) sender; - if (IN6_IS_ADDR_V4MAPPED (&s6->sin6_addr)) { - struct sockaddr_in sintmp = { 0 }; - memcpy (&sintmp.sin_addr.s_addr, - 12+(char*)&s6->sin6_addr.s6_addr, - 4); - sender_addr = sintmp.sin_addr.s_addr; - } else - return -1; - sender_port = s6->sin6_port; - break; - } -#endif - default: - return -1; - } - switch (receiver->sin_family) { - case AF_INET: - receiver_addr = receiver->sin_addr.s_addr; - receiver_port = receiver->sin_port; - break; -#ifdef KRB5_USE_INET6 - case AF_INET6: - { - struct sockaddr_in6 *s6 = (struct sockaddr_in6 *) receiver; - if (IN6_IS_ADDR_V4MAPPED (&s6->sin6_addr)) { - struct sockaddr_in sintmp = { 0 }; - memcpy (&sintmp.sin_addr.s_addr, - 12+(char*)&s6->sin6_addr.s6_addr, - 4); - receiver_addr = sintmp.sin_addr.s_addr; - } else - return -1; - receiver_port = s6->sin6_port; - break; - } -#endif - default: - return -1; - } - /* For compatibility with broken old code, compares are done in - VAX byte order (LSBFIRST). */ - if (lsb_net_ulong_less(sender_addr, receiver_addr) == -1 - || (lsb_net_ulong_less(sender_addr, receiver_addr) == 0 - && lsb_net_ushort_less(sender_port, receiver_port) == -1)) - return 1; - return 0; - /* - * all that for one tiny bit! Heaven help those that talk to - * themselves. - */ -} - -long KRB5_CALLCONV -krb_mk_priv(in, out, length, schedule, key, sender, receiver) - u_char *in; /* application data */ - u_char *out; /* put msg here, leave room for - * header! 
breaks if in and out - * (header stuff) overlap */ - unsigned KRB4_32 length; /* of in data */ - Key_schedule schedule; /* precomputed key schedule */ - C_Block *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; /* sender address */ - struct sockaddr_in *receiver; /* receiver address */ -{ - register u_char *p,*q; - u_char *c_length_ptr; - extern int private_msg_ver; /* in krb_rd_priv.c */ - - unsigned KRB4_32 c_length, c_length_raw; - u_char msg_time_5ms; - unsigned KRB4_32 msg_time_sec; - unsigned KRB4_32 msg_time_usec; - - /* Be really paranoid. */ - if (sizeof(sender->sin_addr.s_addr) != 4) - return -1; - /* - * get the current time to use instead of a sequence #, since - * process lifetime may be shorter than the lifetime of a session - * key. - */ - msg_time_sec = TIME_GMT_UNIXSEC_US(&msg_time_usec); - msg_time_5ms = msg_time_usec / 5000; /* 5ms quanta */ - - p = out; - - /* Cruftiness below! */ - *p++ = private_msg_ver ? private_msg_ver : KRB_PROT_VERSION; - *p++ = AUTH_MSG_PRIVATE; - - /* save ptr to cipher length */ - c_length_ptr = p; - p += 4; - -#ifndef NOENCRYPTION - /* start for encrypted stuff */ -#endif - q = p; - - /* stuff input length */ - KRB4_PUT32BE(p, length); - -#ifdef NOENCRYPTION - /* make all the stuff contiguous for checksum */ -#else - /* make all the stuff contiguous for checksum and encryption */ -#endif - memcpy(p, in, (size_t)length); - p += length; - - /* stuff time 5ms */ - *p++ = msg_time_5ms; - - /* stuff source address */ - if (sender->sin_family == AF_INET) - memcpy(p, &sender->sin_addr.s_addr, sizeof(sender->sin_addr.s_addr)); -#ifdef KRB5_USE_INET6 - else if (sender->sin_family == AF_INET6 - && IN6_IS_ADDR_V4MAPPED (&((struct sockaddr_in6 *)sender)->sin6_addr)) - memcpy(p, 12+(char*)&((struct sockaddr_in6 *)sender)->sin6_addr, 4); -#endif - else - /* The address isn't one we can encode in 4 bytes -- but - that's okay if the receiver doesn't care. 
*/ - memset(p, 0, 4); - p += sizeof(sender->sin_addr.s_addr); - - /* - * direction bit is the sign bit of the timestamp. Ok - * until 2038?? - */ - switch (krb4int_address_less (sender, receiver)) { - case 1: - msg_time_sec = -msg_time_sec; - break; - case -1: - /* Which way should we go in this case? */ - case 0: - break; - } - - /* stuff time sec */ - KRB4_PUT32BE(p, msg_time_sec); - - /* - * All that for one tiny bit! Heaven help those that talk to - * themselves. - */ - -#ifdef notdef - /* - * calculate the checksum of the length, address, sequence, and - * inp data - */ - cksum = quad_cksum(q,NULL,p-q,0,key); - DEB (("\ncksum = %u",cksum)); - /* stuff checksum */ - memcpy(p, &cksum, sizeof(cksum)); - p += sizeof(cksum); -#endif - -#ifdef NOENCRYPTION - /* - * All the data have been assembled, compute length - */ -#else - /* - * All the data have been assembled, compute length and encrypt - * starting with the length, data, and timestamps use the key as - * an ivec. - */ -#endif - - c_length_raw = p - q; - c_length = ((c_length_raw + sizeof(C_Block) -1) - / sizeof(C_Block)) * sizeof(C_Block); - /* stuff the length */ - p = c_length_ptr; - KRB4_PUT32BE(p, c_length); - -#ifndef NOENCRYPTION - /* pcbc encrypt, pad as needed, use key as ivec */ - pcbc_encrypt((C_Block *)q,(C_Block *)q, (long)c_length_raw, - schedule, key, ENCRYPT); -#endif /* NOENCRYPTION */ - - return q - out + c_length; /* resulting size */ -} diff --git a/src/lib/krb4/mk_req.c b/src/lib/krb4/mk_req.c deleted file mode 100644 index fc92c58e6..000000000 --- a/src/lib/krb4/mk_req.c +++ /dev/null 
@@ -1,285 +0,0 @@ -/* - * lib/krb4/mk_req.c - * - * Copyright 1985, 1986, 1987, 1988, 2000, 2002 by the Massachusetts - * Institute of Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "krb.h" -#include "prot.h" -#include "des.h" -#include -#include "krb4int.h" - -extern int krb_ap_req_debug; -static int lifetime = 255; /* Default based on the TGT */ - -static int krb_mk_req_creds_prealm(KTEXT, CREDENTIALS *, KRB4_32, char *); - -/* - * krb_mk_req takes a text structure in which an authenticator is to - * be built, the name of a service, an instance, a realm, - * and a checksum. It then retrieves a ticket for - * the desired service and creates an authenticator in the text - * structure passed as the first argument. krb_mk_req returns - * KSUCCESS on success and a Kerberos error code on failure. - * - * The peer procedure on the other end is krb_rd_req. 
When making - * any changes to this routine it is important to make corresponding - * changes to krb_rd_req. - * - * The authenticator consists of the following: - * - * authent->dat - * - * unsigned char KRB_PROT_VERSION protocol version no. - * unsigned char AUTH_MSG_APPL_REQUEST message type - * (least significant - * bit of above) HOST_BYTE_ORDER local byte ordering - * unsigned char kvno from ticket server's key version - * string realm server's realm - * unsigned char tl ticket length - * unsigned char idl request id length - * text ticket->dat ticket for server - * text req_id->dat request id - * - * The ticket information is retrieved from the ticket cache or - * fetched from Kerberos. The request id (called the "authenticator" -#ifdef NOENCRYPTION - * in the papers on Kerberos) contains the following: -#else - * in the papers on Kerberos) contains information encrypted in the session - * key for the client and ticket-granting service: {req_id}Kc,tgs - * Before encryption, it contains the following: -#endif - * - * req_id->dat - * - * string cr.pname {name, instance, and - * string cr.pinst realm of principal - * string myrealm making this request} - * 4 bytes checksum checksum argument given - * unsigned char time_usecs time (microseconds) - * 4 bytes time_secs time (seconds) - * - * req_id->length = 3 strings + 3 terminating nulls + 5 bytes for time, - * all rounded up to multiple of 8. 
- */ - -static int -krb_mk_req_creds_prealm(authent, creds, checksum, myrealm) - register KTEXT authent; /* Place to build the authenticator */ - CREDENTIALS *creds; - KRB4_32 checksum; /* Checksum of data (optional) */ - char *myrealm; /* Client's realm */ -{ - KTEXT_ST req_st; /* Temp storage for req id */ - KTEXT req_id = &req_st; - unsigned char *p, *q, *reqid_lenp; - int tl; /* Tkt len */ - int idl; /* Reqid len */ - register KTEXT ticket; /* Pointer to tkt_st */ - Key_schedule key_s; - size_t realmlen, pnamelen, pinstlen, myrealmlen; - unsigned KRB4_32 time_secs; - unsigned KRB4_32 time_usecs; - - /* Don't risk exposing stack garbage to correspondent, even if - encrypted from other prying eyes. */ - memset(&req_st, 0x69, sizeof(req_st)); - - ticket = &creds->ticket_st; - /* Get the ticket and move it into the authenticator */ - if (krb_ap_req_debug) - DEB (("Realm: %s\n", creds->realm)); - - realmlen = strlen(creds->realm) + 1; - if (sizeof(authent->dat) < (1 + 1 + 1 - + realmlen - + 1 + 1 + ticket->length) - || ticket->length < 0 || ticket->length > 255) { - authent->length = 0; - return KFAILURE; - } - - if (krb_ap_req_debug) - DEB (("%s %s %s %s %s\n", creds->service, creds->instance, - creds->realm, creds->pname, creds->pinst)); - - p = authent->dat; - - /* The fixed parts of the authenticator */ - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_APPL_REQUEST; - *p++ = creds->kvno; - - memcpy(p, creds->realm, realmlen); - p += realmlen; - - tl = ticket->length; - *p++ = tl; - /* Save ptr to where req_id->length goes. 
*/ - reqid_lenp = p; - p++; - memcpy(p, ticket->dat, (size_t)tl); - p += tl; - - if (krb_ap_req_debug) - DEB (("Ticket->length = %d\n",ticket->length)); - if (krb_ap_req_debug) - DEB (("Issue date: %d\n",creds->issue_date)); - - pnamelen = strlen(creds->pname) + 1; - pinstlen = strlen(creds->pinst) + 1; - myrealmlen = strlen(myrealm) + 1; - if (sizeof(req_id->dat) / 8 < (pnamelen + pinstlen + myrealmlen - + 4 + 1 + 4 + 7) / 8) { - return KFAILURE; - } - - q = req_id->dat; - - /* Build request id */ - /* Auth name */ - memcpy(q, creds->pname, pnamelen); - q += pnamelen; - /* Principal's instance */ - memcpy(q, creds->pinst, pinstlen); - q += pinstlen; - /* Authentication domain */ - memcpy(q, myrealm, myrealmlen); - q += myrealmlen; - /* Checksum */ - KRB4_PUT32BE(q, checksum); - - /* Fill in the times on the request id */ - time_secs = TIME_GMT_UNIXSEC_US (&time_usecs); - *q++ = time_usecs; /* time_usecs % 255 */ - /* Time (coarse) */ - KRB4_PUT32BE(q, time_secs); - - /* Fill to a multiple of 8 bytes for DES */ - req_id->length = ((q - req_id->dat + 7) / 8) * 8; - -#ifndef NOENCRYPTION - /* Encrypt the request ID using the session key */ - key_sched(creds->session, key_s); - pcbc_encrypt((C_Block *)req_id->dat, (C_Block *)req_id->dat, - (long)req_id->length, key_s, &creds->session, 1); - /* clean up */ - memset(key_s, 0, sizeof(key_s)); -#endif /* NOENCRYPTION */ - - /* Copy it into the authenticator */ - idl = req_id->length; - if (idl > 255) - return KFAILURE; - *reqid_lenp = idl; - memcpy(p, req_id->dat, (size_t)idl); - p += idl; - - authent->length = p - authent->dat; - - /* clean up */ - memset(req_id, 0, sizeof(*req_id)); - - if (krb_ap_req_debug) - DEB (("Authent->length = %d\n",authent->length)); - if (krb_ap_req_debug) - DEB (("idl = %d, tl = %d\n", idl, tl)); - - return KSUCCESS; -} - -int KRB5_CALLCONV -krb_mk_req(authent, service, instance, realm, checksum) - register KTEXT authent; /* Place to build the authenticator */ - char *service; /* Name of the 
service */ - char *instance; /* Service instance */ - char *realm; /* Authentication domain of service */ - KRB4_32 checksum; /* Checksum of data (optional) */ -{ - char krb_realm[REALM_SZ]; /* Our local realm, if not specified */ - char myrealm[REALM_SZ]; /* Realm of initial TGT. */ - int retval; - CREDENTIALS creds; - - /* get current realm if not passed in */ - if (realm == NULL) { - retval = krb_get_lrealm(krb_realm, 1); - if (retval != KSUCCESS) - return retval; - realm = krb_realm; - } - /* - * Determine realm of these tickets. We will send this to the - * KDC from which we are requesting tickets so it knows what to - * with our session key. - */ - retval = krb_get_tf_realm(TKT_FILE, myrealm); - if (retval != KSUCCESS) - retval = krb_get_lrealm(myrealm, 1); - if (retval != KSUCCESS) - return retval; - - retval = krb_get_cred(service, instance, realm, &creds); - if (retval == RET_NOTKT) { - retval = get_ad_tkt(service, instance, realm, lifetime); - if (retval) - return retval; - retval = krb_get_cred(service, instance, realm, &creds); - if (retval) - return retval; - } - if (retval != KSUCCESS) - return retval; - - retval = krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm); - memset(&creds.session, 0, sizeof(creds.session)); - return retval; -} - -int KRB5_CALLCONV -krb_mk_req_creds(authent, creds, checksum) - register KTEXT authent; /* Place to build the authenticator */ - CREDENTIALS *creds; - KRB4_32 checksum; /* Checksum of data (optional) */ -{ - return krb_mk_req_creds_prealm(authent, creds, checksum, creds->realm); -} - -/* - * krb_set_lifetime sets the default lifetime for additional tickets - * obtained via krb_mk_req(). - * - * It returns the previous value of the default lifetime. - */ - -int KRB5_CALLCONV -krb_set_lifetime(newval) -int newval; -{ - int olife = lifetime; - - lifetime = newval; - return olife; -} diff --git a/src/lib/krb4/mk_safe.c b/src/lib/krb4/mk_safe.c deleted file mode 100644 index 2a157caad..000000000 
--- a/src/lib/krb4/mk_safe.c
+++ /dev/null
@@ -1,167 +0,0 @@ -/* - * lib/krb4/mk_req.c - * - * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of - * Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * This routine constructs a Kerberos 'safe msg', i.e. authenticated - * using a private session key to seed a checksum. Msg is NOT - * encrypted. - * - * Returns either <0 ===> error, or resulting size of message - * - * Steve Miller Project Athena MIT/DEC - */ - -#include -#include - -#include "krb.h" -#include "des.h" -#include "prot.h" -#include "lsb_addr_cmp.h" -#include "port-sockets.h" - -extern int krb_debug; - -/* - * krb_mk_safe() constructs an AUTH_MSG_SAFE message. 
It takes some - * user data "in" of "length" bytes and creates a packet in "out" - * consisting of the user data, a timestamp, and the sender's network - * address, followed by a checksum computed on the above, using the - * given "key". The length of the resulting packet is returned. - * - * The "out" packet consists of: - * - * Size Variable Field - * ---- -------- ----- - * - * 1 byte KRB_PROT_VERSION protocol version number - * 1 byte AUTH_MSG_SAFE | message type plus local - * HOST_BYTE_ORDER byte order in low bit - * - * ===================== begin checksum ================================ - * - * 4 bytes length length of user data - * length in user data - * 1 byte msg_time_5ms timestamp milliseconds - * 4 bytes sender->sin.addr.s_addr sender's IP address - * - * 4 bytes msg_time_sec or timestamp seconds with - * -msg_time_sec direction in sign bit - * - * ======================= end checksum ================================ - * - * 16 bytes big_cksum quadratic checksum of - * above using "key" - */ - -long KRB5_CALLCONV -krb_mk_safe(in, out, length, key, sender, receiver) - u_char *in; /* application data */ - u_char *out; /* - * put msg here, leave room for header! - * breaks if in and out (header stuff) - * overlap - */ - unsigned KRB4_32 length; /* of in data */ - C_Block *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; /* sender address */ - struct sockaddr_in *receiver; /* receiver address */ -{ - register u_char *p,*q; - - unsigned KRB4_32 cksum; - unsigned KRB4_32 big_cksum[4]; - unsigned KRB4_32 msg_secs; - unsigned KRB4_32 msg_usecs; - u_char msg_time_5ms; - KRB4_32 msg_time_sec; - int i; - - /* Be really paranoid. */ - if (sizeof(sender->sin_addr.s_addr) != 4) - return -1; - /* - * get the current time to use instead of a sequence #, since - * process lifetime may be shorter than the lifetime of a session - * key. 
- */ - msg_secs = TIME_GMT_UNIXSEC_US(&msg_usecs); - msg_time_sec = msg_secs; - msg_time_5ms = msg_usecs / 5000; /* 5ms quanta */ - - p = out; - - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_SAFE; - - q = p; /* start for checksum stuff */ - /* stuff input length */ - KRB4_PUT32BE(p, length); - - /* make all the stuff contiguous for checksum */ - memcpy(p, in, length); - p += length; - - /* stuff time 5ms */ - *p++ = msg_time_5ms; - - /* stuff source address */ - if (sender->sin_family == AF_INET) - memcpy(p, &sender->sin_addr.s_addr, sizeof(sender->sin_addr.s_addr)); -#ifdef KRB5_USE_INET6 - else if (sender->sin_family == AF_INET6 - && IN6_IS_ADDR_V4MAPPED (&((struct sockaddr_in6 *)sender)->sin6_addr)) - memcpy(p, 12+(char*)&((struct sockaddr_in6 *)sender)->sin6_addr, 4); -#endif - else - /* The address isn't one we can encode in 4 bytes -- but - that's okay if the receiver doesn't care. */ - memset(p, 0, 4); - p += sizeof(sender->sin_addr.s_addr); - - /* - * direction bit is the sign bit of the timestamp. Ok until - * 2038?? - */ - if (krb4int_address_less (sender, receiver) == 1) - msg_time_sec = -msg_time_sec; - /* stuff time sec */ - KRB4_PUT32BE(p, msg_time_sec); - -#ifdef NOENCRYPTION - cksum = 0; - memset(big_cksum, 0, sizeof(big_cksum)); -#else /* Do encryption */ - /* calculate the checksum of length, timestamps, and input data */ - cksum = quad_cksum(q, (unsigned KRB4_32 *)big_cksum, - p - q, 2, key); -#endif /* NOENCRYPTION */ - DEB(("\ncksum = %u",cksum)); - - /* stuff checksum */ - for (i = 0; i < 4; i++) - KRB4_PUT32BE(p, big_cksum[i]); - - return p - out; /* resulting size */ -} diff --git a/src/lib/krb4/month_sname.c b/src/lib/krb4/month_sname.c deleted file mode 100644 index 48be89e53..000000000 --- a/src/lib/krb4/month_sname.c +++ /dev/null 
@@ -1,28 +0,0 @@
-/*
- * month_sname.c
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- */
-
-/*
- * Given an integer 1-12, month_sname() returns a string
- * containing the first three letters of the corresponding
- * month. Returns 0 if the argument is out of range.
- */
-
-#include
-#include "krb4int.h"
-
-const char *month_sname(n)
- int n;
-{
- static const char name[][4] = {
- "Jan","Feb","Mar","Apr","May","Jun",
- "Jul","Aug","Sep","Oct","Nov","Dec"
- };
- return((n < 1 || n > 12) ? 0 : name [n-1]);
-}
diff --git a/src/lib/krb4/netread.c b/src/lib/krb4/netread.c
deleted file mode 100644
index b366df3d2..000000000
--- a/src/lib/krb4/netread.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * lib/krb4/netwrite.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include
-#include "krb.h"
-#include "autoconf.h"
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#include "port-sockets.h"
-
-/*
- * krb_net_read() reads from the file descriptor "fd" to the buffer
- * "buf", until either 1) "len" bytes have been read or 2) cannot
- * read anymore from "fd". It returns the number of bytes read
- * or a read() error. (The calling interface is identical to
- * read(2).)
- *
- * XXX must not use non-blocking I/O
- */
-int
-krb_net_read(fd, buf, len)
-int fd;
-register char *buf;
-register int len;
-{
- int cc, len2 = 0;
-
- do {
- cc = SOCKET_READ(fd, buf, len);
- if (cc < 0)
- {
- if (SOCKET_ERRNO == SOCKET_EINTR)
- continue;
- return(cc); /* errno is already set */
- }
- else if (cc == 0) {
- return(len2);
- } else {
- buf += cc;
- len2 += cc;
- len -= cc;
- }
- } while (len > 0);
- return(len2);
-}
diff --git a/src/lib/krb4/netwrite.c b/src/lib/krb4/netwrite.c
deleted file mode 100644
index 31832488d..000000000
--- a/src/lib/krb4/netwrite.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * lib/krb4/netwrite.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include
-#include "krb.h"
-#include "autoconf.h"
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#include "port-sockets.h"
-
-/*
- * krb_net_write() writes "len" bytes from "buf" to the file
- * descriptor "fd". It returns the number of bytes written or
- * a write() error. (The calling interface is identical to
- * write(2).)
- *
- * XXX must not use non-blocking I/O
- */
-int
-krb_net_write(fd, buf, len)
-int fd;
-register char *buf;
-int len;
-{
- int cc;
- register int wrlen = len;
- do {
- cc = SOCKET_WRITE(fd, buf, wrlen);
- if (cc < 0)
- {
- if (SOCKET_ERRNO == SOCKET_EINTR)
- continue;
- return(cc);
- }
- else {
- buf += cc;
- wrlen -= cc;
- }
- } while (wrlen > 0);
- return(len);
-}
diff --git a/src/lib/krb4/password_to_key.c b/src/lib/krb4/password_to_key.c
deleted file mode 100644
index d5ca7a5cc..000000000
--- a/src/lib/krb4/password_to_key.c
+++ /dev/null
@@ -1,152 +0,0 @@ -/* - * lib/krb4/password_to_key.c - * - * Copyright 1999, 2002 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * password_to_key functions merged from KfM - */ - -#include -#include - -#ifdef USE_CCAPI -#include -#endif -#include "krb.h" -#include "krb4int.h" - -#include "k5-platform.h" - -/* - * passwd_to_key(): given a password, return a DES key. - * There are extra arguments here which (used to be?) - * used by srvtab_to_key(). - * - * If the "passwd" argument is not null, generate a DES - * key from it, using string_to_key(). - * - * If the "passwd" argument is null, then on a Unix system we call - * des_read_password() to prompt for a password and then convert it - * into a DES key. 
But "prompting" the user is harder in a Windows or - * Macintosh environment, so we rely on our caller to explicitly do - * that now. - * - * In either case, the resulting key is put in the "key" argument, - * and 0 is returned. - */ - - -key_proc_type *krb_get_keyprocs (key_proc_type keyproc) -{ - static key_proc_type default_keyprocs[4] = { mit_passwd_to_key, - afs_passwd_to_key, - krb5_passwd_to_key, - NULL }; - - static key_proc_type user_keyprocs[2] = { NULL, NULL }; - - /* generate the list of key procs */ - if (keyproc == NULL) { - return default_keyprocs; /* use the default */ - } else { - user_keyprocs[0] = keyproc; - return user_keyprocs; /* use the caller provided keyprocs */ - } -} - -int KRB5_CALLCONV -mit_passwd_to_key( - char *user, - char *instance, - char *realm, - char *passwd, - C_Block key) -{ -#if 0 /* what system? */ -#pragma unused(user) -#pragma unused(instance) -#pragma unused(realm) -#endif - - if (passwd) { - des_string_to_key(passwd, key); - } else { -#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY)) - des_read_password((des_cblock *)key, "Password", 0); -#else - return (-1); -#endif - } - return (0); -} - -/* So we can use a v4 kinit against a v5 kdc with no krb4 salted key */ -int KRB5_CALLCONV -krb5_passwd_to_key( - char *user, - char *instance, - char *realm, - char *passwd, - C_Block key) -{ - char *p; - - if (user && instance && realm && passwd) { - if (strlen(realm) + strlen(user) + strlen(instance) > MAX_K_NAME_SZ) - /* XXX Is this right? The old code returned 0, which is - also what it returns after sucessfully generating a - key. The other error path returns -1. */ - return 0; - if (asprintf(&p, "%s%s%s%s", passwd, realm, user, instance) >= 0) { - des_string_to_key (p, key); - free (p); - return 0; - } - } - return -1; -} - -int KRB5_CALLCONV -afs_passwd_to_key( - char *user, - char *instance, - char *realm, - char *passwd, - C_Block key) -{ -#if 0 /* what system? 
*/ -#pragma unused(user) -#pragma unused(instance) -#endif - - if (passwd) { - afs_string_to_key(passwd, realm, key); - } else { -#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY)) - des_read_password((des_cblock *)key, "Password", 0); -#else - return (-1); -#endif - } - return (0); -} diff --git a/src/lib/krb4/pkt_cipher.c b/src/lib/krb4/pkt_cipher.c deleted file mode 100644 index 29123480e..000000000 --- a/src/lib/krb4/pkt_cipher.c +++ /dev/null @@ -1,35 +0,0 @@ -/* - * pkt_cipher.c - * - * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute - * of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -#include "mit-copyright.h" -#include -#include "krb.h" -#include "prot.h" - - -/* - * This routine takes a reply packet from the Kerberos ticket-granting - * service and returns a pointer to the beginning of the ciphertext in it. - * - * See "prot.h" for packet format. - */ - -KTEXT -pkt_cipher(packet) - KTEXT packet; -{ - unsigned char *ptr = pkt_a_realm(packet) + 6 - + strlen((char *)pkt_a_realm(packet)); - /* Skip a few more fields */ - ptr += 3 + 4; /* add 4 for exp_date */ - - /* And return the pointer */ - return((KTEXT) ptr); -} diff --git a/src/lib/krb4/pkt_clen.c b/src/lib/krb4/pkt_clen.c deleted file mode 100644 index 52763a4dd..000000000 --- a/src/lib/krb4/pkt_clen.c +++ /dev/null 
@@ -1,47 +0,0 @@
-/*
- * pkt_clen.c
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- */
-
-#include "mit-copyright.h"
-#include
-#include "krb.h"
-#include "prot.h"
-
-extern int krb_debug;
-int swap_bytes=0;
-
-/*
- * Given a pointer to an AUTH_MSG_KDC_REPLY packet, return the length of
- * its ciphertext portion. The external variable "swap_bytes" is assumed
- * to have been set to indicate whether or not the packet is in local
- * byte order. pkt_clen() takes this into account when reading the
- * ciphertext length out of the packet.
- */
-
-int
-pkt_clen(pkt)
- KTEXT pkt;
-{
- static unsigned short temp;
- int clen = 0;
-
- /* Start of ticket list */
- unsigned char *ptr = pkt_a_realm(pkt) + 10
- + strlen((char *)pkt_a_realm(pkt));
-
- /* Finally the length */
- memcpy((char *)&temp, (char *)(++ptr), 2); /* alignment */
- if (swap_bytes)
- temp = krb4_swab16(temp);
-
- clen = (int) temp;
-
- DEB (("Clen is %d\n",clen));
- return(clen);
-}
diff --git a/src/lib/krb4/prot_client.c b/src/lib/krb4/prot_client.c
deleted file mode 100644
index 315f7f08a..000000000
--- a/src/lib/krb4/prot_client.c
+++ /dev/null
@@ -1,370 +0,0 @@ -/* - * lib/krb4/prot_client.c - * - * Copyright 2001 by the Massachusetts Institute of Technology. All - * Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Contains protocol encoders and decoders used by a krb4 client. - */ - -#include "krb.h" -#include "prot.h" -#include - -/* - * encode_kdc_request - * - * Packet format is originally from g_in_tkt.c. 
- * - * Size Variable Field - * ---- -------- ----- - * 1 byte KRB_PROT_VERSION protocol version number - * 1 byte AUTH_MSG_KDC_REQUEST | message type - * HOST_BYTE_ORDER local byte order in lsb - * string user client's name - * string instance client's instance - * string realm client's realm - * 4 bytes tlocal.tv_sec timestamp in seconds - * 1 byte life desired lifetime - * string service service's name - * string sinstance service's instance - */ -int KRB5_CALLCONV -krb4prot_encode_kdc_request(char *pname, char *pinst, char *prealm, - KRB4_32 tlocal, int life, - char *sname, char *sinst, - char *preauth, int preauthlen, - int chklen, /* check input str len? */ - int le, /* little-endian? */ - KTEXT pkt) -{ - unsigned char *p; - int ret; - size_t snamelen, sinstlen; - - p = pkt->dat; - - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_KDC_REQUEST | !!le; - - ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, - pkt, &p); - if (ret) - return ret; - - snamelen = strlen(sname) + 1; - sinstlen = strlen(sinst) + 1; - if (chklen && (snamelen > ANAME_SZ || sinstlen > INST_SZ)) - return KRB4PROT_ERR_OVERRUN; - if ((sizeof(pkt->dat) - (p - pkt->dat)) - < (4 + 1 + snamelen + sinstlen + preauthlen)) - return KRB4PROT_ERR_OVERRUN; - - /* timestamp */ - KRB4_PUT32(p, tlocal, le); - - *p++ = life; - - memcpy(p, sname, snamelen); - p += snamelen; - memcpy(p, sinst, sinstlen); - p += sinstlen; - - if (preauthlen) - memcpy(p, preauth, (size_t)preauthlen); - p += preauthlen; - - pkt->length = p - pkt->dat; - return KRB4PROT_OK; -} - -/* - * decode_kdc_reply - */ -int KRB5_CALLCONV -krb4prot_decode_kdc_reply(KTEXT pkt, - int *le, - char *pname, char *pinst, char *prealm, - long *time_ws, int *n, - unsigned long *x_date, int *kvno, - KTEXT ciph) -{ - unsigned char *p; - int msg_type; - int ret; - unsigned int ciph_len; - - p = pkt->dat; - if (pkt->length < 2) - return KRB4PROT_ERR_UNDERRUN; - if (*p++ != KRB_PROT_VERSION) - return KRB4PROT_ERR_PROT_VERS; - msg_type = *p++; - 
*le = msg_type & 1; - msg_type &= ~1; - if (msg_type != AUTH_MSG_KDC_REPLY) - return KRB4PROT_ERR_MSG_TYPE; - - ret = krb4prot_decode_naminstrlm(ciph, &p, pname, pinst, prealm); - if (ret) - return ret; - -#define PKT_REMAIN (pkt->length - (p - pkt->dat)) - - if (PKT_REMAIN < (4 /* time */ - + 1 /* number of tickets */ - + 4 /* exp date */ - + 1 /* kvno */ - + 2)) /* ciph length */ - return KRB4PROT_ERR_UNDERRUN; - if (time_ws != NULL) - KRB4_GET32(*time_ws, p, *le); /* XXX signed/unsigned */ - else - p += 4; - if (n != NULL) - *n = *p++; - else - p++; - if (x_date != NULL) - KRB4_GET32(*x_date, p, *le); - else - p += 4; - if (kvno != NULL) - *kvno = *p++; - else - p++; - KRB4_GET16(ciph_len, p, *le); - if (PKT_REMAIN < ciph_len) - return KRB4PROT_ERR_UNDERRUN; - ciph->length = ciph_len; - memcpy(ciph->dat, p, (size_t)ciph->length); - return KRB4PROT_OK; -#undef PKT_REMAIN -} - -int KRB5_CALLCONV -krb4prot_decode_ciph(KTEXT ciph, int le, - C_Block session, - char *name, char *inst, char *realm, - int *life, int *kvno, - KTEXT tkt, unsigned long *kdc_time) -{ - unsigned char *p; - int ret; - - p = ciph->dat; - if (ciph->length < 8) - return KRB4PROT_ERR_UNDERRUN; - memcpy(session, p, 8); - p += 8; - ret = krb4prot_decode_naminstrlm(ciph, &p, name, inst, realm); - if (ret) - return ret; -#define CIPH_REMAIN (ciph->length - (p - ciph->dat)) - if (CIPH_REMAIN < (1 /* life */ - + 1 /* kvno */ - + 1)) /* tkt->length */ - return KRB4PROT_ERR_UNDERRUN; - if (life != NULL) - *life = *p++; - else - p++; - if (kvno != NULL) - *kvno = *p++; - else - p++; - tkt->length = *p++; - if (CIPH_REMAIN < (tkt->length - + 4)) /* kdc_time */ - return KRB4PROT_ERR_UNDERRUN; - memcpy(tkt->dat, p, (size_t)tkt->length); - p += tkt->length; - - if (kdc_time != NULL) - KRB4_GET32(*kdc_time, p, le); - - return KRB4PROT_OK; -#undef CIPH_REMAIN -} - -/* - * encode_apreq - * - * The following was originally from mk_req.c. - * - * unsigned char KRB_PROT_VERSION protocol version no. 
- * unsigned char AUTH_MSG_APPL_REQUEST message type - * (least significant - * bit of above) HOST_BYTE_ORDER local byte ordering - * unsigned char kvno from ticket server's key version - * string realm server's realm - * unsigned char tl ticket length - * unsigned char idl request id length - * binary ticket->dat ticket for server - * binary req_id->dat request id - */ -int KRB5_CALLCONV -krb4prot_encode_apreq(int kvno, char *realm, - KTEXT tkt, KTEXT req_id, - int chklen, /* check str len? */ - int le, /* little-endian? */ - KTEXT pkt) -{ - unsigned char *p; - size_t realmlen; - - p = pkt->dat; - /* Assume >= 3 bytes in a KTEXT. */ - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_APPL_REQUEST | !!le; - - *p++ = kvno; - - realmlen = strlen(realm) + 1; - if (chklen && realmlen > REALM_SZ) - return KRB4PROT_ERR_OVERRUN; - if (tkt->length > 255 || req_id->length > 255) - return KRB4PROT_ERR_OVERRUN; - if ((sizeof(pkt->dat) - (p - pkt->dat)) - < (realmlen - + 1 /* tkt->length */ - + 1 /* req_id->length */ - + tkt->length + req_id->length)) - return KRB4PROT_ERR_OVERRUN; - - memcpy(p, realm, realmlen); - p += realmlen; - - *p++ = tkt->length; - *p++ = req_id->length; - memcpy(p, tkt->dat, (size_t)tkt->length); - p += tkt->length; - memcpy(p, req_id->dat, (size_t)req_id->length); - p += req_id->length; - - pkt->length = p - pkt->dat; - return KRB4PROT_OK; -} - -/* - * encode_authent - * - * Encodes an authenticator (called req_id in some of the code for - * some weird reason). Does not encrypt. - * - * The following packet layout is originally from mk_req.c. It is - * rounded up to the next multiple of 8 bytes. 
- * - * string cr.pname {name, instance, and - * string cr.pinst realm of principal - * string myrealm making this request} - * 4 bytes checksum checksum argument given - * unsigned char time_usecs time (microseconds) - * 4 bytes time_secs time (seconds) - */ -int KRB5_CALLCONV -krb4prot_encode_authent(char *pname, char *pinst, char *prealm, - KRB4_32 checksum, - int time_usec, long time_sec, - int chklen, /* check str lens? */ - int le, /* little-endian? */ - KTEXT pkt) -{ - unsigned char *p; - int ret; - - p = pkt->dat; - ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, - pkt, &p); - if (ret) - return ret; - if ((sizeof(pkt->dat) - (p - pkt->dat)) / 8 - < (4 /* checksum */ - + 1 /* microsec */ - + 4 /* time */ - + 7) / 8) /* roundoff */ - return KRB4PROT_ERR_OVERRUN; - - KRB4_PUT32(p, checksum, le); - *p++ = time_usec; - KRB4_PUT32(p, time_sec, le); - - memset(p, 0, 7); /* nul-pad */ - pkt->length = (((p - pkt->dat) + 7) / 8) * 8; - return KRB4PROT_OK; -} - -/* - * decode_error - * - * Decodes an error reply from the KDC. 
- */ -int KRB5_CALLCONV -krb4prot_decode_error(KTEXT pkt, int *le, - char *pname, char *pinst, char *prealm, - unsigned long *time_ws, - unsigned long *err, char *err_string) -{ - unsigned char *p; - int msg_type, ret, errstrlen; - - p = pkt->dat; - if (pkt->length < 2) - return KRB4PROT_ERR_UNDERRUN; - if (*p++ != KRB_PROT_VERSION) - return KRB4PROT_ERR_PROT_VERS; - msg_type = *p++; - *le = msg_type & 1; - msg_type &= ~1; - if (msg_type != AUTH_MSG_ERR_REPLY) - return KRB4PROT_ERR_MSG_TYPE; - - ret = krb4prot_decode_naminstrlm(pkt, &p, pname, pinst, prealm); - if (ret) - return ret; - -#define PKT_REMAIN (pkt->length - (p - pkt->dat)) - if (PKT_REMAIN < (4 /* time */ - + 4)) /* err code */ - return KRB4PROT_ERR_UNDERRUN; - - if (time_ws != NULL) - KRB4_GET32(*time_ws, p, le); - else - p += 4; - if (err != NULL) - KRB4_GET32(*err, p, le); - else - p += 4; - - if (PKT_REMAIN <= 0) /* allow for missing error string */ - return KRB4PROT_OK; - - errstrlen = krb4int_strnlen((char *)p, PKT_REMAIN) + 1; - if (errstrlen <= 0) /* If it's there, it must be nul-terminated. */ - return KRB4PROT_ERR_OVERRUN; - if (err_string != NULL) - memcpy(err_string, p, (size_t)errstrlen); - - return KRB4PROT_OK; -#undef PKT_REMAIN -} diff --git a/src/lib/krb4/prot_common.c b/src/lib/krb4/prot_common.c deleted file mode 100644 index 3e36de129..000000000 --- a/src/lib/krb4/prot_common.c +++ /dev/null 
@@ -1,136 +0,0 @@
-/*
- * lib/krb4/prot_common.c
- *
- * Copyright 2001 by the Massachusetts Institute of Technology. All
- * Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Contains some common code used by multiple encoders/decoders.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include
-
-/*
- * encode_naminstrlm
- *
- * Takes input string triplet of a principal, encodes into PKT.
- * Assumes that input strings are properly terminated. If CHKLEN is
- * non-zero, validate input string lengths against their respective
- * limits. The pointer P is the address of the moving pointer used by
- * the caller, and is updated here.
- *
- * Returns zero on success, non-zero on failure.
- *
- * PKT->LENGTH is NOT updated. The caller must update it.
- */
-int KRB5_CALLCONV
-krb4prot_encode_naminstrlm(char *name, char *inst, char *realm,
- int chklen, /* check input str len?
*/
- KTEXT pkt, /* buffer to encode into */
- unsigned char **p /* moving pointer */)
-{
- size_t namelen, instlen, realmlen;
-
- namelen = strlen(name) + 1;
- instlen = strlen(inst) + 1;
- realmlen = strlen(realm) + 1;
- if (chklen && (namelen > ANAME_SZ || instlen > INST_SZ
- || realmlen > REALM_SZ))
- return KRB4PROT_ERR_OVERRUN;
- if (*p - pkt->dat < namelen + instlen + realmlen)
- return KRB4PROT_ERR_OVERRUN;
- memcpy(*p, name, namelen);
- *p += namelen;
- memcpy(*p, inst, instlen);
- *p += namelen;
- memcpy(*p, realm, realmlen);
- *p += namelen;
- return KRB4PROT_OK;
-}
-
-/*
- * decode_naminstrlm
- *
- * Grabs a string triplet corresponding to a principal. The input
- * buffer PKT should have its length properly set. The pointer P is
- * the address of the moving pointer used by the caller, and will be
- * updated. If any input pointer is NULL, merely skip the string.
- *
- * The output strings NAME, INST, and REALM are assumed to be of the
- * correct sizes (ANAME_SZ, INST_SZ, REALM_SZ).
- *
- * Returns 0 on success, non-zero on failure.
- */
-int KRB5_CALLCONV
-krb4prot_decode_naminstrlm(KTEXT pkt, /* buffer to decode from */
- unsigned char **p, /* moving pointer */
- char *name, char *inst, char *realm)
-{
- int len;
-
-#define PKT_REMAIN (pkt->length - (*p - pkt->dat))
- if (PKT_REMAIN <= 0)
- return KRB4PROT_ERR_UNDERRUN;
- len = krb4int_strnlen((char *)*p, PKT_REMAIN) + 1;
- if (len == 0 || len > ANAME_SZ)
- return KRB4PROT_ERR_OVERRUN;
- if (name != NULL)
- memcpy(name, *p, (size_t)len);
- *p += len;
-
- if (PKT_REMAIN <= 0)
- return KRB4PROT_ERR_UNDERRUN;
- len = krb4int_strnlen((char *)*p, PKT_REMAIN) + 1;
- if (len <= 0 || len > INST_SZ)
- return KRB4PROT_ERR_OVERRUN;
- if (name != NULL)
- memcpy(inst, *p, (size_t)len);
- *p += len;
-
- if (PKT_REMAIN <= 0)
- return KRB4PROT_ERR_UNDERRUN;
- len = krb4int_strnlen((char *)*p, PKT_REMAIN) + 1;
- if (len <= 0 || len > REALM_SZ)
- return KRB4PROT_ERR_OVERRUN;
- if (realm != NULL)
- memcpy(realm, *p, (size_t)len);
- *p += len;
- return KRB4PROT_OK;
-#undef PKT_REMAIN
-}
-
-int KRB5_CALLCONV
-krb4prot_decode_header(KTEXT pkt,
- int *pver, int *msgtype, int *le)
-{
- unsigned char *p;
-
- p = pkt->dat;
- if (pkt->length < 2)
- return KRB4PROT_ERR_UNDERRUN;
- *pver = *p++;
- *msgtype = *p++;
- *le = *msgtype & 1;
- *msgtype &= ~1;
- return KRB4PROT_OK;
-}
diff --git a/src/lib/krb4/prot_kdc.c b/src/lib/krb4/prot_kdc.c
deleted file mode 100644
index aaaa9d00c..000000000
--- a/src/lib/krb4/prot_kdc.c
+++ /dev/null
@@ -1,461 +0,0 @@
-/*
- * lib/krb4/prot_kdc.c
- *
- * Copyright 1985--1988, 2000, 2001 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Contains the protocol encoders and decoders used by the KDC.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include
-#include "port-sockets.h"
-
-/*
- * encode_kdc_reply
- *
- * Encodes a reply from the KDC to the client.
- *
- * Returns KRB4PROT_OK on success, non-zero on failure.
- *
- * Caller is responsible for cleaning up OUTBUF.
- *
- * This packet layout description was originally in cr_auth_repl.c:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- * unsigned char KRB_PROT_VERSION protocol version number
- *
- * unsigned char AUTH_MSG_KDC_REPLY protocol message type
- *
- * [least significant HOST_BYTE_ORDER sender's (server's) byte
- * bit of above field] order
- *
- * string pname principal's name
- *
- * string pinst principal's instance
- *
- * string prealm principal's realm
- *
- * unsigned long time_ws client's timestamp
- *
- * unsigned char n number of tickets
- *
- * unsigned long x_date expiration date
- *
- * unsigned char kvno master key version
- *
- * short cipher->length cipher length
- *
- * binary cipher->dat cipher data
- */
-int KRB5_CALLCONV
-krb4prot_encode_kdc_reply(char *pname, char *pinst, char *prealm,
- long time_ws,
- int n, /* Number of tickets; 0 for krb4 (!) */
- unsigned long x_date, /* exp date */
- int kvno,
- KTEXT cipher, /* encrypted ticket */
- int chklen, /* check input str len? */
- int le, /* little-endian? */
- KTEXT outbuf)
-{
- unsigned char *p;
- int ret;
-
- p = outbuf->dat;
- /* This is really crusty. */
- if (n != 0)
- *p++ = 3;
- else
- *p++ = KRB_PROT_VERSION;
- /* little-endianness based on input, usually big-endian, though.
*/
- *p++ = AUTH_MSG_KDC_REPLY | !!le;
-
- ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen,
- outbuf, &p);
- if (ret)
- return ret;
-
- /* Check lengths */
- if (cipher->length > 65535 || cipher->length < 0)
- return KRB4PROT_ERR_OVERRUN;
- if ((sizeof(outbuf->dat) - (p - outbuf->dat)
- < (4 /* timestamp */
- + 1 /* num of tickets */
- + 4 /* exp date */
- + 1 /* kvno */
- + 2 /* cipher->length */
- + cipher->length))) /* cipher->dat */
- return KRB4PROT_ERR_OVERRUN;
-
- /* Workstation timestamp */
- KRB4_PUT32(p, time_ws, le);
-
- /* Number of tickets */
- *p++ = n;
-
- /* Expiration date */
- KRB4_PUT32(p, x_date, le);
-
- /* Now send the ciphertext and info to help decode it */
- *p++ = kvno;
- KRB4_PUT16(p, cipher->length, le);
- memcpy(p, cipher->dat, (size_t)cipher->length);
- p += cipher->length;
-
- /* And return the packet */
- outbuf->length = p - outbuf->dat;
- return KRB4PROT_OK;
-}
-
-/*
- * encode_ciph
- *
- * Encodes a "cipher" that is to be included in a KDC reply message.
- *
- * Caller is responsible for cleaning up CIPH.
- *
- * Returns KRB4PROT_OK on success, non-zero on failure.
- *
- * Packet format below is originally from cr_ciph.c:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- * 8 bytes session session key for client, service
- *
- * string service service name
- *
- * string instance service instance
- *
- * string realm KDC realm
- *
- * unsigned char life ticket lifetime
- *
- * unsigned char kvno service key version number
- *
- * unsigned char tkt->length length of following ticket
- *
- * data tkt->dat ticket for service
- *
- * 4 bytes kdc_time KDC's timestamp
- *
- * <=7 bytes null null pad to 8 byte multiple
- */
-int KRB5_CALLCONV
-krb4prot_encode_ciph(C_Block session,
- char *name, char *inst, char *realm,
- unsigned long life, int kvno,
- KTEXT tkt, /* ticket */
- unsigned long kdc_time,
- int chklen, /* check str lens? */
- int le, /* little-endian?
*/
- KTEXT ciph) /* output buffer */
-{
- unsigned char *p;
- int ret;
-
- p = ciph->dat;
- /*
- * Assume that there will be >= 8 bytes in a KTEXT. If there
- * aren't, we have worse problems.
- */
- memcpy(p, session, 8);
- p += 8;
-
- ret = krb4prot_encode_naminstrlm(name, inst, realm, chklen,
- ciph, &p);
- if (ret)
- return ret;
- if (tkt->length > 255 || tkt->length < 0)
- return KRB4PROT_ERR_OVERRUN;
- if ((sizeof(ciph->dat) - (p - ciph->dat)) / 8
- < (1 /* life */
- + 1 /* kvno */
- + 1 /* tkt->length */
- + tkt->length /* tkt->dat */
- + 4 /* kdc_time */
- + 7) / 8) /* roundoff */
- return KRB4PROT_ERR_OVERRUN;
-
- *p++ = life;
- *p++ = kvno;
- *p++ = tkt->length;
-
- memcpy(p, tkt->dat, (size_t)tkt->length);
- p += tkt->length;
-
- KRB4_PUT32(p, kdc_time, le);
-
- /* Guarantee null pad to multiple of 8 bytes */
- memset(p, 0, 7);
- ciph->length = (((p - ciph->dat) + 7) / 8) * 8;
- return KRB4PROT_OK;
-}
-
-/*
- * encode_tkt
- *
- * Encode ticket to include in a "cipher". Does not encrypt.
- *
- * Caller is responsible for cleaning TKT.
- *
- * The length of the ticket is a multiple of
- * eight bytes and is in tkt->length.
- *
- * If the ticket is not a multiple of eight bytes long, the ticket
- * will contain nulls.
- *
- * Returns KRB4PROT_OK on success, non-zero on failure.
- *
- * The following packet layout is from cr_tkt.c:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- * unsigned char flags namely, HOST_BYTE_ORDER
- *
- * string pname client's name
- *
- * string pinstance client's instance
- *
- * string prealm client's realm
- *
- * 4 bytes paddress client's address
- *
- * 8 bytes session session key
- *
- * 1 byte life ticket lifetime
- *
- * 4 bytes time_sec KDC timestamp
- *
- * string sname service's name
- *
- * string sinstance service's instance
- *
- * <=7 bytes null null pad to 8 byte multiple
- */
-int KRB5_CALLCONV
-krb4prot_encode_tkt(unsigned int flags,
- char *pname, char *pinst, char *prealm,
- unsigned long paddress,
- char *session,
- int life, long time_sec,
- char *sname, char *sinst,
- int chklen, /* check str lens? */
- int le, /* little-endian? */
- KTEXT tkt) /* output buf */
-{
- struct in_addr paddr;
- unsigned char *p;
- size_t snamelen, sinstlen;
-
- /* Be really paranoid. */
- if (sizeof(paddr.s_addr) != 4)
- return KFAILURE;
-
- p = tkt->dat;
- /*
- * Assume at least one byte in a KTEXT. If not, we have bigger
- * problems. Also, bitwise-OR in the little-endian flag.
- */
- *p++ = flags | !!le;
-
- if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen,
- tkt, &p))
- return KFAILURE;
-
- snamelen = strlen(sname) + 1;
- sinstlen = strlen(sinst) + 1;
- if (life > 255 || life < 0)
- return KFAILURE;
- if (chklen && (snamelen > ANAME_SZ || sinstlen > INST_SZ))
- return KFAILURE;
- if ((sizeof(tkt->dat) - (p - tkt->dat)) / 8
- < (4 /* address */
- + 8 /* session */
- + 1 /* life */
- + 4 /* issue time */
- + snamelen + sinstlen
- + 7) / 8) /* roundoff */
- return KFAILURE;
-
- paddr.s_addr = paddress;
- memcpy(p, &paddr.s_addr, sizeof(paddr.s_addr));
- p += sizeof(paddr.s_addr);
-
- memcpy(p, session, 8);
- p += 8;
- *p++ = life;
- /* issue time */
- KRB4_PUT32(p, time_sec, le);
-
- memcpy(p, sname, snamelen);
- p += snamelen;
- memcpy(p, sinst, sinstlen);
- p += sinstlen;
-
- /* guarantee null padded ticket to multiple of 8 bytes */
- memset(p, 0, 7);
- tkt->length = ((p - tkt->dat + 7) / 8) * 8;
- return KSUCCESS;
-}
-
-/*
- * encode_err_reply
- *
- * Encode an error reply message from the KDC to the client.
- *
- * Returns KRB4PROT_OK on success, non-zero on error.
- *
- * The following packet layout description is from cr_err_repl.c:
- *
- * type variable data
- * or constant
- * ---- ----------- ----
- * unsigned char req_ack_vno protocol version number
- *
- * unsigned char AUTH_MSG_ERR_REPLY protocol message type
- *
- * [least significant HOST_BYTE_ORDER sender's (server's) byte
- * bit of above field] order
- *
- * string pname principal's name
- *
- * string pinst principal's instance
- *
- * string prealm principal's realm
- *
- * unsigned long time_ws client's timestamp
- *
- * unsigned long e error code
- *
- * string e_string error text
- */
-int KRB5_CALLCONV
-krb4prot_encode_err_reply(char *pname, char *pinst, char *prealm,
- unsigned long time_ws,
- unsigned long err, /* error code */
- char *err_string, /* error text */
- int chklen, /* check str lens? */
- int le, /* little-endian?
*/
- KTEXT pkt) /* output buf */
-{
- unsigned char *p;
- size_t err_stringlen;
-
- p = pkt->dat;
- /* Assume >= 2 bytes in KTEXT. */
- *p++ = KRB_PROT_VERSION;
- *p++ = AUTH_MSG_ERR_REPLY | !!le;
-
- if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen,
- pkt, &p))
- return KFAILURE;
-
- err_stringlen = strlen(err_string) + 1;
- if ((sizeof(pkt->dat) - (p - pkt->dat))
- < (4 /* timestamp */
- + 4 /* err code */
- + err_stringlen))
- return KFAILURE;
- /* ws timestamp */
- KRB4_PUT32(p, time_ws, le);
- /* err code */
- KRB4_PUT32(p, err, le);
- /* err text */
- memcpy(p, err_string, err_stringlen);
- p += err_stringlen;
-
- /* And return */
- pkt->length = p - pkt->dat;
- return KSUCCESS;
-}
-
-/*
- * decode_kdc_request
- *
- * Decode an initial ticket request sent from the client to the KDC.
- *
- * Packet format is described in g_in_tkt.c.
- *
- * Returns KRB4PROT_OK on success, non-zero on failure.
- */
-int KRB5_CALLCONV
-krb4prot_decode_kdc_request(KTEXT pkt,
- int *le,
- char *pname, char *pinst, char *prealm,
- long *req_time, int *life,
- char *sname, char *sinst)
-{
- unsigned char *p;
- int msg_type, ret, len;
-
- p = pkt->dat;
-
- /* Get prot vers and msg type */
- if (pkt->length < 2)
- return KRB4PROT_ERR_UNDERRUN;
- if (*p++ != KRB_PROT_VERSION)
- return KRB4PROT_ERR_PROT_VERS;
- msg_type = *p++;
- *le = msg_type & 1;
- msg_type &= ~1;
- if (msg_type != AUTH_MSG_KDC_REQUEST)
- return KRB4PROT_ERR_MSG_TYPE;
-
- ret = krb4prot_decode_naminstrlm(pkt, &p, pname, pinst, prealm);
- if (ret)
- return ret;
-
-#define PKT_REMAIN (pkt->length - (p - pkt->dat))
-
- if (PKT_REMAIN < (4 /* time */
- + 1)) /* life */
- return KRB4PROT_ERR_UNDERRUN;
-
- KRB4_GET32(*req_time, p, *le);
-
- *life = *p++;
-
- if (PKT_REMAIN <= 0)
- return KRB4PROT_ERR_UNDERRUN;
- len = krb4int_strnlen((char *)p, PKT_REMAIN) + 1;
- if (len <= 0 || len > ANAME_SZ)
- return KRB4PROT_ERR_OVERRUN;
- memcpy(sname, p, (size_t)len);
- p += len;
-
- if (PKT_REMAIN <= 0)
- return
KRB4PROT_ERR_UNDERRUN;
- len = krb4int_strnlen((char *)p, PKT_REMAIN) + 1;
- if (len <= 0 || len > INST_SZ)
- return KRB4PROT_ERR_OVERRUN;
- memcpy(sinst, p, (size_t)len);
- p += len;
-
- /* XXX krb4 preauth? */
- return KRB4PROT_OK;
-}
diff --git a/src/lib/krb4/put_svc_key.c b/src/lib/krb4/put_svc_key.c
deleted file mode 100644
index 53e53c71a..000000000
--- a/src/lib/krb4/put_svc_key.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* lib/krb/put_svc_key.c */
-/* Copyright 1994 Cygnus Support */
-/* Mark W. Eichin */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * put_svc_key is a simple version of what 'ksrvutil add' provides, for some
- * circumstances when service keys are distributed by applictions.
- *
- * Caveats: currently uses UNIX I/O (open, read) rather than stdio - this
- * should be fixed.
- * It could probably be made more general (and then actually be used
- * by ksrvutil.) This version supports just enough to be useful.
- */
-
-#include "krb.h"
-#include "krb4int.h"
-
-#include
-#include
-#include
-#include "autoconf.h"
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#include "k5-platform.h"
-
-#define KEYSZ sizeof(C_Block)
-/* strict put_svc_key.
- The srvtab must already exist;
- The key (exact match) must already be in the file;
- version numbers are not checked.
- */
-int KRB5_CALLCONV
-put_svc_key(sfile,name,inst,realm,newvno,key)
- char *sfile;
- char *name;
- char *inst;
- char *realm;
- int newvno;
- char *key;
-{
- int fd;
- char fname[SNAME_SZ], finst[INST_SZ], frlm[REALM_SZ];
- unsigned char fvno;
- char fkey[KEYSZ];
-
- if (!sfile)
- sfile = KEYFILE;
-
- if ((fd = open(sfile, O_RDWR)) < 0)
- return KFAILURE;
- set_cloexec_fd(fd);
-
- while(getst(fd,fname,SNAME_SZ) > 0) {
- getst(fd,finst,INST_SZ);
- getst(fd,frlm,REALM_SZ);
- if (!strcmp(fname,name)
- && !strcmp(finst,inst)
- && !strcmp(frlm,realm)) {
- /* all matched, so write new data */
- fvno = newvno;
- lseek(fd,0,SEEK_CUR);
- if (write(fd,&fvno,1) != 1) {
- close(fd);
- return KFAILURE;
- }
- if (write(fd,key,KEYSZ) != KEYSZ) {
- close(fd);
- return KFAILURE;
- }
- close(fd);
- return KSUCCESS;
- }
- if (read(fd,&fvno,1) != 1) {
- close(fd);
- return KFAILURE;
- }
- if (read(fd,fkey,KEYSZ) != KEYSZ) {
- close(fd);
- return KFAILURE;
- }
- }
- /* never found it */
- close(fd);
- return KFAILURE;
-}
diff --git a/src/lib/krb4/rd_err.c b/src/lib/krb4/rd_err.c
deleted file mode 100644
index 47f5167b5..000000000
--- a/src/lib/krb4/rd_err.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * lib/krb4/rd_err.c
- *
- * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Steve Miller Project Athena MIT/DEC
- */
-
-#include
-
-#include "krb.h"
-#include "prot.h"
-
-/*
- * Given an AUTH_MSG_APPL_ERR message, "in" and its length "in_length",
- * return the error code from the message in "code" and the text in
- * "m_data" as follows:
- *
- * m_data->app_data points to the error text
- * m_data->app_length points to the length of the error text
- *
- * If all goes well, return RD_AP_OK. If the version number
- * is wrong, return RD_AP_VERSION, and if it's not an AUTH_MSG_APPL_ERR
- * type message, return RD_AP_MSG_TYPE.
- *
- * The AUTH_MSG_APPL_ERR message format can be found in mk_err.c
- */
-
-int KRB5_CALLCONV
-krb_rd_err(in, in_length, code, m_data)
- u_char *in; /* pointer to the msg received */
- u_long in_length; /* of in msg */
- long *code; /* received error code */
- MSG_DAT *m_data;
-{
- register u_char *p;
- int le;
- unsigned KRB4_32 raw_code;
-
- p = in; /* beginning of message */
-
- if (in_length < 1 + 1 + 4)
- return RD_AP_MODIFIED; /* XXX should have better error code */
- if (*p++ != KRB_PROT_VERSION)
- return RD_AP_VERSION;
- if (((*p) & ~1) != AUTH_MSG_APPL_ERR)
- return RD_AP_MSG_TYPE;
- le = *p++ & 1;
-
- KRB4_GET32(raw_code, p, le);
- *code = raw_code; /* XXX unsigned->signed conversion! */
-
- m_data->app_data = p; /* we're now at the error text
- * message */
- m_data->app_length = p - in;
-
- return RD_AP_OK; /* OK == 0 */
-}
diff --git a/src/lib/krb4/rd_preauth.c b/src/lib/krb4/rd_preauth.c
deleted file mode 100644
index b30838cc4..000000000
--- a/src/lib/krb4/rd_preauth.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/* rd_preauth.c */
-/* part of Cygnus Network Security */
-/* Copyright 1994 Cygnus Support */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "krb_db.h"
-#include "prot.h"
-#include "des.h"
-#include "krb4int.h"
-#include
-
-/* #define KERB_ERR_PREAUTH_SHORT 11 */
-/* #define KERB_ERR_PREAUTH_MISMATCH 12 */
-
-
-int
-krb_rd_preauth(pkt, preauth_p, preauth_len, auth_pr, key)
- KTEXT pkt;
- char *preauth_p;
- int preauth_len;
- Principal *auth_pr;
- des_cblock key;
-{
- int st;
- char *name_p;
-
- name_p = auth_pr->name;
-
-#ifndef NOENCRYPTION
- /* Decrypt preauth_p using key as the key and initialization vector. */
- /* check preauth_len */
- if ((((strlen(name_p) + 1) / 8) + 1) * 8 != preauth_len)
- return KERB_ERR_PREAUTH_SHORT;
- else {
- des_key_schedule key_s;
-
- if (des_key_sched(key, key_s)) {
- return 1;
- }
- des_pcbc_encrypt((des_cblock *)preauth_p, (des_cblock *)preauth_p,
- (long)preauth_len, key_s, (des_cblock *)key,
- DES_DECRYPT);
- memset(key_s, 0, sizeof(key_s));
- }
-#endif /* R3_NO_MODIFICATIONS */
-
- /* since the preauth data has the trailing 0, this just works */
- st = strcmp(preauth_p, name_p);
- if (st)
- return KERB_ERR_PREAUTH_MISMATCH;
- return 0;
-}
diff --git a/src/lib/krb4/rd_priv.c b/src/lib/krb4/rd_priv.c
deleted file mode 100644
index 1ba60081c..000000000
--- a/src/lib/krb4/rd_priv.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * lib/krb4/rd_priv.c
- *
- * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * This routine dissects a a Kerberos 'private msg', decrypting it,
- * checking its integrity, and returning a pointer to the application
- * data contained and its length.
- *
- * Returns 0 (RD_AP_OK) for success or an error code (RD_AP_...). If
- * the return value is RD_AP_TIME, then either the times are too far
- * out of synch, OR the packet was modified.
- *
- * Steve Miller Project Athena MIT/DEC
- */
-
-/* system include files */
-#include
-#include
-
-/* application include files */
-#include "krb.h"
-#include "prot.h"
-#include "des.h"
-#include "lsb_addr_cmp.h"
-#include "port-sockets.h"
-
-extern int krb_debug;
-
-/* This one is exported, for use by krb_mk_priv.
- */
-int private_msg_ver = KRB_PROT_VERSION;
-
-/*
-#ifdef NOENCRPYTION
- * krb_rd_priv() checks the integrity of an
-#else
- * krb_rd_priv() decrypts and checks the integrity of an
-#endif
- * AUTH_MSG_PRIVATE message. Given the message received, "in",
- * the length of that message, "in_length", the key "schedule"
-#ifdef NOENCRYPTION
- * and "key", and the network addresses of the
-#else
- * and "key" to decrypt with, and the network addresses of the
-#endif
- * "sender" and "receiver" of the message, krb_rd_safe() returns
- * RD_AP_OK if the message is okay, otherwise some error code.
- *
- * The message data retrieved from "in" are returned in the structure
-#ifdef NOENCRYPTION
- * "m_data". The pointer to the application data
-#else
- * "m_data". The pointer to the decrypted application data
-#endif
- * (m_data->app_data) refers back to the appropriate place in "in".
- *
- * See the file "mk_priv.c" for the format of the AUTH_MSG_PRIVATE
- * message. The structure containing the extracted message
- * information, MSG_DAT, is defined in "krb.h".
- */
-
-long KRB5_CALLCONV
-krb_rd_priv(in, in_length, schedule, key, sender, receiver, m_data)
- u_char *in; /* pointer to the msg received */
- unsigned KRB4_32 in_length; /* length of "in" msg */
- Key_schedule schedule; /* precomputed key schedule */
- C_Block *key; /* encryption key for seed and ivec */
- struct sockaddr_in *sender;
- struct sockaddr_in *receiver;
- MSG_DAT *m_data; /*various input/output data from msg */
-{
- register u_char *p,*q;
- int v, t, le;
- struct in_addr src_addr;
- unsigned KRB4_32 c_length;
- int swap_bytes;
- unsigned KRB4_32 t_local;
- KRB4_32 delta_t; /* Difference between timestamps */
-
- p = in; /* beginning of message */
-#define IN_REMAIN (in_length - (p - in))
- swap_bytes = 0;
-
- if (IN_REMAIN < 1 + 1 + 4)
- return RD_AP_MODIFIED;
- v = *p++;
- if (v != KRB_PROT_VERSION && v != 3)
- return RD_AP_VERSION;
- private_msg_ver = v;
- t = *p++;
- if ((t & ~1) != AUTH_MSG_PRIVATE)
- return RD_AP_MSG_TYPE;
- le = t & 1;
-
- /* get cipher length */
- KRB4_GET32(c_length, p, le);
- /* check for rational length so we don't go comatose */
- if (IN_REMAIN < c_length)
- return RD_AP_MODIFIED;
-
-#ifndef NOENCRYPTION
- /*
- * decrypt to obtain length, timestamps, app_data, and checksum
- * use the session key as an ivec
- */
-#endif
-
- q = p; /* mark start of encrypted stuff */
-
-#ifndef NOENCRYPTION
- /* pcbc decrypt, use key as ivec */
- pcbc_encrypt((C_Block *)q, (C_Block *)q, (long)c_length,
- schedule, key, DECRYPT);
-#endif
-
- /* safely get application data length */
- KRB4_GET32(m_data->app_length, p, le);
-
- if (IN_REMAIN < m_data->app_length + 4 + 1 + 4)
- return RD_AP_MODIFIED;
-
-#ifndef NOENCRYPTION
- /* we're now at the decrypted application data */
-#endif
- m_data->app_data = p;
-
- p += m_data->app_length;
-
- /* safely get time_5ms */
- m_data->time_5ms = *p++;
-
- /* safely get src address */
- memcpy(&src_addr.s_addr, p, sizeof(src_addr.s_addr));
- /* don't swap, net order always */
- p +=
sizeof(src_addr.s_addr);
-
- if (!krb_ignore_ip_address) {
- switch (sender->sin_family) {
- case AF_INET:
- if (src_addr.s_addr != sender->sin_addr.s_addr)
- return RD_AP_MODIFIED;
- break;
-#ifdef KRB5_USE_INET6
- case AF_INET6:
- if (IN6_IS_ADDR_V4MAPPED (&((struct sockaddr_in6 *)sender)->sin6_addr)
- && !memcmp (&src_addr.s_addr,
- 12 + (char *) &((struct sockaddr_in6 *)sender)->sin6_addr,
- 4))
- break;
- /* Not v4 mapped? Not ignoring addresses? You lose. */
- return RD_AP_MODIFIED;
-#endif
- default:
- return RD_AP_MODIFIED;
- }
- }
-
- /* safely get time_sec */
- KRB4_GET32(m_data->time_sec, p, le);
-
- /* check direction bit is the sign bit */
- /* For compatibility with broken old code, compares are done in VAX
- byte order (LSBFIRST) */
- /* However, if we don't have good ip addresses anyhow, just clear
- the bit. This makes it harder to detect replay of sent packets
- back to the receiver, but most higher level protocols can deal
- with that more directly. */
- if (krb_ignore_ip_address) {
- if (m_data->time_sec < 0)
- m_data->time_sec = -m_data->time_sec;
- } else
- switch (krb4int_address_less (sender, receiver)) {
- case 1:
- m_data->time_sec = -m_data->time_sec;
- break;
- case -1:
- if (m_data->time_sec < 0)
- m_data->time_sec = -m_data->time_sec;
- break;
- }
-
- /* check the time integrity of the msg */
- t_local = TIME_GMT_UNIXSEC;
- delta_t = t_local - m_data->time_sec;
- if (delta_t < 0)
- delta_t = -delta_t; /* Absolute value of difference */
- if (delta_t > CLOCK_SKEW)
- return RD_AP_TIME; /* XXX should probably be better code */
- DEB(("\ndelta_t = %d", delta_t));
-
- /*
- * caller must check timestamps for proper order and
- * replays, since server might have multiple clients
- * each with its own timestamps and we don't assume
- * tightly synchronized clocks.
- */
-
-#ifdef notdef
- memcpy((char *)&cksum, (char *) p, sizeof(cksum));
- if (swap_bytes) cksum = krb4_swab32(cksum)
- /*
- * calculate the checksum of the length, sequence,
- * and input data, on the sending byte order!!
- */
- calc_cksum = quad_cksum(q, NULL, p-q, 0, key);
-
- DEB (("\ncalc_cksum = %u, received cksum = %u",
- calc_cksum, cksum));
- if (cksum != calc_cksum)
- return RD_AP_MODIFIED;
-#endif
- return RD_AP_OK; /* OK == 0 */
-}
diff --git a/src/lib/krb4/rd_req.c b/src/lib/krb4/rd_req.c
deleted file mode 100644
index a1d70c643..000000000
--- a/src/lib/krb4/rd_req.c
+++ /dev/null
@@ -1,543 +0,0 @@
-/*
- * lib/krb4/rd_req.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2002 by the
- * Massachusetts Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "des.h"
-#include "krb.h"
-#include "prot.h"
-#include
-#include
-#include
-
-extern int krb_ap_req_debug;
-
-static int
-krb_rd_req_with_key(KTEXT, char *, char *, KRB_UINT32, AUTH_DAT *,
- Key_schedule, krb5_keyblock *);
-
-/* declared in krb.h */
-int krb_ignore_ip_address = 0;
-
-/*
- * Keep the following information around for subsequent calls
- * to this routine by the same server using the same key.
- */
-
-static Key_schedule serv_key; /* Key sched to decrypt ticket */
-static C_Block ky; /* Initialization vector */
-static int st_kvno; /* version number for this key */
-static char st_rlm[REALM_SZ]; /* server's realm */
-static char st_nam[ANAME_SZ]; /* service name */
-static char st_inst[INST_SZ]; /* server's instance */
-static int krb5_key; /* whether krb5 key is used for decrypt */
-
-/*
- * This file contains two functions. krb_set_key() takes a DES
- * key or password string and returns a DES key (either the original
- * key, or the password converted into a DES key) and a key schedule
- * for it.
- *
- * krb_rd_req() reads an authentication request and returns information
- * about the identity of the requestor, or an indication that the
- * identity information was not authentic.
- */
-
-/*
- * krb_set_key() takes as its first argument either a DES key or a
- * password string. The "cvt" argument indicates how the first
- * argument "key" is to be interpreted: if "cvt" is null, "key" is
- * taken to be a DES key; if "cvt" is non-null, "key" is taken to
- * be a password string, and is converted into a DES key using
- * string_to_key(). In either case, the resulting key is returned
- * in the external static variable "ky". A key schedule is
- * generated for "ky" and returned in the external static variable
- * "serv_key".
- *
- * This routine returns the return value of des_key_sched.
- *
- * krb_set_key() needs to be in the same .o file as krb_rd_req() so that
- * the key set by krb_set_key() is available in private storage for
- * krb_rd_req().
- */
-
-static krb5_keyblock srv_k5key;
-
-int
-krb_set_key(key, cvt)
- char *key;
- int cvt;
-{
- if (krb5_key)
- /* XXX assumes that context arg is ignored */
- krb5_free_keyblock_contents(NULL, &srv_k5key);
- krb5_key = 0;
-#ifdef NOENCRYPTION
- memset(ky, 0, sizeof(ky));
- return KSUCCESS;
-#else /* Encrypt */
- if (cvt)
- string_to_key(key, ky);
- else
- memcpy((char *)ky, key, 8);
- return des_key_sched(ky,serv_key);
-#endif /* NOENCRYPTION */
-}
-
-int
-krb_set_key_krb5(ctx, key)
- krb5_context ctx;
- krb5_keyblock *key;
-{
- if (krb5_key)
- krb5_free_keyblock_contents(ctx, &srv_k5key);
- krb5_key = 1;
- return krb5_copy_keyblock_contents(ctx, key, &srv_k5key);
-}
-
-void
-krb_clear_key_krb5(ctx)
- krb5_context ctx;
-{
- if (krb5_key)
- krb5_free_keyblock_contents(ctx, &srv_k5key);
- krb5_key = 0;
-}
-
-/*
- * krb_rd_req() takes an AUTH_MSG_APPL_REQUEST or
- * AUTH_MSG_APPL_REQUEST_MUTUAL message created by krb_mk_req(),
- * checks its integrity and returns a judgement as to the requestor's
- * identity.
- *
- * The "authent" argument is a pointer to the received message.
- * The "service" and "instance" arguments name the receiving server,
- * and are used to get the service's ticket to decrypt the ticket
- * in the message, and to compare against the server name inside the
- * ticket. "from_addr" is the network address of the host from which
- * the message was received; this is checked against the network
- * address in the ticket. If "from_addr" is zero, the check is not
- * performed. "ad" is an AUTH_DAT structure which is
- * filled in with information about the sender's identity according
- * to the authenticator and ticket sent in the message. Finally,
- * "fn" contains the name of the file containing the server's key.
- * (If "fn" is NULL, the server's key is assumed to have been set
- * by krb_set_key(). If "fn" is the null string ("") the default
- * file KEYFILE, defined in "krb.h", is used.)
- * - * krb_rd_req() returns RD_AP_OK if the authentication information - * was genuine, or one of the following error codes (defined in - * "krb.h"): - * - * RD_AP_VERSION - wrong protocol version number - * RD_AP_MSG_TYPE - wrong message type - * RD_AP_UNDEC - couldn't decipher the message - * RD_AP_INCON - inconsistencies found - * RD_AP_BADD - wrong network address - * RD_AP_TIME - client time (in authenticator) - * too far off server time - * RD_AP_NYV - Kerberos time (in ticket) too - * far off server time - * RD_AP_EXP - ticket expired - * - * For the message format, see krb_mk_req(). - * - * Mutual authentication is not implemented. - */ - -static int -krb_rd_req_with_key(authent, service, instance, from_addr, ad, ks, k5key) - register KTEXT authent; /* The received message */ - char *service; /* Service name */ - char *instance; /* Service instance */ - unsigned KRB4_32 from_addr; /* Net address of originating host */ - AUTH_DAT *ad; /* Structure to be filled in */ - Key_schedule ks; - krb5_keyblock *k5key; -{ - KTEXT_ST ticket; /* Temp storage for ticket */ - KTEXT tkt = &ticket; - KTEXT_ST req_id_st; /* Temp storage for authenticator */ - register KTEXT req_id = &req_id_st; - - char realm[REALM_SZ]; /* Realm of issuing kerberos */ - Key_schedule seskey_sched; /* Key sched for session key */ - char sname[SNAME_SZ]; /* Service name from ticket */ - char iname[INST_SZ]; /* Instance name from ticket */ - char r_aname[ANAME_SZ]; /* Client name from authenticator */ - char r_inst[INST_SZ]; /* Client instance from authenticator */ - char r_realm[REALM_SZ]; /* Client realm from authenticator */ - unsigned int r_time_ms; /* Fine time from authenticator */ - unsigned KRB4_32 r_time_sec; /* Coarse time from authenticator */ - register unsigned char *ptr; /* For stepping through */ - unsigned KRB4_32 t_local; /* Local time on our side of the protocol */ - KRB4_32 delta_t; /* Time in authenticator minus local time */ -#ifdef KRB_CRYPT_DEBUG - KRB4_32 tkt_age; /* Age 
of ticket */ -#endif - int le; /* is little endian? */ - int mutual; /* Mutual authentication requested? */ - int t; /* msg type */ - unsigned char s_kvno; /* Version number of the server's key - Kerberos used to encrypt ticket */ - int ret; - int len; - - tkt->mbz = req_id->mbz = 0; - - if (authent->length < 1 + 1 + 1) - return RD_AP_MODIFIED; - - ptr = authent->dat; -#define AUTHENT_REMAIN (authent->length - (ptr - authent->dat)) - - /* get msg version, type and byte order, and server key version */ - - /* check version */ - if (KRB_PROT_VERSION != *ptr++) - return RD_AP_VERSION; - - /* byte order */ - t = *ptr++; - le = t & 1; - - /* check msg type */ - mutual = 0; - switch (t & ~1) { - case AUTH_MSG_APPL_REQUEST: - break; - case AUTH_MSG_APPL_REQUEST_MUTUAL: - mutual++; - break; - default: - return RD_AP_MSG_TYPE; - } - -#ifdef lint - /* XXX mutual is set but not used; why??? */ - /* this is a crock to get lint to shut up */ - if (mutual) - mutual = 0; -#endif /* lint */ - s_kvno = *ptr++; /* get server key version */ - len = krb4int_strnlen((char *)ptr, AUTHENT_REMAIN) + 1; - if (len <= 0 || len > sizeof(realm)) { - return RD_AP_MODIFIED; /* must have been modified, the client wouldn't - try to trick us with wacky data */ - } - /* And the realm of the issuing KDC */ - (void)memcpy(realm, ptr, (size_t)len); - ptr += len; /* skip the realm "hint" */ - - /* Get ticket length */ - tkt->length = *ptr++; - /* Get authenticator length while we're at it. 
*/ - req_id->length = *ptr++; - if (AUTHENT_REMAIN < tkt->length + req_id->length) - return RD_AP_MODIFIED; - /* Copy ticket */ - memcpy(tkt->dat, ptr, (size_t)tkt->length); - ptr += tkt->length; - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("ticket->length: %d",tkt->length); - if (krb_ap_req_debug) - log("authent->length: %d", authent->length); -#endif - -#ifndef NOENCRYPTION - /* Decrypt and take apart ticket */ -#endif - - if (k5key == NULL) { - if (decomp_ticket(tkt,&ad->k_flags,ad->pname,ad->pinst,ad->prealm, - &(ad->address),ad->session, &(ad->life), - &(ad->time_sec),sname,iname,ky,ks)) { -#ifdef KRB_CRYPT_DEBUG - log("Can't decode ticket"); -#endif - return(RD_AP_UNDEC); - } - } else { - if (decomp_tkt_krb5(tkt, &ad->k_flags, ad->pname, ad->pinst, - ad->prealm, &ad->address, ad->session, - &ad->life, &ad->time_sec, sname, iname, - k5key)) { - return RD_AP_UNDEC; - } - } - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) { - log("Ticket Contents."); - log(" Aname: %s%s%s@%s",ad->pname, - ((int)*(ad->pinst) ? "." : ""), ad->pinst, - ((int)*(ad->prealm) ? ad->prealm : "Athena")); - log(" Service: %s%s%s",sname,((int)*iname ? "." 
: ""),iname); - log(" sname=%s, sinst=%s", sname, iname); - } -#endif - - /* Extract the authenticator */ - memcpy(req_id->dat, ptr, (size_t)req_id->length); - -#ifndef NOENCRYPTION - /* And decrypt it with the session key from the ticket */ -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) log("About to decrypt authenticator"); -#endif - - key_sched(ad->session, seskey_sched); - pcbc_encrypt((C_Block *)req_id->dat, (C_Block *)req_id->dat, - (long)req_id->length, - seskey_sched, &ad->session, DES_DECRYPT); - memset(seskey_sched, 0, sizeof(seskey_sched)); - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) log("Done."); -#endif -#endif /* NOENCRYPTION */ - - ptr = req_id->dat; -#define REQID_REMAIN (req_id->length - (ptr - req_id->dat)) - - ret = RD_AP_MODIFIED; - - len = krb4int_strnlen((char *)ptr, REQID_REMAIN) + 1; - if (len <= 0 || len > ANAME_SZ) - goto cleanup; - memcpy(r_aname, ptr, (size_t)len); /* Authentication name */ - ptr += len; - len = krb4int_strnlen((char *)ptr, REQID_REMAIN) + 1; - if (len <= 0 || len > INST_SZ) - goto cleanup; - memcpy(r_inst, ptr, (size_t)len); /* Authentication instance */ - ptr += len; - len = krb4int_strnlen((char *)ptr, REQID_REMAIN) + 1; - if (len <= 0 || len > REALM_SZ) - goto cleanup; - memcpy(r_realm, ptr, (size_t)len); /* Authentication name */ - ptr += len; - - if (REQID_REMAIN < 4 + 1 + 4) - goto cleanup; - KRB4_GET32(ad->checksum, ptr, le); - r_time_ms = *ptr++; /* Time (fine) */ -#ifdef lint - /* XXX r_time_ms is set but not used. why??? 
*/ - /* this is a crock to get lint to shut up */ - if (r_time_ms) - r_time_ms = 0; -#endif /* lint */ - /* Time (coarse) */ - KRB4_GET32(r_time_sec, ptr, le); - - /* Check for authenticity of the request */ -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("Pname: %s %s",ad->pname,r_aname); -#endif - - ret = RD_AP_INCON; - if (strcmp(ad->pname,r_aname) != 0) - goto cleanup; - if (strcmp(ad->pinst,r_inst) != 0) - goto cleanup; - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("Realm: %s %s",ad->prealm,r_realm); -#endif - - if (strcmp(ad->prealm,r_realm) != 0) - goto cleanup; - - /* check the time integrity of the msg */ - ret = RD_AP_TIME; - t_local = TIME_GMT_UNIXSEC; - delta_t = t_local - r_time_sec; - if (delta_t < 0) delta_t = -delta_t; /* Absolute value of difference */ - if (delta_t > CLOCK_SKEW) { -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("Time out of range: %d - %d = %d", - time_secs, r_time_sec, delta_t); -#endif - goto cleanup; - } - - /* Now check for expiration of ticket */ - - ret = RD_AP_NYV; -#ifdef KRB_CRYPT_DEBUG - tkt_age = t_local - ad->time_sec; - if (krb_ap_req_debug) - log("Time: %d Issue Date: %d Diff: %d Life %x", - time_secs, ad->time_sec, tkt_age, ad->life); -#endif - if (t_local < ad->time_sec) { - if ((ad->time_sec - t_local) > CLOCK_SKEW) - goto cleanup; - } else if (krb_life_to_time((KRB4_32)ad->time_sec, ad->life) - < t_local + CLOCK_SKEW) { - /* - * This calculation is different than the same expiration - * calculation in krb5. In krb5 the ticket lasts for - * clock_skew seconds longer than its expiration; in krb4 it - * lasts clock_skew seconds less. This difference is - * necessary to avoid using an almost expired tgt to get a new - * tgt that will last for another 5 minutes. This code - * interacts with the login in src/kdc/kerberos_v4.c to - * back-date tickets to avoid them expiring late. 
The - * combination may be overly conservative, but I'm fairly sure - * either removing the kerberos_v4 backdating or replacing - * this check with the krb5 check is sufficient to create a - * security problem. - */ - ret = RD_AP_EXP; - goto cleanup; - } - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("Address: %d %d",ad->address,from_addr); -#endif - - if (!krb_ignore_ip_address - && from_addr && (ad->address != from_addr)) { - ret = RD_AP_BADD; - goto cleanup; - } - - /* All seems OK */ - ad->reply.length = 0; - ret = 0; - -cleanup: - if (ret) { - /* Stomp on session key if there is an error. */ - memset(ad->session, 0, sizeof(ad->session)); - return ret; - } - - return RD_AP_OK; -} - -int KRB5_CALLCONV -krb_rd_req_int(authent, service, instance, from_addr, ad, key) - KTEXT authent; /* The received message */ - char *service; /* Service name */ - char *instance; /* Service instance */ - KRB_UINT32 from_addr; /* Net address of originating host */ - AUTH_DAT *ad; /* Structure to be filled in */ - C_Block key; /* Key to decrypt ticket with */ -{ - Key_schedule ks; - int ret; - - do { - ret = des_key_sched(key, ks); - if (ret) break; - ret = krb_rd_req_with_key(authent, service, instance, - from_addr, ad, ks, NULL); - } while (0); - memset(ks, 0, sizeof(ks)); - return ret; -} - -int KRB5_CALLCONV -krb_rd_req(authent, service, instance, from_addr, ad, fn) - register KTEXT authent; /* The received message */ - char *service; /* Service name */ - char *instance; /* Service instance */ - unsigned KRB4_32 from_addr; /* Net address of originating host */ - AUTH_DAT *ad; /* Structure to be filled in */ - char *fn; /* Filename to get keys from */ -{ - unsigned char *ptr; - unsigned char s_kvno; - char realm[REALM_SZ]; - unsigned char skey[KKEY_SZ]; -#ifdef KRB4_USE_KEYTAB - krb5_keyblock keyblock; -#endif - int len; - int status; - -#define AUTHENT_REMAIN (authent->length - (ptr - authent->dat)) - if (authent->length < 3) - return RD_AP_MODIFIED; - ptr = authent->dat 
+ 2; - s_kvno = *ptr++; /* get server key version */ - len = krb4int_strnlen((char *)ptr, AUTHENT_REMAIN) + 1; - if (len <= 0 || len > sizeof(realm)) - return RD_AP_MODIFIED; - (void)memcpy(realm, ptr, (size_t)len); -#undef AUTHENT_REMAIN - /* - * If "fn" is NULL, key info should already be set; don't - * bother with ticket file. Otherwise, check to see if we - * already have key info for the given server and key version - * (saved in the static st_* variables). If not, go get it - * from the ticket file. If "fn" is the null string, use the - * default ticket file. - */ - if (fn && (strcmp(st_nam,service) || strcmp(st_inst,instance) - || strcmp(st_rlm,realm) || (st_kvno != s_kvno))) { - if (*fn == 0) - fn = KEYFILE; - st_kvno = s_kvno; - if (read_service_key(service,instance,realm, (int)s_kvno, - fn, (char *)skey) == 0) { - if ((status = krb_set_key((char *)skey,0))) - return(status); -#ifdef KRB4_USE_KEYTAB - } else if (krb54_get_service_keyblock(service, instance, - realm, (int)s_kvno, - fn, &keyblock) == 0) { - krb_set_key_krb5(krb5__krb4_context, &keyblock); - krb5_free_keyblock_contents(krb5__krb4_context, &keyblock); -#endif - } else - return RD_AP_UNDEC; - - len = krb4int_strnlen(realm, sizeof(st_rlm)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_rlm, realm, (size_t)len); - len = krb4int_strnlen(service, sizeof(st_nam)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_nam, service, (size_t)len); - len = krb4int_strnlen(instance, sizeof(st_inst)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_inst, instance, (size_t)len); - } - return krb_rd_req_with_key(authent, service, instance, - from_addr, ad, - krb5_key ? NULL : serv_key, - krb5_key ? &srv_k5key : NULL); -} diff --git a/src/lib/krb4/rd_safe.c b/src/lib/krb4/rd_safe.c deleted file mode 100644 index 7df0d6599..000000000 --- a/src/lib/krb4/rd_safe.c +++ /dev/null 
@@ -1,208 +0,0 @@
-/*
- * lib/krb4/rd_safe.c
- *
- * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * This routine dissects a a Kerberos 'safe msg', checking its
- * integrity, and returning a pointer to the application data
- * contained and its length.
- *
- * Returns 0 (RD_AP_OK) for success or an error code (RD_AP_...)
- *
- * Steve Miller Project Athena MIT/DEC
- */
-
-/* system include files */
-#include
-#include
-
-/* application include files */
-#include "krb.h"
-#include "prot.h"
-#include "des.h"
-#include "lsb_addr_cmp.h"
-#include "port-sockets.h"
-
-extern int krb_debug;
-
-/*
- * krb_rd_safe() checks the integrity of an AUTH_MSG_SAFE message.
- * Given the message received, "in", the length of that message, - * "in_length", the "key" to compute the checksum with, and the - * network addresses of the "sender" and "receiver" of the message, - * krb_rd_safe() returns RD_AP_OK if message is okay, otherwise - * some error code. - * - * The message data retrieved from "in" is returned in the structure - * "m_data". The pointer to the application data (m_data->app_data) - * refers back to the appropriate place in "in". - * - * See the file "mk_safe.c" for the format of the AUTH_MSG_SAFE - * message. The structure containing the extracted message - * information, MSG_DAT, is defined in "krb.h". - */ - -long KRB5_CALLCONV -krb_rd_safe(in,in_length,key,sender,receiver,m_data) - u_char *in; /* pointer to the msg received */ - unsigned KRB4_32 in_length; /* length of "in" msg */ - C_Block *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; /* sender's address */ - struct sockaddr_in *receiver; /* receiver's address -- me */ - MSG_DAT *m_data; /* where to put message information */ -{ - int i; - unsigned KRB4_32 calc_cksum[4]; - unsigned KRB4_32 big_cksum[4]; - int le; - - u_char *p,*q; - int t; - struct in_addr src_addr; - unsigned KRB4_32 t_local; /* Local time in our machine */ - KRB4_32 delta_t; /* Difference between timestamps */ - - /* Be very conservative */ - if (sizeof(src_addr.s_addr) != 4) { -#ifdef DEBUG - fprintf(stderr, "\nkrb_rd_safe protocol err " - "sizeof(src_addr.s_addr) != 4\n"); -#endif - return RD_AP_VERSION; - } - - p = in; /* beginning of message */ -#define IN_REMAIN (in_length - (p - in)) - if (IN_REMAIN < 1 + 1 + 4) - return RD_AP_MODIFIED; - - if (*p++ != KRB_PROT_VERSION) - return RD_AP_VERSION; - t = *p++; - if ((t & ~1) != AUTH_MSG_SAFE) - return RD_AP_MSG_TYPE; - le = t & 1; - - q = p; /* mark start of cksum stuff */ - - /* safely get length */ - KRB4_GET32(m_data->app_length, p, le); - - if (IN_REMAIN < m_data->app_length + 1 + 4 + 4 + 4 * 4) - return 
RD_AP_MODIFIED; - - m_data->app_data = p; /* we're now at the application data */ - - /* skip app data */ - p += m_data->app_length; - - /* safely get time_5ms */ - m_data->time_5ms = *p++; - - /* safely get src address */ - (void)memcpy(&src_addr.s_addr, p, sizeof(src_addr.s_addr)); - /* don't swap, net order always */ - p += sizeof(src_addr.s_addr); - - if (!krb_ignore_ip_address) { - switch (sender->sin_family) { - case AF_INET: - if (src_addr.s_addr != sender->sin_addr.s_addr) - return RD_AP_MODIFIED; - break; -#ifdef KRB5_USE_INET6 - case AF_INET6: - if (IN6_IS_ADDR_V4MAPPED (&((struct sockaddr_in6 *)sender)->sin6_addr) - && !memcmp (&src_addr.s_addr, - 12 + (char *) &((struct sockaddr_in6 *)sender)->sin6_addr, - 4)) - break; - /* Not v4 mapped? Not ignoring addresses? You lose. */ - return RD_AP_MODIFIED; -#endif - default: - return RD_AP_MODIFIED; - } - } - - /* safely get time_sec */ - KRB4_GET32(m_data->time_sec, p, le); - - /* check direction bit is the sign bit */ - /* For compatibility with broken old code, compares are done in VAX - byte order (LSBFIRST) */ - /* However, if we don't have good ip addresses anyhow, just clear - the bit. This makes it harder to detect replay of sent packets - back to the receiver, but most higher level protocols can deal - with that more directly. 
*/ - if (krb_ignore_ip_address) { - if (m_data->time_sec < 0) - m_data->time_sec = -m_data->time_sec; - } else - switch (krb4int_address_less (sender, receiver)) { - case 1: - m_data->time_sec = -m_data->time_sec; - break; - case -1: - if (m_data->time_sec < 0) - m_data->time_sec = -m_data->time_sec; - break; - } - - /* check the time integrity of the msg */ - t_local = TIME_GMT_UNIXSEC; - delta_t = t_local - m_data->time_sec; - if (delta_t < 0) delta_t = -delta_t; /* Absolute value of difference */ - if (delta_t > CLOCK_SKEW) { - return(RD_AP_TIME); /* XXX should probably be better - code */ - } - - /* - * caller must check timestamps for proper order and replays, since - * server might have multiple clients each with its own timestamps - * and we don't assume tightly synchronized clocks. - */ - -#ifdef NOENCRYPTION - memset(calc_cksum, 0, sizeof(calc_cksum)); -#else /* Do encryption */ - /* calculate the checksum of the length, timestamps, and - * input data, on the sending byte order !! */ - quad_cksum(q,calc_cksum,p-q,2,key); -#endif /* NOENCRYPTION */ - - for (i = 0; i < 4; i++) - KRB4_GET32(big_cksum[i], p, le); - - DEB (("\n0: calc %l big %lx\n1: calc %lx big %lx\n2: calc %lx big %lx\n3: calc %lx big %lx\n", - calc_cksum[0], big_cksum[0], - calc_cksum[1], big_cksum[1], - calc_cksum[2], big_cksum[2], - calc_cksum[3], big_cksum[3])); - for (i = 0; i < 4; i++) - if (big_cksum[i] != calc_cksum[i]) - return RD_AP_MODIFIED; - - return RD_AP_OK; /* OK == 0 */ -} diff --git a/src/lib/krb4/rd_svc_key.c b/src/lib/krb4/rd_svc_key.c deleted file mode 100644 index 8aeb0999b..000000000 --- a/src/lib/krb4/rd_svc_key.c +++ /dev/null 
@@ -1,345 +0,0 @@ -/* - * rd_svc_key.c - * - * Copyright 1985, 1986, 1987, 1988, 2007 by the Massachusetts Institute - * of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -#include "mit-copyright.h" -#include "krb.h" -#include "krb4int.h" -#include -#include - -#include "k5-int.h" -#include -#include "prot.h" - -/* - * The private keys for servers on a given host are stored in a - * "srvtab" file (typically "/etc/srvtab"). This routine extracts - * a given server's key from the file. - * - * read_service_key() takes the server's name ("service"), "instance", - * and "realm" and a key version number "kvno", and looks in the given - * "file" for the corresponding entry, and if found, returns the entry's - * key field in "key". - * - * If "instance" contains the string "*", then it will match - * any instance, and the chosen instance will be copied to that - * string. For this reason it is important that the there is enough - * space beyond the "*" to receive the entry. - * - * If "kvno" is 0, it is treated as a wild card and the first - * matching entry regardless of the "vno" field is returned. - * - * This routine returns KSUCCESS on success, otherwise KFAILURE. - * - * The format of each "srvtab" entry is as follows: - * - * Size Variable Field in file - * ---- -------- ------------- - * string serv server name - * string inst server instance - * string realm server realm - * 1 byte vno server key version # - * 8 bytes key server's key - * ... ... ... - */ - -#ifdef __i960__ -/* special hack to use a global srvtab variable... 
*/ -#define open vxworks_srvtab_open -#define close vxworks_srvtab_close -#define getst vxworks_srvtab_getst -#define read vxworks_srvtab_read - -extern char *vxworks_srvtab_base; -char *vxworks_srvtab_ptr; -int vxworks_srvtab_getchar(s) - char *s; -{ - int tmp1; - if(vxworks_srvtab_ptr >= (vxworks_srvtab_base + strlen(vxworks_srvtab_base))) - return 0; - - sscanf(vxworks_srvtab_ptr, "%2x", &tmp1); - - *s = tmp1; - vxworks_srvtab_ptr+=2; - return 1; -} - -int vxworks_srvtab_getst(fd,s,n) - int fd; - register char *s; - int n; -{ - register count = n; - while (vxworks_srvtab_getchar(s) && --count) - if (*s++ == '\0') - return (n - count); - *s = '\0'; - return (n - count); -} - -int vxworks_srvtab_open(s, n, m) - char *s; - int n, m; -{ - vxworks_srvtab_ptr = vxworks_srvtab_base; - return 1; -} - -int vxworks_srvtab_close(fd) - int fd; -{ - vxworks_srvtab_ptr = 0; - return 0; -} - -int vxworks_srvtab_read(fd, s, n) - int fd; - char *s; - int n; -{ - int count = n; - /* we want to get exactly n chars. */ - while(vxworks_srvtab_getchar(s) && --count) - s++; - return (n-count); -} -#endif - -#ifdef KRB4_USE_KEYTAB -/* - * This function looks up the requested Krb4 srvtab key using the krb5 - * keytab format, if possible. 
- */
-extern krb5_error_code
-krb54_get_service_keyblock(service,instance,realm,kvno,file,keyblock)
- char *service; /* Service Name */
- char *instance; /* Instance name or "*" */
- char *realm; /* Realm */
- int kvno; /* Key version number */
- char *file; /* Filename */
- krb5_keyblock * keyblock;
-{
- krb5_error_code retval;
- krb5_principal princ = NULL;
- krb5_keytab kt_id;
- krb5_keytab_entry kt_entry;
- char sname[ANAME_SZ+1];
- char sinst[INST_SZ+1];
- char srealm[REALM_SZ+1];
- char keytabname[MAX_KEYTAB_NAME_LEN + 1]; /* + 1 for NULL termination */
-
- if (!krb5__krb4_context) {
- retval = krb5_init_context(&krb5__krb4_context);
- if (retval)
- return retval;
- }
-
- if (!strcmp(instance, "*")) {
- if ((retval = krb5_sname_to_principal(krb5__krb4_context, NULL, NULL,
- KRB5_NT_SRV_HST, &princ)))
- goto errout;
-
- if ((retval = krb5_524_conv_principal(krb5__krb4_context, princ,
- sname, sinst, srealm)))
- goto errout;
-
- instance = sinst;
- krb5_free_principal(krb5__krb4_context, princ);
- princ = 0;
- }
-
- if ((retval = krb5_425_conv_principal(krb5__krb4_context, service,
- instance, realm, &princ)))
- goto errout;
-
- /*
- * Figure out what name to use; if the name is one of the standard
- * /etc/srvtab, /etc/athena/srvtab, etc., use the default keytab
- * name. Otherwise, append .krb5 to the filename and try to use
- * that.
- */ - if (file && - strcmp(file, "/etc/srvtab") && - strcmp(file, "/etc/athena/srvtab") && - strcmp(file, KEYFILE)) { - strncpy(keytabname, file, sizeof(keytabname)); - keytabname[sizeof(keytabname)-1] = 0; - if (strlen(keytabname)+6 < sizeof(keytabname)) - strcat(keytabname, ".krb5"); - } else { - if ((retval = krb5_kt_default_name(krb5__krb4_context, - (char *)keytabname, sizeof(keytabname)-1))) - goto errout; - } - - if ((retval = krb5_kt_resolve(krb5__krb4_context, keytabname, &kt_id))) - goto errout; - - if ((retval = krb5_kt_get_entry(krb5__krb4_context, kt_id, princ, kvno, - 0, &kt_entry))) { - krb5_kt_close(krb5__krb4_context, kt_id); - goto errout; - } - - retval = krb5_copy_keyblock_contents(krb5__krb4_context, - &kt_entry.key, keyblock); - /* Bash types */ - /* KLUDGE! If it's a non-raw des3 key, bash its enctype */ - /* See kdc/kerberos_v4.c */ - if (keyblock->enctype == ENCTYPE_DES3_CBC_SHA1 ) - keyblock->enctype = ENCTYPE_DES3_CBC_RAW; - - krb5_kt_free_entry(krb5__krb4_context, &kt_entry); - krb5_kt_close (krb5__krb4_context, kt_id); - -errout: - if (princ) - krb5_free_principal(krb5__krb4_context, princ); - return retval; -} -#endif - - -int KRB5_CALLCONV -read_service_key(service,instance,realm,kvno,file,key) - char *service; /* Service Name */ - char *instance; /* Instance name or "*" */ - char *realm; /* Realm */ - int kvno; /* Key version number */ - char *file; /* Filename */ - char *key; /* Pointer to key to be filled in */ -{ - int kret; - -#ifdef KRB4_USE_KEYTAB - krb5_error_code retval; - krb5_keyblock keyblock; -#endif - - kret = get_service_key(service,instance,realm,&kvno,file,key); - - if (! 
kret) - return KSUCCESS; - -#ifdef KRB4_USE_KEYTAB - kret = KFAILURE; - keyblock.magic = KV5M_KEYBLOCK; - keyblock.contents = 0; - - retval = krb54_get_service_keyblock(service,instance,realm,kvno,file, - &keyblock); - if (retval) - goto errout; - - if ((keyblock.length != sizeof(C_Block)) || - ((keyblock.enctype != ENCTYPE_DES_CBC_CRC) && - (keyblock.enctype != ENCTYPE_DES_CBC_MD4) && - (keyblock.enctype != ENCTYPE_DES_CBC_MD5))) { - goto errout; - } - (void) memcpy(key, keyblock.contents, sizeof(C_Block)); - kret = KSUCCESS; - -errout: - if (keyblock.contents) - krb5_free_keyblock_contents(krb5__krb4_context, &keyblock); -#endif - - return kret; -} - -/* kvno is passed by reference, so that if it is zero, and we find a match, - the match gets written back into *kvno so the caller can find it. - */ -int KRB5_CALLCONV -get_service_key(service,instance,realm,kvno,file,key) - char *service; /* Service Name */ - char *instance; /* Instance name or "*" */ - char *realm; /* Realm */ - int *kvno; /* Key version number */ - char *file; /* Filename */ - char *key; /* Pointer to key to be filled in */ -{ - char serv[SNAME_SZ]; - char inst[INST_SZ]; - char rlm[REALM_SZ]; - unsigned char vno; /* Key version number */ - int wcard; - char krb_realm[REALM_SZ]; - - int stab; - - if (!file) - file = KEYFILE; - - if ((stab = open(file, 0, 0)) < 0) - return(KFAILURE); - set_cloexec_fd(stab); - - wcard = (instance[0] == '*') && (instance[1] == '\0'); - /* get current realm if not passed in */ - if (!realm) { - int rem; - - rem = krb_get_lrealm(krb_realm,1); - if (rem != KSUCCESS) - return(rem); - realm = krb_realm; - } - - while(getst(stab,serv,SNAME_SZ) > 0) { /* Read sname */ - (void) getst(stab,inst,INST_SZ); /* Instance */ - (void) getst(stab,rlm,REALM_SZ); /* Realm */ - /* Vers number */ - if (read(stab,(char *)&vno,1) != 1) { - close(stab); - return(KFAILURE); - } - /* Key */ - if (read(stab,key,8) != 8) { - close(stab); - return(KFAILURE); - } - /* Is this the right service */ 
- if (strcmp(serv,service)) - continue; - /* How about instance */ - if (!wcard && strcmp(inst,instance)) - continue; - if (wcard) - (void) strncpy(instance,inst,INST_SZ); - /* Is this the right realm */ -#if defined(ATHENA_COMPAT) || defined(ATHENA_OLD_SRVTAB) - /* XXX For backward compatibility: if keyfile says "Athena" - and caller wants "ATHENA.MIT.EDU", call it a match */ - if (strcmp(rlm,realm) && - (strcmp(rlm,"Athena") || - strcmp(realm,"ATHENA.MIT.EDU"))) - continue; -#else /* ! ATHENA_COMPAT */ - if (strcmp(rlm,realm)) - continue; -#endif /* ATHENA_COMPAT */ - - /* How about the key version number */ - if (*kvno && *kvno != (int) vno) - continue; - - (void) close(stab); - *kvno = vno; - return(KSUCCESS); - } - - /* Can't find the requested service */ - (void) close(stab); - return(KFAILURE); -} diff --git a/src/lib/krb4/recvauth.c b/src/lib/krb4/recvauth.c deleted file mode 100644 index c5f857e98..000000000 --- a/src/lib/krb4/recvauth.c +++ /dev/null 
@@ -1,308 +0,0 @@ -/* - * lib/krb4/recvauth.c - * - * Copyright 1987, 1988 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "krb.h" -#include -#include -#include -#include "autoconf.h" -#ifdef HAVE_STDLIB_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#include "port-sockets.h" - - -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN - chars */ - -/* - * If the protocol changes, you will need to change the version string - * and make appropriate changes in krb_sendauth.c - * be sure to support old versions of krb_sendauth! - */ - -/* - * krb_recvauth() reads (and optionally responds to) a message sent - * using krb_sendauth(). The "options" argument is a bit-field of - * selected options (see "sendauth.c" for options description). 
- * The only option relevant to krb_recvauth() is KOPT_DO_MUTUAL - * (mutual authentication requested). The "fd" argument supplies - * a file descriptor to read from (and write to, if mutual authenti- - * cation is requested). - * - * Part of the received message will be a Kerberos ticket sent by the - * client; this is read into the "ticket" argument. The "service" and - * "instance" arguments supply the server's Kerberos name. If the - * "instance" argument is the string "*", it is treated as a wild card - * and filled in during the krb_rd_req() call (see read_service_key()). - * - * The "faddr" and "laddr" give the sending (client) and receiving - * (local server) network addresses. ("laddr" may be left NULL unless - * mutual authentication is requested, in which case it must be set.) - * - * The authentication information extracted from the message is returned - * in "kdata". The "filename" argument indicates the file where the - * server's key can be found. (It is passed on to krb_rd_req().) If - * left null, the default "/etc/srvtab" will be used. - * - * If mutual authentication is requested, the session key schedule must - * be computed in order to reply; this schedule is returned in the - * "schedule" argument. A string containing the application version - * number from the received message is returned in "version", which - * should be large enough to hold a KRB_SENDAUTH_VLEN-character string. - * - * See krb_sendauth() for the format of the received client message. - * - * This routine supports another client format, for backward - * compatibility, consisting of: - * - * Size Variable Field - * ---- -------- ----- - * - * string tmp_buf, tkt_len length of ticket, in - * ascii - * - * char ' ' (space char) separator - * - * tkt_len ticket->dat the ticket - * - * This old-style version does not support mutual authentication. - * - * krb_recvauth() first reads the protocol version string from the - * given file descriptor. 
If it doesn't match the current protocol - * version (KRB_SENDAUTH_VERS), the old-style format is assumed. In - * that case, the string of characters up to the first space is read - * and interpreted as the ticket length, then the ticket is read. - * - * If the first string did match KRB_SENDAUTH_VERS, krb_recvauth() - * next reads the application protocol version string. Then the - * ticket length and ticket itself are read. - * - * The ticket is decrypted and checked by the call to krb_rd_req(). - * If no mutual authentication is required, the result of the - * krb_rd_req() call is retured by this routine. If mutual authenti- - * cation is required, a message in the following format is returned - * on "fd": - * - * Size Variable Field - * ---- -------- ----- - * - * 4 bytes tkt_len length of ticket or -1 - * if error occurred - * - * priv_len tmp_buf "private" message created - * by krb_mk_priv() which - * contains the incremented - * checksum sent by the client - * encrypted in the session - * key. (This field is not - * present in case of error.) - * - * If all goes well, KSUCCESS is returned; otherwise KFAILURE or some - * other error code is returned. - */ - -#ifndef max -#define max(a,b) (((a) > (b)) ? (a) : (b)) -#endif /* max */ - -int KRB5_CALLCONV -krb_recvauth(options, fd, ticket, service, instance, faddr, laddr, kdata, - filename, schedule, version) - long options; /* bit-pattern of options */ - int fd; /* file descr. 
to read from */ - KTEXT ticket; /* storage for client's ticket */ - char *service; /* service expected */ - char *instance; /* inst expected (may be filled in) */ - struct sockaddr_in *faddr; /* address of foreign host on fd */ - struct sockaddr_in *laddr; /* local address */ - AUTH_DAT *kdata; /* kerberos data (returned) */ - char *filename; /* name of file with service keys */ - Key_schedule schedule; /* key schedule (return) */ - char *version; /* version string (filled in) */ -{ - - int i, cc, old_vers = 0; - char krb_vers[KRB_SENDAUTH_VLEN + 1]; /* + 1 for the null terminator */ - char *cp = NULL; - int rem; - KRB4_32 tkt_len, priv_len; - unsigned KRB4_32 cksum; - u_char tmp_buf[MAX_KTXT_LEN+max(KRB_SENDAUTH_VLEN+1,21)] = { 0 }; - - /* read the protocol version number */ - if (krb_net_read(fd, krb_vers, KRB_SENDAUTH_VLEN) != - KRB_SENDAUTH_VLEN) - return(errno); - krb_vers[KRB_SENDAUTH_VLEN] = '\0'; - - /* check version string */ - if (strcmp(krb_vers,KRB_SENDAUTH_VERS)) { - /* Assume the old version of sendkerberosdata: send ascii - length, ' ', and ticket. 
*/ - if (options & KOPT_DO_MUTUAL) - return(KFAILURE); /* XXX can't do old style with mutual auth */ - old_vers = 1; - - /* copy what we have read into tmp_buf */ - (void) memcpy((char *) tmp_buf, krb_vers, KRB_SENDAUTH_VLEN); - - /* search for space, and make it a null */ - for (i = 0; i < KRB_SENDAUTH_VLEN; i++) - if (tmp_buf[i]== ' ') { - tmp_buf[i] = '\0'; - /* point cp to the beginning of the real ticket */ - cp = (char *) &tmp_buf[i+1]; - break; - } - - if (i == KRB_SENDAUTH_VLEN) - /* didn't find the space, keep reading to find it */ - for (; i<20; i++) { - if (read(fd, (char *)&tmp_buf[i], 1) != 1) { - return(KFAILURE); - } - if (tmp_buf[i] == ' ') { - tmp_buf[i] = '\0'; - /* point cp to the beginning of the real ticket */ - cp = (char *) &tmp_buf[i+1]; - break; - } - } - - if (i==20) - return(KFAILURE); - - tkt_len = (KRB4_32) atoi((char *) tmp_buf); - - /* sanity check the length */ - /* These conditions make sure that cp got initialized */ - if ((tkt_len<=0)||(tkt_len>MAX_KTXT_LEN)) - return(KFAILURE); - - if (i < KRB_SENDAUTH_VLEN) { - /* since we already got the space, and part of the ticket, - we read fewer bytes to get the rest of the ticket */ - int len_to_read = tkt_len - KRB_SENDAUTH_VLEN + 1 + i; - if (len_to_read <= 0) - return KFAILURE; - if (krb_net_read(fd, (char *)(tmp_buf+KRB_SENDAUTH_VLEN), - len_to_read) - != len_to_read) - return(errno); - } else { - if (krb_net_read(fd, (char *)(tmp_buf+i), (int)tkt_len) != - (int) tkt_len) - return(errno); - } - ticket->length = tkt_len; - /* copy the ticket into the struct */ - (void) memcpy((char *) ticket->dat, cp, ticket->length); - - } else { - /* read the application version string */ - if (krb_net_read(fd, version, KRB_SENDAUTH_VLEN) != - KRB_SENDAUTH_VLEN) - return(errno); - version[KRB_SENDAUTH_VLEN] = '\0'; - - /* get the length of the ticket */ - if (krb_net_read(fd, (char *)&tkt_len, sizeof(tkt_len)) != - sizeof(tkt_len)) - return(errno); - - /* sanity check */ - ticket->length = 
ntohl((unsigned KRB4_32)tkt_len); - if ((ticket->length <= 0) || (ticket->length > MAX_KTXT_LEN)) { - if (options & KOPT_DO_MUTUAL) { - rem = KFAILURE; - goto mutual_fail; - } else - return(KFAILURE); /* XXX there may still be junk on the fd? */ - } - - /* read the ticket */ - if (krb_net_read(fd, (char *) ticket->dat, ticket->length) - != ticket->length) - return(errno); - } - /* - * now have the ticket. decrypt it to get the authenticated - * data. - */ - rem = krb_rd_req(ticket,service,instance,faddr->sin_addr.s_addr, - kdata,filename); - - if (old_vers) return(rem); /* XXX can't do mutual with old client */ - - /* if we are doing mutual auth, compose a response */ - if (options & KOPT_DO_MUTUAL) { - if (rem != KSUCCESS) - /* the krb_rd_req failed */ - goto mutual_fail; - - /* add one to the (formerly) sealed checksum, and re-seal it - for return to the client */ - cksum = kdata->checksum + 1; - cksum = htonl(cksum); -#ifndef NOENCRYPTION - key_sched(kdata->session,schedule); -#endif /* !NOENCRYPTION */ - priv_len = krb_mk_priv((unsigned char *)&cksum, - tmp_buf, - (unsigned KRB4_32) sizeof(cksum), - schedule, - &kdata->session, - laddr, - faddr); - if (priv_len < 0) { - /* re-sealing failed; notify the client */ - rem = KFAILURE; /* XXX */ -mutual_fail: - priv_len = -1; - tkt_len = htonl((unsigned KRB4_32) priv_len); - /* a length of -1 is interpreted as an authentication - failure by the client */ - if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len))) - != sizeof(tkt_len)) - return(cc); - return(rem); - } else { - /* re-sealing succeeded, send the private message */ - tkt_len = htonl((unsigned KRB4_32)priv_len); - if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len))) - != sizeof(tkt_len)) - return(cc); - if ((cc = krb_net_write(fd, (char *)tmp_buf, (int) priv_len)) - != (int) priv_len) - return(cc); - } - } - return(rem); -} diff --git a/src/lib/krb4/ren-cyg.sh b/src/lib/krb4/ren-cyg.sh deleted file mode 100755 index d3d31a9d4..000000000 
--- a/src/lib/krb4/ren-cyg.sh
+++ /dev/null
@@ -1,11 +0,0 @@ -#!/bin/sh -# Rename Kerberos Cygnus V4 filenames to proposed names -# for converting old trees. -awk '/^@ / { if ($6 != "") - if ($6 != $4) - print "mv " $6 " " $4 - else ; - else if ($2 != $4 && $2 != "-") - print "mv " $2 " " $4 - } - ' - -[edited since sending, to bring it up to date with what actually happened.] - -I'd like to come up with some file naming and configuration -conventions that will work in DOS, Unix, and Mac environments. At -Cygnus, we are creating a single freely available K4 source tree that -works on many Unixes, Windows, and Mac. It currently works on Unixes. -(To get a copy, send mail to info@cygnus.com requesting our Kerberos -release. It's in a hidden FTP location due to export control.) - -I diffed the current MIT release of Kerberos for PC and Windows -against the V4 patchlevel 10 release, and identified some 30 files in -lib/krb that have been renamed between Unix and PC. Comparing source -trees becomes much more painful when files are renamed. If we don't -come to sync on the file names, it will be very hard to collaborate, -which would make more work for all of us. - -My plan, which we have used successfully in the GNU software, is to -make sure that all filenames are unique if you take the first 8 chars -and the first 3 after the dot. No files have more than a single dot -in them. We don't restrict file names to just 8.3 characters, since -doing so would impact readability for the (99.9%) of the developers -who are on Unix or Mac, where long file names are fine. - -There's an additional complication that names longer than 14 -characters present problems to old System V Unix and to `ar' on Unix. -DJ Delorie's excellent `doschk' program points out all these problems. -(prep.ai.mit.edu:/pub/gnu/doschk-1.1.tar.gz). - -Here's my proposal for the lib/krb directory. 
In general, I tried to -regularize the names, turning get_ into g_, removing krb_, turning -reply into repl, turning ticket into tkt, keeping all file names -unique across the various libraries, and making a file name more like -the function name contained in it when there were conflicts. Some -resulting truncated names are more readable than in the current MIT K4 -PC, some are less readable -- but the overall advantage is that the -new names should be acceptable to Unix/Mac developers, while the old -ones weren't. - - MIT K4 patch10 MIT K4 PC PROPOSED NAME (trunc to 8.3) old Cyg -$1 $2 $3 $4 $5 $6 - -@ add_ticket.c (gone) add_tkt.c add_tkt.c -@ - - ChangeLog changelo -@ cr_err_reply.c crerrep.c cr_err_repl.c cr_err_r.c -@ create_auth_reply.c crauthre.c cr_auth_repl.c cr_auth_.c cr_auth_reply.c -@ create_ciph.c cr_ciph.c cr_ciph.c cr_ciph.c -@ create_death_packet.c cr_death.c cr_death_pkt.c cr_death.c cr_death_pkt.c -@ create_ticket.c crticket.c cr_tkt.c cr_tkt.c -@ debug_decl.c debug.c debug.c debug.c -@ decomp_ticket.c decomtkt.c decomp_tkt.c decomp_t.c -@ - - DNR.c dnr.c -@ extract_ticket.c ext_tkt.c ext_tkt.c ext_tkt.c extract_tkt.c -@ - - g_cnffile.c g_cnffil.c -@ get_ad_tkt.c getadtkt.c g_ad_tkt.c g_ad_tkt.c -@ get_admhst.c getadmhs.c g_admhst.c g_admhst.c -@ get_cred.c get_cred.c g_cred.c g_cred.c -@ get_in_tkt.c getintkt.c g_pw_in_tkt.c g_pw_in_.c -@ get_krbhst.c getkrbhs.c g_krbhst.c g_krbhst.c -@ get_krbrlm.c g_krbrlm.c g_krbrlm.c g_krbrlm.c -@ get_phost.c getphost.c g_phost.c g_phost.c -@ get_pw_tkt.c getpwtkt.c g_pw_tkt.c g_pw_tkt.c -@ get_request.c get_req.c (gone) (gone) -@ get_svc_in_tkt.c g_svctkt.c g_svc_in_tkt.c g_svc_in.c get_svc_in.c -@ get_tf_fullname.c gettfnam.c g_tf_fname.c g_tf_fna.c get_tf_fname.c -@ get_tf_realm.c gettfrlm.c g_tf_realm.c g_tf_rea.c -@ - - g_tkt_svc.c g_tkt_sv.c -@ getrealm.c getrealm.c realmofhost.c realmofh.c -@ k_gethostname.c k_gethst.c gethostname.c gethostn.c -@ kname_parse.c knm_pars.c kname_parse.c kname_pa.c -@ 
krb_err_txt.c k_errtxt.c err_txt.c err_txt.c -@ krb_get_in_tkt.c k_gettkt.c g_in_tkt.c g_in_tkt.c krb_get_in.c -@ - - mac_store.c mac_stor.c -@ - - mac_store.h mac_stor.h -@ - - mac_stubs.c mac_stub.c -@ - - Makefile.in makefile.in -@ - - mk_preauth.c mk_preau.c -@ month_sname.c mth_snam.c month_sname.c month_sn.c -@ pkt_cipher.c pkt_ciph.c pkt_cipher.c pkt_ciph.c -@ - - Password.c password.c -@ - - rd_preauth.c rd_preau.c -@ - - put_svc_key.c put_svc_.c -@ read_service_key.c rdservky.c rd_svc_key.c rd_svc_k.c read_svc_key.c -@ save_credentials.c savecred.c save_creds.c save_cre.c save_creds.c -@ send_to_kdc.c send_kdc.c send_to_kdc.c send_to_.c -@ strcasecmp.c s_cascmp.c strcasecmp.c strcasec.c -@ tkt_string.c tkt_strg.c tkt_string.c tkt_stri.c -@ - - unix_glue.c unix_glu.c -@ util.c util.c ad_print.c ad_print.c -@ - - win_store.c win_stor.c -# Cleanup for simplified sed scripts that use this table -@sed s/tf_ad_print\./tf_util\./g - -I've supplied Unix shell scripts in the distribution for moving: -ren-pl10.sh V4 pl10 filenames to proposed names for converting old trees -ren-pc.sh V4 MIT PC names to proposed names for converting old trees -ren2long.sh truncated names to proposed names for moving DOS->unix -ren2dos.sh proposed names to truncated names for unix->DOS names - -There's also shell scripts to produce sed scripts for converting Makefiles -and documentation. You use them like: - ./sed-pl10.sh >/tmp/sed - sed -f /tmp/sed newMakefile -sed-pl10.sh V4 pl10 filenames to proposed names for converting old trees -sed-pc.sh V4 MIT PC names to proposed names for converting old trees - -I'll also supply a DOS script for moving: -ren-pc.bat V4 MIT PC names to proposed names for converting old trees - -And an MPW script for moving -ren-pl10.mpw V4 pl10 filenames to proposed names for converting old trees - - John Gilmore - Cygnus Support diff --git a/src/lib/krb4/ren2dos.sh b/src/lib/krb4/ren2dos.sh deleted file mode 100644 index 3989e2c6e..000000000 
--- a/src/lib/krb4/ren2dos.sh
+++ /dev/null
@@ -1,7 +0,0 @@ -# Rename Unix filenames to DOS-truncated filenames for KRB library. -# for converting Unix distributions to DOS distributions -awk '/^@ / { - if ($4 != $5) - print "mv " $4 " " $5 - } - ' -#include "krb.h" -#include "krb4int.h" - -/* - * This routine takes a ticket and associated info and calls - * tf_save_cred() to store them in the ticket cache. The peer - * routine for extracting a ticket and associated info from the - * ticket cache is krb_get_cred(). When changes are made to - * this routine, the corresponding changes should be made - * in krb_get_cred() as well. - * - * Returns KSUCCESS if all goes well, otherwise an error returned - * by the tf_init() or tf_save_cred() routines. - * - * This used to just be called save_credentials, but when we formalized - * the DOS/Mac interface, we created and exported krb_save_credentials - * to avoid namespace pollution. - */ - -int -krb4int_save_credentials_addr(service, instance, realm, session, lifetime, kvno, - ticket, issue_date, local_addr) - char *service; /* Service name */ - char *instance; /* Instance */ - char *realm; /* Auth domain */ - C_Block session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT ticket; /* The ticket itself */ - KRB4_32 issue_date; /* The issue time */ - KRB_UINT32 local_addr; -{ - int tf_status; /* return values of the tf_util calls */ - - /* Open and lock the ticket file for writing */ - if ((tf_status = tf_init(TKT_FILE, W_TKT_FIL)) != KSUCCESS) - return(tf_status); - - /* Save credentials by appending to the ticket file */ - tf_status = tf_save_cred(service, instance, realm, session, - lifetime, kvno, ticket, issue_date); - (void) tf_close(); - return (tf_status); -} - -int KRB5_CALLCONV -krb_save_credentials( - char *service, - char *instance, - char *realm, - C_Block session, - int lifetime, - int kvno, - KTEXT ticket, - long issue_date) -{ - return krb4int_save_credentials_addr(service, instance, realm, - session, 
lifetime, kvno, - ticket, (KRB4_32)issue_date, 0); -} diff --git a/src/lib/krb4/sed-cyg.sh b/src/lib/krb4/sed-cyg.sh deleted file mode 100755 index 3859df138..000000000 --- a/src/lib/krb4/sed-cyg.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/sh -# Produce a sed script for converting Kerberos Cygnus V4 filenames to proposed -# names -- for converting old makefiles and doc. -# We fix any "oldfoo." into "newfoo." including .c and .o and .h files. -awk '/^@ / { if ($6 != "") - if ($6 != $4) - print "s/" $6 "/" $4 "/g" - else ; - else if ($2 != $4 && $2 != "-") - print "s/" $2 "/" $4 "/g" - } - /^@sed / { print $2 } - ' -#include -#include -#include "autoconf.h" -#ifdef HAVE_SYS_SELECT_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#include "port-sockets.h" -#include "fake-addrinfo.h" -#include "k5-int.h" -#include "krb4int.h" - -#define S_AD_SZ sizeof(struct sockaddr_in) - -/* These are really defaults from getservbyname() or hardcoded. */ -static int cached_krb_udp_port = 0; -static int cached_krbsec_udp_port = 0; - -int krb4int_send_to_kdc_addr(KTEXT, KTEXT, char *, - struct sockaddr *, socklen_t *); - -#ifdef DEBUG -static char *prog = "send_to_kdc"; -#endif - -/* - * send_to_kdc() sends a message to the Kerberos authentication - * server(s) in the given realm and returns the reply message. - * The "pkt" argument points to the message to be sent to Kerberos; - * the "rpkt" argument will be filled in with Kerberos' reply. - * The "realm" argument indicates the realm of the Kerberos server(s) - * to transact with. If the realm is null, the local realm is used. - * - * If more than one Kerberos server is known for a given realm, - * different servers will be queried until one of them replies. - * Several attempts (retries) are made for each server before - * giving up entirely. 
- * - * The following results can be returned: - * - * KSUCCESS - an answer was received from a Kerberos host - * - * SKDC_CANT - can't get local realm - * - can't find "kerberos" in /etc/services database - * - can't open socket - * - can't bind socket - * - all ports in use - * - couldn't find any Kerberos host - * - * SKDC_RETRY - couldn't get an answer from any Kerberos server, - * after several retries - */ - -int -krb4int_send_to_kdc_addr( - KTEXT pkt, KTEXT rpkt, char *realm, - struct sockaddr *addr, socklen_t *addrlen) -{ - struct addrlist al = ADDRLIST_INIT; - char lrealm[REALM_SZ]; - krb5int_access internals; - krb5_error_code retval; - struct servent *sp; - int krb_udp_port = 0; - int krbsec_udp_port = 0; - char krbhst[MAXHOSTNAMELEN]; - char *scol; - int i; - int err; - krb5_data message, reply; - - /* - * If "realm" is non-null, use that, otherwise get the - * local realm. - */ - if (realm) - strncpy(lrealm, realm, sizeof(lrealm) - 1); - else { - if (krb_get_lrealm(lrealm, 1)) { - DEB (("%s: can't get local realm\n", prog)); - return SKDC_CANT; - } - } - lrealm[sizeof(lrealm) - 1] = '\0'; - DEB (("lrealm is %s\n", lrealm)); - - retval = krb5int_accessor(&internals, KRB5INT_ACCESS_VERSION); - if (retval) - return KFAILURE; - - /* The first time, decide what port to use for the KDC. */ - if (cached_krb_udp_port == 0) { - sp = getservbyname("kerberos","udp"); - if (sp) - cached_krb_udp_port = sp->s_port; - else - cached_krb_udp_port = htons(KERBEROS_PORT); /* kerberos/udp */ - DEB (("cached_krb_udp_port is %d\n", cached_krb_udp_port)); - } - /* If kerberos/udp isn't 750, try using kerberos-sec/udp (or 750) - as a fallback. 
*/ - if (cached_krbsec_udp_port == 0 && - cached_krb_udp_port != htons(KERBEROS_PORT)) { - sp = getservbyname("kerberos-sec","udp"); - if (sp) - cached_krbsec_udp_port = sp->s_port; - else - cached_krbsec_udp_port = htons(KERBEROS_PORT); /* kerberos/udp */ - DEB (("cached_krbsec_udp_port is %d\n", cached_krbsec_udp_port)); - } - - for (i = 1; krb_get_krbhst(krbhst, lrealm, i) == KSUCCESS; ++i) { -#ifdef DEBUG - if (krb_debug) { - DEB (("Getting host entry for %s...",krbhst)); - (void) fflush(stdout); - } -#endif - if (0 != (scol = strchr(krbhst,':'))) { - krb_udp_port = htons(atoi(scol+1)); - *scol = 0; - if (krb_udp_port == 0) { -#ifdef DEBUG - if (krb_debug) { - DEB (("bad port number %s\n",scol+1)); - (void) fflush(stdout); - } -#endif - continue; - } - krbsec_udp_port = 0; - } else { - krb_udp_port = cached_krb_udp_port; - krbsec_udp_port = cached_krbsec_udp_port; - } - err = internals.add_host_to_list(&al, krbhst, - krb_udp_port, krbsec_udp_port, - SOCK_DGRAM, PF_INET); - if (err) { - retval = SKDC_CANT; - goto free_al; - } - } - if (al.naddrs == 0) { - DEB (("%s: can't find any Kerberos host.\n", prog)); - retval = SKDC_CANT; - } - - message.length = pkt->length; - message.data = (char *)pkt->dat; /* XXX yuck */ - retval = internals.sendto_udp(NULL, &message, &al, NULL, &reply, addr, - addrlen, NULL, 0, NULL, NULL, NULL); - DEB(("sendto_udp returns %d\n", retval)); -free_al: - internals.free_addrlist(&al); - if (retval) - return SKDC_CANT; - DEB(("reply.length=%d\n", reply.length)); - if (reply.length > sizeof(rpkt->dat)) - retval = SKDC_CANT; - rpkt->length = 0; - if (!retval) { - memcpy(rpkt->dat, reply.data, reply.length); - rpkt->length = reply.length; - } - krb5_free_data_contents(NULL, &reply); - return retval; -} - -int -send_to_kdc(KTEXT pkt, KTEXT rpkt, char *realm) -{ - return krb4int_send_to_kdc_addr(pkt, rpkt, realm, NULL, NULL); -} diff --git a/src/lib/krb4/sendauth.c b/src/lib/krb4/sendauth.c deleted file mode 100644 index 83729442a..000000000 
--- a/src/lib/krb4/sendauth.c
+++ /dev/null
@@ -1,282 +0,0 @@ -/* - * sendauth.c - * - * Copyright 1987, 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - */ - -#include "mit-copyright.h" - -#include "krb.h" -#include "krb4int.h" -#include -#include -#include -#include "port-sockets.h" - -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */ -/* - * If the protocol changes, you will need to change the version string - * and make appropriate changes in krb_recvauth.c - */ - -/* - * This file contains two routines: krb_sendauth() and krb_sendsrv(). - * - * krb_sendauth() transmits a ticket over a file descriptor for a - * desired service, instance, and realm, doing mutual authentication - * with the server if desired. - * - * Most of the real work of krb_sendauth() has been moved into mk_auth.c - * for portability; sendauth takes a Unix file descriptor as argument, - * which doesn't work on other operating systems. - * - * krb_sendsvc() sends a service name to a remote knetd server, and is - * only for Athena compatability. - */ - -/* - * The first argument to krb_sendauth() contains a bitfield of - * options (the options are defined in "krb.h"): - * - * KOPT_DONT_CANON Don't canonicalize instance as a hostname. - * (If this option is not chosen, krb_get_phost() - * is called to canonicalize it.) - * - * KOPT_DONT_MK_REQ Don't request server ticket from Kerberos. - * A ticket must be supplied in the "ticket" - * argument. - * (If this option is not chosen, and there - * is no ticket for the given server in the - * ticket cache, one will be fetched using - * krb_mk_req() and returned in "ticket".) - * - * KOPT_DO_MUTUAL Do mutual authentication, requiring that the - * receiving server return the checksum+1 encrypted - * in the session key. The mutual authentication - * is done using krb_mk_priv() on the other side - * (see "recvauth.c") and krb_rd_priv() on this - * side. 
- * - * The "fd" argument is a file descriptor to write to the remote - * server on. The "ticket" argument is used to store the new ticket - * from the krb_mk_req() call. If the KOPT_DONT_MK_REQ options is - * chosen, the ticket must be supplied in the "ticket" argument. - * The "service", "inst", and "realm" arguments identify the ticket. - * If "realm" is null, the local realm is used. - * - * The following arguments are only needed if the KOPT_DO_MUTUAL option - * is chosen: - * - * The "checksum" argument is a number that the server will add 1 to - * to authenticate itself back to the client; the "msg_data" argument - * holds the returned mutual-authentication message from the server - * (i.e., the checksum+1); the "cred" structure is used to hold the - * session key of the server, extracted from the ticket file, for use - * in decrypting the mutual authentication message from the server; - * and "schedule" holds the key schedule for that decryption. The - * the local and server addresses are given in "laddr" and "faddr". - * - * The application protocol version number (of up to KRB_SENDAUTH_VLEN - * characters) is passed in "version". - * - * If all goes well, KSUCCESS is returned, otherwise some error code. - * - * The format of the message sent to the server is: - * - * Size Variable Field - * ---- -------- ----- - * - * KRB_SENDAUTH_VLEN KRB_SENDAUTH_VER sendauth protocol - * bytes version number - * - * KRB_SENDAUTH_VLEN version application protocol - * bytes version number - * - * 4 bytes ticket->length length of ticket - * - * ticket->length ticket->dat ticket itself - */ - -/* - * XXX: Note that krb_rd_priv() is coded in such a way that - * "msg_data->app_data" will be pointing into "packet", which - * will disappear when krb_sendauth() returns. - * - * See FIXME KLUDGE code in appl/bsd/kcmd.c. 
- */ -KRB4_32 __krb_sendauth_hidden_tkt_len=0; -#define raw_tkt_len __krb_sendauth_hidden_tkt_len - - -/* - * Read a server's sendauth response out of a file descriptor. - * Returns a Kerberos error code. - * - * Note sneaky code using raw_tkt_len to stash away a bit of info - * for use by appl/bsd/kcmd.c. Now that krb_net_rd_sendauth is - * a separate function, kcmd should call it directly to get this - * sneaky info. - */ -int -krb_net_rd_sendauth (fd, reply, raw_len) - int fd; /* file descriptor to write onto */ - KTEXT reply; /* Where we put the reply message */ - KRB4_32 *raw_len; /* Where to read the length field info */ -{ - KRB4_32 tkt_len; - int got; - - reply->length = 0; /* Nothing read from net yet */ - reply->mbz = 0; - - /* get the length of the reply */ - reread: - got = krb_net_read(fd, (char *)raw_len, sizeof(KRB4_32)); - if (got != sizeof(KRB4_32)) - return KFAILURE; - - /* Here's an amazing hack. If we are contacting an rlogin server, - and it is running on a Sun4, and it was compiled with the wrong - shared libary version, it will print an ld.so warning message - when it starts up. We just ignore any such message and keep - going. This doesn't affect security: we just require the - ticket to follow the warning message. */ - if (!memcmp("ld.s", raw_len, 4)) { - char c; - - while (krb_net_read(fd, &c, 1) == 1 && c != '\n') - ; - goto reread; - } - - tkt_len = ntohl(*raw_len); - - /* if the length is negative, the server failed to recognize us. */ - if ((tkt_len < 0) || (tkt_len > sizeof(reply->dat))) - return KFAILURE; /* XXX */ - /* read the reply... */ - got = krb_net_read(fd, (char *)reply->dat, (int) tkt_len); - if (got != (int) tkt_len) - return KFAILURE; - - reply->length = tkt_len; - reply->mbz = 0; - return KSUCCESS; -} - - -/* - * krb_sendauth - * - * The original routine, provided on Unix. 
- * Obtains a service ticket using the ticket-granting ticket, - * uses it to stuff an authorization request down a Unix socket to the - * end-user application server, sucks a response out of the socket, - * and decodes it to verify mutual authentication. - */ -int KRB5_CALLCONV -krb_sendauth(options, fd, ticket, service, inst, realm, checksum, - msg_data, cred, schedule, laddr, faddr, version) - long options; /* bit-pattern of options */ - int fd; /* file descriptor to write onto */ - KTEXT ticket; /* where to put ticket (return); or - supplied in case of KOPT_DONT_MK_REQ */ - char *service; /* service name */ - char *inst; /* service instance */ - char *realm; /* service realm */ - unsigned KRB4_32 checksum; /* checksum to include in request */ - MSG_DAT *msg_data; /* mutual auth MSG_DAT (return) */ - CREDENTIALS *cred; /* credentials (return) */ - Key_schedule schedule; /* key schedule (return) */ - struct sockaddr_in *laddr; /* local address */ - struct sockaddr_in *faddr; /* address of foreign host on fd */ - char *version; /* version string */ -{ - int rem, cc; - char srv_inst[INST_SZ]; - char krb_realm[REALM_SZ]; - KTEXT_ST packet[1]; /* Re-use same one for msg and reply */ - - /* get current realm if not passed in */ - if (!realm) { - rem = krb_get_lrealm(krb_realm,1); - if (rem != KSUCCESS) - return(rem); - realm = krb_realm; - } - - /* copy instance into local storage, so mk_auth can canonicalize */ - (void) strncpy(srv_inst, inst, INST_SZ-1); - srv_inst[INST_SZ-1] = 0; - rem = krb_mk_auth (options, ticket, service, srv_inst, realm, checksum, - version, packet); - if (rem != KSUCCESS) - return rem; - -#ifdef ATHENA_COMPAT - /* this is only for compatibility with old servers */ - if (options & KOPT_DO_OLDSTYLE) { - (void) sprintf(buf,"%d ",ticket->length); - (void) write(fd, buf, strlen(buf)); - (void) write(fd, (char *) ticket->dat, ticket->length); - return(rem); - } -#endif /* ATHENA_COMPAT */ - - /* write the request to the server */ - if ((cc = 
krb_net_write(fd, packet->dat, packet->length)) != packet->length) - return(cc); - - /* mutual authentication, if desired */ - if (options & KOPT_DO_MUTUAL) { - /* get credentials so we have service session - key for decryption below */ - cc = krb_get_cred(service, srv_inst, realm, cred); - if (cc) - return(cc); - - /* Get the reply out of the socket. */ - cc = krb_net_rd_sendauth (fd, packet, &raw_tkt_len); - if (cc != KSUCCESS) - return cc; - - /* Check the reply to verify that server is really who we expect. */ - cc = krb_check_auth (packet, checksum, - msg_data, cred->session, schedule, laddr, faddr); - if (cc != KSUCCESS) - return cc; - } - return(KSUCCESS); -} - - -#ifdef ATHENA_COMPAT -/* - * krb_sendsvc - */ - -int -krb_sendsvc(fd, service) - int fd; - char *service; -{ - /* write the service name length and then the service name to - the fd */ - KRB4_32 serv_length; - int cc; - - serv_length = htonl((unsigned long)strlen(service)); - if ((cc = krb_net_write(fd, (char *) &serv_length, - sizeof(serv_length))) - != sizeof(serv_length)) - return(cc); - if ((cc = krb_net_write(fd, service, strlen(service))) - != strlen(service)) - return(cc); - return(KSUCCESS); -} -#endif /* ATHENA_COMPAT */ diff --git a/src/lib/krb4/setenv.c b/src/lib/krb4/setenv.c deleted file mode 100644 index 76a2a615b..000000000 --- a/src/lib/krb4/setenv.c +++ /dev/null 
@@ -1,164 +0,0 @@
-/*
- * Copyright (c) 1987 Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)setenv.c 5.2 (Berkeley) 6/27/88";
-#endif /* LIBC_SCCS and not lint */
-
-#include "conf.h"
-#include
-#include
-
-/*
- * setenv --
- * Set the value of the environmental variable "name" to be
- * "value". If rewrite is set, replace any current value.
- */
-int setenv(name, value, rewrite)
- register char *name, *value;
- int rewrite;
-{
- extern char **environ;
- static int alloced; /* if allocated space before */
- register char *C;
- int l_value, offset;
- char *malloc(), *realloc(), *_findenv();
-
- if (*value == '=') /* no `=' in value */
- ++value;
- l_value = strlen(value);
- if ((C = _findenv(name, &offset))) { /* find if already exists */
- if (!rewrite)
- return(0);
- if (strlen(C) >= l_value) { /* old larger; copy over */
- while (*C++ = *value++);
- return(0);
- }
- }
- else { /* create new slot */
- register int cnt;
- register char **P;
-
- for (P = environ, cnt = 0; *P; ++P, ++cnt);
- if (alloced) { /* just increase size */
- environ = (char **)realloc((char *)environ,
- (u_int)(sizeof(char *) * (cnt + 2)));
- if (!environ)
- return(-1);
- }
- else { /* get new space */
- alloced = 1; /* copy old entries into it */
- P = (char **)malloc((u_int)(sizeof(char *) *
- (cnt + 2)));
- if (!P)
- return(-1);
- memcpy(P, environ, cnt * sizeof(char *));
- environ = P;
- }
- environ[cnt + 1] = NULL;
- offset = cnt;
- }
- for (C = name; *C && *C != '='; ++C); /* no `=' in name */
- if (!(environ[offset] = /* name + `=' + value */
- malloc((u_int)((int)(C - name) + l_value + 2))))
- return(-1);
- for (C = environ[offset]; (*C = *name++) && *C != '='; ++C);
- for (*C++ = '='; *C++ = *value++;);
- return(0);
-}
-
-/*
- * unsetenv(name) --
- * Delete environmental variable "name".
- */
-void
-unsetenv(name)
- char *name;
-{
- extern char **environ;
- register char **P;
- int offset;
- char *_findenv();
-
- while (_findenv(name, &offset)) /* if set multiple times */
- for (P = &environ[offset];; ++P)
- if (!(*P = *(P + 1)))
- break;
-}
-/*
- * Copyright (c) 1987 Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#ifndef HAVE_GETENV
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)getenv.c 5.5 (Berkeley) 6/27/88";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * getenv --
- * Returns ptr to value associated with name, if any, else NULL.
- */
-char *
-getenv(name)
- char *name;
-{
- int offset;
- char *_findenv();
-
- return(_findenv(name, &offset));
-}
-#endif
-/*
- * _findenv --
- * Returns pointer to value associated with name, if any, else NULL.
- * Sets offset to be the offset of the name/value combination in the
- * environmental array, for use by setenv(3) and unsetenv(3).
- * Explicitly removes '=' in argument name.
- *
- * This routine *should* be a static; don't use it.
- */
-char *
-_findenv(name, offset)
- register char *name;
- int *offset;
-{
- extern char **environ;
- register int len;
- register char **P, *C;
-
- for (C = name, len = 0; *C && *C != '='; ++C, ++len);
- for (P = environ; *P; ++P)
- if (!strncmp(*P, name, len))
- if (*(C = *P + len) == '=') {
- *offset = P - environ;
- return(++C);
- }
- return(NULL);
-}
diff --git a/src/lib/krb4/stime.c b/src/lib/krb4/stime.c
deleted file mode 100644
index f73c6f520..000000000
--- a/src/lib/krb4/stime.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * lib/krb4/stime.c
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "krb4int.h"
-#include /* for sprintf() */
-#ifndef _WIN32
-#include
-#include
-#endif
-
-/*
- * Given a pointer to a long containing the number of seconds
- * since the beginning of time (midnight 1 Jan 1970 GMT), return
- * a string containing the local time in the form:
- *
- * "25-Jan-88 10:17:56"
- */
-
-char *krb_stime(t)
- long *t;
-{
- static char st[40];
- static time_t adjusted_time;
- struct tm *tm;
-
- adjusted_time = *t - CONVERT_TIME_EPOCH;
- tm = localtime(&adjusted_time);
- (void) snprintf(st,sizeof(st),"%2d-%s-%d %02d:%02d:%02d",tm->tm_mday,
- month_sname(tm->tm_mon + 1),1900+tm->tm_year,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
- return st;
-}
-
diff --git a/src/lib/krb4/strcasecmp.c b/src/lib/krb4/strcasecmp.c
deleted file mode 100644
index 31bf0afbf..000000000
--- a/src/lib/krb4/strcasecmp.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (c) 1987 Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * This array is designed for mapping upper and lower case letter
- * together for a case independent comparison. The mappings are
- * based upon ascii character sequences.
- */
-static unsigned char charmap[] = {
- '\000', '\001', '\002', '\003', '\004', '\005', '\006', '\007',
- '\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017',
- '\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027',
- '\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037',
- '\040', '\041', '\042', '\043', '\044', '\045', '\046', '\047',
- '\050', '\051', '\052', '\053', '\054', '\055', '\056', '\057',
- '\060', '\061', '\062', '\063', '\064', '\065', '\066', '\067',
- '\070', '\071', '\072', '\073', '\074', '\075', '\076', '\077',
- '\100', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
- '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
- '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
- '\170', '\171', '\172', '\133', '\134', '\135', '\136', '\137',
- '\140', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
- '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
- '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
- '\170', '\171', '\172', '\173', '\174', '\175', '\176', '\177',
- '\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207',
- '\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217',
- '\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227',
- '\230', '\231', '\232', '\233', '\234', '\235', '\236', '\237',
- '\240', '\241', '\242', '\243', '\244', '\245', '\246', '\247',
- '\250', '\251', '\252', '\253', '\254', '\255', '\256', '\257',
- '\260', '\261', '\262', '\263', '\264', '\265', '\266', '\267',
- '\270', '\271', '\272', '\273', '\274', '\275', '\276', '\277',
- '\300', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
- '\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
- '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
- '\370', '\371', '\372', '\333', '\334', '\335', '\336', '\337',
- '\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
- '\350', '\351', '\352', '\353', '\354',
'\355', '\356', '\357',
- '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
- '\370', '\371', '\372', '\373', '\374', '\375', '\376', '\377',
-};
-
-strcasecmp(s1, s2)
- char *s1, *s2;
-{
- register unsigned char *cm = charmap,
- *us1 = (unsigned char *)s1,
- *us2 = (unsigned char *)s2;
-
- while (cm[*us1] == cm[*us2++])
- if (*us1++ == '\0')
- return(0);
- return(cm[*us1] - cm[*--us2]);
-}
-
-strncasecmp(s1, s2, n)
- char *s1, *s2;
- register int n;
-{
- register unsigned char *cm = charmap,
- *us1 = (unsigned char *)s1,
- *us2 = (unsigned char *)s2;
-
- while (--n >= 0 && cm[*us1] == cm[*us2++])
- if (*us1++ == '\0')
- return(0);
- return(n < 0 ? 0 : cm[*us1] - cm[*--us2]);
-}
diff --git a/src/lib/krb4/strnlen.c b/src/lib/krb4/strnlen.c
deleted file mode 100644
index 5dc80115c..000000000
--- a/src/lib/krb4/strnlen.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * lib/krb4/strnlen.c
- *
- * Copyright 2000, 2001 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include
-#include "krb.h"
-#include "prot.h"
-
-/*
- * krb4int_strnlen()
- *
- * Return the length of the string if a NUL is found in the first n
- * bytes, otherwise, -1.
- */
-
-int KRB5_CALLCONV
-krb4int_strnlen(const char *s, int n)
-{
- int i = 0;
-
- for (i = 0; i < n; i++) {
- if (s[i] == '\0') {
- return i;
- }
- }
- return -1;
-}
diff --git a/src/lib/krb4/swab.c b/src/lib/krb4/swab.c
deleted file mode 100644
index e07b28b43..000000000
--- a/src/lib/krb4/swab.c
+++ /dev/null
@@ -1,18 +0,0 @@
-/* simple implementation of swab. */
-
-swab(from,to,nbytes)
- char *from;
- char *to;
- int nbytes;
-{
- char tmp;
- while ( (nbytes-=2) >= 0 ) {
- tmp = from[1];
- to[1] = from[0];
- to[0] = tmp;
- to++; to++;
- from++; from++;
- }
-}
-
-
diff --git a/src/lib/krb4/tf_shm.c b/src/lib/krb4/tf_shm.c
deleted file mode 100644
index 2b040713c..000000000
--- a/src/lib/krb4/tf_shm.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * tf_shm.c
- *
- * Copyright 1988, 2007 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * .
- *
- * Shared memory segment functions for session keys. Derived from code
- * contributed by Dan Kolkowitz (kolk@jessica.stanford.edu).
- */
-
-#include "mit-copyright.h"
-
-#include
-#include
-#include
-#include "krb.h"
-#include "des.h"
-#include
-#include
-
-#define MAX_BUFF sizeof(des_cblock)*1000 /* room for 1k keys */
-
-extern int krb_debug;
-
-/*
- * krb_create_shmtkt:
- *
- * create a shared memory segment for session keys, leaving its id
- * in the specified filename.
- */
-
-int
-krb_shm_create(file_name)
-char *file_name;
-{
- int retval;
- int shmid;
- struct shmid_ds shm_buf;
- FILE *sfile;
- uid_t me, metoo, getuid(), geteuid();
-
- (void) krb_shm_dest(file_name); /* nuke it if it exists...
- this cleans up to make sure we
- don't slowly lose memory. */
-
- shmid = shmget((long)IPC_PRIVATE,MAX_BUFF, IPC_CREAT);
- if (shmid == -1) {
- if (krb_debug)
- perror("krb_shm_create shmget");
- return(KFAILURE); /* XXX */
- }
- me = getuid();
- metoo = geteuid();
- /*
- * now set up the buffer so that we can modify it
- */
- shm_buf.shm_perm.uid = me;
- shm_buf.shm_perm.gid = getgid();
- shm_buf.shm_perm.mode = 0600;
- if (shmctl(shmid,IPC_SET,&shm_buf) < 0) { /*can now map it */
- if (krb_debug)
- perror("krb_shm_create shmctl");
- (void) shmctl(shmid, IPC_RMID, 0);
- return(KFAILURE); /* XXX */
- }
-#if !defined(_AIX)
- (void) shmctl(shmid, SHM_LOCK, 0); /* attempt to lock-in-core */
-#endif
- /* arrange so the file is owned by the ruid
- (swap real & effective uid if necessary). */
- if (me != metoo) {
- if (setreuid(metoo, me) < 0) {
- /* can't switch??? barf!
*/
- if (krb_debug)
- perror("krb_shm_create: setreuid");
- (void) shmctl(shmid, IPC_RMID, 0);
- return(KFAILURE);
- } else
- if (krb_debug)
- printf("swapped UID's %d and %d\n",metoo,me);
- }
- if ((sfile = fopen(file_name,"w")) == 0) {
- if (krb_debug)
- perror("krb_shm_create file");
- (void) shmctl(shmid, IPC_RMID, 0);
- return(KFAILURE); /* XXX */
- }
- set_cloexec_file(sfile);
- if (fchmod(fileno(sfile),0600) < 0) {
- if (krb_debug)
- perror("krb_shm_create fchmod");
- (void) shmctl(shmid, IPC_RMID, 0);
- return(KFAILURE); /* XXX */
- }
- if (me != metoo) {
- if (setreuid(me, metoo) < 0) {
- /* can't switch??? barf! */
- if (krb_debug)
- perror("krb_shm_create: setreuid2");
- (void) shmctl(shmid, IPC_RMID, 0);
- return(KFAILURE);
- } else
- if (krb_debug)
- printf("swapped UID's %d and %d\n",me,metoo);
- }
-
- (void) fprintf(sfile,"%d",shmid);
- (void) fflush(sfile);
- (void) fclose(sfile);
- return(KSUCCESS);
-}
-
-
-/*
- * krb_is_diskless:
- *
- * check / to see if file .diskless exists. If so it is diskless.
- * Do it this way now to avoid dependencies on a particular routine.
- * Choose root file system since that will be private to the client.
- */
-
-int krb_is_diskless()
-{
- struct stat buf;
- if (stat("/.diskless",&buf) < 0)
- return(0);
- else return(1);
-}
-
-/*
- * krb_shm_dest: destroy shared memory segment with session keys, and remove
- * file pointing to it.
- */
-
-int krb_shm_dest(file)
-char *file;
-{
- int shmid;
- FILE *sfile;
- struct stat st_buf;
-
- if (stat(file,&st_buf) == 0) {
- /* successful stat */
- if ((sfile = fopen(file,"r")) == 0) {
- if (krb_debug)
- perror("cannot open shared memory file");
- return(KFAILURE); /* XXX */
- }
- set_cloexec_file(sfile);
- if (fscanf(sfile,"%d",&shmid) == 1) {
- if (shmctl(shmid,IPC_RMID,0) != 0) {
- if (krb_debug)
- perror("krb_shm_dest: cannot delete shm segment");
- (void) fclose(sfile);
- return(KFAILURE); /* XXX */
- }
- } else {
- if (krb_debug)
- fprintf(stderr, "bad format in shmid file\n");
- (void) fclose(sfile);
- return(KFAILURE); /* XXX */
- }
- (void) fclose(sfile);
- (void) unlink(file);
- return(KSUCCESS);
- } else
- return(RET_TKFIL); /* XXX */
-}
-
-
-
diff --git a/src/lib/krb4/tf_util.c b/src/lib/krb4/tf_util.c
deleted file mode 100644
index 0bc05d75d..000000000
--- a/src/lib/krb4/tf_util.c
+++ /dev/null
@@ -1,1103 +0,0 @@
-/*
- * lib/krb4/tf_util.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2007 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */ - -#include "krb.h" -#include "k5-int.h" -#include "krb4int.h" - - -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include - -#ifdef TKT_SHMEM -#include -#include -#include -#endif /* TKT_SHMEM */ - - - -#define TOO_BIG -1 -#define TF_LCK_RETRY ((unsigned)2) /* seconds to sleep before - * retry if ticket file is - * locked */ -extern int krb_debug; - -void tf_close(); - -#ifdef TKT_SHMEM -char *krb_shm_addr; -static char *tmp_shm_addr; -static const char krb_dummy_skey[8]; - -char *shmat(); -#endif /* TKT_SHMEM */ - -#ifdef NEED_UTIMES - -#include -#ifdef __SCO__ -#include -#endif -#if defined(__svr4__) || defined(__SVR4) -#include -#endif -int utimes(path, times) - char* path; - struct timeval times[2]; -{ - struct utimbuf tv; - tv.actime = times[0].tv_sec; - tv.modtime = times[1].tv_sec; - return utime(path,&tv); -} -#endif - -#ifdef HAVE_SETEUID -#define do_seteuid(e) seteuid((e)) -#else -#ifdef HAVE_SETRESUID -#define do_seteuid(e) setresuid(-1, (e), -1) -#else -#ifdef HAVE_SETREUID -#define do_seteuid(e) setreuid(geteuid(), (e)) -#else -#define do_seteuid(e) (errno = EPERM, -1) -#endif -#endif -#endif - - -#ifdef K5_LE -/* This was taken from jhutz's patch for heimdal krb4. It only - * applies to little endian systems. Big endian systems have a - * less elegant solution documented below. - * - * This record is written after every real ticket, to ensure that - * both 32- and 64-bit readers will perceive the next real ticket - * as starting in the same place. This record looks like a ticket - * with the following properties: - * Field 32-bit 64-bit - * ============ ================= ================= - * sname "." "." - * sinst "" "" - * srealm ".." ".." 
- * session key 002E2E00 xxxxxxxx xxxxxxxx 00000000 - * lifetime 0 0 - * kvno 0 12 - * ticket 12 nulls 4 nulls - * issue 0 0 - * - * Our code always reads and writes the 32-bit format, but knows - * to skip 00000000 at the front of a record, and to completely - * ignore tickets for the special alignment principal. - */ -static unsigned char align_rec[] = { - 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0x00, 0x2e, - 0x2e, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00 -}; - -#else /* Big Endian */ - -/* These alignment records are for big endian systems. We need more - * of them because the portion of the 64-bit issue_date that overlaps - * with the start of a ticket on 32-bit systems contains an unpredictable - * number of NULL bytes. Preceeding these records is a second copy of the - * 32-bit issue_date. The srealm for the alignment records is always one of - * ".." or "?.." - */ - -/* No NULL bytes - * This is actually two alignment records since both 32- and 64-bit - * readers will agree on everything in the first record up through the - * issue_date size, except where sname starts. - * Field (1) 32-bit 64-bit - * ============ ================= ================= - * sname "????." "." - * sinst "" "" - * srealm ".." ".." - * session key 00000000 xxxxxxxx 00000000 xxxxxxxx - * lifetime 0 0 - * kvno 0 0 - * ticket 4 nulls 4 nulls - * issue 0 0 - * - * Field (2) 32-bit 64-bit - * ============ ================= ================= - * sname "." "." - * sinst "" "" - * srealm ".." ".." 
- * session key 002E2E00 xxxxxxxx xxxxxxxx 00000000 - * lifetime 0 0 - * kvno 0 12 - * ticket 12 nulls 4 nulls - * issue 0 0 - * - */ -static unsigned char align_rec_0[] = { - 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0x00, 0x00, - 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, - 0x00, 0x2e, 0x2e, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00 -}; - -/* One NULL byte - * Field 32-bit 64-bit - * ============ ================= ================= - * sname "x" |"xx"|"xxx" "." - * sinst "xx."|"x."|"." ".." - * srealm ".." "..." - * session key 2E2E2E00 xxxxxxxx xxxxxxxx 00000000 - * lifetime 0 0 - * kvno 0 12 - * ticket 12 nulls 4 nulls - * issue 0 0 - */ -static unsigned char align_rec_1[] = { - 0x2e, 0x00, 0x2e, 0x2e, 0x00, 0x2e, 0x2e, 0x2e, - 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00 -}; - -/* Two NULL bytes - * Field 32-bit 64-bit - * ============ ================= ================= - * sname "x" |"x" |"xx" ".." - * sinst "" |"x" |"" "" - * srealm "x.."|".."|".." ".." - * session key 002E2E00 xxxxxxxx xxxxxxxx 00000000 - * lifetime 0 0 - * kvno 0 12 - * ticket 12 nulls 4 nulls - * issue 0 0 - */ - static unsigned char align_rec_2[] = { - 0x2e, 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0xff, - 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; - -/* Three NULL bytes - * Things break here for 32-bit krb4 libraries that don't - * understand this alignment record. 
We can't really do - * anything about the fact that the three strings ended - * in the duplicate timestamp. The good news is that this - * only happens once every 0x1000000 seconds, once roughly - * every six and a half months. We'll live. - * - * Discussion on the krbdev list has suggested the - * issue_date be incremented by one in this case to avoid - * the problem. I'm leaving this here just in case. - * - * Field 32-bit 64-bit - * ============ ================= ================= - * sname "" "." - * sinst "" "" - * srealm "" ".." - * session key 2E00002E 2E00FFFF xxxx0000 0000xxxx - * lifetime 0 0 - * kvno 4294901760 917504 - * ticket 14 nulls 4 nulls - * issue 0 0 - */ -/* -static unsigned char align_rec_3[] = { - 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; -*/ -#endif /* K5_LE*/ - -/* - * fd must be initialized to something that won't ever occur as a real - * file descriptor. Since open(2) returns only non-negative numbers as - * valid file descriptors, and tf_init always stuffs the return value - * from open in here even if it is an error flag, we must - * a. Initialize fd to a negative number, to indicate that it is - * not initially valid. - * b. When checking for a valid fd, assume that negative values - * are invalid (ie. when deciding whether tf_init has been - * called.) - * c. In tf_close, be sure it gets reinitialized to a negative - * number. - */ -static int fd = -1; -static int curpos; /* Position in tfbfr */ -static int lastpos; /* End of tfbfr */ -static char tfbfr[BUFSIZ]; /* Buffer for ticket data */ - -static int tf_gets (char *, int), tf_read (char *, int); - -/* - * This file contains routines for manipulating the ticket cache file. 
- * - * The ticket file is in the following format: - * - * principal's name (null-terminated string) - * principal's instance (null-terminated string) - * CREDENTIAL_1 - * CREDENTIAL_2 - * ... - * CREDENTIAL_n - * EOF - * - * Where "CREDENTIAL_x" consists of the following fixed-length - * fields from the CREDENTIALS structure (see "krb.h"): - * - * string service[ANAME_SZ] - * string instance[INST_SZ] - * string realm[REALM_SZ] - * C_Block session - * int lifetime - * int kvno - * KTEXT_ST ticket_st - * KRB4_32 issue_date - * - * Strings are stored NUL-terminated, and read back until a NUL is - * found or the indicated number of bytes have been read. (So if you - * try to store a string exactly that long or longer, reading them - * back will not work.) The KTEXT_ST structure is stored as an int - * length followed by that many data bytes. All ints are stored using - * host size and byte order for "int". - * - * Short description of routines: - * - * tf_init() opens the ticket file and locks it. - * - * tf_get_pname() returns the principal's name. - * - * tf_get_pinst() returns the principal's instance (may be null). - * - * tf_get_cred() returns the next CREDENTIALS record. - * - * tf_save_cred() appends a new CREDENTIAL record to the ticket file. - * - * tf_close() closes the ticket file and releases the lock. - * - * tf_gets() returns the next null-terminated string. It's an internal - * routine used by tf_get_pname(), tf_get_pinst(), and tf_get_cred(). - * - * tf_read() reads a given number of bytes. It's an internal routine - * used by tf_get_cred(). - */ - -/* - * tf_init() should be called before the other ticket file routines. - * It takes the name of the ticket file to use, "tf_name", and a - * read/write flag "rw" as arguments. - * - * It tries to open the ticket file, checks the mode, and if everything - * is okay, locks the file. If it's opened for reading, the lock is - * shared. If it's opened for writing, the lock is exclusive. 
- * - * Returns KSUCCESS if all went well, otherwise one of the following: - * - * NO_TKT_FIL - file wasn't there - * TKT_FIL_ACC - file was in wrong mode, etc. - * TKT_FIL_LCK - couldn't lock the file, even after a retry - */ - -int KRB5_CALLCONV tf_init(tf_name, rw) - const char *tf_name; - int rw; -{ - int wflag; - uid_t me, metoo; - struct stat stat_buf, stat_buffd; -#ifdef TKT_SHMEM - char shmidname[MAXPATHLEN]; - FILE *sfp; - int shmid; -#endif - - if (!krb5__krb4_context) { - if (krb5_init_context(&krb5__krb4_context)) - return TKT_FIL_LCK; - } - - me = getuid(); - metoo = geteuid(); - - switch (rw) { - case R_TKT_FIL: - wflag = 0; - break; - case W_TKT_FIL: - wflag = 1; - break; - default: - if (krb_debug) fprintf(stderr, "tf_init: illegal parameter\n"); - return TKT_FIL_ACC; - } - - /* If ticket cache selector is null, use default cache. */ - if (tf_name == 0) - tf_name = tkt_string(); - -#ifdef TKT_SHMEM - (void) strncpy(shmidname, tf_name, sizeof(shmidname) - 1); - shmidname[sizeof(shmidname) - 1] = '\0'; - (void) strncat(shmidname, ".shm", sizeof(shmidname) - 1 - strlen(shmidname)); -#endif /* TKT_SHMEM */ - - /* - * If "wflag" is set, open the ticket file in append-writeonly mode - * and lock the ticket file in exclusive mode. If unable to lock - * the file, sleep and try again. If we fail again, return with the - * proper error message. - */ - - curpos = sizeof(tfbfr); - -#ifdef TKT_SHMEM - if (lstat(shmidname, &stat_buf) < 0) { - switch (errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - if (stat_buf.st_uid != me || !(stat_buf.st_mode & S_IFREG) - || stat_buf.st_nlink != 1 || stat_buf.st_mode & 077) { - return TKT_FIL_ACC; - } - - /* - * Yes, we do uid twiddling here. It's not optimal, but some - * applications may expect that the ruid is what should really own - * the ticket file, e.g. setuid applications. 
- */ - if (me != metoo && do_seteuid(me) < 0) - return KFAILURE; - sfp = fopen(shmidname, "r"); /* only need read/write on the - actual tickets */ - if (sfp != 0) - set_cloexec_file(sfp); - if (me != metoo && do_seteuid(metoo) < 0) - return KFAILURE; - if (sfp == 0) { - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - - /* - * fstat() the file to check that the file we opened is the one we - * think it is. - */ - if (fstat(fileno(sfp), &stat_buffd) < 0) { - (void) close(fd); - fd = -1; - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* Check that it's the right file */ - if ((stat_buf.st_ino != stat_buffd.st_ino) || - (stat_buf.st_dev != stat_buffd.st_dev)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - /* Check ownership */ - if ((stat_buffd.st_uid != me && me != 0) || - ((stat_buffd.st_mode & S_IFMT) != S_IFREG)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - - - - shmid = -1; - { - char buf[BUFSIZ]; - int val; /* useful for debugging fscanf */ - /* We provide our own buffer here since some STDIO libraries - barf on unbuffered input with fscanf() */ - setbuf(sfp, buf); - if ((val = fscanf(sfp,"%d",&shmid)) != 1) { - (void) fclose(sfp); - return TKT_FIL_ACC; - } - if (shmid < 0) { - (void) fclose(sfp); - return TKT_FIL_ACC; - } - (void) fclose(sfp); - } - /* - * global krb_shm_addr is initialized to 0. Ultrix bombs when you try and - * attach the same segment twice so we need this check. 
- */ - if (!krb_shm_addr) { - if ((krb_shm_addr = shmat(shmid,0,0)) == -1){ - if (krb_debug) - fprintf(stderr, - "cannot attach shared memory for segment %d\n", - shmid); - krb_shm_addr = 0; /* reset so we catch further errors */ - return TKT_FIL_ACC; - } - } - tmp_shm_addr = krb_shm_addr; -#endif /* TKT_SHMEM */ - - if (lstat(tf_name, &stat_buf) < 0) { - switch (errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - if (stat_buf.st_uid != me || !(stat_buf.st_mode & S_IFREG) - || stat_buf.st_nlink != 1 || stat_buf.st_mode & 077) { - return TKT_FIL_ACC; - } - - if (wflag) { - if (me != metoo && do_seteuid(me) < 0) - return KFAILURE; - fd = open(tf_name, O_RDWR, 0600); - if (fd >= 0) - set_cloexec_fd(fd); - if (me != metoo && do_seteuid(metoo) < 0) - return KFAILURE; - if (fd < 0) { - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* - * fstat() the file to check that the file we opened is the - * one we think it is, and to check ownership. 
- */ - if (fstat(fd, &stat_buffd) < 0) { - (void) close(fd); - fd = -1; - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* Check that it's the right file */ - if ((stat_buf.st_ino != stat_buffd.st_ino) || - (stat_buf.st_dev != stat_buffd.st_dev)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - /* Check ownership */ - if ((stat_buffd.st_uid != me && me != 0) || - ((stat_buffd.st_mode & S_IFMT) != S_IFREG)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - if (krb5_lock_file(krb5__krb4_context, fd, - KRB5_LOCKMODE_EXCLUSIVE | - KRB5_LOCKMODE_DONTBLOCK) < 0) { - sleep(TF_LCK_RETRY); - if (krb5_lock_file(krb5__krb4_context, fd, - KRB5_LOCKMODE_EXCLUSIVE | - KRB5_LOCKMODE_DONTBLOCK) < 0) { - (void) close(fd); - fd = -1; - return TKT_FIL_LCK; - } - } - return KSUCCESS; - } - /* - * Otherwise "wflag" is not set and the ticket file should be opened - * for read-only operations and locked for shared access. - */ - - if (me != metoo && do_seteuid(me) < 0) - return KFAILURE; - fd = open(tf_name, O_RDONLY, 0600); - if (fd >= 0) - set_cloexec_fd(fd); - if (me != metoo && do_seteuid(metoo) < 0) - return KFAILURE; - if (fd < 0) { - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* - * fstat() the file to check that the file we opened is the one we - * think it is, and to check ownership. 
- */ - if (fstat(fd, &stat_buffd) < 0) { - (void) close(fd); - fd = -1; - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* Check that it's the right file */ - if ((stat_buf.st_ino != stat_buffd.st_ino) || - (stat_buf.st_dev != stat_buffd.st_dev)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - /* Check ownership */ - if ((stat_buffd.st_uid != me && me != 0) || - ((stat_buffd.st_mode & S_IFMT) != S_IFREG)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - if (krb5_lock_file(krb5__krb4_context, fd, - KRB5_LOCKMODE_SHARED | - KRB5_LOCKMODE_DONTBLOCK) < 0) { - sleep(TF_LCK_RETRY); - if (krb5_lock_file(krb5__krb4_context, fd, - KRB5_LOCKMODE_SHARED | - KRB5_LOCKMODE_DONTBLOCK) < 0) { - (void) close(fd); - fd = -1; - return TKT_FIL_LCK; - } - } - return KSUCCESS; -} - -/* - * tf_get_pname() reads the principal's name from the ticket file. It - * should only be called after tf_init() has been called. The - * principal's name is filled into the "p" parameter. If all goes well, - * KSUCCESS is returned. If tf_init() wasn't called, TKT_FIL_INI is - * returned. If the name was null, or EOF was encountered, or the name - * was longer than ANAME_SZ, TKT_FIL_FMT is returned. - */ - -int KRB5_CALLCONV tf_get_pname(p) - char *p; -{ - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_get_pname called before tf_init.\n"); - return TKT_FIL_INI; - } - if (tf_gets(p, ANAME_SZ) < 2) /* can't be just a null */ - return TKT_FIL_FMT; - return KSUCCESS; -} - -/* - * tf_get_pinst() reads the principal's instance from a ticket file. - * It should only be called after tf_init() and tf_get_pname() have been - * called. The instance is filled into the "inst" parameter. If all - * goes well, KSUCCESS is returned. If tf_init() wasn't called, - * TKT_FIL_INI is returned. If EOF was encountered, or the instance - * was longer than ANAME_SZ, TKT_FIL_FMT is returned. Note that the - * instance may be null. 
- */ - -int KRB5_CALLCONV tf_get_pinst(inst) - char *inst; -{ - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_get_pinst called before tf_init.\n"); - return TKT_FIL_INI; - } - if (tf_gets(inst, INST_SZ) < 1) - return TKT_FIL_FMT; - return KSUCCESS; -} - -/* - * tf_get_cred() reads a CREDENTIALS record from a ticket file and fills - * in the given structure "c". It should only be called after tf_init(), - * tf_get_pname(), and tf_get_pinst() have been called. If all goes well, - * KSUCCESS is returned. Possible error codes are: - * - * TKT_FIL_INI - tf_init wasn't called first - * TKT_FIL_FMT - bad format - * EOF - end of file encountered - */ - -static int real_tf_get_cred(c) - CREDENTIALS *c; -{ - KTEXT ticket = &c->ticket_st; /* pointer to ticket */ - int k_errno; - unsigned char nullbuf[3]; /* used for 64-bit issue_date tf compatibility */ - - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_get_cred called before tf_init.\n"); - return TKT_FIL_INI; - } - if ((k_errno = tf_gets(c->service, SNAME_SZ)) < 2) { - -#ifdef K5_BE - /* If we're big endian then we can have a null service name as part of - * an alignment record. */ - if (k_errno < 2) - switch (k_errno) { - case TOO_BIG: - tf_close(); - return TKT_FIL_FMT; - case 0: - return EOF; - } -#else /* Little Endian */ - /* If we read an empty service name, it's possible that's because - * the file was written by someone who thinks issue_date should be - * 64 bits. 
If that is the case, there will be three more zeros, - * followed by the real record.*/ - - if (k_errno == 1 && - tf_read(nullbuf, 3) == 3 && - !nullbuf[0] && !nullbuf[1] && !nullbuf[2]) - k_errno = tf_gets(c->service, SNAME_SZ); - - if (k_errno < 2) - switch (k_errno) { - case TOO_BIG: - case 1: /* can't be just a null */ - tf_close(); - return TKT_FIL_FMT; - case 0: - return EOF; - } -#endif/*K5_BE*/ - - } - if ((k_errno = tf_gets(c->instance, INST_SZ)) < 1) - switch (k_errno) { - case TOO_BIG: - return TKT_FIL_FMT; - case 0: - return EOF; - } - if ((k_errno = tf_gets(c->realm, REALM_SZ)) < 2) { - switch (k_errno) { - case TOO_BIG: - case 1: /* can't be just a null */ - tf_close(); - return TKT_FIL_FMT; - case 0: - return EOF; - } - } - - if ( - tf_read((char *) (c->session), KEY_SZ) < 1 || - tf_read((char *) &(c->lifetime), sizeof(c->lifetime)) < 1 || - tf_read((char *) &(c->kvno), sizeof(c->kvno)) < 1 || - tf_read((char *) &(ticket->length), sizeof(ticket->length)) - < 1 || - /* don't try to read a silly amount into ticket->dat */ - ticket->length > MAX_KTXT_LEN || - tf_read((char *) (ticket->dat), ticket->length) < 1 || - tf_read((char *) &(c->issue_date), sizeof(c->issue_date)) < 1 - ) { - tf_close(); - return TKT_FIL_FMT; - } - -#ifdef K5_BE - /* If the issue_date is 0 and we're not dealing with an alignment - record, then it's likely we've run into an issue_date written by - a 64-bit library that is using long instead of KRB4_32. Let's get - the next four bytes instead. 
- */ - if (0 == c->issue_date) { - int len = strlen(c->realm); - if (!(2 == len && 0 == strcmp(c->realm, "..")) && - !(3 == len && 0 == strcmp(c->realm + 1, ".."))) { - if (tf_read((char *) &(c->issue_date), sizeof(c->issue_date)) < 1) { - tf_close(); - return TKT_FIL_FMT; - } - } - } - -#endif - - return KSUCCESS; -} - -int KRB5_CALLCONV tf_get_cred(c) - CREDENTIALS *c; -{ - int k_errno; - int fake; - - do { - fake = 0; - k_errno = real_tf_get_cred(c); - if (k_errno) - return k_errno; - -#ifdef K5_BE - /* Here we're checking to see if the realm is one of the - * alignment record realms, ".." or "?..", so we can skip it. - * If it's not, then we need to verify that the service name - * was not null as this should be a valid ticket. - */ - { - int len = strlen(c->realm); - if (2 == len && 0 == strcmp(c->realm, "..")) - fake = 1; - if (3 == len && 0 == strcmp(c->realm + 1, "..")) - fake = 1; - if (!fake && 0 == strlen(c->service)) { - tf_close(); - return TKT_FIL_FMT; - } - } -#else /* Little Endian */ - /* Here we're checking to see if the service principal is the - * special alignment record principal ".@..", so we can skip it. - */ - if (strcmp(c->service, ".") == 0 && - strcmp(c->instance, "") == 0 && - strcmp(c->realm, "..") == 0) - fake = 1; -#endif/*K5_BE*/ - } while (fake); - -#ifdef TKT_SHMEM - memcpy(c->session, tmp_shm_addr, KEY_SZ); - tmp_shm_addr += KEY_SZ; -#endif /* TKT_SHMEM */ - return KSUCCESS; -} - -/* - * tf_close() closes the ticket file and sets "fd" to -1. If "fd" is - * not a valid file descriptor, it just returns. It also clears the - * buffer used to read tickets. - * - * The return value is not defined. - */ - -void KRB5_CALLCONV tf_close() -{ - if (!(fd < 0)) { -#ifdef TKT_SHMEM - if (shmdt(krb_shm_addr)) { - /* what kind of error? 
*/ - if (krb_debug) - fprintf(stderr, "shmdt 0x%x: errno %d",krb_shm_addr, errno); - } else { - krb_shm_addr = 0; - } -#endif /* TKT_SHMEM */ - if (!krb5__krb4_context) - krb5_init_context(&krb5__krb4_context); - (void) krb5_lock_file(krb5__krb4_context, fd, KRB5_LOCKMODE_UNLOCK); - (void) close(fd); - fd = -1; /* see declaration of fd above */ - } - memset(tfbfr, 0, sizeof(tfbfr)); -} - -/* - * tf_gets() is an internal routine. It takes a string "s" and a count - * "n", and reads from the file until either it has read "n" characters, - * or until it reads a null byte. When finished, what has been read exists - * in "s". If it encounters EOF or an error, it closes the ticket file. - * - * Possible return values are: - * - * n the number of bytes read (including null terminator) - * when all goes well - * - * 0 end of file or read error - * - * TOO_BIG if "count" characters are read and no null is - * encountered. This is an indication that the ticket - * file is seriously ill. - */ - -static int -tf_gets(s, n) - register char *s; - int n; -{ - register int count; - - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_gets called before tf_init.\n"); - return TKT_FIL_INI; - } - for (count = n - 1; count > 0; --count) { - if (curpos >= sizeof(tfbfr)) { - lastpos = read(fd, tfbfr, sizeof(tfbfr)); - curpos = 0; - } - if (curpos == lastpos) { - tf_close(); - return 0; - } - *s = tfbfr[curpos++]; - if (*s++ == '\0') - return (n - count); - } - tf_close(); - return TOO_BIG; -} - -/* - * tf_read() is an internal routine. It takes a string "s" and a count - * "n", and reads from the file until "n" bytes have been read. When - * finished, what has been read exists in "s". If it encounters EOF or - * an error, it closes the ticket file. 
- * - * Possible return values are: - * - * n the number of bytes read when all goes well - * - * 0 on end of file or read error - */ - -static int -tf_read(s, n) - register char *s; - register int n; -{ - register int count; - - for (count = n; count > 0; --count) { - if (curpos >= sizeof(tfbfr)) { - lastpos = read(fd, tfbfr, sizeof(tfbfr)); - curpos = 0; - } - if (curpos == lastpos) { - tf_close(); - return 0; - } - *s++ = tfbfr[curpos++]; - } - return n; -} - -/* - * tf_save_cred() appends an incoming ticket to the end of the ticket - * file. You must call tf_init() before calling tf_save_cred(). - * - * The "service", "instance", and "realm" arguments specify the - * server's name; "session" contains the session key to be used with - * the ticket; "kvno" is the server key version number in which the - * ticket is encrypted, "ticket" contains the actual ticket, and - * "issue_date" is the time the ticket was requested (local host's time). - * - * Returns KSUCCESS if all goes well, TKT_FIL_INI if tf_init() wasn't - * called previously, and KFAILURE for anything else that went wrong. - */ - -int tf_save_cred(service, instance, realm, session, lifetime, kvno, - ticket, issue_date) - char *service; /* Service name */ - char *instance; /* Instance */ - char *realm; /* Auth domain */ - C_Block session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT ticket; /* The ticket itself */ - KRB4_32 issue_date; /* The issue time */ -{ - - off_t lseek(); - unsigned int count; /* count for write */ -#ifdef TKT_SHMEM - int *skey_check; -#endif /* TKT_SHMEM */ - - if (fd < 0) { /* fd is ticket file as set by tf_init */ - if (krb_debug) - fprintf(stderr, "tf_save_cred called before tf_init.\n"); - return TKT_FIL_INI; - } - /* Find the end of the ticket file */ - (void) lseek(fd, (off_t)0, 2); -#ifdef TKT_SHMEM - /* scan to end of existing keys: pick first 'empty' slot. 
- we assume that no real keys will be completely zero (it's a weak - key under DES) */ - - skey_check = (int *) krb_shm_addr; - - while (*skey_check && *(skey_check+1)) - skey_check += 2; - tmp_shm_addr = (char *)skey_check; -#endif /* TKT_SHMEM */ - - /* Write the ticket and associated data */ - /* Service */ - count = strlen(service) + 1; - if (write(fd, service, count) != count) - goto bad; - /* Instance */ - count = strlen(instance) + 1; - if (write(fd, instance, count) != count) - goto bad; - /* Realm */ - count = strlen(realm) + 1; - if (write(fd, realm, count) != count) - goto bad; - /* Session key */ -#ifdef TKT_SHMEM - memcpy(tmp_shm_addr, session, 8); - tmp_shm_addr+=8; - if (write(fd,krb_dummy_skey,8) != 8) - goto bad; -#else /* ! TKT_SHMEM */ - if (write(fd, (char *) session, 8) != 8) - goto bad; -#endif /* TKT_SHMEM */ - /* Lifetime */ - if (write(fd, (char *) &lifetime, sizeof(int)) != sizeof(int)) - goto bad; - /* Key vno */ - if (write(fd, (char *) &kvno, sizeof(int)) != sizeof(int)) - goto bad; - /* Tkt length */ - if (write(fd, (char *) &(ticket->length), sizeof(int)) != - sizeof(int)) - goto bad; - /* Ticket */ - count = ticket->length; - if (write(fd, (char *) (ticket->dat), count) != count) - goto bad; - /* Issue date */ - if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) - != sizeof(KRB4_32)) - goto bad; - /* Alignment Record */ -#ifdef K5_BE - { - int null_bytes = 0; - if (0 == (issue_date & 0xff000000)) - ++null_bytes; - if (0 == (issue_date & 0x00ff0000)) - ++null_bytes; - if (0 == (issue_date & 0x0000ff00)) - ++null_bytes; - if (0 == (issue_date & 0x000000ff)) - ++null_bytes; - - switch(null_bytes) { - case 0: - /* Issue date */ - if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) - != sizeof(KRB4_32)) - goto bad; - if (write(fd, align_rec_0, sizeof(align_rec_0)) - != sizeof(align_rec_0)) - goto bad; - break; - - case 1: - if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) - != sizeof(KRB4_32)) - goto bad; - if (write(fd, 
align_rec_1, sizeof(align_rec_1)) - != sizeof(align_rec_1)) - goto bad; - break; - - case 3: - /* Three NULLS are troublesome but rare. We'll just pretend - * they don't exist by decrementing the issue_date. - */ - --issue_date; - case 2: - if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) - != sizeof(KRB4_32)) - goto bad; - if (write(fd, align_rec_2, sizeof(align_rec_2)) - != sizeof(align_rec_2)) - goto bad; - break; - - default: - goto bad; - } - - } -#else - if (write(fd, align_rec, sizeof(align_rec)) != sizeof(align_rec)) - goto bad; -#endif - - /* Actually, we should check each write for success */ - return (KSUCCESS); -bad: - return (KFAILURE); -} diff --git a/src/lib/krb4/tkt_string.c b/src/lib/krb4/tkt_string.c deleted file mode 100644 index f6ed927b7..000000000 --- a/src/lib/krb4/tkt_string.c +++ /dev/null 
@@ -1,101 +0,0 @@
-/*
- * tkt_string.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2002 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include
-#include
-#include
-#include "autoconf.h"
-#include "port-sockets.h" /* XXX this gets us MAXPATHLEN but we should find
- a better way */
-
-#ifdef HAVE_STDLIB_H
-#include
-#else
-char *getenv();
-#endif
-
-
-#ifdef _WIN32
-typedef unsigned long uid_t;
-uid_t getuid(void) { return 0; }
-#endif /* _WIN32 */
-
-/*
- * This routine is used to generate the name of the file that holds
- * the user's cache of server tickets and associated session keys.
- *
- * If it is set, krb_ticket_string contains the ticket file name.
- * Otherwise, the filename is constructed as follows:
- *
- * If it is set, the environment variable "KRBTKFILE" will be used as
- * the ticket file name. Otherwise TKT_ROOT (defined in "krb.h") and
- * the user's uid are concatenated to produce the ticket file name
- * (e.g., "/tmp/tkt123"). A pointer to the string containing the ticket
- * file name is returned.
- */
-
-static char krb_ticket_string[MAXPATHLEN];
-
-const char *tkt_string()
-{
- char *env;
- uid_t getuid();
-
- if (!*krb_ticket_string) {
- env = getenv("KRBTKFILE");
- if (env) {
- (void) strncpy(krb_ticket_string, env,
- sizeof(krb_ticket_string)-1);
- krb_ticket_string[sizeof(krb_ticket_string)-1] = '\0';
- } else {
- /* 32 bits of signed integer will always fit in 11 characters
- (including the sign), so no need to worry about overflow */
- (void) snprintf(krb_ticket_string, sizeof(krb_ticket_string),
- "%s%d",TKT_ROOT,(int) getuid());
- }
- }
- return krb_ticket_string;
-}
-
-/*
- * This routine is used to set the name of the file that holds the user's
- * cache of server tickets and associated session keys.
- *
- * The value passed in is copied into local storage.
- *
- * NOTE: This routine should be called during initialization, before other
- * Kerberos routines are called; otherwise tkt_string() above may be called
- * and return an undesired ticket file name until this routine is called.
- */
-
-void KRB5_CALLCONV
-krb_set_tkt_string(val)
- const char *val;
-{
- (void) strncpy(krb_ticket_string, val, sizeof(krb_ticket_string)-1);
- krb_ticket_string[sizeof(krb_ticket_string)-1] = '\0';
-}
diff --git a/src/lib/krb4/unix_glue.c b/src/lib/krb4/unix_glue.c
deleted file mode 100644
index 93a30ed01..000000000
--- a/src/lib/krb4/unix_glue.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * unix_glue.c
- *
- * Glue code for pasting Kerberos into the Unix environment.
- *
- * Originally written by John Gilmore, Cygnus Support, May '94.
- * Public Domain.
- */
-
-#include "krb.h"
-#include
-#include "krb4int.h"
-
-/* Start and end Kerberos library access. On Unix, this is a No-op. */
-int
-krb_start_session (x)
- char *x;
-{
- return KSUCCESS;
-}
-
-int
-krb_end_session (x)
- char *x;
-{
- return KSUCCESS;
-}
-
-char *
-krb_get_default_user ()
-{
- return 0; /* FIXME */
-}
-
-int
-krb_set_default_user (x)
- char *x;
-{
- return KFAILURE; /* FIXME */
-}
diff --git a/src/lib/krb4/unix_time.c b/src/lib/krb4/unix_time.c
deleted file mode 100644
index 411ee38d6..000000000
--- a/src/lib/krb4/unix_time.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * unix_time.c
- *
- * Glue code for pasting Kerberos into the Unix environment.
- *
- * Originally written by John Gilmore, Cygnus Support, May '94.
- * Public Domain.
- */
-
-#include "krb.h"
-#include
-
-/* Time handling. Translate Unix time calls into Kerberos cnternal
- procedure calls. See ../../include/cc-unix.h. */
-
-unsigned KRB4_32 KRB5_CALLCONV
-unix_time_gmt_unixsec (usecptr)
- unsigned KRB4_32 *usecptr;
-{
- struct timeval now;
-
- (void) gettimeofday (&now, (struct timezone *)0);
- if (usecptr)
- *usecptr = now.tv_usec;
- return now.tv_sec;
-}
diff --git a/src/lib/krb4/vmslink.com b/src/lib/krb4/vmslink.com
deleted file mode 100644
index 95cabfe1d..000000000
--- a/src/lib/krb4/vmslink.com
+++ /dev/null
@@ -1,79 +0,0 @@ -$ write sys$output "start of run" -$ cc /decc /inc=inc /debug=all des.c -$ cc /decc /inc=inc /debug=all d3des.c -$ cc /decc /inc=inc /debug=all cbc.c -$ cc /decc /inc=([],inc) /debug=all qcksum.c -$ cc /decc /inc=([],inc) /debug=all str2key.c -$ cc /decc /inc=([],inc) /debug=all parity.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all ad_print.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all add_tkt.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_auth_repl.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_ciph.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_death_pkt.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_err_repl.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_tkt.c -$ write sys$output "begin d" -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all debug.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all decomp_tkt.c -stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all dest_tkt.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all err_txt.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all ext_tkt.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all fakeenv.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all fgetst.c -$ write sys$output "begin g" -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_ad_tkt.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_admhst.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_cnffile.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_cred.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_in_tkt.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_krbhst.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_krbrlm.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_phost.c -sgtty $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_pw_in_tkt.c -$ cc/decc/inc=inc 
/define="HOST_BYTE_ORDER=1" /debug=all g_pw_tkt.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_request.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_svc_in_tkt.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_tf_fname.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_tf_realm.c -$ write sys$output "end g_" -$ cc/decc/inc=inc /define=("HOST_BYTE_ORDER=1",BSD42) /debug=all gethostname.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all getst.c -stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all in_tkt.c -$ cc/decc/inc=inc /define=("HOST_BYTE_ORDER=1",NEED_TIME_H) /debug=all klog.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all kname_parse.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all kntoln.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all kparse.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all krbglue.c -stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all kuserok.c -$ write sys$output "end k" -$ cc/decc/inc=inc /define=("HOST_BYTE_ORDER=1",NEED_TIME_H) /debug=all log.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_err.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_preauth.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_priv.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_req.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_safe.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all month_sname.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all netread.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all netwrite.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all pkt_cipher.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all pkt_clen.c -$ write sys$output "begin rd" -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_err.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_preauth.c -$ cc/decc/inc=inc 
/define="HOST_BYTE_ORDER=1" /debug=all rd_priv.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_req.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_safe.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_svc_key.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all realmofhost.c -$ write sys$output "begin recv" -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all recvauth.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all save_creds.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all send_to_kdc.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all sendauth.c -$ cc/decc/inc=inc /define=("HOST_BYTE_ORDER=1",NEED_TIME_H) /debug=all stime.c -stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all tf_shm.c -stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all tf_util.c -MAXPATHLEN $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all tkt_string.c -$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all vmsswab.c -$ library /create /list libkrb *.obj - diff --git a/src/lib/krb4/vmsswab.c b/src/lib/krb4/vmsswab.c deleted file mode 100644 index 019580882..000000000 --- a/src/lib/krb4/vmsswab.c +++ /dev/null 
@@ -1,34 +0,0 @@
-/* Copyright 1994 Cygnus Support */
-/* Mark W. Eichin */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* VMS doesn't have swab, but everything else does */
-/* so make this available anyway ... someday it might go
- into the VMS makefile fragment, but for now it is only
- referenced by l.com. */
-
-swab(from,to,nbytes)
- char *from;
- char *to;
- int nbytes;
-{
- char tmp;
-
- while ( (nbytes-=2) >= 0 ) {
- tmp = from[1];
- to[1] = from[0];
- to[0] = tmp;
- to++; to++;
- from++; from++;
- }
-}
-
diff --git a/src/lib/krb4/win_glue.c b/src/lib/krb4/win_glue.c
deleted file mode 100644
index e9cb5db33..000000000
--- a/src/lib/krb4/win_glue.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * win-glue.c
- *
- * Glue code for pasting Kerberos into the Windows environment.
- *
- * Originally written by John Gilmore, Cygnus Support, May '94.
- * Public Domain.
- */
-
-#include "krb.h"
-
-#include
-#include
-#include
-
-
-/*
- * We needed a way to print out what might be FAR pointers on Windows,
- * but might be ordinary pointers on real machines. Printf modifiers
- * scattered through the code don't cut it,
- * since they might break on real machines. Microloss
- * didn't provide a function to print a char *, so we wrote one.
- * It gets #define'd to fputs on real machines.
- */
-int
-far_fputs(string, stream)
- char *string;
- FILE *stream;
-{
- return fprintf(stream, "%Fs", string);
-}
-
-int
-krb_start_session(x)
- char *x;
-{
- return KSUCCESS;
-}
-
-int
-krb_end_session(x)
- char *x;
-{
- return KSUCCESS;
-}
-
-void KRB5_CALLCONV
-krb_set_tkt_string(val)
-char *val;
-{
-}
diff --git a/src/lib/krb4/win_store.c b/src/lib/krb4/win_store.c
deleted file mode 100644
index 9c2c37aa9..000000000
--- a/src/lib/krb4/win_store.c
+++ /dev/null
@@ -1,154 +0,0 @@ -/* - * win_store.c - * - * Kerberos configuration storage management routines. - * - * Originally coded by John Rivlin / Fusion Software, Inc. - * - * This file incorporates replacements for the following Unix files: - * g_cnffil.c - */ - -#include "krb.h" -#include "k5-int.h" -#include -#include - -krb5_context krb5__krb4_context = 0; - -char * -krb__get_srvtabname(default_srvtabname) - const char *default_srvtabname; -{ - const char* names[3]; - char **full_name = 0, **cpp; - krb5_error_code retval; - char *retname; - - if (!krb5__krb4_context) { - retval = krb5_init_context(&krb5__krb4_context); - if (!retval) - return NULL; - } - names[0] = "libdefaults"; - names[1] = "krb4_srvtab"; - names[2] = 0; - retval = profile_get_values(krb5__krb4_context->profile, names, - &full_name); - if (retval == 0 && full_name && full_name[0]) { - retname = strdup(full_name[0]); - for (cpp = full_name; *cpp; cpp++) - krb5_xfree(*cpp); - krb5_xfree(full_name); - } else { - retname = strdup(default_srvtabname); - } - return retname; -} - -/* - * Returns an open file handle to the configuration file. This - * file was called "krb.conf" on Unix. Here we search for the entry - * "krb.conf=" in the "[FILES]" section of the "kerberos.ini" file - * located in the Windows directory. If the entry doesn't exist in - * the kerberos.ini file, then "krb.con" in the Windows directory is - * used in its place. 
- */ -FILE* -krb__get_cnffile() -{ - FILE *cnffile = 0; - char cnfname[FILENAME_MAX]; - char defname[FILENAME_MAX]; - UINT rc; - - defname[sizeof(defname) - 1] = '\0'; - rc = GetWindowsDirectory(defname, sizeof(defname) - 1); - assert(rc > 0); - - strncat(defname, "\\", sizeof(defname) - 1 - strlen(defname)); - - strncat(defname, DEF_KRB_CONF, sizeof(defname) - 1 - strlen(defname)); - - cnfname[sizeof(cnfname) - 1] = '\0'; - GetPrivateProfileString(INI_FILES, INI_KRB_CONF, defname, - cnfname, sizeof(cnfname) - 1, KERBEROS_INI); - - cnffile = fopen(cnfname, "r"); - if (cnffile) - set_cloexec_file(cnffile); - - return cnffile; -} - - -/* - * Returns an open file handle to the realms file. This - * file was called "krb.realms" on Unix. Here we search for the entry - * "krb.realms=" in the "[FILES]" section of the "kerberos.ini" file - * located in the Windows directory. If the entry doesn't exist in - * the kerberos.ini file, then "krb.rea" in the Windows directory is - * used in its place. - */ -FILE* -krb__get_realmsfile() -{ - FILE *realmsfile = 0; - char realmsname[FILENAME_MAX]; - char defname[FILENAME_MAX]; - UINT rc; - - defname[sizeof(defname) - 1] = '\0'; - rc = GetWindowsDirectory(defname, sizeof(defname) - 1); - assert(rc > 0); - - strncat(defname, "\\", sizeof(defname) - 1 - strlen(defname)); - - strncat(defname, DEF_KRB_REALMS, sizeof(defname) - 1 - strlen(defname)); - - defname[sizeof(defname) - 1] = '\0'; - GetPrivateProfileString(INI_FILES, INI_KRB_REALMS, defname, - realmsname, sizeof(realmsname) - 1, KERBEROS_INI); - - realmsfile = fopen(realmsname, "r"); - if (realmsfile) - set_cloexec_file(realmsfile); - - return realmsfile; -} - - -/* - * Returns the current default user. This information is stored in - * the [DEFAULTS] section of the "kerberos.ini" file located in the - * Windows directory. 
- */ -char * KRB5_CALLCONV -krb_get_default_user() -{ - static char username[ANAME_SZ]; - - GetPrivateProfileString(INI_DEFAULTS, INI_USER, "", - username, sizeof(username), KERBEROS_INI); - - return username; -} - - -/* - * Sets the default user name stored in the "kerberos.ini" file. - */ -int KRB5_CALLCONV -krb_set_default_user(username) - char *username; -{ - BOOL rc; - - rc = WritePrivateProfileString(INI_DEFAULTS, INI_USER, - username, KERBEROS_INI); - - if (rc) - return KSUCCESS; - else - return KFAILURE; -} diff --git a/src/lib/krb4/win_time.c b/src/lib/krb4/win_time.c deleted file mode 100644 index 2560c3192..000000000 --- a/src/lib/krb4/win_time.c +++ /dev/null 
@@ -1,121 +0,0 @@ -/* - * win_time.c - * - * Glue code for pasting Kerberos into the Windows environment. - * - * Originally written by John Gilmore, Cygnus Support, May '94. - * Public Domain. - */ - -#include "krb.h" - -#include -#include -#include -#include -#include -#include - -#ifdef _WIN32 - -unsigned KRB4_32 -win_time_gmt_unixsec (usecptr) - unsigned KRB4_32 *usecptr; -{ - struct _timeb timeptr; - - _ftime(&timeptr); /* Get the current time */ - - if (usecptr) - *usecptr = timeptr.millitm * 1000; - - return timeptr.time + CONVERT_TIME_EPOCH; -} - -#else - -/* - * Time handling. Translate Unix time calls into Kerberos internal - * procedure calls. See ../../include/c-win.h. - * - * Due to the fact that DOS time can be unreliable we have reverted - * to using the AT hardware clock and converting it to Unix time. - */ - -unsigned KRB4_32 -win_time_gmt_unixsec (usecptr) - unsigned KRB4_32 *usecptr; -{ - struct tm tm; - union _REGS inregs; - union _REGS outregs; - struct _timeb now; - time_t time; - - _ftime(&now); - - #if 0 - if (usecptr) - *usecptr = now.millitm * 1000; - #endif - - /* Get time from AT hardware clock INT 0x1A, AH=2 */ - memset(&inregs, 0, sizeof(inregs)); - inregs.h.ah = 2; - - _int86(0x1a, &inregs, &outregs); - - /* 0x13 = decimal 13, hence the decoding below */ - tm.tm_sec = 10 * ((outregs.h.dh & 0xF0) >> 4) + (outregs.h.dh & 0x0F); - tm.tm_min = 10 * ((outregs.h.cl & 0xF0) >> 4) + (outregs.h.cl & 0x0F); - tm.tm_hour = 10 * ((outregs.h.ch & 0xF0) >> 4) + (outregs.h.ch & 0x0F); - - /* Get date from AT hardware clock INT 0x1A, AH=4 */ - memset(&inregs, 0, sizeof(inregs)); - inregs.h.ah = 4; - - _int86(0x1a, &inregs, &outregs); - - tm.tm_mday = 10 * ((outregs.h.dl & 0xF0) >> 4) + (outregs.h.dl & 0x0F); - tm.tm_mon = 10 * ((outregs.h.dh & 0xF0) >> 4) + (outregs.h.dh & 0x0F) - 1; - tm.tm_year = 10 * ((outregs.h.cl & 0xF0) >> 4) + (outregs.h.cl & 0x0F); - tm.tm_year += 100 * ((10 * (outregs.h.ch & 0xF0) >> 4) - + (outregs.h.ch & 0x0F) - 19); - - 
tm.tm_wday = 0; - tm.tm_yday = 0; - tm.tm_isdst = now.dstflag; - - time = mktime(&tm); - - if (usecptr) - *usecptr = 0; - - return time + CONVERT_TIME_EPOCH; -} - -#endif - -/* - * This routine figures out the current time epoch and returns the - * conversion factor. It exists because - * Microloss screwed the pooch on the time() and _ftime() calls in - * its release 7.0 libraries. They changed the epoch to Dec 31, 1899! - * Idiots... We try to cope. - */ - -static struct tm jan_1_70 = {0, 0, 0, 1, 0, 70}; -static long epoch = 0; -static int epoch_set = 0; - -long -win_time_get_epoch() -{ - - if (!epoch_set) { - epoch = - mktime (&jan_1_70); /* Seconds til 1970 localtime */ - epoch += timezone; /* Seconds til 1970 GMT */ - epoch_set = 1; - } - return epoch; -} diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c index 9e3116170..8627922b2 100644 --- a/src/lib/krb5/krb/t_kerb.c +++ b/src/lib/krb5/krb/t_kerb.c @@ -5,9 +5,6 @@ #include "krb5.h" #include "autoconf.h" -#ifdef KRB5_KRB4_COMPAT -#include "kerberosIV/krb.h" -#endif #include #include #include @@ -68,11 +65,9 @@ void test_524_conv_principal(krb5_context ctx, char *name) { krb5_principal princ = 0; krb5_error_code retval; -#ifndef KRB5_KRB4_COMPAT #define ANAME_SZ 40 #define INST_SZ 40 #define REALM_SZ 40 -#endif char aname[ANAME_SZ+1], inst[INST_SZ+1], realm[REALM_SZ+1]; aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0; diff --git a/src/tests/dejagnu/Makefile.in b/src/tests/dejagnu/Makefile.in index 83d73e9bf..ddc0da96e 100644 --- a/src/tests/dejagnu/Makefile.in +++ b/src/tests/dejagnu/Makefile.in @@ -7,7 +7,6 @@ RUNTESTFLAGS = KRB5_RUN_ENV= @KRB5_RUN_ENV@ PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) -KRB4_RUNTESTFLAGS=@KRB4_DEJAGNU_TEST@ SRCS=$(srcdir)/t_inetd.c 
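Review bot: With the `#ifndef KRB5_KRB4_COMPAT` guard gone, the `#define ANAME_SZ 40`, `INST_SZ` and `REALM_SZ` lines inside `test_524_conv_principal` are now the only definition of the sizes of `aname`, `inst` and `realm`, and nothing in the hunk ties them to the limits used by the conversion routine under test. The call itself is outside the hunk, but if that routine takes no length arguments, a mismatch would overflow these stack buffers instead of failing the test cleanly. I would add a comment above the defines, `/* Must match the krb4 name limits assumed by krb5_524_conv_principal(). */`, and move the three defines to file scope so they do not read as function-local. The function body continues outside the hunk.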
@@ -47,7 +46,6 @@ site.exp: runenv.vals Makefile sed -e 's%=\.%='`pwd`'/.%g' > site.exp echo "set KRB5_DB_MODULE_DIR {$(KRB5_DB_MODULE_DIR)}" >> site.exp echo "set PRIOCNTL_HACK @PRIOCNTL_HACK@" >> site.exp - echo set $(KRB4_RUNTESTFLAGS) | sed -e 's/=/ /' >> site.exp # +++ Dependency line eater +++ # diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index 97649d727..fc8a50730 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp @@ -821,7 +821,6 @@ proc modify_principal { name args } { # kadmind +4 # kpasswd +5 # (nothing) +6 -# krb524 +7 # application servers (krlogind, telnetd, krshd, ftpd, etc) +8 # iprop +9 (if enabled) # kpropd +10 @@ -1039,7 +1038,6 @@ proc setup_krb5_conf { {type client} } { } puts $conffile " krb4_config = $tmppwd/krb.conf" puts $conffile " krb4_realms = $tmppwd/krb.realms" - puts $conffile " krb4_srvtab = $tmppwd/v4srvtab" if { $mode == "tcp" } { puts $conffile " udp_preference_limit = 1" } @@ -1058,7 +1056,6 @@ proc setup_krb5_conf { {type client} } { puts $conffile " admin_server = $hostname:[expr 4 + $portbase]" puts $conffile " kpasswd_server = $hostname:[expr 5 + $portbase]" puts $conffile " default_domain = $domain" - puts $conffile " krb524_server = $hostname:[expr 7 + $portbase]" puts $conffile " database_module = foo_db2" puts $conffile " \}" puts $conffile "" @@ -1131,10 +1128,6 @@ proc setup_kerberos_env { {type client} } { set env(KRB5CCNAME) $tmppwd/tkt verbose "KRB5CCNAME=$env(KRB5CCNAME)" - # Direct the Kerberos programs at a local ticket file. - set env(KRBTKFILE) $tmppwd/tktv4 - verbose "KRBTKFILE=$env(KRBTKFILE)" - # Direct the Kerberos server at a cache file stored in the # temporary directory. set env(KRB5RCACHEDIR) $tmppwd 
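Review bot: In the `@@ -1039,7 +1038,6 @@` hunk of `setup_krb5_conf`, only the `krb4_srvtab` line is dropped; the two context lines `puts $conffile " krb4_config = $tmppwd/krb.conf"` and `puts $conffile " krb4_realms = $tmppwd/krb.realms"` still write krb4 settings into the generated krb5.conf. With the krb4 library removed, these settings presumably have no reader left and leave the test configuration describing a protocol the tree no longer builds. I would either delete both lines in this commit or add a comment above them, `# krb4_config/krb4_realms are unused after the krb4 removal; kept until <follow-up ticket>`. The proc body starts and ends outside the hunk.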
@@ -1762,7 +1755,7 @@ proc start_kerberos_daemons { standalone } { envstack_push setup_kerberos_env kdc - spawn $KRB5KDC -r $REALMNAME -n -4 full + spawn $KRB5KDC -r $REALMNAME -n full envstack_pop set kdc_pid [exp_pid] set kdc_spawn_id $spawn_id 
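Review bot: The new line `spawn $KRB5KDC -r $REALMNAME -n full` still carries `full`, which reads as the value of the removed `-4` option rather than an argument in its own right. Left in place, it reaches the KDC as a stray operand, so the test suite depends on the daemon ignoring trailing arguments. It would fail at startup if argument parsing were ever made stricter. I would change the line to `spawn $KRB5KDC -r $REALMNAME -n`. `start_kerberos_daemons` continues outside the hunk.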
@@ -2439,171 +2432,6 @@ proc v4_compatible_enctype {} { } } -# kinit -# Use kinit to get a ticket. If the argument is non-zero, call pass -# at relevant points. Returns 1 on success, 0 on failure. - -proc v4kinit { name pass standalone } { - global REALMNAME - global KINIT - global spawn_id - global des3_krbtgt - - # Use kinit to get a ticket. - # - # For now always get forwardable tickets. Later when we need to make - # tests that distiguish between forwardable tickets and otherwise - # we should but another option to this proc. --proven - # - spawn $KINIT -4 $name@$REALMNAME - expect { - "Password for $name@$REALMNAME:" { - verbose "v4kinit started" - } - timeout { - fail "v4kinit" - return 0 - } - eof { - fail "v4kinit" - return 0 - } - } - send "$pass\r" - expect eof - if {$des3_krbtgt == 0} { - if ![check_exit_status v4kinit] { - return 0 - } - } else { - # Fail if kinit is successful with a des3 TGT. - set status_list [wait -i $spawn_id] - set testname v4kinit - verbose "wait -i $spawn_id returned $status_list ($testname)" - if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 1 } { - verbose -log "exit status: $status_list" - fail "$testname (exit status)" - } - } - if {$standalone} { - pass "v4kinit" - } - - return 1 -} - -proc v4kinit_kt { name keytab standalone } { - global REALMNAME - global KINIT - global spawn_id - - # Use kinit to get a ticket. - # - # For now always get forwardable tickets. Later when we need to make - # tests that distiguish between forwardable tickets and otherwise - # we should but another option to this proc. --proven - # - spawn $KINIT -4 -k -t $keytab $name@$REALMNAME - expect { - timeout { - fail "v4kinit" - return 0 - } - eof { } - } - if ![check_exit_status kinit] { - return 0 - } - - if {$standalone} { - pass "v4kinit" - } - - return 1 -} - -# List v4 tickets. -# Client and server are regular expressions. 
-proc v4klist { client server testname } { - global KLIST - global tmppwd - - spawn $KLIST -4 - expect { - -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$client.*$server\r\n" { - verbose "klist started" - } - timeout { - fail $testname - return 0 - } - eof { - fail $testname - return 0 - } - } - - expect eof - - if ![check_exit_status $testname] { - return 0 - } - pass $testname - return 1 -} - -# Destroy tickets. -proc v4kdestroy { testname } { - global KDESTROY - spawn $KDESTROY -4 - if ![check_exit_status $testname] { - return 0 - } - pass $testname - return 1 -} - -# Try to list the krb4 tickets -- there shouldn't be any ticket file. -proc v4klist_none { testname } { - global KLIST - global tmppwd - - # Double check that the ticket was destroyed. - spawn $KLIST -4 - expect { - -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*klist: You have no tickets cached.*\r\n" { - verbose "v4klist started" - pass "$testname (output)" - } - timeout { - fail "$testname (output)" - # Skip the 'wait' below, if it's taking too long. - untested "$testname (exit status)" - return 0 - } - eof { - fail "$testname (output)" - } - } - # We can't use check_exit_status, because we expect an exit status - # of 1. - expect eof - set status_list [wait -i $spawn_id] - verbose "wait -i $spawn_id returned $status_list (v4klist)" - if { [lindex $status_list 2] != 0 } { - fail "$testname (exit status)" - return 0 - } else { - if { [lindex $status_list 3] != 1 } { - fail "$testname (exit status)" - return 0 - } else { - pass "$testname (exit status)" - } - } - return 1 -} - # Set up a root shell using rlogin $hostname -l root. This is used # when testing the daemons that must be run as root, such as telnetd # or rlogind. This sets the global variables rlogin_spawn_id and diff --git a/src/tests/dejagnu/krb-root/telnet.exp b/src/tests/dejagnu/krb-root/telnet.exp index 57b1e076a..17095b336 100644 --- a/src/tests/dejagnu/krb-root/telnet.exp 
+++ b/src/tests/dejagnu/krb-root/telnet.exp @@ -47,7 +47,7 @@ proc start_telnet_daemon { args } { # we don't need to use inetd. The portbase+8 is the port to listen at. # Note that tmppwd here is a shell variable, which is set in # setup_root_shell, not a TCL variable. - send -i $rlogin_spawn_id "sh -c \"$TELNETD $args -debug -t \$tmppwd/srvtab -R $REALMNAME -L $tmppwd/login.wrap -X KERBEROS_V4 [expr 8 + $portbase]\" &\r" + send -i $rlogin_spawn_id "sh -c \"$TELNETD $args -debug -t \$tmppwd/srvtab -R $REALMNAME -L $tmppwd/login.wrap [expr 8 + $portbase]\" &\r" expect { -i $rlogin_spawn_id -re "$ROOT_PROMPT" { } diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/dejagnu/krb-standalone/standalone.exp index ca601ef48..ad14bcc7d 100644 --- a/src/tests/dejagnu/krb-standalone/standalone.exp +++ b/src/tests/dejagnu/krb-standalone/standalone.exp 
@@ -175,47 +175,6 @@ proc doit { } { kinit_kt "foo/bar" $tmppwd/fookeytab 1 "kt kvno $vno" do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist kt foo/bar vno $vno" do_kdestroy "kdestroy foo/bar vno $vno" - - if {[info exists KRBIV] && $KRBIV && - [regexp {des-cbc-[a-z0-9-]*:v4} [lindex $supported_enctypes 0]]} { - catch "exec rm -f $tmppwd/foosrvtab" - spawn $KTUTIL - expect_after { - timeout { fail "ktutil converting keytab to srvtab" ; set ok 0 } - eof { fail "ktutil converting keytab to srvtab" ; set ok 0 } - } - expect "ktutil: " - send "rkt $tmppwd/fookeytab\r" - expect -ex "rkt $tmppwd/fookeytab\r" - expect "ktutil: " -# for debugging, just log this -# send "list\r" -# expect "ktutil: " - # - send "wst $tmppwd/foosrvtab\r" - expect -ex "wst $tmppwd/foosrvtab\r" - expect "ktutil: " -# for debugging, just log this -# send "clear\r" -# expect "ktutil: " -# send "rst $tmppwd/foosrvtab\r" -# expect "ktutil: " -# send "list\r" -# expect "ktutil: " - # okay, now quit and finish testing - send "quit\r" - expect eof - catch expect_after - if [check_exit_status "ktutil converting keytab to srvtab (vno $vno)"] { - pass "ktutil converting keytab to srvtab (vno $vno)" - do_klist_kt $tmppwd/fookeytab "klist srvtab foo/bar vno $vno" - kinit_kt "foo/bar" "SRVTAB:$tmppwd/foosrvtab" 1 "st kvno $vno" - do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist st foo/bar vno $vno" - do_kdestroy "kdestroy st foo/bar vno $vno" - } - } else { - verbose "skipping v5kinit/srvtab tests because of non-v4 enctype" - } } catch "exec rm -f $keytab" # Check that kadmin.local can actually read the correct kvno, even diff --git a/src/tests/dejagnu/krb-standalone/v4gssftp.exp b/src/tests/dejagnu/krb-standalone/v4gssftp.exp deleted file mode 100644 index d75c57280..000000000 --- a/src/tests/dejagnu/krb-standalone/v4gssftp.exp +++ /dev/null 
@@ -1,508 +0,0 @@ -# Kerberos ftp test. -# This is a DejaGnu test script. -# This script tests Kerberos ftp. -# Originally written by Ian Lance Taylor, Cygnus Support, . -# Modified bye Ezra Peisach for GSSAPI support. - -# Find the programs we need. We use the binaries from the build tree -# if they exist. If they do not, then they must be in PATH. We -# expect $objdir to be .../kerberos/build/tests/dejagnu - -if ![info exists FTP] { - set FTP [findfile $objdir/../../appl/gssftp/ftp/ftp] -} - -if ![info exists FTPD] { - set FTPD [findfile $objdir/../../appl/gssftp/ftpd/ftpd] -} - -# If we do not have what is for a V4 test - return -if ![v4_compatible_enctype] { - return -} - -# A procedure to start up the ftp daemon. - -proc start_ftp_daemon { } { - global FTPD - global tmppwd - global ftpd_spawn_id - global ftpd_pid - global portbase - - # The -p argument tells it to accept a single connection, so we - # don't need to use inetd. Portbase+8 is the port to listen at. - # We rely on KRB5_KTNAME being set to the proper keyfile as there is - # no way to cleanly set it with the gssapi API. - # The -U argument tells it to use an alternate ftpusers file (using - # /dev/null will allow root to login regardless of /etc/ftpusers). - # The -a argument requires authorization, to mitigate any - # vulnerability introduced by circumventing ftpusers. - spawn $FTPD -p [expr 8 + $portbase] -a -U /dev/null -r $tmppwd/krb.conf - set ftpd_spawn_id $spawn_id - set ftpd_pid [exp_pid] - - # Give the ftp daemon a few seconds to get set up. - sleep 2 -} - -# A procedure to stop the ftp daemon. - -proc stop_ftp_daemon { } { - global ftpd_spawn_id - global ftpd_pid - - if [info exists ftpd_pid] { - catch "close -i $ftpd_spawn_id" - catch "exec kill $ftpd_pid" - catch "wait -i $ftpd_spawn_id" - unset ftpd_pid - } -} - -# Test that a file was copied correctly. 
-proc check_file { filename {bigfile 0}} { - if ![file exists $filename] { - verbose "$filename does not exist" - send_log "$filename does not exist\n" - return 0 - } - - set file [open $filename r] - if { [gets $file line] == -1 } { - verbose "$filename is empty" - send_log "$filename is empty\n" - close $file - return 0 - } - - if ![string match "This file is used for ftp testing." $line] { - verbose "$filename contains $line" - send_log "$filename contains $line\n" - close $file - return 0 - } - - if {$bigfile} { - # + 1 for the newline - seek $file 1048577 current - if { [gets $file line] == -1 } { - verbose "$filename is truncated" - send_log "$filename is truncated\n" - close $file - return 0 - } - - if ![string match "This file is used for ftp testing." $line] { - verbose "$filename contains $line" - send_log "$filename contains $line\n" - close $file - return 0 - } - } - - if { [gets $file line] != -1} { - verbose "$filename is too long ($line)" - send_log "$filename is too long ($line)\n" - close $file - return 0 - } - - close $file - - return 1 -} - -# -# Restore environment variables possibly set. -# -proc ftp_restore_env { } { - global env - global ftp_save_ktname - global ftp_save_ccname - - catch "unset env(KRB5_KTNAME)" - if [info exists ftp_save_ktname] { - set env(KRB5_KTNAME) $ftp_save_ktname - unset ftp_save_ktname - } - - catch "unset env(KRB5CCNAME)" - if [info exists ftp_save_ccname] { - set env(KRB5CCNAME) $ftp_save_ccname - unset ftp_save_ccname - } -} - -# Wrap the tests in a procedure, so that we can kill the daemons if -# we get some sort of error. 
- -proc v4ftp_test { } { - global FTP - global KEY - global REALMNAME - global hostname - global localhostname - global env - global ftpd_spawn_id - global ftpd_pid - global spawn_id - global tmppwd - global ftp_save_ktname - global ftp_save_ccname - global des3_krbtgt - global portbase - - if {$des3_krbtgt} { - return - } - # Start up the kerberos and kadmind daemons and get a srvtab and a - # ticket file. - if {![start_kerberos_daemons 0] \ - || ![add_random_key ftp/$hostname 0] \ - || ![setup_srvtab 0 ftp] \ - || ![add_kerberos_key $env(USER) 0] \ - || ![v4kinit $env(USER) $env(USER)$KEY 0]} { - return - } - - # - # Save settings of KRB5_KTNAME - # - if [info exists env(KRB5_KTNAME)] { - set ftp_save_ktname $env(KRB5_KTNAME) - } - - # - # set KRB5_KTNAME - # - set env(KRB5_KTNAME) FILE:$tmppwd/srvtab - verbose "KRB5_KTNAME=$env(KRB5_KTNAME)" - - # - # Save settings of KRB5CCNAME - # These tests fail if the krb5 cache happens to have a valid credential - # which can result from running the gssftp.exp test immediately - # preceeding these tests. - # - if [info exists env(KRB5CCNAME)] { - set ftp_save_ccname $env(KRB5CCNAME) - } - - # - # set KRB5_KTNAME - # - set env(KRB5CCNAME) FILE:$tmppwd/non-existant-cache - verbose "KRB5CCNAME=$env(KRB5CCNAME)" - - # Start the ftp daemon. - start_ftp_daemon - - # Make an ftp client connection to it. - spawn $FTP $hostname [expr 8 + $portbase] - - expect_after { - timeout { - fail "$testname (timeout)" - catch "expect_after" - return - } - eof { - fail "$testname (eof)" - catch "expect_after" - return - } - } - - set testname "ftp connection(v4)" - expect -nocase "connected to $hostname" - expect -nocase -re "$localhostname.*ftp server .version \[0-9.\]*. ready." 
- expect -re "Using authentication type GSSAPI; ADAT must follow" - expect "GSSAPI accepted as authentication type" - expect -re "GSSAPI error major: (Unspecified GSS|Miscellaneous) failure" - expect { - "GSSAPI error minor: Unsupported credentials cache format version number" {} - "GSSAPI error minor: No credentials cache found" {} - -re "GSSAPI error minor: Credentials cache file '.*' not found" {} - "GSSAPI error minor: Decrypt integrity check failed" {} - } - expect "GSSAPI error: initializing context" - expect "GSSAPI authentication failed" - expect -re "Using authentication type KERBEROS_V4; ADAT must follow" - expect { - "Kerberos V4 authentication succeeded" { pass "ftp authentication" } - eof { fail "ftp authentication" ; catch "expect_after" ; return } - -re "Kerberos V4 .* failed.*\r" { - fail "ftp authentication"; - send "quit\r"; catch "expect_after"; - return - } - } - expect -nocase "name ($hostname:$env(USER)): " - send "$env(USER)\r" - expect "Kerberos user $env(USER)@$REALMNAME is authorized as $env(USER)" - expect "Remote system type is UNIX." - expect "Using binary mode to transfer files." - expect "ftp> " { - pass $testname - } - - set testname "binary(v4)" - send "binary\r" - expect "ftp> " { - pass $testname - } - - set testname "status(v4)" - send "status\r" - expect -nocase "connected to $hostname." - expect "Authentication type: KERBEROS_V4" - expect "ftp> " { - pass $testname - } - - set testname "ls(v4)" - send "ls $tmppwd/ftp-test\r" - expect -re "Opening ASCII mode data connection for .*ls." - expect -re ".* $tmppwd/ftp-test" - expect "ftp> " { - pass $testname - } - - set testname "nlist(v4)" - send "nlist $tmppwd/ftp-test\r" - expect -re "Opening ASCII mode data connection for file list." - expect -re "$tmppwd/ftp-test" - expect -re ".* Transfer complete." - expect "ftp> " { - pass $testname - } - - set testname "ls missing(v4)" - send "ls $tmppwd/ftp-testmiss\r" - expect -re "Opening ASCII mode data connection for .*ls." 
- expect { - -re "$tmppwd/ftp-testmiss not found" {} - -re "$tmppwd/ftp-testmiss: No such file or directory" - } - expect "ftp> " { - pass $testname - } - - - set testname "get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get $tmppwd/ftp-test $tmppwd/copy\r" - expect "Opening BINARY mode data connection for $tmppwd/ftp-test" - expect "Transfer complete" - expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" - expect "ftp> " - if [check_file $tmppwd/copy] { - pass $testname - } else { - fail $testname - } - - set testname "put(v4)" - catch "exec rm -f $tmppwd/copy" - send "put $tmppwd/ftp-test $tmppwd/copy\r" - expect "Opening BINARY mode data connection for $tmppwd/copy" - expect "Transfer complete" - expect -re "\[0-9\]+ bytes sent in \[0-9.e-\]+ seconds" - expect "ftp> " - if [check_file $tmppwd/copy] { - pass $testname - } else { - fail $testname - } - - set testname "cd(v4)" - send "cd $tmppwd\r" - expect "CWD command successful." - expect "ftp> " { - pass $testname - } - - set testname "lcd(v4)" - send "lcd $tmppwd\r" - expect "Local directory now $tmppwd" - expect "ftp> " { - pass $testname - } - - set testname "local get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get ftp-test copy\r" - expect "Opening BINARY mode data connection for ftp-test" - expect "Transfer complete" - expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" - expect "ftp> " - if [check_file $tmppwd/copy] { - pass $testname - } else { - fail $testname - } - - set testname "big local get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get bigftp-test copy\r" - expect "Opening BINARY mode data connection for bigftp-test" - expect "Transfer complete" - expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" - expect "ftp> " - if [check_file $tmppwd/copy 1] { - pass $testname - } else { - fail $testname - } - - set testname "start encryption(v4)" - send "private\r" - expect "Data channel protection level set to private" - expect "ftp> " { - pass $testname - } - - set 
testname "status(v4)" - send "status\r" - expect "Protection Level: private" - expect "ftp> " { - pass $testname - } - - set testname "encrypted get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get ftp-test copy\r" - expect "Opening BINARY mode data connection for ftp-test" - expect "Transfer complete" - expect { - -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" {} - -re "krb_rd_priv failed for KERBEROS_V4" { - fail $testname - send "quit\r" - catch "expect_after" - return - } - } - expect "ftp> " - if [check_file $tmppwd/copy] { - pass $testname - } else { - fail $testname - } - - - # Test a large file that will overflow PBSZ size - set testname "big encrypted get(v4)" - catch "exec rm -f $tmppwd/copy" - send "get bigftp-test copy\r" - expect "Opening BINARY mode data connection for bigftp-test" - expect "Transfer complete" - expect { - -re "\[0-9\]+ bytes received in \[0-9.e+-\]+ seconds" {} - -re "krb_rd_priv failed for KERBEROS_V4" { - fail $testname - send "quit\r" - catch "expect_after" - return - } - } - expect "ftp> " - if [check_file $tmppwd/copy 1] { - pass $testname - } else { - fail $testname - } - - set testname "close(v4)" - send "close\r" - expect "Goodbye." - expect "ftp> " - set status_list [wait -i $ftpd_spawn_id] - verbose "wait -i $ftpd_spawn_id returned $status_list ($testname)" - catch "close -i $ftpd_spawn_id" - if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 0 } { - send_log "exit status: $status_list\n" - verbose "exit status: $status_list" - fail $testname - } else { - pass $testname - unset ftpd_pid - } - - set testname "quit(v4)" - send "quit\r" - expect_after - expect eof - if [check_exit_status $testname] { - pass $testname - } - -} - -run_once v4gssftp { - # Make sure .klogin is reasonable. - if ![check_k5login ftp] { - return - } - - if ![check_klogin ftp] { - return - } - - # Set up the kerberos database. 
- if {![get_hostname] \ - || ![setup_kerberos_files] \ - || ![setup_kerberos_env] \ - || ![setup_kerberos_db 0]} { - return - } - - # Create a file to use for ftp testing. - set file [open $tmppwd/ftp-test w] - puts $file "This file is used for ftp testing." - close $file - - # Create a large file to use for ftp testing. File needs to be - # larger that 2^20 or 1MB for PBSZ testing. - set file [open $tmppwd/bigftp-test w] - puts $file "This file is used for ftp testing.\n" - seek $file 1048576 current - puts $file "This file is used for ftp testing." - close $file - - # The ftp client will look in $HOME/.netrc for the user name to use. - # To avoid confusing the testsuite, point $HOME at a directory where - # we know there is no .netrc file. - if [info exists env(HOME)] { - set home $env(HOME) - } elseif [info exists home] { - unset home - } - set env(HOME) $tmppwd - - # Run the test. Logging in sometimes takes a while, so increase the - # timeout. - set oldtimeout $timeout - set timeout 60 - set status [catch v4ftp_test msg] - set timeout $oldtimeout - - # Shut down the kerberos daemons and the ftp daemon. - stop_kerberos_daemons - - stop_ftp_daemon - - ftp_restore_env - - # Reset $HOME, for safety in case we are going to run more tests. - if [info exists home] { - set env(HOME) $home - } else { - unset env(HOME) - } - - if { $status != 0 } { - perror "error in v4gssftp.exp: $msg" - } -} diff --git a/src/tests/dejagnu/krb-standalone/v4krb524d.exp b/src/tests/dejagnu/krb-standalone/v4krb524d.exp deleted file mode 100644 index d78f14ba3..000000000 --- a/src/tests/dejagnu/krb-standalone/v4krb524d.exp +++ /dev/null 
@@ -1,168 +0,0 @@ -# Standalone Kerberos test. -# This is a DejaGnu test script. -# This script tests that the Kerberos tools can talk to each other. - -# This mostly just calls procedures in testsuite/config/default.exp. - -if ![info exists K524INIT] { - set K524INIT [findfile $objdir/../../krb524/k524init] -} - -if ![info exists KRB524D] { - set KRB524D [findfile $objdir/../../krb524/krb524d] -} - -if ![info exists KLIST] { - set KLIST [findfile $objdir/../../clients/klist/klist] -} - -if ![info exists KDESTROY] { - set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy] -} - -# Set up the Kerberos files and environment. -if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} { - return -} - -# If we do not have what is for a V4 test - return -if ![v4_compatible_enctype] { - return -} - -# Initialize the Kerberos database. The argument tells -# setup_kerberos_db that it is being called from here. -if ![setup_kerberos_db 1] { - return -} - -# A procedure to stop the krb524 daemon. -proc start_k524_daemon { } { - global KRB524D - global k524d_spawn_id - global k524d_pid - global REALMNAME - global portbase - - spawn $KRB524D -m -p [expr 7 + $portbase] -r $REALMNAME -nofork - set k524d_spawn_id $spawn_id - set k524d_pid [exp_pid] - - # Give the krb524d daemon a few seconds to get set up. - sleep 2 -} - -# A procedure to stop the krb524 daemon. -proc stop_k524_daemon { } { - global k524d_spawn_id - global k524d_pid - - if [info exists k524d_pid] { - catch "close -i $k524d_spawn_id" - catch "exec kill $k524d_pid" - catch "wait -i $k524d_spawn_id" - unset k524d_pid - } -} - -# We are about to start up a couple of daemon processes. We do all -# the rest of the tests inside a proc, so that we can easily kill the -# processes when the procedure ends. 
- -proc doit { } { - global env - global KEY - global K524INIT - # To pass spawn_id to the wait process - global spawn_id - global KLIST - global KDESTROY - global tmppwd - global REALMNAME - global des3_krbtgt - - if {$des3_krbtgt} { - return - } - # Start up the kerberos and kadmind daemons. - if ![start_kerberos_daemons 1] { - return - } - - # Add a user key and get a V5 ticket - if {![add_kerberos_key $env(USER) 0] \ - || ![kinit $env(USER) $env(USER)$KEY 0]} { - return - } - - # Start the krb524d daemon. - start_k524_daemon - - # The k524init program does not advertise anything on success - - #only failure. - spawn $K524INIT - expect { - -timeout 10 - -re "k524init: .*\r" { - fail "k524init" - return - } - eof {} - timeout {} - } - - - if ![check_exit_status "k524init"] { - return - } - pass "k524init" - - # Make sure that klist can see the ticket. - spawn $KLIST -4 - expect { - -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$env(USER)@$REALMNAME.*krbtgt\.$REALMNAME@$REALMNAME\r\n" { - verbose "klist started" - } - timeout { - fail "v4klist" - return - } - eof { - fail "v4klist" - return - } - } - - expect { - "\r" { } - eof { } - } - - if ![check_exit_status "klist"] { - return - } - pass "krb524d: v4klist" - - # Destroy the ticket. - spawn $KDESTROY -4 - if ![check_exit_status "kdestroy"] { - return - } - pass "krb524d: v4kdestroy" - - pass "krb524d: krb524d" -} - -set status [catch doit msg] - -stop_kerberos_daemons - -stop_k524_daemon - -if { $status != 0 } { - send_error "ERROR: error in v4krb524d.exp\n" - send_error "$msg\n" - exit 1 -} - - diff --git a/src/tests/dejagnu/krb-standalone/v4standalone.exp b/src/tests/dejagnu/krb-standalone/v4standalone.exp deleted file mode 100644 index cc42e8dab..000000000 --- a/src/tests/dejagnu/krb-standalone/v4standalone.exp +++ /dev/null 
@@ -1,95 +0,0 @@ -# Standalone Kerberos test. -# This is a DejaGnu test script. -# This script tests that the Kerberos tools can talk to each other. - -# This mostly just calls procedures in testsuite/config/default.exp. - -# Set up the Kerberos files and environment. -if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} { - return -} - -# If we do not have what is for a V4 test - return -if ![v4_compatible_enctype] { - return -} - -# Initialize the Kerberos database. The argument tells -# setup_kerberos_db that it is being called from here. -if ![setup_kerberos_db 1] { - return -} - -# We are about to start up a couple of daemon processes. We do all -# the rest of the tests inside a proc, so that we can easily kill the -# processes when the procedure ends. - -proc check_and_destroy_v4_tix { client server } { - global REALMNAME - global des3_krbtgt - - # Skip this if we're using a des3 TGT, since that's supposed to fail. - if {$des3_krbtgt} { - return - } - # Make sure that klist can see the ticket. - if ![v4klist "$client" "$server" "v4klist"] { - return - } - - # Destroy the ticket. - if ![v4kdestroy "v4kdestroy"] { - return - } - - if ![v4klist_none "v4klist no tix 1"] { - return - } -} - -proc doit { } { - global REALMNAME - global KLIST - global KDESTROY - global KEY - global hostname - global spawn_id - global tmppwd - - # Start up the kerberos and kadmind daemons. - if ![start_kerberos_daemons 1] { - return - } - - # Use kadmin to add an host key. - if ![add_random_key host/$hostname 1] { - return - } - - # Use ksrvutil to create a srvtab entry. - if ![setup_srvtab 1] { - return - } - - # Use kinit to get a ticket. - if [v4kinit krbtest.admin adminpass$KEY 1] { - check_and_destroy_v4_tix krbtest.admin@$REALMNAME krbtgt.$REALMNAME@$REALMNAME - } - - # Use kinit with srvtab to get a ticket. - # XXX - Currently kinit doesn't support "-4 -k"! -# set shorthost [string range $hostname 0 [expr [string first . 
$hostname] - 1]] -# if [v4kinit_kt host.$shorthost SRVTAB:$tmppwd/srvtab 1] { -# check_and_destroy_v4_tix host.$shorthost@$REALMNAME krbtgt.$REALMNAME@$REALMNAME -# } -} - -set status [catch doit msg] - -stop_kerberos_daemons - -if { $status != 0 } { - send_error "ERROR: error in v4standalone.exp\n" - send_error "$msg\n" - exit 1 -} diff --git a/src/util/depfix.pl b/src/util/depfix.pl index dfe774251..71142127d 100644 --- a/src/util/depfix.pl +++ b/src/util/depfix.pl @@ -162,10 +162,6 @@ sub do_subs_2 { $_ = &uniquify($_); - # Some krb4 dependencies should only be present if building with krb4 - # enabled. - s;\$\(BUILDTOP\)/include/kerberosIV/krb_err.h ;\$(KRB_ERR_H_DEP) ;g; - # Delete trailing whitespace. s; *$;;g; diff --git a/src/util/ss/Makefile.in b/src/util/ss/Makefile.in index 9d89de840..55359420e 100644 --- a/src/util/ss/Makefile.in +++ b/src/util/ss/Makefile.in @@ -233,7 +233,7 @@ utils.so utils.po $(OUTPRE)utils.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ utils.c options.so options.po $(OUTPRE)options.$(OBJEXT): $(BUILDTOP)/include/ss/ss_err.h \ $(COM_ERR_DEPS) copyright.h options.c ss.h -cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h +cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.o: $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) \ ct.tab.c ss.h ss_err.so ss_err.po $(OUTPRE)ss_err.$(OBJEXT): $(COM_ERR_DEPS) \ -- 2.26.2
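Review bot: Dropping `ct.tab.h` from the prerequisites of `cmd_tbl.lex.o` in `src/util/ss/Makefile.in` is not explained by the krb4 removal and may lose a real ordering edge. If `cmd_tbl.lex.c` still includes the generated `ct.tab.h` (not visible in this hunk), a parallel build can compile the lexer object before the header exists. A change to the header would also no longer trigger a rebuild. Unless the include was removed elsewhere, I would keep `cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h`, or state in the commit message why the header is no longer needed.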