From bb08b522cb5381f36cb012220a1ecb47d75dee10 Mon Sep 17 00:00:00 2001 
From: Theodore Tso Date: Sat, 18 Dec 1993 03:04:55 +0000 Subject: [PATCH] Removing old gssapi implementation git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3204 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/gssapi/README | 8 - src/lib/gssapi/ac_cred.c | 143 ---- src/lib/gssapi/acc_sec.c | 285 -------- src/lib/gssapi/check_tok.c | 64 -- src/lib/gssapi/cmp_name.c | 42 -- src/lib/gssapi/comp_oid.c | 38 -- src/lib/gssapi/dsp_name.c | 49 -- src/lib/gssapi/dsp_status.c | 147 ---- src/lib/gssapi/gssapi.h | 359 ---------- src/lib/gssapi/imp_name.c | 106 --- src/lib/gssapi/ind_mechs.c | 52 -- src/lib/gssapi/init_sec.c | 290 -------- src/lib/gssapi/make_tok.c | 63 -- src/lib/gssapi/rel_buffer.c | 42 -- src/lib/gssapi/rel_cred.c | 43 -- src/lib/gssapi/rel_name.c | 42 -- src/lib/gssapi/rel_oidset.c | 46 -- src/lib/gssapi/rel_sec.c | 45 -- src/lib/gssapi/sample/Imakefile | 59 -- src/lib/gssapi/sample/MAIL.KANNAN | 114 ---- src/lib/gssapi/sample/Makefile.bak | 396 ----------- src/lib/gssapi/sample/fcmd.c | 607 ----------------- src/lib/gssapi/sample/flogin.c | 729 -------------------- src/lib/gssapi/sample/flogind.c | 456 ------------- src/lib/gssapi/sample/gssapi.mail | 54 -- src/lib/gssapi/sample/kitest.c | 742 -------------------- src/lib/gssapi/sample/login.c | 1011 ---------------------------- src/lib/gssapi/sample/logutil.c | 140 ---- src/lib/gssapi/seal.c | 143 ---- src/lib/gssapi/sign.c | 86 --- src/lib/gssapi/unseal.c | 136 ---- src/lib/gssapi/verify.c | 83 --- 32 files changed, 6620 deletions(-) delete mode 100644 src/lib/gssapi/README delete mode 100644 src/lib/gssapi/ac_cred.c delete mode 100644 src/lib/gssapi/acc_sec.c delete mode 100644 src/lib/gssapi/check_tok.c delete mode 100644 src/lib/gssapi/cmp_name.c delete mode 100644 src/lib/gssapi/comp_oid.c delete mode 100644 src/lib/gssapi/dsp_name.c delete mode 100644 src/lib/gssapi/dsp_status.c delete mode 100644 src/lib/gssapi/gssapi.h delete mode 100644 src/lib/gssapi/imp_name.c delete mode 100644 
src/lib/gssapi/ind_mechs.c delete mode 100644 src/lib/gssapi/init_sec.c delete mode 100644 src/lib/gssapi/make_tok.c delete mode 100644 src/lib/gssapi/rel_buffer.c delete mode 100644 src/lib/gssapi/rel_cred.c delete mode 100644 src/lib/gssapi/rel_name.c delete mode 100644 src/lib/gssapi/rel_oidset.c delete mode 100644 src/lib/gssapi/rel_sec.c delete mode 100644 src/lib/gssapi/sample/Imakefile delete mode 100644 src/lib/gssapi/sample/MAIL.KANNAN delete mode 100644 src/lib/gssapi/sample/Makefile.bak delete mode 100644 src/lib/gssapi/sample/fcmd.c delete mode 100644 src/lib/gssapi/sample/flogin.c delete mode 100644 src/lib/gssapi/sample/flogind.c delete mode 100644 src/lib/gssapi/sample/gssapi.mail delete mode 100644 src/lib/gssapi/sample/kitest.c delete mode 100644 src/lib/gssapi/sample/login.c delete mode 100644 src/lib/gssapi/sample/logutil.c delete mode 100644 src/lib/gssapi/seal.c delete mode 100644 src/lib/gssapi/sign.c delete mode 100644 src/lib/gssapi/unseal.c delete mode 100644 src/lib/gssapi/verify.c diff --git a/src/lib/gssapi/README b/src/lib/gssapi/README deleted file mode 100644 index dd1a07459..000000000 --- a/src/lib/gssapi/README +++ /dev/null @@ -1,8 +0,0 @@ -WARNING! The contents of this directory are Alpha-test quality at -best. The definition of the GSS API is still in flux, and this code -has not really been tested due to a lack of an implementation to link -against. - -Look in doc/gss/* for more information. - - diff --git a/src/lib/gssapi/ac_cred.c b/src/lib/gssapi/ac_cred.c deleted file mode 100644 index 9019049ee..000000000 --- a/src/lib/gssapi/ac_cred.c +++ /dev/null 
@@ -1,143 +0,0 @@ -/* - * ac_cred.c --- gss_acquire_cred - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -/* - * Note: There are really two kinds of credentials in Kerberos V5... - * the first kind is for users, and we use a krb5_ccache to get at - * that. The second kind is for servers, and we use a krb5_keytab to - * point at that. - * - * It is possible to convert from one to another, but we don't address - * that right now. - * - * XXX We need to do something with time_rec. 
- */ - -#include - -char *gss_krb5_fetchfrom = NULL; - -OM_uint32 gss_acquire_cred(minor_status, desired_name, time_req, - desired_mechs, cred_usage, output_cred_handle, - actual_mechs, time_rec) - OM_uint32 *minor_status; - gss_name_t desired_name; - OM_uint32 time_req; - gss_OID_set desired_mechs; - int cred_usage; - gss_cred_id_t *output_cred_handle; - gss_OID_set *actual_mechs; - OM_uint32 *time_rec; -{ - krb5_keytab_entry entry; - krb5_keytab keytabid; - int do_kerberos = 0; - int i; - krb5_error_code retval; - - *minor_status = 0; - - /* - * Figure out which mechanism we should be using. - */ - if (desired_mechs == GSS_C_NULL_OID_SET) - do_kerberos++; - else { - for (i = 0; i <= desired_mechs->count; i++) { - if (gss_compare_OID(&desired_mechs->elements[i], - &gss_OID_krb5)) - do_kerberos++; - } - } - - /* - * Should we return failure here? - */ - if (!do_kerberos) - return(GSS_S_FAILURE); - output_cred_handle->cred_flags = 0; - - /* - * This is Kerberos V5 specific stuff starting here. - * First, let's try to search the keytab file. - * Applications that know what they are doing can mess with - * the variable gss_krb_fetchfrom. Otherwise, we use the - * system default keytab file. - */ - if (*minor_status = krb5_copy_principal(desired_name, - &output_cred_handle->principal)) { - return(GSS_S_FAILURE); - } - if (gss_krb5_fetchfrom) { - /* use the named keytab */ - retval = krb5_kt_resolve(gss_krb5_fetchfrom, &keytabid); - } else { - /* use default keytab */ - retval = krb5_kt_default(&keytabid); - } - if (!retval) { - retval = krb5_kt_get_entry(keytabid, desired_name, 0, - &entry); - (void) krb5_kt_close(keytabid); - if (!retval) { - output_cred_handle->cred_flags |= GSS_KRB_HAS_SRVTAB; - output_cred_handle->kvno = entry.vno; - output_cred_handle->srvtab = entry.key; - krb5_free_principal(entry.principal); - } - } - /* - * Now let's try opening the default credentials file and see - * if it contains the desired name. 
We could try searching - * some directory (like /tmp) if we really cared, but not for - * now. - * - * We're not even looking in the default credentials file - * right now. XXX - */ - - /* - * We're done, clean up and get out. - */ - if (actual_mechs) { - gss_OID_set set; - - if (!(set = (gss_OID_set) - malloc (sizeof(struct gss_OID_set_desc)))) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - set->count = 1; - set->elements = &gss_OID_krb5; - *actual_mechs = set; - } - return(GSS_S_COMPLETE); - -} - diff --git a/src/lib/gssapi/acc_sec.c b/src/lib/gssapi/acc_sec.c deleted file mode 100644 index d0cc43c19..000000000 --- a/src/lib/gssapi/acc_sec.c +++ /dev/null 
@@ -1,285 +0,0 @@ -/* - * acc_sec.c --- accept security context - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -extern krb5_flags krb5_kdc_default_options; - -/* - * To do in the future: - * - * * Support replay cache - * - * * Support delegation of credentials - * - * * Do something with time_rec - * - * * Should handle Kerberos error packets being sent back and - * forth. 
- */ - -static krb5_error_code gss_krb5_keyproc(DECLARG(krb5_pointer, cred_handle), - DECLARG(krb5_principal, principal), - DECLARG(krb5_kvno, vno), - DECLARG(krb5_keyblock **, key)) -OLDDECLARG(krb5_pointer, cred_handle) -OLDDECLARG(krb5_principal, principal) -OLDDECLARG(krb5_kvno, vno) -OLDDECLARG(krb5_keyblock **, key) -{ - gss_cred_id_t *creds; - - creds = (gss_cred_id_t *) cred_handle; - - if (krb5_principal_compare(creds->principal, principal)) { - if (creds->cred_flags & GSS_KRB_HAS_SRVTAB) { - *key = &creds->srvtab; - return(0); - } else - return(KRB5_KT_NOTFOUND); - } else - return(KRB5_KT_NOTFOUND); -} - - -OM_uint32 gss_accept_sec_context(minor_status, context_handle, - verifier_cred_handle, input_token, - channel, src_name, - mech_type, output_token, - ret_flags, time_rec, - delegated_cred_handle) - OM_uint32 *minor_status; - gss_ctx_id_t *context_handle; - gss_cred_id_t verifier_cred_handle; - gss_buffer_t input_token; - gss_channel_bindings channel; - gss_name_t *src_name; - gss_OID *mech_type; - gss_buffer_t output_token; - int *ret_flags; - OM_uint32 *time_rec; - gss_cred_id_t *delegated_cred_handle; -{ - krb5_rcache rcache; - krb5_address sender_addr; - krb5_data inbuf, outbuf; - krb5_principal server; - krb5_tkt_authent *authdat; - OM_uint32 retval; - gss_ctx_id_t context; - - *minor_status = 0; - - if (!context_handle) { - /* - * This is first call to accept_sec_context - * - * Make sure the input token is sane. - */ - if (retval = gss_check_token(minor_status, input_token, - GSS_API_KRB5_TYPE, - GSS_API_KRB5_REQ)) - return(retval); - inbuf.length = input_token->length-5; - inbuf.data = ( (char *) input_token->value)+5; - sender_addr.addrtype = channel->initiator_addrtype; - sender_addr.length = channel->initiator_address.length; - sender_addr.contents = (krb5_octet *) - channel->initiator_address.value; - server = verifier_cred_handle.principal; - /* - * Setup the replay cache. 
- */ - if (*minor_status = - krb5_get_server_rcache(krb5_princ_component(server, 1), - &rcache)) - return(GSS_S_FAILURE); - /* - * Now let's rip apart the packet - */ - if (*minor_status = krb5_rd_req(&inbuf, server, &sender_addr, - 0, gss_krb5_keyproc, - (krb5_pointer)&verifier_cred_handle, - rcache, &authdat)) - return(GSS_S_FAILURE); - if (*minor_status = krb5_rc_close(rcache)) - return(GSS_S_FAILURE); - - /* - * Allocate the context handle structure - */ - if (!(context = (gss_ctx_id_t) - malloc(sizeof(struct gss_ctx_id_desc)))) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - context->mech_type = &gss_OID_krb5; - context->flags = 0; - context->state = GSS_KRB_STATE_DOWN; - context->am_client = 0; - context->rcache = NULL; - - context->my_address.addrtype = channel->initiator_addrtype; - context->my_address.length = channel->initiator_address.length; - if (!(context->my_address.contents = (krb5_octet *) - malloc(context->my_address.length))) { - krb5_xfree(context); - return(GSS_S_FAILURE); - } - memcpy((char *) context->my_address.contents, - (char *) channel->initiator_address.value, - context->my_address.length); - context->his_address.addrtype = channel->acceptor_addrtype; - context->his_address.length = channel->acceptor_address.length; - if (!(context->his_address.contents = (krb5_octet *) - malloc(context->my_address.length))) { - krb5_xfree(context->my_address.contents); - krb5_xfree(context); - return(GSS_S_FAILURE); - } - memcpy((char *) context->his_address.contents, - (char *) channel->acceptor_address.value, - context->his_address.length); - - /* - * Do mutual authentication if requested. 
- */ - output_token->length = 0; - if ((authdat->ap_options & AP_OPTS_MUTUAL_REQUIRED)) { - krb5_ap_rep_enc_part repl; - /* - * Generate a random sequence number - */ - if (*minor_status = - krb5_generate_seq_number(authdat->ticket->enc_part2->session, - &context->my_seq_num)) { - krb5_xfree(context->his_address.contents); - krb5_xfree(context->my_address.contents); - krb5_xfree(context); - krb5_free_tkt_authent(authdat); - return(GSS_S_FAILURE); - } - - repl.ctime = authdat->authenticator->ctime; - repl.cusec = authdat->authenticator->cusec; - repl.subkey = authdat->authenticator->subkey; - repl.seq_number = context->my_seq_num; - - if (*minor_status = - krb5_mk_rep(&repl, - authdat->ticket->enc_part2->session, - &outbuf)) { - krb5_xfree(context->his_address.contents); - krb5_xfree(context->my_address.contents); - krb5_xfree(context); - krb5_free_tkt_authent(authdat); - return(GSS_S_FAILURE); - } - if (*minor_status = gss_make_token(minor_status, - GSS_API_KRB5_TYPE, - GSS_API_KRB5_REQ, - outbuf.length, - outbuf.data, - output_token)) { - krb5_xfree(context->his_address.contents); - krb5_xfree(context->my_address.contents); - krb5_xfree(context); - krb5_xfree(outbuf.data); - krb5_free_tkt_authent(authdat); - return(GSS_S_FAILURE); - } - } - - /* - * Fill in context handle structure - */ - if (*minor_status = - krb5_copy_principal(verifier_cred_handle.principal, - &context->me)) { - krb5_xfree(context->his_address.contents); - krb5_xfree(context->my_address.contents); - krb5_xfree(context); - return(GSS_S_FAILURE); - } - if (*minor_status = - krb5_copy_principal(authdat->authenticator->client, - &context->him)) { - krb5_free_principal(context->me); - krb5_xfree(context->his_address.contents); - krb5_xfree(context->my_address.contents); - krb5_xfree(context); - return(GSS_S_FAILURE); - } - if (*minor_status = - krb5_copy_keyblock(authdat->ticket->enc_part2->session, - &context->session_key)) { - krb5_free_principal(context->me); - krb5_free_principal(context->him); 
- krb5_xfree(context->his_address.contents); - krb5_xfree(context->my_address.contents); - krb5_xfree(context); - return(GSS_S_FAILURE); - } - context->his_seq_num = authdat->authenticator->seq_number; - context->cusec = authdat->authenticator->cusec; - context->ctime = authdat->authenticator->ctime; - context->flags = ((char *) input_token->value)[4]; - /* - * Strip out flags we don't support (yet) XXX - */ - context->flags &= ~(GSS_C_DELEG_FLAG | GSS_C_REPLAY_FLAG); - /* - * Deliver output parameters - */ - if (src_name) { - if (*minor_status = krb5_copy_principal(context->him, - src_name)) { - krb5_xfree(context->session_key->contents); - krb5_free_principal(context->me); - krb5_free_principal(context->him); - krb5_xfree(context->his_address.contents); - krb5_xfree(context->my_address.contents); - krb5_xfree(context); - return(GSS_S_FAILURE); - } - } - if (mech_type) - *mech_type = &gss_OID_krb5; - *ret_flags = context->flags; - if (time_rec) - *time_rec = GSS_TIME_REC_INDEFINITE; - return(GSS_S_COMPLETE); - } else { - /* - * Context is non-null, this is the second time through.... - */ - return(GSS_S_FAILURE); - } -} - diff --git a/src/lib/gssapi/check_tok.c b/src/lib/gssapi/check_tok.c deleted file mode 100644 index d17db98ab..000000000 --- a/src/lib/gssapi/check_tok.c +++ /dev/null 
@@ -1,64 +0,0 @@
-/*
- * check_tok.c --- Read a GSS API token and do error checking
- * checking on it.
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include
-
-OM_uint32 gss_check_token(DECLARG(OM_uint32 *, minor_status),
- DECLARG(gss_buffer_t, input_token),
- DECLARG(unsigned int, mechanism),
- DECLARG(unsigned int, type))
-OLDDECLARG(OM_uint32 *, minor_status)
-OLDDECLARG(gss_buffer_t, input_token)
-OLDDECLARG(unsigned int, mechanism)
-OLDDECLARG(unsigned int, type)
-{
- char *buf;
-
- *minor_status = 0;
-
- if (!input_token)
- return(GSS_S_CALL_INACCESSIBLE_READ);
-
- if (input_token->length < 4)
- return(GSS_S_DEFECTIVE_TOKEN);
-
- buf = input_token->value;
-
- if (buf[0] != GSS_API_IMPL_VERSION)
- return(GSS_S_DEFECTIVE_TOKEN);
-
- if (mechanism && (mechanism != buf[1]))
- return(GSS_S_BAD_MECH);
-
- if (type && (type != buf[2]))
- return(GSS_S_FAILURE | GSS_S_UNSEQ_TOKEN);
-
- return(GSS_S_COMPLETE);
-}
diff --git a/src/lib/gssapi/cmp_name.c b/src/lib/gssapi/cmp_name.c
deleted file mode 100644
index a1513c111..000000000
--- a/src/lib/gssapi/cmp_name.c
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * imp_name.c --- import_name
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include
-
-OM_uint32 gss_compare_name(minor_status, name1, name2, name_equal)
- OM_uint32 *minor_status;
- gss_name_t name1, name2;
- int *name_equal;
-{
- *minor_status = 0;
-
- *name_equal = krb5_principal_compare(name1, name2);
- return(GSS_S_COMPLETE);
-}
-
diff --git a/src/lib/gssapi/comp_oid.c b/src/lib/gssapi/comp_oid.c
deleted file mode 100644
index 88074ca0e..000000000
--- a/src/lib/gssapi/comp_oid.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * comp_oid.c --- compare OID's
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include
-
-int gss_compare_OID(oid1, oid2)
- gss_OID oid1, oid2;
-{
- if (oid1->length != oid2->length)
- return(0);
- return (!memcmp(oid1->elements, oid2->elements, oid1->length));
-}
diff --git a/src/lib/gssapi/dsp_name.c b/src/lib/gssapi/dsp_name.c
deleted file mode 100644
index c60502c8d..000000000
--- a/src/lib/gssapi/dsp_name.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * dsp_name.c --- display_name
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include
-
-OM_uint32 gss_display_name(minor_status, input_name, output_name_buffer,
- output_name_type)
- OM_uint32 *minor_status;
- gss_name_t input_name;
- gss_buffer_t output_name_buffer;
- gss_OID *output_name_type;
-{
- char *str;
-
- if (*minor_status = krb5_unparse_name(input_name, &str))
- return(GSS_S_FAILURE);
- output_name_buffer->value = str;
- output_name_buffer->length = strlen(str);
- if (output_name_type)
- *output_name_type = &gss_OID_krb5;
-
- return(GSS_S_COMPLETE);
-}
diff --git a/src/lib/gssapi/dsp_status.c b/src/lib/gssapi/dsp_status.c
deleted file mode 100644
index 4af6cc1a4..000000000
--- a/src/lib/gssapi/dsp_status.c
+++ /dev/null
@@ -1,147 +0,0 @@ -/* - * dsp_status.c --- display_status - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- * - * - */ - -#include - -#define GSS_CE_MASK 0xFF000000 -#define GSS_RE_MASK 0x00FF0000 -#define GSS_SS_MASK 0x0000FFFF - -#define GSS_CONTEXT_THIS(i) ((i) & 0xFFFF) -#define GSS_CONTEXT_NEXT(i) ((i) >> 16) - -struct gss_error_table { - int code; - int mask; - char *string; -}; - -static struct gss_error_table table[] = { - { GSS_S_CALL_INACCESSIBLE_READ, GSS_CE_MASK, - "GSSAPI Calling Error: Inaccessible read" }, - { GSS_S_CALL_INACCESSIBLE_WRITE, GSS_CE_MASK, - "GSSAPI Calling Error: Inaccessible write" }, - { GSS_S_CALL_BAD_STRUCTURE, GSS_CE_MASK, - "GSSAPI Calling Error: Bad Structure" }, - { GSS_S_BAD_MECH, GSS_RE_MASK, - "GSSAPI Routine Error: Bad Mechanism" }, - { GSS_S_BAD_NAME, GSS_RE_MASK, - "GSSAPI Routine Error: Bad Name" }, - { GSS_S_BAD_NAMETYPE, GSS_RE_MASK, - "GSSAPI Routine Error: Bad Nametype" }, - { GSS_S_BAD_BINDINGS, GSS_RE_MASK, - "GSSAPI Routine Error: Bad Bindings" }, - { GSS_S_BAD_STATUS, GSS_RE_MASK, - "GSSAPI Routine Error: Bad Status" }, - { GSS_S_BAD_SIG, GSS_RE_MASK, - "GSSAPI Routine Error: Invalid Signature" }, - { GSS_S_NO_CRED, GSS_RE_MASK, - "GSSAPI Routine Error: Missing Credentials" }, - { GSS_S_NO_CONTEXT, GSS_RE_MASK, - "GSSAPI Routine Error: Missing Context" }, - { GSS_S_DEFECTIVE_TOKEN, GSS_RE_MASK, - "GSSAPI Routine Error: Defective Token" }, - { GSS_S_DEFECTIVE_CREDENTIAL, GSS_RE_MASK, - "GSSAPI Routine Error: Defective Credential" }, - { GSS_S_CREDENTIALS_EXPIRED, GSS_RE_MASK, - "GSSAPI Routine Error: Credentials Expired" }, - { GSS_S_CONTEXT_EXPIRED, GSS_RE_MASK, - "GSSAPI Routine Error: Context expired" }, - { GSS_S_FAILURE, GSS_RE_MASK, - "GSSAPI Routine Error: Mechanism-specific failure" }, -}; -static int nentries = sizeof (struct gss_error_table) / sizeof (*table); - -OM_uint32 gss_display_status(minor_status, status_value, status_type, - mech_type, message_context, status_string) - OM_uint32 *minor_status; - int status_value; - int status_type; - gss_OID mech_type; - int *message_context; - gss_buffer_t 
status_string; -{ - const char *str; - int next; - int retval; - - *minor_status = 0; - - if (status_type == GSS_C_MECH_CODE) { - /* - * We only handle Kerberos V5... - */ - if ((mech_type != GSS_C_NULL_OID) && - !gss_compare_OID(mech_type, &gss_OID_krb5)) { - return(GSS_S_BAD_MECH); - } - str = error_message(status_value); - retval = GSS_S_COMPLETE; - goto return_message_found; - } else { - next = *message_context; - - if (next < 0 || next >= nentries) { - return(GSS_S_FAILURE); - } - if (next == 0) { - while (next < nentries) { - if ((status_value & table[next].mask) == - table[next].code) - break; - next++; - } - if (next >= nentries) - return(GSS_S_BAD_STATUS); - } - str = table[next].string; - next++; - while (next < nentries) { - if ((status_value & table[next].mask) == - table[next].code) - break; - next++; - } - if (next >= nentries) - retval = GSS_S_COMPLETE; - else - retval = GSS_S_CONTINUE_NEEDED; - *message_context = next; - } - -return_message_found: - status_string->length = strlen(str); - if (!(status_string->value = malloc(status_string->length))) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - strcpy(status_string->value, str); - return(GSS_S_COMPLETE); -} - diff --git a/src/lib/gssapi/gssapi.h b/src/lib/gssapi/gssapi.h deleted file mode 100644 index 0fc7c09be..000000000 --- a/src/lib/gssapi/gssapi.h +++ /dev/null 
@@ -1,359 +0,0 @@ -/* - * gssapi.h --- header file for the Kerberos 5 GSS API layer - */ - -#include -#include -#include -#include -#include -#include - -/* - * Some compilers can't handle void * - */ -#ifdef __STDC__ -#define Voidptr void * -#else -#define Voidptr char * -#endif - -typedef unsigned int OM_uint32; -typedef unsigned short OM_uint16; - -typedef struct gss_buffer_desc_struct { - size_t length; - Voidptr value; -} gss_buffer_desc, *gss_buffer_t; - -typedef struct gss_OID_desc { - OM_uint32 length; - void *elements; -} *gss_OID; - -typedef struct gss_OID_set_desc { - OM_uint32 count; - struct gss_OID_desc *elements; -} *gss_OID_set; - -typedef struct gss_ctx_id_desc { - gss_OID mech_type; - int state; - int flags; /* gss_init_sec_context flags */ - krb5_boolean am_client; /* True if I am the client */ - krb5_principal me; - krb5_principal him; /* Principal of the other side */ - krb5_address my_address; - krb5_address his_address; - krb5_keyblock *session_key; - krb5_rcache rcache; - krb5_int32 my_seq_num; - krb5_int32 his_seq_num; - krb5_int32 cusec; /* Client usec portion */ - krb5_timestamp ctime; /* Client sec portion */ -} *gss_ctx_id_t; - -/* structure for address */ -typedef struct gss_channel_bindings_struct { - OM_uint32 initiator_addrtype; - gss_buffer_desc initiator_address; - OM_uint32 acceptor_addrtype; - gss_buffer_desc acceptor_address; - gss_buffer_desc application_data; -} *gss_channel_bindings; - -#define GSS_C_AF_INET 0x0002 -#define GSS_C_AF_CHAOS 0x0005 -#define GSS_C_AF_XNS 0x0006 -#define GSS_C_AF_ISO 0x0007 -#define GSS_C_AF_DDP 0x0010 - -#define GSS_KRB_STATE_DOWN 1 -#define GSS_KRB_STATE_MUTWAIT 2 -#define GSS_KRB_STATE_UP 3 - -typedef krb5_principal gss_name_t; - -typedef struct gss_cred_id_desc { - krb5_principal principal; - gss_OID mech_type; - int cred_flags; - /* Client information */ - krb5_ccache ccache; - /* Server information */ - krb5_kvno kvno; - krb5_keyblock srvtab; -} gss_cred_id_t; - -#define GSS_KRB_HAS_CCACHE 
0x0001 -#define GSS_KRB_HAS_SRVTAB 0x0002 - -/* - * Optional parameters - */ - -#define GSS_C_NO_BUFFER ((gss_buffer_t) 0) -#define GSS_C_NULL_OID ((gss_OID) 0) -#define GSS_C_NULL_OID_SET ((gss_OID_set) 0) -#define GSS_C_NO_CREDENTIAL (gss_default_credentials) - -extern gss_cred_id_t gss_default_credentials; - -/* - * Indefinite time - */ -#define GSS_TIME_REC_INDEFINITE 2147483647 - -/* - * Token format: - * - * Byte 0: GSS API Implementation Version (currently 1) - * Byte 1: Mechanism Identifier (currently 1 means Kerberos V5) - * Byte 2: Token type - * Byte 3: Reserved - * Byte 4--n: Mechanism/Token information - */ - -#define GSS_API_IMPL_VERSION 1 - -#define GSS_API_KRB5_TYPE 1 - -/* Token types */ -#define GSS_API_KRB5_REQ 1 -#define GSS_API_KRB5_REP 2 -#define GSS_API_KRB5_SAFE 3 -#define GSS_API_KRB5_PRIV 4 -#define GSS_API_KRB5_SIGN 5 -#define GSS_API_KRB5_ERROR 6 -#define GSS_API_KRB5_SHUTDOWN 31 - -/* - * Calling errors - */ -#define GSS_S_CALL_INACCESSIBLE_READ (1 << 24) -#define GSS_S_CALL_INACCESSIBLE_WRITE (2 << 24) -#define GSS_S_CALL_BAD_STRUCTURE (3 << 24) - -/* - * Routine Errors - */ -#define GSS_S_BAD_MECH (1 << 16) -#define GSS_S_BAD_NAME (2 << 16) -#define GSS_S_BAD_NAMETYPE (3 << 16) -#define GSS_S_BAD_BINDINGS (4 << 16) -#define GSS_S_BAD_STATUS (5 << 16) -#define GSS_S_BAD_SIG (6 << 16) -#define GSS_S_NO_CRED (7 << 16) -#define GSS_S_NO_CONTEXT (8 << 16) -#define GSS_S_DEFECTIVE_TOKEN (9 << 16) -#define GSS_S_DEFECTIVE_CREDENTIAL (10 << 16) -#define GSS_S_CREDENTIALS_EXPIRED (11 << 16) -#define GSS_S_CONTEXT_EXPIRED (12 << 16) -#define GSS_S_FAILURE (13 << 16) - -/* - * Supplementary Status Bits - */ -#define GSS_S_CONTINUE_NEEDED (1 << 0) -#define GSS_S_DUPLICATE_TOKEN (1 << 1) -#define GSS_S_OLD_TOKEN (1 << 2) -#define GSS_S_UNSEQ_TOKEN (1 << 3) - -#define GSS_S_COMPLETE 0 - -/* - * Macros to break apart a return code - */ - -#define gss_calling_error(r) ((r) & 0xff000000) -#define gss_routine_error(r) ((r) & 0x00ff0000) -#define 
gss_supplementary_info(r) ((r) & 0x0000ffff) - -/* - * gss_acquire_cred --- cred_usage values - */ -#define GSS_C_INITIATE 0x0001 -#define GSS_C_ACCEPT 0x0002 -#define GSS_C_BOTH 0x0003 - -/* - * gss_init_sec_context flags - */ -#define GSS_C_DELEG_FLAG 0x0001 -#define GSS_C_MUTUAL_FLAG 0x0002 -#define GSS_C_REPLAY_FLAG 0x0004 -#define GSS_C_SEQUENCE_FLAG 0x0008 -#define GSS_C_CONF_FLAG 0x0010 - -/* - * Values for qop_req - */ -#define GSS_C_QOP_DEFAULT 0 - -/* - * Values for gss_display_status - */ -#define GSS_C_GSS_CODE 1 -#define GSS_C_MECH_CODE 2 - -/* - * OID declarations - */ -extern struct gss_OID_desc gss_OID_krb5; -extern struct gss_OID_desc gss_OID_krb5_name; - -/* - * XXX Stuff to make Kannan's flogin stuff happy. - */ -#define GSS_C_MAX_TOKEN 1024 -#define GSS_C_MAX_PRINTABLE_NAME 1024 - -#define GSS_C_READ (1 << 0) -#define GSS_C_WRITE (1 << 1) -#define GSS_C_EXECUTE (1 << 2) - -/* - * Function declaragions, generated by mkptypes - */ -/* ac_cred.c */ -OM_uint32 gss_acquire_cred PROTOTYPE((OM_uint32 *minor_status, - gss_name_t desired_name, - OM_uint32 time_req, - gss_OID_set desired_mechs, - int cred_usage, - gss_cred_id_t *output_cred_handle, - gss_OID_set *actual_mechs, - OM_uint32 *time_rec)); - -/* acc_sec.c */ -OM_uint32 gss_accept_sec_context PROTOTYPE((OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, - gss_cred_id_t verifier_cred_handle, - gss_buffer_t input_token, - gss_channel_bindings channel, - gss_name_t *src_name, - gss_OID *mech_type, - gss_buffer_t output_token, - int *ret_flags, - OM_uint32 *time_rec, - gss_cred_id_t *delegated_cred_handle)); - -/* check_tok.c */ -OM_uint32 gss_check_token PROTOTYPE((OM_uint32 *minor_status, - gss_buffer_t input_token, - unsigned int mechanism, - unsigned int type)); - -/* cmp_name.c */ -OM_uint32 gss_compare_name PROTOTYPE((OM_uint32 *minor_status, - gss_name_t name1, - gss_name_t name2, - int *name_equal)); - -/* comp_oid.c */ -int gss_compare_OID PROTOTYPE((gss_OID oid1, - gss_OID oid2)); - 
-/* dsp_name.c */ -OM_uint32 gss_display_name PROTOTYPE((OM_uint32 *minor_status, - gss_name_t input_name, - gss_buffer_t output_name_buffer, - gss_OID *output_name_type)); - -/* imp_name.c */ -OM_uint32 gss_import_name PROTOTYPE((OM_uint32 *minor_status, - gss_buffer_t input_name_buffer, - gss_OID input_name_type, - gss_name_t *output_name)); -OM_uint32 gss_service_import_name PROTOTYPE((OM_uint32 *minor_status, - gss_buffer_t input_name_buffer, - gss_name_t *output_name)); - -/* ind_mechs.c */ -OM_uint32 gss_indicate_mechs PROTOTYPE((OM_uint32 *minor_status, - gss_OID_set *mech_set)); - -/* init_sec.c */ -OM_uint32 gss_init_sec_context PROTOTYPE((OM_uint32 *minor_status, - gss_cred_id_t claimant_cred_handle, - gss_ctx_id_t *context_handle, - gss_name_t target_name, - gss_OID mech_type, - int req_flags, - int time_req, - gss_channel_bindings channel, - gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - int *ret_flags, - OM_uint32 *time_rec)); - -/* make_tok.c */ -OM_uint32 gss_make_token PROTOTYPE((OM_uint32 *minor_status, - unsigned int mechanism, - unsigned int type, - size_t length, - Voidptr data, - gss_buffer_t output_token)); - -/* rel_buffer.c */ -OM_uint32 gss_release_buffer PROTOTYPE((OM_uint32 *minor_status, - gss_buffer_t buffer)); - -/* rel_cred.c */ -OM_uint32 gss_release_cred PROTOTYPE((OM_uint32 *minor_status, - gss_cred_id_t *cred_handle)); - -/* rel_name.c */ -OM_uint32 gss_release_name PROTOTYPE((OM_uint32 *minor_status, - gss_name_t *name)); - -/* rel_oidset.c */ -OM_uint32 gss_release_oid_set PROTOTYPE((OM_uint32 *minor_status, - gss_OID_set set)); - -/* rel_sec.c */ -OM_uint32 gss_release_security_context PROTOTYPE((OM_uint32 *minor_status, - gss_ctx_id_t context)); - -/* seal.c */ -OM_uint32 gss_seal PROTOTYPE((OM_uint32 *minor_status, - gss_ctx_id_t context, - int conf_req_flag, - int qop_req, - gss_buffer_t input_message_buffer, - int *conf_state, - gss_buffer_t output_message_buffer)); -OM_uint32 gss_sign 
PROTOTYPE((OM_uint32 *minor_status, - gss_ctx_id_t context, - int qop_req, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer)); - -/* sign.c */ -OM_uint32 gss_sign PROTOTYPE((OM_uint32 *minor_status, - gss_ctx_id_t context, - int qop_req, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer)); - -/* unseal.c */ -OM_uint32 gss_unseal PROTOTYPE((OM_uint32 *minor_status, - gss_ctx_id_t context, - gss_buffer_t input_message_buffer, - gss_buffer_t output_message_buffer, - int *conf_state, - int *qop_state)); -OM_uint32 gss_verify PROTOTYPE((OM_uint32 *minor_status, - gss_ctx_id_t context, - gss_buffer_t message_buffer, - gss_buffer_t token_buffer, - int *qop_state)); - -/* verify.c */ -OM_uint32 gss_verify PROTOTYPE((OM_uint32 *minor_status, - gss_ctx_id_t context, - gss_buffer_t message_buffer, - gss_buffer_t token_buffer, - int *qop_state)); - diff --git a/src/lib/gssapi/imp_name.c b/src/lib/gssapi/imp_name.c deleted file mode 100644 index de7940eeb..000000000 --- a/src/lib/gssapi/imp_name.c +++ /dev/null 
@@ -1,106 +0,0 @@ -/* - * imp_name.c --- import_name - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -OM_uint32 gss_service_import_name(); - -OM_uint32 gss_import_name(minor_status, input_name_buffer, input_name_type, - output_name) - OM_uint32 *minor_status; - gss_buffer_t input_name_buffer; - gss_OID input_name_type; - gss_name_t *output_name; -{ - *minor_status = 0; - - if ((input_name_type == GSS_C_NULL_OID) || - gss_compare_OID(input_name_type, &gss_OID_krb5)) { - /* - * Kerberos V5 name - */ - if (!strncasecmp("service:", input_name_buffer->value, 8) && - input_name_buffer->length >= 8) { - return(gss_service_import_name(minor_status, - input_name_buffer, - output_name)); - } - if (*minor_status = krb5_parse_name(input_name_buffer->value, - output_name)) - return(GSS_S_FAILURE); - else - return(GSS_S_COMPLETE); - } - /* - * It's of an unknown type. We don't know how to deal. 
- */ - return(GSS_S_BAD_NAMETYPE); -} - - -OM_uint32 gss_service_import_name(minor_status, input_name_buffer, output_name) - OM_uint32 *minor_status; - gss_buffer_t input_name_buffer; - gss_name_t *output_name; -{ - char *str, *cp; - char *service, *kservice; - char *host; - char buf[512]; - - if (!(str = malloc(input_name_buffer->length+1))) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - memcpy(str, input_name_buffer->value, input_name_buffer->length); - str[input_name_buffer->length] = '\0'; - - /* - * Assume the first eight characters are "service:" - */ - service = cp = str + 8; - if (!(cp = strchr(cp, '@'))) { - free(str); - return(GSS_S_BAD_NAME); - } - *cp++ = 0; - host = cp; - /* - * We will need to do some mapping here later... XXX - */ - kservice = service; - - sprintf(buf, "%s/%s", kservice, host); - - if (*minor_status = krb5_parse_name(buf, output_name)) - return(GSS_S_FAILURE); - else - return(GSS_S_COMPLETE); -} - diff --git a/src/lib/gssapi/ind_mechs.c b/src/lib/gssapi/ind_mechs.c deleted file mode 100644 index c51a77d4a..000000000 --- a/src/lib/gssapi/ind_mechs.c +++ /dev/null 
@@ -1,52 +0,0 @@ -/* - * ind_mechs.c --- Indicate mechanisms (also where the OID's are declared) - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -struct gss_OID_desc gss_OID_krb5 = { 15, "KRB5.OSI.SUCKS"}; -struct gss_OID_desc gss_OID_krb5_name = { 20, "KRB5.NAME.OSI.SUCKS" }; - -OM_uint32 gss_indicate_mechs(minor_status, mech_set) - OM_uint32 *minor_status; - gss_OID_set *mech_set; -{ - gss_OID_set set; - - *minor_status = 0; - if (!(set = (gss_OID_set) malloc (sizeof(struct gss_OID_set_desc)))) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - set->count = 1; - set->elements = &gss_OID_krb5; - *mech_set = set; - return(GSS_S_COMPLETE); -} - - diff --git a/src/lib/gssapi/init_sec.c b/src/lib/gssapi/init_sec.c deleted file mode 100644 index 87f48d832..000000000 --- a/src/lib/gssapi/init_sec.c +++ /dev/null 
@@ -1,290 +0,0 @@ -/* - * init_sec.c --- initialize security context - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -extern krb5_flags krb5_kdc_default_options; - -/* - * To do in the future: - * - * * Support replay cache - * - * * Support delegation of credentials - * - * * Do something with time_rec - * - * * Should handle Kerberos error packets being sent back and - * forth. 
- */ - -gss_cred_id_t gss_default_credentials = { - (krb5_principal) NULL, (gss_OID) NULL, 0, (krb5_ccache) NULL, - (krb5_kvno) 0, { (krb5_keytype) 0, 0, (krb5_octet *) NULL } -}; - - -OM_uint32 gss_init_sec_context(minor_status, claimant_cred_handle, - context_handle, target_name, - mech_type, req_flags, time_req, - channel, input_token, - actual_mech_type, output_token, - ret_flags, time_rec) - OM_uint32 *minor_status; - gss_cred_id_t claimant_cred_handle; - gss_ctx_id_t *context_handle; - gss_name_t target_name; - gss_OID mech_type; - int req_flags; - int time_req; - gss_channel_bindings channel; - gss_buffer_t input_token; - gss_OID *actual_mech_type; - gss_buffer_t output_token; - int *ret_flags; - OM_uint32 *time_rec; -{ - krb5_flags kdc_options = krb5_kdc_default_options; - krb5_flags ap_req_options = 0; - krb5_ccache ccache; - krb5_creds creds; - krb5_authenticator authent; - krb5_data inbuf, outbuf; - krb5_ap_rep_enc_part *repl; - OM_uint32 retval; - gss_ctx_id_t context; - - *minor_status = 0; - - if (!context_handle) { - /* - * This is first call to init_sec_context - * - * We only handle Kerberos V5... - */ - if ((mech_type != GSS_C_NULL_OID) && - !gss_compare_OID(mech_type, &gss_OID_krb5)) { - return(GSS_S_BAD_MECH); - } - if (actual_mech_type) - *actual_mech_type = &gss_OID_krb5; - /* - * Sanitize the incoming flags - * - * We don't support delegation or replay detection --- yet. - */ - req_flags &= ~GSS_C_DELEG_FLAG; - req_flags &= ~GSS_C_REPLAY_FLAG; - /* - * If no credentials were passed in, get our own - */ - if (claimant_cred_handle.ccache) - ccache = claimant_cred_handle.ccache; - else { - /* - * Default (or NULL) credentials, we need to - * fill in with defaults. 
- */ - if (*minor_status = krb5_cc_default(&ccache)) { - return(GSS_S_FAILURE); - } - claimant_cred_handle.ccache = ccache; - if (*minor_status = - krb5_cc_get_principal(ccache, - &claimant_cred_handle.principal)) - return(GSS_S_FAILURE); - } - /* - * Allocate the context handle structure - */ - if (!(context = (gss_ctx_id_t) - malloc(sizeof(struct gss_ctx_id_desc)))) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - context->mech_type = &gss_OID_krb5; - context->state = GSS_KRB_STATE_DOWN; - /* - * Fill in context handle structure - */ - if (*minor_status = - krb5_copy_principal(claimant_cred_handle.principal, - &context->me)) - return(GSS_S_FAILURE); - if (*minor_status = - krb5_copy_principal(target_name, - &context->him)) - return(GSS_S_FAILURE); - context->flags = req_flags | GSS_C_CONF_FLAG;; - context->am_client = 1; - context->session_key = NULL; - context->rcache = NULL; - context->my_address.addrtype = channel->initiator_addrtype; - context->my_address.length = channel->initiator_address.length; - if (!(context->my_address.contents = (krb5_octet *) - malloc(context->my_address.length))) { - krb5_xfree(context); - return(GSS_S_FAILURE); - } - memcpy((char *) context->my_address.contents, - (char *) channel->initiator_address.value, - context->my_address.length); - context->his_address.addrtype = channel->acceptor_addrtype; - context->his_address.length = channel->acceptor_address.length; - if (!(context->his_address.contents = (krb5_octet *) - malloc(context->my_address.length))) { - krb5_xfree(context->my_address.contents); - krb5_xfree(context); - return(GSS_S_FAILURE); - } - memcpy((char *) context->his_address.contents, - (char *) channel->acceptor_address.value, - context->his_address.length); - /* - * Generate a random sequence number - */ - if (*minor_status = - krb5_generate_seq_number(&creds.keyblock, - &context->my_seq_num)) { - krb5_xfree(context->his_address.contents); - krb5_xfree(context->my_address.contents); - free((char 
*)context); - return(GSS_S_FAILURE); - } - context->his_seq_num = 0; - /* - * Make a credentials structure - */ - memset((char *)&creds, 0, sizeof(creds)); - creds.server = context->him; - creds.client = context->me; - /* creds.times.endtime = 0; -- memset 0 takes care of this - zero means "as long as possible" */ - /* creds.keyblock.keytype = 0; -- as well as this. - zero means no session keytype - preference */ - if (*minor_status = krb5_get_credentials(0, - ccache, - &creds)) { - krb5_free_cred_contents(&creds); - free((char *)context); - return(GSS_S_FAILURE); - } - /* - * Setup the ap_req_options - */ - if ((req_flags & GSS_C_MUTUAL_FLAG) || - (req_flags & GSS_C_SEQUENCE_FLAG)) - ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; - /* - * OK, get the authentication header! - */ - if (*minor_status = krb5_mk_req_extended(ap_req_options, 0, - kdc_options, - context->my_seq_num, 0, - ccache, &creds, &authent, - &outbuf)) { - memset((char *)&authent, 0, sizeof(authent)); - krb5_free_cred_contents(&creds); - free((char *)context); - return(GSS_S_FAILURE); - } - context->cusec = authent.cusec; - context->ctime = authent.ctime; - memset((char *)&authent, 0, sizeof(authent)); - - if (*minor_status = - krb5_copy_keyblock(&creds.keyblock, - &context->session_key)) { - krb5_xfree(outbuf.data); - krb5_free_cred_contents(&creds); - free((char *)context); - return(GSS_S_FAILURE); - } - - if (*minor_status = gss_make_token(minor_status, - GSS_API_KRB5_TYPE, - GSS_API_KRB5_REQ, - outbuf.length, - outbuf.data, - output_token)) { - krb5_xfree(outbuf.data); - krb5_free_cred_contents(&creds); - free((char *) context); - return(GSS_S_FAILURE); - } - /* - * Send over the requested flags information - */ - ((char *) output_token->value)[4] = context->flags; - krb5_xfree(outbuf.data); - *context_handle = context; - context->state = GSS_KRB_STATE_DOWN; - *ret_flags = context->flags; - /* - * Don't free server and client because we need them - * for the context structure. 
- */ - creds.server = 0; - creds.client = 0; - krb5_free_cred_contents(&creds); - if (ap_req_options & AP_OPTS_MUTUAL_REQUIRED) { - context->state = GSS_KRB_STATE_MUTWAIT; - return(GSS_S_CONTINUE_NEEDED); - } else { - context->state = GSS_KRB_STATE_UP; - return(GSS_S_COMPLETE); - } - - } else { - context = *context_handle; - - if (context->state != GSS_KRB_STATE_MUTWAIT) - return(GSS_S_FAILURE); - if (retval = gss_check_token(minor_status, input_token, - GSS_API_KRB5_TYPE, - GSS_API_KRB5_REP)) - return(retval); - inbuf.length = input_token->length-4; - inbuf.data = ((char *)input_token->value)+4; - - if (*minor_status = krb5_rd_rep(&inbuf, context->session_key, - &repl)) - return(GSS_S_FAILURE); - if ((repl->ctime != context->ctime) || - (repl->cusec != context->cusec)) { - *minor_status = KRB5_SENDAUTH_MUTUAL_FAILED; - return(GSS_S_FAILURE); - } - context->his_seq_num = repl->seq_number; - context->state = GSS_KRB_STATE_UP; - krb5_free_ap_rep_enc_part(repl); - return(GSS_S_COMPLETE); - } -} diff --git a/src/lib/gssapi/make_tok.c b/src/lib/gssapi/make_tok.c deleted file mode 100644 index 5078bed36..000000000 --- a/src/lib/gssapi/make_tok.c +++ /dev/null 
@@ -1,63 +0,0 @@ -/* - * make_tok.c --- Make a GSS API token - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -OM_uint32 gss_make_token(minor_status, mechanism, type, length, data, - output_token) - OM_uint32 *minor_status; - unsigned int mechanism; - unsigned int type; - size_t length; - Voidptr data; - gss_buffer_t output_token; -{ - char *buf; - int offset = 4; - - *minor_status = 0; - /* - * The Kerberos initial request token needs an extra byte of - * flag information, so we reserve it here. 
- */ - if ((mechanism == GSS_API_KRB5_TYPE) && (type == GSS_API_KRB5_REQ)) - offset++; - if (!(buf = malloc(length+offset))) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); - } - output_token->value = (Voidptr) buf; - output_token->length = length+4; - buf[0] = GSS_API_IMPL_VERSION; - buf[1] = mechanism; /* Authentication mechanism */ - buf[2] = type; /* Token type */ - buf[3] = 0; /* Reserved */ - memcpy(buf+offset, data, length); - return(GSS_S_COMPLETE); -} diff --git a/src/lib/gssapi/rel_buffer.c b/src/lib/gssapi/rel_buffer.c deleted file mode 100644 index 7a6bac04e..000000000 --- a/src/lib/gssapi/rel_buffer.c +++ /dev/null @@ -1,42 +0,0 @@ -/* - * rel_buffer.c --- release a gss_buffer_t - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -OM_uint32 gss_release_buffer(minor_status, buffer) - OM_uint32 *minor_status; - gss_buffer_t buffer; -{ - *minor_status = 0; - - free(buffer->value); - return(GSS_S_COMPLETE); -} - - 
diff --git a/src/lib/gssapi/rel_cred.c b/src/lib/gssapi/rel_cred.c deleted file mode 100644 index af9a758e4..000000000 --- a/src/lib/gssapi/rel_cred.c +++ /dev/null @@ -1,43 +0,0 @@ -/* - * rel_cred.c --- release a gss_cred_id_t - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -OM_uint32 gss_release_cred(minor_status, cred_handle) - OM_uint32 *minor_status; - gss_cred_id_t *cred_handle; -{ - krb5_free_principal(cred_handle->principal); - if (*minor_status = krb5_cc_close(cred_handle->ccache)) - return(GSS_S_FAILURE); - krb5_xfree(cred_handle->srvtab.contents); - return(GSS_S_COMPLETE); -} - - diff --git a/src/lib/gssapi/rel_name.c b/src/lib/gssapi/rel_name.c deleted file mode 100644 index 1ad66492f..000000000 --- a/src/lib/gssapi/rel_name.c +++ /dev/null 
@@ -1,42 +0,0 @@ -/* - * rel_name.c --- release a gss_name_t - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -OM_uint32 gss_release_name(minor_status, name) - OM_uint32 *minor_status; - gss_name_t *name; -{ - *minor_status = 0; - - krb5_free_principal(*name); - return(GSS_S_COMPLETE); -} - - diff --git a/src/lib/gssapi/rel_oidset.c b/src/lib/gssapi/rel_oidset.c deleted file mode 100644 index 93ba47e67..000000000 --- a/src/lib/gssapi/rel_oidset.c +++ /dev/null 
@@ -1,46 +0,0 @@ -/* - * rel_oidset.c --- release a fgss_oid_set - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -OM_uint32 gss_release_oid_set(minor_status, set) - OM_uint32 *minor_status; - gss_OID_set set; -{ - *minor_status = 0; - - /* - * We don't free the OID parts themselves, since they will all - * be constant structures in this version - */ - free((char *)set); - return(GSS_S_COMPLETE); -} - - diff --git a/src/lib/gssapi/rel_sec.c b/src/lib/gssapi/rel_sec.c deleted file mode 100644 index 56f2569ac..000000000 --- a/src/lib/gssapi/rel_sec.c +++ /dev/null 
@@ -1,45 +0,0 @@ -/* - * rel_buffer.c --- release a security context - * - * $Source$ - * $Author$ - * $Header$ - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - */ - -#include - -OM_uint32 gss_release_security_context(minor_status, context) - OM_uint32 *minor_status; - gss_ctx_id_t context; -{ - *minor_status = 0; - - krb5_free_principal(context->me); - krb5_free_principal(context->him); - - context->state = GSS_KRB5_STATE_DOWN; - return(GSS_S_COMPLETE); -} - - diff --git a/src/lib/gssapi/sample/Imakefile b/src/lib/gssapi/sample/Imakefile deleted file mode 100644 index 045f87eca..000000000 --- a/src/lib/gssapi/sample/Imakefile +++ /dev/null 
@@ -1,59 +0,0 @@ -# $Source$ -# $Author$ -# $Id$ -# -# Copyright 1991 by the Massachusetts Institute of Technology. -# All Rights Reserved. -# -# For copying and distribution information, please see the file -# . -# - - DEPLIBS = ../libgssapi.a $(DEPKLIB) -LOCAL_LIBRARIES = ../libgssapi.a $(KLIB) - DEFINES = -DDEBUG - -SRCS = flogin.c fcmd.c flogind.c fsh.c fcp.c login.c logutil.c -OBJS = flogin.o fcmd.o flogind.o fsh.o fcp.o login.o logutil.o - -FLOGINSRCS = flogin.c fcmd.c -FLOGINOBJS = flogin.o fcmd.o - -LOGINSRCS = login.c logutil.c -LOGINOBJS = login.o logutil.o - -FLOGINDSRCS = flogind.c logutil.c -FLOGINDOBJS = flogind.o logutil.o - -FSHSRCS = fsh.c fcmd.c -FSHOBJS = fsh.o fcmd.o - -FSHDSRCS = fshd.c -FSHDOBJS = fshd.o - -FCPSRCS = fcp.c fcmd.c -FCPOBJS = fcp.o fcmd.o - -all:: flogin login.gssapi flogind - -NormalProgramTarget(flogin,$(FLOGINOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),) -NormalProgramTarget(login.gssapi,$(LOGINOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),) -NormalProgramTarget(flogind,$(FLOGINDOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),) -NormalProgramTarget(fsh,$(FSHOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),) -NormalProgramTarget(fshd,$(FSHDOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),) -NormalProgramTarget(fcp,$(FCPOBJS),$(DEPLIBS),$(LOCAL_LIBRARIES),) - -SaberProgramTarget(flogin, $(FLOGINSRCS), $(FLOGINOBJS), - $(DEPLIBS) $(LOCAL_LIBRARIES),) -SaberProgramTarget(login.gssapi, $(LOGINSRCS), $(LOGINOBJS), - $(DEPLIBS) $(LOCAL_LIBRARIES),) -SaberProgramTarget(flogind, $(FLOGINDSRCS), $(FLOGINDOBJS), - $(DEPLIBS) $(LOCAL_LIBRARIES),) -SaberProgramTarget(fsh, $(FSHSRCS), $(FSHOBJS), - $(DEPLIBS) $(LOCAL_LIBRARIES),) -SaberProgramTarget(fshd, $(FSHDSRCS), $(FSHDOBJS), - $(DEPLIBS) $(LOCAL_LIBRARIES),) -SaberProgramTarget(fcp, $(FCPSRCS), $(FCPOBJS), - $(DEPLIBS) $(LOCAL_LIBRARIES),) - -DependTarget() diff --git a/src/lib/gssapi/sample/MAIL.KANNAN b/src/lib/gssapi/sample/MAIL.KANNAN deleted file mode 100644 index 0bd0f0a8c..000000000 
--- a/src/lib/gssapi/sample/MAIL.KANNAN
+++ /dev/null
@@ -1,114 +0,0 @@ -Received: by E40-PO.MIT.EDU (5.45/4.7) id AA17675; Fri, 24 May 91 14:58:47 EDT -Received: from uucp-gw-1.pa.dec.com by ATHENA.MIT.EDU with SMTP - id AA18573; Fri, 24 May 91 14:58:33 EDT -Received: by uucp-gw-1.pa.dec.com; id AA01785; Fri, 24 May 91 11:56:31 -0700 -Received: by sejour.lkg.dec.com (5.57/Ultrix4.0) - id AA15569; Fri, 24 May 91 15:00:01 -0400 -Message-Id: <9105241900.AA15569@sejour.lkg.dec.com> -To: tytso@ATHENA.MIT.EDU -Cc: kannan@sejour.lkg.dec.com -Subject: GSS API for SPX ready for testing -Date: Fri, 24 May 91 15:00:00 EDT -From: kannan@sejour.lkg.dec.com - -Ted, - -I have completed the initial implementation of the GSS API for the SPX -mechanism and I've modified the flogin program to use this new -interface. My "standard" GSS library includes the following routines: - -/* - * Offering "standard" GSS API for following mechanism(s) : SPX - * - * Supported jacket routines : - * - * gss_acquire_cred Assume a global identity - * - * gss_release_cred Discard credentials - * - * gss_init_sec_context Initiate a security context with a - * peer application - * - * gss_accept_sec_context Accept a security context from a - * peer application - * - * gss_display_status Convert an API status code to text - * - * gss_indicate_mechs Determine underlying mechanism - * - * gss_display_name Convert opaque name to text - * - * gss_import_name Convert a textual name to API-format - * - * gss_release_name Deallocate API internal name - * - * gss_release_buffer Deallocate a buffer descriptor - * - * gss_release_oid_set Deallocate a set of object identifiers - * - * Unofficial jacket routines : - * - * gss__stash_default_cred Bind credential handle as default - * - * gss__check_authorization Check authorization rights for principal - * - */ - -As you can tell, I have two unofficial routines referred to as "gss__" -instead of "gss_". - -The first, gss__stash_default_cred will set the specified credential as -the default for a process. 
After calling this routine, GSS_C_NULL_CREDENTIAL -can be used by the calling application to reference the stashed credentials. -Note, if GSS_C_NULL_CREDENTIAL is passed to this routine, success is returned. - -/* - * WARNING: UNOFFICIAL GSSAPI ROUTINE!! - * - * gss__stash_default_cred() - Allows remote peer to bind delegated credential - * handle with remote application. Called by applications to set the - * delegated credentials as the default credentials for a process. - * - * OM_uint32 *minor_status (output) - mechanism specific status code - * gss_cred_id_t delegated_cred_handle (input) - handle for credentials - * received from context initiator. - * - */ - -The second, gss__check_authorization is a bit more controversial. This -routine will check access rights for a principal against an ACL file. -I've added a few additional arguments to make this routine more robust -so that access control decisions can be based on a per service and -possible per resource basis. - -/* - * WARNING: UNOFFICIAL GSSAPI ROUTINE!! - * - * gss__check_authorization() - Check authorization rights for principal - * using the ACL file specified. - * - * OM_uint32 *minor_status (output) - mechanism specific status code - * gss_buffer_t fullname_buffer (input) - principal's printable name - * gss_buffer_t luser_buffer (input) - local user name - * gss_buffer_t acl_file_buffer (input) - acl file name - * gss_buffer_t service_buffer (input) - service name - * int access_mode (input) - type of access (rwx, etc.) - * gss_buffer_t resource_buffer (input) - resource name - * - */ - -I've also defined 3 unofficial constants to describe the access modes. - -#define GSS_C_READ (1 << 0) -#define GSS_C_WRITE (1 << 1) -#define GSS_C_EXECUTE (1 << 2) - -You look at the application source code to see how these routines are -being used. The next message will contain the following files: - - - Makefile, flogin.c fcmd.c flogind.c login.c - -Talk to you later. - - -kannan - 
diff --git a/src/lib/gssapi/sample/Makefile.bak b/src/lib/gssapi/sample/Makefile.bak
deleted file mode 100644
index 3dd42fbb1..000000000
--- a/src/lib/gssapi/sample/Makefile.bak
+++ /dev/null
@@ -1,396 +0,0 @@ -# Makefile generated by imake - do not edit! -# $XConsortium: imake.c,v 1.51 89/12/12 12:37:30 jim Exp $ - -# $Source$ -# $Author$ -# $Id$ -# - -########################################################################### -# Makefile generated from "Imake.tmpl" and -# $XConsortium: Imake.tmpl,v 1.77 89/12/18 17:01:37 jim Exp $ -# -# Platform-specific parameters may be set in the appropriate .cf -# configuration files. Site-wide parameters may be set in the file -# site.def. Full rebuilds are recommended if any parameters are changed. -# -# If your C preprocessor doesn't define any unique symbols, you'll need -# to set BOOTSTRAPCFLAGS when rebuilding imake (usually when doing -# "make Makefile", "make Makefiles", or "make World"). -# -# If you absolutely can't get imake to work, you'll need to set the -# variables at the top of each Makefile as well as the dependencies at the -# bottom (makedepend will do this automatically). -# - -########################################################################### -# platform-specific configuration parameters - edit vaxbsd.cf to change - -# $Source$ -# $Author$ -# $Id$ -# - -########################################################################### -# site-specific configuration parameters - edit site.def to change - -# $Source$ -# $Author$ -# $Id$ -# - -# site: $XConsortium: site.def,v 1.21 89/12/06 11:46:50 jim Exp $ - - SHELL = /bin/sh - - TOP = ../../../. 
- CURRENT_DIR = ./lib/gssapi/sample - - AR = ar cq - BOOTSTRAPCFLAGS = - CC = gcc -fstrength-reduce -fpcc-struct-return -pedantic -ansi -Wall -Dunix -Dvax - - COMPRESS = compress - CPP = /lib/cpp $(STD_CPP_DEFINES) - PREPROCESSCMD = gcc -fstrength-reduce -fpcc-struct-return -pedantic -ansi -Wall -Dunix -Dvax -E $(STD_CPP_DEFINES) - INSTALL = install - LD = ld - LDLOCATIONS = - LINT = lint - LINTLIBFLAG = -C - LINTOPTS = -axz - LN = ln -s - MAKE = make - MV = mv - CP = cp - RANLIB = ranlib - RANLIBINSTFLAGS = - RM = rm -f - STD_INCLUDES = - STD_CPP_DEFINES = - STD_DEFINES = - SABER_DEFINES = -I/mit/gnu/vaxlib/gcc-include -Dconst= - EXTRA_LOAD_FLAGS = -Z - EXTRA_LIBRARIES = - TAGS = ctags - ETAGS = etags -STDC_TOP_INCLUDES = -I$(TOP)/include/stdc-incl - - SIGNAL_DEFINES = -DSIGNALRETURNSINT - - INSTPGMFLAGS = -s - - INSTSCRFLAGS = - INSTBINFLAGS = -m 0755 - INSTUIDFLAGS = -o root -m 4755 - INSTLIBFLAGS = -m 0664 - INSTINCFLAGS = -m 0444 - INSTMANFLAGS = -m 0444 - INSTDATFLAGS = -m 0444 - INSTKMEMFLAGS = -o root -m 4755 - - DESTDIR = - - TOP_INCLUDES = -I$(TOP) - - CDEBUGFLAGS = -O - CCOPTIONS = - COMPATFLAGS = - - ALLINCLUDES = $(INCLUDES) $(STD_INCLUDES) $(TOP_INCLUDES) $(EXTRA_INCLUDES) - ALLDEFINES = $(ALLINCLUDES) $(STD_DEFINES) $(PROTO_DEFINES) $(DEFINES) $(COMPATFLAGS) - CFLAGS = $(CDEBUGFLAGS) $(CCOPTIONS) $(ALLDEFINES) - LINTFLAGS = $(LINTOPTS) -DLINT $(ALLDEFINES) - LDLIBS = $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - LDOPTIONS = $(CDEBUGFLAGS) $(CCOPTIONS) $(LDLOCATIONS) - LDCOMBINEFLAGS = -X -r - MDFLAGS = -D__STDC__ -I/mit/gnu/vaxlib/gcc-include - - MACROFILE = vaxbsd.cf - RM_CMD = $(RM) *.CKP *.ln *.BAK *.bak *.o core errs ,* *~ *.a .emacs_* tags TAGS make.log MakeOut - - IMAKE_DEFINES = - - IRULESRC = $(CONFIGSRC) - - IMAKE_CMD = $(IMAKE) -I$(NEWTOP)$(IRULESRC) $(IMAKE_DEFINES) - - ICONFIGFILES = $(IRULESRC)/Imake.tmpl $(IRULESRC)/Imake.rules \ - $(IRULESRC)/Project.tmpl $(IRULESRC)/site.def \ - $(IRULESRC)/$(MACROFILE) $(EXTRA_ICONFIGFILES) - -# Kerberos 
version 5 Build Parameters -# -# $Source$ -# $Author$ -# $Id$ - -P_TERMIOS=-UHasPosixTermiosTrue - -P_FLOCKS=-UHasPosixFileLocksTrue - -P_TYPES=-UHasPosixTypesTrue - -P_SIGTYPE=-UHasVoidSignalReturnTrue - -P_STRINGH=-DHasStringHTrue - -P_BITSIZE=-DBitsize32 -UBitsize16 -UBitsize64 - -P_DBM=-DHasNdbmTrue - -P_INET=-DHasInetTrue - -P_STDLIBH=-UHasStdlibHTrue -UForceStdlibH - -P_TIME_DEFS=-DUseSysTimeH -UUseTimeH - -P_PROTOS=-UProvidePrototypes - -P_NPROTO=-UUseNarrowPrototypes - -P_STDARG=-UUseStdarg - - ARADD = ar cruv - TOP_INCLUDES = -I$(TOP)/include $(STDC_TOP_INCLUDES) - CONFIGSRC = $(TOP)/config - ISODE = /mit/isode/isode-6.8 - PSYFLAGS = -f -h0 -a -s - PEPSY = $(ISODE)/@sys/bin/pepsy - TOUCH = touch - IMAKE = imake - DEPEND = makedepend - UNIFDEF = unifdef - HESDEFS = -DHESIOD - HESLIBS = -lhesiod - - PROCESS_DEFINES = $(P_TERMIOS) $(P_FLOCKS) $(P_TYPES) $(P_SIGTYPE) $(P_STRINGH) $(P_BITSIZE) $(P_DBM) $(P_INET) $(P_STDLIBH) $(P_TIME_DEFS) $(P_PROTOS) $(P_NPROTO) $(P_STDARG) -DUnifdefRan - DESDEFINES = -DBIG -DLSBFIRST - TOPLIBD = $(TOP)/lib - OSLIB = os - OSDEPLIB = $(TOPLIBD)/libos.a - DESLIB = des5 - DESDEPLIB = $(TOPLIBD)/libdes5.a - RSAMD4LIB = md4 - RSAMD4DEPLIB = $(TOPLIBD)/libmd4.a - KRB5LIB = krb5 - KRB5DEPLIB = $(TOPLIBD)/libkrb5.a - CRCLIB = crc32 - CRCDEPLIB = $(TOPLIBD)/libcrc32.a - ISODELIB = -L/mit/isode/isode-6.8/@sys/lib -lisode - - DBMLIB = - DEPKLIB = $(KRB5DEPLIB) $(DESDEPLIB) $(OSDEPLIB) - KLIBLOC = -L$(TOPLIBD) - KLIB = $(KLIBLOC) -l$(KRB5LIB) -l$(DESLIB) -l$(OSLIB) $(ISODELIB) $(COMERRLIB) $(DBMLIB) - KDBDEPLIB = $(TOPLIBD)/libkdb.a - KDBLIB = $(KLIBLOC) -lkdb - KRB425DEPLIB = $(TOPLIBD)/libkrb425.a - KRB425LIB = krb425 - DES425DEPLIB = $(TOPLIBD)/libdes425.a - DES425LIB = des425 - KRB4LIB = -lkrb $(KLIBLOC) -l$(DES425LIB) - KRB4INCLUDES = -I$(TOP)/include/kerberosIV - KRB4DEPLIB = $(DES425DEPLIB) - - SSLIB = -lss - MK_CMDS = mk_cmds - COMERRLIB = -lcom_err - COMPILE_ET = compile_et - - ADMIN_BINDIR = /krb5/admin - ADMIN_MANSUFFIX = 8 - 
ADMIN_MANDIR = /krb5/man/man8 - SERVER_BINDIR = /krb5/sbin - SERVER_MANSUFFIX = 8 - SERVER_MANDIR = /krb5/man/man8 - CLIENT_BINDIR = /krb5/bin - CLIENT_MANSUFFIX = 1 - CLIENT_MANDIR = /krb5/man/man1 - -# $Source$ -# $Author$ -# $Id$ -# - -########################################################################### -# Imake rules for building libraries, programs, scripts, and data files -# rules: $XConsortium: Imake.rules,v 1.67 89/12/18 17:14:15 jim Exp $ - -########################################################################### -# start of Imakefile - -# $Source$ -# $Author$ -# $Id$ -# -# Copyright 1991 by the Massachusetts Institute of Technology. -# All Rights Reserved. -# -# For copying and distribution information, please see the file -# . -# - - DEPLIBS = $(DEPKLIB) ../libgssapi.a -LOCAL_LIBRARIES = $(KLIB) ../libgssapi.a - DEFINES = -DDEBUG - -SRCS = flogin.c fcmd.c flogind.c fsh.c fcp.c login.c logutil.c -OBJS = flogin.o fcmd.o flogind.o fsh.o fcp.o login.o logutil.o - -FLOGINSRCS = flogin.c fcmd.c -FLOGINOBJS = flogin.o fcmd.o - -LOGINSRCS = login.c logutil.c -LOGINOBJS = login.o logutil.o - -FLOGINDSRCS = flogind.c logutil.c -FLOGINDOBJS = flogind.o logutil.o - -FSHSRCS = fsh.c fcmd.c -FSHOBJS = fsh.o fcmd.o - -FSHDSRCS = fshd.c -FSHDOBJS = fshd.o - -FCPSRCS = fcp.c fcmd.c -FCPOBJS = fcp.o fcmd.o - -all:: flogin login.gssapi flogind - -flogin: $(FLOGINOBJS) $(DEPLIBS) - $(RM) $@ - $(CC) -o $@ $(FLOGINOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS) - -clean:: - $(RM) flogin - -login.gssapi: $(LOGINOBJS) $(DEPLIBS) - $(RM) $@ - $(CC) -o $@ $(LOGINOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS) - -clean:: - $(RM) login.gssapi - -flogind: $(FLOGINDOBJS) $(DEPLIBS) - $(RM) $@ - $(CC) -o $@ $(FLOGINDOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS) - -clean:: - $(RM) flogind - -fsh: $(FSHOBJS) $(DEPLIBS) - $(RM) $@ - $(CC) -o $@ $(FSHOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS) 
- -clean:: - $(RM) fsh - -fshd: $(FSHDOBJS) $(DEPLIBS) - $(RM) $@ - $(CC) -o $@ $(FSHDOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS) - -clean:: - $(RM) fshd - -fcp: $(FCPOBJS) $(DEPLIBS) - $(RM) $@ - $(CC) -o $@ $(FCPOBJS) $(LDOPTIONS) $(LOCAL_LIBRARIES) $(LDLIBS) $(EXTRA_LOAD_FLAGS) - -clean:: - $(RM) fcp - -saber_flogin: - #load $(ALLDEFINES) $(FLOGINSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -osaber_flogin: - #load $(ALLDEFINES) $(FLOGINOBJS) - $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -saber_login.gssapi: - #load $(ALLDEFINES) $(LOGINSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -osaber_login.gssapi: - #load $(ALLDEFINES) $(LOGINOBJS) - $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -saber_flogind: - #load $(ALLDEFINES) $(FLOGINDSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -osaber_flogind: - #load $(ALLDEFINES) $(FLOGINDOBJS) - $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -saber_fsh: - #load $(ALLDEFINES) $(FSHSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -osaber_fsh: - #load $(ALLDEFINES) $(FSHOBJS) - $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -saber_fshd: - #load $(ALLDEFINES) $(FSHDSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -osaber_fshd: - #load $(ALLDEFINES) $(FSHDOBJS) - $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -saber_fcp: - #load $(ALLDEFINES) $(FCPSRCS) $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -osaber_fcp: - #load $(ALLDEFINES) $(FCPOBJS) - $(DEPLIBS) $(LOCAL_LIBRARIES) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES) - -SRCS=$(SERVERSRCS) $(CLIENTSRCS) - -depend:: - $(DEPEND) -s "# DO NOT DELETE" -- $(ALLDEFINES) $(MDFLAGS) -- $(SRCS) - -########################################################################### -# common rules for all Makefiles - do not 
edit - -emptyrule:: - -clean:: - $(RM_CMD) \#* - -Makefile:: Imakefile - $(IMAKE_CMD) -DTOPDIR=$(TOP) -DCURDIR=$(CURRENT_DIR) -s Makefile.new - $(MAKE) -f Makefile.new noop - -@if [ -f Makefile ]; then \ - echo "$(RM) Makefile.bak; $(MV) Makefile Makefile.bak"; \ - $(RM) Makefile.bak; $(MV) Makefile Makefile.bak; \ - fi - $(MV) Makefile.new Makefile - -noop:: - -tags:: - $(TAGS) -w *.[ch] - $(ETAGS) *.[ch] - -saber: - #load $(ALLDEFINES) $(SABER_DEFINES) $(SRCS) - #setopt load_flags $(ALLDEFINES) $(SABER_DEFINES) - -osaber: - #load $(ALLDEFINES) $(OBJS) - -########################################################################### -# empty rules for directories that do not have SUBDIRS - do not edit - -install:: - @echo "install in $(CURRENT_DIR) done" - -install.man:: - @echo "install.man in $(CURRENT_DIR) done" - -Makefiles:: - -includes:: - -########################################################################### -# dependencies generated by makedepend - -# DO NOT DELETE diff --git a/src/lib/gssapi/sample/fcmd.c b/src/lib/gssapi/sample/fcmd.c deleted file mode 100644 index 351e5024a..000000000 --- a/src/lib/gssapi/sample/fcmd.c +++ /dev/null 
@@ -1,607 +0,0 @@ -/* - * Copyright (c) 1983 Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms are permitted - * provided that: (1) source distributions retain this entire copyright - * notice and comment, and (2) distributions including binaries display - * the following acknowledgement: ``This product includes software - * developed by the University of California, Berkeley and its contributors'' - * in the documentation or other materials provided with the distribution - * and in all advertising materials mentioning features or use of this - * software. Neither the name of the University nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)rcmd.c 5.22 (Berkeley) 6/1/90"; -#endif /* LIBC_SCCS and not lint */ - -/* - * 2-14-91 ka - * Modified sources to add SPX strong authentication, called fcmd.c - * - * 5-24-91 ka - * Modified sources to remove SPX and Kerberos specific authentication. 
- * Replaced with GSS API - * - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include -#include - -#include -#include "gssapi_defs.h" - -#define START_PORT 5120 - -#define TOKEN_MAJIC_NUMBER_BYTE0 1 -#define TOKEN_MAJIC_NUMBER_BYTE1 1 - -extern errno; -char *index(); - -fcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, targetname, -context_handle, mutual_flag, deleg_flag, debugflag) - int *sock; - char **ahost; - int rport; - char *locuser, *remuser, *cmd; - int *fd2p; - char *targetname; - int *context_handle; - int mutual_flag, deleg_flag, debugflag; -{ - int s, timo = 1, pid; - long oldmask; - struct sockaddr_in sin, sin2, from; - char c; - int lport = START_PORT; - struct hostent *hp; - fd_set reads; - - unsigned char token[GSS_C_MAX_TOKEN], chanbinding[8]; - unsigned char *charp; - char tokenheader[4], recv_tokenheader[4]; - int tokenlen, i, j, status = 0, hostlen, xcc, cc, mutual_len; - int replay_flag=0, seq_flag=0; - char mutual_resp[GSS_C_MAX_TOKEN]; - char targ_printable[GSS_C_MAX_PRINTABLE_NAME]; -/* - * GSS API support - */ - gss_OID actual_mech_type, output_name_type; - gss_ctx_id_t actual_ctxhandle; - int msg_ctx = 0, new_status; - int req_flags = 0, ret_flags, lifetime_rec, major_status; - gss_buffer_desc output_token, input_token, input_name_buffer; - gss_buffer_desc output_name_buffer, status_string; - gss_name_t desired_targname; - gss_channel_bindings input_chan_bindings; - - pid = getpid(); - hp = gethostbyname(*ahost); - if (hp == 0) { - fprintf(stderr, "%s : unknown host\n", *ahost); - return (-1); - } - *ahost = hp->h_name; - oldmask = sigblock(sigmask(SIGURG)); - for (;;) { - s = rresvport(&lport); - if (s < 0) { - if (errno == EAGAIN) - fprintf(stderr, "socket: All ports in use\n"); - else - perror("rcmd: socket"); - sigsetmask(oldmask); - return (-1); - } - fcntl(s, F_SETOWN, pid); - sin.sin_family = hp->h_addrtype; - bcopy(hp->h_addr_list[0], (caddr_t)&sin.sin_addr, hp->h_length); 
- sin.sin_port = rport; - if (connect(s, (caddr_t)&sin, sizeof (sin)) >= 0) - break; - (void) close(s); - if (errno == EADDRINUSE) { - lport--; - continue; - } - if (errno == ECONNREFUSED && timo <= 16) { - sleep(timo); - timo *= 2; - continue; - } - if (hp->h_addr_list[1] != NULL) { - int oerrno = errno; - - fprintf(stderr, - "connect to address %s: ", inet_ntoa(sin.sin_addr)); - errno = oerrno; - perror(0); - hp->h_addr_list++; - bcopy(hp->h_addr_list[0], (caddr_t)&sin.sin_addr, - hp->h_length); - fprintf(stderr, "Trying %s...\n", - inet_ntoa(sin.sin_addr)); - continue; - } - perror(hp->h_name); - sigsetmask(oldmask); - return (-1); - } - - lport--; - if (fd2p == 0) { - write(s, "", 1); - lport = 0; - } else { - char num[8]; - int s2 = rresvport(&lport), s3; - int len = sizeof (from); - - if (s2 < 0) - goto bad; - listen(s2, 1); - (void) sprintf(num, "%d", lport); - if (write(s, num, strlen(num)+1) != strlen(num)+1) { - perror("write: setting up stderr"); - (void) close(s2); - goto bad; - } - FD_ZERO(&reads); - FD_SET(s, &reads); - FD_SET(s2, &reads); - errno = 0; - if (select(32, &reads, 0, 0, 0) < 1 || - !FD_ISSET(s2, &reads)) { - if (errno != 0) - perror("select: setting up stderr"); - else - fprintf(stderr, - "select: protocol failure in circuit setup.\n"); - (void) close(s2); - goto bad; - } - s3 = accept(s2, &from, &len); - (void) close(s2); - if (s3 < 0) { - perror("accept"); - lport = 0; - goto bad; - } - *fd2p = s3; - from.sin_port = ntohs((u_short)from.sin_port); - if (from.sin_family != AF_INET || - from.sin_port >= IPPORT_RESERVED) { - fprintf(stderr, - "socket: protocol failure in circuit setup.\n"); - goto bad2; - } - } -/* - * GSS API authentication - * import name - * init context - * send token - * if (mutual) init context - * - */ - { - char myhost[32]; - char *address; - int from_addr=0, to_addr=0, myhostlen, j; - struct hostent *my_hp; - - strcpy(targ_printable, "SERVICE:rlogin@"); - strcat(targ_printable, targetname); - if (debugflag) { - 
printf("call gss_import_name for '%s'\n", targ_printable); - } - - input_name_buffer.length = strlen(targ_printable); - input_name_buffer.value = targ_printable; - - major_status = gss_import_name(&status, - &input_name_buffer, - GSS_C_NULL_OID, - &desired_targname); - - major_status = gss_display_name(&status, - desired_targname, - &output_name_buffer, - &output_name_type); - - printf("target is '%s'\n", output_name_buffer.value); - - major_status = gss_release_buffer(&status, &output_name_buffer); - - j=gethostname(myhost, sizeof(myhost)); - my_hp=gethostbyname(myhost); - if (my_hp != 0) { - bcopy(my_hp->h_addr_list[0], - (caddr_t)&sin2.sin_addr, my_hp->h_length); -#ifdef ultrix - from_addr = sin2.sin_addr.S_un.S_addr; -#else - from_addr = sin2.sin_addr.s_addr; -#endif - from_addr = htonl(from_addr); - } -#ifdef ultrix - to_addr = sin.sin_addr.S_un.S_addr; -#else - to_addr = sin.sin_addr.s_addr; -#endif - to_addr = htonl(to_addr); - - input_chan_bindings = (gss_channel_bindings) - malloc(sizeof(struct gss_channel_bindings_desc)); - - input_chan_bindings->initiator_addrtype = GSS_C_AF_INET; - input_chan_bindings->initiator_address.length = 4; - address = (char *) malloc(4); - input_chan_bindings->initiator_address.value = (char *) address; - address[0] = ((from_addr & 0xff000000) >> 24); - address[1] = ((from_addr & 0xff0000) >> 16); - address[2] = ((from_addr & 0xff00) >> 8); - address[3] = (from_addr & 0xff); - input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET; - input_chan_bindings->acceptor_address.length = 4; - address = (char *) malloc(4); - input_chan_bindings->acceptor_address.value = (char *) address; - address[0] = ((to_addr & 0xff000000) >> 24); - address[1] = ((to_addr & 0xff0000) >> 16); - address[2] = ((to_addr & 0xff00) >> 8); - address[3] = (to_addr & 0xff); - input_chan_bindings->application_data.length = 0; - } - - req_flags = 0; - if (deleg_flag) req_flags = req_flags | 1; - if (mutual_flag) req_flags = req_flags | 2; - if (replay_flag) 
req_flags = req_flags | 4; - if (seq_flag) req_flags = req_flags | 8; - - major_status = gss_init_sec_context(&status, /* minor status */ - GSS_C_NO_CREDENTIAL, /* cred handle */ - &actual_ctxhandle, /* ctx handle */ - desired_targname, /* target name */ - GSS_C_NULL_OID, /* mech type */ - req_flags, /* req flags */ - 0, /* time req */ - input_chan_bindings, /* chan binding */ - GSS_C_NO_BUFFER, /* input token */ - &actual_mech_type, /* actual mech */ - &output_token, /* output token */ - &ret_flags, /* ret flags */ - &lifetime_rec); /* time rec */ - - - if ((major_status!=GSS_S_COMPLETE)&& - (major_status!=GSS_S_CONTINUE_NEEDED)) { - gss_display_status(&new_status, - status, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &msg_ctx, - &status_string); - printf("%s\n", status_string.value); - return(-1); - } - - tokenheader[0] = TOKEN_MAJIC_NUMBER_BYTE0; - tokenheader[1] = TOKEN_MAJIC_NUMBER_BYTE1; - tokenheader[2] = ((output_token.length & 0xff00) >> 8); - tokenheader[3] = (output_token.length & 0xff); - - j = sphinx_net_write(s, tokenheader, 4); - - j = sphinx_net_write(s, output_token.value, output_token.length); - - (void) write(s, locuser, strlen(locuser)+1); - (void) write(s, remuser, strlen(remuser)+1); - (void) write(s, cmd, strlen(cmd)+1); - - if (read(s, &c, 1) != 1) { - perror(*ahost); - goto bad2; - } - - i = 0; - if (major_status == GSS_S_CONTINUE_NEEDED) { - - xcc = 4; - while (xcc > 0) { - if ((cc = read(s, &recv_tokenheader[i], xcc)) < 0) { - syslog(LOG_INFO,"read(s, recv_tokenheader, %d): %m",xcc); - break; - } - i +=cc; - xcc -= cc; - } - - if ((recv_tokenheader[0] != TOKEN_MAJIC_NUMBER_BYTE0) || - (recv_tokenheader[1] != TOKEN_MAJIC_NUMBER_BYTE1)) { - printf("illegal mutual response token format\n"); - syslog(LOG_INFO, "cannot go from v2.1 client to v2.0 server"); - return(-1); - } - xcc = recv_tokenheader[2] * 256 + recv_tokenheader[3]; - - mutual_len = 0; - while (xcc > 0) { - if ((cc = read(s, &mutual_resp[mutual_len], xcc)) < 0) { - 
syslog(LOG_INFO,"read(s, mutual_resp, %d): %m",xcc); - break; - } - mutual_len +=cc; - xcc -= cc; - } - - input_token.length = mutual_len; - input_token.value = mutual_resp; - - major_status = gss_init_sec_context(&status, /* minor status */ - GSS_C_NO_CREDENTIAL, /* cred handle */ - &actual_ctxhandle, /* ctx handle */ - desired_targname, /* target name */ - GSS_C_NULL_OID, /* mech type */ - req_flags, /* req flags */ - 0, /* time req */ - input_chan_bindings, /* chan binding */ - &input_token, /* input token */ - &actual_mech_type, /* actual mech */ - &output_token, /* output token */ - &ret_flags, /* ret flags */ - &lifetime_rec); /* time rec */ - - if (major_status!=GSS_S_COMPLETE) { - gss_display_status(&new_status, - status, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &msg_ctx, - &status_string); - printf("%s\n", status_string.value); - return(-1); - } - } - - major_status = gss_release_name(&status, desired_targname); - -#ifdef SPX_CHALLENGE - /* - * if trying to login to root account, make up response proving - * that the user is interactive. - * - * response is the signed mutual response with the user's long term - * private key. 
- * - */ - if (strcmp(remuser, "root")==0) { - major_status = spx_make_response(&status, - GSS_C_NO_CREDENTIAL, - actual_ctxhandle, - token, - &tokenlen); - - if (major_status != GSS_S_COMPLETE) { - gss_display_status(&new_status, - status, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &msg_ctx, - &status_string); - printf("%s\n", status_string.value); - return(-1); - } - - tokenheader[0] = TOKEN_MAJIC_NUMBER_BYTE0; - tokenheader[1] = TOKEN_MAJIC_NUMBER_BYTE1; - tokenheader[2] = ((tokenlen & 0xff00) >> 8); - tokenheader[3] = (tokenlen & 0xff); - - j = sphinx_net_write(s, tokenheader, 4); - - charp = token; - j = sphinx_net_write(s, (char *)charp, tokenlen); - - } -#endif /* SPX_CHALLENGE */ - *context_handle = actual_ctxhandle; - - if (c != 0) { - while (read(s, &c, 1) == 1) { - (void) write(2, &c, 1); - if (c == '\n') - break; - } - goto bad2; - } - sigsetmask(oldmask); - return (s); -bad2: - if (lport) - (void) close(*fd2p); -bad: - (void) close(s); - sigsetmask(oldmask); - return (-1); -} - -rresvport(alport) - int *alport; -{ - struct sockaddr_in sin; - int s; - - sin.sin_family = AF_INET; - sin.sin_addr.s_addr = INADDR_ANY; - s = socket(AF_INET, SOCK_STREAM, 0); - if (s < 0) - return (-1); - for (;;) { - sin.sin_port = htons((u_short)*alport); - if (bind(s, (caddr_t)&sin, sizeof (sin)) >= 0) - return (s); - if (errno != EADDRINUSE) { - (void) close(s); - return (-1); - } - (*alport)--; - if (*alport == IPPORT_RESERVED/2) { - (void) close(s); - errno = EAGAIN; /* close */ - return (-1); - } - } -} - -int _check_rhosts_file = 1; - -ruserok(rhost, superuser, ruser, luser) - char *rhost; - int superuser; - char *ruser, *luser; -{ - FILE *hostf; - char fhost[MAXHOSTNAMELEN]; - int first = 1; - register char *sp, *p; - int baselen = -1; - - sp = rhost; - p = fhost; - while (*sp) { - if (*sp == '.') { - if (baselen == -1) - baselen = sp - rhost; - *p++ = *sp++; - } else { - *p++ = isupper(*sp) ? tolower(*sp++) : *sp++; - } - } - *p = '\0'; - hostf = superuser ? 
(FILE *)0 : fopen("/etc/hosts.equiv", "r"); -again: - if (hostf) { - if (!_validuser(hostf, fhost, luser, ruser, baselen)) { - (void) fclose(hostf); - return(0); - } - (void) fclose(hostf); - } - if (first == 1 && (_check_rhosts_file || superuser)) { - struct stat sbuf; - struct passwd *pwd; - char pbuf[MAXPATHLEN]; - - first = 0; - if ((pwd = getpwnam(luser)) == NULL) - return(-1); - (void)strcpy(pbuf, pwd->pw_dir); - (void)strcat(pbuf, "/.rhosts"); - if ((hostf = fopen(pbuf, "r")) == NULL) - return(-1); - /* - * if owned by someone other than user or root or if - * writeable by anyone but the owner, quit - */ - if (fstat(fileno(hostf), &sbuf) || - sbuf.st_uid && sbuf.st_uid != pwd->pw_uid || - sbuf.st_mode&022) { - fclose(hostf); - return(-1); - } - goto again; - } - return (-1); -} - -/* don't make static, used by lpd(8) */ -_validuser(hostf, rhost, luser, ruser, baselen) - char *rhost, *luser, *ruser; - FILE *hostf; - int baselen; -{ - char *user; - char ahost[MAXHOSTNAMELEN]; - register char *p; - - while (fgets(ahost, sizeof (ahost), hostf)) { - p = ahost; - while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') { - *p = isupper(*p) ? tolower(*p) : *p; - p++; - } - if (*p == ' ' || *p == '\t') { - *p++ = '\0'; - while (*p == ' ' || *p == '\t') - p++; - user = p; - while (*p != '\n' && *p != ' ' && *p != '\t' && *p != '\0') - p++; - } else - user = p; - *p = '\0'; - if (_checkhost(rhost, ahost, baselen) && - !strcmp(ruser, *user ? 
user : luser)) { - return (0); - } - } - return (-1); -} - -static -_checkhost(rhost, lhost, len) - char *rhost, *lhost; - int len; -{ - static char ldomain[MAXHOSTNAMELEN + 1]; - static char *domainp = NULL; - static int nodomain = 0; - register char *cp; - - if (len == -1) - return(!strcmp(rhost, lhost)); - if (strncmp(rhost, lhost, len)) - return(0); - if (!strcmp(rhost, lhost)) - return(1); - if (*(lhost + len) != '\0') - return(0); - if (nodomain) - return(0); - if (!domainp) { - if (gethostname(ldomain, sizeof(ldomain)) == -1) { - nodomain = 1; - return(0); - } - ldomain[MAXHOSTNAMELEN] = NULL; - if ((domainp = index(ldomain, '.')) == (char *)NULL) { - nodomain = 1; - return(0); - } - for (cp = ++domainp; *cp; ++cp) - if (isupper(*cp)) - *cp = tolower(*cp); - } - return(!strcmp(domainp, rhost + len +1)); -} diff --git a/src/lib/gssapi/sample/flogin.c b/src/lib/gssapi/sample/flogin.c deleted file mode 100644 index 0fc70195e..000000000 --- a/src/lib/gssapi/sample/flogin.c +++ /dev/null 
@@ -1,729 +0,0 @@ -/* - * Copyright (c) 1983, 1990 The Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms are permitted provided - * that: (1) source distributions retain this entire copyright notice and - * comment, and (2) distributions including binaries display the following - * acknowledgement: ``This product includes software developed by the - * University of California, Berkeley and its contributors'' in the - * documentation or other materials provided with the distribution and in - * all advertising materials mentioning features or use of this software. - * Neither the name of the University nor the names of its contributors may - * be used to endorse or promote products derived from this software without - * specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#ifndef lint -char copyright[] = -"@(#) Copyright (c) 1983, 1990 The Regents of the University of California.\n\ - All rights reserved.\n"; -#endif /* not lint */ - -#ifndef lint -static char sccsid[] = "@(#)rlogin.c 5.29 (Berkeley) 6/27/90"; -#endif /* not lint */ - -/* - * $Source$ - * $Header: mit/rlogin/RCS/rlogin.c,v 5.2 89/07/26 12:11:21 kfall - * Exp Locker: kfall $ - */ - -/* - * 2-14-91 ka - * Modified sources to add SPX strong authentication, called flogin.c - * - * 5-24-91 ka - * Modified sources to remove SPX and Kerberos specific authentication. 
- * Replaced with GSS API - * - */ - -/* - * rlogin - remote login - */ -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#ifdef ultrix -#include -#endif -#include - -#include "gssapi_defs.h" - -#ifndef STDIN_FILENO -#define STDIN_FILENO 0 /* standard in */ -#endif - -#define FLOGIN_PORT 221 - -#ifndef TIOCPKT_WINDOW -#define TIOCPKT_WINDOW 0x80 -#endif - -/* concession to Sun */ -#ifndef SIGUSR1 -#define SIGUSR1 30 -#endif - -extern int errno; -int eight, litout, rem; -char cmdchar; -char *speeds[] = { - "0", "50", "75", "110", "134", "150", "200", "300", "600", "1200", - "1800", "2400", "4800", "9600", "19200", "38400" -}; - -#ifdef sun -struct winsize { - unsigned short ws_row, ws_col; - unsigned short ws_xpixel, ws_ypixel; -}; -#endif -struct winsize winsize; - -#ifndef sun -#define get_window_size(fd, wp) ioctl(fd, TIOCGWINSZ, wp) -#endif - -main(argc, argv) - int argc; - char **argv; -{ - extern char *optarg; - extern int optind; - struct passwd *pw; - struct servent *sp; - struct sgttyb ttyb; - long omask; - int argoff, ch, dflag, one, uid; - char *host, *p, *user, term[1024]; - void lostpeer(); - char *getenv(); - int mutual_flag = 1, deleg_flag = 1, sock = 0; - int debugflag = 0; - gss_cred_id_t context_handle; - - argoff = dflag = 0; - one = 1; - host = user = NULL; - cmdchar = '~'; - - if (p = rindex(argv[0], '/')) - ++p; - else - p = argv[0]; - - /* handle "flogin host flags" */ - if (!host && argc > 2 && argv[1][0] != '-') { - host = argv[1]; - argoff = 1; - } - -#define OPTIONS "8Lde:l:vn" - - while ((ch = getopt(argc - argoff, argv + argoff, OPTIONS)) != EOF) - switch(ch) { - case '8': - eight = 1; - break; - case 'L': - litout = 1; - break; - case 'd': - dflag = 1; - break; - case 'e': - cmdchar = optarg[0]; - break; - case 'l': - user = optarg; - break; - case 'v': - debugflag = 1; - break; - case 'n': - deleg_flag = 0; - break; - case 
'?': - default: - usage(); - } - optind += argoff; - argc -= optind; - argv += optind; - - /* if haven't gotten a host yet, do so */ - if (!host && !(host = *argv++)) - usage(); - - if (*argv) - usage(); - - if (!(pw = getpwuid(uid = getuid()))) { - (void)fprintf(stderr, "flogin: unknown user id.\n"); - exit(1); - } - if (!user) - user = pw->pw_name; - - sp = NULL; - - /* - * if remote login to root account, force no delegation - */ - if (strcmp(user, "root")==0) deleg_flag=0; - sp = getservbyname("flogin", "tcp"); - if (sp == NULL) { - sp = (struct servent *) malloc(sizeof(struct servent)); - sp->s_port = htons(FLOGIN_PORT); - } - - if (sp == NULL) - sp = getservbyname("login", "tcp"); - if (sp == NULL) { - (void)fprintf(stderr, "rlogin: login/tcp: unknown service.\n"); - exit(1); - } - - (void)strcpy(term, (p = getenv("TERM")) ? p : "network"); - if (ioctl(0, TIOCGETP, &ttyb) == 0) { - (void)strcat(term, "/"); - (void)strcat(term, speeds[ttyb.sg_ospeed]); - } - - (void)get_window_size(0, &winsize); - - (void)signal(SIGPIPE, lostpeer); - /* will use SIGUSR1 for window size hack, so hold it off */ - omask = sigblock(sigmask(SIGURG) | sigmask(SIGUSR1)); - - rem = fcmd(&sock, &host, sp->s_port, pw->pw_name, - user, term, 0, host, &context_handle, - mutual_flag, deleg_flag, debugflag); - - if (rem < 0) - exit(1); - - if (dflag && - setsockopt(rem, SOL_SOCKET, SO_DEBUG, &one, sizeof(one)) < 0) - (void)fprintf(stderr, "flogin: setsockopt: errno %d.\n", - errno); - - (void)setuid(uid); - doit(omask); - /*NOTREACHED*/ -} - -int child, defflags, deflflags, tabflag; -char deferase, defkill; -struct tchars deftc; -struct ltchars defltc; -struct tchars notc = { -1, -1, -1, -1, -1, -1 }; -struct ltchars noltc = { -1, -1, -1, -1, -1, -1 }; - -doit(omask) - long omask; -{ - struct sgttyb sb; - void catch_child(), copytochild(), exit(), writeroob(); - - (void)ioctl(0, TIOCGETP, (char *)&sb); - defflags = sb.sg_flags; - tabflag = defflags & TBDELAY; - defflags &= ECHO | CRMOD; - 
deferase = sb.sg_erase; - defkill = sb.sg_kill; - (void)ioctl(0, TIOCLGET, (char *)&deflflags); - (void)ioctl(0, TIOCGETC, (char *)&deftc); - notc.t_startc = deftc.t_startc; - notc.t_stopc = deftc.t_stopc; - (void)ioctl(0, TIOCGLTC, (char *)&defltc); - (void)signal(SIGINT, SIG_IGN); - setsignal(SIGHUP, exit); - setsignal(SIGQUIT, exit); - child = fork(); - if (child == -1) { - (void)fprintf(stderr, "rlogin: fork: errno %d.\n", errno); - done(1); - } - if (child == 0) { - mode(1); - if (reader(omask) == 0) { - msg("connection closed."); - exit(0); - } - sleep(1); - msg("\007connection closed."); - exit(1); - } - - /* - * We may still own the socket, and may have a pending SIGURG (or might - * receive one soon) that we really want to send to the reader. Set a - * trap that simply copies such signals to the child. - */ - (void)signal(SIGURG, copytochild); - (void)signal(SIGUSR1, writeroob); - (void)sigsetmask(omask); - (void)signal(SIGCHLD, catch_child); - writer(); - msg("closed connection."); - done(0); -} - -/* trap a signal, unless it is being ignored. */ -setsignal(sig, act) - int sig; - void (*act)(); -{ - int omask = sigblock(sigmask(sig)); - - if (signal(sig, act) == SIG_IGN) - (void)signal(sig, SIG_IGN); - (void)sigsetmask(omask); -} - -done(status) - int status; -{ - int w; - - mode(0); - if (child > 0) { - /* make sure catch_child does not snap it up */ - (void)signal(SIGCHLD, SIG_DFL); - if (kill(child, SIGKILL) >= 0) - while ((w = wait((union wait *)0)) > 0 && w != child); - } - exit(status); -} - -int dosigwinch; - -/* - * This is called when the reader process gets the out-of-band (urgent) - * request to turn on the window-changing protocol. 
- */ -void -writeroob() -{ - void sigwinch(); - - if (dosigwinch == 0) { - sendwindow(); - (void)signal(SIGWINCH, sigwinch); - } - dosigwinch = 1; -} - -void -catch_child() -{ - union wait status; - int pid; - - for (;;) { - pid = wait3(&status, WNOHANG|WUNTRACED, (struct rusage *)0); - if (pid == 0) - return; - /* if the child (reader) dies, just quit */ - if (pid < 0 || pid == child && !WIFSTOPPED(status)) - done((int)(status.w_termsig | status.w_retcode)); - } - /* NOTREACHED */ -} - -/* - * writer: write to remote: 0 -> line. - * ~. terminate - * ~^Z suspend rlogin process. - * ~^Y suspend rlogin process, but leave reader alone. - */ -writer() -{ - char c; - register int bol, local, n; - - bol = 1; /* beginning of line */ - local = 0; - for (;;) { - n = read(STDIN_FILENO, &c, 1); - if (n <= 0) { - if (n < 0 && errno == EINTR) - continue; - break; - } - /* - * If we're at the beginning of the line and recognize a - * command character, then we echo locally. Otherwise, - * characters are echo'd remotely. If the command character - * is doubled, this acts as a force and local echo is - * suppressed. - */ - if (bol) { - bol = 0; - if (c == cmdchar) { - bol = 0; - local = 1; - continue; - } - } else if (local) { - local = 0; - if (c == '.' 
|| c == deftc.t_eofc) { - echo(c); - break; - } - if (c == defltc.t_suspc || c == defltc.t_dsuspc) { - bol = 1; - echo(c); - stop(c); - continue; - } - if (c != cmdchar) { - (void)write(rem, &cmdchar, 1); - } - } - - if (write(rem, &c, 1) == 0) { - msg("line gone"); - break; - } - bol = c == defkill || c == deftc.t_eofc || - c == deftc.t_intrc || c == defltc.t_suspc || - c == '\r' || c == '\n'; - } -} - -echo(c) -register char c; -{ - register char *p; - char buf[8]; - - p = buf; - c &= 0177; - *p++ = cmdchar; - if (c < ' ') { - *p++ = '^'; - *p++ = c + '@'; - } else if (c == 0177) { - *p++ = '^'; - *p++ = '?'; - } else - *p++ = c; - *p++ = '\r'; - *p++ = '\n'; - (void)write(1, buf, p - buf); -} - -stop(cmdc) - char cmdc; -{ - mode(0); - (void)signal(SIGCHLD, SIG_IGN); - (void)kill(cmdc == defltc.t_suspc ? 0 : getpid(), SIGTSTP); - (void)signal(SIGCHLD, catch_child); - mode(1); - sigwinch(); /* check for size changes */ -} - -void -sigwinch() -{ - struct winsize ws; - - if (dosigwinch && get_window_size(0, &ws) == 0 && - bcmp(&ws, &winsize, sizeof(ws))) { - winsize = ws; - sendwindow(); - } -} - -/* - * Send the window size to the server via the magic escape - */ -sendwindow() -{ - struct winsize *wp; - char obuf[4 + sizeof (struct winsize)]; - - wp = (struct winsize *)(obuf+4); - obuf[0] = 0377; - obuf[1] = 0377; - obuf[2] = 's'; - obuf[3] = 's'; - wp->ws_row = htons(winsize.ws_row); - wp->ws_col = htons(winsize.ws_col); - wp->ws_xpixel = htons(winsize.ws_xpixel); - wp->ws_ypixel = htons(winsize.ws_ypixel); - - (void)write(rem, obuf, sizeof(obuf)); -} - -/* - * reader: read from remote: line -> 1 - */ -#define READING 1 -#define WRITING 2 - -jmp_buf rcvtop; -int ppid, rcvcnt, rcvstate; -char rcvbuf[8 * 1024]; - -void -oob() -{ - struct sgttyb sb; - int atmark, n, out, rcvd; - char waste[BUFSIZ], mark; - - out = O_RDWR; - rcvd = 0; - while (recv(rem, &mark, 1, MSG_OOB) < 0) - switch (errno) { - case EWOULDBLOCK: - /* - * Urgent data not here yet. 
It may not be possible - * to send it yet if we are blocked for output and - * our input buffer is full. - */ - if (rcvcnt < sizeof(rcvbuf)) { - n = read(rem, rcvbuf + rcvcnt, - sizeof(rcvbuf) - rcvcnt); - if (n <= 0) - return; - rcvd += n; - } else { - n = read(rem, waste, sizeof(waste)); - if (n <= 0) - return; - } - continue; - default: - return; - } - if (mark & TIOCPKT_WINDOW) { - /* Let server know about window size changes */ - (void)kill(ppid, SIGUSR1); - } - if (!eight && (mark & TIOCPKT_NOSTOP)) { - (void)ioctl(0, TIOCGETP, (char *)&sb); - sb.sg_flags &= ~CBREAK; - sb.sg_flags |= RAW; - (void)ioctl(0, TIOCSETN, (char *)&sb); - notc.t_stopc = -1; - notc.t_startc = -1; - (void)ioctl(0, TIOCSETC, (char *)¬c); - } - if (!eight && (mark & TIOCPKT_DOSTOP)) { - (void)ioctl(0, TIOCGETP, (char *)&sb); - sb.sg_flags &= ~RAW; - sb.sg_flags |= CBREAK; - (void)ioctl(0, TIOCSETN, (char *)&sb); - notc.t_stopc = deftc.t_stopc; - notc.t_startc = deftc.t_startc; - (void)ioctl(0, TIOCSETC, (char *)¬c); - } - if (mark & TIOCPKT_FLUSHWRITE) { - (void)ioctl(1, TIOCFLUSH, (char *)&out); - for (;;) { - if (ioctl(rem, SIOCATMARK, &atmark) < 0) { - (void)fprintf(stderr, "rlogin: ioctl: errno %d.\n", - errno); - break; - } - if (atmark) - break; - n = read(rem, waste, sizeof (waste)); - if (n <= 0) - break; - } - /* - * Don't want any pending data to be output, so clear the recv - * buffer. If we were hanging on a write when interrupted, - * don't want it to restart. If we were reading, restart - * anyway. - */ - rcvcnt = 0; - longjmp(rcvtop, 1); - } - - /* oob does not do FLUSHREAD (alas!) */ - - /* - * If we filled the receive buffer while a read was pending, longjmp - * to the top to restart appropriately. Don't abort a pending write, - * however, or we won't know how much was written. 
- */ - if (rcvd && rcvstate == READING) - longjmp(rcvtop, 1); -} - -/* reader: read from remote: line -> 1 */ -reader(omask) - int omask; -{ - void oob(); - -#if !defined(BSD) || BSD < 43 - int pid = -getpid(); -#else - int pid = getpid(); -#endif - int n, remaining; - char *bufp = rcvbuf; - - (void)signal(SIGTTOU, SIG_IGN); - (void)signal(SIGURG, oob); - ppid = getppid(); - (void)fcntl(rem, F_SETOWN, pid); - (void)setjmp(rcvtop); - (void)sigsetmask(omask); - for (;;) { - while ((remaining = rcvcnt - (bufp - rcvbuf)) > 0) { - rcvstate = WRITING; - n = write(1, bufp, remaining); - if (n < 0) { - if (errno != EINTR) - return(-1); - continue; - } - bufp += n; - } - bufp = rcvbuf; - rcvcnt = 0; - rcvstate = READING; - - rcvcnt = read(rem, rcvbuf, sizeof (rcvbuf)); - if (rcvcnt == 0) - return (0); - if (rcvcnt < 0) { - if (errno == EINTR) - continue; - (void)fprintf(stderr, "rlogin: read: errno %d.\n", - errno); - return(-1); - } - } -} - -mode(f) -{ - struct ltchars *ltc; - struct sgttyb sb; - struct tchars *tc; - int lflags; - - (void)ioctl(0, TIOCGETP, (char *)&sb); - (void)ioctl(0, TIOCLGET, (char *)&lflags); - switch(f) { - case 0: - sb.sg_flags &= ~(CBREAK|RAW|TBDELAY); - sb.sg_flags |= defflags|tabflag; - tc = &deftc; - ltc = &defltc; - sb.sg_kill = defkill; - sb.sg_erase = deferase; - lflags = deflflags; - break; - case 1: - sb.sg_flags |= (eight ? RAW : CBREAK); - sb.sg_flags &= ~defflags; - /* preserve tab delays, but turn off XTABS */ - if ((sb.sg_flags & TBDELAY) == XTABS) - sb.sg_flags &= ~TBDELAY; - tc = ¬c; - ltc = &noltc; - sb.sg_kill = sb.sg_erase = -1; - if (litout) - lflags |= LLITOUT; - break; - default: - return; - } - (void)ioctl(0, TIOCSLTC, (char *)ltc); - (void)ioctl(0, TIOCSETC, (char *)tc); - (void)ioctl(0, TIOCSETN, (char *)&sb); - (void)ioctl(0, TIOCLSET, (char *)&lflags); -} - -void -lostpeer() -{ - (void)signal(SIGPIPE, SIG_IGN); - msg("\007connection closed."); - done(1); -} - -/* copy SIGURGs to the child process. 
*/ -void -copytochild() -{ - (void)kill(child, SIGURG); -} - -msg(str) - char *str; -{ - (void)fprintf(stderr, "flogin: %s\r\n", str); -} - -warning(msg) -char *msg; -{ - (void) fprintf(stderr, msg); - fflush(stderr); -} - - -usage() -{ - (void)fprintf(stderr, - "usage: rlogin [ -%s]%s[-e char] [ -l username ] host\n", - "8L", " "); - exit(1); -} - -/* - * The following routine provides compatibility (such as it is) between 4.2BSD - * Suns and others. Suns have only a `ttysize', so we convert it to a winsize. - */ -#ifdef sun -int -get_window_size(fd, wp) - int fd; - struct winsize *wp; -{ - struct ttysize ts; - int error; - - if ((error = ioctl(0, TIOCGSIZE, &ts)) != 0) - return(error); - wp->ws_row = ts.ts_lines; - wp->ws_col = ts.ts_cols; - wp->ws_xpixel = 0; - wp->ws_ypixel = 0; - return(0); -} -#endif diff --git a/src/lib/gssapi/sample/flogind.c b/src/lib/gssapi/sample/flogind.c deleted file mode 100644 index 956a06848..000000000 --- a/src/lib/gssapi/sample/flogind.c +++ /dev/null 
@@ -1,456 +0,0 @@ -/* - * Copyright (c) 1983 The Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the University of California, Berkeley. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#ifndef lint -char copyright[] = -"@(#) Copyright (c) 1983 The Regents of the University of California.\n\ - All rights reserved.\n"; -#endif /* not lint */ - -#ifndef lint -static char sccsid[] = "@(#)rlogind.c 5.17 (Berkeley) 8/31/88"; -#endif /* not lint */ - -/* - * remote login server: - * remuser\0 - * locuser\0 - * terminal info\0 - * data - */ - -#include -#include -#include -#include -#include -#include - -#include - -#include -#include -#include -#include -#include -#include -#include - -#define LOGIN_PROGRAM "/usr/etc/login.sphinx" - -#define des_read read -#define des_write write - -# ifndef TIOCPKT_WINDOW -# define TIOCPKT_WINDOW 0x80 -# endif TIOCPKT_WINDOW - -extern int errno; -int reapchild(); -struct passwd *getpwnam(); -char *malloc(); - -int Pfd; - -/* ARGSUSED */ -main(argc, argv) - int argc; - char **argv; -{ - int on = 1, fromlen; - struct sockaddr_in from; - - fromlen = sizeof (from); - if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) { - fprintf(stderr, "%s: ", argv[0]); - perror("getpeername"); - _exit(1); - } - if (setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof (on)) < 0) { - 
syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m"); - } - doit(0, &from); -} - -int child; -int cleanup(); -int netf; -char *line; -extern char *inet_ntoa(); - -struct winsize win = { 0, 0, 0, 0 }; - - -doit(f, fromp) - int f; - struct sockaddr_in *fromp; -{ - int i, p, t, pid, on = 1; - int pipes[2]; - - register struct hostent *hp; - struct hostent hostent; - char c; - - alarm(60); - read(f, &c, 1); - if (c != 0) - exit(1); - alarm(0); - fromp->sin_port = ntohs((u_short)fromp->sin_port); - hp = gethostbyaddr(&fromp->sin_addr, sizeof (struct in_addr), - fromp->sin_family); - if (hp == 0) { - /* - * Only the name is used below. - */ - hp = &hostent; - hp->h_name = inet_ntoa(fromp->sin_addr); - } - - if (fromp->sin_family != AF_INET || - fromp->sin_port < IPPORT_RESERVED) - fatal(f, "Permission denied"); - - write(f, "", 1); - for (c = 'p'; c <= 's'; c++) { - struct stat stb; - line = "/dev/ptyXX"; - line[strlen("/dev/pty")] = c; - line[strlen("/dev/ptyp")] = '0'; - if (stat(line, &stb) < 0) - break; - for (i = 0; i < 16; i++) { - line[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i]; - p = open(line, O_RDWR); - if (p > 0) - goto gotpty; - } - } - fatal(f, "Out of ptys"); - /*NOTREACHED*/ -gotpty: - (void) ioctl(p, TIOCSWINSZ, &win); - netf = f; - line[strlen("/dev/")] = 't'; - t = open(line, O_RDWR); - if (t < 0) - fatalperror(f, line); - if (fchmod(t, 0)) - fatalperror(f, line); - (void)signal(SIGHUP, SIG_IGN); - vhangup(); - (void)signal(SIGHUP, SIG_DFL); - t = open(line, O_RDWR); - if (t < 0) - fatalperror(f, line); - { - struct sgttyb b; - - (void)ioctl(t, TIOCGETP, &b); - b.sg_flags = RAW|ANYP; - (void)ioctl(t, TIOCSETP, &b); - } -#ifdef DEBUG - { - int tt = open("/dev/tty", O_RDWR); - if (tt > 0) { - (void) ioctl(tt, TIOCNOTTY, 0); - (void) close(tt); - } - } -#endif - t = open(line, 2); - if (t < 0) - fatalperror(f, line, errno); - { struct sgttyb b; - gtty(t, &b); b.sg_flags = RAW|ANYP; stty(t, &b); - } - - if (pipe(pipes) < 0) { - fatalperror(2, "pipe", 
errno); - } - - pid = fork(); - if (pid < 0) - fatalperror(f, "", errno); - if (pid == 0) { - close(f), close(p); - close(pipes[1]); - dup2(t, 0), dup2(t, 1), dup2(t, 2); - if (pipes[0] != 3) { dup2(pipes[0], 3); close(pipes[0]); } - close(t); - - /* Under Ultrix 3.0, the pgrp of the slave pty terminal - needs to be set explicitly. Why rlogind works at all - without this on 4.3BSD is a mystery. - It seems to work fine on 4.3BSD with this code enabled. - */ - pid = getpgrp(getpid()); - ioctl(0, TIOCSPGRP, &pid); - execl("/usr/etc/login.sphinx", "login.sphinx", "-g", hp->h_name, 0); - fatalperror(2, "/usr/etc/login.sphinx", errno); - /*NOTREACHED*/ - } - close(t); - close(pipes[0]); - ioctl(f, FIONBIO, &on); - ioctl(p, FIONBIO, &on); - ioctl(p, TIOCPKT, &on); - signal(SIGTSTP, SIG_IGN); - signal(SIGCHLD, cleanup); - setpgrp(0, 0); - protocol(f, p, pipes[1]); - signal(SIGCHLD, SIG_IGN); - cleanup(); -} - -char magic[2] = { 0377, 0377 }; -char oobdata[] = {TIOCPKT_WINDOW}; - -/* - * Handle a "control" request (signaled by magic being present) - * in the data stream. For now, we are only willing to handle - * window size changes. - */ -control(pty, cp, n) - int pty; - char *cp; - int n; -{ - struct winsize w; - - if (n < 4+sizeof (w) || cp[2] != 's' || cp[3] != 's') - return (0); - oobdata[0] &= ~TIOCPKT_WINDOW; /* we know he heard */ - bcopy(cp+4, (char *)&w, sizeof(w)); - w.ws_row = ntohs(w.ws_row); - w.ws_col = ntohs(w.ws_col); - w.ws_xpixel = ntohs(w.ws_xpixel); - w.ws_ypixel = ntohs(w.ws_ypixel); - (void)ioctl(pty, TIOCSWINSZ, &w); - return (4+sizeof (w)); -} - -/* - * flogin "protocol" machine. - */ -protocol(f, p, pipe) - int f, p, pipe; -{ - char pibuf[1024], fibuf[1024], *pbp, *fbp; - register pcc = 0, fcc = 0; - int cc; - int on = 1, off = 0, done = 0; - char cntl; - - /* - * Must ignore SIGTTOU, otherwise we'll stop - * when we try and set slave pty's window shape - * (our controlling tty is the master pty). 
- */ - (void) signal(SIGTTOU, SIG_IGN); - send(f, oobdata, 1, MSG_OOB); /* indicate new rlogin */ - ioctl(f, FIONBIO, &off); - for (cc = 0; cc < 4; cc++) { - if (1 != read(f, &fibuf[cc], 1)) { - done = 1; - break; - } - } - if (!done) { - int len = ((u_char *)fibuf)[2] * 256 + ((u_char *)fibuf)[3]; - pcc = write(pipe, fibuf, cc); - if (pcc <= 0) { - done = 1; - syslog(LOG_INFO, "write(pipe [%d], fibuf, %d): %d: %m", - pipe, cc, pcc); - } - while (!done && len > 0) { - char *fbp = fibuf; - cc = read(f, fibuf, len); - if (cc <= 0) { - done = 1; - syslog(LOG_INFO, "read(f, fibuf, %d): %d: %m",len, cc); - break; - } - len -= cc; - while (cc > 0) { - pcc = write(pipe, fbp, cc); - if (pcc <= 0) { - done = 1; - syslog(LOG_INFO, "write(pipe [%d], fbp, %d): %d: %m", - pipe, cc, pcc); - break; - } - cc -= pcc; - fbp += pcc; - } - } - } - ioctl(f, FIONBIO, &on); - - close(pipe); fcc = 0; pcc = 0; - for (;;) { - int ibits, obits, ebits; - - ibits = 0; - obits = 0; - if (fcc) - obits |= (1<= 0) - if (pcc) - obits |= (1< 0) - -bcopy(cp+n, cp, left); - fcc -= n; - goto top; /* n^2 */ - } - } - } - } - - if ((obits & (1< 0) { - cc = write(p, fbp, fcc); - if (cc > 0) { - fcc -= cc; - fbp += cc; - } - } - - if (ibits & (1< 0) { - cc = des_write(f, pbp, pcc); - if (cc < 0 && errno == EWOULDBLOCK) { - /* also shouldn't happen */ - sleep(5); - continue; - } - if (cc > 0) { - pcc -= cc; - pbp += cc; - } - } - } -} - -cleanup() -{ - char *p; - - p = line + sizeof("/dev/") - 1; - if (!logout(p)) - logwtmp(p, "", ""); - (void)chmod(line, 0666); - (void)chown(line, 0, 0); - *p = 'p'; - (void)chmod(line, 0666); - (void)chown(line, 0, 0); - shutdown(netf, 2); - exit(1); -} - -fatal(f, msg) - int f; - char *msg; -{ - char buf[BUFSIZ]; - - buf[0] = '\01'; /* error indicator */ - (void) sprintf(buf + 1, "rlogind: %s.\r\n", msg); - (void) write(f, buf, strlen(buf)); - exit(1); -} - -fatalperror(f, msg) - int f; - char *msg; -{ - char buf[BUFSIZ]; - extern int sys_nerr; - extern char 
*sys_errlist[]; - - if ((unsigned)errno < sys_nerr) - (void) sprintf(buf, "%s: %s", msg, sys_errlist[errno]); - else - (void) sprintf(buf, "%s: Error %d", msg, errno); - fatal(f, buf); -} diff --git a/src/lib/gssapi/sample/gssapi.mail b/src/lib/gssapi/sample/gssapi.mail deleted file mode 100644 index fce920904..000000000 --- a/src/lib/gssapi/sample/gssapi.mail +++ /dev/null 
@@ -1,54 +0,0 @@ -BABYL OPTIONS: -Version: 5 -Labels: -Note: This is the header of an rmail file. -Note: If you are seeing it in rmail, -Note: it means the file has no messages in it. - -1,, -Received: by E40-PO.MIT.EDU (5.45/4.7) id AA21631; Fri, 31 May 91 18:18:51 EDT -Received: from uucp-gw-1.pa.dec.com by ATHENA.MIT.EDU with SMTP - id AA27178; Fri, 31 May 91 18:16:24 EDT -Received: by uucp-gw-1.pa.dec.com; id AA17698; Fri, 31 May 91 10:48:08 -0700 -Received: by sejour.lkg.dec.com (5.57/Ultrix4.0) - id AA11377; Fri, 31 May 91 13:51:46 -0400 -Message-Id: <9105311751.AA11377@sejour.lkg.dec.com> -To: tytso@ATHENA.MIT.EDU -Cc: kannan@sejour.lkg.dec.com -Subject: Re: testing GSS API -In-Reply-To: Your message of Thu, 30 May 91 18:25:28 -0400. - <9105302225.AA24140@tsx-11.MIT.EDU> -Date: Fri, 31 May 91 13:51:44 EDT -From: kannan@sejour.lkg.dec.com - -*** EOOH *** -To: tytso@ATHENA.MIT.EDU -Cc: kannan@sejour.lkg.dec.com -Subject: Re: testing GSS API -In-Reply-To: Your message of Thu, 30 May 91 18:25:28 -0400. - <9105302225.AA24140@tsx-11.MIT.EDU> -Date: Fri, 31 May 91 13:51:44 EDT -From: kannan@sejour.lkg.dec.com - -Here is the new rlogin code. BTW, it is also being distributed with -the SPX v2.1 kit. - -I'm sending you the following files: - - Makefile, flogin.c, flogind.c, and login.c - -> The real test is whether or not the application runs. - -I agree. Does this mean that you will implement the "unofficial" GSS API -routines used in the flogin code? - - -kannan - -========== Makefile ====================== - -===================== flogin.c ======================== - -===================== flogind.c ================ - -===================== login.c ====================== - \ No newline at end of file diff --git a/src/lib/gssapi/sample/kitest.c b/src/lib/gssapi/sample/kitest.c deleted file mode 100644 index 0ec048ce1..000000000 --- a/src/lib/gssapi/sample/kitest.c +++ /dev/null 
@@ -1,742 +0,0 @@ -/* KITEST-MASTER.C */ -/* */ -/* Program to build GSSAPI-compliant Kerberos authentication packets, using */ -/* the Kerberos V5 (Beta 2) GSSAPI implementation, and attempt to */ -/* authenticate to a DCE/GSSAPI implementation. */ -/* */ -/* Since both GSSAPI implementations share the same routine names, two */ -/* executables are built by linking against either the DCE/GSSAPI or the */ -/* Kerberos V5 GSSAPI library. This file is compiled with the preprocessor */ -/* name KERBEROS defined if it is to invoke the Kerberos API, and with DCE */ -/* defined if it is to link against the DCE/GSSAPI. */ -/* */ -/* Invocation should specify two parameters - */ -/* 1) Name of initiating principal */ -/* 2) Name of accepting principal */ -/* */ -/* A flag '-S' is used to specify the name of the file that process will */ -/* activate as a slave. */ -/* */ -/* So to test, for example, Kerberos against Kerberos, and assuming that */ -/* the executable is called kitest-krb, you'd set up a Kerberos credential */ -/* for using kinit, and arrange for a server Kerberos */ -/* credential for to be available in a keytable, and issue */ -/* the command: */ -/* kitest-krb -S kitest-krb */ -/* */ -/* The original process becomes the context initiator, while the spawned */ -/* subprocess (running the executable specified after the -S flag) is */ -/* expected to act as the context acceptor. */ - -#if defined(KERBEROS) && defined(DCE) -#error "Both KERBEROS and DCE specified" -#endif - -#if !defined(KERBEROS) && !defined(DCE) -#error "Neither KERBEROS nor DCE defined" -#endif - -/* You need to create links from krb-gssapi.h to the Kerberos gssapi.h, and */ -/* from dce-gssapi.h to the DCE gssapi.h. */ -#ifdef KERBEROS -#include "krb-gssapi.h" -#endif - -#ifdef DCE -#include "dce-gssapi.h" -#endif - - -#include -#include -#include -#include -#include -#include - -#ifndef GSS_ERROR -#define GSS_ERROR(x) (x & 0xffff0000) -/* The Kerberos gssapi.h doesn't define this macro. 
*/ -#endif - -#define DOWN_CHANNEL 3 -/* Don't understand why stdin doesn't work here, but channel 3 seems to */ -/* work fine. */ - -#define INITIAL_CHILD_MESSAGES 7 - -extern int errno; - -int master = 0; -int inpipe[2]; -int outpipe[2]; -int errpipe[2]; - -gss_name_t source_internal_name; -gss_name_t target_internal_name; -gss_name_t source_authenticated_name; -gss_buffer_desc source_name_buffer; -gss_buffer_desc target_name_buffer; - -gss_cred_id_t my_cred_handle; -gss_cred_id_t delegated_cred_handle; -gss_ctx_id_t my_ctx_handle; -gss_OID_set actual_cred_mech_set; -gss_OID actual_ctx_mech_type; -OM_uint32 actual_cred_time_rec; -OM_uint32 actual_ctx_time_rec; -gss_buffer_desc token_to_send; -gss_buffer_desc token_received; -int actual_ret_flags; -struct gss_channel_bindings_struct my_channel_bindings; - -char source_name[512]; -char target_name[512]; - -char my_host_name[50]; -char my_internet_address[4]; -struct hostent * my_hostent; - -unsigned char received_token_buffer[2048]; -unsigned received_length; - -OM_uint32 major_status; -OM_uint32 kept_status; -OM_uint32 minor_status; - -int subprocess_pid = 0; - -char line_buffer[128]; -int chars_read; - -void indicate_data(void) { - fprintf(stderr, "\a\n"); - fflush(stderr); -} - -void send_data(void * ptr, unsigned length) { - unsigned char length_buf[2]; - unsigned char * char_ptr; - int data_sent; - - char_ptr = (unsigned char *)ptr; - - length_buf[0] = length & 0xff; - length_buf[1] = (length & 0xff00) >> 8; - - if (master) { -/* Data is sent via inpipe. 
*/ - errno = 0; - if ((data_sent = write(inpipe[1], length_buf, 2)) != 2) { - fprintf(stderr, - "Write of length sent %d bytes, expected 2\n", - data_sent); - fflush(stderr); - if (data_sent == -1) { - fprintf(stderr, - "Errno: %d\n", - errno); - fflush(stderr); - }; - }; - errno = 0; - if ((data_sent =write(inpipe[1], ptr, length)) != length) { - fprintf(stderr, - "Write of length sent %d bytes, expected 2\n", - data_sent); - fflush(stderr); - if (data_sent == -1) { - fprintf(stderr, - "Errno: %d\n", - errno); - fflush(stderr); - }; - }; - fprintf(stderr, "Sending data (length = %d):\n", length); - fprintf(stderr, " %2.2X %2.2X %2.2X %2.2X %2.2X...\n", - char_ptr[0], char_ptr[1], char_ptr[2], - char_ptr[3], char_ptr[4]); - } else { -/* Data is sent via stdout, and a data indication on stderr. */ - fwrite(length_buf, 2, 1, stdout); - fwrite(ptr, length, 1, stdout); - fflush(stdout); - indicate_data(); - }; -} - -void receive_data(void * ptr, unsigned * length) { - unsigned char length_buf[2]; - unsigned char * char_ptr; - int data_read; - - char_ptr = (unsigned char *)ptr; - - if (master) { -/* Data is received via outpipe. A data indication is assumed to have been */ -/* received on errpipe, otherwise this routine will hang. 
*/ - read(outpipe[0], length_buf, 2); - *length = length_buf[0] | (length_buf[1]<<8); - read(outpipe[0], ptr, *length); - } else { -/* Data is received on fd3 */ - errno = 0; - if ((data_read = read(DOWN_CHANNEL, length_buf, 2)) != 2) { - fprintf(stderr, - "Error: received %d bytes for length, expecting 2\n", - data_read); - fflush(stderr); - if (data_read == -1) { - fprintf(stderr, "errno: %d\n", errno); - fflush(stderr); - }; - }; - - *length = length_buf[0] | (length_buf[1]<<8); - - errno = 0; - if ((data_read = read(DOWN_CHANNEL, ptr, *length)) != *length) { - fprintf(stderr, - "Error: received %d bytes for data, expecting %d\n", - data_read, *length); - fflush(stderr); - if (data_read == -1) { - fprintf(stderr, "errno: %d\n", errno); - fflush(stderr); - }; - }; - - fprintf(stderr, "Received data (length = %d):\n", *length); - fprintf(stderr, " %2.2X %2.2X %2.2X %2.2X %2.2X...\n", - char_ptr[0], char_ptr[1], char_ptr[2], - char_ptr[3], char_ptr[4]); - - }; -} - -int read_subproc_line(char * ptr, unsigned buf_length) { -/* Returns length of data read, or zero if binary data waiting. 
*/ - int bytes_read = 0; - int finished = 0; - if (!master) { - fprintf(stderr, "Error: Child called read_subproc_data\n"); - fflush(stderr); - exit(2); - } else { - while (!finished) { - read(errpipe[0], &ptr[bytes_read], 1); - if (ptr[bytes_read] == '\n') finished = 1; - if (bytes_read >= buf_length) finished = 1; - bytes_read ++; - }; - if (bytes_read == 2 && ptr[0] == '\a') return 0; - else return bytes_read; - }; -} - -void display_error(char * where, OM_uint32 maj_stat, OM_uint32 min_stat) { - int context = 0; - OM_uint32 major_status, minor_status; - gss_buffer_desc message_buffer; - - fprintf(stderr, "Error: %s\n", where); - fprintf(stderr, "Major status (%d) (min = %d):\n", maj_stat, min_stat); - fflush(stderr); - do { - message_buffer.length = 0; - message_buffer.value = NULL; - major_status = gss_display_status(&minor_status, - maj_stat, - GSS_C_GSS_CODE, - GSS_C_NULL_OID, - &context, - &message_buffer); - fprintf(stderr, - " message_buffer.length = %u, message_buffer.value = %p\n", - message_buffer.length, message_buffer.value); - fflush(stderr); - if (message_buffer.length = 0) { - fprintf(stderr, - " %.*s\n", - message_buffer.length, - message_buffer.value); - major_status = gss_release_buffer(&minor_status, &message_buffer); - } else { - fprintf(stderr, "-- no message --\n"); - /* If we've been asked to translate an invalid status code */ - }; - fflush(stderr); - - } while (context != 0); - fprintf(stderr, "Minor status:\n"); - fflush(stderr); - major_status = gss_display_status(&minor_status, - min_stat, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &context, - &message_buffer); - fprintf(stderr, - " %.*s\n", - message_buffer.length, - message_buffer.value); - fflush(stderr); - - major_status = gss_release_buffer(&minor_status, &message_buffer); - -} - -void import_names(void) { - - source_name_buffer.value = (void *)&source_name[0]; - source_name_buffer.length = strlen(source_name); - - major_status = gss_import_name(&minor_status, - &source_name_buffer, 
- GSS_C_NULL_OID, - &source_internal_name); - - if (major_status != GSS_S_COMPLETE) - display_error("Importing source principal", major_status, minor_status); - - target_name_buffer.value = (void *)&target_name[0]; - target_name_buffer.length = strlen(target_name); - - major_status = gss_import_name(&minor_status, - &target_name_buffer, - GSS_C_NULL_OID, - &target_internal_name); - - if (major_status != GSS_S_COMPLETE) - display_error("Importing target principal", major_status, minor_status); - -} - - -void alarm_handler(int sig) { - fprintf(stderr, "SIGALRM received, terminating subprocess\n"); - fflush(stderr); - kill(subprocess_pid, SIGTERM); - exit(0); -} - - -void flush_subprocess_message_queue_and_exit(void) { - - signal(SIGALRM, alarm_handler); - alarm(10); - - do { - chars_read = read_subproc_line(line_buffer, - sizeof(line_buffer)); - if (chars_read == 0) { - fprintf(stderr, - "Unexpected binary data received from child\n"); - fflush(stderr); - receive_data(received_token_buffer, - &received_length); - } else { - fprintf(stderr,"CHILD> %.*s", chars_read, line_buffer); - }; - fflush(stderr); - } while (1); -} - -void sigpipe_handler(int sig) { - fprintf(stderr, "SIGPIPE received, flushing subprocess message queue\n"); - fflush(stderr); - flush_subprocess_message_queue_and_exit(); -} - -int main(int argc, char *argv[]) { - - int c; - int errflg = 0; - char * image_name; - int pid; - - int i; - - extern int optind, opterr; - extern char * optarg; - - int blocking; - - while ((c = getopt(argc, argv, "S:")) != EOF) { - switch (c) { - case 'S' : master = 1; - image_name = optarg; - break; - case '?' 
: errflg++; - break; - }; - }; - - if (optind < argc) { - strncpy(source_name, argv[optind++], sizeof(source_name)-1); - } else { - fprintf(stderr, "Error: Source name (prin-1) missing\n"); - errflg++; - }; - - if (optind < argc) { - strncpy(target_name, argv[optind++], sizeof(source_name)-1); - } else { - fprintf(stderr, "Error: Target name (prin-2) missing\n"); - errflg++; - }; - - if (optind < argc) { - fprintf(stderr, "Error: too many parameters\n"); - errflg++; - }; - - if (errflg) { - fprintf(stderr, "Usage: %s -S \n", argv[0]); - exit(2); - }; - - gethostname(my_host_name, sizeof(my_host_name)); - my_hostent = gethostbyname(my_host_name); - memcpy(&my_internet_address, my_hostent->h_addr_list[0], 4); - - fprintf(stderr,"Host: '%s', %u.%u.%u.%u\n", - my_host_name, - my_internet_address[0], - my_internet_address[1], - my_internet_address[2], - my_internet_address[3]); - - my_channel_bindings.initiator_addrtype = GSS_C_AF_INET; - my_channel_bindings.initiator_address.length = 4; - my_channel_bindings.initiator_address.value = my_internet_address; - - my_channel_bindings.acceptor_addrtype = GSS_C_AF_INET; - my_channel_bindings.acceptor_address.length = 4; - my_channel_bindings.acceptor_address.value = my_internet_address; - - my_channel_bindings.application_data.length = 0; - my_channel_bindings.application_data.value = NULL; - - my_ctx_handle = GSS_C_NO_CONTEXT; - - if (!master) { - -/* Subprocess. 
*/ - - fprintf(stderr, "Importing names\n"); - fflush(stderr); - - import_names(); - - fprintf(stderr, "Calling acquire_cred\n"); - fflush(stderr); - - major_status = gss_acquire_cred(&minor_status, - target_internal_name, - 60 * 60 * 24, - GSS_C_NULL_OID_SET, - GSS_C_ACCEPT, - &my_cred_handle, - &actual_cred_mech_set, - &actual_cred_time_rec); - - if (major_status != GSS_S_COMPLETE) { - display_error("Acquiring ACCEPT credential for target principal", - major_status, minor_status); - while (1) ; - }; - - fprintf(stderr, "Returned from acquire_cred, waiting for token from parent\n"); - fflush(stderr); - - do { - - receive_data(received_token_buffer, - &received_length); - token_received.value = (void *)received_token_buffer; - token_received.length = received_length; - - fprintf(stderr, "Got token, calling accept_sec_context\n"); - fflush(stderr); - - major_status = gss_accept_sec_context(&minor_status, - &my_ctx_handle, - my_cred_handle, - &token_received, - &my_channel_bindings, - &source_authenticated_name, - &actual_ctx_mech_type, - &token_to_send, - &actual_ret_flags, - &actual_ctx_time_rec, - &delegated_cred_handle); - kept_status = major_status; - - if (GSS_ERROR(major_status)) { - display_error("ACCEPT_SEC_CONTEXT", - major_status, minor_status); - while (1) ; - }; - - if (token_to_send.length != 0) { - send_data(token_to_send.value, token_to_send.length); - major_status = gss_release_buffer(&minor_status, - &token_to_send); - }; - - if (kept_status & GSS_S_CONTINUE_NEEDED) { - receive_data(received_token_buffer, - &received_length); - token_received.value = (void *)received_token_buffer; - token_received.length = received_length; - }; - - } while (kept_status & GSS_S_CONTINUE_NEEDED); - - if (!GSS_ERROR(kept_status)) { - fprintf(stderr, "Authenticated context established\n"); - } else { - fprintf(stderr, "Context not established\n"); - }; - fflush(stderr); - while (1) ; - } else { -/* We need to create three pipes - inpipe, outpipe and errpipe, to which */ 
-/* the subprocess will connect its fd3, stdout and stderr channels. */ - - if (pipe(inpipe) < 0) { - fprintf(stderr, "Error: Can't make inpipe\n"); - exit(2); - }; - if (pipe(outpipe) < 0) { - fprintf(stderr, "Error: Can't make outpipe\n"); - exit(2); - }; - if (pipe(errpipe) < 0) { - fprintf(stderr, "Error: Can't make errpipe\n"); - exit(2); - }; - - if ((subprocess_pid = fork()) == 0) { -/* This is the slave subprocess in a two-process chain. Connect inpipe, */ -/* outpipe and errpipe to fd3, stderr and stdout, and then exec the slave */ -/* image. */ - fprintf(stderr, "CHILD: forked, closing pipes\n"); - fflush(stderr); - - close(inpipe[1]); /* Close write end of inpipe */ - close(outpipe[0]); /* Close read end of outpipe */ - close(errpipe[0]); /* Close read end of errpipe */ - - - write (errpipe[1], - "Child process forked (write to errpipe[1])\n", - strlen("Child process forked (write to errpipe[1])\n") - ); - - if (dup2(inpipe[0], DOWN_CHANNEL) == -1) { - fprintf(stderr, "CHILD: Can't dup2 inpipe[0]\n"); - fflush(stderr); - }; - /* Attach inpipe to fd3 */ - if (dup2(outpipe[1], 1) == -1) { - fprintf(stderr, "CHILD: Can't dup2 outpipe[1]\n"); - fflush(stderr); - }; - /* Attach outpipe to stdout */ - if (dup2(errpipe[1], 2) == -1) { - fprintf(stderr, "CHILD: Can't dup2 errpipe[1]\n"); - fflush(stderr); - }; - /* Attach errpipe to stderr */ - - write (2, - "Child process forked (write to fd2)\n", - strlen("Child process forked (write to fd2)\n") - ); - - fprintf(stderr, "Execing %s\n", image_name); - fflush(stderr); - - execl(image_name, image_name, source_name, target_name, (char *)0); - - fprintf(stderr, "Error: Couldn't exec %s\n", image_name); - exit(2); - - } else if (subprocess_pid < 0) { - fprintf(stderr, "Error: Fork returned %d\n", subprocess_pid); - exit(2); - } else { -/* This is the master process in a two-process chain. The slave process */ -/* has connected inpipe, outpipe and errpipe to its fd3, stdout and */ -/* stderr. 
We have to use the other ends. */ - - - close(inpipe[0]); /* Close read end of inpipe */ - close(outpipe[1]); /* Close write end of outpipe */ - close(errpipe[1]); /* Close write end of errpipe */ - -/* A simple protocol will be used between master and slave processes. The */ -/* subprocess (slave) will always expect that data received on its inpipe */ -/* will be binary messages, preceeded by a two-byte count. Messages from */ -/* slave to master will be sent on the errpipe channel if they are text */ -/* messages, and on outpipe if they are binary data (preceeded as above by */ -/* a two-byte count field). The presence of a binary message in the */ -/* outpipe will be indicated by writing the sequence "\a\n" to errpipe. */ -/* This protocol is implemented in the master by the routine */ -/* read_subproc_line, which reads a single line of text from the */ -/* subprocess, returning either its length, or zero to indicate that binary */ -/* data is waiting. Binary data is received by either process by invoking */ -/* the receive_data routine, and sent by invoking the send_data routine. */ -/* The receive_data routine will block until the data is available, so */ -/* care should be taken in the master not to call this routine unless a */ -/* data indication has already been received. */ - -/* Master: */ - signal(SIGPIPE, sigpipe_handler); - -/* The child will send us messages on start-up (at least */ -/* INITIAL_CHILD_MESSAGES of them), so we'll read them here to make sure we */ -/* catch a sleepy child early. 
*/ - - fprintf(stderr, "Parent waiting for wake-up call from child...\n"); - fflush(stderr); - - signal(SIGALRM, alarm_handler); - alarm(10); - - for (i=0; i %.*s", chars_read, line_buffer); - }; - fflush(stderr); - - }; - - alarm(0); - - fprintf(stderr, "Parent continuing, importing names...\n"); - fflush(stderr); - - import_names(); - - fprintf(stderr, "Parent got names...\n"); - fflush(stderr); - -#ifdef KERBEROS - -/* This version of the acquire_cred code requests the client credential */ -/* explicitly by name; the DCE version uses no name, meaning "give me a */ -/* to the default credential. */ - - fprintf(stderr, "Parent calling acquire_cred...\n"); - fflush(stderr); - - major_status = gss_acquire_cred(&minor_status, - source_internal_name, - 60 * 60 * 24, - GSS_C_NULL_OID_SET, - GSS_C_INITIATE, - &my_cred_handle, - &actual_cred_mech_set, - &actual_cred_time_rec); - - fprintf(stderr, "Parent returned from acquire_cred.\n"); - fflush(stderr); - -#endif -#ifdef DCE - major_status = gss_acquire_cred(&minor_status, - GSS_C_NO_NAME, - 60 * 60 * 24, - GSS_C_NULL_OID_SET, - GSS_C_INITIATE, - &my_cred_handle, - &actual_cred_mech_set, - &actual_cred_time_rec); -#endif - if (major_status != GSS_S_COMPLETE) - display_error("Acquiring INITIATE credential for source principal", - major_status, minor_status); - - - token_received.length = 0; - token_received.value = NULL; - - do { - - fprintf(stderr, "Parent calling init_sec_ctx...\n"); - fflush(stderr); - - major_status = gss_init_sec_context(&minor_status, - my_cred_handle, - &my_ctx_handle, - target_internal_name, - GSS_C_NULL_OID, - GSS_C_MUTUAL_FLAG, - 60 * 60 * 23, - &my_channel_bindings, - &token_received, - &actual_ctx_mech_type, - &token_to_send, - &actual_ret_flags, - &actual_ctx_time_rec); - - fprintf(stderr, "Parent returned from init_sec_ctx...\n"); - fflush(stderr); - - kept_status = major_status; - - if (GSS_ERROR(major_status)) - display_error("INIT_SEC_CONTEXT", - major_status, minor_status); - - if 
(token_to_send.length != 0) { - - fprintf(stderr, "Parent transmitting token...\n"); - fflush(stderr); - - send_data(token_to_send.value, token_to_send.length); - major_status = gss_release_buffer(&minor_status, - &token_to_send); - }; - - if (kept_status & GSS_S_CONTINUE_NEEDED) { - signal(SIGALRM, alarm_handler); - alarm(30); - while ((chars_read = read_subproc_line(line_buffer, - sizeof(line_buffer)) - ) != 0) { - fprintf(stderr, "CHILD> %.*s", chars_read, line_buffer); - }; - alarm(0); - receive_data(received_token_buffer, - &received_length); - token_received.value = (void *)received_token_buffer; - token_received.length = received_length; - }; - - } while (kept_status & GSS_S_CONTINUE_NEEDED); - - if (!GSS_ERROR(kept_status)) { - fprintf(stderr, "Authenticated context established\n"); - } else { - fprintf(stderr, "Context not established\n"); - }; - fflush(stderr); - - flush_subprocess_message_queue_and_exit(); - - }; - }; -} diff --git a/src/lib/gssapi/sample/login.c b/src/lib/gssapi/sample/login.c deleted file mode 100644 index 03aaf4520..000000000 --- a/src/lib/gssapi/sample/login.c +++ /dev/null 
@@ -1,1011 +0,0 @@ -/* - * Copyright (c) 1980, 1987, 1988 The Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the University of California, Berkeley. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#ifndef lint -char copyright[] = -"@(#) Copyright (c) 1980, 1987, 1988 The Regents of the University of California.\n\ - All rights reserved.\n"; -#endif /* not lint */ - -#ifndef lint -static char sccsid[] = "@(#)login.c 5.25 (Berkeley) 1/6/89"; -#endif /* not lint */ - -/* - * login [ name ] - * login -r hostname (for rlogind) - * login -h hostname (for telnetd, etc.) - * login -f name (for pre-authenticated login: datakit, xterm, etc.) 
- * ifdef KERBEROS - * login -e name (for pre-authenticated encrypted, must do term - * negotiation) - * login -k hostname (for Kerberos rlogind with password access) - * login -K hostname (for Kerberos rlogind with restricted access) - * endif KERBEROS - */ - -#include -#ifndef VFS -#include -#endif /* VFS */ -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#ifndef NOTTYENT -#include -#endif /* NOTTYENT */ -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include "gssapi_defs.h" - -#define TOKEN_MAJIC_NUMBER_BYTE0 1 -#define TOKEN_MAJIC_NUMBER_BYTE1 1 - -char userfullname[GSS_C_MAX_PRINTABLE_NAME]; -char userlocalname[GSS_C_MAX_PRINTABLE_NAME]; -gss_cred_id_t gss_delegated_cred_handle; - -#ifdef UIDGID_T -/* uid_t getuid(); */ -#define uid_type uid_t -#define gid_type gid_t -#else -/* int getuid(); */ -#define uid_type int -#define gid_type int -#endif /* UIDGID_T */ - -#define TTYGRPNAME "tty" /* name of group to own ttys */ - -#define MOTDFILE "/etc/motd" -#define MAILDIR "/usr/spool/mail" -#define NOLOGIN "/etc/nologin" -#define HUSHLOGIN ".hushlogin" -#define LASTLOG "/usr/adm/lastlog" -#define BSHELL "/bin/sh" - -#ifdef VFS -#define QUOTAWARN "/usr/ucb/quota" /* warn user about quotas */ -#endif /* VFS */ - -#define UT_HOSTSIZE sizeof(((struct utmp *)0)->ut_host) -#define UT_NAMESIZE sizeof(((struct utmp *)0)->ut_name) - -/* - * This bounds the time given to login. Not a define so it can - * be patched on machines where it's too small. 
- */ -int timeout = 300; - -struct passwd *pwd; -char term[64], *hostname, *username; - -gss_ctx_id_t context_handle; - -struct sgttyb sgttyb; -struct tchars tc = { - CINTR, CQUIT, CSTART, CSTOP, CEOT, CBRK -}; -struct ltchars ltc = { - CSUSP, CDSUSP, CRPRNT, CFLUSH, CWERASE, CLNEXT -}; - -extern int errno; - -#ifdef POSIX -typedef void sigtype; -#else -typedef int sigtype; -#endif /* POSIX */ - -#define EXCL_TEST if (rflag || kflag || Kflag || eflag || \ - fflag || hflag) { \ - fprintf(stderr, \ - "login: only one of -r, -k, -K, -e, -h and -f allowed.\n"); \ - exit(1);\ - } -main(argc, argv) - int argc; - char **argv; -{ - extern int optind; - extern char *optarg, **environ; - struct group *gr; - register int ch; - register char *p; - - int gflag; - - int fflag, hflag, pflag, rflag, cnt; - int kflag, Kflag, eflag; - int quietlog, passwd_req, ioctlval, major_status, minor_status; - sigtype timedout(); - char *domain, *salt, *envinit[1], *ttyn, *tty; - char tbuf[MAXPATHLEN + 2]; - char *ttyname(), *stypeof(), *crypt(), *getpass(); - time_t time(); - off_t lseek(); - - (void)signal(SIGALRM, timedout); - (void)alarm((u_int)timeout); - (void)signal(SIGQUIT, SIG_IGN); - (void)signal(SIGINT, SIG_IGN); - (void)setpriority(PRIO_PROCESS, 0, 0); -#ifndef VFS - (void)quota(Q_SETUID, 0, 0, 0); -#endif /* VFS */ - - /* - * -s is used by flogind to cause the SPX autologin protocol; - * -p is used by getty to tell login not to destroy the environment - * -r is used by rlogind to cause the autologin protocol; - * -f is used to skip a second login authentication - * -e is used to skip a second login authentication, but allows - * login as root. 
- * -h is used by other servers to pass the name of the - * remote host to login so that it may be placed in utmp and wtmp - * -k is used by klogind to cause the Kerberos autologin protocol; - * -K is used by klogind to cause the Kerberos autologin protocol with - * restricted access.; - */ - (void)gethostname(tbuf, sizeof(tbuf)); - domain = index(tbuf, '.'); - - fflag = hflag = pflag = rflag = kflag = Kflag = eflag = 0; - passwd_req = 1; - while ((ch = getopt(argc, argv, "feh:pr:k:K:g:")) != EOF) - switch (ch) { - case 'f': - EXCL_TEST; - fflag = 1; - break; - case 'h': - EXCL_TEST; - if (getuid()) { - fprintf(stderr, - "login: -h for super-user only.\n"); - exit(1); - } - hflag = 1; - if (domain && (p = index(optarg, '.')) && - strcmp(p, domain) == 0) - *p = 0; - hostname = optarg; - break; - case 'p': - pflag = 1; - break; - case 'r': - EXCL_TEST; - if (getuid()) { - fprintf(stderr, - "login: -r for super-user only.\n"); - exit(1); - } - /* "-r hostname" must be last args */ - if (optind != argc) { - fprintf(stderr, "Syntax error.\n"); - exit(1); - } - rflag = 1; - passwd_req = (doremotelogin(optarg) == -1); - if (domain && (p = index(optarg, '.')) && - !strcmp(p, domain)) - *p = '\0'; - hostname = optarg; - break; - case 'g': - if (optind != argc) { - fprintf(stderr, "Syntax error.\n"); - exit(1); - } - gflag = do_gss_login(optarg); - if (gflag == 1) passwd_req = 0; - else { - (void)ioctl(0, TIOCHPCL, (char *)0); - sleepexitnew(1,1); - } - hostname = optarg; - break; - case '?': - default: - fprintf(stderr, "usage: login [-fp] [username]\n"); - exit(1); - } - argc -= optind; - argv += optind; - if (*argv) - username = *argv; - - ioctlval = 0; - (void)ioctl(0, TIOCLSET, (char *)&ioctlval); - (void)ioctl(0, TIOCNXCL, (char *)0); - (void)fcntl(0, F_SETFL, ioctlval); - (void)ioctl(0, TIOCGETP, (char *)&sgttyb); - - /* - * If talking to an rlogin process, propagate the terminal type and - * baud rate across the network. 
- */ - - if (rflag || kflag || Kflag || eflag || gflag) - doremoteterm(&sgttyb); - sgttyb.sg_erase = CERASE; - sgttyb.sg_kill = CKILL; - (void)ioctl(0, TIOCSLTC, (char *)<c); - (void)ioctl(0, TIOCSETC, (char *)&tc); - (void)ioctl(0, TIOCSETP, (char *)&sgttyb); - - for (cnt = getdtablesize(); cnt > 2; cnt--) - (void) close(cnt); - - ttyn = ttyname(0); - if (ttyn == NULL || *ttyn == '\0') - ttyn = "/dev/tty??"; - if (tty = rindex(ttyn, '/')) - ++tty; - else - tty = ttyn; - - for (cnt = 0;; username = NULL) { - ioctlval = 0; - (void)ioctl(0, TIOCSETD, (char *)&ioctlval); - - if (username == NULL) { - fflag = 0; - getloginname(); - } - if (pwd = getpwnam(username)) - salt = pwd->pw_passwd; - else - salt = "xx"; - - /* if user not super-user, check for disabled logins */ - if (pwd == NULL || pwd->pw_uid) - checknologin(); - - /* - * Disallow automatic login to root; if not invoked by - * root, disallow if the uid's differ. - */ - if (fflag && pwd) { - int uid = (int) getuid(); - - passwd_req = pwd->pw_uid == 0 || - (uid && uid != pwd->pw_uid); - } - - /* - * If no remote login authentication and a password exists - * for this user, prompt for one and verify it. - */ - if (!passwd_req || pwd && !*pwd->pw_passwd) - break; - - (void) setpriority(PRIO_PROCESS, 0, -4); - p = crypt(getpass("password:"), salt); - (void) setpriority(PRIO_PROCESS, 0, 0); - if (pwd && !strcmp(p, pwd->pw_passwd)) - break; - - printf("Login incorrect\n"); - if (++cnt >= 5) { - if (hostname) - syslog(LOG_ERR, - "REPEATED LOGIN FAILURES ON %s FROM %.*s, %.*s", - tty, UT_HOSTSIZE, hostname, UT_NAMESIZE, - username); - else - syslog(LOG_ERR, - "REPEATED LOGIN FAILURES ON %s, %.*s", - tty, UT_NAMESIZE, username); - (void)ioctl(0, TIOCHPCL, (char *)0); - sleepexit(1); - } - } - - /* committed to login -- turn off timeout */ - (void)alarm((u_int)0); - - /* - * If valid so far and root is logging in, see if root logins on - * this terminal are permitted. 
- */ -#ifndef SPX_CHALLENGE - if (pwd->pw_uid == 0 && !rootterm(tty)) { - if (hostname) - syslog(LOG_ERR, "ROOT LOGIN REFUSED ON %s FROM %.*s", - tty, UT_HOSTSIZE, hostname); - else - syslog(LOG_ERR, "ROOT LOGIN REFUSED ON %s", tty); - printf("Login incorrect\n"); - sleepexit(1); - } -#else - if (pwd->pw_uid == 0) { - syslog(LOG_INFO, "%s (%s)", userfullname, userlocalname); - } - -#endif /* SPX_CHALLENGE */ - -#ifndef VFS - if (quota(Q_SETUID, pwd->pw_uid, 0, 0) < 0 && errno != EINVAL) { - switch(errno) { - case EUSERS: - fprintf(stderr, - "Too many users logged on already.\nTry again later.\n"); - break; - case EPROCLIM: - fprintf(stderr, - "You have too many processes running.\n"); - break; - default: - perror("quota (Q_SETUID)"); - } - sleepexit(0); - } -#endif /* !VFS */ - - if (chdir(pwd->pw_dir) < 0) { - printf("No directory %s!\n", pwd->pw_dir); - if (chdir("/")) - exit(0); - pwd->pw_dir = "/"; - printf("Logging in with home = \"/\".\n"); - } - - /* nothing else left to fail -- really log in */ - { - struct utmp utmp; - - (void)time(&utmp.ut_time); - (void) strncpy(utmp.ut_name, username, sizeof(utmp.ut_name)); - if (hostname) - (void) strncpy(utmp.ut_host, hostname, - sizeof(utmp.ut_host)); - else - bzero(utmp.ut_host, sizeof(utmp.ut_host)); - (void) strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line)); - login(&utmp); - } - - quietlog = access(HUSHLOGIN, F_OK) == 0; - dolastlog(quietlog, tty); - - if (!hflag && !rflag && !kflag && !Kflag && !eflag && !gflag) { /* XXX */ - static struct winsize win = { 0, 0, 0, 0 }; - - (void)ioctl(0, TIOCSWINSZ, (char *)&win); - } - - (void)chown(ttyn, pwd->pw_uid, - (gr = getgrnam(TTYGRPNAME)) ? 
gr->gr_gid : pwd->pw_gid); - (void)chmod(ttyn, 0620); - (void)setgid((gid_type) pwd->pw_gid); - - (void) initgroups(username, pwd->pw_gid); - -#ifndef VFS - quota(Q_DOWARN, pwd->pw_uid, (dev_t)-1, 0); -#endif - (void)setuid((uid_type) pwd->pw_uid); - - if (*pwd->pw_shell == '\0') - pwd->pw_shell = BSHELL; - /* turn on new line discipline for the csh */ - else if (!strcmp(pwd->pw_shell, "/bin/csh")) { - ioctlval = NTTYDISC; - (void)ioctl(0, TIOCSETD, (char *)&ioctlval); - } - - /* destroy environment unless user has requested preservation */ - if (!pflag) - environ = envinit; - (void)setenv("HOME", pwd->pw_dir, 1); - (void)setenv("SHELL", pwd->pw_shell, 1); - if (term[0] == '\0') - (void) strncpy(term, stypeof(tty), sizeof(term)); - (void)setenv("TERM", term, 0); - (void)setenv("USER", pwd->pw_name, 1); - (void)setenv("PATH", "/usr/ucb:/bin:/usr/bin:/usr/local/bin:", 0); - major_status = gss__stash_default_cred(&minor_status, - gss_delegated_cred_handle); - - if (tty[sizeof("tty")-1] == 'd') - syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); - if (pwd->pw_uid == 0) - if (hostname) - syslog(LOG_NOTICE, "ROOT LOGIN %s FROM %.*s", - tty, UT_HOSTSIZE, hostname); - else - syslog(LOG_NOTICE, "ROOT LOGIN %s", tty); - - if (!quietlog) { - struct stat st; - - motd(); - (void)sprintf(tbuf, "%s/%s", MAILDIR, pwd->pw_name); - if (stat(tbuf, &st) == 0 && st.st_size != 0) - printf("You have %smail.\n", - (st.st_mtime > st.st_atime) ? "new " : ""); - } - -#ifdef VFS - if (! access( QUOTAWARN, X_OK)) (void) system(QUOTAWARN); -#endif /* VFS */ - (void)signal(SIGALRM, SIG_DFL); - (void)signal(SIGQUIT, SIG_DFL); - (void)signal(SIGINT, SIG_DFL); - (void)signal(SIGTSTP, SIG_IGN); - - tbuf[0] = '-'; - (void) strcpy(tbuf + 1, (p = rindex(pwd->pw_shell, '/')) ? 
- p + 1 : pwd->pw_shell); - execlp(pwd->pw_shell, tbuf, 0); - fprintf(stderr, "login: no shell: "); - perror(pwd->pw_shell); - exit(0); -} - -getloginname() -{ - register int ch; - register char *p; - static char nbuf[UT_NAMESIZE + 1]; - - for (;;) { - printf("login: "); - for (p = nbuf; (ch = getchar()) != '\n'; ) { - if (ch == EOF) - exit(0); - if (p < nbuf + UT_NAMESIZE) - *p++ = ch; - } - if (p > nbuf) - if (nbuf[0] == '-') - fprintf(stderr, - "login names may not start with '-'.\n"); - else { - *p = '\0'; - username = nbuf; - break; - } - } -} - -sigtype -timedout() -{ - fprintf(stderr, "Login timed out after %d seconds\n", timeout); - exit(0); -} - -#ifdef NOTTYENT -int root_tty_security = 0; -#endif -rootterm(tty) - char *tty; -{ -#ifdef NOTTYENT - return(root_tty_security); -#else - struct ttyent *t; - - return((t = getttynam(tty)) && t->ty_status&TTY_SECURE); -#endif /* NOTTYENT */ -} - -jmp_buf motdinterrupt; - -motd() -{ - register int fd, nchars; - sigtype (*oldint)(), sigint(); - char tbuf[8192]; - - if ((fd = open(MOTDFILE, O_RDONLY, 0)) < 0) - return; - signal(SIGINT, sigint); - - if (setjmp(motdinterrupt) == 0) - while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0) - (void)write(fileno(stdout), tbuf, nchars); - (void)close(fd); -} - -sigtype -sigint() -{ - longjmp(motdinterrupt, 1); -} - -checknologin() -{ - register int fd, nchars; - char tbuf[8192]; - - if ((fd = open(NOLOGIN, O_RDONLY, 0)) >= 0) { - while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0) - (void)write(fileno(stdout), tbuf, nchars); - sleepexit(0); - } -} - -dolastlog(quiet, tty) - int quiet; - char *tty; -{ - struct lastlog ll; - int fd; - - if ((fd = open(LASTLOG, O_RDWR, 0)) >= 0) { - (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET); - if (!quiet) { - if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) && - ll.ll_time != 0) { - printf("Last login: %.*s ", - 24-5, (char *)ctime(&ll.ll_time)); - if (*ll.ll_host != '\0') - printf("from %.*s\n", - sizeof(ll.ll_host), ll.ll_host); 
- else - printf("on %.*s\n", - sizeof(ll.ll_line), ll.ll_line); - } - (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET); - } - (void)time(&ll.ll_time); - (void) strncpy(ll.ll_line, tty, sizeof(ll.ll_line)); - if (hostname) - (void) strncpy(ll.ll_host, hostname, sizeof(ll.ll_host)); - else - (void) bzero(ll.ll_host, sizeof(ll.ll_host)); - (void)write(fd, (char *)&ll, sizeof(ll)); - (void)close(fd); - } -} - -#undef UNKNOWN -#define UNKNOWN "su" - -char * -stypeof(ttyid) - char *ttyid; -{ -#ifdef NOTTYENT - return(UNKNOWN); -#else - struct ttyent *t; - - return(ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN); -#endif -} - -doremotelogin(host) - char *host; -{ - static char lusername[UT_NAMESIZE+1]; - char rusername[UT_NAMESIZE+1]; - - getstr(rusername, sizeof(rusername), "remuser"); - getstr(lusername, sizeof(lusername), "locuser"); - getstr(term, sizeof(term), "Terminal type"); - username = lusername; - pwd = getpwnam(username); - if (pwd == NULL) - return(-1); - return(ruserok(host, (pwd->pw_uid == 0), rusername, username)); -} - -do_gss_login(host) - char *host; -{ - int j, tokenlen, partlen, numbuf, i, debugflag = 0, auth_valid; - unsigned char token[GSS_C_MAX_TOKEN], *charp, *cp, *address; - unsigned char tokenheader[4], send_tokenheader[4]; - char targ_printable[GSS_C_MAX_PRINTABLE_NAME]; - char lhostname[GSS_C_MAX_PRINTABLE_NAME]; - unsigned char chanbinding[8]; - int chanbinding_len; - static char lusername[UT_NAMESIZE+1], rusername[UT_NAMESIZE+1]; - int hostlen, xcc, need_to_exit = 0; -/* - * GSS API support - */ - gss_OID_set actual_mechs; - gss_OID actual_mech_type, output_name_type; - int major_status, status, msg_ctx = 0, new_status; - int req_flags = 0, ret_flags, lifetime_rec; - gss_cred_id_t gss_cred_handle; - gss_ctx_id_t actual_ctxhandle; - gss_buffer_desc output_token, input_token, input_name_buffer; - gss_buffer_desc status_string; - gss_name_t desired_targname, src_name; - gss_channel_bindings input_chan_bindings; - - - j = 
sphinx_net_read(3, tokenheader, 4); - if ((tokenheader[0] != TOKEN_MAJIC_NUMBER_BYTE0) || (tokenheader[1] != TOKEN_MAJIC_NUMBER_BYTE1)) { - exit(0); - } - tokenlen = tokenheader[2] * 256 + tokenheader[3]; - - if (tokenlen > sizeof(token)) { - syslog(LOG_INFO, "token is too large, size is %d, buffer size is %d", - tokenlen, sizeof(token)); - exit(0); - } - - charp = token; - j = sphinx_net_read(3, token, tokenlen); - if (j != tokenlen) - syslog(LOG_INFO,"%d = read(3, token, %d)",j, tokenlen); - close(3); - - gethostname(lhostname, sizeof(lhostname)); - - strcpy(targ_printable, "SERVICE:rlogin@"); - strcat(targ_printable, lhostname); -/* - strcpy(targetname, lhostname); - if ((cp = index(targetname, '.')) != 0) *cp = '\0'; -*/ - - input_name_buffer.length = strlen(targ_printable); - input_name_buffer.value = targ_printable; - - major_status = gss_import_name(&status, - &input_name_buffer, - GSS_C_NULL_OID, - &desired_targname); - - major_status = gss_acquire_cred(&status, - desired_targname, - 0, - GSS_C_NULL_OID_SET, - GSS_C_ACCEPT, - &gss_cred_handle, - &actual_mechs, - &lifetime_rec); - - major_status = gss_release_name(&status, desired_targname); - - if (major_status != GSS_S_COMPLETE) { - xcc = write(0, "AuthentError", 12); - if (xcc <= 0) - syslog(LOG_INFO, "write(0, resp, 12): %m"); - - gss_display_status(&new_status, - status, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &msg_ctx, - &status_string); - fprintf(stderr, "%s - ", status_string.value); - return(0); - } - - getstr(rusername, sizeof (rusername), "remuser"); - getstr(lusername, sizeof (lusername), "locuser"); - getstr(term, sizeof(term), "Terminal type"); - - username = lusername; - - pwd = getpwnam(lusername); - if (pwd == NULL) { - syslog(LOG_INFO,"passwd entry for '%s' is NULL",lusername); -/* - xcc = write(0, "Auth Error ", 12); - if (xcc <= 0) - syslog(LOG_INFO, "write(0, resp, 12): %m"); - fprintf(stderr, "SPX : user account '%s' doesn't exist - ", lusername); -*/ - } - - if (major_status != 
GSS_S_COMPLETE) { - xcc = write(0, "AuthentError", 12); - if (xcc <= 0) - syslog(LOG_INFO, "write(0, resp, 12): %m"); - - gss_display_status(&new_status, - status, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &msg_ctx, - &status_string); - fprintf(stderr, "%s - ", status_string.value); - return(0); - } - - if (pwd != NULL) seteuid(pwd->pw_uid); - - { - char myhost[32]; - int from_addr=0, to_addr=0, myhostlen, j; - struct hostent *my_hp, *from_hp; - struct sockaddr_in sin, sin2; - - from_hp=gethostbyname(host); - if (from_hp != 0) { - bcopy(from_hp->h_addr_list[0], - (caddr_t)&sin.sin_addr, from_hp->h_length); -#ifdef ultrix - from_addr = sin.sin_addr.S_un.S_addr; -#else - from_addr = sin.sin_addr.s_addr; -#endif - } else { - from_addr = inet_addr(host); - } - from_addr = htonl(from_addr); - j=gethostname(myhost, sizeof(myhost)); - my_hp=gethostbyname(myhost); - if (my_hp != 0) { - bcopy(my_hp->h_addr_list[0], - (caddr_t)&sin2.sin_addr, my_hp->h_length); -#ifdef ultrix - to_addr = sin2.sin_addr.S_un.S_addr; -#else - to_addr = sin2.sin_addr.s_addr; -#endif - to_addr = htonl(to_addr); - } - - input_chan_bindings = (gss_channel_bindings) - malloc(sizeof(struct gss_channel_bindings_desc)); - - input_chan_bindings->initiator_addrtype = GSS_C_AF_INET; - input_chan_bindings->initiator_address.length = 4; - address = (char *) malloc(4); - input_chan_bindings->initiator_address.value = (char *) address; - address[0] = ((from_addr & 0xff000000) >> 24); - address[1] = ((from_addr & 0xff0000) >> 16); - address[2] = ((from_addr & 0xff00) >> 8); - address[3] = (from_addr & 0xff); - input_chan_bindings->acceptor_addrtype = GSS_C_AF_INET; - input_chan_bindings->acceptor_address.length = 4; - address = (char *) malloc(4); - input_chan_bindings->acceptor_address.value = (char *) address; - address[0] = ((to_addr & 0xff000000) >> 24); - address[1] = ((to_addr & 0xff0000) >> 16); - address[2] = ((to_addr & 0xff00) >> 8); - address[3] = (to_addr & 0xff); - 
input_chan_bindings->application_data.length = 0; - } - - input_token.length = tokenlen; - input_token.value = token; - - major_status = gss_accept_sec_context(&status, - &context_handle, - gss_cred_handle, - &input_token, - input_chan_bindings, - &src_name, - &actual_mech_type, - &output_token, - &ret_flags, - &lifetime_rec, - &gss_delegated_cred_handle); - - if (output_token.length != 0) { - - send_tokenheader[0] = TOKEN_MAJIC_NUMBER_BYTE0; - send_tokenheader[1] = TOKEN_MAJIC_NUMBER_BYTE1; - send_tokenheader[2] = ((output_token.length & 0xff00) >> 8); - send_tokenheader[3] = (output_token.length & 0xff); - - xcc = write(0, (char *) send_tokenheader, 4); - if (xcc != 4) - syslog(LOG_INFO, "write(0, send_tokenheader, 4): %m"); - - xcc = write(0, (char *) output_token.value, output_token.length); - if (xcc <= 0) - syslog(LOG_INFO, "write(0, resp, %d): %m",output_token.length); - } - - if (pwd == NULL) { - fprintf(stderr, "SPX : user account '%s' doesn't exist - ", lusername); - return(-1); - } - if (getuid()) { - syslog(LOG_INFO,"getuid() is 0, so return nouser"); - return(0); - } - - if (major_status != GSS_S_COMPLETE) { - syslog(LOG_INFO, "got error on accept\n"); - gss_display_status(&new_status, - status, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &msg_ctx, - &status_string); - fprintf(stderr, "%s - ", status_string.value); - return(-1); - } - -#ifdef SPX_CHALLENGE - /* - * if trying to login to root account, then we need to verify response - * proving that the user is interactive. 
- * - */ - if (strcmp(lusername, "root")==0) { - j = sphinx_net_read(0, tokenheader, 4); - if (j != 4) - syslog(LOG_INFO,"%d = read(0, token, 4)",j); - - if ((tokenheader[0] != TOKEN_MAJIC_NUMBER_BYTE0) || -(tokenheader[1] != TOKEN_MAJIC_NUMBER_BYTE1)) { - exit(0); - } - tokenlen = tokenheader[2] * 256 + tokenheader[3]; - if (tokenlen > sizeof(token)) { - syslog(LOG_INFO, "token too large, %d/%d",tokenlen,sizeof(token)); - exit(0); - } - - charp = token; - j = sphinx_net_read(0, token, tokenlen); - if (j != tokenlen) - syslog(LOG_INFO,"%d = read(0, token, %d)",j, tokenlen); - major_status = spx_verify_response(&status, - context_handle, - gss_cred_handle, - token, - tokenlen); - if (major_status != GSS_S_COMPLETE) { - gss_display_status(&new_status, - status, - GSS_C_MECH_CODE, - GSS_C_NULL_OID, - &msg_ctx, - &status_string); - fprintf(stderr, "%s - ", status_string.value); - return(0); - } - } -#endif /* SPX_CHALLENGE */ - - seteuid(0); - - { - gss_buffer_desc fullname_buffer, luser_buffer, acl_file_buffer; - gss_buffer_desc service_buffer, resource_buffer; - gss_OID fullname_type; - int access_mode; - char acl_file[160], service[60], resource[160]; - - major_status = gss_display_name(&status, - src_name, - &fullname_buffer, - &fullname_type); - - luser_buffer.value = lusername; - luser_buffer.length = strlen(lusername); - - strcpy(acl_file, pwd->pw_dir); - strcat(acl_file, "/.sphinx"); - acl_file_buffer.value = acl_file; - acl_file_buffer.length = strlen(acl_file); - - strcpy(service, "flogin"); - service_buffer.value = service; - service_buffer.length = 6; - resource[0] = '\0'; - resource_buffer.value = resource; - resource_buffer.length = 0; - access_mode = GSS_C_READ | GSS_C_WRITE; - - major_status = gss__check_authorization(&status, - &fullname_buffer, - &luser_buffer, - &acl_file_buffer, - &service_buffer, - access_mode, - &resource_buffer); - - if (major_status != GSS_S_COMPLETE) { - if (strcmp(lusername, "root")==0) - syslog(LOG_INFO, "root authorization 
denied - '%s'", src_name); - fprintf(stderr, - "SPX : authorization denied to user account '%s' - ", - lusername); - return(-1); - } else { - strcpy(userfullname, src_name); - strcpy(userlocalname, rusername); - } - major_status = gss_release_buffer(&status, &fullname_buffer); - return(1); - } -} - -getstr(buf, cnt, err) - char *buf, *err; - int cnt; -{ - char ch; - - do { - if (read(0, &ch, sizeof(ch)) != sizeof(ch)) - exit(1); - if (--cnt < 0) { - fprintf(stderr, "%s too long\r\n", err); - sleepexit(1); - } - *buf++ = ch; - } while (ch); -} - -char *speeds[] = { - "0", "50", "75", "110", "134", "150", "200", "300", "600", - "1200", "1800", "2400", "4800", "9600", "19200", "38400", -}; -#define NSPEEDS (sizeof(speeds) / sizeof(speeds[0])) - -doremoteterm(tp) - struct sgttyb *tp; -{ - register char *cp = index(term, '/'), **cpp; - char *speed; - - if (cp) { - *cp++ = '\0'; - speed = cp; - cp = index(speed, '/'); - if (cp) - *cp++ = '\0'; - for (cpp = speeds; cpp < &speeds[NSPEEDS]; cpp++) - if (strcmp(*cpp, speed) == 0) { - tp->sg_ispeed = tp->sg_ospeed = cpp-speeds; - break; - } - } - tp->sg_flags = ECHO|CRMOD|ANYP|XTABS; -} - -sleepexitnew(eval, interval) - int eval, interval; -{ - sleep((u_int)interval); - exit(eval); -} - - -sleepexit(eval) - int eval; -{ - sleep((u_int)5); - exit(eval); -} diff --git a/src/lib/gssapi/sample/logutil.c b/src/lib/gssapi/sample/logutil.c deleted file mode 100644 index d1a535010..000000000 --- a/src/lib/gssapi/sample/logutil.c +++ /dev/null 
@@ -1,140 +0,0 @@ -/* - * Copyright (c) 1988 The Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the University of California, Berkeley. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)login.c 5.1 (Berkeley) 9/27/88"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include -#include -#include -#include - -#define UTMPFILE "/etc/utmp" -#define WTMPFILE "/usr/adm/wtmp" - -void -login(ut) - struct utmp *ut; -{ - register int fd; - int tty; - off_t lseek(); - - tty = ttyslot(); - if (tty > 0 && (fd = open(UTMPFILE, O_WRONLY, 0)) >= 0) { - (void)lseek(fd, (long)(tty * sizeof(struct utmp)), L_SET); - (void)write(fd, (char *)ut, sizeof(struct utmp)); - (void)close(fd); - } - if ((fd = open(WTMPFILE, O_WRONLY|O_APPEND, 0)) >= 0) { - (void)write(fd, (char *)ut, sizeof(struct utmp)); - (void)close(fd); - } -} -/* - * Copyright (c) 1988 The Regents of the University of California. - * All rights reserved. 
- * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the University of California, Berkeley. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)logout.c 5.1 (Berkeley) 8/31/88"; -#endif /* LIBC_SCCS and not lint */ - -logout(line) - register char *line; -{ - register FILE *fp; - struct utmp ut; - int rval; - time_t time(); - - if (!(fp = fopen(UTMPFILE, "r+"))) - return(0); - rval = 1; - while (fread((char *)&ut, sizeof(struct utmp), 1, fp) == 1) { - if (!ut.ut_name[0] || - strncmp(ut.ut_line, line, sizeof(ut.ut_line))) - continue; - bzero(ut.ut_name, sizeof(ut.ut_name)); - bzero(ut.ut_host, sizeof(ut.ut_host)); - (void)time(&ut.ut_time); - (void)fseek(fp, (long)-sizeof(struct utmp), L_INCR); - (void)fwrite((char *)&ut, sizeof(struct utmp), 1, fp); - (void)fseek(fp, (long)0, L_INCR); - rval = 0; - } - (void)fclose(fp); - return(rval); -} -/* - * Copyright (c) 1988 The Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the University of California, Berkeley. 
The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)logwtmp.c 5.2 (Berkeley) 9/20/88"; -#endif /* LIBC_SCCS and not lint */ - -logwtmp(line, name, host) - char *line, *name, *host; -{ - struct utmp ut; - struct stat buf; - int fd; - time_t time(); - char *strncpy(); - - if ((fd = open(WTMPFILE, O_WRONLY|O_APPEND, 0)) < 0) - return; - if (!fstat(fd, &buf)) { - (void)strncpy(ut.ut_line, line, sizeof(ut.ut_line)); - (void)strncpy(ut.ut_name, name, sizeof(ut.ut_name)); - (void)strncpy(ut.ut_host, host, sizeof(ut.ut_host)); - (void)time(&ut.ut_time); - if (write(fd, (char *)&ut, sizeof(struct utmp)) != - sizeof(struct utmp)) - (void)ftruncate(fd, buf.st_size); - } - (void)close(fd); -} diff --git a/src/lib/gssapi/seal.c b/src/lib/gssapi/seal.c deleted file mode 100644 index 4d9065671..000000000 --- a/src/lib/gssapi/seal.c +++ /dev/null 
@@ -1,143 +0,0 @@
-/*
- * seal.c --- seal message
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include
-
-OM_uint32 gss_seal(minor_status, context, conf_req_flag, qop_req,
- input_message_buffer, conf_state, output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- int conf_req_flag;
- int qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
-{
- krb5_data inbuf, outbuf;
-
- *minor_status = 0;
-
- inbuf.length = input_message_buffer->length;
- inbuf.data = input_message_buffer->value;
- if (conf_req_flag) {
- int priv_flags = 0;
- int eblock_size;
- char *i_vector;
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- priv_flags = KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME;
- /*
- * Initialize the initial vector.
- */
- eblock_size =
- krb5_keytype_array[context->session_key->keytype]->
- system->block_length;
- if (!(i_vector=malloc(eblock_size))) {
- return(GSS_S_FAILURE);
- }
- memset(i_vector, 0, eblock_size);
- if (*minor_status = krb5_mk_priv(&inbuf, ETYPE_DES_CBC_CRC,
- context->session_key,
- &context->my_address,
- &context->his_address,
- context->my_seq_num,
- priv_flags,
- 0, /* no rcache */
- i_vector,
- &outbuf))
- return(GSS_S_FAILURE);
- if (*minor_status = gss_make_token(minor_status,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_PRIV,
- outbuf.length,
- outbuf.data,
- output_message_buffer)) {
- krb5_xfree(outbuf.data);
- return(GSS_S_FAILURE);
- }
- if (conf_state)
- *conf_state = 1;
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- context->my_seq_num++;
- return(GSS_S_COMPLETE);
- } else {
- int safe_flags = 0;
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- safe_flags = KRB5_SAFE_DOSEQUENCE|KRB5_SAFE_NOTIME;
- if (*minor_status = krb5_mk_safe(&inbuf,
- CKSUMTYPE_RSA_MD4_DES,
- context->session_key,
- &context->my_address,
- &context->his_address,
- context->my_seq_num,
- safe_flags,
- 0, /* no rcache */
- &outbuf))
- return(GSS_S_FAILURE);
- if (*minor_status = gss_make_token(minor_status,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_SAFE,
- outbuf.length,
- outbuf.data,
- output_message_buffer)) {
- krb5_xfree(outbuf.data);
- return(GSS_S_FAILURE);
- }
- if (conf_state)
- *conf_state = 0;
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- context->my_seq_num++;
- return(GSS_S_COMPLETE);
- }
-}
-
-#ifdef notdef
-/*
- * XXX This is done inefficiently; the token in gss_sign does not need
- * to include the text of the data, just a cryptographic checksum to
- * act as a checksum. Nevertheless, this is a quick and dirty way to
- * get it to work. When we fix this so that it works for real, we
- * will need to let gss_verify accept both, and change the servers
- * first.
- */
-
-OM_uint32 gss_sign(minor_status, context, qop_req,
- input_message_buffer, output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- int qop_req;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
-{
- return(gss_seal(minor_status, context, 0, qop_req,
- input_message_buffer, NULL, output_message_buffer));
-}
-
-#endif
diff --git a/src/lib/gssapi/sign.c b/src/lib/gssapi/sign.c
deleted file mode 100644
index 62c264276..000000000
--- a/src/lib/gssapi/sign.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * sign.c --- sign message
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include
-#include
-
-OM_uint32 gss_sign(minor_status, context, qop_req,
- input_message_buffer, output_message_buffer)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- int qop_req;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
-{
- krb5_data inbuf, outbuf, *scratch;
- int safe_flags = 0;
- krb5_safe *message;
-
- *minor_status = 0;
-
- inbuf.length = input_message_buffer->length;
- inbuf.data = input_message_buffer->value;
-
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- safe_flags = KRB5_SAFE_DOSEQUENCE|KRB5_SAFE_NOTIME;
- if (*minor_status = krb5_mk_safe(&inbuf,
- CKSUMTYPE_RSA_MD4_DES,
- context->session_key,
- &context->my_address,
- &context->his_address,
- context->my_seq_num,
- safe_flags,
- 0, /* no rcache */
- &outbuf))
- return(GSS_S_FAILURE);
- if (*minor_status = decode_krb5_safe(&outbuf, &message))
- return(GSS_S_FAILURE);
- message->user_data.length = 1;
- krb5_xfree(outbuf.data);
- if (*minor_status = encode_krb5_safe(&message, &scratch)) {
- krb5_free_safe(message);
- return(GSS_S_FAILURE);
- }
- krb5_free_safe(message);
- if (*minor_status = gss_make_token(minor_status,
- GSS_API_KRB5_TYPE,
- GSS_API_KRB5_SIGN,
- scratch->length,
- scratch->data,
- output_message_buffer)) {
- krb5_free_data(scratch);
- return(GSS_S_FAILURE);
- }
- krb5_free_data(scratch);
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- context->my_seq_num++;
- return(GSS_S_COMPLETE);
-}
-
diff --git a/src/lib/gssapi/unseal.c b/src/lib/gssapi/unseal.c
deleted file mode 100644
index a44fdf70e..000000000
--- a/src/lib/gssapi/unseal.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * seal.c --- seal message
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include
-
-OM_uint32 gss_unseal(minor_status, context, input_message_buffer,
- output_message_buffer, conf_state, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- gss_buffer_t input_message_buffer;
- gss_buffer_t output_message_buffer;
- int *conf_state;
- int *qop_state;
-{
- OM_uint32 retval;
- krb5_data inbuf, outbuf;
- int token_type;
-
- *minor_status = 0;
-
- if (retval = gss_check_token(minor_status, input_message_buffer,
- GSS_API_KRB5_TYPE, 0))
- return(retval);
- token_type = ((char *) input_message_buffer->value)[2];
- if ((token_type != GSS_API_KRB5_SAFE) &&
- (token_type != GSS_API_KRB5_PRIV))
- return(GSS_S_DEFECTIVE_TOKEN);
- inbuf.length = input_message_buffer->length-4;
- inbuf.data = ( (char *) input_message_buffer->value)+4;
- if (token_type == GSS_API_KRB5_PRIV) {
- int priv_flags = 0;
- int eblock_size;
- char *i_vector;
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- priv_flags = KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME;
- /*
- * Initialize the initial vector.
- */
- eblock_size =
- krb5_keytype_array[context->session_key->keytype]->
- system->block_length;
- if (!(i_vector=malloc(eblock_size))) {
- return(GSS_S_FAILURE);
- }
- memset(i_vector, 0, eblock_size);
- if (*minor_status = krb5_rd_priv(&inbuf,
- context->session_key,
- &context->his_address,
- &context->my_address,
- context->his_seq_num,
- priv_flags,
- i_vector,
- 0, /* no rcache */
- &outbuf))
- return(GSS_S_FAILURE);
- if (conf_state)
- *conf_state = 1;
- } else {
- int safe_flags = 0;
-
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- safe_flags = KRB5_SAFE_DOSEQUENCE|KRB5_SAFE_NOTIME;
- if (*minor_status = krb5_rd_safe(&inbuf,
- context->session_key,
- &context->his_address,
- &context->my_address,
- context->his_seq_num,
- safe_flags,
- 0, /* no rcache */
- &outbuf))
- return(GSS_S_FAILURE);
- if (conf_state)
- *conf_state = 0;
- }
- if (qop_state)
- *qop_state = 0;
- output_message_buffer->length = outbuf.length;
- output_message_buffer->value = outbuf.data;
- return(GSS_S_COMPLETE);
-}
-
-#ifdef notdef
-OM_uint32 gss_verify(minor_status, context, message_buffer,
- token_buffer, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- int *qop_state;
-{
- OM_uint32 retval, ret;
- gss_buffer_desc buf;
- gss_buffer_t output_message_buffer = &buf;
-
-
- if (retval = gss_unseal(minor_status, context, message_buffer,
- output_message_buffer, NULL, qop_state))
- return(retval);
- if (token_buffer->length != output_message_buffer->length)
- ret = GSS_S_BAD_SIG;
- else if (!memcmp(token_buffer->value, output_message_buffer->value,
- token_buffer->length))
- ret = GSS_S_BAD_SIG;
- if (retval = gss_release_buffer(minor_status, output_message_buffer))
- return(retval);
- return(ret);
-}
-
-#endif
diff --git a/src/lib/gssapi/verify.c b/src/lib/gssapi/verify.c
deleted file mode 100644
index 25cc14f5b..000000000
--- a/src/lib/gssapi/verify.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * verify.c --- verify message
- *
- * $Source$
- * $Author$
- * $Header$
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include
-#include
-
-OM_uint32 gss_verify(minor_status, context, message_buffer,
- token_buffer, qop_state)
- OM_uint32 *minor_status;
- gss_ctx_id_t context;
- gss_buffer_t message_buffer;
- gss_buffer_t token_buffer;
- int *qop_state;
-{
- OM_uint32 retval;
- krb5_data inbuf, outbuf, *scratch;
- krb5_safe *message;
- int safe_flags = 0;
-
- *minor_status = 0;
-
- if (retval = gss_check_token(minor_status, message_buffer,
- GSS_API_KRB5_TYPE, GSS_API_KRB5_SIGN))
- return(retval);
- inbuf.length = token_buffer->length-4;
- inbuf.data = ( (char *) token_buffer->value)+4;
- if (*minor_status = decode_krb5_safe(&inbuf, &message))
- return(GSS_S_FAILURE);
- if (message->user_data.data)
- krb5_xfree(message->user_data.data);
- message->user_data.length = message_buffer->length;
- message->user_data.data = message_buffer->value;
- if (*minor_status = encode_krb5_safe(&message, &scratch)) {
- message->user_data.data = NULL;
- krb5_free_safe(message);
- return(GSS_S_FAILURE);
- }
- message->user_data.data = NULL;
- krb5_free_safe(message);
- if (context->flags & GSS_C_SEQUENCE_FLAG)
- safe_flags = KRB5_SAFE_DOSEQUENCE|KRB5_SAFE_NOTIME;
- if (*minor_status = krb5_rd_safe(scratch,
- context->session_key,
- &context->his_address,
- &context->my_address,
- context->his_seq_num,
- safe_flags,
- 0, /* no rcache */
- &outbuf)) {
- krb5_free_data(scratch);
- return(GSS_S_FAILURE);
- }
- krb5_free_data(scratch);
- if (qop_state)
- *qop_state = 0;
- return(GSS_S_COMPLETE);
-}
-- 2.26.2