Diffstat (limited to 'src/lib')
132 files changed, 124 insertions, 21815 deletions
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 9d139a7..f5180d7 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -1,15 +1,14 @@ thisconfigdir=./.. myfulldir=lib mydir=lib -SUBDIRS=crypto krb5 des425 @KRB4@ gssapi rpc kdb kadm5 apputils +SUBDIRS=crypto krb5 gssapi rpc kdb kadm5 apputils BUILDTOP=$(REL).. all-unix:: -CLEANLIBS = libkrb5.a libkdb5.a libcrypto.a libgssapi_krb5.a libdes425.a \ - libkrb425.a libkadm.a libkrb4.a libcom_err.a libpty.a \ - libss.a libgssapi.a libapputils.a \ - libkrb5.so libcrypto.so libkrb4.so libdes425.so +CLEANLIBS = libkrb5.a libkdb5.a libcrypto.a libgssapi_krb5.a libkadm.a \ + libcom_err.a libpty.a ibss.a libgssapi.a libapputils.a libkrb5.so \ + libcrypto.so clean-unix:: diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in index 3b277f1..b6b6478 100644 --- a/src/lib/crypto/Makefile.in +++ b/src/lib/crypto/Makefile.in @@ -501,7 +501,7 @@ decrypt.so decrypt.po $(OUTPRE)decrypt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - decrypt.c etypes.h + aead.h decrypt.c etypes.h decrypt_iov.so decrypt_iov.po $(OUTPRE)decrypt_iov.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -522,7 +522,7 @@ encrypt.so encrypt.po $(OUTPRE)encrypt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - encrypt.c etypes.h + aead.h encrypt.c etypes.h encrypt_iov.so encrypt_iov.po $(OUTPRE)encrypt_iov.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
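Review bot: The rewritten `CLEANLIBS` list in src/lib/Makefile.in names `ibss.a` where the removed lines had `libss.a`, so that archive drops out of the list by what looks like a typo rather than by intent. The second continuation line should read `libcom_err.a libpty.a libss.a libgssapi.a libapputils.a libkrb5.so \`. The rule that consumes `CLEANLIBS` is outside the hunk, so I am assuming it is what `clean-unix` removes. If so, a stale `libss.a` would survive a clean and could be picked up by a later link.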
@@ -542,7 +542,8 @@ encrypt_length.so encrypt_length.po $(OUTPRE)encrypt_length.$(OBJEXT): \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h encrypt_length.c etypes.h + $(SRCTOP)/include/socket-utils.h aead.h encrypt_length.c \ + etypes.h enctype_compare.so enctype_compare.po $(OUTPRE)enctype_compare.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/crypto/des/Makefile.in b/src/lib/crypto/des/Makefile.in index 203a73e..aa2da62 100644 --- a/src/lib/crypto/des/Makefile.in +++ b/src/lib/crypto/des/Makefile.in 
@@ -108,32 +108,29 @@ afsstring2key.so afsstring2key.po $(OUTPRE)afsstring2key.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - afsstring2key.c des_int.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h afsstring2key.c des_int.h d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h d3_cbc.c des_int.h \ - f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + d3_cbc.c des_int.h f_tables.h d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h 
$(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../aead.h \ - d3_aead.c des_int.h f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../aead.h d3_aead.c des_int.h f_tables.h d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -141,32 +138,29 @@ d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - d3_kysched.c des_int.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h d3_kysched.c des_int.h f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_cbc.c \ - f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_int.h f_cbc.c f_tables.h f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ 
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_cksum.c \ - f_tables.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_int.h f_cksum.c f_tables.h f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -174,20 +168,19 @@ f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h f_parity.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h f_parity.c f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h des_int.h f_sched.c + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + des_int.h f_sched.c f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -195,10 +188,10 @@ f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h f_tables.c f_tables.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h f_tables.c \ + f_tables.h key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -206,10 +199,9 @@ key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h key_sched.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h key_sched.c weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -217,10 +209,9 @@ weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h weak_key.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h weak_key.c string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -228,7 +219,6 @@ string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - des_int.h string2key.c + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h des_int.h string2key.c diff --git a/src/lib/crypto/des/des_int.h b/src/lib/crypto/des/des_int.h index f040564..3bafb74 100644 --- a/src/lib/crypto/des/des_int.h +++ b/src/lib/crypto/des/des_int.h 
@@ -64,9 +64,56 @@ #ifndef KRB5_MIT_DES__ #define KRB5_MIT_DES__ -#define KRB5INT_CRYPTO_DES_INT /* skip krb4-specific DES stuff */ -#include "kerberosIV/des.h" /* for des_key_schedule, etc. */ -#undef KRB5INT_CRYPTO_DES_INT /* don't screw other inclusions of des.h */ +#if defined(__MACH__) && defined(__APPLE__) +#include <TargetConditionals.h> +#include <AvailabilityMacros.h> +#if TARGET_RT_MAC_CFM +#error "Use KfM 4.0 SDK headers for CFM compilation." +#endif +#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS) +#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5 +#endif +#endif /* defined(__MACH__) && defined(__APPLE__) */ + +/* Macro to add deprecated attribute to DES types and functions */ +/* Currently only defined on Mac OS X 10.5 and later. */ +#ifndef KRB5INT_DES_DEPRECATED +#define KRB5INT_DES_DEPRECATED +#endif + +#include <limits.h> + +#if UINT_MAX >= 0xFFFFFFFFUL +#define DES_INT32 int +#define DES_UINT32 unsigned int +#else +#define DES_INT32 long +#define DES_UINT32 unsigned long +#endif + +typedef unsigned char des_cblock[8] /* crypto-block size */ +KRB5INT_DES_DEPRECATED; + +/* + * Key schedule. + * + * This used to be + * + * typedef struct des_ks_struct { + * union { DES_INT32 pad; des_cblock _;} __; + * } des_key_schedule[16]; + * + * but it would cause trouble if DES_INT32 were ever more than 4 + * bytes. The reason is that all the encryption functions cast it to + * (DES_INT32 *), and treat it as if it were DES_INT32[32]. If + * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the + * caller-allocated des_key_schedule will be overflowed by the key + * scheduling functions. We can't assume that every platform will + * have an exact 32-bit int, and nothing should be looking inside a + * des_key_schedule anyway. 
+ */ +typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16] +KRB5INT_DES_DEPRECATED; typedef des_cblock mit_des_cblock; typedef des_key_schedule mit_des_key_schedule; diff --git a/src/lib/crypto/enc_provider/Makefile.in b/src/lib/crypto/enc_provider/Makefile.in index 337f0ed..f5ba1c6 100644 --- a/src/lib/crypto/enc_provider/Makefile.in +++ b/src/lib/crypto/enc_provider/Makefile.in 
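Review bot: The `#if UINT_MAX >= 0xFFFFFFFFUL` test added to des_int.h selects `int` whenever it is at least 32 bits, so `DES_INT32` and `DES_UINT32` are "at least 32 bits" types, and nothing next to the definitions says so. The key-schedule comment further down explains why `des_key_schedule` tolerates a wider type. However, the des425 ISSUES file deleted in this same commit recorded that much of that code needed `DES_INT32` to be exactly 32 bits and 4 bytes, and whether anything left under crypto/des shares that assumption is not visible here. I would add a comment above the block, e.g. `/* DES_INT32/DES_UINT32 are at least 32 bits wide and may be wider; do not assume sizeof == 4. */`, so the caveat is not lost with the deleted file.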
@@ -51,22 +51,20 @@ des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ - des.c enc_provider.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../des/des_int.h des.c enc_provider.h des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../aead.h \ - $(srcdir)/../des/des_int.h des3.c + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../aead.h $(srcdir)/../des/des_int.h des3.c aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h 
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ diff --git a/src/lib/crypto/keyhash_provider/Makefile.in b/src/lib/crypto/keyhash_provider/Makefile.in index ed4bdfa..21d95bc 100644 --- a/src/lib/crypto/keyhash_provider/Makefile.in +++ b/src/lib/crypto/keyhash_provider/Makefile.in @@ -65,11 +65,10 @@ descbc.so descbc.po $(OUTPRE)descbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ - descbc.c keyhash_provider.h + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../des/des_int.h descbc.c keyhash_provider.h k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -77,11 +76,10 @@ k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../des/des_int.h $(srcdir)/../md4/rsa-md4.h \ - k5_md4des.c keyhash_provider.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ + $(srcdir)/../md4/rsa-md4.h k5_md4des.c keyhash_provider.h k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ 
@@ -89,11 +87,10 @@ k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../des/des_int.h $(srcdir)/../md5/rsa-md5.h \ - k5_md5des.c keyhash_provider.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ + $(srcdir)/../md5/rsa-md5.h k5_md5des.c keyhash_provider.h hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/crypto/old/Makefile.in b/src/lib/crypto/old/Makefile.in index c097a2b..be91c4b 100644 --- a/src/lib/crypto/old/Makefile.in +++ b/src/lib/crypto/old/Makefile.in 
@@ -45,10 +45,10 @@ des_stringtokey.so des_stringtokey.po $(OUTPRE)des_stringtokey.$(OBJEXT): \ $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../des/des_int.h des_stringtokey.c old.h + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(srcdir)/../des/des_int.h \ + des_stringtokey.c old.h old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/des425/ISSUES b/src/lib/des425/ISSUES deleted file mode 100644 index ec5ce00..0000000 --- a/src/lib/des425/ISSUES +++ /dev/null 
@@ -1,28 +0,0 @@ --*- text -*- - -* unix_time.c also exists in ../krb4, and they're different; both - should probably call into the krb5 support anyways to avoid - duplicating code. - -* namespace intrusions - -* Check include/kerberosIV/des.h and see if all the prototyped - functions really are necessary to retain; if not, delete some of - these source files. - -* Much of this code requires that DES_INT32 be *exactly* 32 bits, and - 4 bytes. - -* Array types are used in function call signatures, which is unclean. - It makes trying to add "const" qualifications in the right places - really, um, interesting. But we're probably stuck with them. - -* quad_cksum is totally broken. I have no idea whether the author - actually believed it implemented the documented algorithm, but I'm - certain it doesn't. The only question is, is it still reasonably - secure, when the plaintext and checksum are visible to an attacker - as in the mk_safe message? - -* des_read_password and des_read_pw_string are not thread-safe. Also, - they should be calling into the k5crypto library instead of - duplicating functionality. diff --git a/src/lib/des425/Makefile.in b/src/lib/des425/Makefile.in deleted file mode 100644 index 218ceaf..0000000 --- a/src/lib/des425/Makefile.in +++ /dev/null 
@@ -1,273 +0,0 @@ -thisconfigdir=../.. -myfulldir=lib/des425 -mydir=lib/des425 -BUILDTOP=$(REL)..$(S).. -LOCALINCLUDES = -I$(srcdir)/../crypto/des -I$(srcdir)/../../include/kerberosIV -DEFS= - -##DOS##BUILDTOP = ..\.. -##DOS##LIBNAME=$(OUTPRE)des425.lib -##DOS##OBJFILE=$(OUTPRE)des425.lst -##DOS##OBJFILEDEP=$(OUTPRE)des425.lst -##DOS##OBJFILELIST=@$(OUTPRE)des425.lst - -PROG_LIBPATH=-L$(TOPLIBD) -PROG_RPATH=$(KRB5_LIBDIR) - -RUN_SETUP=@KRB5_RUN_ENV@ - -LIBBASE=des425 -LIBMAJOR=3 -LIBMINOR=0 -RELDIR=des425 -# Depends on libk5crypto and libkrb5 -SHLIB_EXPDEPS = \ - $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto -SHLIB_DIRS=-L$(TOPLIBD) -SHLIB_RDIRS=$(KRB5_LIBDIR) - -STOBJLISTS=OBJS.ST -STLIBOBJS=cksum.o \ - des.o \ - enc_dec.o \ - key_parity.o \ - key_sched.o \ - new_rnd_key.o \ - pcbc_encrypt.o \ - quad_cksum.o \ - random_key.o \ - read_passwd.o \ - str_to_key.o \ - unix_time.o \ - util.o \ - weak_key.o - - -OBJS= $(OUTPRE)cksum.$(OBJEXT) \ - $(OUTPRE)des.$(OBJEXT) \ - $(OUTPRE)enc_dec.$(OBJEXT) \ - $(OUTPRE)key_parity.$(OBJEXT) \ - $(OUTPRE)key_sched.$(OBJEXT) \ - $(OUTPRE)new_rnd_key.$(OBJEXT) \ - $(OUTPRE)pcbc_encrypt.$(OBJEXT) \ - $(OUTPRE)quad_cksum.$(OBJEXT) \ - $(OUTPRE)random_key.$(OBJEXT) \ - $(OUTPRE)read_passwd.$(OBJEXT) \ - $(OUTPRE)str_to_key.$(OBJEXT) \ - $(OUTPRE)unix_time.$(OBJEXT) \ - $(OUTPRE)util.$(OBJEXT) \ - $(OUTPRE)weak_key.$(OBJEXT) - -SRCS= $(srcdir)/cksum.c \ - $(srcdir)/des.c \ - $(srcdir)/enc_dec.c \ - $(srcdir)/key_parity.c \ - $(srcdir)/key_sched.c \ - $(srcdir)/new_rnd_key.c \ - $(srcdir)/pcbc_encrypt.c \ - $(srcdir)/quad_cksum.c \ - $(srcdir)/random_key.c \ - $(srcdir)/read_passwd.c \ - $(srcdir)/str_to_key.c \ - $(srcdir)/unix_time.c \ - $(srcdir)/util.c \ - $(srcdir)/weak_key.c - -all-unix:: all-liblinks - -##DOS##LIBOBJS = $(OBJS) - -shared: - mkdir shared - -verify: verify.o $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ verify.o $(DES425_LIB) 
$(KRB5_BASE_LIBS) - -t_quad: t_quad.o quad_cksum.o $(SUPPORT_DEPLIB) - $(CC_LINK) -o $@ t_quad.o quad_cksum.o $(SUPPORT_LIB) - -t_pcbc: t_pcbc.o pcbc_encrypt.o key_sched.o $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $@ t_pcbc.o pcbc_encrypt.o key_sched.o $(KRB5_BASE_LIBS) - -check-unix:: verify t_quad t_pcbc - $(RUN_SETUP) $(VALGRIND) ./verify -z - $(RUN_SETUP) $(VALGRIND) ./verify -m - $(RUN_SETUP) $(VALGRIND) ./verify - $(RUN_SETUP) $(VALGRIND) ./t_quad - $(RUN_SETUP) $(VALGRIND) ./t_pcbc - -check-windows:: - -clean:: - $(RM) $(OUTPRE)verify$(EXEEXT) $(OUTPRE)verify.$(OBJEXT) \ - $(OUTPRE)t_quad$(EXEEXT) $(OUTPRE)t_quad.$(OBJEXT) \ - $(OUTPRE)t_pcbc$(EXEEXT) $(OUTPRE)t_pcbc.$(OBJEXT) - -clean-unix:: clean-liblinks clean-libs clean-libobjs - -install-unix:: install-libs - -@lib_frag@ -@libobj_frag@ - -# +++ Dependency line eater +++ -# -# Makefile dependencies follow. This must be the last section in -# the Makefile.in file -# -cksum.so cksum.po $(OUTPRE)cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../crypto/des/des_int.h \ - cksum.c -des.so des.po $(OUTPRE)des.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - 
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../crypto/des/des_int.h \ - des.c -enc_dec.so enc_dec.po $(OUTPRE)enc_dec.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../crypto/des/des_int.h \ - enc_dec.c -key_parity.so key_parity.po $(OUTPRE)key_parity.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h key_parity.c -key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - 
$(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h key_sched.c -new_rnd_key.so new_rnd_key.po $(OUTPRE)new_rnd_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h new_rnd_key.c -pcbc_encrypt.so pcbc_encrypt.po $(OUTPRE)pcbc_encrypt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h 
$(srcdir)/../crypto/des/f_tables.h \ - pcbc_encrypt.c -quad_cksum.so quad_cksum.po $(OUTPRE)quad_cksum.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h quad_cksum.c -random_key.so random_key.po $(OUTPRE)random_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h random_key.c -read_passwd.so read_passwd.po $(OUTPRE)read_passwd.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - 
$(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h read_passwd.c -str_to_key.so str_to_key.po $(OUTPRE)str_to_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h str_to_key.c -unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h unix_time.c -util.so util.po $(OUTPRE)util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ - $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - 
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(srcdir)/../crypto/des/des_int.h \ - util.c -weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/../crypto/des/des_int.h weak_key.c diff --git a/src/lib/des425/cksum.c b/src/lib/des425/cksum.c deleted file mode 100644 index 33b5322..0000000 --- a/src/lib/des425/cksum.c +++ /dev/null 
@@ -1,68 +0,0 @@
-/*
- * lib/des425/cksum.c
- *
- * Copyright 1985, 1986, 1987, 1988, 1990 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * These routines perform encryption and decryption using the DES
- * private key algorithm, or else a subset of it-- fewer inner loops.
- * (AUTH_DES_ITER defaults to 16, may be less.)
- *
- * Under U.S. law, this software may not be exported outside the US
- * without license from the U.S. Commerce department.
- *
- * These routines form the library interface to the DES facilities.
- *
- * spm 8/85 MIT project athena
- */
-
-#include "des_int.h"
-#include "des.h"
-
-/*
- * This routine performs DES cipher-block-chaining checksum operation,
- * a.k.a. Message Authentication Code. It ALWAYS encrypts from input
- * to a single 64 bit output MAC checksum.
- *
- * The key schedule is passed as an arg, as well as the cleartext or
- * ciphertext. The cleartext and ciphertext should be in host order.
- *
- * NOTE-- the output is ALWAYS 8 bytes long. If not enough space was
- * provided, your program will get trashed.
- *
- * The input is null padded, at the end (highest addr), to an integral
- * multiple of eight bytes.
- */
-
-unsigned long KRB5_CALLCONV
-des_cbc_cksum(in,out,length,key,iv)
- const des_cblock *in; /* >= length bytes of inputtext */
- des_cblock *out; /* >= length bytes of outputtext */
- register unsigned long length; /* in bytes */
- const mit_des_key_schedule key; /* precomputed key schedule */
- const des_cblock *iv; /* 8 bytes of ivec */
-{
- return mit_des_cbc_cksum((const krb5_octet *)in, (krb5_octet *)out,
- length, key, (krb5_octet *)iv);
-}
diff --git a/src/lib/des425/des.c b/src/lib/des425/des.c
deleted file mode 100644
index 745b4be..0000000
--- a/src/lib/des425/des.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * lib/des425/des.c
- *
- * Copyright 1985, 1986, 1987, 1988, 1990 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "des_int.h"
-#include "des.h"
-#undef mit_des_cbc_encrypt
-
-int KRB5_CALLCONV
-des_ecb_encrypt(clear, cipher, schedule, enc)
- des_cblock *clear;
- des_cblock *cipher;
- const mit_des_key_schedule schedule;
- int enc; /* 0 ==> decrypt, else encrypt */
-{
- static const des_cblock iv;
-
- return (mit_des_cbc_encrypt((const des_cblock *)clear, cipher,
- 8, schedule, iv, enc));
-}
diff --git a/src/lib/des425/enc_dec.c b/src/lib/des425/enc_dec.c
deleted file mode 100644
index b75a63e..0000000
--- a/src/lib/des425/enc_dec.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * lib/des425/enc_dec.c
- *
- * Copyright 1985, 1986, 1987, 1988, 1990 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-#include "des_int.h"
-#include "des.h"
-#undef mit_des_cbc_encrypt
-
-int
-des_cbc_encrypt(in,out,length,key,iv,enc)
- des_cblock *in; /* >= length bytes of input text */
- des_cblock *out; /* >= length bytes of output text */
- register unsigned long length; /* in bytes */
- const mit_des_key_schedule key; /* precomputed key schedule */
- const des_cblock *iv; /* 8 bytes of ivec */
- int enc; /* 0 ==> decrypt, else encrypt */
-{
- return (mit_des_cbc_encrypt((const des_cblock *) in,
- out, length, key,
- (const unsigned char *)iv, /* YUCK! */
- enc));
-}
diff --git a/src/lib/des425/key_parity.c b/src/lib/des425/key_parity.c
deleted file mode 100644
index 96e13e2..0000000
--- a/src/lib/des425/key_parity.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * lib/des425/key_parity.c
- *
- * Copyright 1989, 1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "des_int.h"
-#include "des.h"
-
-/*
- * des_fixup_key_parity: Forces odd parity per byte; parity is bits
- * 8,16,...64 in des order, implies 0, 8, 16, ...
- * vax order.
- */
-void
-des_fixup_key_parity(key)
- register mit_des_cblock key;
-{
- mit_des_fixup_key_parity(key);
-}
-
-/*
- * des_check_key_parity: returns true iff key has the correct des parity.
- */
-int
-des_check_key_parity(key)
- register mit_des_cblock key;
-{
- return(mit_des_check_key_parity(key));
-}
-
diff --git a/src/lib/des425/key_sched.c b/src/lib/des425/key_sched.c
deleted file mode 100644
index 70f61ce..0000000
--- a/src/lib/des425/key_sched.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * lib/des425/key_sched.c
- *
- * Copyright 1985, 1986, 1987, 1988, 1990 by the Massachusetts Institute
- * of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-
-#include <stdio.h>
-#include "des_int.h"
-#include "des.h"
-
-int KRB5_CALLCONV
-des_key_sched(k,schedule)
- des_cblock k;
- des_key_schedule schedule;
-{
- return (mit_des_key_sched(k, schedule));
-}
diff --git a/src/lib/des425/libdes425.exports b/src/lib/des425/libdes425.exports
deleted file mode 100644
index 5753a6e..0000000
--- a/src/lib/des425/libdes425.exports
+++ /dev/null
@@ -1,18 +0,0 @@
-afs_string_to_key
-des_cbc_cksum
-des_cbc_encrypt
-des_cblock_print_file
-des_check_key_parity
-des_ecb_encrypt
-des_fixup_key_parity
-des_init_random_number_generator
-des_is_weak_key
-des_key_sched
-des_new_random_key
-des_pcbc_encrypt
-des_quad_cksum
-des_random_key
-des_read_password
-des_read_pw_string
-des_string_to_key
-unix_time_gmt_unixsec
diff --git a/src/lib/des425/mac_des_glue.c b/src/lib/des425/mac_des_glue.c
deleted file mode 100644
index b7f3a6a..0000000
--- a/src/lib/des425/mac_des_glue.c
+++ /dev/null
@@ -1,104 +0,0 @@
-#include "des_int.h"
-#include "des.h"
-#undef mit_des3_cbc_encrypt
-
-/* These functions are exported on KfM for ABI compatibility with
- * older versions of the library. They have been pulled from the headers
- * in the hope that someday we can remove them.
- *
- * Do not change the ABIs of any of these functions!
- */
-
-//int des_read_pw_string(char *, int, char *, int);
-char *des_crypt(const char *, const char *);
-char *des_fcrypt(const char *, const char *, char *);
-
-int make_key_sched(des_cblock *, des_key_schedule);
-int des_set_key(des_cblock *, des_key_schedule);
-
-void des_3cbc_encrypt(des_cblock *, des_cblock *, long,
- des_key_schedule, des_key_schedule, des_key_schedule,
- des_cblock *, int);
-void des_3ecb_encrypt(des_cblock *, des_cblock *,
- des_key_schedule, des_key_schedule, des_key_schedule,
- int);
-
-void des_generate_random_block(des_cblock);
-void des_set_random_generator_seed(des_cblock);
-void des_set_sequence_number(des_cblock);
-
-#pragma mark -
-
-/* Why was this exported on KfM? Who knows... */
-int des_debug = 0;
-
-char *des_crypt(const char *str, const char *salt)
-{
- char afs_buf[16];
-
- return des_fcrypt(str, salt, afs_buf);
-}
-
-
-char *des_fcrypt(const char *str, const char *salt, char *buf)
-{
- return mit_afs_crypt(str, salt, buf);
-}
-
-
-int make_key_sched(des_cblock *k, des_key_schedule schedule)
-{
- return mit_des_key_sched((unsigned char *)k, schedule); /* YUCK! */
-}
-
-
-int des_set_key(des_cblock *key, des_key_schedule schedule)
-{
- return make_key_sched(key, schedule);
-}
-
-
-void des_3cbc_encrypt(des_cblock *in, des_cblock *out, long length,
- des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3,
- des_cblock *iv, int enc)
-{
- mit_des3_cbc_encrypt((const des_cblock *)in, out, (unsigned long)length,
- ks1, ks2, ks3,
- (const unsigned char *)iv, /* YUCK! */
- enc);
-}
-
-
-void des_3ecb_encrypt(des_cblock *clear, des_cblock *cipher,
- des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3,
- int enc)
-{
- static const des_cblock iv;
-
- mit_des3_cbc_encrypt((const des_cblock *)clear, cipher, 8, ks1, ks2, ks3, iv, enc);
-}
-
-
-void des_generate_random_block(des_cblock block)
-{
- krb5_data data;
-
- data.length = sizeof(des_cblock);
- data.data = (char *)block;
-
- /* This function can return an error, however we must ignore it. */
- /* The worst that happens is that the resulting block is non-random */
- krb5_c_random_make_octets(/* XXX */ 0, &data);
-}
-
-
-void des_set_random_generator_seed(des_cblock block)
-{
- des_init_random_number_generator(block); /* XXX */
-}
-
-
-void des_set_sequence_number(des_cblock block)
-{
- des_init_random_number_generator(block); /* XXX */
-}
diff --git a/src/lib/des425/new_rnd_key.c b/src/lib/des425/new_rnd_key.c
deleted file mode 100644
index 126ddf5..0000000
--- a/src/lib/des425/new_rnd_key.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * lib/des425/new_rnd_key.c
- *
- * Copyright 1988,1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "des_int.h"
-#include "des.h"
-#include "k5-int.h"
-
-void
-des_init_random_number_generator(key)
- mit_des_cblock key;
-{
- krb5_data seed;
-
- seed.length = sizeof(key);
- seed.data = (char *) key;
-
- if (krb5_c_random_seed(/* XXX */ 0, &seed))
- /* XXX */ abort();
-}
-
-/*
- * des_new_random_key: create a random des key
- *
- * Requires: des_set_random_number_generater_seed must be at called least
- * once before this routine is called.
- *
- * Notes: the returned key has correct parity and is guarenteed not
- * to be a weak des key. Des_generate_random_block is used to
- * provide the random bits.
- */
-int KRB5_CALLCONV
-des_new_random_key(key)
- mit_des_cblock key;
-{
- krb5_keyblock keyblock;
- krb5_error_code kret;
-
- kret = krb5_c_make_random_key(/* XXX */ 0, ENCTYPE_DES_CBC_CRC, &keyblock);
- if (kret) return kret;
-
- memcpy(key, keyblock.contents, sizeof(mit_des_cblock));
- krb5_free_keyblock_contents(/* XXX */ 0, &keyblock);
-
- return 0;
-}
diff --git a/src/lib/des425/pcbc_encrypt.c b/src/lib/des425/pcbc_encrypt.c
deleted file mode 100644
index 130fd20..0000000
--- a/src/lib/des425/pcbc_encrypt.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/*
- * lib/des425/pcbc_encrypt.c
- *
- * Copyright (C) 1990 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- * - * DES implementation donated by Dennis Ferguson - */ - -/* - * des_pcbc_encrypt.c - encrypt a string of characters in error propagation mode - */ - -#include "autoconf.h" /* in case this defines CONFIG_SMALL */ -#undef CONFIG_SMALL /* XXX needs non-exported crypto symbols */ -#include "des_int.h" -#include "des.h" -#include <f_tables.h> - -/* - * des_pcbc_encrypt - {en,de}crypt a stream in PCBC mode - */ -int KRB5_CALLCONV -des_pcbc_encrypt(in, out, length, schedule, ivec, enc) - des_cblock *in; - des_cblock *out; - long length; - const des_key_schedule schedule; - des_cblock *ivec; - int enc; -{ - unsigned DES_INT32 left, right; - const unsigned DES_INT32 *kp; - const unsigned char *ip; - unsigned char *op; - - /* - * Copy the key pointer, just once - */ - kp = (const unsigned DES_INT32 *)schedule; - - /* - * Deal with encryption and decryption separately. - */ - if (enc) { - /* Initialization isn't really needed here, but gcc - complains because it doesn't understand that the - only case where these can be used uninitialized is - to compute values that'll in turn be ignored - because we won't go around the loop again. */ - unsigned DES_INT32 plainl = 42; - unsigned DES_INT32 plainr = 17; - - /* - * Initialize left and right with the contents of the initial - * vector. - */ - ip = *ivec; - GET_HALF_BLOCK(left, ip); - GET_HALF_BLOCK(right, ip); - - /* - * Suitably initialized, now work the length down 8 bytes - * at a time. - */ - ip = *in; - op = *out; - while (length > 0) { - /* - * Get block of input. If the length is - * greater than 8 this is straight - * forward. Otherwise we have to fart around. - */ - if (length > 8) { - GET_HALF_BLOCK(plainl, ip); - GET_HALF_BLOCK(plainr, ip); - left ^= plainl; - right ^= plainr; - length -= 8; - } else { - /* - * Oh, shoot. We need to pad the - * end with zeroes. Work backwards - * to do this. We know this is the - * last block, though, so we don't have - * to save the plain text. 
- */
- ip += (int) length;
- switch(length) {
- case 8:
- right ^= *(--ip) & 0xff;
- case 7:
- right ^= (*(--ip) & 0xff) << 8;
- case 6:
- right ^= (*(--ip) & 0xff) << 16;
- case 5:
- right ^= (*(--ip) & 0xff) << 24;
- case 4:
- left ^= *(--ip) & 0xff;
- case 3:
- left ^= (*(--ip) & 0xff) << 8;
- case 2:
- left ^= (*(--ip) & 0xff) << 16;
- case 1:
- left ^= (*(--ip) & 0xff) << 24;
- break;
- }
- length = 0;
- }
-
- /*
- * Encrypt what we have
- */
- DES_DO_ENCRYPT(left, right, kp);
-
- /*
- * Copy the results out
- */
- PUT_HALF_BLOCK(left, op);
- PUT_HALF_BLOCK(right, op);
-
- /*
- * Xor with the old plain text
- */
- left ^= plainl;
- right ^= plainr;
- }
- } else {
- /*
- * Decrypting is harder than encrypting because of
- * the necessity of remembering a lot more things.
- * Should think about this a little more...
- */
- unsigned DES_INT32 ocipherl, ocipherr;
- unsigned DES_INT32 cipherl, cipherr;
-
- if (length <= 0)
- return 0;
-
- /*
- * Prime the old cipher with ivec.
- */
- ip = *ivec;
- GET_HALF_BLOCK(ocipherl, ip);
- GET_HALF_BLOCK(ocipherr, ip);
-
- /*
- * Now do this in earnest until we run out of length.
- */
- ip = *in;
- op = *out;
- for (;;) { /* check done inside loop */
- /*
- * Read a block from the input into left and
- * right. Save this cipher block for later.
- */
- GET_HALF_BLOCK(left, ip);
- GET_HALF_BLOCK(right, ip);
- cipherl = left;
- cipherr = right;
-
- /*
- * Decrypt this.
- */
- DES_DO_DECRYPT(left, right, kp);
-
- /*
- * Xor with the old cipher to get plain
- * text. Output 8 or less bytes of this.
- */
- left ^= ocipherl;
- right ^= ocipherr;
- if (length > 8) {
- length -= 8;
- PUT_HALF_BLOCK(left, op);
- PUT_HALF_BLOCK(right, op);
- /*
- * Save current cipher block here
- */
- ocipherl = cipherl ^ left;
- ocipherr = cipherr ^ right;
- } else {
- /*
- * Trouble here. Start at end of output,
- * work backwards.
- */
- op += (int) length;
- switch(length) {
- case 8:
- *(--op) = (unsigned char) (right & 0xff);
- case 7:
- *(--op) = (unsigned char) ((right >> 8) & 0xff);
- case 6:
- *(--op) = (unsigned char) ((right >> 16) & 0xff);
- case 5:
- *(--op) = (unsigned char) ((right >> 24) & 0xff);
- case 4:
- *(--op) = (unsigned char) (left & 0xff);
- case 3:
- *(--op) = (unsigned char) ((left >> 8) & 0xff);
- case 2:
- *(--op) = (unsigned char) ((left >> 16) & 0xff);
- case 1:
- *(--op) = (unsigned char) ((left >> 24) & 0xff);
- break;
- }
- break; /* we're done */
- }
- }
- }
-
- /*
- * Done, return nothing.
- */
- return 0;
-}
diff --git a/src/lib/des425/quad_cksum.c b/src/lib/des425/quad_cksum.c
deleted file mode 100644
index 2a7b78c..0000000
--- a/src/lib/des425/quad_cksum.c
+++ /dev/null
@@ -1,200 +0,0 @@ -/* - * lib/des425/quad_cksum.c - * - * Copyright 1985, 1986, 1987, 1988,1990 by the Massachusetts Institute - * of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * This routine does not implement: - * - * - * Quadratic Congruential Manipulation Dectection Code - * - * ref: "Message Authentication" - * R.R. Jueneman, S. M. Matyas, C.H. Meyer - * IEEE Communications Magazine, - * Sept 1985 Vol 23 No 9 p 29-40 - * - * This routine, part of the Athena DES library built for the Kerberos - * authentication system, calculates a manipulation detection code for - * a message. It is a much faster alternative to the DES-checksum - * method. No guarantees are offered for its security. - * - * Implementation for 4.2bsd - * by S.P. 
Miller Project Athena/MIT - */ - -/* - * Algorithm (per paper): - * define: - * message to be composed of n m-bit blocks X1,...,Xn - * optional secret seed S in block X1 - * MDC in block Xn+1 - * prime modulus N - * accumulator Z - * initial (secret) value of accumulator C - * N, C, and S are known at both ends - * C and , optionally, S, are hidden from the end users - * then - * (read array references as subscripts over time) - * Z[0] = c; - * for i = 1...n - * Z[i] = (Z[i+1] + X[i])**2 modulo N - * X[n+1] = Z[n] = MDC - * - * Then pick - * N = 2**31 -1 - * m = 16 - * iterate 4 times over plaintext, also use Zn - * from iteration j as seed for iteration j+1, - * total MDC is then a 128 bit array of the four - * Zn; - * - * return the last Zn and optionally, all - * four as output args. - * - * Modifications: - * To inhibit brute force searches of the seed space, this - * implementation is modified to have - * Z = 64 bit accumulator - * C = 64 bit C seed - * N = 2**63 - 1 - * S = S seed is not implemented here - * arithmetic is not quite real double integer precision, since we - * cant get at the carry or high order results from multiply, - * but nontheless is 64 bit arithmetic. - */ -/* - * This code purports to implement the above algorithm, but fails. - * - * First of all, there was an implicit mod 2**32 being done on the - * machines where this was developed because of their word sizes, and - * for compabitility this has to be done on machines with 64-bit - * words, so we make it explicit. - * - * Second, in the squaring operation, I really doubt the carry-over - * from the low 31-bit half of the accumulator is being done right, - * and using a modulus of 0x7fffffff on the low half of the - * accumulator seems completely wrong. And I challenge anyone to - * explain where the number 83653421 comes from. 
- * - * --Ken Raeburn 2001-04-06 - */ - - -/* System include files */ -#include <stdio.h> -#include <errno.h> - -#include "des_int.h" -#include "des.h" - -/* Definitions for byte swapping */ - -/* vax byte order is LSB first. This is not performance critical, and - is far more readable this way. */ -#define four_bytes_vax_to_nets(x) ((((((x[3]<<8)|x[2])<<8)|x[1])<<8)|x[0]) -#define vaxtohl(x) four_bytes_vax_to_nets(((const unsigned char *)(x))) -#define two_bytes_vax_to_nets(x) ((x[1]<<8)|x[0]) -#define vaxtohs(x) two_bytes_vax_to_nets(((const unsigned char *)(x))) - -/* Externals */ -extern int des_debug; - -/*** Routines ***************************************************** */ - -unsigned long KRB5_CALLCONV -des_quad_cksum(in,out,length,out_count,c_seed) - const unsigned char *in; /* input block */ - unsigned DES_INT32 *out; /* optional longer output */ - long length; /* original length in bytes */ - int out_count; /* number of iterations */ - mit_des_cblock *c_seed; /* secret seed, 8 bytes */ -{ - - /* - * this routine both returns the low order of the final (last in - * time) 32bits of the checksum, and if "out" is not a null - * pointer, a longer version, up to entire 32 bytes of the - * checksum is written unto the address pointed to. - */ - - register unsigned DES_INT32 z; - register unsigned DES_INT32 z2; - register unsigned DES_INT32 x; - register unsigned DES_INT32 x2; - const unsigned char *p; - register DES_INT32 len; - register int i; - - /* use all 8 bytes of seed */ - - z = vaxtohl(c_seed); - z2 = vaxtohl((const char *)c_seed+4); - if (out == NULL) - out_count = 1; /* default */ - - /* This is repeated n times!! */ - for (i = 1; i <=4 && i<= out_count; i++) { - len = length; - p = in; - while (len) { - /* - * X = Z + Input ... sort of. Carry out from low half - * isn't done, so we're using all 32 bits of x now. 
- */ - if (len > 1) { - x = (z + vaxtohs(p)); - p += 2; - len -= 2; - } - else { - x = (z + *(const unsigned char *)p++); - len = 0; - } - x2 = z2; - /* - * I think this is supposed to be a squaring operation. - * What it really is, I haven't figured out yet. - * - * Explicit mod 2**32 is for backwards compatibility. Why - * mod 0x7fffffff and not 0x80000000 on the low half of - * the (supposed) accumulator? And where does the number - * 83653421 come from?? - */ - z = (((x * x) + (x2 * x2)) & 0xffffffff) % 0x7fffffff; - z2 = ((x * (x2+83653421)) & 0xffffffff) % 0x7fffffff; /* modulo */ -#ifdef DEBUG - if (des_debug & 8) - printf("%d %d\n",z,z2); -#endif - } - - if (out != NULL) { - *out++ = z; - *out++ = z2; - } - } - /* return final z value as 32 bit version of checksum */ - return z; -} diff --git a/src/lib/des425/random_key.c b/src/lib/des425/random_key.c deleted file mode 100644 index f367fc8..0000000 --- a/src/lib/des425/random_key.c +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
- * lib/des425/random_key.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- */
-
-/*
- * Copyright (C) 1998 by the FundsXpress, INC.
- *
- * All rights reserved.
- *
- * Export of this software from the United States of America may require
- * a specific license from the United States Government. It is the
- * responsibility of any person or organization contemplating export to
- * obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of FundsXpress. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. FundsXpress makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-#include "des_int.h"
-#include "des.h"
-
-/* random_key */
-int
-des_random_key(key)
- mit_des_cblock *key;
-{
- krb5_keyblock keyblock;
- krb5_error_code kret;
-
- if ((kret = krb5_c_make_random_key(/* XXX */ 0, ENCTYPE_DES_CBC_CRC,
- &keyblock)))
- return(kret);
-
- memcpy(key, keyblock.contents, sizeof(mit_des_cblock));
-
- return(0);
-}
-
diff --git a/src/lib/des425/read_passwd.c b/src/lib/des425/read_passwd.c
deleted file mode 100644
index bdcb329..0000000
--- a/src/lib/des425/read_passwd.c
+++ /dev/null
@@ -1,128 +0,0 @@ -/* - * lib/des425/read_passwd.c - * - * Copyright 1985,1986,1987,1988,1991 by the Massachusetts Institute - * of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * This routine prints the supplied string to standard - * output as a prompt, and reads a password string without - * echoing. - */ - -#if !defined(_WIN32) - -#include "des_int.h" -#include "des.h" -#include <stdio.h> -#include <errno.h> -#include <krb5.h> -/* This is re-declared here because des.h might not declare it. 
*/ -int KRB5_CALLCONV des_read_pw_string(char *, int, char *, int); -static int des_rd_pwstr_2prompt(char *, int, char *, char *); - - -/*** Routines ****************************************************** */ -static int -des_rd_pwstr_2prompt(return_pwd, bufsize_in, prompt, prompt2) - char *return_pwd; - int bufsize_in; - char *prompt; - char *prompt2; -{ - krb5_data reply_data; - krb5_prompt k5prompt; - krb5_error_code retval; - reply_data.length = bufsize_in; - reply_data.data = return_pwd; - k5prompt.prompt = prompt; - k5prompt.hidden = 1; - k5prompt.reply = &reply_data; - retval = krb5_prompter_posix(NULL, - NULL, NULL, NULL, 1, &k5prompt); - - if ((retval==0) && prompt2) { - krb5_data verify_data; - verify_data.data = malloc(bufsize_in); - verify_data.length = bufsize_in; - k5prompt.prompt = prompt2; - k5prompt.reply = &verify_data; - if (!verify_data.data) - return ENOMEM; - retval = krb5_prompter_posix(NULL, - NULL,NULL, NULL, 1, &k5prompt); - if (retval) { - free(verify_data.data); - } else { - /* compare */ - if (strncmp(return_pwd, (char *)verify_data.data, bufsize_in)) { - retval = KRB5_LIBOS_BADPWDMATCH; - free(verify_data.data); - } - } - } - return retval; -} - - -int KRB5_CALLCONV -des_read_password(k,prompt,verify) - mit_des_cblock *k; - char *prompt; - int verify; -{ - int ok; - char key_string[BUFSIZ]; - - ok = des_read_pw_string(key_string, sizeof(key_string), prompt, verify); - if (ok == 0) - des_string_to_key(key_string, *k); - - memset(key_string, 0, sizeof (key_string)); - return ok; -} - -/* Note: this function is exported on KfM. Do not change its ABI. */ -int KRB5_CALLCONV -des_read_pw_string(s, max, prompt, verify) - char *s; - int max; - char *prompt; - int verify; -{ - int ok; - char prompt2[BUFSIZ]; - - if (verify) { - snprintf(prompt2, sizeof(prompt2), "Verifying, please re-enter %s", - prompt); - } - ok = des_rd_pwstr_2prompt(s, max, prompt, verify ? 
prompt2 : 0); - return ok; -} - -#else /* !unix */ -/* - * These are all just dummy functions to make the rest of the library happy... - */ -#endif /* _WINDOWS */ diff --git a/src/lib/des425/str_to_key.c b/src/lib/des425/str_to_key.c deleted file mode 100644 index 4ddcaed..0000000 --- a/src/lib/des425/str_to_key.c +++ /dev/null 
@@ -1,168 +0,0 @@ -/* - * lib/des425/str_to_key.c - * - * Copyright 1985, 1986, 1987, 1988, 1989,1990 by the Massachusetts Institute - * of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * These routines perform encryption and decryption using the DES - * private key algorithm, or else a subset of it-- fewer inner loops. - * (AUTH_DES_ITER defaults to 16, may be less.) - * - * Under U.S. law, this software may not be exported outside the US - * without license from the U.S. Commerce department. - * - * The key schedule is passed as an arg, as well as the cleartext or - * ciphertext. The cleartext and ciphertext should be in host order. - * - * These routines form the library interface to the DES facilities. 
- * - * spm 8/85 MIT project athena - */ - - -#include <stdio.h> -#include <string.h> -#include "des_int.h" -#include "des.h" - -extern int mit_des_debug; - -/* - * Convert an arbitrary length string to a DES key. - */ - -/* - * For krb5, a change was made to this algorithm: When each key is - * generated, after fixing parity, a check for weak and semi-weak keys - * is done. If the key is weak or semi-weak, we XOR the last byte - * with 0xF0. (In the case of the intermediate key, the weakness is - * probably irrelevant, but there it is.) The odds that this will - * generate a different key for a random input string are pretty low, - * but non-zero. So we need this different function for krb4 to use. - */ -int KRB5_CALLCONV -des_string_to_key(str,key) - const char *str; - register mit_des_cblock key; -{ - const char *in_str; - register unsigned temp; - register int j; - unsigned long i, length; - unsigned char *k_p; - int forward; - register char *p_char; - char k_char[64]; - mit_des_key_schedule key_sked; - - in_str = str; - forward = 1; - p_char = k_char; - length = strlen(str); - - /* init key array for bits */ - memset(k_char, 0,sizeof(k_char)); - -#ifdef DEBUG - if (mit_des_debug) - fprintf(stdout, - "\n\ninput str length = %ld string = %s\nstring = 0x ", - length,str); -#endif - - /* get next 8 bytes, strip parity, xor */ - for (i = 1; i <= length; i++) { - /* get next input key byte */ - temp = (unsigned int) *str++; -#ifdef DEBUG - if (mit_des_debug) - fprintf(stdout,"%02x ",temp & 0xff); -#endif - /* loop through bits within byte, ignore parity */ - for (j = 0; j <= 6; j++) { - if (forward) - *p_char++ ^= (int) temp & 01; - else - *--p_char ^= (int) temp & 01; - temp = temp >> 1; - } - - /* check and flip direction */ - if ((i%8) == 0) - forward = !forward; - } - - /* now stuff into the key des_cblock, and force odd parity */ - p_char = k_char; - k_p = (unsigned char *) key; - - for (i = 0; i <= 7; i++) { - temp = 0; - for (j = 0; j <= 6; j++) - temp |= 
*p_char++ << (1+j); - *k_p++ = (unsigned char) temp; - } - - /* fix key parity */ - des_fixup_key_parity(key); - - /* Now one-way encrypt it with the folded key */ - (void) des_key_sched(key, key_sked); - (void) des_cbc_cksum((const des_cblock *)in_str, (des_cblock *)key, - length, key_sked, (const des_cblock *)key); - /* erase key_sked */ - memset(key_sked, 0,sizeof(key_sked)); - - /* now fix up key parity again */ - des_fixup_key_parity(key); - -#ifdef DEBUG - if (mit_des_debug) - fprintf(stdout, - "\nResulting string_to_key = 0x%x 0x%x\n", - *((unsigned long *) key), - *((unsigned long *) key+1)); -#endif /* DEBUG */ - return 0; /* Really should be returning void, */ - /* but the original spec was for it to */ - /* return an int, and ANSI compilers */ - /* can do dumb things sometimes */ -} - -void afs_string_to_key(char *str, char *cell, des_cblock key) -{ - krb5_data str_data; - krb5_data cell_data; - krb5_keyblock keyblock; - - str_data.data = str; - str_data.length = strlen(str); - cell_data.data = cell; - cell_data.length = strlen(cell); - keyblock.enctype = ENCTYPE_DES_CBC_CRC; - keyblock.length = sizeof(des_cblock); - keyblock.contents = key; - - mit_afs_string_to_key(&keyblock, &str_data, &cell_data); -} diff --git a/src/lib/des425/string2key.c b/src/lib/des425/string2key.c deleted file mode 100644 index 8756787..0000000 --- a/src/lib/des425/string2key.c +++ /dev/null 
@@ -1,174 +0,0 @@ -/* THIS FILE DOES NOT GET COMPILED. AUDIT BEFORE USE. */ -/* - * lib/des425/string2key.c - * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * Wrapper for the V4 libdes for use with kerberos V5. - */ - - -#include "des.h" -#include "des_int.h" - -#ifdef DEBUG -#include <stdio.h> -extern int des_debug; -#endif - -/* - converts the string pointed to by "data" into an encryption key - of type "enctype". *keyblock is filled in with the key info; - in particular, keyblock->contents is to be set to allocated storage. - It is the responsibility of the caller to release this storage - when the generated key no longer needed. - - The routine may use "princ" to seed or alter the conversion - algorithm. 
- - If the particular function called does not know how to make a - key of type "enctype", an error may be returned. - - returns: errors - */ - -krb5_error_code mit_des_string_to_key (enctype, keyblock, data, princ) - const krb5_enctype enctype; - krb5_keyblock * keyblock; - const krb5_data * data; - krb5_const_principal princ; -{ - char copystr[512]; - - register char *str = copystr; - register krb5_octet *key; - - register unsigned temp,i; - register int j; - register long length; - unsigned char *k_p; - int forward; - register char *p_char; - char k_char[64]; - mit_des_key_schedule key_sked; - -#define min(A, B) ((A) < (B) ? (A): (B)) - - if ( enctype != ENCTYPE_DES ) - return (KRB5_PROG_ENCTYPE_NOSUPP); - - if ( !(keyblock->contents = (krb5_octet *)malloc(sizeof(mit_des_cblock))) ) - return(ENOMEM); - -#define cleanup() {memset(keyblock->contents, 0, sizeof(mit_des_cblock));\ - krb5_xfree(keyblock->contents);} - - keyblock->enctype = ENCTYPE_DES; - keyblock->length = sizeof(mit_des_cblock); - key = keyblock->contents; - - memset(copystr, 0, sizeof(copystr)); - j = min(data->length, 511); - (void) strncpy(copystr, data->data, j); - if ( princ != 0 ) - for (i=0; princ[i] != 0 && j < 511; i++) { - (void) strncpy(copystr+j, princ[i]->data, - min(princ[i]->length, 511-j)); - j += min(princ[i]->length, 511-j); - } - - /* convert copystr to des key */ - forward = 1; - p_char = k_char; - length = strlen(str); - - /* init key array for bits */ - memset(k_char,0,sizeof(k_char)); - -#ifdef DEBUG - if (mit_des_debug) - fprintf(stdout, - "\n\ninput str length = %d string = %s\nstring = 0x ", - length,str); -#endif - - /* get next 8 bytes, strip parity, xor */ - for (i = 1; i <= length; i++) { - /* get next input key byte */ - temp = (unsigned int) *str++; -#ifdef DEBUG - if (mit_des_debug) - fprintf(stdout,"%02x ",temp & 0xff); -#endif - /* loop through bits within byte, ignore parity */ - for (j = 0; j <= 6; j++) { - if (forward) - *p_char++ ^= (int) temp & 01; - else - 
*--p_char ^= (int) temp & 01; - temp = temp >> 1; - } - - /* check and flip direction */ - if ((i%8) == 0) - forward = !forward; - } - - /* now stuff into the key mit_des_cblock, and force odd parity */ - p_char = k_char; - k_p = (unsigned char *) key; - - for (i = 0; i <= 7; i++) { - temp = 0; - for (j = 0; j <= 6; j++) - temp |= *p_char++ << (1+j); - *k_p++ = (unsigned char) temp; - } - - /* fix key parity */ - mit_des_fixup_key_parity(key); - - /* Now one-way encrypt it with the folded key */ - (void) mit_des_key_sched(key, key_sked); - (void) mit_des_cbc_cksum((krb5_octet *)copystr, key, length, key_sked, key); - /* erase key_sked */ - memset((char *)key_sked, 0, sizeof(key_sked)); - - /* now fix up key parity again */ - mit_des_fixup_key_parity(key); - -#ifdef DEBUG - if (mit_des_debug) - fprintf(stdout, - "\nResulting string_to_key = 0x%x 0x%x\n", - *((unsigned long *) key), - *((unsigned long *) key+1)); -#endif - - return 0; -} - - - - diff --git a/src/lib/des425/t_pcbc.c b/src/lib/des425/t_pcbc.c deleted file mode 100644 index 2932148..0000000 --- a/src/lib/des425/t_pcbc.c +++ /dev/null 
@@ -1,123 +0,0 @@ -/* - * lib/des425/t_quad.c - * - * Copyright 2001 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - - -#include <stdio.h> -#include <errno.h> -#include "des_int.h" -#include "des.h" - -char *progname; -int des_debug; - -/* These test values were constructed by experimentation, because I - couldn't be bothered to look up the spec for the encryption mode - and see if any test vector is defined. But really, the thing we - need to test is that the operation we use doesn't changed. Like - with quad_cksum, compatibility is more important than strict - adherence to the spec, if we have to choose. In any case, if you - have a useful test vector, send it in.... 
*/ -struct { - unsigned char text[32]; - des_cblock out[4]; -} tests[] = { - { - "Now is the time for all ", - { - { 0x7f, 0x81, 0x65, 0x41, 0x21, 0xdb, 0xd4, 0xcf, }, - { 0xf8, 0xaa, 0x09, 0x90, 0xeb, 0xc7, 0x60, 0x2b, }, - { 0x45, 0x3e, 0x4e, 0x65, 0x83, 0x6c, 0xf1, 0x98, }, - { 0x4c, 0xfc, 0x69, 0x72, 0x23, 0xdb, 0x48, 0x78, } - } - }, { - "7654321 Now is the time for ", - { - { 0xcc, 0xd1, 0x73, 0xff, 0xab, 0x20, 0x39, 0xf4, }, - { 0x6d, 0xec, 0xb4, 0x70, 0xa0, 0xe5, 0x6b, 0x15, }, - { 0xae, 0xa6, 0xbf, 0x61, 0xed, 0x7d, 0x9c, 0x9f, }, - { 0xf7, 0x17, 0x46, 0x3b, 0x8a, 0xb3, 0xcc, 0x88, } - } - }, { - "hi", - { { 0x76, 0x61, 0x0e, 0x8b, 0x23, 0xa4, 0x5f, 0x34, } } - }, -}; - -/* 0x0123456789abcdef */ -unsigned char default_key[8] = { - 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef -}; -des_cblock ivec = { - 0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10 -}; - -int -main(argc,argv) - int argc; - char *argv[]; -{ - int i; - int fail=0; - des_cblock out[32/8]; - des_cblock out2[32/8]; - des_key_schedule sked; - - progname=argv[0]; /* salt away invoking program */ - - /* use known input and key */ - - for (i = 0; i < 3; i++) { - int wrong = 0, j, jmax; - des_key_sched (default_key, sked); - /* This could lose on alignment... */ - des_pcbc_encrypt ((des_cblock *)&tests[i].text, out, - strlen(tests[i].text) + 1, sked, &ivec, 1); - printf ("pcbc_encrypt(\"%s\") = {", tests[i].text); - jmax = (strlen (tests[i].text) + 8) & ~7U; - for (j = 0; j < jmax; j++) { - if (j % 8 == 0) - printf ("\n\t"); - printf (" 0x%02x,", out[j/8][j%8]); - if (out[j/8][j%8] != tests[i].out[j/8][j%8]) - wrong = 1; - } - printf ("\n}\n"); - - /* reverse it */ - des_pcbc_encrypt (out, out2, jmax, sked, &ivec, 0); - if (strcmp ((char *)out2, tests[i].text)) { - printf ("decrypt failed\n"); - wrong = 1; - } else - printf ("decrypt worked\n"); - - if (wrong) { - printf ("wrong result!\n"); - fail = 1; - } - } - return fail; -} 
diff --git a/src/lib/des425/t_quad.c b/src/lib/des425/t_quad.c
deleted file mode 100644
index b9299fd..0000000
--- a/src/lib/des425/t_quad.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * lib/des425/t_quad.c
- *
- * Copyright 2001 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-
-#include <stdio.h>
-#include <errno.h>
-#include "des_int.h"
-#include "des.h"
-
-extern unsigned long quad_cksum();
-char *progname;
-int des_debug;
-unsigned DES_INT32 out[8];
-struct {
- unsigned char text[64];
- unsigned DES_INT32 out[8];
-} tests[] = {
- {
- "Now is the time for all ",
- {
- 0x6c6240c5, 0x77db9b1c, 0x7991d316, 0x4e688989,
- 0x27a0ae6a, 0x13be2da4, 0x4a2fdfc6, 0x7dfc494c,
- }
- }, {
- "7654321 Now is the time for ",
- {
- 0x36839db5, 0x4d7be717, 0x15b0f5b6, 0x2304ff9c,
- 0x75472d26, 0x6a5f833c, 0x7399a4ee, 0x1170fdfb,
- }
- }, {
- {2,0,0,0, 1,0,0,0},
- {
- 0x7c81f205, 0x63d38e38, 0x314ece44, 0x05d3a4f8,
- 0x6e10db76, 0x3eda7685, 0x2e841332, 0x1bdc7fd3,
- }
- },
-};
-
-/* 0x0123456789abcdef */
-unsigned char default_key[8] = {
- 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef
-};
-
-int
-main(argc,argv)
- int argc;
- char *argv[];
-{
- int i;
- int fail=0;
-
- progname=argv[0]; /* salt away invoking program */
-
- /* use known input and key */
-
- for (i = 0; i < 3; i++) {
- int wrong = 0, j;
- des_quad_cksum (tests[i].text, out, 64L, 4,
- (mit_des_cblock *) &default_key);
- if (tests[i].text[0] == 2)
- printf ("quad_cksum(<binary blob 1>) = {");
- else
- printf ("quad_cksum(\"%s\"...zero fill...) = {", tests[i].text);
- for (j = 0; j < 8; j++) {
- if (j == 0 || j == 4)
- printf ("\n\t");
- printf (" 0x%lx,", (unsigned long) out[j]);
- if (out[j] != tests[i].out[j])
- wrong = 1;
- }
- printf ("\n}\n");
- if (wrong) {
- printf ("wrong result!\n");
- fail = 1;
- }
- }
- return fail;
-}
diff --git a/src/lib/des425/unix_time.c b/src/lib/des425/unix_time.c
deleted file mode 100644
index 53ce03b..0000000
--- a/src/lib/des425/unix_time.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * unix_time.c
- *
- * Glue code for pasting Kerberos into the Unix environment.
- *
- * Originally written by John Gilmore, Cygnus Support, May '94.
- * Public Domain.
- *
- * Required for use by the Cygnus krb.a.
- */
-
-
-#include "k5-int.h"
-
-#if !defined(_WIN32)
-#include <sys/time.h>
-
-krb5_ui_4
-unix_time_gmt_unixsec (usecptr)
- krb5_ui_4 *usecptr;
-{
- struct timeval now;
-
- (void) gettimeofday (&now, (struct timezone *)0);
- if (usecptr)
- *usecptr = now.tv_usec;
- return now.tv_sec;
-}
-
-#endif /* !_WIN32 */
-
-#ifdef _WIN32
-#include <time.h>
-
-krb5_ui_4
-unix_time_gmt_unixsec (usecptr)
- krb5_ui_4 *usecptr;
-{
- time_t gmt;
-
- time(&gmt);
- if (usecptr)
- *usecptr = gmt;
- return gmt;
-}
-#endif /* _WIN32 */
diff --git a/src/lib/des425/util.c b/src/lib/des425/util.c
deleted file mode 100644
index 2c5ef92..0000000
--- a/src/lib/des425/util.c
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * lib/des425/util.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Miscellaneous debug printing utilities
- */
-
-#include <stdio.h>
-
-/* Application include files */
-#include "k5-int.h"
-#include "des_int.h"
-#include "des.h"
-
-void des_cblock_print_file(x, fp)
- des_cblock *x;
- FILE *fp;
-{
- unsigned char *y = *x;
- register int i = 0;
- fprintf(fp," 0x { ");
-
- while (i++ < 8) {
- fprintf(fp,"%x",*y++);
- if (i < 8)
- fprintf(fp,", ");
- }
- fprintf(fp," }");
-}
diff --git a/src/lib/des425/verify.c b/src/lib/des425/verify.c
deleted file mode 100644
index 653730a..0000000
--- a/src/lib/des425/verify.c
+++ /dev/null
@@ -1,317 +0,0 @@
-/*
- * lib/des425/verify.c
- *
- * Copyright 1988,1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Program to test the correctness of the DES library
- * implementation.
- * - * exit returns 0 ==> success - * -1 ==> error - */ - - -#include <stdio.h> -#include <errno.h> -#include "des_int.h" -#include "des.h" - -char *progname; -int nflag = 2; -int vflag; -int mflag; -int zflag; -int pid; -int des_debug; -des_key_schedule KS; -unsigned char cipher_text[64]; -unsigned char clear_text[64] = "Now is the time for all " ; -unsigned char clear_text2[64] = "7654321 Now is the time for "; -unsigned char clear_text3[64] = {2,0,0,0, 1,0,0,0}; -unsigned char output[64]; -unsigned char zero_text[8] = {0x0,0,0,0,0,0,0,0}; -unsigned char msb_text[8] = {0x0,0,0,0, 0,0,0,0x40}; /* to ANSI MSB */ -unsigned char *input; - -/* 0x0123456789abcdef */ -unsigned char default_key[8] = { - 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef -}; -unsigned char key2[8] = { 0x08,0x19,0x2a,0x3b,0x4c,0x5d,0x6e,0x7f }; -unsigned char key3[8] = { 0x80,1,1,1,1,1,1,1 }; -des_cblock s_key; -unsigned char default_ivec[8] = { - 0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef -}; -unsigned char *ivec; -unsigned char zero_key[8] = {1,1,1,1,1,1,1,1}; /* just parity bits */ -int i,j; - -unsigned char cipher1[8] = { - 0x25,0xdd,0xac,0x3e,0x96,0x17,0x64,0x67 -}; -unsigned char cipher2[8] = { - 0x3f,0xa4,0x0e,0x8a,0x98,0x4d,0x48,0x15 -}; -unsigned char cipher3[64] = { - 0xe5,0xc7,0xcd,0xde,0x87,0x2b,0xf2,0x7c, - 0x43,0xe9,0x34,0x00,0x8c,0x38,0x9c,0x0f, - 0x68,0x37,0x88,0x49,0x9a,0x7c,0x05,0xf6 -}; -unsigned char checksum[8] = { - 0x58,0xd2,0xe7,0x7e,0x86,0x06,0x27,0x33 -}; - -unsigned char zresult[8] = { - 0x8c, 0xa6, 0x4d, 0xe9, 0xc1, 0xb1, 0x23, 0xa7 -}; - -unsigned char mresult[8] = { - 0xa3, 0x80, 0xe0, 0x2a, 0x6b, 0xe5, 0x46, 0x96 -}; - - -/* - * Can also add : - * plaintext = 0, key = 0, cipher = 0x8ca64de9c1b123a7 (or is it a 1?) 
- */ - -void do_encrypt (unsigned char *, unsigned char *); -void do_decrypt (unsigned char *, unsigned char *); - -int -main(argc,argv) - int argc; - char *argv[]; -{ - /* Local Declarations */ - unsigned long in_length; - - progname=argv[0]; /* salt away invoking program */ - - while (--argc > 0 && (*++argv)[0] == '-') - for (i=1; argv[0][i] != '\0'; i++) { - switch (argv[0][i]) { - - /* debug flag */ - case 'd': - des_debug=3; - continue; - - case 'z': - zflag = 1; - continue; - - case 'm': - mflag = 1; - continue; - - default: - printf("%s: illegal flag \"%c\" ", - progname,argv[0][i]); - exit(1); - } - }; - - if (argc) { - fprintf(stderr, "Usage: %s [-dmz]\n", progname); - exit(1); - } - - /* use known input and key */ - - /* ECB zero text zero key */ - if (zflag) { - input = zero_text; - des_key_sched(zero_key,KS); - printf("plaintext = key = 0, cipher = 0x8ca64de9c1b123a7\n"); - do_encrypt(input,cipher_text); - printf("\tcipher = (low to high bytes)\n\t\t"); - for (j = 0; j<=7; j++) - printf("%02x ",cipher_text[j]); - printf("\n"); - do_decrypt(output,cipher_text); - if ( memcmp((char *)cipher_text, (char *)zresult, 8) ) { - printf("verify: error in zero key test\n"); - exit(-1); - } - exit(0); - } - - if (mflag) { - input = msb_text; - des_key_sched(key3,KS); - printf("plaintext = 0x00 00 00 00 00 00 00 40, "); - printf("key = 0, cipher = 0x??\n"); - do_encrypt(input,cipher_text); - printf("\tcipher = (low to high bytes)\n\t\t"); - for (j = 0; j<=7; j++) { - printf("%02x ",cipher_text[j]); - } - printf("\n"); - do_decrypt(output,cipher_text); - if ( memcmp((char *)cipher_text, (char *)mresult, 8) ) { - printf("verify: error in msb test\n"); - exit(-1); - } - exit(0); - } - - /* ECB mode Davies and Price */ - { - input = zero_text; - des_key_sched(key2,KS); - printf("Examples per FIPS publication 81, keys ivs and cipher\n"); - printf("in hex. 
These are the correct answers, see below for\n"); - printf("the actual answers.\n\n"); - printf("Examples per Davies and Price.\n\n"); - printf("EXAMPLE ECB\tkey = 08192a3b4c5d6e7f\n"); - printf("\tclear = 0\n"); - printf("\tcipher = 25 dd ac 3e 96 17 64 67\n"); - printf("ACTUAL ECB\n"); - printf("\tclear \"%s\"\n", input); - do_encrypt(input,cipher_text); - printf("\tcipher = (low to high bytes)\n\t\t"); - for (j = 0; j<=7; j++) - printf("%02x ",cipher_text[j]); - printf("\n\n"); - do_decrypt(output,cipher_text); - if ( memcmp((char *)cipher_text, (char *)cipher1, 8) ) { - printf("verify: error in ECB encryption\n"); - exit(-1); - } - else - printf("verify: ECB encription is correct\n\n"); - } - - /* ECB mode */ - { - des_key_sched(default_key,KS); - input = clear_text; - ivec = default_ivec; - printf("EXAMPLE ECB\tkey = 0123456789abcdef\n"); - printf("\tclear = \"Now is the time for all \"\n"); - printf("\tcipher = 3f a4 0e 8a 98 4d 48 15 ...\n"); - printf("ACTUAL ECB\n\tclear \"%s\"",input); - do_encrypt(input,cipher_text); - printf("\n\tcipher = (low to high bytes)\n\t\t"); - for (j = 0; j<=7; j++) { - printf("%02x ",cipher_text[j]); - } - printf("\n\n"); - do_decrypt(output,cipher_text); - if ( memcmp((char *)cipher_text, (char *)cipher2, 8) ) { - printf("verify: error in ECB encryption\n"); - exit(-1); - } - else - printf("verify: ECB encription is correct\n\n"); - } - - /* CBC mode */ - printf("EXAMPLE CBC\tkey = 0123456789abcdef"); - printf("\tiv = 1234567890abcdef\n"); - printf("\tclear = \"Now is the time for all \"\n"); - printf("\tcipher =\te5 c7 cd de 87 2b f2 7c\n"); - printf("\t\t\t43 e9 34 00 8c 38 9c 0f\n"); - printf("\t\t\t68 37 88 49 9a 7c 05 f6\n"); - - printf("ACTUAL CBC\n\tclear \"%s\"\n",input); - in_length = strlen((char *) input); - des_cbc_encrypt(input,cipher_text, in_length,KS,ivec,1); - printf("\tciphertext = (low to high bytes)\n"); - for (i = 0; i <= 7; i++) { - printf("\t\t"); - for (j = 0; j <= 7; j++) { - printf("%02x 
",cipher_text[i*8+j]); - } - printf("\n"); - } - des_cbc_encrypt(cipher_text,clear_text,in_length,KS,ivec,0); - printf("\tdecrypted clear_text = \"%s\"\n",clear_text); - - if ( memcmp(cipher_text, cipher3, (size_t) in_length) ) { - printf("verify: error in CBC encryption\n"); - exit(-1); - } - else - printf("verify: CBC encription is correct\n\n"); - - printf("EXAMPLE CBC checksum"); - printf("\tkey = 0123456789abcdef\tiv = 1234567890abcdef\n"); - printf("\tclear =\t\t\"7654321 Now is the time for \"\n"); - printf("\tchecksum\t58 d2 e7 7e 86 06 27 33, "); - printf("or some part thereof\n"); - input = clear_text2; - des_cbc_cksum(input,cipher_text,(long) strlen((char *) input),KS,ivec); - printf("ACTUAL CBC checksum\n"); - printf("\t\tencrypted cksum = (low to high bytes)\n\t\t"); - for (j = 0; j<=7; j++) - printf("%02x ",cipher_text[j]); - printf("\n\n"); - if ( memcmp((char *)cipher_text, (char *)checksum, 8) ) { - printf("verify: error in CBC cheksum\n"); - exit(-1); - } - else - printf("verify: CBC checksum is correct\n\n"); - exit(0); -} - -void -do_encrypt(in,out) - unsigned char *in; - unsigned char *out; -{ - for (i =1; i<=nflag; i++) { - des_ecb_encrypt((unsigned long *) in, (unsigned long *)out, KS, 1); - if (des_debug) { - printf("\nclear %s\n",in); - for (j = 0; j<=7; j++) - printf("%02X ",in[j] & 0xff); - printf("\tcipher "); - for (j = 0; j<=7; j++) - printf("%02X ",out[j] & 0xff); - } - } -} - -void -do_decrypt(in,out) - unsigned char *out; - unsigned char *in; - /* try to invert it */ -{ - for (i =1; i<=nflag; i++) { - des_ecb_encrypt((unsigned long *) out, (unsigned long *)in,KS,0); - if (des_debug) { - printf("clear %s\n",in); - for (j = 0; j<=7; j++) - printf("%02X ",in[j] & 0xff); - printf("\tcipher "); - for (j = 0; j<=7; j++) - printf("%02X ",out[j] & 0xff); - } - } -} diff --git a/src/lib/des425/weak_key.c b/src/lib/des425/weak_key.c deleted file mode 100644 index f4ef6fb..0000000 --- a/src/lib/des425/weak_key.c +++ /dev/null 
@@ -1,41 +0,0 @@
-/*
- * lib/des425/weak_key.c
- *
- * Copyright 1989,1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "des_int.h"
-#include "des.h"
-
-/*
- * mit_des_is_weak_key: returns true iff key is a [semi-]weak des key.
- *
- * Requires: key has correct odd parity.
- */
-int
-des_is_weak_key(key)
- mit_des_cblock key;
-{
- return (mit_des_is_weak_key(key));
-}
diff --git a/src/lib/krb4/CCache-glue.c b/src/lib/krb4/CCache-glue.c
deleted file mode 100644
index a078c9f..0000000
--- a/src/lib/krb4/CCache-glue.c
+++ /dev/null
@@ -1,741 +0,0 @@ -/* - * CCache-glue.c - * - * This file contains implementations of krb4 credentials cache operations in terms - * of the CCache API (<http://www.umich.edu/~sgr/v4Cache/>). - * - * $Header$ - */ - - -#include "krb.h" -#include "krb4int.h" - -#if !defined (USE_CCAPI) || !USE_CCAPI -#error "Cannot use CCache glue without the CCAPI!" -#endif - -#ifdef USE_LOGIN_LIBRARY -#include <KerberosLoginPrivate.h> -#endif /* USE_LOGIN_LIBRARY */ -#include <CredentialsCache.h> - -#include <string.h> -#include <stdlib.h> - -/* - * The following functions are part of the KfM ABI. - * They are deprecated, so they only appear here, not in krb.h. - * - * Do not change the ABI of these functions! - */ -int KRB5_CALLCONV krb_get_num_cred(void); -int KRB5_CALLCONV krb_get_nth_cred(char *, char *, char *, int); -int KRB5_CALLCONV krb_delete_cred(char *, char *,char *); -int KRB5_CALLCONV dest_all_tkts(void); - -/* Internal functions */ -static void UpdateDefaultCache (void); - -/* - * The way Kerberos v4 normally works is that at any given point in time there is a - * file where all the tickets go, determined by an environment variable. If a user kinits - * to a new principal, the existing tickets are replaced with new ones. At any point in time, there is a - * "current" or "default" principal, which is determined by the principal associated with - * the current ticket file. - * - * In the CCache API implementation, this corresponds to always having a "default" - * or "current" named cache. The default principal then corresponds to that cache. - * - * Unfortunately, Kerberos v4 also has this notion that the default cache exists (in the sense - * that its name is known) even before the actual file has been created. - * - * In addition to this, we cannot make the default cache system-wide global, because then - * we get all sorts of interesting scenarios in which context switches between processes - * can cause credentials to be stored in wrong caches. 
- * - * To solve all the problems, we have to emulate the concept of an environment variable, - * by having a system-wide concept of what a default credentials cache is; then, we copy - * the system-wide value into the per-process value when the application starts up. - * - * However, in order to allow applications to be able to sanely handle the user model we - * want to support, in which the user has some way of selecting the system-wide default - * user _without_ quitting and relaunching all applications (this is also necessary for - * KClient support), calls had to be added to the Kerberos v4 library to reset the - * per-process cached value of default cache. - */ - -/* - * Name of the default cache - */ -char* gDefaultCacheName = NULL; - -/* - * Initialize credentials cache - * - * Creating the cache will blow away an existing one. The assumption is that - * whoever called us made sure that the one that we blow away if it exists - * is the right one to blow away. - */ - -int KRB5_CALLCONV -krb_in_tkt ( - char* pname, - char* pinst, - char* realm) -{ - char principal [MAX_K_NAME_SZ + 1]; - cc_int32 err = ccNoError; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - cc_ccache_t ccache = NULL; - - err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (err == ccNoError) { - snprintf (principal, sizeof(principal), "%s%s%s@%s", pname, (pinst [0] == '\0') ? 
"" : ".", pinst, realm); - } - - if (err == ccNoError) { - err = cc_context_create_ccache (cc_context, TKT_FILE, cc_credentials_v4, principal, &ccache); - } - - if (ccache != NULL) - cc_ccache_release (ccache); - if (cc_context != NULL) - cc_context_release (cc_context); - - if (err != ccNoError) - return KFAILURE; - else - return KSUCCESS; -} - -int KRB5_CALLCONV -krb_save_credentials( - char *service, - char *instance, - char *realm, - C_Block session, - int lifetime, - int kvno, - KTEXT ticket, - long issue_date) -{ - return krb4int_save_credentials_addr(service, instance, realm, - session, lifetime, kvno, - ticket, issue_date, 0); -} - -/* - * Store a ticket into the default credentials cache - * cache must exist (if it didn't exist, it would have been created by in_tkt) - */ -int -krb4int_save_credentials_addr( - char* service, - char* instance, - char* realm, - C_Block session, - int lifetime, - int kvno, - KTEXT ticket, - KRB4_32 issue_date, - KRB_UINT32 local_address) -{ - cc_int32 cc_err = ccNoError; - int kerr = KSUCCESS; - cc_credentials_v4_t v4creds; - cc_credentials_union creds; - cc_ccache_t ccache = NULL; - cc_string_t principal; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == ccNoError) { - /* First try existing cache */ - cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache); - } - - if (cc_err == ccNoError) { - /* Now we have a cache. Fill out the credentials and put them in the cache. 
*/ - /* To fill out the credentials, we need the principal */ - cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal); - } - - if (cc_err == ccNoError) { - kerr = kname_parse (v4creds.principal, v4creds.principal_instance, v4creds.realm, (char*) principal -> data); - cc_string_release (principal); - } - - if ((cc_err == ccNoError) && (kerr == KSUCCESS)) { - strncpy (v4creds.service, service, SNAME_SZ); - strncpy (v4creds.service_instance, instance, INST_SZ); - strncpy (v4creds.realm, realm, REALM_SZ); - memmove (v4creds.session_key, session, sizeof (C_Block)); - v4creds.kvno = kvno; - v4creds.string_to_key_type = cc_v4_stk_unknown; - v4creds.issue_date = issue_date; - v4creds.address = local_address; - v4creds.lifetime = lifetime; - v4creds.ticket_size = ticket -> length; - memmove (v4creds.ticket, ticket -> dat, ticket -> length); - - creds.version = cc_credentials_v4; - creds.credentials.credentials_v4 = &v4creds; - - cc_err = cc_ccache_store_credentials (ccache, &creds); - } - - if (ccache != NULL) - cc_ccache_release (ccache); - if (cc_context != NULL) - cc_context_release (cc_context); - - if (kerr != KSUCCESS) - return kerr; - if (cc_err != ccNoError) - return KFAILURE; - else - return KSUCCESS; -} - -/* - * Credentials file -> realm mapping - * - * Determine the realm by opening the named cache and parsing realm from the principal - */ -int KRB5_CALLCONV -krb_get_tf_realm ( - const char* ticket_file, - char* realm) -{ - cc_string_t principal; - char pname [ANAME_SZ]; - char pinst [INST_SZ]; - char prealm [REALM_SZ]; - int kerr = KSUCCESS; - cc_int32 cc_err = ccNoError; - cc_context_t cc_context = NULL; - cc_int32 cc_version = 0; - cc_ccache_t ccache = NULL; - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == ccNoError) { - cc_err = cc_context_open_ccache (cc_context, ticket_file, &ccache); - } - - if (cc_err == ccNoError) { - cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, 
&principal); - } - - if (cc_err == ccNoError) { - /* found cache. get princiapl and parse it */ - kerr = kname_parse (pname, pinst, prealm, (char*) principal -> data); - cc_string_release (principal); - } - - if ((cc_err == ccNoError) && (kerr == KSUCCESS)) { - strcpy (realm, prealm); - } - - if (ccache != NULL) - cc_ccache_release (ccache); - if (cc_context != NULL) - cc_context_release (cc_context); - - if (kerr != KSUCCESS) - return kerr; - if (cc_err != ccNoError) - return GC_NOTKT; - else - return KSUCCESS; -} - -/* - * Credentials file -> name, instance, realm mapping - */ -int KRB5_CALLCONV -krb_get_tf_fullname ( - const char* ticket_file, - char* name, - char* instance, - char* realm) -{ - cc_string_t principal; - int kerr = KSUCCESS; - cc_int32 cc_err = ccNoError; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - cc_ccache_t ccache = NULL; - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == ccNoError) { - cc_err = cc_context_open_ccache (cc_context, ticket_file, &ccache); - } - - if (cc_err == ccNoError) { - /* found cache. 
get principal and parse it */ - cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal); - } - - if (cc_err == ccNoError) { - kerr = kname_parse (name, instance, realm, (char*) principal -> data); - cc_string_release (principal); - } - - if (ccache != NULL) - cc_ccache_release (ccache); - if (cc_context != NULL) - cc_context_release (cc_context); - - if (kerr != KSUCCESS) - return kerr; - if (cc_err != ccNoError) - return GC_NOTKT; - else - return KSUCCESS; -} - - -/* - * Retrieval from credentials cache - */ -int KRB5_CALLCONV -krb_get_cred ( - char* service, - char* instance, - char* realm, - CREDENTIALS* creds) -{ - int kerr = KSUCCESS; - cc_int32 cc_err = ccNoError; - cc_credentials_t theCreds = NULL; - cc_credentials_iterator_t iterator = NULL; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - cc_ccache_t ccache = NULL; - -#ifdef USE_LOGIN_LIBRARY - // If we are requesting a tgt, prompt for it - if (strncmp (service, KRB_TICKET_GRANTING_TICKET, ANAME_SZ) == 0) { - OSStatus err; - char *cacheName; - KLPrincipal outPrincipal; - - err = __KLInternalAcquireInitialTicketsForCache (TKT_FILE, kerberosVersion_V4, NULL, - &outPrincipal, &cacheName); - - if (err == klNoErr) { - krb_set_tkt_string (cacheName); // Tickets for the krb4 principal went here - KLDisposeString (cacheName); - KLDisposePrincipal (outPrincipal); - } else { - return GC_NOTKT; - } - } -#endif /* USE_LOGIN_LIBRARY */ - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == ccNoError) { - cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache); - } - - if (cc_err == ccNoError) { - cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator); - } - - if (cc_err == ccNoError) { - for (;;) { - /* get next creds */ - cc_err = cc_credentials_iterator_next (iterator, &theCreds); - if (cc_err == ccIteratorEnd) { - kerr = GC_NOTKT; - break; - } - if (cc_err != ccNoError) { - kerr = KFAILURE; - break; - } - - /* version, service, 
instance, realm check */ - if ((theCreds -> data -> version == cc_credentials_v4) && - (strcmp (theCreds -> data -> credentials.credentials_v4 -> service, service) == 0) && - (strcmp (theCreds -> data -> credentials.credentials_v4 -> service_instance, instance) == 0) && - (strcmp (theCreds -> data -> credentials.credentials_v4 -> realm, realm) == 0)) { - - /* Match! */ - strcpy (creds -> service, service); - strcpy (creds -> instance, instance); - strcpy (creds -> realm, realm); - memmove (creds -> session, theCreds -> data -> credentials.credentials_v4 -> session_key, sizeof (C_Block)); - creds -> lifetime = theCreds -> data -> credentials.credentials_v4 -> lifetime; - creds -> kvno = theCreds -> data -> credentials.credentials_v4 -> kvno; - creds -> ticket_st.length = theCreds -> data -> credentials.credentials_v4 -> ticket_size; - memmove (creds -> ticket_st.dat, theCreds -> data -> credentials.credentials_v4 -> ticket, creds -> ticket_st.length); - creds -> issue_date = theCreds -> data -> credentials.credentials_v4 -> issue_date; - strcpy (creds -> pname, theCreds -> data -> credentials.credentials_v4 -> principal); - strcpy (creds -> pinst, theCreds -> data -> credentials.credentials_v4 -> principal_instance); - creds -> stk_type = theCreds -> data -> credentials.credentials_v4 -> string_to_key_type; - - cc_credentials_release (theCreds); - kerr = KSUCCESS; - break; - } else { - cc_credentials_release (theCreds); - } - } - } - - if (iterator != NULL) - cc_credentials_iterator_release (iterator); - if (ccache != NULL) - cc_ccache_release (ccache); - if (cc_context != NULL) - cc_context_release (cc_context); - - if (kerr != KSUCCESS) - return kerr; - if (cc_err != ccNoError) - return GC_NOTKT; - else - return KSUCCESS; -} - - -/* - * Getting name of default credentials cache - */ -const char* KRB5_CALLCONV -tkt_string (void) -{ - if (gDefaultCacheName == NULL) { - UpdateDefaultCache (); - } - return gDefaultCacheName; -} - -/* - * Synchronize default cache for 
this process with system default cache - */ - -static void -UpdateDefaultCache (void) -{ - cc_string_t name; - cc_int32 cc_err = ccNoError; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == ccNoError) { - cc_err = cc_context_get_default_ccache_name (cc_context, &name); - } - - if (cc_err == ccNoError) { - krb_set_tkt_string ((char*) name -> data); - cc_string_release (name); - } - - if (cc_context != NULL) - cc_context_release (cc_context); -} - -/* - * Setting name of default credentials cache - */ -void -krb_set_tkt_string ( - const char* val) -{ - /* If we get called with the return value of tkt_string, we - shouldn't dispose of the input string */ - if (val != gDefaultCacheName) { - if (gDefaultCacheName != NULL) - free (gDefaultCacheName); - - gDefaultCacheName = malloc (strlen (val) + 1); - if (gDefaultCacheName != NULL) - strcpy (gDefaultCacheName, val); - } -} - -/* - * Destroy credentials file - * - * Implementation in dest_tkt.c - */ -int KRB5_CALLCONV -dest_tkt (void) -{ - cc_int32 cc_err = ccNoError; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - cc_ccache_t ccache = NULL; - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == ccNoError) { - cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache); - } - - if (cc_err == ccNoError) { - cc_ccache_destroy (ccache); - } - - if (ccache != NULL) - cc_ccache_release (ccache); - if (cc_context != NULL) - cc_context_release (cc_context); - - if (cc_err != ccNoError) - return RET_TKFIL; - else - return KSUCCESS; -} - -/* - * The following functions are not part of the standard Kerberos v4 API. - * They were created for Mac implementation, and used by admin tools - * such as CNS-Config. 
- */ - -/* - * Number of credentials in credentials cache - */ -int KRB5_CALLCONV -krb_get_num_cred (void) -{ - cc_credentials_t theCreds = NULL; - int count = 0; - cc_credentials_iterator_t iterator = NULL; - cc_int32 cc_err = ccNoError; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - cc_ccache_t ccache = NULL; - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == ccNoError) { - cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache); - } - - if (cc_err == ccNoError) { - cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator); - } - - if (cc_err == ccNoError) { - for (;;) { - /* get next creds */ - cc_err = cc_credentials_iterator_next (iterator, &theCreds); - if (cc_err != ccNoError) - break; - - if (theCreds -> data -> version == cc_credentials_v4) - count++; - - cc_credentials_release (theCreds); - } - } - - if (iterator != NULL) - cc_credentials_iterator_release (iterator); - if (ccache != NULL) - cc_ccache_release (ccache); - if (cc_context != NULL) - cc_context_release (cc_context); - - if (cc_err != ccNoError) - return 0; - else - return count; -} - -/* - * Retrieval from credentials file - * This function is _not_!! well-defined under CCache API, because - * there is no guarantee about order of credentials remaining the same. 
- */ -int KRB5_CALLCONV -krb_get_nth_cred ( - char* sname, - char* sinstance, - char* srealm, - int n) -{ - cc_credentials_t theCreds = NULL; - int count = 0; - cc_credentials_iterator_t iterator = NULL; - cc_int32 cc_err = ccNoError; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - cc_ccache_t ccache = NULL; - - if (n < 1) - return KFAILURE; - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == ccNoError) { - cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache); - } - - if (cc_err == ccNoError) { - cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator); - } - - if (cc_err == ccNoError) { - for (count = 0; count < n;) { - /* get next creds */ - cc_err = cc_credentials_iterator_next (iterator, &theCreds); - if (cc_err != ccNoError) - break; - - if (theCreds -> data -> version == cc_credentials_v4) - count++; - - if (count < n - 1) - cc_credentials_release (theCreds); - } - } - - if (cc_err == ccNoError) { - strcpy (sname, theCreds -> data -> credentials.credentials_v4 -> service); - strcpy (sinstance, theCreds -> data -> credentials.credentials_v4 -> service_instance); - strcpy (srealm, theCreds -> data -> credentials.credentials_v4 -> realm); - } - - if (theCreds != NULL) - cc_credentials_release (theCreds); - if (iterator != NULL) - cc_credentials_iterator_release (iterator); - if (ccache != NULL) - cc_ccache_release (ccache); - if (cc_context != NULL) - cc_context_release (cc_context); - - if (cc_err != ccNoError) - return KFAILURE; - else - return KSUCCESS; -} - -/* - * Deletion from credentials file - */ -int KRB5_CALLCONV -krb_delete_cred ( - char* sname, - char* sinstance, - char* srealm) -{ - cc_credentials_t theCreds = NULL; - cc_credentials_iterator_t iterator = NULL; - cc_int32 cc_err = ccNoError; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - cc_ccache_t ccache = NULL; - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == 
ccNoError) { - cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache); - } - - if (cc_err == ccNoError) { - cc_err = cc_ccache_new_credentials_iterator (ccache, &iterator); - } - - if (cc_err == ccNoError) { - for (;;) { - /* get next creds */ - cc_err = cc_credentials_iterator_next (iterator, &theCreds); - if (cc_err != ccNoError) { - break; - } - - if ((theCreds -> data -> version == cc_credentials_v4) && - (strcmp (theCreds -> data -> credentials.credentials_v4 -> service, sname) == 0) && - (strcmp (theCreds -> data -> credentials.credentials_v4 -> service_instance, sinstance) == 0) && - (strcmp (theCreds -> data -> credentials.credentials_v4 -> realm, srealm) == 0)) { - - cc_ccache_remove_credentials (ccache, theCreds); - cc_credentials_release (theCreds); - break; - } - - cc_credentials_release (theCreds); - } - } - - if (iterator != NULL) - cc_credentials_iterator_release (iterator); - if (ccache != NULL) - cc_ccache_release (ccache); - if (cc_context != NULL) - cc_context_release (cc_context); - - if (cc_err != ccNoError) - return KFAILURE; - else - return KSUCCESS; -} - -/* - * Destroy all credential caches - * - * Implementation in memcache.c - */ -int KRB5_CALLCONV -dest_all_tkts (void) -{ - int count = 0; - cc_ccache_iterator_t iterator = NULL; - cc_int32 cc_err = ccNoError; - cc_context_t cc_context = NULL; - cc_int32 cc_version; - cc_ccache_t ccache = NULL; - - cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); - - if (cc_err == ccNoError) { - cc_err = cc_context_new_ccache_iterator (cc_context, &iterator); - } - - if (cc_err == ccNoError) { - for (;;) { - /* get next ccache */ - cc_err = cc_ccache_iterator_next (iterator, &ccache); - - if (cc_err != ccNoError) - break; - - cc_ccache_destroy (ccache); - count++; - } - } - - if (iterator != NULL) - cc_credentials_iterator_release (iterator); - if (cc_context != NULL) - cc_context_release (cc_context); - - if ((cc_err == ccIteratorEnd) && (count == 0)) { - /* first time, 
nothing to destroy */ - return KFAILURE; - } else { - if (cc_err == ccIteratorEnd) { - /* done */ - return KSUCCESS; - } else { - /* error */ - return KFAILURE; - } - } -} diff --git a/src/lib/krb4/FSp-glue.c b/src/lib/krb4/FSp-glue.c deleted file mode 100644 index 7bf0e7b..0000000 --- a/src/lib/krb4/FSp-glue.c +++ /dev/null 
@@ -1,112 +0,0 @@
-/*
- * lib/krb4/FSp-glue.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2002 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * MacOS-specific glue for using FSSpecs to deal with srvtabs.
- */
-
-#include "krb.h"
-#include "krb4int.h"
-#include <stdio.h>
-#include <string.h>
-
-#include <Kerberos/FSpUtils.h>
-/*
- * These functions are compiled in for ABI compatibility with older versions of KfM.
- * They are deprecated so they do not appear in the KfM headers anymore.
- *
- * Do not change their ABIs!
- */ -int KRB5_CALLCONV FSp_krb_get_svc_in_tkt (char *, char *, char *, char *, char *, int, const FSSpec *); -int KRB5_CALLCONV FSp_put_svc_key (const FSSpec *, char *, char *, char *, int, char *); -int KRB5_CALLCONV FSp_read_service_key (char *, char *, char *, int, const FSSpec*, char *); - -static int FSp_srvtab_to_key (char *, char *, char *, char *, C_Block); - -int KRB5_CALLCONV -FSp_read_service_key( - char *service, /* Service Name */ - char *instance, /* Instance name or "*" */ - char *realm, /* Realm */ - int kvno, /* Key version number */ - const FSSpec *filespec, /* Filespec */ - char *key) /* Pointer to key to be filled in */ -{ - int retval = KFAILURE; - char file [MAXPATHLEN]; - if (filespec != NULL) { - if (FSSpecToPOSIXPath (filespec, file, sizeof(file)) != noErr) { - return retval; - } - } - retval = read_service_key(service, instance, realm, kvno, file, key); - if (file != NULL) { - free (file); - } - return retval; -} - -int KRB5_CALLCONV -FSp_put_svc_key( - const FSSpec *sfilespec, - char *name, - char *inst, - char *realm, - int newvno, - char *key) -{ - int retval = KFAILURE; - char sfile[MAXPATHLEN]; - - if (sfilespec != NULL) { - if (FSSpecToPOSIXPath (sfilespec, sfile, sizeof(sfile)) != noErr) { - return retval; - } - } - retval = put_svc_key(sfile, name, inst, realm, newvno, key); - if (sfile != NULL) { - free (sfile); - } - return retval; -} - -int KRB5_CALLCONV -FSp_krb_get_svc_in_tkt( - char *user, char *instance, char *realm, - char *service, char *sinstance, int life, - const FSSpec *srvtab) -{ - /* Cast the FSSpec into the password field. 
It will be pulled out again */ - /* by FSp_srvtab_to_key and used to read the real password */ - return krb_get_in_tkt(user, instance, realm, service, sinstance, - life, FSp_srvtab_to_key, NULL, (char *)srvtab); -} - -static int FSp_srvtab_to_key(char *user, char *instance, char *realm, - char *srvtab, C_Block key) -{ - /* FSp_read_service_key correctly handles a NULL FSSpecPtr */ - return FSp_read_service_key(user, instance, realm, 0, - (FSSpec *)srvtab, (char *)key); -} diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in deleted file mode 100644 index 9275f9e..0000000 --- a/src/lib/krb4/Makefile.in +++ /dev/null 
@@ -1,664 +0,0 @@ -thisconfigdir=../.. -myfulldir=lib/krb4 -mydir=lib/krb4 -BUILDTOP=$(REL)..$(S).. -LOCALINCLUDES = -I$(BUILDTOP)/include/kerberosIV -I$(srcdir)/../../include/kerberosIV -I. -DEFINES= -DKRB4_USE_KEYTAB -DEFS= - -##DOS##BUILDTOP = ..\.. -##DOS##LIBNAME=$(OUTPRE)krb4.lib -##DOS##OBJFILE=$(OUTPRE)krb4.lst - -LIBBASE=krb4 -LIBMAJOR=2 -LIBMINOR=0 -RELDIR=krb4 - -# Depends on libk5crypto, libkrb5, KRB4_CRYPTO_LIB and _et_list... -# Depends on libkrb5, expect to find -# krb5_init_context, krb5_free_context, profile_get_values -# -KRB4_CRYPTO_LIBS=-ldes425 - -SHLIB_EXPDEPS = \ - $(TOPLIBD)/libdes425$(SHLIBEXT) \ - $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto -SHLIB_DIRS=-L$(TOPLIBD) -SHLIB_RDIRS=$(KRB5_LIBDIR) - -EHDRDIR=$(BUILDTOP)$(S)include$(S)kerberosIV -KRB_ERR=@KRB_ERR@ -##DOS##KRB_ERR=$(OUTPRE)krb_err.$(OBJEXT) - -# Name of generated krb_err.c, needed for err_txt.* dependency on Darwin. -KRB_ERR_C=@KRB_ERR_C@ -##DOS##KRB_ERR_C= - -OBJS = \ - $(OUTPRE)change_password.$(OBJEXT) \ - $(OUTPRE)cr_auth_repl.$(OBJEXT) \ - $(OUTPRE)cr_ciph.$(OBJEXT) \ - $(OUTPRE)cr_tkt.$(OBJEXT) \ - $(OUTPRE)debug.$(OBJEXT) \ - $(OUTPRE)decomp_tkt.$(OBJEXT) \ - $(OUTPRE)err_txt.$(OBJEXT) \ - $(OUTPRE)g_ad_tkt.$(OBJEXT) \ - $(OUTPRE)g_in_tkt.$(OBJEXT) \ - $(OUTPRE)g_phost.$(OBJEXT) \ - $(OUTPRE)g_pw_in_tkt.$(OBJEXT) \ - $(OUTPRE)g_pw_tkt.$(OBJEXT) \ - $(OUTPRE)g_tkt_svc.$(OBJEXT) \ - $(OUTPRE)gethostname.$(OBJEXT) \ - $(OUTPRE)getst.$(OBJEXT) \ - $(OUTPRE)kadm_err.$(OBJEXT) \ - $(OUTPRE)kadm_net.$(OBJEXT) \ - $(OUTPRE)kadm_stream.$(OBJEXT) \ - $(OUTPRE)kname_parse.$(OBJEXT) \ - $(OUTPRE)lifetime.$(OBJEXT) \ - $(OUTPRE)mk_auth.$(OBJEXT) \ - $(OUTPRE)mk_err.$(OBJEXT) \ - $(OUTPRE)mk_priv.$(OBJEXT) \ - $(OUTPRE)mk_req.$(OBJEXT) \ - $(OUTPRE)mk_safe.$(OBJEXT) \ - $(OUTPRE)month_sname.$(OBJEXT) \ - $(OUTPRE)password_to_key.$(OBJEXT) \ - $(OUTPRE)prot_client.$(OBJEXT) \ - $(OUTPRE)prot_common.$(OBJEXT) \ - 
$(OUTPRE)prot_kdc.$(OBJEXT) \ - $(OUTPRE)pkt_cipher.$(OBJEXT) \ - $(OUTPRE)pkt_clen.$(OBJEXT) \ - $(OUTPRE)rd_err.$(OBJEXT) \ - $(OUTPRE)rd_priv.$(OBJEXT) \ - $(OUTPRE)rd_safe.$(OBJEXT) \ - $(OUTPRE)send_to_kdc.$(OBJEXT) \ - $(OUTPRE)stime.$(OBJEXT) \ - $(OUTPRE)strnlen.$(OBJEXT) \ - $(OUTPRE)rd_preauth.$(OBJEXT) \ - $(OUTPRE)mk_preauth.$(OBJEXT) \ - $(OSOBJS) $(CACHEOBJS) $(SETENVOBJS) $(STRCASEOBJS) $(SHMOBJS) \ - $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) $(KRB_ERR) - -SRCS = \ - change_password.c \ - cr_auth_repl.c \ - cr_ciph.c \ - cr_tkt.c \ - debug.c \ - decomp_tkt.c \ - g_ad_tkt.c \ - g_pw_in_tkt.c \ - g_phost.c \ - g_pw_tkt.c \ - g_tkt_svc.c \ - getst.c \ - gethostname.c \ - kadm_err.c \ - kadm_net.c \ - kadm_stream.c \ - kname_parse.c \ - err_txt.c \ - lifetime.c \ - g_in_tkt.c \ - mk_auth.c \ - mk_err.c \ - mk_priv.c \ - mk_req.c \ - mk_safe.c \ - month_sname.c \ - password_to_key.c \ - pkt_cipher.c \ - pkt_clen.c \ - prot_client.c \ - prot_common.c \ - prot_kdc.c \ - rd_err.c \ - rd_priv.c \ - rd_safe.c \ - send_to_kdc.c \ - stime.c \ - strnlen.c \ - rd_preauth.c \ - mk_preauth.c \ - unix_time.c \ - $(OSSRCS) $(CACHESRCS) $(SETENVSRCS) $(STRCASESRCS) $(SHMSRCS) \ - $(LIB_KRB_HOSTSRCS) $(SERVER_KRB_SRCS) $(NETIO_SRCS) $(REALMDBSRCS) - -STLIBOBJS = $(OBJS) -STOBJLISTS=OBJS.ST - -# -# These objects implement the time computation routines. -# -OSOBJS = $(OUTPRE)unix_time.$(OBJEXT) -OSSRCS = unix_time.c - -##DOS##OSOBJS = $(OUTPRE)win_time.obj - -# -# These objects implement ticket cacheing for Unix. They are -# replaced by other files when compiling for Windows or Mac. 
-# -CACHESRCS = \ - tf_util.c dest_tkt.c in_tkt.c \ - tkt_string.c g_tf_fname.c g_tf_realm.c \ - g_cred.c save_creds.c -CACHEOBJS = \ - $(OUTPRE)tf_util.$(OBJEXT) $(OUTPRE)dest_tkt.$(OBJEXT) $(OUTPRE)in_tkt.$(OBJEXT) \ - $(OUTPRE)tkt_string.$(OBJEXT) $(OUTPRE)g_tf_fname.$(OBJEXT) $(OUTPRE)g_tf_realm.$(OBJEXT) \ - $(OUTPRE)g_cred.$(OBJEXT) $(OUTPRE)save_creds.$(OBJEXT) - -##DOS##CACHEOBJS = $(OUTPRE)memcache.$(OBJEXT) - -# -# These objects implement Kerberos realm<->host database lookup. -# They read config files and/or network databases in various ways -# on various platforms. -# - -CNFFILE = g_cnffile -##DOS##CNFFILE = win_store - -REALMDBSRCS=$(CNFFILE).c RealmsConfig-glue.c -REALMDBOBJS=$(OUTPRE)$(CNFFILE).$(OBJEXT) $(OUTPRE)RealmsConfig-glue.$(OBJEXT) - -# -# These objects are only used on server or debug implementations of Kerberos, -# and they cause some major or minor sort of trouble for some -# client-only platform (Mac or Windows). -# -SERVER_KRB_SRCS = \ - klog.c kuserok.c log.c \ - kntoln.c \ - fgetst.c rd_svc_key.c cr_err_repl.c \ - rd_req.c g_svc_in_tkt.c recvauth.c \ - ad_print.c cr_death_pkt.c \ - put_svc_key.c sendauth.c -SERVER_KRB_OBJS = \ - $(OUTPRE)klog.$(OBJEXT) $(OUTPRE)kuserok.$(OBJEXT) $(OUTPRE)log.$(OBJEXT) \ - $(OUTPRE)kntoln.$(OBJEXT) \ - $(OUTPRE)fgetst.$(OBJEXT) $(OUTPRE)rd_svc_key.$(OBJEXT) $(OUTPRE)cr_err_repl.$(OBJEXT) \ - $(OUTPRE)rd_req.$(OBJEXT) $(OUTPRE)g_svc_in_tkt.$(OBJEXT) $(OUTPRE)recvauth.$(OBJEXT) \ - $(OUTPRE)ad_print.$(OBJEXT) $(OUTPRE)cr_death_pkt.$(OBJEXT) \ - $(OUTPRE)put_svc_key.$(OBJEXT) $(OUTPRE)sendauth.$(OBJEXT) -# -# These objects are included on Unix and Windows (for kstream and kadm) -# but not under Mac (there are no file descriptors). -# -NETIO_SRCS=netread.c netwrite.c -NETIO_OBJS=$(OUTPRE)netread.$(OBJEXT) $(OUTPRE)netwrite.$(OBJEXT) - -# -# These objects glue the Kerberos library to the operating system -# (time-of-day access, etc). They are replaced in Mac and Windows -# by other _glue.* routines. 
-# -LIB_KRB_HOSTSRCS=unix_glue.c -LIB_KRB_HOSTOBJS=$(OUTPRE)unix_glue.$(OBJEXT) - -##DOS##LIB_KRB_HOSTOBJS=$(OUTPRE)win_glue.obj - -ARCHIVEARGS= $@ $(OBJS) - -# We want *library* compiler options... -DBG=$(DBG_LIB) - -all-unix:: includes all-liblinks - -##DOS##LIBOBJS = $(OBJS) - -# comp_et_depend(krb_err) -krb_err.h: krb_err.et -krb_err.c: krb_err.et - -kadm_err.h: kadm_err.et -kadm_err.c: kadm_err.et - -GEN_ERRTXT=$(AWK) -f $(srcdir)$(S)et_errtxt.awk outfile=$@ - -krb_err_txt.c: krb_err.et $(srcdir)$(S)et_errtxt.awk - $(GEN_ERRTXT) $(srcdir)/krb_err.et - -# Will be empty on Darwin, krb_err_txt.c elsewhere. -KRB_ERR_TXT=@KRB_ERR_TXT@ -##DOS##KRB_ERR_TXT=krb_err_txt.c -err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(KRB_ERR_C) $(KRB_ERR_TXT) - -depend-dependencies: krb_err.h $(EHDRDIR)$(S)krb_err.h \ - kadm_err.h $(EHDRDIR)$(S)kadm_err.h \ - krb_err.c - -includes: $(EHDRDIR)$(S)krb_err.h $(EHDRDIR)$(S)kadm_err.h - -$(EHDRDIR)$(S)krb_err.h: krb_err.h - $(CP) krb_err.h $@ -$(EHDRDIR)$(S)kadm_err.h: kadm_err.h - $(CP) kadm_err.h $@ - -clean-unix:: - $(RM) $(EHDRDIR)/krb_err.h - $(RM) $(EHDRDIR)/kadm_err.h - $(RM) krb_err_txt.c - -clean:: - -$(RM) $(OBJS) - -clean-:: clean-unix - -clean-unix:: - -$(RM) krb_err.c - -$(RM) krb_err.h - -$(RM) kadm_err.c - -$(RM) kadm_err.h - -$(RM) ../../include/kerberosIV/krb_err.h - -$(RM) ../../include/kerberosIV/kadm_err.h - -clean-unix:: clean-liblinks clean-libs clean-libobjs - - -check-unix:: $(TEST_PROGS) -check-windows:: - - -install-unix:: install-libs - -@lib_frag@ -@libobj_frag@ - -# +++ Dependency line eater +++ -# -# Makefile dependencies follow. 
This must be the last section in -# the Makefile.in file -# -change_password.so change_password.po $(OUTPRE)change_password.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/kadm.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/port-sockets.h change_password.c \ - krb4int.h -cr_auth_repl.so cr_auth_repl.po $(OUTPRE)cr_auth_repl.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h cr_auth_repl.c -cr_ciph.so cr_ciph.po $(OUTPRE)cr_ciph.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h cr_ciph.c -cr_tkt.so cr_tkt.po $(OUTPRE)cr_tkt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/port-sockets.h cr_tkt.c -debug.so debug.po $(OUTPRE)debug.$(OBJEXT): $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - debug.c -decomp_tkt.so decomp_tkt.po $(OUTPRE)decomp_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ - 
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb54proto.h \ - $(SRCTOP)/include/port-sockets.h decomp_tkt.c -g_ad_tkt.so g_ad_tkt.po $(OUTPRE)g_ad_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - g_ad_tkt.c krb4int.h -g_pw_in_tkt.so g_pw_in_tkt.po $(OUTPRE)g_pw_in_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ - g_pw_in_tkt.c krb4int.h -g_phost.so g_phost.po $(OUTPRE)g_phost.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h g_phost.c -g_pw_tkt.so g_pw_tkt.po $(OUTPRE)g_pw_tkt.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h g_pw_tkt.c -g_tkt_svc.so g_tkt_svc.po $(OUTPRE)g_tkt_svc.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - g_tkt_svc.c -getst.so getst.po $(OUTPRE)getst.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - 
$(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - getst.c krb4int.h -gethostname.so gethostname.po $(OUTPRE)gethostname.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/port-sockets.h gethostname.c krb4int.h -kadm_err.so kadm_err.po $(OUTPRE)kadm_err.$(OBJEXT): \ - $(COM_ERR_DEPS) kadm_err.c -kadm_net.so kadm_net.po $(OUTPRE)kadm_net.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/kerberosIV/kadm_err.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/kadm.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/krbports.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - kadm_net.c -kadm_stream.so kadm_stream.po $(OUTPRE)kadm_stream.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/kerberosIV/kadm_err.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/kadm.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/port-sockets.h kadm_stream.c -kname_parse.so kname_parse.po $(OUTPRE)kname_parse.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - kname_parse.c -err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) 
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h err_txt.c krb4int.h -lifetime.so lifetime.po $(OUTPRE)lifetime.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - lifetime.c -g_in_tkt.so g_in_tkt.po $(OUTPRE)g_in_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - g_in_tkt.c krb4int.h -mk_auth.so mk_auth.po $(OUTPRE)mk_auth.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h mk_auth.c -mk_err.so mk_err.po $(OUTPRE)mk_err.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h mk_err.c -mk_priv.so mk_priv.po 
$(OUTPRE)mk_priv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - mk_priv.c -mk_req.so mk_req.po $(OUTPRE)mk_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h mk_req.c -mk_safe.so mk_safe.po $(OUTPRE)mk_safe.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - mk_safe.c -month_sname.so month_sname.po $(OUTPRE)month_sname.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h month_sname.c -password_to_key.so password_to_key.po $(OUTPRE)password_to_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h password_to_key.c -pkt_cipher.so 
pkt_cipher.po $(OUTPRE)pkt_cipher.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/kerberosIV/prot.h \ - pkt_cipher.c -pkt_clen.so pkt_clen.po $(OUTPRE)pkt_clen.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/kerberosIV/prot.h \ - pkt_clen.c -prot_client.so prot_client.po $(OUTPRE)prot_client.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h prot_client.c -prot_common.so prot_common.po $(OUTPRE)prot_common.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h prot_common.c -prot_kdc.so prot_kdc.po $(OUTPRE)prot_kdc.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - prot_kdc.c -rd_err.so rd_err.po $(OUTPRE)rd_err.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h 
$(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h rd_err.c -rd_priv.so rd_priv.po $(OUTPRE)rd_priv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - rd_priv.c -rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - rd_safe.c -send_to_kdc.so send_to_kdc.po $(OUTPRE)send_to_kdc.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/krbports.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h krb4int.h send_to_kdc.c 
-stime.so stime.po $(OUTPRE)stime.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h stime.c -strnlen.so strnlen.po $(OUTPRE)strnlen.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h strnlen.c -rd_preauth.so rd_preauth.po $(OUTPRE)rd_preauth.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/krb_db.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h rd_preauth.c -mk_preauth.so mk_preauth.po $(OUTPRE)mk_preauth.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h mk_preauth.c -unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - unix_time.c -tf_util.so tf_util.po $(OUTPRE)tf_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \ - $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \ - $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \ - $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h 
$(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h krb4int.h tf_util.c -dest_tkt.so dest_tkt.po $(OUTPRE)dest_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h dest_tkt.c -in_tkt.so in_tkt.po $(OUTPRE)in_tkt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h in_tkt.c -tkt_string.so tkt_string.po $(OUTPRE)tkt_string.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - tkt_string.c -g_tf_fname.so g_tf_fname.po $(OUTPRE)g_tf_fname.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h g_tf_fname.c -g_tf_realm.so g_tf_realm.po $(OUTPRE)g_tf_realm.$(OBJEXT): \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - g_tf_realm.c -g_cred.so g_cred.po $(OUTPRE)g_cred.$(OBJEXT): $(KRB_ERR_H_DEP) \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - g_cred.c -save_creds.so save_creds.po $(OUTPRE)save_creds.$(OBJEXT): \ - 
$(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h save_creds.c -unix_glue.so unix_glue.po $(OUTPRE)unix_glue.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h unix_glue.c -klog.so klog.po $(OUTPRE)klog.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/klog.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - klog.c krb4int.h -kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - kuserok.c -log.so log.po $(OUTPRE)log.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/klog.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - krb4int.h log.c -kntoln.so kntoln.po $(OUTPRE)kntoln.$(OBJEXT): $(KRB_ERR_H_DEP) \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - kntoln.c -fgetst.so fgetst.po $(OUTPRE)fgetst.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) \ - 
$(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - fgetst.c krb4int.h -rd_svc_key.so rd_svc_key.po $(OUTPRE)rd_svc_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h krb4int.h rd_svc_key.c -cr_err_repl.so cr_err_repl.po $(OUTPRE)cr_err_repl.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h cr_err_repl.c -rd_req.so rd_req.po $(OUTPRE)rd_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb54proto.h rd_req.c -g_svc_in_tkt.so g_svc_in_tkt.po $(OUTPRE)g_svc_in_tkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) 
$(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ - g_svc_in_tkt.c krb4int.h -recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - recvauth.c -ad_print.so ad_print.po $(OUTPRE)ad_print.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - ad_print.c krb4int.h -cr_death_pkt.so cr_death_pkt.po $(OUTPRE)cr_death_pkt.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/prot.h cr_death_pkt.c -put_svc_key.so put_svc_key.po $(OUTPRE)put_svc_key.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h put_svc_key.c -sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/port-sockets.h krb4int.h sendauth.c -netread.so netread.po $(OUTPRE)netread.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h 
$(COM_ERR_DEPS) \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/port-sockets.h netread.c -netwrite.so netwrite.po $(OUTPRE)netwrite.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/port-sockets.h \ - netwrite.c -g_cnffile.so g_cnffile.po $(OUTPRE)g_cnffile.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - g_cnffile.c krb4int.h -RealmsConfig-glue.so RealmsConfig-glue.po $(OUTPRE)RealmsConfig-glue.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ - $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ - $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ - $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/krb5.h \ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - RealmsConfig-glue.c krb4int.h 
diff --git a/src/lib/krb4/Password.c b/src/lib/krb4/Password.c
deleted file mode 100644
index 5862e0e..0000000
--- a/src/lib/krb4/Password.c
+++ /dev/null
@@ -1,436 +0,0 @@ -#include "kerberos.h" -#define KRB_DEFS -#include "krb_driver.h" - -#include <Types.h> -#include <Dialogs.h> -#include <Controls.h> -#include <ToolUtils.h> -#include <OSUtils.h> -#include <Resources.h> - -/* added for OpenInitRF.c - FIXME jcm - should check that they are not in c-mac - or other included file -*/ - -#include <Errors.h> -#include <Files.h> -#include <Memory.h> -#include <Traps.h> -#include <GestaltEqu.h> -#include <Folders.h> - - -// #include "debug.h" - -#define kLoginDLOGID -4081 -#define kErrorALERTID -4082 -#define kLoginOKItem 1 -#define kLoginCnclItem 2 -#define kLoginNameItem 10 -#define kLoginVisPwItem 9 -#define kLoginFrameItem 5 -#define kLoginIvisPwItem 6 -#define kBadUserError 1 -#define kNotUniqueError 2 -#define kGenError 3 -#define kIntegrityError 4 -#define kBadPasswordError 5 -#define cr 0x0D -#define enter 0x03 -#define bs 0x08 -#define tab 0x09 -#define larrow 0x1C -#define rarrow 0x1D -#define uarrow 0x1E -#define darrow 0x1F -#define DialogNotDone 1 - -typedef union { // used to convert ProcPtr to Handle - Handle H; - ProcPtr P; -} Proc2Hand; - -static char gPassword [MAX_K_NAME_SZ] = "\0"; - -pascal void FrameOKbtn( WindowPtr myWindow, short itemNo ); -pascal Boolean TwoItemFilter( DialogPtr dlog, EventRecord *event, short *itemHit ); - -/* - FIXME jcm - begin OpenInitRF - Mac_store thinks that it is managing the open resource file - is this code in conflict? -*/ - -void GetExtensionsFolder(short *vRefNumP, long *dirIDP) -{ - Boolean hasFolderMgr = false; - long feature; - -/* - FIXME Error: Ô_GestaltDispatchÕ has not been declared - not needed now? 
- jcm - if (TrapAvailable(_GestaltDispatch)) -*/ - if (Gestalt(gestaltFindFolderAttr, &feature) == noErr) hasFolderMgr = true; - if (!hasFolderMgr) { - GetSystemFolder(vRefNumP, dirIDP); - return; - } - else { - if (FindFolder(kOnSystemDisk, kExtensionFolderType, kDontCreateFolder, vRefNumP, dirIDP) != noErr) { - *vRefNumP = 0; - *dirIDP = 0; - } - } -} - -short SearchFolderForINIT(long targetType, long targetCreator, short vRefNum, long dirID) -{ - HParamBlockRec fi; - Str255 filename; - short refnum; - - fi.fileParam.ioCompletion = nil; - fi.fileParam.ioNamePtr = filename; - fi.fileParam.ioVRefNum = vRefNum; - fi.fileParam.ioDirID = dirID; - fi.fileParam.ioFDirIndex = 1; - - while (PBHGetFInfo(&fi, false) == noErr) { - /* scan system folder for driver resource files of specific type & creator */ - if (fi.fileParam.ioFlFndrInfo.fdType == targetType && - fi.fileParam.ioFlFndrInfo.fdCreator == targetCreator) { - refnum = HOpenResFile(vRefNum, dirID, filename, fsRdPerm); - return refnum; - } - /* check next file in folder */ - fi.fileParam.ioFDirIndex++; - fi.fileParam.ioDirID = dirID; /* PBHGetFInfo() clobbers ioDirID */ - } - return(-1); -} - -short OpenInitRF() -{ - short refnum; - short vRefNum; - long dirID; - - /* first search Extensions Panels */ - GetExtensionsFolder(&vRefNum, &dirID); - refnum = SearchFolderForINIT('INIT', 'krbL', vRefNum, dirID); - if (refnum != -1) return(refnum); - - /* next search System Folder */ - GetSystemFolder(&vRefNum, &dirID); - refnum = SearchFolderForINIT('INIT', 'krbL', vRefNum, dirID); - if (refnum != -1) return(refnum); - - /* finally, search Control Panels */ - GetCPanelFolder(&vRefNum, &dirID); - refnum = SearchFolderForINIT('INIT', 'krbL', vRefNum, dirID); - if (refnum != -1) return(refnum); - - return -1; -} - -int DisplayError( short errorID ) -{ - OSErr err; - Str255 errText; - - GetIndString(errText,kErrorALERTID,errorID); - if (errText[0] == 0) { - SysBeep(1); // nothing else we can do - return cKrbCorruptedFile; - } 
- - ParamText(errText,"\p","\p","\p"); - err = StopAlert(kErrorALERTID,nil); - - return DialogNotDone; -} - - - -OSErr GetUserInfo( char *password ) -{ - DialogPtr myDLOG; - short itemHit; - short itemType; - Handle itemHandle; - Rect itemRect; - OSErr rc = DialogNotDone; - Str255 tempStr,tpswd,tuser; - Proc2Hand procConv; - short rf; - char uname[ANAME_SZ]="\0"; - char uinst[INST_SZ]="\0"; - char realm[REALM_SZ]="\0"; - char UserName[MAX_K_NAME_SZ]="\0"; - CursHandle aCursor; - - krb_get_lrealm (realm, 1); - - ////////////////////////////////////////////////////// - // already got a password, just get the initial ticket - ////////////////////////////////////////////////////// - if (*gPassword) { - strncpy (UserName, krb_get_default_user( ), sizeof(UserName)-1); - UserName[sizeof(UserName) - 1] = '\0'; - /* FIXME jcm - if we have a password then no dialog - comes up for setting the uinstance. */ - rc = kname_parse(uname, uinst, realm, UserName); - if (rc) return rc; - (void) dest_all_tkts(); // start from scratch - rc = krb_get_pw_in_tkt(uname,uinst,realm,"krbtgt",realm,DEFAULT_TKT_LIFE,gPassword); - *gPassword = 0; // Always clear, password only good for one shot - return rc; - } - - ///////////////////////// - // Ask user for password - ///////////////////////// - rf = OpenInitRF(); // need the resource file for the dialog resources - if (rf<=0) return rf; - password[0] = 0; - myDLOG = GetNewDialog( kLoginDLOGID, (void *) NULL, (WindowPtr) -1 ); - if( myDLOG == NULL ) { - CloseResFile(rf); - return cKrbCorruptedFile; - } - - // Insert user's name in dialog - strncpy (UserName, krb_get_default_user( ), sizeof(UserName) - 1); - UserName[sizeof(UserName) - 1] = '\0'; - if (*UserName) { - tempStr[0] = strlen(UserName); - memcpy( &(tempStr[1]), UserName, tempStr[0]); - GetDItem( myDLOG, kLoginNameItem, &itemType, &itemHandle, &itemRect ); - SetIText( itemHandle, tempStr ); - SelIText( myDLOG, kLoginVisPwItem,0,0 ); - } - else SelIText( myDLOG, kLoginNameItem,0,0 ); - 
- // Establish a user item around the OK button to draw the default button frame in - GetDItem( myDLOG, kLoginOKItem, &itemType, &itemHandle, &itemRect ); - InsetRect( &itemRect, -4, -4 ); // position user item around OK button - procConv.P = (ProcPtr) FrameOKbtn; // convert ProcPtr to a Handle - SetDItem( myDLOG, kLoginFrameItem, userItem, procConv.H, &itemRect ); - - InitCursor(); - do { - do { // display the dialog & handle events - SetOKEnable(myDLOG); - ModalDialog( (ModalFilterProcPtr) TwoItemFilter, (short *) &itemHit ); - } while( itemHit != kLoginOKItem && itemHit != kLoginCnclItem ); - - if( itemHit == kLoginOKItem ) { // OK button pressed? - GetDItem( myDLOG, kLoginNameItem, &itemType, &itemHandle, &itemRect ); - GetIText( itemHandle, tempStr ); - - tempStr[0] = ( tempStr[0] < MAX_K_NAME_SZ ) ? tempStr[0] : MAX_K_NAME_SZ-1 ; - memcpy ((void*) UserName, (void*) &(tempStr[1]), tempStr[0]); - UserName[tempStr[0]] = 0; - - GetDItem( myDLOG, kLoginIvisPwItem, &itemType, &itemHandle, &itemRect ); - GetIText( itemHandle, tempStr ); - - tempStr[0] = ( tempStr[0] < ANAME_SZ ) ? 
tempStr[0] : ANAME_SZ-1 ; - memcpy( (void*) password, (void*) &(tempStr[1]), tempStr[0]); - password[tempStr[0]] = 0; - - //---------------------------------------------------- - // Get the ticket - //---------------------------------------------------- - aCursor = GetCursor(watchCursor); - SetCursor(*aCursor); - ShowCursor(); - - rc = kname_parse(uname, uinst, realm, UserName); - if (rc) return rc; - - (void) dest_all_tkts(); // start from scratch - rc = krb_get_pw_in_tkt(uname,uinst,realm,"krbtgt",realm,DEFAULT_TKT_LIFE,password); - InitCursor(); - if (!rc) - switch (rc) { - case KDC_PR_UNKNOWN: - case KDC_NULL_KEY: - rc = DisplayError(kBadUserError); - SelIText( myDLOG, kLoginNameItem,0,256 ); - break; - case KDC_PR_N_UNIQUE: - rc = DisplayError(kNotUniqueError); - SelIText( myDLOG, kLoginNameItem,0,256 ); - break; - case KDC_GEN_ERR: - rc = DisplayError(kGenError); - SelIText( myDLOG, kLoginNameItem,0,256 ); - break; - case RD_AP_MODIFIED: - rc = DisplayError(kIntegrityError); - SelIText( myDLOG, kLoginNameItem,0,256 ); - break; - case INTK_BADPW: - rc = DisplayError(kBadPasswordError); - SelIText( myDLOG, kLoginVisPwItem,0,256 ); - break; - default: - break; - } - //---------------------------------------------------- - } - else rc = cKrbUserCancelled; // pressed the Cancel button - } while( rc == DialogNotDone ); - - DisposDialog( myDLOG ); - CloseResFile(rf); - return rc; -} - - -static pascal void FrameOKbtn( WindowPtr myWindow, short itemNo ) -{ - short tempType; - Handle tempHandle; - Rect itemRect; - - GetDItem( (DialogPtr) myWindow, itemNo, &tempType, &tempHandle, &itemRect ); - PenSize( 3, 3 ); - FrameRoundRect( &itemRect, 16, 16 ); // make it an OK button suitable for framing -} - - -static pascal Boolean TwoItemFilter( DialogPtr dlog, EventRecord *event, short *itemHit ) -{ - DialogPtr evtDlog; - short selStart, selEnd; - Handle okBtnHandle; - short tempType; - Rect tempRect; - long tempTicks; - - if( event->what != keyDown && event->what != autoKey 
) - return false; // don't care about this event - - switch( event->message & charCodeMask ) - { - case cr: // Return (hitting return or enter is the same as hitting the OK button) - case enter: // Enter - - if (!OKIsEnabled(dlog)) { - event->what = nullEvent; - return false; - } - - GetDItem( dlog, kLoginOKItem, &tempType, &okBtnHandle, &tempRect ); - HiliteControl( (ControlHandle) okBtnHandle, 1 ); // hilite the OK button - Delay( 10, &tempTicks ); // wait a little while - HiliteControl( (ControlHandle) okBtnHandle, 0 ); - - *itemHit = kLoginOKItem; // OK Button - return true; // We handled the event - - case tab: // Tab - case larrow: // Left arrow (Keys that just change the selection) - case rarrow: // Right arrow - case uarrow: // Up arrow - case darrow: // Down arrow - return false; // Let ModalDialog handle them - - default: - - // First see if we're in password field, do stuff to make ¥ displayed - - if( ((DialogPeek) dlog)->editField == kLoginVisPwItem - 1 ) { - - selStart = (**((DialogPeek) dlog)->textH).selStart; // Get the selection in the visible item - selEnd = (**((DialogPeek) dlog)->textH).selEnd; - - SelIText( dlog, kLoginIvisPwItem, selStart, selEnd ); // Select text in invisible item - DialogSelect( event,&evtDlog, itemHit ); // Input key - - SelIText( dlog, kLoginVisPwItem, selStart, selEnd ); // Select same area in visible item - if( ( event->message & charCodeMask ) != bs ) // If it's not a backspace (backspace is the only key that can affect both the text and the selection- thus we need to process it in both fields, but not change it for the hidden field. 
- event->message = '¥'; // Replace with character to use - } - - // Do the key event and set the hilite on the OK button accordingly - - DialogSelect( event,&evtDlog, itemHit ); // Input key - SetOKEnable(dlog); - - // Pass a NULL event back to DialogMgr - - event->what = nullEvent; - - return false; - } -} - -static int SetOKEnable( DialogPtr dlog ) -{ - short itemType,state; - Handle itemHandle; - Rect itemRect; - Str255 tpswd,tuser; - ControlHandle okButton; - - GetDItem( dlog, kLoginNameItem, &itemType, &itemHandle, &itemRect ); - GetIText( itemHandle, tuser ); - GetDItem( dlog, kLoginVisPwItem, &itemType, &itemHandle, &itemRect ); - GetIText( itemHandle, tpswd ); - GetDItem( dlog, kLoginOKItem, &itemType, (Handle *) &okButton, &itemRect ); - state = (tuser[0] && tpswd[0]) ? 0 : 255; - HiliteControl(okButton,state); -} - -static int OKIsEnabled( DialogPtr dlog ) -{ - short itemType; - Rect itemRect; - ControlHandle okButton; - - GetDItem( dlog, kLoginOKItem, &itemType, (Handle *) &okButton, &itemRect ); - return ((**okButton).contrlHilite != 255); -} - - -extern OSErr INTERFACE -CacheInitialTicket( serviceName ) - char *serviceName; -{ - char service[ANAME_SZ]="\0"; - char instance[INST_SZ]="\0"; - char realm[REALM_SZ]="\0"; - OSErr err = noErr; - char uname[ANAME_SZ]="\0"; - char uinst[INST_SZ]="\0"; - char urealm[REALM_SZ]="\0"; - char password[KKEY_SZ]="\0"; - char UserName[MAX_K_NAME_SZ]="\0"; - char oldName[120]="\0"; - - err = GetUserInfo( password ); - if (err) return err; - - if (!serviceName || (serviceName[0] == '\0')) - return err; - - strncpy (UserName, krb_get_default_user(), sizeof(UserName) - 1); - UserName[sizeof(UserName) - 1] = '\0'; - - err = kname_parse(uname, uinst, urealm, UserName); - if (err) return err; - - if (urealm[0] == '\0') - krb_get_lrealm (urealm, 1); - - err = kname_parse(service, instance, realm, serviceName); // check if there is a service name - if (err) return err; - - err = 
krb_get_pw_in_tkt(uname,uinst,urealm,service,instance,DEFAULT_TKT_LIFE,password); - return err; -} diff --git a/src/lib/krb4/RealmsConfig-glue.c b/src/lib/krb4/RealmsConfig-glue.c deleted file mode 100644 index df663ad..0000000 --- a/src/lib/krb4/RealmsConfig-glue.c +++ /dev/null 
@@ -1,692 +0,0 @@ -/* - * lib/krb4/RealmsConfig-glue.c - * - * Copyright 1985-2002 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * These calls implement the layer of Kerberos v4 library which - * accesses realms configuration by calling into the Kerberos Profile - * library. - */ - -#include <string.h> -#include <stdlib.h> -#include <stdio.h> -#include <ctype.h> -#include <errno.h> - -#include "profile.h" -#include "krb.h" -#include "krb4int.h" -#include "k5-int.h" /* for accessor, addrlist stuff */ -#include "port-sockets.h" - -/* These two *must* be kept in sync to avoid buffer overflows. 
*/ -#define SCNSCRATCH "%1023s" -#define SCRATCHSZ 1024 -#if SCRATCHSZ < MAXHOSTNAMELEN -#error "SCRATCHSZ must be at least MAXHOSTNAMELEN" -#endif - -/* - * Returns to the caller an initialized profile using the same files - * as Kerberos4Lib would. - */ -int KRB5_CALLCONV -krb_get_profile(profile_t* profile) -{ - int retval = KSUCCESS; - profile_filespec_t *files = NULL; - - /* Use krb5 to get the config files */ - retval = krb5_get_default_config_files(&files); - - if (retval == KSUCCESS) { - retval = profile_init((const_profile_filespec_t *)files, profile); - } - - if (files) { - krb5_free_config_files(files); - } - - if (retval == ENOENT) { - /* No edu.mit.Kerberos file */ - return KFAILURE; - } - - if ((retval == PROF_SECTION_NOTOP) || - (retval == PROF_SECTION_SYNTAX) || - (retval == PROF_RELATION_SYNTAX) || - (retval == PROF_EXTRA_CBRACE) || - (retval == PROF_MISSING_OBRACE)) { - /* Bad config file format */ - return retval; - } - - return retval; -} - -/* Caller must ensure that n >= 1 and that pointers are non-NULL. */ -static int -krb_prof_get_nth( - char *ret, - size_t retlen, - const char *realm, - int n, - const char *sec, - const char *key) -{ - int result; - long profErr; - profile_t profile = NULL; - const char *names[4]; - void *iter = NULL; - char *name = NULL; - char *value = NULL; - int i; - - result = KFAILURE; - - profErr = krb_get_profile(&profile); - if (profErr) { - /* - * Can krb_get_profile() return errors that change PROFILE? 
- */ - goto cleanup; - } - names[0] = sec; - names[1] = realm; - names[2] = key; - names[3] = NULL; - profErr = profile_iterator_create(profile, names, - PROFILE_ITER_RELATIONS_ONLY, &iter); - if (profErr) - goto cleanup; - - result = KSUCCESS; - for (i = 1; i <= n; i++) { - if (name != NULL) - profile_release_string(name); - if (value != NULL) - profile_release_string(value); - name = value = NULL; - - profErr = profile_iterator(&iter, &name, &value); - if (profErr || (name == NULL)) { - result = KFAILURE; - break; - } - } - if (result == KSUCCESS) { - /* Return error rather than truncating. */ - /* Don't strncpy because retlen is a guess for some callers */ - if (strlen(value) >= retlen) - result = KFAILURE; - else - strcpy(ret, value); - } -cleanup: - if (name != NULL) - profile_release_string(name); - if (value != NULL) - profile_release_string(value); - if (iter != NULL) - profile_iterator_free(&iter); - if (profile != NULL) - profile_abandon(profile); - return result; -} - -/* - * Index -> realm name mapping - * - * Not really. The original implementation has a cryptic comment - * indicating that the function can only work for n = 1, and always - * returns the default realm. I don't know _why_ that's the case, but - * I have to do it that way... - * - * Old description from g_krbrlm.c: - * - * krb_get_lrealm takes a pointer to a string, and a number, n. It fills - * in the string, r, with the name of the nth realm specified on the - * first line of the kerberos config file (KRB_CONF, defined in "krb.h"). - * It returns 0 (KSUCCESS) on success, and KFAILURE on failure. If the - * config file does not exist, and if n=1, a successful return will occur - * with r = KRB_REALM (also defined in "krb.h"). - * - * NOTE: for archaic & compatibility reasons, this routine will only return - * valid results when n = 1. - * - * For the format of the KRB_CONF file, see comments describing the routine - * krb_get_krbhst(). 
This will also look in KRB_FB_CONF is - * ATHENA_CONF_FALLBACK is defined. - */ -int KRB5_CALLCONV -krb_get_lrealm( - char *realm, - int n) -{ - int result = KSUCCESS; - profile_t profile = NULL; - char *profileDefaultRealm = NULL; - char **profileV4Realms = NULL; - int profileHasDefaultRealm = 0; - int profileDefaultRealmIsV4RealmInProfile = 0; - char krbConfLocalRealm[REALM_SZ]; - int krbConfHasLocalRealm = 0; - - if ((realm == NULL) || (n != 1)) { result = KFAILURE; } - - if (result == KSUCCESS) { - /* Some callers don't check the return value so we initialize - * to an empty string in case it never gets filled in. */ - realm [0] = '\0'; - } - - if (result == KSUCCESS) { - int profileErr = krb_get_profile (&profile); - - if (!profileErr) { - /* Get the default realm from the profile */ - profileErr = profile_get_string(profile, REALMS_V4_PROF_LIBDEFAULTS_SECTION, - REALMS_V4_DEFAULT_REALM, NULL, NULL, - &profileDefaultRealm); - if (profileDefaultRealm == NULL) { profileErr = KFAILURE; } - } - - if (!profileErr) { - /* If there is an equivalent v4 realm to the default realm, use that instead */ - char *profileV4EquivalentRealm = NULL; - - if (profile_get_string (profile, "realms", profileDefaultRealm, "v4_realm", NULL, - &profileV4EquivalentRealm) == 0 && - profileV4EquivalentRealm != NULL) { - - profile_release_string (profileDefaultRealm); - profileDefaultRealm = profileV4EquivalentRealm; - } - } - - if (!profileErr) { - if (strlen (profileDefaultRealm) < REALM_SZ) { - profileHasDefaultRealm = 1; /* a reasonable default realm */ - } else { - profileErr = KFAILURE; - } - } - - if (!profileErr) { - /* Walk through the v4 realms list looking for the default realm */ - const char *profileV4RealmsList[] = { REALMS_V4_PROF_REALMS_SECTION, NULL }; - - if (profile_get_subsection_names (profile, profileV4RealmsList, - &profileV4Realms) == 0 && - profileV4Realms != NULL) { - - char **profileRealm; - for (profileRealm = profileV4Realms; *profileRealm != NULL; 
profileRealm++) { - if (strcmp (*profileRealm, profileDefaultRealm) == 0) { - /* default realm is a v4 realm */ - profileDefaultRealmIsV4RealmInProfile = 1; - break; - } - } - } - } - } - - if (result == KSUCCESS) { - /* Try to get old-style config file lookup for fallback. */ - FILE *cnffile = NULL; - char scratch[SCRATCHSZ]; - - cnffile = krb__get_cnffile(); - if (cnffile != NULL) { - if (fscanf(cnffile, SCNSCRATCH, scratch) == 1) { - if (strlen(scratch) < REALM_SZ) { - strncpy(krbConfLocalRealm, scratch, REALM_SZ); - krbConfHasLocalRealm = 1; - } - } - fclose(cnffile); - } - } - - if (result == KSUCCESS) { - /* - * We want to favor the profile value over the krb.conf value - * but not stop suppporting its use with a v5-only profile. - * So we only use the krb.conf realm when the default profile - * realm doesn't exist in the v4 realm section of the profile. - */ - if (krbConfHasLocalRealm && !profileDefaultRealmIsV4RealmInProfile) { - strncpy (realm, krbConfLocalRealm, REALM_SZ); - } else if (profileHasDefaultRealm) { - strncpy (realm, profileDefaultRealm, REALM_SZ); - } else { - result = KFAILURE; /* No default realm */ - } - } - - if (profileDefaultRealm != NULL) { profile_release_string (profileDefaultRealm); } - if (profileV4Realms != NULL) { profile_free_list (profileV4Realms); } - if (profile != NULL) { profile_abandon (profile); } - - return result; -} - -/* - * Realm, index -> admin KDC mapping - * - * Old description from g_admhst.c: - * - * Given a Kerberos realm, find a host on which the Kerberos database - * administration server can be found. - * - * krb_get_admhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer n, and - * returns (in h) the nth administrative host entry from the configuration - * file (KRB_CONF, defined in "krb.h") associated with the specified realm. - * If ATHENA_CONF_FALLBACK is defined, also look in old location. - * - * On error, get_admhst returns KFAILURE. 
If all goes well, the routine - * returns KSUCCESS. - * - * For the format of the KRB_CONF file, see comments describing the routine - * krb_get_krbhst(). - * - * This is a temporary hack to allow us to find the nearest system running - * a Kerberos admin server. In the long run, this functionality will be - * provided by a nameserver. - */ -int KRB5_CALLCONV -krb_get_admhst( - char *host, - char *realm, - int n) -{ - int result; - int i; - FILE *cnffile; - char linebuf[BUFSIZ]; - char trealm[SCRATCHSZ]; - char thost[SCRATCHSZ]; - char scratch[SCRATCHSZ]; - - if (n < 1 || host == NULL || realm == NULL) - return KFAILURE; - - result = krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n, - REALMS_V4_PROF_REALMS_SECTION, - REALMS_V4_PROF_ADMIN_KDC); - if (result == KSUCCESS) - return result; - - /* - * Do old-style config file lookup. - */ - cnffile = krb__get_cnffile(); - if (cnffile == NULL) - return KFAILURE; - result = KSUCCESS; - for (i = 0; i < n;) { - if (fgets(linebuf, BUFSIZ, cnffile) == NULL) { - result = KFAILURE; - break; - } - if (!strchr(linebuf, '\n')) { - result = KFAILURE; - break; - } - /* - * Need to scan for a token after 'admin' to make sure that - * admin matched correctly. 
- */ - if (sscanf(linebuf, SCNSCRATCH " " SCNSCRATCH " admin " SCNSCRATCH, - trealm, thost, scratch) != 3) - continue; - if (!strcmp(trealm, realm)) - i++; - } - fclose(cnffile); - if (result == KSUCCESS && strlen(thost) < MAX_HSTNM) - strcpy(host, thost); - else - result = KFAILURE; - return result; -} - -/* - * Realm, index -> kpasswd KDC mapping - */ -int -krb_get_kpasswdhst( - char *host, - char *realm, - int n) -{ - if (n < 1 || host == NULL || realm == NULL) - return KFAILURE; - - return krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n, - REALMS_V4_PROF_REALMS_SECTION, - REALMS_V4_PROF_KPASSWD_KDC); -} - -/* - * Realm, index -> KDC mapping - * - * Old description from g_krbhst.c: - * - * Given a Kerberos realm, find a host on which the Kerberos authenti- - * cation server can be found. - * - * krb_get_krbhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer, n, and - * returns (in h) the nth entry from the configuration file (KRB_CONF, - * defined in "krb.h") associated with the specified realm. - * - * On end-of-file, krb_get_krbhst returns KFAILURE. If n=1 and the - * configuration file does not exist, krb_get_krbhst will return KRB_HOST - * (also defined in "krb.h"). If all goes well, the routine returnes - * KSUCCESS. - * - * The KRB_CONF file contains the name of the local realm in the first - * line (not used by this routine), followed by lines indicating realm/host - * entries. The words "admin server" following the hostname indicate that - * the host provides an administrative database server. - * This will also look in KRB_FB_CONF if ATHENA_CONF_FALLBACK is defined. - * - * For example: - * - * ATHENA.MIT.EDU - * ATHENA.MIT.EDU kerberos-1.mit.edu admin server - * ATHENA.MIT.EDU kerberos-2.mit.edu - * LCS.MIT.EDU kerberos.lcs.mit.edu admin server - * - * This is a temporary hack to allow us to find the nearest system running - * kerberos. 
In the long run, this functionality will be provided by a - * nameserver. - */ -#ifdef KRB5_DNS_LOOKUP -static struct { - time_t when; - char realm[REALM_SZ+1]; - struct srv_dns_entry *srv; -} dnscache = { 0, { 0 }, 0 }; -#define DNS_CACHE_TIMEOUT 60 /* seconds */ -#endif - -int KRB5_CALLCONV -krb_get_krbhst( - char *host, - const char *realm, - int n) -{ - int result; - int i; - FILE *cnffile; - char linebuf[BUFSIZ]; - char tr[SCRATCHSZ]; - char scratch[SCRATCHSZ]; -#ifdef KRB5_DNS_LOOKUP - time_t now; -#endif - - if (n < 1 || host == NULL || realm == NULL) - return KFAILURE; - -#ifdef KRB5_DNS_LOOKUP - /* We'll only have this realm's info in the DNS cache if there is - no data in the local config files. - - XXX The files could've been updated in the last few seconds. - Do we care? */ - if (!strncmp(dnscache.realm, realm, REALM_SZ) - && (time(&now), abs(dnscache.when - now) < DNS_CACHE_TIMEOUT)) { - struct srv_dns_entry *entry; - - get_from_dnscache: - /* n starts at 1, addrs indices run 0..naddrs */ - for (i = 1, entry = dnscache.srv; i < n && entry; i++) - entry = entry->next; - if (entry == NULL) - return KFAILURE; - if (strlen(entry->host) + 6 >= MAXHOSTNAMELEN) - return KFAILURE; - snprintf(host, MAXHOSTNAMELEN, "%s:%d", entry->host, entry->port); - return KSUCCESS; - } -#endif - - result = krb_prof_get_nth(host, MAXHOSTNAMELEN, realm, n, - REALMS_V4_PROF_REALMS_SECTION, - REALMS_V4_PROF_KDC); - if (result == KSUCCESS) - return result; - /* - * Do old-style config file lookup. - */ - do { - cnffile = krb__get_cnffile(); - if (cnffile == NULL) - break; - /* Skip default realm name. 
*/ - if (fscanf(cnffile, SCNSCRATCH, tr) == EOF) { - fclose(cnffile); - break; - } - result = KSUCCESS; - for (i = 0; i < n;) { - if (fgets(linebuf, BUFSIZ, cnffile) == NULL) { - result = KFAILURE; - break; - } - if (!strchr(linebuf, '\n')) { - result = KFAILURE; - break; - } - if ((sscanf(linebuf, SCNSCRATCH " " SCNSCRATCH, - tr, scratch) != 2)) - continue; - if (!strcmp(tr, realm)) - i++; - } - fclose(cnffile); - if (result == KSUCCESS && strlen(scratch) < MAXHOSTNAMELEN) { - strcpy(host, scratch); - return KSUCCESS; - } - if (i > 0) - /* Found some, but not as many as requested. */ - return KFAILURE; - } while (0); -#ifdef KRB5_DNS_LOOKUP - do { - krb5int_access k5; - krb5_error_code err; - krb5_data realmdat; - struct srv_dns_entry *srv; - - err = krb5int_accessor(&k5, KRB5INT_ACCESS_VERSION); - if (err) - break; - - if (k5.use_dns_kdc(krb5__krb4_context)) { - realmdat.data = realm; - realmdat.length = strlen(realm); - err = k5.make_srv_query_realm(&realmdat, "_kerberos-iv", "_udp", - &srv); - if (err) - break; - - if (srv == 0) - break; - - if (dnscache.srv) - k5.free_srv_dns_data(dnscache.srv); - dnscache.srv = srv; - strncpy(dnscache.realm, realm, REALM_SZ); - dnscache.when = now; - goto get_from_dnscache; - } - } while (0); -#endif - return KFAILURE; -} - -/* - * Hostname -> realm name mapping - * - * Old description from realmofhost.c: - * - * Given a fully-qualified domain-style primary host name, - * return the name of the Kerberos realm for the host. - * If the hostname contains no discernable domain, or an error occurs, - * return the local realm name, as supplied by get_krbrlm(). - * If the hostname contains a domain, but no translation is found, - * the hostname's domain is converted to upper-case and returned. - * - * The format of each line of the translation file is: - * domain_name kerberos_realm - * -or- - * host_name kerberos_realm - * - * domain_name should be of the form .XXX.YYY (e.g. 
.LCS.MIT.EDU) - * host names should be in the usual form (e.g. FOO.BAR.BAZ) - */ -char * KRB5_CALLCONV -krb_realmofhost(char *host) -{ - /* Argh! */ - static char realm[REALM_SZ]; - char *lhost; - const char *names[] = {REALMS_V4_PROF_DOMAIN_SECTION, NULL, NULL}; - char **values = NULL; - profile_t profile = NULL; - long profErr; - char hostname[MAXHOSTNAMELEN]; - char *p; - char *domain; - FILE *trans_file = NULL; - int retval; - char thost[SCRATCHSZ]; - char trealm[SCRATCHSZ]; - struct hostent *h; - - /* Return local realm if all else fails */ - krb_get_lrealm(realm, 1); - - /* Forward-resolve in case domain is missing. */ - h = gethostbyname(host); - if (h == NULL) - lhost = host; - else - lhost = h->h_name; - - if (strlen(lhost) >= MAXHOSTNAMELEN) - return realm; - strcpy(hostname, lhost); - - /* Remove possible trailing dot. */ - p = strrchr(hostname, '.'); - if (p != NULL && p[1] == '\0') - *p = '\0'; - domain = strchr(hostname, '.'); - /* - * If the hostname is just below the top, e.g., CYGNUS.COM, then - * we special-case it; if someone really wants a realm called COM - * they will just have to specify it properly. - */ - if (domain != NULL) { - domain++; - p = strchr(domain, '.'); - if (p == NULL) - domain = lhost; - if (strlen(domain) < REALM_SZ) { - strncpy(realm, domain, REALM_SZ); - /* Upcase realm name. */ - for (p = hostname; *p != '\0'; p++) { - if (*p > 0 && islower((unsigned char)*p)) - *p = toupper((unsigned char)*p); - } - } - } - /* Downcase hostname. 
*/ - for (p = hostname; *p != '\0'; p++) { - if (*p > 0 && isupper((unsigned char)*p)) - *p = tolower((unsigned char)*p); - } - - profErr = krb_get_profile(&profile); - if (profErr) - goto cleanup; - - for (domain = hostname; domain != NULL && *domain != '\0';) { - names[1] = domain; - values = NULL; - profErr = profile_get_values(profile, names, &values); - if (!profErr && strlen(values[0]) < REALM_SZ) { - /* Found, return it */ - strncpy(realm, values[0], REALM_SZ); - profile_free_list(values); - break; - } else { - /* Skip over leading dot. */ - if (*domain == '.') - domain++; - domain = strchr(domain, '.'); - } - profile_free_list(values); - } -cleanup: - if (profile != NULL) - profile_abandon(profile); - - trans_file = krb__get_realmsfile(); - if (trans_file == NULL) - return realm; - domain = strchr(hostname, '.'); - for (;;) { - retval = fscanf(trans_file, SCNSCRATCH " " SCNSCRATCH, - thost, trealm); - if (retval == EOF) - break; - if (retval != 2 || strlen(trealm) >= REALM_SZ) - continue; /* Ignore malformed lines. */ - /* Attempt to match domain. */ - if (*thost == '.') { - if (domain && !strcasecmp(thost, domain)) { - strncpy(realm, trealm, REALM_SZ); - continue; /* Try again for an exact match. */ - } - } else { - /* Hostname must match exactly. */ - if (!strcasecmp(thost, hostname)) { - strncpy(realm, trealm, REALM_SZ); - break; - } - } - } - fclose(trans_file); - return realm; -} diff --git a/src/lib/krb4/ad_print.c b/src/lib/krb4/ad_print.c deleted file mode 100644 index 6329572..0000000 --- a/src/lib/krb4/ad_print.c +++ /dev/null 
@@ -1,85 +0,0 @@
-/*
- * lib/krb4/ad_print.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology. All
- * Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "des.h"
-#include "krb4int.h"
-#include <stdio.h>
-#include "port-sockets.h"
-
-#ifndef _WIN32
-
-/*
- * Print some of the contents of the given authenticator structure
- * (AUTH_DAT defined in "krb.h").
Fields printed are:
- *
- * pname, pinst, prealm, netaddr, flags, cksum, timestamp, session
- */
-
-void
-ad_print(x)
- AUTH_DAT *x;
-{
- struct in_addr ina;
- ina.s_addr = x->address;
-
- printf("\n%s %s %s ", x->pname, x->pinst, x->prealm);
- far_fputs (inet_ntoa(ina), stdout);
- printf(" flags %u cksum 0x%lX\n\ttkt_tm 0x%lX sess_key",
- x->k_flags, (long) x->checksum, (long) x->time_sec);
- printf("[8] =");
-#ifdef NOENCRYPTION
- placebo_cblock_print(x->session);
-#else /* Do Encryption */
- des_cblock_print_file(&x->session,stdout);
-#endif /* NOENCRYPTION */
- /* skip reply for now */
-}
-
-#ifdef NOENCRYPTION
-/*
- * Print in hex the 8 bytes of the given session key.
- *
- * Printed format is: " 0x { x, x, x, x, x, x, x, x }"
- */
-
-placebo_cblock_print(x)
- des_cblock x;
-{
- unsigned char *y = (unsigned char *) x;
- register int i = 0;
-
- printf(" 0x { ");
-
- while (i++ <8) {
- printf("%x",*y++);
- if (i<8) printf(", ");
- }
- printf(" }");
-}
-#endif /* NOENCRYPTION */
-
-#endif
diff --git a/src/lib/krb4/change_password.c b/src/lib/krb4/change_password.c
deleted file mode 100644
index 7c3bcd0..0000000
--- a/src/lib/krb4/change_password.c
+++ /dev/null
@@ -1,127 +0,0 @@ -/* - * change_password.c - * - * Copyright 1987, 1988, 2002 by the Massachusetts Institute of - * Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include <string.h> -#include <stdlib.h> - -#include "krb.h" -#include "krb4int.h" -#include "kadm.h" -#include "prot.h" - -/* - * krb_change_password(): This disgusting function handles changing passwords - * in a krb4-only environment. - * -1783126240 - * THIS IS NOT A NORMAL KRB4 API FUNCTION! DON'T USE IN PORTABLE CODE! 
- */
-
-int KRB5_CALLCONV
-krb_change_password(char *principal, char *instance, char *realm,
- char *oldPassword, char *newPassword)
-{
- int err;
- des_cblock key;
- KRB_UINT32 tempKey;
- size_t sendSize;
- u_char *sendStream;
- size_t receiveSize;
- u_char *receiveStream;
- Kadm_Client client_parm;
- u_char *p;
-
- err = 0;
-
- /* Check inputs: */
- if (principal == NULL || instance == NULL || realm == NULL ||
- oldPassword == NULL || newPassword == NULL) {
- return KFAILURE;
- }
-
- /*
- * Get tickets to change the old password and shove them in the
- * client_parm
- */
- err = krb_get_pw_in_tkt_creds(principal, instance, realm,
- PWSERV_NAME, KADM_SINST, 1,
- oldPassword, &client_parm.creds);
- if (err != KSUCCESS)
- goto cleanup;
-
- /* Now create the key to send to the server */
- /* Use this and not mit_password_to_key so that we don't prompt */
- des_string_to_key(newPassword, key);
-
- /* Create the link to the server */
- err = kadm_init_link(PWSERV_NAME, KRB_MASTER, realm, &client_parm, 1);
- if (err != KADM_SUCCESS)
- goto cleanup;
-
- /* Connect to the KDC */
- err = kadm_cli_conn(&client_parm);
- if (err != KADM_SUCCESS)
- goto cleanup;
-
- /* possible problem with vts_long on a non-multiple of four boundary */
- sendSize = 0; /* start of our output packet */
- sendStream = malloc(1); /* to make it reallocable */
- if (sendStream == NULL)
- goto disconnect;
- sendStream[sendSize++] = CHANGE_PW;
-
- /* change key to stream */
- /* This looks backwards but gets inverted on the server side.
*/ - p = key + 4; - KRB4_GET32BE(tempKey, p); - sendSize += vts_long(tempKey, &sendStream, (int)sendSize); - p = key; - KRB4_GET32BE(tempKey, p); - sendSize += vts_long(tempKey, &sendStream, (int)sendSize); - tempKey = 0; - - if (newPassword) { - sendSize += vts_string(newPassword, &sendStream, (int)sendSize); - } - - /* send the data to the kdc */ - err = kadm_cli_send(&client_parm, sendStream, sendSize, - &receiveStream, &receiveSize); - free(sendStream); - if (receiveSize > 0) - /* If there is a string from the kdc, free it - we don't care */ - free(receiveStream); - if (err != KADM_SUCCESS) - goto disconnect; - -disconnect: - /* Disconnect */ - kadm_cli_disconn(&client_parm); - -cleanup: - memset(&client_parm.creds.session, 0, sizeof(client_parm.creds.session)); - memset(&key, 0, sizeof(key)); - return err; -} diff --git a/src/lib/krb4/cr_auth_repl.c b/src/lib/krb4/cr_auth_repl.c deleted file mode 100644 index 277d9af..0000000 --- a/src/lib/krb4/cr_auth_repl.c +++ /dev/null 
@@ -1,136 +0,0 @@
-/*
- * lib/krb4/cr_auth_repl.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include <string.h>
-
-/*
- * This routine is called by the Kerberos authentication server
- * to create a reply to an authentication request. The routine
- * takes the user's name, instance, and realm, the client's
- * timestamp, the number of tickets, the user's key version
- * number and the ciphertext containing the tickets themselves.
- * It constructs a packet and returns a pointer to it.
- *
- * Notes: The packet returned by this routine is static. Thus, if you
- * intend to keep the result beyond the next call to this routine, you
- * must copy it elsewhere.
- *
- * The packet is built in the following format:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- *
- * unsigned char KRB_PROT_VERSION protocol version number
- *
- * unsigned char AUTH_MSG_KDC_REPLY protocol message type
- *
- * [least significant HOST_BYTE_ORDER sender's (server's) byte
- * bit of above field] order
- *
- * string pname principal's name
- *
- * string pinst principal's instance
- *
- * string prealm principal's realm
- *
- * unsigned long time_ws client's timestamp
- *
- * unsigned char n number of tickets
- *
- * unsigned long x_date expiration date
- *
- * unsigned char kvno master key version
- *
- * short w_1 cipher length
- *
- * --- cipher->dat cipher data
- */
-
-KTEXT
-create_auth_reply(pname, pinst, prealm, time_ws, n, x_date, kvno, cipher)
- char *pname; /* Principal's name */
- char *pinst; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long time_ws; /* Workstation time */
- int n; /* Number of tickets */
- unsigned long x_date; /* Principal's expiration date */
- int kvno; /* Principal's key version number */
- KTEXT cipher; /* Cipher text with tickets and
- * session keys */
-{
- static KTEXT_ST pkt_st;
- KTEXT pkt = &pkt_st;
- unsigned char *p;
- size_t pnamelen, pinstlen, prealmlen;
-
- /* Create fixed part of packet */
- p = pkt->dat;
- /* This is really crusty. */
- if (n != 0)
- *p++ = 3;
- else
- *p++ = KRB_PROT_VERSION;
- *p++ = AUTH_MSG_KDC_REPLY; /* always big-endian */
-
- /* Make sure the response will actually fit into its buffer.
*/ - pnamelen = strlen(pname) + 1; - pinstlen = strlen(pinst) + 1; - prealmlen = strlen(prealm) + 1; - if (sizeof(pkt->dat) < (1 + 1 + pnamelen + pinstlen + prealmlen - + 4 + 1 + 4 + 1 + 2 + cipher->length) - || cipher->length > 65535 || cipher->length < 0) { - pkt->length = 0; - return NULL; - } - /* Add the basic info */ - memcpy(p, pname, pnamelen); - p += pnamelen; - memcpy(p, pinst, pinstlen); - p += pinstlen; - memcpy(p, prealm, prealmlen); - p += prealmlen; - - /* Workstation timestamp */ - KRB4_PUT32BE(p, time_ws); - - *p++ = n; - - /* Expiration date */ - KRB4_PUT32BE(p, x_date); - - /* Now send the ciphertext and info to help decode it */ - *p++ = kvno; - KRB4_PUT16BE(p, cipher->length); - memcpy(p, cipher->dat, (size_t)cipher->length); - p += cipher->length; - - /* And return the packet */ - pkt->length = p - pkt->dat; - return pkt; -} diff --git a/src/lib/krb4/cr_ciph.c b/src/lib/krb4/cr_ciph.c deleted file mode 100644 index 481cb7e..0000000 --- a/src/lib/krb4/cr_ciph.c +++ /dev/null 
@@ -1,136 +0,0 @@
-/*
- * lib/krb4/cr_ciph.c
- *
- * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include "des.h"
-#include <string.h>
-
-/*
- * This routine is used by the authentication server to create
- * a packet for its client, containing a ticket for the requested
- * service (given in "tkt"), and some information about the ticket,
-#ifndef NOENCRYPTION
- * all encrypted in the given key ("key").
-#endif
- *
- * Returns KSUCCESS no matter what.
- *
- * The length of the cipher is stored in c->length; the format of
- * c->dat is as follows:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- *
- *
- * 8 bytes session session key for client, service
- *
- * string service service name
- *
- * string instance service instance
- *
- * string realm KDC realm
- *
- * unsigned char life ticket lifetime
- *
- * unsigned char kvno service key version number
- *
- * unsigned char tkt->length length of following ticket
- *
- * data tkt->dat ticket for service
- *
- * 4 bytes kdc_time KDC's timestamp
- *
- * <=7 bytes null null pad to 8 byte multiple
- *
- */
-
-int
-create_ciph(c, session, service, instance, realm, life, kvno, tkt,
- kdc_time, key)
- KTEXT c; /* Text block to hold ciphertext */
- C_Block session; /* Session key to send to user */
- char *service; /* Service name on ticket */
- char *instance; /* Instance name on ticket */
- char *realm; /* Realm of this KDC */
- unsigned long life; /* Lifetime of the ticket */
- int kvno; /* Key version number for service */
- KTEXT tkt; /* The ticket for the service */
- unsigned long kdc_time; /* KDC time */
- C_Block key; /* Key to encrypt ciphertext with */
-{
- unsigned char *ptr;
- size_t servicelen, instancelen, realmlen;
- Key_schedule key_s;
-
- ptr = c->dat;
-
- /* Validate lengths.
*/ - servicelen = strlen(service) + 1; - instancelen = strlen(instance) + 1; - realmlen = strlen(realm) + 1; - if (sizeof(c->dat) / 8 < ((8 + servicelen + instancelen + realmlen - + 1 + 1 + 1 + tkt->length - + 4 + 7) / 8) - || tkt->length > 255 || tkt->length < 0) { - c->length = 0; - return KFAILURE; - } - - memcpy(ptr, session, 8); - ptr += 8; - - memcpy(ptr, service, servicelen); - ptr += servicelen; - memcpy(ptr, instance, instancelen); - ptr += instancelen; - memcpy(ptr, realm, realmlen); - ptr += realmlen; - - *ptr++ = life; - *ptr++ = kvno; - *ptr++ = tkt->length; - - memcpy(ptr, tkt->dat, (size_t)tkt->length); - ptr += tkt->length; - - KRB4_PUT32BE(ptr, kdc_time); - - /* guarantee null padded encrypted data to multiple of 8 bytes */ - memset(ptr, 0, 7); - - c->length = (((ptr - c->dat) + 7) / 8) * 8; - -#ifndef NOENCRYPTION - key_sched(key, key_s); - pcbc_encrypt((C_Block *)c->dat, (C_Block *)c->dat, - (long)c->length, key_s, (C_Block*)key, ENCRYPT); - memset(key_s, 0, sizeof(key_s)); -#endif /* NOENCRYPTION */ - - return KSUCCESS; -} diff --git a/src/lib/krb4/cr_death_pkt.c b/src/lib/krb4/cr_death_pkt.c deleted file mode 100644 index 63d7562..0000000 --- a/src/lib/krb4/cr_death_pkt.c +++ /dev/null 
@@ -1,78 +0,0 @@
-/*
- * lib/krb4/cr_death_pkt.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include <string.h>
-
-/*
- * This routine creates a packet to type AUTH_MSG_DIE which is sent to
- * the Kerberos server to make it shut down. It is used only in the
- * development environment.
- *
- * It takes a string "a_name" which is sent in the packet. A pointer
- * to the packet is returned.
- * - * The format of the killer packet is: - * - * type variable data - * or constant - * ---- ----------- ---- - * - * unsigned char KRB_PROT_VERSION protocol version number - * - * unsigned char AUTH_MSG_DIE message type - * - * [least significant HOST_BYTE_ORDER byte order of sender - * bit of above field] - * - * string a_name presumably, name of - * principal sending killer - * packet - */ - -#ifdef DEBUG -KTEXT -krb_create_death_packet(a_name) - char *a_name; -{ - static KTEXT_ST pkt_st; - KTEXT pkt = &pkt_st; - unsigned char *p; - size_t namelen; - - p = pkt->dat; - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_DIE; - namelen = strlen(a_name) + 1; - if (1 + 1 + namelen > sizeof(pkt->dat)) - return NULL; - memcpy(p, a_name, namelen); - p += namelen; - pkt->length = p - pkt->dat; - return pkt; -} -#endif /* DEBUG */ diff --git a/src/lib/krb4/cr_err_repl.c b/src/lib/krb4/cr_err_repl.c deleted file mode 100644 index 5dad8c1..0000000 --- a/src/lib/krb4/cr_err_repl.c +++ /dev/null 
@@ -1,110 +0,0 @@
-/*
- * lib/krb4/cr_err_repl.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include <string.h>
-
-/*
- * This routine is used by the Kerberos authentication server to
- * create an error reply packet to send back to its client.
- *
- * It takes a pointer to the packet to be built, the name, instance,
- * and realm of the principal, the client's timestamp, an error code
- * and an error string as arguments. Its return value is undefined.
- * - * The packet is built in the following format: - * - * type variable data - * or constant - * ---- ----------- ---- - * - * unsigned char req_ack_vno protocol version number - * - * unsigned char AUTH_MSG_ERR_REPLY protocol message type - * - * [least significant HOST_BYTE_ORDER sender's (server's) byte - * bit of above field] order - * - * string pname principal's name - * - * string pinst principal's instance - * - * string prealm principal's realm - * - * unsigned long time_ws client's timestamp - * - * unsigned long e error code - * - * string e_string error text - */ - -void -cr_err_reply(pkt,pname,pinst,prealm,time_ws,e,e_string) - KTEXT pkt; - char *pname; /* Principal's name */ - char *pinst; /* Principal's instance */ - char *prealm; /* Principal's authentication domain */ - u_long time_ws; /* Workstation time */ - u_long e; /* Error code */ - char *e_string; /* Text of error */ -{ - unsigned char *p; - size_t pnamelen, pinstlen, prealmlen, e_stringlen; - - p = pkt->dat; - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_ERR_REPLY; - - /* Make sure the reply will fit into the buffer. */ - pnamelen = strlen(pname) + 1; - pinstlen = strlen(pinst) + 1; - prealmlen = strlen(prealm) + 1; - e_stringlen = strlen(e_string) + 1; - if(sizeof(pkt->dat) < (1 + 1 + pnamelen + pinstlen + prealmlen - + 4 + 4 + e_stringlen)) { - pkt->length = 0; - return; - } - /* Add the basic info */ - memcpy(p, pname, pnamelen); - p += pnamelen; - memcpy(p, pinst, pinstlen); - p += pinstlen; - memcpy(p, prealm, prealmlen); - p += prealmlen; - /* ws timestamp */ - KRB4_PUT32BE(p, time_ws); - /* err code */ - KRB4_PUT32BE(p, e); - /* err text */ - memcpy(p, e_string, e_stringlen); - p += e_stringlen; - - /* And return */ - pkt->length = p - pkt->dat; - return; -} diff --git a/src/lib/krb4/cr_tkt.c b/src/lib/krb4/cr_tkt.c deleted file mode 100644 index 2c01257..0000000 --- a/src/lib/krb4/cr_tkt.c +++ /dev/null 
@@ -1,254 +0,0 @@
-/*
- * lib/krb4/cr_tkt.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <krb5.h>
-#include "des.h"
-#include "krb.h"
-#include "prot.h"
-#include <string.h>
-#include "port-sockets.h"
-
-static int
-krb_cr_tkt_int (KTEXT tkt, unsigned int flags_in, char *pname,
- char *pinstance, char *prealm, long paddress,
- char *session, int life, long time_sec,
- char *sname, char *sinstance);
-
-/*
- * Create ticket takes as arguments information that should be in a
- * ticket, and the KTEXT object in which the ticket should be
- * constructed. It then constructs a ticket and returns, leaving the
- * newly created ticket in tkt.
-#ifndef NOENCRYPTION
- * The data in tkt->dat is encrypted in the server's key.
-#endif
- * The length of the ticket is a multiple of
- * eight bytes and is in tkt->length.
- *
- * If the ticket is too long, the ticket will contain nulls.
- * The return value of the routine is undefined.
- *
- * The corresponding routine to extract information from a ticket it
- * decomp_ticket. When changes are made to this routine, the
- * corresponding changes should also be made to that file.
- *
- * The packet is built in the following format:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- *
- * tkt->length length of ticket (multiple of 8 bytes)
- *
-#ifdef NOENCRYPTION
- * tkt->dat:
-#else
- * tkt->dat: (encrypted in server's key)
-#endif
- *
- * unsigned char flags namely, HOST_BYTE_ORDER
- *
- * string pname client's name
- *
- * string pinstance client's instance
- *
- * string prealm client's realm
- *
- * 4 bytes paddress client's address
- *
- * 8 bytes session session key
- *
- * 1 byte life ticket lifetime
- *
- * 4 bytes time_sec KDC timestamp
- *
- * string sname service's name
- *
- * string sinstance service's instance
- *
- * <=7 bytes null null pad to 8 byte multiple
- *
- */
-int
-krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance, key)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned int flags; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int life; /* Lifetime of the ticket */
- long time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
- C_Block key; /* Service's secret key */
-{
- int kerr;
- Key_schedule key_s;
-
- kerr = krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance);
- if (kerr)
- return kerr;
-
-
/* Encrypt the ticket in the services key */
- key_sched(key, key_s);
- pcbc_encrypt((C_Block *)tkt->dat, (C_Block *)tkt->dat,
- (long)tkt->length, key_s, (C_Block *)key, 1);
- memset(key_s, 0, sizeof(key_s));
- return 0;
-}
-
-int
-krb_cr_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance, k5key)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned int flags; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int life; /* Lifetime of the ticket */
- long time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
- krb5_keyblock *k5key; /* NULL if not present */
-{
- int kerr;
- krb5_data in;
- krb5_enc_data out;
- krb5_error_code ret;
- size_t enclen;
-
- kerr = krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm,
- paddress, session, life, time_sec,
- sname, sinstance);
- if (kerr)
- return kerr;
-
- /* Encrypt the ticket in the services key */
- in.length = tkt->length;
- in.data = (char *)tkt->dat;
- /* XXX assumes context arg is ignored */
- ret = krb5_c_encrypt_length(NULL, k5key->enctype,
- (size_t)in.length, &enclen);
- if (ret)
- return KFAILURE;
- out.ciphertext.length = enclen;
- out.ciphertext.data = malloc(enclen);
- if (out.ciphertext.data == NULL)
- return KFAILURE; /* XXX maybe ENOMEM?
*/
-
- /* XXX assumes context arg is ignored */
- ret = krb5_c_encrypt(NULL, k5key, KRB5_KEYUSAGE_KDC_REP_TICKET,
- NULL, &in, &out);
- if (ret) {
- free(out.ciphertext.data);
- return KFAILURE;
- } else {
- tkt->length = out.ciphertext.length;
- memcpy(tkt->dat, out.ciphertext.data, out.ciphertext.length);
- memset(out.ciphertext.data, 0, out.ciphertext.length);
- free(out.ciphertext.data);
- }
- return 0;
-}
-
-static int
-krb_cr_tkt_int(tkt, flags_in, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned int flags_in; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int life; /* Lifetime of the ticket */
- long time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
-{
- register unsigned char *data; /* running index into ticket */
- size_t pnamelen, pinstlen, prealmlen, snamelen, sinstlen;
- struct in_addr paddr;
-
- /* Be really paranoid.
*/ - if (sizeof(paddr.s_addr) != 4) - return KFAILURE; - - tkt->length = 0; /* Clear previous data */ - - /* Check length of ticket */ - pnamelen = strlen(pname) + 1; - pinstlen = strlen(pinstance) + 1; - prealmlen = strlen(prealm) + 1; - snamelen = strlen(sname) + 1; - sinstlen = strlen(sinstance) + 1; - if (sizeof(tkt->dat) / 8 < ((1 + pnamelen + pinstlen + prealmlen - + 4 /* address */ - + 8 /* session */ - + 1 /* life */ - + 4 /* issue time */ - + snamelen + sinstlen - + 7) / 8) /* roundoff */ - || life > 255 || life < 0) { - memset(tkt->dat, 0, sizeof(tkt->dat)); - return KFAILURE /* XXX */; - } - - data = tkt->dat; - *data++ = flags_in; - memcpy(data, pname, pnamelen); - data += pnamelen; - memcpy(data, pinstance, pinstlen); - data += pinstlen; - memcpy(data, prealm, prealmlen); - data += prealmlen; - - paddr.s_addr = paddress; - memcpy(data, &paddr.s_addr, sizeof(paddr.s_addr)); - data += sizeof(paddr.s_addr); - - memcpy(data, session, 8); - data += 8; - *data++ = life; - /* issue time */ - KRB4_PUT32BE(data, time_sec); - - memcpy(data, sname, snamelen); - data += snamelen; - memcpy(data, sinstance, sinstlen); - data += sinstlen; - - /* guarantee null padded ticket to multiple of 8 bytes */ - memset(data, 0, 7); - tkt->length = ((data - tkt->dat + 7) / 8) * 8; - return 0; -} diff --git a/src/lib/krb4/debug.c b/src/lib/krb4/debug.c deleted file mode 100644 index bd2ec90..0000000 --- a/src/lib/krb4/debug.c +++ /dev/null @@ -1,15 +0,0 @@ -/* - * debug.c - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - */ - -#include "mit-copyright.h" - -/* Declare global debugging variables. */ - -int krb_ap_req_debug = 0; -int krb_debug = 0; diff --git a/src/lib/krb4/decomp_tkt.c b/src/lib/krb4/decomp_tkt.c deleted file mode 100644 index 7d85991..0000000 --- a/src/lib/krb4/decomp_tkt.c +++ /dev/null 
@@ -1,295 +0,0 @@
-/*
- * lib/krb4/decomp_tkt.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "des.h"
-#include "krb.h"
-#include "prot.h"
-#include <string.h>
-#include <krb5.h>
-#include "krb54proto.h"
-#include "port-sockets.h"
-
-#ifdef KRB_CRYPT_DEBUG
-extern int krb_debug;
-#endif
-
-static int dcmp_tkt_int (KTEXT tkt, unsigned char *flags,
- char *pname, char *pinstance, char *prealm,
- unsigned KRB4_32 *paddress, C_Block session,
- int *life, unsigned KRB4_32 *time_sec,
- char *sname, char *sinstance, C_Block key,
- Key_schedule key_s, krb5_keyblock *k5key);
-/*
- * This routine takes a ticket and pointers to the variables that
- * should be filled in based on the information in the ticket. 
It
-#ifndef NOENCRYPTION
- * decrypts the ticket using the given key, and
-#endif
- * fills in values for its arguments.
- *
- * Note: if the client realm field in the ticket is the null string,
- * then the "prealm" variable is filled in with the local realm (as
- * defined by KRB_REALM).
- *
- * If the ticket byte order is different than the host's byte order
- * (as indicated by the byte order bit of the "flags" field), then
- * the KDC timestamp "time_sec" is byte-swapped. The other fields
- * potentially affected by byte order, "paddress" and "session" are
- * not byte-swapped.
- *
- * The routine returns KFAILURE if any of the "pname", "pinstance",
- * or "prealm" fields is too big, otherwise it returns KSUCCESS.
- *
- * The corresponding routine to generate tickets is create_ticket.
- * When changes are made to this routine, the corresponding changes
- * should also be made to that file.
- *
- * See create_ticket.c for the format of the ticket packet.
- */
-
-int KRB5_CALLCONV /* XXX should this be exported on win32? 
*/
-decomp_ticket(tkt, flags, pname, pinstance, prealm, paddress, session,
- life, time_sec, sname, sinstance, key, key_s)
- KTEXT tkt; /* The ticket to be decoded */
- unsigned char *flags; /* Kerberos ticket flags */
- char *pname; /* Authentication name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- unsigned KRB4_32 *paddress; /* Net address of entity
- * requesting ticket */
- C_Block session; /* Session key inserted in ticket */
- int *life; /* Lifetime of the ticket */
- unsigned KRB4_32 *time_sec; /* Issue time and date */
- char *sname; /* Service name */
- char *sinstance; /* Service instance */
- C_Block key; /* Service's secret key
- * (to decrypt the ticket) */
- Key_schedule key_s; /* The precomputed key schedule */
-{
- return
- dcmp_tkt_int(tkt, flags, pname, pinstance, prealm,
- paddress, session, life, time_sec, sname, sinstance,
- key, key_s, NULL);
-}
-
-int
-decomp_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress, session,
- life, time_sec, sname, sinstance, k5key)
- KTEXT tkt; /* The ticket to be decoded */
- unsigned char *flags; /* Kerberos ticket flags */
- char *pname; /* Authentication name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- unsigned KRB4_32 *paddress; /* Net address of entity
- * requesting ticket */
- C_Block session; /* Session key inserted in ticket */
- int *life; /* Lifetime of the ticket */
- unsigned KRB4_32 *time_sec; /* Issue time and date */
- char *sname; /* Service name */
- char *sinstance; /* Service instance */
- krb5_keyblock *k5key; /* krb5 keyblock of service */
-{
- C_Block key; /* placeholder; doesn't get used */
- Key_schedule key_s; /* placeholder; doesn't get used */
-
- return
- dcmp_tkt_int(tkt, flags, pname, pinstance, prealm, paddress, session,
- life, time_sec, sname, sinstance, key, key_s, k5key);
-}
-
-static int
-dcmp_tkt_int(tkt, flags, pname, pinstance, prealm, 
paddress, session,
- life, time_sec, sname, sinstance, key, key_s, k5key)
- KTEXT tkt; /* The ticket to be decoded */
- unsigned char *flags; /* Kerberos ticket flags */
- char *pname; /* Authentication name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- unsigned KRB4_32 *paddress; /* Net address of entity
- * requesting ticket */
- C_Block session; /* Session key inserted in ticket */
- int *life; /* Lifetime of the ticket */
- unsigned KRB4_32 *time_sec; /* Issue time and date */
- char *sname; /* Service name */
- char *sinstance; /* Service instance */
- C_Block key; /* Service's secret key
- * (to decrypt the ticket) */
- Key_schedule key_s; /* The precomputed key schedule */
- krb5_keyblock *k5key; /* krb5 keyblock of service */
-{
- int tkt_le; /* little-endian ticket? */
- unsigned char *ptr = tkt->dat;
- int kret, len;
- struct in_addr paddr;
-
- /* Be really paranoid. */
- if (sizeof(paddr.s_addr) != 4)
- return KFAILURE;
-
-#ifndef NOENCRYPTION
- /* Do the decryption */
-#ifdef KRB_CRYPT_DEBUG
- if (krb_debug) {
- FILE *fp;
- char *keybuf[BUFSIZ]; /* Avoid secret stuff in stdio buffers */
-
- fp = fopen("/kerberos/tkt.des", "wb");
- setbuf(fp, keybuf);
- fwrite(tkt->dat, 1, tkt->length, fp);
- fclose(fp);
- memset(keybuf, 0, sizeof(keybuf)); /* Clear the buffer */
- }
-#endif
- if (k5key != NULL) {
- /* block locals */
- krb5_enc_data in;
- krb5_data out;
- krb5_error_code ret;
-
- in.enctype = k5key->enctype;
- in.kvno = 0;
- in.ciphertext.length = tkt->length;
- in.ciphertext.data = (char *)tkt->dat;
- out.length = tkt->length;
- out.data = malloc((size_t)tkt->length);
- if (out.data == NULL)
- return KFAILURE; /* XXX maybe ENOMEM? 
*/
-
- /* XXX note the following assumes that context arg isn't used */
- ret =
- krb5_c_decrypt(NULL, k5key,
- KRB5_KEYUSAGE_KDC_REP_TICKET, NULL, &in, &out);
- if (ret) {
- free(out.data);
- return KFAILURE;
- } else {
- memcpy(tkt->dat, out.data, out.length);
- memset(out.data, 0, out.length);
- free(out.data);
- }
- } else {
- pcbc_encrypt((C_Block *)tkt->dat, (C_Block *)tkt->dat,
- (long)tkt->length, key_s, (C_Block *)key, 0);
- }
-#endif /* ! NOENCRYPTION */
-#ifdef KRB_CRYPT_DEBUG
- if (krb_debug) {
- FILE *fp;
- char *keybuf[BUFSIZ]; /* Avoid secret stuff in stdio buffers */
-
- fp = fopen("/kerberos/tkt.clear", "wb");
- setbuf(fp, keybuf);
- fwrite(tkt->dat, 1, tkt->length, fp);
- fclose(fp);
- memset(keybuf, 0, sizeof(keybuf)); /* Clear the buffer */
- }
-#endif
-
-#define TKT_REMAIN (tkt->length - (ptr - tkt->dat))
- kret = KFAILURE;
- if (TKT_REMAIN < 1)
- goto cleanup;
- *flags = *ptr++;
- tkt_le = (*flags >> K_FLAG_ORDER) & 1;
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > ANAME_SZ)
- goto cleanup;
- memcpy(pname, ptr, (size_t)len);
- ptr += len;
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > INST_SZ)
- goto cleanup;
- memcpy(pinstance, ptr, (size_t)len);
- ptr += len;
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > REALM_SZ)
- goto cleanup;
- memcpy(prealm, ptr, (size_t)len);
- ptr += len;
-
- /*
- * This hack may be needed for some really krb4 servers, such as
- * AFS kaserver (?), that fail to fill in the realm of a ticket
- * under some circumstances.
- */
- if (*prealm == '\0')
- krb_get_lrealm(prealm, 1);
-
- /*
- * Ensure there's enough remaining in the ticket to get the
- * fixed-size stuff. 
- */
- if (TKT_REMAIN < 4 + 8 + 1 + 4)
- goto cleanup;
-
- memcpy(&paddr.s_addr, ptr, sizeof(paddr.s_addr));
- ptr += sizeof(paddr.s_addr);
- *paddress = paddr.s_addr;
-
- memcpy(session, ptr, 8); /* session key */
- memset(ptr, 0, 8);
- ptr += 8;
-#ifdef notdef /* DONT SWAP SESSION KEY spm 10/22/86 */
- if (tkt_swap_bytes)
- swap_C_Block(session);
-#endif
-
- *life = *ptr++;
-
- KRB4_GET32(*time_sec, ptr, tkt_le);
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > SNAME_SZ)
- goto cleanup;
- memcpy(sname, ptr, (size_t)len);
- ptr += len;
-
- len = krb4int_strnlen((char *)ptr, TKT_REMAIN) + 1;
- if (len <= 0 || len > INST_SZ)
- goto cleanup;
- memcpy(sinstance, ptr, (size_t)len);
- ptr += len;
- kret = KSUCCESS;
-
-#ifdef KRB_CRYPT_DEBUG
- if (krb_debug) {
- krb_log("service=%s.%s len(sname)=%d, len(sinstance)=%d",
- sname, sinstance, strlen(sname), strlen(sinstance));
- krb_log("ptr - tkt->dat=%d",(char *)ptr - (char *)tkt->dat);
- }
-#endif
-
-cleanup:
- if (kret != KSUCCESS) {
- memset(session, 0, sizeof(session));
- memset(tkt->dat, 0, (size_t)tkt->length);
- return kret;
- }
- return KSUCCESS;
-}
diff --git a/src/lib/krb4/dest_tkt.c b/src/lib/krb4/dest_tkt.c
deleted file mode 100644
index 69198ba..0000000
--- a/src/lib/krb4/dest_tkt.c
+++ /dev/null 
@@ -1,162 +0,0 @@
-/*
- * lib/krb4/dest_tkt.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2007 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <sys/stat.h>
-
-#include "k5-util.h"
-#define do_seteuid krb5_seteuid
-#include "k5-platform.h"
-
-#ifdef TKT_SHMEM
-#include <sys/param.h>
-#endif
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <errno.h>
-
-#ifndef O_SYNC
-#define O_SYNC 0
-#endif
-
-/*
- * dest_tkt() is used to destroy the ticket store upon logout.
- * If the ticket file does not exist, dest_tkt() returns RET_TKFIL.
- * Otherwise the function returns RET_OK on success, KFAILURE on
- * failure.
- *
- * The ticket file (TKT_FILE) is defined in "krb.h". 
- */
-
-int KRB5_CALLCONV
-dest_tkt()
-{
- const char *file = TKT_FILE;
- int i,fd;
- int ret;
- struct stat statpre, statpost;
- char buf[BUFSIZ];
- uid_t me, metoo;
-#ifdef TKT_SHMEM
- char shmidname[MAXPATHLEN];
- size_t shmidlen;
-#endif /* TKT_SHMEM */
-
- /* If ticket cache selector is null, use default cache. */
- if (file == 0)
- file = tkt_string();
-
- errno = 0;
- ret = KSUCCESS;
- me = getuid();
- metoo = geteuid();
-
- if (lstat(file, &statpre) < 0)
- return (errno == ENOENT) ? RET_TKFIL : KFAILURE;
- /*
- * This does not guard against certain cases that are vulnerable
- * to race conditions, such as world-writable or group-writable
- * directories that are not stickybitted, or untrusted path
- * components. In all other cases, the following checks should be
- * sufficient. It is assumed that the aforementioned certain
- * vulnerable cases are unlikely to arise on a well-administered
- * system where the user is not deliberately being stupid.
- */
- if (!(statpre.st_mode & S_IFREG) || me != statpre.st_uid
- || statpre.st_nlink != 1)
- return KFAILURE;
- /*
- * Yes, we do uid twiddling here. It's not optimal, but some
- * applications may expect that the ruid is what should really own
- * the ticket file, e.g. setuid applications.
- */
- if (me != metoo && do_seteuid(me) < 0)
- return KFAILURE;
- if ((fd = open(file, O_RDWR|O_SYNC, 0)) < 0) {
- ret = (errno == ENOENT) ? RET_TKFIL : KFAILURE;
- goto out;
- }
- set_cloexec_fd(fd);
- /*
- * Do some additional paranoid things. The worst-case situation
- * is that a user may be fooled into opening a non-regular file
- * briefly if the file is in a directory with improper
- * permissions. 
- */
- if (fstat(fd, &statpost) < 0) {
- (void)close(fd);
- ret = KFAILURE;
- goto out;
- }
- if (statpre.st_dev != statpost.st_dev
- || statpre.st_ino != statpost.st_ino) {
- (void)close(fd);
- errno = 0;
- ret = KFAILURE;
- goto out;
- }
-
- memset(buf, 0, BUFSIZ);
- for (i = 0; i < statpost.st_size; i += BUFSIZ)
- if (write(fd, buf, BUFSIZ) != BUFSIZ) {
-#ifndef NO_FSYNC
- (void) fsync(fd);
-#endif
- (void) close(fd);
- goto out;
- }
-
-#ifndef NO_FSYNC
- (void) fsync(fd);
-#endif
- (void) close(fd);
-
- (void) unlink(file);
-
-out:
- if (me != metoo && do_seteuid(metoo) < 0)
- return KFAILURE;
- if (ret != KSUCCESS)
- return ret;
-
-#ifdef TKT_SHMEM
- /*
- * handle the shared memory case
- */
- shmidlen = strlen(file) + sizeof(".shm");
- if (shmidlen > sizeof(shmidname))
- return RET_TKFIL;
- (void)strcpy(shmidname, file);
- (void)strcat(shmidname, ".shm");
- return krb_shm_dest(shmidname);
-#else /* !TKT_SHMEM */
- return KSUCCESS;
-#endif /* !TKT_SHMEM */
-}
diff --git a/src/lib/krb4/err_txt.c b/src/lib/krb4/err_txt.c
deleted file mode 100644
index 0c4a011..0000000
--- a/src/lib/krb4/err_txt.c
+++ /dev/null 
@@ -1,87 +0,0 @@
-/*
- * lib/krb4/err_txt.c
- *
- * Copyright 1988, 2002 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "krb4int.h"
-
-/*
- * This is gross. We want krb_err_txt to match the contents of the
- * com_err error table, but the text is static in krb_err.c. We can't
- * alias it by making a pointer to it, either, so we have to suck in
- * another copy of it that is named differently. 
*/
-#if TARGET_OS_MAC && !defined(DEPEND)
-#undef initialize_krb_error_table
-#define initialize_krb_error_table krb4int_init_krb_err_tbl
-void krb4int_init_krb_err_tbl(void);
-#include "krb_err.c"
-#undef initialize_krb_error_table
-
-/*
- * Depends on the name of the static table generated by compile_et,
- * but since this is only on Darwin, where we will always use a
- * certain compile_et, it should be ok.
- */
-const char * const * const krb_err_txt = text;
-#else
-#ifndef DEPEND
-/* Don't put this in auto-generated dependencies. */
-#include "krb_err_txt.c"
-#endif
-#endif
-
-void initialize_krb_error_table(void);
-
-static int inited = 0;
-
-void
-krb4int_et_init(void)
-{
- if (inited)
- return;
- add_error_table(&et_krb_error_table);
- inited = 1;\
-}
-
-void
-krb4int_et_fini(void)
-{
- if (inited)
- remove_error_table(&et_krb_error_table);
-}
-
-const char * KRB5_CALLCONV
-krb_get_err_text(code)
- int code;
-{
- krb4int_et_init();
- /*
- * Shift krb error code into com_err number space.
- */
- if (code >= 0 && code < MAX_KRB_ERRORS)
- return error_message(ERROR_TABLE_BASE_krb + code);
- else
- return "Invalid Kerberos error code";
-}
diff --git a/src/lib/krb4/et_errtxt.awk b/src/lib/krb4/et_errtxt.awk
deleted file mode 100755
index 888dad6..0000000
--- a/src/lib/krb4/et_errtxt.awk
+++ /dev/null 
@@ -1,71 +0,0 @@
-/^[ \t]*(error_table|et)[ \t]+[a-zA-Z][a-zA-Z0-9_]+/ {
- print "/*" > outfile
- print " * " outfile ":" > outfile
- print " * This file is automatically generated; please do not edit it." > outfile
- print " */" > outfile
- print "#if TARGET_OS_MAC" > outfile
- print "const char * const * const krb_err_txt" > outfile
- print "#else" > outfile
- print "const char * const krb_err_txt[]" > outfile
- print "#endif" > outfile
- print "\t= {" > outfile
- table_item_count = 0
-}
-
-(continuation == 1) && ($0 ~ /\\[ \t]*$/) {
- text=substr($0,1,length($0)-1);
-# printf "\t\t\"%s\"\n", text > outfile
- cont_buf=cont_buf text;
-}
-
-(continuation == 1) && ($0 ~ /"[ \t]*$/) {
-# "
-# printf "\t\t\"%s,\n", $0 > outfile
- printf "\t%s,\n", cont_buf $0 > outfile
- continuation = 0;
-}
-/^[ \t]*(error_code|ec)[ \t]+[A-Z_0-9]+,[ \t]*$/ {
- table_item_count++
- skipone=1
- next
-}
-
-/^[ \t]*(error_code|ec)[ \t]+[A-Z_0-9]+,[ \t]*".*"[ \t]*$/ {
- text=""
- for (i=3; i<=NF; i++) {
- text = text FS $i
- }
- text=substr(text,2,length(text)-1);
- printf "\t%s,\n", text > outfile
- table_item_count++
-}
-/^[ \t]*(error_code|ec)[ \t]+[A-Z_0-9]+,[ \t]*".*\\[ \t]*$/ {
- text=""
- for (i=3; i<=NF; i++) {
- text = text FS $i
- }
- text=substr(text,2,length(text)-2);
-# printf "\t%s\"\n", text > outfile
- cont_buf=text
- continuation++;
-}
-
-/^[ \t]*".*\\[ \t]*$/ {
- if (skipone) {
- text=substr($0,1,length($0)-1);
-# printf "\t%s\"\n", text > outfile
- cont_buf=text
- continuation++;
- }
- skipone=0
-}
-
-{
- if (skipone) {
- printf "\t%s,\n", $0 > outfile
- }
- skipone=0
-}
-END {
- print "};" > outfile
-}
diff --git a/src/lib/krb4/fgetst.c b/src/lib/krb4/fgetst.c
deleted file mode 100644
index e652ac9..0000000
--- a/src/lib/krb4/fgetst.c
+++ /dev/null 
@@ -1,38 +0,0 @@
-/*
- * fgetst.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- */
-
-#include "mit-copyright.h"
-#include <stdio.h>
-#include "krb.h"
-#include "krb4int.h"
-
-/*
- * fgetst takes a file descriptor, a character pointer, and a count.
- * It reads from the file it has either read "count" characters, or
- * until it reads a null byte. When finished, what has been read exists
- * in "s". If "count" characters were actually read, the last is changed
- * to a null, so the returned string is always null-terminated. fgetst
- * returns the number of characters read, including the null terminator.
- */
-
-int
-fgetst(f, s, n)
- FILE *f;
- register char *s;
- int n;
-{
- register int count = n;
- int ch; /* NOT char; otherwise you don't see EOF */
-
- while ((ch = getc(f)) != EOF && ch && --count) {
- *s++ = ch;
- }
- *s = '\0';
- return (n - count);
-}
diff --git a/src/lib/krb4/g_ad_tkt.c b/src/lib/krb4/g_ad_tkt.c
deleted file mode 100644
index 353fdce..0000000
--- a/src/lib/krb4/g_ad_tkt.c
+++ /dev/null 
@@ -1,383 +0,0 @@
-/*
- * lib/krb4/g_ad_tkt.c
- *
- * Copyright 1986, 1987, 1988, 2000, 2001 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "des.h"
-#include "krb4int.h"
-#include "prot.h"
-#include <string.h>
-
-#include <stdio.h>
-
-extern int krb_debug;
-extern int swap_bytes;
-
-/*
- * get_ad_tkt obtains a new service ticket from Kerberos, using
- * the ticket-granting ticket which must be in the ticket file.
- * It is typically called by krb_mk_req() when the client side
- * of an application is creating authentication information to be
- * sent to the server side. 
- *
- * get_ad_tkt takes four arguments: three pointers to strings which
- * contain the name, instance, and realm of the service for which the
- * ticket is to be obtained; and an integer indicating the desired
- * lifetime of the ticket.
- *
- * It returns an error status if the ticket couldn't be obtained,
- * or AD_OK if all went well. The ticket is stored in the ticket
- * cache.
- *
- * The request sent to the Kerberos ticket-granting service looks
- * like this:
- *
- * pkt->dat
- *
- * TEXT original contents of authenticator+ticket
- * pkt->dat built in krb_mk_req call
- *
- * 4 bytes time_ws always 0 (?) FIXME!
- * char lifetime lifetime argument passed
- * string service service name argument
- * string sinstance service instance arg.
- *
- * See "prot.h" for the reply packet layout and definitions of the
- * extraction macros like pkt_version(), pkt_msg_type(), etc.
- */
-
-/*
- * g_ad_tk_parse()
- *
- * Parse the returned packet from the KDC.
- *
- * Note that the caller is responsible for clearing the returned
- * session key if there is an error; that makes the error handling
- * code a little less hairy. 
- */
-static int
-g_ad_tkt_parse(KTEXT rpkt, C_Block tgtses, C_Block ses,
- char *s_name, char *s_instance, char *rlm,
- char *service, char *sinstance, char *realm,
- int *lifetime, int *kvno, KTEXT tkt,
- unsigned KRB4_32 *kdc_time,
- KRB4_32 *t_local)
-{
- unsigned char *ptr;
- unsigned int t_switch;
- int msg_byte_order;
- unsigned long rep_err_code;
- unsigned long cip_len;
- KTEXT_ST cip_st;
- KTEXT cip = &cip_st; /* Returned Ciphertext */
- Key_schedule key_s;
- int len, i;
- KRB4_32 t_diff; /* Difference between timestamps */
-
- ptr = rpkt->dat;
-#define RPKT_REMAIN (rpkt->length - (ptr - rpkt->dat))
- if (RPKT_REMAIN < 1 + 1)
- return INTK_PROT;
- /* check packet version of the returned packet */
- if (*ptr++ != KRB_PROT_VERSION)
- return INTK_PROT;
-
- /* This used to be
- switch (pkt_msg_type(rpkt) & ~1) {
- but SCO 3.2v4 cc compiled that incorrectly. */
- t_switch = *ptr++;
- /* Check byte order (little-endian == 1) */
- msg_byte_order = t_switch & 1;
- t_switch &= ~1;
- /*
- * Skip over some stuff (3 strings and various integers -- see
- * cr_auth_repl.c for details). Maybe we should actually verify
- * these?
- */
- for (i = 0; i < 3; i++) {
- len = krb4int_strnlen((char *)ptr, RPKT_REMAIN) + 1;
- if (len <= 0)
- return INTK_PROT;
- ptr += len;
- }
- switch (t_switch) {
- case AUTH_MSG_KDC_REPLY:
- if (RPKT_REMAIN < 4 + 1 + 4 + 1)
- return INTK_PROT;
- ptr += 4 + 1 + 4 + 1;
- break;
- case AUTH_MSG_ERR_REPLY:
- if (RPKT_REMAIN < 8)
- return INTK_PROT;
- ptr += 4;
- KRB4_GET32(rep_err_code, ptr, msg_byte_order);
- return rep_err_code;
-
- default:
- return INTK_PROT;
- }
-
- /* Extract the ciphertext */
- if (RPKT_REMAIN < 2)
- return INTK_PROT;
- KRB4_GET16(cip_len, ptr, msg_byte_order);
- if (RPKT_REMAIN < cip_len)
- return INTK_PROT;
- /*
- * RPKT_REMAIN will always be non-negative and at most the maximum
- * possible value of cip->length, so this assignment is safe. 
- */
- cip->length = cip_len;
- memcpy(cip->dat, ptr, (size_t)cip->length);
- ptr += cip->length;
-
-#ifndef NOENCRYPTION
- /* Attempt to decrypt it */
-
- key_sched(tgtses, key_s);
- DEB (("About to do decryption ..."));
- pcbc_encrypt((C_Block *)cip->dat, (C_Block *)cip->dat,
- (long)cip->length, key_s, (C_Block *)tgtses, 0);
-#endif /* !NOENCRYPTION */
- /*
- * Stomp on key schedule. Caller should stomp on tgtses.
- */
- memset(key_s, 0, sizeof(key_s));
-
- ptr = cip->dat;
-#define CIP_REMAIN (cip->length - (ptr - cip->dat))
- if (CIP_REMAIN < 8)
- return RD_AP_MODIFIED;
- memcpy(ses, ptr, 8);
- /*
- * Stomp on decrypted session key immediately after copying it.
- */
- memset(ptr, 0, 8);
- ptr += 8;
-
- len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1;
- if (len <= 0 || len > SNAME_SZ)
- return RD_AP_MODIFIED;
- memcpy(s_name, ptr, (size_t)len);
- ptr += len;
-
- len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1;
- if (len <= 0 || len > INST_SZ)
- return RD_AP_MODIFIED;
- memcpy(s_instance, ptr, (size_t)len);
- ptr += len;
-
- len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1;
- if (len <= 0 || len > REALM_SZ)
- return RD_AP_MODIFIED;
- memcpy(rlm, ptr, (size_t)len);
- ptr += len;
-
- if (strcmp(s_name, service) || strcmp(s_instance, sinstance)
- || strcmp(rlm, realm)) /* not what we asked for */
- return INTK_ERR; /* we need a better code here XXX */
-
- if (CIP_REMAIN < 1 + 1 + 1)
- return RD_AP_MODIFIED;
- *lifetime = *ptr++;
- *kvno = *ptr++;
- tkt->length = *ptr++;
-
- if (CIP_REMAIN < tkt->length)
- return RD_AP_MODIFIED;
- memcpy(tkt->dat, ptr, (size_t)tkt->length);
- ptr += tkt->length;
-
- /* Time (coarse) */
- if (CIP_REMAIN < 4)
- return RD_AP_MODIFIED;
- KRB4_GET32(*kdc_time, ptr, msg_byte_order);
-
- /* check KDC time stamp */
- *t_local = TIME_GMT_UNIXSEC;
- t_diff = *t_local - *kdc_time;
- if (t_diff < 0)
- t_diff = -t_diff; /* Absolute value of difference */
- if (t_diff > CLOCK_SKEW)
- return RD_AP_TIME; /* XXX should probably be better code 
*/
-
- return 0;
-}
-
-int KRB5_CALLCONV
-get_ad_tkt(service, sinstance, realm, lifetime)
- char *service;
- char *sinstance;
- char *realm;
- int lifetime;
-{
- KTEXT_ST pkt_st;
- KTEXT pkt = & pkt_st; /* Packet to KDC */
- KTEXT_ST rpkt_st;
- KTEXT rpkt = &rpkt_st; /* Returned packet */
- KTEXT_ST tkt_st;
- KTEXT tkt = &tkt_st; /* Current ticket */
- C_Block ses; /* Session key for tkt */
- CREDENTIALS cr;
- int kvno; /* Kvno for session key */
- int kerror;
- char lrealm[REALM_SZ];
- KRB4_32 time_ws = 0;
- char s_name[SNAME_SZ];
- char s_instance[INST_SZ];
- char rlm[REALM_SZ];
- unsigned char *ptr;
- KRB4_32 t_local;
- struct sockaddr_in laddr;
- socklen_t addrlen;
- unsigned KRB4_32 kdc_time; /* KDC time */
- size_t snamelen, sinstlen;
-
- kerror = krb_get_tf_realm(TKT_FILE, lrealm);
-#if USE_LOGIN_LIBRARY
- if (kerror == GC_NOTKT) {
- /* No tickets... call krb_get_cred (KLL will prompt) and try again. */
- if ((kerror = krb_get_cred ("krbtgt", realm, realm, &cr)) == KSUCCESS) {
- /* Now get the realm again. */
- kerror = krb_get_tf_realm (TKT_FILE, lrealm);
- }
- }
-#endif
- if (kerror != KSUCCESS)
- return kerror;
-
- /* Create skeleton of packet to be sent */
- pkt->length = 0;
-
- /*
- * Look for the session key (and other stuff we don't need)
- * in the ticket file for krbtgt.realm@lrealm where "realm"
- * is the service's realm (passed in "realm" argument) and
- * "lrealm" is the realm of our initial ticket (the local realm).
- * If that fails, and the server's realm and the local realm are
- * the same thing, give up - no TGT available for local realm.
- *
- * If the server realm and local realm are different, though,
- * try getting a ticket-granting ticket for the server's realm,
- * i.e. a ticket for "krbtgt.alienrealm@lrealm", by calling get_ad_tkt().
- * If that succeeds, the ticket will be in ticket cache, get it
- * into the "cr" structure by calling krb_get_cred(). 
- */
- kerror = krb_get_cred("krbtgt", realm, lrealm, &cr);
- if (kerror != KSUCCESS) {
- /*
- * If realm == lrealm, we have no hope, so let's not even try.
- */
- if (strncmp(realm, lrealm, sizeof(lrealm)) == 0)
- return AD_NOTGT;
- else {
- kerror = get_ad_tkt("krbtgt", realm, lrealm, lifetime);
- if (kerror != KSUCCESS) {
- if (kerror == KDC_PR_UNKNOWN) /* no cross-realm ticket */
- return AD_NOTGT; /* So call it no ticket */
- return kerror;
- }
- kerror = krb_get_cred("krbtgt",realm,lrealm,&cr);
- if (kerror != KSUCCESS)
- return kerror;
- }
- }
-
- /*
- * Make up a request packet to the "krbtgt.realm@lrealm".
- * Start by calling krb_mk_req() which puts ticket+authenticator
- * into "pkt". Then tack other stuff on the end.
- */
- kerror = krb_mk_req(pkt, "krbtgt", realm, lrealm, 0L);
- if (kerror) {
- /* stomp stomp stomp */
- memset(cr.session, 0, sizeof(cr.session));
- return AD_NOTGT;
- }
-
- ptr = pkt->dat + pkt->length;
-
- snamelen = strlen(service) + 1;
- sinstlen = strlen(sinstance) + 1;
- if (sizeof(pkt->dat) - (ptr - pkt->dat) < (4 + 1
- + snamelen
- + sinstlen)) {
- /* stomp stomp stomp */
- memset(cr.session, 0, sizeof(cr.session));
- return INTK_ERR;
- }
-
- /* timestamp */ /* FIXME -- always 0 now, should we fill it in??? */
- KRB4_PUT32BE(ptr, time_ws);
-
- *ptr++ = lifetime;
-
- memcpy(ptr, service, snamelen);
- ptr += snamelen;
- memcpy(ptr, sinstance, sinstlen);
- ptr += sinstlen;
-
- pkt->length = ptr - pkt->dat;
-
- /* Send the request to the local ticket-granting server */
- rpkt->length = 0;
- addrlen = sizeof(laddr);
- kerror = krb4int_send_to_kdc_addr(pkt, rpkt, realm,
- (struct sockaddr *)&laddr, &addrlen);
-
- if (!kerror) {
- /* No error; parse return packet from KDC. */
- kerror = g_ad_tkt_parse(rpkt, cr.session, ses,
- s_name, s_instance, rlm,
- service, sinstance, realm,
- &lifetime, &kvno, tkt,
- &kdc_time, &t_local);
- }
- /*
- * Unconditionally stomp on cr.session because we don't need it
- * anymore. 
- */
- memset(cr.session, 0, sizeof(cr.session));
- if (kerror) {
- /*
- * Stomp on ses for good measure, since g_ad_tkt_parse()
- * doesn't do that for us.
- */
- memset(ses, 0, sizeof(ses));
- return kerror;
- }
-
- kerror = krb4int_save_credentials_addr(s_name, s_instance, rlm,
- ses, lifetime, kvno, tkt,
- t_local,
- laddr.sin_addr.s_addr);
- /*
- * Unconditionally stomp on ses because we don't need it anymore.
- */
- memset(ses, 0, sizeof(ses));
- if (kerror)
- return kerror;
- return AD_OK;
-}
diff --git a/src/lib/krb4/g_cnffile.c b/src/lib/krb4/g_cnffile.c
deleted file mode 100644
index 8ef38fe..0000000
--- a/src/lib/krb4/g_cnffile.c
+++ /dev/null 
@@ -1,128 +0,0 @@
-/* Copyright 1994 Cygnus Support */
-/* Mark W. Eichin */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* common code for looking at krb.conf and krb.realms file */
-/* this may be superceded by <gnu>'s work for the Mac port, but
- it solves a problem for now. */
-
-#include <stdio.h>
-#include "krb.h"
-#include "k5-int.h"
-#include "krb4int.h"
-
-krb5_context krb5__krb4_context = 0;
-
-static FILE*
-krb__v5_get_file(s)
- const char *s;
-{
- FILE *cnffile = 0;
- const char* names[3];
- char **full_name = 0, **cpp;
- krb5_error_code retval;
-
- if (!krb5__krb4_context)
- krb5_init_context(&krb5__krb4_context);
- names[0] = "libdefaults";
- names[1] = s;
- names[2] = 0;
- if (krb5__krb4_context) {
- retval = profile_get_values(krb5__krb4_context->profile, names,
- &full_name);
- if (retval == 0 && full_name && full_name[0]) {
- cnffile = fopen(full_name[0],"r");
- if (cnffile)
- set_cloexec_file(cnffile);
- for (cpp = full_name; *cpp; cpp++)
- krb5_xfree(*cpp);
- krb5_xfree(full_name);
- }
- }
- return cnffile;
-}
-
-char *
-krb__get_srvtabname(default_srvtabname)
- const char *default_srvtabname;
-{
- const char* names[3];
- char **full_name = 0, **cpp;
- krb5_error_code retval;
- static char retname[MAXPATHLEN];
-
- if (!krb5__krb4_context)
- krb5_init_context(&krb5__krb4_context);
- names[0] = "libdefaults";
- names[1] = "krb4_srvtab";
- names[2] = 0;
- if (krb5__krb4_context) {
- retval = profile_get_values(krb5__krb4_context->profile, names,
- &full_name);
- if (retval == 0 && full_name &&
full_name[0]) {
- retname[0] = '\0';
- strncat(retname, full_name[0], sizeof(retname));
- for (cpp = full_name; *cpp; cpp++)
- krb5_xfree(*cpp);
- krb5_xfree(full_name);
- return retname;
- }
- }
- retname[0] = '\0';
- strncat(retname, default_srvtabname, sizeof(retname));
- return retname;
-}
-
-FILE*
-krb__get_cnffile()
-{
- char *s;
- FILE *cnffile = 0;
- extern char *getenv();
-
- /* standard V4 override first */
- s = getenv("KRB_CONF");
- if (s) cnffile = fopen(s,"r");
- /* if that's wrong, use V5 config */
- if (!cnffile) cnffile = krb__v5_get_file("krb4_config");
- /* and if V5 config doesn't have it, go to hard-coded values */
- if (!cnffile) cnffile = fopen(KRB_CONF,"r");
-#ifdef ATHENA_CONF_FALLBACK
- if (!cnffile) cnffile = fopen(KRB_FB_CONF,"r");
-#endif
- if (cnffile)
- set_cloexec_file(cnffile);
- return cnffile;
-}
-
-
-FILE*
-krb__get_realmsfile()
-{
- FILE *realmsfile = 0;
- char *s;
-
- /* standard (not really) V4 override first */
- s = getenv("KRB_REALMS");
- if (s) realmsfile = fopen(s,"r");
- if (!realmsfile) realmsfile = krb__v5_get_file("krb4_realms");
- if (!realmsfile) realmsfile = fopen(KRB_RLM_TRANS, "r");
-
-#ifdef ATHENA_CONF_FALLBACK
- if (!realmsfile) realmsfile = fopen(KRB_FB_RLM_TRANS, "r");
-#endif
-
- if (realmsfile)
- set_cloexec_file(realmsfile);
-
- return realmsfile;
-}
diff --git a/src/lib/krb4/g_cred.c b/src/lib/krb4/g_cred.c
deleted file mode 100644
index 498a5f1..0000000
--- a/src/lib/krb4/g_cred.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * g_cred.c
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- */
-
-#include "mit-copyright.h"
-#include <stdio.h>
-#include <string.h>
-#include "krb.h"
-
-/*
- * krb_get_cred takes a service name, instance, and realm, and a
- * structure of type CREDENTIALS to be filled in with ticket
- * information. It then searches the ticket file for the appropriate
- * ticket and fills in the structure with the corresponding
- * information from the file. If successful, it returns KSUCCESS.
- * On failure it returns a Kerberos error code.
- */
-
-int KRB5_CALLCONV
-krb_get_cred(service,instance,realm,c)
- char *service; /* Service name */
- char *instance; /* Instance */
- char *realm; /* Auth domain */
- CREDENTIALS *c; /* Credentials struct */
-{
- int tf_status; /* return value of tf function calls */
-
- /* Open ticket file and lock it for shared reading */
- if ((tf_status = tf_init(TKT_FILE, R_TKT_FIL)) != KSUCCESS)
- return(tf_status);
-
- /* Copy principal's name and instance into the CREDENTIALS struc c */
-
- if ( (tf_status = tf_get_pname(c->pname)) != KSUCCESS ||
- (tf_status = tf_get_pinst(c->pinst)) != KSUCCESS )
- return (tf_status);
-
- /* Search for requested service credentials and copy into c */
-
- while ((tf_status = tf_get_cred(c)) == KSUCCESS) {
- /* Is this the right ticket? */
- if ((strcmp(c->service,service) == 0) &&
- (strcmp(c->instance,instance) == 0) &&
- (strcmp(c->realm,realm) == 0))
- break;
- }
- (void) tf_close();
-
- if (tf_status == EOF)
- return (GC_NOTKT);
- return(tf_status);
-}
diff --git a/src/lib/krb4/g_in_tkt.c b/src/lib/krb4/g_in_tkt.c
deleted file mode 100644
index cf4ebd1..0000000
--- a/src/lib/krb4/g_in_tkt.c
+++ /dev/null
@@ -1,555 +0,0 @@
-/*
- * lib/krb4/g_in_tkt.c
- *
- * Copyright 1986-2002 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "des.h"
-#include "krb4int.h"
-#include "prot.h"
-
-#include "port-sockets.h"
-#include <string.h>
-
-/* Define a couple of function types including parameters. These
- are needed on MS-Windows to convert arguments of the function pointers
- to the proper types during calls. These declarations are found
- in <krb-sed.h>, but the code below is too opaque if you can't also
- see them here.
*/
-#ifndef KEY_PROC_TYPE_DEFINED
-typedef int (*key_proc_type) (char *, char *, char *,
- char *, C_Block);
-#endif
-#ifndef DECRYPT_TKT_TYPE_DEFINED
-typedef int (*decrypt_tkt_type) (char *, char *, char *, char *,
- key_proc_type, KTEXT *);
-#endif
-
-static int decrypt_tkt(char *, char *, char *, char *, key_proc_type, KTEXT *);
-static int krb_mk_in_tkt_preauth(char *, char *, char *, char *, char *,
- int, char *, int, KTEXT, int *, struct sockaddr_in *);
-static int krb_parse_in_tkt_creds(char *, char *, char *, char *, char *,
- int, KTEXT, int, CREDENTIALS *);
-
-/*
- * decrypt_tkt(): Given user, instance, realm, passwd, key_proc
- * and the cipher text sent from the KDC, decrypt the cipher text
- * using the key returned by key_proc.
- */
-
-static int
-decrypt_tkt(user, instance, realm, arg, key_proc, cipp)
- char *user;
- char *instance;
- char *realm;
- char *arg;
- key_proc_type key_proc;
- KTEXT *cipp;
-{
- KTEXT cip = *cipp;
- C_Block key; /* Key for decrypting cipher */
- Key_schedule key_s;
- register int rc;
-
-#ifndef NOENCRYPTION
- /* Attempt to decrypt it */
-#endif
- /* generate a key from the supplied arg or password. */
- rc = (*key_proc)(user, instance, realm, arg, key);
- if (rc)
- return rc;
-
-#ifndef NOENCRYPTION
- key_sched(key, key_s);
- pcbc_encrypt((C_Block *)cip->dat, (C_Block *)cip->dat,
- (long)cip->length, key_s, (C_Block *)key, 0);
-#endif /* !NOENCRYPTION */
- /* Get rid of all traces of key */
- memset(key, 0, sizeof(key));
- memset(key_s, 0, sizeof(key_s));
-
- return 0;
-}
-
-/*
- * krb_get_in_tkt() gets a ticket for a given principal to use a given
- * service and stores the returned ticket and session key for future
- * use.
- *
- * The "user", "instance", and "realm" arguments give the identity of
- * the client who will use the ticket. The "service" and "sinstance"
- * arguments give the identity of the server that the client wishes
- * to use.
(The realm of the server is the same as the Kerberos server - * to whom the request is sent.) The "life" argument indicates the - * desired lifetime of the ticket; the "key_proc" argument is a pointer - * to the routine used for getting the client's private key to decrypt - * the reply from Kerberos. The "decrypt_proc" argument is a pointer - * to the routine used to decrypt the reply from Kerberos; and "arg" - * is an argument to be passed on to the "key_proc" routine. - * - * If all goes well, krb_get_in_tkt() returns INTK_OK, otherwise it - * returns an error code: If an AUTH_MSG_ERR_REPLY packet is returned - * by Kerberos, then the error code it contains is returned. Other - * error codes returned by this routine include INTK_PROT to indicate - * wrong protocol version, INTK_BADPW to indicate bad password (if - * decrypted ticket didn't make sense), INTK_ERR if the ticket was for - * the wrong server or the ticket store couldn't be initialized. - * - * The format of the message sent to Kerberos is as follows: - * - * Size Variable Field - * ---- -------- ----- - * - * 1 byte KRB_PROT_VERSION protocol version number - * 1 byte AUTH_MSG_KDC_REQUEST | message type - * HOST_BYTE_ORDER local byte order in lsb - * string user client's name - * string instance client's instance - * string realm client's realm - * 4 bytes tlocal.tv_sec timestamp in seconds - * 1 byte life desired lifetime - * string service service's name - * string sinstance service's instance - */ - -static int -krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, - preauth_p, preauth_len, cip, byteorder, local_addr) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - char *preauth_p; - int preauth_len; - KTEXT cip; - int *byteorder; - struct sockaddr_in *local_addr; -{ - KTEXT_ST pkt_st; - KTEXT pkt = &pkt_st; /* Packet to KDC */ - KTEXT_ST rpkt_st; - KTEXT rpkt = &rpkt_st; /* Returned packet */ - unsigned char *p; - size_t userlen, 
instlen, realmlen, servicelen, sinstlen; - unsigned KRB4_32 t_local; - - int msg_byte_order; - int kerror; - socklen_t addrlen; -#if 0 - unsigned long exp_date; -#endif - unsigned long rep_err_code; - unsigned long cip_len; - unsigned int t_switch; - int i, len; - - /* BUILD REQUEST PACKET */ - - p = pkt->dat; - - userlen = strlen(user) + 1; - instlen = strlen(instance) + 1; - realmlen = strlen(realm) + 1; - servicelen = strlen(service) + 1; - sinstlen = strlen(sinstance) + 1; - /* Make sure the ticket data will fit into the buffer. */ - if (sizeof(pkt->dat) < (1 + 1 + userlen + instlen + realmlen - + 4 + 1 + servicelen + sinstlen - + preauth_len)) { - pkt->length = 0; - return INTK_ERR; - } - - /* Set up the fixed part of the packet */ - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_KDC_REQUEST; - - /* Now for the variable info */ - memcpy(p, user, userlen); - p += userlen; - memcpy(p, instance, instlen); - p += instlen; - memcpy(p, realm, realmlen); - p += realmlen; - - /* timestamp */ - t_local = TIME_GMT_UNIXSEC; - KRB4_PUT32BE(p, t_local); - - *p++ = life; - - memcpy(p, service, servicelen); - p += servicelen; - memcpy(p, sinstance, sinstlen); - p += sinstlen; - - if (preauth_len) - memcpy(p, preauth_p, (size_t)preauth_len); - p += preauth_len; - - pkt->length = p - pkt->dat; - - /* SEND THE REQUEST AND RECEIVE THE RETURN PACKET */ - rpkt->length = 0; - addrlen = sizeof(struct sockaddr_in); - kerror = krb4int_send_to_kdc_addr(pkt, rpkt, realm, - (struct sockaddr *)local_addr, - &addrlen); - if (kerror) - return kerror; - - p = rpkt->dat; -#define RPKT_REMAIN (rpkt->length - (p - rpkt->dat)) - - /* check packet version of the returned packet */ - if (RPKT_REMAIN < 1 + 1) - return INTK_PROT; - if (*p++ != KRB_PROT_VERSION) - return INTK_PROT; - - /* This used to be - switch (pkt_msg_type(rpkt) & ~1) { - but SCO 3.2v4 cc compiled that incorrectly. 
*/ - t_switch = *p++; - /* Check byte order */ - msg_byte_order = t_switch & 1; - t_switch &= ~1; - - /* EXTRACT INFORMATION FROM RETURN PACKET */ - - /* - * Skip over some stuff (3 strings and various integers -- see - * cr_auth_repl.c for details). - */ - for (i = 0; i < 3; i++) { - len = krb4int_strnlen((char *)p, RPKT_REMAIN) + 1; - if (len <= 0) - return INTK_PROT; - p += len; - } - switch (t_switch) { - case AUTH_MSG_KDC_REPLY: - if (RPKT_REMAIN < 4 + 1 + 4 + 1) - return INTK_PROT; - p += 4 + 1 + 4 + 1; - break; - case AUTH_MSG_ERR_REPLY: - if (RPKT_REMAIN < 8) - return INTK_PROT; - p += 4; - KRB4_GET32(rep_err_code, p, msg_byte_order); - return rep_err_code; - default: - return INTK_PROT; - } - - /* Extract the ciphertext */ - if (RPKT_REMAIN < 2) - return INTK_PROT; - KRB4_GET16(cip_len, p, msg_byte_order); - if (RPKT_REMAIN < cip_len) - return INTK_ERR; - /* - * RPKT_REMAIN will always be non-negative and at most the maximum - * possible value of cip->length, so this assignment is safe. - */ - cip->length = cip_len; - memcpy(cip->dat, p, (size_t)cip->length); - p += cip->length; - - *byteorder = msg_byte_order; - return INTK_OK; -} - -static int -krb_parse_in_tkt_creds(user, instance, realm, service, sinstance, life, cip, - byteorder, creds) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - KTEXT cip; - int byteorder; - CREDENTIALS *creds; -{ - unsigned char *ptr; - int len; - int kvno; /* Kvno for session key */ - char s_name[SNAME_SZ]; - char s_instance[INST_SZ]; - char rlm[REALM_SZ]; - KTEXT_ST tkt_st; - KTEXT tkt = &tkt_st; /* Current ticket */ - unsigned long kdc_time; /* KDC time */ - unsigned KRB4_32 t_local; /* Must be 4 bytes long for memcpy below! */ - KRB4_32 t_diff; /* Difference between timestamps */ - int lifetime; - - ptr = cip->dat; - /* Assume that cip->length >= 0 for now. 
*/ -#define CIP_REMAIN (cip->length - (ptr - cip->dat)) - - /* Skip session key for now */ - if (CIP_REMAIN < 8) - return INTK_BADPW; - ptr += 8; - - /* extract server's name */ - len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1; - if (len <= 0 || len > sizeof(s_name)) - return INTK_BADPW; - memcpy(s_name, ptr, (size_t)len); - ptr += len; - - /* extract server's instance */ - len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1; - if (len <= 0 || len > sizeof(s_instance)) - return INTK_BADPW; - memcpy(s_instance, ptr, (size_t)len); - ptr += len; - - /* extract server's realm */ - len = krb4int_strnlen((char *)ptr, CIP_REMAIN) + 1; - if (len <= 0 || len > sizeof(rlm)) - return INTK_BADPW; - memcpy(rlm, ptr, (size_t)len); - ptr += len; - - /* extract ticket lifetime, server key version, ticket length */ - /* be sure to avoid sign extension on lifetime! */ - if (CIP_REMAIN < 3) - return INTK_BADPW; - lifetime = *ptr++; - kvno = *ptr++; - tkt->length = *ptr++; - - /* extract ticket itself */ - if (CIP_REMAIN < tkt->length) - return INTK_BADPW; - memcpy(tkt->dat, ptr, (size_t)tkt->length); - ptr += tkt->length; - - if (strcmp(s_name, service) || strcmp(s_instance, sinstance) - || strcmp(rlm, realm)) /* not what we asked for */ - return INTK_ERR; /* we need a better code here XXX */ - - /* check KDC time stamp */ - if (CIP_REMAIN < 4) - return INTK_BADPW; - KRB4_GET32(kdc_time, ptr, byteorder); - - t_local = TIME_GMT_UNIXSEC; - t_diff = t_local - kdc_time; - if (t_diff < 0) - t_diff = -t_diff; /* Absolute value of difference */ - if (t_diff > CLOCK_SKEW) { - return RD_AP_TIME; /* XXX should probably be better code */ - } - - /* stash ticket, session key, etc. 
for future use */
- strncpy(creds->service, s_name, sizeof(creds->service));
- strncpy(creds->instance, s_instance, sizeof(creds->instance));
- strncpy(creds->realm, rlm, sizeof(creds->realm));
- memmove(creds->session, cip->dat, sizeof(C_Block));
- creds->lifetime = lifetime;
- creds->kvno = kvno;
- creds->ticket_st.length = tkt->length;
- memmove(creds->ticket_st.dat, tkt->dat, (size_t)tkt->length);
- creds->issue_date = t_local;
- strncpy(creds->pname, user, sizeof(creds->pname));
- strncpy(creds->pinst, instance, sizeof(creds->pinst));
-
- return INTK_OK;
-}
-
-int
-krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life,
- key_proc, decrypt_proc,
- arg, preauth_p, preauth_len, creds, laddrp)
- char *user;
- char *instance;
- char *realm;
- char *service;
- char *sinstance;
- int life;
- key_proc_type key_proc;
- decrypt_tkt_type decrypt_proc;
- char *arg;
- char *preauth_p;
- int preauth_len;
- CREDENTIALS *creds;
- KRB_UINT32 *laddrp;
-{
- int ok;
- char key_string[BUFSIZ];
- KTEXT_ST cip_st;
- KTEXT cip = &cip_st; /* Returned Ciphertext */
- int kerror;
- int byteorder;
- key_proc_type *keyprocs = krb_get_keyprocs (key_proc);
- int i = 0;
- struct sockaddr_in local_addr;
-
- kerror = krb_mk_in_tkt_preauth(user, instance, realm,
- service, sinstance,
- life, preauth_p, preauth_len,
- cip, &byteorder, &local_addr);
- if (kerror)
- return kerror;
-
- /* If arg is null, we have to prompt for the password. decrypt_tkt, by
- way of the *_passwd_to_key functions, will prompt if the password is
- NULL, but that means that each separate encryption type will prompt
- separately. Obtain the password first so that we can try multiple
- encryption types without re-prompting.
-
- Don't, however, prompt on a Windows or Macintosh environment, since
- that's harder. Rely on our caller to do it.
*/
-#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
- if (arg == NULL) {
- ok = des_read_pw_string(key_string, sizeof(key_string), "Password", 0);
- if (ok != 0)
- return ok;
- arg = key_string;
- }
-#endif
-
- /* Attempt to decrypt the reply. Loop trying password_to_key algorithms
- until we succeed or we get an error other than "bad password" */
- do {
- KTEXT_ST cip_copy_st;
- memcpy(&cip_copy_st, &cip_st, sizeof(cip_st));
- cip = &cip_copy_st;
- if (decrypt_proc == NULL) {
- decrypt_tkt (user, instance, realm, arg, keyprocs[i], &cip);
- } else {
- (*decrypt_proc)(user, instance, realm, arg, keyprocs[i], &cip);
- }
- kerror = krb_parse_in_tkt_creds(user, instance, realm,
- service, sinstance, life, cip, byteorder, creds);
- } while ((keyprocs [++i] != NULL) && (kerror == INTK_BADPW));
- cip = &cip_st;
-
- /* Fill in the local address if the caller wants it */
- if (laddrp != NULL) {
- *laddrp = local_addr.sin_addr.s_addr;
- }
-
- /* stomp stomp stomp */
- memset(key_string, 0, sizeof(key_string));
- memset(cip->dat, 0, (size_t)cip->length);
- return kerror;
-}
-
-int KRB5_CALLCONV
-krb_get_in_tkt_creds(user, instance, realm, service, sinstance, life,
- key_proc, decrypt_proc, arg, creds)
- char *user;
- char *instance;
- char *realm;
- char *service;
- char *sinstance;
- int life;
- key_proc_type key_proc;
- decrypt_tkt_type decrypt_proc;
- char *arg;
- CREDENTIALS *creds;
-{
-#if TARGET_OS_MAC
- KRB_UINT32 *laddrp = &creds->address;
-#else
- KRB_UINT32 *laddrp = NULL; /* Only the Mac stores the address */
-#endif
-
- return krb_get_in_tkt_preauth_creds(user, instance, realm,
- service, sinstance, life,
- key_proc, decrypt_proc, arg,
- NULL, 0, creds, laddrp);
-}
-
-int KRB5_CALLCONV
-krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life,
- key_proc, decrypt_proc,
- arg, preauth_p, preauth_len)
- char *user;
- char *instance;
- char *realm;
- char *service;
- char *sinstance;
- int life;
- key_proc_type key_proc;
- decrypt_tkt_type
decrypt_proc;
- char *arg;
- char *preauth_p;
- int preauth_len;
-{
- int retval;
- KRB_UINT32 laddr;
- CREDENTIALS creds;
-
- do {
- retval = krb_get_in_tkt_preauth_creds(user, instance, realm,
- service, sinstance, life,
- key_proc, decrypt_proc,
- arg, preauth_p, preauth_len,
- &creds, &laddr);
- if (retval != KSUCCESS) break;
- if (krb_in_tkt(user, instance, realm) != KSUCCESS) {
- retval = INTK_ERR;
- break;
- }
- retval = krb4int_save_credentials_addr(creds.service, creds.instance,
- creds.realm, creds.session,
- creds.lifetime, creds.kvno,
- &creds.ticket_st,
- creds.issue_date, laddr);
- if (retval != KSUCCESS) break;
- } while (0);
- memset(&creds, 0, sizeof(creds));
- return retval;
-}
-
-int KRB5_CALLCONV
-krb_get_in_tkt(user, instance, realm, service, sinstance, life,
- key_proc, decrypt_proc, arg)
- char *user;
- char *instance;
- char *realm;
- char *service;
- char *sinstance;
- int life;
- key_proc_type key_proc;
- decrypt_tkt_type decrypt_proc;
- char *arg;
-{
- return krb_get_in_tkt_preauth(user, instance, realm,
- service, sinstance, life,
- key_proc, decrypt_proc, arg,
- NULL, 0);
-}
diff --git a/src/lib/krb4/g_phost.c b/src/lib/krb4/g_phost.c
deleted file mode 100644
index ba1108f..0000000
--- a/src/lib/krb4/g_phost.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * lib/krb4/g_phost.c
- *
- * Copyright 1988, 2001 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-
-#include <stdio.h>
-#include <ctype.h>
-#include <string.h>
-#include "port-sockets.h"
-
-/*
- * This routine takes an alias for a host name and returns the first
- * field, lower case, of its domain name. For example, if "menel" is
- * an alias for host officially named "menelaus" (in /etc/hosts), for
- * the host whose official name is "MENELAUS.MIT.EDU", the name "menelaus"
- * is returned.
- *
- * This is done for historical Athena reasons: the Kerberos name of
- * rcmd servers (rlogin, rsh, rcp) is of the form "rcmd.host@realm"
- * where "host"is the lowercase for of the host name ("menelaus").
- * This should go away: the instance should be the domain name
- * (MENELAUS.MIT.EDU).
But for now we need this routine...
- *
- * A pointer to the name is returned, if found, otherwise a pointer
- * to the original "alias" argument is returned.
- */
-
-char * KRB5_CALLCONV
-krb_get_phost(alias)
- char *alias;
-{
- struct hostent *h;
- char *p;
- unsigned char *ucp;
- static char hostname_mem[MAXHOSTNAMELEN];
-#ifdef DO_REVERSE_RESOLVE
- char *rev_addr; int rev_type, rev_len;
-#endif
-
- if ((h=gethostbyname(alias)) != (struct hostent *)NULL ) {
-#ifdef DO_REVERSE_RESOLVE
- if (! h->h_addr_list ||! h->h_addr_list[0]) {
- return(0);
- }
- rev_type = h->h_addrtype;
- rev_len = h->h_length;
- rev_addr = malloc(rev_len);
- _fmemcpy(rev_addr, h->h_addr_list[0], rev_len);
- h = gethostbyaddr(rev_addr, rev_len, rev_type);
- free(rev_addr);
- if (h == 0) {
- return (0);
- }
-#endif
- /* We don't want to return a *, so we copy to a safe location. */
- strncpy (hostname_mem, h->h_name, sizeof (hostname_mem));
- /* Bail out if h_name is too long. */
- if (hostname_mem[MAXHOSTNAMELEN-1] != '\0')
- return NULL;
- p = strchr( hostname_mem, '.' );
- if (p)
- *p = 0;
- ucp = (unsigned char *)hostname_mem;
- do {
- if (isupper(*ucp)) *ucp=tolower(*ucp);
- } while (*ucp++);
- }
- return(hostname_mem);
-}
diff --git a/src/lib/krb4/g_pw_in_tkt.c b/src/lib/krb4/g_pw_in_tkt.c
deleted file mode 100644
index 4382161..0000000
--- a/src/lib/krb4/g_pw_in_tkt.c
+++ /dev/null
@@ -1,341 +0,0 @@
-/*
- * lib/krb4/g_pw_in_tkt.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <krb5.h>
-#include "krb.h"
-#include "krb4int.h"
-#include "krb_err.h"
-#include "prot.h"
-#include <string.h>
-
-#ifndef NULL
-#define NULL 0
-#endif
-
-#ifndef INTK_PW_NULL
-#define INTK_PW_NULL KRBET_GT_PW_NULL
-#endif
-
-/*
- * This file contains one routine: krb_get_pw_in_tkt() gets an initial ticket for
- * a user.
- */
-
-/*
- * krb_get_pw_in_tkt() takes the name of the server for which the initial
- * ticket is to be obtained, the name of the principal the ticket is
- * for, the desired lifetime of the ticket, and the user's password.
- * It passes its arguments on to krb_get_in_tkt(), which contacts
- * Kerberos to get the ticket, decrypts it using the password provided,
- * and stores it away for future use.
- *
- * On a Unix system, krb_get_pw_in_tkt() is able to prompt the user
- * for a password, if the supplied password is null. On a a non Unix
- * system, it now requires the caller to supply a non-null password.
- * This is because of the complexities of prompting the user in a
- * non-terminal-oriented environment like the Macintosh (running in a
- * driver) or MS-Windows (in a DLL).
- *
- * krb_get_pw_in_tkt() passes two additional arguments to
- * krb_get_in_tkt(): a routine to be used to get the password in case
- * the "password" argument is null and NULL for the decryption
- * procedure indicating that krb_get_in_tkt should use the default
- * method of decrypting the response from the KDC.
- *
- * The result of the call to krb_get_in_tkt() is returned.
- */
-
-int KRB5_CALLCONV
-krb_get_pw_in_tkt(user,instance,realm,service,sinstance,life,password)
- char *user, *instance, *realm, *service, *sinstance;
- int life;
- char *password;
-{
-#if defined(_WIN32) || (defined(USE_LOGIN_LIBRARY) && USE_LOGIN_LIBRARY)
- /* In spite of the comments above, we don't allow that path here,
- to simplify coding the non-UNIX clients. The only code that now
- depends on this behavior is the preauth support, which has a
- seperate function without this trap. Strictly speaking, this
- is an API change.
*/
-
- if (password == 0)
- return INTK_PW_NULL;
-#endif
-
- return(krb_get_in_tkt(user,instance,realm,service,sinstance,life,
- (key_proc_type)NULL, /* krb_get_in_tkt will try them all */
- (decrypt_tkt_type)NULL, password));
-}
-
-int KRB5_CALLCONV
-krb_get_pw_in_tkt_creds(
- char *user, char *instance, char *realm, char *service, char *sinstance,
- int life, char *password, CREDENTIALS *creds)
-{
- return krb_get_in_tkt_creds(user, instance, realm,
- service, sinstance, life,
- (key_proc_type)NULL, /* krb_get_in_tkt_creds will try them all */
- NULL, password, creds);
-}
-
-
-/*
- * krb_get_pw_in_tkt_preauth() gets handed the password or key explicitly,
- * since the whole point of "pre" authentication is to prove that we've
- * already got the key, and the only way to do that is to ask the user
- * for it. Clearly we shouldn't ask twice.
- */
-
-static C_Block old_key;
-
-static int stub_key(user,instance,realm,passwd,key)
- char *user, *instance, *realm, *passwd;
- C_Block key;
-{
- (void) memcpy((char *) key, (char *) old_key, sizeof(old_key));
- return 0;
-}
-
-int KRB5_CALLCONV
-krb_get_pw_in_tkt_preauth(user,instance,realm,service,sinstance,life,password)
- char *user, *instance, *realm, *service, *sinstance;
- int life;
- char *password;
-{
- char *preauth_p;
- int preauth_len;
- int ret_st;
- key_proc_type *keyprocs = krb_get_keyprocs (NULL);
- int i = 0;
-
-#if defined(_WIN32) || (defined(USE_LOGIN_LIBRARY) && USE_LOGIN_LIBRARY)
- /* On non-Unix systems, we can't handle a null password, because
- passwd_to_key can't handle prompting for the password.
*/ - if (password == 0) - return INTK_PW_NULL; -#endif - - /* Loop trying all the key_proc types */ - do { - krb_mk_preauth(&preauth_p, &preauth_len, keyprocs[i], - user, instance, realm, password, old_key); - ret_st = krb_get_in_tkt_preauth(user,instance,realm,service,sinstance,life, - (key_proc_type) stub_key, - (decrypt_tkt_type) NULL, password, - preauth_p, preauth_len); - - krb_free_preauth(preauth_p, preauth_len); - } while ((keyprocs[++i] != NULL) && (ret_st == INTK_BADPW)); - - return ret_st; -} - -/* FIXME! This routine belongs in the krb library and should simply - be shared between the encrypted and NOENCRYPTION versions! */ - -#ifdef NOENCRYPTION -/* - * This routine prints the supplied string to standard - * output as a prompt, and reads a password string without - * echoing. - */ - -#include <stdio.h> -#ifdef BSDUNIX -#include <string.h> -#include <sys/ioctl.h> -#include <signal.h> -#include <setjmp.h> -#else -int strcmp(); -#endif -#if defined(__svr4__) || defined(__SVR4) -#include <sgtty.h> -#endif - -#ifdef BSDUNIX -static jmp_buf env; -#endif - -#ifdef BSDUNIX -static void sig_restore(); -static push_signals(), pop_signals(); -int placebo_read_pw_string(); -#endif - -/*** Routines ****************************************************** */ -int -placebo_read_password(k,prompt,verify) - des_cblock *k; - char *prompt; - int verify; -{ - int ok; - char key_string[BUFSIZ]; - -#ifdef BSDUNIX - if (setjmp(env)) { - ok = -1; - goto lose; - } -#endif - - ok = placebo_read_pw_string(key_string, BUFSIZ, prompt, verify); - if (ok == 0) - memset(k, 0, sizeof(C_Block)); - -lose: - memset(key_string, 0, sizeof (key_string)); - return ok; -} - -/* - * This version just returns the string, doesn't map to key. - * - * Returns 0 on success, non-zero on failure. 
- */ - -int -placebo_read_pw_string(s,max,prompt,verify) - char *s; - int max; - char *prompt; - int verify; -{ - int ok = 0; - char *ptr; - -#ifdef BSDUNIX - jmp_buf old_env; - struct sgttyb tty_state; -#endif - char key_string[BUFSIZ]; - - if (max > BUFSIZ) { - return -1; - } - -#ifdef BSDUNIX - memcpy(env, old_env, sizeof(env)); - if (setjmp(env)) - goto lose; - - /* save terminal state */ - if (ioctl(0,TIOCGETP,&tty_state) == -1) - return -1; - - push_signals(); - /* Turn off echo */ - tty_state.sg_flags &= ~ECHO; - if (ioctl(0,TIOCSETP,&tty_state) == -1) - return -1; -#endif - while (!ok) { - printf(prompt); - fflush(stdout); -#ifdef CROSSMSDOS - h19line(s,sizeof(s),0); - if (!strlen(s)) - continue; -#else - if (!fgets(s, max, stdin)) { - clearerr(stdin); - continue; - } - if ((ptr = strchr(s, '\n'))) - *ptr = '\0'; -#endif - if (verify) { - printf("\nVerifying, please re-enter %s",prompt); - fflush(stdout); -#ifdef CROSSMSDOS - h19line(key_string,sizeof(key_string),0); - if (!strlen(key_string)) - continue; -#else - if (!fgets(key_string, sizeof(key_string), stdin)) { - clearerr(stdin); - continue; - } - if ((ptr = strchr(key_string, '\n'))) - *ptr = '\0'; -#endif - if (strcmp(s,key_string)) { - printf("\n\07\07Mismatch - try again\n"); - fflush(stdout); - continue; - } - } - ok = 1; - } - -#ifdef BSDUNIX -lose: - if (!ok) - memset(s, 0, max); - printf("\n"); - /* turn echo back on */ - tty_state.sg_flags |= ECHO; - if (ioctl(0,TIOCSETP,&tty_state)) - ok = 0; - pop_signals(); - memcpy(old_env, env, sizeof(env)); -#endif - if (verify) - memset(key_string, 0, sizeof (key_string)); - s[max-1] = 0; /* force termination */ - return !ok; /* return nonzero if not okay */ -} - -#ifdef BSDUNIX -/* - * this can be static since we should never have more than - * one set saved.... 
- */
-static sigtype (*old_sigfunc[NSIG])();
-
-static push_signals()
-{
- register i;
- for (i = 0; i < NSIG; i++)
- old_sigfunc[i] = signal(i,sig_restore);
-}
-
-static pop_signals()
-{
- register i;
- for (i = 0; i < NSIG; i++)
- signal(i,old_sigfunc[i]);
-}
-
-static void sig_restore(sig,code,scp)
- int sig,code;
- struct sigcontext *scp;
-{
- longjmp(env,1);
-}
-#endif
-#endif /* NOENCRYPTION */
diff --git a/src/lib/krb4/g_pw_tkt.c b/src/lib/krb4/g_pw_tkt.c
deleted file mode 100644
index f074fbc..0000000
--- a/src/lib/krb4/g_pw_tkt.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * g_pw_tkt.c
- *
- * Copyright 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-
-/*
- * Get a ticket for the password-changing server ("changepw.KRB_MASTER").
- *
- * Given the name, instance, realm, and current password of the
- * principal for which the user wants a password-changing-ticket,
- * return either:
- *
- * GT_PW_BADPW if current password was wrong,
- * GT_PW_NULL if principal had a NULL password,
- * or the result of the krb_get_pw_in_tkt() call.
- *
- * First, try to get a ticket for "user.instance@realm" to use the
- * "changepw.KRB_MASTER" server (KRB_MASTER is defined in "krb.h").
- * The requested lifetime for the ticket is "1", and the current
- * password is the "cpw" argument given.
- *
- * If the password was bad, give up.
- *
- * If the principal had a NULL password in the Kerberos database
- * (indicating that the principal is known to Kerberos, but hasn't
- * got a password yet), try instead to get a ticket for the principal
- * "default.changepw@realm" to use the "changepw.KRB_MASTER" server.
- * Use the password "changepwkrb" instead of "cpw". Return GT_PW_NULL
- * if all goes well, otherwise the error.
- *
- * If this routine succeeds, a ticket and session key for either the
- * principal "user.instance@realm" or "default.changepw@realm" to use
- * the password-changing server will be in the user's ticket file.
- */
-
-int KRB5_CALLCONV
-get_pw_tkt(user,instance,realm,cpw)
- char *user;
- char *instance;
- char *realm;
- char *cpw;
-{
- int kerror;
-
- kerror = krb_get_pw_in_tkt(user, instance, realm, "changepw",
- KRB_MASTER, 1, cpw);
-
- if (kerror == INTK_BADPW)
- return(GT_PW_BADPW);
-
- if (kerror == KDC_NULL_KEY) {
- kerror = krb_get_pw_in_tkt("default","changepw",realm,"changepw",
- KRB_MASTER,1,"changepwkrb");
- if (kerror)
- return(kerror);
- return(GT_PW_NULL);
- }
-
- return(kerror);
-}
diff --git a/src/lib/krb4/g_svc_in_tkt.c b/src/lib/krb4/g_svc_in_tkt.c
deleted file mode 100644
index 7ed4efd..0000000
--- a/src/lib/krb4/g_svc_in_tkt.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * lib/krb4/g_svc_in_tkt.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <string.h>
-#include <stdlib.h>
-#include "krb.h"
-#include "prot.h"
-#include "krb4int.h"
-
-/*
- * This file contains two routines: srvtab_to_key(), which gets
- * a server's key from a srvtab file, and krb_get_svc_in_tkt() which
- * gets an initial ticket for a server.
- */
-
-/*
- * srvtab_to_key(): given a "srvtab" file (where the keys for the
- * service on a host are stored), return the private key of the
- * given service (user.instance@realm).
- *
- * srvtab_to_key() passes its arguments on to read_service_key(),
- * plus one additional argument, the key version number.
- * (Currently, the key version number is always 0; this value
- * is treated as a wildcard by read_service_key().)
- *
- * If the "srvtab" argument is null, KEYFILE (defined in "krb.h")
- * is passed in its place.
- *
- * It returns the return value of the read_service_key() call.
- * The service key is placed in "key".
- */
-
-static int srvtab_to_key(user, instance, realm, srvtab, key)
- char *user, *instance, *realm, *srvtab;
- C_Block key;
-{
- if (!srvtab)
- srvtab = KEYFILE;
-
- return(read_service_key(user, instance, realm, 0, srvtab,
- (char *)key));
-}
-
-/*
- * krb_get_svc_in_tkt() passes its arguments on to krb_get_in_tkt(),
- * plus two additional arguments: a pointer to the srvtab_to_key()
- * function to be used to get the key from the key file and a NULL
- * for the decryption procedure indicating that krb_get_in_tkt should
- * use the default method of decrypting the response from the KDC.
- *
- * It returns the return value of the krb_get_in_tkt() call.
- */
-
-int KRB5_CALLCONV
-krb_get_svc_in_tkt(user, instance, realm, service, sinstance, life, srvtab)
- char *user, *instance, *realm, *service, *sinstance;
- int life;
- char *srvtab;
-{
- return(krb_get_in_tkt(user, instance, realm, service, sinstance, life,
- (key_proc_type) srvtab_to_key, NULL, srvtab));
-}
-
-/* and we need a preauth version as well.
*/
-static C_Block old_key;
-
-static int stub_key(user,instance,realm,passwd,key)
- char *user, *instance, *realm, *passwd;
- C_Block key;
-{
- memcpy(key, old_key, sizeof(C_Block));
- return 0;
-}
-
-int
-krb_get_svc_in_tkt_preauth(user, instance, realm, service, sinstance, life, srvtab)
- char *user, *instance, *realm, *service, *sinstance;
- int life;
- char *srvtab;
-{
- char *preauth_p;
- int preauth_len;
- int ret_st;
-
- krb_mk_preauth(&preauth_p, &preauth_len,
- (key_proc_type) srvtab_to_key, user, instance, realm,
- srvtab, old_key);
- ret_st = krb_get_in_tkt_preauth(user,instance,realm,service,sinstance,life,
- (key_proc_type) stub_key, NULL, srvtab,
- preauth_p, preauth_len);
-
- krb_free_preauth(preauth_p, preauth_len);
- return ret_st;
-}
-
-/* DEC's dss-kerberos adds krb_svc_init; simple enough */
-
-int
-krb_svc_init(user,instance,realm,lifetime,srvtab_file,tkt_file)
- char *user;
- char *instance;
- char *realm;
- int lifetime;
- char *srvtab_file;
- char *tkt_file;
-{
- if (tkt_file)
- krb_set_tkt_string(tkt_file);
-
- return krb_get_svc_in_tkt(user,instance,realm,
- KRB_TICKET_GRANTING_TICKET,realm,lifetime,srvtab_file);
-}
-
-
-int
-krb_svc_init_preauth(user,instance,realm,lifetime,srvtab_file,tkt_file)
- char *user;
- char *instance;
- char *realm;
- int lifetime;
- char *srvtab_file;
- char *tkt_file;
-{
- if (tkt_file)
- krb_set_tkt_string(tkt_file);
-
- return krb_get_svc_in_tkt_preauth(user,instance,realm,
- KRB_TICKET_GRANTING_TICKET,realm,lifetime,srvtab_file);
-}
diff --git a/src/lib/krb4/g_tf_fname.c b/src/lib/krb4/g_tf_fname.c
deleted file mode 100644
index e03fe24..0000000
--- a/src/lib/krb4/g_tf_fname.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * g_tf_fname.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-#include <string.h>
-#include <stdio.h> /* For EOF */
-
-/*
- * This file contains a routine to extract the fullname of a user
- * from the ticket file.
- */
-
-/*
- * krb_get_tf_fullname() takes four arguments: the name of the
- * ticket file, and variables for name, instance, and realm to be
- * returned in. Since the realm of a ticket file is not really fully
- * supported, the realm used will be that of the the first ticket in
- * the file as this is the one that was obtained with a password by
- * krb_get_in_tkt().
- */
-
-int KRB5_CALLCONV
-krb_get_tf_fullname(ticket_file, name, instance, realm)
- const char *ticket_file;
- char *name;
- char *instance;
- char *realm;
-{
- int tf_status;
- CREDENTIALS c;
-
- /* If ticket cache selector is null, use default cache. */
- if (ticket_file == 0)
- ticket_file = tkt_string();
-
- if ((tf_status = tf_init(ticket_file, R_TKT_FIL)) != KSUCCESS)
- return(tf_status);
-
- if (((tf_status = tf_get_pname(c.pname)) != KSUCCESS) ||
- ((tf_status = tf_get_pinst(c.pinst)) != KSUCCESS))
- return (tf_status);
-
- if (name)
- strcpy(name, c.pname);
- if (instance)
- strcpy(instance, c.pinst);
- if ((tf_status = tf_get_cred(&c)) == KSUCCESS) {
- if (realm)
- strcpy(realm, c.realm);
- }
- else {
- if (tf_status == EOF)
- return(KFAILURE);
- else
- return(tf_status);
- }
- (void) tf_close();
-
- return(tf_status);
-}
diff --git a/src/lib/krb4/g_tf_realm.c b/src/lib/krb4/g_tf_realm.c
deleted file mode 100644
index fe99e61..0000000
--- a/src/lib/krb4/g_tf_realm.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * lib/krb4/g_tf_realm.c
- *
- * Copyright 1987-2002 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-
-/*
- * This file contains a routine to extract the realm of a kerberos
- * ticket file.
- */
-
-/*
- * krb_get_tf_realm() takes two arguments: the name of a ticket
- * and a variable to store the name of the realm in.
- *
- */
-
-int KRB5_CALLCONV
-krb_get_tf_realm(const char *ticket_file, char *realm)
-{
- return krb_get_tf_fullname(ticket_file, NULL, NULL, realm);
-}
diff --git a/src/lib/krb4/g_tkt_svc.c b/src/lib/krb4/g_tkt_svc.c
deleted file mode 100644
index d9a2d9f..0000000
--- a/src/lib/krb4/g_tkt_svc.c
+++ /dev/null
@@ -1,174 +0,0 @@ -/* - * g_tkt_svc.c - * - * Gets a ticket for a service. Adopted from KClient. - */ - -#include <string.h> -#include "krb.h" -#include "port-sockets.h" - -/* FIXME -- this should probably be calling mk_auth nowadays. */ -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */ - - -static int -ParseFullName(name, instance, realm, fname) - char *name; - char *instance; - char *realm; - char *fname; -{ - int err; - - if (!*fname) return KNAME_FMT; /* null names are not OK */ - *instance = '\0'; - err = kname_parse(name,instance,realm,fname); - if (err) return err; - if (!*name) return KNAME_FMT; /* null names are not OK */ - if (!*realm) { - if ((err = krb_get_lrealm (realm, 1))) - return err; - if (!*realm) return KNAME_FMT; /* FIXME -- should give better error */ - } - return KSUCCESS; -} - - - -static void -CopyTicket(dest, src, numBytes, version, includeVersion) - char *dest; - KTEXT src; - unsigned KRB4_32 *numBytes; - char *version; - int includeVersion; -{ - unsigned KRB4_32 tkt_len; - unsigned KRB4_32 nbytes = 0; - - /* first put version info into the buffer */ - if (includeVersion) { - (void) strncpy(dest, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN); - (void) strncpy(dest+KRB_SENDAUTH_VLEN, version, KRB_SENDAUTH_VLEN); - nbytes = 2*KRB_SENDAUTH_VLEN; - } - - /* put ticket length into buffer */ - tkt_len = htonl((unsigned long) src->length); - (void) memcpy((char *)(dest+nbytes), (char *) &tkt_len, sizeof(tkt_len)); - nbytes += sizeof(tkt_len); - - /* put ticket into buffer */ - (void) memcpy ((char *)(dest+nbytes), (char *) src->dat, src->length); - nbytes += src->length; - - *numBytes = nbytes; -} - - -static int -CredIsExpired( cr ) - CREDENTIALS *cr; -{ - KRB4_32 now; - - /* This routine is for use with clients only in order to determine - if a credential is still good. - Note: twice CLOCK_SKEW was added to age of ticket so that we could - be more sure that the ticket was good. 
- FIXME: I think this is a bug -- should use the same algorithm - everywhere to determine ticket expiration. */ - - now = TIME_GMT_UNIXSEC; - return now + 2 * CLOCK_SKEW > krb_life_to_time(cr->issue_date, - cr->lifetime); -} - - -/* - * Gets a ticket and returns it to application in buf - -> service Formal Kerberos name of service - -> buf Buffer to receive ticket - -> checksum checksum for this service - <-> buflen length of ticket buffer (must be at least - 1258 bytes) - <- sessionKey for internal use - <- schedule for internal use - - * Result is: - * GC_NOTKT if there is no matching TGT in the cache - * MK_AP_TGTEXP if the matching TGT is expired - * Other errors possible. These could cause a dialogue with the user - * to get a new TGT. - */ - -int KRB5_CALLCONV -krb_get_ticket_for_service (serviceName, buf, buflen, checksum, sessionKey, - schedule, version, includeVersion) - char *serviceName; - char *buf; - unsigned KRB4_32 *buflen; - int checksum; - des_cblock sessionKey; - Key_schedule schedule; - char *version; - int includeVersion; -{ - char service[SNAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - int err; - char lrealm[REALM_SZ]; - CREDENTIALS cr; - - service[0] = '\0'; - instance[0] = '\0'; - realm[0] = '\0'; - - /* parse out service name */ - - err = ParseFullName(service, instance, realm, serviceName); - if (err) - return err; - - if ((err = krb_get_tf_realm(TKT_FILE, lrealm)) != KSUCCESS) - return(err); - - /* Make sure we have an intial ticket for the user in this realm - Check local realm, not realm for service since krb_mk_req will - get additional krbtgt if necessary. This is so that inter-realm - works without asking for a password twice. - FIXME gnu - I think this is a bug. We should allow direct - authentication to the desired realm, regardless of what the "local" - realm is. I fixed it. FIXME -- not quite right. 
*/ - err = krb_get_cred (KRB_TICKET_GRANTING_TICKET, realm, lrealm, &cr); - if (err) - return err; - - err = CredIsExpired(&cr); - if (err) - return RD_AP_EXP; /* Expired ticket */ - - /* Get a ticket for the service */ - err = krb_mk_req(&(cr.ticket_st),service,instance,realm,checksum); - if (err) - return err; - - CopyTicket(buf, &(cr.ticket_st), buflen, version, includeVersion); - - /* get the session key for later use in deciphering the server response */ - err = krb_get_cred(service,instance,realm,&cr); - if (err) - return err; - memcpy((char *)sessionKey, (char *)cr.session, sizeof(C_Block)); - err = key_sched(sessionKey, schedule); - if (err) - return KFAILURE; /* Bad DES key for some reason (FIXME better error) */ - - else - return KSUCCESS; - -} - - diff --git a/src/lib/krb4/gethostname.c b/src/lib/krb4/gethostname.c deleted file mode 100644 index cc40dd0..0000000 --- a/src/lib/krb4/gethostname.c +++ /dev/null @@ -1,36 +0,0 @@ -/* - * gethostname.c - * - * Copyright 1987, 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - */ - -#include "mit-copyright.h" -#include "krb.h" -#include "krb4int.h" -#include "autoconf.h" - -#ifdef HAVE_UNISTD_H -#include <unistd.h> -#endif - -#ifndef GETHOSTNAME -#define GETHOSTNAME gethostname /* A rather simple default */ -#endif - -/* - * Return the local host's name in "name", up to "namelen" characters. - * "name" will be null-terminated if "namelen" is big enough. - * The return code is 0 on success, -1 on failure. (The calling - * interface is identical to BSD gethostname(2).) - */ - -int -k_gethostname(name, namelen) - char *name; - int namelen; -{ - return GETHOSTNAME(name, namelen); -} diff --git a/src/lib/krb4/getst.c b/src/lib/krb4/getst.c deleted file mode 100644 index 336170d..0000000 --- a/src/lib/krb4/getst.c +++ /dev/null 
@@ -1,40 +0,0 @@ -/* - * getst.c - * - * Copyright 1987, 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - */ - -#include "mit-copyright.h" -#include "krb.h" -#include "krb4int.h" -#include "autoconf.h" -#ifdef HAVE_UNISTD_H -#include <unistd.h> -#endif - -/* - * getst() takes a file descriptor, a string and a count. It reads - * from the file until either it has read "count" characters, or until - * it reads a null byte. When finished, what has been read exists in - * the given string "s". If "count" characters were actually read, the - * last is changed to a null, so the returned string is always null- - * terminated. getst() returns the number of characters read, including - * the null terminator. - */ - -int -getst(fd, s, n) - int fd; - register char *s; - int n; -{ - register int count = n; - while (read(fd, s, 1) > 0 && --count) - if (*s++ == '\0') - return (n - count); - *s = '\0'; - return (n - count); -} diff --git a/src/lib/krb4/in_tkt.c b/src/lib/krb4/in_tkt.c deleted file mode 100644 index e2d071a..0000000 --- a/src/lib/krb4/in_tkt.c +++ /dev/null 
@@ -1,205 +0,0 @@
-/*
- * lib/krb4/in_tkt.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2007 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include "krb.h"
-#include <fcntl.h>
-#include <sys/stat.h>
-#include "autoconf.h"
-#ifdef TKT_SHMEM
-#include <sys/param.h>
-#endif
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-extern int krb_debug;
-
-/*
- * in_tkt() is used to initialize the ticket store. It creates the
- * file to contain the tickets and writes the given user's name "pname"
- * and instance "pinst" in the file. in_tkt() returns KSUCCESS on
- * success, or KFAILURE if something goes wrong.
- */ - -#include "k5-util.h" -#define do_seteuid krb5_seteuid -#include "k5-platform.h" - -#ifndef O_SYNC -#define O_SYNC 0 -#endif - -int KRB5_CALLCONV -in_tkt(pname,pinst) - char *pname; - char *pinst; -{ - int tktfile; - uid_t me, metoo, getuid(), geteuid(); - struct stat statpre, statpost; - int count; - const char *file = TKT_FILE; - int fd; - register int i; - char charbuf[BUFSIZ]; - mode_t mask; -#ifdef TKT_SHMEM - char shmidname[MAXPATHLEN]; -#endif /* TKT_SHMEM */ - - /* If ticket cache selector is null, use default cache. */ - if (file == 0) - file = tkt_string(); - - me = getuid (); - metoo = geteuid(); - if (lstat(file, &statpre) == 0) { - if (statpre.st_uid != me || !(statpre.st_mode & S_IFREG) - || statpre.st_nlink != 1 || statpre.st_mode & 077) { - if (krb_debug) - fprintf(stderr,"Error initializing %s",file); - return(KFAILURE); - } - /* - * Yes, we do uid twiddling here. It's not optimal, but some - * applications may expect that the ruid is what should really - * own the ticket file, e.g. setuid applications. - */ - if (me != metoo && do_seteuid(me) < 0) - return KFAILURE; - /* file already exists, and permissions appear ok, so nuke it */ - fd = open(file, O_RDWR|O_SYNC, 0); - if (fd >= 0) - set_cloexec_fd(fd); - (void)unlink(file); - if (me != metoo && do_seteuid(metoo) < 0) - return KFAILURE; - if (fd < 0) { - goto out; /* can't zero it, but we can still try truncating it */ - } - - /* - * Do some additional paranoid things. The worst-case - * situation is that a user may be fooled into opening a - * non-regular file briefly if the file is in a directory with - * improper permissions. 
- */ - if (fstat(fd, &statpost) < 0) { - (void)close(fd); - goto out; - } - if (statpre.st_dev != statpost.st_dev - || statpre.st_ino != statpost.st_ino) { - (void)close(fd); - errno = 0; - goto out; - } - - memset(charbuf, 0, sizeof(charbuf)); - - for (i = 0; i < statpost.st_size; i += sizeof(charbuf)) - if (write(fd, charbuf, sizeof(charbuf)) != sizeof(charbuf)) { -#ifndef NO_FSYNC - (void) fsync(fd); -#endif - (void) close(fd); - goto out; - } - -#ifndef NO_FSYNC - (void) fsync(fd); -#endif - (void) close(fd); - } - out: - /* arrange so the file is owned by the ruid - (swap real & effective uid if necessary). - This isn't a security problem, since the ticket file, if it already - exists, has the right uid (== ruid) and mode. */ - if (me != metoo) { - if (do_seteuid(me) < 0) { - /* can't switch??? barf! */ - if (krb_debug) - perror("in_tkt: seteuid"); - return(KFAILURE); - } else - if (krb_debug) - printf("swapped UID's %d and %d\n",(int) metoo, (int) me); - } - /* Set umask to ensure that we have write access on the created - ticket file. */ - mask = umask(077); - tktfile = open(file, O_RDWR|O_SYNC|O_CREAT|O_EXCL, 0600); - if (tktfile >= 0) - set_cloexec_fd(tktfile); - umask(mask); - if (me != metoo) { - if (do_seteuid(metoo) < 0) { - /* can't switch??? barf! 
*/ - if (krb_debug) - perror("in_tkt: seteuid2"); - return(KFAILURE); - } else - if (krb_debug) - printf("swapped UID's %d and %d\n", (int) me, (int) metoo); - } - if (tktfile < 0) { - if (krb_debug) - fprintf(stderr,"Error initializing %s",TKT_FILE); - return(KFAILURE); - } - count = strlen(pname)+1; - if (write(tktfile,pname,count) != count) { - (void) close(tktfile); - return(KFAILURE); - } - count = strlen(pinst)+1; - if (write(tktfile,pinst,count) != count) { - (void) close(tktfile); - return(KFAILURE); - } - (void) close(tktfile); -#ifdef TKT_SHMEM - (void) strncpy(shmidname, file, sizeof(shmidname) - 1); - shmidname[sizeof(shmidname) - 1] = '\0'; - (void) strncat(shmidname, ".shm", sizeof(shmidname) - 1 - strlen(shmidname)); - return(krb_shm_create(shmidname)); -#else /* !TKT_SHMEM */ - return(KSUCCESS); -#endif /* TKT_SHMEM */ -} - -int KRB5_CALLCONV -krb_in_tkt(pname, pinst, prealm) - char *pname; - char *pinst; - char *prealm; -{ - return in_tkt(pname, pinst); -} diff --git a/src/lib/krb4/kadm_err.et b/src/lib/krb4/kadm_err.et deleted file mode 100644 index 07ab9da..0000000 --- a/src/lib/krb4/kadm_err.et +++ /dev/null 
@@ -1,58 +0,0 @@
-# kadmin.v4/server/kadm_err.et
-#
-# Copyright 1988 by the Massachusetts Institute of Technology.
-#
-# For copying and distribution information, please see the file
-# <mit-copyright.h>.
-#
-# Kerberos administration server error table
-#
- et kadm
-
-# KADM_SUCCESS, as all success codes should be, is zero
-
-ec KADM_RCSID, "$Header$"
-# /* Building and unbuilding the packet errors */
-ec KADM_NO_REALM, "Cannot fetch local realm"
-ec KADM_NO_CRED, "Unable to fetch credentials"
-ec KADM_BAD_KEY, "Bad key supplied"
-ec KADM_NO_ENCRYPT, "Can't encrypt data"
-ec KADM_NO_AUTH, "Cannot encode/decode authentication info"
-ec KADM_WRONG_REALM, "Principal attemping change is in wrong realm"
-ec KADM_NO_ROOM, "Packet is too large"
-ec KADM_BAD_VER, "Version number is incorrect"
-ec KADM_BAD_CHK, "Checksum does not match"
-ec KADM_NO_READ, "Unsealing private data failed"
-ec KADM_NO_OPCODE, "Unsupported operation"
-ec KADM_NO_HOST, "Could not find administrating host"
-ec KADM_UNK_HOST, "Administrating host name is unknown"
-ec KADM_NO_SERV, "Could not find service name in services database"
-ec KADM_NO_SOCK, "Could not create socket"
-ec KADM_NO_CONN, "Could not connect to server"
-ec KADM_NO_HERE, "Could not fetch local socket address"
-ec KADM_NO_MAST, "Could not fetch master key"
-ec KADM_NO_VERI, "Could not verify master key"
-
-# /* From the server side routines */
-ec KADM_INUSE, "Entry already exists in database"
-ec KADM_UK_SERROR, "Database store error"
-ec KADM_UK_RERROR, "Database read error"
-ec KADM_UNAUTH, "Insufficient access to perform requested operation"
-# KADM_DATA isn't really an error, but...
-ec KADM_DATA, "Data is available for return to client"
-ec KADM_NOENTRY, "No such entry in the database"
-
-ec KADM_NOMEM, "Memory exhausted"
-ec KADM_NO_HOSTNAME, "Could not fetch system hostname"
-ec KADM_NO_BIND, "Could not bind port"
-ec KADM_LENGTH_ERROR, "Length mismatch problem"
-ec KADM_ILL_WILDCARD, "Illegal use of wildcard"
-
-ec KADM_DB_INUSE, "Database locked or in use"
-
-ec KADM_INSECURE_PW, "Insecure password rejected"
-ec KADM_PW_MISMATCH, "Cleartext password and DES key did not match"
-
-ec KADM_NOT_SERV_PRINC, "Invalid principal for change srvtab request"
-ec KADM_REALM_TOO_LONG, "Realm name too long"
-end
diff --git a/src/lib/krb4/kadm_net.c b/src/lib/krb4/kadm_net.c
deleted file mode 100644
index 89c87cc..0000000
--- a/src/lib/krb4/kadm_net.c
+++ /dev/null
@@ -1,393 +0,0 @@
-/*
- * lib/krb4/kadm_net.c
- *
- * Copyright 1988, 2002, 2007 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Kerberos administration server client-side network access routines
- * These routines do actual network traffic, in a machine dependent manner.
- */
-
-#include <errno.h>
-#include <signal.h>
-#include <string.h>
-#include <stdlib.h>
-#include "autoconf.h"
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-#define DEFINE_SOCKADDR /* Ask krb.h for struct sockaddr, etc */
-#include "port-sockets.h"
-#include "krb.h"
-#include "krbports.h"
-#include "kadm.h"
-#include "kadm_err.h"
-#include "prot.h"
-
-/* XXX FIXME! */
-#if defined(_WIN32)
- #define SIGNAL(s, f) 0
-#else
- #define SIGNAL(s, f) signal(s, f)
-#endif
-
-static void clear_secrets(des_cblock sess_key, Key_schedule sess_sched);
-/* XXX FIXME! */
-#ifdef SIGPIPE
-static krb5_sigtype (*opipe)();
-#endif
-
-/*
- * kadm_init_link
- * receives : principal, instance, realm
- *
- * initializes client parm, the Kadm_Client structure which holds the
- * data about the connection between the server and client, the services
- * used, the locations and other fun things
- */
-int
-kadm_init_link(char *principal, char *instance, char *realm,
- Kadm_Client *client_parm, int changepw)
-{
- struct servent *sep; /* service we will talk to */
- u_short sep_port;
- struct hostent *hop; /* host we will talk to */
- char adm_hostname[MAXHOSTNAMELEN];
- char *scol = 0;
-
- (void) strcpy(client_parm->sname, principal);
- (void) strcpy(client_parm->sinst, instance);
- (void) strcpy(client_parm->krbrlm, realm);
- client_parm->admin_fd = -1;
- client_parm->default_port = 1;
-
- /*
- * set up the admin_addr - fetch name of admin or kpasswd host
- * (usually the admin host is the kpasswd host unless you have
- * some sort of realm on crack)
- */
- if (changepw) {
-#if 0 /* XXX */
- if (krb_get_kpasswdhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS)
-#endif
- if (krb_get_admhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS)
- return KADM_NO_HOST;
- } else {
- if (krb_get_admhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS)
- return KADM_NO_HOST;
- }
- scol = strchr(adm_hostname,':');
- if (scol) *scol = 0;
- if ((hop = gethostbyname(adm_hostname)) == NULL)
- /*
- * couldn't find the admin servers address
- */
- return KADM_UNK_HOST;
- if (scol) {
- sep_port = htons(atoi(scol+1));
- client_parm->default_port = 0;
- } else if ((sep = getservbyname(KADM_SNAME, "tcp")) != NULL)
- sep_port = sep->s_port;
- else
- sep_port = htons(KADM_PORT); /* KADM_SNAME = kerberos_master/tcp */
- memset(&client_parm->admin_addr, 0, sizeof(client_parm->admin_addr));
- client_parm->admin_addr.sin_family = hop->h_addrtype;
- memcpy(&client_parm->admin_addr.sin_addr, hop->h_addr, hop->h_length);
- client_parm->admin_addr.sin_port = sep_port;
-
- return KADM_SUCCESS;
-}
-
-/*
- * kadm_cli_send
- * recieves : opcode, packet, packet length, serv_name, serv_inst
- * returns : return code from the packet build, the server, or
- * something else
- *
- * It assembles a packet as follows:
- * 8 bytes : VERSION STRING
- * 4 bytes : LENGTH OF MESSAGE DATA and OPCODE
- * : KTEXT
- * : OPCODE \
- * : DATA > Encrypted (with make priv)
- * : ...... /
- *
- * If it builds the packet and it is small enough, then it attempts to open the
- * connection to the admin server. If the connection is succesfully open
- * then it sends the data and waits for a reply.
- */
-int
-kadm_cli_send(Kadm_Client *client_parm,
- u_char *st_dat, /* the actual data */
- size_t st_siz, /* length of said data */
- u_char **ret_dat, /* to give return info */
- size_t *ret_siz) /* length of returned info */
-{
-/* Macros for use in returning data... used in kadm_cli_send */
-#define RET_N_FREE(r) {clear_secrets(sess_key, sess_sched); free((char *)act_st); free((char *)priv_pak); return r;}
-#define RET_N_FREE2(r) {free((char *)*ret_dat); *ret_dat = 0; *ret_siz = 0; clear_secrets(sess_key, sess_sched); return(r);}
-
- int act_len; /* current offset into packet, return */
- KRB_INT32 retdat; /* data */
- KTEXT_ST authent; /* the authenticator we will build */
- u_char *act_st; /* the pointer to the complete packet */
- u_char *priv_pak; /* private version of the packet */
- long priv_len; /* length of private packet */
- u_long cksum; /* checksum of the packet */
- MSG_DAT mdat;
- u_char *return_dat;
- u_char *p;
- KRB_UINT32 uretdat;
-
- /* Keys for use in the transactions */
- des_cblock sess_key; /* to be filled in by kadm_cli_keyd */
- Key_schedule sess_sched;
-
- act_st = malloc(KADM_VERSIZE); /* verstr stored first */
- strncpy((char *)act_st, KADM_VERSTR, KADM_VERSIZE);
- act_len = KADM_VERSIZE;
-
- if ((retdat = kadm_cli_keyd(client_parm, sess_key, sess_sched)) != KADM_SUCCESS) {
- free(act_st);
- return retdat; /* couldnt get key working */
- }
- priv_pak = malloc(st_siz + 200);
- /* 200 bytes for extra info case */
- /* XXX Check mk_priv return type */
- if ((priv_len = krb_mk_priv(st_dat, priv_pak, (u_long)st_siz,
- sess_sched, (C_Block *)sess_key,
- &client_parm->my_addr,
- &client_parm->admin_addr)) < 0)
- RET_N_FREE(KADM_NO_ENCRYPT); /* whoops... we got a lose here */
- /*
- * here is the length of priv data. receiver calcs size of
- * authenticator by subtracting vno size, priv size, and
- * sizeof(u_long) (for the size indication) from total size
- */
- act_len += vts_long((KRB_UINT32)priv_len, &act_st, (int)act_len);
-#ifdef NOENCRYPTION
- cksum = 0;
-#else
- cksum = quad_cksum(priv_pak, NULL, priv_len, 0, &sess_key);
-#endif
- /* XXX cast unsigned->signed */
- if ((retdat = krb_mk_req_creds(&authent, &client_parm->creds, (long)cksum)) != 0) {
- /* authenticator? */
- RET_N_FREE(retdat);
- }
-
- act_st = realloc(act_st, (unsigned) (act_len + authent.length
- + priv_len));
- if (!act_st) {
- clear_secrets(sess_key, sess_sched);
- free(priv_pak);
- return KADM_NOMEM;
- }
- memcpy(act_st + act_len, authent.dat, authent.length);
- memcpy(act_st + act_len + authent.length, priv_pak, priv_len);
- free(priv_pak);
- if ((retdat = kadm_cli_out(client_parm, act_st,
- act_len + authent.length + priv_len,
- ret_dat, ret_siz)) != KADM_SUCCESS)
- RET_N_FREE(retdat);
- free(act_st);
-
- /* first see if it's a YOULOSE */
- if ((*ret_siz >= KADM_VERSIZE) &&
- !strncmp(KADM_ULOSE, (char *)*ret_dat, KADM_VERSIZE))
- {
- /* it's a youlose packet */
- if (*ret_siz < KADM_VERSIZE + 4)
- RET_N_FREE2(KADM_BAD_VER);
- p = *ret_dat + KADM_VERSIZE;
- KRB4_GET32BE(uretdat, p);
- /* XXX unsigned->signed */
- retdat = (KRB_INT32)uretdat;
- RET_N_FREE2(retdat);
- }
- /* need to decode the ret_dat */
- if ((retdat = krb_rd_priv(*ret_dat, (u_long)*ret_siz, sess_sched,
- (C_Block *)sess_key, &client_parm->admin_addr,
- &client_parm->my_addr, &mdat)) != 0)
- RET_N_FREE2(retdat);
- if (mdat.app_length < KADM_VERSIZE + 4)
- /* too short! */
- RET_N_FREE2(KADM_BAD_VER);
- if (strncmp((char *)mdat.app_data, KADM_VERSTR, KADM_VERSIZE))
- /* bad version */
- RET_N_FREE2(KADM_BAD_VER);
- p = mdat.app_data + KADM_VERSIZE;
- KRB4_GET32BE(uretdat, p);
- /* XXX unsigned->signed */
- retdat = (KRB_INT32)uretdat;
- if ((mdat.app_length - KADM_VERSIZE - 4) != 0) {
- if (!(return_dat =
- malloc((unsigned)(mdat.app_length - KADM_VERSIZE - 4))))
- RET_N_FREE2(KADM_NOMEM);
- memcpy(return_dat, p, mdat.app_length - KADM_VERSIZE - 4);
- } else {
- /* If it's zero length, still need to malloc a 1 byte string; */
- /* malloc's of zero will return NULL on AIX & A/UX */
- if (!(return_dat = malloc((unsigned) 1)))
- RET_N_FREE2(KADM_NOMEM);
- *return_dat = '\0';
- }
- free(*ret_dat);
- clear_secrets(sess_key, sess_sched);
- *ret_dat = return_dat;
- *ret_siz = mdat.app_length - KADM_VERSIZE - 4;
- return retdat;
-}
-
-int kadm_cli_conn(Kadm_Client *client_parm)
-{ /* this connects and sets my_addr */
-#if 0
- int on = 1;
-#endif
- if ((client_parm->admin_fd =
- socket(client_parm->admin_addr.sin_family, SOCK_STREAM,0)) < 0)
- return KADM_NO_SOCK; /* couldnt create the socket */
- set_cloexec_fd(client_parm->admin_fd);
- if (SOCKET_CONNECT(client_parm->admin_fd,
- (struct sockaddr *) & client_parm->admin_addr,
- sizeof(client_parm->admin_addr))) {
- (void) SOCKET_CLOSE(client_parm->admin_fd);
- client_parm->admin_fd = -1;
-
- /* The V4 kadmind port number is 751. The RFC assigned
- number, for V5, is 749. Sometimes the entry in
- /etc/services on a client machine will say 749, but the
- server may be listening on port 751. We try to partially
- cope by automatically falling back to try port 751 if we
- don't get a reply on port we are using. */
- if (client_parm->admin_addr.sin_port != htons(KADM_PORT)
- && client_parm->default_port) {
- client_parm->admin_addr.sin_port = htons(KADM_PORT);
- return kadm_cli_conn(client_parm);
- }
-
- return KADM_NO_CONN; /* couldnt get the connect */
- }
-#ifdef SIGPIPE
- opipe = SIGNAL(SIGPIPE, SIG_IGN);
-#endif
- client_parm->my_addr_len = sizeof(client_parm->my_addr);
- if (SOCKET_GETSOCKNAME(client_parm->admin_fd,
- (struct sockaddr *) & client_parm->my_addr,
- &client_parm->my_addr_len) < 0) {
- (void) SOCKET_CLOSE(client_parm->admin_fd);
- client_parm->admin_fd = -1;
-#ifdef SIGPIPE
- (void) SIGNAL(SIGPIPE, opipe);
-#endif
- return KADM_NO_HERE; /* couldnt find out who we are */
- }
-#if 0
- if (setsockopt(client_parm.admin_fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
- sizeof(on)) < 0) {
- (void) closesocket(client_parm.admin_fd);
- client_parm.admin_fd = -1;
-#ifdef SIGPIPE
- (void) SIGNAL(SIGPIPE, opipe);
-#endif
- return KADM_NO_CONN; /* XXX */
- }
-#endif
- return KADM_SUCCESS;
-}
-
-void kadm_cli_disconn(Kadm_Client *client_parm)
-{
- (void) SOCKET_CLOSE(client_parm->admin_fd);
-#ifdef SIGPIPE
- (void) SIGNAL(SIGPIPE, opipe);
-#endif
- return;
-}
-
-int kadm_cli_out(Kadm_Client *client_parm, u_char *dat, int dat_len,
- u_char **ret_dat, size_t *ret_siz)
-{
- u_short dlen;
- int retval;
- unsigned char buf[2], *p;
-
- dlen = (u_short)dat_len;
- if (dlen > 0x7fff) /* XXX krb_net_write signedness */
- return KADM_NO_ROOM;
-
- p = buf;
- KRB4_PUT16BE(p, dlen);
- if (krb_net_write(client_parm->admin_fd, (char *)buf, 2) < 0)
- return SOCKET_ERRNO; /* XXX */
-
- if (krb_net_write(client_parm->admin_fd, (char *)dat, (int)dat_len) < 0)
- return SOCKET_ERRNO; /* XXX */
-
- retval = krb_net_read(client_parm->admin_fd, (char *)buf, 2);
- if (retval != 2) {
- if (retval < 0)
- return SOCKET_ERRNO; /* XXX */
- else
- return EPIPE; /* short read ! */
- }
-
- p = buf;
- KRB4_GET16BE(dlen, p);
- if (dlen > INT_MAX) /* XXX krb_net_read signedness */
- return KADM_NO_ROOM;
- *ret_dat = malloc(dlen);
- if (!*ret_dat)
- return KADM_NOMEM;
-
- retval = krb_net_read(client_parm->admin_fd, (char *)*ret_dat, (int)dlen);
- if (retval != dlen) {
- if (retval < 0)
- return SOCKET_ERRNO; /* XXX */
- else
- return EPIPE; /* short read ! */
- }
- *ret_siz = dlen;
- return KADM_SUCCESS;
-}
-
-static void
-clear_secrets(des_cblock sess_key, Key_schedule sess_sched)
-{
- memset(sess_key, 0, sizeof(sess_key));
- memset(sess_sched, 0, sizeof(sess_sched));
- return;
-}
-
-/* takes in the sess_key and key_schedule and sets them appropriately */
-int kadm_cli_keyd(Kadm_Client *client_parm,
- des_cblock s_k, des_key_schedule s_s)
-{
- int stat;
-
- memcpy(s_k, client_parm->creds.session, sizeof(des_cblock));
- stat = key_sched(s_k, s_s);
- if (stat)
- return stat;
- return KADM_SUCCESS;
-} /* This code "works" */
diff --git a/src/lib/krb4/kadm_stream.c b/src/lib/krb4/kadm_stream.c
deleted file mode 100644
index dc9fef1..0000000
--- a/src/lib/krb4/kadm_stream.c
+++ /dev/null
@@ -1,325 +0,0 @@
-/*
- * kadm_stream.c
- *
- * Copyright 1988, 2002 by the Massachusetts Institute of Technology.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Stream conversion functions for Kerberos administration server
- */
-
-/*
- kadm_stream.c
- this holds the stream support routines for the kerberos administration server
-
- vals_to_stream: converts a vals struct to a stream for transmission
- internals build_field_header, vts_[string, char, long, short]
- stream_to_vals: converts a stream to a vals struct
- internals check_field_header, stv_[string, char, long, short]
- error: prints out a kadm error message, returns
- fatal: prints out a kadm fatal error message, exits
-*/
-
-#include <string.h>
-#include <stdlib.h>
-
-#include "kadm.h"
-#include "kadm_err.h"
-#include "prot.h"
-
-#define min(a,b) (((a) < (b)) ? (a) : (b))
-
-/*
-vals_to_stream
- recieves : kadm_vals *, u_char *
- returns : a realloced and filled in u_char *
-
-this function creates a byte-stream representation of the kadm_vals structure
-*/
-int
-vals_to_stream(Kadm_vals *dt_in, u_char **dt_out)
-{
- int vsloop, stsize; /* loop counter, stream size */
-
- stsize = build_field_header(dt_in->fields, dt_out);
- for (vsloop = 31; vsloop >= 0; vsloop--)
- if (IS_FIELD(vsloop, dt_in->fields)) {
- switch (vsloop) {
- case KADM_NAME:
- stsize += vts_string(dt_in->name, dt_out, stsize);
- break;
- case KADM_INST:
- stsize += vts_string(dt_in->instance, dt_out, stsize);
- break;
- case KADM_EXPDATE:
- stsize += vts_long((KRB_UINT32)dt_in->exp_date,
- dt_out, stsize);
- break;
- case KADM_ATTR:
- stsize += vts_short(dt_in->attributes, dt_out, stsize);
- break;
- case KADM_MAXLIFE:
- stsize += vts_char(dt_in->max_life, dt_out, stsize);
- break;
- case KADM_DESKEY:
- stsize += vts_long(dt_in->key_high, dt_out, stsize);
- stsize += vts_long(dt_in->key_low, dt_out, stsize);
- break;
- default:
- break;
- }
- }
- return stsize;
-}
-
-int
-build_field_header(
- u_char *cont, /* container for fields data */
- u_char **st) /* stream */
-{
- *st = malloc(4);
- if (*st == NULL)
- return -1;
- memcpy(*st, cont, 4);
- return 4; /* return pointer to current stream location */
-}
-
-int
-vts_string(char *dat, u_char **st, int loc)
-{
- size_t len;
- unsigned char *p;
-
- if (loc < 0)
- return -1;
- len = strlen(dat) + 1;
- p = realloc(*st, (size_t)loc + len);
- if (p == NULL)
- return -1;
- memcpy(p + loc, dat, len);
- *st = p;
- return len;
-}
-
-int
-vts_short(KRB_UINT32 dat, u_char **st, int loc)
-{
- unsigned char *p;
-
- if (loc < 0)
- return -1;
- p = realloc(*st, (size_t)loc + 2);
- if (p == NULL)
- return -1;
-
- *st = p; /* KRB4_PUT32BE will modify p */
-
- p += loc; /* place bytes at the end */
- KRB4_PUT16BE(p, dat);
-
- return 2;
-}
-
-int
-vts_long(KRB_UINT32 dat, u_char **st, int loc)
-{
- unsigned char *p;
-
- if (loc < 0)
- return -1;
- p = realloc(*st, (size_t)loc + 4);
- if (p == NULL)
- return -1;
-
- *st = p; /* KRB4_PUT32BE will modify p */
-
- p += loc; /* place bytes at the end */
- KRB4_PUT32BE(p, dat);
-
- return 4;
-}
-
-int
-vts_char(KRB_UINT32 dat, u_char **st, int loc)
-{
- unsigned char *p;
-
- if (loc < 0)
- return -1;
- p = realloc(*st, (size_t)loc + 1);
- if (p == NULL)
- return -1;
- p[loc] = dat & 0xff;
- *st = p;
- return 1;
-}
-
-/*
-stream_to_vals
- recieves : u_char *, kadm_vals *
- returns : a kadm_vals filled in according to u_char *
-
-this decodes a byte stream represntation of a vals struct into kadm_vals
-*/
-int
-stream_to_vals(
- u_char *dt_in,
- Kadm_vals *dt_out,
- int maxlen) /* max length to use */
-{
- register int vsloop, stsize; /* loop counter, stream size */
- register int status;
-
- memset(dt_out, 0, sizeof(*dt_out));
-
- stsize = check_field_header(dt_in, dt_out->fields, maxlen);
- if (stsize < 0)
- return -1;
- for (vsloop = 31; vsloop >= 0; vsloop--)
- if (IS_FIELD(vsloop, dt_out->fields))
- switch (vsloop) {
- case KADM_NAME:
- status = stv_string(dt_in, dt_out->name, stsize,
- sizeof(dt_out->name), maxlen);
- if (status < 0)
- return -1;
- stsize += status;
- break;
- case KADM_INST:
- status = stv_string(dt_in, dt_out->instance, stsize,
- sizeof(dt_out->instance), maxlen);
- if (status < 0)
- return -1;
- stsize += status;
- break;
- case KADM_EXPDATE:
- {
- KRB_UINT32 exp_date;
-
- status = stv_long(dt_in, &exp_date, stsize, maxlen);
- if (status < 0)
- return -1;
- dt_out->exp_date = exp_date;
- stsize += status;
- }
- break;
- case KADM_ATTR:
- status = stv_short(dt_in, &dt_out->attributes, stsize,
- maxlen);
- if (status < 0)
- return -1;
- stsize += status;
- break;
- case KADM_MAXLIFE:
- status = stv_char(dt_in, &dt_out->max_life, stsize,
- maxlen);
- if (status < 0)
- return -1;
- stsize += status;
- break;
- case KADM_DESKEY:
- status = stv_long(dt_in, &dt_out->key_high, stsize,
- maxlen);
- if (status < 0)
- return -1;
- stsize += status;
- status = stv_long(dt_in, &dt_out->key_low, stsize,
- maxlen);
- if (status < 0)
- return -1;
- stsize += status;
- break;
- default:
- break;
- }
- return stsize;
-}
-
-int
-check_field_header(
- u_char *st, /* stream */
- u_char *cont, /* container for fields data */
- int maxlen)
-{
- if (4 > maxlen)
- return -1;
- memcpy(cont, st, 4);
- return 4; /* return pointer to current stream location */
-}
-
-int
-stv_string(
- register u_char *st, /* base pointer to the stream */
- char *dat, /* a string to read from the stream */
- register int loc, /* offset into the stream for current data */
- int stlen, /* max length of string to copy in */
- int maxlen) /* max length of input stream */
-{
- int maxcount; /* max count of chars to copy */
-
- if (loc < 0)
- return -1;
- maxcount = min(maxlen - loc, stlen);
- if (maxcount <= 0) /* No strings left in the input stream */
- return -1;
-
- (void) strncpy(dat, (char *)st + loc, (size_t)maxcount);
-
- if (dat[maxcount - 1]) /* not null-term --> not enuf room */
- return -1;
- return strlen(dat) + 1;
-}
-
-int
-stv_short(u_char *st, u_short *dat, int loc, int maxlen)
-{
- u_short temp;
- unsigned char *p;
-
- if (loc < 0 || loc + 2 > maxlen)
- return -1;
- p = st + loc;
- KRB4_GET16BE(temp, p);
- *dat = temp;
- return 2;
-}
-
-int
-stv_long(u_char *st, KRB_UINT32 *dat, int loc, int maxlen)
-{
- KRB_UINT32 temp;
- unsigned char *p;
-
- if (loc < 0 || loc + 4 > maxlen)
- return -1;
- p = st + loc;
- KRB4_GET32BE(temp, p);
- *dat = temp;
- return 4;
-}
-
-int
-stv_char(u_char *st, u_char *dat, int loc, int maxlen)
-{
- if (loc < 0 || loc + 1 > maxlen)
- return -1;
- *dat = *(st + loc);
- return 1;
-}
diff --git a/src/lib/krb4/klog.c b/src/lib/krb4/klog.c
deleted file mode 100644
index b1cfa93..0000000
--- a/src/lib/krb4/klog.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * lib/krb4/klog.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2007 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "autoconf.h"
-#ifdef HAVE_TIME_H
-#include <time.h>
-#endif
-#if !defined(VMS) && !defined(_WIN32)
-#include <sys/time.h>
-#endif
-#include <stdio.h>
-
-#include "krb4int.h"
-#include <klog.h>
-#include "k5-platform.h"
-
-static char *log_name = KRBLOG;
-static char logtxt[1000];
-
-/*
- * This file contains two logging routines: kset_logfile()
- * to determine the file to which log entries should be written;
- * and klog() to write log entries to the file.
- */
-
-/*
- * klog() is used to add entries to the logfile (see kset_logfile()
- * below). Note that it is probably not portable since it makes
- * assumptions about what the compiler will do when it is called
- * with less than the correct number of arguments which is the
- * way it is usually called.
- *
- * The log entry consists of a timestamp and the given arguments
- * printed according to the given "format" string.
- *
- * The log file is opened and closed for each log entry.
- *
- * If the given log type "type" is unknown, or if the log file
- * cannot be opened, no entry is made to the log file.
- *
- * The return value is always a pointer to the formatted log
- * text string "logtxt".
- */
-
-char * klog(type,format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0)
- int type;
- char *format;
- char *a1,*a2,*a3,*a4,*a5,*a6,*a7,*a8,*a9,*a0;
-{
- FILE *logfile;
- time_t now;
- struct tm *tm;
- static int logtype_array[NLOGTYPE];
- static int array_initialized;
-
- if (!(array_initialized++)) {
- logtype_array[L_NET_ERR] = 1;
- logtype_array[L_KRB_PERR] = 1;
- logtype_array[L_KRB_PWARN] = 1;
- logtype_array[L_APPL_REQ] = 1;
- logtype_array[L_INI_REQ] = 1;
- logtype_array[L_DEATH_REQ] = 1;
- logtype_array[L_NTGT_INTK] = 1;
- logtype_array[L_ERR_SEXP] = 1;
- logtype_array[L_ERR_MKV] = 1;
- logtype_array[L_ERR_NKY] = 1;
- logtype_array[L_ERR_NUN] = 1;
- logtype_array[L_ERR_UNK] = 1;
- }
-
- (void) snprintf(logtxt,sizeof(logtxt),format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0);
-
- if (!logtype_array[type])
- return(logtxt);
-
- if ((logfile = fopen(log_name,"a")) == NULL)
- return(logtxt);
- set_cloexec_file(logfile);
-
- (void) time(&now);
- tm = localtime(&now);
-
- fprintf(logfile,"%2d-%s-%d %02d:%02d:%02d ",tm->tm_mday,
- month_sname(tm->tm_mon + 1),1900+tm->tm_year,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
- fprintf(logfile,"%s\n",logtxt);
- (void) fclose(logfile);
- return(logtxt);
-}
-
-/*
- * kset_logfile() changes the name of the file to which
- * messages are logged. If kset_logfile() is not called,
- * the logfile defaults to KRBLOG, defined in "krb.h".
- */
-
-void
-kset_logfile(filename)
- char *filename;
-{
- log_name = filename;
-}
diff --git a/src/lib/krb4/kname_parse.c b/src/lib/krb4/kname_parse.c
deleted file mode 100644
index db3a1cf..0000000
--- a/src/lib/krb4/kname_parse.c
+++ /dev/null
@@ -1,411 +0,0 @@
-/*
- * lib/krb4/kname_parse.c
- *
- * Copyright 1987, 1988, 2001 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <stdio.h>
-#include "krb.h"
-#include <string.h>
-
-static int k_isname_unparsed(const char *s);
-static int k_isinst_unparsed(const char *s);
-static int k_isrealm_unparsed(const char *s);
-
-/*
- * max size of full name
- *
- * XXX This does not account for backslach quoting, and besides we
- * might want to use MAX_K_NAME_SZ.
- */
-#define FULL_SZ (ANAME_SZ + INST_SZ + REALM_SZ)
-
-#define NAME 0 /* which field are we in? */
-#define INST 1
-#define REALM 2
-
-/*
- * This file contains four routines for handling Kerberos names.
- *
- * kname_parse() breaks a Kerberos name into its name, instance,
- * and realm components.
- *
- * k_isname(), k_isinst(), and k_isrealm() check a given string to see if
- * it's a syntactically legitimate respective part of a Kerberos name,
- * returning 1 if it is, 0 if it isn't.
- *
- * Definition of "syntactically legitimate" names is according to
- * the Project Athena Technical Plan Section E.2.1, page 7 "Specifying
- * names", version dated 21 Dec 1987.
- */
-
-/*
- * kname_parse() takes a Kerberos name "fullname" of the form:
- *
- * username[.instance][@realm]
- *
- * and returns the three components ("name", "instance", and "realm"
- * in the example above) in the given arguments "np", "ip", and "rp".
- *
- * If successful, it returns KSUCCESS. If there was an error,
- * KNAME_FMT is returned.
- *
- * For proper operation, this routine requires that the ip, np, and rp
- * arguments be initialized, either to null strings, or to default values
- * of name, instance, and realm. FIXME-gnu: Does anyone use it this way?
- */
-
-int KRB5_CALLCONV
-kname_parse(np, ip, rp, fullname)
- char *np;
- char *ip;
- char *rp;
- char *fullname;
-{
- char buf[FULL_SZ];
- char *rnext, *wnext; /* next char to read, write */
- register char c;
- int backslash;
- int field;
-
- backslash = 0;
- rnext = buf;
- wnext = np;
- field = NAME;
-
- if (strlen(fullname) > FULL_SZ)
- return KNAME_FMT;
- (void) strcpy(buf, fullname);
-
- while ((c = *rnext++)) {
- if (backslash) {
- *wnext++ = c;
- backslash = 0;
- continue;
- }
- switch (c) {
- case '\\':
- backslash++;
- break;
- case '.':
- switch (field) {
- case NAME:
- if (wnext == np)
- return KNAME_FMT;
- *wnext = '\0';
- field = INST;
- wnext = ip;
- break;
- case INST: /* We now allow period in instance */
- case REALM:
- *wnext++ = c;
- break;
- default:
- DEB (("unknown field value\n"));
- return KNAME_FMT;
- }
- break;
- case '@':
- switch (field) {
- case NAME:
- if (wnext == np)
- return KNAME_FMT;
- *ip = '\0';
- /* fall through */
- case INST:
- *wnext = '\0';
- field = REALM;
- wnext = rp;
- break;
- case REALM:
- return KNAME_FMT;
- default:
- DEB (("unknown field value\n"));
- return KNAME_FMT;
- }
- break;
- default:
- *wnext++ = c;
- }
- /*
- * Paranoia: check length each time through to ensure that we
- * don't overwrite things.
- */
- switch (field) {
- case NAME:
- if (wnext - np >= ANAME_SZ)
- return KNAME_FMT;
- break;
- case INST:
- if (wnext - ip >= INST_SZ)
- return KNAME_FMT;
- break;
- case REALM:
- if (wnext - rp >= REALM_SZ)
- return KNAME_FMT;
- break;
- default:
- DEB (("unknown field value\n"));
- return KNAME_FMT;
- }
- }
- *wnext = '\0';
- return KSUCCESS;
-}
-
-/*
- * k_isname() returns 1 if the given name is a syntactically legitimate
- * Kerberos name; returns 0 if it's not.
- */
-
-int KRB5_CALLCONV
-k_isname(s)
- char *s;
-{
- register char c;
- int backslash = 0;
-
- if (!*s)
- return 0;
- if (strlen(s) > ANAME_SZ - 1)
- return 0;
- while((c = *s++)) {
- if (backslash) {
- backslash = 0;
- continue;
- }
- switch(c) {
- case '\\':
- backslash = 1;
- break;
- case '.':
- return 0;
- /* break; */
- case '@':
- return 0;
- /* break; */
- }
- }
- return 1;
-}
-
-
-/*
- * k_isinst() returns 1 if the given name is a syntactically legitimate
- * Kerberos instance; returns 0 if it's not.
- *
- * We now allow periods in instance names -- they are unambiguous.
- */
-
-int KRB5_CALLCONV
-k_isinst(s)
- char *s;
-{
- register char c;
- int backslash = 0;
-
- if (strlen(s) > INST_SZ - 1)
- return 0;
- while((c = *s++)) {
- if (backslash) {
- backslash = 0;
- continue;
- }
- switch(c) {
- case '\\':
- backslash = 1;
- break;
- case '@':
- return 0;
- /* break; */
- }
- }
- return 1;
-}
-
-/*
- * k_isrealm() returns 1 if the given name is a syntactically legitimate
- * Kerberos realm; returns 0 if it's not.
- */
-
-int KRB5_CALLCONV
-k_isrealm(s)
- char *s;
-{
- register char c;
- int backslash = 0;
-
- if (!*s)
- return 0;
- if (strlen(s) > REALM_SZ - 1)
- return 0;
- while((c = *s++)) {
- if (backslash) {
- backslash = 0;
- continue;
- }
- switch(c) {
- case '\\':
- backslash = 1;
- break;
- case '@':
- return 0;
- /* break; */
- }
- }
- return 1;
-}
-
-int KRB5_CALLCONV
-kname_unparse(
- char *outFullName,
- const char *inName,
- const char *inInstance,
- const char *inRealm)
-{
- const char *read;
- char *write = outFullName;
-
- if (inName == NULL)
- return KFAILURE;
-
- if (outFullName == NULL)
- return KFAILURE;
-
- if (!k_isname_unparsed(inName) ||
- ((inInstance != NULL) && !k_isinst_unparsed(inInstance)) ||
- ((inRealm != NULL) && !k_isrealm_unparsed(inRealm))) {
-
- return KFAILURE;
- }
-
- for (read = inName; *read != '\0'; read++, write++) {
- if ((*read == '.') || (*read == '@')) {
- *write = '\\';
- write++;
- }
- *write = *read;
- }
-
- if ((inInstance != NULL) && (inInstance[0] != '\0')) {
- *write = '.';
- write++;
- for (read = inInstance; *read != '\0'; read++, write++) {
- if (*read == '@') {
- *write = '\\';
- write++;
- }
- *write = *read;
- }
- }
-
- if ((inRealm != NULL) && (inRealm[0] != '\0')) {
- *write = '@';
- write++;
- for (read = inRealm; *read != '\0'; read++, write++) {
- if (*read == '@') {
- *write = '\\';
- write++;
- }
- *write = *read;
- }
- }
-
- *write = '\0';
- return KSUCCESS;
-}
-
-/*
- * k_isname, k_isrealm, k_isinst expect an unparsed realm -- i.e., one where all
- * components have special characters escaped with \. However,
- * for kname_unparse, we need to be able to sanity-check components without \.
- * That's what k_is*_unparsed are for.
- */
-
-static int
-k_isname_unparsed(const char *s)
-{
- int len = strlen(s);
- const char* c;
- /* Has to be non-empty and has to fit in ANAME_SZ when escaped with \ */
-
- if (!*s)
- return 0;
-
- for (c = s; *c != '\0'; c++) {
- switch (*c) {
- case '.':
- case '@':
- len++;
- break;
- }
- }
-
- if (len > ANAME_SZ - 1)
- return 0;
- return 1;
-}
-
-static int
-k_isinst_unparsed(const char *s)
-{
- int len = strlen(s);
- const char* c;
- /* Has to fit in INST_SZ when escaped with \ */
-
- for (c = s; *c != '\0'; c++) {
- switch (*c) {
- case '.':
- case '@':
- len++;
- break;
- }
- }
-
- if (len > INST_SZ - 1)
- return 0;
- return 1;
-}
-
-static int
-k_isrealm_unparsed(const char *s)
-{
- int len = strlen(s);
- const char* c;
- /* Has to be non-empty and has to fit in REALM_SZ when escaped with \ */
-
- if (!*s)
- return 0;
-
- for (c = s; *c != '\0'; c++) {
- switch (*c) {
- case '@':
- len++;
- break;
- }
- }
-
- if (len > REALM_SZ - 1)
- return 0;
- return 1;
-}
diff --git a/src/lib/krb4/kntoln.c b/src/lib/krb4/kntoln.c
deleted file mode 100644
index ca48381..0000000
--- a/src/lib/krb4/kntoln.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * kntoln.c
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-#include <string.h>
-
-/*
- * krb_kntoln converts an auth name into a local name by looking up
- * the auth name in the /etc/aname file. The format of the aname
- * file is:
- *
- * +-----+-----+-----+-----+------+----------+-------+-------+
- * | anl | inl | rll | lnl | name | instance | realm | lname |
- * +-----+-----+-----+-----+------+----------+-------+-------+
- * | 1by | 1by | 1by | 1by | name | instance | realm | lname |
- * +-----+-----+-----+-----+------+----------+-------+-------+
- *
- * If the /etc/aname file can not be opened it will set the
- * local name to the auth name. Thus, in this case it performs as
- * the identity function.
- *
- * The name instance and realm are passed to krb_kntoln through
- * the AUTH_DAT structure (ad).
- *
- * Now here's what it *really* does:
- *
- * Given a Kerberos name in an AUTH_DAT structure, check that the
- * instance is null, and that the realm is the same as the local
- * realm, and return the principal's name in "lname". Return
- * KSUCCESS if all goes well, otherwise KFAILURE.
- */
-
-/* The definition of MAX_USERNAME here MUST agree with kuserok.c, or bad
- * things will happen. */
-#define MAX_USERNAME 10
-
-int
-krb_kntoln(ad,lname)
- AUTH_DAT *ad;
- char *lname;
-{
- static char lrealm[REALM_SZ];
-
- if (!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE))
- return(KFAILURE);
-
- if (strcmp(ad->pinst,""))
- return(KFAILURE);
- if (strcmp(ad->prealm,lrealm))
- return(KFAILURE);
- (void) strncpy(lname,ad->pname,MAX_USERNAME-1);
- lname[MAX_USERNAME - 1] = '\0';
- return(KSUCCESS);
-}
diff --git a/src/lib/krb4/krb4int.h b/src/lib/krb4/krb4int.h
deleted file mode 100644
index 51b1138..0000000
--- a/src/lib/krb4/krb4int.h
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * lib/krb4/krb4int.h
- *
- * Copyright 2001-2002, 2007 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * A series of private prototypes that we are not exporting but should
- * be available for self consistancy in the library.
- */
-
-#include "port-sockets.h"
-
-/* ad_print.c */
-void ad_print(AUTH_DAT *x);
-
-/* fgetst.c */
-int fgetst(FILE *, char *, int);
-
-/* getst.c */
-int getst(int, char *, int);
-
-/* g_cnffile.c */
-FILE *krb__get_realmsfile(void);
-
-FILE *krb__get_cnffile(void);
-
-/* g_svc_in_tkt.c */
-int krb_svc_init(char *, char *, char *, int, char *, char *);
-int krb_svc_init_preauth(char *, char *, char *, int, char *, char *);
-
-int krb_get_svc_in_tkt_preauth(char *, char *, char *, char *, char *, int, char *);
-
-/* gethostname.c */
-int k_gethostname(char *, int);
-
-/* g_in_tkt.c */
-int krb_get_in_tkt_preauth_creds(char *, char *, char *,
- char *, char *, int,
- key_proc_type, decrypt_tkt_type,
- char *, char *, int, CREDENTIALS *, KRB_UINT32 *);
-
-/* klog.c */
-void kset_logfile(char *);
-
-/* log.c */
-void krb_log(const char *, ...)
-#if !defined(__cplusplus) && (__GNUC__ > 2)
- __attribute__((__format__(__printf__, 1, 2)))
-#endif
- ;
-
-void krb_set_logfile(char *);
-
-/* month_sname.c */
-const char * month_sname(int);
-
-/* password_to_key.c */
-key_proc_type *krb_get_keyprocs (key_proc_type keyproc);
-int KRB5_CALLCONV mit_passwd_to_key(char *user, char *instance, char *realm,
- char *passwd, C_Block key);
-int KRB5_CALLCONV krb5_passwd_to_key(char *user, char *instance, char *realm,
- char *passwd, C_Block key);
-int KRB5_CALLCONV afs_passwd_to_key(char *user, char *instance, char *realm,
- char *passwd, C_Block key);
-
-/* rd_preauth.c */
-#ifdef KRB_DB_DEFS
-int krb_rd_preauth(KTEXT, char *, int, Principal *, des_cblock);
-#endif
-
-/* sendauth.c */
-int krb_net_rd_sendauth(int, KTEXT, KRB4_32 *);
-
-/* stime.c */
-char *krb_stime(long *);
-
-/* tf_util.c */
-int tf_save_cred(char *, char *, char *, C_Block, int , int, KTEXT, KRB4_32);
-
-
-/* unix_glue.c */
-int krb_start_session(char *);
-
-int krb_end_session(char *);
-
-#ifndef _WIN32
-/* For windows users, these are defined in krb.h */
-char *krb_get_default_user (void);
-
-int krb_set_default_user (char *);
-#endif
-
-/* RealmConfig-glue.c */
-int krb_get_kpasswdhst(char *, char *, int);
-
-/* err_txt.c */
-void krb4int_et_init(void);
-void krb4int_et_fini(void);
-
-int krb4int_save_credentials_addr(
- char *, char *, char *, C_Block, int, int, KTEXT, KRB4_32, KRB_UINT32);
-
-int krb4int_send_to_kdc_addr(KTEXT, KTEXT, char *,
- struct sockaddr *, socklen_t *);
-
-/*
- * Exported by libdes425 and called by krb_get_in_pw_tkt, but not part of
- * the standard DES interface and therefore not prototyped in des.h.
- */
-int KRB5_CALLCONV des_read_pw_string(char *, int, char *, int);
diff --git a/src/lib/krb4/krb_err.et b/src/lib/krb4/krb_err.et
deleted file mode 100644
index c4f225d..0000000
--- a/src/lib/krb4/krb_err.et
+++ /dev/null
@@ -1,776 +0,0 @@ -# Copyright 1987,1988 Massachusetts Institute of Technology -# -# For copying and distribution information, see the file -# "mit-copyright.h". -# -# - error_table krb - - ec KRBET_KSUCCESS, - "Kerberos successful" - - ec KRBET_KDC_NAME_EXP, - "Kerberos principal expired" - - ec KRBET_KDC_SERVICE_EXP, - "Kerberos service expired" - - ec KRBET_KDC_AUTH_EXP, - "Kerberos auth expired" - - ec KRBET_KDC_PKT_VER, - "Unknown kerberos protocol version" - - ec KRBET_KDC_P_MKEY_VER, - "Incorrect kerberos master key version for principal" - - ec KRBET_KDC_S_MKEY_VER, - "Incorrect kerberos master key version for service" - - ec KRBET_KDC_BYTE_ORDER, - "Bad byte order (kerberos)" - - ec KRBET_KDC_PR_UNKNOWN, - "Kerberos principal unknown" - - ec KRBET_KDC_PR_N_UNIQUE, - "Kerberos principal not unique" - - ec KRBET_KDC_NULL_KEY, - "Kerberos principal has null key" - - ec KRBET_KRB_RES11, - "Reserved error message 11 (kerberos)" - - ec KRBET_KRB_RES12, - "Reserved error message 12 (kerberos)" - - ec KRBET_KRB_RES13, - "Reserved error message 13 (kerberos)" - - ec KRBET_KRB_RES14, - "Reserved error message 14 (kerberos)" - - ec KRBET_KRB_RES15, - "Reserved error message 15 (kerberos)" - - ec KRBET_KRB_RES16, - "Reserved error message 16 (kerberos)" - - ec KRBET_KRB_RES17, - "Reserved error message 17 (kerberos)" - - ec KRBET_KRB_RES18, - "Reserved error message 18 (kerberos)" - - ec KRBET_KRB_RES19, - "Reserved error message 19 (kerberos)" - - ec KRBET_KDC_GEN_ERR, - "Generic error from Kerberos KDC" - - ec KRBET_GC_TKFIL, - "Can't read Kerberos ticket file" - - ec KRBET_GC_NOTKT, - "Can't find Kerberos ticket or TGT" - - ec KRBET_KRB_RES23, - "Reserved error message 23 (krb_get_cred)" - - ec KRBET_KRB_RES24, - "Reserved error message 24 (krb_get_cred)" - - ec KRBET_KRB_RES25, - "Reserved error message 25 (krb_get_cred)" - - ec KRBET_MK_AP_TGTEXP, - "Kerberos TGT Expired" - - ec KRBET_KRB_RES27, - "Reserved error message 27 (krb_mk_req)" - - ec KRBET_KRB_RES28, - 
"Reserved error message 28 (krb_mk_req)" - - ec KRBET_KRB_RES29, - "Reserved error message 29 (krb_mk_req)" - - ec KRBET_KRB_RES30, - "Reserved error message 30 (krb_mk_req)" - - ec KRBET_RD_AP_UNDEC, - "Can't decode authenticator (krb_rd_req)" - - ec KRBET_RD_AP_EXP, - "Kerberos ticket expired (krb_rd_req)" - - ec KRBET_RD_AP_NYV, - "Kerberos ticket not yet valid (krb_rd_req)" - - ec KRBET_RD_AP_REPEAT, - "Repeated request (krb_rd_req)" - - ec KRBET_RD_AP_NOT_US, - "Kerberos ticket is for wrong server (krb_rd_req)" - - ec KRBET_RD_AP_INCON, - "Kerberos request inconsistent" - - ec KRBET_RD_AP_TIME, - "Time is out of bounds (krb_rd_req)" - - ec KRBET_RD_AP_BADD, - "Incorrect net address (krb_rd_req)" - - ec KRBET_RD_AP_VERSION, - "Kerberos protocol version mismatch (krb_rd_req)" - - ec KRBET_RD_AP_MSG_TYPE, - "Invalid msg type (krb_rd_req)" - - ec KRBET_RD_AP_MODIFIED, - "Message integrity error (krb_rd_req)" - - ec KRBET_RD_AP_ORDER, - "Message out of order (krb_rd_req)" - - ec KRBET_RD_AP_UNAUTHOR, - "Unauthorized request (krb_rd_req)" - - ec KRBET_KRB_RES44, - "Reserved error message 44 (krb_rd_req)" - - ec KRBET_KRB_RES45, - "Reserved error message 45 (krb_rd_req)" - - ec KRBET_KRB_RES46, - "Reserved error message 46 (krb_rd_req)" - - ec KRBET_KRB_RES47, - "Reserved error message 47 (krb_rd_req)" - - ec KRBET_KRB_RES48, - "Reserved error message 48 (krb_rd_req)" - - ec KRBET_KRB_RES49, - "Reserved error message 49 (krb_rd_req)" - - ec KRBET_KRB_RES50, - "Reserved error message 50 (krb_rd_req)" - - ec KRBET_GT_PW_NULL, - "Current password is null (get_pw_tkt)" - - ec KRBET_GT_PW_BADPW, - "Incorrect current password (get_pw_tkt)" - - ec KRBET_GT_PW_PROT, - "Protocol error (get_pw_tkt)" - - ec KRBET_GT_PW_KDCERR, - "Error returned by KDC (get_pw_tkt)" - - ec KRBET_GT_PW_NULLTKT, - "Null Kerberos ticket returned by KDC (get_pw_tkt)" - - ec KRBET_SKDC_RETRY, - "Retry count exceeded (send_to_kdc)" - - ec KRBET_SKDC_CANT, - "Can't send request (send_to_kdc)" - - ec 
KRBET_KRB_RES58, - "Reserved error message 58 (send_to_kdc)" - - ec KRBET_KRB_RES59, - "Reserved error message 59 (send_to_kdc)" - - ec KRBET_KRB_RES60, - "Reserved error message 60 (send_to_kdc)" - - ec KRBET_INTK_W_NOTALL, - "Kerberos error: not all tickets returned" - - ec KRBET_INTK_BADPW, - "Incorrect password (get_in_tkt)" - - ec KRBET_INTK_PROT, - "Protocol error (get_in_tkt)" - - ec KRBET_KRB_RES64, - "Reserved error message 64 (get_in_tkt)" - - ec KRBET_KRB_RES65, - "Reserved error message 65 (get_in_tkt)" - - ec KRBET_KRB_RES66, - "Reserved error message 66 (get_in_tkt)" - - ec KRBET_KRB_RES67, - "Reserved error message 67 (get_in_tkt)" - - ec KRBET_KRB_RES68, - "Reserved error message 68 (get_in_tkt)" - - ec KRBET_KRB_RES69, - "Reserved error message 69 (get_in_tkt)" - - ec KRBET_INTK_ERR, - "Other error (get_in_tkt)" - - ec KRBET_AD_NOTGT, - "Don't have Kerberos ticket-granting ticket (get_ad_tkt)" - - ec KRBET_KRB_RES72, - "Reserved error message 72 (get_ad_tkt)" - - ec KRBET_KRB_RES73, - "Reserved error message 73 (get_ad_tkt)" - - ec KRBET_KRB_RES74, - "Reserved error message 74 (get_ad_tkt)" - - ec KRBET_KRB_RES75, - "Reserved error message 75 (get_ad_tkt)" - - ec KRBET_NO_TKT_FIL, - "You have no tickets cached" - - ec KRBET_TKT_FIL_ACC, - "Couldn't access ticket file (tf_util)" - - ec KRBET_TKT_FIL_LCK, - "Couldn't lock ticket file (tf_util)" - - ec KRBET_TKT_FIL_FMT, - "Bad ticket file format (tf_util)" - - ec KRBET_TKT_FIL_INI, - "tf_init not called before reading from ticket file (tf_util)" - - ec KRBET_KNAME_FMT, - "Bad Kerberos name format (kname_parse)" - - ec KRBET_RES82, - "Reserved error message 82" - - ec KRBET_RES83, - "Reserved error message 83" - - ec KRBET_RES84, - "Reserved error message 84" - - ec KRBET_RES85, - "Reserved error message 85" - - ec KRBET_RES86, - "Reserved error message 86" - - ec KRBET_RES87, - "Reserved error message 87" - - ec KRBET_RES88, - "Reserved error message 88" - - ec KRBET_RES89, - "Reserved error message 
89" - - ec KRBET_RES90, - "Reserved error message 90" - - ec KRBET_RES91, - "Reserved error message 91" - - ec KRBET_RES92, - "Reserved error message 92" - - ec KRBET_RES93, - "Reserved error message 93" - - ec KRBET_RES94, - "Reserved error message 94" - - ec KRBET_RES95, - "Reserved error message 95" - - ec KRBET_RES96, - "Reserved error message 96" - - ec KRBET_RES97, - "Reserved error message 97" - - ec KRBET_RES98, - "Reserved error message 98" - - ec KRBET_RES99, - "Reserved error message 99" - - ec KRBET_RES100, - "Reserved error message 100" - - ec KRBET_RES101, - "Reserved error message 101" - - ec KRBET_RES102, - "Reserved error message 102" - - ec KRBET_RES103, - "Reserved error message 103" - - ec KRBET_RES104, - "Reserved error message 104" - - ec KRBET_RES105, - "Reserved error message 105" - - ec KRBET_RES106, - "Reserved error message 106" - - ec KRBET_RES107, - "Reserved error message 107" - - ec KRBET_RES108, - "Reserved error message 108" - - ec KRBET_RES109, - "Reserved error message 109" - - ec KRBET_RES110, - "Reserved error message 110" - - ec KRBET_RES111, - "Reserved error message 111" - - ec KRBET_RES112, - "Reserved error message 112" - - ec KRBET_RES113, - "Reserved error message 113" - - ec KRBET_RES114, - "Reserved error message 114" - - ec KRBET_RES115, - "Reserved error message 115" - - ec KRBET_RES116, - "Reserved error message 116" - - ec KRBET_RES117, - "Reserved error message 117" - - ec KRBET_RES118, - "Reserved error message 118" - - ec KRBET_RES119, - "Reserved error message 119" - - ec KRBET_RES120, - "Reserved error message 120" - - ec KRBET_RES121, - "Reserved error message 121" - - ec KRBET_RES122, - "Reserved error message 122" - - ec KRBET_RES123, - "Reserved error message 123" - - ec KRBET_RES124, - "Reserved error message 124" - - ec KRBET_RES125, - "Reserved error message 125" - - ec KRBET_RES126, - "Reserved error message 126" - - ec KRBET_RES127, - "Reserved error message 127" - - ec KRBET_RES128, - "Reserved error 
message 128" - - ec KRBET_RES129, - "Reserved error message 129" - - ec KRBET_RES130, - "Reserved error message 130" - - ec KRBET_RES131, - "Reserved error message 131" - - ec KRBET_RES132, - "Reserved error message 132" - - ec KRBET_RES133, - "Reserved error message 133" - - ec KRBET_RES134, - "Reserved error message 134" - - ec KRBET_RES135, - "Reserved error message 135" - - ec KRBET_RES136, - "Reserved error message 136" - - ec KRBET_RES137, - "Reserved error message 137" - - ec KRBET_RES138, - "Reserved error message 138" - - ec KRBET_RES139, - "Reserved error message 139" - - ec KRBET_RES140, - "Reserved error message 140" - - ec KRBET_RES141, - "Reserved error message 141" - - ec KRBET_RES142, - "Reserved error message 142" - - ec KRBET_RES143, - "Reserved error message 143" - - ec KRBET_RES144, - "Reserved error message 144" - - ec KRBET_RES145, - "Reserved error message 145" - - ec KRBET_RES146, - "Reserved error message 146" - - ec KRBET_RES147, - "Reserved error message 147" - - ec KRBET_RES148, - "Reserved error message 148" - - ec KRBET_RES149, - "Reserved error message 149" - - ec KRBET_RES150, - "Reserved error message 150" - - ec KRBET_RES151, - "Reserved error message 151" - - ec KRBET_RES152, - "Reserved error message 152" - - ec KRBET_RES153, - "Reserved error message 153" - - ec KRBET_RES154, - "Reserved error message 154" - - ec KRBET_RES155, - "Reserved error message 155" - - ec KRBET_RES156, - "Reserved error message 156" - - ec KRBET_RES157, - "Reserved error message 157" - - ec KRBET_RES158, - "Reserved error message 158" - - ec KRBET_RES159, - "Reserved error message 159" - - ec KRBET_RES160, - "Reserved error message 160" - - ec KRBET_RES161, - "Reserved error message 161" - - ec KRBET_RES162, - "Reserved error message 162" - - ec KRBET_RES163, - "Reserved error message 163" - - ec KRBET_RES164, - "Reserved error message 164" - - ec KRBET_RES165, - "Reserved error message 165" - - ec KRBET_RES166, - "Reserved error message 166" - - ec 
KRBET_RES167, - "Reserved error message 167" - - ec KRBET_RES168, - "Reserved error message 168" - - ec KRBET_RES169, - "Reserved error message 169" - - ec KRBET_RES170, - "Reserved error message 170" - - ec KRBET_RES171, - "Reserved error message 171" - - ec KRBET_RES172, - "Reserved error message 172" - - ec KRBET_RES173, - "Reserved error message 173" - - ec KRBET_RES174, - "Reserved error message 174" - - ec KRBET_RES175, - "Reserved error message 175" - - ec KRBET_RES176, - "Reserved error message 176" - - ec KRBET_RES177, - "Reserved error message 177" - - ec KRBET_RES178, - "Reserved error message 178" - - ec KRBET_RES179, - "Reserved error message 179" - - ec KRBET_RES180, - "Reserved error message 180" - - ec KRBET_RES181, - "Reserved error message 181" - - ec KRBET_RES182, - "Reserved error message 182" - - ec KRBET_RES183, - "Reserved error message 183" - - ec KRBET_RES184, - "Reserved error message 184" - - ec KRBET_RES185, - "Reserved error message 185" - - ec KRBET_RES186, - "Reserved error message 186" - - ec KRBET_RES187, - "Reserved error message 187" - - ec KRBET_RES188, - "Reserved error message 188" - - ec KRBET_RES189, - "Reserved error message 189" - - ec KRBET_RES190, - "Reserved error message 190" - - ec KRBET_RES191, - "Reserved error message 191" - - ec KRBET_RES192, - "Reserved error message 192" - - ec KRBET_RES193, - "Reserved error message 193" - - ec KRBET_RES194, - "Reserved error message 194" - - ec KRBET_RES195, - "Reserved error message 195" - - ec KRBET_RES196, - "Reserved error message 196" - - ec KRBET_RES197, - "Reserved error message 197" - - ec KRBET_RES198, - "Reserved error message 198" - - ec KRBET_RES199, - "Reserved error message 199" - - ec KRBET_RES200, - "Reserved error message 200" - - ec KRBET_RES201, - "Reserved error message 201" - - ec KRBET_RES202, - "Reserved error message 202" - - ec KRBET_RES203, - "Reserved error message 203" - - ec KRBET_RES204, - "Reserved error message 204" - - ec KRBET_RES205, - 
"Reserved error message 205" - - ec KRBET_RES206, - "Reserved error message 206" - - ec KRBET_RES207, - "Reserved error message 207" - - ec KRBET_RES208, - "Reserved error message 208" - - ec KRBET_RES209, - "Reserved error message 209" - - ec KRBET_RES210, - "Reserved error message 210" - - ec KRBET_RES211, - "Reserved error message 211" - - ec KRBET_RES212, - "Reserved error message 212" - - ec KRBET_RES213, - "Reserved error message 213" - - ec KRBET_RES214, - "Reserved error message 214" - - ec KRBET_RES215, - "Reserved error message 215" - - ec KRBET_RES216, - "Reserved error message 216" - - ec KRBET_RES217, - "Reserved error message 217" - - ec KRBET_RES218, - "Reserved error message 218" - - ec KRBET_RES219, - "Reserved error message 219" - - ec KRBET_RES220, - "Reserved error message 220" - - ec KRBET_RES221, - "Reserved error message 221" - - ec KRBET_RES222, - "Reserved error message 222" - - ec KRBET_RES223, - "Reserved error message 223" - - ec KRBET_RES224, - "Reserved error message 224" - - ec KRBET_RES225, - "Reserved error message 225" - - ec KRBET_RES226, - "Reserved error message 226" - - ec KRBET_RES227, - "Reserved error message 227" - - ec KRBET_RES228, - "Reserved error message 228" - - ec KRBET_RES229, - "Reserved error message 229" - - ec KRBET_RES230, - "Reserved error message 230" - - ec KRBET_RES231, - "Reserved error message 231" - - ec KRBET_RES232, - "Reserved error message 232" - - ec KRBET_RES233, - "Reserved error message 233" - - ec KRBET_RES234, - "Reserved error message 234" - - ec KRBET_RES235, - "Reserved error message 235" - - ec KRBET_RES236, - "Reserved error message 236" - - ec KRBET_RES237, - "Reserved error message 237" - - ec KRBET_RES238, - "Reserved error message 238" - - ec KRBET_RES239, - "Reserved error message 239" - - ec KRBET_RES240, - "Reserved error message 240" - - ec KRBET_RES241, - "Reserved error message 241" - - ec KRBET_RES242, - "Reserved error message 242" - - ec KRBET_RES243, - "Reserved error message 
243" - - ec KRBET_RES244, - "Reserved error message 244" - - ec KRBET_RES245, - "Reserved error message 245" - - ec KRBET_RES246, - "Reserved error message 246" - - ec KRBET_RES247, - "Reserved error message 247" - - ec KRBET_RES248, - "Reserved error message 248" - - ec KRBET_RES249, - "Reserved error message 249" - - ec KRBET_RES250, - "Reserved error message 250" - - ec KRBET_RES251, - "Reserved error message 251" - - ec KRBET_RES252, - "Reserved error message 252" - - ec KRBET_RES253, - "Reserved error message 253" - - ec KRBET_RES254, - "Reserved error message 254" - - ec KRBET_KFAILURE, - "Generic kerberos error (kfailure)" - end diff --git a/src/lib/krb4/kuserok.c b/src/lib/krb4/kuserok.c deleted file mode 100644 index 84a8ebd..0000000 --- a/src/lib/krb4/kuserok.c +++ /dev/null 
@@ -1,190 +0,0 @@ -/* - * lib/krb4/kuserok.c - * - * Copyright 1987, 1988, 2007 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- * - * kuserok: check if a kerberos principal has - * access to a local account - */ - -#include "krb.h" - -#if !defined(_WIN32) - -#include <stdio.h> -#include <pwd.h> -#include <sys/param.h> -#include <sys/stat.h> -#include <sys/file.h> -#include <string.h> -#include "autoconf.h" -#ifdef HAVE_UNISTD_H -#include <unistd.h> -#endif -#ifdef __SCO__ -/* just for F_OK for sco */ -#include <sys/unistd.h> -#endif -#include "k5-platform.h" - -#ifndef HAVE_SETEUID -#ifdef HAVE_SETRESUID -#define seteuid(e) setresuid(-1,e,-1) -#define setegid(e) setresgid(-1,e,-1) -#endif -#endif - -#define OK 0 -#define NOTOK 1 -#define MAX_USERNAME 10 - -/* - * Given a Kerberos principal "kdata", and a local username "luser", - * determine whether user is authorized to login according to the - * authorization file ("~luser/.klogin" by default). Returns OK - * if authorized, NOTOK if not authorized. - * - * If there is no account for "luser" on the local machine, returns - * NOTOK. If there is no authorization file, and the given Kerberos - * name "kdata" translates to the same name as "luser" (using - * krb_kntoln()), returns OK. Otherwise, if the authorization file - * can't be accessed, returns NOTOK. Otherwise, the file is read for - * a matching principal name, instance, and realm. If one is found, - * returns OK, if none is found, returns NOTOK. - * - * The file entries are in the format: - * - * name.instance@realm - * - * one entry per line. 
- * - */ - -int KRB5_CALLCONV -kuserok(kdata, luser) - AUTH_DAT *kdata; - char *luser; -{ - struct stat sbuf; - struct passwd *pwd; - char pbuf[MAXPATHLEN]; - int isok = NOTOK, rc; - FILE *fp; - char kuser[MAX_USERNAME]; - char principal[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ]; - char linebuf[BUFSIZ]; - char *newline; - int gobble; - - /* no account => no access */ - if ((pwd = getpwnam(luser)) == NULL) { - return(NOTOK); - } - if (strlen (pwd->pw_dir) + sizeof ("/.klogin") >= sizeof (pbuf)) - return NOTOK; - (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1); - pbuf[sizeof(pbuf) - 1] = '\0'; - (void) strncat(pbuf, "/.klogin", sizeof(pbuf) - 1 - strlen(pbuf)); - - if (access(pbuf, F_OK)) { /* not accessible */ - /* - * if he's trying to log in as himself, and there is no .klogin file, - * let him. To find out, call - * krb_kntoln to convert the triple in kdata to a name which we can - * string compare. - */ - if (!krb_kntoln(kdata, kuser) && (strcmp(kuser, luser) == 0)) { - return(OK); - } - } - /* open ~/.klogin */ - if ((fp = fopen(pbuf, "r")) == NULL) { - /* however, root might not have enough access, so temporarily switch - * over to the user's uid, try the access again, and switch back - */ - if(getuid() == 0) { - uid_t old_euid = geteuid(); - if (seteuid(pwd->pw_uid) < 0) - return NOTOK; - fp = fopen(pbuf, "r"); - if (seteuid(old_euid) < 0) - return NOTOK; - if ((fp) == NULL) { - return(NOTOK); - } - } else { - return(NOTOK); - } - } - set_cloexec_file(fp); - /* - * security: if the user does not own his own .klogin file, - * do not grant access - */ - if (fstat(fileno(fp), &sbuf)) { - fclose(fp); - return(NOTOK); - } - /* - * however, allow root to own the .klogin file, to allow creative - * access management schemes. 
- */ - if (sbuf.st_uid && (sbuf.st_uid != pwd->pw_uid)) { - fclose(fp); - return(NOTOK); - } - - /* check each line */ - while ((isok != OK) && (fgets(linebuf, BUFSIZ, fp) != NULL)) { - /* null-terminate the input string */ - linebuf[BUFSIZ-1] = '\0'; - newline = NULL; - /* nuke the newline if it exists */ - if ((newline = strchr(linebuf, '\n'))) - *newline = '\0'; - - /* Default the fields (default realm is filled in later) */ - principal[0] = '\0'; - inst[0] = '\0'; - realm[0] = '\0'; - rc = kname_parse(principal, inst, realm, linebuf); - if (rc == KSUCCESS) { - if (realm[0] == '\0') { - rc = krb_get_lrealm(realm, 1); - if (rc != KSUCCESS) - goto nextline; - } - isok = (strncmp(kdata->pname, principal, ANAME_SZ) || - strncmp(kdata->pinst, inst, INST_SZ) || - strncmp(kdata->prealm, realm, REALM_SZ)); - } - nextline: - /* clean up the rest of the line if necessary */ - if (!newline) - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); - } - fclose(fp); - return(isok); -} - -#endif diff --git a/src/lib/krb4/libkrb4.exports b/src/lib/krb4/libkrb4.exports deleted file mode 100644 index acb1169..0000000 --- a/src/lib/krb4/libkrb4.exports +++ /dev/null 
@@ -1,157 +0,0 @@
-__krb_sendauth_hidden_tkt_len
-ad_print
-afs_passwd_to_key
-cr_err_reply
-create_auth_reply
-create_ciph
-decomp_ticket
-decomp_tkt_krb5
-dest_tkt
-et_kadm_error_table
-et_krb_error_table
-fgetst
-get_ad_tkt
-get_pw_tkt
-get_service_key
-getst
-in_tkt
-initialize_kadm_error_table
-initialize_krb_error_table
-k_gethostname
-k_isinst
-k_isname
-k_isrealm
-kadm_build_field_header
-kadm_check_field_header
-kadm_cli_conn
-kadm_cli_disconn
-kadm_cli_keyd
-kadm_cli_out
-kadm_cli_send
-kadm_init_link
-kadm_stream_to_vals
-kadm_stv_char
-kadm_stv_long
-kadm_stv_short
-kadm_stv_string
-kadm_vals_to_stream
-kadm_vts_char
-kadm_vts_long
-kadm_vts_short
-kadm_vts_string
-klog
-kname_parse
-kname_unparse
-krb4int_address_less
-krb4int_et_fini
-krb4int_et_init
-krb4int_save_credentials_addr
-krb4int_send_to_kdc_addr
-krb4int_strnlen
-krb4prot_decode_ciph
-krb4prot_decode_error
-krb4prot_decode_header
-krb4prot_decode_kdc_reply
-krb4prot_decode_kdc_request
-krb4prot_decode_naminstrlm
-krb4prot_encode_apreq
-krb4prot_encode_authent
-krb4prot_encode_ciph
-krb4prot_encode_err_reply
-krb4prot_encode_kdc_reply
-krb4prot_encode_kdc_request
-krb4prot_encode_naminstrlm
-krb4prot_encode_tkt
-krb54_get_service_keyblock
-krb5__krb4_context
-krb5_passwd_to_key
-krb__get_cnffile
-krb__get_realmsfile
-krb__get_srvtabname
-krb_ap_req_debug
-krb_change_password
-krb_check_auth
-krb_clear_key_krb5
-krb_cr_tkt_krb5
-krb_create_ticket
-krb_debug
-krb_end_session
-krb_err_txt
-krb_free_preauth
-krb_get_admhst
-krb_get_cred
-krb_get_default_user
-krb_get_err_text
-krb_get_in_tkt
-krb_get_in_tkt_creds
-krb_get_in_tkt_preauth
-krb_get_in_tkt_preauth_creds
-krb_get_keyprocs
-krb_get_kpasswdhst
-krb_get_krbhst
-krb_get_lrealm
-krb_get_phost
-krb_get_profile
-krb_get_pw_in_tkt
-krb_get_pw_in_tkt_creds
-krb_get_pw_in_tkt_preauth
-krb_get_svc_in_tkt
-krb_get_svc_in_tkt_preauth
-krb_get_tf_fullname
-krb_get_tf_realm
-krb_get_ticket_for_service
-krb_ignore_ip_address
-krb_in_tkt
-krb_kntoln
-krb_life_to_time
-krb_log
-krb_mk_auth
-krb_mk_err
-krb_mk_preauth
-krb_mk_priv
-krb_mk_req
-krb_mk_req_creds
-krb_mk_safe
-krb_net_rd_sendauth
-krb_net_read
-krb_net_write
-krb_rd_err
-krb_rd_preauth
-krb_rd_priv
-krb_rd_req
-krb_rd_req_int
-krb_rd_safe
-krb_realmofhost
-krb_recvauth
-krb_save_credentials
-krb_sendauth
-krb_set_default_user
-krb_set_key
-krb_set_key_krb5
-krb_set_lifetime
-krb_set_logfile
-krb_set_tkt_string
-krb_start_session
-krb_stime
-krb_svc_init
-krb_svc_init_preauth
-krb_time_to_life
-kset_logfile
-kuserok
-mit_passwd_to_key
-month_sname
-pkt_cipher
-pkt_clen
-private_msg_ver
-put_svc_key
-read_service_key
-send_to_kdc
-swap_bytes
-tf_close
-tf_get_cred
-tf_get_pinst
-tf_get_pname
-tf_init
-tf_save_cred
-tkt_string
-unix_time_gmt_unixsec
diff --git a/src/lib/krb4/lifetime.c b/src/lib/krb4/lifetime.c
deleted file mode 100644
index 826e090..0000000
--- a/src/lib/krb4/lifetime.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright 2000, 2001, 2003 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "krb.h"
-#include "k5-int.h"
-
-/*
- * krb_life_to_time
- *
- * Given a start date and a lifetime byte, compute the expiration
- * date.
- */
-KRB4_32 KRB5_CALLCONV
-krb_life_to_time(KRB4_32 start, int life)
-{
- krb5int_access k5internals;
-
- if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
- || k5internals.krb_life_to_time == NULL)
- return start;
- return k5internals.krb_life_to_time(start, life);
-}
-
-/*
- * krb_time_to_life
- *
- * Given the start date and the end date, compute the lifetime byte.
- * Round up, since we can adjust the start date backwards if we are
- * issuing the ticket to cause it to expire at the correct time.
- */
-int KRB5_CALLCONV
-krb_time_to_life(KRB4_32 start, KRB4_32 end)
-{
- krb5int_access k5internals;
-
- if (krb5int_accessor(&k5internals, KRB5INT_ACCESS_VERSION)
- || k5internals.krb_time_to_life == NULL)
- return 0;
- return k5internals.krb_time_to_life(start, end);
-}
diff --git a/src/lib/krb4/log.c b/src/lib/krb4/log.c
deleted file mode 100644
index 5be69ea..0000000
--- a/src/lib/krb4/log.c
+++ /dev/null
@@ -1,151 +0,0 @@
-/*
- * lib/krb4/log.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2007 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#ifdef KRB_CRYPT_DEBUG
-/* This file used to contain log() and set_logfile(). If you define
- KRB_CRYPT_DEBUG, you'll need to define those to point to krb_log and
- krb_set_logfile, or change all the invokers. */
-#endif
-
-#include "krb.h"
-#include "autoconf.h"
-#ifdef HAVE_TIME_H
-#include <time.h>
-#endif
-#if !defined(VMS) && !defined(_WIN32)
-#include <sys/time.h>
-#endif
-#include <stdio.h>
-#include <stdarg.h>
-
-#include "krb4int.h"
-#include <klog.h>
-#include "k5-platform.h"
-
-static char *log_name = KRBLOG;
-#if 0
-static is_open;
-#endif
-
-/*
- * This file contains three logging routines: set_logfile()
- * to determine the file that log entries should be written to;
- * and log() and new_log() to write log entries to the file.
- */
-
-/*
- * krb_log() is used to add entries to the logfile (see krb_set_logfile()
- * below). Note that it is probably not portable since it makes
- * assumptions about what the compiler will do when it is called
- * with less than the correct number of arguments which is the
- * way it is usually called.
- *
- * The log entry consists of a timestamp and the given arguments
- * printed according to the given "format".
- *
- * The log file is opened and closed for each log entry.
- *
- * The return value is undefined.
- */
-
-void krb_log(const char *format,...)
-{
- FILE *logfile;
- time_t now;
- struct tm *tm;
- va_list args;
-
- va_start(args, format);
-
- if ((logfile = fopen(log_name,"a")) != NULL) {
- set_cloexec_file(logfile);
- (void) time(&now);
- tm = localtime(&now);
-
- fprintf(logfile,"%2d-%s-%d %02d:%02d:%02d ",tm->tm_mday,
- month_sname(tm->tm_mon + 1),1900+tm->tm_year,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
- vfprintf(logfile,format,args);
- fprintf(logfile,"\n");
- (void) fclose(logfile);
- }
- va_end(args);
- return;
-}
-
-/*
- * krb_set_logfile() changes the name of the file to which
- * messages are logged. If krb_set_logfile() is not called,
- * the logfile defaults to KRBLOG, defined in "krb.h".
- */
-
-void
-krb_set_logfile(filename)
- char *filename;
-{
- log_name = filename;
-#if 0
- is_open = 0;
-#endif
-}
-
-#if 0
-/*
- * new_log() appends a log entry containing the give time "t" and the
- * string "string" to the logfile (see set_logfile() above). The file
- * is opened once and left open. The routine returns 1 on failure, 0
- * on success.
- */
-
-krb_new_log(t,string)
- long t;
- char *string;
-{
- static FILE *logfile;
-
- struct tm *tm;
-
- if (!is_open) {
- if ((logfile = fopen(log_name,"a")) == NULL) return(1);
- set_cloexec_file(logfile);
- is_open = 1;
- }
-
- if (t) {
- tm = localtime(&t);
-
- fprintf(logfile,"\n%2d-%s-%d %02d:%02d:%02d %s",tm->tm_mday,
- month_sname(tm->tm_mon + 1),1900+tm->tm_year,
- tm->tm_hour, tm->tm_min, tm->tm_sec, string);
- }
- else {
- fprintf(logfile,"\n%20s%s","",string);
- }
-
- (void) fflush(logfile);
- return(0);
-}
-#endif
diff --git a/src/lib/krb4/mac_glue.c b/src/lib/krb4/mac_glue.c
deleted file mode 100644
index 77d11c2..0000000
--- a/src/lib/krb4/mac_glue.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * mac_glue.c
- *
- * Copyright 1989 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Macintosh ooperating system interface for Kerberos.
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-
-/* Mac Cincludes */
-#include <string.h>
-#include <stddef.h>
-
-/* FIXME! swab should be swapping, but for initial test, don't bother. */
-
-void swab(char *from, char *to, int nbytes) {}
-
-mymemset( void *s, register int c, register size_t n )
-{
- // written because memset doesn't work in think C (ARGGGG!!!!!!)
- register char *j = s;
- while( n-- )
- *j++ = c;
-}
-
-int INTERFACE
-krb_start_session (x)
- char *x;
-{
- return KSUCCESS;
-}
-
-int INTERFACE
-krb_end_session (x)
- char *x;
-{
- return KSUCCESS;
-}
-
-/* FIXME: These stubs should go away. */
-int read() {return 0;}
-int write () {return 0;}
-int krb_ignore_ip_address = 0;
diff --git a/src/lib/krb4/mac_store.c b/src/lib/krb4/mac_store.c
deleted file mode 100644
index 262ba58..0000000
--- a/src/lib/krb4/mac_store.c
+++ /dev/null
@@ -1,731 +0,0 @@ -/* - * mac_store.c - * - * Kerberos configuration store - * Originally coded by Tim Miller / Brown University as KRB_Store.c - * Mods 1/92 By Peter Bosanko - * - * Modified May-June 1994 by Julia Menapace and John Gilmore - * of Cygnus Support. - * - * This file incorporates replacements for the Unix files - * g_admhst.c, g_krbhst.c, realmofhost.c, and g_krbrlm.c. - */ - -/* Headers from in_tkt.c, merged in by gnu FIXME */ -#include <types.h> - -/* Headers from store.c from KClient */ -#include <string.h> -#include <traps.h> -#include <gestaltEqu.h> -#include <Folders.h> -#include <Resources.h> -#include <Memory.h> -#include <Files.h> - -#include "krb.h" -#include "mac_store.h" /* includes memcache.h */ -#include "krb_driver.h" - -#define prefname "\pKerberos Client Preferences" -const OSType preftype = 'PREF'; -const OSType prefcrea = 'krbL'; -const OSType unametype = 'UNam'; -const OSType lrealmtype = 'LRlm'; -const OSType templatetype = 'TMPL'; -const OSType realmmaptype = 'RMap'; -const OSType servermaptype = 'SMap'; -#define kNumTemplates 4 -#define kFirstTemplate 128 -#define kMapResNum 1024 - - -/* Lower level routines and data structures */ - - -/* Need to check this in each high-level routine, and call init_store - if not set. */ -static int initialized_store = 0; - -static char fLRealm[REALM_SZ] = ""; -static Handle fRealmMap = 0; -static Handle fServerMap = 0; -static short fPrefVRefNum; -static long fPrefDirID; -OSErr fConstructErr = -1; - -/* Current default user name (for prompts, etc). */ - -static char gUserName[MAX_K_NAME_SZ]; - - -/* Routines for dealing with the realm versus host database */ - -/* - * krb_get_admhst - * - * Given a Kerberos realm, find a host on which the Kerberos database - * administration server can be found. 
- * - * krb_get_admhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer n, and - * returns (in h) the nth administrative host entry from the configuration - * file (KRB_CONF, defined in "krb.h") associated with the specified realm. - * If ATHENA_CONF_FALLBACK is defined, also look in old location. - * - * On error, get_admhst returns KFAILURE. If all goes well, the routine - * returns KSUCCESS. - * - * For the format of the KRB_CONF file, see comments describing the routine - * krb_get_krbhst(). - * - * This is a temporary hack to allow us to find the nearest system running - * a Kerberos admin server. In the long run, this functionality will be - * provided by a nameserver. (HAH!) - */ -int -krb_get_admhst (h, r, n) - char *h; - char *r; - int n; -{ - if (!initialized_store) - if (init_store()) - return KFAILURE; - if(GetNthServer(n, r, 1, h)) return KFAILURE; - else return KSUCCESS; -} - -/* - * Given a Kerberos realm, find a host on which the Kerberos authenti- - * cation server can be found. - * - * krb_get_krbhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer, n, and - * returns (in h) the nth entry from the configuration information - * associated with the specified realm. - * - * If no info is found, krb_get_krbhst returns KFAILURE. If n=1 and the - * configuration file does not exist, krb_get_krbhst will return KRB_HOST - * (defined in "krb.h"). If all goes well, the routine returnes - * KSUCCESS. - * - * This is a temporary hack to allow us to find the nearest system running - * kerberos. In the long run, this functionality will be provided by a - * nameserver. (AH SO!) 
- */ -int krb_get_krbhst(h, r, n) - char *h; - char *r; - int n; -{ - if (!initialized_store) - if (init_store()) - return KFAILURE; - if (GetNthServer(n, r, 0, h)) return KFAILURE; - else return KSUCCESS; -} - - -/* - * krb_get_lrealm takes a pointer to a string, and a number, n. It fills - * in the string, r, with the name of the local realm specified in - * the local Kerberos configuration. - * It returns 0 (KSUCCESS) on success, and KFAILURE on failure. If the - * config info does not exist, and if n=1, a successful return will occur - * with r = KRB_REALM (also defined in "krb.h"). [FIXME -- not implem.] - * - * NOTE: for archaic & compatibility reasons, this routine will only return - * valid results when n = 1. - */ - -int krb_get_lrealm(char *r, int n) -{ - if (!initialized_store) - if (init_store()) - return KFAILURE; - if (n != 1) - return KFAILURE; - if (GetLocalRealm(r)) - return KFAILURE; - return KSUCCESS; -} - - -/* - * krb_realmofhost. - * Given a fully-qualified domain-style primary host name, - * return the name of the Kerberos realm for the host. - * If the hostname contains no discernable domain, or an error occurs, - * return the local realm name, as supplied by get_krbrlm(). - * If the hostname contains a domain, but no translation is found, - * the hostname's domain is converted to upper-case and returned. - * - * In the database, - * domain_name should be of the form .XXX.YYY (e.g. .LCS.MIT.EDU) - * host names should be in the usual form (e.g. 
FOO.BAR.BAZ) - */ - -char *krb_realmofhost(char *host) -{ - static char realm[REALM_SZ]; - - if (!initialized_store) - if (init_store()) - return 0; - - /* Store realm string through REALM pointer arg */ - GetRealm(host, realm); - return realm; -} - - -char * INTERFACE -krb_get_default_user (void) -{ - if (!initialized_store) - if (init_store()) - return 0; - - return gUserName; -} - - -int INTERFACE -krb_set_default_user (uName) - char* uName; -{ - if (!initialized_store) - if (init_store()) - return KFAILURE; - - if( strcmp( gUserName, uName ) != 0 ) { - strcpy( gUserName, uName ); - if (WriteUser() != 0) - return KFAILURE; - } - return KSUCCESS; -} - - - -void GetPrefsFolder(short *vRefNumP, long *dirIDP) -{ - Boolean hasFolderMgr = false; - long feature; -/* - FIXME Error: Ô_GestaltDispatchÕ has not been declared - not needed now? - jcm - if (TrapAvailable(_GestaltDispatch)) -*/ - if (Gestalt(gestaltFindFolderAttr, &feature) == noErr) hasFolderMgr = true; - if (!hasFolderMgr) { - GetSystemFolder(vRefNumP, dirIDP); - return; - } - else { - if (FindFolder(kOnSystemDisk, kPreferencesFolderType, kDontCreateFolder, vRefNumP, dirIDP) != noErr) { - *vRefNumP = 0; - *dirIDP = 0; - } - } - } - - -/* - init_store() is used to initialize the config store. It opens the - driver preferences file and reads the local realm, user name, and - realm and server maps from resources in the prefs file into driver - storage. If the preferences file doesn't exist, init_store creates it. - Returns 0 on success, or 1 if something goes wrong. - */ -int -init_store() -{ - short refnum; - Handle temp; - int hasPrefFile; - - /* If a prefs file exists, load from it, otherwise load defaults from self */ - GetPrefsFolder(&fPrefVRefNum, &fPrefDirID); - refnum = HOpenResFile(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, fsRdPerm); - hasPrefFile = (refnum != -1); // did we open it? 
- - temp = GetResource(lrealmtype, kMapResNum); - if(ResError() || !temp) { - if(refnum != -1) CloseResFile(refnum); - fConstructErr = cKrbCorruptedFile; - return 1; - } - strcpy(fLRealm, *temp); - ReleaseResource(temp); - - temp = GetResource(unametype, kMapResNum); - if(ResError() || !temp) { - if(refnum != -1) CloseResFile(refnum); - fConstructErr = cKrbCorruptedFile; - return 1; - } - strcpy(gUserName, *temp); - ReleaseResource(temp); - - fRealmMap = GetResource(realmmaptype, kMapResNum); - if(ResError() || !fRealmMap) { - if(refnum != -1) CloseResFile(refnum); - *fLRealm = 0; - fConstructErr = cKrbCorruptedFile; - return 1; - } - DetachResource(fRealmMap); - - fServerMap = GetResource(servermaptype, kMapResNum); - if(ResError() || !fServerMap) { - if(refnum != -1) CloseResFile(refnum); - *fLRealm = 0; - DisposeHandle(fRealmMap); - fRealmMap = 0; - fConstructErr = cKrbCorruptedFile; - return 1; - } - DetachResource(fServerMap); - - if(refnum != -1) CloseResFile(refnum); - fConstructErr = noErr; - - if (!hasPrefFile) { - fConstructErr = CreatePrefFile(); // make prefs file if we need to - } - - initialized_store = 1; - return 0; -} - - -/****************Private routines******************/ - -OSErr OpenPrefsFile(short *refnum) -{ - *refnum = HOpenResFile(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, fsRdWrPerm); - - if(ResError()) { /* doesn't exist, create it */ - FInfo fndrinfo; - - HCreateResFile(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname); - if(ResError()) { - return ResError(); - } - *refnum = HOpenResFile(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, fsRdWrPerm); - if(ResError()) { - return ResError(); - } - HGetFInfo(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, &fndrinfo); - fndrinfo.fdCreator = prefcrea; - fndrinfo.fdType = preftype; - HSetFInfo(fPrefVRefNum, fPrefDirID, (unsigned char *)prefname, &fndrinfo); - } - - return noErr; - } - - - -OSErr CreatePrefFile() -{ - short refnum, i; - OSErr err; - Handle tmpls[ 
kNumTemplates ]; - - // Get all the templates for ResEdit - for( i = 0; i < kNumTemplates; i++ ) { - tmpls[i] = GetResource( templatetype, kFirstTemplate + i ); - if( ResError() || !tmpls[i] ) return cKrbCorruptedFile; - } - - err = OpenPrefsFile( &refnum ); - if( err ) return err; - - // write out the templates - for( i = 0; i < kNumTemplates && !err; i++ ) { - short tmplid; - ResType theType; - Str255 resName; - - GetResInfo( tmpls[i], &tmplid, &theType, resName ); - err = WritePref( refnum, tmpls[i], templatetype, tmplid, resName ); - ReleaseResource( tmpls[i] ); - } - - if( !err ) - err = WritePref( refnum, fRealmMap, realmmaptype, kMapResNum, "\p" ); - if( !err ) - err = WritePref( refnum, fServerMap, servermaptype, kMapResNum, "\p" ); - if( !err ) - err = WritePrefStr( refnum, fLRealm, lrealmtype, kMapResNum, "\p" ); - if( !err ) - err = WritePrefStr( refnum, gUserName, unametype, kMapResNum, "\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr WriteUser() -{ - short refnum; - OSErr err; - - err = OpenPrefsFile( &refnum ); - if( err ) return err; - - err = WritePrefStr( refnum, gUserName, unametype, kMapResNum, "\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr WritePref( short refnum, Handle dataHandle, OSType mapType, short resID, Str255 resName ) -{ - OSErr err; - Handle resHandle; - - resHandle = Get1Resource( mapType, resID ); - if( !resHandle ) { // create a new resource: - resHandle = dataHandle; - err = HandToHand( &resHandle ); // copy the data handle - if( err != noErr ) return err; - - AddResource( resHandle, mapType, resID, resName ); - if( ( err = ResError() ) != noErr ) { - DisposHandle( resHandle ); - return err; - } - SetResAttrs( resHandle, resSysHeap | GetResAttrs( resHandle ) ); - } - else { /* modify an existing resource: */ - Size handleSize = GetHandleSize( dataHandle ); - SetHandleSize( resHandle, handleSize ); - if( ( err = MemError() ) != noErr ) { - 
ReleaseResource( resHandle ); - return err; - } - BlockMove( *dataHandle, *resHandle, handleSize ); - ChangedResource( resHandle ); - if( ( err = ResError() ) != noErr ) { - ReleaseResource( resHandle ); - return err; - } - } - - UpdateResFile( refnum ); - err = ResError(); - ReleaseResource( resHandle ); - return err; -} - -OSErr WritePrefStr( short refnum, char *dataString, OSType mapType, short resID, Str255 resName ) -{ - OSErr err; - Handle dataHandle; - - err = PtrToHand( dataString, &dataHandle, strlen( dataString ) + 1 ); - if( err == noErr ) { - err = WritePref( refnum, dataHandle, mapType, resID, resName ); - DisposHandle( dataHandle ); - } - return err; -} - -OSErr WriteRealmMap() -{ - short refnum; - OSErr err; - - err = OpenPrefsFile( &refnum ); - if( err ) return err; - - err = WritePref( refnum, fRealmMap, realmmaptype, kMapResNum, "\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr WriteServerMap() -{ - short refnum; - OSErr err; - - err = OpenPrefsFile(&refnum); - if( err ) return err; - - err = WritePref( refnum, fServerMap, servermaptype, kMapResNum,"\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr GetLocalRealm(char *lrealm) -{ - if (!initialized_store) - init_store(); - - strcpy(lrealm, fLRealm); - return noErr; - } - -OSErr SetLocalRealm( const char *lrealm ) -{ - short refnum; - OSErr err; - - if (!initialized_store) - init_store(); - - strcpy( fLRealm, (char *) lrealm ); - - err = OpenPrefsFile( &refnum ); - if( err ) return err; - - err = WritePrefStr( refnum, fLRealm, lrealmtype, kMapResNum, "\p" ); - - CloseResFile( refnum ); - if( !err ) err = ResError(); - return err; -} - -OSErr GetRealm(const char *host, char *realm) -{ - int numrealms; - char *curnetorhost, *currealm; - char *domain; - - if (!initialized_store) - init_store(); - - numrealms = *((short *)*fRealmMap); - GetLocalRealm(realm); - - domain = strchr( host, '.'); - if(!domain) return noErr; - 
- curnetorhost = (*fRealmMap) + 2; - currealm = strchr(curnetorhost, '\0') + 1; - for( ; numrealms > 0; numrealms--) { - if(!strcasecmp(curnetorhost, host)) { - strcpy(realm, currealm); - return noErr; - } - if(!strcasecmp(curnetorhost, domain)) { - strcpy(realm, currealm); - } - - if(numrealms > 1) { - curnetorhost = strchr(currealm, '\0') + 1; - currealm = strchr(curnetorhost, '\0') + 1; - } - } - - return noErr; - } - -OSErr AddRealmMap(const char *netorhost, const char *realm) -{ - int numrealms; - char *curptr; - - SetHandleSize(fRealmMap, strlen(netorhost)+1 + strlen(realm)+1 + - GetHandleSize(fRealmMap)); - if(MemError()) return MemError(); - - numrealms = ++(*((short *)*fRealmMap)); - - for(curptr = (*fRealmMap)+2; numrealms > 1; numrealms--) { - curptr = strchr(curptr, '\0') + 1; - curptr = strchr(curptr, '\0') + 1; - } - - strcpy(curptr, netorhost); - curptr = strchr(curptr, '\0') + 1; - strcpy(curptr, realm); - - return WriteRealmMap(); - } - -OSErr DeleteRealmMap(const char *netorhost) -{ - int numrealms = *((short *)*fRealmMap); - char *curptr, *fromptr, *nextptr; - - for(curptr = (*fRealmMap)+2; numrealms > 0; numrealms--) { - if(!strcasecmp(curptr, netorhost)) break; /* got it! 
*/ - - curptr = strchr(curptr, '\0') + 1; - curptr = strchr(curptr, '\0') + 1; - } - - if(numrealms == 0) return cKrbMapDoesntExist; - - *(short*)*fRealmMap -= 1; - - if(numrealms > 1) { - fromptr = strchr(curptr, '\0') + 1; - fromptr = strchr(fromptr, '\0') + 1; - } - - for( ; numrealms > 1; numrealms--) { - nextptr = strchr(fromptr, '\0') + 1; - strcpy(curptr, fromptr); - curptr = strchr(curptr, '\0') + 1; - fromptr = nextptr; - - nextptr = strchr(fromptr, '\0') + 1; - strcpy(curptr, fromptr); - curptr = strchr(curptr, '\0') + 1; - fromptr = nextptr; - } - - SetHandleSize(fRealmMap, curptr-(*fRealmMap)); - if(MemError()) return MemError(); - return WriteRealmMap(); - } - -OSErr GetNthRealmMap(const int n, char *netorhost, char *realm) -{ - int i; - char *curptr; - - if(n > *(short*)*fRealmMap) return cKrbMapDoesntExist; - - for(curptr = (*fRealmMap) + 2, i = 1; i < n; i++) { - curptr = strchr(curptr, '\0') + 1; - curptr = strchr(curptr, '\0') + 1; - } - - strcpy(netorhost, curptr); - curptr = strchr(curptr, '\0') + 1; - strcpy(realm, curptr); - - return noErr; - } - -OSErr GetNthServer(const int n, const char *realm, const int mustadmin, - char *server) -{ - int numservers = *(short*)*fServerMap, i = 0; - char *currealm, *curserver; - - currealm = (*fServerMap) + 2; - curserver = strchr(currealm, '\0') + 1 + 1; - for( ; numservers > 0; numservers--) { - if(!strcmp(currealm, realm)) { - if(!mustadmin || *(curserver-1)) i++; - if(i >= n) { - strcpy(server, curserver); - return noErr; - } - } - - if(numservers > 1) { - currealm = strchr(curserver, '\0') + 1; - curserver = strchr(currealm, '\0') + 1 + 1; - } - } - - return cKrbMapDoesntExist; - } - -OSErr AddServerMap(const char *realm, const char *server, - const int isadmin) -{ - int numservers; - char *curptr; - - SetHandleSize(fServerMap, strlen(realm)+1 + 1 + strlen(server)+1 + - GetHandleSize(fServerMap)); - if(MemError()) return MemError(); - - numservers = ++(*((short *)*fServerMap)); - - for(curptr = 
(*fServerMap)+2; numservers > 1; numservers--) { - curptr = strchr(curptr, '\0') + 1 + 1; - curptr = strchr(curptr, '\0') + 1; - } - - strcpy(curptr, realm); - curptr = strchr(curptr, '\0') + 1; - *curptr = (char) isadmin; - curptr++; - strcpy(curptr, server); - - return WriteServerMap(); - } - -OSErr DeleteServerMap(const char *realm, const char *server) -{ - int numservers = *((short *)*fServerMap); - char *curptr, *fromptr, *nextptr; - - for(curptr = (*fServerMap)+2; numservers > 0; numservers--) { - if(!strcmp(curptr, realm)) { - nextptr = strchr(curptr, '\0') + 1 + 1; - if(!strcasecmp(nextptr, server)) { - break; /* got it! */ - } - } - - curptr = strchr(curptr, '\0') + 1 + 1; - curptr = strchr(curptr, '\0') + 1; - } - - if(numservers == 0) return cKrbMapDoesntExist; - - *(short*)*fServerMap -= 1; - - if(numservers > 1) { - fromptr = strchr(curptr, '\0') + 1 + 1; - fromptr = strchr(fromptr, '\0') + 1; - } - - for( ; numservers > 1; numservers--) { - nextptr = strchr(fromptr, '\0') + 1; - strcpy(curptr, fromptr); - curptr = strchr(curptr, '\0') + 1; - fromptr = nextptr; - - *curptr = *fromptr; - curptr++; - fromptr++; - - nextptr = strchr(fromptr, '\0') + 1; - strcpy(curptr, fromptr); - curptr = strchr(curptr, '\0') + 1; - fromptr = nextptr; - } - - SetHandleSize(fServerMap, curptr-(*fServerMap)); - if(MemError()) return MemError(); - return WriteServerMap(); - } - -OSErr GetNthServerMap(const int n, char *realm, char *server, int *admin) -{ - int i; - char *curptr; - - if(n > *(short*)*fServerMap) return cKrbMapDoesntExist; - - for(curptr = (*fServerMap) + 2, i = 1; i < n; i++) { - curptr = strchr(curptr, '\0') + 1 + 1; - curptr = strchr(curptr, '\0') + 1; - } - - strcpy(realm, curptr); - curptr = strchr(curptr, '\0') + 1; - *admin = *curptr; - curptr++; - strcpy(server, curptr); - - return noErr; -} diff --git a/src/lib/krb4/mac_store.h b/src/lib/krb4/mac_store.h deleted file mode 100644 index b1652dc..0000000 --- a/src/lib/krb4/mac_store.h +++ /dev/null 
@@ -1,56 +0,0 @@
-/*
- store.h
- Kerberos credential store
- Originally coded by Tim Miller / Brown University
- Mods 1/92 By Peter Bosanko
-
- Modified May 1994 by Julia Menapace and John Gilmore, Cygnus
- Support.
-*/
-
-#include "memcache.h"
-
-extern OSErr fConstructErr;
-
- OSErr CreatePrefFile();
- OSErr WriteUser(); /* saves gUserName to prefs file */
-
- /* Used internally... */
- OSErr WritePref(short refnum, Handle dataHandle, OSType mapType, short resID,
- Str255 resName);
- OSErr WritePrefStr(short refnum, char *dataString, OSType mapType, short resID,
- Str255 resName);
-
- /*** Realm info routines: ***/
- OSErr GetLocalRealm(char *lrealm); /* stuffs local realm in lrealm */
- OSErr SetLocalRealm(const char *lrealm); /* sets local realm */
-
- OSErr GetRealm(const char *host, char *realm); /* yields realm for given
- host's net name */
- OSErr AddRealmMap(const char *netorhost, const char *realm); /* says hosts
- with this name or in this domain (if
- begins with period) map to this realm
- (provided no more specific map is
- found) */
- OSErr DeleteRealmMap(const char *netorhost); /* deletes realm map for the
- net or net hostname */
- OSErr GetNthRealmMap(const int n, char *netorhost, char *realm); /* yields
- the Nth mapping of a net or host to
- a kerberos realm */
-
- OSErr GetNthServer(const int n, const char *realm, const int mustadmin,
- char *server); /* yields Nth (administrating if
- mustadmin is true) server for
- the given realm */
- OSErr AddServerMap(const char *realm, const char *server,
- const int isadmin); /* says this server services this
- realm (administratively if isadmin) */
- OSErr DeleteServerMap(const char *realm, const char *server); /* deletes
- the map of this realm to this server */
- OSErr GetNthServerMap(const int n, char *realm, char *server, int *admin);
- /* yields Nth realm-server mapping */
-
- OSErr OpenPrefsFile(short *refnum); /* open (create if necessary) prefs file
- for writing */
- OSErr WriteRealmMap();
- OSErr WriteServerMap();
diff --git a/src/lib/krb4/mac_stubs.c b/src/lib/krb4/mac_stubs.c
deleted file mode 100644
index 2cd1f0a..0000000
--- a/src/lib/krb4/mac_stubs.c
+++ /dev/null
@@ -1,525 +0,0 @@ -/* - * mac_stubs.c - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - * - * Macintosh oopserating system stub interface for Kerberos. - * Applications call these routines, which then call the driver to do the work. - */ - -#include "krb.h" -#include "krb_driver.h" /* Mac driver interface */ - -#include <string.h> -#include <stddef.h> -#include <Files.h> -#include <Devices.h> - -/* We export the driver reference under the name mac_stubs_kdriver, - but for convenience throughout this code, we call it "kdriver", - which was its name when it was static. */ -short mac_stubs_kdriver = 0; /* .Kerberos driver ref */ -#define kdriver mac_stubs_kdriver - -ParamBlockRec pb[1]; -struct krbHiParmBlock khipb[1]; -struct krbParmBlock klopb[1]; - -short lowcall (long cscode, krbParmBlock *klopb, short kdriver) -{ - short s; - ParamBlockRec pb; - - memset (&pb, 0, sizeof(ParamBlockRec)); - *(long *)pb.cntrlParam.csParam = (long)klopb; - pb.cntrlParam.ioCompletion = nil; - pb.cntrlParam.ioCRefNum = kdriver; - pb.cntrlParam.csCode = cscode; - - if (s = PBControl(&pb, false)) - return KFAILURE; - if (s = pb.cntrlParam.ioResult) - return -(s - cKrbKerberosErrBlock); /* Restore krb err code from driver err */ - - return KSUCCESS; -} - - -short hicall (long cscode, krbHiParmBlock *khipb, short kdriver) -{ - short s; - ParamBlockRec pb; - memset(&pb, 0, sizeof(ParamBlockRec)); - *(long *)pb.cntrlParam.csParam = (long)khipb; - pb.cntrlParam.ioCompletion = nil; - pb.cntrlParam.ioCRefNum = kdriver; - - pb.cntrlParam.csCode = cscode; - if (s = PBControl(&pb, false)) - return KFAILURE; - if (s = pb.cntrlParam.ioResult) - return -(s - cKrbKerberosErrBlock); /* Restore krb err code from driver err */ - - return KSUCCESS; -} - - -int INTERFACE -krb_start_session (x) - char *x; -{ - short s; - - /* - * Open the .Kerberos driver if not already open - */ - if (!kdriver) { - s = OpenDriver("\p.Kerberos", &kdriver); - if (s) { - return 
KFAILURE; /* Improve this error code */ - } - } - - return KSUCCESS; -} - - -int INTERFACE -krb_end_session (x) - char *x; -{ - short s; - -#if 0 /* This driver doesn't want to be closed. FIXME, is this OK? */ - if (kdriver) { - s = CloseDriver(kdriver); - if (s) - return KFAILURE; - kdriver = 0; - } -#endif - return KSUCCESS; -} - - -char * INTERFACE -krb_realmofhost (host) - char *host; -{ - short s; - ParamBlockRec pb; - static char realm[REALM_SZ]; - - memset(klopb, 0, sizeof(*klopb)); - klopb->host = host; - klopb->uRealm = realm; - - /* FIXME jcm - no error handling for return value of lowcall in krb_realmofhost */ - s = lowcall (cKrbGetRealm , klopb, kdriver); - - return realm; -} - -int INTERFACE -krb_get_lrealm (realm, n) - char *realm; - int n; -{ - short s; - ParamBlockRec pb; - - if (n != 1) - return KFAILURE; - - memset(klopb, 0, sizeof(*klopb)); - klopb->uRealm = realm; - - s = lowcall (cKrbGetLocalRealm, klopb, kdriver); - return s; - -} - - -int INTERFACE -kname_parse (name, instance, realm, fullname) - char *name, *instance, *realm, *fullname; -{ - short s; - ParamBlockRec pb; - - memset(klopb, 0, sizeof(*klopb)); - klopb->uName = name; - klopb->uInstance = instance; - klopb->uRealm = realm; - klopb->fullname = fullname; - - s = lowcall (cKrbKnameParse, klopb, kdriver); - return s; -} - -const char* INTERFACE -krb_get_err_text (error_code) - int error_code; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - klopb->admin = error_code; - s = lowcall (cKrbGetErrText, klopb, kdriver); - if (s != KSUCCESS) - return "Error in get_err_text"; - return klopb->uName; -} - - -int INTERFACE -krb_get_pw_in_tkt(user,instance,realm,service,sinstance,life,password) - char *user, *instance, *realm, *service, *sinstance; - int life; - char *password; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - klopb->uName = user; - klopb->uInstance = instance; - klopb->uRealm = realm; - klopb->sName = service; - klopb->sInstance = sinstance; - klopb->admin = life; - 
klopb->fullname = password; - - s = lowcall (cKrbGetPwInTkt, klopb, kdriver); - return s; -} - - -/* FIXME: For now, we handle the preauth version exactly the same - as the non-preauth. */ -krb_get_pw_in_tkt_preauth(user,instance,realm,service,sinstance,life,password) - char *user, *instance, *realm, *service, *sinstance; - int life; - char *password; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - klopb->uName = user; - klopb->uInstance = instance; - klopb->uRealm = realm; - klopb->sName = service; - klopb->sInstance = sinstance; - klopb->admin = life; - klopb->fullname = password; - - s = lowcall (cKrbGetPwInTkt, klopb, kdriver); - return s; -} - - - -char* INTERFACE -krb_get_default_user (void) -{ - short s; - static char return_name[MAX_K_NAME_SZ]; - - memset(khipb, 0, sizeof(*khipb)); - khipb->user = return_name; - s = hicall (cKrbGetUserName, khipb, kdriver); - if (s != KSUCCESS) - return 0; - return return_name; -} - - -int INTERFACE -krb_set_default_user (uName) - char* uName; -{ - short s; - - memset(khipb, 0, sizeof(*khipb)); - khipb->user = uName; - s = hicall (cKrbSetUserName, khipb, kdriver); - return s; -} - -int INTERFACE -krb_get_cred (name, instance, realm, cr) - char *name; - char *instance; - char *realm; - CREDENTIALS *cr; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - - strcpy(cr->service, name); - strcpy(cr->instance, instance); - strcpy(cr->realm, realm); - - klopb->cred = cr; - - s = lowcall (cKrbGetCredentials, klopb, kdriver); - return s; -} - -int INTERFACE -krb_save_credentials (sname, sinstance, srealm, session, - lifetime, kvno,ticket, issue_date) - char *sname; /* service name */ - char *sinstance; /* service instance */ - char *srealm; /* service realm */ - C_Block session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT ticket; /* The ticket itself */ - long issue_date; /* The issue time */ - -{ - short s; - CREDENTIALS cr; - - strcpy(cr.service, sname); - 
strcpy(cr.instance, sinstance); - strcpy(cr.realm, srealm); - memcpy(cr.session, session, sizeof(C_Block)); - cr.lifetime = lifetime; - cr.kvno = kvno; - cr.ticket_st = *ticket; - cr.issue_date = issue_date; - - memset(klopb, 0, sizeof(*klopb)); - klopb->cred = &cr; - - s = lowcall (cKrbAddCredentials, klopb, kdriver); - return s; -} - - -int INTERFACE -krb_delete_cred (sname, sinstance, srealm) - char *sname; - char *sinstance; - char *srealm; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - - klopb->sName = sname; - klopb->sInstance = sinstance; - klopb->sRealm = srealm; - - s = lowcall (cKrbDeleteCredentials, klopb, kdriver); - return s; -} - -int INTERFACE -dest_tkt (cachename) - char *cachename; /* This parameter is ignored. */ -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - s = lowcall (cKrbDeleteAllSessions, klopb, kdriver); - return s; -} - -/* - * returns service name, service instance and realm of the nth credential. - * credential numbering is 1 based. - */ - -int INTERFACE -krb_get_nth_cred (sname, sinstance, srealm, n) - char *sname; - char *sinstance; - char *srealm; - int n; -{ - short s; - - memset(klopb, 0, sizeof(*klopb)); - - klopb->sName = sname; - klopb->sInstance = sinstance; - klopb->sRealm = srealm; - klopb->itemNumber = &n; - - s = lowcall (cKrbGetNthCredentials, klopb, kdriver); - return s; -} - -/* - * Return the number of credentials in the current credential cache (ticket cache). - * On error, returns -1. 
- */ -int INTERFACE -krb_get_num_cred () -{ - int s; - int n; - - memset(klopb, 0, sizeof(*klopb)); - klopb->itemNumber = &n; - - s = lowcall (cKrbGetNumCredentials, klopb, kdriver); - if (s) - return -1; - return *(klopb->itemNumber); -} - - - -/* GetNthRealmMap - yields the Nth mapping of a net or host to a Kerberos realm - -> itemNumber which mapping, traditionally the first - -> host host or net - -> uRealm pointer to buffer that will receive realm name -*/ - -OSErr INTERFACE -GetNthRealmMap(n, netorhost, realm) - int n; - char *netorhost; - char *realm; -{ - int s; - memset(klopb, 0, sizeof(*klopb)); - klopb->itemNumber = &n; - klopb->host = netorhost; - klopb->uRealm = realm; - - s = lowcall (cKrbGetNthRealmMap, klopb, kdriver); - return s; -} - -/* GetNthServerMap - yields Nth realm-server mapping - -> itemNumber which mapping should be returned - -> uRealm pointer to buffer that will receive realm name - -> host pointer to buffer that will receive server name - -> admin pointer to admin flag - */ - -OSErr INTERFACE -GetNthServerMap(n, realm, server, admin) - int n; - char *realm; - char *server; - int *admin; -{ - int s; - memset(klopb, 0, sizeof(*klopb)); - klopb->itemNumber = &n; - klopb->uRealm = realm; - klopb->host = server; - klopb->adminReturn = admin; - - s = lowcall (cKrbGetNthServerMap, klopb, kdriver); - return s; -} - - - -/* krb_get_ticket_for_service - * Gets a ticket and returns it to application in buf - -> service Formal Kerberos name of service - -> buf Buffer to receive ticket - -> checksum checksum for this service - <-> buflen length of ticket buffer (must be at least - 1258 bytes) - <- sessionKey for internal use - <- schedule for internal use - - * Result is: - * GC_NOTKT if there is no matching TGT in the cache - * MK_AP_TGTEXP if the matching TGT is expired - * Other errors possible. These could cause a dialogue with the user - * to get a new TGT. 
- */ - -int INTERFACE -krb_get_ticket_for_service (serviceName, buf, buflen, checksum, sessionKey, - schedule, version, includeVersion) - char *serviceName; - char *buf; - unsigned KRB4_32 *buflen; - int checksum; - des_cblock sessionKey; - Key_schedule schedule; - char *version; - int includeVersion; -{ - short s; - - if (includeVersion) - return KFAILURE; /* Not implmented in the kclient driver iface */ - - memset(khipb, 0, sizeof(*khipb)); - khipb->service = serviceName; - khipb->buf = buf; - khipb->buflen = *buflen; - khipb->checksum = checksum; - - s = hicall (cKrbGetTicketForService, khipb, kdriver); - /* These are ARRAYS in the hiparmblock, for some reason! */ - memcpy (sessionKey, khipb->sessionKey, sizeof (khipb[0].sessionKey)); - memcpy (schedule, khipb->schedule, sizeof (khipb[0].schedule)); - *buflen = khipb->buflen; - return s; -} - - -/* krb_get_tf_fullname -- return name, instance and realm of the - principal in the current ticket file. The ticket file name is not - currently used for anything since there is only one credentials - cache/ticket file -*/ - -int INTERFACE -krb_get_tf_fullname (tktfile, name, instance, realm) - char *tktfile; - char *name; - char *instance; - char *realm; - -{ - short s; - memset (klopb, 0, sizeof(*klopb)); - klopb->fullname = tktfile; - klopb->uName = name; - klopb->uInstance = instance; - klopb->uRealm = realm; - - s = lowcall (cKrbGetTfFullname, klopb, kdriver); - return s; -} - - - -#if 0 - xbzero(khipb, sizeof(krbHiParmBlock)); - khipb->service = (char *)cannon; - khipb->buf = (char *)buf; /* where to build it */ - khipb->checksum = 0; - khipb->buflen = sizeof(buf); - if (s = hicall(cKrbGetTicketForService, khipb, kdriver)) - return s; - xbcopy(khipb->sessionKey, sessionKey, sizeof(sessionKey)); /* save the session key */ - /* - * cKrbGetTicketForService put a longword buffer length into the buffer - * which we don't want, so we ignore it. - * Make room for first 3 bytes which preceed the auth data. 
- */
- cp = &buf[4-3]; /* skip long, make room for 3 bytes */
- cp[0] = tp[0]; /* copy type and modifier */
- cp[1] = tp[1];
- cp[2] = KRB_AUTH; /* suboption command */
- len = khipb->buflen - sizeof(long) + 3; /* data - 4 + 3 */
-
-#endif /* 0 */
diff --git a/src/lib/krb4/mac_time.c b/src/lib/krb4/mac_time.c
deleted file mode 100644
index bec4d8f..0000000
--- a/src/lib/krb4/mac_time.c
+++ /dev/null
@@ -1,152 +0,0 @@ -/* - * mac_time.c - * (Originally time_stuff.c) - * - * Copyright 1989 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - * - * Macintosh ooperating system interface for Kerberos. - */ - -#include "mit-copyright.h" -#include "krb.h" -#include "des.h" -#include "AddressXlation.h" /* for ip_addr */ -#include <time.h> -#include <sys/time.h> - -#include <script.h> /* Defines MachineLocation, used by getTimeZoneOffset */ -#include <ToolUtils.h> /* Defines BitTst(), called by getTimeZoneOffset() */ -#include <OSUtils.h> /* Defines GetDateTime */ - -/* Mac Cincludes */ -#include <string.h> -#include <stddef.h> - - - /******************************* - The Unix epoch is 1/1/70, the Mac epoch is 1/1/04. - - 70 - 4 = 66 year differential - - Thus the offset is: - - (66 yrs) * (365 days/yr) * (24 hours/day) * (60 mins/hour) * (60 secs/min) - plus - (17 leap days) * (24 hours/day) * (60 mins/hour) * (60 secs/min) - - Don't forget the offset from GMT. - *******************************/ - - -/* returns the offset in hours between the mac local time and the GMT */ - -unsigned long -getTimeZoneOffset() -{ - MachineLocation macLocation; - long gmtDelta; - - macLocation.gmtFlags.gmtDelta=0L; - ReadLocation(&macLocation); - gmtDelta=macLocation.gmtFlags.gmtDelta & 0x00FFFFFF; - if (BitTst((void *)&gmtDelta,23L)) gmtDelta |= 0xFF000000; - gmtDelta /= 3600L; - return(gmtDelta); -} - - -/* Returns the GMT in seconds using the Unix epoch, ie. 
Net time */ - -static unsigned long -gettimeofdaynet_no_offset() -{ - time_t the_time; - - GetDateTime (&the_time); - the_time = the_time - - ((66 * 365 * 24 * 60 * 60) + - (17 * 24 * 60 * 60) + - (getTimeZoneOffset() * 60 * 60)); - return the_time; -} - - - -int -gettimeofdaynet (struct timeval *tp, struct timezone *tz) -{ - tp->tv_sec = gettimeofdaynet_no_offset(); - return 0; -} - - -#if 0 - -int -gettimeofdaynet (struct timeval *tp, struct timezone *tz) -{ - int result; - - if (!net_got_offset) - result = get_net_offset(); - else result = 0; - - time ((time_t *) &(tp->tv_sec)); - - tp->tv_sec = tp->tv_sec - (66 * 365 * 24 * 60 * 60 - + 17 * 60 * 60 * 24) + net_offset; - - return (result); -} - - -#define TIME_PORT 37 -#define TM_OFFSET 2208988800 - -/* - * - * get_net_offset () -- Use UDP time protocol to figure out the - * offset between what the Mac thinks the time is an what - * the network thinks. - * - */ -int -get_net_offset() -{ - time_t tv; - char buf[512],ts[256]; - long *nettime; - int attempts, cc, time_port; - long unixtime; - char realm[REALM_SZ]; - ip_addr fromaddr; - unsigned short fromport; - int result; - - nettime = (long *)buf; - time_port = TIME_PORT; - - cc = sizeof(buf); - result = hosts_send_recv(ts, 1, buf, &cc, "", time_port); - time (&tv); - - if (result!=KSUCCESS || cc<4) { - net_offset = 0; - if (!result) result = 100; - return result; - } - - unixtime = (long) ntohl(*nettime) - TM_OFFSET; - - tv -= 66 * 365 * 24 * 60 * 60 - + 17 * 60 * 60 * 24; /* Convert to unix time w/o offset */ - net_offset = unixtime - tv; - net_got_offset = 1; - - return 0; -} - -#endif diff --git a/src/lib/krb4/memcache.c b/src/lib/krb4/memcache.c deleted file mode 100644 index 18a7412..0000000 --- a/src/lib/krb4/memcache.c +++ /dev/null 
@@ -1,891 +0,0 @@ -/* - * memcache.c - * - * Kerberos credential cache - * Originally coded by Tim Miller / Brown University as KRB_Store.c - * Mods 1/92 By Peter Bosanko - * - * Modified May-June 1994 by Julia Menapace and John Gilmore - * of Cygnus Support. - * - * This file incorporates replacements for the Unix files - * in_tkt.c, dest_tkt.c, tf_util.c, and tkt_string.c. - */ - -#include "krb.h" -#include "krb4int.h" -#include "autoconf.h" - -#ifdef _WIN32 -#include <errno.h> - -typedef DWORD OSErr; -#define noErr 0 -#define cKrbCredsDontExist 12001 -#define cKrbSessDoesntExist 12002 -#define memFullErr ENOMEM -#endif - -#ifndef unix -#ifdef _AIX -#define unix -#endif -#endif - -#ifdef unix -/* Unix interface to memory cache Mac functions. */ - -#include <stdio.h> -#include <errno.h> -#ifdef HAVE_STDLIB_H -#include <stdlib.h> -#else -extern char *malloc (), *realloc (); -#endif - -typedef int OSErr; -#define noErr 0 -#define memFullErr ENOMEM - -#endif /* unix */ - -#include "memcache.h" - - -/* Lower level data structures */ - -static int fNumSessions = 0; -static Session **fSessions = 0; - -#ifndef _WIN32 -#define change_cache() -#endif - -#if defined (_WIN32) || defined (unix) -/* Fake Mac handles up for general use. */ -#define Handle char ** -#define Size int - -static OSErr memerror = noErr; - -/* - * Simulates Macintosh routine by allocating a block of memory - * and a pointer to that block of memory. If the requested block - * size is 0, then we just allocate the indirect pointer and 0 - * it, otherwise we allocate an indirect pointer and place a pointer - * to the actual allocated block in the indirect pointer location. 
- */ -Handle -NewHandleSys(s) - int s; -{ - Handle h; - - h = (char **) malloc(sizeof(char *)); - - if (h == NULL) { - memerror = memFullErr; - return (NULL); - } - - if (s > 0) { - *h = malloc(s); - - if (*h == NULL) { - free(h); - memerror = memFullErr; - return (NULL); - } - } - else - *h = NULL; - - memerror = noErr; - - return h; -} - -/* - * Frees allocated indirect pointer and the block of memory it points - * to. If the indirect pointer is NULL, then the block is considered - * to have 0 length. - */ -void -DisposHandle(h) - Handle h; -{ - if (*h != NULL) - free(*h); - free(h); -} - -/* - * Resizes a block of memory pointed to by and indirect pointer. The - * indirect pointer is updated when the block of memory is reallocated. - * If the indirect pointer is 0, then the block of memory is allocated - * rather than reallocated. If the size requested is 0, then the block - * is deallcated rather than reallocated. - */ -void -SetHandleSize(h, s) - Handle h; - int s; -{ - if (*h != NULL) { - if (s > 0) { - *h = realloc(*h, s); - if (*h == NULL) { - memerror = memFullErr; - return; - } - } - else { - free(*h); - *h = NULL; - } - } - - else { - if (s > 0) { - *h = malloc(s); - if (*h == NULL) { - memerror = memFullErr; - return; - } - } - } - - memerror = noErr; -} - -OSErr -MemError() -{ - return memerror; -} - -#endif /* Windows || unix */ - -#ifdef _WIN32 - -/* - * change_cache should be called after the cache changes. - * If the session count is > 0 it forces the DLL to stay in - * memory even after the calling program exits providing cross - * session ticket cacheing. Also a notification message is - * is posted out to all top level Windows so that they may - * recheck the cache based on the changes made. The - * krb_get_notifcation_message routine will return the - * current notificaiton message for the system which an - * application can expect to get. 
- */ -void -change_cache() -{ - char fname[260]; - static BOOL locked = FALSE; - - if (fNumSessions > 0 && !locked) { - GetModuleFileName(get_lib_instance(), fname, sizeof(fname)); - LoadLibrary(fname); - locked = TRUE; - } - - else if (fNumSessions == 0 && locked) { - FreeLibrary(get_lib_instance()); - locked = FALSE; - } - - PostMessage(HWND_BROADCAST, krb_get_notification_message(), 0, 0); -} - - -/* - * Returns a system wide unique notification message. This - * message will be broadcast to all top level windows when - * the credential cache changes. - */ -unsigned int -krb_get_notification_message(void) -{ - static UINT message = 0; - - if (message == 0) - message = RegisterWindowMessage(WM_KERBEROS_CHANGED); - - return message; -} - - -#endif /* Windows */ - - -/* The low level routines in this file are capable of storing - tickets for multiple "sessions", each led by a different - ticket-granting ticket. For now, since the top level code - doesn't know how to handle that, we are short-cutting all - that with a fixed top level identifying tag for the (one) - session supported. - - FIXME jcm - Force one named cache for now for compatibility with - Cygnus source tree. Figure out later how to access the multiple - cache functionality in KClient. - */ - -char uname[] = "Fixed User"; -char uinstance[] = "Fixed Instance"; -char urealm[] = "Fixed Realm"; - -static char curr_auth_uname [ANAME_SZ]; -static char curr_auth_uinst [INST_SZ]; - - -/* - in_tkt() is used to initialize the ticket cache. - It inits the driver's credentials storage, by deleting any tickets. - in_tkt() returns KSUCCESS on success, or KFAILURE if something goes wrong. - - User name, instance and realm are not currently being stored in - the credentials cache because currently we are forcing a single - named cache by using a fixed user name,inst,and realm in the - memcache accessor routines. - - FIXME jcm - needed while stubbing out multi-caching with fixed - user etc... 
Store currently authenticated user name and instance - in this file. We will use this information to fill out the p_user - and p_inst fields in the credential. - - FIXME jcm - more kludges: make sure default user name matches the - current credentials cache. Telnet asks for default user name. It - may have last been set to another user name programmatically or - via ResEdit. - - */ -int KRB5_CALLCONV -in_tkt(pname,pinst) - char *pname; - char *pinst; -{ - int retval; - - strncpy (curr_auth_uname, pname, ANAME_SZ); - strncpy (curr_auth_uinst, pinst, INST_SZ); - - krb_set_default_user (pname); - - retval = dest_tkt(); - if (!retval) - return retval; - else - return KSUCCESS; - -} - -int KRB5_CALLCONV -krb_in_tkt(pname, pinst, prealm) - char *pname; - char *pinst; - char *prealm; -{ - return in_tkt(pname, pinst); -} - -/* - * dest_tkt() is used to destroy the ticket store upon logout. - * If the ticket file does not exist, dest_tkt() returns RET_TKFIL. - * Otherwise the function returns RET_OK on success, KFAILURE on - * failure. - * - */ -int KRB5_CALLCONV -dest_tkt() -{ - /* - FIXME jcm - Force one named cache for now for - compatibility with Cygnus source tree. Figure out - later how to access the multiple cache functionality in - KClient. 
- */ - OSErr err; - - err = DeleteSession(uname, uinstance, urealm); - - change_cache(); - - switch(err) { - case noErr: - return RET_OK; - case cKrbSessDoesntExist: - return RET_TKFIL; - default: - return KFAILURE; - } - } - - -int dest_all_tkts() -{ - int i=0; - char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ]; - int ndeletes=0; - int err=0; - - (void) GetNumSessions(&i); - if(!i) return RET_TKFIL; - - for( ; i; i--) { - if(!GetNthSession(i, name, inst, realm)) { - if (err = DeleteSession(name, inst, realm)) - break; - ndeletes++; - } - else { - err = KFAILURE; - break; - } - } - - if (ndeletes > 0) - change_cache(); - - if (err) - return KFAILURE; - else - return KSUCCESS; - } - - -/* krb_get_tf_realm -- return the realm of the current ticket file. */ -int KRB5_CALLCONV -krb_get_tf_realm (tktfile, lrealm) - char *tktfile; - char *lrealm; /* Result stored through here */ -{ - - return krb_get_tf_fullname(tktfile, (char*) 0, (char*) 0 , lrealm); -} - - -/* krb_get_tf_fullname -- return name, instance and realm of the -principal in the current ticket file. */ -int KRB5_CALLCONV -krb_get_tf_fullname (tktfile, name, instance, realm) - char *tktfile; - char *name; - char *instance; - char *realm; - -{ - OSErr err; - -/* - Explaining this ugly hack: - uname, uinstance, and urealm in the session record are "fixed" - to short circuit multicache functionality, yielding only one - session/cache for all cases. This was done under protest to remain - API compatable with UNIX. The principal's and service realm are - always the same and are stored in the same field of the credential. - Principal's name and instance are stored neither in the session - record or the credentials cache but in the file static variables - curr_auth_uname, and curr_auth_uinst as set by in_tkt from its - arguments pname and pinst. - - FIXME for multiple sessions -- keep track of which one is - the "current" session, as picked by the user. tktfile not - used for anything right now... 
-*/ - - err = GetNthCredentials(uname, uinstance, urealm, name, - instance, realm, 1); - - if (err != noErr) - return NO_TKT_FIL; - - if (name) - strcpy(name, curr_auth_uname); - if (instance) - strcpy(instance, curr_auth_uinst); - - return KSUCCESS; - -} - - -/* - * krb_get_cred takes a service name, instance, and realm, and a - * structure of type CREDENTIALS to be filled in with ticket - * information. It then searches the ticket file for the appropriate - * ticket and fills in the structure with the corresponding - * information from the file. If successful, it returns KSUCCESS. - * On failure it returns a Kerberos error code. - */ -int KRB5_CALLCONV -krb_get_cred (service, instance, realm, c) - char *service; /* Service name */ - char *instance; /* Instance */ - char *realm; /* Authorization domain */ - CREDENTIALS *c; /* Credentials struct */ -{ - strcpy(c->service, service); - strcpy(c->instance, instance); - strcpy(c->realm, realm); - - /* - FIXME jcm - Force one named cache for now for - compatibility with Cygnus source tree. Figure out - later how to access the multiple cache functionality - from KClient. - */ - - switch(GetCredentials(uname, uinstance, urealm, c)) { - case noErr: - return KSUCCESS; - case cKrbCredsDontExist: - case cKrbSessDoesntExist: - return GC_NOTKT; - default: - return KFAILURE; - } -} - -/* - * This routine takes a ticket and associated info and - * stores them in the ticket cache. The peer - * routine for extracting a ticket and associated info from the - * ticket cache is krb_get_cred(). When changes are made to - * this routine, the corresponding changes should be made - * in krb_get_cred() as well. - * - * Returns KSUCCESS if all goes well, otherwise KFAILURE. 
- */ - -int -krb4int_save_credentials_addr(sname, sinst, srealm, session, - lifetime, kvno, ticket, issue_date, laddr) - - char* sname; /* Service name */ - char* sinst; /* Instance */ - char* srealm; /* Auth domain */ - C_Block session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT ticket; /* The ticket itself */ - KRB4_32 issue_date; /* The issue time */ - KRB_UINT32 laddr; -{ - CREDENTIALS cr; - - strcpy(cr.service, sname); - strcpy(cr.instance, sinst); - strcpy(cr.realm, srealm); - memcpy((void*)cr.session, (void*)session, sizeof(C_Block)); - cr.lifetime = lifetime; - cr.kvno = kvno; - cr.ticket_st = *ticket; - cr.issue_date = issue_date; - strcpy(cr.pname, curr_auth_uname); /* FIXME for mult sessions */ - strcpy(cr.pinst, curr_auth_uinst); /* FIXME for mult sessions */ - - if(AddCredentials(uname, uinstance, urealm, &cr)) return KFAILURE; - change_cache(); - return KSUCCESS; -} - -int KRB5_CALLCONV -krb_save_credentials( - char *name, - char *inst, - char *realm, - C_Block session, - int lifetime, - int kvno, - KTEXT ticket, - KRB4_32 issue_date) -{ - return krb4int_save_credentials_addr(name, inst, realm, session, - lifetime, kvno, ticket, - issue_date, 0); -} - - -int -krb_delete_cred (sname, sinstance, srealm) - char *sname; - char *sinstance; - char *srealm; -{ - - if (DeleteCredentials (uname, uinstance, urealm, sname, sinstance, srealm)) - return KFAILURE; - - change_cache(); - - return KSUCCESS; - - /* - FIXME jcm - translate better between KClient internal OSErr errors - (eg. cKrbCredsDontExist) and kerberos error codes (eg. GC_NOTKT) - */ -} - -int -krb_get_nth_cred (sname, sinstance, srealm, n) - char *sname; - char *sinstance; - char *srealm; - int n; -{ - if (GetNthCredentials(uname, uinstance, urealm, sname, sinstance, srealm, n)) - return KFAILURE; - else - return KSUCCESS; -} - -/* - * Return the number of credentials in the current credential cache (ticket cache). - * On error, returns -1. 
- */ -int -krb_get_num_cred () -{ - int n; - int s; - - s = GetNumCredentials(uname, uinstance, urealm, &n); - if (s) return -1; - else return n; -} - - - -/* Lower level routines */ - -OSErr GetNumSessions(n) - int *n; -{ - *n = fNumSessions; - return 0; - } - -/* n starts at 1, not 0 */ -OSErr -GetNthSession(n, name, instance, realm) - const int n; - char *name; - char *instance; - char *realm; -{ - Session *sptr; - - if(n > fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = (*fSessions) + n-1; - if (name) strcpy(name, sptr->name); - if (instance) strcpy(instance, sptr->instance); - if (realm) strcpy(realm, sptr->realm); - - return noErr; - } - -OSErr DeleteSession(name, instance, realm) - const char *name; - const char *instance; - const char *realm; -{ - int i; - Session *sptr; - Handle creds; - - if(!fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, name) && - !strcmp(sptr[i].instance, instance) && - !strcmp(sptr[i].realm, realm)) { - break; - } - } - - if(i == fNumSessions) return cKrbSessDoesntExist; - - fNumSessions--; - - creds = (Handle) sptr[i].creds; - - for( ; i < fNumSessions; i++) { - strcpy(sptr[i].name, sptr[i+1].name); - strcpy(sptr[i].instance, sptr[i+1].instance); - strcpy(sptr[i].realm, sptr[i+1].realm); - } - - SetHandleSize((Handle) fSessions, fNumSessions * sizeof(Session)); - if(creds) DisposHandle(creds); - - return MemError(); - } - -OSErr GetCredentials(name, instance, realm, cr) - const char *name; - const char *instance; - const char *realm; - CREDENTIALS *cr; -{ - int i; - Session *sptr; - CREDENTIALS *cptr; - - if(!fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, name) && - !strcmp(sptr[i].instance, instance) && - !strcmp(sptr[i].realm, realm)) { - break; - } - } - - if(i == fNumSessions) return cKrbSessDoesntExist; - - sptr = 
sptr + i; - - if(!sptr->numcreds || !sptr->creds) return cKrbCredsDontExist; - - cptr = *(sptr->creds); - - for(i = 0; i < sptr->numcreds; i++) { - if(!strcmp(cptr[i].service, cr->service) && - !strcmp(cptr[i].instance, cr->instance) && - !strcmp(cptr[i].realm, cr->realm)) { - break; - } - } - - if(i == sptr->numcreds) return cKrbCredsDontExist; - - *cr = cptr[i]; - return noErr; - } - -OSErr AddCredentials(name, instance, realm, cr) - const char *name; - const char *instance; - const char *realm; - const CREDENTIALS *cr; -{ - Session *sptr; - Handle creds; - int i, thesess; - CREDENTIALS *cptr; - - /* find the appropriate session, or create it if it doesn't exist */ - if(!fSessions) { - fSessions = (Session**) NewHandleSys(0); - if(MemError()) return MemError(); - fNumSessions = 0; - } - - sptr = *fSessions; - - for(thesess = 0; thesess < fNumSessions; thesess++) { - if(!strcmp(sptr[thesess].name, name) && - !strcmp(sptr[thesess].instance, instance) && - !strcmp(sptr[thesess].realm, realm)) { - break; - } - } - - sptr = (*fSessions) + thesess; - - if(thesess == fNumSessions) { /* doesn't exist, create it */ - fNumSessions++; - SetHandleSize((Handle) fSessions, fNumSessions * sizeof(Session)); - if(MemError()) return MemError(); - - /* fSessions may have been moved, so redereference */ - sptr = (*fSessions) + thesess; - strcpy(sptr->name, (char *)name); - strcpy(sptr->instance, (char *)instance); - strcpy(sptr->realm, (char *)realm); - sptr->numcreds = 0; - sptr->creds = 0; - } - - /* if the session has no assoc creds, create storage for them so rest of algorithm - doesn't break */ - if(!sptr->numcreds || !sptr->creds) { - creds = NewHandleSys((Size) 0); - if(MemError()) return MemError(); - - /* rederef */ - sptr = (*fSessions) + thesess; - sptr->creds = (CREDENTIALS **)creds; - sptr->numcreds = 0; - } - - /* find creds if we already have an instance of them, or create a new slot for them - if we don't */ - cptr = *(sptr->creds); - - for(i = 0; i < sptr->numcreds; 
i++) { - if(!strcmp(cptr[i].service, cr->service) && - !strcmp(cptr[i].instance, cr->instance) && - !strcmp(cptr[i].realm, cr->realm)) { - break; - } - } - - if(i == sptr->numcreds) { - sptr->numcreds++; - SetHandleSize((Handle)sptr->creds, sptr->numcreds * sizeof(CREDENTIALS)); - if(MemError()) return MemError(); - - /* rederef */ - sptr = (*fSessions) + thesess; - cptr = *(sptr->creds); - } - - /* store them (possibly replacing previous creds if they already exist) */ - cptr[i] = *cr; - return noErr; - } - -OSErr -DeleteCredentials (uname, uinst, urealm, sname, sinst, srealm) - const char *uname; - const char *uinst; - const char *urealm; - const char *sname; - const char *sinst; - const char *srealm; -{ - int i; - Session *sptr; - CREDENTIALS *cptr; - - if(!fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, uname) && - !strcmp(sptr[i].instance, uinstance) && - !strcmp(sptr[i].realm, urealm)) { - break; - } - } - - if(i == fNumSessions) return cKrbSessDoesntExist; - - sptr = sptr + i; - - if(!sptr->numcreds || !sptr->creds) return cKrbCredsDontExist; - - cptr = *(sptr->creds); - - for(i = 0; i < sptr->numcreds; i++) { - if(!strcmp(cptr[i].service, sname) && - !strcmp(cptr[i].instance, sinst) && - !strcmp(cptr[i].realm, srealm)) { - break; - } - } - - if(i == sptr->numcreds) return cKrbCredsDontExist; - - sptr->numcreds--; - - for( ; i < sptr->numcreds; i++) { - cptr[i] = cptr[i+1]; - } - - SetHandleSize((Handle) sptr->creds, sptr->numcreds * sizeof(CREDENTIALS)); - - return MemError(); - } - -OSErr GetNumCredentials(name, instance, realm, n) - const char *name; - const char *instance; - const char *realm; - int *n; -{ - int i; - Session *sptr; - - if(!fNumSessions || !fSessions) { - *n = 0; - return cKrbSessDoesntExist; - } - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, name) && - !strcmp(sptr[i].instance, instance) && - 
!strcmp(sptr[i].realm, realm)) { - break; - } - } - - if(i == fNumSessions) { - *n = 0; - return cKrbCredsDontExist; - } - - *n = sptr[i].numcreds; - return noErr; - } - -/* returns service name, service instance and realm of the nth credential. */ -/* n starts at 1, not 0 */ -OSErr -GetNthCredentials(uname, uinstance, urealm, sname, sinst, srealm, n) - const char *uname; - const char *uinstance; - const char *urealm; - char *sname; - char *sinst; - char *srealm; - const int n; -{ - int i; - Session *sptr; - CREDENTIALS *cptr; - - if(!fNumSessions || !fSessions) return cKrbSessDoesntExist; - - sptr = *fSessions; - - for(i = 0; i < fNumSessions; i++) { - if(!strcmp(sptr[i].name, uname) && - !strcmp(sptr[i].instance, uinstance) && - !strcmp(sptr[i].realm, urealm)) { - break; - } - } - - if(i == fNumSessions) return cKrbSessDoesntExist; - - sptr = (*fSessions) + i; - - if(n > sptr->numcreds || !sptr->creds) return cKrbCredsDontExist; - - cptr = (*(sptr->creds)) + n-1; - - /* - check for null pointers cuz. some callers don't provide - storage for all this info, eg. Kerb_get_tf_fullname. - */ - - if (sname) - strcpy(sname, cptr->service); - if (sinst) - strcpy(sinst, cptr->instance); - if (srealm) - strcpy(srealm, cptr->realm); - return noErr; -} diff --git a/src/lib/krb4/memcache.h b/src/lib/krb4/memcache.h deleted file mode 100644 index d6d0419..0000000 --- a/src/lib/krb4/memcache.h +++ /dev/null 
@@ -1,36 +0,0 @@
-/*
- memcache.h
- Kerberos credential store in memory
- Originally coded by Tim Miller / Brown University
- Mods 1/92 By Peter Bosanko
-
- Modified May-June 1994 by Julia Menapace and John Gilmore,
- Cygnus Support.
-*/
-
-struct Session {
- char name[ANAME_SZ];
- char instance[INST_SZ];
- char realm[REALM_SZ];
- int numcreds;
- CREDENTIALS **creds;
-};
-typedef struct Session Session;
-
-OSErr GetNumSessions(int *n);
-OSErr GetNthSession(const int n, char *name, char *instance, char *realm);
-OSErr DeleteSession(const char *name, const char *instance, const char *realm);
-OSErr GetCredentials(const char *name, const char *instance, const char *realm,
- CREDENTIALS *cr);
-/* name, instance, and realm of service wanted should be set in *cr
- before calling */
-OSErr AddCredentials(const char *name, const char *instance, const char *realm,
- const CREDENTIALS *cr);
-OSErr DeleteCredentials(const char *uname, const char *uinst,
- const char *urealm, const char *sname,
- const char *sinst, const char *srealm);
-OSErr GetNumCredentials(const char *name, const char *instance,
- const char *realm, int *n);
-OSErr GetNthCredentials(const char *uname, const char *uinst,
- const char *urealm, char *sname, char *sinst,
- char *srealm, const int n);
diff --git a/src/lib/krb4/mk_auth.c b/src/lib/krb4/mk_auth.c
deleted file mode 100644
index e09e900..0000000
--- a/src/lib/krb4/mk_auth.c
+++ /dev/null
@@ -1,249 +0,0 @@ -/* - * lib/krb4/mk_auth.c - * - * Copyright 1987, 1988, 2000, 2001 by the Massachusetts Institute of - * Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Derived from sendauth.c by John Gilmore, 10 October 1994. - */ - -#include <stdio.h> -#include "krb.h" -#include "prot.h" -#include <errno.h> -#include <string.h> - -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */ -/* - * If the protocol changes, you will need to change the version string - * and make appropriate changes in recvauth.c and sendauth.c. - */ - -/* - * This file contains two routines: krb_mk_auth() and krb_check_auth(). - * - * krb_mk_auth() packages a ticket for transmission to an application - * server. - * - * krb_krb_check_auth() validates a mutual-authentication response from - * the application server. 
- * - * These routines are portable versions that implement a protocol - * compatible with the original Unix "sendauth". - */ - -/* - * The first argument to krb_mk_auth() contains a bitfield of - * options (the options are defined in "krb.h"): - * - * KOPT_DONT_CANON Don't canonicalize instance as a hostname. - * (If this option is not chosen, krb_get_phost() - * is called to canonicalize it.) - * - * KOPT_DONT_MK_REQ Don't request server ticket from Kerberos. - * A ticket must be supplied in the "ticket" - * argument. - * (If this option is not chosen, and there - * is no ticket for the given server in the - * ticket cache, one will be fetched using - * krb_mk_req() and returned in "ticket".) - * - * KOPT_DO_MUTUAL Do mutual authentication, requiring that the - * receiving server return the checksum+1 encrypted - * in the session key. The mutual authentication - * is done using krb_mk_priv() on the other side - * (see "recvauth.c") and krb_rd_priv() on this - * side. - * - * The "ticket" argument is used to store the new ticket - * from the krb_mk_req() call. If the KOPT_DONT_MK_REQ options is - * chosen, the ticket must be supplied in the "ticket" argument. - * The "service", "inst", and "realm" arguments identify the ticket. - * If "realm" is null, the local realm is used. - * - * The following argument is only needed if the KOPT_DO_MUTUAL option - * is chosen: - * - * The "checksum" argument is a number that the server will add 1 to - * to authenticate itself back to the client. - * - * The application protocol version number (of up to KRB_SENDAUTH_VLEN - * characters) is passed in "version". - * - * The ticket is packaged into a message in the buffer pointed to by - * the argument "buf". - * - * If all goes well, KSUCCESS is returned, otherwise some error code. 
- * - * The format of the message packaged to send to the application server is: - * - * Size Variable Field - * ---- -------- ----- - * - * KRB_SENDAUTH_VLEN KRB_SENDAUTH_VER sendauth protocol - * bytes version number - * - * KRB_SENDAUTH_VLEN version application protocol - * bytes version number - * - * 4 bytes ticket->length length of ticket - * - * ticket->length ticket->dat ticket itself - */ - -/* - * Build a "sendauth" packet compatible with Unix sendauth/recvauth. - */ -int KRB5_CALLCONV -krb_mk_auth(options, ticket, service, inst, realm, checksum, version, buf) - long options; /* bit-pattern of options */ - KTEXT ticket; /* where to put ticket (return); or - supplied in case of KOPT_DONT_MK_REQ */ - char *service; /* service name */ - char *inst; /* instance (OUTPUT canonicalized) */ - char *realm; /* realm */ - unsigned KRB4_32 checksum; /* checksum to include in request */ - char *version; /* version string */ - KTEXT buf; /* Output buffer to fill */ -{ - int rem; - char krb_realm[REALM_SZ]; - char *phost; - int phostlen; - unsigned char *p; - - rem = KSUCCESS; - - /* get current realm if not passed in */ - if (!realm) { - rem = krb_get_lrealm(krb_realm,1); - if (rem != KSUCCESS) - return rem; - realm = krb_realm; - } - - if (!(options & KOPT_DONT_CANON)) { - phost = krb_get_phost(inst); - phostlen = krb4int_strnlen(phost, INST_SZ) + 1; - if (phostlen <= 0 || phostlen > INST_SZ) - return KFAILURE; - memcpy(inst, phost, (size_t)phostlen); - } - - /* get the ticket if desired */ - if (!(options & KOPT_DONT_MK_REQ)) { - rem = krb_mk_req(ticket, service, inst, realm, (KRB4_32)checksum); - if (rem != KSUCCESS) - return rem; - } - -#ifdef ATHENA_COMPAT - /* this is only for compatibility with old servers */ - if (options & KOPT_DO_OLDSTYLE) { - (void) snprintf(buf->dat, sizeof(buf->dat), "%d ",ticket->length); - (void) write(fd, buf, strlen(buf)); - (void) write(fd, (char *) ticket->dat, ticket->length); - return(rem); - } -#endif /* ATHENA_COMPAT */ - - /* 
Check buffer size */ - if (sizeof(buf->dat) < (KRB_SENDAUTH_VLEN + KRB_SENDAUTH_VLEN - + 4 + ticket->length) - || ticket->length < 0) - return KFAILURE; - - /* zero the buffer */ - memset(buf->dat, 0, sizeof(buf->dat)); - p = buf->dat; - - /* insert version strings */ - strncpy((char *)p, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN); - p += KRB_SENDAUTH_VLEN; - strncpy((char *)p, version, KRB_SENDAUTH_VLEN); - p += KRB_SENDAUTH_VLEN; - - /* put ticket length into buffer */ - KRB4_PUT32BE(p, ticket->length); - - /* put ticket into buffer */ - memcpy(p, ticket->dat, (size_t)ticket->length); - p += ticket->length; - - buf->length = p - buf->dat; - return KSUCCESS; -} - -/* - * For mutual authentication using mk_auth, check the server's response - * to validate that we're really talking to the server which holds the - * key that we obtained from the Kerberos key server. - * - * The "buf" argument is the response we received from the app server. - * The "checksum" argument is a number that the server has added 1 to - * to authenticate itself back to the client (us); the "msg_data" argument - * returns the returned mutual-authentication message from the server - * (i.e., the checksum+1); "session" holds the - * session key of the server, extracted from the ticket file, for use - * in decrypting the mutual authentication message from the server; - * and "schedule" returns the key schedule for that decryption. The - * the local and server addresses are given in "laddr" and "faddr". 
- */ -int KRB5_CALLCONV -krb_check_auth (buf, checksum, msg_data, session, schedule, laddr, faddr) - KTEXT buf; /* The response we read from app server */ - unsigned KRB4_32 checksum; /* checksum we included in request */ - MSG_DAT *msg_data; /* mutual auth MSG_DAT (return) */ - C_Block session; /* credentials (input) */ - Key_schedule schedule; /* key schedule (return) */ - struct sockaddr_in *laddr; /* local address */ - struct sockaddr_in *faddr; /* address of foreign host on fd */ -{ - int cc; - unsigned KRB4_32 cksum; - unsigned char *p; - - /* decrypt it */ -#ifndef NOENCRYPTION - key_sched(session, schedule); -#endif /* !NOENCRYPTION */ - if (buf->length < 0) - return KFAILURE; - cc = krb_rd_priv(buf->dat, (unsigned KRB4_32)buf->length, schedule, - (C_Block *)session, faddr, laddr, msg_data); - if (cc) - return cc; - - /* - * Fetch the (incremented) checksum that we supplied in the - * request. - */ - if (msg_data->app_length < 4) - return KFAILURE; - p = msg_data->app_data; - KRB4_GET32BE(cksum, p); - - /* if it doesn't match, fail -- reply wasn't from our real server. */ - if (cksum != checksum + 1) - return KFAILURE; /* XXX */ - return KSUCCESS; -} diff --git a/src/lib/krb4/mk_err.c b/src/lib/krb4/mk_err.c deleted file mode 100644 index 5eeca1b..0000000 --- a/src/lib/krb4/mk_err.c +++ /dev/null 
@@ -1,83 +0,0 @@
-/*
- * lib/krb4/mk_err.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include <string.h>
-
-/*
- * This routine creates a general purpose error reply message. It
- * doesn't use KTEXT because application protocol may have long
- * messages, and may want this part of buffer contiguous to other
- * stuff.
- *
- * The error reply is built in "p", using the error code "e" and
- * error text "e_string" given. The length of the error reply is
- * returned.
- *
- * The error reply is in the following format:
- *
- * unsigned char KRB_PROT_VERSION protocol version no.
- * unsigned char AUTH_MSG_APPL_ERR message type
- * (least significant
- * bit of above) HOST_BYTE_ORDER local byte order
- * 4 bytes e given error code
- * string e_string given error text
- */
-
-long KRB5_CALLCONV
-krb_mk_err(p, e, e_string)
- u_char *p; /* Where to build error packet */
- KRB4_32 e; /* Error code */
- char *e_string; /* Text of error */
-{
- u_char *start;
- size_t e_len;
-
- e_len = strlen(e_string) + 1;
-
- /* Just return the buffer length if p is NULL, because writing to the
- * buffer would be a bad idea. Note that this feature is a change from
- * previous versions, and can therefore only be used safely in this
- * source tree, where we know this function supports it. */
- if (p == NULL) {
- return 1 + 1 + 4 + e_len;
- }
-
- start = p;
-
- /* Create fixed part of packet */
- *p++ = KRB_PROT_VERSION;
- *p++ = AUTH_MSG_APPL_ERR;
-
- /* Add the basic info */
- KRB4_PUT32BE(p, e);
- memcpy(p, e_string, e_len); /* err text */
- p += e_len;
-
- /* And return the length */
- return p - start;
-}
diff --git a/src/lib/krb4/mk_preauth.c b/src/lib/krb4/mk_preauth.c
deleted file mode 100644
index 1215e11..0000000
--- a/src/lib/krb4/mk_preauth.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/* mk_preauth.c */
-/* part of Cygnus Network Security */
-/* Copyright 1994 Cygnus Support */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include <string.h>
-
-#include "autoconf.h"
-#ifdef HAVE_STDLIB_H
-#include <stdlib.h>
-#else
-extern char *malloc(), *calloc(), *realloc();
-#endif
-
-int
-krb_mk_preauth(preauth_p, preauth_len,
- key_proc, aname, inst, realm, password, key)
- char **preauth_p;
- int *preauth_len;
- key_proc_type key_proc;
- char *aname;
- char *inst;
- char *realm;
- char *password;
- C_Block key;
-{
-#ifdef NOENCRYPTION
- *preauth_len = strlen(aname) + 1; /* include the trailing 0 */
- *preauth_p = malloc(*preauth_len);
- strcpy(*preauth_p, aname); /* this will copy the trailing 0 */
-#else
- des_key_schedule key_s;
- int sl = strlen(aname);
-#endif
-
- (*key_proc)(aname, inst, realm, password, key);
-
-#ifndef NOENCRYPTION
- /*
- * preauth_len is set to a length greater than sl + 1
- * and a multpile of 8
- */
- *preauth_len = (((sl + 1) / 8) + 1) * 8;
- /* allocate memory for preauth_p and fill it with 0 */
- *preauth_p = malloc((size_t)*preauth_len);
- /* create the key schedule */
- if (des_key_sched(key, key_s)) {
- return 1;
- }
- /*
- * encrypt aname using key_s as the key schedule and key as the
- * initialization vector.
- */
- des_pcbc_encrypt((des_cblock *)aname, (des_cblock *)*preauth_p,
- (long)(sl + 1), key_s, (des_cblock *)key, DES_ENCRYPT);
- memset(key_s, 0, sizeof(key_s));
-#endif
- return 0;
-}
-
-void
-krb_free_preauth(preauth_p, preauth_len)
- char *preauth_p;
- int preauth_len;
-{
- free(preauth_p);
- return;
-}
diff --git a/src/lib/krb4/mk_priv.c b/src/lib/krb4/mk_priv.c
deleted file mode 100644
index 470ad94..0000000
--- a/src/lib/krb4/mk_priv.c
+++ /dev/null
@@ -1,301 +0,0 @@ -/* - * lib/krb4/mk_priv.c - * - * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of - * Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * This routine constructs a Kerberos 'private msg', i.e. - * cryptographically sealed with a private session key. - * - * Returns either < 0 ===> error, or resulting size of message - * - * Steve Miller Project Athena MIT/DEC - */ - -#include <stdio.h> -#include <string.h> - -#include "krb.h" -#include "prot.h" -#include "des.h" -#include "lsb_addr_cmp.h" -#include "port-sockets.h" - -extern int krb_debug; - -/* - * krb_mk_priv() constructs an AUTH_MSG_PRIVATE message. It takes - * some user data "in" of "length" bytes and creates a packet in "out" - * consisting of the user data, a timestamp, and the sender's network - * address. 
-#ifndef NOENCRYTION - * The packet is encrypted by pcbc_encrypt(), using the given - * "key" and "schedule". -#endif - * The length of the resulting packet "out" is - * returned. - * - * It is similar to krb_mk_safe() except for the additional key - * schedule argument "schedule" and the fact that the data is encrypted - * rather than appended with a checksum. Also, the protocol version - * number is "private_msg_ver", defined in krb_rd_priv.c, rather than - * KRB_PROT_VERSION, defined in "krb.h". - * - * The "out" packet consists of: - * - * Size Variable Field - * ---- -------- ----- - * - * 1 byte private_msg_ver protocol version number - * 1 byte AUTH_MSG_PRIVATE | message type plus local - * HOST_BYTE_ORDER byte order in low bit - * -#ifdef NOENCRYPTION - * 4 bytes c_length length of data -#else - * 4 bytes c_length length of encrypted data - * - * ===================== begin encrypt ================================ -#endif - * - * 4 bytes length length of user data - * length in user data - * 1 byte msg_time_5ms timestamp milliseconds - * 4 bytes sender->sin.addr.s_addr sender's IP address - * - * 4 bytes msg_time_sec or timestamp seconds with - * -msg_time_sec direction in sign bit - * - * 0<=n<=7 bytes pad to 8 byte multiple zeroes -#ifndef NOENCRYPTION - * (done by pcbc_encrypt()) - * - * ======================= end encrypt ================================ -#endif - */ - -/* Utility function: - - Determine order of addresses, if SENDER less than RECEIVER return 1 - so caller will negate timestamp. Return -1 for failure. 
*/ -int -krb4int_address_less (struct sockaddr_in *sender, struct sockaddr_in *receiver) -{ - unsigned long sender_addr, receiver_addr; - unsigned short sender_port, receiver_port; - switch (sender->sin_family) { - case AF_INET: - sender_addr = sender->sin_addr.s_addr; - sender_port = sender->sin_port; - break; -#ifdef KRB5_USE_INET6 - case AF_INET6: - { - struct sockaddr_in6 *s6 = (struct sockaddr_in6 *) sender; - if (IN6_IS_ADDR_V4MAPPED (&s6->sin6_addr)) { - struct sockaddr_in sintmp = { 0 }; - memcpy (&sintmp.sin_addr.s_addr, - 12+(char*)&s6->sin6_addr.s6_addr, - 4); - sender_addr = sintmp.sin_addr.s_addr; - } else - return -1; - sender_port = s6->sin6_port; - break; - } -#endif - default: - return -1; - } - switch (receiver->sin_family) { - case AF_INET: - receiver_addr = receiver->sin_addr.s_addr; - receiver_port = receiver->sin_port; - break; -#ifdef KRB5_USE_INET6 - case AF_INET6: - { - struct sockaddr_in6 *s6 = (struct sockaddr_in6 *) receiver; - if (IN6_IS_ADDR_V4MAPPED (&s6->sin6_addr)) { - struct sockaddr_in sintmp = { 0 }; - memcpy (&sintmp.sin_addr.s_addr, - 12+(char*)&s6->sin6_addr.s6_addr, - 4); - receiver_addr = sintmp.sin_addr.s_addr; - } else - return -1; - receiver_port = s6->sin6_port; - break; - } -#endif - default: - return -1; - } - /* For compatibility with broken old code, compares are done in - VAX byte order (LSBFIRST). */ - if (lsb_net_ulong_less(sender_addr, receiver_addr) == -1 - || (lsb_net_ulong_less(sender_addr, receiver_addr) == 0 - && lsb_net_ushort_less(sender_port, receiver_port) == -1)) - return 1; - return 0; - /* - * all that for one tiny bit! Heaven help those that talk to - * themselves. - */ -} - -long KRB5_CALLCONV -krb_mk_priv(in, out, length, schedule, key, sender, receiver) - u_char *in; /* application data */ - u_char *out; /* put msg here, leave room for - * header! 
breaks if in and out - * (header stuff) overlap */ - unsigned KRB4_32 length; /* of in data */ - Key_schedule schedule; /* precomputed key schedule */ - C_Block *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; /* sender address */ - struct sockaddr_in *receiver; /* receiver address */ -{ - register u_char *p,*q; - u_char *c_length_ptr; - extern int private_msg_ver; /* in krb_rd_priv.c */ - - unsigned KRB4_32 c_length, c_length_raw; - u_char msg_time_5ms; - unsigned KRB4_32 msg_time_sec; - unsigned KRB4_32 msg_time_usec; - - /* Be really paranoid. */ - if (sizeof(sender->sin_addr.s_addr) != 4) - return -1; - /* - * get the current time to use instead of a sequence #, since - * process lifetime may be shorter than the lifetime of a session - * key. - */ - msg_time_sec = TIME_GMT_UNIXSEC_US(&msg_time_usec); - msg_time_5ms = msg_time_usec / 5000; /* 5ms quanta */ - - p = out; - - /* Cruftiness below! */ - *p++ = private_msg_ver ? private_msg_ver : KRB_PROT_VERSION; - *p++ = AUTH_MSG_PRIVATE; - - /* save ptr to cipher length */ - c_length_ptr = p; - p += 4; - -#ifndef NOENCRYPTION - /* start for encrypted stuff */ -#endif - q = p; - - /* stuff input length */ - KRB4_PUT32BE(p, length); - -#ifdef NOENCRYPTION - /* make all the stuff contiguous for checksum */ -#else - /* make all the stuff contiguous for checksum and encryption */ -#endif - memcpy(p, in, (size_t)length); - p += length; - - /* stuff time 5ms */ - *p++ = msg_time_5ms; - - /* stuff source address */ - if (sender->sin_family == AF_INET) - memcpy(p, &sender->sin_addr.s_addr, sizeof(sender->sin_addr.s_addr)); -#ifdef KRB5_USE_INET6 - else if (sender->sin_family == AF_INET6 - && IN6_IS_ADDR_V4MAPPED (&((struct sockaddr_in6 *)sender)->sin6_addr)) - memcpy(p, 12+(char*)&((struct sockaddr_in6 *)sender)->sin6_addr, 4); -#endif - else - /* The address isn't one we can encode in 4 bytes -- but - that's okay if the receiver doesn't care. 
*/ - memset(p, 0, 4); - p += sizeof(sender->sin_addr.s_addr); - - /* - * direction bit is the sign bit of the timestamp. Ok - * until 2038?? - */ - switch (krb4int_address_less (sender, receiver)) { - case 1: - msg_time_sec = -msg_time_sec; - break; - case -1: - /* Which way should we go in this case? */ - case 0: - break; - } - - /* stuff time sec */ - KRB4_PUT32BE(p, msg_time_sec); - - /* - * All that for one tiny bit! Heaven help those that talk to - * themselves. - */ - -#ifdef notdef - /* - * calculate the checksum of the length, address, sequence, and - * inp data - */ - cksum = quad_cksum(q,NULL,p-q,0,key); - DEB (("\ncksum = %u",cksum)); - /* stuff checksum */ - memcpy(p, &cksum, sizeof(cksum)); - p += sizeof(cksum); -#endif - -#ifdef NOENCRYPTION - /* - * All the data have been assembled, compute length - */ -#else - /* - * All the data have been assembled, compute length and encrypt - * starting with the length, data, and timestamps use the key as - * an ivec. - */ -#endif - - c_length_raw = p - q; - c_length = ((c_length_raw + sizeof(C_Block) -1) - / sizeof(C_Block)) * sizeof(C_Block); - /* stuff the length */ - p = c_length_ptr; - KRB4_PUT32BE(p, c_length); - -#ifndef NOENCRYPTION - /* pcbc encrypt, pad as needed, use key as ivec */ - pcbc_encrypt((C_Block *)q,(C_Block *)q, (long)c_length_raw, - schedule, key, ENCRYPT); -#endif /* NOENCRYPTION */ - - return q - out + c_length; /* resulting size */ -} diff --git a/src/lib/krb4/mk_req.c b/src/lib/krb4/mk_req.c deleted file mode 100644 index fc92c58..0000000 --- a/src/lib/krb4/mk_req.c +++ /dev/null 
@@ -1,285 +0,0 @@ -/* - * lib/krb4/mk_req.c - * - * Copyright 1985, 1986, 1987, 1988, 2000, 2002 by the Massachusetts - * Institute of Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "krb.h" -#include "prot.h" -#include "des.h" -#include <string.h> -#include "krb4int.h" - -extern int krb_ap_req_debug; -static int lifetime = 255; /* Default based on the TGT */ - -static int krb_mk_req_creds_prealm(KTEXT, CREDENTIALS *, KRB4_32, char *); - -/* - * krb_mk_req takes a text structure in which an authenticator is to - * be built, the name of a service, an instance, a realm, - * and a checksum. It then retrieves a ticket for - * the desired service and creates an authenticator in the text - * structure passed as the first argument. krb_mk_req returns - * KSUCCESS on success and a Kerberos error code on failure. 
- * - * The peer procedure on the other end is krb_rd_req. When making - * any changes to this routine it is important to make corresponding - * changes to krb_rd_req. - * - * The authenticator consists of the following: - * - * authent->dat - * - * unsigned char KRB_PROT_VERSION protocol version no. - * unsigned char AUTH_MSG_APPL_REQUEST message type - * (least significant - * bit of above) HOST_BYTE_ORDER local byte ordering - * unsigned char kvno from ticket server's key version - * string realm server's realm - * unsigned char tl ticket length - * unsigned char idl request id length - * text ticket->dat ticket for server - * text req_id->dat request id - * - * The ticket information is retrieved from the ticket cache or - * fetched from Kerberos. The request id (called the "authenticator" -#ifdef NOENCRYPTION - * in the papers on Kerberos) contains the following: -#else - * in the papers on Kerberos) contains information encrypted in the session - * key for the client and ticket-granting service: {req_id}Kc,tgs - * Before encryption, it contains the following: -#endif - * - * req_id->dat - * - * string cr.pname {name, instance, and - * string cr.pinst realm of principal - * string myrealm making this request} - * 4 bytes checksum checksum argument given - * unsigned char time_usecs time (microseconds) - * 4 bytes time_secs time (seconds) - * - * req_id->length = 3 strings + 3 terminating nulls + 5 bytes for time, - * all rounded up to multiple of 8. 
- */ - -static int -krb_mk_req_creds_prealm(authent, creds, checksum, myrealm) - register KTEXT authent; /* Place to build the authenticator */ - CREDENTIALS *creds; - KRB4_32 checksum; /* Checksum of data (optional) */ - char *myrealm; /* Client's realm */ -{ - KTEXT_ST req_st; /* Temp storage for req id */ - KTEXT req_id = &req_st; - unsigned char *p, *q, *reqid_lenp; - int tl; /* Tkt len */ - int idl; /* Reqid len */ - register KTEXT ticket; /* Pointer to tkt_st */ - Key_schedule key_s; - size_t realmlen, pnamelen, pinstlen, myrealmlen; - unsigned KRB4_32 time_secs; - unsigned KRB4_32 time_usecs; - - /* Don't risk exposing stack garbage to correspondent, even if - encrypted from other prying eyes. */ - memset(&req_st, 0x69, sizeof(req_st)); - - ticket = &creds->ticket_st; - /* Get the ticket and move it into the authenticator */ - if (krb_ap_req_debug) - DEB (("Realm: %s\n", creds->realm)); - - realmlen = strlen(creds->realm) + 1; - if (sizeof(authent->dat) < (1 + 1 + 1 - + realmlen - + 1 + 1 + ticket->length) - || ticket->length < 0 || ticket->length > 255) { - authent->length = 0; - return KFAILURE; - } - - if (krb_ap_req_debug) - DEB (("%s %s %s %s %s\n", creds->service, creds->instance, - creds->realm, creds->pname, creds->pinst)); - - p = authent->dat; - - /* The fixed parts of the authenticator */ - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_APPL_REQUEST; - *p++ = creds->kvno; - - memcpy(p, creds->realm, realmlen); - p += realmlen; - - tl = ticket->length; - *p++ = tl; - /* Save ptr to where req_id->length goes. 
*/ - reqid_lenp = p; - p++; - memcpy(p, ticket->dat, (size_t)tl); - p += tl; - - if (krb_ap_req_debug) - DEB (("Ticket->length = %d\n",ticket->length)); - if (krb_ap_req_debug) - DEB (("Issue date: %d\n",creds->issue_date)); - - pnamelen = strlen(creds->pname) + 1; - pinstlen = strlen(creds->pinst) + 1; - myrealmlen = strlen(myrealm) + 1; - if (sizeof(req_id->dat) / 8 < (pnamelen + pinstlen + myrealmlen - + 4 + 1 + 4 + 7) / 8) { - return KFAILURE; - } - - q = req_id->dat; - - /* Build request id */ - /* Auth name */ - memcpy(q, creds->pname, pnamelen); - q += pnamelen; - /* Principal's instance */ - memcpy(q, creds->pinst, pinstlen); - q += pinstlen; - /* Authentication domain */ - memcpy(q, myrealm, myrealmlen); - q += myrealmlen; - /* Checksum */ - KRB4_PUT32BE(q, checksum); - - /* Fill in the times on the request id */ - time_secs = TIME_GMT_UNIXSEC_US (&time_usecs); - *q++ = time_usecs; /* time_usecs % 255 */ - /* Time (coarse) */ - KRB4_PUT32BE(q, time_secs); - - /* Fill to a multiple of 8 bytes for DES */ - req_id->length = ((q - req_id->dat + 7) / 8) * 8; - -#ifndef NOENCRYPTION - /* Encrypt the request ID using the session key */ - key_sched(creds->session, key_s); - pcbc_encrypt((C_Block *)req_id->dat, (C_Block *)req_id->dat, - (long)req_id->length, key_s, &creds->session, 1); - /* clean up */ - memset(key_s, 0, sizeof(key_s)); -#endif /* NOENCRYPTION */ - - /* Copy it into the authenticator */ - idl = req_id->length; - if (idl > 255) - return KFAILURE; - *reqid_lenp = idl; - memcpy(p, req_id->dat, (size_t)idl); - p += idl; - - authent->length = p - authent->dat; - - /* clean up */ - memset(req_id, 0, sizeof(*req_id)); - - if (krb_ap_req_debug) - DEB (("Authent->length = %d\n",authent->length)); - if (krb_ap_req_debug) - DEB (("idl = %d, tl = %d\n", idl, tl)); - - return KSUCCESS; -} - -int KRB5_CALLCONV -krb_mk_req(authent, service, instance, realm, checksum) - register KTEXT authent; /* Place to build the authenticator */ - char *service; /* Name of the 
service */ - char *instance; /* Service instance */ - char *realm; /* Authentication domain of service */ - KRB4_32 checksum; /* Checksum of data (optional) */ -{ - char krb_realm[REALM_SZ]; /* Our local realm, if not specified */ - char myrealm[REALM_SZ]; /* Realm of initial TGT. */ - int retval; - CREDENTIALS creds; - - /* get current realm if not passed in */ - if (realm == NULL) { - retval = krb_get_lrealm(krb_realm, 1); - if (retval != KSUCCESS) - return retval; - realm = krb_realm; - } - /* - * Determine realm of these tickets. We will send this to the - * KDC from which we are requesting tickets so it knows what to - * with our session key. - */ - retval = krb_get_tf_realm(TKT_FILE, myrealm); - if (retval != KSUCCESS) - retval = krb_get_lrealm(myrealm, 1); - if (retval != KSUCCESS) - return retval; - - retval = krb_get_cred(service, instance, realm, &creds); - if (retval == RET_NOTKT) { - retval = get_ad_tkt(service, instance, realm, lifetime); - if (retval) - return retval; - retval = krb_get_cred(service, instance, realm, &creds); - if (retval) - return retval; - } - if (retval != KSUCCESS) - return retval; - - retval = krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm); - memset(&creds.session, 0, sizeof(creds.session)); - return retval; -} - -int KRB5_CALLCONV -krb_mk_req_creds(authent, creds, checksum) - register KTEXT authent; /* Place to build the authenticator */ - CREDENTIALS *creds; - KRB4_32 checksum; /* Checksum of data (optional) */ -{ - return krb_mk_req_creds_prealm(authent, creds, checksum, creds->realm); -} - -/* - * krb_set_lifetime sets the default lifetime for additional tickets - * obtained via krb_mk_req(). - * - * It returns the previous value of the default lifetime. - */ - -int KRB5_CALLCONV -krb_set_lifetime(newval) -int newval; -{ - int olife = lifetime; - - lifetime = newval; - return olife; -} diff --git a/src/lib/krb4/mk_safe.c b/src/lib/krb4/mk_safe.c deleted file mode 100644 index 2a157ca..0000000 
--- a/src/lib/krb4/mk_safe.c
+++ /dev/null
@@ -1,167 +0,0 @@ -/* - * lib/krb4/mk_req.c - * - * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of - * Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * This routine constructs a Kerberos 'safe msg', i.e. authenticated - * using a private session key to seed a checksum. Msg is NOT - * encrypted. - * - * Returns either <0 ===> error, or resulting size of message - * - * Steve Miller Project Athena MIT/DEC - */ - -#include <stdio.h> -#include <string.h> - -#include "krb.h" -#include "des.h" -#include "prot.h" -#include "lsb_addr_cmp.h" -#include "port-sockets.h" - -extern int krb_debug; - -/* - * krb_mk_safe() constructs an AUTH_MSG_SAFE message. 
It takes some - * user data "in" of "length" bytes and creates a packet in "out" - * consisting of the user data, a timestamp, and the sender's network - * address, followed by a checksum computed on the above, using the - * given "key". The length of the resulting packet is returned. - * - * The "out" packet consists of: - * - * Size Variable Field - * ---- -------- ----- - * - * 1 byte KRB_PROT_VERSION protocol version number - * 1 byte AUTH_MSG_SAFE | message type plus local - * HOST_BYTE_ORDER byte order in low bit - * - * ===================== begin checksum ================================ - * - * 4 bytes length length of user data - * length in user data - * 1 byte msg_time_5ms timestamp milliseconds - * 4 bytes sender->sin.addr.s_addr sender's IP address - * - * 4 bytes msg_time_sec or timestamp seconds with - * -msg_time_sec direction in sign bit - * - * ======================= end checksum ================================ - * - * 16 bytes big_cksum quadratic checksum of - * above using "key" - */ - -long KRB5_CALLCONV -krb_mk_safe(in, out, length, key, sender, receiver) - u_char *in; /* application data */ - u_char *out; /* - * put msg here, leave room for header! - * breaks if in and out (header stuff) - * overlap - */ - unsigned KRB4_32 length; /* of in data */ - C_Block *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; /* sender address */ - struct sockaddr_in *receiver; /* receiver address */ -{ - register u_char *p,*q; - - unsigned KRB4_32 cksum; - unsigned KRB4_32 big_cksum[4]; - unsigned KRB4_32 msg_secs; - unsigned KRB4_32 msg_usecs; - u_char msg_time_5ms; - KRB4_32 msg_time_sec; - int i; - - /* Be really paranoid. */ - if (sizeof(sender->sin_addr.s_addr) != 4) - return -1; - /* - * get the current time to use instead of a sequence #, since - * process lifetime may be shorter than the lifetime of a session - * key. 
- */ - msg_secs = TIME_GMT_UNIXSEC_US(&msg_usecs); - msg_time_sec = msg_secs; - msg_time_5ms = msg_usecs / 5000; /* 5ms quanta */ - - p = out; - - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_SAFE; - - q = p; /* start for checksum stuff */ - /* stuff input length */ - KRB4_PUT32BE(p, length); - - /* make all the stuff contiguous for checksum */ - memcpy(p, in, length); - p += length; - - /* stuff time 5ms */ - *p++ = msg_time_5ms; - - /* stuff source address */ - if (sender->sin_family == AF_INET) - memcpy(p, &sender->sin_addr.s_addr, sizeof(sender->sin_addr.s_addr)); -#ifdef KRB5_USE_INET6 - else if (sender->sin_family == AF_INET6 - && IN6_IS_ADDR_V4MAPPED (&((struct sockaddr_in6 *)sender)->sin6_addr)) - memcpy(p, 12+(char*)&((struct sockaddr_in6 *)sender)->sin6_addr, 4); -#endif - else - /* The address isn't one we can encode in 4 bytes -- but - that's okay if the receiver doesn't care. */ - memset(p, 0, 4); - p += sizeof(sender->sin_addr.s_addr); - - /* - * direction bit is the sign bit of the timestamp. Ok until - * 2038?? - */ - if (krb4int_address_less (sender, receiver) == 1) - msg_time_sec = -msg_time_sec; - /* stuff time sec */ - KRB4_PUT32BE(p, msg_time_sec); - -#ifdef NOENCRYPTION - cksum = 0; - memset(big_cksum, 0, sizeof(big_cksum)); -#else /* Do encryption */ - /* calculate the checksum of length, timestamps, and input data */ - cksum = quad_cksum(q, (unsigned KRB4_32 *)big_cksum, - p - q, 2, key); -#endif /* NOENCRYPTION */ - DEB(("\ncksum = %u",cksum)); - - /* stuff checksum */ - for (i = 0; i < 4; i++) - KRB4_PUT32BE(p, big_cksum[i]); - - return p - out; /* resulting size */ -} diff --git a/src/lib/krb4/month_sname.c b/src/lib/krb4/month_sname.c deleted file mode 100644 index 48be89e..0000000 --- a/src/lib/krb4/month_sname.c +++ /dev/null 
@@ -1,28 +0,0 @@
-/*
- * month_sname.c
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- */
-
-/*
- * Given an integer 1-12, month_sname() returns a string
- * containing the first three letters of the corresponding
- * month. Returns 0 if the argument is out of range.
- */
-
-#include <krb.h>
-#include "krb4int.h"
-
-const char *month_sname(n)
- int n;
-{
- static const char name[][4] = {
- "Jan","Feb","Mar","Apr","May","Jun",
- "Jul","Aug","Sep","Oct","Nov","Dec"
- };
- return((n < 1 || n > 12) ? 0 : name [n-1]);
-}
diff --git a/src/lib/krb4/netread.c b/src/lib/krb4/netread.c
deleted file mode 100644
index b366df3..0000000
--- a/src/lib/krb4/netread.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * lib/krb4/netwrite.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <errno.h>
-#include "krb.h"
-#include "autoconf.h"
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include "port-sockets.h"
-
-/*
- * krb_net_read() reads from the file descriptor "fd" to the buffer
- * "buf", until either 1) "len" bytes have been read or 2) cannot
- * read anymore from "fd". It returns the number of bytes read
- * or a read() error. (The calling interface is identical to
- * read(2).)
- *
- * XXX must not use non-blocking I/O
- */
-int
-krb_net_read(fd, buf, len)
-int fd;
-register char *buf;
-register int len;
-{
- int cc, len2 = 0;
-
- do {
- cc = SOCKET_READ(fd, buf, len);
- if (cc < 0)
- {
- if (SOCKET_ERRNO == SOCKET_EINTR)
- continue;
- return(cc); /* errno is already set */
- }
- else if (cc == 0) {
- return(len2);
- } else {
- buf += cc;
- len2 += cc;
- len -= cc;
- }
- } while (len > 0);
- return(len2);
-}
diff --git a/src/lib/krb4/netwrite.c b/src/lib/krb4/netwrite.c
deleted file mode 100644
index 3183248..0000000
--- a/src/lib/krb4/netwrite.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * lib/krb4/netwrite.c
- *
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <errno.h>
-#include "krb.h"
-#include "autoconf.h"
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include "port-sockets.h"
-
-/*
- * krb_net_write() writes "len" bytes from "buf" to the file
- * descriptor "fd". It returns the number of bytes written or
- * a write() error. (The calling interface is identical to
- * write(2).)
- *
- * XXX must not use non-blocking I/O
- */
-int
-krb_net_write(fd, buf, len)
-int fd;
-register char *buf;
-int len;
-{
- int cc;
- register int wrlen = len;
- do {
- cc = SOCKET_WRITE(fd, buf, wrlen);
- if (cc < 0)
- {
- if (SOCKET_ERRNO == SOCKET_EINTR)
- continue;
- return(cc);
- }
- else {
- buf += cc;
- wrlen -= cc;
- }
- } while (wrlen > 0);
- return(len);
-}
diff --git a/src/lib/krb4/password_to_key.c b/src/lib/krb4/password_to_key.c
deleted file mode 100644
index d5ca7a5c..0000000
--- a/src/lib/krb4/password_to_key.c
+++ /dev/null
@@ -1,152 +0,0 @@ -/* - * lib/krb4/password_to_key.c - * - * Copyright 1999, 2002 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * password_to_key functions merged from KfM - */ - -#include <string.h> -#include <stdlib.h> - -#ifdef USE_CCAPI -#include <CredentialsCache.h> -#endif -#include "krb.h" -#include "krb4int.h" - -#include "k5-platform.h" - -/* - * passwd_to_key(): given a password, return a DES key. - * There are extra arguments here which (used to be?) - * used by srvtab_to_key(). - * - * If the "passwd" argument is not null, generate a DES - * key from it, using string_to_key(). - * - * If the "passwd" argument is null, then on a Unix system we call - * des_read_password() to prompt for a password and then convert it - * into a DES key. 
But "prompting" the user is harder in a Windows or - * Macintosh environment, so we rely on our caller to explicitly do - * that now. - * - * In either case, the resulting key is put in the "key" argument, - * and 0 is returned. - */ - - -key_proc_type *krb_get_keyprocs (key_proc_type keyproc) -{ - static key_proc_type default_keyprocs[4] = { mit_passwd_to_key, - afs_passwd_to_key, - krb5_passwd_to_key, - NULL }; - - static key_proc_type user_keyprocs[2] = { NULL, NULL }; - - /* generate the list of key procs */ - if (keyproc == NULL) { - return default_keyprocs; /* use the default */ - } else { - user_keyprocs[0] = keyproc; - return user_keyprocs; /* use the caller provided keyprocs */ - } -} - -int KRB5_CALLCONV -mit_passwd_to_key( - char *user, - char *instance, - char *realm, - char *passwd, - C_Block key) -{ -#if 0 /* what system? */ -#pragma unused(user) -#pragma unused(instance) -#pragma unused(realm) -#endif - - if (passwd) { - des_string_to_key(passwd, key); - } else { -#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY)) - des_read_password((des_cblock *)key, "Password", 0); -#else - return (-1); -#endif - } - return (0); -} - -/* So we can use a v4 kinit against a v5 kdc with no krb4 salted key */ -int KRB5_CALLCONV -krb5_passwd_to_key( - char *user, - char *instance, - char *realm, - char *passwd, - C_Block key) -{ - char *p; - - if (user && instance && realm && passwd) { - if (strlen(realm) + strlen(user) + strlen(instance) > MAX_K_NAME_SZ) - /* XXX Is this right? The old code returned 0, which is - also what it returns after sucessfully generating a - key. The other error path returns -1. */ - return 0; - if (asprintf(&p, "%s%s%s%s", passwd, realm, user, instance) >= 0) { - des_string_to_key (p, key); - free (p); - return 0; - } - } - return -1; -} - -int KRB5_CALLCONV -afs_passwd_to_key( - char *user, - char *instance, - char *realm, - char *passwd, - C_Block key) -{ -#if 0 /* what system? 
*/ -#pragma unused(user) -#pragma unused(instance) -#endif - - if (passwd) { - afs_string_to_key(passwd, realm, key); - } else { -#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY)) - des_read_password((des_cblock *)key, "Password", 0); -#else - return (-1); -#endif - } - return (0); -} diff --git a/src/lib/krb4/pkt_cipher.c b/src/lib/krb4/pkt_cipher.c deleted file mode 100644 index 2912348..0000000 --- a/src/lib/krb4/pkt_cipher.c +++ /dev/null @@ -1,35 +0,0 @@ -/* - * pkt_cipher.c - * - * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute - * of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - */ - -#include "mit-copyright.h" -#include <string.h> -#include "krb.h" -#include "prot.h" - - -/* - * This routine takes a reply packet from the Kerberos ticket-granting - * service and returns a pointer to the beginning of the ciphertext in it. - * - * See "prot.h" for packet format. - */ - -KTEXT -pkt_cipher(packet) - KTEXT packet; -{ - unsigned char *ptr = pkt_a_realm(packet) + 6 - + strlen((char *)pkt_a_realm(packet)); - /* Skip a few more fields */ - ptr += 3 + 4; /* add 4 for exp_date */ - - /* And return the pointer */ - return((KTEXT) ptr); -} diff --git a/src/lib/krb4/pkt_clen.c b/src/lib/krb4/pkt_clen.c deleted file mode 100644 index 52763a4..0000000 --- a/src/lib/krb4/pkt_clen.c +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * pkt_clen.c - * - * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute - * of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - */ - -#include "mit-copyright.h" -#include <string.h> -#include "krb.h" -#include "prot.h" - -extern int krb_debug; -int swap_bytes=0; - -/* - * Given a pointer to an AUTH_MSG_KDC_REPLY packet, return the length of - * its ciphertext portion. The external variable "swap_bytes" is assumed - * to have been set to indicate whether or not the packet is in local - * byte order. pkt_clen() takes this into account when reading the - * ciphertext length out of the packet. - */ - -int -pkt_clen(pkt) - KTEXT pkt; -{ - static unsigned short temp; - int clen = 0; - - /* Start of ticket list */ - unsigned char *ptr = pkt_a_realm(pkt) + 10 - + strlen((char *)pkt_a_realm(pkt)); - - /* Finally the length */ - memcpy((char *)&temp, (char *)(++ptr), 2); /* alignment */ - if (swap_bytes) - temp = krb4_swab16(temp); - - clen = (int) temp; - - DEB (("Clen is %d\n",clen)); - return(clen); -} diff --git a/src/lib/krb4/prot_client.c b/src/lib/krb4/prot_client.c deleted file mode 100644 index 315f7f0..0000000 --- a/src/lib/krb4/prot_client.c +++ /dev/null 
@@ -1,370 +0,0 @@ -/* - * lib/krb4/prot_client.c - * - * Copyright 2001 by the Massachusetts Institute of Technology. All - * Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Contains protocol encoders and decoders used by a krb4 client. - */ - -#include "krb.h" -#include "prot.h" -#include <string.h> - -/* - * encode_kdc_request - * - * Packet format is originally from g_in_tkt.c. 
- * - * Size Variable Field - * ---- -------- ----- - * 1 byte KRB_PROT_VERSION protocol version number - * 1 byte AUTH_MSG_KDC_REQUEST | message type - * HOST_BYTE_ORDER local byte order in lsb - * string user client's name - * string instance client's instance - * string realm client's realm - * 4 bytes tlocal.tv_sec timestamp in seconds - * 1 byte life desired lifetime - * string service service's name - * string sinstance service's instance - */ -int KRB5_CALLCONV -krb4prot_encode_kdc_request(char *pname, char *pinst, char *prealm, - KRB4_32 tlocal, int life, - char *sname, char *sinst, - char *preauth, int preauthlen, - int chklen, /* check input str len? */ - int le, /* little-endian? */ - KTEXT pkt) -{ - unsigned char *p; - int ret; - size_t snamelen, sinstlen; - - p = pkt->dat; - - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_KDC_REQUEST | !!le; - - ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, - pkt, &p); - if (ret) - return ret; - - snamelen = strlen(sname) + 1; - sinstlen = strlen(sinst) + 1; - if (chklen && (snamelen > ANAME_SZ || sinstlen > INST_SZ)) - return KRB4PROT_ERR_OVERRUN; - if ((sizeof(pkt->dat) - (p - pkt->dat)) - < (4 + 1 + snamelen + sinstlen + preauthlen)) - return KRB4PROT_ERR_OVERRUN; - - /* timestamp */ - KRB4_PUT32(p, tlocal, le); - - *p++ = life; - - memcpy(p, sname, snamelen); - p += snamelen; - memcpy(p, sinst, sinstlen); - p += sinstlen; - - if (preauthlen) - memcpy(p, preauth, (size_t)preauthlen); - p += preauthlen; - - pkt->length = p - pkt->dat; - return KRB4PROT_OK; -} - -/* - * decode_kdc_reply - */ -int KRB5_CALLCONV -krb4prot_decode_kdc_reply(KTEXT pkt, - int *le, - char *pname, char *pinst, char *prealm, - long *time_ws, int *n, - unsigned long *x_date, int *kvno, - KTEXT ciph) -{ - unsigned char *p; - int msg_type; - int ret; - unsigned int ciph_len; - - p = pkt->dat; - if (pkt->length < 2) - return KRB4PROT_ERR_UNDERRUN; - if (*p++ != KRB_PROT_VERSION) - return KRB4PROT_ERR_PROT_VERS; - msg_type = *p++; - 
*le = msg_type & 1; - msg_type &= ~1; - if (msg_type != AUTH_MSG_KDC_REPLY) - return KRB4PROT_ERR_MSG_TYPE; - - ret = krb4prot_decode_naminstrlm(ciph, &p, pname, pinst, prealm); - if (ret) - return ret; - -#define PKT_REMAIN (pkt->length - (p - pkt->dat)) - - if (PKT_REMAIN < (4 /* time */ - + 1 /* number of tickets */ - + 4 /* exp date */ - + 1 /* kvno */ - + 2)) /* ciph length */ - return KRB4PROT_ERR_UNDERRUN; - if (time_ws != NULL) - KRB4_GET32(*time_ws, p, *le); /* XXX signed/unsigned */ - else - p += 4; - if (n != NULL) - *n = *p++; - else - p++; - if (x_date != NULL) - KRB4_GET32(*x_date, p, *le); - else - p += 4; - if (kvno != NULL) - *kvno = *p++; - else - p++; - KRB4_GET16(ciph_len, p, *le); - if (PKT_REMAIN < ciph_len) - return KRB4PROT_ERR_UNDERRUN; - ciph->length = ciph_len; - memcpy(ciph->dat, p, (size_t)ciph->length); - return KRB4PROT_OK; -#undef PKT_REMAIN -} - -int KRB5_CALLCONV -krb4prot_decode_ciph(KTEXT ciph, int le, - C_Block session, - char *name, char *inst, char *realm, - int *life, int *kvno, - KTEXT tkt, unsigned long *kdc_time) -{ - unsigned char *p; - int ret; - - p = ciph->dat; - if (ciph->length < 8) - return KRB4PROT_ERR_UNDERRUN; - memcpy(session, p, 8); - p += 8; - ret = krb4prot_decode_naminstrlm(ciph, &p, name, inst, realm); - if (ret) - return ret; -#define CIPH_REMAIN (ciph->length - (p - ciph->dat)) - if (CIPH_REMAIN < (1 /* life */ - + 1 /* kvno */ - + 1)) /* tkt->length */ - return KRB4PROT_ERR_UNDERRUN; - if (life != NULL) - *life = *p++; - else - p++; - if (kvno != NULL) - *kvno = *p++; - else - p++; - tkt->length = *p++; - if (CIPH_REMAIN < (tkt->length - + 4)) /* kdc_time */ - return KRB4PROT_ERR_UNDERRUN; - memcpy(tkt->dat, p, (size_t)tkt->length); - p += tkt->length; - - if (kdc_time != NULL) - KRB4_GET32(*kdc_time, p, le); - - return KRB4PROT_OK; -#undef CIPH_REMAIN -} - -/* - * encode_apreq - * - * The following was originally from mk_req.c. - * - * unsigned char KRB_PROT_VERSION protocol version no. 
- * unsigned char AUTH_MSG_APPL_REQUEST message type - * (least significant - * bit of above) HOST_BYTE_ORDER local byte ordering - * unsigned char kvno from ticket server's key version - * string realm server's realm - * unsigned char tl ticket length - * unsigned char idl request id length - * binary ticket->dat ticket for server - * binary req_id->dat request id - */ -int KRB5_CALLCONV -krb4prot_encode_apreq(int kvno, char *realm, - KTEXT tkt, KTEXT req_id, - int chklen, /* check str len? */ - int le, /* little-endian? */ - KTEXT pkt) -{ - unsigned char *p; - size_t realmlen; - - p = pkt->dat; - /* Assume >= 3 bytes in a KTEXT. */ - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_APPL_REQUEST | !!le; - - *p++ = kvno; - - realmlen = strlen(realm) + 1; - if (chklen && realmlen > REALM_SZ) - return KRB4PROT_ERR_OVERRUN; - if (tkt->length > 255 || req_id->length > 255) - return KRB4PROT_ERR_OVERRUN; - if ((sizeof(pkt->dat) - (p - pkt->dat)) - < (realmlen - + 1 /* tkt->length */ - + 1 /* req_id->length */ - + tkt->length + req_id->length)) - return KRB4PROT_ERR_OVERRUN; - - memcpy(p, realm, realmlen); - p += realmlen; - - *p++ = tkt->length; - *p++ = req_id->length; - memcpy(p, tkt->dat, (size_t)tkt->length); - p += tkt->length; - memcpy(p, req_id->dat, (size_t)req_id->length); - p += req_id->length; - - pkt->length = p - pkt->dat; - return KRB4PROT_OK; -} - -/* - * encode_authent - * - * Encodes an authenticator (called req_id in some of the code for - * some weird reason). Does not encrypt. - * - * The following packet layout is originally from mk_req.c. It is - * rounded up to the next multiple of 8 bytes. 
- * - * string cr.pname {name, instance, and - * string cr.pinst realm of principal - * string myrealm making this request} - * 4 bytes checksum checksum argument given - * unsigned char time_usecs time (microseconds) - * 4 bytes time_secs time (seconds) - */ -int KRB5_CALLCONV -krb4prot_encode_authent(char *pname, char *pinst, char *prealm, - KRB4_32 checksum, - int time_usec, long time_sec, - int chklen, /* check str lens? */ - int le, /* little-endian? */ - KTEXT pkt) -{ - unsigned char *p; - int ret; - - p = pkt->dat; - ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, - pkt, &p); - if (ret) - return ret; - if ((sizeof(pkt->dat) - (p - pkt->dat)) / 8 - < (4 /* checksum */ - + 1 /* microsec */ - + 4 /* time */ - + 7) / 8) /* roundoff */ - return KRB4PROT_ERR_OVERRUN; - - KRB4_PUT32(p, checksum, le); - *p++ = time_usec; - KRB4_PUT32(p, time_sec, le); - - memset(p, 0, 7); /* nul-pad */ - pkt->length = (((p - pkt->dat) + 7) / 8) * 8; - return KRB4PROT_OK; -} - -/* - * decode_error - * - * Decodes an error reply from the KDC. 
- */ -int KRB5_CALLCONV -krb4prot_decode_error(KTEXT pkt, int *le, - char *pname, char *pinst, char *prealm, - unsigned long *time_ws, - unsigned long *err, char *err_string) -{ - unsigned char *p; - int msg_type, ret, errstrlen; - - p = pkt->dat; - if (pkt->length < 2) - return KRB4PROT_ERR_UNDERRUN; - if (*p++ != KRB_PROT_VERSION) - return KRB4PROT_ERR_PROT_VERS; - msg_type = *p++; - *le = msg_type & 1; - msg_type &= ~1; - if (msg_type != AUTH_MSG_ERR_REPLY) - return KRB4PROT_ERR_MSG_TYPE; - - ret = krb4prot_decode_naminstrlm(pkt, &p, pname, pinst, prealm); - if (ret) - return ret; - -#define PKT_REMAIN (pkt->length - (p - pkt->dat)) - if (PKT_REMAIN < (4 /* time */ - + 4)) /* err code */ - return KRB4PROT_ERR_UNDERRUN; - - if (time_ws != NULL) - KRB4_GET32(*time_ws, p, le); - else - p += 4; - if (err != NULL) - KRB4_GET32(*err, p, le); - else - p += 4; - - if (PKT_REMAIN <= 0) /* allow for missing error string */ - return KRB4PROT_OK; - - errstrlen = krb4int_strnlen((char *)p, PKT_REMAIN) + 1; - if (errstrlen <= 0) /* If it's there, it must be nul-terminated. */ - return KRB4PROT_ERR_OVERRUN; - if (err_string != NULL) - memcpy(err_string, p, (size_t)errstrlen); - - return KRB4PROT_OK; -#undef PKT_REMAIN -} diff --git a/src/lib/krb4/prot_common.c b/src/lib/krb4/prot_common.c deleted file mode 100644 index 3e36de1..0000000 --- a/src/lib/krb4/prot_common.c +++ /dev/null 
@@ -1,136 +0,0 @@ -/* - * lib/krb4/prot_common.c - * - * Copyright 2001 by the Massachusetts Institute of Technology. All - * Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Contains some common code used by multiple encoders/decoders. - */ - -#include "krb.h" -#include "prot.h" -#include <string.h> - -/* - * encode_naminstrlm - * - * Takes input string triplet of a principal, encodes into PKT. - * Assumes that input strings are properly terminated. If CHKLEN is - * non-zero, validate input string lengths against their respective - * limits. The pointer P is the address of the moving pointer used by - * the caller, and is updated here. - * - * Returns zero on success, non-zero on failure. - * - * PKT->LENGTH is NOT updated. The caller must update it. - */ -int KRB5_CALLCONV -krb4prot_encode_naminstrlm(char *name, char *inst, char *realm, - int chklen, /* check input str len? 
*/ - KTEXT pkt, /* buffer to encode into */ - unsigned char **p /* moving pointer */) -{ - size_t namelen, instlen, realmlen; - - namelen = strlen(name) + 1; - instlen = strlen(inst) + 1; - realmlen = strlen(realm) + 1; - if (chklen && (namelen > ANAME_SZ || instlen > INST_SZ - || realmlen > REALM_SZ)) - return KRB4PROT_ERR_OVERRUN; - if (*p - pkt->dat < namelen + instlen + realmlen) - return KRB4PROT_ERR_OVERRUN; - memcpy(*p, name, namelen); - *p += namelen; - memcpy(*p, inst, instlen); - *p += namelen; - memcpy(*p, realm, realmlen); - *p += namelen; - return KRB4PROT_OK; -} - -/* - * decode_naminstrlm - * - * Grabs a string triplet corresponding to a principal. The input - * buffer PKT should have its length properly set. The pointer P is - * the address of the moving pointer used by the caller, and will be - * updated. If any input pointer is NULL, merely skip the string. - * - * The output strings NAME, INST, and REALM are assumed to be of the - * correct sizes (ANAME_SZ, INST_SZ, REALM_SZ). - * - * Returns 0 on success, non-zero on failure. 
- */ -int KRB5_CALLCONV -krb4prot_decode_naminstrlm(KTEXT pkt, /* buffer to decode from */ - unsigned char **p, /* moving pointer */ - char *name, char *inst, char *realm) -{ - int len; - -#define PKT_REMAIN (pkt->length - (*p - pkt->dat)) - if (PKT_REMAIN <= 0) - return KRB4PROT_ERR_UNDERRUN; - len = krb4int_strnlen((char *)*p, PKT_REMAIN) + 1; - if (len == 0 || len > ANAME_SZ) - return KRB4PROT_ERR_OVERRUN; - if (name != NULL) - memcpy(name, *p, (size_t)len); - *p += len; - - if (PKT_REMAIN <= 0) - return KRB4PROT_ERR_UNDERRUN; - len = krb4int_strnlen((char *)*p, PKT_REMAIN) + 1; - if (len <= 0 || len > INST_SZ) - return KRB4PROT_ERR_OVERRUN; - if (name != NULL) - memcpy(inst, *p, (size_t)len); - *p += len; - - if (PKT_REMAIN <= 0) - return KRB4PROT_ERR_UNDERRUN; - len = krb4int_strnlen((char *)*p, PKT_REMAIN) + 1; - if (len <= 0 || len > REALM_SZ) - return KRB4PROT_ERR_OVERRUN; - if (realm != NULL) - memcpy(realm, *p, (size_t)len); - *p += len; - return KRB4PROT_OK; -#undef PKT_REMAIN -} - -int KRB5_CALLCONV -krb4prot_decode_header(KTEXT pkt, - int *pver, int *msgtype, int *le) -{ - unsigned char *p; - - p = pkt->dat; - if (pkt->length < 2) - return KRB4PROT_ERR_UNDERRUN; - *pver = *p++; - *msgtype = *p++; - *le = *msgtype & 1; - *msgtype &= ~1; - return KRB4PROT_OK; -} diff --git a/src/lib/krb4/prot_kdc.c b/src/lib/krb4/prot_kdc.c deleted file mode 100644 index aaaa9d0..0000000 --- a/src/lib/krb4/prot_kdc.c +++ /dev/null 
@@ -1,461 +0,0 @@
-/*
- * lib/krb4/prot_kdc.c
- *
- * Copyright 1985--1988, 2000, 2001 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Contains the protocol encoders and decoders used by the KDC.
- */
-
-#include "krb.h"
-#include "prot.h"
-#include <string.h>
-#include "port-sockets.h"
-
-/*
- * encode_kdc_reply
- *
- * Encodes a reply from the KDC to the client.
- *
- * Returns KRB4PROT_OK on success, non-zero on failure.
- *
- * Caller is responsible for cleaning up OUTBUF.
- *
- * This packet layout description was originally in cr_auth_repl.c:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- * unsigned char KRB_PROT_VERSION protocol version number
- *
- * unsigned char AUTH_MSG_KDC_REPLY protocol message type
- *
- * [least significant HOST_BYTE_ORDER sender's (server's) byte
- * bit of above field] order
- *
- * string pname principal's name
- *
- * string pinst principal's instance
- *
- * string prealm principal's realm
- *
- * unsigned long time_ws client's timestamp
- *
- * unsigned char n number of tickets
- *
- * unsigned long x_date expiration date
- *
- * unsigned char kvno master key version
- *
- * short cipher->length cipher length
- *
- * binary cipher->dat cipher data
- */
-int KRB5_CALLCONV
-krb4prot_encode_kdc_reply(char *pname, char *pinst, char *prealm,
- long time_ws,
- int n, /* Number of tickets; 0 for krb4 (!) */
- unsigned long x_date, /* exp date */
- int kvno,
- KTEXT cipher, /* encrypted ticket */
- int chklen, /* check input str len? */
- int le, /* little-endian? */
- KTEXT outbuf)
-{
- unsigned char *p;
- int ret;
-
- p = outbuf->dat;
- /* This is really crusty. */
- if (n != 0)
- *p++ = 3;
- else
- *p++ = KRB_PROT_VERSION;
- /* little-endianness based on input, usually big-endian, though.
*/
- *p++ = AUTH_MSG_KDC_REPLY | !!le;
-
- ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen,
- outbuf, &p);
- if (ret)
- return ret;
-
- /* Check lengths */
- if (cipher->length > 65535 || cipher->length < 0)
- return KRB4PROT_ERR_OVERRUN;
- if ((sizeof(outbuf->dat) - (p - outbuf->dat)
- < (4 /* timestamp */
- + 1 /* num of tickets */
- + 4 /* exp date */
- + 1 /* kvno */
- + 2 /* cipher->length */
- + cipher->length))) /* cipher->dat */
- return KRB4PROT_ERR_OVERRUN;
-
- /* Workstation timestamp */
- KRB4_PUT32(p, time_ws, le);
-
- /* Number of tickets */
- *p++ = n;
-
- /* Expiration date */
- KRB4_PUT32(p, x_date, le);
-
- /* Now send the ciphertext and info to help decode it */
- *p++ = kvno;
- KRB4_PUT16(p, cipher->length, le);
- memcpy(p, cipher->dat, (size_t)cipher->length);
- p += cipher->length;
-
- /* And return the packet */
- outbuf->length = p - outbuf->dat;
- return KRB4PROT_OK;
-}
-
-/*
- * encode_ciph
- *
- * Encodes a "cipher" that is to be included in a KDC reply message.
- *
- * Caller is responsible for cleaning up CIPH.
- *
- * Returns KRB4PROT_OK on success, non-zero on failure.
- *
- * Packet format below is originally from cr_ciph.c:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- * 8 bytes session session key for client, service
- *
- * string service service name
- *
- * string instance service instance
- *
- * string realm KDC realm
- *
- * unsigned char life ticket lifetime
- *
- * unsigned char kvno service key version number
- *
- * unsigned char tkt->length length of following ticket
- *
- * data tkt->dat ticket for service
- *
- * 4 bytes kdc_time KDC's timestamp
- *
- * <=7 bytes null null pad to 8 byte multiple
- */
-int KRB5_CALLCONV
-krb4prot_encode_ciph(C_Block session,
- char *name, char *inst, char *realm,
- unsigned long life, int kvno,
- KTEXT tkt, /* ticket */
- unsigned long kdc_time,
- int chklen, /* check str lens? */
- int le, /* little-endian?
*/
- KTEXT ciph) /* output buffer */
-{
- unsigned char *p;
- int ret;
-
- p = ciph->dat;
- /*
- * Assume that there will be >= 8 bytes in a KTEXT. If there
- * aren't, we have worse problems.
- */
- memcpy(p, session, 8);
- p += 8;
-
- ret = krb4prot_encode_naminstrlm(name, inst, realm, chklen,
- ciph, &p);
- if (ret)
- return ret;
- if (tkt->length > 255 || tkt->length < 0)
- return KRB4PROT_ERR_OVERRUN;
- if ((sizeof(ciph->dat) - (p - ciph->dat)) / 8
- < (1 /* life */
- + 1 /* kvno */
- + 1 /* tkt->length */
- + tkt->length /* tkt->dat */
- + 4 /* kdc_time */
- + 7) / 8) /* roundoff */
- return KRB4PROT_ERR_OVERRUN;
-
- *p++ = life;
- *p++ = kvno;
- *p++ = tkt->length;
-
- memcpy(p, tkt->dat, (size_t)tkt->length);
- p += tkt->length;
-
- KRB4_PUT32(p, kdc_time, le);
-
- /* Guarantee null pad to multiple of 8 bytes */
- memset(p, 0, 7);
- ciph->length = (((p - ciph->dat) + 7) / 8) * 8;
- return KRB4PROT_OK;
-}
-
-/*
- * encode_tkt
- *
- * Encode ticket to include in a "cipher". Does not encrypt.
- *
- * Caller is responsible for cleaning TKT.
- *
- * The length of the ticket is a multiple of
- * eight bytes and is in tkt->length.
- *
- * If the ticket is not a multiple of eight bytes long, the ticket
- * will contain nulls.
- *
- * Returns KRB4PROT_OK on success, non-zero on failure.
- *
- * The following packet layout is from cr_tkt.c:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- * unsigned char flags namely, HOST_BYTE_ORDER
- *
- * string pname client's name
- *
- * string pinstance client's instance
- *
- * string prealm client's realm
- *
- * 4 bytes paddress client's address
- *
- * 8 bytes session session key
- *
- * 1 byte life ticket lifetime
- *
- * 4 bytes time_sec KDC timestamp
- *
- * string sname service's name
- *
- * string sinstance service's instance
- *
- * <=7 bytes null null pad to 8 byte multiple
- */
-int KRB5_CALLCONV
-krb4prot_encode_tkt(unsigned int flags,
- char *pname, char *pinst, char *prealm,
- unsigned long paddress,
- char *session,
- int life, long time_sec,
- char *sname, char *sinst,
- int chklen, /* check str lens? */
- int le, /* little-endian? */
- KTEXT tkt) /* output buf */
-{
- struct in_addr paddr;
- unsigned char *p;
- size_t snamelen, sinstlen;
-
- /* Be really paranoid. */
- if (sizeof(paddr.s_addr) != 4)
- return KFAILURE;
-
- p = tkt->dat;
- /*
- * Assume at least one byte in a KTEXT. If not, we have bigger
- * problems. Also, bitwise-OR in the little-endian flag.
- */
- *p++ = flags | !!le;
-
- if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen,
- tkt, &p))
- return KFAILURE;
-
- snamelen = strlen(sname) + 1;
- sinstlen = strlen(sinst) + 1;
- if (life > 255 || life < 0)
- return KFAILURE;
- if (chklen && (snamelen > ANAME_SZ || sinstlen > INST_SZ))
- return KFAILURE;
- if ((sizeof(tkt->dat) - (p - tkt->dat)) / 8
- < (4 /* address */
- + 8 /* session */
- + 1 /* life */
- + 4 /* issue time */
- + snamelen + sinstlen
- + 7) / 8) /* roundoff */
- return KFAILURE;
-
- paddr.s_addr = paddress;
- memcpy(p, &paddr.s_addr, sizeof(paddr.s_addr));
- p += sizeof(paddr.s_addr);
-
- memcpy(p, session, 8);
- p += 8;
- *p++ = life;
- /* issue time */
- KRB4_PUT32(p, time_sec, le);
-
- memcpy(p, sname, snamelen);
- p += snamelen;
- memcpy(p, sinst, sinstlen);
- p += sinstlen;
-
- /* guarantee null padded ticket to multiple of 8 bytes */
- memset(p, 0, 7);
- tkt->length = ((p - tkt->dat + 7) / 8) * 8;
- return KSUCCESS;
-}
-
-/*
- * encode_err_reply
- *
- * Encode an error reply message from the KDC to the client.
- *
- * Returns KRB4PROT_OK on success, non-zero on error.
- *
- * The following packet layout description is from cr_err_repl.c:
- *
- * type variable data
- * or constant
- * ---- ----------- ----
- * unsigned char req_ack_vno protocol version number
- *
- * unsigned char AUTH_MSG_ERR_REPLY protocol message type
- *
- * [least significant HOST_BYTE_ORDER sender's (server's) byte
- * bit of above field] order
- *
- * string pname principal's name
- *
- * string pinst principal's instance
- *
- * string prealm principal's realm
- *
- * unsigned long time_ws client's timestamp
- *
- * unsigned long e error code
- *
- * string e_string error text
- */
-int KRB5_CALLCONV
-krb4prot_encode_err_reply(char *pname, char *pinst, char *prealm,
- unsigned long time_ws,
- unsigned long err, /* error code */
- char *err_string, /* error text */
- int chklen, /* check str lens? */
- int le, /* little-endian?
*/
- KTEXT pkt) /* output buf */
-{
- unsigned char *p;
- size_t err_stringlen;
-
- p = pkt->dat;
- /* Assume >= 2 bytes in KTEXT. */
- *p++ = KRB_PROT_VERSION;
- *p++ = AUTH_MSG_ERR_REPLY | !!le;
-
- if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen,
- pkt, &p))
- return KFAILURE;
-
- err_stringlen = strlen(err_string) + 1;
- if ((sizeof(pkt->dat) - (p - pkt->dat))
- < (4 /* timestamp */
- + 4 /* err code */
- + err_stringlen))
- return KFAILURE;
- /* ws timestamp */
- KRB4_PUT32(p, time_ws, le);
- /* err code */
- KRB4_PUT32(p, err, le);
- /* err text */
- memcpy(p, err_string, err_stringlen);
- p += err_stringlen;
-
- /* And return */
- pkt->length = p - pkt->dat;
- return KSUCCESS;
-}
-
-/*
- * decode_kdc_request
- *
- * Decode an initial ticket request sent from the client to the KDC.
- *
- * Packet format is described in g_in_tkt.c.
- *
- * Returns KRB4PROT_OK on success, non-zero on failure.
- */
-int KRB5_CALLCONV
-krb4prot_decode_kdc_request(KTEXT pkt,
- int *le,
- char *pname, char *pinst, char *prealm,
- long *req_time, int *life,
- char *sname, char *sinst)
-{
- unsigned char *p;
- int msg_type, ret, len;
-
- p = pkt->dat;
-
- /* Get prot vers and msg type */
- if (pkt->length < 2)
- return KRB4PROT_ERR_UNDERRUN;
- if (*p++ != KRB_PROT_VERSION)
- return KRB4PROT_ERR_PROT_VERS;
- msg_type = *p++;
- *le = msg_type & 1;
- msg_type &= ~1;
- if (msg_type != AUTH_MSG_KDC_REQUEST)
- return KRB4PROT_ERR_MSG_TYPE;
-
- ret = krb4prot_decode_naminstrlm(pkt, &p, pname, pinst, prealm);
- if (ret)
- return ret;
-
-#define PKT_REMAIN (pkt->length - (p - pkt->dat))
-
- if (PKT_REMAIN < (4 /* time */
- + 1)) /* life */
- return KRB4PROT_ERR_UNDERRUN;
-
- KRB4_GET32(*req_time, p, *le);
-
- *life = *p++;
-
- if (PKT_REMAIN <= 0)
- return KRB4PROT_ERR_UNDERRUN;
- len = krb4int_strnlen((char *)p, PKT_REMAIN) + 1;
- if (len <= 0 || len > ANAME_SZ)
- return KRB4PROT_ERR_OVERRUN;
- memcpy(sname, p, (size_t)len);
- p += len;
-
- if (PKT_REMAIN <= 0)
- return
KRB4PROT_ERR_UNDERRUN;
- len = krb4int_strnlen((char *)p, PKT_REMAIN) + 1;
- if (len <= 0 || len > INST_SZ)
- return KRB4PROT_ERR_OVERRUN;
- memcpy(sinst, p, (size_t)len);
- p += len;
-
- /* XXX krb4 preauth? */
- return KRB4PROT_OK;
-}
diff --git a/src/lib/krb4/put_svc_key.c b/src/lib/krb4/put_svc_key.c
deleted file mode 100644
index 53e53c7..0000000
--- a/src/lib/krb4/put_svc_key.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* lib/krb/put_svc_key.c */
-/* Copyright 1994 Cygnus Support */
-/* Mark W. Eichin */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * put_svc_key is a simple version of what 'ksrvutil add' provides, for some
- * circumstances when service keys are distributed by applictions.
- *
- * Caveats: currently uses UNIX I/O (open, read) rather than stdio - this
- * should be fixed.
- * It could probably be made more general (and then actually be used
- * by ksrvutil.) This version supports just enough to be useful.
- */
-
-#include "krb.h"
-#include "krb4int.h"
-
-#include <string.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include "autoconf.h"
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include "k5-platform.h"
-
-#define KEYSZ sizeof(C_Block)
-/* strict put_svc_key.
- The srvtab must already exist;
- The key (exact match) must already be in the file;
- version numbers are not checked.
- */
-int KRB5_CALLCONV
-put_svc_key(sfile,name,inst,realm,newvno,key)
- char *sfile;
- char *name;
- char *inst;
- char *realm;
- int newvno;
- char *key;
-{
- int fd;
- char fname[SNAME_SZ], finst[INST_SZ], frlm[REALM_SZ];
- unsigned char fvno;
- char fkey[KEYSZ];
-
- if (!sfile)
- sfile = KEYFILE;
-
- if ((fd = open(sfile, O_RDWR)) < 0)
- return KFAILURE;
- set_cloexec_fd(fd);
-
- while(getst(fd,fname,SNAME_SZ) > 0) {
- getst(fd,finst,INST_SZ);
- getst(fd,frlm,REALM_SZ);
- if (!strcmp(fname,name)
- && !strcmp(finst,inst)
- && !strcmp(frlm,realm)) {
- /* all matched, so write new data */
- fvno = newvno;
- lseek(fd,0,SEEK_CUR);
- if (write(fd,&fvno,1) != 1) {
- close(fd);
- return KFAILURE;
- }
- if (write(fd,key,KEYSZ) != KEYSZ) {
- close(fd);
- return KFAILURE;
- }
- close(fd);
- return KSUCCESS;
- }
- if (read(fd,&fvno,1) != 1) {
- close(fd);
- return KFAILURE;
- }
- if (read(fd,fkey,KEYSZ) != KEYSZ) {
- close(fd);
- return KFAILURE;
- }
- }
- /* never found it */
- close(fd);
- return KFAILURE;
-}
diff --git a/src/lib/krb4/rd_err.c b/src/lib/krb4/rd_err.c
deleted file mode 100644
index 47f5167..0000000
--- a/src/lib/krb4/rd_err.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * lib/krb4/rd_err.c
- *
- * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Steve Miller Project Athena MIT/DEC
- */
-
-#include <string.h>
-
-#include "krb.h"
-#include "prot.h"
-
-/*
- * Given an AUTH_MSG_APPL_ERR message, "in" and its length "in_length",
- * return the error code from the message in "code" and the text in
- * "m_data" as follows:
- *
- * m_data->app_data points to the error text
- * m_data->app_length points to the length of the error text
- *
- * If all goes well, return RD_AP_OK. If the version number
- * is wrong, return RD_AP_VERSION, and if it's not an AUTH_MSG_APPL_ERR
- * type message, return RD_AP_MSG_TYPE.
- *
- * The AUTH_MSG_APPL_ERR message format can be found in mk_err.c
- */
-
-int KRB5_CALLCONV
-krb_rd_err(in, in_length, code, m_data)
- u_char *in; /* pointer to the msg received */
- u_long in_length; /* of in msg */
- long *code; /* received error code */
- MSG_DAT *m_data;
-{
- register u_char *p;
- int le;
- unsigned KRB4_32 raw_code;
-
- p = in; /* beginning of message */
-
- if (in_length < 1 + 1 + 4)
- return RD_AP_MODIFIED; /* XXX should have better error code */
- if (*p++ != KRB_PROT_VERSION)
- return RD_AP_VERSION;
- if (((*p) & ~1) != AUTH_MSG_APPL_ERR)
- return RD_AP_MSG_TYPE;
- le = *p++ & 1;
-
- KRB4_GET32(raw_code, p, le);
- *code = raw_code; /* XXX unsigned->signed conversion! */
-
- m_data->app_data = p; /* we're now at the error text
- * message */
- m_data->app_length = p - in;
-
- return RD_AP_OK; /* OK == 0 */
-}
diff --git a/src/lib/krb4/rd_preauth.c b/src/lib/krb4/rd_preauth.c
deleted file mode 100644
index b30838c..0000000
--- a/src/lib/krb4/rd_preauth.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/* rd_preauth.c */
-/* part of Cygnus Network Security */
-/* Copyright 1994 Cygnus Support */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "krb_db.h"
-#include "prot.h"
-#include "des.h"
-#include "krb4int.h"
-#include <string.h>
-
-/* #define KERB_ERR_PREAUTH_SHORT 11 */
-/* #define KERB_ERR_PREAUTH_MISMATCH 12 */
-
-
-int
-krb_rd_preauth(pkt, preauth_p, preauth_len, auth_pr, key)
- KTEXT pkt;
- char *preauth_p;
- int preauth_len;
- Principal *auth_pr;
- des_cblock key;
-{
- int st;
- char *name_p;
-
- name_p = auth_pr->name;
-
-#ifndef NOENCRYPTION
- /* Decrypt preauth_p using key as the key and initialization vector. */
- /* check preauth_len */
- if ((((strlen(name_p) + 1) / 8) + 1) * 8 != preauth_len)
- return KERB_ERR_PREAUTH_SHORT;
- else {
- des_key_schedule key_s;
-
- if (des_key_sched(key, key_s)) {
- return 1;
- }
- des_pcbc_encrypt((des_cblock *)preauth_p, (des_cblock *)preauth_p,
- (long)preauth_len, key_s, (des_cblock *)key,
- DES_DECRYPT);
- memset(key_s, 0, sizeof(key_s));
- }
-#endif /* R3_NO_MODIFICATIONS */
-
- /* since the preauth data has the trailing 0, this just works */
- st = strcmp(preauth_p, name_p);
- if (st)
- return KERB_ERR_PREAUTH_MISMATCH;
- return 0;
-}
diff --git a/src/lib/krb4/rd_priv.c b/src/lib/krb4/rd_priv.c
deleted file mode 100644
index 1ba6008..0000000
--- a/src/lib/krb4/rd_priv.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * lib/krb4/rd_priv.c
- *
- * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * This routine dissects a a Kerberos 'private msg', decrypting it,
- * checking its integrity, and returning a pointer to the application
- * data contained and its length.
- *
- * Returns 0 (RD_AP_OK) for success or an error code (RD_AP_...). If
- * the return value is RD_AP_TIME, then either the times are too far
- * out of synch, OR the packet was modified.
- *
- * Steve Miller Project Athena MIT/DEC
- */
-
-/* system include files */
-#include <stdio.h>
-#include <string.h>
-
-/* application include files */
-#include "krb.h"
-#include "prot.h"
-#include "des.h"
-#include "lsb_addr_cmp.h"
-#include "port-sockets.h"
-
-extern int krb_debug;
-
-/* This one is exported, for use by krb_mk_priv.
*/
-int private_msg_ver = KRB_PROT_VERSION;
-
-/*
-#ifdef NOENCRPYTION
- * krb_rd_priv() checks the integrity of an
-#else
- * krb_rd_priv() decrypts and checks the integrity of an
-#endif
- * AUTH_MSG_PRIVATE message. Given the message received, "in",
- * the length of that message, "in_length", the key "schedule"
-#ifdef NOENCRYPTION
- * and "key", and the network addresses of the
-#else
- * and "key" to decrypt with, and the network addresses of the
-#endif
- * "sender" and "receiver" of the message, krb_rd_safe() returns
- * RD_AP_OK if the message is okay, otherwise some error code.
- *
- * The message data retrieved from "in" are returned in the structure
-#ifdef NOENCRYPTION
- * "m_data". The pointer to the application data
-#else
- * "m_data". The pointer to the decrypted application data
-#endif
- * (m_data->app_data) refers back to the appropriate place in "in".
- *
- * See the file "mk_priv.c" for the format of the AUTH_MSG_PRIVATE
- * message. The structure containing the extracted message
- * information, MSG_DAT, is defined in "krb.h".
- */
-
-long KRB5_CALLCONV
-krb_rd_priv(in, in_length, schedule, key, sender, receiver, m_data)
- u_char *in; /* pointer to the msg received */
- unsigned KRB4_32 in_length; /* length of "in" msg */
- Key_schedule schedule; /* precomputed key schedule */
- C_Block *key; /* encryption key for seed and ivec */
- struct sockaddr_in *sender;
- struct sockaddr_in *receiver;
- MSG_DAT *m_data; /*various input/output data from msg */
-{
- register u_char *p,*q;
- int v, t, le;
- struct in_addr src_addr;
- unsigned KRB4_32 c_length;
- int swap_bytes;
- unsigned KRB4_32 t_local;
- KRB4_32 delta_t; /* Difference between timestamps */
-
- p = in; /* beginning of message */
-#define IN_REMAIN (in_length - (p - in))
- swap_bytes = 0;
-
- if (IN_REMAIN < 1 + 1 + 4)
- return RD_AP_MODIFIED;
- v = *p++;
- if (v != KRB_PROT_VERSION && v != 3)
- return RD_AP_VERSION;
- private_msg_ver = v;
- t = *p++;
- if ((t & ~1) != AUTH_MSG_PRIVATE)
- return RD_AP_MSG_TYPE;
- le = t & 1;
-
- /* get cipher length */
- KRB4_GET32(c_length, p, le);
- /* check for rational length so we don't go comatose */
- if (IN_REMAIN < c_length)
- return RD_AP_MODIFIED;
-
-#ifndef NOENCRYPTION
- /*
- * decrypt to obtain length, timestamps, app_data, and checksum
- * use the session key as an ivec
- */
-#endif
-
- q = p; /* mark start of encrypted stuff */
-
-#ifndef NOENCRYPTION
- /* pcbc decrypt, use key as ivec */
- pcbc_encrypt((C_Block *)q, (C_Block *)q, (long)c_length,
- schedule, key, DECRYPT);
-#endif
-
- /* safely get application data length */
- KRB4_GET32(m_data->app_length, p, le);
-
- if (IN_REMAIN < m_data->app_length + 4 + 1 + 4)
- return RD_AP_MODIFIED;
-
-#ifndef NOENCRYPTION
- /* we're now at the decrypted application data */
-#endif
- m_data->app_data = p;
-
- p += m_data->app_length;
-
- /* safely get time_5ms */
- m_data->time_5ms = *p++;
-
- /* safely get src address */
- memcpy(&src_addr.s_addr, p, sizeof(src_addr.s_addr));
- /* don't swap, net order always */
- p +=
sizeof(src_addr.s_addr);
-
- if (!krb_ignore_ip_address) {
- switch (sender->sin_family) {
- case AF_INET:
- if (src_addr.s_addr != sender->sin_addr.s_addr)
- return RD_AP_MODIFIED;
- break;
-#ifdef KRB5_USE_INET6
- case AF_INET6:
- if (IN6_IS_ADDR_V4MAPPED (&((struct sockaddr_in6 *)sender)->sin6_addr)
- && !memcmp (&src_addr.s_addr,
- 12 + (char *) &((struct sockaddr_in6 *)sender)->sin6_addr,
- 4))
- break;
- /* Not v4 mapped? Not ignoring addresses? You lose. */
- return RD_AP_MODIFIED;
-#endif
- default:
- return RD_AP_MODIFIED;
- }
- }
-
- /* safely get time_sec */
- KRB4_GET32(m_data->time_sec, p, le);
-
- /* check direction bit is the sign bit */
- /* For compatibility with broken old code, compares are done in VAX
- byte order (LSBFIRST) */
- /* However, if we don't have good ip addresses anyhow, just clear
- the bit. This makes it harder to detect replay of sent packets
- back to the receiver, but most higher level protocols can deal
- with that more directly. */
- if (krb_ignore_ip_address) {
- if (m_data->time_sec < 0)
- m_data->time_sec = -m_data->time_sec;
- } else
- switch (krb4int_address_less (sender, receiver)) {
- case 1:
- m_data->time_sec = -m_data->time_sec;
- break;
- case -1:
- if (m_data->time_sec < 0)
- m_data->time_sec = -m_data->time_sec;
- break;
- }
-
- /* check the time integrity of the msg */
- t_local = TIME_GMT_UNIXSEC;
- delta_t = t_local - m_data->time_sec;
- if (delta_t < 0)
- delta_t = -delta_t; /* Absolute value of difference */
- if (delta_t > CLOCK_SKEW)
- return RD_AP_TIME; /* XXX should probably be better code */
- DEB(("\ndelta_t = %d", delta_t));
-
- /*
- * caller must check timestamps for proper order and
- * replays, since server might have multiple clients
- * each with its own timestamps and we don't assume
- * tightly synchronized clocks.
- */
-
-#ifdef notdef
- memcpy((char *)&cksum, (char *) p, sizeof(cksum));
- if (swap_bytes) cksum = krb4_swab32(cksum)
- /*
- * calculate the checksum of the length, sequence,
- * and input data, on the sending byte order!!
- */
- calc_cksum = quad_cksum(q, NULL, p-q, 0, key);
-
- DEB (("\ncalc_cksum = %u, received cksum = %u",
- calc_cksum, cksum));
- if (cksum != calc_cksum)
- return RD_AP_MODIFIED;
-#endif
- return RD_AP_OK; /* OK == 0 */
-}
diff --git a/src/lib/krb4/rd_req.c b/src/lib/krb4/rd_req.c
deleted file mode 100644
index a1d70c6..0000000
--- a/src/lib/krb4/rd_req.c
+++ /dev/null
@@ -1,543 +0,0 @@
-/*
- * lib/krb4/rd_req.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2002 by the
- * Massachusetts Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "des.h"
-#include "krb.h"
-#include "prot.h"
-#include <string.h>
-#include <krb5.h>
-#include <krb54proto.h>
-
-extern int krb_ap_req_debug;
-
-static int
-krb_rd_req_with_key(KTEXT, char *, char *, KRB_UINT32, AUTH_DAT *,
- Key_schedule, krb5_keyblock *);
-
-/* declared in krb.h */
-int krb_ignore_ip_address = 0;
-
-/*
- * Keep the following information around for subsequent calls
- * to this routine by the same server using the same key.
- */
-
-static Key_schedule serv_key; /* Key sched to decrypt ticket */
-static C_Block ky; /* Initialization vector */
-static int st_kvno; /* version number for this key */
-static char st_rlm[REALM_SZ]; /* server's realm */
-static char st_nam[ANAME_SZ]; /* service name */
-static char st_inst[INST_SZ]; /* server's instance */
-static int krb5_key; /* whether krb5 key is used for decrypt */
-
-/*
- * This file contains two functions. krb_set_key() takes a DES
- * key or password string and returns a DES key (either the original
- * key, or the password converted into a DES key) and a key schedule
- * for it.
- *
- * krb_rd_req() reads an authentication request and returns information
- * about the identity of the requestor, or an indication that the
- * identity information was not authentic.
- */
-
-/*
- * krb_set_key() takes as its first argument either a DES key or a
- * password string. The "cvt" argument indicates how the first
- * argument "key" is to be interpreted: if "cvt" is null, "key" is
- * taken to be a DES key; if "cvt" is non-null, "key" is taken to
- * be a password string, and is converted into a DES key using
- * string_to_key(). In either case, the resulting key is returned
- * in the external static variable "ky". A key schedule is
- * generated for "ky" and returned in the external static variable
- * "serv_key".
- *
- * This routine returns the return value of des_key_sched.
- *
- * krb_set_key() needs to be in the same .o file as krb_rd_req() so that
- * the key set by krb_set_key() is available in private storage for
- * krb_rd_req().
- */
-
-static krb5_keyblock srv_k5key;
-
-int
-krb_set_key(key, cvt)
- char *key;
- int cvt;
-{
- if (krb5_key)
- /* XXX assumes that context arg is ignored */
- krb5_free_keyblock_contents(NULL, &srv_k5key);
- krb5_key = 0;
-#ifdef NOENCRYPTION
- memset(ky, 0, sizeof(ky));
- return KSUCCESS;
-#else /* Encrypt */
- if (cvt)
- string_to_key(key, ky);
- else
- memcpy((char *)ky, key, 8);
- return des_key_sched(ky,serv_key);
-#endif /* NOENCRYPTION */
-}
-
-int
-krb_set_key_krb5(ctx, key)
- krb5_context ctx;
- krb5_keyblock *key;
-{
- if (krb5_key)
- krb5_free_keyblock_contents(ctx, &srv_k5key);
- krb5_key = 1;
- return krb5_copy_keyblock_contents(ctx, key, &srv_k5key);
-}
-
-void
-krb_clear_key_krb5(ctx)
- krb5_context ctx;
-{
- if (krb5_key)
- krb5_free_keyblock_contents(ctx, &srv_k5key);
- krb5_key = 0;
-}
-
-/*
- * krb_rd_req() takes an AUTH_MSG_APPL_REQUEST or
- * AUTH_MSG_APPL_REQUEST_MUTUAL message created by krb_mk_req(),
- * checks its integrity and returns a judgement as to the requestor's
- * identity.
- *
- * The "authent" argument is a pointer to the received message.
- * The "service" and "instance" arguments name the receiving server,
- * and are used to get the service's ticket to decrypt the ticket
- * in the message, and to compare against the server name inside the
- * ticket. "from_addr" is the network address of the host from which
- * the message was received; this is checked against the network
- * address in the ticket. If "from_addr" is zero, the check is not
- * performed. "ad" is an AUTH_DAT structure which is
- * filled in with information about the sender's identity according
- * to the authenticator and ticket sent in the message. Finally,
- * "fn" contains the name of the file containing the server's key.
- * (If "fn" is NULL, the server's key is assumed to have been set
- * by krb_set_key(). If "fn" is the null string ("") the default
- * file KEYFILE, defined in "krb.h", is used.)
- * - * krb_rd_req() returns RD_AP_OK if the authentication information - * was genuine, or one of the following error codes (defined in - * "krb.h"): - * - * RD_AP_VERSION - wrong protocol version number - * RD_AP_MSG_TYPE - wrong message type - * RD_AP_UNDEC - couldn't decipher the message - * RD_AP_INCON - inconsistencies found - * RD_AP_BADD - wrong network address - * RD_AP_TIME - client time (in authenticator) - * too far off server time - * RD_AP_NYV - Kerberos time (in ticket) too - * far off server time - * RD_AP_EXP - ticket expired - * - * For the message format, see krb_mk_req(). - * - * Mutual authentication is not implemented. - */ - -static int -krb_rd_req_with_key(authent, service, instance, from_addr, ad, ks, k5key) - register KTEXT authent; /* The received message */ - char *service; /* Service name */ - char *instance; /* Service instance */ - unsigned KRB4_32 from_addr; /* Net address of originating host */ - AUTH_DAT *ad; /* Structure to be filled in */ - Key_schedule ks; - krb5_keyblock *k5key; -{ - KTEXT_ST ticket; /* Temp storage for ticket */ - KTEXT tkt = &ticket; - KTEXT_ST req_id_st; /* Temp storage for authenticator */ - register KTEXT req_id = &req_id_st; - - char realm[REALM_SZ]; /* Realm of issuing kerberos */ - Key_schedule seskey_sched; /* Key sched for session key */ - char sname[SNAME_SZ]; /* Service name from ticket */ - char iname[INST_SZ]; /* Instance name from ticket */ - char r_aname[ANAME_SZ]; /* Client name from authenticator */ - char r_inst[INST_SZ]; /* Client instance from authenticator */ - char r_realm[REALM_SZ]; /* Client realm from authenticator */ - unsigned int r_time_ms; /* Fine time from authenticator */ - unsigned KRB4_32 r_time_sec; /* Coarse time from authenticator */ - register unsigned char *ptr; /* For stepping through */ - unsigned KRB4_32 t_local; /* Local time on our side of the protocol */ - KRB4_32 delta_t; /* Time in authenticator minus local time */ -#ifdef KRB_CRYPT_DEBUG - KRB4_32 tkt_age; /* Age 
of ticket */ -#endif - int le; /* is little endian? */ - int mutual; /* Mutual authentication requested? */ - int t; /* msg type */ - unsigned char s_kvno; /* Version number of the server's key - Kerberos used to encrypt ticket */ - int ret; - int len; - - tkt->mbz = req_id->mbz = 0; - - if (authent->length < 1 + 1 + 1) - return RD_AP_MODIFIED; - - ptr = authent->dat; -#define AUTHENT_REMAIN (authent->length - (ptr - authent->dat)) - - /* get msg version, type and byte order, and server key version */ - - /* check version */ - if (KRB_PROT_VERSION != *ptr++) - return RD_AP_VERSION; - - /* byte order */ - t = *ptr++; - le = t & 1; - - /* check msg type */ - mutual = 0; - switch (t & ~1) { - case AUTH_MSG_APPL_REQUEST: - break; - case AUTH_MSG_APPL_REQUEST_MUTUAL: - mutual++; - break; - default: - return RD_AP_MSG_TYPE; - } - -#ifdef lint - /* XXX mutual is set but not used; why??? */ - /* this is a crock to get lint to shut up */ - if (mutual) - mutual = 0; -#endif /* lint */ - s_kvno = *ptr++; /* get server key version */ - len = krb4int_strnlen((char *)ptr, AUTHENT_REMAIN) + 1; - if (len <= 0 || len > sizeof(realm)) { - return RD_AP_MODIFIED; /* must have been modified, the client wouldn't - try to trick us with wacky data */ - } - /* And the realm of the issuing KDC */ - (void)memcpy(realm, ptr, (size_t)len); - ptr += len; /* skip the realm "hint" */ - - /* Get ticket length */ - tkt->length = *ptr++; - /* Get authenticator length while we're at it. 
*/ - req_id->length = *ptr++; - if (AUTHENT_REMAIN < tkt->length + req_id->length) - return RD_AP_MODIFIED; - /* Copy ticket */ - memcpy(tkt->dat, ptr, (size_t)tkt->length); - ptr += tkt->length; - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("ticket->length: %d",tkt->length); - if (krb_ap_req_debug) - log("authent->length: %d", authent->length); -#endif - -#ifndef NOENCRYPTION - /* Decrypt and take apart ticket */ -#endif - - if (k5key == NULL) { - if (decomp_ticket(tkt,&ad->k_flags,ad->pname,ad->pinst,ad->prealm, - &(ad->address),ad->session, &(ad->life), - &(ad->time_sec),sname,iname,ky,ks)) { -#ifdef KRB_CRYPT_DEBUG - log("Can't decode ticket"); -#endif - return(RD_AP_UNDEC); - } - } else { - if (decomp_tkt_krb5(tkt, &ad->k_flags, ad->pname, ad->pinst, - ad->prealm, &ad->address, ad->session, - &ad->life, &ad->time_sec, sname, iname, - k5key)) { - return RD_AP_UNDEC; - } - } - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) { - log("Ticket Contents."); - log(" Aname: %s%s%s@%s",ad->pname, - ((int)*(ad->pinst) ? "." : ""), ad->pinst, - ((int)*(ad->prealm) ? ad->prealm : "Athena")); - log(" Service: %s%s%s",sname,((int)*iname ? "." 
: ""),iname); - log(" sname=%s, sinst=%s", sname, iname); - } -#endif - - /* Extract the authenticator */ - memcpy(req_id->dat, ptr, (size_t)req_id->length); - -#ifndef NOENCRYPTION - /* And decrypt it with the session key from the ticket */ -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) log("About to decrypt authenticator"); -#endif - - key_sched(ad->session, seskey_sched); - pcbc_encrypt((C_Block *)req_id->dat, (C_Block *)req_id->dat, - (long)req_id->length, - seskey_sched, &ad->session, DES_DECRYPT); - memset(seskey_sched, 0, sizeof(seskey_sched)); - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) log("Done."); -#endif -#endif /* NOENCRYPTION */ - - ptr = req_id->dat; -#define REQID_REMAIN (req_id->length - (ptr - req_id->dat)) - - ret = RD_AP_MODIFIED; - - len = krb4int_strnlen((char *)ptr, REQID_REMAIN) + 1; - if (len <= 0 || len > ANAME_SZ) - goto cleanup; - memcpy(r_aname, ptr, (size_t)len); /* Authentication name */ - ptr += len; - len = krb4int_strnlen((char *)ptr, REQID_REMAIN) + 1; - if (len <= 0 || len > INST_SZ) - goto cleanup; - memcpy(r_inst, ptr, (size_t)len); /* Authentication instance */ - ptr += len; - len = krb4int_strnlen((char *)ptr, REQID_REMAIN) + 1; - if (len <= 0 || len > REALM_SZ) - goto cleanup; - memcpy(r_realm, ptr, (size_t)len); /* Authentication name */ - ptr += len; - - if (REQID_REMAIN < 4 + 1 + 4) - goto cleanup; - KRB4_GET32(ad->checksum, ptr, le); - r_time_ms = *ptr++; /* Time (fine) */ -#ifdef lint - /* XXX r_time_ms is set but not used. why??? 
*/ - /* this is a crock to get lint to shut up */ - if (r_time_ms) - r_time_ms = 0; -#endif /* lint */ - /* Time (coarse) */ - KRB4_GET32(r_time_sec, ptr, le); - - /* Check for authenticity of the request */ -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("Pname: %s %s",ad->pname,r_aname); -#endif - - ret = RD_AP_INCON; - if (strcmp(ad->pname,r_aname) != 0) - goto cleanup; - if (strcmp(ad->pinst,r_inst) != 0) - goto cleanup; - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("Realm: %s %s",ad->prealm,r_realm); -#endif - - if (strcmp(ad->prealm,r_realm) != 0) - goto cleanup; - - /* check the time integrity of the msg */ - ret = RD_AP_TIME; - t_local = TIME_GMT_UNIXSEC; - delta_t = t_local - r_time_sec; - if (delta_t < 0) delta_t = -delta_t; /* Absolute value of difference */ - if (delta_t > CLOCK_SKEW) { -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("Time out of range: %d - %d = %d", - time_secs, r_time_sec, delta_t); -#endif - goto cleanup; - } - - /* Now check for expiration of ticket */ - - ret = RD_AP_NYV; -#ifdef KRB_CRYPT_DEBUG - tkt_age = t_local - ad->time_sec; - if (krb_ap_req_debug) - log("Time: %d Issue Date: %d Diff: %d Life %x", - time_secs, ad->time_sec, tkt_age, ad->life); -#endif - if (t_local < ad->time_sec) { - if ((ad->time_sec - t_local) > CLOCK_SKEW) - goto cleanup; - } else if (krb_life_to_time((KRB4_32)ad->time_sec, ad->life) - < t_local + CLOCK_SKEW) { - /* - * This calculation is different than the same expiration - * calculation in krb5. In krb5 the ticket lasts for - * clock_skew seconds longer than its expiration; in krb4 it - * lasts clock_skew seconds less. This difference is - * necessary to avoid using an almost expired tgt to get a new - * tgt that will last for another 5 minutes. This code - * interacts with the login in src/kdc/kerberos_v4.c to - * back-date tickets to avoid them expiring late. 
The - * combination may be overly conservative, but I'm fairly sure - * either removing the kerberos_v4 backdating or replacing - * this check with the krb5 check is sufficient to create a - * security problem. - */ - ret = RD_AP_EXP; - goto cleanup; - } - -#ifdef KRB_CRYPT_DEBUG - if (krb_ap_req_debug) - log("Address: %d %d",ad->address,from_addr); -#endif - - if (!krb_ignore_ip_address - && from_addr && (ad->address != from_addr)) { - ret = RD_AP_BADD; - goto cleanup; - } - - /* All seems OK */ - ad->reply.length = 0; - ret = 0; - -cleanup: - if (ret) { - /* Stomp on session key if there is an error. */ - memset(ad->session, 0, sizeof(ad->session)); - return ret; - } - - return RD_AP_OK; -} - -int KRB5_CALLCONV -krb_rd_req_int(authent, service, instance, from_addr, ad, key) - KTEXT authent; /* The received message */ - char *service; /* Service name */ - char *instance; /* Service instance */ - KRB_UINT32 from_addr; /* Net address of originating host */ - AUTH_DAT *ad; /* Structure to be filled in */ - C_Block key; /* Key to decrypt ticket with */ -{ - Key_schedule ks; - int ret; - - do { - ret = des_key_sched(key, ks); - if (ret) break; - ret = krb_rd_req_with_key(authent, service, instance, - from_addr, ad, ks, NULL); - } while (0); - memset(ks, 0, sizeof(ks)); - return ret; -} - -int KRB5_CALLCONV -krb_rd_req(authent, service, instance, from_addr, ad, fn) - register KTEXT authent; /* The received message */ - char *service; /* Service name */ - char *instance; /* Service instance */ - unsigned KRB4_32 from_addr; /* Net address of originating host */ - AUTH_DAT *ad; /* Structure to be filled in */ - char *fn; /* Filename to get keys from */ -{ - unsigned char *ptr; - unsigned char s_kvno; - char realm[REALM_SZ]; - unsigned char skey[KKEY_SZ]; -#ifdef KRB4_USE_KEYTAB - krb5_keyblock keyblock; -#endif - int len; - int status; - -#define AUTHENT_REMAIN (authent->length - (ptr - authent->dat)) - if (authent->length < 3) - return RD_AP_MODIFIED; - ptr = authent->dat 
+ 2; - s_kvno = *ptr++; /* get server key version */ - len = krb4int_strnlen((char *)ptr, AUTHENT_REMAIN) + 1; - if (len <= 0 || len > sizeof(realm)) - return RD_AP_MODIFIED; - (void)memcpy(realm, ptr, (size_t)len); -#undef AUTHENT_REMAIN - /* - * If "fn" is NULL, key info should already be set; don't - * bother with ticket file. Otherwise, check to see if we - * already have key info for the given server and key version - * (saved in the static st_* variables). If not, go get it - * from the ticket file. If "fn" is the null string, use the - * default ticket file. - */ - if (fn && (strcmp(st_nam,service) || strcmp(st_inst,instance) - || strcmp(st_rlm,realm) || (st_kvno != s_kvno))) { - if (*fn == 0) - fn = KEYFILE; - st_kvno = s_kvno; - if (read_service_key(service,instance,realm, (int)s_kvno, - fn, (char *)skey) == 0) { - if ((status = krb_set_key((char *)skey,0))) - return(status); -#ifdef KRB4_USE_KEYTAB - } else if (krb54_get_service_keyblock(service, instance, - realm, (int)s_kvno, - fn, &keyblock) == 0) { - krb_set_key_krb5(krb5__krb4_context, &keyblock); - krb5_free_keyblock_contents(krb5__krb4_context, &keyblock); -#endif - } else - return RD_AP_UNDEC; - - len = krb4int_strnlen(realm, sizeof(st_rlm)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_rlm, realm, (size_t)len); - len = krb4int_strnlen(service, sizeof(st_nam)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_nam, service, (size_t)len); - len = krb4int_strnlen(instance, sizeof(st_inst)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_inst, instance, (size_t)len); - } - return krb_rd_req_with_key(authent, service, instance, - from_addr, ad, - krb5_key ? NULL : serv_key, - krb5_key ? &srv_k5key : NULL); -} diff --git a/src/lib/krb4/rd_safe.c b/src/lib/krb4/rd_safe.c deleted file mode 100644 index 7df0d65..0000000 --- a/src/lib/krb4/rd_safe.c +++ /dev/null 
@@ -1,208 +0,0 @@
-/*
- * lib/krb4/rd_safe.c
- *
- * Copyright 1986, 1987, 1988, 2000 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * This routine dissects a a Kerberos 'safe msg', checking its
- * integrity, and returning a pointer to the application data
- * contained and its length.
- *
- * Returns 0 (RD_AP_OK) for success or an error code (RD_AP_...)
- *
- * Steve Miller Project Athena MIT/DEC
- */
-
-/* system include files */
-#include <stdio.h>
-#include <string.h>
-
-/* application include files */
-#include "krb.h"
-#include "prot.h"
-#include "des.h"
-#include "lsb_addr_cmp.h"
-#include "port-sockets.h"
-
-extern int krb_debug;
-
-/*
- * krb_rd_safe() checks the integrity of an AUTH_MSG_SAFE message.
- * Given the message received, "in", the length of that message, - * "in_length", the "key" to compute the checksum with, and the - * network addresses of the "sender" and "receiver" of the message, - * krb_rd_safe() returns RD_AP_OK if message is okay, otherwise - * some error code. - * - * The message data retrieved from "in" is returned in the structure - * "m_data". The pointer to the application data (m_data->app_data) - * refers back to the appropriate place in "in". - * - * See the file "mk_safe.c" for the format of the AUTH_MSG_SAFE - * message. The structure containing the extracted message - * information, MSG_DAT, is defined in "krb.h". - */ - -long KRB5_CALLCONV -krb_rd_safe(in,in_length,key,sender,receiver,m_data) - u_char *in; /* pointer to the msg received */ - unsigned KRB4_32 in_length; /* length of "in" msg */ - C_Block *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; /* sender's address */ - struct sockaddr_in *receiver; /* receiver's address -- me */ - MSG_DAT *m_data; /* where to put message information */ -{ - int i; - unsigned KRB4_32 calc_cksum[4]; - unsigned KRB4_32 big_cksum[4]; - int le; - - u_char *p,*q; - int t; - struct in_addr src_addr; - unsigned KRB4_32 t_local; /* Local time in our machine */ - KRB4_32 delta_t; /* Difference between timestamps */ - - /* Be very conservative */ - if (sizeof(src_addr.s_addr) != 4) { -#ifdef DEBUG - fprintf(stderr, "\nkrb_rd_safe protocol err " - "sizeof(src_addr.s_addr) != 4\n"); -#endif - return RD_AP_VERSION; - } - - p = in; /* beginning of message */ -#define IN_REMAIN (in_length - (p - in)) - if (IN_REMAIN < 1 + 1 + 4) - return RD_AP_MODIFIED; - - if (*p++ != KRB_PROT_VERSION) - return RD_AP_VERSION; - t = *p++; - if ((t & ~1) != AUTH_MSG_SAFE) - return RD_AP_MSG_TYPE; - le = t & 1; - - q = p; /* mark start of cksum stuff */ - - /* safely get length */ - KRB4_GET32(m_data->app_length, p, le); - - if (IN_REMAIN < m_data->app_length + 1 + 4 + 4 + 4 * 4) - return 
RD_AP_MODIFIED; - - m_data->app_data = p; /* we're now at the application data */ - - /* skip app data */ - p += m_data->app_length; - - /* safely get time_5ms */ - m_data->time_5ms = *p++; - - /* safely get src address */ - (void)memcpy(&src_addr.s_addr, p, sizeof(src_addr.s_addr)); - /* don't swap, net order always */ - p += sizeof(src_addr.s_addr); - - if (!krb_ignore_ip_address) { - switch (sender->sin_family) { - case AF_INET: - if (src_addr.s_addr != sender->sin_addr.s_addr) - return RD_AP_MODIFIED; - break; -#ifdef KRB5_USE_INET6 - case AF_INET6: - if (IN6_IS_ADDR_V4MAPPED (&((struct sockaddr_in6 *)sender)->sin6_addr) - && !memcmp (&src_addr.s_addr, - 12 + (char *) &((struct sockaddr_in6 *)sender)->sin6_addr, - 4)) - break; - /* Not v4 mapped? Not ignoring addresses? You lose. */ - return RD_AP_MODIFIED; -#endif - default: - return RD_AP_MODIFIED; - } - } - - /* safely get time_sec */ - KRB4_GET32(m_data->time_sec, p, le); - - /* check direction bit is the sign bit */ - /* For compatibility with broken old code, compares are done in VAX - byte order (LSBFIRST) */ - /* However, if we don't have good ip addresses anyhow, just clear - the bit. This makes it harder to detect replay of sent packets - back to the receiver, but most higher level protocols can deal - with that more directly. 
*/ - if (krb_ignore_ip_address) { - if (m_data->time_sec < 0) - m_data->time_sec = -m_data->time_sec; - } else - switch (krb4int_address_less (sender, receiver)) { - case 1: - m_data->time_sec = -m_data->time_sec; - break; - case -1: - if (m_data->time_sec < 0) - m_data->time_sec = -m_data->time_sec; - break; - } - - /* check the time integrity of the msg */ - t_local = TIME_GMT_UNIXSEC; - delta_t = t_local - m_data->time_sec; - if (delta_t < 0) delta_t = -delta_t; /* Absolute value of difference */ - if (delta_t > CLOCK_SKEW) { - return(RD_AP_TIME); /* XXX should probably be better - code */ - } - - /* - * caller must check timestamps for proper order and replays, since - * server might have multiple clients each with its own timestamps - * and we don't assume tightly synchronized clocks. - */ - -#ifdef NOENCRYPTION - memset(calc_cksum, 0, sizeof(calc_cksum)); -#else /* Do encryption */ - /* calculate the checksum of the length, timestamps, and - * input data, on the sending byte order !! */ - quad_cksum(q,calc_cksum,p-q,2,key); -#endif /* NOENCRYPTION */ - - for (i = 0; i < 4; i++) - KRB4_GET32(big_cksum[i], p, le); - - DEB (("\n0: calc %l big %lx\n1: calc %lx big %lx\n2: calc %lx big %lx\n3: calc %lx big %lx\n", - calc_cksum[0], big_cksum[0], - calc_cksum[1], big_cksum[1], - calc_cksum[2], big_cksum[2], - calc_cksum[3], big_cksum[3])); - for (i = 0; i < 4; i++) - if (big_cksum[i] != calc_cksum[i]) - return RD_AP_MODIFIED; - - return RD_AP_OK; /* OK == 0 */ -} diff --git a/src/lib/krb4/rd_svc_key.c b/src/lib/krb4/rd_svc_key.c deleted file mode 100644 index 8aeb099..0000000 --- a/src/lib/krb4/rd_svc_key.c +++ /dev/null 
@@ -1,345 +0,0 @@
-/*
- * rd_svc_key.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2007 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- */
-
-#include "mit-copyright.h"
-#include "krb.h"
-#include "krb4int.h"
-#include <stdio.h>
-#include <string.h>
-
-#include "k5-int.h"
-#include <krb54proto.h>
-#include "prot.h"
-
-/*
- * The private keys for servers on a given host are stored in a
- * "srvtab" file (typically "/etc/srvtab"). This routine extracts
- * a given server's key from the file.
- *
- * read_service_key() takes the server's name ("service"), "instance",
- * and "realm" and a key version number "kvno", and looks in the given
- * "file" for the corresponding entry, and if found, returns the entry's
- * key field in "key".
- *
- * If "instance" contains the string "*", then it will match
- * any instance, and the chosen instance will be copied to that
- * string. For this reason it is important that the there is enough
- * space beyond the "*" to receive the entry.
- *
- * If "kvno" is 0, it is treated as a wild card and the first
- * matching entry regardless of the "vno" field is returned.
- *
- * This routine returns KSUCCESS on success, otherwise KFAILURE.
- *
- * The format of each "srvtab" entry is as follows:
- *
- * Size Variable Field in file
- * ---- -------- -------------
- * string serv server name
- * string inst server instance
- * string realm server realm
- * 1 byte vno server key version #
- * 8 bytes key server's key
- * ... ... ...
- */
-
-#ifdef __i960__
-/* special hack to use a global srvtab variable...
*/ -#define open vxworks_srvtab_open -#define close vxworks_srvtab_close -#define getst vxworks_srvtab_getst -#define read vxworks_srvtab_read - -extern char *vxworks_srvtab_base; -char *vxworks_srvtab_ptr; -int vxworks_srvtab_getchar(s) - char *s; -{ - int tmp1; - if(vxworks_srvtab_ptr >= (vxworks_srvtab_base + strlen(vxworks_srvtab_base))) - return 0; - - sscanf(vxworks_srvtab_ptr, "%2x", &tmp1); - - *s = tmp1; - vxworks_srvtab_ptr+=2; - return 1; -} - -int vxworks_srvtab_getst(fd,s,n) - int fd; - register char *s; - int n; -{ - register count = n; - while (vxworks_srvtab_getchar(s) && --count) - if (*s++ == '\0') - return (n - count); - *s = '\0'; - return (n - count); -} - -int vxworks_srvtab_open(s, n, m) - char *s; - int n, m; -{ - vxworks_srvtab_ptr = vxworks_srvtab_base; - return 1; -} - -int vxworks_srvtab_close(fd) - int fd; -{ - vxworks_srvtab_ptr = 0; - return 0; -} - -int vxworks_srvtab_read(fd, s, n) - int fd; - char *s; - int n; -{ - int count = n; - /* we want to get exactly n chars. */ - while(vxworks_srvtab_getchar(s) && --count) - s++; - return (n-count); -} -#endif - -#ifdef KRB4_USE_KEYTAB -/* - * This function looks up the requested Krb4 srvtab key using the krb5 - * keytab format, if possible. 
- */ -extern krb5_error_code -krb54_get_service_keyblock(service,instance,realm,kvno,file,keyblock) - char *service; /* Service Name */ - char *instance; /* Instance name or "*" */ - char *realm; /* Realm */ - int kvno; /* Key version number */ - char *file; /* Filename */ - krb5_keyblock * keyblock; -{ - krb5_error_code retval; - krb5_principal princ = NULL; - krb5_keytab kt_id; - krb5_keytab_entry kt_entry; - char sname[ANAME_SZ+1]; - char sinst[INST_SZ+1]; - char srealm[REALM_SZ+1]; - char keytabname[MAX_KEYTAB_NAME_LEN + 1]; /* + 1 for NULL termination */ - - if (!krb5__krb4_context) { - retval = krb5_init_context(&krb5__krb4_context); - if (retval) - return retval; - } - - if (!strcmp(instance, "*")) { - if ((retval = krb5_sname_to_principal(krb5__krb4_context, NULL, NULL, - KRB5_NT_SRV_HST, &princ))) - goto errout; - - if ((retval = krb5_524_conv_principal(krb5__krb4_context, princ, - sname, sinst, srealm))) - goto errout; - - instance = sinst; - krb5_free_principal(krb5__krb4_context, princ); - princ = 0; - } - - if ((retval = krb5_425_conv_principal(krb5__krb4_context, service, - instance, realm, &princ))) - goto errout; - - /* - * Figure out what name to use; if the name is one of the standard - * /etc/srvtab, /etc/athena/srvtab, etc., use the default keytab - * name. Otherwise, append .krb5 to the filename and try to use - * that. 
- */ - if (file && - strcmp(file, "/etc/srvtab") && - strcmp(file, "/etc/athena/srvtab") && - strcmp(file, KEYFILE)) { - strncpy(keytabname, file, sizeof(keytabname)); - keytabname[sizeof(keytabname)-1] = 0; - if (strlen(keytabname)+6 < sizeof(keytabname)) - strcat(keytabname, ".krb5"); - } else { - if ((retval = krb5_kt_default_name(krb5__krb4_context, - (char *)keytabname, sizeof(keytabname)-1))) - goto errout; - } - - if ((retval = krb5_kt_resolve(krb5__krb4_context, keytabname, &kt_id))) - goto errout; - - if ((retval = krb5_kt_get_entry(krb5__krb4_context, kt_id, princ, kvno, - 0, &kt_entry))) { - krb5_kt_close(krb5__krb4_context, kt_id); - goto errout; - } - - retval = krb5_copy_keyblock_contents(krb5__krb4_context, - &kt_entry.key, keyblock); - /* Bash types */ - /* KLUDGE! If it's a non-raw des3 key, bash its enctype */ - /* See kdc/kerberos_v4.c */ - if (keyblock->enctype == ENCTYPE_DES3_CBC_SHA1 ) - keyblock->enctype = ENCTYPE_DES3_CBC_RAW; - - krb5_kt_free_entry(krb5__krb4_context, &kt_entry); - krb5_kt_close (krb5__krb4_context, kt_id); - -errout: - if (princ) - krb5_free_principal(krb5__krb4_context, princ); - return retval; -} -#endif - - -int KRB5_CALLCONV -read_service_key(service,instance,realm,kvno,file,key) - char *service; /* Service Name */ - char *instance; /* Instance name or "*" */ - char *realm; /* Realm */ - int kvno; /* Key version number */ - char *file; /* Filename */ - char *key; /* Pointer to key to be filled in */ -{ - int kret; - -#ifdef KRB4_USE_KEYTAB - krb5_error_code retval; - krb5_keyblock keyblock; -#endif - - kret = get_service_key(service,instance,realm,&kvno,file,key); - - if (! 
kret) - return KSUCCESS; - -#ifdef KRB4_USE_KEYTAB - kret = KFAILURE; - keyblock.magic = KV5M_KEYBLOCK; - keyblock.contents = 0; - - retval = krb54_get_service_keyblock(service,instance,realm,kvno,file, - &keyblock); - if (retval) - goto errout; - - if ((keyblock.length != sizeof(C_Block)) || - ((keyblock.enctype != ENCTYPE_DES_CBC_CRC) && - (keyblock.enctype != ENCTYPE_DES_CBC_MD4) && - (keyblock.enctype != ENCTYPE_DES_CBC_MD5))) { - goto errout; - } - (void) memcpy(key, keyblock.contents, sizeof(C_Block)); - kret = KSUCCESS; - -errout: - if (keyblock.contents) - krb5_free_keyblock_contents(krb5__krb4_context, &keyblock); -#endif - - return kret; -} - -/* kvno is passed by reference, so that if it is zero, and we find a match, - the match gets written back into *kvno so the caller can find it. - */ -int KRB5_CALLCONV -get_service_key(service,instance,realm,kvno,file,key) - char *service; /* Service Name */ - char *instance; /* Instance name or "*" */ - char *realm; /* Realm */ - int *kvno; /* Key version number */ - char *file; /* Filename */ - char *key; /* Pointer to key to be filled in */ -{ - char serv[SNAME_SZ]; - char inst[INST_SZ]; - char rlm[REALM_SZ]; - unsigned char vno; /* Key version number */ - int wcard; - char krb_realm[REALM_SZ]; - - int stab; - - if (!file) - file = KEYFILE; - - if ((stab = open(file, 0, 0)) < 0) - return(KFAILURE); - set_cloexec_fd(stab); - - wcard = (instance[0] == '*') && (instance[1] == '\0'); - /* get current realm if not passed in */ - if (!realm) { - int rem; - - rem = krb_get_lrealm(krb_realm,1); - if (rem != KSUCCESS) - return(rem); - realm = krb_realm; - } - - while(getst(stab,serv,SNAME_SZ) > 0) { /* Read sname */ - (void) getst(stab,inst,INST_SZ); /* Instance */ - (void) getst(stab,rlm,REALM_SZ); /* Realm */ - /* Vers number */ - if (read(stab,(char *)&vno,1) != 1) { - close(stab); - return(KFAILURE); - } - /* Key */ - if (read(stab,key,8) != 8) { - close(stab); - return(KFAILURE); - } - /* Is this the right service */ 
- if (strcmp(serv,service)) - continue; - /* How about instance */ - if (!wcard && strcmp(inst,instance)) - continue; - if (wcard) - (void) strncpy(instance,inst,INST_SZ); - /* Is this the right realm */ -#if defined(ATHENA_COMPAT) || defined(ATHENA_OLD_SRVTAB) - /* XXX For backward compatibility: if keyfile says "Athena" - and caller wants "ATHENA.MIT.EDU", call it a match */ - if (strcmp(rlm,realm) && - (strcmp(rlm,"Athena") || - strcmp(realm,"ATHENA.MIT.EDU"))) - continue; -#else /* ! ATHENA_COMPAT */ - if (strcmp(rlm,realm)) - continue; -#endif /* ATHENA_COMPAT */ - - /* How about the key version number */ - if (*kvno && *kvno != (int) vno) - continue; - - (void) close(stab); - *kvno = vno; - return(KSUCCESS); - } - - /* Can't find the requested service */ - (void) close(stab); - return(KFAILURE); -} diff --git a/src/lib/krb4/recvauth.c b/src/lib/krb4/recvauth.c deleted file mode 100644 index c5f857e..0000000 --- a/src/lib/krb4/recvauth.c +++ /dev/null 
@@ -1,308 +0,0 @@ -/* - * lib/krb4/recvauth.c - * - * Copyright 1987, 1988 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "krb.h" -#include <errno.h> -#include <stdio.h> -#include <string.h> -#include "autoconf.h" -#ifdef HAVE_STDLIB_H -#include <stdlib.h> -#endif -#ifdef HAVE_UNISTD_H -#include <unistd.h> -#endif -#include "port-sockets.h" - - -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN - chars */ - -/* - * If the protocol changes, you will need to change the version string - * and make appropriate changes in krb_sendauth.c - * be sure to support old versions of krb_sendauth! - */ - -/* - * krb_recvauth() reads (and optionally responds to) a message sent - * using krb_sendauth(). The "options" argument is a bit-field of - * selected options (see "sendauth.c" for options description). 
- * The only option relevant to krb_recvauth() is KOPT_DO_MUTUAL - * (mutual authentication requested). The "fd" argument supplies - * a file descriptor to read from (and write to, if mutual authenti- - * cation is requested). - * - * Part of the received message will be a Kerberos ticket sent by the - * client; this is read into the "ticket" argument. The "service" and - * "instance" arguments supply the server's Kerberos name. If the - * "instance" argument is the string "*", it is treated as a wild card - * and filled in during the krb_rd_req() call (see read_service_key()). - * - * The "faddr" and "laddr" give the sending (client) and receiving - * (local server) network addresses. ("laddr" may be left NULL unless - * mutual authentication is requested, in which case it must be set.) - * - * The authentication information extracted from the message is returned - * in "kdata". The "filename" argument indicates the file where the - * server's key can be found. (It is passed on to krb_rd_req().) If - * left null, the default "/etc/srvtab" will be used. - * - * If mutual authentication is requested, the session key schedule must - * be computed in order to reply; this schedule is returned in the - * "schedule" argument. A string containing the application version - * number from the received message is returned in "version", which - * should be large enough to hold a KRB_SENDAUTH_VLEN-character string. - * - * See krb_sendauth() for the format of the received client message. - * - * This routine supports another client format, for backward - * compatibility, consisting of: - * - * Size Variable Field - * ---- -------- ----- - * - * string tmp_buf, tkt_len length of ticket, in - * ascii - * - * char ' ' (space char) separator - * - * tkt_len ticket->dat the ticket - * - * This old-style version does not support mutual authentication. - * - * krb_recvauth() first reads the protocol version string from the - * given file descriptor. 
If it doesn't match the current protocol - * version (KRB_SENDAUTH_VERS), the old-style format is assumed. In - * that case, the string of characters up to the first space is read - * and interpreted as the ticket length, then the ticket is read. - * - * If the first string did match KRB_SENDAUTH_VERS, krb_recvauth() - * next reads the application protocol version string. Then the - * ticket length and ticket itself are read. - * - * The ticket is decrypted and checked by the call to krb_rd_req(). - * If no mutual authentication is required, the result of the - * krb_rd_req() call is retured by this routine. If mutual authenti- - * cation is required, a message in the following format is returned - * on "fd": - * - * Size Variable Field - * ---- -------- ----- - * - * 4 bytes tkt_len length of ticket or -1 - * if error occurred - * - * priv_len tmp_buf "private" message created - * by krb_mk_priv() which - * contains the incremented - * checksum sent by the client - * encrypted in the session - * key. (This field is not - * present in case of error.) - * - * If all goes well, KSUCCESS is returned; otherwise KFAILURE or some - * other error code is returned. - */ - -#ifndef max -#define max(a,b) (((a) > (b)) ? (a) : (b)) -#endif /* max */ - -int KRB5_CALLCONV -krb_recvauth(options, fd, ticket, service, instance, faddr, laddr, kdata, - filename, schedule, version) - long options; /* bit-pattern of options */ - int fd; /* file descr. 
to read from */ - KTEXT ticket; /* storage for client's ticket */ - char *service; /* service expected */ - char *instance; /* inst expected (may be filled in) */ - struct sockaddr_in *faddr; /* address of foreign host on fd */ - struct sockaddr_in *laddr; /* local address */ - AUTH_DAT *kdata; /* kerberos data (returned) */ - char *filename; /* name of file with service keys */ - Key_schedule schedule; /* key schedule (return) */ - char *version; /* version string (filled in) */ -{ - - int i, cc, old_vers = 0; - char krb_vers[KRB_SENDAUTH_VLEN + 1]; /* + 1 for the null terminator */ - char *cp = NULL; - int rem; - KRB4_32 tkt_len, priv_len; - unsigned KRB4_32 cksum; - u_char tmp_buf[MAX_KTXT_LEN+max(KRB_SENDAUTH_VLEN+1,21)] = { 0 }; - - /* read the protocol version number */ - if (krb_net_read(fd, krb_vers, KRB_SENDAUTH_VLEN) != - KRB_SENDAUTH_VLEN) - return(errno); - krb_vers[KRB_SENDAUTH_VLEN] = '\0'; - - /* check version string */ - if (strcmp(krb_vers,KRB_SENDAUTH_VERS)) { - /* Assume the old version of sendkerberosdata: send ascii - length, ' ', and ticket. 
*/ - if (options & KOPT_DO_MUTUAL) - return(KFAILURE); /* XXX can't do old style with mutual auth */ - old_vers = 1; - - /* copy what we have read into tmp_buf */ - (void) memcpy((char *) tmp_buf, krb_vers, KRB_SENDAUTH_VLEN); - - /* search for space, and make it a null */ - for (i = 0; i < KRB_SENDAUTH_VLEN; i++) - if (tmp_buf[i]== ' ') { - tmp_buf[i] = '\0'; - /* point cp to the beginning of the real ticket */ - cp = (char *) &tmp_buf[i+1]; - break; - } - - if (i == KRB_SENDAUTH_VLEN) - /* didn't find the space, keep reading to find it */ - for (; i<20; i++) { - if (read(fd, (char *)&tmp_buf[i], 1) != 1) { - return(KFAILURE); - } - if (tmp_buf[i] == ' ') { - tmp_buf[i] = '\0'; - /* point cp to the beginning of the real ticket */ - cp = (char *) &tmp_buf[i+1]; - break; - } - } - - if (i==20) - return(KFAILURE); - - tkt_len = (KRB4_32) atoi((char *) tmp_buf); - - /* sanity check the length */ - /* These conditions make sure that cp got initialized */ - if ((tkt_len<=0)||(tkt_len>MAX_KTXT_LEN)) - return(KFAILURE); - - if (i < KRB_SENDAUTH_VLEN) { - /* since we already got the space, and part of the ticket, - we read fewer bytes to get the rest of the ticket */ - int len_to_read = tkt_len - KRB_SENDAUTH_VLEN + 1 + i; - if (len_to_read <= 0) - return KFAILURE; - if (krb_net_read(fd, (char *)(tmp_buf+KRB_SENDAUTH_VLEN), - len_to_read) - != len_to_read) - return(errno); - } else { - if (krb_net_read(fd, (char *)(tmp_buf+i), (int)tkt_len) != - (int) tkt_len) - return(errno); - } - ticket->length = tkt_len; - /* copy the ticket into the struct */ - (void) memcpy((char *) ticket->dat, cp, ticket->length); - - } else { - /* read the application version string */ - if (krb_net_read(fd, version, KRB_SENDAUTH_VLEN) != - KRB_SENDAUTH_VLEN) - return(errno); - version[KRB_SENDAUTH_VLEN] = '\0'; - - /* get the length of the ticket */ - if (krb_net_read(fd, (char *)&tkt_len, sizeof(tkt_len)) != - sizeof(tkt_len)) - return(errno); - - /* sanity check */ - ticket->length = 
ntohl((unsigned KRB4_32)tkt_len); - if ((ticket->length <= 0) || (ticket->length > MAX_KTXT_LEN)) { - if (options & KOPT_DO_MUTUAL) { - rem = KFAILURE; - goto mutual_fail; - } else - return(KFAILURE); /* XXX there may still be junk on the fd? */ - } - - /* read the ticket */ - if (krb_net_read(fd, (char *) ticket->dat, ticket->length) - != ticket->length) - return(errno); - } - /* - * now have the ticket. decrypt it to get the authenticated - * data. - */ - rem = krb_rd_req(ticket,service,instance,faddr->sin_addr.s_addr, - kdata,filename); - - if (old_vers) return(rem); /* XXX can't do mutual with old client */ - - /* if we are doing mutual auth, compose a response */ - if (options & KOPT_DO_MUTUAL) { - if (rem != KSUCCESS) - /* the krb_rd_req failed */ - goto mutual_fail; - - /* add one to the (formerly) sealed checksum, and re-seal it - for return to the client */ - cksum = kdata->checksum + 1; - cksum = htonl(cksum); -#ifndef NOENCRYPTION - key_sched(kdata->session,schedule); -#endif /* !NOENCRYPTION */ - priv_len = krb_mk_priv((unsigned char *)&cksum, - tmp_buf, - (unsigned KRB4_32) sizeof(cksum), - schedule, - &kdata->session, - laddr, - faddr); - if (priv_len < 0) { - /* re-sealing failed; notify the client */ - rem = KFAILURE; /* XXX */ -mutual_fail: - priv_len = -1; - tkt_len = htonl((unsigned KRB4_32) priv_len); - /* a length of -1 is interpreted as an authentication - failure by the client */ - if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len))) - != sizeof(tkt_len)) - return(cc); - return(rem); - } else { - /* re-sealing succeeded, send the private message */ - tkt_len = htonl((unsigned KRB4_32)priv_len); - if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len))) - != sizeof(tkt_len)) - return(cc); - if ((cc = krb_net_write(fd, (char *)tmp_buf, (int) priv_len)) - != (int) priv_len) - return(cc); - } - } - return(rem); -} diff --git a/src/lib/krb4/ren-cyg.sh b/src/lib/krb4/ren-cyg.sh deleted file mode 100755 index d3d31a9..0000000 
--- a/src/lib/krb4/ren-cyg.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-# Rename Kerberos Cygnus V4 filenames to proposed names
-# for converting old trees.
-awk '/^@ / { if ($6 != "")
- if ($6 != $4)
- print "mv " $6 " " $4
- else ;
- else if ($2 != $4 && $2 != "-")
- print "mv " $2 " " $4
- }
- ' <ren.msg | grep -v '(gone)' | sh -x
diff --git a/src/lib/krb4/ren-pc.bat b/src/lib/krb4/ren-pc.bat
deleted file mode 100644
index e25755f..0000000
--- a/src/lib/krb4/ren-pc.bat
+++ /dev/null
@@ -1,29 +0,0 @@
-rename crerrep.c cr_err_repl.c
-rename crauthre.c cr_auth_repl.c
-rename cr_death.c cr_death_pkt.c
-rename crticket.c cr_tkt.c
-rename decomtkt.c decomp_tkt.c
-rename getadtkt.c g_ad_tkt.c
-rename getadmhs.c g_admhst.c
-rename get_cred.c g_cred.c
-rename getintkt.c g_pw_in_tkt.c
-rename getkrbhs.c g_krbhst.c
-rename getphost.c g_phost.c
-rename getpwtkt.c g_pw_tkt.c
-rename get_req.c g_request.c
-rename g_svctkt.c g_svc_in_tkt.c
-rename gettfnam.c g_tf_fname.c
-rename gettfrlm.c g_tf_realm.c
-rename getrealm.c realmofhost.c
-rename k_gethst.c gethostname.c
-rename knm_pars.c kname_parse.c
-rename k_errtxt.c err_txt.c
-rename k_gettkt.c g_in_tkt.c
-rename mth_snam.c month_sname.c
-rename pkt_ciph.c pkt_cipher.c
-rename rdservky.c rd_svc_key.c
-rename savecred.c save_creds.c
-rename send_kdc.c send_to_kdc.c
-rename s_cascmp.c strcasecmp.c
-rename tkt_strg.c tkt_string.c
-rename util.c ad_print.c
diff --git a/src/lib/krb4/ren-pc.sh b/src/lib/krb4/ren-pc.sh
deleted file mode 100644
index bea2beb..0000000
--- a/src/lib/krb4/ren-pc.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-# Rename Kerberos V4 MIT PC-port filenames to proposed names
-# for converting old PC trees on Unix systems.
-awk '/^@ / {
- if ($3 != $4 && $3 != "-")
- print "mv " $3 " " $4
- }
- ' <ren.msg | grep -v '(gone)' | sh -x
diff --git a/src/lib/krb4/ren-pl10.sh b/src/lib/krb4/ren-pl10.sh
deleted file mode 100644
index d72a72c..0000000
--- a/src/lib/krb4/ren-pl10.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-# Rename Kerberos V4 pl10 filenames to proposed names
-# for converting old trees.
-awk '/^@ / {
- if ($2 != $4 && $2 != "-")
- print "mv " $2 " " $4
- }
- ' <ren.msg | grep -v '(gone)' | sh -x
diff --git a/src/lib/krb4/ren.msg b/src/lib/krb4/ren.msg
deleted file mode 100644
index 45b404a..0000000
--- a/src/lib/krb4/ren.msg
+++ /dev/null
@@ -1,117 +0,0 @@ -Subject: Kerberos file renaming for short DOS names -Date: Tue, 19 Apr 1994 13:34:28 -0700 -From: John Gilmore <gnu@cygnus.com> - -[edited since sending, to bring it up to date with what actually happened.] - -I'd like to come up with some file naming and configuration -conventions that will work in DOS, Unix, and Mac environments. At -Cygnus, we are creating a single freely available K4 source tree that -works on many Unixes, Windows, and Mac. It currently works on Unixes. -(To get a copy, send mail to info@cygnus.com requesting our Kerberos -release. It's in a hidden FTP location due to export control.) - -I diffed the current MIT release of Kerberos for PC and Windows -against the V4 patchlevel 10 release, and identified some 30 files in -lib/krb that have been renamed between Unix and PC. Comparing source -trees becomes much more painful when files are renamed. If we don't -come to sync on the file names, it will be very hard to collaborate, -which would make more work for all of us. - -My plan, which we have used successfully in the GNU software, is to -make sure that all filenames are unique if you take the first 8 chars -and the first 3 after the dot. No files have more than a single dot -in them. We don't restrict file names to just 8.3 characters, since -doing so would impact readability for the (99.9%) of the developers -who are on Unix or Mac, where long file names are fine. - -There's an additional complication that names longer than 14 -characters present problems to old System V Unix and to `ar' on Unix. -DJ Delorie's excellent `doschk' program points out all these problems. -(prep.ai.mit.edu:/pub/gnu/doschk-1.1.tar.gz). - -Here's my proposal for the lib/krb directory. 
In general, I tried to -regularize the names, turning get_ into g_, removing krb_, turning -reply into repl, turning ticket into tkt, keeping all file names -unique across the various libraries, and making a file name more like -the function name contained in it when there were conflicts. Some -resulting truncated names are more readable than in the current MIT K4 -PC, some are less readable -- but the overall advantage is that the -new names should be acceptable to Unix/Mac developers, while the old -ones weren't. - - MIT K4 patch10 MIT K4 PC PROPOSED NAME (trunc to 8.3) old Cyg -$1 $2 $3 $4 $5 $6 - -@ add_ticket.c (gone) add_tkt.c add_tkt.c -@ - - ChangeLog changelo -@ cr_err_reply.c crerrep.c cr_err_repl.c cr_err_r.c -@ create_auth_reply.c crauthre.c cr_auth_repl.c cr_auth_.c cr_auth_reply.c -@ create_ciph.c cr_ciph.c cr_ciph.c cr_ciph.c -@ create_death_packet.c cr_death.c cr_death_pkt.c cr_death.c cr_death_pkt.c -@ create_ticket.c crticket.c cr_tkt.c cr_tkt.c -@ debug_decl.c debug.c debug.c debug.c -@ decomp_ticket.c decomtkt.c decomp_tkt.c decomp_t.c -@ - - DNR.c dnr.c -@ extract_ticket.c ext_tkt.c ext_tkt.c ext_tkt.c extract_tkt.c -@ - - g_cnffile.c g_cnffil.c -@ get_ad_tkt.c getadtkt.c g_ad_tkt.c g_ad_tkt.c -@ get_admhst.c getadmhs.c g_admhst.c g_admhst.c -@ get_cred.c get_cred.c g_cred.c g_cred.c -@ get_in_tkt.c getintkt.c g_pw_in_tkt.c g_pw_in_.c -@ get_krbhst.c getkrbhs.c g_krbhst.c g_krbhst.c -@ get_krbrlm.c g_krbrlm.c g_krbrlm.c g_krbrlm.c -@ get_phost.c getphost.c g_phost.c g_phost.c -@ get_pw_tkt.c getpwtkt.c g_pw_tkt.c g_pw_tkt.c -@ get_request.c get_req.c (gone) (gone) -@ get_svc_in_tkt.c g_svctkt.c g_svc_in_tkt.c g_svc_in.c get_svc_in.c -@ get_tf_fullname.c gettfnam.c g_tf_fname.c g_tf_fna.c get_tf_fname.c -@ get_tf_realm.c gettfrlm.c g_tf_realm.c g_tf_rea.c -@ - - g_tkt_svc.c g_tkt_sv.c -@ getrealm.c getrealm.c realmofhost.c realmofh.c -@ k_gethostname.c k_gethst.c gethostname.c gethostn.c -@ kname_parse.c knm_pars.c kname_parse.c kname_pa.c -@ 
krb_err_txt.c k_errtxt.c err_txt.c err_txt.c -@ krb_get_in_tkt.c k_gettkt.c g_in_tkt.c g_in_tkt.c krb_get_in.c -@ - - mac_store.c mac_stor.c -@ - - mac_store.h mac_stor.h -@ - - mac_stubs.c mac_stub.c -@ - - Makefile.in makefile.in -@ - - mk_preauth.c mk_preau.c -@ month_sname.c mth_snam.c month_sname.c month_sn.c -@ pkt_cipher.c pkt_ciph.c pkt_cipher.c pkt_ciph.c -@ - - Password.c password.c -@ - - rd_preauth.c rd_preau.c -@ - - put_svc_key.c put_svc_.c -@ read_service_key.c rdservky.c rd_svc_key.c rd_svc_k.c read_svc_key.c -@ save_credentials.c savecred.c save_creds.c save_cre.c save_creds.c -@ send_to_kdc.c send_kdc.c send_to_kdc.c send_to_.c -@ strcasecmp.c s_cascmp.c strcasecmp.c strcasec.c -@ tkt_string.c tkt_strg.c tkt_string.c tkt_stri.c -@ - - unix_glue.c unix_glu.c -@ util.c util.c ad_print.c ad_print.c -@ - - win_store.c win_stor.c -# Cleanup for simplified sed scripts that use this table -@sed s/tf_ad_print\./tf_util\./g - -I've supplied Unix shell scripts in the distribution for moving: -ren-pl10.sh V4 pl10 filenames to proposed names for converting old trees -ren-pc.sh V4 MIT PC names to proposed names for converting old trees -ren2long.sh truncated names to proposed names for moving DOS->unix -ren2dos.sh proposed names to truncated names for unix->DOS names - -There's also shell scripts to produce sed scripts for converting Makefiles -and documentation. You use them like: - ./sed-pl10.sh >/tmp/sed - sed -f /tmp/sed <Makefile >newMakefile -sed-pl10.sh V4 pl10 filenames to proposed names for converting old trees -sed-pc.sh V4 MIT PC names to proposed names for converting old trees - -I'll also supply a DOS script for moving: -ren-pc.bat V4 MIT PC names to proposed names for converting old trees - -And an MPW script for moving -ren-pl10.mpw V4 pl10 filenames to proposed names for converting old trees - - John Gilmore - Cygnus Support diff --git a/src/lib/krb4/ren2dos.sh b/src/lib/krb4/ren2dos.sh deleted file mode 100644 index 3989e2c..0000000 
--- a/src/lib/krb4/ren2dos.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-# Rename Unix filenames to DOS-truncated filenames for KRB library.
-# for converting Unix distributions to DOS distributions
-awk '/^@ / {
- if ($4 != $5)
- print "mv " $4 " " $5
- }
- ' <ren.msg | sh -x
diff --git a/src/lib/krb4/ren2long.sh b/src/lib/krb4/ren2long.sh
deleted file mode 100644
index 7d1a259..0000000
--- a/src/lib/krb4/ren2long.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-# Rename DOS-truncated filenames to Unix filenames for KRB library.
-# for converting DOS distributions to Unix distributions
-awk '/^@ / {
- if ($4 != $5)
- print "mv " $5 " " $4
- }
- ' <ren.msg | sh -x
diff --git a/src/lib/krb4/save_creds.c b/src/lib/krb4/save_creds.c
deleted file mode 100644
index 5cc8ae8..0000000
--- a/src/lib/krb4/save_creds.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * save_creds.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2002 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include <stdio.h>
-#include "krb.h"
-#include "krb4int.h"
-
-/*
- * This routine takes a ticket and associated info and calls
- * tf_save_cred() to store them in the ticket cache. The peer
- * routine for extracting a ticket and associated info from the
- * ticket cache is krb_get_cred(). When changes are made to
- * this routine, the corresponding changes should be made
- * in krb_get_cred() as well.
- *
- * Returns KSUCCESS if all goes well, otherwise an error returned
- * by the tf_init() or tf_save_cred() routines.
- *
- * This used to just be called save_credentials, but when we formalized
- * the DOS/Mac interface, we created and exported krb_save_credentials
- * to avoid namespace pollution.
- */
-
-int
-krb4int_save_credentials_addr(service, instance, realm, session, lifetime, kvno,
- ticket, issue_date, local_addr)
- char *service; /* Service name */
- char *instance; /* Instance */
- char *realm; /* Auth domain */
- C_Block session; /* Session key */
- int lifetime; /* Lifetime */
- int kvno; /* Key version number */
- KTEXT ticket; /* The ticket itself */
- KRB4_32 issue_date; /* The issue time */
- KRB_UINT32 local_addr;
-{
- int tf_status; /* return values of the tf_util calls */
-
- /* Open and lock the ticket file for writing */
- if ((tf_status = tf_init(TKT_FILE, W_TKT_FIL)) != KSUCCESS)
- return(tf_status);
-
- /* Save credentials by appending to the ticket file */
- tf_status = tf_save_cred(service, instance, realm, session,
- lifetime, kvno, ticket, issue_date);
- (void) tf_close();
- return (tf_status);
-}
-
-int KRB5_CALLCONV
-krb_save_credentials(
- char *service,
- char *instance,
- char *realm,
- C_Block session,
- int lifetime,
- int kvno,
- KTEXT ticket,
- long issue_date)
-{
- return krb4int_save_credentials_addr(service, instance, realm,
- session, lifetime, kvno,
- ticket, (KRB4_32)issue_date, 0);
-}
diff --git a/src/lib/krb4/sed-cyg.sh b/src/lib/krb4/sed-cyg.sh
deleted file mode 100755
index 3859df1..0000000
--- a/src/lib/krb4/sed-cyg.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-# Produce a sed script for converting Kerberos Cygnus V4 filenames to proposed
-# names -- for converting old makefiles and doc.
-# We fix any "oldfoo." into "newfoo." including .c and .o and .h files.
-awk '/^@ / { if ($6 != "")
- if ($6 != $4)
- print "s/" $6 "/" $4 "/g"
- else ;
- else if ($2 != $4 && $2 != "-")
- print "s/" $2 "/" $4 "/g"
- }
- /^@sed / { print $2 }
- ' <ren.msg | grep -v '(gone)' | sed 's/\.c/\\./g'
diff --git a/src/lib/krb4/sed-pc.sh b/src/lib/krb4/sed-pc.sh
deleted file mode 100755
index a222dca..0000000
--- a/src/lib/krb4/sed-pc.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-# Produce a sed script for converting Kerberos V4 MIT PC filenames to proposed
-# names -- for converting old makefiles and doc.
-# We fix any "oldfoo." into "newfoo." including .c and .o and .h files.
-awk '/^@ / {
- if ($3 != $4)
- print "s/" $3 "/" $4 "/g"
- }
- /^@sed / { print $2 }
- ' <ren.msg | grep -v '(gone)' | sed 's/\.c/\\./g'
-
diff --git a/src/lib/krb4/sed-pl10.sh b/src/lib/krb4/sed-pl10.sh
deleted file mode 100755
index a6ab27c..0000000
--- a/src/lib/krb4/sed-pl10.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-# Produce a sed script for converting Kerberos V4 pl10 filenames to proposed
-# names -- for converting old makefiles and doc.
-# We fix any "oldfoo." into "newfoo." including .c and .o and .h files.
-awk '/^@ / {
- if ($2 != $4)
- print "s/" $2 "/" $4 "/g"
- }
- /^@sed / { print $2 }
- ' <ren.msg | sed 's/\.c/\\./g'
diff --git a/src/lib/krb4/send_to_kdc.c b/src/lib/krb4/send_to_kdc.c
deleted file mode 100644
index 95d9d91..0000000
--- a/src/lib/krb4/send_to_kdc.c
+++ /dev/null
@@ -1,206 +0,0 @@ -/* - * lib/krb4/send_to_kdc.c - * - * Copyright 1987-2002 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "krb.h" -#include "krbports.h" -#include "prot.h" -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "autoconf.h" -#ifdef HAVE_SYS_SELECT_H -#include <sys/select.h> -#endif -#ifdef HAVE_UNISTD_H -#include <unistd.h> -#endif -#include "port-sockets.h" -#include "fake-addrinfo.h" -#include "k5-int.h" -#include "krb4int.h" - -#define S_AD_SZ sizeof(struct sockaddr_in) - -/* These are really defaults from getservbyname() or hardcoded. 
*/ -static int cached_krb_udp_port = 0; -static int cached_krbsec_udp_port = 0; - -int krb4int_send_to_kdc_addr(KTEXT, KTEXT, char *, - struct sockaddr *, socklen_t *); - -#ifdef DEBUG -static char *prog = "send_to_kdc"; -#endif - -/* - * send_to_kdc() sends a message to the Kerberos authentication - * server(s) in the given realm and returns the reply message. - * The "pkt" argument points to the message to be sent to Kerberos; - * the "rpkt" argument will be filled in with Kerberos' reply. - * The "realm" argument indicates the realm of the Kerberos server(s) - * to transact with. If the realm is null, the local realm is used. - * - * If more than one Kerberos server is known for a given realm, - * different servers will be queried until one of them replies. - * Several attempts (retries) are made for each server before - * giving up entirely. - * - * The following results can be returned: - * - * KSUCCESS - an answer was received from a Kerberos host - * - * SKDC_CANT - can't get local realm - * - can't find "kerberos" in /etc/services database - * - can't open socket - * - can't bind socket - * - all ports in use - * - couldn't find any Kerberos host - * - * SKDC_RETRY - couldn't get an answer from any Kerberos server, - * after several retries - */ - -int -krb4int_send_to_kdc_addr( - KTEXT pkt, KTEXT rpkt, char *realm, - struct sockaddr *addr, socklen_t *addrlen) -{ - struct addrlist al = ADDRLIST_INIT; - char lrealm[REALM_SZ]; - krb5int_access internals; - krb5_error_code retval; - struct servent *sp; - int krb_udp_port = 0; - int krbsec_udp_port = 0; - char krbhst[MAXHOSTNAMELEN]; - char *scol; - int i; - int err; - krb5_data message, reply; - - /* - * If "realm" is non-null, use that, otherwise get the - * local realm. 
- */ - if (realm) - strncpy(lrealm, realm, sizeof(lrealm) - 1); - else { - if (krb_get_lrealm(lrealm, 1)) { - DEB (("%s: can't get local realm\n", prog)); - return SKDC_CANT; - } - } - lrealm[sizeof(lrealm) - 1] = '\0'; - DEB (("lrealm is %s\n", lrealm)); - - retval = krb5int_accessor(&internals, KRB5INT_ACCESS_VERSION); - if (retval) - return KFAILURE; - - /* The first time, decide what port to use for the KDC. */ - if (cached_krb_udp_port == 0) { - sp = getservbyname("kerberos","udp"); - if (sp) - cached_krb_udp_port = sp->s_port; - else - cached_krb_udp_port = htons(KERBEROS_PORT); /* kerberos/udp */ - DEB (("cached_krb_udp_port is %d\n", cached_krb_udp_port)); - } - /* If kerberos/udp isn't 750, try using kerberos-sec/udp (or 750) - as a fallback. */ - if (cached_krbsec_udp_port == 0 && - cached_krb_udp_port != htons(KERBEROS_PORT)) { - sp = getservbyname("kerberos-sec","udp"); - if (sp) - cached_krbsec_udp_port = sp->s_port; - else - cached_krbsec_udp_port = htons(KERBEROS_PORT); /* kerberos/udp */ - DEB (("cached_krbsec_udp_port is %d\n", cached_krbsec_udp_port)); - } - - for (i = 1; krb_get_krbhst(krbhst, lrealm, i) == KSUCCESS; ++i) { -#ifdef DEBUG - if (krb_debug) { - DEB (("Getting host entry for %s...",krbhst)); - (void) fflush(stdout); - } -#endif - if (0 != (scol = strchr(krbhst,':'))) { - krb_udp_port = htons(atoi(scol+1)); - *scol = 0; - if (krb_udp_port == 0) { -#ifdef DEBUG - if (krb_debug) { - DEB (("bad port number %s\n",scol+1)); - (void) fflush(stdout); - } -#endif - continue; - } - krbsec_udp_port = 0; - } else { - krb_udp_port = cached_krb_udp_port; - krbsec_udp_port = cached_krbsec_udp_port; - } - err = internals.add_host_to_list(&al, krbhst, - krb_udp_port, krbsec_udp_port, - SOCK_DGRAM, PF_INET); - if (err) { - retval = SKDC_CANT; - goto free_al; - } - } - if (al.naddrs == 0) { - DEB (("%s: can't find any Kerberos host.\n", prog)); - retval = SKDC_CANT; - } - - message.length = pkt->length; - message.data = (char *)pkt->dat; /* XXX yuck */ 
- retval = internals.sendto_udp(NULL, &message, &al, NULL, &reply, addr, - addrlen, NULL, 0, NULL, NULL, NULL); - DEB(("sendto_udp returns %d\n", retval)); -free_al: - internals.free_addrlist(&al); - if (retval) - return SKDC_CANT; - DEB(("reply.length=%d\n", reply.length)); - if (reply.length > sizeof(rpkt->dat)) - retval = SKDC_CANT; - rpkt->length = 0; - if (!retval) { - memcpy(rpkt->dat, reply.data, reply.length); - rpkt->length = reply.length; - } - krb5_free_data_contents(NULL, &reply); - return retval; -} - -int -send_to_kdc(KTEXT pkt, KTEXT rpkt, char *realm) -{ - return krb4int_send_to_kdc_addr(pkt, rpkt, realm, NULL, NULL); -} diff --git a/src/lib/krb4/sendauth.c b/src/lib/krb4/sendauth.c deleted file mode 100644 index 8372944..0000000 --- a/src/lib/krb4/sendauth.c +++ /dev/null 
@@ -1,282 +0,0 @@ -/* - * sendauth.c - * - * Copyright 1987, 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - * - */ - -#include "mit-copyright.h" - -#include "krb.h" -#include "krb4int.h" -#include <errno.h> -#include <stdio.h> -#include <string.h> -#include "port-sockets.h" - -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */ -/* - * If the protocol changes, you will need to change the version string - * and make appropriate changes in krb_recvauth.c - */ - -/* - * This file contains two routines: krb_sendauth() and krb_sendsrv(). - * - * krb_sendauth() transmits a ticket over a file descriptor for a - * desired service, instance, and realm, doing mutual authentication - * with the server if desired. - * - * Most of the real work of krb_sendauth() has been moved into mk_auth.c - * for portability; sendauth takes a Unix file descriptor as argument, - * which doesn't work on other operating systems. - * - * krb_sendsvc() sends a service name to a remote knetd server, and is - * only for Athena compatability. - */ - -/* - * The first argument to krb_sendauth() contains a bitfield of - * options (the options are defined in "krb.h"): - * - * KOPT_DONT_CANON Don't canonicalize instance as a hostname. - * (If this option is not chosen, krb_get_phost() - * is called to canonicalize it.) - * - * KOPT_DONT_MK_REQ Don't request server ticket from Kerberos. - * A ticket must be supplied in the "ticket" - * argument. - * (If this option is not chosen, and there - * is no ticket for the given server in the - * ticket cache, one will be fetched using - * krb_mk_req() and returned in "ticket".) - * - * KOPT_DO_MUTUAL Do mutual authentication, requiring that the - * receiving server return the checksum+1 encrypted - * in the session key. 
The mutual authentication - * is done using krb_mk_priv() on the other side - * (see "recvauth.c") and krb_rd_priv() on this - * side. - * - * The "fd" argument is a file descriptor to write to the remote - * server on. The "ticket" argument is used to store the new ticket - * from the krb_mk_req() call. If the KOPT_DONT_MK_REQ options is - * chosen, the ticket must be supplied in the "ticket" argument. - * The "service", "inst", and "realm" arguments identify the ticket. - * If "realm" is null, the local realm is used. - * - * The following arguments are only needed if the KOPT_DO_MUTUAL option - * is chosen: - * - * The "checksum" argument is a number that the server will add 1 to - * to authenticate itself back to the client; the "msg_data" argument - * holds the returned mutual-authentication message from the server - * (i.e., the checksum+1); the "cred" structure is used to hold the - * session key of the server, extracted from the ticket file, for use - * in decrypting the mutual authentication message from the server; - * and "schedule" holds the key schedule for that decryption. The - * the local and server addresses are given in "laddr" and "faddr". - * - * The application protocol version number (of up to KRB_SENDAUTH_VLEN - * characters) is passed in "version". - * - * If all goes well, KSUCCESS is returned, otherwise some error code. - * - * The format of the message sent to the server is: - * - * Size Variable Field - * ---- -------- ----- - * - * KRB_SENDAUTH_VLEN KRB_SENDAUTH_VER sendauth protocol - * bytes version number - * - * KRB_SENDAUTH_VLEN version application protocol - * bytes version number - * - * 4 bytes ticket->length length of ticket - * - * ticket->length ticket->dat ticket itself - */ - -/* - * XXX: Note that krb_rd_priv() is coded in such a way that - * "msg_data->app_data" will be pointing into "packet", which - * will disappear when krb_sendauth() returns. - * - * See FIXME KLUDGE code in appl/bsd/kcmd.c. 
- */ -KRB4_32 __krb_sendauth_hidden_tkt_len=0; -#define raw_tkt_len __krb_sendauth_hidden_tkt_len - - -/* - * Read a server's sendauth response out of a file descriptor. - * Returns a Kerberos error code. - * - * Note sneaky code using raw_tkt_len to stash away a bit of info - * for use by appl/bsd/kcmd.c. Now that krb_net_rd_sendauth is - * a separate function, kcmd should call it directly to get this - * sneaky info. - */ -int -krb_net_rd_sendauth (fd, reply, raw_len) - int fd; /* file descriptor to write onto */ - KTEXT reply; /* Where we put the reply message */ - KRB4_32 *raw_len; /* Where to read the length field info */ -{ - KRB4_32 tkt_len; - int got; - - reply->length = 0; /* Nothing read from net yet */ - reply->mbz = 0; - - /* get the length of the reply */ - reread: - got = krb_net_read(fd, (char *)raw_len, sizeof(KRB4_32)); - if (got != sizeof(KRB4_32)) - return KFAILURE; - - /* Here's an amazing hack. If we are contacting an rlogin server, - and it is running on a Sun4, and it was compiled with the wrong - shared libary version, it will print an ld.so warning message - when it starts up. We just ignore any such message and keep - going. This doesn't affect security: we just require the - ticket to follow the warning message. */ - if (!memcmp("ld.s", raw_len, 4)) { - char c; - - while (krb_net_read(fd, &c, 1) == 1 && c != '\n') - ; - goto reread; - } - - tkt_len = ntohl(*raw_len); - - /* if the length is negative, the server failed to recognize us. */ - if ((tkt_len < 0) || (tkt_len > sizeof(reply->dat))) - return KFAILURE; /* XXX */ - /* read the reply... */ - got = krb_net_read(fd, (char *)reply->dat, (int) tkt_len); - if (got != (int) tkt_len) - return KFAILURE; - - reply->length = tkt_len; - reply->mbz = 0; - return KSUCCESS; -} - - -/* - * krb_sendauth - * - * The original routine, provided on Unix. 
- * Obtains a service ticket using the ticket-granting ticket, - * uses it to stuff an authorization request down a Unix socket to the - * end-user application server, sucks a response out of the socket, - * and decodes it to verify mutual authentication. - */ -int KRB5_CALLCONV -krb_sendauth(options, fd, ticket, service, inst, realm, checksum, - msg_data, cred, schedule, laddr, faddr, version) - long options; /* bit-pattern of options */ - int fd; /* file descriptor to write onto */ - KTEXT ticket; /* where to put ticket (return); or - supplied in case of KOPT_DONT_MK_REQ */ - char *service; /* service name */ - char *inst; /* service instance */ - char *realm; /* service realm */ - unsigned KRB4_32 checksum; /* checksum to include in request */ - MSG_DAT *msg_data; /* mutual auth MSG_DAT (return) */ - CREDENTIALS *cred; /* credentials (return) */ - Key_schedule schedule; /* key schedule (return) */ - struct sockaddr_in *laddr; /* local address */ - struct sockaddr_in *faddr; /* address of foreign host on fd */ - char *version; /* version string */ -{ - int rem, cc; - char srv_inst[INST_SZ]; - char krb_realm[REALM_SZ]; - KTEXT_ST packet[1]; /* Re-use same one for msg and reply */ - - /* get current realm if not passed in */ - if (!realm) { - rem = krb_get_lrealm(krb_realm,1); - if (rem != KSUCCESS) - return(rem); - realm = krb_realm; - } - - /* copy instance into local storage, so mk_auth can canonicalize */ - (void) strncpy(srv_inst, inst, INST_SZ-1); - srv_inst[INST_SZ-1] = 0; - rem = krb_mk_auth (options, ticket, service, srv_inst, realm, checksum, - version, packet); - if (rem != KSUCCESS) - return rem; - -#ifdef ATHENA_COMPAT - /* this is only for compatibility with old servers */ - if (options & KOPT_DO_OLDSTYLE) { - (void) sprintf(buf,"%d ",ticket->length); - (void) write(fd, buf, strlen(buf)); - (void) write(fd, (char *) ticket->dat, ticket->length); - return(rem); - } -#endif /* ATHENA_COMPAT */ - - /* write the request to the server */ - if ((cc = 
krb_net_write(fd, packet->dat, packet->length)) != packet->length) - return(cc); - - /* mutual authentication, if desired */ - if (options & KOPT_DO_MUTUAL) { - /* get credentials so we have service session - key for decryption below */ - cc = krb_get_cred(service, srv_inst, realm, cred); - if (cc) - return(cc); - - /* Get the reply out of the socket. */ - cc = krb_net_rd_sendauth (fd, packet, &raw_tkt_len); - if (cc != KSUCCESS) - return cc; - - /* Check the reply to verify that server is really who we expect. */ - cc = krb_check_auth (packet, checksum, - msg_data, cred->session, schedule, laddr, faddr); - if (cc != KSUCCESS) - return cc; - } - return(KSUCCESS); -} - - -#ifdef ATHENA_COMPAT -/* - * krb_sendsvc - */ - -int -krb_sendsvc(fd, service) - int fd; - char *service; -{ - /* write the service name length and then the service name to - the fd */ - KRB4_32 serv_length; - int cc; - - serv_length = htonl((unsigned long)strlen(service)); - if ((cc = krb_net_write(fd, (char *) &serv_length, - sizeof(serv_length))) - != sizeof(serv_length)) - return(cc); - if ((cc = krb_net_write(fd, service, strlen(service))) - != strlen(service)) - return(cc); - return(KSUCCESS); -} -#endif /* ATHENA_COMPAT */ diff --git a/src/lib/krb4/setenv.c b/src/lib/krb4/setenv.c deleted file mode 100644 index 76a2a61..0000000 --- a/src/lib/krb4/setenv.c +++ /dev/null 
@@ -1,164 +0,0 @@ -/* - * Copyright (c) 1987 Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the University of California, Berkeley. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)setenv.c 5.2 (Berkeley) 6/27/88"; -#endif /* LIBC_SCCS and not lint */ - -#include "conf.h" -#include <stdio.h> -#include <string.h> - -/* - * setenv -- - * Set the value of the environmental variable "name" to be - * "value". If rewrite is set, replace any current value. 
- */ -int setenv(name, value, rewrite) - register char *name, *value; - int rewrite; -{ - extern char **environ; - static int alloced; /* if allocated space before */ - register char *C; - int l_value, offset; - char *malloc(), *realloc(), *_findenv(); - - if (*value == '=') /* no `=' in value */ - ++value; - l_value = strlen(value); - if ((C = _findenv(name, &offset))) { /* find if already exists */ - if (!rewrite) - return(0); - if (strlen(C) >= l_value) { /* old larger; copy over */ - while (*C++ = *value++); - return(0); - } - } - else { /* create new slot */ - register int cnt; - register char **P; - - for (P = environ, cnt = 0; *P; ++P, ++cnt); - if (alloced) { /* just increase size */ - environ = (char **)realloc((char *)environ, - (u_int)(sizeof(char *) * (cnt + 2))); - if (!environ) - return(-1); - } - else { /* get new space */ - alloced = 1; /* copy old entries into it */ - P = (char **)malloc((u_int)(sizeof(char *) * - (cnt + 2))); - if (!P) - return(-1); - memcpy(P, environ, cnt * sizeof(char *)); - environ = P; - } - environ[cnt + 1] = NULL; - offset = cnt; - } - for (C = name; *C && *C != '='; ++C); /* no `=' in name */ - if (!(environ[offset] = /* name + `=' + value */ - malloc((u_int)((int)(C - name) + l_value + 2)))) - return(-1); - for (C = environ[offset]; (*C = *name++) && *C != '='; ++C); - for (*C++ = '='; *C++ = *value++;); - return(0); -} - -/* - * unsetenv(name) -- - * Delete environmental variable "name". - */ -void -unsetenv(name) - char *name; -{ - extern char **environ; - register char **P; - int offset; - char *_findenv(); - - while (_findenv(name, &offset)) /* if set multiple times */ - for (P = &environ[offset];; ++P) - if (!(*P = *(P + 1))) - break; -} -/* - * Copyright (c) 1987 Regents of the University of California. - * All rights reserved. 
- * - * Redistribution and use in source and binary forms are permitted - * provided that the above copyright notice and this paragraph are - * duplicated in all such forms and that any documentation, - * advertising materials, and other materials related to such - * distribution and use acknowledge that the software was developed - * by the University of California, Berkeley. The name of the - * University may not be used to endorse or promote products derived - * from this software without specific prior written permission. - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -#ifndef HAVE_GETENV -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)getenv.c 5.5 (Berkeley) 6/27/88"; -#endif /* LIBC_SCCS and not lint */ - -/* - * getenv -- - * Returns ptr to value associated with name, if any, else NULL. - */ -char * -getenv(name) - char *name; -{ - int offset; - char *_findenv(); - - return(_findenv(name, &offset)); -} -#endif -/* - * _findenv -- - * Returns pointer to value associated with name, if any, else NULL. - * Sets offset to be the offset of the name/value combination in the - * environmental array, for use by setenv(3) and unsetenv(3). - * Explicitly removes '=' in argument name. - * - * This routine *should* be a static; don't use it. - */ -char * -_findenv(name, offset) - register char *name; - int *offset; -{ - extern char **environ; - register int len; - register char **P, *C; - - for (C = name, len = 0; *C && *C != '='; ++C, ++len); - for (P = environ; *P; ++P) - if (!strncmp(*P, name, len)) - if (*(C = *P + len) == '=') { - *offset = P - environ; - return(++C); - } - return(NULL); -} diff --git a/src/lib/krb4/stime.c b/src/lib/krb4/stime.c deleted file mode 100644 index f73c6f5..0000000 --- a/src/lib/krb4/stime.c +++ /dev/null 
@@ -1,57 +0,0 @@
-/*
- * lib/krb4/stime.c
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute of
- * Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include "krb4int.h"
-#include <stdio.h> /* for sprintf() */
-#ifndef _WIN32
-#include <time.h>
-#include <sys/time.h>
-#endif
-
-/*
- * Given a pointer to a long containing the number of seconds
- * since the beginning of time (midnight 1 Jan 1970 GMT), return
- * a string containing the local time in the form:
- *
- * "25-Jan-88 10:17:56"
- */
-
-char *krb_stime(t)
- long *t;
-{
- static char st[40];
- static time_t adjusted_time;
- struct tm *tm;
-
- adjusted_time = *t - CONVERT_TIME_EPOCH;
- tm = localtime(&adjusted_time);
- (void) snprintf(st,sizeof(st),"%2d-%s-%d %02d:%02d:%02d",tm->tm_mday,
- month_sname(tm->tm_mon + 1),1900+tm->tm_year,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
- return st;
-}
-
diff --git a/src/lib/krb4/strcasecmp.c b/src/lib/krb4/strcasecmp.c
deleted file mode 100644
index 31bf0af..0000000
--- a/src/lib/krb4/strcasecmp.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (c) 1987 Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that the above copyright notice and this paragraph are
- * duplicated in all such forms and that any documentation,
- * advertising materials, and other materials related to such
- * distribution and use acknowledge that the software was developed
- * by the University of California, Berkeley. The name of the
- * University may not be used to endorse or promote products derived
- * from this software without specific prior written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-/*
- * This array is designed for mapping upper and lower case letter
- * together for a case independent comparison. The mappings are
- * based upon ascii character sequences.
- */
-static unsigned char charmap[] = {
- '\000', '\001', '\002', '\003', '\004', '\005', '\006', '\007',
- '\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017',
- '\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027',
- '\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037',
- '\040', '\041', '\042', '\043', '\044', '\045', '\046', '\047',
- '\050', '\051', '\052', '\053', '\054', '\055', '\056', '\057',
- '\060', '\061', '\062', '\063', '\064', '\065', '\066', '\067',
- '\070', '\071', '\072', '\073', '\074', '\075', '\076', '\077',
- '\100', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
- '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
- '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
- '\170', '\171', '\172', '\133', '\134', '\135', '\136', '\137',
- '\140', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
- '\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
- '\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
- '\170', '\171', '\172', '\173', '\174', '\175', '\176', '\177',
- '\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207',
- '\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217',
- '\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227',
- '\230', '\231', '\232', '\233', '\234', '\235', '\236', '\237',
- '\240', '\241', '\242', '\243', '\244', '\245', '\246', '\247',
- '\250', '\251', '\252', '\253', '\254', '\255', '\256', '\257',
- '\260', '\261', '\262', '\263', '\264', '\265', '\266', '\267',
- '\270', '\271', '\272', '\273', '\274', '\275', '\276', '\277',
- '\300', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
- '\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
- '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
- '\370', '\371', '\372', '\333', '\334', '\335', '\336', '\337',
- '\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
- '\350', '\351', '\352', '\353', '\354',
'\355', '\356', '\357',
- '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
- '\370', '\371', '\372', '\373', '\374', '\375', '\376', '\377',
-};
-
-strcasecmp(s1, s2)
- char *s1, *s2;
-{
- register unsigned char *cm = charmap,
- *us1 = (unsigned char *)s1,
- *us2 = (unsigned char *)s2;
-
- while (cm[*us1] == cm[*us2++])
- if (*us1++ == '\0')
- return(0);
- return(cm[*us1] - cm[*--us2]);
-}
-
-strncasecmp(s1, s2, n)
- char *s1, *s2;
- register int n;
-{
- register unsigned char *cm = charmap,
- *us1 = (unsigned char *)s1,
- *us2 = (unsigned char *)s2;
-
- while (--n >= 0 && cm[*us1] == cm[*us2++])
- if (*us1++ == '\0')
- return(0);
- return(n < 0 ? 0 : cm[*us1] - cm[*--us2]);
-}
diff --git a/src/lib/krb4/strnlen.c b/src/lib/krb4/strnlen.c
deleted file mode 100644
index 5dc8011..0000000
--- a/src/lib/krb4/strnlen.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * lib/krb4/strnlen.c
- *
- * Copyright 2000, 2001 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include <stddef.h>
-#include "krb.h"
-#include "prot.h"
-
-/*
- * krb4int_strnlen()
- *
- * Return the length of the string if a NUL is found in the first n
- * bytes, otherwise, -1.
- */
-
-int KRB5_CALLCONV
-krb4int_strnlen(const char *s, int n)
-{
- int i = 0;
-
- for (i = 0; i < n; i++) {
- if (s[i] == '\0') {
- return i;
- }
- }
- return -1;
-}
diff --git a/src/lib/krb4/swab.c b/src/lib/krb4/swab.c
deleted file mode 100644
index e07b28b..0000000
--- a/src/lib/krb4/swab.c
+++ /dev/null
@@ -1,18 +0,0 @@
-/* simple implementation of swab. */
-
-swab(from,to,nbytes)
- char *from;
- char *to;
- int nbytes;
-{
- char tmp;
- while ( (nbytes-=2) >= 0 ) {
- tmp = from[1];
- to[1] = from[0];
- to[0] = tmp;
- to++; to++;
- from++; from++;
- }
-}
-
-
diff --git a/src/lib/krb4/tf_shm.c b/src/lib/krb4/tf_shm.c
deleted file mode 100644
index 2b04071..0000000
--- a/src/lib/krb4/tf_shm.c
+++ /dev/null
@@ -1,173 +0,0 @@ -/* - * tf_shm.c - * - * Copyright 1988, 2007 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - * - * Shared memory segment functions for session keys. Derived from code - * contributed by Dan Kolkowitz (kolk@jessica.stanford.edu). - */ - -#include "mit-copyright.h" - -#include <stdio.h> -#include <sys/ipc.h> -#include <sys/shm.h> -#include "krb.h" -#include "des.h" -#include <sys/stat.h> -#include <fcntl.h> - -#define MAX_BUFF sizeof(des_cblock)*1000 /* room for 1k keys */ - -extern int krb_debug; - -/* - * krb_create_shmtkt: - * - * create a shared memory segment for session keys, leaving its id - * in the specified filename. - */ - -int -krb_shm_create(file_name) -char *file_name; -{ - int retval; - int shmid; - struct shmid_ds shm_buf; - FILE *sfile; - uid_t me, metoo, getuid(), geteuid(); - - (void) krb_shm_dest(file_name); /* nuke it if it exists... - this cleans up to make sure we - don't slowly lose memory. */ - - shmid = shmget((long)IPC_PRIVATE,MAX_BUFF, IPC_CREAT); - if (shmid == -1) { - if (krb_debug) - perror("krb_shm_create shmget"); - return(KFAILURE); /* XXX */ - } - me = getuid(); - metoo = geteuid(); - /* - * now set up the buffer so that we can modify it - */ - shm_buf.shm_perm.uid = me; - shm_buf.shm_perm.gid = getgid(); - shm_buf.shm_perm.mode = 0600; - if (shmctl(shmid,IPC_SET,&shm_buf) < 0) { /*can now map it */ - if (krb_debug) - perror("krb_shm_create shmctl"); - (void) shmctl(shmid, IPC_RMID, 0); - return(KFAILURE); /* XXX */ - } -#if !defined(_AIX) - (void) shmctl(shmid, SHM_LOCK, 0); /* attempt to lock-in-core */ -#endif - /* arrange so the file is owned by the ruid - (swap real & effective uid if necessary). */ - if (me != metoo) { - if (setreuid(metoo, me) < 0) { - /* can't switch??? barf! 
*/ - if (krb_debug) - perror("krb_shm_create: setreuid"); - (void) shmctl(shmid, IPC_RMID, 0); - return(KFAILURE); - } else - if (krb_debug) - printf("swapped UID's %d and %d\n",metoo,me); - } - if ((sfile = fopen(file_name,"w")) == 0) { - if (krb_debug) - perror("krb_shm_create file"); - (void) shmctl(shmid, IPC_RMID, 0); - return(KFAILURE); /* XXX */ - } - set_cloexec_file(sfile); - if (fchmod(fileno(sfile),0600) < 0) { - if (krb_debug) - perror("krb_shm_create fchmod"); - (void) shmctl(shmid, IPC_RMID, 0); - return(KFAILURE); /* XXX */ - } - if (me != metoo) { - if (setreuid(me, metoo) < 0) { - /* can't switch??? barf! */ - if (krb_debug) - perror("krb_shm_create: setreuid2"); - (void) shmctl(shmid, IPC_RMID, 0); - return(KFAILURE); - } else - if (krb_debug) - printf("swapped UID's %d and %d\n",me,metoo); - } - - (void) fprintf(sfile,"%d",shmid); - (void) fflush(sfile); - (void) fclose(sfile); - return(KSUCCESS); -} - - -/* - * krb_is_diskless: - * - * check / to see if file .diskless exists. If so it is diskless. - * Do it this way now to avoid dependencies on a particular routine. - * Choose root file system since that will be private to the client. - */ - -int krb_is_diskless() -{ - struct stat buf; - if (stat("/.diskless",&buf) < 0) - return(0); - else return(1); -} - -/* - * krb_shm_dest: destroy shared memory segment with session keys, and remove - * file pointing to it. 
- */ - -int krb_shm_dest(file) -char *file; -{ - int shmid; - FILE *sfile; - struct stat st_buf; - - if (stat(file,&st_buf) == 0) { - /* successful stat */ - if ((sfile = fopen(file,"r")) == 0) { - if (krb_debug) - perror("cannot open shared memory file"); - return(KFAILURE); /* XXX */ - } - set_cloexec_file(sfile); - if (fscanf(sfile,"%d",&shmid) == 1) { - if (shmctl(shmid,IPC_RMID,0) != 0) { - if (krb_debug) - perror("krb_shm_dest: cannot delete shm segment"); - (void) fclose(sfile); - return(KFAILURE); /* XXX */ - } - } else { - if (krb_debug) - fprintf(stderr, "bad format in shmid file\n"); - (void) fclose(sfile); - return(KFAILURE); /* XXX */ - } - (void) fclose(sfile); - (void) unlink(file); - return(KSUCCESS); - } else - return(RET_TKFIL); /* XXX */ -} - - - diff --git a/src/lib/krb4/tf_util.c b/src/lib/krb4/tf_util.c deleted file mode 100644 index 0bc05d7..0000000 --- a/src/lib/krb4/tf_util.c +++ /dev/null 
@@ -1,1103 +0,0 @@ -/* - * lib/krb4/tf_util.c - * - * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2007 by the Massachusetts - * Institute of Technology. All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -#include "krb.h" -#include "k5-int.h" -#include "krb4int.h" - - -#include <stdio.h> -#include <string.h> -#include <errno.h> -#ifdef HAVE_UNISTD_H -#include <unistd.h> -#endif -#include <sys/stat.h> -#include <fcntl.h> - -#ifdef TKT_SHMEM -#include <sys/param.h> -#include <sys/ipc.h> -#include <sys/shm.h> -#endif /* TKT_SHMEM */ - - - -#define TOO_BIG -1 -#define TF_LCK_RETRY ((unsigned)2) /* seconds to sleep before - * retry if ticket file is - * locked */ -extern int krb_debug; - -void tf_close(); - -#ifdef TKT_SHMEM -char *krb_shm_addr; -static char *tmp_shm_addr; -static const char krb_dummy_skey[8]; - -char *shmat(); -#endif /* TKT_SHMEM */ - -#ifdef NEED_UTIMES - -#include <sys/time.h> -#ifdef __SCO__ -#include <utime.h> -#endif -#if defined(__svr4__) || defined(__SVR4) -#include <utime.h> -#endif -int utimes(path, times) - char* path; - struct timeval times[2]; -{ - struct utimbuf tv; - tv.actime = times[0].tv_sec; - tv.modtime = times[1].tv_sec; - return utime(path,&tv); -} -#endif - -#ifdef HAVE_SETEUID -#define do_seteuid(e) seteuid((e)) -#else -#ifdef HAVE_SETRESUID -#define do_seteuid(e) setresuid(-1, (e), -1) -#else -#ifdef HAVE_SETREUID -#define do_seteuid(e) setreuid(geteuid(), (e)) -#else -#define do_seteuid(e) (errno = EPERM, -1) -#endif -#endif -#endif - - -#ifdef K5_LE -/* This was taken from jhutz's patch for heimdal krb4. It only - * applies to little endian systems. Big endian systems have a - * less elegant solution documented below. - * - * This record is written after every real ticket, to ensure that - * both 32- and 64-bit readers will perceive the next real ticket - * as starting in the same place. This record looks like a ticket - * with the following properties: - * Field 32-bit 64-bit - * ============ ================= ================= - * sname "." "." - * sinst "" "" - * srealm ".." ".." 
- * session key 002E2E00 xxxxxxxx xxxxxxxx 00000000 - * lifetime 0 0 - * kvno 0 12 - * ticket 12 nulls 4 nulls - * issue 0 0 - * - * Our code always reads and writes the 32-bit format, but knows - * to skip 00000000 at the front of a record, and to completely - * ignore tickets for the special alignment principal. - */ -static unsigned char align_rec[] = { - 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0x00, 0x2e, - 0x2e, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00 -}; - -#else /* Big Endian */ - -/* These alignment records are for big endian systems. We need more - * of them because the portion of the 64-bit issue_date that overlaps - * with the start of a ticket on 32-bit systems contains an unpredictable - * number of NULL bytes. Preceeding these records is a second copy of the - * 32-bit issue_date. The srealm for the alignment records is always one of - * ".." or "?.." - */ - -/* No NULL bytes - * This is actually two alignment records since both 32- and 64-bit - * readers will agree on everything in the first record up through the - * issue_date size, except where sname starts. - * Field (1) 32-bit 64-bit - * ============ ================= ================= - * sname "????." "." - * sinst "" "" - * srealm ".." ".." - * session key 00000000 xxxxxxxx 00000000 xxxxxxxx - * lifetime 0 0 - * kvno 0 0 - * ticket 4 nulls 4 nulls - * issue 0 0 - * - * Field (2) 32-bit 64-bit - * ============ ================= ================= - * sname "." "." - * sinst "" "" - * srealm ".." ".." 
- * session key 002E2E00 xxxxxxxx xxxxxxxx 00000000 - * lifetime 0 0 - * kvno 0 12 - * ticket 12 nulls 4 nulls - * issue 0 0 - * - */ -static unsigned char align_rec_0[] = { - 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0x00, 0x00, - 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, - 0x00, 0x2e, 0x2e, 0x00, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00 -}; - -/* One NULL byte - * Field 32-bit 64-bit - * ============ ================= ================= - * sname "x" |"xx"|"xxx" "." - * sinst "xx."|"x."|"." ".." - * srealm ".." "..." - * session key 2E2E2E00 xxxxxxxx xxxxxxxx 00000000 - * lifetime 0 0 - * kvno 0 12 - * ticket 12 nulls 4 nulls - * issue 0 0 - */ -static unsigned char align_rec_1[] = { - 0x2e, 0x00, 0x2e, 0x2e, 0x00, 0x2e, 0x2e, 0x2e, - 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00 -}; - -/* Two NULL bytes - * Field 32-bit 64-bit - * ============ ================= ================= - * sname "x" |"x" |"xx" ".." - * sinst "" |"x" |"" "" - * srealm "x.."|".."|".." ".." - * session key 002E2E00 xxxxxxxx xxxxxxxx 00000000 - * lifetime 0 0 - * kvno 0 12 - * ticket 12 nulls 4 nulls - * issue 0 0 - */ - static unsigned char align_rec_2[] = { - 0x2e, 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0xff, - 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, - 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; - -/* Three NULL bytes - * Things break here for 32-bit krb4 libraries that don't - * understand this alignment record. 
We can't really do - * anything about the fact that the three strings ended - * in the duplicate timestamp. The good news is that this - * only happens once every 0x1000000 seconds, once roughly - * every six and a half months. We'll live. - * - * Discussion on the krbdev list has suggested the - * issue_date be incremented by one in this case to avoid - * the problem. I'm leaving this here just in case. - * - * Field 32-bit 64-bit - * ============ ================= ================= - * sname "" "." - * sinst "" "" - * srealm "" ".." - * session key 2E00002E 2E00FFFF xxxx0000 0000xxxx - * lifetime 0 0 - * kvno 4294901760 917504 - * ticket 14 nulls 4 nulls - * issue 0 0 - */ -/* -static unsigned char align_rec_3[] = { - 0x2e, 0x00, 0x00, 0x2e, 0x2e, 0x00, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; -*/ -#endif /* K5_LE*/ - -/* - * fd must be initialized to something that won't ever occur as a real - * file descriptor. Since open(2) returns only non-negative numbers as - * valid file descriptors, and tf_init always stuffs the return value - * from open in here even if it is an error flag, we must - * a. Initialize fd to a negative number, to indicate that it is - * not initially valid. - * b. When checking for a valid fd, assume that negative values - * are invalid (ie. when deciding whether tf_init has been - * called.) - * c. In tf_close, be sure it gets reinitialized to a negative - * number. - */ -static int fd = -1; -static int curpos; /* Position in tfbfr */ -static int lastpos; /* End of tfbfr */ -static char tfbfr[BUFSIZ]; /* Buffer for ticket data */ - -static int tf_gets (char *, int), tf_read (char *, int); - -/* - * This file contains routines for manipulating the ticket cache file. 
- * - * The ticket file is in the following format: - * - * principal's name (null-terminated string) - * principal's instance (null-terminated string) - * CREDENTIAL_1 - * CREDENTIAL_2 - * ... - * CREDENTIAL_n - * EOF - * - * Where "CREDENTIAL_x" consists of the following fixed-length - * fields from the CREDENTIALS structure (see "krb.h"): - * - * string service[ANAME_SZ] - * string instance[INST_SZ] - * string realm[REALM_SZ] - * C_Block session - * int lifetime - * int kvno - * KTEXT_ST ticket_st - * KRB4_32 issue_date - * - * Strings are stored NUL-terminated, and read back until a NUL is - * found or the indicated number of bytes have been read. (So if you - * try to store a string exactly that long or longer, reading them - * back will not work.) The KTEXT_ST structure is stored as an int - * length followed by that many data bytes. All ints are stored using - * host size and byte order for "int". - * - * Short description of routines: - * - * tf_init() opens the ticket file and locks it. - * - * tf_get_pname() returns the principal's name. - * - * tf_get_pinst() returns the principal's instance (may be null). - * - * tf_get_cred() returns the next CREDENTIALS record. - * - * tf_save_cred() appends a new CREDENTIAL record to the ticket file. - * - * tf_close() closes the ticket file and releases the lock. - * - * tf_gets() returns the next null-terminated string. It's an internal - * routine used by tf_get_pname(), tf_get_pinst(), and tf_get_cred(). - * - * tf_read() reads a given number of bytes. It's an internal routine - * used by tf_get_cred(). - */ - -/* - * tf_init() should be called before the other ticket file routines. - * It takes the name of the ticket file to use, "tf_name", and a - * read/write flag "rw" as arguments. - * - * It tries to open the ticket file, checks the mode, and if everything - * is okay, locks the file. If it's opened for reading, the lock is - * shared. If it's opened for writing, the lock is exclusive. 
- * - * Returns KSUCCESS if all went well, otherwise one of the following: - * - * NO_TKT_FIL - file wasn't there - * TKT_FIL_ACC - file was in wrong mode, etc. - * TKT_FIL_LCK - couldn't lock the file, even after a retry - */ - -int KRB5_CALLCONV tf_init(tf_name, rw) - const char *tf_name; - int rw; -{ - int wflag; - uid_t me, metoo; - struct stat stat_buf, stat_buffd; -#ifdef TKT_SHMEM - char shmidname[MAXPATHLEN]; - FILE *sfp; - int shmid; -#endif - - if (!krb5__krb4_context) { - if (krb5_init_context(&krb5__krb4_context)) - return TKT_FIL_LCK; - } - - me = getuid(); - metoo = geteuid(); - - switch (rw) { - case R_TKT_FIL: - wflag = 0; - break; - case W_TKT_FIL: - wflag = 1; - break; - default: - if (krb_debug) fprintf(stderr, "tf_init: illegal parameter\n"); - return TKT_FIL_ACC; - } - - /* If ticket cache selector is null, use default cache. */ - if (tf_name == 0) - tf_name = tkt_string(); - -#ifdef TKT_SHMEM - (void) strncpy(shmidname, tf_name, sizeof(shmidname) - 1); - shmidname[sizeof(shmidname) - 1] = '\0'; - (void) strncat(shmidname, ".shm", sizeof(shmidname) - 1 - strlen(shmidname)); -#endif /* TKT_SHMEM */ - - /* - * If "wflag" is set, open the ticket file in append-writeonly mode - * and lock the ticket file in exclusive mode. If unable to lock - * the file, sleep and try again. If we fail again, return with the - * proper error message. - */ - - curpos = sizeof(tfbfr); - -#ifdef TKT_SHMEM - if (lstat(shmidname, &stat_buf) < 0) { - switch (errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - if (stat_buf.st_uid != me || !(stat_buf.st_mode & S_IFREG) - || stat_buf.st_nlink != 1 || stat_buf.st_mode & 077) { - return TKT_FIL_ACC; - } - - /* - * Yes, we do uid twiddling here. It's not optimal, but some - * applications may expect that the ruid is what should really own - * the ticket file, e.g. setuid applications. 
- */ - if (me != metoo && do_seteuid(me) < 0) - return KFAILURE; - sfp = fopen(shmidname, "r"); /* only need read/write on the - actual tickets */ - if (sfp != 0) - set_cloexec_file(sfp); - if (me != metoo && do_seteuid(metoo) < 0) - return KFAILURE; - if (sfp == 0) { - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - - /* - * fstat() the file to check that the file we opened is the one we - * think it is. - */ - if (fstat(fileno(sfp), &stat_buffd) < 0) { - (void) close(fd); - fd = -1; - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* Check that it's the right file */ - if ((stat_buf.st_ino != stat_buffd.st_ino) || - (stat_buf.st_dev != stat_buffd.st_dev)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - /* Check ownership */ - if ((stat_buffd.st_uid != me && me != 0) || - ((stat_buffd.st_mode & S_IFMT) != S_IFREG)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - - - - shmid = -1; - { - char buf[BUFSIZ]; - int val; /* useful for debugging fscanf */ - /* We provide our own buffer here since some STDIO libraries - barf on unbuffered input with fscanf() */ - setbuf(sfp, buf); - if ((val = fscanf(sfp,"%d",&shmid)) != 1) { - (void) fclose(sfp); - return TKT_FIL_ACC; - } - if (shmid < 0) { - (void) fclose(sfp); - return TKT_FIL_ACC; - } - (void) fclose(sfp); - } - /* - * global krb_shm_addr is initialized to 0. Ultrix bombs when you try and - * attach the same segment twice so we need this check. 
- */ - if (!krb_shm_addr) { - if ((krb_shm_addr = shmat(shmid,0,0)) == -1){ - if (krb_debug) - fprintf(stderr, - "cannot attach shared memory for segment %d\n", - shmid); - krb_shm_addr = 0; /* reset so we catch further errors */ - return TKT_FIL_ACC; - } - } - tmp_shm_addr = krb_shm_addr; -#endif /* TKT_SHMEM */ - - if (lstat(tf_name, &stat_buf) < 0) { - switch (errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - if (stat_buf.st_uid != me || !(stat_buf.st_mode & S_IFREG) - || stat_buf.st_nlink != 1 || stat_buf.st_mode & 077) { - return TKT_FIL_ACC; - } - - if (wflag) { - if (me != metoo && do_seteuid(me) < 0) - return KFAILURE; - fd = open(tf_name, O_RDWR, 0600); - if (fd >= 0) - set_cloexec_fd(fd); - if (me != metoo && do_seteuid(metoo) < 0) - return KFAILURE; - if (fd < 0) { - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* - * fstat() the file to check that the file we opened is the - * one we think it is, and to check ownership. 
- */ - if (fstat(fd, &stat_buffd) < 0) { - (void) close(fd); - fd = -1; - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* Check that it's the right file */ - if ((stat_buf.st_ino != stat_buffd.st_ino) || - (stat_buf.st_dev != stat_buffd.st_dev)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - /* Check ownership */ - if ((stat_buffd.st_uid != me && me != 0) || - ((stat_buffd.st_mode & S_IFMT) != S_IFREG)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - if (krb5_lock_file(krb5__krb4_context, fd, - KRB5_LOCKMODE_EXCLUSIVE | - KRB5_LOCKMODE_DONTBLOCK) < 0) { - sleep(TF_LCK_RETRY); - if (krb5_lock_file(krb5__krb4_context, fd, - KRB5_LOCKMODE_EXCLUSIVE | - KRB5_LOCKMODE_DONTBLOCK) < 0) { - (void) close(fd); - fd = -1; - return TKT_FIL_LCK; - } - } - return KSUCCESS; - } - /* - * Otherwise "wflag" is not set and the ticket file should be opened - * for read-only operations and locked for shared access. - */ - - if (me != metoo && do_seteuid(me) < 0) - return KFAILURE; - fd = open(tf_name, O_RDONLY, 0600); - if (fd >= 0) - set_cloexec_fd(fd); - if (me != metoo && do_seteuid(metoo) < 0) - return KFAILURE; - if (fd < 0) { - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* - * fstat() the file to check that the file we opened is the one we - * think it is, and to check ownership. 
- */ - if (fstat(fd, &stat_buffd) < 0) { - (void) close(fd); - fd = -1; - switch(errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - } - /* Check that it's the right file */ - if ((stat_buf.st_ino != stat_buffd.st_ino) || - (stat_buf.st_dev != stat_buffd.st_dev)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - /* Check ownership */ - if ((stat_buffd.st_uid != me && me != 0) || - ((stat_buffd.st_mode & S_IFMT) != S_IFREG)) { - (void) close(fd); - fd = -1; - return TKT_FIL_ACC; - } - if (krb5_lock_file(krb5__krb4_context, fd, - KRB5_LOCKMODE_SHARED | - KRB5_LOCKMODE_DONTBLOCK) < 0) { - sleep(TF_LCK_RETRY); - if (krb5_lock_file(krb5__krb4_context, fd, - KRB5_LOCKMODE_SHARED | - KRB5_LOCKMODE_DONTBLOCK) < 0) { - (void) close(fd); - fd = -1; - return TKT_FIL_LCK; - } - } - return KSUCCESS; -} - -/* - * tf_get_pname() reads the principal's name from the ticket file. It - * should only be called after tf_init() has been called. The - * principal's name is filled into the "p" parameter. If all goes well, - * KSUCCESS is returned. If tf_init() wasn't called, TKT_FIL_INI is - * returned. If the name was null, or EOF was encountered, or the name - * was longer than ANAME_SZ, TKT_FIL_FMT is returned. - */ - -int KRB5_CALLCONV tf_get_pname(p) - char *p; -{ - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_get_pname called before tf_init.\n"); - return TKT_FIL_INI; - } - if (tf_gets(p, ANAME_SZ) < 2) /* can't be just a null */ - return TKT_FIL_FMT; - return KSUCCESS; -} - -/* - * tf_get_pinst() reads the principal's instance from a ticket file. - * It should only be called after tf_init() and tf_get_pname() have been - * called. The instance is filled into the "inst" parameter. If all - * goes well, KSUCCESS is returned. If tf_init() wasn't called, - * TKT_FIL_INI is returned. If EOF was encountered, or the instance - * was longer than ANAME_SZ, TKT_FIL_FMT is returned. Note that the - * instance may be null. 
- */ - -int KRB5_CALLCONV tf_get_pinst(inst) - char *inst; -{ - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_get_pinst called before tf_init.\n"); - return TKT_FIL_INI; - } - if (tf_gets(inst, INST_SZ) < 1) - return TKT_FIL_FMT; - return KSUCCESS; -} - -/* - * tf_get_cred() reads a CREDENTIALS record from a ticket file and fills - * in the given structure "c". It should only be called after tf_init(), - * tf_get_pname(), and tf_get_pinst() have been called. If all goes well, - * KSUCCESS is returned. Possible error codes are: - * - * TKT_FIL_INI - tf_init wasn't called first - * TKT_FIL_FMT - bad format - * EOF - end of file encountered - */ - -static int real_tf_get_cred(c) - CREDENTIALS *c; -{ - KTEXT ticket = &c->ticket_st; /* pointer to ticket */ - int k_errno; - unsigned char nullbuf[3]; /* used for 64-bit issue_date tf compatibility */ - - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_get_cred called before tf_init.\n"); - return TKT_FIL_INI; - } - if ((k_errno = tf_gets(c->service, SNAME_SZ)) < 2) { - -#ifdef K5_BE - /* If we're big endian then we can have a null service name as part of - * an alignment record. */ - if (k_errno < 2) - switch (k_errno) { - case TOO_BIG: - tf_close(); - return TKT_FIL_FMT; - case 0: - return EOF; - } -#else /* Little Endian */ - /* If we read an empty service name, it's possible that's because - * the file was written by someone who thinks issue_date should be - * 64 bits. 
If that is the case, there will be three more zeros, - * followed by the real record.*/ - - if (k_errno == 1 && - tf_read(nullbuf, 3) == 3 && - !nullbuf[0] && !nullbuf[1] && !nullbuf[2]) - k_errno = tf_gets(c->service, SNAME_SZ); - - if (k_errno < 2) - switch (k_errno) { - case TOO_BIG: - case 1: /* can't be just a null */ - tf_close(); - return TKT_FIL_FMT; - case 0: - return EOF; - } -#endif/*K5_BE*/ - - } - if ((k_errno = tf_gets(c->instance, INST_SZ)) < 1) - switch (k_errno) { - case TOO_BIG: - return TKT_FIL_FMT; - case 0: - return EOF; - } - if ((k_errno = tf_gets(c->realm, REALM_SZ)) < 2) { - switch (k_errno) { - case TOO_BIG: - case 1: /* can't be just a null */ - tf_close(); - return TKT_FIL_FMT; - case 0: - return EOF; - } - } - - if ( - tf_read((char *) (c->session), KEY_SZ) < 1 || - tf_read((char *) &(c->lifetime), sizeof(c->lifetime)) < 1 || - tf_read((char *) &(c->kvno), sizeof(c->kvno)) < 1 || - tf_read((char *) &(ticket->length), sizeof(ticket->length)) - < 1 || - /* don't try to read a silly amount into ticket->dat */ - ticket->length > MAX_KTXT_LEN || - tf_read((char *) (ticket->dat), ticket->length) < 1 || - tf_read((char *) &(c->issue_date), sizeof(c->issue_date)) < 1 - ) { - tf_close(); - return TKT_FIL_FMT; - } - -#ifdef K5_BE - /* If the issue_date is 0 and we're not dealing with an alignment - record, then it's likely we've run into an issue_date written by - a 64-bit library that is using long instead of KRB4_32. Let's get - the next four bytes instead. 
- */ - if (0 == c->issue_date) { - int len = strlen(c->realm); - if (!(2 == len && 0 == strcmp(c->realm, "..")) && - !(3 == len && 0 == strcmp(c->realm + 1, ".."))) { - if (tf_read((char *) &(c->issue_date), sizeof(c->issue_date)) < 1) { - tf_close(); - return TKT_FIL_FMT; - } - } - } - -#endif - - return KSUCCESS; -} - -int KRB5_CALLCONV tf_get_cred(c) - CREDENTIALS *c; -{ - int k_errno; - int fake; - - do { - fake = 0; - k_errno = real_tf_get_cred(c); - if (k_errno) - return k_errno; - -#ifdef K5_BE - /* Here we're checking to see if the realm is one of the - * alignment record realms, ".." or "?..", so we can skip it. - * If it's not, then we need to verify that the service name - * was not null as this should be a valid ticket. - */ - { - int len = strlen(c->realm); - if (2 == len && 0 == strcmp(c->realm, "..")) - fake = 1; - if (3 == len && 0 == strcmp(c->realm + 1, "..")) - fake = 1; - if (!fake && 0 == strlen(c->service)) { - tf_close(); - return TKT_FIL_FMT; - } - } -#else /* Little Endian */ - /* Here we're checking to see if the service principal is the - * special alignment record principal ".@..", so we can skip it. - */ - if (strcmp(c->service, ".") == 0 && - strcmp(c->instance, "") == 0 && - strcmp(c->realm, "..") == 0) - fake = 1; -#endif/*K5_BE*/ - } while (fake); - -#ifdef TKT_SHMEM - memcpy(c->session, tmp_shm_addr, KEY_SZ); - tmp_shm_addr += KEY_SZ; -#endif /* TKT_SHMEM */ - return KSUCCESS; -} - -/* - * tf_close() closes the ticket file and sets "fd" to -1. If "fd" is - * not a valid file descriptor, it just returns. It also clears the - * buffer used to read tickets. - * - * The return value is not defined. - */ - -void KRB5_CALLCONV tf_close() -{ - if (!(fd < 0)) { -#ifdef TKT_SHMEM - if (shmdt(krb_shm_addr)) { - /* what kind of error? 
*/ - if (krb_debug) - fprintf(stderr, "shmdt 0x%x: errno %d",krb_shm_addr, errno); - } else { - krb_shm_addr = 0; - } -#endif /* TKT_SHMEM */ - if (!krb5__krb4_context) - krb5_init_context(&krb5__krb4_context); - (void) krb5_lock_file(krb5__krb4_context, fd, KRB5_LOCKMODE_UNLOCK); - (void) close(fd); - fd = -1; /* see declaration of fd above */ - } - memset(tfbfr, 0, sizeof(tfbfr)); -} - -/* - * tf_gets() is an internal routine. It takes a string "s" and a count - * "n", and reads from the file until either it has read "n" characters, - * or until it reads a null byte. When finished, what has been read exists - * in "s". If it encounters EOF or an error, it closes the ticket file. - * - * Possible return values are: - * - * n the number of bytes read (including null terminator) - * when all goes well - * - * 0 end of file or read error - * - * TOO_BIG if "count" characters are read and no null is - * encountered. This is an indication that the ticket - * file is seriously ill. - */ - -static int -tf_gets(s, n) - register char *s; - int n; -{ - register int count; - - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_gets called before tf_init.\n"); - return TKT_FIL_INI; - } - for (count = n - 1; count > 0; --count) { - if (curpos >= sizeof(tfbfr)) { - lastpos = read(fd, tfbfr, sizeof(tfbfr)); - curpos = 0; - } - if (curpos == lastpos) { - tf_close(); - return 0; - } - *s = tfbfr[curpos++]; - if (*s++ == '\0') - return (n - count); - } - tf_close(); - return TOO_BIG; -} - -/* - * tf_read() is an internal routine. It takes a string "s" and a count - * "n", and reads from the file until "n" bytes have been read. When - * finished, what has been read exists in "s". If it encounters EOF or - * an error, it closes the ticket file. 
- * - * Possible return values are: - * - * n the number of bytes read when all goes well - * - * 0 on end of file or read error - */ - -static int -tf_read(s, n) - register char *s; - register int n; -{ - register int count; - - for (count = n; count > 0; --count) { - if (curpos >= sizeof(tfbfr)) { - lastpos = read(fd, tfbfr, sizeof(tfbfr)); - curpos = 0; - } - if (curpos == lastpos) { - tf_close(); - return 0; - } - *s++ = tfbfr[curpos++]; - } - return n; -} - -/* - * tf_save_cred() appends an incoming ticket to the end of the ticket - * file. You must call tf_init() before calling tf_save_cred(). - * - * The "service", "instance", and "realm" arguments specify the - * server's name; "session" contains the session key to be used with - * the ticket; "kvno" is the server key version number in which the - * ticket is encrypted, "ticket" contains the actual ticket, and - * "issue_date" is the time the ticket was requested (local host's time). - * - * Returns KSUCCESS if all goes well, TKT_FIL_INI if tf_init() wasn't - * called previously, and KFAILURE for anything else that went wrong. - */ - -int tf_save_cred(service, instance, realm, session, lifetime, kvno, - ticket, issue_date) - char *service; /* Service name */ - char *instance; /* Instance */ - char *realm; /* Auth domain */ - C_Block session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT ticket; /* The ticket itself */ - KRB4_32 issue_date; /* The issue time */ -{ - - off_t lseek(); - unsigned int count; /* count for write */ -#ifdef TKT_SHMEM - int *skey_check; -#endif /* TKT_SHMEM */ - - if (fd < 0) { /* fd is ticket file as set by tf_init */ - if (krb_debug) - fprintf(stderr, "tf_save_cred called before tf_init.\n"); - return TKT_FIL_INI; - } - /* Find the end of the ticket file */ - (void) lseek(fd, (off_t)0, 2); -#ifdef TKT_SHMEM - /* scan to end of existing keys: pick first 'empty' slot. 
- we assume that no real keys will be completely zero (it's a weak - key under DES) */ - - skey_check = (int *) krb_shm_addr; - - while (*skey_check && *(skey_check+1)) - skey_check += 2; - tmp_shm_addr = (char *)skey_check; -#endif /* TKT_SHMEM */ - - /* Write the ticket and associated data */ - /* Service */ - count = strlen(service) + 1; - if (write(fd, service, count) != count) - goto bad; - /* Instance */ - count = strlen(instance) + 1; - if (write(fd, instance, count) != count) - goto bad; - /* Realm */ - count = strlen(realm) + 1; - if (write(fd, realm, count) != count) - goto bad; - /* Session key */ -#ifdef TKT_SHMEM - memcpy(tmp_shm_addr, session, 8); - tmp_shm_addr+=8; - if (write(fd,krb_dummy_skey,8) != 8) - goto bad; -#else /* ! TKT_SHMEM */ - if (write(fd, (char *) session, 8) != 8) - goto bad; -#endif /* TKT_SHMEM */ - /* Lifetime */ - if (write(fd, (char *) &lifetime, sizeof(int)) != sizeof(int)) - goto bad; - /* Key vno */ - if (write(fd, (char *) &kvno, sizeof(int)) != sizeof(int)) - goto bad; - /* Tkt length */ - if (write(fd, (char *) &(ticket->length), sizeof(int)) != - sizeof(int)) - goto bad; - /* Ticket */ - count = ticket->length; - if (write(fd, (char *) (ticket->dat), count) != count) - goto bad; - /* Issue date */ - if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) - != sizeof(KRB4_32)) - goto bad; - /* Alignment Record */ -#ifdef K5_BE - { - int null_bytes = 0; - if (0 == (issue_date & 0xff000000)) - ++null_bytes; - if (0 == (issue_date & 0x00ff0000)) - ++null_bytes; - if (0 == (issue_date & 0x0000ff00)) - ++null_bytes; - if (0 == (issue_date & 0x000000ff)) - ++null_bytes; - - switch(null_bytes) { - case 0: - /* Issue date */ - if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) - != sizeof(KRB4_32)) - goto bad; - if (write(fd, align_rec_0, sizeof(align_rec_0)) - != sizeof(align_rec_0)) - goto bad; - break; - - case 1: - if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) - != sizeof(KRB4_32)) - goto bad; - if (write(fd, 
align_rec_1, sizeof(align_rec_1)) - != sizeof(align_rec_1)) - goto bad; - break; - - case 3: - /* Three NULLS are troublesome but rare. We'll just pretend - * they don't exist by decrementing the issue_date. - */ - --issue_date; - case 2: - if (write(fd, (char *) &issue_date, sizeof(KRB4_32)) - != sizeof(KRB4_32)) - goto bad; - if (write(fd, align_rec_2, sizeof(align_rec_2)) - != sizeof(align_rec_2)) - goto bad; - break; - - default: - goto bad; - } - - } -#else - if (write(fd, align_rec, sizeof(align_rec)) != sizeof(align_rec)) - goto bad; -#endif - - /* Actually, we should check each write for success */ - return (KSUCCESS); -bad: - return (KFAILURE); -} diff --git a/src/lib/krb4/tkt_string.c b/src/lib/krb4/tkt_string.c deleted file mode 100644 index f6ed927..0000000 --- a/src/lib/krb4/tkt_string.c +++ /dev/null 
@@ -1,101 +0,0 @@
-/*
- * tkt_string.c
- *
- * Copyright 1985, 1986, 1987, 1988, 2002 by the Massachusetts
- * Institute of Technology. All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "krb.h"
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include "autoconf.h"
-#include "port-sockets.h" /* XXX this gets us MAXPATHLEN but we should find
- a better way */
-
-#ifdef HAVE_STDLIB_H
-#include <stdlib.h>
-#else
-char *getenv();
-#endif
-
-
-#ifdef _WIN32
-typedef unsigned long uid_t;
-uid_t getuid(void) { return 0; }
-#endif /* _WIN32 */
-
-/*
- * This routine is used to generate the name of the file that holds
- * the user's cache of server tickets and associated session keys.
- *
- * If it is set, krb_ticket_string contains the ticket file name.
- * Otherwise, the filename is constructed as follows:
- *
- * If it is set, the environment variable "KRBTKFILE" will be used as
- * the ticket file name. Otherwise TKT_ROOT (defined in "krb.h") and
- * the user's uid are concatenated to produce the ticket file name
- * (e.g., "/tmp/tkt123"). A pointer to the string containing the ticket
- * file name is returned.
- */
-
-static char krb_ticket_string[MAXPATHLEN];
-
-const char *tkt_string()
-{
- char *env;
- uid_t getuid();
-
- if (!*krb_ticket_string) {
- env = getenv("KRBTKFILE");
- if (env) {
- (void) strncpy(krb_ticket_string, env,
- sizeof(krb_ticket_string)-1);
- krb_ticket_string[sizeof(krb_ticket_string)-1] = '\0';
- } else {
- /* 32 bits of signed integer will always fit in 11 characters
- (including the sign), so no need to worry about overflow */
- (void) snprintf(krb_ticket_string, sizeof(krb_ticket_string),
- "%s%d",TKT_ROOT,(int) getuid());
- }
- }
- return krb_ticket_string;
-}
-
-/*
- * This routine is used to set the name of the file that holds the user's
- * cache of server tickets and associated session keys.
- *
- * The value passed in is copied into local storage.
- *
- * NOTE: This routine should be called during initialization, before other
- * Kerberos routines are called; otherwise tkt_string() above may be called
- * and return an undesired ticket file name until this routine is called.
- */
-
-void KRB5_CALLCONV
-krb_set_tkt_string(val)
- const char *val;
-{
- (void) strncpy(krb_ticket_string, val, sizeof(krb_ticket_string)-1);
- krb_ticket_string[sizeof(krb_ticket_string)-1] = '\0';
-}
diff --git a/src/lib/krb4/unix_glue.c b/src/lib/krb4/unix_glue.c
deleted file mode 100644
index 93a30ed..0000000
--- a/src/lib/krb4/unix_glue.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * unix_glue.c
- *
- * Glue code for pasting Kerberos into the Unix environment.
- *
- * Originally written by John Gilmore, Cygnus Support, May '94.
- * Public Domain.
- */
-
-#include "krb.h"
-#include <sys/time.h>
-#include "krb4int.h"
-
-/* Start and end Kerberos library access. On Unix, this is a No-op. */
-int
-krb_start_session (x)
- char *x;
-{
- return KSUCCESS;
-}
-
-int
-krb_end_session (x)
- char *x;
-{
- return KSUCCESS;
-}
-
-char *
-krb_get_default_user ()
-{
- return 0; /* FIXME */
-}
-
-int
-krb_set_default_user (x)
- char *x;
-{
- return KFAILURE; /* FIXME */
-}
diff --git a/src/lib/krb4/unix_time.c b/src/lib/krb4/unix_time.c
deleted file mode 100644
index 411ee38..0000000
--- a/src/lib/krb4/unix_time.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * unix_time.c
- *
- * Glue code for pasting Kerberos into the Unix environment.
- *
- * Originally written by John Gilmore, Cygnus Support, May '94.
- * Public Domain.
- */
-
-#include "krb.h"
-#include <sys/time.h>
-
-/* Time handling. Translate Unix time calls into Kerberos cnternal
- procedure calls. See ../../include/cc-unix.h. */
-
-unsigned KRB4_32 KRB5_CALLCONV
-unix_time_gmt_unixsec (usecptr)
- unsigned KRB4_32 *usecptr;
-{
- struct timeval now;
-
- (void) gettimeofday (&now, (struct timezone *)0);
- if (usecptr)
- *usecptr = now.tv_usec;
- return now.tv_sec;
-}
diff --git a/src/lib/krb4/vmslink.com b/src/lib/krb4/vmslink.com
deleted file mode 100644
index 95cabfe..0000000
--- a/src/lib/krb4/vmslink.com
+++ /dev/null
@@ -1,79 +0,0 @@
-$ write sys$output "start of run"
-$ cc /decc /inc=inc /debug=all des.c
-$ cc /decc /inc=inc /debug=all d3des.c
-$ cc /decc /inc=inc /debug=all cbc.c
-$ cc /decc /inc=([],inc) /debug=all qcksum.c
-$ cc /decc /inc=([],inc) /debug=all str2key.c
-$ cc /decc /inc=([],inc) /debug=all parity.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all ad_print.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all add_tkt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_auth_repl.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_ciph.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_death_pkt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_err_repl.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all cr_tkt.c
-$ write sys$output "begin d"
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all debug.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all decomp_tkt.c
-stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all dest_tkt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all err_txt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all ext_tkt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all fakeenv.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all fgetst.c
-$ write sys$output "begin g"
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_ad_tkt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_admhst.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_cnffile.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_cred.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_in_tkt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_krbhst.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_krbrlm.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_phost.c
-sgtty $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_pw_in_tkt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_pw_tkt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_request.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_svc_in_tkt.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_tf_fname.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all g_tf_realm.c
-$ write sys$output "end g_"
-$ cc/decc/inc=inc /define=("HOST_BYTE_ORDER=1",BSD42) /debug=all gethostname.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all getst.c
-stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all in_tkt.c
-$ cc/decc/inc=inc /define=("HOST_BYTE_ORDER=1",NEED_TIME_H) /debug=all klog.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all kname_parse.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all kntoln.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all kparse.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all krbglue.c
-stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all kuserok.c
-$ write sys$output "end k"
-$ cc/decc/inc=inc /define=("HOST_BYTE_ORDER=1",NEED_TIME_H) /debug=all log.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_err.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_preauth.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_priv.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_req.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all mk_safe.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all month_sname.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all netread.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all netwrite.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all pkt_cipher.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all pkt_clen.c
-$ write sys$output "begin rd"
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_err.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_preauth.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_priv.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_req.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_safe.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all rd_svc_key.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all realmofhost.c
-$ write sys$output "begin recv"
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all recvauth.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all save_creds.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all send_to_kdc.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all sendauth.c
-$ cc/decc/inc=inc /define=("HOST_BYTE_ORDER=1",NEED_TIME_H) /debug=all stime.c
-stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all tf_shm.c
-stat $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all tf_util.c
-MAXPATHLEN $ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all tkt_string.c
-$ cc/decc/inc=inc /define="HOST_BYTE_ORDER=1" /debug=all vmsswab.c
-$ library /create /list libkrb *.obj
-
diff --git a/src/lib/krb4/vmsswab.c b/src/lib/krb4/vmsswab.c
deleted file mode 100644
index 0195808..0000000
--- a/src/lib/krb4/vmsswab.c
+++ /dev/null
@@ -1,34 +0,0 @@
-/* Copyright 1994 Cygnus Support */
-/* Mark W. Eichin */
-/*
- * Permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation.
- * Cygnus Support makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/* VMS doesn't have swab, but everything else does */
-/* so make this available anyway ... someday it might go
- into the VMS makefile fragment, but for now it is only
- referenced by l.com. */
-
-swab(from,to,nbytes)
- char *from;
- char *to;
- int nbytes;
-{
- char tmp;
-
- while ( (nbytes-=2) >= 0 ) {
- tmp = from[1];
- to[1] = from[0];
- to[0] = tmp;
- to++; to++;
- from++; from++;
- }
-}
-
diff --git a/src/lib/krb4/win_glue.c b/src/lib/krb4/win_glue.c
deleted file mode 100644
index e9cb5db..0000000
--- a/src/lib/krb4/win_glue.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * win-glue.c
- *
- * Glue code for pasting Kerberos into the Windows environment.
- *
- * Originally written by John Gilmore, Cygnus Support, May '94.
- * Public Domain.
- */
-
-#include "krb.h"
-
-#include <sys/types.h>
-#include <stdio.h>
-#include <windows.h>
-
-
-/*
- * We needed a way to print out what might be FAR pointers on Windows,
- * but might be ordinary pointers on real machines. Printf modifiers
- * scattered through the code don't cut it,
- * since they might break on real machines. Microloss
- * didn't provide a function to print a char *, so we wrote one.
- * It gets #define'd to fputs on real machines.
- */
-int
-far_fputs(string, stream)
- char *string;
- FILE *stream;
-{
- return fprintf(stream, "%Fs", string);
-}
-
-int
-krb_start_session(x)
- char *x;
-{
- return KSUCCESS;
-}
-
-int
-krb_end_session(x)
- char *x;
-{
- return KSUCCESS;
-}
-
-void KRB5_CALLCONV
-krb_set_tkt_string(val)
-char *val;
-{
-}
diff --git a/src/lib/krb4/win_store.c b/src/lib/krb4/win_store.c
deleted file mode 100644
index 9c2c37a..0000000
--- a/src/lib/krb4/win_store.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
- * win_store.c
- *
- * Kerberos configuration storage management routines.
- *
- * Originally coded by John Rivlin / Fusion Software, Inc.
- *
- * This file incorporates replacements for the following Unix files:
- * g_cnffil.c
- */
-
-#include "krb.h"
-#include "k5-int.h"
-#include <stdio.h>
-#include <assert.h>
-
-krb5_context krb5__krb4_context = 0;
-
-char *
-krb__get_srvtabname(default_srvtabname)
- const char *default_srvtabname;
-{
- const char* names[3];
- char **full_name = 0, **cpp;
- krb5_error_code retval;
- char *retname;
-
- if (!krb5__krb4_context) {
- retval = krb5_init_context(&krb5__krb4_context);
- if (!retval)
- return NULL;
- }
- names[0] = "libdefaults";
- names[1] = "krb4_srvtab";
- names[2] = 0;
- retval = profile_get_values(krb5__krb4_context->profile, names,
- &full_name);
- if (retval == 0 && full_name && full_name[0]) {
- retname = strdup(full_name[0]);
- for (cpp = full_name; *cpp; cpp++)
- krb5_xfree(*cpp);
- krb5_xfree(full_name);
- } else {
- retname = strdup(default_srvtabname);
- }
- return retname;
-}
-
-/*
- * Returns an open file handle to the configuration file. This
- * file was called "krb.conf" on Unix. Here we search for the entry
- * "krb.conf=" in the "[FILES]" section of the "kerberos.ini" file
- * located in the Windows directory. If the entry doesn't exist in
- * the kerberos.ini file, then "krb.con" in the Windows directory is
- * used in its place.
- */
-FILE*
-krb__get_cnffile()
-{
- FILE *cnffile = 0;
- char cnfname[FILENAME_MAX];
- char defname[FILENAME_MAX];
- UINT rc;
-
- defname[sizeof(defname) - 1] = '\0';
- rc = GetWindowsDirectory(defname, sizeof(defname) - 1);
- assert(rc > 0);
-
- strncat(defname, "\\", sizeof(defname) - 1 - strlen(defname));
-
- strncat(defname, DEF_KRB_CONF, sizeof(defname) - 1 - strlen(defname));
-
- cnfname[sizeof(cnfname) - 1] = '\0';
- GetPrivateProfileString(INI_FILES, INI_KRB_CONF, defname,
- cnfname, sizeof(cnfname) - 1, KERBEROS_INI);
-
- cnffile = fopen(cnfname, "r");
- if (cnffile)
- set_cloexec_file(cnffile);
-
- return cnffile;
-}
-
-
-/*
- * Returns an open file handle to the realms file. This
- * file was called "krb.realms" on Unix. Here we search for the entry
- * "krb.realms=" in the "[FILES]" section of the "kerberos.ini" file
- * located in the Windows directory. If the entry doesn't exist in
- * the kerberos.ini file, then "krb.rea" in the Windows directory is
- * used in its place.
- */
-FILE*
-krb__get_realmsfile()
-{
- FILE *realmsfile = 0;
- char realmsname[FILENAME_MAX];
- char defname[FILENAME_MAX];
- UINT rc;
-
- defname[sizeof(defname) - 1] = '\0';
- rc = GetWindowsDirectory(defname, sizeof(defname) - 1);
- assert(rc > 0);
-
- strncat(defname, "\\", sizeof(defname) - 1 - strlen(defname));
-
- strncat(defname, DEF_KRB_REALMS, sizeof(defname) - 1 - strlen(defname));
-
- defname[sizeof(defname) - 1] = '\0';
- GetPrivateProfileString(INI_FILES, INI_KRB_REALMS, defname,
- realmsname, sizeof(realmsname) - 1, KERBEROS_INI);
-
- realmsfile = fopen(realmsname, "r");
- if (realmsfile)
- set_cloexec_file(realmsfile);
-
- return realmsfile;
-}
-
-
-/*
- * Returns the current default user. This information is stored in
- * the [DEFAULTS] section of the "kerberos.ini" file located in the
- * Windows directory.
- */
-char * KRB5_CALLCONV
-krb_get_default_user()
-{
- static char username[ANAME_SZ];
-
- GetPrivateProfileString(INI_DEFAULTS, INI_USER, "",
- username, sizeof(username), KERBEROS_INI);
-
- return username;
-}
-
-
-/*
- * Sets the default user name stored in the "kerberos.ini" file.
- */
-int KRB5_CALLCONV
-krb_set_default_user(username)
- char *username;
-{
- BOOL rc;
-
- rc = WritePrivateProfileString(INI_DEFAULTS, INI_USER,
- username, KERBEROS_INI);
-
- if (rc)
- return KSUCCESS;
- else
- return KFAILURE;
-}
diff --git a/src/lib/krb4/win_time.c b/src/lib/krb4/win_time.c
deleted file mode 100644
index 2560c31..0000000
--- a/src/lib/krb4/win_time.c
+++ /dev/null
@@ -1,121 +0,0 @@ -/* - * win_time.c - * - * Glue code for pasting Kerberos into the Windows environment. - * - * Originally written by John Gilmore, Cygnus Support, May '94. - * Public Domain. - */ - -#include "krb.h" - -#include <sys/types.h> -#include <time.h> -#include <sys/timeb.h> -#include <stdio.h> -#include <windows.h> -#include <dos.h> - -#ifdef _WIN32 - -unsigned KRB4_32 -win_time_gmt_unixsec (usecptr) - unsigned KRB4_32 *usecptr; -{ - struct _timeb timeptr; - - _ftime(&timeptr); /* Get the current time */ - - if (usecptr) - *usecptr = timeptr.millitm * 1000; - - return timeptr.time + CONVERT_TIME_EPOCH; -} - -#else - -/* - * Time handling. Translate Unix time calls into Kerberos internal - * procedure calls. See ../../include/c-win.h. - * - * Due to the fact that DOS time can be unreliable we have reverted - * to using the AT hardware clock and converting it to Unix time. - */ - -unsigned KRB4_32 -win_time_gmt_unixsec (usecptr) - unsigned KRB4_32 *usecptr; -{ - struct tm tm; - union _REGS inregs; - union _REGS outregs; - struct _timeb now; - time_t time; - - _ftime(&now); - - #if 0 - if (usecptr) - *usecptr = now.millitm * 1000; - #endif - - /* Get time from AT hardware clock INT 0x1A, AH=2 */ - memset(&inregs, 0, sizeof(inregs)); - inregs.h.ah = 2; - - _int86(0x1a, &inregs, &outregs); - - /* 0x13 = decimal 13, hence the decoding below */ - tm.tm_sec = 10 * ((outregs.h.dh & 0xF0) >> 4) + (outregs.h.dh & 0x0F); - tm.tm_min = 10 * ((outregs.h.cl & 0xF0) >> 4) + (outregs.h.cl & 0x0F); - tm.tm_hour = 10 * ((outregs.h.ch & 0xF0) >> 4) + (outregs.h.ch & 0x0F); - - /* Get date from AT hardware clock INT 0x1A, AH=4 */ - memset(&inregs, 0, sizeof(inregs)); - inregs.h.ah = 4; - - _int86(0x1a, &inregs, &outregs); - - tm.tm_mday = 10 * ((outregs.h.dl & 0xF0) >> 4) + (outregs.h.dl & 0x0F); - tm.tm_mon = 10 * ((outregs.h.dh & 0xF0) >> 4) + (outregs.h.dh & 0x0F) - 1; - tm.tm_year = 10 * ((outregs.h.cl & 0xF0) >> 4) + (outregs.h.cl & 0x0F); - tm.tm_year += 100 * ((10 * 
(outregs.h.ch & 0xF0) >> 4) - + (outregs.h.ch & 0x0F) - 19); - - tm.tm_wday = 0; - tm.tm_yday = 0; - tm.tm_isdst = now.dstflag; - - time = mktime(&tm); - - if (usecptr) - *usecptr = 0; - - return time + CONVERT_TIME_EPOCH; -} - -#endif - -/* - * This routine figures out the current time epoch and returns the - * conversion factor. It exists because - * Microloss screwed the pooch on the time() and _ftime() calls in - * its release 7.0 libraries. They changed the epoch to Dec 31, 1899! - * Idiots... We try to cope. - */ - -static struct tm jan_1_70 = {0, 0, 0, 1, 0, 70}; -static long epoch = 0; -static int epoch_set = 0; - -long -win_time_get_epoch() -{ - - if (!epoch_set) { - epoch = - mktime (&jan_1_70); /* Seconds til 1970 localtime */ - epoch += timezone; /* Seconds til 1970 GMT */ - epoch_set = 1; - } - return epoch; -} diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c index 9e31161..8627922 100644 --- a/src/lib/krb5/krb/t_kerb.c +++ b/src/lib/krb5/krb/t_kerb.c @@ -5,9 +5,6 @@ #include "krb5.h" #include "autoconf.h" -#ifdef KRB5_KRB4_COMPAT -#include "kerberosIV/krb.h" -#endif #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -68,11 +65,9 @@ void test_524_conv_principal(krb5_context ctx, char *name) { krb5_principal princ = 0; krb5_error_code retval; -#ifndef KRB5_KRB4_COMPAT #define ANAME_SZ 40 #define INST_SZ 40 #define REALM_SZ 40 -#endif char aname[ANAME_SZ+1], inst[INST_SZ+1], realm[REALM_SZ+1]; aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0; |