author | Hans Insulander <hin@cvs.openbsd.org> | 2000-02-25 15:15:11 +0000 |
---|---|---|
committer | Hans Insulander <hin@cvs.openbsd.org> | 2000-02-25 15:15:11 +0000 |
commit | 85dd2d09f1fceff777e46c8a197ee6848658dfff (patch) | |
tree | e0fa1602a0cb31086c91e8a3bfdeffce58504b71 | |
parent | c64c2283aca15272a000c7aec3e50464c9f63a59 (diff) |
Remove old KerberosIV code. (art@ ok)
234 files changed, 0 insertions, 34774 deletions
diff --git a/kerberosIV/Makefile b/kerberosIV/Makefile
deleted file mode 100644
index 3580da09d17..00000000000
--- a/kerberosIV/Makefile
+++ /dev/null
@@ -1,35 +0,0 @@
-# $OpenBSD: Makefile,v 1.26 1999/03/09 00:01:42 niklas Exp $
-# from @(#)Makefile 5.1 (Berkeley) 6/25/90
-
-SUBDIR=
-
-.ifmake includes
-SUBDIR+=include
-.endif
-
-SUBDIR+=acl krb kadm kafs kdb
-
-SUBDIR+=ext_srvtab kadmin kadmind kdb_destroy kdb_init kdb_edit \
- kdb_util kdestroy kerberos kinit klist kprop kpropd ksrvtgt \
- ksrvutil kstash kauth kauthd
-
-SUBDIR+=man doc
-
-LIBDIRS=acl krb kadm kafs kdb
-
-.include <bsd.own.mk> # for AFS
-
-.if (${AFS} == "yes")
-SUBDIR+=afslog
-.endif
-
-build:
- ${MAKE} cleandir
- ${MAKE} depend
- ${SUDO} ${MAKE} includes
- for dir in ${LIBDIRS}; do \
- (cd ${.CURDIR}/$$dir && ${MAKE} && ${SUDO} ${MAKE} install) \
- done
-
-.include <bsd.dep.mk>
-.include <bsd.subdir.mk>
diff --git a/kerberosIV/Makefile.inc b/kerberosIV/Makefile.inc
deleted file mode 100644
index 5ab96a40539..00000000000
--- a/kerberosIV/Makefile.inc
+++ /dev/null
@@ -1,16 +0,0 @@
-# $OpenBSD: Makefile.inc,v 1.7 1996/11/15 09:21:25 downsj Exp $
-
-CFLAGS+=-I${.CURDIR}/../include
-BINDIR?=/usr/sbin
-
-.if defined(OBJMACHINE)
-__objdir= obj.${MACHINE}
-.else
-__objdir= obj
-.endif
-
-.if (${MACHINE_ARCH} != "mips")
-COM_ERR= -lcom_err_pic
-.else
-COM_ERR= -lcom_err
-.endif
diff --git a/kerberosIV/acl/Makefile b/kerberosIV/acl/Makefile
deleted file mode 100644
index b54ee8acb4e..00000000000
--- a/kerberosIV/acl/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $Id: Makefile,v 1.1 1995/12/14 06:52:36 tholo Exp $
-
-LIB= acl
-SRCS= acl_files.c
-MAN= acl_check.3
-MLINKS+=acl_check.3 acl_canonicalize_principal.3 \
- acl_check.3 acl_exact_match.3 \
- acl_check.3 acl_add.3 acl_check.3 acl_delete.3 \
- acl_check.3 acl_initialize.3
-
-.include <bsd.lib.mk>
diff --git a/kerberosIV/acl/acl_check.3 b/kerberosIV/acl/acl_check.3
deleted file mode 100644
index 617391c4b61..00000000000
--- a/kerberosIV/acl/acl_check.3
+++ /dev/null
@@ -1,205 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. 
-.\" -.\" $OpenBSD: acl_check.3,v 1.4 1998/02/25 15:50:28 art Exp $ -.TH ACL_CHECK 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -acl_canonicalize_principal, acl_check, acl_exact_match, acl_add, -acl_delete, acl_initialize \- Access control list routines -.SH SYNOPSIS -.nf -.nj -.ft B -cc <files> \-lacl \-lkrb -.PP -.ft B -#include <kerberosIV/krb.h> -.PP -.ft B -acl_canonicalize_principal(principal, buf) -char *principal; -char *buf; -.PP -.ft B -acl_check(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_exact_match(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_add(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_delete(acl, principal) -char *acl; -char *principal; -.PP -.ft B -acl_initialize(acl_file, mode) -char *acl_file; -int mode; -.fi -.ft R -.SH DESCRIPTION -.SS Introduction -.PP -An access control list (ACL) is a list of principals, where each -principal is represented by a text string which cannot contain -whitespace. The library allows application programs to refer to named -access control lists to test membership and to atomically add and -delete principals using a natural and intuitive interface. At -present, the names of access control lists are required to be Unix -filenames, and refer to human-readable Unix files; in the future, when -a networked ACL server is implemented, the names may refer to a -different namespace specific to the ACL service. -.PP -.SS Principal Names -.PP -Principal names have the form -.nf -.in +5n -<name>[.<instance>][@<realm>] -.in -5n -e.g.: -.in +5n -asp -asp.root -asp@ATHENA.MIT.EDU -asp.@ATHENA.MIT.EDU -asp.root@ATHENA.MIT.EDU -.in -5n -.fi -It is possible for principals to be underspecified. If an instance is -missing, it is assumed to be "". If realm is missing, it is assumed -to be the local realm as determined by -.IR krb_get_lrealm (3). 
-The canonical form contains all of name, instance, -and realm; the acl_add and acl_delete routines will always -leave the file in that form. Note that the canonical form of -asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU. -.SS Routines -.PP -.I acl_canonicalize_principal -stores the canonical form of -.I principal -in -.IR buf . -.I Buf -must contain enough -space to store a principal, given the limits on the sizes of name, -instance, and realm specified as ANAME_SZ, INST_SZ, and REALM_SZ, -respectively, in -.IR /usr/include/kerberosIV/kerberosIV/krb.h . -.PP -.I acl_check -returns nonzero if -.I principal -appears in -.IR acl . -Returns 0 if principal -does not appear in acl, or if an error occurs. Canonicalizes -principal before checking, and allows the ACL to contain wildcards. The -only supported wildcards are entries of the form -name.*@realm, *.*@realm, and *.*@*. An asterisk matches any value for the -its component field. For example, "jtkohl.*@*" would match principal -jtkohl, with any instance and any realm. -.PP -.I acl_exact_match -performs like -.IR acl_check , -but does no canonicalization or wildcard matching. -.PP -.I acl_add -atomically adds -.I principal -to -.IR acl . -Returns 0 if successful, nonzero otherwise. It is considered a failure -if -.I principal -is already in -.IR acl . -This routine will canonicalize -.IR principal , -but will treat wildcards literally. -.PP -.I acl_delete -atomically deletes -.I principal -from -.IR acl . -Returns 0 if successful, -nonzero otherwise. It is considered a failure if -.I principal -is not -already in -.IR acl . -This routine will canonicalize -.IR principal , -but will treat wildcards literally. -.PP -.I acl_initialize -initializes -.IR acl_file . -If the file -.I acl_file -does not exist, -.I acl_initialize -creates it with mode -.IR mode . -If the file -.I acl_file -exists, -.I acl_initialize -removes all members. Returns 0 if successful, -nonzero otherwise. 
WARNING: Mode argument is likely to change with
-the eventual introduction of an ACL service.
-.SH NOTES
-In the presence of concurrency, there is a very small chance that
-.I acl_add
-or
-.I acl_delete
-could report success even though it would have
-had no effect. This is a necessary side effect of using lock files
-for concurrency control rather than flock(2), which is not supported
-by NFS.
-.PP
-The current implementation caches ACLs in memory in a hash-table
-format for increased efficiency in checking membership; one effect of
-the caching scheme is that one file descriptor will be kept open for
-each ACL cached, up to a maximum of 8.
-.SH SEE ALSO
-kerberos(3), krb_get_lrealm(3)
-.SH AUTHOR
-James Aspnes (MIT Project Athena)
diff --git a/kerberosIV/acl/acl_files.c b/kerberosIV/acl/acl_files.c
deleted file mode 100644
index 21252e0975e..00000000000
--- a/kerberosIV/acl/acl_files.c
+++ /dev/null
@@ -1,551 +0,0 @@ -/* $OpenBSD: acl_files.c,v 1.8 1998/02/25 15:50:30 art Exp $ */ -/* $KTH: acl_files.c,v 1.10 1997/05/02 14:28:56 assar Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- * - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include <unistd.h> -#include <sys/types.h> -#include <time.h> -#include <fcntl.h> -#include <sys/file.h> -#include <sys/stat.h> - -#include <errno.h> -#include <ctype.h> - -#include <kerberosIV/krb.h> -#include <kerberosIV/acl.h> - -#define min(a,b) (a < b ? a : b) - -/*** Routines for manipulating access control list files ***/ - -/* "aname.inst@realm" */ -#define MAX_PRINCIPAL_SIZE (ANAME_SZ + INST_SZ + REALM_SZ + 3) -#define INST_SEP '.' -#define REALM_SEP '@' - -#define LINESIZE 2048 /* Maximum line length in an acl file */ - -#define NEW_FILE "%s.~NEWACL~" /* Format for name of altered acl file */ -#define WAIT_TIME 300 /* Maximum time allowed write acl file */ - -#define CACHED_ACLS 8 /* How many acls to cache */ - /* Each acl costs 1 open file descriptor */ -#define ACL_LEN 16 /* Twice a reasonable acl length */ - -#define COR(a,b) ((a!=NULL)?(a):(b)) - -/* Canonicalize a principal name */ -/* If instance is missing, it becomes "" */ -/* If realm is missing, it becomes the local realm */ -/* Canonicalized form is put in canon, which must be big enough to hold - MAX_PRINCIPAL_SIZE characters */ -void -acl_canonicalize_principal(char *principal, char *canon) -{ - char *dot, *atsign, *end; - char *orgcanon = canon; - int len; - - dot = strchr(principal, INST_SEP); - atsign = strchr(principal, REALM_SEP); - - /* Maybe we're done already */ - if(dot != NULL && atsign != NULL) { - if(dot < atsign) { - /* It's for real */ - /* Copy into canon */ - strncpy(canon, principal, MAX_PRINCIPAL_SIZE); - orgcanon[MAX_PRINCIPAL_SIZE - 1] = '\0'; - return; - } else { - /* Nope, it's part of the realm */ - dot = NULL; - } - } - - /* No such luck */ - end = principal + strlen(principal); - - /* Get the principal name */ - len = min(ANAME_SZ, COR(dot, COR(atsign, end)) - principal); - strncpy(canon, principal, len); - canon += len; - - /* Add INST_SEP */ - *canon++ = INST_SEP; - - /* Get the instance, 
if it exists */ - if(dot != NULL) { - ++dot; - len = min(INST_SZ, COR(atsign, end) - dot); - strncpy(canon, dot, len); - canon += len; - } - - /* Add REALM_SEP */ - *canon++ = REALM_SEP; - - /* Get the realm, if it exists */ - /* Otherwise, default to local realm */ - if(atsign != NULL) { - ++atsign; - len = min(REALM_SZ, end - atsign); - strncpy(canon, atsign, len); - canon += len; - *canon++ = '\0'; - } else if(krb_get_lrealm(canon, 1) != KSUCCESS) { - strncpy(canon, KRB_REALM, MAX_PRINCIPAL_SIZE - (canon - orgcanon)); - } - orgcanon[MAX_PRINCIPAL_SIZE - 1] = '\0'; -} - -/* Get a lock to modify acl_file */ -/* Return new FILE pointer */ -/* or NULL if file cannot be modified */ -/* REQUIRES WRITE PERMISSION TO CONTAINING DIRECTORY */ -static -FILE *acl_lock_file(char *acl_file) -{ - struct stat s; - char new[LINESIZE]; - int nfd; - FILE *nf; - int mode; - - if(stat(acl_file, &s) < 0) return(NULL); - mode = s.st_mode; - snprintf(new, sizeof(new), NEW_FILE, acl_file); - for(;;) { - /* Open the new file */ - if((nfd = open(new, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0) { - if(errno == EEXIST) { - /* Maybe somebody got here already, maybe it's just old */ - if(stat(new, &s) < 0) return(NULL); - if(time(0) - s.st_ctime > WAIT_TIME) { - /* File is stale, kill it */ - unlink(new); - continue; - } else { - /* Wait and try again */ - sleep(1); - continue; - } - } else { - /* Some other error, we lose */ - return(NULL); - } - } - - /* If we got to here, the lock file is ours and ok */ - /* Reopen it under stdio */ - if((nf = fdopen(nfd, "w")) == NULL) { - /* Oops, clean up */ - unlink(new); - } - return(nf); - } -} - -/* Abort changes to acl_file written onto FILE *f */ -/* Returns 0 if successful, < 0 otherwise */ -/* Closes f */ -static int -acl_abort(char *acl_file, FILE *f) -{ - char new[LINESIZE]; - int ret; - struct stat s; - - /* make sure we aren't nuking someone else's file */ - if(fstat(fileno(f), &s) < 0 - || s.st_nlink == 0) { - fclose(f); - return(-1); - } else { - 
snprintf(new, sizeof(new), NEW_FILE, acl_file); - ret = unlink(new); - fclose(f); - return(ret); - } -} - -/* Commit changes to acl_file written onto FILE *f */ -/* Returns zero if successful */ -/* Returns > 0 if lock was broken */ -/* Returns < 0 if some other error occurs */ -/* Closes f */ -static int -acl_commit(char *acl_file, FILE *f) -{ - char new[LINESIZE]; - int ret; - struct stat s; - - snprintf(new, sizeof(new), NEW_FILE, acl_file); - if(fflush(f) < 0 - || fstat(fileno(f), &s) < 0 - || s.st_nlink == 0) { - acl_abort(acl_file, f); - return(-1); - } - - ret = rename(new, acl_file); - fclose(f); - return(ret); -} - -/* Initialize an acl_file */ -/* Creates the file with permissions perm if it does not exist */ -/* Erases it if it does */ -/* Returns return value of acl_commit */ -int -acl_initialize(char *acl_file, int perm) -{ - FILE *new; - int fd; - - /* Check if the file exists already */ - if((new = acl_lock_file(acl_file)) != NULL) { - return(acl_commit(acl_file, new)); - } else { - /* File must be readable and writable by owner */ - if((fd = open(acl_file, O_CREAT|O_EXCL, perm|0600)) < 0) { - return(-1); - } else { - close(fd); - return(0); - } - } -} - -/* Eliminate all whitespace character in buf */ -/* Modifies its argument */ -static void - nuke_whitespace(char *buf) -{ - char *pin, *pout; - - for(pin = pout = buf; *pin != '\0'; pin++) - if(!isspace(*pin)) *pout++ = *pin; - *pout = '\0'; /* Terminate the string */ -} - -/* Hash table stuff */ - -struct hashtbl { - int size; /* Max number of entries */ - int entries; /* Actual number of entries */ - char **tbl; /* Pointer to start of table */ -}; - -/* Make an empty hash table of size s */ -static struct hashtbl * -make_hash(int size) -{ - struct hashtbl *h; - - if(size < 1) size = 1; - h = (struct hashtbl *) malloc(sizeof(struct hashtbl)); - h->size = size; - h->entries = 0; - h->tbl = (char **) calloc(size, sizeof(char *)); - return(h); -} - -/* Destroy a hash table */ -static void 
-destroy_hash(struct hashtbl *h) -{ - int i; - - for(i = 0; i < h->size; i++) { - if(h->tbl[i] != NULL) { - free(h->tbl[i]); - h->tbl[i] = NULL; - } - } - free(h->tbl); - h->tbl = NULL; - free(h); - h = NULL; -} - -/* Compute hash value for a string */ -static unsigned int -hashval(char *s) -{ - unsigned hv; - - for(hv = 0; *s != '\0'; s++) { - hv ^= ((hv << 3) ^ *s); - } - return(hv); -} - -/* Add an element to a hash table */ -static void -add_hash(struct hashtbl *h, char *el) -{ - unsigned hv; - char *s; - char **old; - int i; - - /* Make space if it isn't there already */ - if(h->entries + 1 > (h->size >> 1)) { - old = h->tbl; - h->tbl = (char **) calloc(h->size << 1, sizeof(char *)); - for(i = 0; i < h->size; i++) { - if(old[i] != NULL) { - hv = hashval(old[i]) % (h->size << 1); - while(h->tbl[hv] != NULL) hv = (hv+1) % (h->size << 1); - h->tbl[hv] = old[i]; - } - } - h->size = h->size << 1; - free(old); - old = NULL; - } - - hv = hashval(el) % h->size; - while(h->tbl[hv] != NULL && strcmp(h->tbl[hv], el)) hv = (hv+1) % h->size; - s = strdup(el); - if (s != NULL) { - h->tbl[hv] = s; - h->entries++; - } -} - -/* Returns nonzero if el is in h */ -static int -check_hash(struct hashtbl *h, char *el) -{ - unsigned hv; - - for(hv = hashval(el) % h->size; - h->tbl[hv] != NULL; - hv = (hv + 1) % h->size) { - if(!strcmp(h->tbl[hv], el)) return(1); - } - return(0); -} - -struct acl { - char filename[LINESIZE]; /* Name of acl file */ - int fd; /* File descriptor for acl file */ - struct stat status; /* File status at last read */ - struct hashtbl *acl; /* Acl entries */ -}; - -static struct acl acl_cache[CACHED_ACLS]; - -static int acl_cache_count = 0; -static int acl_cache_next = 0; - -/* Returns < 0 if unsuccessful in loading acl */ -/* Returns index into acl_cache otherwise */ -/* Note that if acl is already loaded, this is just a lookup */ -static int -acl_load(char *name) -{ - int i; - FILE *f; - struct stat s; - char buf[MAX_PRINCIPAL_SIZE]; - char 
canon[MAX_PRINCIPAL_SIZE]; - - /* See if it's there already */ - for(i = 0; i < acl_cache_count; i++) { - if(!strcmp(acl_cache[i].filename, name) - && acl_cache[i].fd >= 0) goto got_it; - } - - /* It isn't, load it in */ - /* maybe there's still room */ - if(acl_cache_count < CACHED_ACLS) { - i = acl_cache_count++; - } else { - /* No room, clean one out */ - i = acl_cache_next; - acl_cache_next = (acl_cache_next + 1) % CACHED_ACLS; - close(acl_cache[i].fd); - if(acl_cache[i].acl) { - destroy_hash(acl_cache[i].acl); - acl_cache[i].acl = (struct hashtbl *) 0; - } - } - - /* Set up the acl */ - strncpy(acl_cache[i].filename, name, LINESIZE); - acl_cache[i].filename[LINESIZE - 1] = '\0'; - if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1); - /* Force reload */ - acl_cache[i].acl = (struct hashtbl *) 0; - - got_it: - /* - * See if the stat matches - * - * Use stat(), not fstat(), as the file may have been re-created by - * acl_add or acl_delete. If this happens, the old inode will have - * no changes in the mod-time and the following test will fail. 
- */ - if(stat(acl_cache[i].filename, &s) < 0) return(-1); - if(acl_cache[i].acl == (struct hashtbl *) 0 - || s.st_nlink != acl_cache[i].status.st_nlink - || s.st_mtime != acl_cache[i].status.st_mtime - || s.st_ctime != acl_cache[i].status.st_ctime) { - /* Gotta reload */ - if(acl_cache[i].fd >= 0) close(acl_cache[i].fd); - if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1); - if((f = fdopen(acl_cache[i].fd, "r")) == NULL) return(-1); - if(acl_cache[i].acl) destroy_hash(acl_cache[i].acl); - acl_cache[i].acl = make_hash(ACL_LEN); - while(fgets(buf, sizeof(buf), f) != NULL) { - nuke_whitespace(buf); - acl_canonicalize_principal(buf, canon); - add_hash(acl_cache[i].acl, canon); - } - fclose(f); - acl_cache[i].status = s; - } - return(i); -} - -/* Returns nonzero if it can be determined that acl contains principal */ -/* Principal is not canonicalized, and no wildcarding is done */ -int -acl_exact_match(char *acl, char *principal) -{ - int idx; - - return((idx = acl_load(acl)) >= 0 - && check_hash(acl_cache[idx].acl, principal)); -} - -/* Returns nonzero if it can be determined that acl contains principal */ -/* Recognizes wildcards in acl of the form - name.*@realm, *.*@realm, and *.*@* */ -int -acl_check(char *acl, char *principal) -{ - char buf[MAX_PRINCIPAL_SIZE]; - char canon[MAX_PRINCIPAL_SIZE]; - char *realm; - - acl_canonicalize_principal(principal, canon); - - /* Is it there? 
*/ - if(acl_exact_match(acl, canon)) return(1); - - /* Try the wildcards */ - realm = strchr(canon, REALM_SEP); - *strchr(canon, INST_SEP) = '\0'; /* Chuck the instance */ - - snprintf(buf, sizeof(buf), "%s.*%s", canon, realm); - if(acl_exact_match(acl, buf)) return(1); - - snprintf(buf, sizeof(buf), "*.*%s", realm); - if(acl_exact_match(acl, buf) || acl_exact_match(acl, "*.*@*")) return(1); - - return(0); -} - -/* Adds principal to acl */ -/* Wildcards are interpreted literally */ -int -acl_add(char *acl, char *principal) -{ - int idx; - int i; - FILE *new; - char canon[MAX_PRINCIPAL_SIZE]; - - acl_canonicalize_principal(principal, canon); - - if((new = acl_lock_file(acl)) == NULL) return(-1); - if((acl_exact_match(acl, canon)) - || (idx = acl_load(acl)) < 0) { - acl_abort(acl, new); - return(-1); - } - /* It isn't there yet, copy the file and put it in */ - for(i = 0; i < acl_cache[idx].acl->size; i++) { - if(acl_cache[idx].acl->tbl[i] != NULL) { - if(fputs(acl_cache[idx].acl->tbl[i], new) == EOF - || putc('\n', new) != '\n') { - acl_abort(acl, new); - return(-1); - } - } - } - fputs(canon, new); - putc('\n', new); - return(acl_commit(acl, new)); -} - -/* Removes principal from acl */ -/* Wildcards are interpreted literally */ -int -acl_delete(char *acl, char *principal) -{ - int idx; - int i; - FILE *new; - char canon[MAX_PRINCIPAL_SIZE]; - - acl_canonicalize_principal(principal, canon); - - if((new = acl_lock_file(acl)) == NULL) return(-1); - if((!acl_exact_match(acl, canon)) - || (idx = acl_load(acl)) < 0) { - acl_abort(acl, new); - return(-1); - } - /* It isn't there yet, copy the file and put it in */ - for(i = 0; i < acl_cache[idx].acl->size; i++) { - if(acl_cache[idx].acl->tbl[i] != NULL - && strcmp(acl_cache[idx].acl->tbl[i], canon)) { - fputs(acl_cache[idx].acl->tbl[i], new); - putc('\n', new); - } - } - return(acl_commit(acl, new)); -} 
diff --git a/kerberosIV/acl/shlib_version b/kerberosIV/acl/shlib_version
deleted file mode 100644
index 890c57389b5..00000000000
--- a/kerberosIV/acl/shlib_version
+++ /dev/null
@@ -1,2 +0,0 @@
-major=4
-minor=1
diff --git a/kerberosIV/afslog/Makefile b/kerberosIV/afslog/Makefile
deleted file mode 100644
index 01bbd7c6fd5..00000000000
--- a/kerberosIV/afslog/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# from @(#)Makefile 8.1 (Berkeley) 6/1/93
-# $Id: Makefile,v 1.2 1998/09/19 02:42:18 rahnds Exp $
-
-PROG= afslog
-DPADD= ${LIBKRB} ${LIBDES} ${LIBKAFS}
-LDADD= -lkafs -lkrb -ldes
-BINDIR= /usr/bin
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/afslog/afslog.1 b/kerberosIV/afslog/afslog.1
deleted file mode 100644
index 146f6179c02..00000000000
--- a/kerberosIV/afslog/afslog.1
+++ /dev/null
@@ -1,70 +0,0 @@ -.\" $OpenBSD: afslog.1,v 1.4 1999/07/09 13:35:58 aaron Exp $ -.\" $KTH: afslog.1,v 1.2 1996/11/28 13:44:40 assar Exp $ -.\" -.Dd April 27, 1996 -.Dt AFSLOG 1 -.Os -.Sh NAME -.Nm afslog -.Nd -obtains AFS tokens for specified cells -.Sh SYNOPSIS -.Nm afslog -.Op Fl d -.Op Fl c Ar cell -.Op Fl k Ar realm -.Op Fl p Pa path -.Op Fl unlog -.Op Fl createuser -.Op Ar args -.Sh DESCRIPTION -The -.Nm -command obtains AFS tokens, -.Ar args -are either a name of a cell or a pathnames of a file in the cell to -get tokens for. If an argument is -.Li . -or -.Li .. -or contains a slash it is assumed to be a pathname. Otherwise it is -assumed to be a name of a cell or a prefix thereof. -.Pp -The -.Fl c -and -.Fl p -flags can be used to resolve ambiguities. -.Pp -.Nm -might fail to guess the Kerberos realm to get tickets for (for -instance if the volume location servers of the cell does not reside in -the kerberos realm that holds the AFS service key, and the correct -realm isn't the same as the cell name or the local realm (I didn't say -this was a common problem)). Anyway, the -.Fl k -can be used to give a hint. It should not be used unless there is a -problem, since all tickets will be taken from the specified realm and -this is not (usually) what you want. -.Pp -.Fl createuser -means that -.Nm -should try to run -.Nm pts -to create a remote user principal in another cell. -.Fl d -can be used for debugging. -.Pp -If the -.Fl unlog -flag is given any tokens are removed and all other arguments are ignored. -.Sh BUGS -It should be able to handle the MIT Athena -.Nm aklog -flags -.Fl hosts , -.Fl zsubs , -and -.Fl noprdb , -but does not. diff --git a/kerberosIV/afslog/afslog.c b/kerberosIV/afslog/afslog.c deleted file mode 100644 index edf1d4ff7c1..00000000000 --- a/kerberosIV/afslog/afslog.c +++ /dev/null 
@@ -1,226 +0,0 @@ -/* $OpenBSD: afslog.c,v 1.1 1998/03/12 14:36:17 art Exp $ */ -/* $KTH: aklog.c,v 1.20 1997/12/09 10:36:25 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <stdarg.h> -#include <string.h> -#include <unistd.h> -#include <fcntl.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/ioccom.h> -#include <pwd.h> -#include <err.h> -#include <kerberosIV/krb.h> -#include <kerberosIV/kafs.h> - -static int debug = 0; - -static void -DEBUG(const char *, ...) -#ifdef __GNUC__ -__attribute__ ((format (printf, 1, 2))) -#endif -; - -static void -DEBUG(const char *fmt, ...) 
-{ - va_list ap; - if (debug) { - va_start(ap, fmt); - vwarnx(fmt, ap); - va_end(ap); - } -} - -static char * -expand_cell_name(char *cell) -{ - FILE *f; - static char buf[128]; - char *p; - - f = fopen(_PATH_CELLSERVDB, "r"); - if(f == NULL) - return cell; - while(fgets(buf, sizeof(buf), f) != NULL) { - if(buf[0] == '>') { - for(p=buf; *p && *p != ' ' && *p != '\t' && *p != '\n'; p++); - *p = '\0'; - if(strstr(buf, cell)){ - fclose(f); - return buf + 1; - } - } - buf[0] = 0; - } - fclose(f); - return cell; -} - -char * -strlwr(char *str) -{ - char *s; - - for(s = str; *s; s++) - *s = tolower(*s); - return str; -} - -static int -createuser (char *cell) -{ - char cellbuf[64]; - char name[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - char cmd[1024]; - - if (cell == NULL) { - FILE *f; - int len; - - f = fopen (_PATH_THISCELL, "r"); - if (f == NULL) - err (1, "open(%s)", _PATH_THISCELL); - if (fgets (cellbuf, sizeof(cellbuf), f) == NULL) - err (1, "read cellname from %s", _PATH_THISCELL); - len = strlen(cellbuf); - if (cellbuf[len-1] == '\n') - cellbuf[len-1] = '\0'; - cell = cellbuf; - } - - if(krb_get_default_principal(name, instance, realm)) - errx (1, "Could not even figure out who you are"); - - snprintf (cmd, sizeof(cmd), - "pts createuser %s%s%s@%s -cell %s", - name, *instance ? "." 
: "", instance, strlwr(realm), - cell); - DEBUG("Executing %s", cmd); - return system(cmd); -} - -int -main(int argc, char **argv) -{ - int i; - int do_aklog = -1; - int do_createuser = -1; - char *cell = NULL; - char *realm = NULL; - char cellbuf[64]; - - if(!k_hasafs()) - exit(1); - - for(i = 1; i < argc; i++){ - if(!strncmp(argv[i], "-createuser", 11)){ - do_createuser = do_aklog = 1; - - }else if(!strncmp(argv[i], "-c", 2) && i + 1 < argc){ - cell = expand_cell_name(argv[++i]); - do_aklog = 1; - - }else if(!strncmp(argv[i], "-k", 2) && i + 1 < argc){ - realm = argv[++i]; - - }else if(!strncmp(argv[i], "-p", 2) && i + 1 < argc){ - if(k_afs_cell_of_file(argv[++i], cellbuf, sizeof(cellbuf))) - errx (1, "No cell found for file \"%s\".", argv[i]); - else - cell = cellbuf; - do_aklog = 1; - - }else if(!strncmp(argv[i], "-unlog", 6)){ - exit(k_unlog()); - - }else if(!strncmp(argv[i], "-hosts", 6)){ - warnx ("Argument -hosts is not implemented."); - - }else if(!strncmp(argv[i], "-zsubs", 6)){ - warnx("Argument -zsubs is not implemented."); - - }else if(!strncmp(argv[i], "-noprdb", 6)){ - warnx("Argument -noprdb is not implemented."); - - }else if(!strncmp(argv[i], "-d", 6)){ - debug = 1; - - }else{ - if(!strcmp(argv[i], ".") || - !strcmp(argv[i], "..") || - strchr(argv[i], '/')){ - DEBUG("I guess that \"%s\" is a filename.", argv[i]); - if(k_afs_cell_of_file(argv[i], cellbuf, sizeof(cellbuf))) - errx (1, "No cell found for file \"%s\".", argv[i]); - else { - cell = cellbuf; - DEBUG("The file \"%s\" lives in cell \"%s\".", argv[i], cell); - } - }else{ - cell = expand_cell_name(argv[i]); - DEBUG("I guess that %s is cell %s.", argv[i], cell); - } - do_aklog = 1; - } - if(do_aklog == 1){ - do_aklog = 0; - if(krb_afslog(cell, realm)) - errx (1, "Failed getting tokens for cell %s in realm %s.", - cell?cell:"(local cell)", realm?realm:"(local realm)"); - } - if(do_createuser == 1) { - do_createuser = 0; - if(createuser(cell)) - errx (1, "Failed creating user in cell %s", 
cell?cell:"(local cell)");
- }
- }
- if(do_aklog == -1 && do_createuser == -1 && krb_afslog(0, realm))
- errx (1, "Failed getting tokens for cell %s in realm %s.",
- cell?cell:"(local cell)", realm?realm:"(local realm)");
- return 0;
-}
diff --git a/kerberosIV/doc/Makefile b/kerberosIV/doc/Makefile
deleted file mode 100644
index 2a67bb3dac3..00000000000
--- a/kerberosIV/doc/Makefile
+++ /dev/null
@@ -1,42 +0,0 @@
-# $Id: Makefile,v 1.2 1998/03/12 14:22:49 art Exp $
-
-SHELL = /bin/sh
-
-MAKEINFO = /usr/bin/makeinfo
-INSTALL-INFO = /usr/bin/install-info
-
-infodir = ${DESTDIR}/usr/share/info
-
-INSTALL = /usr/bin/install
-
-info = kth-krb.info
-
-SRCS = ack.texi \
- index.texi \
- intro.texi \
- kth-krb.texi \
- otp.texi \
- problems.texi \
- setup.texi \
- whatis.texi
-
-
-all: $(info)
-
-install: $(info)
- $(INSTALL-INFO) ${.OBJDIR}/$(info) $(infodir)/dir
- ${INSTALL} ${INSTALL_COPY} -m 444 -o ${BINOWN} -g ${BINGRP} -p ${.OBJDIR}/$(info) $(infodir)
-
-$(info): $(SRCS)
- ${MAKEINFO} -I${.CURDIR} -o ${.OBJDIR}/$@ ${.CURDIR}/kth-krb.texi
-
-clean:
- (cd ${.OBJDIR} ; rm -f *.aux *.cp *.cps *.dvi *.fn *.ky *.log *.pg *.toc *.tp *.vr *.info)
-
-cleandir: clean
-
-
-.PHONY: install all clean cleandir
-
-.include <bsd.obj.mk>
-.include <bsd.subdir.mk>
diff --git a/kerberosIV/doc/ack.texi b/kerberosIV/doc/ack.texi
deleted file mode 100644
index 388f6444bb8..00000000000
--- a/kerberosIV/doc/ack.texi
+++ /dev/null
@@ -1,80 +0,0 @@ -@node Acknowledgments, Index, Resolving frequent problems, Top -@comment node-name, next, previous, up -@appendix Acknowledgments - -People from the MIT Athena project wrote the original code that this is -based on. @w{Kerberos 4} @w{patch-level 9} was stripped of both the -encryption functions and the calls to them. This was exported from the -US as the ``Bones'' release. Eric Young put back the calls and hooked -in his libdes, thereby creating the ``eBones'' release. -@cindex Bones -@cindex eBones - -The ``rcmd'' programs where initially developed at the University of -California at Berkeley and then hacked on by the FreeBSD and NetBSD -projects. - -Berkeley also wrote @code{ftp}, @code{ftpd}, @code{telnet}, and -@code{telnetd}. The authentication and encryption code of @code{telnet} -and @code{telnetd} was added by David Borman (then of Cray Research, -Inc). The encryption code was removed when this was exported and then -added back by Juha Eskelinen, @code{<esc@@magic.fi>}. - -The @code{popper} was also a Berkeley program initially. - -The @code{login} has the same origins but has received code written by -Wietse Venema at Eindhoven University of Technology, The Netherlands. - -@code{movemail} was (at least partially) written by Jonathan Kamens, -@code{<jik@@security.ov.com>}, and is Copyright @copyright{} 1986, 1991, -1992, 1993, 1994 Free Software Foundation, Inc. - -@code{xnlock} was originally written by Dan Heller in 1985 for sunview. -The X version was written by him in 1990. - -Some of the functions in @file{libroken} also come from Berkeley by the -way of NetBSD/FreeBSD. - -The code to handle the dynamic loading of the AFS module for AIX is -copyright @copyright{} 1992 HELIOS Software GmbH 30159 Hannover, -Germany. - -@code{editline} was written by Simmule Turner and Rich Salz. 
- -Bugfixes and code has been contributed by: -@table @asis -@item Derrick J Brashear -@code{<shadow@@dementia.org>} -@item Anders Gertz -@code{<gertz@@lysator.liu.se>} -@item Dejan Ilic -@code{<svedja@@lysator.liu.se>} -@item Kent Engström -@code{<kent@@lysator.liu.se>} -@item Simon Josefsson -@code{<jas@@pdc.kth.se>} -@item Robert Malmgren -@code{<rom@@incolumitas.se>} -@item Fredrik Ljungberg -@code{<flag@@it.kth.se>} -@item Lars Malinowsky -@code{<lama@@pdc.kth.se>} -@item Fabien Coelho -@code{<coelho@@cri.ensmp.fr>} -@item and we hope that those not mentioned here will forgive us. -@end table - -Ian Marsh @code{<ianm@@sics.se>} removed the worst abuses of the English -language from this text. - -Ilja Hallberg @code{<iha@@incolumitas.se>} is still promising to help us -finish the documentation. - -This work was supported in part by SUNET and the Centre for Parallel -Computers at KTH. - -The port to Windows 95/NT was supported by the Computer Council at KTH -and done by Jörgen Karlsson @code{<d93-jka@@nada.kth.se>}. - -All the bugs were introduced by ourselves. - diff --git a/kerberosIV/doc/index.texi b/kerberosIV/doc/index.texi deleted file mode 100644 index ebe5d911ce0..00000000000 --- a/kerberosIV/doc/index.texi +++ /dev/null @@ -1,6 +0,0 @@ -@node Index, , Acknowledgments, Top -@comment node-name, next, previous, up -@unnumbered Index - -@printindex cp - diff --git a/kerberosIV/doc/intro.texi b/kerberosIV/doc/intro.texi deleted file mode 100644 index 24af52fd219..00000000000 --- a/kerberosIV/doc/intro.texi +++ /dev/null 
@@ -1,71 +0,0 @@ -@node Introduction, What is Kerberos?, Top, Top -@comment node-name, next, previous, up -@chapter Introduction - -This is an attempt at documenting the Kerberos 4 distribution from -Kungliga Tekniska Högskolan (the Royal Institute of Technology in -Stockholm, Sweden). This distribution is based on eBones, but has been -improved in many ways. It is more portable, and several new features -have been added. It currently runs on the following systems: - -@itemize @bullet -@item -OpenBSD 2.1 and newer (fully integrated) -@item -AIX 4.1, 4.2 -@item -BSD/OS 2.0, 2.1 -@item -Digital UNIX 3.2, 4.0 -@item -HP-UX 9, 10 -@item -IRIX 4.0, 5.2, 5.3, 6.1, 6.2, 6.3, 6.4 -@item -Linux 1.3, 2.0 -@item -NetBSD 1.2 -@item -FreeBSD 2.2 -@item -SunOS 4.1 -@item -SunOS 5.4/5.5 (aka Solaris 2.4/2.5) -@item -Ultrix 4.4 -@item -Cray UNICOS 9. -@item -Fujitsu UXP/V 4.1. -@end itemize - -Some part compile and work on: - -@itemize @bullet -@item -OS/2 with EMX -@item -Windows 95/NT with gnu-win32 (with the proper amount of magic the -libraries should compile with Microsoft C as well) -@end itemize - -It should work on anything that is almost POSIX, has an ANSI C -compiler, a dbm library (for the server side), and BSD Sockets. - -A web-page is available at @url{http://www.pdc.kth.se/kth-krb/}. - -@heading Bug reports - -If you cannot build the programs or they do not behave as you think they -should, please send us a bug report. The bug report should be sent to -@code{<kth-krb-bugs@@nada.kth.se>}. Please include information on what -machine and operating system (including version) you are running, what -you are trying to do, what happens, what you think should have happened, -an example for us to repeat, the output you get when trying the example, -and a patch for the problem if you have one. Please make any patches -with @code{diff -u} or @code{diff -c}. The more detailed the bug report -is, the easier it will be for us to reproduce, understand, and fix it. 
- -Suggestions, comments and other non bug reports are welcome. Send them -to @code{<kth-krb@@nada.kth.se>}. - diff --git a/kerberosIV/doc/kth-krb.texi b/kerberosIV/doc/kth-krb.texi deleted file mode 100644 index 3b4a5085676..00000000000 --- a/kerberosIV/doc/kth-krb.texi +++ /dev/null 
@@ -1,283 +0,0 @@ -\input texinfo @c -*- texinfo -*- -@c %**start of header -@c $Id: kth-krb.texi,v 1.1 1998/01/20 23:40:29 art Exp $ -@setfilename kth-krb.info -@settitle KTH-KRB -@iftex -@afourpaper -@end iftex -@c some sensible characters, please? -@tex -\input latin1.tex -@end tex -@setchapternewpage on -@syncodeindex pg cp -@c %**end of header - -@ifinfo -@dircategory Kerberos -@direntry -* Kth-krb: (kth-krb). The Kerberos IV distribution from KTH -@end direntry -@end ifinfo - -@c title page -@titlepage -@title KTH-KRB -@subtitle Kerberos 4 from KTH -@subtitle Edition -1.0, for version 0.9.8 -@subtitle 1997 -@author Johan Danielsson -@author Assar Westerlund -@author last updated $Date: 1998/01/20 23:40:29 $ - -@def@copynext{@vskip 20pt plus 1fil@penalty-1000} -@def@copyrightstart{} -@def@copyrightend{} -@page -@copyrightstart -Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan -(Royal Institute of Technology, Stockholm, Sweden). -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - This product includes software developed by the Kungliga Tekniska - Högskolan and its contributors. - -4. Neither the name of the Institute nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. 
- -THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -@copynext - -Copyright (C) 1995 Eric Young (eay@@mincom.oz.au) -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -1. Redistributions of source code must retain the copyright - notice, this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - This product includes software developed by Eric Young (eay@@mincom.oz.au) - -THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -@copynext - -Copyright (c) 1983, 1990 The Regents of the University of California. -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - This product includes software developed by the University of - California, Berkeley and its contributors. - -4. Neither the name of the University nor the names of its contributors - may be used to endorse or promote products derived from this software - without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -@copynext - -Copyright (C) 1990 by the Massachusetts Institute of Technology - -Export of this software from the United States of America is assumed -to require a specific license from the United States Government. -It is the responsibility of any person or organization contemplating -export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - -@copynext - -Copyright 1987, 1989 by the Student Information Processing Board - of the Massachusetts Institute of Technology - -Permission to use, copy, modify, and distribute this software -and its documentation for any purpose and without fee is -hereby granted, provided that the above copyright notice -appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, -and that the names of M.I.T. and the M.I.T. S.I.P.B. 
not be -used in advertising or publicity pertaining to distribution -of the software without specific, written prior permission. -M.I.T. and the M.I.T. S.I.P.B. make no representations about -the suitability of this software for any purpose. It is -provided "as is" without express or implied warranty. - -@copynext - -Copyright 1992 Simmule Turner and Rich Salz. All rights reserved. - -This software is not subject to any license of the American Telephone -and Telegraph Company or of the Regents of the University of California. - -Permission is granted to anyone to use this software for any purpose on -any computer system, and to alter it and redistribute it freely, subject -to the following restrictions: - -1. The authors are not responsible for the consequences of use of this - software, no matter how awful, even if they arise from flaws in it. - -2. The origin of this software must not be misrepresented, either by - explicit claim or by omission. Since few users ever read sources, - credits must appear in the documentation. - -3. Altered versions must be plainly marked as such, and must not be - misrepresented as being the original software. Since few users - ever read sources, credits must appear in the documentation. - -4. This notice may not be removed or altered. - -@copyrightend -@end titlepage - -@c Less filling! Tastes great! 
-@iftex -@parindent=0pt -@global@parskip 6pt plus 1pt -@global@chapheadingskip = 15pt plus 4pt minus 2pt -@global@secheadingskip = 12pt plus 3pt minus 2pt -@global@subsecheadingskip = 9pt plus 2pt minus 2pt -@end iftex -@ifinfo -@paragraphindent 0 -@end ifinfo - -@ifinfo -@node Top, Introduction, (dir), (dir) -@top KTH-krb -@end ifinfo - -@menu -* Introduction:: -* What is Kerberos?:: -* How to set up a realm:: -* One-Time Passwords:: -* Resolving frequent problems:: -* Acknowledgments:: -* Index:: - - --- The Detailed Node Listing --- - -How to set up a realm - -* How to set up the kerberos server:: -* Install the client programs:: -* Install the kerberised services:: -* Install a slave kerberos server:: -* Cross-realm functionality :: - -How to set up the kerberos server - -* Choose a realm name:: -* Choose a kerberos server:: -* Install the configuration files:: -* Install the /etc/services:: -* Install the kerberos server:: -* Set up the server:: -* Add a few important principals:: -* Start the server:: -* Try to get tickets:: -* Create initial ACL for the admin server:: -* Start the admin server:: -* Add users to the database:: -* Automate the startup of the servers:: - -One-Time Passwords - -* What are one time passwords?:: -* When to use one time passwords?:: -* Configuring OTPs:: - -Resolving frequent problems - -* Problems compiling Kerberos:: -* Common error messages:: -@end menu - -@include intro.texi -@include whatis.texi -@include setup.texi -@include otp.texi -@include problems.texi -@include ack.texi -@include index.texi - -@c @shortcontents -@contents - -@bye diff --git a/kerberosIV/doc/latin1.tex b/kerberosIV/doc/latin1.tex deleted file mode 100644 index e683dd271dc..00000000000 --- a/kerberosIV/doc/latin1.tex +++ /dev/null 
@@ -1,95 +0,0 @@ -% ISO Latin 1 (ISO 8859/1) encoding for Computer Modern fonts. -% Jan Michael Rynning <jmr@nada.kth.se> 1990-10-12 -\def\inmathmode#1{\relax\ifmmode#1\else$#1$\fi} -\global\catcode`\^^a0=\active \global\let^^a0=~ % no-break space -\global\catcode`\^^a1=\active \global\def^^a1{!`} % inverted exclamation mark -\global\catcode`\^^a2=\active \global\def^^a2{{\rm\rlap/c}} % cent sign -\global\catcode`\^^a3=\active \global\def^^a3{{\it\$}} % pound sign -% currency sign, yen sign, broken bar -\global\catcode`\^^a7=\active \global\let^^a7=\S % section sign -\global\catcode`\^^a8=\active \global\def^^a8{\"{}} % diaeresis -\global\catcode`\^^a9=\active \global\let^^a9=\copyright % copyright sign -% feminine ordinal indicator, left angle quotation mark -\global\catcode`\^^ac=\active \global\def^^ac{\inmathmode\neg}% not sign -\global\catcode`\^^ad=\active \global\let^^ad=\- % soft hyphen -% registered trade mark sign -\global\catcode`\^^af=\active \global\def^^af{\={}} % macron -% ... -\global\catcode`\^^b1=\active \global\def^^b1{\inmathmode\pm} % plus minus -\global\catcode`\^^b2=\active \global\def^^b2{\inmathmode{{^2}}} -\global\catcode`\^^b3=\active \global\def^^b3{\inmathmode{{^3}}} -\global\catcode`\^^b4=\active \global\def^^b4{\'{}} % acute accent -\global\catcode`\^^b5=\active \global\def^^b5{\inmathmode\mu} % mu -\global\catcode`\^^b6=\active \global\let^^b6=\P % pilcroy -\global\catcode`\^^b7=\active \global\def^^b7{\inmathmode{{\cdot}}} -\global\catcode`\^^b8=\active \global\def^^b8{\c{}} % cedilla -\global\catcode`\^^b9=\active \global\def^^b9{\inmathmode{{^1}}} -% ... 
-\global\catcode`\^^bc=\active \global\def^^bc{\inmathmode{{1\over4}}} -\global\catcode`\^^bd=\active \global\def^^bd{\inmathmode{{1\over2}}} -\global\catcode`\^^be=\active \global\def^^be{\inmathmode{{3\over4}}} -\global\catcode`\^^bf=\active \global\def^^bf{?`} % inverted question mark -\global\catcode`\^^c0=\active \global\def^^c0{\`A} -\global\catcode`\^^c1=\active \global\def^^c1{\'A} -\global\catcode`\^^c2=\active \global\def^^c2{\^A} -\global\catcode`\^^c3=\active \global\def^^c3{\~A} -\global\catcode`\^^c4=\active \global\def^^c4{\"A} % capital a with diaeresis -\global\catcode`\^^c5=\active \global\let^^c5=\AA % capital a with ring above -\global\catcode`\^^c6=\active \global\let^^c6=\AE -\global\catcode`\^^c7=\active \global\def^^c7{\c C} -\global\catcode`\^^c8=\active \global\def^^c8{\`E} -\global\catcode`\^^c9=\active \global\def^^c9{\'E} -\global\catcode`\^^ca=\active \global\def^^ca{\^E} -\global\catcode`\^^cb=\active \global\def^^cb{\"E} -\global\catcode`\^^cc=\active \global\def^^cc{\`I} -\global\catcode`\^^cd=\active \global\def^^cd{\'I} -\global\catcode`\^^ce=\active \global\def^^ce{\^I} -\global\catcode`\^^cf=\active \global\def^^cf{\"I} -% capital eth -\global\catcode`\^^d1=\active \global\def^^d1{\~N} -\global\catcode`\^^d2=\active \global\def^^d2{\`O} -\global\catcode`\^^d3=\active \global\def^^d3{\'O} -\global\catcode`\^^d4=\active \global\def^^d4{\^O} -\global\catcode`\^^d5=\active \global\def^^d5{\~O} -\global\catcode`\^^d6=\active \global\def^^d6{\"O} % capital o with diaeresis -\global\catcode`\^^d7=\active \global\def^^d7{\inmathmode\times}% multiplication sign -\global\catcode`\^^d8=\active \global\let^^d8=\O -\global\catcode`\^^d9=\active \global\def^^d9{\`U} -\global\catcode`\^^da=\active \global\def^^da{\'U} -\global\catcode`\^^db=\active \global\def^^db{\^U} -\global\catcode`\^^dc=\active \global\def^^dc{\"U} -\global\catcode`\^^dd=\active \global\def^^dd{\'Y} -% capital thorn -\global\catcode`\^^df=\active \global\def^^df{\ss} 
-\global\catcode`\^^e0=\active \global\def^^e0{\`a} -\global\catcode`\^^e1=\active \global\def^^e1{\'a} -\global\catcode`\^^e2=\active \global\def^^e2{\^a} -\global\catcode`\^^e3=\active \global\def^^e3{\~a} -\global\catcode`\^^e4=\active \global\def^^e4{\"a} % small a with diaeresis -\global\catcode`\^^e5=\active \global\let^^e5=\aa % small a with ring above -\global\catcode`\^^e6=\active \global\let^^e6=\ae -\global\catcode`\^^e7=\active \global\def^^e7{\c c} -\global\catcode`\^^e8=\active \global\def^^e8{\`e} -\global\catcode`\^^e9=\active \global\def^^e9{\'e} -\global\catcode`\^^ea=\active \global\def^^ea{\^e} -\global\catcode`\^^eb=\active \global\def^^eb{\"e} -\global\catcode`\^^ec=\active \global\def^^ec{\`\i} -\global\catcode`\^^ed=\active \global\def^^ed{\'\i} -\global\catcode`\^^ee=\active \global\def^^ee{\^\i} -\global\catcode`\^^ef=\active \global\def^^ef{\"\i} -% small eth -\global\catcode`\^^f1=\active \global\def^^f1{\~n} -\global\catcode`\^^f2=\active \global\def^^f2{\`o} -\global\catcode`\^^f3=\active \global\def^^f3{\'o} -\global\catcode`\^^f4=\active \global\def^^f4{\^o} -\global\catcode`\^^f5=\active \global\def^^f5{\~o} -\global\catcode`\^^f6=\active \global\def^^f6{\"o} % small o with diaeresis -\global\catcode`\^^f7=\active \global\def^^f7{\inmathmode\div}% division sign -\global\catcode`\^^f8=\active \global\let^^f8=\o -\global\catcode`\^^f9=\active \global\def^^f9{\`u} -\global\catcode`\^^fa=\active \global\def^^fa{\'u} -\global\catcode`\^^fb=\active \global\def^^fb{\^u} -\global\catcode`\^^fc=\active \global\def^^fc{\"u} -\global\catcode`\^^fd=\active \global\def^^fd{\'y} -% capital thorn -\global\catcode`\^^ff=\active \global\def^^ff{\"y} diff --git a/kerberosIV/doc/otp.texi b/kerberosIV/doc/otp.texi deleted file mode 100644 index 0a5929fa862..00000000000 --- a/kerberosIV/doc/otp.texi +++ /dev/null 
@@ -1,127 +0,0 @@ -@node One-Time Passwords, Resolving frequent problems, How to set up a realm, Top -@chapter One-Time Passwords - -@cindex OTP -@cindex One time passwords -There is also support for using @dfn{one time passwords} (OTP) in this -package. Specifically @code{login}, @code{ftpd}, and @code{popper} have -support for using them. - -@menu -* What are one time passwords?:: -* When to use one time passwords?:: -* Configuring OTPs:: -@end menu - -@node What are one time passwords?, When to use one time passwords?, One-Time Passwords, One-Time Passwords -@comment node-name, next, previous, up -@section What are one time passwords? - -One time passwords are, as the name implies, passwords that can only -be used once. This means that even if someone is eavesdropping on the -network, they will not be able to make use of the passwords they steal. - -The OTPs used in this package support @cite{RFC 1938}. This standard is -also backwards compatible with the well-known S/Key. There are lots of -programs for generating these on everything from HP 48's to Crays. -@cindex S/Key - -@node When to use one time passwords?, Configuring OTPs, What are one time passwords?, One-Time Passwords -@comment node-name, next, previous, up -@section When to use one time passwords? - -Why would you want to use OTPs instead of Kerberos? The advantage of -OTPs is that they don't require a computer to operate. You can print -out a list of passwords and take with you, or you could use your -calculator or hand-held computer to generate them. - -The downside is that they only protect you against passive attacks. -Only the initial connection is authenticated. After that, anyone can -eavesdrop on your session, so you should not send or view any sensitive -data (e.g. passwords) over a OTP-initiated link. You are also -vulnerable to active attacks where intruders try to take over your -TCP-session and/or introduce data in the middle of it. 
In other words, -they provide initial authentication, but neither integrity nor -confidentiality. - -The OTPs are generated from the tuple (@var{seed}, @var{sequence -number}, @var{pass-phrase}). The seed and the sequence number will be -printed as part of the @dfn{challenge} and you will have to generate the -corresponding password or pick it from a list. - -In conclusion, they are simple and can be used everywhere but don't -protect against all threats that Kerberos does. Use them when you can't -use Kerberos. - -@node Configuring OTPs, , When to use one time passwords?, One-Time Passwords -@comment node-name, next, previous, up -@section Configuring OTPs - -@heading Initializing - -To initialize your OTPs use the @code{otp} program. This program will -write an entry in a local file on this host with your current password -(in this case the 100th) and the corresponding seed (@samp{foobar}). -@pindex otp - -@example -@cartouche -datan:>otp 100 foobar -Pass-phrase: <pass-phrase> -Verifying password Pass-phrase: <pass-phrase> -@end cartouche -@end example - -@heading Generating - -To print out a list of them there is a program called -@code{otpprint}. -@pindex otpprint - -@example -@cartouche -datan:>otpprint 100 foobar -Pass-phrase: <pass-phrase> -91: SLAM BUY SUP DUSK SKY BEST -92: DEEM SIGH ROB RASH JUG MAT -93: DUET FISK HERS AREA TOLL SUP -94: WOW RAIN LEAK SARA MARK WING -95: COG YELL MILK CART ABE BAWL -96: GROW SILK GIST OMEN CAM ANNE -97: JAG QUAD NUT BEAT BHOY MAGI -98: ADAM USED GENE NIP EYE SIS -99: MY SUNG HERO AT DASH RAKE -100: CORN KNIT BOTH TOGO SOUL BOG -@end cartouche -@end example - -@heading Using the OTPs - -When you try to use one and have initialized a series of -one-time passwords for yourself you will get a challenge with the -algorithm being used, the sequence number, and the seed. Enter those in -your generator or find the corresponding password in your list. 
- -@example -@cartouche -login: assar -assar's [ otp-md5 99 foobar ] Password: <MY SUNG HERO AT DASH RAKE> -@end cartouche -@end example - -The sequence number of the password will start at one less that the -number you gave to @code{otp} and decrease by one every time you use it. -You should try to keep track of which should be the current one so that -you can be assured that nobody has stolen some of your passwords and -used them. When the number has reached zero you need to acquire a new -series of passwords. - -Once you have initialized your series of passwords, you can always use -them at any password prompt where you get the challenge as shown above. - -@heading Configuring servers - -@code{ftpd}, @code{telnetd}, and @code{popper} can be configured to -require one-time passwords when the connection has not been kerberos -authenticated. Check the man pages for these programs for the correct -options. diff --git a/kerberosIV/doc/problems.texi b/kerberosIV/doc/problems.texi deleted file mode 100644 index a8c4d1e1475..00000000000 --- a/kerberosIV/doc/problems.texi +++ /dev/null 
@@ -1,131 +0,0 @@ -@node Resolving frequent problems, Acknowledgments, One-Time Passwords, Top -@chapter Resolving frequent problems - -@menu -* Problems compiling Kerberos:: -* Common error messages:: -@end menu - -@node Problems compiling Kerberos, Common error messages, Resolving frequent problems, Resolving frequent problems -@section Problems compiling Kerberos - -Many compilers require a switch to become ANSI compliant. Since kth-krb -is written in ANSI C it is necessary to specify the name of the compiler -to be used and the required switch to make it ANSI compliant. This is -most easily done when running configure using the @kbd{env} command. For -instance to build under HP-UX using the native compiler do: - -@cartouche -@example -datan$ env CC="cc -Ae" ./configure -@end example -@end cartouche - -In general @kbd{gcc} works. The following combinations have also been -verified to successfully compile the distribution: - -@table @asis - -@item @samp{HP-UX} -@kbd{cc -Ae} -@item @samp{Digital UNIX} -@kbd{cc -std1} -@item @samp{AIX} -@kbd{xlc} -@item @samp{Solaris 2.x} -@kbd{cc} (unbundled one) -@item @samp{IRIX} -@kbd{cc} - -@end table - -@node Common error messages, , Problems compiling Kerberos, Resolving frequent problems -@section Common error messages - -These are some of the more obscure error messages you might encounter: - -@table @asis - -@item @samp{Time is out of bounds} - -The time on your machine differs from the time on either the kerberos -server or the machine you are trying to login to. If it isn't obvious -that this is the case, remember that all times are compared in UTC. - -On unix systems you usually can find out what the local time is by doing -@code{telnet machine daytime}. This time (again, usually is the keyword) -is with correction for time-zone and daylight savings. - -If you have problem keeping your clocks synchronized, consider using a -time keeping system such as NTP (see also the discussion in -@ref{Install the client programs}). 
- -@item @samp{Ticket issue date too far in the future} - -The time on the kerberos server is more than five minutes ahead of the -time on the server. - -@item @samp{Can't decode authenticator} - -This means that there is a mismatch between the service key in the -kerberos server and the service key file on the specific machine. -Either: -@itemize @bullet -@item -the server couldn't find a service key matching the request -@item -the service key (or version number) does not match the key the packet -was encrypted with -@end itemize - -@item @samp{Incorrect network address} - -The address in the ticket does not match the address you sent the -request from. This happens on systems with more than one network -address, either physically or logically. You can list addresses which -should be considered equal in @file{/etc/kerberosIV/krb.equiv} on your servers. - -A note to programmers: a server should not pass @samp{*} as the instance -to @samp{krb_rd_req}. It should try to figure out on which interface the -request was received, for instance by using @samp{k_getsockinst}. - -If you change addresses on your computer you invalidate any tickets you -might have. The easiest way to fix this is to get new tickets with the -new address. - -@item @samp{Message integrity error} - -The packet is broken in some way: -@itemize @bullet -@item -the lengths does not match the size of the packet, or -@item -the checksum does not match the contents of the packet -@end itemize - -@item @samp{Can't send request} -There is some problem contacting the kerberos server. Either the server -is down, or it is using the wrong port (compare the entries for -@samp{kerberos-iv} in @file{/etc/services}). The client might also have -failed to guess what kerberos server to talk to (check -@file{/etc/kerberosIV/krb.conf} and @file{/etc/kerberosIV/krb.realms}). - -@item @samp{kerberos: socket: Unable to open socket...} - -The kerberos server has to open four sockets for each interface. 
If you -have a machine with lots of virtual interfaces, you run the risk of -running out of file descriptors. If that happens you will get this -error message. - -@item @samp{ftp: User foo access denied} - -This usually happens because the user's shell is not listed in -@file{/etc/shells}. Note that @kbd{ftpd} checks this file even on -systems where the system version does not and there is no -@file{/etc/shells}. - -@item @samp{Generic kerberos error} -This is a generic catch-all error message. - -@end table - diff --git a/kerberosIV/doc/setup.texi b/kerberosIV/doc/setup.texi deleted file mode 100644 index eea758303c9..00000000000 --- a/kerberosIV/doc/setup.texi +++ /dev/null 
@@ -1,809 +0,0 @@ -@node How to set up a realm, One-Time Passwords, What is Kerberos?, Top -@chapter How to set up a realm - -@quotation -@flushleft - Who willed you? or whose will stands but mine? - There's none protector of the realm but I. - Break up the gates, I'll be your warrantize. - Shall I be flouted thus by dunghill grooms? - --- King Henry VI, 6.1 -@end flushleft -@end quotation - -@menu -* How to set up the kerberos server:: -* Install the client programs:: -* Install the kerberised services:: -* Install a slave kerberos server:: -* Cross-realm functionality :: -@end menu - -@node How to set up the kerberos server, Install the client programs, How to set up a realm, How to set up a realm -@section How to set up the kerberos server - -@menu -* Choose a realm name:: -* Choose a kerberos server:: -* Install the configuration files:: -* Install the /etc/services:: -* Install the kerberos server:: -* Set up the server:: -* Add a few important principals:: -* Start the server:: -* Try to get tickets:: -* Create initial ACL for the admin server:: -* Start the admin server:: -* Add users to the database:: -* Automate the startup of the servers:: -@end menu - -@node Choose a realm name, Choose a kerberos server, How to set up the kerberos server, How to set up the kerberos server -@subsection Choose a realm name - -A -@cindex realm -realm is an administrative domain. Kerberos realms are usually -written in uppercase and consist of a Internet domain -name@footnote{Using lowercase characters in the realm name might break -in mysterious ways. This really should have been fixed, but has not.}. -Call your realm the same as your Internet domain name if you do not have -strong reasons for not doing so. It will make life easier for you and -everyone else. 
- -@node Choose a kerberos server, Install the configuration files, Choose a realm name, How to set up the kerberos server -@subsection Choose a kerberos server - -You need to choose a machine to run the -@pindex kerberos -kerberos server program. If the kerberos database residing on this host -is compromised, your entire realm will be compromised. Therefore, this -machine must be as secure as possible. Preferably it should not run any -services other than Kerberos. The secure-minded administrator might -only allow logins on the console. - -This machine has also to be reliable. If it is down, you will not be -able to use any kerberised services unless you have also configured a -slave server (@pxref{Install a slave kerberos server}) - -Running the kerberos server requires very little CPU power and a small -amount of disk. An old PC with some hundreds of megabytes of free disk -space should do fine. Most of the disk space will be used for various -logs. - -@node Install the configuration files, Install the /etc/services, Choose a kerberos server, How to set up the kerberos server -@subsection Install the configuration files - -There are two important configuration files: @file{/etc/kerberosIV/krb.conf} and -@file{/etc/kerberosIV/krb.realms}. -@pindex krb.conf -@pindex krb.realms - -The @file{krb.conf} file determines which machines are servers for -different realms. The format of this file is: - -@example -THIS.REALM -THIS.REALM kerberos.this.realm admin server -THIS.REALM kerberos-1.this.realm -ANOTHER.REALM kerberos.another.realm -@end example - -The first line defines the name of the local realm. Line two defines the -name of the master kerberos server and the database administration -server for this realm. You can define any number of kerberos slave -servers similar to the one defined in line three. The clients will try -to contact the servers in the order they are defined in @file{krb.conf}. 
- -To disable kerberos on your system place a '#'-sign as the first character -on the first line in @file{/etc/kerberosIV/krb.conf}. This will disable any -kerberos authentication on your system. - -The @samp{admin server} clause at the first entry states that this is -the master server -@cindex master server -(the one to contact when modifying the database, such as changing -passwords). There should be only one such entry for each realm. - -In the original MIT Kerberos 4 (as in most others), the server -specification could only take the form of a host-name. To facilitate -having kerberos servers in odd places (such as behind a firewall), -support has been added for ports other than the default (750), and -protocols other than UDP. - -The formal syntax for an entry is now -@samp{[@var{proto}/]@var{host}[:@var{port}]}. @var{proto} is either -@samp{udp} or @samp{tcp}, and @var{port} is the port to talk to. Default -value for @var{proto} is @samp{udp} and for @var{port} whatever -@samp{kerberos-iv} is defined to be in @file{/etc/services} or 750 if -undefined. - -You can also talk HTTP with your KDC, in that case you specify an URL, -like @samp{http://@var{host}[:@var{port}]}. If you for some reason need -to use a HTTP proxy, you can specify the proxy in the @samp{krb4_proxy} -environment variable, also in URL format. The default for port in this -case is 80. - -If the information about a realm is missing from the @file{krb.conf} -file, or if the information is wrong, the following methods will be -tried in order. - -@enumerate -@item -If you have an SRV-record (@cite{RFC 2052}) for your realm it will be -used. This record should be of the form -@samp{kerberos-iv.@var{protocol}.@var{REALM}}, where @var{proto} is -either @samp{udp} or @samp{tcp}. (Note: the current implementation does -not look at priority or weight when deciding which server to talk to.) -@item -If there isn't any SRV-record, it tries to find a TXT-record for the -same domain. 
The contents of the record should have the same format as the -host specification in @file{krb.conf}. (Note: this is a temporary -solution if your name server doesn't support SRV records. The clients -should work fine with SRV records, so if your name server supports them, -they are very much preferred.) -@item -If no valid kerberos server is found, it will try to talk udp to the -service @samp{kerberos-iv} with fall-back to port 750 with -@samp{kerberos.@var{REALM}} (which is also assumed to be the master -server), and then @samp{kerberos-1.@var{REALM}}, -@samp{kerberos-2.@var{REALM}}, and so on. -@end enumerate - -We strongly recommend that you add a CNAME @samp{kerberos.@var{REALM}} -pointing to your kerberos master server. - -The @file{krb.realms} file is used to find out what realm a particular -host belongs to. An example of this file could look like: - -@example -this.realm THIS.REALM -.this.realm THIS.REALM -foo.com SOME.OTHER.REALM -www.foo.com A.STRANGE.REALM -.foo.com FOO.REALM -@end example - -Entries starting with a dot are taken as the name of a domain. Entries -not starting with a dot are taken as a host-name. The first entry matched -is used. The entry for @samp{this.realm} is only necessary if there is a -host named @samp{this.realm}. - -If no matching realm is found in @file{krb.realms}, DNS is searched for -the correct realm. For example, if we are looking for host @samp{a.b.c}, -@samp{krb4-realm.a.b.c} is first tried and then @samp{krb4-realm.b.c} -and so on. The entry should be a TXT record containing the name of the -realm, such as: - -@example -krb4-realm.pdc.kth.se. 7200 TXT "NADA.KTH.SE" -@end example - -If this didn't help the domain name sans the first part in uppercase is -tried. - -The plain vanilla version of Kerberos doesn't have any fancy methods of -getting realms and servers so it is generally a good idea to keep -@file{krb.conf} and @file{krb.realms} up to date. 
- -@node Install the /etc/services, Install the kerberos server, Install the configuration files, How to set up the kerberos server -@subsection Updating /etc/services - -(Obsolete in OpenBSD) - -You should append or merge the contents of @file{services.append} to -your @file{/etc/services} files or NIS-map. Remove any unused factory -installed kerberos port definitions to avoid possible conflicts. -@pindex services - -Most of the programs will fall back to the default ports if the port -numbers are not found in @file{/etc/services}, but it is convenient to -have them there anyway. - -@node Install the kerberos server, Set up the server, Install the /etc/services, How to set up the kerberos server -@subsection Install the kerberos server - -You should have already chosen the machine where you want to run the -kerberos server and the realm name. The machine should also be as -secure as possible (@pxref{Choose a kerberos server}) before installing -the kerberos server. In this example, we will install a kerberos server -for the realm @samp{FOO.SE} on a machine called @samp{hemlig.foo.se}. - -@node Set up the server, Add a few important principals, Install the kerberos server, How to set up the kerberos server -@subsection Setup the server - -Login as root on the console of the kerberos server. Run -@kbd{kdb_init}: -@pindex kdb_init - -@example -@cartouche -hemlig# kdb_init -Realm name [default FOO.SE ]: -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. - -Enter Kerberos master password: -Verifying password -Enter Kerberos master password: -@end cartouche -@end example - -If you have set up the configuration files correctly, @kbd{kdb_init} -should choose the correct realm as the default, otherwise a (good) guess -is made. Enter the master password. - -This password will only be used for encrypting the kerberos database on -disk and for generating new random keys. 
You will not have to remember -it, only to type it again when you run @kbd{kstash}. Choose something -long and random. Now run @kbd{kstash} using the same password: -@pindex kstash - -@example -@cartouche -hemlig# kstash - -Enter Kerberos master password: - -Current Kerberos master key version is 1. - -Master key entered. BEWARE! -Wrote master key to /etc/kerberosIV/master_key -@end cartouche -@end example - -After entering the same master password it will be saved in the file -@file{/etc/kerberosIV/master_key} and the kerberos server will read it when needed. Write down -the master password and put it in a sealed envelope in a safe, you might -need it if your disk crashes or should you want to set up a slave -server. - -@code{kdb_init} initializes the database with a few entries: - -@table @samp -@item krbtgt.@var{REALM} -The key used for authenticating to the kerberos server. - -@item changepw.kerberos -The key used for authenticating to the administrative server, i.e. when -adding users, changing passwords, and so on. - -@item default -This entry is copied to new items when these are added. Enter here the -values you want new entries to have, particularly the expiry date. - -@item K.M -This is the master key and it is only used to verify that the master key -that is saved un-encrypted in @file{/etc/kerberosIV/master_key} is correct and corresponds to -this database. - -@end table - -@code{kstash} only reads the master password and writes it to -@file{/etc/kerberosIV/master_key}. This enables the kerberos server to start without you -having to enter the master password. This file (@file{/etc/kerberosIV/master_key}) is only -readable by root and resides on a ``secure'' machine. - -@node Add a few important principals, Start the server, Set up the server, How to set up the kerberos server -@subsection Add a few important principals - -Now the kerberos database has been created, containing only a few -principals. 
The next step is to add a few more so that you can test -that it works properly and so that you can administer your realm without -having to use the console on the kerberos server. Use @kbd{kdb_edit} -to edit the kerberos database directly on the server. -@pindex kdb_edit - -@code{kdb_edit} is intended as a bootstrapping and fall-back mechanism -for editing the database. For normal purposes, use the @code{kadmin} -program (@pxref{Add users to the database}) - -The following example shows the adding of the principal -@samp{nisse.admin} into the kerberos database. This principal is used -by @samp{nisse} when administrating the kerberos database. Later on the -normal principal for @samp{nisse} will be created. Replace @samp{nisse} -and @samp{password} with your own username and password. - -@example -@cartouche -hemlig# kdb_edit -n -Opening database... -Current Kerberos master key version is 1. - -Master key entered. BEWARE! -Previous or default values are in [brackets] , -enter return to leave the same, or new value. - -Principal name: <nisse> -Instance: <admin> - -<Not found>, Create [y] ? <> - -Principal: nisse, Instance: admin, kdc_key_ver: 1 -New Password: <password> -Verifying password -New Password: <password> - -Principal's new key version = 1 -Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? <> -Max ticket lifetime (*5 minutes) [ 255 ] ? <> -Attributes [ 0 ] ? <> -Edit O.K. -Principal name: <> -@end cartouche -@end example - -@code{kdb_edit} will loop until you hit the @kbd{return} key at the -``Principal name'' prompt. Now you have added nisse as an administrator. - -@node Start the server, Try to get tickets, Add a few important principals, How to set up the kerberos server -@subsection Start the server - -@pindex kerberos -@example -@cartouche -hemlig# /usr/libexec/kerberos & -Kerberos server starting -Sleep forever on error -Log file is /var/log/kerberos.log -Current Kerberos master key version is 1. - -Master key entered. BEWARE! 
- -Current Kerberos master key version is 1 -Local realm: FOO.SE -@end cartouche -@end example - -@node Try to get tickets, Create initial ACL for the admin server, Start the server, How to set up the kerberos server -@subsection Try to get tickets - -You can now verify that these principals have been added and that the -server is working correctly. - -@pindex kinit -@example -@cartouche -hemlig# kinit -eBones International (hemlig.foo.se) -Kerberos Initialization -Kerberos name: <nisse.admin> -Password: <password> -@end cartouche -@end example - -If you do not get any error message from @code{kinit}, then everything -is working (otherwise, see @ref{Common error messages}). Use -@code{klist} to verify the tickets you acquired with @code{kinit}: - -@pindex klist -@example -@cartouche -hemlig# klist -Ticket file: /tmp/tkt0 -Principal: nisse.admin@@FOO.SE - -Issued Expires Principal -May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE -@end cartouche -@end example - -@node Create initial ACL for the admin server, Start the admin server, Try to get tickets, How to set up the kerberos server -@subsection Create initial ACL for the admin server - -The admin server, @code{kadmind}, uses a series of files to determine who has -@pindex kadmind -the right to perform certain operations. The files are: -@file{admin_acl.add}, @file{admin_acl.get}, @file{admin_acl.del}, and -@file{admin_acl.mod}. Create these with @samp{nisse.admin@@FOO.SE} as -the contents. -@pindex admin_acl.add -@pindex admin_acl.get -@pindex admin_acl.del -@pindex admin_acl.mod - -@example -@cartouche -hemlig# echo "nisse.admin@@FOO.SE" >> /etc/kerberosIV/admin_acl.add -hemlig# echo "nisse.admin@@FOO.SE" >> /etc/kerberosIV/admin_acl.get -hemlig# echo "nisse.admin@@FOO.SE" >> /etc/kerberosIV/admin_acl.mod -hemlig# echo "nisse.admin@@FOO.SE" >> /etc/kerberosIV/admin_acl.del -@end cartouche -@end example - -Later on you may wish to add more users with administration -privileges. 
Make sure that you create both the administration principals -and add them to the admin server ACL. - -@node Start the admin server, Add users to the database, Create initial ACL for the admin server, How to set up the kerberos server -@subsection Start the admin server - -@pindex kadmind -@example -@cartouche -hemlig# /usr/libexec/kadmind & -KADM Server KADM0.0A initializing -Please do not use 'kill -9' to kill this job, use a -regular kill instead - -Current Kerberos master key version is 1. - -Master key entered. BEWARE! -@end cartouche -@end example - -@node Add users to the database, Automate the startup of the servers, Start the admin server, How to set up the kerberos server -@subsection Add users to the database - -Use the @code{kadmin} client to add users to the database: -@pindex kadmin - -@example -@cartouche -hemlig# kadmin -u nisse.admin -m -Welcome to the Kerberos Administration Program, version 2 -Type "help" if you need it. -admin: <add nisse> -Admin password: <nisse.admin's password> -Maximum ticket lifetime? (255) [Forever] -Attributes? [0x00] -Expiration date (enter yyyy-mm-dd) ? [Sat Jan 1 05:59:00 2000] -Password for nisse: -Verifying password Password for nisse: -nisse added to database. -@end cartouche -@end example - -Add whatever other users you want to have in the same way. Verify that -a user is in the database and check the database entry for that user: - -@example -@cartouche -admin: <get nisse> -Info in Database for nisse.: -Max Life: 255 (Forever) Exp Date: Sat Jan 1 05:59:59 2000 - -Attribs: 00 key: 0 0 -admin: <^D> -Cleaning up and exiting. -@end cartouche -@end example - -@node Automate the startup of the servers, , Add users to the database, How to set up the kerberos server -@subsection Automate the startup of the servers - -Add the lines that were used to start the kerberos server and the -admin server to your startup scripts (@file{/etc/rc} or similar). 
-@pindex rc - -@node Install the client programs, Install the kerberised services, How to set up the kerberos server, How to set up a realm -@section Install the client programs - -(Obsolete in OpenBSD) - -Making a machine a kerberos client only requires a few steps. First you -might need to change the configuration files as with the kerberos -server. (@xref{Install the configuration files}, and @pxref{Install the -/etc/services}) Also you need to make the programs in -@file{/usr/athena/bin} available. This can be done by adding the -@file{/usr/athena/bin} directory to the users' paths, by making symbolic -links, or even by copying the programs. - -You should also verify that the local time on the client is synchronised -with the time on the kerberos server by some means. The maximum allowed -time difference between the participating servers and a client is 5 -minutes. -@cindex NTP. -One good way to synchronize the time is NTP (Network Time Protocol), see -@url{http://www.eecis.udel.edu/~ntp/}. - -If you need to run the client programs on a machine where you do not -have root-access, you can hopefully just use the binaries and no -configuration will be needed. The heuristics used are mentioned above -(see @ref{Install the configuration files}). If this is not the case -and you need to have @file{krb.conf} and/or @file{krb.realms}, you can -copy them into a directory of your choice and -@pindex krb.conf -@pindex krb.realms -set the environment variable @var{KRBCONFDIR} to point at this -@cindex KRBCONFDIR -directory. 
- -To test the client functionality, run the @code{kinit} program: - -@example -@cartouche -foo$ kinit -eBones International (foo.foo.se) -Kerberos Initialization -Kerberos name: <nisse> -Password: <password> - -foo$ klist -Ticket file: /tmp/tkt4711 -Principal: nisse@@FOO.SE - -Issued Expires Principal -May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE -@end cartouche -@end example - -@node Install the kerberised services, Install a slave kerberos server, Install the client programs, How to set up a realm -@section Install the kerberised services - -(Obsolete in OpenBSD) - -These includes @code{rsh}, @code{rlogin}, @code{telnet}, @code{ftp}, -@code{rxtelnet}, and so on. -@pindex rsh -@pindex rlogin -@pindex telnet -@pindex ftp -@pindex rxtelnet - -First follow the steps mentioned in the prior section to make it a -client and verify its operation. Change @file{inetd.conf} next to use -the new daemons. Look at the file -@pindex inetd.conf -@file{etc/inetd.conf.changes} to see the changes that we recommend you -perform on @file{inetd.conf}. - -You should at this point decide what services you want to run on -each machine. - -@subsection rsh, rlogin, and rcp -@pindex rsh -@pindex rlogin -@pindex rcp - -These exist in kerberised versions and ``old-style'' versions. The -different versions use different port numbers, so you can choose none, -one, or both. If you do not want to use ``old-style'' r* services, you -can let the programs output the text ``Remote host requires Kerberos -authentication'' instead of just refusing connections to that port. -This is enabled with the @samp{-v} option. The kerberised services -exist in encrypted and non-encrypted versions. The encrypted services -have an ``e'' prepended to the name and the programs take @samp{-x} as an -option indicating encryption. - -Our recommendation is to only use the kerberised services and give -explanation messages for the old ports. 
- -@subsection telnet -@pindex telnet - -The telnet service always uses the same port and negotiates as to which -authentication method should be used. The @code{telnetd} program has -@pindex telnetd -an option ``-a user'' that only allows kerberised and authenticated -connections. If this is not included, it falls back to using clear text -passwords. For obvious reasons, we recommend that you enable this -option. If you want to use one-time passwords (@pxref{One-Time -Passwords}) you can use the ``-a otp'' option which will allow OTPs or -kerberised connections. - -@subsection ftp -@pindex ftp - -The ftp service works as telnet does, with just one port being used. By -default only kerberos authenticated connections are allowed. You can -specify additional levels that are thus allowed with these options: - -@table @asis -@item @kbd{-a otp} -Allow one-time passwords (@pxref{One-Time Passwords}) -@item @kbd{-a ftp} -Allow anonymous login (as user ``ftp'' or ``anonymous''). -@item @kbd{-a safe} -The same as @kbd{-a ftp}, for backwards compatibility. -@item @kbd{-a plain} -Allow clear-text passwords. -@item @kbd{-a none} -The same as @kbd{-a ftp -a plain}. -@item @kbd{-a user} -A no-op, also there for backwards compatibility reasons. -@end table - -When running anonymous ftp you should read the man page on @code{ftpd} -which explains how to set it up. - -@subsection pop -@pindex popper - -The Post Office Protocol (POP) is used to retrieve mail from the mail -hub. The @code{popper} program implements the standard POP3 protocol -and the kerberised KPOP. Use the @samp{-k} option to run the kerberos -version of the protocol. This service should only be run on your mail -hub. - -@subsection kx -@pindex kx - -@code{kx} allows you to run X over a kerberos-authenticated and -encrypted connection. This program is used by @code{rxtelnet}, -@code{tenletxr}, and @code{rxterm}. 
- -If you have some strange kind of operating system with X libraries that -do not allow you to use unix-sockets, you need to specify the @samp{-t} -@pindex kxd -option to @code{kxd}. Otherwise it should be sufficient by adding the -daemon in @file{inetd.conf}. - -@subsection kauth -@pindex kauth - -This service allows you to create tickets on a remote host. To -enable it just insert the corresponding line in @file{inetd.conf}. - -@section srvtabs -@pindex srvtab - -In the same way every user needs to have a password registered with -the kerberos server, every service needs to have a shared key with the -kerberos server. The service keys are stored in a file, usually called -@file{/etc/kerberosIV/srvtab}. This file should not be readable to anyone but -root, in order to keep the key from being divulged. The name of this principal -in the kerberos database is usually the service and the host. The key -for the pop service is called @samp{pop.@var{hostname}}. The one for -rsh/rlogin/telnet is named @samp{rcmd.@var{hostname}}. (rcmd comes from -``remote command''). To create these keys you will use the the -@code{ksrvutil} program. Perform the -@pindex ksrvutil -following: - -@example -@cartouche -bar# ksrvutil -p nisse.admin get -Name [rcmd]: <> -Instance [bar]: <> -Realm [FOO.SE]: <> -Is this correct? (y,n) [y] <> -Add more keys? (y,n) [n] <> -Password for nisse.admin@@FOO.SE: <nisse.admin's password> -Written rcmd.bar -rcmd.bar@@FOO.SE -Old keyfile in /etc/srvtab.old. -@end cartouche -@end example - -@subsection Complete test of the kerberised services - -Obtain a ticket on one machine (@samp{foo}) and use it to login with a -kerberised service to a second machine (@samp{bar}). 
The test should -look like this if successful: - -@example -@cartouche -foo$ kinit nisse -eBones International (foo.foo.se) -Kerberos Initialization for "nisse" -Password: <nisse's password> -foo$ klist -Ticket file: /tmp/tkt4711 -Principal: nisse@@FOO.SE - -Issued Expires Principal -May 30 13:48:03 May 30 23:48:03 krbtgt.FOO.SE@@FOO.SE -foo$ telnet bar -Trying 17.17.17.17... -Connected to bar.foo.se -Escape character is '^]'. -[ Trying mutual KERBEROS4 ... ] -[ Kerberos V4 accepts you ] -[ Kerberos V4 challenge successful ] -bar$ -@end cartouche -@end example - -You can also try with @code{rsh}, @code{rcp}, @code{rlogin}, -@code{rlogin -x}, and some other commands to see that everything is -working all right. - -@node Install a slave kerberos server, Cross-realm functionality , Install the kerberised services, How to set up a realm -@section Install a slave kerberos server - -It is desirable to have at least one backup (slave) server in case the -master server fails. It is possible to have any number of such slave -servers but more than three usually doesn't buy much more redundancy. - -First select a good server machine. @xref{Choose a kerberos -server}. Since the master and slave servers will use copies of the same -database, they need to use the same master key. - -On the master, add a @samp{rcmd.kerberos} principal (using -@samp{ksrvutil get}). The -@pindex kprop -@code{kprop} program, running on the master, will use this when -authenticating to the -@pindex kpropd -@code{kpropd} daemons running on the slave servers. - -On your master server, create a file, e.g. @file{/etc/kerberosIV/slaves}, -that contains the hostnames of your kerberos slave servers. - -Start @code{kpropd} with @samp{kpropd -i} on your slave servers. - -On your master server, create a dump of the database with @samp{kdb_util -slave_dump /etc/kerberosIV/slave_dump}, and then run @code{kprop}. - -You should now have copies of the database on your slave servers. 
You -can verify this by issuing @samp{kdb_util dump @var{file}} on your -slave servers, and comparing with the original file on the master -server. Note that the entries will not be in the same order. - -This procedure should be automated with a script run regularly by cron, -for instance once an hour. - -To start the kerberos server on slaves, you first have to copy the -master key from the master server. You can do this either by remembering -the master password and issuing @samp{kstash}, or you can just copy the -keyfile. Remember that if you copy the file, do so on a safe media, not -over the network. Good means include floppy or paper. Paper is better, -since it is easier to swallow afterwards. - -The kerberos server should be started with @samp{-s} on the slave -servers. This enables sanity checks, for example checking the time since -the last update from the master. - -All changes to the database are made by @code{kadmind} at the master, -and then propagated to the slaves, so you should @strong{not} run -@code{kadmind} on the slaves. - -Finally add the slave servers to -@file{/etc/kerberosIV/krb.conf}. The clients will ask the servers in the order -specified by that file. - -Consider adding CNAMEs to your slave servers, see @ref{Install the -configuration files}. - -@node Cross-realm functionality , , Install a slave kerberos server, How to set up a realm -@section Cross-realm functionality - -Suppose you are residing in the realm @samp{MY.REALM}, how do you -authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in -@samp{MY.REALM} allows you to communicate with kerberised services in that -realm. However, the computer in the other realm does not have a secret -key shared with the kerberos server in your realm. - -It is possible to add a shared key between two realms that trust each -other. 
When a client program, such as @code{telnet}, finds that the -other computer is in a different realm, it will try to get a ticket -granting ticket for that other realm, but from the local kerberos -server. With that ticket granting ticket, it will then obtain service -tickets from the kerberos server in the other realm. - -To add this functionality you have to add a principal to each realm. The -principals should be @samp{krbtgt.OTHER.REALM} in @samp{MY.REALM}, and -@samp{krbtgt.MY.REALM} in @samp{OTHER.REALM}. The two different -principals should have the same key (and key version number). Remember -to transfer this key in a safe manner. This is all that is required. - -@example -@cartouche -blubb$ klist -Ticket file: /tmp/tkt3008 -Principal: joda@@NADA.KTH.SE - - Issued Expires Principal -Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE -blubb$ telnet agat.e.kth.se -Trying 130.237.48.12... -Connected to agat.e.kth.se. -Escape character is '^]'. -[ Trying mutual KERBEROS4 ... ] -[ Kerberos V4 accepts you ] -[ Kerberos V4 challenge successful ] -Last login: Sun Jun 2 20:51:50 from emma.pdc.kth.se - -agat$ exit -Connection closed by foreign host. -blubb$ klist -Ticket file: /tmp/tkt3008 -Principal: joda@@NADA.KTH.SE - - Issued Expires Principal -Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE -Jun 7 02:26:50 Jun 7 12:26:50 krbtgt.E.KTH.SE@@NADA.KTH.SE -Jun 7 02:26:51 Jun 7 12:26:51 rcmd.agat@@E.KTH.SE -@end cartouche -@end example diff --git a/kerberosIV/doc/whatis.texi b/kerberosIV/doc/whatis.texi deleted file mode 100644 index eaf19aabb08..00000000000 --- a/kerberosIV/doc/whatis.texi +++ /dev/null 
@@ -1,137 +0,0 @@
-@node What is Kerberos?, How to set up a realm, Introduction, Top
-@chapter What is Kerberos?
-
-@quotation
-@flushleft
- Now this Cerberus had three heads of dogs,
- the tail of a dragon, and on his back the
- heads of all sorts of snakes.
- --- Pseudo-Apollodorus Library 2.5.12
-@end flushleft
-@end quotation
-
-Kerberos is a system for authenticating users and services on a network.
-It is built upon the assumption that the network is ``unsafe''. For
-example, data sent over the network can be eavesdropped and altered, and
-addresses can also be faked. Therefore they cannot be used for
-authentication purposes.
-@cindex authentication
-
-Kerberos is a trusted third-party service. That means that there is a
-third party (the kerberos server) that is trusted by all the entities on
-the network (users and services, usually called @dfn{principals}). All
-principals share a secret password (or key) with the kerberos server and
-this enables principals to verify that the messages from the kerberos
-server are authentic. Thus trusting the kerberos server, users and
-services can authenticate each other.
-
-@section Basic mechanism
-
-@ifinfo
-@macro sub{arg}
-<\arg\>
-@end macro
-@end ifinfo
-
-@tex
-@def@xsub#1{$_{#1}$}
-@global@let@sub=@xsub
-@end tex
-
-In Kerberos, principals use @dfn{tickets} to prove that they are who
-they claim to be. In the following example, @var{A} is the initiator of
-the authentication exchange, usually a user, and @var{B} is the service
-that @var{A} wishes to use.
-
-To obtain a ticket for a specific service, @var{A} sends a ticket
-request to the kerberos server. The request basically contains @var{A}'s
-and @var{B}'s names. The kerberos server checks that both @var{A} and
-@var{B} are valid principals.
-
-Having verified the validity of the principals, it creates a packet
-containing @var{A}'s and @var{B}'s names, @var{A}'s network address
-(@var{A@sub{addr}}), the current time (@var{t@sub{issue}}), the lifetime
-of the ticket (@var{life}), and a secret @dfn{session key}
-@cindex session key
-(@var{K@sub{AB}}). This packet is encrypted with @var{B}'s secret key
-(@var{K@sub{B}}). The actual ticket (@var{T@sub{AB}}) looks like this:
-(@{@var{A}, @var{B}, @var{A@sub{addr}}, @var{t@sub{issue}}, @var{life},
-@var{K@sub{AB}}@}@var{K@sub{B}}).
-
-The reply to @var{A} consists of the ticket (@var{T@sub{AB}}), @var{B}'s
-name, the current time, the lifetime of the ticket, and the session key, all
-encrypted in @var{A}'s secret key (@{@var{B}, @var{t@sub{issue}},
-@var{life}, @var{K@sub{AB}}, @var{T@sub{AB}}@}@var{K@sub{A}}). @var{A}
-decrypts the reply and retains it for later use.
-
-@sp 1
-
-Before sending a message to @var{B}, @var{A} creates an authenticator
-consisting of @var{A}'s name, @var{A}'s address, the current time, and a
-``checksum'' chosen by @var{A}, all encrypted with the secret session
-key (@{@var{A}, @var{A@sub{addr}}, @var{t@sub{current}},
-@var{checksum}@}@var{K@sub{AB}}). This is sent together with the ticket
-received from the kerberos server to @var{B}. Upon reception, @var{B}
-decrypts the ticket using @var{B}'s secret key. Since the ticket
-contains the session key that the authenticator was encrypted with,
-@var{B} can now also decrypt the authenticator. To verify that @var{A}
-really is @var{A}, @var{B} now has to compare the contents of the ticket
-with that of the authenticator. If everything matches, @var{B} now
-considers @var{A} as properly authenticated.
-
-@c (here we should have some more explanations)
-
-@section Different attacks
-
-@subheading Impersonating A
-
-An impostor, @var{C} could steal the authenticator and the ticket as it
-is transmitted across the network, and use them to impersonate
-@var{A}.
The address in the ticket and the authenticator was added to
-make it more difficult to perform this attack. To succeed @var{C} will
-have to either use the same machine as @var{A} or fake the source
-addresses of the packets. By including the time stamp in the
-authenticator, @var{C} does not have much time in which to mount the
-attack.
-
-@subheading Impersonating B
-
-@var{C} can masquerade @var{B}'s network address, and when @var{A} sends
-her credentials, @var{C} just pretend to verify them. @var{C} can't
-be sure that she is talking to @var{A}.
-
-@section Defense strategies
-
-It would be possible to add a @dfn{replay cache}
-@cindex replay cache
-to the server side. The idea is to save the authenticators sent during
-the last few minutes, so that @var{B} can detect when someone is trying
-to retransmit an already used message. This is somewhat impractical
-(mostly regarding efficiency), and is not part of Kerberos 4; MIT
-Kerberos 5 contains it.
-
-To authenticate @var{B}, @var{A} might request that @var{B} sends
-something back that proves that @var{B} has access to the session
-key. An example of this is the checksum that @var{A} sent as part of the
-authenticator. One typical procedure is to add one to the checksum,
-encrypt it with the session key and send it back to @var{A}. This is
-called @dfn{mutual authentication}.
-
-The session key can also be used to add cryptographic checksums to the
-messages sent between @var{A} and @var{B} (known as @dfn{message
-integrity}). Encryption can also be added (@dfn{message
-confidentiality}). This is probably the best approach in all cases.
-@cindex integrity
-@cindex confidentiality
-
-@section Further reading
-
-The original paper on Kerberos from 1988 is @cite{Kerberos: An
-Authentication Service for Open Network Systems}, by Jennifer Steiner,
-Clifford Neuman and Jeffrey I. Schiller.
-
-A less technical description can be found in @cite{Designing an
-Authentication System: a Dialogue in Four Scenes} by Bill Bryant, also
-from 1988.
-
-These and several other documents can be found on our web-page.
diff --git a/kerberosIV/ext_srvtab/Makefile b/kerberosIV/ext_srvtab/Makefile
deleted file mode 100644
index 7ad3bd3464f..00000000000
--- a/kerberosIV/ext_srvtab/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# from @(#)Makefile 8.1 (Berkeley) 6/1/93
-# $Id: Makefile,v 1.1 1995/12/14 06:52:41 tholo Exp $
-
-PROG= ext_srvtab
-DPADD= ${LIBKDB} ${LIBKRB} ${LIBDES}
-LDADD= -lkdb -lkrb -ldes
-MAN= ext_srvtab.8
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/ext_srvtab/ext_srvtab.8 b/kerberosIV/ext_srvtab/ext_srvtab.8
deleted file mode 100644
index 9e0a6fa7f5c..00000000000
--- a/kerberosIV/ext_srvtab/ext_srvtab.8
+++ /dev/null
@@ -1,85 +0,0 @@
-.\"
-.\" This source code is no longer held under any constraint of USA
-.\" `cryptographic laws' since it was exported legally. The cryptographic
-.\" functions were removed from the code and a "Bones" distribution was
-.\" made. A Commodity Jurisdiction Request #012-94 was filed with the
-.\" USA State Department, who handed it to the Commerce department. The
-.\" code was determined to fall under General License GTDA under ECCN 5D96G,
-.\" and hence exportable. The cryptographic interfaces were re-added by Eric
-.\" Young, and then KTH proceeded to maintain the code in the free world.
-.\"
-.\"Copyright (C) 1989 by the Massachusetts Institute of Technology
-.\"
-.\"Export of this software from the United States of America is assumed
-.\"to require a specific license from the United States Government.
-.\"It is the responsibility of any person or organization contemplating
-.\"export to obtain such a license before exporting.
-.\"
-.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\"distribute this software and its documentation for any purpose and
-.\"without fee is hereby granted, provided that the above copyright
-.\"notice appear in all copies and that both that copyright notice and
-.\"this permission notice appear in supporting documentation, and that
-.\"the name of M.I.T. not be used in advertising or publicity pertaining
-.\"to distribution of the software without specific, written prior
-.\"permission. M.I.T. makes no representations about the suitability of
-.\"this software for any purpose. It is provided "as is" without express
-.\"or implied warranty.
-.\"
-.\" $OpenBSD: ext_srvtab.8,v 1.4 1998/02/25 15:50:31 art Exp $
-.TH EXT_SRVTAB 8 "Kerberos Version 4.0" "MIT Project Athena"
-.SH NAME
-ext_srvtab \- extract service key files from Kerberos key distribution center database
-.SH SYNOPSIS
-ext_srvtab [
-.B \-n
-] [
-.B \-r realm
-] [
-.B hostname ...
-]
-.SH DESCRIPTION
-.I ext_srvtab
-extracts service key files from the Kerberos key distribution center
-(KDC) database.
-.PP
-Upon execution, it prompts the user to enter the master key string for
-the database. If the
-.B \-n
-option is specified, the master key is instead fetched from the master
-key cache file.
-.PP
-For each
-.I hostname
-specified on the command line,
-.I ext_srvtab
-creates the service key file
-.IR hostname -new-srvtab,
-containing all the entries in the database with an instance field of
-.I hostname.
-This new file contains all the keys registered for Kerberos-mediated
-service providing programs which use the
-.IR krb_get_phost (3)
-principal and instance conventions to run on the host
-.IR hostname .
-If the
-.B \-r
-option is specified, the realm fields in the extracted file will
-match the given realm rather than the local realm.
-.SH DIAGNOSTICS
-.TP 20n
-"verify_master_key: Invalid master key, does not match database."
-The master key string entered was incorrect.
-.SH FILES
-.TP 20n
-.IR hostname -new-srvtab
-Service key file generated for
-.I hostname
-.TP
-/etc/kerberosIV/principal.pag, /etc/kerberosIV/principal.dir
-DBM files containing database
-.TP
-/etc/kerberosIV/master_key
-Master key cache file.
-.SH SEE ALSO
-read_service_key(3), krb_get_phost(3)
diff --git a/kerberosIV/ext_srvtab/ext_srvtab.c b/kerberosIV/ext_srvtab/ext_srvtab.c
deleted file mode 100644
index f9ff0d2bcea..00000000000
--- a/kerberosIV/ext_srvtab/ext_srvtab.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/* $OpenBSD: ext_srvtab.c,v 1.5 1998/08/12 23:09:05 art Exp $ */
-/* $KTH: ext_srvtab.c,v 1.13 1997/05/02 14:27:33 assar Exp $ */
-
-/*-
- * Copyright 1987, 1988 by the Student Information Processing Board
- * of the Massachusetts Institute of Technology
- *
- * Permission to use, copy, modify, and distribute this software
- * and its documentation for any purpose and without fee is
- * hereby granted, provided that the above copyright notice
- * appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation,
- * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
- * used in advertising or publicity pertaining to distribution
- * of the software without specific, written prior permission.
- * M.I.T. and the M.I.T. S.I.P.B. make no representations about
- * the suitability of this software for any purpose. It is
- * provided "as is" without express or implied warranty.
- */
-
-#include <sys/param.h>
-
-#include <adm_locl.h>
-#include <err.h>
-
-static des_cblock master_key;
-static des_cblock session_key;
-static des_key_schedule master_key_schedule;
-char progname[] = "ext_srvtab";
-static char realm[REALM_SZ];
-
-static void
-usage(void)
-{
- fprintf(stderr,
- "Usage: %s [-n] [-r realm] instance [instance ...]\n", progname);
- exit(1);
-}
-
-static void
-StampOutSecrets(void)
-{
- memset(master_key, 0, sizeof master_key);
- memset(session_key, 0, sizeof session_key);
- memset(master_key_schedule, 0, sizeof master_key_schedule);
-}
-
-static void
-FWrite(void *p, int size, int n, FILE *f)
-{
- if (fwrite(p, size, n, f) != n) {
- StampOutSecrets();
- errx(1, "Error writing output file.
Terminating.\n");
- }
-}
-
-int
-main(int argc, char **argv)
-{
- FILE *fout;
- char fname[MAXPATHLEN];
- int fopen_errs = 0;
- int arg;
- Principal princs[40];
- int more;
- int prompt = KDB_GET_PROMPT;
- int n, i;
-
- memset(realm, 0, sizeof(realm));
-
- if (atexit(StampOutSecrets))
- errx(1, "Out of resources");
-
- /* Parse commandline arguments */
- if (argc < 2)
- usage();
- else {
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "-n") == 0)
- prompt = FALSE;
- else if (strcmp(argv[i], "-r") == 0) {
- if (++i >= argc)
- usage();
- else {
- strcpy(realm, argv[i]);
- /*
- * This is to humor the broken way commandline
- * argument parsing is done. Later, this
- * program ignores everything that starts with -.
- */
- argv[i][0] = '-';
- }
- }
- else if (argv[i][0] == '-')
- usage();
- else
- if (!k_isinst(argv[i])) {
- warnx("bad instance name: %s", argv[i]);
- usage();
- }
- }
- }
-
- if (kdb_get_master_key (prompt, &master_key, master_key_schedule) != 0)
- errx (1, "Couldn't read master key.");
-
- if (kdb_verify_master_key (&master_key, master_key_schedule, stderr) < 0)
- exit(1);
-
- /* For each arg, search for instances of arg, and produce */
- /* srvtab file */
- if (!realm[0])
- if (krb_get_lrealm(realm, 1) != KSUCCESS) {
- StampOutSecrets();
- errx (1, "couldn't get local realm");
- }
- umask(077);
-
- for (arg = 1; arg < argc; arg++) {
- if (argv[arg][0] == '-')
- continue;
- snprintf(fname, sizeof(fname), "%s-new-srvtab", argv[arg]);
- if ((fout = fopen(fname, "w")) == NULL) {
- warn("Couldn't create file '%s'.", fname);
- fopen_errs++;
- continue;
- }
- printf("Generating '%s'....\n", fname);
- n = kerb_get_principal("*", argv[arg], &princs[0], 40, &more);
- if (more)
- fprintf(stderr, "More than 40 found...\n");
- for (i = 0; i < n; i++) {
- FWrite(princs[i].name, strlen(princs[i].name) + 1, 1, fout);
- FWrite(princs[i].instance, strlen(princs[i].instance) + 1,
- 1, fout);
- FWrite(realm, strlen(realm) + 1, 1, fout);
-
FWrite(&princs[i].key_version,
- sizeof(princs[i].key_version), 1, fout);
- copy_to_key(&princs[i].key_low, &princs[i].key_high, session_key);
- kdb_encrypt_key (&session_key, &session_key,
- &master_key, master_key_schedule, DES_DECRYPT);
- FWrite(session_key, sizeof session_key, 1, fout);
- }
- fclose(fout);
- }
- StampOutSecrets();
- return fopen_errs; /* 0 errors if successful */
-}
diff --git a/kerberosIV/include/Makefile b/kerberosIV/include/Makefile
deleted file mode 100644
index 6f9af9462f2..00000000000
--- a/kerberosIV/include/Makefile
+++ /dev/null
@@ -1,5 +0,0 @@
-# $Id: Makefile,v 1.2 1996/11/16 21:52:36 downsj Exp $
-
-SUBDIR= kerberosIV
-
-.include <bsd.subdir.mk>
diff --git a/kerberosIV/include/adm_locl.h b/kerberosIV/include/adm_locl.h
deleted file mode 100644
index e67e3985246..00000000000
--- a/kerberosIV/include/adm_locl.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/* $OpenBSD: adm_locl.h,v 1.5 1998/05/18 02:13:20 art Exp $ */
-
-/*-
- * Copyright 1987, 1988 by the Student Information Processing Board
- * of the Massachusetts Institute of Technology
- *
- * Permission to use, copy, modify, and distribute this software
- * and its documentation for any purpose and without fee is
- * hereby granted, provided that the above copyright notice
- * appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation,
- * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
- * used in advertising or publicity pertaining to distribution
- * of the software without specific, written prior permission.
- * M.I.T. and the M.I.T. S.I.P.B. make no representations about
- * the suitability of this software for any purpose. It is
- * provided "as is" without express or implied warranty.
- */
-
-#ifndef __adm_locl_h
-#define __adm_locl_h
-
-#include <sys/cdefs.h>
-#include <kerberosIV/site.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include <sys/types.h>
-
-#include <sys/time.h>
-#include <time.h>
-
-#include <unistd.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <signal.h>
-#include <errno.h>
-#include <err.h>
-
-#include <netinet/in.h>
-
-#include <des.h>
-#include <kerberosIV/krb.h>
-#include <kerberosIV/krb_db.h>
-#include <kerberosIV/kadm.h>
-#include "kdc.h"
-
-#endif /* __adm_locl_h */
diff --git a/kerberosIV/include/kadm_locl.h b/kerberosIV/include/kadm_locl.h
deleted file mode 100644
index 3c48c57df21..00000000000
--- a/kerberosIV/include/kadm_locl.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/* $OpenBSD: kadm_locl.h,v 1.5 1998/02/18 11:53:33 art Exp $ */
-/* $KTH: kadm_locl.h,v 1.26 1997/09/02 18:13:26 assar Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <string.h>
-
-#include <sys/types.h>
-
-#include <sys/time.h>
-#include <time.h>
-
-#include <sys/stat.h>
-#include <sys/select.h>
-#include <fcntl.h>
-
-#include <errno.h>
-#include <signal.h>
-#include <unistd.h>
-
-#include <sys/resource.h>
-#include <sys/wait.h>
-#include <pwd.h>
-
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netdb.h>
-
-#include <syslog.h>
-
-#include <err.h>
-
-#include <com_err.h>
-#include <sl.h>
-
-#include <des.h>
-#include <kerberosIV/krb.h>
-#include <krb_err.h>
-#include <kerberosIV/krb_db.h>
-#include <kerberosIV/kadm.h>
-#include <kadm_err.h>
-#include <kerberosIV/acl.h>
-
-#include <krb_log.h>
-
-#include "kadm_server.h"
-#include "pw_check.h"
-
-/* from libacl */
-/* int acl_check(char *acl, char *principal); */
-
-/* GLOBALS */
-extern char *acldir;
-extern Kadm_Server server_parm;
-
-/* Utils */
-int kadm_change __P((char *, char *, char *, des_cblock));
-int kadm_add_entry __P((char *, char *, char *, Kadm_vals *, Kadm_vals *));
-int kadm_mod_entry __P((char *, char *, char *, Kadm_vals *, Kadm_vals *, Kadm_vals *));
-int kadm_get_entry __P((char *, char *, char *, Kadm_vals *, u_char *, Kadm_vals *));
-int kadm_delete_entry __P((char *, char *, char *, Kadm_vals *));
-int kadm_ser_cpw __P((u_char *, int, AUTH_DAT *, u_char **, int *));
-int kadm_ser_add __P((u_char *, int, AUTH_DAT *, u_char **, int *));
-int
kadm_ser_mod __P((u_char *, int, AUTH_DAT *, u_char **, int *));
-int kadm_ser_get __P((u_char *, int, AUTH_DAT *, u_char **, int *));
-int kadm_ser_delete __P((u_char *, int, AUTH_DAT *, u_char **, int *));
-int kadm_ser_init __P((int inter, char realm[]));
-int kadm_ser_in __P((u_char **, int *));
-
-int get_pw_new_pwd __P((char *pword, int pwlen, krb_principal *pr, int print_realm));
-
-/* cracklib */
-char *FascistCheck __P((char *password, char *path, char **strings));
diff --git a/kerberosIV/include/kadm_server.h b/kerberosIV/include/kadm_server.h
deleted file mode 100644
index 2b751489a30..00000000000
--- a/kerberosIV/include/kadm_server.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/* $OpenBSD: kadm_server.h,v 1.4 1998/02/25 15:50:33 art Exp $ */
-/* $Id: kadm_server.h,v 1.4 1998/02/25 15:50:33 art Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * Definitions for Kerberos administration server & client
- */
-
-#ifndef KADM_SERVER_DEFS
-#define KADM_SERVER_DEFS
-
-/*
- * kadm_server.h
- * Header file for the fourth attempt at an admin server
- * Doug Church, December 28, 1989, MIT Project Athena
- * ps. Yes that means this code belongs to athena etc...
- * as part of our ongoing attempt to copyright all greek names
- */
-
-#include <sys/types.h>
-#include <kerberosIV/krb.h>
-#include <des.h>
-
-typedef struct {
- struct sockaddr_in admin_addr;
- struct sockaddr_in recv_addr;
- int recv_addr_len;
- int admin_fd; /* our link to clients */
- char sname[ANAME_SZ];
- char sinst[INST_SZ];
- char krbrlm[REALM_SZ];
- des_cblock master_key;
- des_cblock session_key;
- des_key_schedule master_key_schedule;
- long master_key_version;
-} Kadm_Server;
-
-#endif /* KADM_SERVER_DEFS */
diff --git a/kerberosIV/include/kafs_locl.h b/kerberosIV/include/kafs_locl.h
deleted file mode 100644
index 08fe2eee051..00000000000
--- a/kerberosIV/include/kafs_locl.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/* $OpenBSD: kafs_locl.h,v 1.3 1998/09/18 00:59:32 art Exp $ */
-/* $KTH: kafs_locl.h,v 1.7 1997/10/14 22:57:11 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __KAFS_LOCL_H__
-#define __KAFS_LOCL_H__
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <signal.h>
-#include <setjmp.h>
-#include <errno.h>
-
-#include <sys/types.h>
-#include <unistd.h>
-#include <sys/ioctl.h>
-#include <sys/filio.h>
-
-#include <sys/syscall.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-
-#include <netdb.h>
-
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <kerberosIV/krb.h>
-#include <kerberosIV/kafs.h>
-
-struct kafs_data;
-typedef int (*afslog_uid_func_t)(struct kafs_data*, const char*, uid_t);
-
-typedef int (*get_cred_func_t)(struct kafs_data*, const char*, const char*,
- const char*, CREDENTIALS*);
-
-typedef char* (*get_realm_func_t)(struct kafs_data*, const char*);
-
-typedef struct kafs_data {
- afslog_uid_func_t afslog_uid;
- get_cred_func_t get_cred;
- get_realm_func_t get_realm;
- void *data;
-} kafs_data;
-
-int _kafs_afslog_all_local_cells(kafs_data*, uid_t);
-
-int _kafs_get_cred(kafs_data*, const char*, const char*, const char *,
- CREDENTIALS*);
-
-#endif /* __KAFS_LOCL_H__ */
diff --git a/kerberosIV/include/kdc.h b/kerberosIV/include/kdc.h
deleted file mode 100644
index d5f5c14dee8..00000000000
--- a/kerberosIV/include/kdc.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* $OpenBSD: kdc.h,v 1.4 1998/02/25 15:50:34 art Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1987, 1988 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * Include file for the Kerberos Key Distribution Center.
- */
-
-#ifndef KDC_DEFS
-#define KDC_DEFS
-
-#define S_AD_SZ sizeof(struct sockaddr_in)
-
-#define TRUE 1
-#define FALSE 0
-
-#define KRB_PROG "./kerberos"
-
-#define ONE_MINUTE 60
-#define FIVE_MINUTES (5 * ONE_MINUTE)
-#define ONE_HOUR (60 * ONE_MINUTE)
-#define ONE_DAY (24 * ONE_HOUR)
-#define THREE_DAYS (3 * ONE_DAY)
-
-#endif /* KDC_DEFS */
-
diff --git a/kerberosIV/include/kerberosIV/Makefile b/kerberosIV/include/kerberosIV/Makefile
deleted file mode 100644
index b2c3fb5ecac..00000000000
--- a/kerberosIV/include/kerberosIV/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-# $Id: Makefile,v 1.8 1998/11/28 23:47:17 art Exp $
-
-FILES= acl.h kadm.h kafs.h kparse.h krb.h krb_db.h krb-protos.h site.h prot.h
-NOOBJ= noobj
-
-all include clean cleandir depend lint tags:
-
-includes:
- install -d -o ${BINOWN} -g ${BINGRP} -m 755 ${DESTDIR}/usr/include/kerberosIV
- @echo installing ${FILES}
- @-for i in ${FILES}; do \
- cmp -s $$i ${DESTDIR}/usr/include/kerberosIV/$$i || \
- ${INSTALL} ${INSTALL_COPY} -m 444 $$i ${DESTDIR}/usr/include/kerberosIV/$$i; \
- done
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/include/kerberosIV/acl.h b/kerberosIV/include/kerberosIV/acl.h
deleted file mode 100644
index db54fd165ef..00000000000
--- a/kerberosIV/include/kerberosIV/acl.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* $OpenBSD: acl.h,v 1.5 1998/02/18 11:53:40 art Exp $ */
-/* $KTH: acl.h,v 1.5 1997/04/01 08:17:52 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __ACL_H
-#define __ACL_H
-
-void acl_canonicalize_principal __P((char *principal, char *canon));
-int acl_initialize __P((char *acl_file, int perm));
-int acl_exact_match __P((char *acl, char *principal));
-int acl_check __P((char *acl, char *principal));
-int acl_add __P((char *acl, char *principal));
-int acl_delete __P((char *acl, char *principal));
-
-#endif /* __ACL_H */
diff --git a/kerberosIV/include/kerberosIV/kadm.h b/kerberosIV/include/kerberosIV/kadm.h
deleted file mode 100644
index f56306bfd62..00000000000
--- a/kerberosIV/include/kerberosIV/kadm.h
+++ /dev/null
@@ -1,164 +0,0 @@
-/* $OpenBSD: kadm.h,v 1.5 1998/05/18 02:12:46 art Exp $ */
-/* $KTH: kadm.h,v 1.15 1998/04/23 22:17:52 joda Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#ifndef KADM_DEFS
-#define KADM_DEFS
-
-/*
- * kadm.h
- * Header file for the fourth attempt at an admin server
- * Doug Church, December 28, 1989, MIT Project Athena
- */
-
-#include <kerberosIV/krb_db.h>
-
-/* The global structures for the client and server */
-typedef struct {
- struct sockaddr_in admin_addr;
- struct sockaddr_in my_addr;
- int my_addr_len;
- int admin_fd; /* file descriptor for link to admin server */
- char sname[ANAME_SZ]; /* the service name */
- char sinst[INST_SZ]; /* the services instance */
- char krbrlm[REALM_SZ];
-} Kadm_Client;
-
-typedef struct { /* status of the server, i.e the parameters */
- int inter; /* Space for command line flags */
- char *sysfile; /* filename of server */
-} admin_params; /* Well... it's the admin's parameters */
-
-/* Largest password length to be supported */
-#define MAX_KPW_LEN 128
-/* Minimum allowed password length */
-#define MIN_KPW_LEN 6
-
-/* Largest packet the admin server will ever allow itself to return */
-#define KADM_RET_MAX 2048
-
-/* That's right, versions are 8 byte strings */
-#define KADM_VERSTR "KADM0.0A"
-#define KADM_ULOSE "KYOULOSE" /* sent back when server can't
- decrypt client's msg */
-#define KADM_VERSIZE strlen(KADM_VERSTR)
-
-/* the lookups for the server instances */
-#define PWSERV_NAME "changepw"
-#define KADM_SNAME "kerberos_master"
-#define KADM_PORT 751
-#define KADM_SINST "kerberos"
-
-/* Attributes fields constants and macros */
-#define ALLOC 2
-#define RESERVED 3
-#define DEALLOC 4
-#define DEACTIVATED 5
-#define ACTIVE 6
-
-/* Kadm_vals structure for passing db fields into the server routines */
-#define FLDSZ 4
-
-typedef struct {
- u_int8_t fields[FLDSZ]; /* The active fields in this struct */
- char name[ANAME_SZ];
- char instance[INST_SZ];
- u_int32_t key_low;
- u_int32_t key_high;
- u_int32_t exp_date;
- u_int16_t attributes;
- u_int8_t max_life;
-} Kadm_vals; /* The basic values structure in Kadm */
-
-/* Need to define fields types here */
-#define KADM_NAME 31
-#define KADM_INST 30
-#define KADM_EXPDATE 29
-#define KADM_ATTR 28
-#define KADM_MAXLIFE 27
-#define KADM_DESKEY 26
-
-/* To set a field entry f in a fields structure d */
-#define SET_FIELD(f,d) (d[3-(f/8)]|=(1<<(f%8)))
-
-/* To set a field entry f in a fields structure d */
-#define CLEAR_FIELD(f,d) (d[3-(f/8)]&=(~(1<<(f%8))))
-
-/* Is field f in fields structure d */
-#define IS_FIELD(f,d) (d[3-(f/8)]&(1<<(f%8)))
-
-/* Various return codes */
-#define KADM_SUCCESS 0
-
-#define WILDCARD_STR "*"
-
-enum acl_types {
-ADDACL,
-GETACL,
-MODACL,
-STABACL, /* not used */
-DELACL
-};
-
-/* Various opcodes for the admin server's functions */
-#define CHANGE_PW 2
-#define ADD_ENT 3
-#define MOD_ENT 4
-#define GET_ENT 5
-#define CHECK_PW 6 /* not used */
-#define CHG_STAB 7 /* not used */
-#define DEL_ENT 8
-
-void prin_vals __P((Kadm_vals *));
-int stv_long __P((u_char *, u_int32_t *, int, int));
-int vts_long __P((u_int32_t, u_char **, int));
-int vts_string __P((char *, u_char **, int));
-int stv_string __P((u_char *, char *, int, int, int));
-
-int stream_to_vals __P((u_char *, Kadm_vals *, int));
-int vals_to_stream __P((Kadm_vals *, u_char **));
-
-int kadm_init_link __P((char *, char *, char *));
-int kadm_change_pw __P((unsigned char *));
-int kadm_change_pw_plain __P((unsigned char *, char *, char**));
-int kadm_change_pw2 __P((unsigned char *, char *, char**));
-int kadm_mod __P((Kadm_vals *, Kadm_vals *));
-int kadm_get __P((Kadm_vals *, u_char *));
-int kadm_add __P((Kadm_vals *));
-int kadm_del __P((Kadm_vals *));
-void kadm_vals_to_prin __P((u_char *, Principal *, Kadm_vals *));
-void kadm_prin_to_vals __P((u_char *, Kadm_vals *, Principal *));
-int kadm_check_pw __P((const char*));
-
-#endif /* KADM_DEFS */
diff --git a/kerberosIV/include/kerberosIV/kafs.h b/kerberosIV/include/kerberosIV/kafs.h
deleted file mode 100644
index f2cba1ed0d4..00000000000
--- a/kerberosIV/include/kerberosIV/kafs.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/* $OpenBSD: kafs.h,v 1.9 1998/09/18 00:54:32 art Exp $ */
-/* $KTH: kafs.h,v 1.28 1998/04/26 18:20:09 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __KAFS_H
-#define __KAFS_H
-
-/* XXX must include krb5.h or krb.h */
-
-/* sys/ioctl.h must be included manually before kafs.h */
-
-#include <xfs/xfs_pioctl.h>
-
-/* Use k_hasafs() to probe if the machine supports AFS syscalls.
- The other functions will generate a SIGSYS if AFS is not supported */
-
-int k_hasafs __P((void));
-
-int krb_afslog __P((const char *cell, const char *realm));
-int krb_afslog_uid __P((const char *cell, const char *realm, uid_t uid));
-/* compat */
-#define k_afsklog krb_afslog
-#define k_afsklog_uid krb_afslog_uid
-
-int k_pioctl __P((char *a_path,
- int o_opcode,
- struct ViceIoctl *a_paramsP,
- int a_followSymlinks));
-int k_unlog __P((void));
-int k_setpag __P((void));
-int k_afs_cell_of_file __P((const char *path, char *cell, int len));
-
-/* XXX */
-#ifdef KFAILURE
-#define KRB_H_INCLUDED
-#endif
-
-#ifdef KRB5_RECVAUTH_IGNORE_VERSION
-#define KRB5_H_INCLUDED
-#endif
-
-#ifdef KRB_H_INCLUDED
-int kafs_settoken __P((const char*, uid_t, CREDENTIALS*));
-#endif
-
-#ifdef KRB5_H_INCLUDED
-krb5_error_code krb5_afslog_uid __P((krb5_context, krb5_ccache,
- const char*, krb5_const_realm, uid_t));
-krb5_error_code krb5_afslog __P((krb5_context, krb5_ccache,
- const char*, krb5_const_realm));
-#endif
-
-
-#define _PATH_VICE "/usr/vice/etc/"
-#define _PATH_THISCELL _PATH_VICE "ThisCell"
-#define _PATH_CELLSERVDB _PATH_VICE "CellServDB"
-#define _PATH_THESECELLS _PATH_VICE "TheseCells"
-
-#define _PATH_ARLA_VICE "/etc/afs/"
-#define _PATH_ARLA_THISCELL _PATH_ARLA_VICE "ThisCell"
-#define _PATH_ARLA_CELLSERVDB _PATH_ARLA_VICE "CellServDB"
-#define _PATH_ARLA_THESECELLS _PATH_ARLA_VICE "TheseCells"
-
-extern int _kafs_debug;
-
-#endif /* __KAFS_H */
diff --git a/kerberosIV/include/kerberosIV/kparse.h b/kerberosIV/include/kerberosIV/kparse.h
deleted file mode 100644
index 0a4fd8bdbd6..00000000000
--- a/kerberosIV/include/kerberosIV/kparse.h
+++ /dev/null
@@ -1,109 +0,0 @@
-/* $OpenBSD: kparse.h,v 1.2 1998/02/18 11:53:41 art Exp $ */
-
-/*-
- * Copyright 1987, 1988 by the Student Information Processing Board
- * of the Massachusetts Institute of Technology
- *
- * Permission to use, copy, modify, and distribute this software
- * and its documentation for any purpose and without fee is
- * hereby granted, provided that the above copyright notice
- * appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation,
- * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
- * used in advertising or publicity pertaining to distribution
- * of the software without specific, written prior permission.
- * M.I.T. and the M.I.T. S.I.P.B. make no representations about
- * the suitability of this software for any purpose. It is
- * provided "as is" without express or implied warranty.
- */
-
-/*
- * Include file for kparse routines.
- */
-
-#ifndef KPARSE_DEFS
-#define KPARSE_DEFS
-
-/*
- * values returned by fGetParameterSet()
- */
-
-#define PS_BAD_KEYWORD -2 /* unknown or duplicate keyword */
-#define PS_SYNTAX -1 /* syntax error */
-#define PS_OKAY 0 /* got a complete parameter set */
-#define PS_EOF 1 /* nothing more in the file */
-
-/*
- * values returned by fGetKeywordValue()
- */
-
-#define KV_SYNTAX -2 /* syntax error */
-#define KV_EOF -1 /* nothing more in the file */
-#define KV_OKAY 0 /* got a keyword/value pair */
-#define KV_EOL 1 /* nothing more on this line */
-
-/*
- * values returned by fGetToken()
- */
-
-#define GTOK_BAD_QSTRING -1 /* newline found in quoted string */
-#define GTOK_EOF 0 /* end of file encountered */
-#define GTOK_QSTRING 1 /* quoted string */
-#define GTOK_STRING 2 /* unquoted string */
-#define GTOK_NUMBER 3 /* one or more digits */
-#define GTOK_PUNK 4 /* punks are punctuation, newline,
- * etc. */
-#define GTOK_WHITE 5 /* one or more whitespace chars */
-
-/*
- * extended character classification macros
- */
-
-#define ISOCTAL(CH) ( (CH>='0') && (CH<='7') )
-#define ISQUOTE(CH) ( (CH=='\"') || (CH=='\'') || (CH=='`') )
-#define ISWHITESPACE(C) ( (C==' ') || (C=='\t') )
-#define ISLINEFEED(C) ( (C=='\n') || (C=='\r') || (C=='\f') )
-
-/*
- * tokens consist of any printable charcacter except comma, equal, or
- * whitespace
- */
-
-#define ISTOKENCHAR(C) ((C>040) && (C<0177) && (C != ',') && (C != '='))
-
-/*
- * the parameter table defines the keywords that will be recognized by
- * fGetParameterSet, and their default values if not specified.
- */
-
-typedef struct {
- char *keyword;
- char *defvalue;
- char *value;
-} parmtable;
-
-#define PARMCOUNT(P) (sizeof(P)/sizeof(P[0]))
-
-extern int LineNbr; /* current line # in parameter file */
-
-extern char ErrorMsg[]; /*
- * meaningful only when KV_SYNTAX,
- * PS_SYNTAX, or PS_BAD_KEYWORD is
- * returned by fGetKeywordValue or
- * fGetParameterSet
- */
-
-#include <stdio.h>
-
-int fGetParameterSet __P((FILE *fp, parmtable *parm, int parmcount));
-int ParmCompare __P((parmtable *parm, int parmcount, char *keyword, char *value));
-void FreeParameterSet __P((parmtable *parm, int parmcount));
-int fGetKeywordValue __P((FILE *fp, char *keyword, int klen, char *value, int vlen));
-int fGetToken __P((FILE *fp, char *dest, int maxlen));
-int fGetLiteral __P((FILE *fp));
-int fUngetChar __P((int ch, FILE *fp));
-int fGetChar __P((FILE *fp));
-char * strsave __P((char *p));
-char * strutol __P((char *start));
-
-#endif /* KPARSE_DEFS */
diff --git a/kerberosIV/include/kerberosIV/krb-protos.h b/kerberosIV/include/kerberosIV/krb-protos.h
deleted file mode 100644
index 65866f461a9..00000000000
--- a/kerberosIV/include/kerberosIV/krb-protos.h
+++ /dev/null
@@ -1,741 +0,0 @@
-/* $OpenBSD: krb-protos.h,v 1.4 1998/07/07 19:07:53 art Exp $ */
-/* $KTH: krb-protos.h,v 1.7 1998/04/04 17:56:36 assar Exp $ */
-
-/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __krb_protos_h__
-#define __krb_protos_h__
-
-#include <stdarg.h>
-#include <time.h>
-#include <sys/time.h>
-
-#ifdef __GNUC__
-struct in_addr;
-struct sockaddr_in;
-#endif
-
-void
-afs_string_to_key __P((
- char *str,
- char *cell,
- des_cblock *key));
-
-int
-create_ciph __P((
- KTEXT c,
- unsigned char *session,
- char *service,
- char *instance,
- char *realm,
- u_int32_t life,
- int kvno,
- KTEXT tkt,
- u_int32_t kdc_time,
- des_cblock *key));
-
-void
-cr_err_reply __P((
- KTEXT pkt,
- char *pname,
- char *pinst,
- char *prealm,
- u_int32_t time_ws,
- u_int32_t e,
- char *e_string));
-
-int
-decomp_ticket __P((
- KTEXT tkt,
- unsigned char *flags,
- char *pname,
- char *pinstance,
- char *prealm,
- u_int32_t *paddress,
- unsigned char *session,
- int *life,
- u_int32_t *time_sec,
- char *sname,
- char *sinstance,
- des_cblock *key,
- des_key_schedule schedule));
-
-int
-dest_tkt __P((void));
-
-int
-get_ad_tkt __P((
- char *service,
- char *sinstance,
- char *realm,
- int lifetime));
-
-int
-getst __P((
- int fd,
- char *s,
- int n));
-
-int
-in_tkt __P((
- char *pname,
- char *pinst));
-
-int
-k_get_all_addrs __P((struct in_addr **l));
-
-int
-k_getportbyname __P((
- const char *service,
- const char *proto,
- int default_port));
-
-int
-k_getsockinst __P((
- int fd,
- char *inst,
- size_t inst_size));
-
-int
-k_isinst __P((char *s));
-
-int
-k_isname __P((char *s));
-
-int
-k_isrealm __P((char *s));
-
-struct tm *k_localtime __P((u_int32_t *tp));
-
-int
-kname_parse __P((
- char *np,
- char *ip,
- char *rp,
- char *fullname));
-
-int
-krb_atime_to_life __P((char *atime));
-
-int
-krb_check_auth __P((
- KTEXT packet,
- u_int32_t checksum,
- MSG_DAT *msg_data,
- des_cblock *session,
- struct des_ks_struct *schedule,
- struct sockaddr_in *laddr,
- struct sockaddr_in *faddr));
-
-int
-krb_check_tm __P((struct tm tm));
-
-KTEXT
-krb_create_death_packet __P((char *a_name));
-
-int
-krb_create_ticket __P((
- KTEXT tkt,
- unsigned char flags,
- char *pname,
- char *pinstance,
- char *prealm,
- int32_t paddress,
- void *session,
- int16_t life,
- int32_t time_sec,
- char *sname,
- char *sinstance,
- des_cblock *key));
-
-int
-krb_decode_as_rep __P((
- char *user,
- char *instance,
- char *realm,
- char *service,
- char *sinstance,
- key_proc_t key_proc,
- decrypt_proc_t decrypt_proc,
- void *arg,
- KTEXT as_rep,
- CREDENTIALS *cred));
-
-int
-krb_enable_debug __P((void));
-
-int
-krb_equiv __P((
- u_int32_t a,
- u_int32_t b));
-
-int
-krb_get_address __P((
- void *from,
- u_int32_t *to));
-
-int
-krb_get_admhst __P((
- char *host,
- char *realm,
- int nth));
-
-int
-krb_get_config_bool __P((const char *variable));
-
-const char *
-krb_get_config_string __P((const char *variable));
-
-int
-krb_get_cred __P((
- char *service,
- char *instance,
- char *realm,
- CREDENTIALS *c));
-
-int
-krb_get_default_principal __P((
- char *name,
- char *instance,
- char *realm));
-
-char *
-krb_get_default_realm __P((void));
-
-const char *
-krb_get_err_text __P((int code));
-
-struct krb_host*
-krb_get_host __P((
- int nth,
- char *realm,
- int admin));
-
-int
-krb_get_in_tkt __P((
- char *user,
- char *instance,
- char *realm,
- char *service,
- char *sinstance,
- int life,
- key_proc_t key_proc,
- decrypt_proc_t decrypt_proc,
- void *arg));
-
-int
-krb_get_int __P((
- void *f,
- u_int32_t *to,
- int size,
- int lsb));
-
-int
-krb_get_kdc_time_diff __P((void));
-
-int
-krb_get_krbconf __P((
- int num,
- char *buf,
- size_t len));
-
-int
-krb_get_krbextra __P((
- int num,
- char *buf,
- size_t len));
-
-int
-krb_get_krbhst __P((
- char *host,
- char *realm,
- int nth));
-
-int
-krb_get_krbrealms __P((
- int num,
- char *buf,
- size_t len));
-
-int
-krb_get_lrealm __P((
- char *r,
- int n));
-
-int
-krb_get_nir __P((
- void *from,
- char *name,
- char *instance,
- char *realm));
-
-char *
-krb_get_phost __P((const char *alias));
-
-int
-krb_get_pw_in_tkt __P((
- char *user,
- char *instance,
- char *realm,
- char *service,
- char *sinstance,
- int life,
- char *password));
-
-int
-krb_get_pw_in_tkt2 __P((
- char *user,
- char *instance,
- char *realm,
- char *service,
- char *sinstance,
- int life,
- char *password,
- des_cblock *key));
-
-int
-krb_get_string __P((
- void *from,
- char *to));
-
-int
-krb_get_svc_in_tkt __P((
- char *user,
- char *instance,
- char *realm,
- char *service,
- char *sinstance,
- int life,
- char *srvtab));
-
-int
-krb_get_tf_fullname __P((
- char *ticket_file,
- char *name,
- char *instance,
- char *realm));
-
-int
-krb_get_tf_realm __P((
- char *ticket_file,
- char *realm));
-
-void
-krb_kdctimeofday __P((struct timeval *tv));
-
-int
-krb_kntoln __P((
- AUTH_DAT *ad,
- char *lname));
-
-int
-krb_kuserok __P((
- char *name,
- char *instance,
- char *realm,
- char *luser));
-
-char *
-krb_life_to_atime __P((int life));
-
-u_int32_t
-krb_life_to_time __P((
- u_int32_t start,
- int life_));
-
-int
-krb_lsb_antinet_ulong_cmp __P((
- u_int32_t x,
- u_int32_t y));
-
-int
-krb_lsb_antinet_ushort_cmp __P((
- u_int16_t x,
- u_int16_t y));
-
-int
-krb_mk_as_req __P((
- char *user,
- char *instance,
- char *realm,
- char *service,
- char *sinstance,
- int life,
- KTEXT cip));
-
-int
-krb_mk_auth __P((
- int32_t options,
- KTEXT ticket,
- char *service,
- char *instance,
- char *realm,
- u_int32_t checksum,
- char *version,
- KTEXT buf));
-
-int32_t
-krb_mk_err __P((
- u_char *p,
- int32_t e,
- char *e_string));
-
-int32_t
-krb_mk_priv __P((
- void *in,
- void *out,
- u_int32_t length,
- struct des_ks_struct *schedule,
- des_cblock *key,
- struct sockaddr_in *sender,
- struct sockaddr_in *receiver));
-
-int
-krb_mk_req __P((
- KTEXT authent,
- char *service,
- char *instance,
- char *realm,
- int32_t checksum));
-
-int32_t
-krb_mk_safe __P((
- void *in,
- void *out,
- u_int32_t length,
- des_cblock *key,
- struct sockaddr_in *sender,
- struct sockaddr_in *receiver));
-
-int
-krb_net_read __P((
- int fd,
- void *v,
- size_t len));
-
-int
-krb_net_write __P((
- int fd,
- const void *v,
- size_t len));
-
-int
-krb_parse_name __P((
- const char *fullname,
- krb_principal *principal));
-
-int
-krb_put_address __P((
- u_int32_t addr,
- void *to));
-
-int
-krb_put_int __P((
- u_int32_t from,
- void *to,
- int size));
-
-int
-krb_put_nir __P((
- char *name,
- char *instance,
- char *realm,
- void *to));
-
-int
-krb_put_string __P((
- char *from,
- void *to));
-
-int
-krb_rd_err __P((
- u_char *in,
- u_int32_t in_length,
- int32_t *code,
- MSG_DAT *m_data));
-
-int32_t
-krb_rd_priv __P((
- void *in,
- u_int32_t in_length,
- struct des_ks_struct *schedule,
- des_cblock *key,
- struct sockaddr_in *sender,
- struct sockaddr_in *receiver,
- MSG_DAT *m_data));
-
-int
-krb_rd_req __P((
- KTEXT authent,
- char *service,
- char *instance,
- int32_t from_addr,
- AUTH_DAT *ad,
- char *fn));
-
-int32_t
-krb_rd_safe __P((
- void *in,
- u_int32_t in_length,
- des_cblock *key,
- struct sockaddr_in *sender,
- struct sockaddr_in *receiver,
- MSG_DAT *m_data));
-
-int
-krb_realm_parse __P((
- char *realm,
- int length));
-
-char *
-krb_realmofhost __P((const char *host));
-
-int
-krb_recvauth __P((
- int32_t options,
- int fd,
- KTEXT ticket,
- char *service,
- char *instance,
- struct sockaddr_in *faddr,
- struct sockaddr_in *laddr,
- AUTH_DAT *kdata,
- char *filename,
- struct des_ks_struct *schedule,
- char *version));
-
-int
-krb_sendauth __P((
- int32_t options,
- int fd,
- KTEXT ticket,
- char *service,
- char *instance,
- char *realm,
- u_int32_t checksum,
- MSG_DAT *msg_data,
- CREDENTIALS *cred,
- struct des_ks_struct *schedule,
- struct sockaddr_in *laddr,
- struct sockaddr_in *faddr,
- char *version));
-
-void
-krb_set_kdc_time_diff __P((int diff));
-
-int
-krb_set_key __P((
- void *key,
- int cvt));
-
-int
-krb_set_lifetime __P((int newval));
-
-void
-krb_set_tkt_string __P((const char *val));
-
-const char *
-krb_stime __P((time_t *t));
-
-int
-krb_time_to_life __P((
- u_int32_t start,
- u_int32_t end));
-
-char *
-krb_unparse_name __P((krb_principal *pr));
-
-char *
-krb_unparse_name_long __P((
- char *name,
- char *instance,
- char *realm));
-
-char *
-krb_unparse_name_long_r __P((
- char *name,
- char *instance,
- char *realm,
- char *fullname));
-
-char *
-krb_unparse_name_r __P((
- krb_principal *pr,
- char *fullname));
-
-int
-krb_use_admin_server __P((int flag));
-
-int
-krb_verify_user __P((
- char *name,
- char *instance,
- char *realm,
- char *password,
- int secure,
- char *linstance));
-
-int
-krb_verify_user_srvtab __P((
- char *name,
- char *instance,
- char *realm,
- char *password,
- int secure,
- char *linstance,
- char *srvtab));
-
-int
-kuserok __P((
- AUTH_DAT *auth,
- char *luser));
-
-u_int32_t
-lsb_time __P((
- time_t t,
- struct sockaddr_in *src,
- struct sockaddr_in *dst));
-
-const char *month_sname __P((int n));
-
-int
-passwd_to_5key __P((
- char *user,
- char *instance,
- char *realm,
- void *passwd,
- des_cblock *key));
-
-int
-passwd_to_afskey __P((
- char *user,
- char *instance,
- char *realm,
- void *passwd,
- des_cblock *key));
-
-int
-passwd_to_key __P((
- char *user,
- char *instance,
- char *realm,
- void *passwd,
- des_cblock *key));
-
-int
-read_service_key __P((
- char *service,
- char *instance,
- char *realm,
- int kvno,
- char *file,
- char *key));
-
-int
-save_credentials __P((
- char *service,
- char *instance,
- char *realm,
- unsigned char *session,
- int lifetime,
- int kvno,
- KTEXT ticket,
- int32_t issue_date));
-
-int
-send_to_kdc __P((
- KTEXT pkt,
- KTEXT rpkt,
- char *realm));
-
-int
-srvtab_to_key __P((
- char *user,
- char *instance,
- char *realm,
- void *srvtab,
- des_cblock *key));
-
-void
-tf_close __P((void));
-
-int
-tf_create __P((char *tf_name));
-
-int
-tf_get_cred __P((CREDENTIALS *c));
-
-int
-tf_get_pinst __P((char *inst));
-
-int
-tf_get_pname __P((char *p));
-
-int
-tf_init __P((
- char *tf_name,
- int rw));
-
-int
-tf_put_pinst __P((char *inst));
-
-int
-tf_put_pname __P((char *p));
-
-int
-tf_save_cred __P((
- char *service,
- char *instance,
- char *realm,
- unsigned char *session,
- int lifetime,
- int kvno,
- KTEXT ticket,
- u_int32_t issue_date));
-
-int
-tf_setup __P((
- CREDENTIALS *cred,
- char *pname,
- char *pinst));
-
-char *
-tkt_string __P((void));
-
-#endif /* __krb_protos_h__ */
diff --git a/kerberosIV/include/kerberosIV/krb.h b/kerberosIV/include/kerberosIV/krb.h
deleted file mode 100644
index 2041cd26f91..00000000000
--- a/kerberosIV/include/kerberosIV/krb.h
+++ /dev/null
@@ -1,340 +0,0 @@ -/* $OpenBSD: krb.h,v 1.8 1998/05/18 02:12:43 art Exp $ */ -/* $KTH: krb.h,v 1.92 1998/05/13 18:57:32 assar Exp $ */ - -/* - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. - */ - -/* - * Include file for the Kerberos library. - */ - -#include <sys/cdefs.h> -#include <sys/types.h> - -#ifndef __KRB_H__ -#define __KRB_H__ - -__BEGIN_DECLS - -/* Include site.h file to define paths */ -#include <kerberosIV/site.h> - -/* Need some defs from des.h */ -#include <des.h> - -/* CNS compatibility ahead! */ -#ifndef KRB_INT32 -#define KRB_INT32 int32_t -#endif -#ifndef KRB_UINT32 -#define KRB_UINT32 u_int32_t -#endif - -/* Global library variables. 
*/ -extern int krb_ignore_ip_address; /* To turn off IP address comparison */ -extern int krb_no_long_lifetimes; /* To disable AFS compatible lifetimes */ -extern int krbONE; -#define HOST_BYTE_ORDER (* (char *) &krbONE) - -/* Debug variables */ -extern int krb_debug; -extern int krb_ap_req_debug; -extern int krb_dns_debug; - -/* Text describing error codes */ -#define MAX_KRB_ERRORS 256 -extern const char *krb_err_txt[MAX_KRB_ERRORS]; - -/* General definitions */ -#define KSUCCESS 0 -#define KFAILURE 255 - -/* - * Kerberos specific definitions - * - * KRBLOG is the log file for the kerberos master server. KRB_CONF is - * the configuration file where different host machines running master - * and slave servers can be found. KRB_MASTER is the name of the - * machine with the master database. The admin_server runs on this - * machine, and all changes to the db (as opposed to read-only - * requests, which can go to slaves) must go to it. KRB_HOST is the - * default machine * when looking for a kerberos slave server. Other - * possibilities are * in the KRB_CONF file. KRB_REALM is the name of - * the realm. - */ - -/* /etc/kerberosIV is only for backwards compatibility, don't use it! 
*/ -#ifndef KRB_CONF -#define KRB_CONF "/etc/krb.conf" -#endif -#ifndef KRB_RLM_TRANS -#define KRB_RLM_TRANS "/etc/krb.realms" -#endif -#ifndef KRB_CNF_FILES -#define KRB_CNF_FILES { KRB_CONF, "/etc/kerberosIV/krb.conf", 0} -#endif -#ifndef KRB_RLM_FILES -#define KRB_RLM_FILES { KRB_RLM_TRANS, "/etc/kerberosIV/krb.realms", 0} -#endif -#ifndef KRB_EQUIV -#define KRB_EQUIV "/etc/krb.equiv" -#endif -#define KRB_MASTER "kerberos" -#ifndef KRB_REALM -#define KRB_REALM (krb_get_default_realm()) -#endif - -/* The maximum sizes for aname, realm, sname, and instance +1 */ -#define ANAME_SZ 40 -#define REALM_SZ 40 -#define SNAME_SZ 40 -#define INST_SZ 40 -/* Leave space for quoting */ -#define MAX_K_NAME_SZ (2*ANAME_SZ + 2*INST_SZ + 2*REALM_SZ - 3) -#define KKEY_SZ 100 -#define VERSION_SZ 1 -#define MSG_TYPE_SZ 1 -#define DATE_SZ 26 /* RTI date output */ - -#define MAX_HSTNM 100 /* for compatibility */ - -typedef struct krb_principal{ - char name[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; -}krb_principal; - -#ifndef DEFAULT_TKT_LIFE /* allow compile-time override */ -/* default lifetime for krb_mk_req & co., 10 hrs */ -#define DEFAULT_TKT_LIFE 120 -#endif - -#define KRB_TICKET_GRANTING_TICKET "krbtgt" - -/* Definition of text structure used to pass text around */ -#define MAX_KTXT_LEN 1250 - -struct ktext { - unsigned int length; /* Length of the text */ - unsigned char dat[MAX_KTXT_LEN]; /* The data itself */ - u_int32_t mbz; /* zero to catch runaway strings */ -}; - -typedef struct ktext *KTEXT; -typedef struct ktext KTEXT_ST; - - -/* Definitions for send_to_kdc */ -#define CLIENT_KRB_TIMEOUT 4 /* time between retries */ -#define CLIENT_KRB_RETRY 5 /* retry this many times */ -#define CLIENT_KRB_BUFLEN 512 /* max unfragmented packet */ - -/* Definitions for ticket file utilities */ -#define R_TKT_FIL 0 -#define W_TKT_FIL 1 - -/* Parameters for rd_ap_req */ -/* Maximum alloable clock skew in seconds */ -#define CLOCK_SKEW 5*60 -/* Filename for readservkey 
*/ -#ifndef KEYFILE -#define KEYFILE "/etc/srvtab" -#endif - -/* Structure definition for rd_ap_req */ - -struct auth_dat { - unsigned char k_flags; /* Flags from ticket */ - char pname[ANAME_SZ]; /* Principal's name */ - char pinst[INST_SZ]; /* His Instance */ - char prealm[REALM_SZ]; /* His Realm */ - u_int32_t checksum; /* Data checksum (opt) */ - des_cblock session; /* Session Key */ - int life; /* Life of ticket */ - u_int32_t time_sec; /* Time ticket issued */ - u_int32_t address; /* Address in ticket */ - KTEXT_ST reply; /* Auth reply (opt) */ -}; - -typedef struct auth_dat AUTH_DAT; - -/* Structure definition for credentials returned by get_cred */ - -struct credentials { - char service[ANAME_SZ]; /* Service name */ - char instance[INST_SZ]; /* Instance */ - char realm[REALM_SZ]; /* Auth domain */ - des_cblock session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT_ST ticket_st; /* The ticket itself */ - int32_t issue_date; /* The issue time */ - char pname[ANAME_SZ]; /* Principal's name */ - char pinst[INST_SZ]; /* Principal's instance */ -}; - -typedef struct credentials CREDENTIALS; - -/* Structure definition for rd_private_msg and rd_safe_msg */ - -struct msg_dat { - unsigned char *app_data; /* pointer to appl data */ - u_int32_t app_length; /* length of appl data */ - u_int32_t hash; /* hash to lookup replay */ - int swap; /* swap bytes? 
*/ - int32_t time_sec; /* msg timestamp seconds */ - unsigned char time_5ms; /* msg timestamp 5ms units */ -}; - -typedef struct msg_dat MSG_DAT; - -struct krb_host { - char *realm; - char *host; - enum krb_host_proto { PROTO_UDP, PROTO_TCP, PROTO_HTTP } proto; - int port; - int admin; -}; - -/* Location of ticket file for save_cred and get_cred */ -#define TKT_FILE tkt_string() -#define TKT_ROOT "/tmp/tkt" - -/* Error codes returned from the KDC */ -#define KDC_OK 0 /* Request OK */ -#define KDC_NAME_EXP 1 /* Principal expired */ -#define KDC_SERVICE_EXP 2 /* Service expired */ -#define KDC_AUTH_EXP 3 /* Auth expired */ -#define KDC_PKT_VER 4 /* Protocol version unknown */ -#define KDC_P_MKEY_VER 5 /* Wrong master key version */ -#define KDC_S_MKEY_VER 6 /* Wrong master key version */ -#define KDC_BYTE_ORDER 7 /* Byte order unknown */ -#define KDC_PR_UNKNOWN 8 /* Principal unknown */ -#define KDC_PR_N_UNIQUE 9 /* Principal not unique */ -#define KDC_NULL_KEY 10 /* Principal has null key */ -#define KDC_GEN_ERR 20 /* Generic error from KDC */ - - -/* Values returned by get_credentials */ -#define GC_OK 0 /* Retrieve OK */ -#define RET_OK 0 /* Retrieve OK */ -#define GC_TKFIL 21 /* Can't read ticket file */ -#define RET_TKFIL 21 /* Can't read ticket file */ -#define GC_NOTKT 22 /* Can't find ticket or TGT */ -#define RET_NOTKT 22 /* Can't find ticket or TGT */ - - -/* Values returned by mk_ap_req */ -#define MK_AP_OK 0 /* Success */ -#define MK_AP_TGTEXP 26 /* TGT Expired */ - -/* Values returned by rd_ap_req */ -#define RD_AP_OK 0 /* Request authentic */ -#define RD_AP_UNDEC 31 /* Can't decode authenticator */ -#define RD_AP_EXP 32 /* Ticket expired */ -#define RD_AP_NYV 33 /* Ticket not yet valid */ -#define RD_AP_REPEAT 34 /* Repeated request */ -#define RD_AP_NOT_US 35 /* The ticket isn't for us */ -#define RD_AP_INCON 36 /* Request is inconsistent */ -#define RD_AP_TIME 37 /* delta_t too big */ -#define RD_AP_BADD 38 /* Incorrect net address */ -#define 
RD_AP_VERSION 39 /* protocol version mismatch */
-#define RD_AP_MSG_TYPE 40 /* invalid msg type */
-#define RD_AP_MODIFIED 41 /* message stream modified */
-#define RD_AP_ORDER 42 /* message out of order */
-#define RD_AP_UNAUTHOR 43 /* unauthorized request */
-
-/* Values returned by get_pw_tkt */
-#define GT_PW_OK 0 /* Got password changing tkt */
-#define GT_PW_NULL 51 /* Current PW is null */
-#define GT_PW_BADPW 52 /* Incorrect current password */
-#define GT_PW_PROT 53 /* Protocol Error */
-#define GT_PW_KDCERR 54 /* Error returned by KDC */
-#define GT_PW_NULLTKT 55 /* Null tkt returned by KDC */
-
-
-/* Values returned by send_to_kdc */
-#define SKDC_OK 0 /* Response received */
-#define SKDC_RETRY 56 /* Retry count exceeded */
-#define SKDC_CANT 57 /* Can't send request */
-
-/*
- * Values returned by get_intkt
- * (can also return SKDC_* and KDC errors)
- */
-
-#define INTK_OK 0 /* Ticket obtained */
-#define INTK_W_NOTALL 61 /* Not ALL tickets returned */
-#define INTK_BADPW 62 /* Incorrect password */
-#define INTK_PROT 63 /* Protocol Error */
-#define INTK_ERR 70 /* Other error */
-
-/* Values returned by get_adtkt */
-#define AD_OK 0 /* Ticket Obtained */
-#define AD_NOTGT 71 /* Don't have tgt */
-#define AD_INTR_RLM_NOTGT 72 /* Can't get inter-realm tgt */
-
-/* Error codes returned by ticket file utilities */
-#define NO_TKT_FIL 76 /* No ticket file found */
-#define TKT_FIL_ACC 77 /* Couldn't access tkt file */
-#define TKT_FIL_LCK 78 /* Couldn't lock ticket file */
-#define TKT_FIL_FMT 79 /* Bad ticket file format */
-#define TKT_FIL_INI 80 /* tf_init not called first */
-
-/* Error code returned by kparse_name */
-#define KNAME_FMT 81 /* Bad Kerberos name format */
-
-/* Error code returned by krb_mk_safe */
-#define SAFE_PRIV_ERROR -1 /* syscall error */
-
-/* Defines for krb_sendauth and krb_recvauth */
-
-#define KOPT_DONT_MK_REQ 0x00000001 /* don't call krb_mk_req */
-#define KOPT_DO_MUTUAL 0x00000002 /* do mutual auth */
-
-#define
KOPT_DONT_CANON 0x00000004 /*
- * don't canonicalize inst as
- * a hostname
- */
-
-#define KOPT_IGNORE_PROTOCOL 0x0008
-
-#define KRB_SENDAUTH_VLEN 8 /* length for version strings */
-
-
-/* File locking */
-#define K_LOCK_SH 1 /* Shared lock */
-#define K_LOCK_EX 2 /* Exclusive lock */
-#define K_LOCK_NB 4 /* Don't block when locking */
-#define K_LOCK_UN 8 /* Unlock */
-
-extern char *krb4_version;
-
-typedef int (*key_proc_t) __P((char*, char*, char*, void*, des_cblock*));
-
-typedef int (*decrypt_proc_t) __P((char*, char*, char*, void*,
- key_proc_t, KTEXT*));
-
-#include <kerberosIV/krb-protos.h>
-
-/* This shouldn't be here */
-
-char *strtok_r __P((char *s1, const char *s2, char **lasts));
-
-__END_DECLS
-
-#endif /* __KRB_H__ */
diff --git a/kerberosIV/include/kerberosIV/krb_db.h b/kerberosIV/include/kerberosIV/krb_db.h
deleted file mode 100644
index 7176ab38fb9..00000000000
--- a/kerberosIV/include/kerberosIV/krb_db.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/* $OpenBSD: krb_db.h,v 1.4 1998/02/25 15:50:42 art Exp $ */
-/* $KTH: krb_db.h,v 1.15 1996/12/17 20:34:32 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1987, 1988 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * spm Project Athena 8/85
- *
- * This file defines data structures for the kerberos
- * authentication/authorization database.
- *
- * They MUST correspond to those defined in *.rel
- */
-
-#ifndef KRB_DB_DEFS
-#define KRB_DB_DEFS
-
-#include <stdio.h>
-
-#define KERB_M_NAME "K" /* Kerberos */
-#define KERB_M_INST "M" /* Master */
-#define KERB_DEFAULT_NAME "default"
-#define KERB_DEFAULT_INST ""
-#ifndef DB_DIR
-#define DB_DIR "/var/kerberos"
-#endif
-#ifndef DBM_FILE
-#define DBM_FILE DB_DIR "/principal"
-#endif
-
-/* this also defines the number of queue headers */
-#define KERB_DB_HASH_MODULO 64
-
-
-/* Arguments to kerb_dbl_lock() */
-
-#define KERB_DBL_EXCLUSIVE 1
-#define KERB_DBL_SHARED 0
-
-/* arguments to kerb_db_set_lockmode() */
-
-#define KERB_DBL_BLOCKING 0
-#define KERB_DBL_NONBLOCKING 1
-
-/* arguments to kdb_get_master_key */
-
-#define KDB_GET_PROMPT 1
-#define KDB_GET_TWICE 2
-
-/* Principal defines the structure of a principal's name */
-
-typedef struct {
- char name[ANAME_SZ];
- char instance[INST_SZ];
-
- u_int32_t key_low;
- u_int32_t key_high;
- u_int32_t exp_date;
- char exp_date_txt[DATE_SZ];
- u_int32_t mod_date;
- char mod_date_txt[DATE_SZ];
- u_int16_t attributes;
- u_int8_t max_life;
- u_int8_t kdc_key_ver;
- u_int8_t key_version;
-
- char mod_name[ANAME_SZ];
- char mod_instance[INST_SZ];
- char *old; /* cast to (Principal *); not in db,
- * ptr to old vals */
-} Principal;
-
-typedef struct {
- int32_t cpu;
- int32_t elapsed;
- int32_t dio;
- int32_t pfault;
- int32_t t_stamp;
- int32_t n_retrieve;
- int32_t n_replace;
- int32_t n_append;
- int32_t n_get_stat;
- int32_t n_put_stat;
-} DB_stat;
-
-/* Dba defines the structure of a database administrator */
-
-typedef struct {
- char name[ANAME_SZ];
- char instance[INST_SZ];
- u_int16_t attributes;
- u_int32_t exp_date;
- char exp_date_txt[DATE_SZ];
- char *old; /*
- * cast to (Dba *); not in db, ptr to
- * old vals
- */
-} Dba;
-
-typedef int (*k_iter_proc_t)(void*, Principal*);
-
-void copy_from_key __P((des_cblock in, u_int32_t *lo, u_int32_t *hi));
-void copy_to_key __P((u_int32_t *lo, u_int32_t *hi,
des_cblock out));
-
-void kdb_encrypt_key __P((des_cblock *, des_cblock *, des_cblock *,
- des_key_schedule, int));
-int kdb_get_master_key __P((int prompt, des_cblock *master_key,
- des_key_schedule master_key_sched));
-int kdb_get_new_master_key __P((des_cblock *, des_key_schedule, int));
-int kdb_kstash __P((des_cblock *, char *));
-int kdb_new_get_master_key __P((des_cblock *, des_key_schedule));
-int kdb_new_get_new_master_key __P((des_cblock *key, des_key_schedule schedule, int verify));
-long kdb_verify_master_key __P((des_cblock *, des_key_schedule, FILE *));
-long *kerb_db_begin_update __P((void));
-int kerb_db_create __P((char *db_name));
-int kerb_db_delete_principal (char *name, char *inst);
-void kerb_db_end_update __P((long *db));
-int kerb_db_get_dba __P((char *, char *, Dba *, unsigned, int *));
-void kerb_db_get_stat __P((DB_stat *));
-int kerb_db_iterate __P((k_iter_proc_t, void*));
-int kerb_db_put_principal __P((Principal *, unsigned int));
-void kerb_db_put_stat __P((DB_stat *));
-int kerb_db_rename __P((char *, char *));
-int kerb_db_set_lockmode __P((int));
-int kerb_db_set_name __P((char *));
-int kerb_db_update __P((long *db, Principal *principal, unsigned int max));
-int kerb_delete_principal __P((char *name, char *inst));
-void kerb_fini __P((void));
-int kerb_get_dba __P((char *, char *, Dba *, unsigned int, int *));
-time_t kerb_get_db_age __P((void));
-int kerb_get_principal __P((char *, char *, Principal *, unsigned int, int *));
-int kerb_init __P((void));
-int kerb_put_principal __P((Principal *, unsigned int));
-
-#endif /* KRB_DB_DEFS */
diff --git a/kerberosIV/include/kerberosIV/prot.h b/kerberosIV/include/kerberosIV/prot.h
deleted file mode 100644
index c6e73927a03..00000000000
--- a/kerberosIV/include/kerberosIV/prot.h
+++ /dev/null
@@ -1,93 +0,0 @@
-/* $OpenBSD: prot.h,v 1.1 1998/11/28 23:41:01 art Exp $ */
-/* $KTH: prot.h,v 1.7 1997/03/23 03:52:27 joda Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#ifndef PROT_DEFS
-#define PROT_DEFS
-
-#define KRB_SERVICE "kerberos-iv"
-#define KRB_PORT 750 /* PC's don't have
- * /etc/services */
-#define KRB_PROT_VERSION 4
-#define MAX_PKT_LEN 1000
-#define MAX_TXT_LEN 1000
-
-/* Routines to create and read packets may be found in prot.c */
-
-KTEXT create_auth_reply(char *pname, char *pinst, char *prealm,
- int32_t time_ws, int n, u_int32_t x_date,
- int kvno, KTEXT cipher);
-#ifdef DEBUG
-KTEXT krb_create_death_packet(char *a_name);
-#endif
-
-/* Message types , always leave lsb for byte order */
-
-#define AUTH_MSG_KDC_REQUEST (1<<1)
-#define AUTH_MSG_KDC_REPLY (2<<1)
-#define AUTH_MSG_APPL_REQUEST (3<<1)
-#define AUTH_MSG_APPL_REQUEST_MUTUAL (4<<1)
-#define AUTH_MSG_ERR_REPLY (5<<1)
-#define AUTH_MSG_PRIVATE (6<<1)
-#define AUTH_MSG_SAFE (7<<1)
-#define AUTH_MSG_APPL_ERR (8<<1)
-#define AUTH_MSG_KDC_FORWARD (9<<1)
-#define AUTH_MSG_KDC_RENEW (10<<1)
-#define AUTH_MSG_DIE (63<<1)
-
-/* values for kerb error codes */
-
-#define KERB_ERR_OK 0
-#define KERB_ERR_NAME_EXP 1
-#define KERB_ERR_SERVICE_EXP 2
-#define KERB_ERR_AUTH_EXP 3
-#define KERB_ERR_PKT_VER 4
-#define KERB_ERR_NAME_MAST_KEY_VER 5
-#define KERB_ERR_SERV_MAST_KEY_VER 6
-#define KERB_ERR_BYTE_ORDER 7
-#define KERB_ERR_PRINCIPAL_UNKNOWN 8
-#define KERB_ERR_PRINCIPAL_NOT_UNIQUE 9
-#define KERB_ERR_NULL_KEY 10
-#define KERB_ERR_TIMEOUT 11
-
-/* sendauth - recvauth */
-
-/*
- * If the protocol changes, you will need to change the version string
- * be sure to support old versions of krb_sendauth!
- */
-
-#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */
-
-#endif /* PROT_DEFS */
diff --git a/kerberosIV/include/kerberosIV/site.h b/kerberosIV/include/kerberosIV/site.h
deleted file mode 100644
index 31235f4ae86..00000000000
--- a/kerberosIV/include/kerberosIV/site.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/* $OpenBSD: site.h,v 1.5 1999/08/20 11:00:32 art Exp $ */
-
-/*
- * Site-specific definitions.
- */
-
-#ifndef SITE_H
-#define SITE_H
-
-/*
- * Location of common files.
- */
-#define KRB_CONF "/etc/kerberosIV/krb.conf"
-#define KRB_RLM_TRANS "/etc/kerberosIV/krb.realms"
-#define KRB_ACL "/etc/kerberosIV/kerberos.acl"
-#define MKEYFILE "/etc/kerberosIV/master_key"
-#define KEYFILE "/etc/kerberosIV/srvtab"
-#define DBM_FILE "/etc/kerberosIV/principal"
-
-#define K_LOGFIL "/var/log/kpropd.log"
-#define KS_LOGFIL "/var/log/kerberos_slave.log"
-#define KRBLOG "/var/log/kerberos.log" /* master server */
-#define KRBSLAVELOG "/var/log/kerberos_slave.log" /* master (?) server */
-
-/* from: kadm_server.h */
-/* the default syslog file */
-#define KADM_SYSLOG "/var/log/admin_server.log"
-
-/* used by kdb_init.c */
-/* The default expire time for principals created by kadmind */
-/* The time "1104555599" gives a date of: Sat Jan 1 04:59:59 2005 */
-#define KDBINIT_EXPDATE 1104555599
-#define KDBINIT_EXPDATE_TXT "12/31/04"
-
-#define DEFAULT_ACL_DIR "/etc/kerberosIV/"
-/* These get appended to DEFAULT_ACL_DIR */
-#define ADD_ACL_FILE "admin_acl.add"
-#define GET_ACL_FILE "admin_acl.get"
-#define MOD_ACL_FILE "admin_acl.mod"
-#define DEL_ACL_FILE "admin_acl.del"
-
-/*
- * Set ORGANIZATION to be the desired organization string printed
- * by the 'kinit' program. It may have spaces.
- */
-#define ORGANIZATION "The OpenBSD Project"
-
-#endif
diff --git a/kerberosIV/include/klog.h b/kerberosIV/include/klog.h
deleted file mode 100644
index a531152a603..00000000000
--- a/kerberosIV/include/klog.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* $OpenBSD: klog.h,v 1.4 1998/02/25 15:50:36 art Exp $ */
-/* $KTH: klog.h,v 1.5 1997/05/11 11:05:28 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * This file defines the types of log messages logged by klog. Each
- * type of message may be selectively turned on or off.
- */
-
-#ifndef KLOG_DEFS
-#define KLOG_DEFS
-
-#ifndef KRBLOG
-#define KRBLOG "/var/log/kerberos.log" /* master server */
-#endif
-#ifndef KRBSLAVELOG
-#define KRBSLAVELOG "/var/log/kerberos_slave.log" /* slave server */
-#endif
-#define NLOGTYPE 100 /* Maximum number of log msg types */
-
-#define L_NET_ERR 1 /* Error in network code */
-#define L_NET_INFO 2 /* Info on network activity */
-#define L_KRB_PERR 3 /* Kerberos protocol errors */
-#define L_KRB_PINFO 4 /* Kerberos protocol info */
-#define L_INI_REQ 5 /* Request for initial ticket */
-#define L_NTGT_INTK 6 /* Initial request not for TGT */
-#define L_DEATH_REQ 7 /* Request for server death */
-#define L_TKT_REQ 8 /* All ticket requests using a tgt */
-#define L_ERR_SEXP 9 /* Service expired */
-#define L_ERR_MKV 10 /* Master key version incorrect */
-#define L_ERR_NKY 11 /* User's key is null */
-#define L_ERR_NUN 12 /* Principal not unique */
-#define L_ERR_UNK 13 /* Principal Unknown */
-#define L_ALL_REQ 14 /* All requests */
-#define L_APPL_REQ 15 /* Application requests (using tgt) */
-#define L_KRB_PWARN 16 /* Protocol warning messages */
-
-char * klog __P((int type, const char *format, ...))
-#ifdef __GNUC__
-__attribute__ ((format (printf, 2, 3)))
-#endif
-;
-
-#endif /* KLOG_DEFS */
diff --git a/kerberosIV/include/kprop.h b/kerberosIV/include/kprop.h
deleted file mode 100644
index 6cb7fa0f3fb..00000000000
--- a/kerberosIV/include/kprop.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/* $OpenBSD: kprop.h,v 1.4 1998/02/25 15:50:37 art Exp $ */
-/* $KTH: kprop.h,v 1.5 1997/02/07 21:39:52 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1987 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#define KPROP_SERVICE_NAME "rcmd"
-#define KPROP_SRVTAB "/etc/kerberosIV/srvtab"
-#define TGT_SERVICE_NAME "krbtgt"
-#define KPROP_PROT_VERSION_LEN 8
-#define KPROP_PROT_VERSION "kprop01"
-#define KPROP_TRANSFER_PRIVATE 1
-#define KPROP_TRANSFER_SAFE 2
-#define KPROP_TRANSFER_CLEAR 3
-#define KPROP_BUFSIZ 32768
-#define KPROP_PORT 754
diff --git a/kerberosIV/include/krb_log.h b/kerberosIV/include/krb_log.h
deleted file mode 100644
index 9b3a8ca004b..00000000000
--- a/kerberosIV/include/krb_log.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* $OpenBSD: krb_log.h,v 1.3 1998/07/05 18:55:50 art Exp $ */
-/* $KTH krb_log.h,v 1.2 1997/09/26 17:40:33 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <kerberosIV/krb.h>
-
-#ifndef __KRB_LOG_H__
-#define __KRB_LOG_H__
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(X)
-#endif
-
-__BEGIN_DECLS
-
-/* logging.c */
-
-typedef int (*krb_log_func_t) __P((FILE *, const char *, va_list));
-
-typedef krb_log_func_t krb_warnfn_t;
-
-struct krb_log_facility;
-
-int krb_vlogger __P((struct krb_log_facility*, const char *, va_list))
- __attribute__ ((format (printf, 2, 0)));
-int krb_logger __P((struct krb_log_facility*, const char *, ...))
- __attribute__ ((format (printf, 2, 3)));
-int krb_openlog __P((struct krb_log_facility*, char*, FILE*, krb_log_func_t));
-
-void krb_set_warnfn __P((krb_warnfn_t));
-krb_warnfn_t krb_get_warnfn __P((void));
-void krb_warning __P((const char*, ...))
- __attribute__ ((format (printf, 1, 2)));
-
-void kset_logfile __P((char*));
-void krb_log __P((const char*, ...))
- __attribute__ ((format (printf, 1, 2)));
-char *klog __P((int, const char*, ...))
- __attribute__ ((format (printf, 2, 3)));
-
-__END_DECLS
-
-#endif /* __KRB_LOG_H__ */
diff --git a/kerberosIV/include/ksrvutil.h b/kerberosIV/include/ksrvutil.h
deleted file mode 100644
index 3de6f0a22bb..00000000000
--- a/kerberosIV/include/ksrvutil.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/* $OpenBSD: ksrvutil.h,v 1.2 1997/12/17 10:21:23 art Exp $ */
-/* $KTH: ksrvutil.h,v 1.8 1997/04/01 03:58:55 assar Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-
-extern char u_name[], u_inst[], u_realm[];
-extern int destroyp;
-
-void leave(char *str, int x);
-void safe_read_stdin(char *prompt, char *buf, size_t size);
-void safe_write(char *filename, int fd, void *buf, size_t len);
-
-int yn(char *string);
-int ny(char *string);
-
-void ksrvutil_get(int fd, char *filename, int argc, char **argv);
-
-#ifndef TRUE
-#define TRUE 1
-#endif
-#ifndef FALSE
-#define FALSE 0
-#endif
diff --git a/kerberosIV/include/kuser_locl.h b/kerberosIV/include/kuser_locl.h
deleted file mode 100644
index f2c3499b609..00000000000
--- a/kerberosIV/include/kuser_locl.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/* $OpenBSD: kuser_locl.h,v 1.4 1998/11/28 23:41:01 art Exp $ */
-/* $KTH: kuser_locl.h,v 1.10 1997/05/20 18:40:43 bg Exp $ */
-
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-
-#include <kerberosIV/site.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <sys/types.h>
-#include <unistd.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <time.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-
-#include <pwd.h>
-
-#include <err.h>
-
-#include <kerberosIV/krb.h>
-#include <kerberosIV/krb_db.h>
-#include <kerberosIV/kadm.h>
-#include <kerberosIV/prot.h>
-
-
-
diff --git a/kerberosIV/include/pw_check.h b/kerberosIV/include/pw_check.h
deleted file mode 100644
index c2fa873fbec..00000000000
--- a/kerberosIV/include/pw_check.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/* $OpenBSD: pw_check.h,v 1.1 1997/12/15 17:56:14 art Exp $ */
-/* $KTH: pw_check.h,v 1.6 1997/04/01 08:17:50 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-int kadm_pw_check(char *pw, des_cblock *newkey,
- char **pw_msg, char **strings);
-
diff --git a/kerberosIV/include/sl.h b/kerberosIV/include/sl.h
deleted file mode 100644
index 9f0fc0a7aa7..00000000000
--- a/kerberosIV/include/sl.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/* $OpenBSD: sl.h,v 1.2 1998/02/18 11:53:38 art Exp $ */
-/* $KTH: sl.h,v 1.4 1997/08/15 21:40:10 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _SL_H
-#define _SL_H
-
-typedef int (*cmd_func)(int, char **);
-
-struct sl_cmd {
- char *name;
- cmd_func func;
- char *usage;
- char *help;
-};
-
-typedef struct sl_cmd SL_cmd;
-
-void sl_help (SL_cmd *, int argc, char **argv);
-int sl_loop (SL_cmd *, char *prompt);
-int sl_command (SL_cmd *cmds, int argc, char **argv);
-
-
-#endif /* _SL_H */
diff --git a/kerberosIV/include/sl_locl.h b/kerberosIV/include/sl_locl.h
deleted file mode 100644
index 308a64ba123..00000000000
--- a/kerberosIV/include/sl_locl.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/* $OpenBSD: sl_locl.h,v 1.2 1998/02/18 11:53:38 art Exp $ */
-/* $KTH: sl_locl.h,v 1.4 1997/06/08 01:51:38 assar Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <sl.h>
-
-#include <kerberosIV/krb.h> /* this wouldn't be necessary if strtok_r was
- somewhere else. */
diff --git a/kerberosIV/include/slav_locl.h b/kerberosIV/include/slav_locl.h
deleted file mode 100644
index 21f50b490a4..00000000000
--- a/kerberosIV/include/slav_locl.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* $OpenBSD: slav_locl.h,v 1.3 1998/11/28 23:41:01 art Exp $ */
-
-#ifndef __slav_locl_h
-#define __slav_locl_h
-
-#include <kerberosIV/site.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <errno.h>
-#include <unistd.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <time.h>
-#include <sys/file.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/socket.h>
-
-#include <netdb.h>
-
-#include <kerberosIV/krb.h>
-#include <kerberosIV/krb_db.h>
-#include "klog.h"
-#include <kerberosIV/prot.h>
-#include "kdc.h"
-
-#endif /* __slav_locl_h */
diff --git a/kerberosIV/include/version.h b/kerberosIV/include/version.h
deleted file mode 100644
index a046ca742ea..00000000000
--- a/kerberosIV/include/version.h
+++ /dev/null
@@ -1,8 +0,0 @@
-/* $OpenBSD: version.h,v 1.5 1998/07/07 19:09:53 art Exp $ */
-#ifndef __VERSION_H__
-
-extern char *krb4_long_version;
-
-#define VERSION "0.9.9"
-
-#endif /* __VERSION_H__ */
diff --git a/kerberosIV/include/xdbm.h b/kerberosIV/include/xdbm.h
deleted file mode 100644
index 6ac722d10ab..00000000000
--- a/kerberosIV/include/xdbm.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/* $OpenBSD: xdbm.h,v 1.2 1998/02/18 11:53:39 art Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE. 
- */
-
-/* Generic *dbm include file */
-
-#ifndef __XDBM_H__
-#define __XDBM_H__
-
-#include <ndbm.h>
-
-/* Macros to convert ndbm names to dbm names.
- * Note that dbm_nextkey() cannot be simply converted using a macro, since
- * it is invoked giving the database, and nextkey() needs the previous key.
- *
- * Instead, all routines call "dbm_next" instead.
- */
-
-#define dbm_next(db,key) dbm_nextkey(db)
-
-#endif /* __XDBM_H__ */
diff --git a/kerberosIV/kadm/Makefile b/kerberosIV/kadm/Makefile
deleted file mode 100644
index d15b991a9bf..00000000000
--- a/kerberosIV/kadm/Makefile
+++ /dev/null
@@ -1,29 +0,0 @@
-# $OpenBSD: Makefile,v 1.9 1999/03/09 00:01:42 niklas Exp $
-
-.include <bsd.obj.mk>
-
-LIB= kadm
-SRCS= kadm_err.c kadm_cli_wrap.c kadm_stream.c kadm_supp.c check_password.c
-CFLAGS+=-I. -I${.CURDIR}
-.if exists(${.CURDIR}/../krb/${__objdir})
-CFLAGS+=-I${.CURDIR}/../krb/${__objdir}
-.else
-CFLAGS+=-I${.CURDIR}/../krb
-.endif
-LDADD+= ${COM_ERR}
-CLEANFILES+= kadm_err.c kadm_err.h
-
-kadm_err.c kadm_err.h: kadm_err.et
- test -e kadm_err.et || ln -s ${.CURDIR}/kadm_err.et .
- compile_et kadm_err.et
- -test -h kadm_err.et && rm kadm_err.et
-
-beforedepend prereq: kadm_err.h
-
-includes: kadm_err.h
- -cd ${.OBJDIR}; cmp -s kadm_err.h \
- ${DESTDIR}/usr/include/kerberosIV/kadm_err.h || \
- install -c -o ${BINOWN} -g ${BINGRP} -m 444 kadm_err.h \
- ${DESTDIR}/usr/include/kerberosIV
-
-.include <bsd.lib.mk>
diff --git a/kerberosIV/kadm/check_password.c b/kerberosIV/kadm/check_password.c
deleted file mode 100644
index 39903eb8301..00000000000
--- a/kerberosIV/kadm/check_password.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/* $OpenBSD: check_password.c,v 1.1 1998/05/15 06:22:17 art Exp $ */
-/* $KTH: check_password.c,v 1.1 1998/01/16 23:10:18 joda Exp $ */
-/*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm_locl.h"
-
-/* This is a client side password check. Should perhaps be merged with
- kadmind version that lives in pw_check.c */
-
-int
-kadm_check_pw (const char *password)
-{
- const char *t;
- if (strlen(password) == 0)
- return KADM_PASS_Q_NULL;
- if (strlen(password) < MIN_KPW_LEN)
- return KADM_PASS_Q_TOOSHORT;
-
- /* Don't allow all lower case passwords regardless of length */
- for (t = password; *t && islower(*t); t++)
- ;
- if (*t == '\0')
- return KADM_PASS_Q_CLASS;
- return 0;
-}
diff --git a/kerberosIV/kadm/kadm_cli_wrap.c b/kerberosIV/kadm/kadm_cli_wrap.c
deleted file mode 100644
index 7f61ace9084..00000000000
--- a/kerberosIV/kadm/kadm_cli_wrap.c
+++ /dev/null
@@ -1,645 +0,0 @@
-/* $OpenBSD: kadm_cli_wrap.c,v 1.7 1999/03/03 08:41:27 csapuntz Exp $ */
-/* $KTH: kadm_cli_wrap.c,v 1.22 1997/08/17 07:30:04 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- Copyright (C) 1989 by the Massachusetts Institute of Technology
-
- Export of this software from the United States of America is assumed
- to require a specific license from the United States Government.
- It is the responsibility of any person or organization contemplating
- export to obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-distribute this software and its documentation for any purpose and
-without fee is hereby granted, provided that the above copyright
-notice appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation, and that
-the name of M.I.T. not be used in advertising or publicity pertaining
-to distribution of the software without specific, written prior
-permission. M.I.T. makes no representations about the suitability of
-this software for any purpose. It is provided "as is" without express
-or implied warranty. 
- - */ - -/* - * Kerberos administration server client-side routines - */ - -/* - * kadm_cli_wrap.c the client side wrapping of the calls to the admin server - */ - -#include "kadm_locl.h" - -#ifndef NULL -#define NULL 0 -#endif - -static Kadm_Client client_parm; - -/* Macros for use in returning data... used in kadm_cli_send */ -#define RET_N_FREE(r) {clear_secrets(); free((char *)act_st); act_st = NULL; free((char *)priv_pak); priv_pak = NULL; return r;} - -/* Keys for use in the transactions */ -static des_cblock sess_key; /* to be filled in by kadm_cli_keyd */ -static des_key_schedule sess_sched; - -static void -clear_secrets(void) -{ - memset(sess_key, 0, sizeof(sess_key)); - memset(sess_sched, 0, sizeof(sess_sched)); -} - -static void (*opipe)(); - -static void -kadm_cli_disconn(void) -{ - close(client_parm.admin_fd); - signal(SIGPIPE, opipe); -} - -/* - * kadm_init_link - * receives : name, inst, realm - * - * initializes client parm, the Kadm_Client structure which holds the - * data about the connection between the server and client, the services - * used, the locations and other fun things - */ - -int -kadm_init_link(char *n, char *i, char *r) -{ - struct hostent *hop; /* host we will talk to */ - char adm_hostname[MAXHOSTNAMELEN]; - - init_kadm_err_tbl(); - init_krb_err_tbl(); - strncpy(client_parm.sname, n, ANAME_SZ - 1); - client_parm.sname[ANAME_SZ - 1] = '\0'; - strncpy(client_parm.sinst, i, INST_SZ - 1); - client_parm.sinst[INST_SZ - 1] = '\0'; - strncpy(client_parm.krbrlm, r, REALM_SZ - 1); - client_parm.krbrlm[REALM_SZ - 1] = '\0'; - client_parm.admin_fd = -1; - - /* set up the admin_addr - fetch name of admin host */ - if (krb_get_admhst(adm_hostname, client_parm.krbrlm, 1) != KSUCCESS) - return KADM_NO_HOST; - if ((hop = gethostbyname(adm_hostname)) == NULL) - return KADM_UNK_HOST; - memset(&client_parm.admin_addr, 0, sizeof(client_parm.admin_addr)); - client_parm.admin_addr.sin_port = - k_getportbyname(KADM_SNAME, "tcp", htons(KADM_PORT)); - 
client_parm.admin_addr.sin_family = hop->h_addrtype; - memcpy(&client_parm.admin_addr.sin_addr, hop->h_addr, - sizeof(client_parm.admin_addr.sin_addr)); - - return KADM_SUCCESS; -} - -static int -kadm_cli_conn(void) -{ /* this connects and sets my_addr */ - int on = 1; - - if ((client_parm.admin_fd = - socket(client_parm.admin_addr.sin_family, SOCK_STREAM,0)) < 0) - return KADM_NO_SOCK; /* couldnt create the socket */ - - if (connect(client_parm.admin_fd, - (struct sockaddr *) & client_parm.admin_addr, - sizeof(client_parm.admin_addr))) { - close(client_parm.admin_fd); - client_parm.admin_fd = -1; - return KADM_NO_CONN; /* couldnt get the connect */ - } - - opipe = signal(SIGPIPE, SIG_IGN); - - client_parm.my_addr_len = sizeof(client_parm.my_addr); - if (getsockname(client_parm.admin_fd, - (struct sockaddr *) & client_parm.my_addr, - &client_parm.my_addr_len) < 0) { - close(client_parm.admin_fd); - client_parm.admin_fd = -1; - signal(SIGPIPE, opipe); - return KADM_NO_HERE; /* couldnt find out who we are */ - } - - if (setsockopt(client_parm.admin_fd, SOL_SOCKET, SO_KEEPALIVE, - (void *)&on, - sizeof(on)) < 0) { - close(client_parm.admin_fd); - client_parm.admin_fd = -1; - signal(SIGPIPE, opipe); - return KADM_NO_CONN; /* XXX */ - } - - return KADM_SUCCESS; -} - -/* takes in the sess_key and key_schedule and sets them appropriately */ -static int -kadm_cli_keyd(des_cblock (*s_k), struct des_ks_struct *s_s) - /* session key */ - /* session key schedule */ -{ - CREDENTIALS cred; /* to get key data */ - int stat; - - /* want .sname and .sinst here.... 
*/ - if ((stat = krb_get_cred(client_parm.sname, client_parm.sinst, - client_parm.krbrlm, &cred))) - return stat + krb_err_base; - memcpy(s_k, cred.session, sizeof(des_cblock)); - memset(cred.session, 0, sizeof(des_cblock)); -#ifdef NOENCRYPTION - memset(s_s, 0, sizeof(des_key_schedule)); -#else - if ((stat = des_key_sched(s_k,s_s))) - return(stat+krb_err_base); -#endif - return KADM_SUCCESS; -} /* This code "works" */ - -static int -kadm_cli_out(u_char *dat, int dat_len, u_char **ret_dat, int *ret_siz) -{ - u_int16_t dlen; - int retval; - char tmp[4]; - - dlen = (u_int16_t) dat_len; - - if (dat_len != (int)dlen) - return (KADM_NO_ROOM); - - tmp[0] = (dlen >> 8) & 0xff; - tmp[1] = dlen & 0xff; - if (krb_net_write(client_parm.admin_fd, tmp, 2) != 2) - return (errno); /* XXX */ - - if (krb_net_write(client_parm.admin_fd, (char *) dat, dat_len) < 0) - return (errno); /* XXX */ - - - if ((retval = krb_net_read(client_parm.admin_fd, tmp, 2)) != 2){ - if (retval < 0) - return(errno); /* XXX */ - else - return(EPIPE); /* short read ! */ - } - dlen = (tmp[0] << 8) | tmp[1]; - - *ret_dat = (u_char *)malloc((unsigned)dlen); - if (*ret_dat == NULL) - return(KADM_NOMEM); - - if ((retval = krb_net_read(client_parm.admin_fd, *ret_dat, - dlen) != dlen)) { - if (retval < 0) - return(errno); /* XXX */ - else - return(EPIPE); /* short read ! */ - } - *ret_siz = (int) dlen; - return KADM_SUCCESS; -} - -/* - * kadm_cli_send - * recieves : opcode, packet, packet length, serv_name, serv_inst - * returns : return code from the packet build, the server, or - * something else - * - * It assembles a packet as follows: - * 8 bytes : VERSION STRING - * 4 bytes : LENGTH OF MESSAGE DATA and OPCODE - * : KTEXT - * : OPCODE \ - * : DATA > Encrypted (with make priv) - * : ...... / - * - * If it builds the packet and it is small enough, then it attempts to open the - * connection to the admin server. If the connection is succesfully open - * then it sends the data and waits for a reply. 
- */ -static int -kadm_cli_send(u_char *st_dat, int st_siz, u_char **ret_dat, int *ret_siz) - /* the actual data */ - /* length of said data */ - /* to give return info */ - /* length of returned info */ -{ - int act_len, retdat; /* current offset into packet, return - * data */ - KTEXT_ST authent; /* the authenticator we will build */ - u_char *act_st; /* the pointer to the complete packet */ - u_char *temp; - u_char *priv_pak; /* private version of the packet */ - int priv_len; /* length of private packet */ - u_int32_t cksum; /* checksum of the packet */ - MSG_DAT mdat; - u_char *return_dat; - - act_st = (u_char *) malloc(KADM_VERSIZE); /* verstr stored first */ - if (act_st == NULL) { - clear_secrets(); - return KADM_NOMEM; - } - - strncpy((char *)act_st, KADM_VERSTR, KADM_VERSIZE); - act_len = KADM_VERSIZE; - - if ((retdat = kadm_cli_keyd(&sess_key, sess_sched)) != KADM_SUCCESS) { - free(act_st); - act_st = NULL; - clear_secrets(); - return retdat; /* couldnt get key working */ - } - - priv_pak = (u_char *) malloc((unsigned)(st_siz + 200)); - if (priv_pak == NULL) { - free(act_st); - act_st = NULL; - clear_secrets(); - return KADM_NOMEM; - } - - /* 200 bytes for extra info case */ - if ((priv_len = krb_mk_priv(st_dat, priv_pak, (u_int32_t)st_siz, - sess_sched, &sess_key, &client_parm.my_addr, - &client_parm.admin_addr)) < 0) - RET_N_FREE(KADM_NO_ENCRYPT); /* whoops... we got a lose - * here */ - - /* here is the length of priv data. receiver calcs - size of authenticator by subtracting vno size, priv size, and - sizeof(u_int32_t) (for the size indication) from total size */ - - act_len += vts_long((u_int32_t) priv_len, &act_st, act_len); -#ifdef NOENCRYPTION - cksum = 0; -#else - cksum = des_quad_cksum((des_cblock *)priv_pak, (des_cblock *)0, - (long)priv_len, 0, &sess_key); -#endif - if ((retdat = krb_mk_req(&authent, client_parm.sname, client_parm.sinst, - client_parm.krbrlm, cksum))) { - /* authenticator? 
*/ - RET_N_FREE(retdat + krb_err_base); - } - - temp = (u_char *) realloc(act_st, - act_len + authent.length + priv_len); - if (temp == NULL) { - clear_secrets(); - free(priv_pak); - free(act_st); - priv_pak = NULL; - return KADM_NOMEM; - } - act_st = temp; - - memcpy((char *)act_st + act_len, authent.dat, authent.length); - memcpy((char *)act_st + act_len + authent.length, priv_pak, priv_len); - free(priv_pak); - priv_pak = NULL; - - if ((retdat = kadm_cli_out(act_st, - act_len + authent.length + priv_len, - ret_dat, ret_siz)) != KADM_SUCCESS) - RET_N_FREE(retdat); - free(act_st); - act_st = NULL; -#define RET_N_FREE2(r) {free(*ret_dat); *ret_dat = NULL; *ret_siz = 0; clear_secrets(); return(r);} - - /* first see if it's a YOULOUSE */ - if ((*ret_siz >= KADM_VERSIZE) && - !strncmp(KADM_ULOSE, (char *)*ret_dat, KADM_VERSIZE)) { - unsigned char *p; - /* it's a youlose packet */ - if (*ret_siz < KADM_VERSIZE + 4) - RET_N_FREE2(KADM_BAD_VER); - p = (*ret_dat)+KADM_VERSIZE; - retdat = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; - RET_N_FREE2(retdat); - } - /* need to decode the ret_dat */ - if ((retdat = krb_rd_priv(*ret_dat, (u_int32_t)*ret_siz, sess_sched, - &sess_key, &client_parm.admin_addr, - &client_parm.my_addr, &mdat))) - RET_N_FREE2(retdat+krb_err_base); - if (mdat.app_length < KADM_VERSIZE + 4) - /* too short! 
*/ - RET_N_FREE2(KADM_BAD_VER); - if (strncmp((char *)mdat.app_data, KADM_VERSTR, KADM_VERSIZE)) - /* bad version */ - RET_N_FREE2(KADM_BAD_VER); - { - unsigned char *p = mdat.app_data+KADM_VERSIZE; - retdat = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; - } - { - int s=mdat.app_length - KADM_VERSIZE - 4; - if(s<=0) s=1; - if (!(return_dat = (u_char *)malloc(s))) - RET_N_FREE2(KADM_NOMEM); - } - memcpy(return_dat, - (char *) mdat.app_data + KADM_VERSIZE + 4, - mdat.app_length - KADM_VERSIZE - 4); - free(*ret_dat); - *ret_dat = NULL; - clear_secrets(); - *ret_dat = return_dat; - *ret_siz = mdat.app_length - KADM_VERSIZE - 4; - return retdat; -} - - - -/* - * kadm_change_pw_plain - * - * see kadm_change_pw - * - */ -int kadm_change_pw_plain(unsigned char *newkey, char *password, char **pw_msg) -{ - int stsize, retc; /* stream size and return code */ - u_char *send_st; /* send stream */ - u_char *temp; - u_char *ret_st; - int ret_sz; - int status; - static char msg[128]; - - if ((retc = kadm_cli_conn()) != KADM_SUCCESS) - return retc ; - /* possible problem with vts_long on a non-multiple of four boundary */ - - stsize = 0; /* start of our output packet */ - send_st = (u_char *) malloc(1);/* to make it reallocable */ - if (send_st == NULL) - return KADM_NOMEM; - - send_st[stsize++] = (u_char) CHANGE_PW; - - /* change key to stream */ - - temp = realloc(send_st, stsize + 8); - if (temp == NULL) { - free(send_st); - return KADM_NOMEM; - } - send_st = temp; - - memcpy(send_st + stsize + 4, newkey, 4); /* yes, this is backwards */ - memcpy(send_st + stsize, newkey + 4, 4); - stsize += 8; - - if(password != NULL && password[0] != '\0') - stsize += vts_string(password, &send_st, stsize); - - retc = kadm_cli_send(send_st, stsize, &ret_st, &ret_sz); - free(send_st); - send_st = NULL; - - if(retc != KADM_SUCCESS){ - status = stv_string(ret_st, msg, 0, sizeof(msg), ret_sz); - if(status<0) - msg[0]=0; - *pw_msg=msg; - } - - if (ret_st != NULL) { - free(ret_st); - ret_st = 
NULL; - } - - kadm_cli_disconn(); - return(retc); -} - -/* - * This function is here for compatibility with CNS - */ - -int kadm_change_pw2(unsigned char *newkey, char *password, char **pw_msg) -{ - return kadm_change_pw_plain (newkey, password, pw_msg); -} - - -/* - * kadm_change_pw - * recieves : key - * - * Replaces the password (i.e. des key) of the caller with that specified in - * key. Returns no actual data from the master server, since this is called - * by a user - */ - -int kadm_change_pw(unsigned char *newkey) -{ - char *pw_msg; - return kadm_change_pw_plain(newkey, "", &pw_msg); -} - -/* - * kadm_add - * receives : vals - * returns : vals - * - * Adds and entry containing values to the database returns the values of the - * entry, so if you leave certain fields blank you will be able to determine - * the default values they are set to - */ -int -kadm_add(Kadm_vals *vals) -{ - u_char *st, *st2; /* st will hold the stream of values */ - int st_len; /* st2 the final stream with opcode */ - int retc; /* return code from call */ - u_char *ret_st; - int ret_sz; - - if ((retc = kadm_cli_conn()) != KADM_SUCCESS) - return(retc); - st_len = vals_to_stream(vals, &st); - st2 = (u_char *) malloc((unsigned)(1 + st_len)); - if (st2 == NULL) - return KADM_NOMEM; - - *st2 = (u_char) ADD_ENT; /* here's the opcode */ - memcpy((char *) st2 + 1, st, st_len); /* append st on */ - retc = kadm_cli_send(st2, st_len + 1, &ret_st, &ret_sz); - free(st); - st = NULL; - free(st2); - st2 = NULL; - - if (retc == KADM_SUCCESS) { - /* ret_st has vals */ - if (stream_to_vals(ret_st, vals, ret_sz) < 0) - retc = KADM_LENGTH_ERROR; - free(ret_st); - ret_st = NULL; - } - kadm_cli_disconn(); - return(retc); -} - -/* - * kadm_mod - * receives : KTEXT, {values, values} - * returns : CKSUM, RETCODE, {values} - * acl : su, sms (as register or dealloc) - * - * Modifies all entries corresponding to the first values so they match the - * second values. 
returns the values for the changed entries in vals2 - */ -int -kadm_mod(Kadm_vals *vals1, Kadm_vals *vals2) -{ - u_char *st, *st2; /* st will hold the stream of values */ - int st_len, nlen; /* st2 the final stream with opcode */ - u_char *ret_st; - u_char *temp; - int ret_sz; - - /* nlen is the length of second vals */ - int retc; /* return code from call */ - - if ((retc = kadm_cli_conn()) != KADM_SUCCESS) - return(retc); - - st_len = vals_to_stream(vals1, &st); - st2 = (u_char *) malloc((unsigned)(1 + st_len)); - if (st2 == NULL) - return KADM_NOMEM; - - *st2 = (u_char) MOD_ENT; /* here's the opcode */ - memcpy((char *)st2 + 1, st, st_len++); /* append st on */ - free(st); - st = NULL; - - nlen = vals_to_stream(vals2, &st); - temp = (u_char *) realloc((char *) st2, (unsigned)(st_len + nlen)); - if (temp == NULL) { - free(st2); - return KADM_NOMEM; - } - st2 = temp; - - memcpy((char *) st2 + st_len, st, nlen); /* append st on */ - retc = kadm_cli_send(st2, st_len + nlen, &ret_st, &ret_sz); - - free(st); - st = NULL; - free(st2); - st2 = NULL; - - if (retc == KADM_SUCCESS) { - /* ret_st has vals */ - if (stream_to_vals(ret_st, vals2, ret_sz) < 0) - retc = KADM_LENGTH_ERROR; - free(ret_st); - ret_st = NULL; - } - kadm_cli_disconn(); - return retc; -} - - -int -kadm_del(Kadm_vals *vals) -{ - unsigned char *st, *st2; /* st will hold the stream of values */ - int st_len; /* st2 the final stream with opcode */ - int retc; /* return code from call */ - u_char *ret_st; - int ret_sz; - - if ((retc = kadm_cli_conn()) != KADM_SUCCESS) - return retc; - st_len = vals_to_stream(vals, &st); - st2 = (unsigned char *) malloc(st_len + 1); - if (st2 == NULL) - return KADM_NOMEM; - - *st2 = DEL_ENT; /* here's the opcode */ - memcpy(st2 + 1, st, st_len); /* append st on */ - retc = kadm_cli_send(st2, st_len + 1, &ret_st, &ret_sz); - free(st); - st = NULL; - free(st2); - st2 = NULL; - kadm_cli_disconn(); - return(retc); -} - - -/* - * kadm_get - * receives : KTEXT, {values, flags} - * 
returns : CKSUM, RETCODE, {count, values, values, values} - * acl : su - * - * gets the fields requested by flags from all entries matching values returns - * this data for each matching recipient, after a count of how many such - * matches there were - */ -int -kadm_get(Kadm_vals *vals, u_char *fl) -{ - int loop; /* for copying the fields data */ - u_char *st, *st2; /* st will hold the stream of values */ - int st_len; /* st2 the final stream with opcode */ - int retc; /* return code from call */ - u_char *ret_st; - int ret_sz; - - if ((retc = kadm_cli_conn()) != KADM_SUCCESS) - return(retc); - st_len = vals_to_stream(vals, &st); - st2 = (u_char *) malloc((unsigned)(1 + st_len + FLDSZ)); - if (st2 == NULL) - return KADM_NOMEM; - - *st2 = (u_char) GET_ENT; /* here's the opcode */ - memcpy((char *)st2 + 1, st, st_len); /* append st on */ - for (loop = FLDSZ - 1; loop >= 0; loop--) - *(st2 + st_len + FLDSZ - loop) = fl[loop]; /* append the flags */ - retc = kadm_cli_send(st2, st_len + 1 + FLDSZ, &ret_st, &ret_sz); - free(st); - st = NULL; - free(st2); - st2 = NULL; - if (retc == KADM_SUCCESS) { - /* ret_st has vals */ - if (stream_to_vals(ret_st, vals, ret_sz) < 0) - retc = KADM_LENGTH_ERROR; - free(ret_st); - ret_st = NULL; - } - kadm_cli_disconn(); - return(retc); -} diff --git a/kerberosIV/kadm/kadm_err.et b/kerberosIV/kadm/kadm_err.et deleted file mode 100644 index 22e9b5c0e7a..00000000000 --- a/kerberosIV/kadm/kadm_err.et +++ /dev/null 
@@ -1,76 +0,0 @@
-# $OpenBSD: kadm_err.et,v 1.5 1998/05/15 06:22:17 art Exp $
-# $KTH: kadm_err.et,v 1.5 1998/01/16 23:11:27 joda Exp $
-
-#-
-# Copyright (C) 1988 by the Massachusetts Institute of Technology
-#
-# Export of this software from the United States of America is assumed
-# to require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty. 
-
- et kadm
-
-# KADM_SUCCESS, as all success codes should be, is zero
-
-ec KADM_RCSID, "$OpenBSD: kadm_err.et,v 1.5 1998/05/15 06:22:17 art Exp $"
-# /* Building and unbuilding the packet errors */
-ec KADM_NO_REALM, "Cannot fetch local realm"
-ec KADM_NO_CRED, "Unable to fetch credentials"
-ec KADM_BAD_KEY, "Bad key supplied"
-ec KADM_NO_ENCRYPT, "Can't encrypt data"
-ec KADM_NO_AUTH, "Cannot encode/decode authentication info"
-ec KADM_WRONG_REALM, "Principal attempting change is in wrong realm"
-ec KADM_NO_ROOM, "Packet is too large"
-ec KADM_BAD_VER, "Version number is incorrect"
-ec KADM_BAD_CHK, "Checksum does not match"
-ec KADM_NO_READ, "Unsealing private data failed"
-ec KADM_NO_OPCODE, "Unsupported operation"
-ec KADM_NO_HOST, "Could not find administrating host"
-ec KADM_UNK_HOST, "Administrating host name is unknown"
-ec KADM_NO_SERV, "Could not find service name in services database"
-ec KADM_NO_SOCK, "Could not create socket"
-ec KADM_NO_CONN, "Could not connect to server"
-ec KADM_NO_HERE, "Could not fetch local socket address"
-ec KADM_NO_MAST, "Could not fetch master key"
-ec KADM_NO_VERI, "Could not verify master key"
-
-# /* From the server side routines */
-ec KADM_INUSE, "Entry already exists in database"
-ec KADM_UK_SERROR, "Database store error"
-ec KADM_UK_RERROR, "Database read error"
-ec KADM_UNAUTH, "Insufficient access to perform requested operation"
-# KADM_DATA isn't really an error, but... 
-ec KADM_DATA, "Data is available for return to client"
-ec KADM_NOENTRY, "No such entry in the database"
-
-ec KADM_NOMEM, "Memory exhausted"
-ec KADM_NO_HOSTNAME, "Could not fetch system hostname"
-ec KADM_NO_BIND, "Could not bind port"
-ec KADM_LENGTH_ERROR, "Length mismatch problem"
-ec KADM_ILL_WILDCARD, "Illegal use of wildcard"
-
-ec KADM_DB_INUSE, "Database is locked or in use--try again later"
-
-ec KADM_INSECURE_PW, "Insecure password rejected"
-ec KADM_PW_MISMATCH, "Cleartext password and DES key did not match"
-
-ec KADM_NOT_SERV_PRINC, "Invalid principal for change srvtab request"
-ec KADM_IMMUTABLE, "Attempt to delete immutable principal"
-# password quality basically stolen from OV libkadm5
-ec KADM_PASS_Q_NULL, "Null passwords are not allowed"
-ec KADM_PASS_Q_TOOSHORT,"Password is too short"
-ec KADM_PASS_Q_CLASS, "Too few character classes in password"
-ec KADM_PASS_Q_DICT, "Password is in the password dictionary"
-end
diff --git a/kerberosIV/kadm/kadm_stream.c b/kerberosIV/kadm/kadm_stream.c
deleted file mode 100644
index 791a553a0b4..00000000000
--- a/kerberosIV/kadm/kadm_stream.c
+++ /dev/null
@@ -1,354 +0,0 @@ -/* $OpenBSD: kadm_stream.c,v 1.5 1998/08/16 02:42:06 art Exp $ */ -/* $KTH: kadm_stream.c,v 1.11 1997/05/02 10:28:05 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. 
- - */ - -/* - * Stream conversion functions for Kerberos administration server - */ - -/* - * kadm_stream.c - * this holds the stream support routines for the kerberos administration - * server - * - * vals_to_stream: converts a vals struct to a stream for transmission - * internals build_field_header, vts_[string, char, long, short] - * stream_to_vals: converts a stream to a vals struct - * internals check_field_header, stv_[string, char, long, short] - * error: prints out a kadm error message, returns - * fatal: prints out a kadm fatal error message, exits - */ - -#include "kadm_locl.h" - -static int -build_field_header(u_char *cont, u_char **st) - /* container for fields data */ - /* stream */ -{ - *st = (u_char *) malloc (4); - if (st == NULL) - return -1; - memcpy(*st, cont, 4); - return 4; /* return pointer to current stream location */ -} - -static int -check_field_header(u_char *st, u_char *cont, int maxlen) - /* stream */ - /* container for fields data */ - -{ - if (maxlen < 4 || cont == NULL || st == NULL) - return(-1); - memcpy(cont, st, 4); - return 4; /* return pointer to current stream location */ -} - -int -vts_string(char *dat, u_char **st, int loc) - /* a string to put on the stream */ - /* base pointer to the stream */ - /* offset into the stream for current data */ -{ - u_char *temp; - - temp = (u_char *) realloc (*st, (unsigned) (loc + strlen(dat) + 1)); - if (temp == NULL) { - free(*st); - return -1; - } - *st = temp; - - memcpy(*st + loc, dat, strlen(dat)+1); - return strlen(dat)+1; -} - - -static int -vts_short(u_int16_t dat, u_char **st, int loc) - /* the attributes field */ - /* a base pointer to the stream */ - /* offset into the stream for current data */ -{ - unsigned char *p; - - p = realloc(*st, loc + 2); - if (p == NULL) { - abort(); - } - p[loc] = (dat >> 8) & 0xff; - p[loc+1] = dat & 0xff; - *st = p; - return 2; -} - -static int -vts_char(u_char dat, u_char **st, int loc) - /* the attributes field */ - /* a base pointer to the 
stream */ - /* offset into the stream for current data */ -{ - unsigned char *p = realloc(*st, loc + 1); - if (p == NULL) { - abort(); - } - p[loc] = dat; - *st = p; - return 1; -} - -int -vts_long(u_int32_t dat, u_char **st, int loc) - /* the attributes field */ - /* a base pointer to the stream */ - /* offset into the stream for current data */ -{ - unsigned char *p = realloc(*st, loc + 4); - if(p == NULL){ - abort(); - } - p[loc] = (dat >> 24) & 0xff; - p[loc+1] = (dat >> 16) & 0xff; - p[loc+2] = (dat >> 8) & 0xff; - p[loc+3] = dat & 0xff; - *st = p; - return 4; -} - -#ifndef min -#define min(a,b) (a < b ? a : b) -#endif - -int -stv_string(u_char *st, /* base pointer to the stream */ - char *dat, /* a string to read from the stream */ - int loc, /* offset into the stream for current data */ - int stlen, /* max length of string to copy in */ - int maxlen) /* max length of input stream */ -{ - int maxcount; /* max count of chars to copy */ - - maxcount = min(maxlen - loc, stlen); - - if(maxcount <= 0) - return -1; - - strncpy(dat, (char *)st + loc, maxcount); - - if (dat[maxcount - 1]) /* not null-term --> not enough room */ - return -1; - return strlen(dat)+1; -} - -static int -stv_short(u_char *st, u_int16_t *dat, int loc, int maxlen) - /* a base pointer to the stream */ - /* the attributes field */ - /* offset into the stream for current data */ - -{ - if (maxlen - loc < 2) - return -1; - - *dat = (st[loc] << 8) | st[loc + 1]; - return 2; -} - -int -stv_long(u_char *st, u_int32_t *dat, int loc, int maxlen) - /* a base pointer to the stream */ - /* the attributes field */ - /* offset into the stream for current data */ - /* maximum length of st */ -{ - if (maxlen - loc < 4) - return -1; - - *dat = (st[loc] << 24) | (st[loc+1] << 16) | (st[loc+2] << 8) | st[loc+3]; - return 4; -} - -static int -stv_char(u_char *st, u_char *dat, int loc, int maxlen) - /* a base pointer to the stream */ - /* the attributes field */ - /* offset into the stream for current data */ - 
-{ - if (maxlen - loc < 1) - return -1; - - *dat = st[loc]; - return 1; -} - -/* - * vals_to_stream - * recieves : kadm_vals *, u_char * - * returns : a realloced and filled in u_char * - * - * this function creates a byte-stream representation of the kadm_vals - * structure - */ - -int -vals_to_stream(Kadm_vals *dt_in, u_char **dt_out) -{ - int vsloop, stsize, stsizetemp; /* loop counter, stream size */ - - stsize = build_field_header(dt_in->fields, dt_out); - if (stsize < 0) - return -1; - - for (vsloop=31; vsloop>=0; vsloop--) - if (IS_FIELD(vsloop, dt_in->fields)) { - switch (vsloop) { - case KADM_NAME: - stsizetemp = vts_string(dt_in->name, dt_out, stsize); - if (stsizetemp < 0) - return -1; - stsize += stsizetemp; - break; - case KADM_INST: - stsizetemp = vts_string(dt_in->instance, dt_out, stsize); - if (stsizetemp < 0) - return -1; - stsize += stsizetemp; - break; - case KADM_EXPDATE: - stsizetemp = vts_long(dt_in->exp_date, dt_out, stsize); - if (stsizetemp < 0) - return -1; - stsize += stsizetemp; - break; - case KADM_ATTR: - stsizetemp = vts_short(dt_in->attributes, dt_out, stsize); - if (stsizetemp < 0) - return -1; - stsize += stsizetemp; - break; - case KADM_MAXLIFE: - stsizetemp = vts_char(dt_in->max_life, dt_out, stsize); - if (stsizetemp < 0) - return -1; - stsize += stsizetemp; - break; - case KADM_DESKEY: - stsizetemp = vts_long(dt_in->key_high, dt_out, stsize); - if (stsizetemp < 0) - return -1; - stsize += stsizetemp; - stsizetemp = vts_long(dt_in->key_low, dt_out, stsize); - if (stsizetemp < 0) - return -1; - stsize += stsizetemp; - break; - default: - break; - } - } - return(stsize); -} - -/* - * stream_to_vals - * recieves : u_char *, kadm_vals * - * returns : a kadm_vals filled in according to u_char * - * - * this decodes a byte stream represntation of a vals struct into kadm_vals - */ -int -stream_to_vals(u_char *dt_in, Kadm_vals *dt_out, int maxlen) - - - /* max length to use */ -{ - int vsloop, stsize; /* loop counter, stream size */ - 
int status; - - memset(dt_out, 0, sizeof(*dt_out)); - - stsize = check_field_header(dt_in, dt_out->fields, maxlen); - if (stsize < 0) - return(-1); - for (vsloop=31; vsloop>=0; vsloop--) - if (IS_FIELD(vsloop,dt_out->fields)) - switch (vsloop) { - case KADM_NAME: - if ((status = stv_string(dt_in, dt_out->name, stsize, - sizeof(dt_out->name), maxlen)) < 0) - return(-1); - stsize += status; - break; - case KADM_INST: - if ((status = stv_string(dt_in, dt_out->instance, stsize, - sizeof(dt_out->instance), maxlen)) < 0) - return(-1); - stsize += status; - break; - case KADM_EXPDATE: - if ((status = stv_long(dt_in, &dt_out->exp_date, stsize, - maxlen)) < 0) - return(-1); - stsize += status; - break; - case KADM_ATTR: - if ((status = stv_short(dt_in, &dt_out->attributes, stsize, - maxlen)) < 0) - return(-1); - stsize += status; - break; - case KADM_MAXLIFE: - if ((status = stv_char(dt_in, &dt_out->max_life, stsize, - maxlen)) < 0) - return(-1); - stsize += status; - break; - case KADM_DESKEY: - if ((status = stv_long(dt_in, &dt_out->key_high, stsize, - maxlen)) < 0) - return(-1); - stsize += status; - if ((status = stv_long(dt_in, &dt_out->key_low, stsize, - maxlen)) < 0) - return(-1); - stsize += status; - break; - default: - break; - } - return stsize; -} diff --git a/kerberosIV/kadm/kadm_supp.c b/kerberosIV/kadm/kadm_supp.c deleted file mode 100644 index f3ff2fca573..00000000000 --- a/kerberosIV/kadm/kadm_supp.c +++ /dev/null 
@@ -1,123 +0,0 @@ -/* $OpenBSD: kadm_supp.c,v 1.3 1997/12/12 10:02:46 art Exp $ */ -/* $KTH: kadm_supp.c,v 1.8 1997/05/02 10:27:58 joda Exp $ */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. 
- - */ - -/* - * Support functions for Kerberos administration server & clients - */ - -/* - kadm_supp.c - this holds the support routines for the kerberos administration server - - error: prints out a kadm error message, returns - fatal: prints out a kadm fatal error message, exits - prin_vals: prints out data associated with a Principal in the vals - structure -*/ - -#include "kadm_locl.h" - -/* -prin_vals: - recieves : a vals structure -*/ -void -prin_vals(Kadm_vals *vals) -{ - printf("Info in Database for %s.%s:\n", vals->name, vals->instance); - printf(" Max Life: %d (%s) Exp Date: %s\n", - vals->max_life, - krb_life_to_atime(vals->max_life), - asctime(k_localtime(&vals->exp_date))); - printf(" Attribs: %.2x key: %#lx %#lx\n", - vals->attributes, - (long)vals->key_low, (long)vals->key_high); -} - -/* kadm_prin_to_vals takes a fields arguments, a Kadm_vals and a Principal, - it copies the fields in Principal specified by fields into Kadm_vals, - i.e from old to new */ - -void -kadm_prin_to_vals(u_char *fields, Kadm_vals *new, Principal *old) -{ - if (new == NULL) - return; - - memset(new, 0, sizeof(*new)); - if (IS_FIELD(KADM_NAME,fields)) { - strncpy(new->name, old->name, ANAME_SZ - 1); - new->name[ANAME_SZ - 1] = '\0'; - SET_FIELD(KADM_NAME, new->fields); - } - if (IS_FIELD(KADM_INST,fields)) { - strncpy(new->instance, old->instance, INST_SZ - 1); - new->instance[INST_SZ - 1] = '\0'; - SET_FIELD(KADM_INST, new->fields); - } - if (IS_FIELD(KADM_EXPDATE,fields)) { - new->exp_date = old->exp_date; - SET_FIELD(KADM_EXPDATE, new->fields); - } - if (IS_FIELD(KADM_ATTR,fields)) { - new->attributes = old->attributes; - SET_FIELD(KADM_ATTR, new->fields); - } - if (IS_FIELD(KADM_MAXLIFE,fields)) { - new->max_life = old->max_life; - SET_FIELD(KADM_MAXLIFE, new->fields); - } - if (IS_FIELD(KADM_DESKEY,fields)) { - new->key_low = old->key_low; - new->key_high = old->key_high; - SET_FIELD(KADM_DESKEY, new->fields); - } -} - -void -kadm_vals_to_prin(u_char *fields, 
Principal *new, Kadm_vals *old) -{ - if (new == NULL) - return; - - memset(new, 0, sizeof(*new)); - if (IS_FIELD(KADM_NAME,fields)) { - strncpy(new->name, old->name, ANAME_SZ); - new->name[ANAME_SZ - 1] = '\0'; - } - if (IS_FIELD(KADM_INST,fields)) { - strncpy(new->instance, old->instance, INST_SZ); - new->instance[KADM_INST - 1] = '\0'; - } - if (IS_FIELD(KADM_EXPDATE,fields)) - new->exp_date = old->exp_date; - if (IS_FIELD(KADM_ATTR,fields)) - new->attributes = old->attributes; - if (IS_FIELD(KADM_MAXLIFE,fields)) - new->max_life = old->max_life; - if (IS_FIELD(KADM_DESKEY,fields)) { - new->key_low = old->key_low; - new->key_high = old->key_high; - } -} diff --git a/kerberosIV/kadm/shlib_version b/kerberosIV/kadm/shlib_version deleted file mode 100644 index 3066b9771e7..00000000000 --- a/kerberosIV/kadm/shlib_version +++ /dev/null @@ -1,2 +0,0 @@ -major=5 -minor=0 diff --git a/kerberosIV/kadmin/Makefile b/kerberosIV/kadmin/Makefile deleted file mode 100644 index bc3d2ccc933..00000000000 --- a/kerberosIV/kadmin/Makefile +++ /dev/null @@ -1,25 +0,0 @@ -# $Id: Makefile,v 1.7 1998/04/26 22:32:11 art Exp $ - -.include <bsd.obj.mk> - -PROG= kadmin -SRCS= kadmin.c new_pwd.c sl.c - -.if exists(${.CURDIR}/../kadm/${__objdir}) -CFLAGS+=-I${.CURDIR}/../kadm/${__objdir} -.else -CFLAGS+=-I${.CURDIR}/../kadm -.endif - -.if exists(${.CURDIR}/../krb/${__objdir}) -CFLAGS+=-I${.CURDIR}/../krb/${__objdir} -.else -CFLAGS+=-I${.CURDIR}/../krb -.endif - -LDADD+= -lkadm -lkrb -ldes -lcom_err -DPADD+= ${LIBKADM} ${LIBKRB} ${LIBDES} ${LIBCOM_ERR} -CLEANFILES+= kadmin_cmds.c -MAN= kadmin.8 - -.include <bsd.prog.mk> diff --git a/kerberosIV/kadmin/kadmin.8 b/kerberosIV/kadmin/kadmin.8 deleted file mode 100644 index e0e447b0f1a..00000000000 --- a/kerberosIV/kadmin/kadmin.8 +++ /dev/null 
@@ -1,180 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. -.\" -.\" $OpenBSD: kadmin.8,v 1.4 1998/02/25 15:50:43 art Exp $ -.TH KADMIN 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kadmin \- network utility for Kerberos database administration -.SH SYNOPSIS -.B kadmin [-u user] [-r default_realm] [-m] -.SH DESCRIPTION -This utility provides a unified administration interface to -the -Kerberos -master database. 
-Kerberos -administrators -use -.I kadmin -to register new users and services to the master database, -and to change information about existing database entries. -For instance, an administrator can use -.I kadmin -to change a user's -Kerberos -password. -A Kerberos administrator is a user with an ``admin'' instance -whose name appears on one of the Kerberos administration access control -lists. If the \-u option is used, -.I user -will be used as the administrator instead of the local user. -If the \-r option is used, -.I default_realm -will be used as the default realm for transactions. Otherwise, -the local realm will be used by default. -If the \-m option is used, multiple requests will be permitted -on only one entry of the admin password. Some sites won't -support this option. - -The -.I kadmin -program communicates over the network with the -.I kadmind -program, which runs on the machine housing the Kerberos master -database. -The -.I kadmind -creates new entries and makes modifications to the database. - -When you enter the -.I kadmin -command, -the program displays a message that welcomes you and explains -how to ask for help. -Then -.I kadmin -waits for you to enter commands (which are described below). -It then asks you for your -.I admin -password before accessing the database. - -Use the -.I add_new_key -(or -.I ank -for short) -command to register a new principal -with the master database. -The command requires one argument, -the principal's name. The name -given can be fully qualified using -the standard -.I name.instance@realm -convention. -You are asked to enter your -.I admin -password, -then prompted twice to enter the principal's -new password. If no realm is specified, -the local realm is used unless another was -given on the commandline with the \-r flag. -If no instance is -specified, a null instance is used. If -a realm other than the default realm is specified, -you will need to supply your admin password for -the other realm. 
- -Use the -.I change_password (cpw) -to change a principal's -Kerberos -password. -The command requires one argument, -the principal's -name. -You are asked to enter your -.I admin -password, -then prompted twice to enter the principal's new password. -The name -given can be fully qualified using -the standard -.I name.instance@realm -convention. - -Use the -.I change_admin_password (cap) -to change your -.I admin -instance password. -This command requires no arguments. -It prompts you for your old -.I admin -password, then prompts you twice to enter the new -.I admin -password. If this is your first command, -the default realm is used. Otherwise, the realm -used in the last command is used. - -Use the -.I destroy_tickets (dest) -command to destroy your admin tickets explicitly. - -Use the -.I list_requests (lr) -command to get a list of possible commands. - -Use the -.I help -command to display -.IR kadmin's -various help messages. -If entered without an argument, -.I help -displays a general help message. -You can get detailed information on specific -.I kadmin -commands -by entering -.I help -.IR command_name . - -To quit the program, type -.IR quit . - -.SH BUGS -The user interface is primitive, and the command names could be better. - -.SH "SEE ALSO" -kerberos(1), kadmind(8), kpasswd(1), ksrvutil(8) -.br -``A Subsystem Utilities Package for UNIX'' by Ken Raeburn -.SH AUTHORS -Jeffrey I. Schiller, MIT Project Athena -.br -Emanuel Jay Berkenbilt, MIT Project Athena diff --git a/kerberosIV/kadmin/kadmin.c b/kerberosIV/kadmin/kadmin.c deleted file mode 100644 index 0ddc290f1dd..00000000000 --- a/kerberosIV/kadmin/kadmin.c +++ /dev/null 
@@ -1,862 +0,0 @@ -/* $OpenBSD: kadmin.c,v 1.8 1999/05/23 17:19:24 aaron Exp $ */ -/* $KTH: kadmin.c,v 1.50 1997/11/03 19:51:46 assar Exp $ */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * Kerberos database administrator's tool. - * - * The default behavior of kadmin is if the -m option is given - * on the commandline, multiple requests are allowed to be given - * with one entry of the admin password (until the tickets expire). 
- */ - -#include "kadm_locl.h" - -static int change_password(int argc, char **argv); -static int change_key(int argc, char **argv); -static int change_admin_password(int argc, char **argv); -static int add_new_key(int argc, char **argv); -static int del_entry(int argc, char **argv); -static int get_entry(int argc, char **argv); -static int mod_entry(int argc, char **argv); -static int help(int argc, char **argv); -static int clean_up_cmd(int argc, char **argv); -static int quit_cmd(int argc, char **argv); - -static SL_cmd cmds[] = { - {"change_password", change_password, "Change a user's password"}, - {"cpw"}, - {"passwd"}, - {"change_key", change_key, "Change a user's password as a DES binary key"}, - {"ckey"}, - {"change_admin_password", change_admin_password, - "Change your admin password"}, - {"cap"}, - {"add_new_key", add_new_key, "Add new user to kerberos database"}, - {"ank"}, - {"del_entry", del_entry, "Delete entry from database"}, - {"del"}, - {"delete"}, - {"get_entry", get_entry, "Get entry from kerberos database"}, - {"mod_entry", mod_entry, "Modify entry in kerberos database"}, - {"destroy_tickets", clean_up_cmd, "Destroy admin tickets"}, - {"exit", quit_cmd, "Exit program"}, - {"quit"}, - {"help", help, "Help"}, - {"?"}, - {NULL} -}; - -#define BAD_PW 1 -#define GOOD_PW 0 -#define FUDGE_VALUE 15 /* for ticket expiration time */ -#define PE_NO 0 -#define PE_YES 1 -#define PE_UNSURE 2 - -/* for get_password, whether it should do the swapping...necessary for - using vals structure, unnecessary for change_pw requests */ -#define DONTSWAP 0 -#define SWAP 1 - -static krb_principal pr; -static char default_realm[REALM_SZ]; /* default kerberos realm */ -static char krbrlm[REALM_SZ]; /* current realm being administered */ -static int multiple = 0; /* Allow multiple requests per ticket */ - -#ifdef NOENCRYPTION -#define read_long_pw_string placebo_read_pw_string -#else -#define read_long_pw_string des_read_pw_string -#endif - -time_t -tm2time (struct tm tm, 
int local) -{ - time_t t; - - tm.tm_isdst = -1; - - t = mktime (&tm); - - if (!local) - t += t - mktime (gmtime (&t)); - return t; -} - -static void -get_maxlife(Kadm_vals *vals) -{ - char buff[BUFSIZ]; - time_t life; - int l; - - do { - printf("Maximum ticket lifetime? (%d) [%s] ", - vals->max_life, krb_life_to_atime(vals->max_life)); - fflush(stdout); - if (fgets(buff, sizeof(buff), stdin) == NULL || *buff == '\n') { - clearerr(stdin); - return; - } - life = krb_atime_to_life(buff); - } while (life <= 0); - - l = strlen(buff); - if (buff[l-2] == 'm') - life = krb_time_to_life(0L, life*60); - if (buff[l-2] == 'h') - life = krb_time_to_life(0L, life*60*60); - - vals->max_life = life; - SET_FIELD(KADM_MAXLIFE,vals->fields); -} - -static void -get_attr(Kadm_vals *vals) -{ - char buff[BUFSIZ], *out; - int attr; - - do { - printf("Attributes? [0x%.2x] ", vals->attributes); - fflush(stdout); - if (fgets(buff, sizeof(buff), stdin) == NULL || *buff == '\n') { - clearerr(stdin); - return; - } - attr = strtol(buff, &out, 0); - if (attr == 0 && out == buff) - attr = -1; - } while (attr < 0 || attr > 0xffff); - - vals->attributes = attr; - SET_FIELD(KADM_ATTR,vals->fields); -} - -static void -get_expdate(Kadm_vals *vals) -{ - char buff[BUFSIZ]; - struct tm edate; - - memset(&edate, 0, sizeof(edate)); - do { - printf("Expiration date (enter yyyy-mm-dd) ? 
[%.24s] ", - asctime(k_localtime(&vals->exp_date))); - fflush(stdout); - if (fgets(buff, sizeof(buff), stdin) == NULL || *buff == '\n') { - clearerr(stdin); - return; - } - if (sscanf(buff, "%d-%d-%d", - &edate.tm_year, &edate.tm_mon, &edate.tm_mday) == 3) { - edate.tm_mon--; /* January is 0, not 1 */ - edate.tm_hour = 23; /* nearly midnight at the end of the */ - edate.tm_min = 59; /* specified day */ - } - } while (krb_check_tm (edate)); - - edate.tm_year -= 1900; - vals->exp_date = tm2time (edate, 1); - SET_FIELD(KADM_EXPDATE,vals->fields); -} - -static int -princ_exists(char *name, char *instance, char *realm) -{ - int status; - - int old = krb_use_admin_server(1); - status = krb_get_pw_in_tkt(name, instance, realm, - KRB_TICKET_GRANTING_TICKET, - realm, 1, ""); - krb_use_admin_server(old); - - if ((status == KSUCCESS) || (status == INTK_BADPW)) - return(PE_YES); - else if (status == KDC_PR_UNKNOWN) - return(PE_NO); - else - return(PE_UNSURE); -} - -static int -get_password(u_int32_t *low, u_int32_t *high, char *prompt, int byteswap) -{ - char new_passwd[MAX_KPW_LEN]; /* new password */ - des_cblock newkey; - - if (read_long_pw_string(new_passwd, sizeof(new_passwd)-1, prompt, 1)) - return(BAD_PW); - if (strlen(new_passwd) == 0) { - printf("Using random password.\n"); -#ifdef NOENCRYPTION - memset(newkey, 0, sizeof(newkey)); -#else - des_new_random_key(&newkey); -#endif - } else { -#ifdef NOENCRYPTION - memset(newkey, 0, sizeof(newkey)); -#else - des_string_to_key(new_passwd, &newkey); -#endif - memset(new_passwd, 0, sizeof(new_passwd)); - } - - memcpy(low, newkey, 4); - memcpy(high, ((char *)newkey) + 4, 4); - - memset(newkey, 0, sizeof(newkey)); - -#ifdef NOENCRYPTION - *low = 1; -#endif - - if (byteswap != DONTSWAP) { - *low = htonl(*low); - *high = htonl(*high); - } - return(GOOD_PW); -} - -static int -get_admin_password(void) -{ - int status; - char admin_passwd[MAX_KPW_LEN]; /* Admin's password */ - int ticket_life = 1; /* minimum ticket lifetime */ - 
CREDENTIALS c; - - if (multiple) { - /* If admin tickets exist and are valid, just exit. */ - memset(&c, 0, sizeof(c)); - if (krb_get_cred(PWSERV_NAME, KADM_SINST, krbrlm, &c) == KSUCCESS) - /* - * If time is less than lifetime - FUDGE_VALUE after issue date, - * tickets will probably last long enough for the next - * transaction. - */ - if (time(0) < (c.issue_date + (5 * 60 * c.lifetime) - FUDGE_VALUE)) - return(KADM_SUCCESS); - ticket_life = DEFAULT_TKT_LIFE; - } - - if (princ_exists(pr.name, pr.instance, pr.realm) != PE_NO) { - char prompt[256]; - snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&pr)); - if (read_long_pw_string(admin_passwd, - sizeof(admin_passwd)-1, - prompt, 0)) { - warnx ("Error reading admin password."); - goto bad; - } - status = krb_get_pw_in_tkt(pr.name, pr.instance, pr.realm, - PWSERV_NAME, KADM_SINST, - ticket_life, admin_passwd); - memset(admin_passwd, 0, sizeof(admin_passwd)); - - /* Initialize non shared random sequence from session key. 
*/ - memset(&c, 0, sizeof(c)); - krb_get_cred(PWSERV_NAME, KADM_SINST, krbrlm, &c); - des_init_random_number_generator(&c.session); - } - else - status = KDC_PR_UNKNOWN; - - switch(status) { - case GT_PW_OK: - return(GOOD_PW); - case KDC_PR_UNKNOWN: - printf("Principal %s does not exist.\n", krb_unparse_name(&pr)); - goto bad; - case GT_PW_BADPW: - printf("Incorrect admin password.\n"); - goto bad; - default: - com_err("kadmin", status+krb_err_base, - "while getting password tickets"); - goto bad; - } - - bad: - memset(admin_passwd, 0, sizeof(admin_passwd)); - dest_tkt(); - return(BAD_PW); -} - -static void -usage(void) -{ - fprintf (stderr, "Usage: kadmin [[-u|-p] admin_name] [-r default_realm]" - " [-m]\n" - " -m allows multiple admin requests to be " - "serviced with one entry of admin\n" - " password.\n"); - exit (1); -} - -/* GLOBAL */ -static void -clean_up() -{ - dest_tkt(); -} - -static int -clean_up_cmd (int argc, char **argv) -{ - clean_up(); - return 0; -} - -static int -quit_cmd (int argc, char **argv) -{ - return 1; -} - -static void -do_init(int argc, char **argv) -{ - int c; - int tflag = 0; - char tktstring[MAXPATHLEN]; - int k_errno; - - memset(&pr, 0, sizeof(pr)); - if (krb_get_default_principal(pr.name, pr.instance, default_realm) < 0) - errx (1, "I could not even guess who you might be"); - while ((c = getopt(argc, argv, "p:u:r:mt")) != -1) - switch (c) { - case 'p': - case 'u': - if((k_errno = krb_parse_name(optarg, &pr)) != KSUCCESS) - errx (1, "%s", krb_get_err_text(k_errno)); - break; - case 'r': - memset(default_realm, 0, sizeof(default_realm)); - strncpy(default_realm, optarg, sizeof(default_realm) - 1); - break; - case 'm': - multiple++; - break; - case 't': - tflag++; - break; - default: - usage(); - break; - } - if (optind < argc) - usage(); - - strncpy(krbrlm, default_realm, REALM_SZ - 1); - krbrlm[REALM_SZ - 1] = '\0'; - - if (kadm_init_link(PWSERV_NAME, KRB_MASTER, krbrlm) != KADM_SUCCESS) - krbrlm[0] = '\0'; - if (pr.realm[0] == 
'\0') { - strncpy (pr.realm, krbrlm, REALM_SZ - 1); - pr.realm[REALM_SZ - 1] = '\0'; - } - if (pr.instance[0] == '\0') { - strncpy(pr.instance, "admin", INST_SZ - 1); - pr.instance[INST_SZ - 1] = '\0'; - } - - if (!tflag) { - snprintf(tktstring, sizeof(tktstring), TKT_ROOT "_adm_%d",(int)getpid()); - krb_set_tkt_string(tktstring); - } - -} - -int -main(int argc, char **argv) -{ - do_init(argc, argv); - - printf("Welcome to the Kerberos Administration Program, version 2\n"); - printf("Type \"help\" if you need it.\n"); - sl_loop (cmds, "kadmin: "); - printf("\nCleaning up and exiting.\n"); - clean_up(); - exit(0); -} - -static int -setvals(Kadm_vals *vals, char *string) -{ - char realm[REALM_SZ]; - int status = KADM_SUCCESS; - - memset(vals, 0, sizeof(*vals)); - memset(realm, 0, sizeof(realm)); - - SET_FIELD(KADM_NAME,vals->fields); - SET_FIELD(KADM_INST,vals->fields); - if ((status = kname_parse(vals->name, vals->instance, realm, string))) { - printf("kerberos error: %s\n", krb_get_err_text(status)); - return status; - } - if (realm[0] == '\0') { - strncpy(realm, default_realm, REALM_SZ - 1); - realm[REALM_SZ - 1] = '\0'; - } - if (strcmp(realm, krbrlm)) { - strncpy(krbrlm, realm, REALM_SZ - 1); - krbrlm[REALM_SZ - 1] = '\0'; - if ((status = kadm_init_link(PWSERV_NAME, KRB_MASTER, krbrlm)) - != KADM_SUCCESS) - printf("kadm error for realm %s: %s\n", - krbrlm, error_message(status)); - } - if (status) - return 1; - else - return KADM_SUCCESS; -} - -static int -change_password(int argc, char **argv) -{ - Kadm_vals old, new; - int status; - char pw_prompt[BUFSIZ]; - - if (argc != 2) { - printf("Usage: change_password loginname\n"); - return 0; - } - - if (setvals(&old, argv[1]) != KADM_SUCCESS) - return 0; - - new = old; - - SET_FIELD(KADM_DESKEY,new.fields); - - if (princ_exists(old.name, old.instance, krbrlm) != PE_NO) { - /* get the admin's password */ - if (get_admin_password() != GOOD_PW) - return 0; - - /* get the new password */ - snprintf(pw_prompt, 
sizeof(pw_prompt), "New password for %s:", argv[1]); - - if (get_password(&new.key_low, &new.key_high, - pw_prompt, SWAP) == GOOD_PW) { - status = kadm_mod(&old, &new); - if (status == KADM_SUCCESS) { - printf("Password changed for %s.\n", argv[1]); - } else { - printf("kadmin: %s\nwhile changing password for %s", - error_message(status), argv[1]); - } - } else - printf("Error reading password; password unchanged\n"); - memset(&new, 0, sizeof(new)); - if (!multiple) - clean_up(); - } - else - printf("kadmin: Principal %s does not exist.\n", - krb_unparse_name_long (old.name, old.instance, krbrlm)); - return 0; -} - -static int -getkey(unsigned char *k) -{ - int i, c; - for (i = 0; i < 8; i++) - { - c = getchar(); - if (c == EOF) - return 0; - else if (c == '\\') - { - int oct = -1; - scanf("%03o", &oct); - if (oct < 0 || oct > 255) - return 0; - k[i] = oct; - } - else if (!isalpha(c)) - return 0; - else - k[i] = c; - } - c = getchar(); - if (c != '\n') - return 0; - return 1; /* Success */ -} - -static void -printkey(unsigned char *tkey) -{ - int j; - for(j = 0; j < 8; j++) - if(tkey[j] != '\\' && isalpha(tkey[j]) != 0) - printf("%c", tkey[j]); - else - printf("\\%03o",(unsigned char)tkey[j]); - printf("\n"); -} - -static int -change_key(int argc, char **argv) -{ - Kadm_vals old, new; - unsigned char newkey[8]; - int status; - - if (argc != 2) { - printf("Usage: change_key principal-name\n"); - return 0; - } - - if (setvals(&old, argv[1]) != KADM_SUCCESS) - return 0; - - new = old; - - SET_FIELD(KADM_DESKEY,new.fields); - - if (princ_exists(old.name, old.instance, krbrlm) != PE_NO) { - /* get the admin's password */ - if (get_admin_password() != GOOD_PW) - return 0; - - /* get the new password */ - printf("New DES key for %s: ", argv[1]); - - if (getkey(newkey)) { - memcpy(&new.key_low, newkey, 4); - memcpy(&new.key_high, ((char *)newkey) + 4, 4); - printf("Entered key for %s: ", argv[1]); - printkey(newkey); - memset(newkey, 0, sizeof(newkey)); - - status = 
kadm_mod(&old, &new); - if (status == KADM_SUCCESS) { - printf("Key changed for %s.\n", argv[1]); - } else { - printf("kadmin: %s\nwhile changing key for %s", - error_message(status), argv[1]); - } - } else - printf("Error reading key; key unchanged\n"); - memset(&new, 0, sizeof(new)); - if (!multiple) - clean_up(); - } - else - printf("kadmin: Principal %s does not exist.\n", - krb_unparse_name_long (old.name, old.instance, krbrlm)); - return 0; -} - -static int -change_admin_password(int argc, char **argv) -{ - des_cblock newkey; - int status; - char pword[MAX_KPW_LEN]; - char *pw_msg; - - if (argc != 1) { - printf("Usage: change_admin_password\n"); - return 0; - } - if (get_pw_new_pwd(pword, sizeof(pword), &pr, 1) == 0) { - des_string_to_key(pword, &newkey); - status = kadm_change_pw_plain(newkey, pword, &pw_msg); - if(status == KADM_INSECURE_PW) - printf("Insecure password: %s\n", pw_msg); - else if (status == KADM_SUCCESS) - printf("Admin password changed\n"); - else - printf("kadm error: %s\n",error_message(status)); - memset(newkey, 0, sizeof(newkey)); - memset(pword, 0, sizeof(pword)); - } - if (!multiple) - clean_up(); - return 0; -} - -static int -add_new_key(int argc, char **argv) -{ - Kadm_vals new; - char pw_prompt[BUFSIZ]; - int status; - - if (argc != 2) { - printf("Usage: add_new_key user_name.\n"); - return 0; - } - if (setvals(&new, argv[1]) != KADM_SUCCESS) - return 0; - - SET_FIELD(KADM_EXPDATE,new.fields); - SET_FIELD(KADM_ATTR,new.fields); - SET_FIELD(KADM_MAXLIFE,new.fields); - SET_FIELD(KADM_DESKEY,new.fields); - - if (princ_exists(new.name, new.instance, krbrlm) != PE_YES) { - Kadm_vals vals; - u_char fields[4]; - char n[ANAME_SZ + INST_SZ + 1]; - - /* get the admin's password */ - if (get_admin_password() != GOOD_PW) - return 0; - - memset(fields, 0, sizeof(fields)); - SET_FIELD(KADM_NAME,fields); - SET_FIELD(KADM_INST,fields); - SET_FIELD(KADM_EXPDATE,fields); - SET_FIELD(KADM_ATTR,fields); - SET_FIELD(KADM_MAXLIFE,fields); - snprintf (n, 
sizeof(n), "default.%s", new.instance); - if (setvals(&vals, n) != KADM_SUCCESS) - return 0; - - if (kadm_get(&vals, fields) != KADM_SUCCESS) { - if (setvals(&vals, "default") != KADM_SUCCESS) - return 0; - if ((status = kadm_get(&vals, fields)) != KADM_SUCCESS) { - printf ("kadm error: %s\n", error_message(status)); - return 0; - } - } - - if (vals.max_life == 255) /* Defaults not set! */ { - /* This is the default maximum lifetime for new principals. */ - if (strcmp(new.instance, "admin") == 0) - vals.max_life = 1 + (CLOCK_SKEW/(5*60)); /* 5+5 minutes */ - else if (strcmp(new.instance, "root") == 0) - vals.max_life = 96; /* 8 hours */ - else if (krb_life_to_time(0, 162) >= 24*60*60) - vals.max_life = 162; /* ca 100 hours */ - else - vals.max_life = 255; /* ca 21 hours (maximum) */ - - /* Also fix expiration date. */ - if (strcmp(new.name, "rcmd") == 0) - vals.exp_date = 1104814999; /* Tue Jan 4 06:03:19 2005 */ - else - vals.exp_date = time(0) + 2*(365*24*60*60); /* + ca 2 years */ - } - - new.max_life = vals.max_life; - new.exp_date = vals.exp_date; - new.attributes = vals.attributes; - get_maxlife(&new); - get_attr(&new); - get_expdate(&new); - - /* get the new password */ - snprintf(pw_prompt, sizeof(pw_prompt), "Password for %s:", argv[1]); - - if (get_password(&new.key_low, &new.key_high, - pw_prompt, SWAP) == GOOD_PW) { - status = kadm_add(&new); - if (status == KADM_SUCCESS) { - printf("%s added to database.\n", argv[1]); - } else { - printf("kadm error: %s\n",error_message(status)); - } - } else - printf("Error reading password; %s not added\n",argv[1]); - memset(&new, 0, sizeof(new)); - if (!multiple) - clean_up(); - } - else - printf("kadmin: Principal already exists.\n"); - return 0; -} - -static int -del_entry(int argc, char **argv) -{ - int status; - Kadm_vals vals; - - if (argc != 2) { - printf("Usage: del_entry username\n"); - return 0; - } - - if (setvals(&vals, argv[1]) != KADM_SUCCESS) - return 0; - - if (princ_exists(vals.name, vals.instance, 
krbrlm) != PE_NO) { - /* get the admin's password */ - if (get_admin_password() != GOOD_PW) - return 0; - - if ((status = kadm_del(&vals)) == KADM_SUCCESS){ - printf("%s removed from database.\n", argv[1]); - } else { - printf("kadm error: %s\n",error_message(status)); - } - - if (!multiple) - clean_up(); - } - else - printf("kadmin: Principal %s does not exist.\n", - krb_unparse_name_long (vals.name, vals.instance, krbrlm)); - return 0; -} - -static int -get_entry(int argc, char **argv) -{ - int status; - u_char fields[4]; - Kadm_vals vals; - - if (argc != 2) { - printf("Usage: get_entry username\n"); - return 0; - } - - memset(fields, 0, sizeof(fields)); - - SET_FIELD(KADM_NAME,fields); - SET_FIELD(KADM_INST,fields); - SET_FIELD(KADM_EXPDATE,fields); - SET_FIELD(KADM_ATTR,fields); - SET_FIELD(KADM_MAXLIFE,fields); -#if 0 - SET_FIELD(KADM_DESKEY,fields); -#endif - - if (setvals(&vals, argv[1]) != KADM_SUCCESS) - return 0; - - - if (princ_exists(vals.name, vals.instance, krbrlm) != PE_NO) { - /* get the admin's password */ - if (get_admin_password() != GOOD_PW) - return 0; - - if ((status = kadm_get(&vals, fields)) == KADM_SUCCESS) - prin_vals(&vals); - else - printf("kadm error: %s\n",error_message(status)); - - if (!multiple) - clean_up(); - } - else - printf("kadmin: Principal %s does not exist.\n", - krb_unparse_name_long (vals.name, vals.instance, krbrlm)); - return 0; -} - -static int -mod_entry(int argc, char **argv) -{ - int status; - u_char fields[4]; - Kadm_vals ovals, nvals; - - if (argc != 2) { - printf("Usage: mod_entry username\n"); - return 0; - } - - memset(fields, 0, sizeof(fields)); - - SET_FIELD(KADM_NAME,fields); - SET_FIELD(KADM_INST,fields); - SET_FIELD(KADM_EXPDATE,fields); - SET_FIELD(KADM_ATTR,fields); - SET_FIELD(KADM_MAXLIFE,fields); - - if (setvals(&ovals, argv[1]) != KADM_SUCCESS) - return 0; - - nvals = ovals; - - if (princ_exists(ovals.name, ovals.instance, krbrlm) == PE_NO) { - printf("kadmin: Principal %s does not exist.\n", - 
krb_unparse_name_long (ovals.name, ovals.instance, krbrlm)); - return 0; - } - - /* get the admin's password */ - if (get_admin_password() != GOOD_PW) - return 0; - - if ((status = kadm_get(&ovals, fields)) != KADM_SUCCESS) { - printf("[ unable to retrieve current settings: %s ]\n", - error_message(status)); - nvals.max_life = DEFAULT_TKT_LIFE; - nvals.exp_date = 0; - nvals.attributes = 0; - } else { - nvals.max_life = ovals.max_life; - nvals.exp_date = ovals.exp_date; - nvals.attributes = ovals.attributes; - } - - get_maxlife(&nvals); - get_attr(&nvals); - get_expdate(&nvals); - - if (IS_FIELD(KADM_MAXLIFE, nvals.fields) || - IS_FIELD(KADM_ATTR, nvals.fields) || - IS_FIELD(KADM_EXPDATE, nvals.fields)) { - if ((status = kadm_mod(&ovals, &nvals)) != KADM_SUCCESS) { - printf("kadm error: %s\n",error_message(status)); - goto out; - } - if ((status = kadm_get(&ovals, fields)) != KADM_SUCCESS) { - printf("kadm error: %s\n",error_message(status)); - goto out; - } - } - prin_vals(&ovals); - -out: - if (!multiple) - clean_up(); - return 0; -} - -static int -help(int argc, char **argv) -{ - sl_help (cmds, argc, argv); - return 0; -} diff --git a/kerberosIV/kadmin/new_pwd.c b/kerberosIV/kadmin/new_pwd.c deleted file mode 100644 index 950fe42218c..00000000000 --- a/kerberosIV/kadmin/new_pwd.c +++ /dev/null 
@@ -1,147 +0,0 @@ -/* $OpenBSD: new_pwd.c,v 1.2 1998/02/18 11:53:46 art Exp $ */ -/* $KTH: new_pwd.c,v 1.11 1997/05/02 14:28:54 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kadm_locl.h" - -#ifdef NOENCRYPTION -#define read_long_pw_string placebo_read_pw_string -#else -#define read_long_pw_string des_read_pw_string -#endif - -static char * -check_pw (char *pword) -{ - if (strlen(pword) == 0) - return "Null passwords are not allowed - Please enter a longer password."; - - if (strlen(pword) < MIN_KPW_LEN) - return "Password is to short - Please enter a longer password."; - - /* Don't allow all lower case passwords regardless of length */ - { - char *t; - for (t = pword; *t && islower(*t); t++) - ; - if (*t == 0) - return "Please don't use an all-lower case password.\n" - "\tUnusual capitalization, delimiter characters or " - "digits are suggested."; - } - - return NULL; -} - -int -get_pw_new_pwd(char *pword, int pwlen, krb_principal *pr, int print_realm) -{ - char ppromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */ - char npromp[40+ANAME_SZ+INST_SZ+REALM_SZ]; /* for the password prompt */ - - char p[MAX_K_NAME_SZ]; - - char local_realm[REALM_SZ]; - int status; - char *expl; - - /* - * We don't care about failure; this is to determine whether or - * not to print the realm in the prompt for a new password. 
- */ - krb_get_lrealm(local_realm, 1); - - if (strcmp(local_realm, pr->realm)) - print_realm++; - - { - char *q; - krb_unparse_name_r(pr, p); - if(print_realm == 0 && (q = strrchr(p, '@'))) - *q = 0; - } - - snprintf(ppromp, sizeof(ppromp), "Old password for %s:", p); - if (read_long_pw_string(pword, pwlen-1, ppromp, 0)) { - fprintf(stderr, "Error reading old password.\n"); - return -1; - } - - status = krb_get_pw_in_tkt(pr->name, pr->instance, pr->realm, - PWSERV_NAME, KADM_SINST, 1, pword); - if (status != KSUCCESS) { - if (status == INTK_BADPW) { - printf("Incorrect old password.\n"); - return -1; - } - else { - fprintf(stderr, "Kerberos error: %s\n", krb_get_err_text(status)); - return -1; - } - } - memset(pword, 0, pwlen); - - do { - char verify[MAX_KPW_LEN]; - snprintf(npromp, sizeof(npromp), "New Password for %s:",p); - if (read_long_pw_string(pword, pwlen-1, npromp, 0)) { - fprintf(stderr, - "Error reading new password, password unchanged.\n"); - return -1; - } - expl = check_pw (pword); - if (expl) { - printf("\n\t%s\n\n", expl); - continue; - } - /* Now we got an ok password, verify it. */ - snprintf(npromp, sizeof(npromp), "Verifying New Password for %s:", p); - if (read_long_pw_string(verify, MAX_KPW_LEN-1, npromp, 0)) { - fprintf(stderr, - "Error reading new password, password unchanged.\n"); - return -1; - } - if (strcmp(pword, verify) != 0) { - printf("Verify failure - try again\n"); - expl = ""; /* continue */ - } - } while (expl); - return 0; -} diff --git a/kerberosIV/kadmin/sl.c b/kerberosIV/kadmin/sl.c deleted file mode 100644 index 5ec5500406a..00000000000 --- a/kerberosIV/kadmin/sl.c +++ /dev/null 
@@ -1,206 +0,0 @@ -/* $OpenBSD: sl.c,v 1.3 1998/08/16 02:42:07 art Exp $ */ -/* $KTH: sl.c,v 1.15 1997/10/19 23:12:40 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "sl_locl.h" - -static SL_cmd * -sl_match (SL_cmd *cmds, char *cmd, int exactp) -{ - SL_cmd *c, *current = NULL, *partial_cmd = NULL; - int partial_match = 0; - - for (c = cmds; c->name; ++c) { - if (c->func) - current = c; - if (strcmp (cmd, c->name) == 0) - return current; - else if (strncmp (cmd, c->name, strlen(cmd)) == 0 && - partial_cmd != current) { - ++partial_match; - partial_cmd = current; - } - } - if (partial_match == 1 && !exactp) - return partial_cmd; - else - return NULL; -} - -void -sl_help (SL_cmd *cmds, int argc, char **argv) -{ - SL_cmd *c, *prev_c; - - if (argc == 1) { - prev_c = NULL; - for (c = cmds; c->name; ++c) { - if (c->func) { - if(prev_c) - printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "", - prev_c->usage ? "\n" : ""); - prev_c = c; - printf ("%s", c->name); - } else - printf (", %s", c->name); - } - if(prev_c) - printf ("\n\t%s%s", prev_c->usage ? prev_c->usage : "", - prev_c->usage ? "\n" : ""); - } else { - c = sl_match (cmds, argv[1], 0); - if (c == NULL) - printf ("No such command: %s. 
" - "Try \"help\" for a list of all commands\n", - argv[1]); - else { - printf ("%s\t%s", c->name, c->usage); - if(c->help && *c->help) - printf ("%s\n", c->help); - if((++c)->name && c->func == NULL) { - printf ("\nSynonyms:"); - while (c->name && c->func == NULL) - printf ("\t%s", (c++)->name); - } - printf ("\n"); - } - } -} - -static char * -readline(char *prompt) -{ - char buf[BUFSIZ]; - printf ("%s", prompt); - fflush (stdout); - if(fgets(buf, sizeof(buf), stdin) == NULL) - return NULL; - if (buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = '\0'; - return strdup(buf); -} - -static void -add_history(char *p) -{ -} - -int -sl_command(SL_cmd *cmds, int argc, char **argv) -{ - SL_cmd *c; - c = sl_match (cmds, argv[0], 0); - if (c == NULL) - return -1; - return (*c->func)(argc, argv); -} - -int -sl_loop (SL_cmd *cmds, char *prompt) -{ - unsigned max_count; - char **ptr; - int ret; - - max_count = 17; - ptr = malloc(max_count * sizeof(*ptr)); - if (ptr == NULL) { - printf ("sl_loop: failed to allocate %u bytes of memory\n", - (int) max_count * sizeof(*ptr)); - return -1; - } - - for (;;) { - char *buf; - unsigned count; - SL_cmd *c; - - ret = 0; - buf = readline(prompt); - if(buf == NULL) - break; - - if(*buf) - add_history(buf); - count = 0; - { - char *foo = NULL; - char *p; - - for(p = strtok_r (buf, " \t", &foo); - p; - p = strtok_r (NULL, " \t", &foo)) { - if(count == max_count) { - char **temp; - - max_count *= 2; - temp = realloc (ptr, max_count * sizeof(*ptr)); - if (temp == NULL) { - printf ("sl_loop: failed to allocate %u " - "bytes of memory\n", - (unsigned) max_count * sizeof(*ptr)); - - free(ptr); - return -1; - } - ptr = temp; - } - ptr[count++] = p; - } - } - if (count > 0) { - c = sl_match (cmds, ptr[0], 0); - if (c) { - ret = (*c->func)(count, ptr); - if (ret != 0) { - free (buf); - buf = NULL; - break; - } - } else - printf ("Unrecognized command: %s\n", ptr[0]); - } - free(buf); - buf = NULL; - } - free (ptr); - ptr = NULL; - return 0; -} 
diff --git a/kerberosIV/kadmind/Makefile b/kerberosIV/kadmind/Makefile
deleted file mode 100644
index 6588bd72fb6..00000000000
--- a/kerberosIV/kadmind/Makefile
+++ /dev/null
@@ -1,25 +0,0 @@
-# $OpenBSD: Makefile,v 1.8 1998/04/26 22:33:25 art Exp $
-
-.include <bsd.obj.mk>
-
-PROG= kadmind
-SRCS= admin_server.c kadm_funcs.c kadm_ser_wrap.c kadm_server.c pw_check.c
-
-.if exists(${.CURDIR}/../kadm/${__objdir})
-CFLAGS+=-I${.CURDIR}/../kadm/${__objdir}
-.else
-CFLAGS+=-I${.CURDIR}/../kadm
-.endif
-
-.if exists(${.CURDIR}/../krb/${__objdir})
-CFLAGS+=-I${.CURDIR}/../krb/${__objdir}
-.else
-CFLAGS+=-I${.CURDIR}/../krb
-.endif
-
-LDADD+= -lkadm -lkdb -lkrb -ldes -lacl -lcom_err
-DPADD= ${LIBKADM} ${LIBKDB} ${LIBKRB} ${LIBDES} ${LIBACL} ${LIBCOM_ERR}
-MAN= kadmind.8
-BINDIR=/usr/libexec
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/kadmind/admin_server.c b/kerberosIV/kadmind/admin_server.c
deleted file mode 100644
index 8c50c24c536..00000000000
--- a/kerberosIV/kadmind/admin_server.c
+++ /dev/null
@@ -1,428 +0,0 @@ -/* $OpenBSD: admin_server.c,v 1.5 1999/05/23 17:19:24 aaron Exp $ */ -/* $KTH: admin_server.c,v 1.42 1997/12/04 19:31:39 assar Exp $ */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * Top-level loop of the kerberos Administration server - */ - -/* - admin_server.c - this holds the main loop and initialization and cleanup code for the server -*/ - -#include "kadm_locl.h" - -/* Almost all procs and such need this, so it is global */ -admin_params prm; /* The command line parameters struct */ - -/* GLOBAL */ -char *acldir = DEFAULT_ACL_DIR; -static char krbrlm[REALM_SZ]; - -static unsigned pidarraysize = 0; -static int *pidarray = (int *)0; - -static int exit_now = 0; - -void -doexit(int sig) -{ - exit_now = 1; - return; -} - -void -do_child(int sig) -{ - int pid; - int i, j; - - int status; - - pid = wait(&status); - - /* Reinstall signal handlers for SysV. 
Must be done *after* wait */ - signal(SIGCHLD, do_child); - - for (i = 0; i < pidarraysize; i++) - if (pidarray[i] == pid) { - /* found it */ - for (j = i; j < pidarraysize-1; j++) - /* copy others down */ - pidarray[j] = pidarray[j+1]; - pidarraysize--; - if ((WIFEXITED(status) && WEXITSTATUS(status) != 0) - || WIFSIGNALED(status)) - krb_log("child %d: termsig %d, retcode %d", pid, - WTERMSIG(status), WEXITSTATUS(status)); - return; - } - krb_log("child %d not in list: termsig %d, retcode %d", pid, - WTERMSIG(status), WEXITSTATUS(status)); -} - -static void -kill_children(void) -{ - int i; - - for (i = 0; i < pidarraysize; i++) { - kill(pidarray[i], SIGINT); - krb_log("killing child %d", pidarray[i]); - } -} - -/* close the system log file */ -static void -close_syslog(void) -{ - krb_log("Shutting down admin server"); -} - -static void -byebye(void) /* say goodnight gracie */ -{ - printf("Admin Server (kadm server) has completed operation.\n"); -} - -static void -clear_secrets(void) -{ - memset(server_parm.master_key, 0, sizeof(server_parm.master_key)); - memset(server_parm.master_key_schedule, 0, - sizeof(server_parm.master_key_schedule)); - server_parm.master_key_version = 0L; -} - -#ifdef DEBUG -#define cleanexit(code) {kerb_fini(); return;} -#endif - -#ifndef DEBUG -static void -cleanexit(int val) -{ - kerb_fini(); - clear_secrets(); - exit(val); -} -#endif - -static void -process_client(int fd, struct sockaddr_in *who) -{ - u_char *dat; - int dat_len; - u_short dlen; - int retval; - int on = 1; - Principal service; - des_cblock skey; - int more; - int status; - - if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, sizeof(on)) < 0) - krb_log("setsockopt keepalive: %d",errno); - - server_parm.recv_addr = *who; - - if (kerb_init()) { /* Open as client */ - krb_log("can't open krb db"); - cleanexit(1); - } - /* need to set service key to changepw.KRB_MASTER */ - - status = kerb_get_principal(server_parm.sname, server_parm.sinst, &service, - 1, &more); - if 
(status == -1) { - /* db locked */ - int32_t retcode = KADM_DB_INUSE; - char *pdat; - - dat_len = KADM_VERSIZE + sizeof(retcode); - dat = (u_char *) malloc((unsigned)dat_len); - pdat = (char *) dat; - retcode = htonl((u_int32_t) KADM_DB_INUSE); - strncpy(pdat, KADM_ULOSE, KADM_VERSIZE); - memcpy(pdat+KADM_VERSIZE, &retcode, sizeof(retcode)); - goto out; - } else if (!status) { - krb_log("no service %s.%s",server_parm.sname, server_parm.sinst); - cleanexit(2); - } - - copy_to_key(&service.key_low, &service.key_high, skey); - memset(&service, 0, sizeof(service)); - kdb_encrypt_key (&skey, &skey, &server_parm.master_key, - server_parm.master_key_schedule, DES_DECRYPT); - krb_set_key(skey, 0); /* if error, will show up when - rd_req fails */ - memset(skey, 0, sizeof(skey)); - - while (1) { - if ((retval = krb_net_read(fd, &dlen, sizeof(u_short))) != - sizeof(u_short)) { - if (retval < 0) - krb_log("dlen read: %s",error_message(errno)); - else if (retval) - krb_log("short dlen read: %d",retval); - close(fd); - cleanexit(retval ? 3 : 0); - } - if (exit_now) { - cleanexit(0); - } - dat_len = ntohs(dlen); - dat = (u_char *) malloc(dat_len); - if (!dat) { - krb_log("malloc: No memory"); - close(fd); - cleanexit(4); - } - if ((retval = krb_net_read(fd, dat, dat_len)) != dat_len) { - if (retval < 0) - krb_log("data read: %s",error_message(errno)); - else - krb_log("short read: %d vs. 
%d", dat_len, retval); - close(fd); - cleanexit(5); - } - if (exit_now) { - cleanexit(0); - } - if ((retval = kadm_ser_in(&dat,&dat_len)) != KADM_SUCCESS) - krb_log("processing request: %s", error_message(retval)); - - /* kadm_ser_in did the processing and returned stuff in - dat & dat_len , return the appropriate data */ - - out: - dlen = htons(dat_len); - - if (krb_net_write(fd, &dlen, sizeof(u_short)) < 0) { - krb_log("writing dlen to client: %s",error_message(errno)); - close(fd); - cleanexit(6); - } - - if (krb_net_write(fd, dat, dat_len) < 0) { - krb_log("writing to client: %s", error_message(errno)); - close(fd); - cleanexit(7); - } - free(dat); - } - /*NOTREACHED*/ -} - -/* -kadm_listen -listen on the admin servers port for a request -*/ -static int -kadm_listen(void) -{ - int found; - int admin_fd; - int peer_fd; - fd_set mask, readfds; - struct sockaddr_in peer; - int addrlen; - int pid; - int *temp; - - signal(SIGINT, doexit); - signal(SIGTERM, doexit); - signal(SIGHUP, doexit); - signal(SIGQUIT, doexit); - signal(SIGPIPE, SIG_IGN); /* get errors on write() */ - signal(SIGALRM, doexit); - signal(SIGCHLD, do_child); - if (setsid() < 0) - krb_log("setsid() failed"); - - if ((admin_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) - return KADM_NO_SOCK; - { - int one=1; - setsockopt(admin_fd, SOL_SOCKET, SO_REUSEADDR, (void *)&one, - sizeof(one)); - } - if (bind(admin_fd, (struct sockaddr *)&server_parm.admin_addr, - sizeof(struct sockaddr_in)) < 0) - return KADM_NO_BIND; - listen(admin_fd, 1); - FD_ZERO(&mask); - FD_SET(admin_fd, &mask); - - for (;;) { /* loop nearly forever */ - if (exit_now) { - clear_secrets(); - kill_children(); - return(0); - } - readfds = mask; - if ((found = select(admin_fd+1, &readfds, 0, - 0, (struct timeval *)0)) == 0) - continue; /* no things read */ - if (found < 0) { - if (errno != EINTR) - krb_log("select: %s",error_message(errno)); - continue; - } - if (FD_ISSET(admin_fd, &readfds)) { - /* accept the conn */ - addrlen = 
sizeof(peer); - if ((peer_fd = accept(admin_fd, (struct sockaddr *)&peer, - &addrlen)) < 0) { - krb_log("accept: %s",error_message(errno)); - continue; - } -#ifndef DEBUG - /* grow the pidarray before forking, so we can catch the errors */ - temp = realloc(pidarray, ++pidarraysize); - if (temp == NULL) { - krb_log("realloc: %s", error_message(errno)); - close(peer_fd); - continue; - } - pidarray = temp; - /* if you want a sep daemon for each server */ - if ((pid = fork())) { - /* parent */ - if (pid < 0) { - krb_log("fork: %s",error_message(errno)); - close(peer_fd); - continue; - } - /* fork succeded: keep tabs on child */ - close(peer_fd); - pidarray[pidarraysize-1] = pid; - } else { - /* child */ - close(admin_fd); -#endif /* DEBUG */ - /* - * If we are multihomed we need to figure out which - * local address that is used this time since it is - * used in "direction" comparison. - */ - getsockname(peer_fd, - (struct sockaddr *)&server_parm.admin_addr, - &addrlen); - /* do stuff */ - process_client (peer_fd, &peer); -#ifndef DEBUG - } -#endif - } else { - krb_log("something else woke me up!"); - return(0); - } - } - /*NOTREACHED*/ -} - -/* -** Main does the logical thing, it sets up the database and RPC interface, -** as well as handling the creation and maintenance of the syslog file... 
-*/ -int -main(int argc, char **argv) /* admin_server main routine */ -{ - int errval; - int c; - - umask(077); /* Create protected files */ - - /* initialize the admin_params structure */ - prm.sysfile = KADM_SYSLOG; /* default file name */ - prm.inter = 0; - - memset(krbrlm, 0, sizeof(krbrlm)); - - while ((c = getopt(argc, argv, "f:hmnd:a:r:")) != -1) - switch(c) { - case 'f': /* Syslog file name change */ - prm.sysfile = optarg; - break; - case 'n': - prm.inter = 0; - break; - case 'm': - prm.inter = 1; - break; - case 'a': /* new acl directory */ - acldir = optarg; - break; - case 'd': - /* put code to deal with alt database place */ - if ((errval = kerb_db_set_name(optarg))) - errx (1, "opening database %s: %s", - optarg, error_message(errval)); - break; - case 'r': - strncpy(krbrlm, optarg, sizeof(krbrlm) - 1); - krbrlm[sizeof(krbrlm) - 1] = '\0'; - break; - case 'h': /* get help on using admin_server */ - default: - errx(1, "Usage: kadmind [-h] [-n] [-m] [-r realm] [-d dbname] [-f filename] [-a acldir]"); - } - - if (krbrlm[0] == 0) - if (krb_get_lrealm(krbrlm, 0) != KSUCCESS) - errx (1, "Unable to get local realm. 
Fix krb.conf or use -r."); - - printf("KADM Server %s initializing\n",KADM_VERSTR); - printf("Please do not use 'kill -9' to kill this job, use a\n"); - printf("regular kill instead\n\n"); - - kset_logfile(prm.sysfile); - krb_log("Admin server starting"); - - kerb_db_set_lockmode(KERB_DBL_NONBLOCKING); - errval = kerb_init(); /* Open the Kerberos database */ - if (errval) { - warnx ("error: kerb_init() failed"); - close_syslog(); - byebye(); - } - /* set up the server_parm struct */ - if ((errval = kadm_ser_init(prm.inter, krbrlm))==KADM_SUCCESS) { - kerb_fini(); /* Close the Kerberos database-- - will re-open later */ - errval = kadm_listen(); /* listen for calls to server from - clients */ - } - if (errval != KADM_SUCCESS) { - warnx("error: %s",error_message(errval)); - kerb_fini(); /* Close if error */ - } - close_syslog(); /* Close syslog file, print - closing note */ - byebye(); /* Say bye bye on the terminal - in use */ - exit(1); -} /* procedure main */ diff --git a/kerberosIV/kadmind/kadm_funcs.c b/kerberosIV/kadmind/kadm_funcs.c deleted file mode 100644 index 3e1c45c1bda..00000000000 --- a/kerberosIV/kadmind/kadm_funcs.c +++ /dev/null 
@@ -1,451 +0,0 @@
-/* $OpenBSD: kadm_funcs.c,v 1.3 1997/12/15 17:56:21 art Exp $ */
-/* $KTH: kadm_funcs.c,v 1.16 1997/05/02 14:28:49 assar Exp $ */
-
-/*
- Copyright (C) 1989 by the Massachusetts Institute of Technology
-
- Export of this software from the United States of America is assumed
- to require a specific license from the United States Government.
- It is the responsibility of any person or organization contemplating
- export to obtain such a license before exporting.
-
-WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-distribute this software and its documentation for any purpose and
-without fee is hereby granted, provided that the above copyright
-notice appear in all copies and that both that copyright notice and
-this permission notice appear in supporting documentation, and that
-the name of M.I.T. not be used in advertising or publicity pertaining
-to distribution of the software without specific, written prior
-permission. M.I.T. makes no representations about the suitability of
-this software for any purpose. It is provided "as is" without express
-or implied warranty.
-
-*/
-
-/*
- * Kerberos administration server-side database manipulation routines
- */
-
-/*
- * kadm_funcs.c
- * the actual database manipulation code
- */
-
-#include "kadm_locl.h"
-
-static int
-check_access(char *pname, char *pinst, char *prealm, enum acl_types acltype)
-{
- char checkname[MAX_K_NAME_SZ];
- char filename[MAXPATHLEN];
-
- snprintf(checkname, sizeof(checkname), "%s.%s@%s", pname, pinst, prealm);
-
- switch (acltype) {
- case ADDACL:
- snprintf(filename, sizeof(filename), "%s%s", acldir, ADD_ACL_FILE);
- break;
- case GETACL:
- snprintf(filename, sizeof(filename), "%s%s", acldir, GET_ACL_FILE);
- break;
- case MODACL:
- snprintf(filename, sizeof(filename), "%s%s", acldir, MOD_ACL_FILE);
- break;
- case DELACL:
- snprintf(filename, sizeof(filename), "%s%s", acldir, DEL_ACL_FILE);
- break;
- default:
- krb_log("WARNING in check_access: default case in switch");
- return 0;
- }
- return(acl_check(filename, checkname));
-}
-
-static int
-wildcard(char *str)
-{
- if (!strcmp(str, WILDCARD_STR))
- return(1);
- return(0);
-}
-
-static int
-fail(int code, char *oper, char *princ)
-{
- krb_log("ERROR: %s: %s (%s)", oper, princ, error_message(code));
- return code;
-}
-
-#define failadd(code) { fail(code, "ADD", victim); return code; }
-#define faildelete(code) { fail(code, "DELETE", victim); return code; }
-#define failget(code) { fail(code, "GET", victim); return code; }
-#define failmod(code) { fail(code, "MOD", victim); return code; }
-#define failchange(code) { fail(code, "CHANGE", admin); return code; }
-
-int
-kadm_add_entry (char *rname, char *rinstance, char *rrealm,
- Kadm_vals *valsin, Kadm_vals *valsout)
-{
- long numfound; /* check how many we get written */
- int more; /* pointer to more grabbed records */
- Principal data_i, data_o; /* temporary principal */
- u_char flags[4];
- des_cblock newpw;
- Principal default_princ;
-
- char admin[MAX_K_NAME_SZ], victim[MAX_K_NAME_SZ];
-
- strncpy(admin,
- krb_unparse_name_long(rname, rinstance, 
rrealm), - MAX_K_NAME_SZ -1); - admin[MAX_K_NAME_SZ -1] = '\0'; - - strncpy(victim, - krb_unparse_name_long(valsin->name, valsin->instance, NULL), - MAX_K_NAME_SZ -1); - victim[MAX_K_NAME_SZ -1] = '\0'; - - krb_log("ADD: %s by %s", victim, admin); - - if (!check_access(rname, rinstance, rrealm, ADDACL)) { - krb_log("WARNING: ADD: %s permission denied", admin); - return KADM_UNAUTH; - } - - /* Need to check here for "legal" name and instance */ - if (wildcard(valsin->name) || wildcard(valsin->instance)) { - failadd(KADM_ILL_WILDCARD); - } - - numfound = kerb_get_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST, - &default_princ, 1, &more); - if (numfound == -1) { - failadd(KADM_DB_INUSE); - } else if (numfound != 1) { - failadd(KADM_UK_RERROR); - } - - kadm_vals_to_prin(valsin->fields, &data_i, valsin); - strncpy(data_i.name, valsin->name, ANAME_SZ - 1); - data_i.name[ANAME_SZ - 1] = '\0'; - strncpy(data_i.instance, valsin->instance, INST_SZ - 1); - data_i.instance[INST_SZ - 1] = '\0'; - - if (!IS_FIELD(KADM_EXPDATE,valsin->fields)) - data_i.exp_date = default_princ.exp_date; - if (!IS_FIELD(KADM_ATTR,valsin->fields)) - data_i.attributes = default_princ.attributes; - if (!IS_FIELD(KADM_MAXLIFE,valsin->fields)) - data_i.max_life = default_princ.max_life; - - memset(&default_princ, 0, sizeof(default_princ)); - - /* convert to host order */ - data_i.key_low = ntohl(data_i.key_low); - data_i.key_high = ntohl(data_i.key_high); - - - copy_to_key(&data_i.key_low, &data_i.key_high, newpw); - - /* encrypt new key in master key */ - kdb_encrypt_key (&newpw, &newpw, &server_parm.master_key, - server_parm.master_key_schedule, DES_ENCRYPT); - copy_from_key(newpw, &data_i.key_low, &data_i.key_high); - memset(newpw, 0, sizeof(newpw)); - - data_o = data_i; - numfound = kerb_get_principal(valsin->name, valsin->instance, - &data_o, 1, &more); - if (numfound == -1) { - failadd(KADM_DB_INUSE); - } else if (numfound) { - failadd(KADM_INUSE); - } else { - data_i.key_version++; - 
data_i.kdc_key_ver = server_parm.master_key_version; - strncpy(data_i.mod_name, rname, sizeof(data_i.mod_name) - 1); - data_i.mod_name[sizeof(data_i.mod_name) - 1] = '\0'; - strncpy(data_i.mod_instance, rinstance, - sizeof(data_i.mod_instance) - 1); - data_i.mod_instance[sizeof(data_i.mod_instance - 1)] = '\0'; - - numfound = kerb_put_principal(&data_i, 1); - if (numfound == -1) { - failadd(KADM_DB_INUSE); - } else if (numfound) { - failadd(KADM_UK_SERROR); - } else { - numfound = kerb_get_principal(valsin->name, valsin->instance, - &data_o, 1, &more); - if ((numfound!=1) || (more!=0)) { - failadd(KADM_UK_RERROR); - } - memset(flags, 0, sizeof(flags)); - SET_FIELD(KADM_NAME,flags); - SET_FIELD(KADM_INST,flags); - SET_FIELD(KADM_EXPDATE,flags); - SET_FIELD(KADM_ATTR,flags); - SET_FIELD(KADM_MAXLIFE,flags); - kadm_prin_to_vals(flags, valsout, &data_o); - krb_log("ADD: %s added", victim); - return KADM_DATA; /* Set all the appropriate fields */ - } - } -} - -int -kadm_delete_entry (char *rname, char *rinstance, char *rrealm, - Kadm_vals *valsin) -{ - int ret; - - char admin[MAX_K_NAME_SZ], victim[MAX_K_NAME_SZ]; - - strncpy(admin, - krb_unparse_name_long(rname, rinstance, rrealm), - MAX_K_NAME_SZ - 1); - admin[MAX_K_NAME_SZ - 1] = '\0'; - strncpy(victim, - krb_unparse_name_long(valsin->name, valsin->instance, NULL), - MAX_K_NAME_SZ - 1); - victim[MAX_K_NAME_SZ - 1] = '\0'; - - krb_log("DELETE: %s by %s", victim, admin); - - if (!check_access(rname, rinstance, rrealm, DELACL)) { - krb_log("WARNING: DELETE: %s permission denied", admin); - return KADM_UNAUTH; - } - - /* Need to check here for "legal" name and instance */ - if (wildcard(valsin->name) || wildcard(valsin->instance)) { - faildelete(KADM_ILL_WILDCARD); - } - -#define EQ(V,N,I) (strcmp((V)->name, (N)) == 0 && strcmp((V)->instance, (I)) == 0) - - if(EQ(valsin, PWSERV_NAME, KRB_MASTER) || - EQ(valsin, "K", "M") || - EQ(valsin, "default", "") || - EQ(valsin, KRB_TICKET_GRANTING_TICKET, server_parm.krbrlm)){ - 
krb_log("WARNING: DELETE: %s is immutable", victim); - return KADM_IMMUTABLE; /* XXX */ - } - - ret = kerb_delete_principal(valsin->name, valsin->instance); - if(ret == -1) - return KADM_DB_INUSE; /* XXX */ - krb_log("DELETE: %s removed.", victim); - return KADM_SUCCESS; -} - - -int -kadm_get_entry (char *rname, char *rinstance, char *rrealm, - Kadm_vals *valsin, u_char *flags, Kadm_vals *valsout) -{ - long numfound; /* check how many were returned */ - int more; /* To point to more name.instances */ - Principal data_o; /* Data object to hold Principal */ - - char admin[MAX_K_NAME_SZ], victim[MAX_K_NAME_SZ]; - - strncpy(admin, - krb_unparse_name_long(rname, rinstance, rrealm), - MAX_K_NAME_SZ - 1); - admin[MAX_K_NAME_SZ - 1] = '\0'; - strncpy(victim, - krb_unparse_name_long(valsin->name, valsin->instance, NULL), - MAX_K_NAME_SZ - 1); - victim[MAX_K_NAME_SZ - 1] = '\0'; - - krb_log("GET: %s by %s", victim, admin); - - if (!check_access(rname, rinstance, rrealm, GETACL)) { - krb_log("WARNING: GET: %s permission denied", admin); - return KADM_UNAUTH; - } - - if (wildcard(valsin->name) || wildcard(valsin->instance)) { - failget(KADM_ILL_WILDCARD); - } - - /* Look up the record in the database */ - numfound = kerb_get_principal(valsin->name, valsin->instance, - &data_o, 1, &more); - if (numfound == -1) { - failget(KADM_DB_INUSE); - } else if (numfound) { /* We got the record, let's return it */ - kadm_prin_to_vals(flags, valsout, &data_o); - krb_log("GET: %s retrieved", victim); - return KADM_DATA; /* Set all the appropriate fields */ - } else { - failget(KADM_NOENTRY); /* Else whimper and moan */ - } -} - -int -kadm_mod_entry (char *rname, char *rinstance, char *rrealm, - Kadm_vals *valsin, Kadm_vals *valsin2, Kadm_vals *valsout) -{ - long numfound; - int more; - Principal data_o, temp_key; - u_char fields[4]; - des_cblock newpw; - - char admin[MAX_K_NAME_SZ], victim[MAX_K_NAME_SZ]; - - strncpy(admin, - krb_unparse_name_long(rname, rinstance, rrealm), - MAX_K_NAME_SZ - 
1); - admin[MAX_K_NAME_SZ - 1] = '\0'; - strncpy(victim, - krb_unparse_name_long(valsin->name, valsin->instance, NULL), - MAX_K_NAME_SZ - 1); - victim[MAX_K_NAME_SZ - 1] = '\0'; - - - krb_log("MOD: %s by %s", victim, admin); - - if (wildcard(valsin->name) || wildcard(valsin->instance)) { - failmod(KADM_ILL_WILDCARD); - } - - if (!check_access(rname, rinstance, rrealm, MODACL)) { - krb_log("WARNING: MOD: %s permission denied", admin); - return KADM_UNAUTH; - } - - numfound = kerb_get_principal(valsin->name, valsin->instance, - &data_o, 1, &more); - if (numfound == -1) { - failmod(KADM_DB_INUSE); - } else if (numfound) { - kadm_vals_to_prin(valsin2->fields, &temp_key, valsin2); - strncpy(data_o.name, valsin->name, ANAME_SZ - 1); - data_o.name[ANAME_SZ - 1] = '\0'; - strncpy(data_o.instance, valsin->instance, INST_SZ - 1); - data_o.instance[INST_SZ - 1] = '\0'; - if (IS_FIELD(KADM_EXPDATE,valsin2->fields)) - data_o.exp_date = temp_key.exp_date; - if (IS_FIELD(KADM_ATTR,valsin2->fields)) - data_o.attributes = temp_key.attributes; - if (IS_FIELD(KADM_MAXLIFE,valsin2->fields)) - data_o.max_life = temp_key.max_life; - if (IS_FIELD(KADM_DESKEY,valsin2->fields)) { - data_o.key_version++; - data_o.kdc_key_ver = server_parm.master_key_version; - - - /* convert to host order */ - temp_key.key_low = ntohl(temp_key.key_low); - temp_key.key_high = ntohl(temp_key.key_high); - - - copy_to_key(&temp_key.key_low, &temp_key.key_high, newpw); - - /* encrypt new key in master key */ - kdb_encrypt_key (&newpw, &newpw, &server_parm.master_key, - server_parm.master_key_schedule, DES_ENCRYPT); - copy_from_key(newpw, &data_o.key_low, &data_o.key_high); - memset(newpw, 0, sizeof(newpw)); - } - memset(&temp_key, 0, sizeof(temp_key)); - - strncpy(data_o.mod_name, rname, sizeof(data_o.mod_name)-1); - data_o.mod_name[sizeof(data_o.mod_name) - 1] = '\0'; - strncpy(data_o.mod_instance, rinstance, - sizeof(data_o.mod_instance)-1); - data_o.mod_instance[sizeof(data_o.mod_instance) - 1] = '\0'; - more 
= kerb_put_principal(&data_o, 1); - - memset(&data_o, 0, sizeof(data_o)); - - if (more == -1) { - failmod(KADM_DB_INUSE); - } else if (more) { - failmod(KADM_UK_SERROR); - } else { - numfound = kerb_get_principal(valsin->name, valsin->instance, - &data_o, 1, &more); - if ((more!=0)||(numfound!=1)) { - failmod(KADM_UK_RERROR); - } - memset(fields, 0, sizeof(fields)); - SET_FIELD(KADM_NAME,fields); - SET_FIELD(KADM_INST,fields); - SET_FIELD(KADM_EXPDATE,fields); - SET_FIELD(KADM_ATTR,fields); - SET_FIELD(KADM_MAXLIFE,fields); - kadm_prin_to_vals(fields, valsout, &data_o); - krb_log("MOD: %s modified", victim); - return KADM_DATA; /* Set all the appropriate fields */ - } - } - else { - failmod(KADM_NOENTRY); - } -} - -int -kadm_change (char *rname, char *rinstance, char *rrealm, unsigned char *newpw) -{ - long numfound; - int more; - Principal data_o; - des_cblock local_pw; - - char admin[MAX_K_NAME_SZ]; - - strncpy(admin, - krb_unparse_name_long(rname, rinstance, rrealm), - MAX_K_NAME_SZ - 1); - admin[MAX_K_NAME_SZ - 1] = '\0'; - - krb_log("CHANGE: %s", admin); - - if (strcmp(server_parm.krbrlm, rrealm)) { - krb_log("ERROR: CHANGE: request from wrong realm %s", rrealm); - return(KADM_WRONG_REALM); - } - - if (wildcard(rname) || wildcard(rinstance)) { - failchange(KADM_ILL_WILDCARD); - } - - memcpy(local_pw, newpw, sizeof(local_pw)); - - /* encrypt new key in master key */ - kdb_encrypt_key (&local_pw, &local_pw, &server_parm.master_key, - server_parm.master_key_schedule, DES_ENCRYPT); - - numfound = kerb_get_principal(rname, rinstance, - &data_o, 1, &more); - if (numfound == -1) { - failchange(KADM_DB_INUSE); - } else if (numfound) { - copy_from_key(local_pw, &data_o.key_low, &data_o.key_high); - data_o.key_version++; - data_o.kdc_key_ver = server_parm.master_key_version; - strncpy(data_o.mod_name, rname, sizeof(data_o.mod_name)-1); - data_o.mod_name[sizeof(data_o.mod_name) - 1] = '\0'; - strncpy(data_o.mod_instance, rinstance, - sizeof(data_o.mod_instance)-1); - 
data_o.mod_instance[sizeof(data_o.mod_instance) - 1] = '\0'; - more = kerb_put_principal(&data_o, 1); - memset(local_pw, 0, sizeof(local_pw)); - memset(&data_o, 0, sizeof(data_o)); - if (more == -1) { - failchange(KADM_DB_INUSE); - } else if (more) { - failchange(KADM_UK_SERROR); - } else { - krb_log("CHANGE: %s's password changed", admin); - return KADM_SUCCESS; - } - } - else { - failchange(KADM_NOENTRY); - } -} diff --git a/kerberosIV/kadmind/kadm_ser_wrap.c b/kerberosIV/kadmind/kadm_ser_wrap.c deleted file mode 100644 index 62064699dc8..00000000000 --- a/kerberosIV/kadmind/kadm_ser_wrap.c +++ /dev/null 
@@ -1,236 +0,0 @@
-/* $OpenBSD: kadm_ser_wrap.c,v 1.5 1997/12/15 17:56:22 art Exp $ */
-/* $KTH: kadm_ser_wrap.c,v 1.21 1997/12/05 01:27:29 assar Exp $ */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- * - */ - -/* - * Kerberos administration server-side support functions - */ - -/* - * kadm_ser_wrap.c - * unwraps wrapped packets and calls the appropriate server subroutine - */ - -#include "kadm_locl.h" - -/* GLOBAL */ -Kadm_Server server_parm; - -/* - * kadm_ser_init - * set up the server_parm structure - */ -int -kadm_ser_init(int inter, char *realm) - /* interactive or from file */ - -{ - struct hostent *hp; - char hostname[MAXHOSTNAMELEN]; - - init_kadm_err_tbl(); - init_krb_err_tbl(); - if (gethostname(hostname, sizeof(hostname))) - return KADM_NO_HOSTNAME; - - strncpy(server_parm.sname, PWSERV_NAME, ANAME_SZ - 1); - server_parm.sname[ANAME_SZ - 1] = '\0'; - strncpy(server_parm.sinst, KRB_MASTER, INST_SZ - 1); - server_parm.sinst[INST_SZ - 1] = '\0'; - strncpy(server_parm.krbrlm, realm, REALM_SZ - 1); - server_parm.krbrlm[REALM_SZ - 1] = '\0'; - - server_parm.admin_fd = -1; - /* setting up the addrs */ - memset(&server_parm.admin_addr,0, sizeof(server_parm.admin_addr)); - - server_parm.admin_addr.sin_port = k_getportbyname (KADM_SNAME, - "tcp", - htons(751)); - server_parm.admin_addr.sin_family = AF_INET; - if ((hp = gethostbyname(hostname)) == NULL) - return KADM_NO_HOSTNAME; - server_parm.admin_addr.sin_addr.s_addr = INADDR_ANY; - /* setting up the database */ - if (kdb_get_master_key((inter==1), &server_parm.master_key, - server_parm.master_key_schedule) != 0) - return KADM_NO_MAST; - if ((server_parm.master_key_version = - kdb_verify_master_key(&server_parm.master_key, - server_parm.master_key_schedule,stderr))<0) - return KADM_NO_VERI; - return KADM_SUCCESS; -} - -static void errpkt(u_char **dat, int *dat_len, int code) -{ - u_int32_t retcode; - char *pdat; - - free(*dat); /* free up req */ - *dat_len = KADM_VERSIZE + sizeof(u_int32_t); - *dat = (u_char *) malloc((unsigned)*dat_len); - if (dat == NULL) - return; - pdat = (char *) *dat; - retcode = htonl((u_int32_t) code); - strncpy(pdat, KADM_ULOSE, KADM_VERSIZE); - memcpy(&pdat[KADM_VERSIZE], 
&retcode, sizeof(u_int32_t)); - return; -} - -/* - * kadm_ser_in - * unwrap the data stored in dat, process, and return it. - */ - -int -kadm_ser_in(u_char **dat, int *dat_len) -{ - u_char *in_st; /* pointer into the sent packet */ - int in_len,retc; /* where in packet we are, for - returns */ - u_int32_t r_len; /* length of the actual packet */ - KTEXT_ST authent; /* the authenticator */ - AUTH_DAT ad; /* who is this, klink */ - u_int32_t ncksum; /* checksum of encrypted data */ - des_key_schedule sess_sched; /* our schedule */ - MSG_DAT msg_st; - u_char *retdat, *tmpdat; - int retval, retlen; - - if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) { - errpkt(dat, dat_len, KADM_BAD_VER); - return KADM_BAD_VER; - } - in_len = KADM_VERSIZE; - /* get the length */ - if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0) - return KADM_LENGTH_ERROR; - in_len += retc; - authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_int32_t); - authent.length = MIN( authent.length, MAX_KTXT_LEN ); - memcpy(authent.dat, (char *)(*dat) + in_len, authent.length); - authent.mbz = 0; - /* service key should be set before here */ - if ((retc = krb_rd_req(&authent, server_parm.sname, server_parm.sinst, - server_parm.recv_addr.sin_addr.s_addr, &ad, NULL))) - { - errpkt(dat, dat_len,retc + krb_err_base); - return retc + krb_err_base; - } - -#define clr_cli_secrets() {memset(sess_sched, 0, sizeof(sess_sched)); memset(ad.session, 0,sizeof(ad.session));} - - in_st = *dat + *dat_len - r_len; -#ifdef NOENCRYPTION - ncksum = 0; -#else - ncksum = des_quad_cksum((des_cblock *)in_st, (des_cblock *)0, (long) r_len, 0, &ad.session); -#endif - if (ncksum!=ad.checksum) { /* yow, are we correct yet */ - clr_cli_secrets(); - errpkt(dat, dat_len,KADM_BAD_CHK); - return KADM_BAD_CHK; - } -#ifdef NOENCRYPTION - memset(sess_sched, 0, sizeof(sess_sched)); -#else - des_key_sched(&ad.session, sess_sched); -#endif - if ((retc = (int) krb_rd_priv(in_st, r_len, sess_sched, &ad.session, - 
&server_parm.recv_addr, - &server_parm.admin_addr, &msg_st))) { - clr_cli_secrets(); - errpkt(dat, dat_len,retc + krb_err_base); - return retc + krb_err_base; - } - switch (msg_st.app_data[0]) { - case CHANGE_PW: - retval = kadm_ser_cpw(msg_st.app_data+1,(int) msg_st.app_length - 1, - &ad, &retdat, &retlen); - break; - case ADD_ENT: - retval = kadm_ser_add(msg_st.app_data+1,(int) msg_st.app_length - 1, - &ad, &retdat, &retlen); - break; - case GET_ENT: - retval = kadm_ser_get(msg_st.app_data+1,(int) msg_st.app_length - 1, - &ad, &retdat, &retlen); - break; - case MOD_ENT: - retval = kadm_ser_mod(msg_st.app_data+1,(int) msg_st.app_length - 1, - &ad, &retdat, &retlen); - break; - case DEL_ENT: - retval = kadm_ser_delete(msg_st.app_data + 1, msg_st.app_length - 1, - &ad, &retdat, &retlen); - break; - default: - clr_cli_secrets(); - errpkt(dat, dat_len, KADM_NO_OPCODE); - return KADM_NO_OPCODE; - } - /* Now seal the response back into a priv msg */ - free(*dat); - *dat = NULL; - - tmpdat = (u_char *) malloc((unsigned)(retlen + KADM_VERSIZE + - sizeof(u_int32_t))); - if (tmpdat == NULL) { - clr_cli_secrets(); - return KADM_NOMEM; - } - - strncpy((char *)tmpdat, KADM_VERSTR, KADM_VERSIZE); - retval = htonl((u_int32_t)retval); - memcpy((char *)tmpdat + KADM_VERSIZE, &retval, sizeof(u_int32_t)); - if (retlen) { - memcpy((char *)tmpdat + KADM_VERSIZE + sizeof(u_int32_t), retdat, - retlen); - free(retdat); - retdat = NULL; - } - /* slop for mk_priv stuff */ - *dat = (u_char *) malloc((unsigned) (retlen + KADM_VERSIZE + - sizeof(u_int32_t) + 200)); - if (*dat == NULL) { - free(tmpdat); - tmpdat = NULL; - clr_cli_secrets(); - return KADM_NOMEM; - } - - if ((*dat_len = krb_mk_priv(tmpdat, *dat, - (u_int32_t) (retlen + KADM_VERSIZE + - sizeof(u_int32_t)), - sess_sched, - &ad.session, &server_parm.admin_addr, - &server_parm.recv_addr)) < 0) { - clr_cli_secrets(); - errpkt(dat, dat_len, KADM_NO_ENCRYPT); - return KADM_NO_ENCRYPT; - } - clr_cli_secrets(); - return KADM_SUCCESS; -} 
diff --git a/kerberosIV/kadmind/kadm_server.c b/kerberosIV/kadmind/kadm_server.c
deleted file mode 100644
index a18c2398a39..00000000000
--- a/kerberosIV/kadmind/kadm_server.c
+++ /dev/null
@@ -1,201 +0,0 @@ -/* $OpenBSD: kadm_server.c,v 1.2 1997/12/15 17:56:22 art Exp $ */ -/* $KTH: kadm_server.c,v 1.9 1997/05/02 10:29:08 joda Exp $ */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * Kerberos administration server-side subroutines - */ - -#include "kadm_locl.h" - -/* - *kadm_ser_cpw - the server side of the change_password routine - * recieves : KTEXT, {key} - * returns : CKSUM, RETCODE - * acl : caller can change only own password - * - * Replaces the password (i.e. des key) of the caller with that specified in - * key. 
Returns no actual data from the master server, since this is called - * by a user - */ -int -kadm_ser_cpw(u_char *dat, int len, AUTH_DAT *ad, u_char **datout, int *outlen) -{ - u_int32_t keylow, keyhigh; - des_cblock newkey; - int status; - int stvlen=0; - char *pw_msg; - char pword[MAX_KPW_LEN]; - char *strings[4]; - - /* take key off the stream, and change the database */ - - if ((status = stv_long(dat, &keyhigh, 0, len)) < 0) - return(KADM_LENGTH_ERROR); - stvlen=status; - if ((status = stv_long(dat, &keylow, stvlen, len)) < 0) - return(KADM_LENGTH_ERROR); - stvlen+=status; - - if((status = stv_string(dat, pword, stvlen, sizeof(pword), len))<0) - pword[0]=0; - - keylow = ntohl(keylow); - keyhigh = ntohl(keyhigh); - memcpy(((char *)newkey) + 4, &keyhigh, 4); - memcpy(newkey, &keylow, 4); - - strings[0] = ad->pname; - strings[1] = ad->pinst; - strings[2] = ad->prealm; - strings[3] = NULL; - status = kadm_pw_check(pword, &newkey, &pw_msg, strings); - - memset(pword, 0, sizeof(pword)); - memset(dat, 0, len); - - if(status != KADM_SUCCESS){ - *datout=malloc(0); - *outlen=vts_string(pw_msg, datout, 0); - return status; - } - *datout=0; - *outlen=0; - - return(kadm_change(ad->pname, ad->pinst, ad->prealm, newkey)); -} - - -/* - * kadm_ser_add - the server side of the add_entry routine - * recieves : KTEXT, {values} - * returns : CKSUM, RETCODE, {values} - * acl : su, sms (as alloc) - * - * Adds and entry containing values to the database - * returns the values of the entry, so if you leave certain fields blank - * you will be able to determine the default values they are set to - * - */ -int -kadm_ser_add(u_char *dat, int len, AUTH_DAT *ad, u_char **datout, int *outlen) -{ - Kadm_vals values, retvals; - long status; - - if ((status = stream_to_vals(dat, &values, len)) < 0) - return(KADM_LENGTH_ERROR); - if ((status = kadm_add_entry(ad->pname, ad->pinst, ad->prealm, - &values, &retvals)) == KADM_DATA) { - *outlen = vals_to_stream(&retvals,datout); - return KADM_SUCCESS; 
- } else { - *outlen = 0; - return status; - } -} - -/* - * kadm_ser_mod - the server side of the mod_entry routine - * recieves : KTEXT, {values, values} - * returns : CKSUM, RETCODE, {values} - * acl : su, sms (as register or dealloc) - * - * Modifies all entries corresponding to the first values so they match the - * second values. - * returns the values for the changed entries - */ -int -kadm_ser_mod(u_char *dat, int len, AUTH_DAT *ad, u_char **datout, int *outlen) -{ - Kadm_vals vals1, vals2, retvals; - int wh; - long status; - - if ((wh = stream_to_vals(dat, &vals1, len)) < 0) - return KADM_LENGTH_ERROR; - if ((status = stream_to_vals(dat+wh,&vals2, len-wh)) < 0) - return KADM_LENGTH_ERROR; - if ((status = kadm_mod_entry(ad->pname, ad->pinst, ad->prealm, &vals1, - &vals2, &retvals)) == KADM_DATA) { - *outlen = vals_to_stream(&retvals,datout); - return KADM_SUCCESS; - } else { - *outlen = 0; - return status; - } -} - -int -kadm_ser_delete(u_char *dat, int len, AUTH_DAT *ad, - u_char **datout, int *outlen) -{ - Kadm_vals values; - int wh; - int status; - - if((wh = stream_to_vals(dat, &values, len)) < 0) - return KADM_LENGTH_ERROR; - if(wh != len) - return KADM_LENGTH_ERROR; - status = kadm_delete_entry(ad->pname, ad->pinst, ad->prealm, - &values); - *outlen = 0; - return status; -} - -/* - * kadm_ser_get - * recieves : KTEXT, {values, flags} - * returns : CKSUM, RETCODE, {count, values, values, values} - * acl : su - * - * gets the fields requested by flags from all entries matching values - * returns this data for each matching recipient, after a count of how many - * such matches there were - */ -int -kadm_ser_get(u_char *dat, int len, AUTH_DAT *ad, u_char **datout, int *outlen) -{ - Kadm_vals values, retvals; - u_char fl[FLDSZ]; - int loop,wh; - long status; - - if ((wh = stream_to_vals(dat, &values, len)) < 0) - return KADM_LENGTH_ERROR; - if (wh + FLDSZ > len) - return KADM_LENGTH_ERROR; - for (loop=FLDSZ-1; loop>=0; loop--) - fl[loop] = dat[wh++]; - if 
((status = kadm_get_entry(ad->pname, ad->pinst, ad->prealm,
- &values, fl, &retvals)) == KADM_DATA) {
- *outlen = vals_to_stream(&retvals,datout);
- return KADM_SUCCESS;
- } else {
- *outlen = 0;
- return status;
- }
-}
-
diff --git a/kerberosIV/kadmind/kadmind.8 b/kerberosIV/kadmind/kadmind.8
deleted file mode 100644
index a694a88a57e..00000000000
--- a/kerberosIV/kadmind/kadmind.8
+++ /dev/null
@@ -1,126 +0,0 @@
-.\" Copyright 1987, 1988, 1989 by the Student Information Processing Board
-.\" of the Massachusetts Institute of Technology
-.\"
-.\" Permission to use, copy, modify, and distribute this software
-.\" and its documentation for any purpose and without fee is
-.\" hereby granted, provided that the above copyright notice
-.\" appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation,
-.\" and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
-.\" used in advertising or publicity pertaining to distribution
-.\" of the software without specific, written prior permission.
-.\" M.I.T. and the M.I.T. S.I.P.B. make no representations about
-.\" the suitability of this software for any purpose. It is
-.\" provided "as is" without express or implied warranty.
-.\"
-.\" $OpenBSD: kadmind.8,v 1.2 1997/05/30 03:11:20 gene Exp $
-.TH KADMIND 8 "Kerberos Version 4.0" "MIT Project Athena"
-.SH NAME
-kadmind \- Kerberos database administration daemon
-.SH SYNOPSIS
-.B kadmind
-[
-.B \-n
-] [
-.B \-h
-] [
-.B \-r realm
-] [
-.B \-f filename
-] [
-.B \-d dbname
-] [
-.B \-a acldir
-]
-.SH DESCRIPTION
-.I kadmind
-is the network database server for the Kerberos password-changing and
-administration tools.
-.PP
-Upon execution, it prompts the user to enter the master key string for
-the database.
-.PP
-If the
-.B \-n
-option is specified, the master key is instead fetched from the master
-key cache file.
-.PP
-If the
-.B \-r
-.I realm
-option is specified, the admin server will pretend that its
-local realm is
-.I realm
-instead of the actual local realm of the host it is running on.
-This makes it possible to run a server for a foreign kerberos
-realm.
-.PP
-If the
-.B \-f
-.I filename
-option is specified, then that file is used to hold the log information
-instead of the default.
-.PP
-If the
-.B \-d
-.I dbname
-option is specified, then that file is used as the database name instead
-of the default.
-.PP
-If the
-.B \-a
-.I acldir
-option is specified, then
-.I acldir
-is used as the directory in which to search for access control lists
-instead of the default.
-.PP
-If the
-.B \-h
-option is specified,
-.I kadmind
-prints out a short summary of the permissible control arguments, and
-then exits.
-.PP
-When performing requests on behalf of clients,
-.I kadmind
-checks access control lists (ACLs) to determine the authorization of the client
-to perform the requested action.
-Currently three distinct access types are supported:
-.TP 1i
-Addition
-(.add ACL file). If a principal is on this list, it may add new
-principals to the database.
-.TP
-Retrieval
-(.get ACL file). If a principal is on this list, it may retrieve
-database entries. NOTE: A principal's private key is never returned by
-the get functions.
-.TP
-Modification
-(.mod ACL file). If a principal is on this list, it may modify entries
-in the database.
-.PP
-A principal is always granted authorization to change its own password.
-.SH FILES
-.TP 20n
-/var/log/admin_server.log
-Default log file.
-.TP
-/etc/kerberosIV
-Default access control list directory.
-.TP
-admin_acl.{add,get,mod}
-Access control list files (within the directory)
-.TP
-/etc/kerberosIV/principal.pag, /etc/kerberosIV/principal.dir
-Default DBM files containing database
-.TP
-/etc/kerberosIV/master_key
-Master key cache file.
-.SH "SEE ALSO"
-kerberos(1), kpasswd(1), kadmin(8), acl_check(3)
-.SH AUTHORS
-Douglas A. Church, MIT Project Athena
-.br
-John T. Kohl, Project Athena/Digital Equipment Corporation
diff --git a/kerberosIV/kadmind/pw_check.c b/kerberosIV/kadmind/pw_check.c
deleted file mode 100644
index 96d9c9ec398..00000000000
--- a/kerberosIV/kadmind/pw_check.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/* $OpenBSD: pw_check.c,v 1.1 1997/12/15 17:56:23 art Exp $ */
-/* $KTH: pw_check.c,v 1.13 1997/04/01 08:17:50 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kadm_locl.h"
-
-/*
- * kadm_pw_check
- *
- * pw : new password or "" if none passed
- * newkey : key for pw as passed from client
- * strings : interesting strings to check for
- *
- * returns NULL if pw is ok, else an explanatory string
- */
-int
-kadm_pw_check(char *pw, des_cblock *newkey, char **pw_msg,
- char **strings)
-{
- des_cblock pwkey;
- int status=KADM_SUCCESS;
-
- if (pw == NULL || *pw == '\0')
- return status; /* XXX - Change this later */
-
-#ifndef NO_PW_CHECK
- *pw_msg = NULL;
- des_string_to_key(pw, &pwkey); /* Check AFS string to key also! */
- if (memcmp(pwkey, *newkey, sizeof(pwkey)) != 0)
- {
- /* no password or bad key */
- status=KADM_PW_MISMATCH;
- *pw_msg = "Password doesn't match supplied DES key";
- }
- else if (strlen(pw) < MIN_KPW_LEN)
- {
- status = KADM_INSECURE_PW;
- *pw_msg="Password is too short";
- }
-
-#ifdef DICTPATH
- *pw_msg = FascistCheck(pw, DICTPATH, strings);
- if (*pw_msg)
- return KADM_INSECURE_PW;
-#endif
-
- memset(pwkey, 0, sizeof(pwkey));
-#endif
-
- return status;
-}
diff --git a/kerberosIV/kafs/Makefile b/kerberosIV/kafs/Makefile
deleted file mode 100644
index fce4e7b1546..00000000000
--- a/kerberosIV/kafs/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-# $Id: Makefile,v 1.4 1998/08/12 23:49:01 art Exp $
-
-LIB= kafs
-CFLAGS+=-I${.CURDIR} -I${.CURDIR}/../roken
-SRCS= afskrb.c afssys.c common.c
-.PATH: ${.CURDIR}/../roken
-SRCS+= resolve.c
-
-.include <bsd.own.mk> # for AFS
-
-.if (${AFS} != "yes")
-CFLAGS+=-DNO_AFS
-.endif
-
-.include <bsd.lib.mk>
diff --git a/kerberosIV/kafs/afskrb.c b/kerberosIV/kafs/afskrb.c
deleted file mode 100644
index 8f85cd4e35d..00000000000
--- a/kerberosIV/kafs/afskrb.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/* $OpenBSD: afskrb.c,v 1.2 1997/12/12 11:46:31 art Exp $ */
-/* $KTH: afskrb.c,v 1.8 1997/10/14 23:00:39 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kafs_locl.h"
-
-struct krb_kafs_data {
- const char *realm;
-};
-
-static int
-get_cred(kafs_data *data, const char *name, const char *inst,
- const char *realm, CREDENTIALS *c)
-{
- KTEXT_ST tkt;
- int ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c);
-
- if (ret) {
- ret = krb_mk_req(&tkt, (char*)name, (char*)inst, (char*)realm, 0);
- if (ret == KSUCCESS)
- ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c);
- }
- return ret;
-}
-
-static int
-afslog_uid_int(kafs_data *data, const char *cell, uid_t uid)
-{
- int ret;
- CREDENTIALS c;
- struct krb_kafs_data *d = data->data;
- char realm[REALM_SZ], *lrealm;
-
- if (cell == 0 || cell[0] == 0)
- return _kafs_afslog_all_local_cells (data, uid);
-
- ret = krb_get_lrealm(realm , 0);
- if(ret == KSUCCESS && (d->realm == NULL || strcmp(d->realm, realm)))
- lrealm = realm;
- else
- lrealm = NULL;
-
- ret = _kafs_get_cred(data, cell, d->realm, lrealm, &c);
-
- if(ret == 0)
- ret = kafs_settoken(cell, uid, &c);
- return ret;
-}
-
-static char *
-get_realm(kafs_data *data, const char *host)
-{
- char *r = krb_realmofhost(host);
- if(r != NULL)
- return strdup(r);
- return NULL;
-}
-
-int
-krb_afslog_uid(const char *cell, const char *realm, uid_t uid)
-{
- kafs_data kd;
- struct krb_kafs_data d;
- kd.afslog_uid = afslog_uid_int;
- kd.get_cred = get_cred;
- kd.get_realm = get_realm;
- kd.data = &d;
- d.realm = realm;
- return afslog_uid_int(&kd, cell, uid);
-}
-
-int
-krb_afslog(const char *cell, const char *realm)
-{
- return krb_afslog_uid (cell, realm, getuid());
-}
diff --git a/kerberosIV/kafs/afssys.c b/kerberosIV/kafs/afssys.c
deleted file mode 100644
index cca824920ff..00000000000
--- a/kerberosIV/kafs/afssys.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* $OpenBSD: afssys.c,v 1.10 1999/03/19 10:43:33 art Exp $ */
-/* $KTH: afssys.c,v 1.57 1998/05/09 17:19:03 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kafs_locl.h"
-
-int _kafs_debug;
-
-int
-k_pioctl(char *a_path,
- int o_opcode,
- struct ViceIoctl *a_paramsP,
- int a_followSymlinks)
-{
- return xfspioctl(AFSCALL_PIOCTL, a_path, o_opcode, a_paramsP,
- a_followSymlinks);
-}
-
-int
-k_afs_cell_of_file(const char *path, char *cell, int len)
-{
- struct ViceIoctl parms;
-
- parms.in = NULL;
- parms.in_size = 0;
- parms.out = cell;
- parms.out_size = len;
-
- return k_pioctl((char*)path, VIOC_FILE_CELL_NAME, &parms, 1);
-}
-
-int
-k_unlog(void)
-{
- struct ViceIoctl parms;
-
- memset(&parms, 0, sizeof(parms));
-
- return k_pioctl(0, VIOCUNLOG, &parms, 0);
-}
-
-int
-k_setpag(void)
-{
- return xfspioctl(AFSCALL_SETPAG, NULL, 0, NULL, 0);
-}
-
-int
-k_hasafs(void)
-{
- struct ViceIoctl parms;
-
- bzero(&parms, sizeof(struct ViceIoctl));
-
- k_pioctl(NULL, VIOCSETTOK, &parms, 0);
-
- /*
- * An ENOSYS means failure. Anything else is success (including EINVAL).
- */
-
- return errno != ENOSYS;
-}
diff --git a/kerberosIV/kafs/common.c b/kerberosIV/kafs/common.c
deleted file mode 100644
index 7ec08a022f5..00000000000
--- a/kerberosIV/kafs/common.c
+++ /dev/null
@@ -1,368 +0,0 @@
-/* $OpenBSD: common.c,v 1.6 1999/02/28 14:14:12 art Exp $ */
-/* $KTH: common.c,v 1.10 1998/04/04 13:08:31 assar Exp $ */
-
-/*
- * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kafs_locl.h"
-#include <resolve.h>
-
-#define AUTH_SUPERUSER "afs"
-
-/*
- * Here only ASCII characters are relevant.
- */
-
-#define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z')
-
-#define ToAsciiUpper(c) ((c) - 'a' + 'A')
-
-static void
-foldup(char *a, const char *b)
-{
- for (; *b; a++, b++)
- if (IsAsciiLower(*b))
- *a = ToAsciiUpper(*b);
- else
- *a = *b;
- *a = '\0';
-}
-
-int
-kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c)
-{
- struct ViceIoctl parms;
- struct ClearToken ct;
- int32_t sizeof_x;
- char buf[2048], *t;
- int ret;
-
- /*
- * Build a struct ClearToken
- */
- ct.AuthHandle = c->kvno;
- memcpy (ct.HandShakeKey, c->session, sizeof(c->session));
- ct.ViceId = uid;
- ct.BeginTimestamp = c->issue_date;
- ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime);
- if(ct.EndTimestamp < time(NULL))
- return 0; /* don't store tokens that has expired (and possibly
- overwriting valid tokens)*/
-
-#define ODD(x) ((x) & 1)
- /* According to Transarc conventions ViceId is valid iff
- * (EndTimestamp - BeginTimestamp) is odd. By decrementing EndTime
- * the transformations:
- *
- * (issue_date, life) -> (StartTime, EndTime) -> (issue_date, life)
- * preserves the original values.
- */
- if (uid != 0) /* valid ViceId */
- {
- if (!ODD(ct.EndTimestamp - ct.BeginTimestamp))
- ct.EndTimestamp--;
- }
- else /* not valid ViceId */
- {
- if (ODD(ct.EndTimestamp - ct.BeginTimestamp))
- ct.EndTimestamp--;
- }
-
- t = buf;
- /*
- * length of secret token followed by secret token
- */
- sizeof_x = c->ticket_st.length;
- memcpy(t, &sizeof_x, sizeof(sizeof_x));
- t += sizeof(sizeof_x);
- memcpy(t, c->ticket_st.dat, sizeof_x);
- t += sizeof_x;
- /*
- * length of clear token followed by clear token
- */
- sizeof_x = sizeof(ct);
- memcpy(t, &sizeof_x, sizeof(sizeof_x));
- t += sizeof(sizeof_x);
- memcpy(t, &ct, sizeof_x);
- t += sizeof_x;
-
- /*
- * do *not* mark as primary cell
- */
- sizeof_x = 0;
- memcpy(t, &sizeof_x, sizeof(sizeof_x));
- t += sizeof(sizeof_x);
- /*
- * follow with cell name
- */
- sizeof_x = strlen(cell) + 1;
- memcpy(t, cell, sizeof_x);
- t += sizeof_x;
-
- /*
- * Build argument block
- */
- parms.in = buf;
- parms.in_size = t - buf;
- parms.out = 0;
- parms.out_size = 0;
- ret = k_pioctl(0, VIOCSETTOK, &parms, 0);
- return ret;
-}
-
-/* Try to get a db-server for an AFS cell from a AFSDB record */
-
-static int
-dns_find_cell(const char *cell, char *dbserver, size_t len)
-{
- struct dns_reply *r;
- int ok = -1;
- r = dns_lookup(cell, "afsdb");
- if(r){
- struct resource_record *rr = r->head;
- while(rr){
- if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){
- strncpy(dbserver, rr->u.afsdb->domain, len);
- dbserver[len - 1] = '\0';
- ok = 0;
- break;
- }
- rr = rr->next;
- }
- dns_free_data(r);
- }
- return ok;
-}
-
-
-/*
- * Try to find the cells we should try to klog to in "file".
- */
-static void
-find_cells(char *file, char ***cells, int *index)
-{
- FILE *f;
- char cell[64];
- int i;
- int ind = *index;
-
- f = fopen(file, "r");
- if (f == NULL)
- return;
- while (fgets(cell, sizeof(cell), f)) {
- char *nl = strchr(cell, '\n');
- if (nl) *nl = 0;
-
- /* skip blank lines */
- if (!cell[0]) continue;
-
- for(i = 0; i < ind; i++)
- if(strcmp((*cells)[i], cell) == 0)
- break;
- if(i == ind){
- *cells = realloc(*cells, (ind + 1) * sizeof(**cells));
- if (*cells == NULL)
- break;
- (*cells)[ind] = strdup(cell);
- if ((*cells)[ind] == NULL)
- break;
- ++ind;
- }
- }
- fclose(f);
- *index = ind;
-}
-
-/*
- * Get tokens for all cells[]
- */
-static int
-afslog_cells(kafs_data *data, char **cells, int max, uid_t uid)
-{
- int ret = 0;
- int i;
- for(i = 0; i < max; i++)
- ret = (*data->afslog_uid)(data, cells[i], uid);
- return ret;
-}
-
-int
-_kafs_afslog_all_local_cells(kafs_data *data, uid_t uid)
-{
- int ret;
- char **cells = NULL;
- int index = 0;
-
- char *p;
-
- if ((p = getenv("HOME"))) {
- char home[MAXPATHLEN];
- snprintf(home, sizeof(home), "%s/.TheseCells", p);
- find_cells(home, &cells, &index);
- }
- find_cells(_PATH_THESECELLS, &cells, &index);
- find_cells(_PATH_THISCELL, &cells, &index);
- find_cells(_PATH_ARLA_THESECELLS, &cells, &index);
- find_cells(_PATH_ARLA_THISCELL, &cells, &index);
-
- ret = afslog_cells(data, cells, index, uid);
- while(index > 0) {
- free(cells[--index]);
- cells[index] = NULL;
- }
- free(cells);
- cells = NULL;
- return ret;
-}
-
-
-/* Find the realm associated with cell. Do this by opening
- /usr/vice/etc/CellServDB and getting the realm-of-host for the
- first VL-server for the cell.
-
- This does not work when the VL-server is living in one realm, but
- the cell it is serving is living in another realm.
-
- Return 0 on success, -1 otherwise.
- */
-
-static int
-realm_of_cell(kafs_data *data, const char *cell, char **realm)
-{
- FILE *F;
- char buf[1024];
- char *p;
- int ret = -1;
-
- if ((F = fopen(_PATH_CELLSERVDB, "r"))
- || (F = fopen(_PATH_ARLA_CELLSERVDB, "r"))) {
- while (fgets(buf, sizeof(buf), F)) {
- if (buf[0] != '>')
- continue; /* Not a cell name line, try next line */
- if (strncmp(buf + 1, cell, strlen(cell)) == 0) {
- /*
- * We found the cell name we're looking for.
- * Read next line on the form ip-address '#' hostname
- */
- if (fgets(buf, sizeof(buf), F) == NULL)
- break; /* Read failed, give up */
- p = strchr(buf, '#');
- if (p == NULL)
- break; /* No '#', give up */
- p++;
- if (buf[strlen(buf) - 1] == '\n')
- buf[strlen(buf) - 1] = '\0';
- *realm = (*data->get_realm)(data, p);
- if (*realm && **realm != '\0')
- ret = 0;
- break; /* Won't try any more */
- }
- }
- fclose(F);
- }
- if (*realm == NULL && dns_find_cell(cell, buf, sizeof(buf)) == 0)
- *realm = strdup(krb_realmofhost(buf));
- return ret;
-}
-
-int
-_kafs_get_cred(kafs_data *data,
- const char *cell,
- const char *krealm,
- const char *lrealm,
- CREDENTIALS *c)
-{
- int ret = -1;
- char *vl_realm;
- char CELL[64];
-
- /* We're about to find the the realm that holds the key for afs in
- * the specified cell. The problem is that null-instance
- * afs-principals are common and that hitting the wrong realm might
- * yield the wrong afs key. The following assumptions were made.
- *
- * Any realm passed to us is preferred.
- *
- * If there is a realm with the same name as the cell, it is most
- * likely the correct realm to talk to.
- *
- * In most (maybe even all) cases the database servers of the cell
- * will live in the realm we are looking for.
- *
- * Try the local realm, but if the previous cases fail, this is
- * really a long shot.
- *
- */
-
- /* comments on the ordering of these tests */
-
- /* If the user passes a realm, she probably knows something we don't
- * know and we should try afs@krealm (otherwise we're talking with a
- * blondino and she might as well have it.)
- */
-
- if (krealm != NULL) {
- ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, krealm, c);
- if (ret == 0) return 0;
- ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", krealm, c);
- }
- if (ret == 0) return 0;
-
- foldup(CELL, cell);
-
- ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c);
- if (ret == 0) return 0;
-
- ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c);
- if (ret == 0) return 0;
-
- /* this might work in some cases */
- if (realm_of_cell(data, cell, &vl_realm) == 0) {
- ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c);
- if (ret)
- ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c);
- free(vl_realm);
- if (ret == 0) return 0;
- }
-
- if (lrealm)
- ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, lrealm, c);
- return ret;
-}
-
-
diff --git a/kerberosIV/kafs/shlib_version b/kerberosIV/kafs/shlib_version
deleted file mode 100644
index 900b4048a96..00000000000
--- a/kerberosIV/kafs/shlib_version
+++ /dev/null
@@ -1,2 +0,0 @@
-major=5
-minor=1
diff --git a/kerberosIV/kauth/Makefile b/kerberosIV/kauth/Makefile
deleted file mode 100644
index 2fbefa16160..00000000000
--- a/kerberosIV/kauth/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 1998/08/12 23:55:56 art Exp $
-
-.include <bsd.obj.mk>
-
-SRCS= encdata.c rkinit.c kauth.c marshall.c
-.PATH: ${.CURDIR}/../roken
-SRCS+= simple_exec.c
-CFLAGS+= -I${.CURDIR}/../roken
-PROG= kauth
-LDADD+= -lkrb -lkafs -ldes
-DPADD+= ${LIBKRB} ${LIBKAFS}
-BINDIR= /usr/bin
-MAN= kauth.1
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/kauth/encdata.c b/kerberosIV/kauth/encdata.c
deleted file mode 100644
index 71e1a998c6e..00000000000
--- a/kerberosIV/kauth/encdata.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/* $OpenBSD: encdata.c,v 1.1 1997/12/18 22:28:02 art Exp $ */
-/* $KTH: encdata.c,v 1.9 1997/04/01 08:17:30 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kauth.h"
-
-int
-write_encrypted (int fd, void *buf, size_t len, des_key_schedule schedule,
- des_cblock *session, struct sockaddr_in *me,
- struct sockaddr_in *him)
-{
- void *outbuf;
- int32_t outlen, l;
- int i;
- unsigned char tmp[4];
-
- outbuf = malloc(len + 30);
- if (outbuf == NULL)
- return -1;
-
- outlen = krb_mk_priv (buf, outbuf, len, schedule, session, me, him);
- if (outlen < 0) {
- free(outbuf);
- return -1;
- }
-
- l = outlen;
- for(i = 3; i >= 0; i--, l = l >> 8)
- tmp[i] = l & 0xff;
- if (krb_net_write (fd, tmp, 4) != 4 ||
- krb_net_write (fd, outbuf, outlen) != outlen) {
- free(outbuf);
- outbuf = NULL;
- return -1;
- }
-
- free(outbuf);
- outbuf = NULL;
- return 0;
-}
-
-
-int
-read_encrypted (int fd, void *buf, size_t len, void **ret,
- des_key_schedule schedule, des_cblock *session,
- struct sockaddr_in *him, struct sockaddr_in *me)
-{
- int status;
- int32_t l;
- MSG_DAT msg;
- unsigned char tmp[4];
-
- l = krb_net_read (fd, tmp, 4);
- if (l != 4)
- return l;
- l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
- if (l > len)
- return -1;
- if (krb_net_read (fd, buf, l) != l)
- return -1;
- status = krb_rd_priv (buf, l, schedule, session, him, me, &msg);
- if (status != RD_AP_OK) {
- fprintf (stderr, "read_encrypted: %s\n",
- krb_get_err_text(status));
- return -1;
- }
- *ret = msg.app_data;
- return msg.app_length;
-}
diff --git a/kerberosIV/kauth/kauth.1 b/kerberosIV/kauth/kauth.1
deleted file mode 100644
index b956e1a5a7d..00000000000
--- a/kerberosIV/kauth/kauth.1
+++ /dev/null
@@ -1,66 +0,0 @@
-.\" $Id: kauth.1,v 1.4 1999/07/09 13:35:58 aaron Exp $
-.\"
-.Dd May 4, 1996
-.Dt KAUTH 1
-.Os
-.Sh NAME
-.Nm kauth
-.Nd
-overworked Kerberos login program
-.Sh SYNOPSIS
-.Nm kauth
-.Op Fl n Ar name
-.Op Fl r Ar remote user
-.Op Fl t Pa remote ticket file
-.Op Fl h Ar hosts...
-.Op Fl l Ar lifetime
-.Op Fl f Pa srvtab
-.Op Fl c Ar cell
-.Op Ar command ...
-.Sh DESCRIPTION
-The
-.Nm
-command obtains ticket granting tickets as well as AFS ticket and
-tokens. It also does a whole lot of other stuff.
-.Pp
-The following flags are supported:
-.Bl -tag -width xxxx
-.It Fl n
-Principal to get tickets for. If no other arguments are present this
-can be given without the
-.Fl n
-flag.
-.It Fl h
-Remote hosts to obtain tickets for. This works similar to the MIT
-Athena Kerberos 4 patchlevel 10 command
-.Xr rkinit 1 ,
-however not in a compatible way. It requires that the remote host runs
-the
-.Xr kauthd 8 ,
-server. The
-.Fl r
-and
-.Fl t
-flags are useful only with this option.
-.It Fl r
-User on the remote host that should own the ticket file.
-.It Fl t
-Ticket file on remote host.
-.It Fl l
-Lifetime of tickets in minutes. A value of -1 is used for maximum
-ticket lifetime.
-.It Fl f
-Srvtab to get service keys from. Default is
-.Pa /etc/kerberosIV/srvtab .
-This is mainly used with batch services that need to run
-authenticated. If any command is given, it will be executed in an
-authenticated fashion and when the program exits the tickets are
-destroyed. For long running jobs the tickets will be renewed.
-.It Fl c
-AFS cell to get tokens for, default is your local cell.
-.El
-.Sh SEE ALSO
-.Xr kinit 1 ,
-.Xr kauthd 8
-.Sh BUGS
-There is no help-switch.
diff --git a/kerberosIV/kauth/kauth.c b/kerberosIV/kauth/kauth.c
deleted file mode 100644
index 4d89ff18c33..00000000000
--- a/kerberosIV/kauth/kauth.c
+++ /dev/null
@@ -1,334 +0,0 @@
-/* $OpenBSD: kauth.c,v 1.5 1999/05/23 17:19:24 aaron Exp $ */
-/* $KTH: kauth.c,v 1.81 1997/12/09 10:36:33 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Little program that reads an srvtab or password and
- * creates a suitable ticketfile and associated AFS tokens.
- *
- * If an optional command is given the command is executed in a
- * new PAG and when the command exits the tickets are destroyed.
- */
-
-#include "kauth.h"
-#include <simple_exec.h>
-
-krb_principal princ;
-static char srvtab[MAXPATHLEN];
-static int lifetime = DEFAULT_TKT_LIFE;
-static char remote_tktfile[MAXPATHLEN];
-static char remoteuser[100];
-static char *cell = 0;
-static char progname[] = "kauth";
-
-char *
-strupr(char *str)
-{
- char *s;
-
- for(s = str; *s; s++)
- *s = toupper(*s);
- return str;
-}
-
-static void
-usage(void)
-{
- fprintf(stderr,
- "Usage: %s -n <name> [-r remoteuser] [-t remote ticketfile] "
- "[-l lifetime (in minutes) ] [-f srvtab ] "
- "[-c AFS cell name ] [-h hosts... [--]] [command ... ]\n",
- progname);
- fprintf(stderr, "\nA fully qualified name can be given user[.instance][@realm]\nRealm is converted to uppercase!\n");
- exit(1);
-}
-
-#define EX_NOEXEC 126
-#define EX_NOTFOUND 127
-
-static int
-doexec(int argc, char **argv)
-{
- int ret = simple_execvp(argv[0], argv);
- if(ret == -2)
- warn ("fork");
- if(ret == -3)
- warn("waitpid");
- if (ret < 0)
- return EX_NOEXEC;
- if(ret == EX_NOEXEC || ret == EX_NOTFOUND)
- warnx("Can't exec program ``%s''", argv[0]);
-
- return ret;
-}
-
-static void
-renew(int sig)
-{
- int code;
-
- signal(SIGALRM, renew);
-
- code = krb_get_svc_in_tkt(princ.name, princ.instance, princ.realm,
- KRB_TICKET_GRANTING_TICKET,
- princ.realm, lifetime, srvtab);
- if (code)
- warnx ("%s", krb_get_err_text(code));
- else if (k_hasafs())
- {
- if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) {
- warnx ("%s", krb_get_err_text(code));
- }
- }
-
- alarm(krb_life_to_time(0, lifetime)/2 - 60);
-}
-
-static int
-zrefresh(void)
-{
- switch (fork()) {
- case -1:
- err (1, "Warning: Failed to fork zrefresh");
- return -1;
- case 0:
- /* Child */
- execlp("zrefresh", "zrefresh", 0);
- execl("/usr/bin/zrefresh", "zrefresh", 0);
- exit(1);
- default:
- /* Parent */
- break;
- }
- return 0;
-}
-
-static int
-key_to_key(char *user, char *instance, char *realm, void *arg,
- des_cblock *key)
-{
- memcpy(key, arg, sizeof(des_cblock));
- return 0;
-}
-
-int
-main(int argc, char **argv)
-{
- int code, more_args;
- int ret;
- int c;
- char *file;
- int pflag = 0;
- char passwd[100];
- des_cblock key;
- char **host;
- int nhost;
- char tf[MAXPATHLEN];
-
- if ((file = getenv("KRBTKFILE")) == 0)
- file = TKT_FILE;
-
- memset(&princ, 0, sizeof(princ));
- memset(srvtab, 0, sizeof(srvtab));
- *remoteuser = '\0';
- nhost = 0;
- host = NULL;
-
- /* Look for kerberos name */
- if (argc > 1 &&
- argv[1][0] != '-' &&
- krb_parse_name(argv[1], &princ) == 0)
- {
- argc--; argv++;
- strupr(princ.realm);
- }
-
- while ((c = getopt(argc, argv, "r:t:f:hdl:n:c:")) != -1)
- switch (c) {
- case 'd':
- krb_enable_debug();
- _kafs_debug = 1;
- break;
- case 'f':
- strncpy(srvtab, optarg, sizeof(srvtab) - 1);
- srvtab[sizeof(srvtab) - 1] = '\0';
- break;
- case 't':
- strncpy(remote_tktfile, optarg, sizeof(remote_tktfile) - 1);
- remote_tktfile[sizeof(remote_tktfile)] = '\0';
- break;
- case 'r':
- strncpy(remoteuser, optarg, sizeof(remoteuser) - 1);
- remoteuser[sizeof(remoteuser) - 1] = '\0';
- break;
- case 'l':
- lifetime = atoi(optarg);
- if (lifetime == -1)
- lifetime = 255;
- else if (lifetime < 5)
- lifetime = 1;
- else
- lifetime = krb_time_to_life(0, lifetime*60);
- if (lifetime > 255)
- lifetime = 255;
- break;
- case 'n':
- if ((code = krb_parse_name(optarg, &princ)) != 0) {
- warnx ("%s", krb_get_err_text(code));
- usage();
- }
- strupr(princ.realm);
- pflag = 1;
- break;
- case 'c':
- cell = optarg;
- break;
- case 'h':
- host = argv + optind;
- for(nhost = 0; optind < argc && *argv[optind] != '-'; ++optind)
- ++nhost;
- break;
- case '?':
- default:
- usage();
- break;
- }
-
- if (princ.name[0] == '\0' && krb_get_default_principal (princ.name,
- princ.instance,
- princ.realm) < 0)
- errx (1, "Could not get default principal");
-
- /* With root tickets assume remote user is root */
- if (*remoteuser == '\0') {
- if (strcmp(princ.instance, "root") == 0) {
- strncpy(remoteuser, princ.instance, sizeof(remoteuser) - 1);
- remoteuser[sizeof(remoteuser) - 1] = '\0';
- }
- else {
- strncpy(remoteuser, princ.name, sizeof(remoteuser) - 1);
- remoteuser[sizeof(remoteuser) - 1] = '\0';
- }
- }
-
- more_args = argc - optind;
-
- if (princ.realm[0] == '\0')
- if (krb_get_lrealm(princ.realm, 1) != KSUCCESS) {
- strncpy(princ.realm, KRB_REALM, REALM_SZ - 1);
- princ.realm[REALM_SZ - 1] = '\0';
- }
-
- if (more_args) {
- int f;
-
- do{
- snprintf(tf, sizeof(tf),
- TKT_ROOT "%u_%u",
- (unsigned)getuid(),
- (unsigned)(getpid()*time(0)));
- f = open(tf, O_CREAT|O_EXCL|O_RDWR);
- } while(f < 0);
- close(f);
- unlink(tf);
- setenv("KRBTKFILE", tf, 1);
- krb_set_tkt_string (tf);
- }
-
- if (srvtab[0])
- {
- signal(SIGALRM, renew);
-
- code = read_service_key (princ.name, princ.instance, princ.realm, 0,
- srvtab, (char *)&key);
- if (code == KSUCCESS)
- code = krb_get_in_tkt(princ.name, princ.instance, princ.realm,
- KRB_TICKET_GRANTING_TICKET,
- princ.realm, lifetime,
- key_to_key, NULL, key);
- alarm(krb_life_to_time(0, lifetime)/2 - 60);
- }
- else {
- char prompt[128];
-
- snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&princ));
- if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
- memset(passwd, 0, sizeof(passwd));
- exit(1);
- }
- code = krb_get_pw_in_tkt2(princ.name, princ.instance, princ.realm,
- KRB_TICKET_GRANTING_TICKET, princ.realm,
- lifetime, passwd, &key);
-
- memset(passwd, 0, sizeof(passwd));
- }
- if (code) {
- memset (key, 0, sizeof(key));
- errx (1, "%s", krb_get_err_text(code));
- }
-
- if (k_hasafs()) {
- if (more_args)
- k_setpag();
- if ((code = krb_afslog(cell, NULL)) != 0 && code != KDC_PR_UNKNOWN) {
- if(code > 0)
- warnx ("%s", krb_get_err_text(code));
- else
- warnx ("failed to store AFS token");
- }
- }
-
- for(ret = 0; nhost-- > 0; host++)
- ret += rkinit(&princ, lifetime, remoteuser, remote_tktfile, &key, *host);
-
- if (ret)
- return ret;
-
- if (more_args) {
- ret = doexec(more_args, &argv[optind]);
- dest_tkt();
- if (k_hasafs())
- k_unlog();
- }
- else
- zrefresh();
-
- return ret;
-}
diff --git a/kerberosIV/kauth/kauth.h b/kerberosIV/kauth/kauth.h
deleted file mode 100644
index 2355d379e8b..00000000000
--- a/kerberosIV/kauth/kauth.h
+++ /dev/null
@@ -1,82 +0,0 @@ -/* $OpenBSD: kauth.h,v 1.2 1998/02/18 11:53:47 art Exp $ */ -/* $KTH: kauth.h,v 1.18 1997/05/20 18:40:31 bg Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <ctype.h> -#include <string.h> -#include <signal.h> -#include <fcntl.h> -#include <errno.h> -#include <unistd.h> -#include <pwd.h> -#include <grp.h> - -#include <sys/time.h> -#include <time.h> -#include <sys/resource.h> -#include <sys/wait.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netdb.h> - -#include <err.h> - -#include <kerberosIV/krb.h> -#include <kerberosIV/kafs.h> - -#define KAUTH_PORT 2120 - -#define KAUTH_VERSION "RKINIT.0" - -int rkinit (krb_principal*, int, char*, char*, des_cblock*, char*); - -int write_encrypted (int, void*, size_t, des_key_schedule, - des_cblock*, struct sockaddr_in*, struct sockaddr_in*); - -int read_encrypted (int, void*, size_t, void **, des_key_schedule, - des_cblock*, struct sockaddr_in*, struct sockaddr_in*); - -unsigned pack_args (char *, krb_principal*, int, char*, char*); - -int unpack_args (char*, krb_principal*, int*, char*, char*); diff --git a/kerberosIV/kauth/marshall.c b/kerberosIV/kauth/marshall.c deleted file mode 100644 index 982991509c7..00000000000 --- a/kerberosIV/kauth/marshall.c +++ /dev/null 
@@ -1,98 +0,0 @@ -/* $OpenBSD: marshall.c,v 1.1 1997/12/18 22:28:04 art Exp $ */ -/* $KTH: marshall.c,v 1.7 1997/04/01 08:17:32 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kauth.h" - -unsigned -pack_args (char *buf, krb_principal *pr, int lifetime, - char *locuser, char *tktfile) -{ - char *p; - - p = buf; - strcpy (p, pr->name); - p += strlen (pr->name) + 1; - strcpy (p, pr->instance); - p += strlen (pr->instance) + 1; - strcpy (p, pr->realm); - p += strlen (pr->realm) + 1; - *p++ = (unsigned char)lifetime; - strcpy(p, locuser); - p += strlen (locuser) + 1; - strcpy(p, tktfile); - p += strlen(tktfile) + 1; - return p - buf; -} - -int -unpack_args (char *buf, krb_principal *pr, int *lifetime, - char *locuser, char *tktfile) -{ - int len; - - len = strlen(buf); - if (len > SNAME_SZ) - return -1; - strncpy(pr->name, buf, len + 1); - buf += len + 1; - len = strlen (buf); - if (len > INST_SZ) - return -1; - strncpy (pr->instance, buf, len + 1); - buf += len + 1; - len = strlen (buf); - if (len > REALM_SZ) - return -1; - strncpy (pr->realm, buf, len + 1); - buf += len + 1; - *lifetime = (unsigned char)*buf++; - len = strlen(buf); - if (len > SNAME_SZ) - return -1; - strncpy (locuser, buf, len + 1); - buf += len + 1; - len = strlen(buf); - if (len > MAXPATHLEN) - return -1; - strncpy (tktfile, buf, len + 1); - buf += len + 1; - return 0; -} diff --git a/kerberosIV/kauth/rkinit.c b/kerberosIV/kauth/rkinit.c deleted file mode 100644 index 713c9df9547..00000000000 --- a/kerberosIV/kauth/rkinit.c +++ /dev/null 
@@ -1,228 +0,0 @@ -/* $OpenBSD: rkinit.c,v 1.2 1998/08/16 02:42:10 art Exp $ */ -/* $KTH: rkinit.c,v 1.19 1997/04/01 08:17:33 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kauth.h" - -static struct in_addr * -getalladdrs (char *hostname, unsigned *count) -{ - struct hostent *hostent; - struct in_addr **h; - struct in_addr *addr; - struct in_addr *temp; - unsigned naddr; - unsigned maxaddr; - - hostent = gethostbyname (hostname); - if (hostent == NULL) { - warnx ("gethostbyname '%s' failed: %s\n", - hostname, -#ifdef HAVE_H_ERRNO - hstrerror(h_errno) -#else - "unknown error" -#endif - ); - return NULL; - } - maxaddr = 1; - naddr = 0; - addr = malloc(sizeof(*addr) * maxaddr); - if (addr == NULL) { - warnx ("out of memory"); - return NULL; - } - for (h = (struct in_addr **)(hostent->h_addr_list); - *h != NULL; - h++) { - if (naddr >= maxaddr) { - maxaddr *= 2; - temp = realloc (addr, sizeof(*addr) * maxaddr); - if (temp == NULL) { - warnx ("out of memory"); - free(addr); - return NULL; - } - addr = temp; - } - addr[naddr++] = **h; - } - temp = realloc (addr, sizeof(*addr) * naddr); - if (temp == NULL) { - warnx ("out of memory"); - free(addr); - return NULL; - } - addr = temp; - *count = naddr; - return addr; -} - -static int -doit_host (krb_principal *princ, int lifetime, char *locuser, - char *tktfile, des_cblock *key, int s, char *hostname) -{ - char buf[BUFSIZ]; - int inlen; - KTEXT_ST text; - CREDENTIALS cred; - MSG_DAT msg; - int status; - des_key_schedule schedule; - struct sockaddr_in thisaddr, thataddr; - int addrlen; - void *ret; - - addrlen = sizeof(thisaddr); - if (getsockname (s, 
(struct sockaddr *)&thisaddr, &addrlen) < 0 || - addrlen != sizeof(thisaddr)) { - warn ("getsockname(%s)", hostname); - return 1; - } - addrlen = sizeof(thataddr); - if (getpeername (s, (struct sockaddr *)&thataddr, &addrlen) < 0 || - addrlen != sizeof(thataddr)) { - warn ("getpeername(%s)", hostname); - return 1; - } - - status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd", - hostname, krb_realmofhost (hostname), - getpid(), &msg, &cred, schedule, - &thisaddr, &thataddr, KAUTH_VERSION); - if (status != KSUCCESS) { - warnx ("%s: %s\n", hostname, krb_get_err_text(status)); - return 1; - } - inlen = pack_args (buf, princ, lifetime, locuser, tktfile); - - if (write_encrypted(s, buf, inlen, schedule, &cred.session, - &thisaddr, &thataddr) < 0) { - warn ("write to %s", hostname); - return 1; - } - - inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule, - &cred.session, &thataddr, &thisaddr); - if (inlen < 0) { - warn ("read from %s failed", hostname); - return 1; - } - - if (strncmp(ret, "ok", inlen) != 0) { - warnx ("error from %s: %.*s\n", - hostname, inlen, (char *)ret); - return 1; - } - - inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule, - &cred.session, &thataddr, &thisaddr); - if (inlen < 0) { - warn ("read from %s", hostname); - return 1; - } - - { - des_key_schedule key_s; - - des_key_sched(key, key_s); - des_pcbc_encrypt(ret, ret, inlen, key_s, key, DES_DECRYPT); - memset(key_s, 0, sizeof(key_s)); - } - write_encrypted (s, ret, inlen, schedule, &cred.session, - &thisaddr, &thataddr); - - inlen = read_encrypted (s, buf, sizeof(buf), &ret, schedule, - &cred.session, &thataddr, &thisaddr); - if (inlen < 0) { - warn ("read from %s", hostname); - return 1; - } - - if (strncmp(ret, "ok", inlen) != 0) { - warnx ("error from %s: %.*s\n", - hostname, inlen, (char *)ret); - return 1; - } - return 0; -} - -int -rkinit (krb_principal *princ, int lifetime, char *locuser, - char *tktfile, des_cblock *key, char *hostname) -{ - struct in_addr *addr; - 
unsigned naddr; - unsigned i; - int port; - int success; - - addr = getalladdrs (hostname, &naddr); - if (addr == NULL) - return 1; - port = k_getportbyname ("kauth", "tcp", htons(KAUTH_PORT)); - success = 0; - for (i = 0; !success && i < naddr; ++i) { - struct sockaddr_in a; - int s; - - memset(&a, 0, sizeof(a)); - a.sin_family = AF_INET; - a.sin_port = port; - a.sin_addr = addr[i]; - - s = socket (AF_INET, SOCK_STREAM, 0); - if (s < 0) { - warn("socket"); - return 1; - } - if (connect(s, (struct sockaddr *)&a, sizeof(a)) < 0) { - warn("connect(%s)", hostname); - continue; - } - - success = success || !doit_host (princ, lifetime, - locuser, tktfile, key, - s, hostname); - close (s); - } - return !success; -} diff --git a/kerberosIV/kauthd/Makefile b/kerberosIV/kauthd/Makefile deleted file mode 100644 index c513ae3de50..00000000000 --- a/kerberosIV/kauthd/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 1998/02/26 00:16:47 art Exp $ - -.include <bsd.obj.mk> - -SRCS= kauthd.c inaddr2str.c mini_inetd.c -.PATH: ${.CURDIR}/../kauth -SRCS+= encdata.c marshall.c -PROG= kauthd -LDADD+= -lkrb -lkafs -ldes -DPADD+= ${LIBKRB} ${LIBKAFS} -CFLAGS+= -I${.CURDIR}/../kauth -BINDIR=/usr/libexec -MAN= kauthd.8 - -.include <bsd.prog.mk> diff --git a/kerberosIV/kauthd/inaddr2str.c b/kerberosIV/kauthd/inaddr2str.c deleted file mode 100644 index 485aafb61c4..00000000000 --- a/kerberosIV/kauthd/inaddr2str.c +++ /dev/null 
@@ -1,75 +0,0 @@ -/* $OpenBSD: inaddr2str.c,v 1.1 1998/02/18 07:10:24 art Exp $ */ -/* $KTH: inaddr2str.c,v 1.8 1997/10/29 01:32:55 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <stdlib.h> -#include <string.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netdb.h> - -/* - * Get a verified name for `addr'. - * If unable to find it in the DNS, return x.y.z.a - */ - -void -inaddr2str(struct in_addr addr, char *s, size_t len) -{ - struct hostent *h; - char *p; - - h = gethostbyaddr ((const char *)&addr, sizeof(addr), AF_INET); - if (h) { - h = gethostbyname (h->h_name); - if(h) - while ((p = *(h->h_addr_list)++)) - if (memcmp (p, &addr, sizeof(addr)) == 0) { - strncpy (s, h->h_name, len); - s[len - 1] = '\0'; - return; - } - } - strncpy (s, inet_ntoa (addr), len); - s[len - 1] = '\0'; - return; -} diff --git a/kerberosIV/kauthd/kauthd.8 b/kerberosIV/kauthd/kauthd.8 deleted file mode 100644 index e142279dd49..00000000000 --- a/kerberosIV/kauthd/kauthd.8 +++ /dev/null @@ -1,28 +0,0 @@ -.\" $KTH: kauthd.8,v 1.2 1996/09/28 22:04:48 assar Exp $ -.\" $OpenBSD: kauthd.8,v 1.3 1999/05/23 14:11:10 aaron Exp $ -.\" -.Dd September 27, 1996 -.Dt KAUTHD 8 -.Os -.Sh NAME -.Nm kauthd -.Nd -remote Kerberos login daemon -.Sh SYNOPSIS -.Nm kauthd -.Sh DESCRIPTION -Daemon for the -.Xr kauth 1 -command. -.Pp -Options supported by -.Nm kauthd : -.Bl -tag -width Ds -.It Fl i -Interactive. Do not expect to be started by -.Nm inetd, -but allocate and listen to the socket yourself. Handy for testing -and debugging. -.El -.Sh SEE ALSO -.Xr kauth 1 
diff --git a/kerberosIV/kauthd/kauthd.c b/kerberosIV/kauthd/kauthd.c deleted file mode 100644 index 3ec59f76ad6..00000000000 --- a/kerberosIV/kauthd/kauthd.c +++ /dev/null 
@@ -1,204 +0,0 @@ -/* $OpenBSD: kauthd.c,v 1.1 1998/02/18 07:10:24 art Exp $ */ -/* $KTH: kauthd.c,v 1.22 1997/05/18 20:37:55 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <kauth.h> -#include <syslog.h> -#include <varargs.h> - -krb_principal princ; -static char locuser[SNAME_SZ + 1]; -static int lifetime; -static char tktfile[MAXPATHLEN + 1]; - -struct remote_args { - int sock; - des_key_schedule *schedule; - des_cblock *session; - struct sockaddr_in *me, *her; -}; - -static int -decrypt_remote_tkt (char *user, char *inst, char *realm, void *varg, - key_proc_t key_proc, KTEXT *cipp) -{ - char buf[BUFSIZ]; - void *ptr; - int len; - KTEXT cip = *cipp; - struct remote_args *args = (struct remote_args *)varg; - - write_encrypted (args->sock, cip->dat, cip->length, - *args->schedule, args->session, args->me, - args->her); - len = read_encrypted (args->sock, buf, sizeof(buf), &ptr, *args->schedule, - args->session, args->her, args->me); - memcpy(cip->dat, ptr, cip->length); - - return 0; -} - -static int -doit(int sock) -{ - int status; - KTEXT_ST ticket; - AUTH_DAT auth; - char instance[INST_SZ + 1]; - des_key_schedule schedule; - struct sockaddr_in thisaddr, thataddr; - int addrlen; - int len; - char buf[BUFSIZ]; - void *data; - struct passwd *passwd; - char version[KRB_SENDAUTH_VLEN + 1]; - char remotehost[MAXHOSTNAMELEN]; - - addrlen = sizeof(thisaddr); - if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 || - addrlen != sizeof(thisaddr)) { - return 1; - } - addrlen = sizeof(thataddr); - if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 || - addrlen != 
sizeof(thataddr)) { - return 1; - } - - inaddr2str (thataddr.sin_addr, remotehost, sizeof(remotehost)); - - k_getsockinst (sock, instance, sizeof(instance)); - status = krb_recvauth (KOPT_DO_MUTUAL, sock, &ticket, "rcmd", instance, - &thataddr, &thisaddr, &auth, "", schedule, - version); - if (status != KSUCCESS || - strncmp(version, KAUTH_VERSION, KRB_SENDAUTH_VLEN) != 0) { - return 1; - } - len = read_encrypted (sock, buf, sizeof(buf), &data, schedule, - &auth.session, &thataddr, &thisaddr); - if (len < 0) { - write_encrypted (sock, "read_enc failed", - sizeof("read_enc failed") - 1, schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - if (unpack_args(data, &princ, &lifetime, locuser, - tktfile)) { - write_encrypted (sock, "unpack_args failed", - sizeof("unpack_args failed") - 1, schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - - if( kuserok(&auth, locuser) != 0) { - snprintf(buf, sizeof(buf), "%s cannot get tickets for %s", - locuser, krb_unparse_name(&princ)); - syslog (LOG_ERR, buf); - write_encrypted (sock, buf, strlen(buf), schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - passwd = getpwnam (locuser); - if (passwd == NULL) { - snprintf (buf, sizeof(buf), "No user '%s'", locuser); - syslog (LOG_ERR, buf); - write_encrypted (sock, buf, strlen(buf), schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - if (setgid (passwd->pw_gid) || - initgroups(passwd->pw_name, passwd->pw_gid) || - setuid(passwd->pw_uid)) { - snprintf (buf, sizeof(buf), "Could not change user"); - syslog (LOG_ERR, buf); - write_encrypted (sock, buf, strlen(buf), schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } - write_encrypted (sock, "ok", sizeof("ok") - 1, schedule, - &auth.session, &thisaddr, &thataddr); - - if (*tktfile == 0) - snprintf(tktfile, sizeof(tktfile), "%s%u", TKT_ROOT, (unsigned)getuid()); - krb_set_tkt_string (tktfile); - - { - struct remote_args arg; - - arg.sock = sock; - arg.schedule = 
&schedule; - arg.session = &auth.session; - arg.me = &thisaddr; - arg.her = &thataddr; - - status = krb_get_in_tkt (princ.name, princ.instance, princ.realm, - KRB_TICKET_GRANTING_TICKET, - princ.realm, - lifetime, NULL, decrypt_remote_tkt, &arg); - } - if (status == KSUCCESS) { - syslog (LOG_INFO, "from %s(%s): %s -> %s", - remotehost, - inet_ntoa(thataddr.sin_addr), - locuser, - krb_unparse_name (&princ)); - write_encrypted (sock, "ok", sizeof("ok") - 1, schedule, - &auth.session, &thisaddr, &thataddr); - return 0; - } else { - snprintf (buf, sizeof(buf), "TGT failed: %s", krb_get_err_text(status)); - syslog (LOG_NOTICE, buf); - write_encrypted (sock, buf, strlen(buf), schedule, - &auth.session, &thisaddr, &thataddr); - return 1; - } -} - -int -main (int argc, char **argv) -{ - openlog ("kauthd", LOG_ODELAY, LOG_AUTH); - - if(argc > 1 && strcmp(argv[1], "-i") == 0) - mini_inetd (k_getportbyname("kauth", "tcp", htons(KAUTH_PORT))); - return doit(STDIN_FILENO); -} diff --git a/kerberosIV/kauthd/mini_inetd.c b/kerberosIV/kauthd/mini_inetd.c deleted file mode 100644 index b2452c82b06..00000000000 --- a/kerberosIV/kauthd/mini_inetd.c +++ /dev/null 
@@ -1,90 +0,0 @@ -/* $OpenBSD: mini_inetd.c,v 1.1 1998/02/18 07:10:25 art Exp $ */ -/* $KTH : mini_inetd.c,v 1.12 1997/11/02 04:14:12 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - - -#include <stdio.h> - -#include <unistd.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> - -void -mini_inetd (int port) -{ - struct sockaddr_in sa; - int s = socket(AF_INET, SOCK_STREAM, 0); - int s2; - int one = 1; - if(s < 0){ - perror("socket"); - exit(1); - } -#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT) - if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&one, - sizeof(one)) < 0){ - perror("setsockopt"); - exit(1); - } -#endif - memset(&sa, 0, sizeof(sa)); - sa.sin_family = AF_INET; - sa.sin_port = port; - sa.sin_addr.s_addr = INADDR_ANY; - if(bind(s, (struct sockaddr*)&sa, sizeof(sa)) < 0){ - perror("bind"); - exit(1); - } - if(listen(s, SOMAXCONN) < 0){ - perror("listen"); - exit(1); - } - s2 = accept(s, NULL, 0); - if(s2 < 0){ - perror("accept"); - exit(1); - } - close(s); - dup2(s2, STDIN_FILENO); - dup2(s2, STDOUT_FILENO); - /* dup2(s2, STDERR_FILENO); */ - close(s2); -} diff --git a/kerberosIV/kdb/Makefile b/kerberosIV/kdb/Makefile deleted file mode 100644 index d316af871d9..00000000000 --- a/kerberosIV/kdb/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -# from @(#)Makefile 8.1 (Berkeley) 6/1/93 -# $Id: Makefile,v 1.4 1999/05/24 16:54:03 millert Exp $ - -LIB= kdb -CFLAGS+=-I${.CURDIR} -SRCS= copykey.c krb_cache.c krb_dbm.c krb_kdb_utils.c krb_lib.c print_princ.c -CFLAGS+= -DNDBM -DHAVE_NEW_DB - -.include <bsd.lib.mk> 
diff --git a/kerberosIV/kdb/copykey.c b/kerberosIV/kdb/copykey.c deleted file mode 100644 index ad1b703dafa..00000000000 --- a/kerberosIV/kdb/copykey.c +++ /dev/null 
@@ -1,56 +0,0 @@ -/* $OpenBSD: copykey.c,v 1.2 1997/12/12 11:29:23 art Exp $ */ -/* $KTH: copykey.c,v 1.10 1997/04/01 08:18:17 joda Exp $" */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <kdb_locl.h> - -void -copy_from_key(des_cblock in, u_int32_t *lo, u_int32_t *hi) -{ - memcpy(lo, ((char *) in) + 0, 4); - memcpy(hi, ((char *) in) + 4, 4); -} - -void -copy_to_key(u_int32_t *lo, u_int32_t *hi, des_cblock out) -{ - memcpy(((char *)out) + 0, lo, 4); - memcpy(((char *)out) + 4, hi, 4); -} diff --git a/kerberosIV/kdb/kdb_locl.h b/kerberosIV/kdb/kdb_locl.h deleted file mode 100644 index 4bb06dc5c93..00000000000 --- a/kerberosIV/kdb/kdb_locl.h +++ /dev/null 
@@ -1,89 +0,0 @@ -/* $OpenBSD: kdb_locl.h,v 1.4 1997/12/12 11:29:23 art Exp $ */ -/* $KTH: kdb_locl.h,v 1.9 1997/05/02 14:29:08 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifndef __kdb_locl_h -#define __kdb_locl_h - -#include <kerberosIV/site.h> - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include <unistd.h> -#include <errno.h> - -#include <sys/types.h> - -#include <sys/time.h> -#include <time.h> - -#include <sys/stat.h> -#include <fcntl.h> -#include <utime.h> -#include <sys/file.h> - -#include <kerberosIV/krb.h> -#include <kerberosIV/krb_db.h> - -/* --- */ - -/* Globals! */ - -/* Utils */ - -int kerb_db_set_lockmode __P((int)); -void kerb_db_fini __P((void)); -int kerb_db_init __P((void)); -int kerb_db_get_principal __P((char *name, char *, Principal *, unsigned int, int *)); -int kerb_db_get_dba __P((char *, char *, Dba *, unsigned int, int *)); - -void delta_stat __P((DB_stat *, DB_stat *, DB_stat *)); - -int kerb_cache_init __P((void)); -int kerb_cache_get_principal __P((char *name, char *, Principal *, unsigned int)); -int kerb_cache_put_principal __P((Principal *, unsigned int)); -int kerb_cache_get_dba __P((char *, char *, Dba *, unsigned int)); -int kerb_cache_put_dba __P((Dba *, unsigned int)); - -void krb_print_principal __P((Principal *)); - -#endif /* __kdb_locl_h */ diff --git a/kerberosIV/kdb/krb_cache.c b/kerberosIV/kdb/krb_cache.c deleted file mode 100644 index 0deb618b83f..00000000000 --- a/kerberosIV/kdb/krb_cache.c +++ /dev/null 
@@ -1,202 +0,0 @@ -/* $OpenBSD: krb_cache.c,v 1.5 1998/05/15 06:10:47 art Exp $ */ -/* $KTH: krb_cache.c,v 1.6 1997/05/02 10:27:53 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * This is where a cache would be implemented, if it were necessary. 
- */ - -#include "kdb_locl.h" - -#ifdef DEBUG -extern int debug; -extern long kerb_debug; -#endif -static int init = 0; - -/* - * initialization routine for cache - */ - -int -kerb_cache_init(void) -{ - init = 1; - return (0); -} - -/* - * look up a principal in the cache returns number of principals found - */ - -int -kerb_cache_get_principal(char *serv, char *inst, Principal *principal, unsigned int max) - /* could have wild card */ - /* could have wild card */ - - /* max number of name structs to return */ - -{ - int found = 0; - - if (!init) - kerb_cache_init(); -#ifdef DEBUG - if (kerb_debug & 2) - fprintf(stderr, "cache_get_principal for %s %s max = %d\n", - serv, inst, max); -#endif /* DEBUG */ - -#ifdef DEBUG - if (kerb_debug & 2) { - if (found) { - fprintf(stderr, "cache get %s %s found %s %s sid = %d\n", - serv, inst, principal->name, principal->instance); - } else { - fprintf(stderr, "cache %s %s not found\n", serv, - inst); - } - } -#endif - return found; -} - -/* - * insert/replace a principal in the cache returns number of principals - * inserted - */ - -int -kerb_cache_put_principal(Principal *principal, unsigned int max) - - /* max number of principal structs to - * insert */ - -{ - u_long i; - int count = 0; - - if (!init) - kerb_cache_init(); - -#ifdef DEBUG - if (kerb_debug & 2) { - fprintf(stderr, "kerb_cache_put_principal max = %d", - max); - } -#endif - - for (i = 0; i < max; i++) { -#ifdef DEBUG - if (kerb_debug & 2) - fprintf(stderr, "\n %s %s", - principal->name, principal->instance); -#endif - /* DO IT */ - count++; - principal++; - } - return count; -} - -/* - * look up a dba in the cache returns number of dbas found - */ - -int -kerb_cache_get_dba(char *serv, char *inst, Dba *dba, unsigned int max) - /* could have wild card */ - /* could have wild card */ - - /* max number of name structs to return */ - -{ - int found = 0; - - if (!init) - kerb_cache_init(); - -#ifdef DEBUG - if (kerb_debug & 2) - fprintf(stderr, "cache_get_dba for %s %s 
max = %d\n", - serv, inst, max); -#endif - -#ifdef DEBUG - if (kerb_debug & 2) { - if (found) { - fprintf(stderr, "cache get %s %s found %s %s sid = %d\n", - serv, inst, dba->name, dba->instance); - } else { - fprintf(stderr, "cache %s %s not found\n", serv, inst); - } - } -#endif - return found; -} - -/* - * insert/replace a dba in the cache returns number of dbas inserted - */ - -int -kerb_cache_put_dba(Dba *dba, unsigned int max) - - /* max number of dba structs to insert */ - -{ - u_long i; - int count = 0; - - if (!init) - kerb_cache_init(); -#ifdef DEBUG - if (kerb_debug & 2) { - fprintf(stderr, "kerb_cache_put_dba max = %d", max); - } -#endif - for (i = 0; i < max; i++) { -#ifdef DEBUG - if (kerb_debug & 2) - fprintf(stderr, "\n %s %s", - dba->name, dba->instance); -#endif - /* DO IT */ - count++; - dba++; - } - return count; -} - diff --git a/kerberosIV/kdb/krb_dbm.c b/kerberosIV/kdb/krb_dbm.c deleted file mode 100644 index ceeb95ee9a4..00000000000 --- a/kerberosIV/kdb/krb_dbm.c +++ /dev/null 
@@ -1,791 +0,0 @@ -/* $OpenBSD: krb_dbm.c,v 1.7 1998/05/15 06:10:48 art Exp $ */ -/* $KTH: krb_dbm.c,v 1.31 1997/12/14 22:48:17 assar Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- * - */ - -#include "kdb_locl.h" - -#include <xdbm.h> - -#define KERB_DB_MAX_RETRY 5 - -#ifdef DEBUG -extern int debug; -extern long kerb_debug; -extern char *progname; -#endif - -static int init = 0; -static char default_db_name[] = DBM_FILE; -static char *current_db_name = default_db_name; - -static struct timeval timestamp; /* current time of request */ -static int non_blocking = 0; - -/* - * This module contains all of the code which directly interfaces to - * the underlying representation of the Kerberos database; this - * implementation uses a DBM or NDBM indexed "file" (actually - * implemented as two separate files) to store the relations, plus a - * third file as a semaphore to allow the database to be replaced out - * from underneath the KDC server. - */ - -/* - * Locking: - * - * There are two distinct locking protocols used. One is designed to - * lock against processes (the admin_server, for one) which make - * incremental changes to the database; the other is designed to lock - * against utilities (kdb_util, kpropd) which replace the entire - * database in one fell swoop. - * - * The first locking protocol is implemented using flock() in the - * krb_dbl_lock() and krb_dbl_unlock routines. - * - * The second locking protocol is necessary because DBM "files" are - * actually implemented as two separate files, and it is impossible to - * atomically rename two files simultaneously. It assumes that the - * database is replaced only very infrequently in comparison to the time - * needed to do a database read operation. - * - * A third file is used as a "version" semaphore; the modification - * time of this file is the "version number" of the database. - * At the start of a read operation, the reader checks the version - * number; at the end of the read operation, it checks again. 
If the - * version number changed, or if the semaphore was nonexistant at - * either time, the reader sleeps for a second to let things - * stabilize, and then tries again; if it does not succeed after - * KERB_DB_MAX_RETRY attempts, it gives up. - * - * On update, the semaphore file is deleted (if it exists) before any - * update takes place; at the end of the update, it is replaced, with - * a version number strictly greater than the version number which - * existed at the start of the update. - * - * If the system crashes in the middle of an update, the semaphore - * file is not automatically created on reboot; this is a feature, not - * a bug, since the database may be inconsistant. Note that the - * absence of a semaphore file does not prevent another _update_ from - * taking place later. Database replacements take place automatically - * only on slave servers; a crash in the middle of an update will be - * fixed by the next slave propagation. A crash in the middle of an - * update on the master would be somewhat more serious, but this would - * likely be noticed by an administrator, who could fix the problem and - * retry the operation. - */ - - -/* - * Utility routine: generate name of database file. 
- */ - -static char * -gen_dbsuffix(char *db_name, char *sfx) -{ - char *dbsuffix; - - if (sfx == NULL) - sfx = ".ok"; - - asprintf (&dbsuffix, "%s%s", db_name, sfx); - if (dbsuffix == NULL) { /* This might not be the nest solution */ - fprintf(stderr, "gen_dbsuffix: not enough memory\n"); - exit(1); - } - return dbsuffix; -} - -static void -decode_princ_key(datum *key, char *name, char *instance) -{ - strncpy(name, key->dptr, ANAME_SZ); - strncpy(instance, (char *)key->dptr + ANAME_SZ, INST_SZ); - name[ANAME_SZ - 1] = '\0'; - instance[INST_SZ - 1] = '\0'; -} - -static void -encode_princ_contents(datum *contents, Principal *principal) -{ - contents->dsize = sizeof(*principal); - contents->dptr = (char *) principal; -} - -static void -decode_princ_contents (datum *contents, Principal *principal) -{ - memcpy(principal, contents->dptr, sizeof(*principal)); -} - -static void -encode_princ_key (datum *key, char *name, char *instance) -{ - static char keystring[ANAME_SZ + INST_SZ]; - - memset(keystring, 0, ANAME_SZ + INST_SZ); - strncpy(keystring, name, ANAME_SZ); - strncpy(&keystring[ANAME_SZ], instance, INST_SZ); - key->dptr = keystring; - key->dsize = ANAME_SZ + INST_SZ; -} - -static int dblfd = -1; /* db LOCK fd */ -static int mylock = 0; -static int inited = 0; - -static int -kerb_dbl_init(void) -{ - if (!inited) { - char *filename = gen_dbsuffix (current_db_name, ".ok"); - if ((dblfd = open(filename, O_RDWR)) < 0) { - fprintf(stderr, "kerb_dbl_init: couldn't open %s\n", filename); - fflush(stderr); - perror("open"); - exit(1); - } - free(filename); - filename = NULL; - inited++; - } - return 0; -} - -static void -kerb_dbl_fini(void) -{ - close(dblfd); - dblfd = -1; - inited = 0; - mylock = 0; -} - -static int -kerb_dbl_lock(int mode) -{ - int flock_mode; - - if (!inited) - kerb_dbl_init(); - if (mylock) { /* Detect lock call when lock already - * locked */ - fprintf(stderr, "Kerberos locking error (mylock)\n"); - fflush(stderr); - exit(1); - } - switch (mode) { - 
case KERB_DBL_EXCLUSIVE: - flock_mode = K_LOCK_EX; - break; - case KERB_DBL_SHARED: - flock_mode = K_LOCK_SH; - break; - default: - fprintf(stderr, "invalid lock mode %d\n", mode); - abort(); - } - if (non_blocking) - flock_mode |= K_LOCK_NB; - - if (flock(dblfd, flock_mode) < 0) - return errno; - mylock++; - return 0; -} - -static void -kerb_dbl_unlock(void) -{ - if (!mylock) { /* lock already unlocked */ - fprintf(stderr, "Kerberos database lock not locked when unlocking.\n"); - fflush(stderr); - exit(1); - } - if (flock(dblfd, K_LOCK_UN) < 0) { - fprintf(stderr, "Kerberos database lock error. (unlocking)\n"); - fflush(stderr); - perror("flock"); - exit(1); - } - mylock = 0; -} - -int -kerb_db_set_lockmode(int mode) -{ - int old = non_blocking; - non_blocking = mode; - return old; -} - -/* - * initialization for data base routines. - */ - -int -kerb_db_init(void) -{ - init = 1; - return (0); -} - -/* - * gracefully shut down database--must be called by ANY program that does - * a kerb_db_init - */ - -void -kerb_db_fini(void) -{ -} - -/* - * Set the "name" of the current database to some alternate value. - * - * Passing a null pointer as "name" will set back to the default. - * If the alternate database doesn't exist, nothing is changed. - */ - -int -kerb_db_set_name(char *name) -{ - DBM *db; - - if (name == NULL) - name = default_db_name; - db = dbm_open(name, 0, 0); - if (db == NULL) - return errno; - dbm_close(db); - kerb_dbl_fini(); - current_db_name = name; - return 0; -} - -/* - * Return the last modification time of the database. - */ - -time_t -kerb_get_db_age(void) -{ - struct stat st; - char *okname; - time_t age; - - okname = gen_dbsuffix(current_db_name, ".ok"); - - if (stat (okname, &st) < 0) - age = 0; - else - age = st.st_mtime; - - free (okname); - okname = NULL; - return age; -} - -/* - * Remove the semaphore file; indicates that database is currently - * under renovation. 
- * - * This is only for use when moving the database out from underneath - * the server (for example, during slave updates). - */ - -static time_t -kerb_start_update(char *db_name) -{ - char *okname = gen_dbsuffix(db_name, ".ok"); - time_t age = kerb_get_db_age(); - - if (unlink(okname) < 0 - && errno != ENOENT) { - age = -1; - } - free (okname); - okname = NULL; - return age; -} - -static int -kerb_end_update(char *db_name, time_t age) -{ - int fd; - int retval = 0; - char *new_okname = gen_dbsuffix(db_name, ".ok#"); - char *okname = gen_dbsuffix(db_name, ".ok"); - - fd = open (new_okname, O_CREAT|O_RDWR|O_TRUNC, 0600); - if (fd < 0) - retval = errno; - else { - struct stat st; - struct utimbuf tv; - /* make sure that semaphore is "after" previous value. */ - if (fstat (fd, &st) == 0 - && st.st_mtime <= age) { - tv.actime = st.st_atime; - tv.modtime = age; - /* set times.. */ - utime (new_okname, &tv); - fsync(fd); - } - close(fd); - if (rename (new_okname, okname) < 0) - retval = errno; - } - - free (new_okname); - new_okname = NULL; - free (okname); - okname = NULL; - - return retval; -} - -static time_t -kerb_start_read(void) -{ - return kerb_get_db_age(); -} - -static int -kerb_end_read(time_t age) -{ - if (kerb_get_db_age() != age || age == -1) { - return -1; - } - return 0; -} - -/* - * Create the database, assuming it's not there. 
- */ -int -kerb_db_create(char *db_name) -{ - char *okname = gen_dbsuffix(db_name, ".ok"); - int fd; - int ret = 0; -#ifdef NDBM - DBM *db; - - db = dbm_open(db_name, O_RDWR|O_CREAT|O_EXCL, 0600); - if (db == NULL) - ret = errno; - else - dbm_close(db); -#else - char *dirname = gen_dbsuffix(db_name, ".dir"); - char *pagname = gen_dbsuffix(db_name, ".pag"); - - fd = open(dirname, O_RDWR|O_CREAT|O_EXCL, 0600); - if (fd < 0) - ret = errno; - else { - close(fd); - fd = open (pagname, O_RDWR|O_CREAT|O_EXCL, 0600); - if (fd < 0) - ret = errno; - else - close(fd); - } - if (dbminit(db_name) < 0) - ret = errno; -#endif - if (ret == 0) { - fd = open (okname, O_CREAT|O_RDWR|O_TRUNC, 0600); - if (fd < 0) - ret = errno; - close(fd); - } - return ret; -} - -/* - * "Atomically" rename the database in a way that locks out read - * access in the middle of the rename. - * - * Not perfect; if we crash in the middle of an update, we don't - * necessarily know to complete the transaction the rename, but... 
- */ - -int -kerb_db_rename(char *from, char *to) -{ -#ifdef HAVE_NEW_DB - char *fromdb = gen_dbsuffix (from, ".db"); - char *todb = gen_dbsuffix (to, ".db"); -#else - char *fromdir = gen_dbsuffix (from, ".dir"); - char *todir = gen_dbsuffix (to, ".dir"); - char *frompag = gen_dbsuffix (from , ".pag"); - char *topag = gen_dbsuffix (to, ".pag"); -#endif - char *fromok = gen_dbsuffix(from, ".ok"); - long trans = kerb_start_update(to); - int ok = 0; - -#ifdef HAVE_NEW_DB - if (rename (fromdb, todb) == 0) { - unlink (fromok); - ok = 1; - } - free (fromdb); - fromdb = NULL; - free (todb); - todb = NULL; -#else - if ((rename (fromdir, todir) == 0) - && (rename (frompag, topag) == 0)) { - unlink (fromok); - ok = 1; - } - free (fromdir); - fromdir = NULL; - free (todir); - todir = NULL; - free (frompag); - frompag = NULL; - free (topag); - topag = NULL; -#endif - free (fromok); - fromok = NULL; - if (ok) - return kerb_end_update(to, trans); - else - return -1; -} - -int -kerb_db_delete_principal (char *name, char *inst) -{ - DBM *db; - int try; - int done = 0; - int code; - datum key; - - if(!init) - kerb_db_init(); - - for(try = 0; try < KERB_DB_MAX_RETRY; try++){ - if((code = kerb_dbl_lock(KERB_DBL_SHARED)) != 0) - return -1; - - db = dbm_open(current_db_name, O_RDWR, 0600); - if(db == NULL) - return -1; - encode_princ_key(&key, name, inst); - if(dbm_delete(db, key) == 0) - done = 1; - - dbm_close(db); - kerb_dbl_unlock(); - if(done) - break; - if(!non_blocking) - sleep(1); - } - if(!done) - return -1; - return 0; -} - - -/* - * look up a principal in the data base returns number of principals - * found , and whether there were more than requested. 
- */ - -int -kerb_db_get_principal (char *name, char *inst, Principal *principal, - unsigned int max, int *more) -{ - int found = 0, code; - int wildp, wildi; - datum key, contents; - char testname[ANAME_SZ], testinst[INST_SZ]; - u_long trans; - int try; - DBM *db; - - if (!init) - kerb_db_init(); /* initialize database routines */ - - for (try = 0; try < KERB_DB_MAX_RETRY; try++) { - trans = kerb_start_read(); - - if ((code = kerb_dbl_lock(KERB_DBL_SHARED)) != 0) - return -1; - - db = dbm_open(current_db_name, O_RDONLY, 0600); - - *more = 0; - -#ifdef DEBUG - if (kerb_debug & 2) - fprintf(stderr, - "%s: db_get_principal for %s %s max = %d", - progname, name, inst, max); -#endif - - wildp = !strcmp(name, "*"); - wildi = !strcmp(inst, "*"); - - if (!wildi && !wildp) { /* nothing's wild */ - encode_princ_key(&key, name, inst); - contents = dbm_fetch(db, key); - if (contents.dptr == NULL) { - found = 0; - goto done; - } - decode_princ_contents(&contents, principal); -#ifdef DEBUG - if (kerb_debug & 1) { - fprintf(stderr, "\t found %s %s p_n length %d t_n length %d\n", - principal->name, principal->instance, - strlen(principal->name), - strlen(principal->instance)); - } -#endif - found = 1; - goto done; - } - /* process wild cards by looping through entire database */ - - for (key = dbm_firstkey(db); key.dptr != NULL; - key = dbm_next(db, key)) { - decode_princ_key(&key, testname, testinst); - if ((wildp || !strcmp(testname, name)) && - (wildi || !strcmp(testinst, inst))) { /* have a match */ - if (found >= max) { - *more = 1; - goto done; - } else { - found++; - contents = dbm_fetch(db, key); - decode_princ_contents(&contents, principal); -#ifdef DEBUG - if (kerb_debug & 1) { - fprintf(stderr, - "\tfound %s %s p_n length %d t_n length %d\n", - principal->name, principal->instance, - strlen(principal->name), - strlen(principal->instance)); - } -#endif - principal++; /* point to next */ - } - } - } - - done: - kerb_dbl_unlock(); /* unlock read lock */ - dbm_close(db); - 
if (kerb_end_read(trans) == 0) - break; - found = -1; - if (!non_blocking) - sleep(1); - } - return (found); -} - -/* Use long * rather than DBM * so that the database structure is private */ - -long * -kerb_db_begin_update(void) -{ - int code; - - gettimeofday(×tamp, NULL); - - if (!init) - kerb_db_init(); - - if ((code = kerb_dbl_lock(KERB_DBL_EXCLUSIVE)) != 0) - return 0; - - return (long *) dbm_open(current_db_name, O_RDWR, 0600); -} - -void -kerb_db_end_update(long *db) -{ - dbm_close((DBM *)db); - kerb_dbl_unlock(); /* unlock database */ -} - -int -kerb_db_update(long *db, Principal *principal, unsigned int max) -{ - int found = 0; - u_long i; - datum key, contents; - -#ifdef DEBUG - if (kerb_debug & 2) - fprintf(stderr, "%s: kerb_db_put_principal max = %d", - progname, max); -#endif - - /* for each one, stuff temps, and do replace/append */ - for (i = 0; i < max; i++) { - encode_princ_contents(&contents, principal); - encode_princ_key(&key, principal->name, principal->instance); - if(dbm_store((DBM *)db, key, contents, DBM_REPLACE) < 0) - return found; /* XXX some better mechanism to report - failure should exist */ -#ifdef DEBUG - if (kerb_debug & 1) { - fprintf(stderr, "\n put %s %s\n", - principal->name, principal->instance); - } -#endif - found++; - principal++; /* bump to next struct */ - } - return found; -} - -/* - * Update a name in the data base. Returns number of names - * successfully updated. 
- */ - -int -kerb_db_put_principal(Principal *principal, - unsigned max) - -{ - int found; - long *db; - - db = kerb_db_begin_update(); - if (db == 0) - return -1; - - found = kerb_db_update(db, principal, max); - - kerb_db_end_update(db); - return (found); -} - -void -kerb_db_get_stat(DB_stat *s) -{ - gettimeofday(×tamp, NULL); - - s->cpu = 0; - s->elapsed = 0; - s->dio = 0; - s->pfault = 0; - s->t_stamp = timestamp.tv_sec; - s->n_retrieve = 0; - s->n_replace = 0; - s->n_append = 0; - s->n_get_stat = 0; - s->n_put_stat = 0; - /* update local copy too */ -} - -void -kerb_db_put_stat(DB_stat *s) -{ -} - -void -delta_stat(DB_stat *a, DB_stat *b, DB_stat *c) -{ - /* c = a - b then b = a for the next time */ - - c->cpu = a->cpu - b->cpu; - c->elapsed = a->elapsed - b->elapsed; - c->dio = a->dio - b->dio; - c->pfault = a->pfault - b->pfault; - c->t_stamp = a->t_stamp - b->t_stamp; - c->n_retrieve = a->n_retrieve - b->n_retrieve; - c->n_replace = a->n_replace - b->n_replace; - c->n_append = a->n_append - b->n_append; - c->n_get_stat = a->n_get_stat - b->n_get_stat; - c->n_put_stat = a->n_put_stat - b->n_put_stat; - - memcpy(b, a, sizeof(DB_stat)); -} - -/* - * look up a dba in the data base returns number of dbas found , and - * whether there were more than requested. - */ - -int -kerb_db_get_dba(char *dba_name, /* could have wild card */ - char *dba_inst, /* could have wild card */ - Dba *dba, - unsigned max, /* max number of name structs to return */ - int *more) /* where there more than 'max' tuples? 
*/ -{ - *more = 0; - return (0); -} - -int -kerb_db_iterate (k_iter_proc_t func, void *arg) -{ - datum key, contents; - Principal *principal; - int code; - DBM *db; - - kerb_db_init(); /* initialize and open the database */ - if ((code = kerb_dbl_lock(KERB_DBL_SHARED)) != 0) - return code; - - db = dbm_open(current_db_name, O_RDONLY, 0600); - - for (key = dbm_firstkey (db); key.dptr != NULL; key = dbm_next(db, key)) { - contents = dbm_fetch (db, key); - /* XXX may not be properly aligned */ - principal = (Principal *) contents.dptr; - if ((code = (*func)(arg, principal)) != 0) - return code; - } - dbm_close(db); - kerb_dbl_unlock(); - return 0; -} diff --git a/kerberosIV/kdb/krb_kdb_utils.c b/kerberosIV/kdb/krb_kdb_utils.c deleted file mode 100644 index 439cb89e01a..00000000000 --- a/kerberosIV/kdb/krb_kdb_utils.c +++ /dev/null 
@@ -1,254 +0,0 @@ -/* $OpenBSD: krb_kdb_utils.c,v 1.5 1999/05/07 15:40:09 deraadt Exp $ */ -/* $KTH: krb_kdb_utils.c,v 1.23 1997/05/02 14:29:10 assar Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * Utility routines for Kerberos programs which directly access - * the database. This code was duplicated in too many places - * before I gathered it here. 
- * - * Jon Rochlis, MIT Telecom, March 1988 - */ - -#include "kdb_locl.h" - -#include <kdc.h> - -/* always try /.k for backwards compatibility */ -static char *master_key_files[] = { MKEYFILE, "/.k", NULL }; - -#define k_strerror(e) strerror(e) - -int -kdb_new_get_master_key(des_cblock *key, des_key_schedule schedule) -{ - int kfile; - int i; - char buf[1024]; - - char **mkey; - - for(mkey = master_key_files; *mkey; mkey++){ - kfile = open(*mkey, O_RDONLY); - if(kfile < 0 && errno != ENOENT) - fprintf(stderr, "Failed to open master key file \"%s\": %s\n", - *mkey, - k_strerror(errno)); - if(kfile >= 0) - break; - } - if(*mkey != NULL){ - int bytes; - bytes = read(kfile, (char*)key, sizeof(des_cblock)); - close(kfile); - if(bytes == sizeof(des_cblock)){ - des_key_sched(key, schedule); - return 0; - } - fprintf(stderr, "Could only read %d bytes from master key file %s\n", - bytes, *mkey); - }else{ - fprintf(stderr, "No master key file found.\n"); - } - - - i=0; - while(i < 3){ - if(des_read_pw_string(buf, sizeof(buf), "Enter master password: ", 0)) - break; - - /* buffer now contains either an old format master key password or a - * new format base64 encoded master key - */ - - /* try to verify as old password */ - des_string_to_key(buf, key); - des_key_sched(key, schedule); - - if(kdb_verify_master_key(key, schedule, NULL) != -1){ - memset(buf, 0, sizeof(buf)); - return 0; - } - - /* failed test, so must be base64 encoded */ - - if(base64_decode(buf, key) == 8){ - des_key_sched(key, schedule); - if(kdb_verify_master_key(key, schedule, NULL) != -1){ - memset(buf, 0, sizeof(buf)); - return 0; - } - } - - memset(buf, 0, sizeof(buf)); - fprintf(stderr, "Failed to verify master key.\n"); - i++; - } - - /* life sucks */ - fprintf(stderr, "You lose.\n"); - exit(1); -} - -int kdb_new_get_new_master_key(des_cblock *key, des_key_schedule schedule, - int verify) -{ -#ifndef RANDOM_MKEY - des_read_password(key, "\nEnter Kerberos master password: ", verify); - printf ("\n"); 
-#else - char buf[1024]; - des_generate_random_block (key); - des_key_sched(key, schedule); - - des_read_pw_string(buf, sizeof(buf), "Enter master key seed: ", 0); - des_cbc_cksum((des_cblock*)buf, key, sizeof(buf), schedule, key); - memset(buf, 0, sizeof(buf)); -#endif - des_key_sched(key, schedule); - return 0; -} - -int kdb_get_master_key(int prompt, des_cblock *master_key, - des_key_schedule master_key_sched) -{ - int ask = (prompt == KDB_GET_TWICE); -#ifndef RANDOM_MKEY - ask |= (prompt == KDB_GET_PROMPT); -#endif - - if(ask) - kdb_new_get_new_master_key(master_key, master_key_sched, - prompt == KDB_GET_TWICE); - else - kdb_new_get_master_key(master_key, master_key_sched); - return 0; -} - -int kdb_kstash(des_cblock *master_key, char *file) -{ - int kfile; - kfile = open(file, O_TRUNC | O_RDWR | O_CREAT, 0600); - if (kfile < 0) { - return -1; - } - if (write(kfile, master_key, sizeof(des_cblock)) != sizeof(des_cblock)) { - close(kfile); - return -1; - } - close(kfile); - return 0; -} - -/* The old algorithm used the key schedule as the initial vector which - was byte order depedent ... 
*/ - -void -kdb_encrypt_key (des_cblock (*in), des_cblock (*out), - des_cblock (*master_key), - des_key_schedule master_key_sched, int e_d_flag) -{ -#ifdef NOENCRYPTION - memcpy(out, in, sizeof(des_cblock)); -#else - des_pcbc_encrypt(in, out, (long)sizeof(des_cblock), master_key_sched, - master_key, e_d_flag); -#endif -} - -/* The caller is reasponsible for cleaning up the master key and sched, - even if we can't verify the master key */ - -/* Returns master key version if successful, otherwise -1 */ - -long -kdb_verify_master_key (des_cblock *master_key, - des_key_schedule master_key_sched, - FILE *out) /* NULL -> no output */ -{ - des_cblock key_from_db; - Principal principal_data[1]; - int n, more = 0; - long master_key_version; - - /* lookup the master key version */ - n = kerb_get_principal(KERB_M_NAME, KERB_M_INST, principal_data, - 1 /* only one please */, &more); - if ((n != 1) || more) { - if (out != (FILE *) NULL) - fprintf(out, - "verify_master_key: %s, %d found.\n", - "Kerberos error on master key version lookup", - n); - return (-1); - } - - master_key_version = (long) principal_data[0].key_version; - - /* set up the master key */ - if (out != (FILE *) NULL) /* should we punt this? */ - fprintf(out, "Current Kerberos master key version is %d.\n", - principal_data[0].kdc_key_ver); - - /* - * now use the master key to decrypt the key in the db, had better - * be the same! - */ - copy_to_key(&principal_data[0].key_low, - &principal_data[0].key_high, - key_from_db); - kdb_encrypt_key (&key_from_db, &key_from_db, - master_key, master_key_sched, DES_DECRYPT); - - /* the decrypted database key had better equal the master key */ - n = memcmp(master_key, key_from_db, sizeof(master_key)); - /* this used to zero the master key here! 
*/ - memset(key_from_db, 0, sizeof(key_from_db)); - memset(principal_data, 0, sizeof (principal_data)); - - if (n && (out != (FILE *) NULL)) { - fprintf(out, "\n\07\07verify_master_key: Invalid master key; "); - fprintf(out, "does not match database.\n"); - } - if(n) - return (-1); - - if (out != (FILE *) NULL) { - fprintf(out, "\nMaster key entered. BEWARE!\07\07\n"); - fflush(out); - } - - return master_key_version; -} diff --git a/kerberosIV/kdb/krb_lib.c b/kerberosIV/kdb/krb_lib.c deleted file mode 100644 index d5884580b0d..00000000000 --- a/kerberosIV/kdb/krb_lib.c +++ /dev/null 
@@ -1,272 +0,0 @@
-/* $OpenBSD: krb_lib.c,v 1.6 1998/05/15 06:10:51 art Exp $ */
-/* $KTH: krb_lib.c,v 1.11 1997/05/07 01:36:08 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- * - */ - -#include "kdb_locl.h" - -#ifdef DEBUG -extern int debug; -extern char *progname; -long kerb_debug; -#endif - -static int init = 0; - -/* - * initialization routine for data base - */ - -int -kerb_init(void) -{ -#ifdef DEBUG - if (!init) { - char *dbg = getenv("KERB_DBG"); - if (dbg) - sscanf(dbg, "%d", &kerb_debug); - init = 1; - } -#endif - kerb_db_init(); - -#ifdef CACHE - kerb_cache_init(); -#endif - - /* successful init, return 0, else errcode */ - return (0); -} - -/* - * finalization routine for database -- NOTE: MUST be called by any - * program using kerb_init. ALSO will have to be modified to finalize - * caches, if they're ever really implemented. - */ - -void -kerb_fini(void) -{ - kerb_db_fini(); -} - - -int -kerb_delete_principal(char *name, char *inst) -{ - int ret; - - if (!init) - kerb_init(); - - ret = kerb_db_delete_principal(name, inst); -#ifdef CACHE - if(ret == 0){ - kerb_cache_delete_principal(name, inst); - } -#endif - return ret; -} - - -/* - * look up a principal in the cache or data base returns number of - * principals found - */ - -int -kerb_get_principal(char *name, char *inst, Principal *principal, - unsigned int max, int *more) - /* could have wild card */ - /* could have wild card */ - - /* max number of name structs to return */ - /* more tuples than room for */ - -{ - int found = 0; -#ifdef CACHE - static int wild = 0; -#endif - if (!init) - kerb_init(); - -#ifdef DEBUG - if (kerb_debug & 1) - fprintf(stderr, "\n%s: kerb_get_principal for %s %s max = %d\n", - progname, name, inst, max); -#endif - - /* - * if this is a request including a wild card, have to go to db - * since the cache may not be exhaustive. - */ - - /* clear the principal area */ - memset(principal, 0, max * sizeof(Principal)); - -#ifdef CACHE - /* - * so check to see if the name contains a wildcard "*" or "?", not - * preceeded by a backslash. 
- */ - wild = 0; - if (index(name, '*') || index(name, '?') || - index(inst, '*') || index(inst, '?')) - wild = 1; - - if (!wild) { - /* try the cache first */ - found = kerb_cache_get_principal(name, inst, principal, max, more); - if (found) - return (found); - } -#endif - /* If we didn't try cache, or it wasn't there, try db */ - found = kerb_db_get_principal(name, inst, principal, max, more); - /* try to insert principal(s) into cache if it was found */ -#ifdef CACHE - if (found) { - kerb_cache_put_principal(principal, found); - } -#endif - return (found); -} - -/* principals */ -int -kerb_put_principal(Principal *principal, unsigned int n) - - /* number of principal structs to write */ -{ - struct tm *tp; - - /* set mod date */ - principal->mod_date = time((time_t *)0); - /* and mod date string */ - - tp = k_localtime(&principal->mod_date); - snprintf(principal->mod_date_txt, - sizeof(principal->mod_date_txt), - "%4d-%2d-%2d", - tp->tm_year + 1900, - tp->tm_mon + 1, tp->tm_mday); /* January is 0, not 1 */ -#ifdef DEBUG - if (kerb_debug & 1) { - int i; - fprintf(stderr, "\nkerb_put_principal..."); - for (i = 0; i < n; i++) { - krb_print_principal(&principal[i]); - } - } -#endif - /* write database */ - if (kerb_db_put_principal(principal, n) < 0) { -#ifdef DEBUG - if (kerb_debug & 1) - fprintf(stderr, "\n%s: kerb_db_put_principal err", progname); - /* watch out for cache */ -#endif - return -1; - } -#ifdef CACHE - /* write cache */ - if (!kerb_cache_put_principal(principal, n)) { -#ifdef DEBUG - if (kerb_debug & 1) - fprintf(stderr, "\n%s: kerb_cache_put_principal err", progname); -#endif - return -1; - } -#endif - return 0; -} - -int -kerb_get_dba(char *name, char *inst, Dba *dba, unsigned int max, int *more) - /* could have wild card */ - /* could have wild card */ - - /* max number of name structs to return */ - /* more tuples than room for */ - -{ - int found = 0; -#ifdef CACHE - static int wild = 0; -#endif - if (!init) - kerb_init(); - -#ifdef DEBUG - if 
(kerb_debug & 1) - fprintf(stderr, "\n%s: kerb_get_dba for %s %s max = %d\n", - progname, name, inst, max); -#endif - /* - * if this is a request including a wild card, have to go to db - * since the cache may not be exhaustive. - */ - - /* clear the dba area */ - memset(dba, 0, max * sizeof(Dba)); - -#ifdef CACHE - /* - * so check to see if the name contains a wildcard "*" or "?", not - * preceeded by a backslash. - */ - - wild = 0; - if (index(name, '*') || index(name, '?') || - index(inst, '*') || index(inst, '?')) - wild = 1; - - if (!wild) { - /* try the cache first */ - found = kerb_cache_get_dba(name, inst, dba, max, more); - if (found) - return (found); - } -#endif - /* If we didn't try cache, or it wasn't there, try db */ - found = kerb_db_get_dba(name, inst, dba, max, more); -#ifdef CACHE - /* try to insert dba(s) into cache if it was found */ - if (found) { - kerb_cache_put_dba(dba, found); - } -#endif - return found; -} diff --git a/kerberosIV/kdb/print_princ.c b/kerberosIV/kdb/print_princ.c deleted file mode 100644 index d9182e08d26..00000000000 --- a/kerberosIV/kdb/print_princ.c +++ /dev/null 
@@ -1,61 +0,0 @@
-/* $OpenBSD: print_princ.c,v 1.4 1998/05/15 06:10:52 art Exp $ */
-/* $KTH: print_princ.c,v 1.5 1997/05/07 01:37:13 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "kdb_locl.h"
-
-void
-krb_print_principal(Principal *a_n)
-{
- struct tm *time_p;
-
- /* run-time database does not contain string versions */
- time_p = k_localtime(&(a_n->exp_date));
-
- fprintf(stderr,
- "\n%s %s expires %4d-%2d-%2d %2d:%2d, max_life %d*5 = %d min attr 0x%02x",
- a_n->name, a_n->instance,
- time_p->tm_year + 1900,
- time_p->tm_mon + 1, time_p->tm_mday,
- time_p->tm_hour, time_p->tm_min,
- a_n->max_life, 5 * a_n->max_life, a_n->attributes);
-
- fprintf(stderr,
- "\n\tkey_ver %d k_low 0x%08lx k_high 0x%08lx akv %d exists %ld\n",
- a_n->key_version, (long)a_n->key_low, (long)a_n->key_high,
- a_n->kdc_key_ver, (long)a_n->old);
-
- fflush(stderr);
-}
diff --git a/kerberosIV/kdb/shlib_version b/kerberosIV/kdb/shlib_version
deleted file mode 100644
index 3066b9771e7..00000000000
--- a/kerberosIV/kdb/shlib_version
+++ /dev/null
@@ -1,2 +0,0 @@
-major=5
-minor=0
diff --git a/kerberosIV/kdb_destroy/Makefile b/kerberosIV/kdb_destroy/Makefile
deleted file mode 100644
index b2db756c887..00000000000
--- a/kerberosIV/kdb_destroy/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-# from @(#)Makefile 8.1 (Berkeley) 6/1/93
-# $Id: Makefile,v 1.2 1999/06/22 11:27:01 art Exp $
-
-PROG= kdb_destroy
-MAN= kdb_destroy.8
-CFLAGS+= -DHAVE_NEW_DB
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/kdb_destroy/kdb_destroy.8 b/kerberosIV/kdb_destroy/kdb_destroy.8
deleted file mode 100644
index 01317256574..00000000000
--- a/kerberosIV/kdb_destroy/kdb_destroy.8
+++ /dev/null
@@ -1,55 +0,0 @@
-.\"
-.\" This source code is no longer held under any constraint of USA
-.\" `cryptographic laws' since it was exported legally. The cryptographic
-.\" functions were removed from the code and a "Bones" distribution was
-.\" made. A Commodity Jurisdiction Request #012-94 was filed with the
-.\" USA State Department, who handed it to the Commerce department. The
-.\" code was determined to fall under General License GTDA under ECCN 5D96G,
-.\" and hence exportable. The cryptographic interfaces were re-added by Eric
-.\" Young, and then KTH proceeded to maintain the code in the free world.
-.\"
-.\"Copyright (C) 1989 by the Massachusetts Institute of Technology
-.\"
-.\"Export of this software from the United States of America is assumed
-.\"to require a specific license from the United States Government.
-.\"It is the responsibility of any person or organization contemplating
-.\"export to obtain such a license before exporting.
-.\"
-.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\"distribute this software and its documentation for any purpose and
-.\"without fee is hereby granted, provided that the above copyright
-.\"notice appear in all copies and that both that copyright notice and
-.\"this permission notice appear in supporting documentation, and that
-.\"the name of M.I.T. not be used in advertising or publicity pertaining
-.\"to distribution of the software without specific, written prior
-.\"permission. M.I.T. makes no representations about the suitability of
-.\"this software for any purpose. It is provided "as is" without express
-.\"or implied warranty.
-.\"
-.\" $OpenBSD: kdb_destroy.8,v 1.4 1998/02/25 15:50:45 art Exp $
-.TH KDB_DESTROY 8 "Kerberos Version 4.0" "MIT Project Athena"
-.SH NAME
-kdb_destroy \- destroy Kerberos key distribution center database
-.SH SYNOPSIS
-kdb_destroy
-.SH DESCRIPTION
-.I kdb_destroy
-deletes a Kerberos key distribution center database.
-.PP
-The user is prompted to verify that the database should be destroyed. A
-response beginning with `y' or `Y' confirms deletion.
-Any other response aborts deletion.
-.SH DIAGNOSTICS
-.TP 20n
-"Database cannot be deleted at /etc/kerberosIV/principal"
-The attempt to delete the database failed (probably due to a system or
-access permission error).
-.TP
-"Database not deleted."
-The user aborted the deletion.
-.SH FILES
-.TP 20n
-/etc/kerberosIV/principal.pag, /etc/kerberosIV/principal.dir
-DBM files containing database
-.SH SEE ALSO
-kdb_init(8)
diff --git a/kerberosIV/kdb_destroy/kdb_destroy.c b/kerberosIV/kdb_destroy/kdb_destroy.c
deleted file mode 100644
index 36a1bd80403..00000000000
--- a/kerberosIV/kdb_destroy/kdb_destroy.c
+++ /dev/null
@@ -1,68 +0,0 @@ -/* $OpenBSD: kdb_destroy.c,v 1.4 1998/02/18 11:53:48 art Exp $ */ -/* $KTH: kdb_destroy.c,v 1.7 1997/03/31 02:25:21 assar Exp $ */ - -/*- - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. - */ - -#include "adm_locl.h" - -int -main(int argc, char **argv) -{ - char answer[10]; /* user input */ - char dbm[256]; /* database path and name */ - char dbm1[256]; /* database path and name */ -#ifdef HAVE_NEW_DB - char *file; /* database file names */ -#else - char *file1, *file2; /* database file names */ -#endif - - strncpy(dbm, DBM_FILE, sizeof(dbm) - 5); - dbm[sizeof(dbm) - 5] = '\0'; -#ifdef HAVE_NEW_DB - file = strcat(dbm, ".db"); - file[sizeof(dbm) - 1] = '\0'; -#else - strncpy(dbm1, DBM_FILE, sizeof(dbm) - 5); - file1 = strcat(dbm, ".dir"); - file1[sizeof(dbm) - 1] = '\0'; - file2 = strcat(dbm1, ".pag"); - file2[sizeof(dbm) - 1] = '\0'; -#endif - - printf("You are about to destroy the Kerberos database "); - printf("on this machine.\n"); - printf("Are you sure you want to do this (y/n)? 
" ");
- fgets(answer, sizeof(answer), stdin);
-
- if (answer[0] == 'y' || answer[0] == 'Y') {
-#ifdef HAVE_NEW_DB
- if (unlink(file) == 0)
-#else
- if (unlink(file1) == 0 && unlink(file2) == 0)
-#endif
- {
- warnx ("Database deleted at %s", DBM_FILE);
- return 0;
- }
- else
- warn ("Database cannot be deleted at %s", DBM_FILE);
- } else
- warnx ("Database not deleted at %s", DBM_FILE);
- return 1;
-}
diff --git a/kerberosIV/kdb_edit/Makefile b/kerberosIV/kdb_edit/Makefile
deleted file mode 100644
index 7c4e43feaa6..00000000000
--- a/kerberosIV/kdb_edit/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# from @(#)Makefile 8.1 (Berkeley) 6/1/93
-# $Id: Makefile,v 1.2 1997/12/17 10:21:26 art Exp $
-
-PROG= kdb_edit
-SRCS= kdb_edit.c
-CFLAGS+=-I${.CURDIR}
-DPADD= ${LIBKDB} ${LIBKRB} ${LIBDES}
-LDADD= -lkdb -lkrb -ldes
-MAN= kdb_edit.8
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/kdb_edit/kdb_edit.8 b/kerberosIV/kdb_edit/kdb_edit.8
deleted file mode 100644
index 34187a5a5b1..00000000000
--- a/kerberosIV/kdb_edit/kdb_edit.8
+++ /dev/null
@@ -1,77 +0,0 @@
-.\"
-.\" This source code is no longer held under any constraint of USA
-.\" `cryptographic laws' since it was exported legally. The cryptographic
-.\" functions were removed from the code and a "Bones" distribution was
-.\" made. A Commodity Jurisdiction Request #012-94 was filed with the
-.\" USA State Department, who handed it to the Commerce department. The
-.\" code was determined to fall under General License GTDA under ECCN 5D96G,
-.\" and hence exportable. The cryptographic interfaces were re-added by Eric
-.\" Young, and then KTH proceeded to maintain the code in the free world.
-.\"
-.\"Copyright (C) 1989 by the Massachusetts Institute of Technology
-.\"
-.\"Export of this software from the United States of America is assumed
-.\"to require a specific license from the United States Government.
-.\"It is the responsibility of any person or organization contemplating
-.\"export to obtain such a license before exporting.
-.\"
-.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\"distribute this software and its documentation for any purpose and
-.\"without fee is hereby granted, provided that the above copyright
-.\"notice appear in all copies and that both that copyright notice and
-.\"this permission notice appear in supporting documentation, and that
-.\"the name of M.I.T. not be used in advertising or publicity pertaining
-.\"to distribution of the software without specific, written prior
-.\"permission. M.I.T. makes no representations about the suitability of
-.\"this software for any purpose. It is provided "as is" without express
-.\"or implied warranty.
-.\"
-.\" $OpenBSD: kdb_edit.8,v 1.4 1998/02/25 15:50:47 art Exp $
-.TH KDB_EDIT 8 "Kerberos Version 4.0" "MIT Project Athena"
-.SH NAME
-kdb_edit \- Kerberos key distribution center database editing utility
-.SH SYNOPSIS
-kdb_edit [
-.B \-n
-]
-.SH DESCRIPTION
-.I kdb_edit
-is used to create or change principals stored in the Kerberos key
-distribution center (KDC) database.
-.PP
-When executed,
-.I kdb_edit
-prompts for the master key string and verifies that it matches the
-master key stored in the database.
-If the
-.B \-n
-option is specified, the master key is instead fetched from the master
-key cache file.
-.PP
-Once the master key has been verified,
-.I kdb_edit
-begins a prompt loop. The user is prompted for the principal and
-instance to be modified. If the entry is not found the user may create
-it.
-Once an entry is found or created, the user may set the password,
-expiration date, maximum ticket lifetime, and attributes.
-Default expiration dates, maximum ticket lifetimes, and attributes are
-presented in brackets; if the user presses return the default is selected.
-There is no default password.
-The password RANDOM is interpreted specially, and if entered
-the user may have the program select a random DES key for the
-principal.
-.PP
-Upon successfully creating or changing the entry, ``Edit O.K.'' is
-printed.
-.SH DIAGNOSTICS
-.TP 20n
-"verify_master_key: Invalid master key, does not match database."
-The master key string entered was incorrect.
-.SH FILES
-.TP 20n
-/etc/kerberosIV/principal.pag, /etc/kerberosIV/principal.dir
-DBM files containing database
-.TP
-/etc/kerberosIV/master_key
-Master key cache file.
diff --git a/kerberosIV/kdb_edit/kdb_edit.c b/kerberosIV/kdb_edit/kdb_edit.c
deleted file mode 100644
index 8f3d42fd9a6..00000000000
--- a/kerberosIV/kdb_edit/kdb_edit.c
+++ /dev/null
@@ -1,433 +0,0 @@ -/* $OpenBSD: kdb_edit.c,v 1.4 1997/12/17 10:21:26 art Exp $ */ -/* $KTH: kdb_edit.c,v 1.25 1997/05/07 01:34:05 assar Exp $ */ - -/*- - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. - */ - -/* - * This routine changes the Kerberos encryption keys for principals, - * i.e., users or services. 
- */ - -/* - * exit returns 0 ==> success -1 ==> error - */ - -#include "adm_locl.h" - -#ifdef DEBUG -extern kerb_debug; -#endif - -#define zaptime(foo) memset((foo), 0, sizeof(*(foo))) - -static int nflag = 0; -static int debug; - -static des_cblock new_key; - -static int i, j; -static int more; - -static char input_name[ANAME_SZ]; -static char input_instance[INST_SZ]; - -#define MAX_PRINCIPAL 10 -static Principal principal_data[MAX_PRINCIPAL]; - -static Principal old_principal; -static Principal default_princ; - -static des_cblock master_key; -static des_cblock session_key; -static des_key_schedule master_key_schedule; -static char pw_str[255]; -static long master_key_version; - -static char progname[]="kdb_edit"; - -time_t -tm2time (struct tm tm, int local) -{ - time_t t; - - tm.tm_isdst = -1; - - t = mktime (&tm); - - if (!local) - t += t - mktime (gmtime (&t)); - return t; -} - -static void -Usage(void) -{ - fprintf(stderr, "Usage: %s [-n]\n", progname); - exit(1); -} - -static char * -n_gets(char *buf, int size) -{ - char *p; - char *ret; - ret = fgets(buf, size, stdin); - - if (ret && (p = strchr(buf, '\n'))) - *p = 0; - return ret; -} - - -static int -change_principal(void) -{ - static char temp[255]; - int creating = 0; - int editpw = 0; - int changed = 0; - long temp_long; /* Don't change to int32_t, used by scanf */ - int n; - struct tm *tp, edate; - - fprintf(stdout, "\nPrincipal name: "); - fflush(stdout); - if (!n_gets(input_name, sizeof(input_name)) || *input_name == '\0') - return 0; - fprintf(stdout, "Instance: "); - fflush(stdout); - /* instance can be null */ - n_gets(input_instance, sizeof(input_instance)); - j = kerb_get_principal(input_name, input_instance, principal_data, - MAX_PRINCIPAL, &more); - if (!j) { - fprintf(stdout, "\n\07\07<Not found>, Create [y] ? 
"); - fflush(stdout); - n_gets(temp, sizeof(temp)); /* Default case should work, it didn't */ - if (temp[0] != 'y' && temp[0] != 'Y' && temp[0] != '\0') - return -1; - /* make a new principal, fill in defaults */ - j = 1; - creating = 1; - strncpy(principal_data[0].name, input_name, ANAME_SZ - 1); - principal_data[0].name[ANAME_SZ - 1] = '\0'; - strncpy(principal_data[0].instance, input_instance, INST_SZ - 1); - principal_data[0].instance[INST_SZ - 1] = '\0'; - - principal_data[0].old = NULL; - principal_data[0].exp_date = default_princ.exp_date; - if (strcmp(input_instance, "admin") == 0) - principal_data[0].max_life = 1 + (CLOCK_SKEW/(5*60)); /*5+5 minutes*/ - else if (strcmp(input_instance, "root") == 0) - principal_data[0].max_life = 96; /* 8 hours */ - else - principal_data[0].max_life = default_princ.max_life; - principal_data[0].attributes = default_princ.attributes; - principal_data[0].kdc_key_ver = (unsigned char) master_key_version; - principal_data[0].key_version = 0; /* bumped up later */ - } - tp = k_localtime(&principal_data[0].exp_date); - snprintf(principal_data[0].exp_date_txt, - sizeof(principal_data[0].exp_date_txt), - "%4d-%02d-%02d", - tp->tm_year + 1900, - tp->tm_mon + 1, tp->tm_mday); /* January is 0, not 1 */ - for (i = 0; i < j; i++) { - for (;;) { - fprintf(stdout, - "\nPrincipal: %s, Instance: %s, kdc_key_ver: %d", - principal_data[i].name, principal_data[i].instance, - principal_data[i].kdc_key_ver); - fflush(stdout); - editpw = 1; - changed = 0; - if (!creating) { - /* - * copy the existing data so we can use the old values - * for the qualifier clause of the replace - */ - principal_data[i].old = (char *) &old_principal; - memcpy(&old_principal, &principal_data[i], - sizeof(old_principal)); - printf("\nChange password [n] ? 
"); - n_gets(temp, sizeof(temp)); - if (strcmp("y", temp) && strcmp("Y", temp)) - editpw = 0; - } - /* password */ - if (editpw) { -#ifdef NOENCRYPTION - placebo_read_pw_string(pw_str, sizeof pw_str, - "\nNew Password: ", TRUE); -#else - if(des_read_pw_string(pw_str, sizeof pw_str, - "\nNew Password: ", TRUE)) - continue; -#endif - if ( strcmp(pw_str, "RANDOM") == 0 - || strcmp(pw_str, "") == 0) { - printf("\nRandom password [y] ? "); - n_gets(temp, sizeof(temp)); - if (!strcmp("n", temp) || !strcmp("N", temp)) { - /* no, use literal */ -#ifdef NOENCRYPTION - memset(new_key, 0, sizeof(des_cblock)); - new_key[0] = 127; -#else - des_string_to_key(pw_str, &new_key); -#endif - memset(pw_str, 0, sizeof pw_str); /* "RANDOM" */ - } else { -#ifdef NOENCRYPTION - memset(new_key, 0, sizeof(des_cblock)); - new_key[0] = 127; -#else - des_new_random_key(&new_key); -#endif - memset(pw_str, 0, sizeof pw_str); - } - } else if (!strcmp(pw_str, "NULL")) { - printf("\nNull Key [y] ? "); - n_gets(temp, sizeof(temp)); - if (!strcmp("n", temp) || !strcmp("N", temp)) { - /* no, use literal */ -#ifdef NOENCRYPTION - memset(new_key, 0, sizeof(des_cblock)); - new_key[0] = 127; -#else - des_string_to_key(pw_str, &new_key); -#endif - memset(pw_str, 0, sizeof pw_str); /* "NULL" */ - } else { - - principal_data[i].key_low = 0; - principal_data[i].key_high = 0; - goto null_key; - } - } else { -#ifdef NOENCRYPTION - memset(new_key, 0, sizeof(des_cblock)); - new_key[0] = 127; -#else - des_string_to_key(pw_str, &new_key); -#endif - memset(pw_str, 0, sizeof pw_str); - } - - /* seal it under the kerberos master key */ - kdb_encrypt_key (&new_key, &new_key, - &master_key, master_key_schedule, - DES_ENCRYPT); - copy_from_key(new_key, - &principal_data[i].key_low, - &principal_data[i].key_high); - memset(new_key, 0, sizeof(new_key)); - null_key: - /* set master key version */ - principal_data[i].kdc_key_ver = - (unsigned char) master_key_version; - /* bump key version # */ - 
principal_data[i].key_version++; - fprintf(stdout, - "\nPrincipal's new key version = %d\n", - principal_data[i].key_version); - fflush(stdout); - changed = 1; - } - /* expiration date */ - fprintf(stdout, "Expiration date (enter yyyy-mm-dd) [ %s ] ? ", - principal_data[i].exp_date_txt); - fflush(stdout); - zaptime(&edate); - while (n_gets(temp, sizeof(temp)) && ((n = strlen(temp)) > - sizeof(principal_data[0].exp_date_txt))) { - bad_date: - fprintf(stdout, "\07\07Date Invalid\n"); - fprintf(stdout, - "Expiration date (enter yyyy-mm-dd) [ %s ] ? ", - principal_data[i].exp_date_txt); - fflush(stdout); - zaptime(&edate); - } - - if (*temp) { - if (sscanf(temp, "%d-%d-%d", &edate.tm_year, - &edate.tm_mon, &edate.tm_mday) != 3) - goto bad_date; - edate.tm_mon--; /* January is 0, not 1 */ - edate.tm_hour = 23; /* nearly midnight at the end of the */ - edate.tm_min = 59; /* specified day */ - if (krb_check_tm (edate)) - goto bad_date; - edate.tm_year -= 1900; - temp_long = tm2time (edate, 1); - strcpy(principal_data[i].exp_date_txt, temp); - principal_data[i].exp_date = temp_long; - changed = 1; - } - - /* maximum lifetime */ - fprintf(stdout, "Max ticket lifetime (*5 minutes) [ %d ] ? ", - principal_data[i].max_life); - fflush(stdout); - while (n_gets(temp, sizeof(temp)) && *temp) { - if (sscanf(temp, "%ld", &temp_long) != 1) - goto bad_life; - if (temp_long > 255 || (temp_long < 0)) { - bad_life: - fprintf(stdout, "\07\07Invalid, choose 0-255\n"); - fprintf(stdout, - "Max ticket lifetime (*5 minutes) [ %d ] ? ", - principal_data[i].max_life); - fflush(stdout); - continue; - } - changed = 1; - /* dont clobber */ - principal_data[i].max_life = (unsigned short) temp_long; - break; - } - - /* attributes */ - fprintf(stdout, "Attributes [ %d ] ? 
", - principal_data[i].attributes); - fflush(stdout); - while (n_gets(temp, sizeof(temp)) && *temp) { - if (sscanf(temp, "%ld", &temp_long) != 1) - goto bad_att; - if (temp_long > 65535 || (temp_long < 0)) { - bad_att: - fprintf(stdout, "\07\07Invalid, choose 0-65535\n"); - fprintf(stdout, "Attributes [ %d ] ? ", - principal_data[i].attributes); - fflush(stdout); - continue; - } - changed = 1; - /* dont clobber */ - principal_data[i].attributes = - (unsigned short) temp_long; - break; - } - - /* - * remaining fields -- key versions and mod info, should - * not be directly manipulated - */ - if (changed) { - if (kerb_put_principal(&principal_data[i], 1)) { - fprintf(stdout, - "\nError updating Kerberos database"); - } else { - fprintf(stdout, "Edit O.K."); - } - } else { - fprintf(stdout, "Unchanged"); - } - - - memset(&principal_data[i].key_low, 0, 4); - memset(&principal_data[i].key_high, 0, 4); - fflush(stdout); - break; - } - } - if (more) { - fprintf(stdout, "\nThere were more tuples found "); - fprintf(stdout, "than there were space for"); - } - return 1; -} - -static void -cleanup(void) -{ - - memset(master_key, 0, sizeof(master_key)); - memset(session_key, 0, sizeof(session_key)); - memset(master_key_schedule, 0, sizeof(master_key_schedule)); - memset(principal_data, 0, sizeof(principal_data)); - memset(new_key, 0, sizeof(new_key)); - memset(pw_str, 0, sizeof(pw_str)); -} - -int -main(int argc, char **argv) -{ - /* Local Declarations */ - - long n; - - while (--argc > 0 && (*++argv)[0] == '-') - for (i = 1; argv[0][i] != '\0'; i++) { - switch (argv[0][i]) { - - /* debug flag */ - case 'd': - debug = 1; - continue; - - /* debug flag */ -#ifdef DEBUG - case 'l': - kerb_debug |= 1; - continue; -#endif - case 'n': /* read MKEYFILE for master key */ - nflag = 1; - continue; - - default: - warnx ("illegal flag \"%c\"", argv[0][i]); - Usage(); /* Give message and die */ - } - } - - fprintf(stdout, "Opening database...\n"); - fflush(stdout); - kerb_init(); - if 
(argc > 0) - if (kerb_db_set_name(*argv) != 0) - errx (1, "Could not open altername database name"); - - if (kdb_get_master_key ((nflag == 0) ? KDB_GET_PROMPT : 0, - &master_key, master_key_schedule) != 0) - errx (1, "Couldn't read master key."); - - if ((master_key_version = kdb_verify_master_key(&master_key, - master_key_schedule, - stdout)) < 0) - return 1; - - /* Initialize non shared random sequence */ - des_init_random_number_generator(&master_key); - - /* lookup the default values */ - n = kerb_get_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST, - &default_princ, 1, &more); - if (n != 1) - errx (1, "Kerberos error on default value lookup, %ld found.", n); - fprintf(stdout, "Previous or default values are in [brackets] ,\n"); - fprintf(stdout, "enter return to leave the same, or new value.\n"); - - while (change_principal()) { - } - - cleanup(); - return 0; -} diff --git a/kerberosIV/kdb_init/Makefile b/kerberosIV/kdb_init/Makefile deleted file mode 100644 index 17071789b4c..00000000000 --- a/kerberosIV/kdb_init/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -# from @(#)Makefile 8.1 (Berkeley) 6/1/93 -# $Id: Makefile,v 1.1 1995/12/14 06:52:42 tholo Exp $ - -PROG= kdb_init -DPADD= ${LIBKDB} ${LIBKRB} ${LIBDES} -LDADD= -lkdb -lkrb -ldes -MAN= kdb_init.8 - -.include <bsd.prog.mk> diff --git a/kerberosIV/kdb_init/kdb_init.8 b/kerberosIV/kdb_init/kdb_init.8 deleted file mode 100644 index 156d9fe2272..00000000000 --- a/kerberosIV/kdb_init/kdb_init.8 +++ /dev/null 
@@ -1,63 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. -.\" -.\" $OpenBSD: kdb_init.8,v 1.4 1998/02/25 15:50:48 art Exp $ -.TH KDB_INIT 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_init \- Initialize Kerberos key distribution center database -.SH SYNOPSIS -kdb_init [ -.B realm -] -.SH DESCRIPTION -.I kdb_init -initializes a Kerberos key distribution center database, creating the -necessary principals. 
-.PP -If the optional -.I realm -argument is not present, -.I kdb_init -prompts for a realm name (defaulting to the definition in /usr/include/kerberosIV/krb.h). -After determining the realm to be created, it prompts for -a master key password. The master key password is used to encrypt -every encryption key stored in the database. -.SH DIAGNOSTICS -.TP 20n -"/etc/kerberosIV/principal: File exists" -An attempt was made to create a database on a machine which already had -an existing database. -.SH FILES -.TP 20n -/etc/kerberosIV/principal.pag, /etc/kerberosIV/principal.dir -DBM files containing database -.TP -/usr/include/kerberosIV/krb.h -Include file defining default realm -.SH SEE ALSO -kdb_destroy(8) diff --git a/kerberosIV/kdb_init/kdb_init.c b/kerberosIV/kdb_init/kdb_init.c deleted file mode 100644 index fe3eec833f0..00000000000 --- a/kerberosIV/kdb_init/kdb_init.c +++ /dev/null 
@@ -1,196 +0,0 @@ -/* $OpenBSD: kdb_init.c,v 1.5 1999/08/20 11:00:32 art Exp $ */ -/* $KTH: kdb_init.c,v 1.23 1997/03/30 17:45:05 assar Exp $ */ - -/*- - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. - */ - -/* - * program to initialize the database, reports error if database file - * already exists. - */ - -#include "adm_locl.h" - -enum ap_op { - NULL_KEY, /* setup null keys */ - MASTER_KEY, /* use master key as new key */ - RANDOM_KEY /* choose a random key */ -}; - -static des_cblock master_key; -static des_key_schedule master_key_schedule; - -static char progname[]="kdb_init"; - -/* use a return code to indicate success or failure. check the return */ -/* values of the routines called by this routine. 
*/ - -static int -add_principal(char *name, char *instance, enum ap_op aap_op, int maxlife) -{ - Principal principal; - struct tm *tm; - des_cblock new_key; - - memset(&principal, 0, sizeof(principal)); - strncpy(principal.name, name, ANAME_SZ - 1); - principal.name[ANAME_SZ - 1] = '\0'; - strncpy(principal.instance, instance, INST_SZ - 1); - principal.instance[INST_SZ - 1] = '\0'; - - switch (aap_op) { - case NULL_KEY: - principal.key_low = 0; - principal.key_high = 0; - break; - case RANDOM_KEY: -#ifdef NOENCRYPTION - memset(new_key, 0, sizeof(des_cblock)); - new_key[0] = 127; -#else - des_new_random_key(&new_key); -#endif - kdb_encrypt_key (&new_key, &new_key, &master_key, master_key_schedule, - DES_ENCRYPT); - copy_from_key(new_key, &principal.key_low, &principal.key_high); - memset(new_key, 0, sizeof(new_key)); - break; - case MASTER_KEY: - memcpy(new_key, master_key, sizeof (des_cblock)); - kdb_encrypt_key (&new_key, &new_key, &master_key, master_key_schedule, - DES_ENCRYPT); - copy_from_key(new_key, &principal.key_low, &principal.key_high); - break; - } - principal.mod_date = time(0); - principal.exp_date = KDBINIT_EXPDATE; - strncpy(principal.exp_date_txt, KDBINIT_EXPDATE_TXT, DATE_SZ); - - tm = k_localtime(&principal.mod_date); - principal.attributes = 0; - principal.max_life = maxlife; - - principal.kdc_key_ver = 1; - principal.key_version = 1; - - strncpy(principal.mod_name, "db_creation", ANAME_SZ - 1); - principal.mod_name[ANAME_SZ - 1] = '\0'; - strncpy(principal.mod_instance, "", INST_SZ - 1); - principal.mod_instance[INST_SZ - 1] = '\0'; - principal.old = 0; - - if (kerb_db_put_principal(&principal, 1) != 1) - return -1; /* FAIL */ - - /* let's play it safe */ - memset(new_key, 0, sizeof (des_cblock)); - memset(&principal.key_low, 0, 4); - memset(&principal.key_high, 0, 4); - return 0; -} - -int -main(int argc, char **argv) -{ - char realm[REALM_SZ]; - char *cp; - int code; - char *database; - - if (argc > 3) { - fprintf(stderr, "Usage: %s 
[realm-name] [database-name]\n", progname); - return 1; - } - if (argc == 3) { - database = argv[2]; - --argc; - } else - database = DBM_FILE; - - /* Do this first, it'll fail if the database exists */ - if ((code = kerb_db_create(database)) != 0) - err (1, "Couldn't create database %s", database); - kerb_db_set_name(database); - - if (argc == 2) - strncpy(realm, argv[1], REALM_SZ); - else { - if (krb_get_lrealm(realm, 1) != KSUCCESS) { - strncpy(realm, KRB_REALM, REALM_SZ - 1); - realm[REALM_SZ - 1] = '\0'; - } - fprintf(stderr, "Realm name [default %s ]: ", realm); - if (fgets(realm, sizeof(realm), stdin) == NULL) - errx (1, "\nEOF reading realm"); - if ((cp = strchr(realm, '\n'))) - *cp = '\0'; - if (!*realm) /* no realm given */ - if (krb_get_lrealm(realm, 1) != KSUCCESS) { - strncpy(realm, KRB_REALM, REALM_SZ - 1); - realm[REALM_SZ - 1] = '\0'; - } - } - if (!k_isrealm(realm)) - errx (1, "Bad kerberos realm name \"%s\"", realm); -#ifndef RANDOM_MKEY - printf("You will be prompted for the database Master Password.\n"); - printf("It is important that you NOT FORGET this password.\n"); -#else - printf("To generate a master key, please enter some random data.\n"); - printf("You do not have to remember this.\n"); -#endif - fflush(stdout); - - if (kdb_get_master_key (KDB_GET_TWICE, &master_key, - master_key_schedule) != 0) - errx (1, "Couldn't read master key."); - -#ifdef RANDOM_MKEY - if(kdb_kstash(&master_key, MKEYFILE) < 0) - err (1, "Error writing master key"); - fprintf(stderr, "Wrote master key to %s\n", MKEYFILE); -#endif - - /* Initialize non shared random sequence */ - des_init_random_number_generator(&master_key); - - /* Maximum lifetime for changepw.kerberos (kadmin) tickets, 10 minutes */ -#define ADMLIFE (1 + (CLOCK_SKEW/(5*60))) - - /* Maximum lifetime for ticket granting tickets, 4 days or 21.25h */ -#define TGTLIFE ((krb_life_to_time(0, 162) >= 24*60*60) ? 
161 : 255) - - /* This means that default lifetimes have not been initialized */ -#define DEFLIFE 255 - -#define NOLIFE 0 - - if ( - add_principal(KERB_M_NAME, KERB_M_INST, MASTER_KEY, NOLIFE) || - add_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST, NULL_KEY,DEFLIFE)|| - add_principal(KRB_TICKET_GRANTING_TICKET, realm, RANDOM_KEY, TGTLIFE)|| - add_principal(PWSERV_NAME, KRB_MASTER, RANDOM_KEY, ADMLIFE) - ) { - putc ('\n', stderr); - errx (1, "couldn't initialize database."); - } - - /* play it safe */ - memset(master_key, 0, sizeof (des_cblock)); - memset(master_key_schedule, 0, sizeof (des_key_schedule)); - return 0; -} diff --git a/kerberosIV/kdb_util/Makefile b/kerberosIV/kdb_util/Makefile deleted file mode 100644 index 1daf3010ee2..00000000000 --- a/kerberosIV/kdb_util/Makefile +++ /dev/null @@ -1,11 +0,0 @@ -# from @(#)Makefile 8.1 (Berkeley) 6/1/93 -# $Id: Makefile,v 1.2 1997/12/18 08:50:14 art Exp $ - -PROG= kdb_util -SRCS= kdb_util.c -.PATH: ${.CURDIR}/../kdb_edit -DPADD= ${LIBKDB} ${LIBKRB} ${LIBDES} -LDADD= -lkdb -lkrb -ldes -MAN= kdb_util.8 - -.include <bsd.prog.mk> diff --git a/kerberosIV/kdb_util/kdb_util.8 b/kerberosIV/kdb_util/kdb_util.8 deleted file mode 100644 index 0a0cb4e6a53..00000000000 --- a/kerberosIV/kdb_util/kdb_util.8 +++ /dev/null 
@@ -1,86 +0,0 @@
-.\"
-.\" This source code is no longer held under any constraint of USA
-.\" `cryptographic laws' since it was exported legally. The cryptographic
-.\" functions were removed from the code and a "Bones" distribution was
-.\" made. A Commodity Jurisdiction Request #012-94 was filed with the
-.\" USA State Department, who handed it to the Commerce department. The
-.\" code was determined to fall under General License GTDA under ECCN 5D96G,
-.\" and hence exportable. The cryptographic interfaces were re-added by Eric
-.\" Young, and then KTH proceeded to maintain the code in the free world.
-.\"
-.\"Copyright (C) 1989 by the Massachusetts Institute of Technology
-.\"
-.\"Export of this software from the United States of America is assumed
-.\"to require a specific license from the United States Government.
-.\"It is the responsibility of any person or organization contemplating
-.\"export to obtain such a license before exporting.
-.\"
-.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\"distribute this software and its documentation for any purpose and
-.\"without fee is hereby granted, provided that the above copyright
-.\"notice appear in all copies and that both that copyright notice and
-.\"this permission notice appear in supporting documentation, and that
-.\"the name of M.I.T. not be used in advertising or publicity pertaining
-.\"to distribution of the software without specific, written prior
-.\"permission. M.I.T. makes no representations about the suitability of
-.\"this software for any purpose. It is provided "as is" without express
-.\"or implied warranty.
-.\" -.\" $OpenBSD: kdb_util.8,v 1.4 1998/02/25 15:50:50 art Exp $ -.TH KDB_UTIL 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdb_util \- Kerberos key distribution center database utility -.SH SYNOPSIS -kdb_util -.B operation filename -.SH DESCRIPTION -.I kdb_util -allows the Kerberos key distribution center (KDC) database administrator to -perform utility functions on the database. -.PP -.I Operation -must be one of the following: -.TP 10n -.I load -initializes the KDC database with the records described by the -text contained in the file -.IR filename . -Any existing database is overwritten. -.TP -.I dump -dumps the KDC database into a text representation in the file -.IR filename . -.TP -.I slave_dump -performs a database dump like the -.I dump -operation, and additionally creates a semaphore file signalling the -propagation software that an update is available for distribution to -slave KDC databases. -.TP -.I new_master_key -prompts for the old and new master key strings, and then dumps the KDC -database into a text representation in the file -.IR filename . -The keys in the text representation are encrypted in the new master key. -.TP -.I convert_old_db -prompts for the master key string, and then dumps the KDC database into -a text representation in the file -.IR filename . -The existing database is assumed to be encrypted using the old format -(encrypted by the key schedule of the master key); the dumped database -is encrypted using the new format (encrypted directly with master key). -.PP -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. -.SH FILES -.TP 20n -/etc/kerberosIV/principal.pag, /etc/kerberosIV/principal.dir -DBM files containing database -.TP -.IR filename .ok -semaphore file created by -.IR slave_dump. diff --git a/kerberosIV/kdb_util/kdb_util.c b/kerberosIV/kdb_util/kdb_util.c deleted file mode 100644 index a3bad3b0665..00000000000 
--- a/kerberosIV/kdb_util/kdb_util.c
+++ /dev/null
@@ -1,552 +0,0 @@ -/* $OpenBSD: kdb_util.c,v 1.6 1998/05/15 01:03:20 art Exp $ */ -/* $KTH: kdb_util.c,v 1.36 1997/12/05 04:21:50 assar Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - */ - -/*- - * Copyright (C) 1987, 1988 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * Kerberos database manipulation utility. This program allows you to - * dump a kerberos database to an ascii readable file and load this - * file into the database. 
Read locking of the database is done during a - * dump operation. NO LOCKING is done during a load operation. Loads - * should happen with other processes shutdown. - * - * Written July 9, 1987 by Jeffrey I. Schiller - */ - -#include "adm_locl.h" - -static des_cblock master_key, new_master_key; -static des_key_schedule master_key_schedule, new_master_key_schedule; - -#define zaptime(foo) memset((foo), 0, sizeof(*(foo))) - -/* cv_key is a procedure which takes a principle and changes its key, - either for a new method of encrypting the keys, or a new master key. - if cv_key is null no transformation of key is done (other than net byte - order). */ - -struct callback_args { - void (*cv_key)(Principal *); - FILE *output_file; -}; - -time_t -tm2time (struct tm tm, int local) -{ - time_t t; - - tm.tm_isdst = -1; - - t = mktime (&tm); - - if (!local) - t += t - mktime (gmtime (&t)); - return t; -} - -static void -print_time(FILE *file, time_t timeval) -{ - struct tm *tm; - tm = gmtime(&timeval); - fprintf(file, " %04d%02d%02d%02d%02d", - tm->tm_year + 1900, - tm->tm_mon + 1, - tm->tm_mday, - tm->tm_hour, - tm->tm_min); -} - -static time_t -time_explode(char *cp) -{ - char wbuf[5]; - struct tm tp; - int local; - - if (cp == NULL) - return -1; - - zaptime(&tp); /* clear out the struct */ - - if (strlen(cp) > 10) { /* new format */ - strncpy(wbuf, cp, 4); - wbuf[4] = 0; - tp.tm_year = atoi(wbuf) - 1900; - cp += 4; /* step over the year */ - local = 0; /* GMT */ - } else { /* old format: local time, - year is 2 digits, assuming 19xx */ - wbuf[0] = *cp++; - wbuf[1] = *cp++; - wbuf[2] = 0; - tp.tm_year = atoi(wbuf); - local = 1; /* local */ - } - - wbuf[0] = *cp++; - wbuf[1] = *cp++; - wbuf[2] = 0; - tp.tm_mon = atoi(wbuf)-1; - - wbuf[0] = *cp++; - wbuf[1] = *cp++; - tp.tm_mday = atoi(wbuf); - - wbuf[0] = *cp++; - wbuf[1] = *cp++; - tp.tm_hour = atoi(wbuf); - - wbuf[0] = *cp++; - wbuf[1] = *cp++; - tp.tm_min = atoi(wbuf); - - - return(tm2time(tp, local)); -} - -static int 
-dump_db_1(void *arg, Principal *principal) -{ /* replace null strings with "*" */ - struct callback_args *a = (struct callback_args *)arg; - - if (principal == NULL) - return -1; - - if (principal->instance[0] == '\0') { - principal->instance[0] = '*'; - principal->instance[1] = '\0'; - } - if (principal->mod_name[0] == '\0') { - principal->mod_name[0] = '*'; - principal->mod_name[1] = '\0'; - } - if (principal->mod_instance[0] == '\0') { - principal->mod_instance[0] = '*'; - principal->mod_instance[1] = '\0'; - } - if (a->cv_key != NULL) { - (*a->cv_key) (principal); - } - fprintf(a->output_file, "%s %s %d %d %d %d %x %x", - principal->name, - principal->instance, - principal->max_life, - principal->kdc_key_ver, - principal->key_version, - principal->attributes, - (int)htonl (principal->key_low), - (int)htonl (principal->key_high)); - print_time(a->output_file, principal->exp_date); - print_time(a->output_file, principal->mod_date); - fprintf(a->output_file, " %s %s\n", - principal->mod_name, - principal->mod_instance); - return 0; -} - -static int -dump_db (char *db_file, FILE *output_file, void (*cv_key) (Principal *)) -{ - struct callback_args a; - - a.cv_key = cv_key; - a.output_file = output_file; - - kerb_db_iterate ((k_iter_proc_t)dump_db_1, &a); - return fflush(output_file); -} - -static int -add_file(void *db, FILE *file) -{ - int ret; - int lineno = 0; - char line[1024]; - unsigned long key[2]; /* yes, long */ - Principal pr; - char *format = NULL; - - char exp_date[64], mod_date[64]; - - int life, kkvno, kvno; - - while(1){ - memset(&pr, 0, sizeof(pr)); - errno = 0; - if(fgets(line, sizeof(line), file) == NULL){ - if(errno != 0) - err (1, "fgets"); - break; - } - lineno++; - - asprintf(&format, - "%%%ds %%%ds %%d %%d %%d %%hd %%lx %%lx %%%ds %%%ds %%%ds %%%ds", - ANAME_SZ - 1, INST_SZ - 1, sizeof(exp_date) - 1, - sizeof(mod_date) - 1, ANAME_SZ - 1, INST_SZ - 1); - - if (format == NULL) - err(1, "malloc"); - - ret = sscanf(line, format, - pr.name, 
pr.instance, - &life, &kkvno, &kvno, - &pr.attributes, - &key[0], &key[1], - exp_date, mod_date, - pr.mod_name, pr.mod_instance); - - free(format); - format = NULL; - - if(ret != 12){ - warnx("Line %d malformed (ignored)", lineno); - continue; - } - pr.key_low = ntohl (key[0]); - pr.key_high = ntohl (key[1]); - pr.max_life = life; - pr.kdc_key_ver = kkvno; - pr.key_version = kvno; - pr.exp_date = time_explode(exp_date); - pr.mod_date = time_explode(mod_date); - if (pr.instance[0] == '*') - pr.instance[0] = 0; - if (pr.mod_name[0] == '*') - pr.mod_name[0] = 0; - if (pr.mod_instance[0] == '*') - pr.mod_instance[0] = 0; - if (kerb_db_update(db, &pr, 1) != 1) { - warn ("store %s.%s aborted", - pr.name, pr.instance); - return 1; - } - } - return 0; -} - -static void -load_db (char *db_file, FILE *input_file) -{ - long *db; - int code; - char *temp_db_file; - - asprintf (&temp_db_file, "%s~", db_file); - if(temp_db_file == NULL) - errx (1, "out of memory"); - - /* Create the database */ - if ((code = kerb_db_create(temp_db_file)) != 0) - err (1, "creating temp database %s", temp_db_file); - kerb_db_set_name(temp_db_file); - db = kerb_db_begin_update(); - if (db == NULL) - err (1, "opening temp database %s", temp_db_file); - - if(add_file(db, input_file)) - errx (1, "Load aborted"); - - kerb_db_end_update(db); - if ((code = kerb_db_rename(temp_db_file, db_file)) != 0) - warn("database rename failed"); - fclose(input_file); - free(temp_db_file); -} - -static void -merge_db(char *db_file, FILE *input_file) -{ - void *db; - - db = kerb_db_begin_update(); - if(db == NULL) - err (1, "Couldn't open database"); - if(add_file(db, input_file)) - errx (1, "Merge aborted"); - kerb_db_end_update(db); -} - -static void -update_ok_file (char *file_name) -{ - /* handle slave locking/failure stuff */ - char *file_ok; - int fd; - static char ok[]=".dump_ok"; - - asprintf (&file_ok, "%s%s", file_name, ok); - if (file_ok == NULL) - errx (1, "out of memory"); - if ((fd = open(file_ok, 
O_WRONLY|O_CREAT|O_TRUNC, 0400)) < 0) - err (1, "Error creating %s", file_ok); - free(file_ok); - close(fd); -} - -static void -convert_key_new_master (Principal *p) -{ - des_cblock key; - - /* leave null keys alone */ - if ((p->key_low == 0) && (p->key_high == 0)) return; - - /* move current key to des_cblock for encryption, special case master key - since that's changing */ - if ((strncmp (p->name, KERB_M_NAME, ANAME_SZ) == 0) && - (strncmp (p->instance, KERB_M_INST, INST_SZ) == 0)) { - memcpy (key, new_master_key, sizeof(des_cblock)); - (p->key_version)++; - } else { - copy_to_key(&p->key_low, &p->key_high, key); - kdb_encrypt_key (&key, &key, &master_key, master_key_schedule, DES_DECRYPT); - } - - kdb_encrypt_key (&key, &key, &new_master_key, new_master_key_schedule, DES_ENCRYPT); - - copy_from_key(key, &(p->key_low), &(p->key_high)); - memset(key, 0, sizeof (key)); /* a little paranoia ... */ - - (p->kdc_key_ver)++; -} - -static void -clear_secrets (void) -{ - memset(master_key, 0, sizeof (des_cblock)); - memset(master_key_schedule, 0, sizeof (des_key_schedule)); - memset(new_master_key, 0, sizeof (des_cblock)); - memset(new_master_key_schedule, 0, sizeof (des_key_schedule)); -} - -static void -convert_new_master_key (char *db_file, FILE *out) -{ -#ifdef RANDOM_MKEY - errx (1, "Sorry, this function is not available with " - "the new master key scheme."); -#else - printf ("\n\nEnter the CURRENT master key."); - if (kdb_get_master_key (KDB_GET_PROMPT, &master_key, - master_key_schedule) != 0) { - errx (1, "Couldn't get master key."); - } - - if (kdb_verify_master_key (&master_key, master_key_schedule, stderr) < 0) { - exit (1); - } - - printf ("\n\nNow enter the NEW master key. 
Do not forget it!!"); - if (kdb_get_master_key (KDB_GET_TWICE, &new_master_key, - new_master_key_schedule) != 0) { - errx (1, "Couldn't get new master key."); - } - - dump_db (db_file, out, convert_key_new_master); - { - char fname[128]; - snprintf(fname, sizeof(fname), "%s.new", MKEYFILE); - kdb_kstash(&new_master_key, fname); - } -#endif /* RANDOM_MKEY */ -} - -static void -convert_key_old_db (Principal *p) -{ - des_cblock key; - - /* leave null keys alone */ - if ((p->key_low == 0) && (p->key_high == 0)) return; - - copy_to_key(&p->key_low, &p->key_high, key); - -#ifndef NOENCRYPTION - des_pcbc_encrypt((des_cblock *)key,(des_cblock *)key, - (long)sizeof(des_cblock),master_key_schedule, - (des_cblock *)master_key_schedule, DES_DECRYPT); -#endif - - /* make new key, new style */ - kdb_encrypt_key (&key, &key, &master_key, master_key_schedule, DES_ENCRYPT); - - copy_from_key(key, &(p->key_low), &(p->key_high)); - memset(key, 0, sizeof (key)); /* a little paranoia ... */ -} - -static void -convert_old_format_db (char *db_file, FILE *out) -{ - des_cblock key_from_db; - Principal principal_data[1]; - int n, more; - - if (kdb_get_master_key (KDB_GET_PROMPT, &master_key, - master_key_schedule) != 0L) { - errx (1, "Couldn't get master key."); - } - - /* can't call kdb_verify_master_key because this is an old style db */ - /* lookup the master key version */ - n = kerb_get_principal(KERB_M_NAME, KERB_M_INST, principal_data, - 1 /* only one please */, &more); - if ((n != 1) || more) - errx (1, "verify_master_key: Kerberos error on master key lookup, %d found.\n", n); - - /* set up the master key */ - fprintf(stderr, "Current Kerberos master key version is %d.\n", - principal_data[0].kdc_key_ver); - - /* - * now use the master key to decrypt (old style) the key in the db, had better - * be the same! 
- */ - copy_to_key(&principal_data[0].key_low, - &principal_data[0].key_high, - key_from_db); -#ifndef NOENCRYPTION - des_pcbc_encrypt(&key_from_db,&key_from_db,(long)sizeof(key_from_db), - master_key_schedule,(des_cblock *)master_key_schedule, DES_DECRYPT); -#endif - /* the decrypted database key had better equal the master key */ - - n = memcmp(master_key, key_from_db, sizeof(master_key)); - memset(key_from_db, 0, sizeof(key_from_db)); - - if (n) { - fprintf(stderr, "\n\07\07verify_master_key: Invalid master key, "); - fprintf(stderr, "does not match database.\n"); - exit (1); - } - - fprintf(stderr, "Master key verified.\n"); - - dump_db (db_file, out, convert_key_old_db); -} - -int -main(int argc, char **argv) -{ - int ret; - FILE *file; - enum { - OP_LOAD, - OP_MERGE, - OP_DUMP, - OP_SLAVE_DUMP, - OP_NEW_MASTER, - OP_CONVERT_OLD_DB - } op; - char *file_name; - char *db_name; - - atexit(clear_secrets); - - if (argc != 3 && argc != 4) { - fprintf(stderr, "Usage: %s operation file [database name].\n", - argv[0]); - fprintf(stderr, "Operation is one of: " - "load, merge, dump, slave_dump, new_master_key, " - "convert_old_db\n"); - exit(1); - } - if (argc == 3) - db_name = DBM_FILE; - else - db_name = argv[3]; - - ret = kerb_db_set_name (db_name); - - /* this makes starting slave servers ~14.3 times easier */ - if(ret && strcmp(argv[1], "load") == 0) - ret = kerb_db_create (db_name); - - if(ret) - err (1, "Can't open database"); - - if (!strcmp(argv[1], "load")) - op = OP_LOAD; - else if (!strcmp(argv[1], "merge")) - op = OP_MERGE; - else if (!strcmp(argv[1], "dump")) - op = OP_DUMP; - else if (!strcmp(argv[1], "slave_dump")) - op = OP_SLAVE_DUMP; - else if (!strcmp(argv[1], "new_master_key")) - op = OP_NEW_MASTER; - else if (!strcmp(argv[1], "convert_old_db")) - op = OP_CONVERT_OLD_DB; - else { - warnx ("%s is an invalid operation.", argv[1]); - warnx ("Valid operations are \"load\", \"merge\", " - "\"dump\", \"slave_dump\", \"new_master_key\", " - "and 
\"convert_old_db\""); - return 1; - } - - file_name = argv[2]; - file = fopen(file_name, (op == OP_LOAD || op == OP_MERGE) ? "r" : "w"); - if (file == NULL) - err (1, "open %s", argv[2]); - - switch (op) { - case OP_DUMP: - if ((dump_db (db_name, file, (void (*)(Principal *)) 0) == EOF) || - (fclose(file) == EOF)) - err (1, "%s", file_name); - break; - case OP_SLAVE_DUMP: - if ((dump_db (db_name, file, (void (*)(Principal *)) 0) == EOF) || - (fclose(file) == EOF)) - err (1, "%s", file_name); - update_ok_file (file_name); - break; - case OP_LOAD: - load_db (db_name, file); - break; - case OP_MERGE: - merge_db (db_name, file); - break; - case OP_NEW_MASTER: - convert_new_master_key (db_name, file); - printf("Don't forget to do a `kdb_util load %s' to reload the database!\n", file_name); - break; - case OP_CONVERT_OLD_DB: - convert_old_format_db (db_name, file); - printf("Don't forget to do a `kdb_util load %s' to reload the database!\n", file_name); - break; - } - return 0; -} diff --git a/kerberosIV/kdestroy/Makefile b/kerberosIV/kdestroy/Makefile deleted file mode 100644 index 4ef04233e07..00000000000 --- a/kerberosIV/kdestroy/Makefile +++ /dev/null @@ -1,12 +0,0 @@ -# from @(#)Makefile 8.1 (Berkeley) 6/1/93 - -PROG= kdestroy -SRCS= kdestroy.c -.PATH: ${.CURDIR}/../roken -SRCS+= getarg.c get_window_size.c -DPADD= ${LIBKRB} ${LIBDES} -LDADD= -lkrb -ldes -lkafs -BINDIR= /usr/bin -CFLAGS+= -I${.CURDIR}/../roken - -.include <bsd.prog.mk> diff --git a/kerberosIV/kdestroy/kdestroy.1 b/kerberosIV/kdestroy/kdestroy.1 deleted file mode 100644 index e21f2b42cd0..00000000000 --- a/kerberosIV/kdestroy/kdestroy.1 +++ /dev/null 
@@ -1,103 +0,0 @@
-.\"
-.\" This source code is no longer held under any constraint of USA
-.\" `cryptographic laws' since it was exported legally. The cryptographic
-.\" functions were removed from the code and a "Bones" distribution was
-.\" made. A Commodity Jurisdiction Request #012-94 was filed with the
-.\" USA State Department, who handed it to the Commerce department. The
-.\" code was determined to fall under General License GTDA under ECCN 5D96G,
-.\" and hence exportable. The cryptographic interfaces were re-added by Eric
-.\" Young, and then KTH proceeded to maintain the code in the free world.
-.\"
-.\"Copyright (C) 1989 by the Massachusetts Institute of Technology
-.\"
-.\"Export of this software from the United States of America is assumed
-.\"to require a specific license from the United States Government.
-.\"It is the responsibility of any person or organization contemplating
-.\"export to obtain such a license before exporting.
-.\"
-.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\"distribute this software and its documentation for any purpose and
-.\"without fee is hereby granted, provided that the above copyright
-.\"notice appear in all copies and that both that copyright notice and
-.\"this permission notice appear in supporting documentation, and that
-.\"the name of M.I.T. not be used in advertising or publicity pertaining
-.\"to distribution of the software without specific, written prior
-.\"permission. M.I.T. makes no representations about the suitability of
-.\"this software for any purpose. It is provided "as is" without express
-.\"or implied warranty.
-.\" -.\" $OpenBSD: kdestroy.1,v 1.4 1998/02/25 15:50:53 art Exp $ -.TH KDESTROY 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kdestroy \- destroy Kerberos tickets -.SH SYNOPSIS -.B kdestroy -[ -.B \-f -] -[ -.B \-q -] -.SH DESCRIPTION -The -.I kdestroy -utility destroys the user's active -Kerberos -authorization tickets by writing zeros to the file that contains them. -If the ticket file does not exist, -.I kdestroy -displays a message to that effect. -.PP -After overwriting the file, -.I kdestroy -removes the file from the system. -The utility -displays a message indicating the success or failure of the -operation. -If -.I kdestroy -is unable to destroy the ticket file, -the utility will warn you by making your terminal beep. -.PP -In the Athena workstation environment, -the -.I toehold -service automatically destroys your tickets when you -end a workstation session. -If your site does not provide a similar ticket-destroying mechanism, -you can place the -.I kdestroy -command in your -.I .logout -file so that your tickets are destroyed automatically -when you logout. -.PP -The options to -.I kdestroy -are as follows: -.TP 7 -.B \-f -.I kdestroy -runs without displaying the status message. -.TP -.B \-q -.I kdestroy -will not make your terminal beep if it fails to destroy the tickets. -.SH FILES -KRBTKFILE environment variable if set, otherwise -.br -/tmp/tkt[uid] -.SH SEE ALSO -kerberos(1), kinit(1), klist(1) -.SH BUGS -.PP -Only the tickets in the user's current ticket file are destroyed. -Separate ticket files are used to hold root instance and password -changing tickets. These files should probably be destroyed too, or -all of a user's tickets kept in a single ticket file. -.SH AUTHORS -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.br -Clifford Neuman, MIT Project Athena -.br -Bill Sommerfeld, MIT Project Athena 
diff --git a/kerberosIV/kdestroy/kdestroy.c b/kerberosIV/kdestroy/kdestroy.c
deleted file mode 100644
index b6bd612a9ce..00000000000
--- a/kerberosIV/kdestroy/kdestroy.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/* $OpenBSD: kdestroy.c,v 1.6 1998/08/12 23:39:40 art Exp $ */
-/* $KTH: kdestroy.c,v 1.10 1998/05/13 22:44:24 assar Exp $ */
-/*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <time.h>
-#include <sys/stat.h>
-#include <kerberosIV/krb.h>
-#include <kerberosIV/kafs.h>
-#include <getarg.h>
-#include <err.h>
-
-int quiet_flag;
-#ifdef LEGACY_KDESTROY
-int unlog_flag;
-#else
-int unlog_flag = 1;
-#endif
-int help_flag;
-int version_flag;
-
-struct getargs args[] = {
- { "quiet", 'q', arg_flag, &quiet_flag,
- "don't print any messages" },
- { NULL, 'f', arg_flag, &quiet_flag },
-#ifdef LEGACY_KDESTROY
- { "unlog", 0, arg_flag, &unlog_flag,
- "destroy tokens" },
- { NULL, 't', arg_negative_flag, &unlog_flag,
- "don't destroy tokens (default)" },
-#else
- { "unlog", 't', arg_negative_flag, &unlog_flag,
- "don't destroy tokens" },
-#endif
- { "version", 0, arg_flag, &version_flag },
- { "help", 'h', arg_flag, &help_flag }
-};
-
-int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(int code)
-{
- arg_printusage(args, num_args, "");
- exit(code);
-}
-
-int
-main(int argc, char **argv)
-{
- int optind = 0;
- int ret;
-
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
-
- if(help_flag)
- usage(0);
-
- if(version_flag)
- errx(0, "%s", krb4_version);
-
- ret = dest_tkt();
-
- if(unlog_flag && k_hasafs())
- k_unlog();
-
- if (quiet_flag) {
- if (ret != 0 && ret != RET_TKFIL)
- exit(1);
- else
- exit(0);
- }
- if (ret == 0)
- printf("Tickets destroyed.\n");
- else if (ret ==
RET_TKFIL)
- printf("No tickets to destroy.\n");
- else {
- printf("Tickets NOT destroyed.\n");
- exit(1);
- }
- exit(0);
-}
diff --git a/kerberosIV/kerberos/Makefile b/kerberosIV/kerberos/Makefile
deleted file mode 100644
index 57d77660778..00000000000
--- a/kerberosIV/kerberos/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-# from @(#)Makefile 8.1 (Berkeley) 6/1/93
-# $Id: Makefile,v 1.3 1998/01/23 08:32:07 art Exp $
-
-PROG= kerberos
-DPADD= ${LIBKDB} ${LIBKRB} ${LIBDES}
-LDADD= -lkdb -lkrb -ldes
-MAN= kerberos.8
-
-BINDIR= /usr/libexec
-
-CFLAGS+=-I${.CURDIR}
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/kerberos/kerberos.8 b/kerberosIV/kerberos/kerberos.8
deleted file mode 100644
index d69715977cd..00000000000
--- a/kerberosIV/kerberos/kerberos.8
+++ /dev/null
@@ -1,281 +0,0 @@
-.\"
-.\" This source code is no longer held under any constraint of USA
-.\" `cryptographic laws' since it was exported legally. The cryptographic
-.\" functions were removed from the code and a "Bones" distribution was
-.\" made. A Commodity Jurisdiction Request #012-94 was filed with the
-.\" USA State Department, who handed it to the Commerce department. The
-.\" code was determined to fall under General License GTDA under ECCN 5D96G,
-.\" and hence exportable. The cryptographic interfaces were re-added by Eric
-.\" Young, and then KTH proceeded to maintain the code in the free world.
-.\"
-.\"Copyright (C) 1989 by the Massachusetts Institute of Technology
-.\"
-.\"Export of this software from the United States of America is assumed
-.\"to require a specific license from the United States Government.
-.\"It is the responsibility of any person or organization contemplating
-.\"export to obtain such a license before exporting.
-.\"
-.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\"distribute this software and its documentation for any purpose and
-.\"without fee is hereby granted, provided that the above copyright
-.\"notice appear in all copies and that both that copyright notice and
-.\"this permission notice appear in supporting documentation, and that
-.\"the name of M.I.T. not be used in advertising or publicity pertaining
-.\"to distribution of the software without specific, written prior
-.\"permission. M.I.T. makes no representations about the suitability of
-.\"this software for any purpose. It is provided "as is" without express
-.\"or implied warranty.
-.\"
-.\" $OpenBSD: kerberos.8,v 1.4 1998/02/25 15:50:56 art Exp $
-.TH KERBEROS 8 "Kerberos Version 4.0" "MIT Project Athena"
-.SH NAME
-kerberos \- introduction to the Kerberos system
-
-.SH DESCRIPTION
-The
-Kerberos
-system authenticates
-individual users in a network environment.
-After authenticating yourself to
-Kerberos,
-you can use network utilities such as
-.IR rlogin ,
-.IR rcp ,
-and
-.IR rsh
-without
-having to present passwords to remote hosts and without having to bother
-with
-.I \.rhosts
-files.
-Note that these utilities will work without passwords only if
-the remote machines you deal with
-support the
-Kerberos
-system.
-All Athena timesharing machines and public workstations support
-Kerberos.
-.PP
-Before you can use
-Kerberos,
-you must register as an Athena user,
-and you must make sure you have been added to
-the
-Kerberos
-database.
-You can use the
-.I kinit
-command to find out.
-This command
-tries to log you into the
-Kerberos
-system.
-.I kinit
-will prompt you for a username and password.
-Enter your username and password.
-If the utility lets you login without giving you a message,
-you have already been registered.
-.PP
-If you enter your username and
-.I kinit
-responds with this message:
-.nf
-
-Principal unknown (kerberos)
-
-.fi
-you haven't been registered as a
-Kerberos
-user.
-See your system administrator.
-.PP
-A Kerberos name contains three parts.
-The first is the
-.I principal name,
-which is usually a user's or service's name.
-The second is the
-.I instance,
-which in the case of a user is usually null.
-Some users may have privileged instances, however,
-such as ``root'' or ``admin''.
-In the case of a service, the instance is the
-name of the machine on which it runs; i.e. there
-can be an
-.I rlogin
-service running on the machine ABC, which
-is different from the rlogin service running on
-the machine XYZ.
-The third part of a Kerberos name
-is the
-.I realm.
-The realm corresponds to the Kerberos service providing
-authentication for the principal.
-For example, at MIT there is a Kerberos running at the
-Laboratory for Computer Science and one running at
-Project Athena.
-.PP
-When writing a Kerberos name, the principal name is
-separated from the instance (if not null) by a period,
-and the realm (if not the local realm) follows, preceded by
-an ``@'' sign.
-The following are examples of valid Kerberos names:
-.sp
-.nf
-.in +8
-billb
-jis.admin
-srz@lcs.mit.edu
-treese.root@athena.mit.edu
-.in -8
-.fi
-.PP
-When you authenticate yourself with
-Kerberos,
-through either the workstation
-.I toehold
-system or the
-.I kinit
-command,
-Kerberos
-gives you an initial
-Kerberos
-.IR ticket .
-(A
-Kerberos
-ticket
-is an encrypted protocol message that provides authentication.)
-Kerberos
-uses this ticket for network utilities
-such as
-.I rlogin
-and
-.IR rcp .
-The ticket transactions are done transparently,
-so you don't have to worry about their management.
-.PP
-Note, however, that tickets expire.
-Privileged tickets, such as root instance tickets,
-expire in a few minutes, while tickets that carry more ordinary
-privileges may be good for several hours or a day, depending on the
-installation's policy.
-If your login session extends beyond the time limit,
-you will have to re-authenticate yourself to
-Kerberos
-to get new tickets.
-Use the
-.IR kinit
-command to re-authenticate yourself.
-.PP
-If you use the
-.I kinit
-command to get your tickets,
-make sure you use the
-.I kdestroy
-command
-to destroy your tickets before you end your login session.
-You should probably put the
-.I kdestroy
-command in your
-.I \.logout
-file so that your tickets will be destroyed automatically when you logout.
-For more information about the
-.I kinit
-and
-.I kdestroy
-commands,
-see the
-.I kinit(1)
-and
-.I kdestroy(1)
-manual pages.
-.PP
-Currently,
-Kerberos
-supports the following network services:
-.IR rlogin ,
-.IR rsh ,
-and
-.IR rcp .
-Other services are being worked on,
-such as the
-.IR pop
-mail system and NFS (network file system),
-but are not yet available.
-
-.SH "SEE ALSO"
-kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3), kerberos(3),
-kadmin(8)
-.SH BUGS
-Kerberos
-will not do authentication forwarding.
-In other words,
-if you use
-.I rlogin
-to login to a remote host,
-you cannot use
-Kerberos
-services from that host
-until you authenticate yourself explicitly on that host.
-Although you may need to authenticate yourself on the remote
-host,
-be aware that when you do so,
-.I rlogin
-sends your password across the network in clear text.
-
-.SH AUTHORS
-Steve Miller, MIT Project Athena/Digital Equipment Corporation
-.br
-Clifford Neuman, MIT Project Athena
-
-The following people helped out on various aspects of the system:
-
-Jeff Schiller designed and wrote the administration server and its
-user interface, kadmin.
-He also wrote the dbm version of the database management system.
-
-Mark Colan developed the
-Kerberos
-versions of
-.IR rlogin ,
-.IR rsh ,
-and
-.IR rcp ,
-as well as contributing work on the servers.
-
-John Ostlund developed the
-Kerberos
-versions of
-.I passwd
-and
-.IR userreg .
-
-Stan Zanarotti pioneered Kerberos in a foreign realm (LCS),
-and made many contributions based on that experience.
-
-Many people contributed code and/or useful ideas, including
-Jim Aspnes,
-Bob Baldwin,
-John Barba,
-Richard Basch,
-Jim Bloom,
-Bill Bryant,
-Rob French,
-Dan Geer,
-David Jedlinsky,
-John Kohl,
-John Kubiatowicz,
-Bob McKie,
-Brian Murphy,
-Ken Raeburn,
-Chris Reed,
-Jon Rochlis,
-Mike Shanzer,
-Bill Sommerfeld,
-Jennifer Steiner,
-Ted Ts'o,
-and
-Win Treese.
-
-.SH RESTRICTIONS
-
-COPYRIGHT 1985,1986 Massachusetts Institute of Technology
diff --git a/kerberosIV/kerberos/kerberos.c b/kerberosIV/kerberos/kerberos.c
deleted file mode 100644
index 567e7d2fef6..00000000000
--- a/kerberosIV/kerberos/kerberos.c
+++ /dev/null
@@ -1,1021 +0,0 @@
-/* $OpenBSD: kerberos.c,v 1.16 1999/05/23 17:19:24 aaron Exp $ */
-/* $KTH: kerberos.c,v 1.70 1997/09/26 18:06:38 joda Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <sys/types.h>
-#include <sys/time.h>
-#include <time.h>
-#include <sys/select.h>
-#include <errno.h>
-#include <unistd.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <sys/ioctl.h>
-#include <sys/filio.h>
-
-#include <netdb.h>
-#include <stdarg.h>
-#include <err.h>
-
-#include <des.h>
-#include <kerberosIV/krb.h>
-#include <kerberosIV/krb_db.h>
-#include <kerberosIV/prot.h>
-#include "klog.h"
-
-#include "version.h"
-#include "krb_log.h"
-#include "kdc.h"
-
-static des_key_schedule master_key_schedule;
-static des_cblock master_key;
-
-static struct timeval kerb_time;
-static u_char master_key_version;
-static char k_instance[INST_SZ];
-static char *lt;
-static int more;
-
-static int mflag; /* Are we invoked manually? */
-static char *log_file = KRBLOG; /* name of alt. log file */
-static int nflag; /* don't check max age */
-static int rflag; /* alternate realm specified */
-
-/* fields within the received request packet */
-static char *req_name_ptr;
-static char *req_inst_ptr;
-static char *req_realm_ptr;
-static u_int32_t req_time_ws;
-
-static char local_realm[REALM_SZ];
-
-/* options */
-static int max_age = -1;
-static int pause_int = -1;
-static char progname[]="kerberos";
-
-#ifndef MAX
-#define MAX(a,b) (((a)>(b))?(a):(b))
-#endif /* MAX */
-
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif /* MIN */
-
-/*
- * Print usage message and exit.
- */
-static void
-usage(void)
-{
- fprintf(stderr, "Usage: %s [-s] [-m] [-n] [-p pause_seconds]"
- " [-a max_age] [-l log_file] [-i address_to_listen_on]"
- " [-r realm] [database_pathname]\n",
- progname);
- exit(1);
-}
-
-/*
- * kerb_err_reply creates an error reply packet and sends it to the
- * client.
- */
-
-static void
-kerb_err_reply(int f, struct sockaddr_in *client, int err, char *string)
-{
- static KTEXT_ST e_pkt_st;
- KTEXT e_pkt = &e_pkt_st;
- static char e_msg[128];
-
- strncpy(e_msg, "\nKerberos error -- ", sizeof(e_msg));
- if (strlen(e_msg) < sizeof(e_msg))
- strncat(e_msg, string, sizeof(e_msg) - strlen(e_msg) - 1);
- e_msg[sizeof(e_msg) - 1] = '\0';
- cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
- req_time_ws, err, e_msg);
- sendto(f, (char*)e_pkt->dat, e_pkt->length, 0, (struct sockaddr *)client,
- sizeof(*client));
-}
-
-static void
-hang(void)
-{
- if (pause_int == -1) {
- klog(L_KRB_PERR, "Kerberos will pause so as not to loop init");
- for (;;)
- pause();
- } else {
- char buf[256];
- snprintf(buf, sizeof(buf),
- "Kerberos will wait %d seconds before dying so as not to loop init",
- pause_int);
- klog(L_KRB_PERR, buf);
- sleep(pause_int);
- klog(L_KRB_PERR, "Do svedania....\n");
- exit(1);
- }
-}
-
-static int
-check_princ(char *p_name, char *instance, unsigned int lifetime, Principal *p)
-{
- static int n;
- static int more;
-
- n = kerb_get_principal(p_name, instance, p, 1, &more);
-
- if (n < 0) {
- lt = klog(L_KRB_PERR, "Database unavailable!");
- hang();
- }
-
- /*
- * if more than one p_name, pick one, randomly create a session key,
- * compute maximum lifetime, lookup authorizations if applicable,
- * and stuff into cipher.
- */
- if (n == 0) {
- /* service unknown, log error, skip to next request */
- lt = klog(L_ERR_UNK, "UNKNOWN %s.%s", p_name, instance);
- return KERB_ERR_PRINCIPAL_UNKNOWN;
- }
- if (more) {
- /* not unique, log error */
- lt = klog(L_ERR_NUN, "Principal not unique %s.%s", p_name, instance);
- return KERB_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- /* If the user's key is null, we want to return an error */
- if ((p->key_low == 0) && (p->key_high == 0)) {
- /* User has a null key */
- lt = klog(L_ERR_NKY, "Null key %s.%s", p_name, instance);
- return KERB_ERR_NULL_KEY;
- }
- if (master_key_version != p->kdc_key_ver) {
- /* log error reply */
- lt = klog(L_ERR_MKV,
- "Incorrect master key version for %s.%s: %d (should be %d)",
- p->name, p->instance, p->kdc_key_ver, master_key_version);
- return KERB_ERR_NAME_MAST_KEY_VER;
- }
- /* make sure the service hasn't expired */
- if ((u_int32_t) p->exp_date < (u_int32_t) kerb_time.tv_sec) {
- /* service did expire, log it */
- time_t t = p->exp_date;
- lt = klog(L_ERR_SEXP,
- "Principal %s.%s expired at %s", p->name, p->instance,
- krb_stime(&t));
- return KERB_ERR_NAME_EXP;
- }
- /* ok is zero */
- return 0;
-}
-
-static void
-unseal(des_cblock *key)
-{
- kdb_encrypt_key(key, key, &master_key, master_key_schedule, DES_DECRYPT);
-}
-
-
-/* Set the key for krb_rd_req so we can check tgt */
-static int
-set_tgtkey(char *r)
- /* Realm for desired key */
-{
- int n;
- static char lastrealm[REALM_SZ];
- Principal p_st;
- Principal *p = &p_st;
- des_cblock key;
-
- if (!strcmp(lastrealm, r))
- return (KSUCCESS);
-
- klog(L_ALL_REQ, "Getting key for %s", r);
-
- n = kerb_get_principal(KRB_TICKET_GRANTING_TICKET, r, p, 1, &more);
- if (n == 0)
- return (KFAILURE);
-
- /* unseal tgt key from master key */
- copy_to_key(&p->key_low, &p->key_high, key);
- unseal(&key);
- krb_set_key(key, 0);
- strncpy(lastrealm, r, sizeof(lastrealm) - 1);
- lastrealm[sizeof(lastrealm) - 1] = '\0';
- return (KSUCCESS);
-}
-
-
-static int
-kerberos(unsigned char
*buf, int len,
- char *proto, struct sockaddr_in *client,
- struct sockaddr_in *server,
- KTEXT rpkt)
-{
- int pvno;
- int msg_type;
- int lsb;
- int life;
- int flags = 0;
- char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
- char service[SNAME_SZ], sinst[INST_SZ];
- u_int32_t req_time;
- static KTEXT_ST ticket, cipher, adat;
- KTEXT tk = &ticket, ciph = &cipher, auth = &adat;
- AUTH_DAT ad;
- des_cblock session, key;
- int err;
- Principal a_name, s_name;
-
- char *msg;
-
-
- unsigned char *p = buf;
- if(len < 2){
- strncpy((char*)rpkt->dat, "Packet too short", MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN - 1] = '\0';
- return KFAILURE;
- }
-
- gettimeofday(&kerb_time, NULL);
-
- pvno = *p++;
- if(pvno != KRB_PROT_VERSION){
- msg = klog(L_KRB_PERR, "KRB protocol version mismatch (%d)", pvno);
- strncpy((char*)rpkt->dat, msg, MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN - 1] = '\0';
- return KERB_ERR_PKT_VER;
- }
- msg_type = *p++;
- lsb = msg_type & 1;
- msg_type &= ~1;
- switch(msg_type){
- case AUTH_MSG_KDC_REQUEST:
- /* XXX range check */
- p += krb_get_nir(p, name, inst, realm);
- p += krb_get_int(p, &req_time, 4, lsb);
- life = *p++;
- p += krb_get_nir(p, service, sinst, NULL);
- klog(L_INI_REQ,
- "AS REQ %s.%s@%s for %s.%s from %s (%s/%u)",
- name, inst, realm, service, sinst,
- inet_ntoa(client->sin_addr),
- proto, ntohs(server->sin_port));
- if((err = check_princ(name, inst, 0, &a_name))){
- strncpy((char*)rpkt->dat, krb_get_err_text(err), MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN - 1] = '\0';
- return err;
- }
- tk->length = 0;
- if((err = check_princ(service, sinst, 0, &s_name))){
- strncpy((char*)rpkt->dat, krb_get_err_text(err), MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN -1] = '\0';
- return err;
- }
- life = MIN(life, s_name.max_life);
- life = MIN(life, a_name.max_life);
-
- des_new_random_key(&session);
- copy_to_key(&s_name.key_low, &s_name.key_high, key);
- unseal(&key);
- krb_create_ticket(tk, flags, a_name.name, a_name.instance,
-
local_realm, client->sin_addr.s_addr,
- session,
- life, kerb_time.tv_sec,
- s_name.name, s_name.instance, &key);
- copy_to_key(&a_name.key_low, &a_name.key_high, key);
- unseal(&key);
- create_ciph(ciph, session, s_name.name, s_name.instance,
- local_realm, life, s_name.key_version, tk,
- kerb_time.tv_sec, &key);
- memset(&session, 0, sizeof(session));
- memset(&key, 0, sizeof(key));
- {
- KTEXT r;
- r = create_auth_reply(name, inst, realm, req_time, 0,
- a_name.exp_date, a_name.key_version, ciph);
- memcpy(rpkt, r, sizeof(*rpkt));
- }
- return 0;
- case AUTH_MSG_APPL_REQUEST:
- strncpy(realm, (char*)buf + 3, REALM_SZ - 1);
- realm[REALM_SZ - 1] = '\0';
- if((err = set_tgtkey(realm))){
- msg = klog(L_ERR_UNK,
- "Unknown realm %s from %s (%s/%u)",
- realm, inet_ntoa(client->sin_addr),
- proto, ntohs(server->sin_port));
- strncpy((char*)rpkt->dat, msg, MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN -1] = '\0';
- return err;
- }
- p = buf + strlen(realm) + 4;
- p = p + p[0] + p[1] + 2;
- auth->length = p - buf;
- memcpy(auth->dat, buf, auth->length);
- err = krb_rd_req(auth, KRB_TICKET_GRANTING_TICKET,
- realm, client->sin_addr.s_addr, &ad, 0);
- if(err){
- msg = klog(L_ERR_UNK,
- "krb_rd_req from %s (%s/%u): %s",
- inet_ntoa(client->sin_addr),
- proto,
- ntohs(server->sin_port),
- krb_get_err_text(err));
- strncpy((char*)rpkt->dat, msg, MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN - 1] = '\0';
- return err;
- }
- p += krb_get_int(p, &req_time, 4, lsb);
- life = *p++;
- p += krb_get_nir(p, service, sinst, NULL);
- klog(L_APPL_REQ,
- "APPL REQ %s.%s@%s for %s.%s from %s (%s/%u)",
- ad.pname, ad.pinst, ad.prealm,
- service, sinst,
- inet_ntoa(client->sin_addr),
- proto,
- ntohs(server->sin_port));
-
- if(strcmp(ad.prealm, realm)){
- msg = klog(L_ERR_UNK, "Can't hop realms: %s -> %s",
- realm, ad.prealm);
- strncpy((char*)rpkt->dat, msg, MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN - 1] = '\0';
- return KERB_ERR_PRINCIPAL_UNKNOWN;
- }
-
- if(!strcmp(service, "changepw")){
-
strncpy((char*)rpkt->dat,
- "Can't authorize password changed based on TGT",
- MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN - 1] = '\0';
- return KERB_ERR_PRINCIPAL_UNKNOWN;
- }
-
- err = check_princ(service, sinst, life, &s_name);
- if(err){
- strncpy((char*)rpkt->dat, krb_get_err_text(err), MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN - 1] = '\0';
- return err;
- }
- life = MIN(life,
- krb_time_to_life(kerb_time.tv_sec,
- krb_life_to_time(ad.time_sec,
- ad.life)));
- life = MIN(life, s_name.max_life);
- copy_to_key(&s_name.key_low, &s_name.key_high, key);
- unseal(&key);
- des_new_random_key(&session);
- krb_create_ticket(tk, flags, ad.pname, ad.pinst, ad.prealm,
- client->sin_addr.s_addr, &session,
- life, kerb_time.tv_sec,
- s_name.name, s_name.instance,
- &key);
-
- memset(&key, 0, sizeof(key));
-
- create_ciph(ciph, session, service, sinst, local_realm,
- life, s_name.key_version, tk,
- kerb_time.tv_sec, &ad.session);
-
- memset(&session, 0, sizeof(session));
- memset(ad.session, 0, sizeof(ad.session));
- {
- KTEXT r;
- r =create_auth_reply(ad.pname, ad.pinst, ad.prealm,
- req_time, 0, 0, 0, ciph);
- memcpy(rpkt, r, sizeof(*rpkt));
- }
- memset(&s_name, 0, sizeof(s_name));
- return 0;
-
- case AUTH_MSG_ERR_REPLY:
- return -1;
- default:
- msg = klog(L_KRB_PERR,
- "Unknown message type: %d from %s (%s/%u)",
- msg_type,
- inet_ntoa(client->sin_addr),
- proto,
- ntohs(server->sin_port));
- strncpy((char*)rpkt->dat, msg, MAX_KTXT_LEN - 1);
- rpkt->dat[MAX_KTXT_LEN - 1] = '\0';
- return KFAILURE;
- }
-}
-
-
-static void
-kerberos_wrap(int s, KTEXT data, char *proto, struct sockaddr_in *client,
- struct sockaddr_in *server)
-{
- KTEXT_ST pkt;
- int http_flag = strcmp(proto, "http") == 0;
- int err = kerberos(data->dat, data->length, proto, client, server, &pkt);
- if(err == -1)
- return;
- if(http_flag){
- const char *msg =
- "HTTP/1.1 200 OK\r\n"
- "Server: KTH-KRB/" VERSION "\r\n"
- "Content-type: application/octet-stream\r\n"
- "Content-transfer-encoding:
binary\r\n\r\n";
- sendto(s, msg, strlen(msg), 0, (struct sockaddr *)client,
- sizeof(*client));
- }
- if(err){
- kerb_err_reply(s, client, err, (char*)pkt.dat);
- return;
- }
- sendto(s, pkt.dat, pkt.length, 0, (struct sockaddr *)client,
- sizeof(*client));
-}
-
-
-/*
- * setup_disc
- *
- * disconnect all descriptors, remove ourself from the process
- * group that spawned us.
- */
-
-static void
-setup_disc(void)
-{
- int s;
-
- for (s = 0; s < 3; s++) {
- close(s);
- }
-
- open("/dev/null", 0);
- dup2(0, 1);
- dup2(0, 2);
-
- setsid();
-
- chdir("/tmp");
- return;
-}
-
-/*
- * Make sure that database isn't stale.
- *
- * Exit if it is; we don't want to tell lies.
- */
-
-static void
-check_db_age(void)
-{
- long age;
-
- if (max_age != -1) {
- /* Requires existance of kerb_get_db_age() */
- gettimeofday(&kerb_time, 0);
- age = kerb_get_db_age();
- if (age == 0) {
- klog(L_KRB_PERR, "Database currently being updated!");
- hang();
- }
- if ((age + max_age) < kerb_time.tv_sec) {
- klog(L_KRB_PERR, "Database out of date!");
- hang();
- /* NOTREACHED */
- }
- }
-}
-
-struct descr{
- int s;
- KTEXT_ST buf;
- int type;
- int timeout;
- struct sockaddr_in addr;
-};
-
-static void
-mksocket(struct descr *d, struct in_addr addr, int type,
- const char *service, int port)
-{
- int on = 1;
- int sock;
-
- memset(d, 0, sizeof(struct descr));
- if ((sock = socket(AF_INET, type, 0)) < 0)
- err (1, "socket");
- if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
- sizeof(on)) < 0)
- warn ("setsockopt (SO_REUSEADDR)");
- memset(&d->addr, 0, sizeof(d->addr));
- d->addr.sin_family = AF_INET;
- d->addr.sin_port = port;
- d->addr.sin_addr = addr;
- if (bind(sock, (struct sockaddr *)&d->addr, sizeof(d->addr)) < 0)
- err (1, "bind '%s/%s' (%d)",
- service, (type == SOCK_DGRAM) ?
"udp" : "tcp", - ntohs(d->addr.sin_port)); - - if(type == SOCK_STREAM) - listen(sock, SOMAXCONN); - d->s = sock; - d->type = type; -} - - -static void loop(struct descr *fds, int maxfd); - -struct port_spec { - int port; - int type; -}; - -static int -add_port(struct port_spec **ports, int *num_ports, int port, int type) -{ - struct port_spec *tmp; - tmp = realloc(*ports, (*num_ports + 1) * sizeof(*tmp)); - if(tmp == NULL) { - free(*ports); - return ENOMEM; - } - *ports = tmp; - tmp[*num_ports].port = port; - tmp[*num_ports].type = type; - (*num_ports)++; - return 0; -} - -void make_sockets(char *port_spec, struct in_addr *i_addr, - struct descr **fds, int *nfds) -{ - int tp; - struct in_addr *a; - char *p, *q, *pos = NULL; - struct servent *sp; - struct port_spec *ports = NULL; - int num_ports = 0; - int i, j; - - - for(p = strtok_r(port_spec, ", \t", &pos); - p; - p = strtok_r(NULL, ", \t", &pos)){ - if(strcmp(p, "+") == 0){ - add_port(&ports, &num_ports, 88, SOCK_DGRAM); - add_port(&ports, &num_ports, 88, SOCK_STREAM); - add_port(&ports, &num_ports, 750, SOCK_DGRAM); - add_port(&ports, &num_ports, 750, SOCK_STREAM); - }else{ - q = strchr(p, '/'); - if(q){ - *q = 0; - q++; - } - sp = getservbyname(p, q); - if(sp) - tp = ntohs(sp->s_port); - else if(sscanf(p, "%d", &tp) != 1) { - warnx("Unknown port: %s%s%s", p, q ? "/" : "", q ? 
q : "");
- continue;
- }
- if(q){
- if(strcasecmp(q, "tcp") == 0)
- add_port(&ports, &num_ports, tp, SOCK_STREAM);
- else if(strcasecmp(q, "udp") == 0)
- add_port(&ports, &num_ports, tp, SOCK_DGRAM);
- else
- warnx("Unknown protocol type: %s", q);
- }else{
- add_port(&ports, &num_ports, tp, SOCK_DGRAM);
- add_port(&ports, &num_ports, tp, SOCK_STREAM);
- }
- }
- }
-
- if(num_ports == 0)
- errx(1, "No valid ports specified!");
-
- if (i_addr) {
- *nfds = 1;
- a = malloc(sizeof(*a) * *nfds);
- if (a == NULL)
- errx (1, "Failed to allocate %u bytes",
- sizeof(*a) * *nfds);
- memcpy(a, i_addr, sizeof(struct in_addr));
- } else
- *nfds = k_get_all_addrs (&a);
- if (*nfds < 0) {
- struct in_addr any;
-
- any.s_addr = INADDR_ANY;
-
- warnx ("Could not get local addresses, binding to INADDR_ANY");
- *nfds = 1;
- a = malloc(sizeof(*a) * *nfds);
- if (a == NULL)
- errx (1, "Failed to allocate %u bytes",
- sizeof(*a) * *nfds);
- memcpy(a, &any, sizeof(struct in_addr));
- }
- *fds = malloc(*nfds * num_ports * sizeof(**fds));
- if (*fds == NULL)
- errx (1, "Failed to allocate %u bytes",
- *nfds * num_ports * sizeof(**fds));
- for (i = 0; i < *nfds; i++) {
- for(j = 0; j < num_ports; j++) {
- mksocket(*fds + num_ports * i + j, a[i],
- ports[j].type, "", htons(ports[j].port));
- }
- }
- *nfds *= num_ports;
- free(ports);
- free (a);
-}
-
-
-int
-main(int argc, char **argv)
-{
- int child;
- int c;
- struct descr *fds;
- int nfds;
- int n;
- int kerror;
- int i_flag = 0;
- struct in_addr i_addr;
- char *port_spec = "+";
-
- umask(077); /* Create protected files */
-
- while ((c = getopt(argc, argv, "snmp:P:a:l:r:i:")) != -1) {
- switch(c) {
- case 's':
- /*
- * Set parameters to slave server defaults.
- */
- if (max_age == -1 && !nflag)
- max_age = ONE_DAY; /* 24 hours */
- if (pause_int == -1)
- pause_int = FIVE_MINUTES; /* 5 minutes */
- break;
- case 'n':
- max_age = -1; /* don't check max age.
*/
- nflag++;
- break;
- case 'm':
- mflag++; /* running manually; prompt for master key */
- break;
- case 'p':
- /* Set pause interval. */
- if (!isdigit(optarg[0]))
- usage();
- pause_int = atoi(optarg);
- if ((pause_int < 5) || (pause_int > ONE_HOUR)) {
- fprintf(stderr, "pause_int must be between 5 and 3600 seconds.\n");
- usage();
- }
- break;
- case 'P':
- port_spec = optarg;
- break;
- case 'a':
- /* Set max age. */
- if (!isdigit(optarg[0]))
- usage();
- max_age = atoi(optarg);
- if ((max_age < ONE_HOUR) || (max_age > THREE_DAYS)) {
- fprintf(stderr, "max_age must be between one hour and three days, in seconds\n");
- usage();
- }
- break;
- case 'l':
- /* Set alternate log file */
- log_file = optarg;
- break;
- case 'r':
- /* Set realm name */
- rflag++;
- strncpy(local_realm, optarg, REALM_SZ - 1);
- local_realm[REALM_SZ - 1] = '\0';
- break;
- case 'i':
- /* Only listen on this address */
- if(inet_aton (optarg, &i_addr) == 0) {
- fprintf (stderr, "Bad address: %s\n", optarg);
- exit (1);
- }
- ++i_flag;
- break;
- default:
- usage();
- break;
- }
- }
-
- if (optind == (argc-1)) {
- if (kerb_db_set_name(argv[optind]) != 0) {
- fprintf(stderr, "Could not set alternate database name\n");
- exit(1);
- }
- optind++;
- }
-
- if (optind != argc)
- usage();
-
- printf("Kerberos server starting\n");
-
- if ((!nflag) && (max_age != -1))
- printf("\tMaximum database age: %d seconds\n", max_age);
- if (pause_int != -1)
- printf("\tSleep for %d seconds on error\n", pause_int);
- else
- printf("\tSleep forever on error\n");
- if (mflag)
- printf("\tMaster key will be entered manually\n");
-
- printf("\tLog file is %s\n", log_file);
-
- kset_logfile(log_file);
-
- {
- char hostname[MAXHOSTNAMELEN];
- /* find our hostname, and use it as the instance */
- if (gethostname(hostname, sizeof(hostname)))
- err (1, "gethostname");
- strncpy(k_instance, hostname, sizeof(k_instance) - 1);
- k_instance[sizeof(k_instance) - 1] = '\0';
- }
-
- make_sockets(port_spec, i_flag ?
&i_addr : NULL, &fds, &nfds);
-
- /* do all the database and cache inits */
- if ((n = kerb_init())) {
- if (mflag) {
- printf("Kerberos db and cache init ");
- printf("failed = %d ...exiting\n", n);
- exit (1);
- } else {
- klog(L_KRB_PERR,
- "Kerberos db and cache init failed = %d ...exiting", n);
- hang();
- }
- }
-
- /* Make sure database isn't stale */
- check_db_age();
-
- /* setup master key */
- if (kdb_get_master_key (mflag, &master_key, master_key_schedule) != 0) {
- klog (L_KRB_PERR, "kerberos: couldn't get master key.");
- exit (1);
- }
- kerror = kdb_verify_master_key (&master_key, master_key_schedule, stdout);
- if (kerror < 0) {
- klog (L_KRB_PERR, "Can't verify master key.");
- memset(master_key, 0, sizeof (master_key));
- memset (master_key_schedule, 0, sizeof (master_key_schedule));
- exit (1);
- }
-
- master_key_version = (u_char) kerror;
-
- fprintf(stdout, "\nCurrent Kerberos master key version is %d\n",
- master_key_version);
- des_init_random_number_generator(&master_key);
-
- if (!rflag) {
- /* Look up our local realm */
- krb_get_lrealm(local_realm, 1);
- }
- fprintf(stdout, "Local realm: %s\n", local_realm);
- fflush(stdout);
-
- if (set_tgtkey(local_realm)) {
- /* Ticket granting service unknown */
- klog(L_KRB_PERR, "Ticket granting ticket service unknown");
- fprintf(stderr, "Ticket granting ticket service unknown\n");
- exit(1);
- }
- if (mflag) {
- if ((child = fork()) != 0) {
- printf("Kerberos started, PID=%d\n", child);
- exit(0);
- }
- setup_disc();
- }
-
- klog(L_ALL_REQ, "Starting Kerberos for %s (kvno %d)",
- local_realm, master_key_version);
-
- /* receive loop */
- loop(fds, nfds);
- exit(1);
-}
-
-
-void
-read_socket(struct descr *n)
-{
- int b;
- struct sockaddr_in from;
- int fromlen = sizeof(from);
- b = recvfrom(n->s, n->buf.dat + n->buf.length,
- MAX_PKT_LEN - n->buf.length, 0,
- (struct sockaddr *)&from, &fromlen);
- if(b < 0){
- if(n->type == SOCK_STREAM){
- close(n->s);
- n->s = -1;
- }
- n->buf.length = 0;
- return;
- } - n->buf.length += b; - if(n->type == SOCK_STREAM){ - char *proto = "tcp"; - if(n->buf.length > 4 && - strncmp((char *)n->buf.dat, "GET ", 4) == 0 && - strncmp((char *)n->buf.dat + n->buf.length - 4, - "\r\n\r\n", 4) == 0){ - char *p; - char *save = NULL; - - n->buf.dat[n->buf.length - 1] = 0; - strtok_r(n->buf.dat, " \t\r\n", &save); - p = strtok_r(NULL, " \t\r\n", &save); - if(p == NULL) - p = ""; - if(*p == '/') p++; - n->buf.length = base64_decode(p, n->buf.dat); - if(n->buf.length <= 0){ - const char *msg = - "HTTP/1.1 404 Not found\r\n" - "Server: KTH-KRB/" VERSION "\r\n" - "Content-type: text/html\r\n" - "Content-transfer-encoding: 8bit\r\n\r\n" - "<TITLE>404 Not found</TITLE>\r\n" - "<H1>404 Not found</H1>\r\n" - "That page does not exist. Information about " - "<A HREF=\"http://www.pdc.kth.se/kth-krb\">KTH-KRB</A> " - "is available elsewhere.\r\n"; - fromlen = sizeof(from); - if(getpeername(n->s,(struct sockaddr*)&from, &fromlen) == 0) - klog(L_KRB_PERR, "Unknown HTTP request from %s", - inet_ntoa(from.sin_addr)); - else - klog(L_KRB_PERR, "Unknown HTTP request from <unknown>"); - write(n->s, msg, strlen(msg)); - close(n->s); - n->s = -1; - n->buf.length = 0; - return; - } - proto = "http"; - b = 0; - } - else if(n->buf.length >= 4 && n->buf.dat[0] == 0){ - /* if this is a new type of packet (with - the length attached to the head of the - packet), and there is no more data to - be read, fake an old packet, so the - code below will work */ - u_int32_t len; - krb_get_int(n->buf.dat, &len, 4, 0); - if(n->buf.length == len + 4){ - memmove(n->buf.dat, n->buf.dat + 4, len); - b = 0; - } - } - if(b == 0){ - /* handle request if there are - no more bytes to read */ - fromlen = sizeof(from); - getpeername(n->s,(struct sockaddr*)&from, &fromlen); - kerberos_wrap(n->s, &n->buf, proto, &from, - &n->addr); - n->buf.length = 0; - close(n->s); - n->s = -1; - } - }else{ - /* udp packets are atomic */ - kerberos_wrap(n->s, &n->buf, "udp", &from, - &n->addr); - 
n->buf.length = 0; - } -} - -static void -loop(struct descr *fds, int nfds) -{ - for (;;) { - int ret; - fd_set readfds; - struct timeval tv; - int maxfd = 0; - struct descr *n, *minfree; - int accepted; /* accept at most one socket per `round' */ - - FD_ZERO(&readfds); - gettimeofday(&tv, NULL); - maxfd = 0; - minfree = NULL; - /* Remove expired TCP sockets, and add all other - to the set we are selecting on */ - for(n = fds; n < fds + nfds; n++){ - if(n->s >= 0 && n->timeout && tv.tv_sec > n->timeout){ - kerb_err_reply(n->s, NULL, KERB_ERR_TIMEOUT, "Timeout"); - close(n->s); - n->s = -1; - } - if(n->s < 0){ - if(minfree == NULL) minfree = n; - continue; - } - FD_SET(n->s, &readfds); - maxfd = MAX(maxfd, n->s); - } - /* add more space for sockets */ - if(minfree == NULL){ - int i = nfds; - struct descr *new; - nfds *=2; - new = realloc(fds, sizeof(struct descr) * nfds); - if(new){ - fds = new; - minfree = fds + i; - for(; i < nfds; i++) fds[i].s = -1; - } - } - ret = select(maxfd + 1, &readfds, 0, 0, 0); - accepted = 0; - for (n = fds; n < fds + nfds; n++){ - if(n->s < 0) continue; - if (FD_ISSET(n->s, &readfds)){ - if(n->type == SOCK_STREAM && n->timeout == 0){ - /* add accepted socket to list of sockets we are - selecting on */ - int s; - if(accepted) continue; - accepted = 1; - s = accept(n->s, NULL, 0); - if(minfree == NULL){ - kerb_err_reply(s, NULL, KFAILURE, "Out of memory"); - close(s); - }else{ - minfree->s = s; - minfree->type = SOCK_STREAM; - gettimeofday(&tv, NULL); - minfree->timeout = tv.tv_sec + 4; /* XXX */ - minfree->buf.length = 0; - memcpy(&minfree->addr, &n->addr, sizeof(minfree->addr)); - } - }else - read_socket(n); - } - } - } -} diff --git a/kerberosIV/kinit/Makefile b/kerberosIV/kinit/Makefile deleted file mode 100644 index a687f5af15c..00000000000 --- a/kerberosIV/kinit/Makefile +++ /dev/null 
@@ -1,9 +0,0 @@
-# from @(#)Makefile 8.1 (Berkeley) 6/1/93
-# $Id: Makefile,v 1.3 1998/03/12 14:00:01 art Exp $
-
-PROG= kinit
-DPADD= ${LIBKRB} ${LIBDES}
-LDADD= -lkrb -ldes
-BINDIR= /usr/bin
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/kinit/kinit.1 b/kerberosIV/kinit/kinit.1
deleted file mode 100644
index 91175eaf88c..00000000000
--- a/kerberosIV/kinit/kinit.1
+++ /dev/null
@@ -1,155 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. -.\" -.\" $OpenBSD: kinit.1,v 1.5 1998/08/03 07:43:18 deraadt Exp $ -.TH KINIT 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kinit \- Kerberos login utility -.SH SYNOPSIS -.B kinit -[ -.B \-irvl -] -.SH DESCRIPTION -The -.I kinit -command is used to login to the -Kerberos -authentication and authorization system. 
-Note that only registered -Kerberos -users can use the -Kerberos -system. -For information about registering as a -Kerberos -user, -see the -.I kerberos(1) -manual page. -.PP -If you are logged in to a workstation that is running the -.I toehold -service, -you do not have to use -.I kinit. -The -.I toehold -login procedure will log you into -Kerberos -automatically. -You will need to use -.I kinit -only in those situations in which -your original tickets have expired. -(Tickets expire in about a day.) -Note as well that -.I toehold -will automatically destroy your tickets when you logout from the workstation. -.PP -When you use -.I kinit -without options, -the utility -prompts for your username and Kerberos password, -and tries to authenticate your login with the local -Kerberos -server. -.PP -If -Kerberos -authenticates the login attempt, -.I kinit -retrieves your initial ticket and puts it in the ticket file specified by -your KRBTKFILE environment variable. -If this variable is undefined, -your ticket will be stored in the -.IR /tmp -directory, -in the file -.I tktuid , -where -.I uid -specifies your user identification number. -.PP -If you have logged in to -Kerberos -without the benefit of the workstation -.I toehold -system, -make sure you use the -.I kdestroy -command to destroy any active tickets before you end your login session. -You may want to put the -.I kdestroy -command in your -.I \.logout -file so that your tickets will be destroyed automatically when you logout. -.PP -The options to -.I kinit -are as follows: -.TP 7 -.B \-i -.I kinit -prompts you for a -Kerberos -instance. -.TP -.B \-r -.I kinit -prompts you for a -Kerberos -realm. -This option lets you authenticate yourself with a remote -Kerberos -server. -.TP -.B \-v -Verbose mode. -.I kinit -prints the name of the ticket file used, and -a status message indicating the success or failure of -your login attempt. -.TP -.B \-l -.I kinit -prompts you for a ticket lifetime in minutes. 
Due to protocol -restrictions in Kerberos Version 4, this value must be between 5 and -1275 minutes. -.SH SEE ALSO -.PP -kerberos(1), kdestroy(1), klist(1) -.SH BUGS -The -.B \-r -option has not been fully implemented. -.SH AUTHORS -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.br -Clifford Neuman, MIT Project Athena diff --git a/kerberosIV/kinit/kinit.c b/kerberosIV/kinit/kinit.c deleted file mode 100644 index ad0b7e92a0d..00000000000 --- a/kerberosIV/kinit/kinit.c +++ /dev/null 
@@ -1,173 +0,0 @@ -/* $OpenBSD: kinit.c,v 1.4 1998/07/13 20:08:55 art Exp $ */ -/* $Id: kinit.c,v 1.4 1998/07/13 20:08:55 art Exp $ */ -/* $KTH: kinit.c,v 1.15 1997/03/30 18:58:46 assar Exp $ */ - - - -/*- - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. - */ - -/* - * Routine to initialize user to Kerberos. Prompts optionally for - * user, instance and realm. Authenticates user and gets a ticket - * for the Kerberos ticket-granting service for future use. 
- * - * Options are: - * - * -i[instance] - * -r[realm] - * -v[erbose] - * -l[ifetime] - * -p - */ - -#include <kuser_locl.h> -#include <sys/param.h> - -#define LIFE DEFAULT_TKT_LIFE /* lifetime of ticket in 5-minute units */ -#define CHPASSLIFE 2 - -char progname[] = "kinit"; - -static void -get_input(char *s, int size, FILE *stream) -{ - char *p; - - if (fgets(s, size, stream) == NULL) - exit(1); - if ( (p = strchr(s, '\n')) != NULL) - *p = '\0'; -} - -static void -usage(void) -{ - fprintf(stderr, "Usage: %s [-irvlp] [name]\n", progname); - exit(1); -} - -int -main(int argc, char **argv) -{ - char aname[ANAME_SZ]; - char inst[INST_SZ]; - char realm[REALM_SZ]; - char buf[MAXHOSTNAMELEN]; - char name[MAX_K_NAME_SZ]; - char *username = NULL; - int iflag, rflag, vflag, lflag, pflag, lifetime, k_errno; - int i; - - *inst = *realm = '\0'; - iflag = rflag = vflag = lflag = pflag = 0; - lifetime = LIFE; - - while (--argc) { - if ((*++argv)[0] != '-') { - if (username) - usage(); - username = *argv; - continue; - } - for (i = 1; (*argv)[i] != '\0'; i++) - switch ((*argv)[i]) { - case 'i': /* Instance */ - ++iflag; - continue; - case 'r': /* Realm */ - ++rflag; - continue; - case 'v': /* Verbose */ - ++vflag; - continue; - case 'l': - ++lflag; - continue; - case 'p': - ++pflag; /* chpass-tickets */ - lifetime = CHPASSLIFE; - break; - default: - usage(); - } - } - if (username && - (k_errno = kname_parse(aname, inst, realm, username)) != KSUCCESS) { - warnx("%s", krb_get_err_text(k_errno)); - iflag = rflag = 1; - username = NULL; - } - if (gethostname(buf, sizeof(buf))) - errx(1, "gethostname failed"); - printf("%s (%s)\n", ORGANIZATION, buf); - if (username) { - printf("Kerberos Initialization for \"%s", aname); - if (*inst) - printf(".%s", inst); - if (*realm) - printf("@%s", realm); - printf("\"\n"); - } else { - printf("Kerberos Initialization\n"); - printf("Kerberos name: "); - get_input(name, sizeof(name), stdin); - if (!*name) - return 0; - if ((k_errno = 
kname_parse(aname, inst, realm, name)) != KSUCCESS )
- errx(1, "%s", krb_get_err_text(k_errno));
- }
- /* optional instance */
- if (iflag) {
- printf("Kerberos instance: ");
- get_input(inst, sizeof(inst), stdin);
- if (!k_isinst(inst))
- errx(1, "bad Kerberos instance format");
- }
- if (rflag) {
- printf("Kerberos realm: ");
- get_input(realm, sizeof(realm), stdin);
- if (!k_isrealm(realm))
- errx(1, "bad Kerberos realm format");
- }
- if (lflag) {
- printf("Kerberos ticket lifetime (minutes): ");
- get_input(buf, sizeof(buf), stdin);
- lifetime = atoi(buf);
- if (lifetime < 5)
- lifetime = 1;
- else
- lifetime = krb_time_to_life(0, lifetime*60);
- /* This should be changed if the maximum ticket lifetime */
- /* changes */
- if (lifetime > 255)
- lifetime = 255;
- }
- if (!*realm && krb_get_lrealm(realm, 1))
- errx(1, "krb_get_lrealm failed");
- k_errno = krb_get_pw_in_tkt(aname, inst, realm,
- pflag ? PWSERV_NAME :
- KRB_TICKET_GRANTING_TICKET,
- pflag ? KADM_SINST : realm,
- lifetime, 0);
- if (vflag) {
- printf("Kerberos realm %s:\n", realm);
- printf("%s\n", krb_get_err_text(k_errno));
- } else if (k_errno)
- errx(1, "%s", krb_get_err_text(k_errno));
- exit(0);
-}
diff --git a/kerberosIV/klist/Makefile b/kerberosIV/klist/Makefile
deleted file mode 100644
index 277c2813add..00000000000
--- a/kerberosIV/klist/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-# from @(#)Makefile 8.1 (Berkeley) 6/1/93
-# $Id: Makefile,v 1.3 1998/05/18 01:24:53 art Exp $
-
-PROG= klist
-SRCS= klist.c
-.PATH: ${.CURDIR}/../roken
-SRCS+= parse_time.c parse_units.c
-DPADD= ${LIBKRB} ${LIBDES}
-LDADD= -lkrb -ldes -lkafs
-BINDIR= /usr/bin
-CFLAGS+= -I${.CURDIR}/../roken
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/klist/klist.1 b/kerberosIV/klist/klist.1
deleted file mode 100644
index a18393603f1..00000000000
--- a/kerberosIV/klist/klist.1
+++ /dev/null
@@ -1,106 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. 
-.\" -.\" $OpenBSD: klist.1,v 1.4 1998/02/25 15:51:01 art Exp $ -.TH KLIST 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -klist \- list currently held Kerberos tickets -.SH SYNOPSIS -.B klist -[ -\fB\-s \fR|\fB \-t\fR -] [ -.B \-file -name ] [ -.B \-srvtab -] -.br -.SH DESCRIPTION -.I klist -prints the name of the tickets file and the -identity of the principal the tickets are for (as listed in the -tickets file), and -lists the principal names of all Kerberos tickets currently held by -the user, along with the issue and expire time for each authenticator. -Principal names are listed in the form -.I name.instance@realm, -with the '.' omitted if the instance is null, -and the '@' omitted if the realm is null. - -If given the -.B \-s -option, -.I klist -does not print the issue and expire times, the name of the tickets file, -or the identity of the principal. - -If given the -.B \-t -option, -.B klist -checks for the existence of a non-expired ticket-granting-ticket in the -ticket file. If one is present, it exits with status 0, else it exits -with status 1. No output is generated when this option is specified. - -If given the -.B \-file -option, the following argument is used as the ticket file. -Otherwise, if the -.B KRBTKFILE -environment variable is set, it is used. -If this environment variable -is not set, the file -.B /tmp/tkt[uid] -is used, where -.B uid -is the current user-id of the user. - -If given the -.B \-srvtab -option, the file is treated as a service key file, and the names of the -keys contained therein are printed. If no file is -specified with a -.B \-file -option, the default is -.IR /etc/srvtab . -.SH FILES -.TP 2i -/etc/krb.conf -to get the name of the local realm -.TP -/tmp/tkt[uid] -as the default ticket file ([uid] is the decimal UID of the user). 
-.TP
-/etc/srvtab
-as the default service key file
-.SH SEE ALSO
-.PP
-kerberos(1), kinit(1), kdestroy(1)
-.SH BUGS
-When reading a file as a service key file, very little sanity or error
-checking is performed.
diff --git a/kerberosIV/klist/klist.c b/kerberosIV/klist/klist.c
deleted file mode 100644
index e2aec4c6b74..00000000000
--- a/kerberosIV/klist/klist.c
+++ /dev/null
@@ -1,369 +0,0 @@ -/* $OpenBSD: klist.c,v 1.6 1998/05/18 01:24:55 art Exp $ */ -/* $KTH: klist.c,v 1.35 1998/05/01 05:16:33 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - */ - -/*- - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * Lists your current Kerberos tickets. - * Written by Bill Sommerfeld, MIT Project Athena. 
- */ - -#include "kuser_locl.h" - -#include <sys/ioctl.h> -#include <sys/ioccom.h> -#include <kerberosIV/kafs.h> - -static int option_verbose = 0; - -static char progname[]="klist"; - -static char * -short_date(time_t dp) -{ - char *cp; - time_t t = (time_t)dp; - - if (t == (time_t)(-1L)) return "*** Never *** "; - cp = ctime(&t) + 4; - cp[15] = '\0'; - return (cp); -} - -/* prints the approximate kdc time differential as something human - readable */ -static void -print_time_diff(void) -{ - int d = abs(krb_get_kdc_time_diff()); - char buf[80]; - - if ((option_verbose && d > 0) || d > 60) { - unparse_time_approx (d, buf, sizeof(buf)); - printf ("Time diff:\t%s\n", buf); - } -} - -static void -display_tktfile(char *file, int tgt_test, int long_form) -{ - krb_principal pr; - char buf1[20], buf2[20]; - int k_errno; - CREDENTIALS c; - int header = 1; - - if ((file == NULL) && ((file = getenv("KRBTKFILE")) == NULL)) - file = TKT_FILE; - - if (long_form) - printf("Ticket file: %s\n", file); - - /* - * Since krb_get_tf_realm will return a ticket_file error, - * we will call tf_init and tf_close first to filter out - * things like no ticket file. Otherwise, the error that - * the user would see would be - * klist: can't find realm of ticket file: No ticket file (tf_util) - * instead of - * klist: No ticket file (tf_util) - */ - - /* Open ticket file */ - if ((k_errno = tf_init(file, R_TKT_FIL))) { - if (!tgt_test) - warnx("%s", krb_get_err_text(k_errno)); - exit(1); - } - /* Close ticket file */ - tf_close(); - - /* - * We must find the realm of the ticket file here before calling - * tf_init because since the realm of the ticket file is not - * really stored in the principal section of the file, the - * routine we use must itself call tf_init and tf_close. 
- */ - if ((k_errno = krb_get_tf_realm(file, pr.realm)) != KSUCCESS) { - if (!tgt_test) - warnx("can't find realm of ticket file: %s", - krb_get_err_text(k_errno)); - exit(1); - } - - /* Open ticket file */ - if ((k_errno = tf_init(file, R_TKT_FIL))) { - if (!tgt_test) - warnx("%s", krb_get_err_text(k_errno)); - exit(1); - } - /* Get principal name and instance */ - if ((k_errno = tf_get_pname(pr.name)) || - (k_errno = tf_get_pinst(pr.instance))) { - if (!tgt_test) - warnx("%s", krb_get_err_text(k_errno)); - exit(1); - } - - /* - * You may think that this is the obvious place to get the - * realm of the ticket file, but it can't be done here as the - * routine to do this must open the ticket file. This is why - * it was done before tf_init. - */ - - if (!tgt_test && long_form) - printf("Principal:\t%s\n", krb_unparse_name(&pr)); - print_time_diff(); - printf("\n"); - while ((k_errno = tf_get_cred(&c)) == KSUCCESS) { - if (!tgt_test && long_form && header) { - printf("%-15s %-15s %s%s\n", - " Issued", " Expires", " Principal", - option_verbose ? 
" (kvno)" : ""); - header = 0; - } - if (tgt_test) { - c.issue_date = krb_life_to_time(c.issue_date, c.lifetime); - if (!strcmp(c.service, KRB_TICKET_GRANTING_TICKET) && - !strcmp(c.instance, pr.realm)) { - if (time(0) < c.issue_date) - exit(0); /* tgt hasn't expired */ - else - exit(1); /* has expired */ - } - continue; /* not a tgt */ - } - if (long_form) { - struct timeval tv; - - strcpy(buf1, short_date(c.issue_date)); - c.issue_date = krb_life_to_time(c.issue_date, c.lifetime); - krb_kdctimeofday(&tv); - if (option_verbose || tv.tv_sec < (unsigned long) c.issue_date) - strcpy(buf2, short_date(c.issue_date)); - else - strcpy(buf2, ">>> Expired <<<"); - printf("%s %s ", buf1, buf2); - } - printf("%s", krb_unparse_name_long(c.service, c.instance, c.realm)); - if(long_form && option_verbose) - printf(" (%d)", c.kvno); - printf("\n"); - } - if (tgt_test) - exit(1); /* no tgt found */ - if (header && long_form && k_errno == EOF) { - printf("No tickets in file.\n"); - } -} - -/* adapted from getst() in librkb */ -/* - * ok_getst() takes a file descriptor, a string and a count. It reads - * from the file until either it has read "count" characters, or until - * it reads a null byte. When finished, what has been read exists in - * the given string "s". If "count" characters were actually read, the - * last is changed to a null, so the returned string is always null- - * terminated. ok_getst() returns the number of characters read, including - * the null terminator. 
- * - * If there is a read error, it returns -1 (like the read(2) system call) - */ - -static int -ok_getst(int fd, char *s, int n) -{ - int count = n; - int err; - - if (s == NULL) - return -1; - - while ((err = read(fd, s, 1)) > 0 && (--count) != 0) - if (*s++ == '\0') - return (n - count); - if (err < 0) - return(-1); - *s = '\0'; - return (n - count); -} - -static void -display_tokens(void) -{ - u_int32_t i; - unsigned char t[128]; - struct ViceIoctl parms; - - parms.in = (void *)&i; - parms.in_size = sizeof(i); - parms.out = (void *)t; - parms.out_size = sizeof(t); - - for (i = 0; k_pioctl(NULL, VIOCGETTOK, &parms, 0) == 0; i++) { - int32_t size_secret_tok, size_public_tok; - char *cell; - struct ClearToken ct; - unsigned char *r = t; - - memcpy(&size_secret_tok, r, sizeof(size_secret_tok)); - /* dont bother about the secret token */ - r += size_secret_tok + sizeof(size_secret_tok); - memcpy(&size_public_tok, r, sizeof(size_public_tok)); - r += sizeof(size_public_tok); - memcpy(&ct, r, size_public_tok); - r += size_public_tok; - /* there is a int32_t with length of cellname, but we dont read it */ - r += sizeof(int32_t); - cell = r; - - printf("%-15s ", short_date(ct.BeginTimestamp)); - printf("%-15s ", short_date(ct.EndTimestamp)); - if ((ct.EndTimestamp - ct.BeginTimestamp) & 1) - printf("User's (AFS ID %d) tokens for %s", ct.ViceId, cell); - else - printf("Tokens for %s", cell); - if (option_verbose) - printf(" (%d)", ct.AuthHandle); - putchar('\n'); - } -} - -static void -display_srvtab(char *file) -{ - int stab; - char serv[SNAME_SZ]; - char inst[INST_SZ]; - char rlm[REALM_SZ]; - unsigned char key[8]; - unsigned char vno; - int count; - - printf("Server key file: %s\n", file); - - if ((stab = open(file, O_RDONLY, 0400)) < 0) { - perror(file); - exit(1); - } - printf("%-15s %-15s %-10s %s\n","Service","Instance","Realm", - "Key Version"); - printf("------------------------------------------------------\n"); - - /* argh. 
getst doesn't return error codes, it silently fails */ - while (((count = ok_getst(stab, serv, SNAME_SZ)) > 0) - && ((count = ok_getst(stab, inst, INST_SZ)) > 0) - && ((count = ok_getst(stab, rlm, REALM_SZ)) > 0)) { - if (((count = read(stab, &vno,1)) != 1) || - ((count = read(stab, key,8)) != 8)) { - if (count < 0) - err(1, "reading from key file"); - else - errx(1, "key file truncated"); - } - printf("%-15s %-15s %-15s %d\n",serv,inst,rlm,vno); - } - if (count < 0) - warn(file); - close(stab); -} - -static void -usage(void) -{ - fprintf(stderr, - "Usage: %s [ -v | -s | -t ] [ -f filename ] [-tokens] [-srvtab ]\n", - progname); - exit(1); -} - -/* ARGSUSED */ -int -main(int argc, char **argv) -{ - int long_form = 1; - int tgt_test = 0; - int do_srvtab = 0; - int do_tokens = 0; - char *tkt_file = NULL; - - while (*(++argv) != NULL) { - if (!strcmp(*argv, "-v")) { - option_verbose = 1; - continue; - } - if (!strcmp(*argv, "-s")) { - long_form = 0; - continue; - } - if (!strcmp(*argv, "-t")) { - tgt_test = 1; - long_form = 0; - continue; - } - if (strcmp(*argv, "-tokens") == 0 - || strcmp(*argv, "-T") == 0) { - do_tokens = k_hasafs(); - continue; - } - if (!strcmp(*argv, "-l")) { /* now default */ - continue; - } - if (!strncmp(*argv, "-f", 2)) { - if (*(++argv)) { - tkt_file = *argv; - continue; - } else - usage(); - } - if (!strcmp(*argv, "-srvtab")) { - if (tkt_file == NULL) /* if no other file spec'ed, - set file to default srvtab */ - tkt_file = KEYFILE; - do_srvtab = 1; - continue; - } - usage(); - } - - if (do_srvtab) - display_srvtab(tkt_file); - else - display_tktfile(tkt_file, tgt_test, long_form); - if (long_form && do_tokens){ - printf("\nAFS tokens:\n"); - display_tokens(); - } - exit(0); -} diff --git a/kerberosIV/kprop/Makefile b/kerberosIV/kprop/Makefile deleted file mode 100644 index f8cf5ebf3fe..00000000000 --- a/kerberosIV/kprop/Makefile +++ /dev/null 
@@ -1,9 +0,0 @@
-# $Id: Makefile,v 1.3 1998/02/18 12:55:16 art Exp $
-
-PROG= kprop
-LDADD+= -lkrb -ldes
-DPADD+= ${LIBKRB} ${LIBDES}
-MAN= kprop.8
-CFLAGS+=-Wall
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/kprop/kprop.8 b/kerberosIV/kprop/kprop.8
deleted file mode 100644
index 567e5931cf2..00000000000
--- a/kerberosIV/kprop/kprop.8
+++ /dev/null
@@ -1,130 +0,0 @@ -.\" -.\" Copyright (c) 1997 Jason L. Wright. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. All advertising materials mentioning features or use of this software -.\" must display the following acknowledgement: -.\" This product includes software developed by Jason L. Wright -.\" 4. The name of Jason L. Wright may not be used to endorse or promote -.\" products derived from this software without specific prior written -.\" permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY Jason L. Wright ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL Jason L. Wright BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.Dd July 2, 1997 -.Dt KPROP 8 -.Os -.Sh NAME -.Nm kprop -.Nd network utility for Kerberos database propagation -.Sh SYNOPSIS -.Nm kadmin database slaves_file [-force] [-safe | -clear] [-realm realm] -.Sh DESCRIPTION -The -.Nm kprop -daemon runs on a Kerberos master and propagates the Kerberos -database to the Kerberos slaves, where it is received by the waiting -.Xr kpropd 8 -daemon. -.Pp -The first parameter, -.Nm database , -is the name of the file out of which data is -extracted. This file is not the db-formatted Kerberos database, -.Pa /etc/kerberosIV/principal.db . -See the -.Nm db(3) -reference page for more -information. The database is a file created by the -.Nm kdb_util slave dump -command. It is an ASCII representation of the Kerberos database. -.Pp -The second parameter that must be supplied is -.Nm slaves_file , -the name of the -file on the Kerberos master that lists the Kerberos slaves to which kprop -propagates the Kerberos master database. The slaves file contains one -line for each host running a secondary server consisting on just the hostname -of the machine. -.Pp -The Kerberos utility first determines whether the ASCII Kerberos database, -database, was correctly dumped by -.Nm kdb_util . -It accomplishes this by -determining if database is older than the -.Pa database.dump.ok -file created by -.Nm kdb_util -during the slave dump operation. If it is older, the dump did not -succeed or is not yet finished. If the dump did not complete successfully -or has not yet completed, the master database is not transferred to any -Kerberos slave. Otherwise, -.Nm kprop -determines, for each slave server listed -in the slaves file, whether or not the database has changed since the last -successful transfer to the slave. It determines this for slave server -.Nm cactus -by comparing the modification time of the -.Pa cactus-last-prop -file, which is stored in the same directory as the slaves file, -with the modification time of database. 
If the -.Pa /etc/kerberosIV/cactus-last-prop -file -is newer, then the database, need not be transferred to -.Nm cactus . -Finally, -.Nm kprop -propagates the database to those servers which need a new -copy of the database and updates the modification time of the -.Pa /etc/kerberosIV/server-last-prop -file for these slave servers. -.Ss Parameters -.Bl -tag -width Fl -.It Fl safe -Data sent over the network will be authenticated at the destination -and protected against modifications in transit. In other words, -.Nm kprop -and -.Nm kpropd -will become Kerberos authenticated to each other and send messages formatted -with -.Xr krb_mk_safe 3 . -.It Fl clear -Data will be sent in cleartext (not encrypted). This switch is useful when -first setting up the Kerberos environment. -.It Fl realm -Use the specified realm instead of the default from -.Xr krb.conf 5 . -.It Fl force -Force propagation to slaves even if there have been no recent changes to -the master database. Normally, propagation only takes place if the database -file has changed since the last transfer. -.Sh BUGS -This utility does not support the transfer of encrypted data. -.Pp -The -.Nm -clear -and -.Nm -safe -options are not implemented. -.Sh SEE ALSO -.Xr kerberos 1 , -.Xr kdb_util 8 , -.Xr kpropd 8 diff --git a/kerberosIV/kprop/kprop.c b/kerberosIV/kprop/kprop.c deleted file mode 100644 index aa239e90f03..00000000000 --- a/kerberosIV/kprop/kprop.c +++ /dev/null 
@@ -1,535 +0,0 @@
-/* $OpenBSD: kprop.c,v 1.6 1998/02/25 15:51:03 art Exp $ */
-/* $KTH: kprop.c,v 1.30 1997/12/05 01:34:49 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1987 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include <slav_locl.h>
-#include <kprop.h>
-#include <sys/param.h>
-#include <err.h>
-
-static char kprop_version[KPROP_PROT_VERSION_LEN] = KPROP_PROT_VERSION;
-
-int debug = 0;
-
-char my_realm[REALM_SZ];
-int princ_data_size = 3 * sizeof(int32_t) + 3 * sizeof(unsigned char);
-short transfer_mode, net_transfer_mode;
-int force_flag;
-static char ok[] = ".dump_ok";
-
-struct slave_host {
- u_int32_t net_addr;
- char *name;
- char *instance;
- char *realm;
- int not_time_yet;
- int succeeded;
- struct slave_host *next;
-};
-
-static
-int get_slaves(struct slave_host **psl, char *file, time_t ok_mtime)
-{
- FILE *fin;
- char namebuf[128], *inst;
- char *pc;
- struct hostent *host;
- struct slave_host **th;
- char path[256];
- char *ppath;
- struct stat stbuf;
-
- if ((fin = fopen(file, "r")) == NULL)
- err(1, "open(%s)", file);
- strcpy(path, file);
- if ((ppath = strrchr(path, '/'))) {
- ppath += 1;
- } else {
- ppath = path;
- }
- th = psl;
- while(fgets(namebuf, sizeof(namebuf), fin)){
- if ((pc = strchr(namebuf, '\n'))) {
- *pc = '\0';
- } else {
- if(strlen(namebuf) == sizeof(namebuf) - 1){
- warnx ("Hostname too long (>= %d chars) in '%s'.",
- (int) sizeof(namebuf), file);
- do{
- if(fgets(namebuf, sizeof(namebuf), fin) == NULL)
- break;
- }while(strchr(namebuf, '\n') == NULL);
- continue;
- }
- }
- if(namebuf[0] == 0 || namebuf[0] == '#')
- continue;
- host = gethostbyname(namebuf);
- if (host == NULL) {
- warnx ("Ignoring host '%s' in '%s': %s",
- namebuf, file,
- "unknown error"
- );
- continue;
- }
- (*th) = (struct slave_host *) malloc(sizeof(struct slave_host));
- if (!*th)
- errx (1, "No memory reading host list from '%s'.",
- file);
- memset(*th, 0, sizeof(struct slave_host));
- (*th)->name = strdup(namebuf);
- if ((*th)->name == NULL)
- errx (1, "No memory reading host list from '%s'.",
- file);
- /* get kerberos cannonical instance name */
- inst = krb_get_phost ((*th)->name);
- (*th)->instance = strdup(inst);
- if ((*th)->instance == 
NULL)
- errx (1, "No memory reading host list from '%s'.",
- file);
- /* what a concept, slave servers in different realms! */
- (*th)->realm = my_realm;
- memcpy(&(*th)->net_addr, host->h_addr, sizeof((*th)->net_addr));
- (*th)->not_time_yet = 0;
- (*th)->succeeded = 0;
- (*th)->next = NULL;
- strcat(strcpy(ppath, (*th)->name), "-last-prop");
- if (!force_flag && !stat(path, &stbuf) && stbuf.st_mtime > ok_mtime) {
- (*th)->not_time_yet = 1;
- (*th)->succeeded = 1; /* no change since last success */
- }
- th = &(*th)->next;
- }
- fclose(fin);
- return (1);
-}
-
-/* The master -> slave protocol looks like this:
- 1) 8 byte version string
- 2) 2 bytes of "transfer mode" (net byte order of course)
- 3) ticket/authentication send by sendauth
- 4) 4 bytes of "block" length (u_int32_t)
- 5) data
-
- 4 and 5 repeat til EOF ...
-*/
-
-static int
-prop_to_slaves(struct slave_host *sl, int fd, char *fslv)
-{
- u_char buf[KPROP_BUFSIZ];
- u_char obuf[KPROP_BUFSIZ + 64]; /* leave room for private msg overhead */
- struct sockaddr_in sin, my_sin;
- int i, n, s;
- struct slave_host *cs; /* current slave */
- char path[256], my_host_name[MAXHOSTNAMELEN], *p_my_host_name;
- char kprop_service_instance[INST_SZ];
- char *pc;
- u_int32_t cksum;
- u_int32_t length, nlength;
- long kerror;
- KTEXT_ST ticket;
- CREDENTIALS cred;
- MSG_DAT msg_dat;
- static char tkstring[] = "/tmp/kproptktXXXXXXXXXX";
-
- des_key_schedule session_sched;
-
- close(mkstemp(tkstring));
- krb_set_tkt_string(tkstring);
-
- memset(&sin, 0, sizeof sin);
- sin.sin_family = AF_INET;
- sin.sin_port = k_getportbyname ("krb_prop", "tcp", htons(KPROP_PORT));
- sin.sin_addr.s_addr = INADDR_ANY;
-
- strcpy(path, fslv);
- if ((pc = strrchr(path, '/'))) {
- pc += 1;
- } else {
- pc = path;
- }
-
- for (i = 0; i < 5; i++) { /* try each slave five times max */
- for (cs = sl; cs; cs = cs->next) {
- if (!cs->succeeded) {
- if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- err (1, "socket");
- memcpy(&sin.sin_addr, 
&cs->net_addr,
- sizeof cs->net_addr);
-
- if (connect(s, (struct sockaddr *) &sin, sizeof sin) < 0) {
- warn ("connect(%s)", cs->name);
- close(s);
- continue; /*** NEXT SLAVE ***/
- }
-
- /* for krb_mk_{priv, safe} */
- memset(&my_sin, 0, sizeof my_sin);
- n = sizeof my_sin;
- if (getsockname (s, (struct sockaddr *) &my_sin, &n) != 0) {
- warn ("getsockname(%s)", cs->name);
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
- if (n != sizeof (my_sin)) {
- warnx ("can't get socketname %s length", cs->name);
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
-
- /* Get ticket */
- kerror = krb_mk_req (&ticket, KPROP_SERVICE_NAME,
- cs->instance, cs->realm, (u_int32_t) 0);
- /* if ticket has expired try to get a new one, but
- * first get a TGT ...
- */
- if (kerror != MK_AP_OK) {
- if (gethostname (my_host_name, sizeof(my_host_name)) != 0) {
- warnx ("gethostname(%s): %s",
- my_host_name,
- "unknown error"
- );
- close (s);
- break; /* next one can't work either! */
- }
- /* get canonical kerberos service instance name */
- p_my_host_name = krb_get_phost (my_host_name);
- /* copy it to make sure gethostbyname static doesn't
- * screw us. */
- strcpy (kprop_service_instance, p_my_host_name);
- kerror = krb_get_svc_in_tkt (KPROP_SERVICE_NAME,
-#if 0
- kprop_service_instance,
-#else
- KRB_MASTER,
-#endif
- my_realm,
- KRB_TICKET_GRANTING_TICKET,
- my_realm,
- 96,
- KPROP_SRVTAB);
- if (kerror != INTK_OK) {
- warnx ("%s: %s. 
While getting initial ticket\n",
- cs->name, krb_get_err_text(kerror));
- close (s);
- goto punt;
- }
- kerror = krb_mk_req (&ticket, KPROP_SERVICE_NAME,
- cs->instance, cs->realm, (u_int32_t) 0);
- }
- if (kerror != MK_AP_OK) {
- warnx ("%s: krb_mk_req: %s",
- cs->name, krb_get_err_text(kerror));
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
-
- if (write(s, kprop_version, sizeof(kprop_version))
- != sizeof(kprop_version)) {
- warn ("%s", cs->name);
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
-
- net_transfer_mode = htons (transfer_mode);
- if (write(s, &net_transfer_mode, sizeof(net_transfer_mode))
- != sizeof(net_transfer_mode)) {
- warn ("write(%s)", cs->name);
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
-
- kerror = krb_get_cred (KPROP_SERVICE_NAME, cs->instance,
- cs->realm, &cred);
- if (kerror != KSUCCESS) {
- warnx ("%s: %s. Getting session key.",
- cs->name, krb_get_err_text(kerror));
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
-#ifdef NOENCRYPTION
- memset(session_sched, 0, sizeof(session_sched));
-#else
- if (des_key_sched (&cred.session, session_sched)) {
- warnx ("%s: can't make key schedule.",
- cs->name);
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
-#endif
- /* SAFE (quad_cksum) and CLEAR are just not good enough */
- cksum = 0;
-#ifdef not_working_yet
- if (transfer_mode != KPROP_TRANSFER_PRIVATE) {
- cksum = get_data_checksum(fd, session_sched);
- lseek(fd, 0L, 0);
- }
- else
-#endif
- {
- struct stat st;
- fstat (fd, &st);
- cksum = st.st_size;
- }
- kerror = krb_sendauth(KOPT_DO_MUTUAL,
- s,
- &ticket,
- KPROP_SERVICE_NAME,
- cs->instance,
- cs->realm,
- cksum,
- &msg_dat,
- &cred,
- session_sched,
- &my_sin,
- &sin,
- KPROP_PROT_VERSION);
- if (kerror != KSUCCESS) {
- warnx ("%s: krb_sendauth: %s.",
- cs->name, krb_get_err_text(kerror));
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
-
- lseek(fd, 0L, SEEK_SET); /* Rewind file before rereading it. 
*/
- while ((n = read(fd, buf, sizeof buf))) {
- if (n < 0)
- err (1, "read");
- switch (transfer_mode) {
- case KPROP_TRANSFER_PRIVATE:
- case KPROP_TRANSFER_SAFE:
- if (transfer_mode == KPROP_TRANSFER_PRIVATE)
- length = krb_mk_priv (buf, obuf, n,
- session_sched, &cred.session,
- &my_sin, &sin);
- else
- length = krb_mk_safe (buf, obuf, n,
- &cred.session,
- &my_sin, &sin);
- if (length == -1) {
- warnx ("%s: %s failed.",
- cs->name,
- (transfer_mode == KPROP_TRANSFER_PRIVATE)
- ? "krb_rd_priv" : "krb_rd_safe");
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
- nlength = htonl(length);
- if (write(s, &nlength, sizeof nlength)
- != sizeof nlength) {
- warn ("write(%s)", cs->name);
- close (s);
- continue; /*** NEXT SLAVE ***/
- }
- if (write(s, obuf, length) != length) {
- warn ("write(%s)", cs->name);
- close(s);
- continue; /*** NEXT SLAVE ***/
- }
- break;
- case KPROP_TRANSFER_CLEAR:
- if (write(s, buf, n) != n) {
- warn ("write(%s)", cs->name);
- close(s);
- continue; /*** NEXT SLAVE ***/
- }
- break;
- }
- }
- close(s);
- cs->succeeded = 1;
- fprintf(stderr, "%s: success.\n", cs->name);
- strcat(strcpy(pc, cs->name), "-last-prop");
- unlink(path);
- close(creat(path, 0600));
- }
- }
- }
-punt:
-
- dest_tkt();
- for (cs = sl; cs; cs = cs->next) {
- if (!cs->succeeded)
- return (0); /* didn't get this slave */
- }
- return (1);
-}
-
-static void
-usage()
-{
- /* already got floc and fslv, what is this? 
*/
- fprintf(stderr,
- "\nUsage: kprop [-force] [-realm realm] [-private"
-#ifdef not_safe_yet
- "|-safe|-clear"
-#endif
- "] [data_file [slaves_file]]\n\n");
- exit(1);
-}
-
-
-int
-main(int argc, char **argv)
-{
- int fd, i;
- char *floc, *floc_ok;
- char *fslv;
- struct stat stbuf, stbuf_ok;
- time_t l_init, l_final;
- char *pc;
- int l_diff;
- static struct slave_host *slave_host_list = NULL;
- struct slave_host *sh;
-
- transfer_mode = KPROP_TRANSFER_PRIVATE;
-
- time(&l_init);
- pc = ctime(&l_init);
- pc[strlen(pc) - 1] = '\0';
- printf("\nStart slave propagation: %s\n", pc);
-
- floc = NULL;
- fslv = NULL;
-
- if (krb_get_lrealm(my_realm,1) != KSUCCESS)
- errx (1, "Getting my kerberos realm. Check krb.conf");
-
- for (i = 1; i < argc; i++)
- switch (argv[i][0]) {
- case '-':
- if (strcmp (argv[i], "-private") == 0)
- transfer_mode = KPROP_TRANSFER_PRIVATE;
-#ifdef not_safe_yet
- else if (strcmp (argv[i], "-safe") == 0)
- transfer_mode = KPROP_TRANSFER_SAFE;
- else if (strcmp (argv[i], "-clear") == 0)
- transfer_mode = KPROP_TRANSFER_CLEAR;
-#endif
- else if (strcmp (argv[i], "-realm") == 0) {
- i++;
- if (i < argc)
- strcpy(my_realm, argv[i]);
- else
- usage();
- } else if (strcmp (argv[i], "-force") == 0)
- force_flag++;
- else {
- warnx("unknown control argument %s.", argv[i]);
- usage ();
- }
- break;
- default:
- /* positional arguments are marginal at best ... 
*/
- if (floc == NULL)
- floc = argv[i];
- else {
- if (fslv == NULL)
- fslv = argv[i];
- else
- usage();
- }
- }
- if(floc == NULL)
- floc = DB_DIR "/slave_dump";
- if(fslv == NULL)
- fslv = DB_DIR "/slaves";
-
- asprintf (&floc_ok, "%s%s", floc, ok);
- if (floc_ok == NULL)
- errx (1, "out of memory in copying %s", floc);
-
- if ((fd = open(floc, O_RDONLY)) < 0)
- err (1, "open(%s)", floc);
- if (flock(fd, K_LOCK_SH | K_LOCK_NB))
- err (1, "flock(%s)", floc);
- if (stat(floc, &stbuf))
- err (1, "stat(%s)", floc);
- if (stat(floc_ok, &stbuf_ok))
- err (1, "stat(%s)", floc_ok);
- if (stbuf.st_mtime > stbuf_ok.st_mtime)
- errx (1, "'%s' more recent than '%s'.", floc, floc_ok);
- if (!get_slaves(&slave_host_list, fslv, stbuf_ok.st_mtime))
- errx (1, "can't read slave host file '%s'.", fslv);
-#ifdef KPROP_DBG
- {
- struct slave_host *sh;
- int i;
- fprintf(stderr, "\n\n");
- fflush(stderr);
- for (sh = slave_host_list; sh; sh = sh->next) {
- fprintf(stderr, "slave %d: %s, %s", i++, sh->name,
- inet_ntoa(sh->net_addr));
- fflush(stderr);
- }
- }
-#endif /* KPROP_DBG */
-
- if (!prop_to_slaves(slave_host_list, fd, fslv))
- errx (1, "propagation failed.");
- if (flock(fd, K_LOCK_UN))
- err (1, "flock(%s, LOCK_UN)", floc);
- fprintf(stderr, "\n\n");
- for (sh = slave_host_list; sh; sh = sh->next) {
- fprintf(stderr, "%s:\t\t%s\n", sh->name,
- (sh->not_time_yet? "Not time yet" : (sh->succeeded ? "Succeeded" : "FAILED")));
- }
-
- time(&l_final);
- l_diff = l_final - l_init;
- printf("propagation finished, %d:%02d:%02d elapsed\n",
- l_diff / 3600, (l_diff % 3600) / 60, l_diff % 60);
-
- exit(0);
-}
-
-#ifdef doesnt_work_yet
-u_long get_data_checksum(fd, key_sched)
- int fd;
- des_key_schedule key_sched;
-{
- u_int32_t cksum = 0;
- int n;
- char buf[BUFSIZ];
- u_int32_t obuf[2];
-
- while (n = read(fd, buf, sizeof buf)) {
- if (n < 0)
- err (1, "read");
- cksum = cbc_cksum(buf, obuf, n, key_sched, key_sched);
- }
- return cksum;
-}
-#endif
diff --git a/kerberosIV/kpropd/Makefile b/kerberosIV/kpropd/Makefile
deleted file mode 100644
index ca125810852..00000000000
--- a/kerberosIV/kpropd/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# $Id: Makefile,v 1.2 1997/06/29 07:21:19 deraadt Exp $
-
-PROG= kpropd
-LDADD+= -lkrb -ldes
-DPADD+= ${LIBKRB} ${LIBDES}
-MAN= kpropd.8
-BINDIR=/usr/libexec
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/kpropd/kpropd.8 b/kerberosIV/kpropd/kpropd.8
deleted file mode 100644
index 99834cdd1af..00000000000
--- a/kerberosIV/kpropd/kpropd.8
+++ /dev/null
@@ -1,106 +0,0 @@
-.\"
-.\" Copyright (c) 1997 Jason L. Wright. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by Jason L. Wright
-.\" 4. The name of Jason L. Wright may not be used to endorse or promote
-.\" products derived from this software without specific prior written
-.\" permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY Jason L. Wright ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL Jason L. Wright BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.Dd July 2, 1997 -.Dt KPROPD 8 -.Os -.Sh NAME -.Nm kpropd -.Nd network utility for Kerberos database propagation -.Sh SYNOPSIS -.Nm kpropd [-r realm] [-s srvtab] [-d database_file] [-l logfile] -.Nm [-p kdb_util_path] output_file -.Sh DESCRIPTION -This daemon runs on a Kerberos slave and waits to receive the -Kerberos database propagated from a -.Nm kprop -process on a Kerberos master. -The first parameter, -.Nm output_file , -that you must supply to the daemon is the name of a text file in which -data will be placed when it comes over the network. -.Pp -This utility executes the -.Nm kdb_util -utility, which loads the database -from the file specified in -.Nm output_file , -puts it in -.Nm db(3) -format, and copies it into the Kerberos database in the directory -.Pa /etc/kerberosIV . -.Ss Parameters -.Bl -tag -width Fl -.It Fl r -Specifies the receiver realm for which data is accepted; -.Pa /etc/kerberosIV/krb.conf -specifies the default. -.It Fl s -Specifies the service table file from which to read the password -of the daemon, because a password cannot be entered manually when -running as a daemon. The default is: -.Pa /etc/kerberosIV/srvtab . -.It Fl d -Specifies the primary Kerberos database file of a -Kerberos slave. -This file receives a new or updated -database propagated from the Kerberos master. -The default is the database -.Pa /etc/kerberosIV/principal.db . -.It Fl i -Run stand-alone. If this flag is not given, it is assumed to have -been started by inetd. -.It Fl l -Specifies the name of the log file to be used. The default is: -.Pa /var/log/kpropd.log . -.It Fl p -Specifies the full path (with directory and command) to the program -.Nm kdb_util . -The default is just: -.Nm kdb_util -which relies on the PATH environment variable to be searched to find it. -.It Fl P -Synonym for -.Nm -p . -.Sh BUGS -This utility does not support the transfer of encrypted data. 
-.Pp -If the -.Nm -P -or -.Nm -p -options are not specified and the PATH environment variable does not -contain the directory with -.Nm kdb_util , -this program will fail. -.Sh SEE ALSO -.Xr kerberos 1 , -.Xr kdb_util 8 , -.Xr kprop 8 diff --git a/kerberosIV/kpropd/kpropd.c b/kerberosIV/kpropd/kpropd.c deleted file mode 100644 index eee0f4e23bd..00000000000 --- a/kerberosIV/kpropd/kpropd.c +++ /dev/null 
@@ -1,343 +0,0 @@
-/* $OpenBSD: kpropd.c,v 1.8 2000/01/12 19:54:47 ericj Exp $ */
-/* $KTH: kpropd.c,v 2.24 1997/12/05 01:34:57 assar Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-#include <stdio.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <errno.h>
-#include <unistd.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <time.h>
-#include <sys/file.h>
-#include <sys/wait.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/socket.h>
-#include <netdb.h>
-#include <err.h>
-
-
-#include <kerberosIV/krb.h>
-#include <kerberosIV/krb_db.h>
-#include <klog.h>
-#include <kerberosIV/prot.h>
-#include <kdc.h>
-
-#include <krb_log.h>
-
-#include "kprop.h"
-
-#ifndef SBINDIR
-#define SBINDIR "/usr/sbin"
-#endif
-
-struct sockaddr_in master, slave;
-
-char *database = DBM_FILE;
-
-char *lockfile = DB_DIR "/slave_propagation";
-
-char *logfile = K_LOGFIL;
-
-char *kdb_util = SBINDIR "/kdb_util";
-
-char *kdb_util_command = "load";
-
-char *srvtab = "";
-
-char realm[REALM_SZ];
-
-static
-int
-copy_data(int from, int to, des_cblock *session, des_key_schedule schedule)
-{
- unsigned char tmp[4];
- char buf[KPROP_BUFSIZ + 26];
- u_int32_t length;
- int n;
-
- int kerr;
- MSG_DAT m;
-
- while(1){
- n = krb_net_read(from, tmp, 4);
- if(n == 0)
- break;
- if(n < 0){
- klog(L_KRB_PERR, "krb_net_read: %s", strerror(errno));
- return -1;
- }
- if(n != 4){
- klog(L_KRB_PERR, "Premature end of data");
- return -1;
- }
- length = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
- if(length > sizeof(buf)){
- klog(L_KRB_PERR, "Giant 
packet received: %d", length);
- return -1;
- }
- if(krb_net_read(from, buf, length) != length){
- klog(L_KRB_PERR, "Premature end of data");
- return -1;
- }
- kerr = krb_rd_priv (buf, length, schedule, session, &master, &slave, &m);
- if(kerr != KSUCCESS){
- klog(L_KRB_PERR, "Kerberos error: %s", krb_get_err_text(kerr));
- return -1;
- }
- write(to, m.app_data, m.app_length);
- }
- return 0;
-}
-
-
-static
-int
-kprop(int s)
-{
- char buf[128];
- int n;
- KTEXT_ST ticket;
- AUTH_DAT ad;
- char sinst[INST_SZ];
- char command[1024];
- des_key_schedule schedule;
- int mode;
- int kerr;
- int lock;
-
- n = sizeof(master);
- if(getpeername(s, (struct sockaddr*)&master, &n) < 0){
- klog(L_KRB_PERR, "getpeername: %s", strerror(errno));
- return 1;
- }
-
- n = sizeof(slave);
- if(getsockname(s, (struct sockaddr*)&slave, &n) < 0){
- klog(L_KRB_PERR, "getsockname: %s", strerror(errno));
- return 1;
- }
-
- klog(L_KRB_PERR, "Connection from %s", inet_ntoa(master.sin_addr));
-
- n = krb_net_read(s, buf, KPROP_PROT_VERSION_LEN + 2);
- if(n < KPROP_PROT_VERSION_LEN + 2){
- klog(L_KRB_PERR, "Premature end of data");
- return 1;
- }
- if(memcmp(buf, KPROP_PROT_VERSION, KPROP_PROT_VERSION_LEN) != 0){
- klog(L_KRB_PERR, "Bad protocol version string received");
- return 1;
- }
- mode = (buf[n-2] << 8) | buf[n-1];
- if(mode != KPROP_TRANSFER_PRIVATE){
- klog(L_KRB_PERR, "Bad transfer mode received: %d", mode);
- return 1;
- }
- k_getsockinst(s, sinst, sizeof(sinst));
- kerr = krb_recvauth(KOPT_DO_MUTUAL, s, &ticket,
- KPROP_SERVICE_NAME, sinst,
- &master, &slave,
- &ad, srvtab, schedule,
- buf);
- if(kerr != KSUCCESS){
- klog(L_KRB_PERR, "Kerberos error: %s", krb_get_err_text(kerr));
- return 1;
- }
-
- if(strcmp(ad.pname, KPROP_SERVICE_NAME) ||
-#if 0
- strcmp(ad.pinst, /* XXX remote host */) ||
-#else
- strcmp(ad.pinst, KRB_MASTER) ||
-#endif
- strcmp(ad.prealm, realm)){
- klog(L_KRB_PERR, "Connection from unauthorized client: %s",
- krb_unparse_name_long(ad.pname, ad.pinst, 
ad.prealm));
- return 1;
- }
-
- des_set_key(&ad.session, schedule);
-
- lock = open(lockfile, O_WRONLY|O_CREAT, 0600);
- if(lock < 0){
- klog(L_KRB_PERR, "Failed to open file: %s", strerror(errno));
- return 1;
- }
- if(flock(lock, K_LOCK_EX | K_LOCK_NB)){
- close(lock);
- klog(L_KRB_PERR, "Failed to lock file: %s", strerror(errno));
- return 1;
- }
-
- if(ftruncate(lock, 0) < 0){
- close(lock);
- klog(L_KRB_PERR, "Failed to lock file: %s", strerror(errno));
- return 1;
- }
-
- if(copy_data(s, lock, &ad.session, schedule)){
- close(lock);
- return 1;
- }
- close(lock);
- snprintf(command, sizeof(command),
- "%s %s %s %s", kdb_util, kdb_util_command,
- lockfile, database);
- if(system(command) == 0){
- klog(L_KRB_PERR, "Propagation finished successfully");
- return 0;
- }
- klog(L_KRB_PERR, "*** Propagation failed ***");
- return 1;
-}
-
-static int
-doit(void)
-{
- return kprop(0);
-}
-
-static int
-doit_interactive(void)
-{
- struct sockaddr_in sa;
- int salen;
- int s, s2;
- int ret;
-
- s = socket(AF_INET, SOCK_STREAM, 0);
- if(s < 0){
- klog(L_KRB_PERR, "socket: %s", strerror(errno));
- return 1;
- }
- memset(&sa, 0, sizeof(sa));
- sa.sin_family = AF_INET;
- sa.sin_port = k_getportbyname ("krb_prop", "tcp", htons(KPROP_PORT));
- ret = bind(s, (struct sockaddr*)&sa, sizeof(sa));
- if (ret < 0) {
- klog(L_KRB_PERR, "bind: %s", strerror(errno));
- return 1;
- }
- ret = listen(s, SOMAXCONN);
- if (ret < 0) {
- klog(L_KRB_PERR, "listen: %s", strerror(errno));
- return 1;
- }
- for(;;) {
- salen = sizeof(sa);
- s2 = accept(s, (struct sockaddr*)&sa, &salen);
- switch(fork()){
- case -1:
- klog(L_KRB_PERR, "fork: %s", strerror(errno));
- return 1;
- case 0:
- close(s);
- kprop(s2);
- return 1;
- default: {
- int status;
- close(s2);
- wait(&status);
- }
- }
- }
-}
-
-static void
-usage (void)
-{
- fprintf (stderr,
- "Usage: kpropd [-i] [-d database] [-l log] [-m] [-[p|P] program]"
- " [-r realm] [-s srvtab]\n");
- exit (1);
-}
-
-int
-main(int argc, char **argv)
-{
- 
int opt;
- int interactive = 0;
-
- krb_get_lrealm(realm, 1);
-
- while((opt = getopt(argc, argv, ":d:l:mp:P:r:s:i")) != -1){
- switch(opt){
- case 'd':
- database = optarg;
- break;
- case 'l':
- logfile = optarg;
- break;
- case 'm':
- kdb_util_command = "merge";
- break;
- case 'p':
- case 'P':
- kdb_util = optarg;
- break;
- case 'r':
- strncpy(realm, optarg, sizeof(realm));
- break;
- case 's':
- srvtab = optarg;
- break;
- case 'i':
- interactive = 1;
- break;
- default:
- klog(L_KRB_PERR, "Bad option: -%c", optopt);
- usage ();
- exit(1);
- }
- }
- kset_logfile(logfile);
- if (interactive)
- return doit_interactive ();
- else
- return doit ();
-}
diff --git a/kerberosIV/krb/Makefile b/kerberosIV/krb/Makefile
deleted file mode 100644
index 5ff92eab57f..00000000000
--- a/kerberosIV/krb/Makefile
+++ /dev/null
@@ -1,110 +0,0 @@
-# @(#)Makefile 8.1 (Berkeley) 6/1/93
-
-LIB= krb
-CFLAGS+=-I${.CURDIR}
-SRCS= base64.c \
- check_time.c \
- cr_err_reply.c \
- create_auth_reply.c \
- create_ciph.c \
- create_death_packet.c \
- create_ticket.c \
- debug_decl.c \
- decomp_ticket.c \
- dest_tkt.c \
- encrypt_ktext.c \
- extra.c \
- get_ad_tkt.c \
- get_cred.c \
- get_default_principal.c \
- get_host.c \
- get_in_tkt.c \
- get_krbrlm.c \
- get_svc_in_tkt.c \
- get_tf_fullname.c \
- get_tf_realm.c \
- getaddrs.c \
- getfile.c \
- getrealm.c \
- getst.c \
- k_concat.c \
- k_getport.c \
- k_getsockinst.c \
- k_localtime.c \
- kdc_reply.c \
- kntoln.c \
- krb_check_auth.c \
- krb_equiv.c \
- krb_err.c \
- krb_err_txt.c \
- krb_get_in_tkt.c \
- kuserok.c \
- lifetime.c \
- logging.c \
- lsb_addr_comp.c \
- mk_auth.c \
- mk_err.c \
- mk_priv.c \
- mk_req.c \
- mk_safe.c \
- month_sname.c \
- name2name.c \
- netread.c \
- netwrite.c \
- one.c \
- parse_name.c \
- rd_err.c\
- rd_priv.c \
- rd_req.c \
- rd_safe.c \
- read_service_key.c \
- realm_parse.c \
- recvauth.c \
- resolve.c \
- rw.c \
- save_credentials.c \
- send_to_kdc.c \
- sendauth.c \
- stime.c \
- str2key.c \
- time.c \
- tf_util.c \
- tkt_string.c \
- unparse_name.c \
- verify_user.c \
- version.c
-
-
-# XXX base64.c should really be somewhere else.
-# (or replaced) (they are from libroken)
-
-MAN= kerberos.3 krb_realmofhost.3 krb_sendauth.3 krb_set_tkt_string.3 \
- kuserok.3 tf_util.3
-MLINKS+=kerberos.3 krb_mk_req.3 kerberos.3 krb_rd_req.3 kerberos.3 krb_kntoln.3 \
- kerberos.3 krb_set_key.3 kerberos.3 krb_get_cred.3 kerberos.3 krb_mk_priv.3 \
- kerberos.3 krb_rd_priv.3 kerberos.3 krb_mk_safe.3 kerberos.3 krb_rd_safe.3 \
- kerberos.3 krb_mk_err.3 kerberos.3 krb_rd_err.3 kerberos.3 krb_ck_repl.3
-MLINKS+=krb_realmofhost.3 krb_get_phost.3 krb_realmofhost.3 krb_get_krbhst.3 \
- krb_realmofhost.3 krb_get_admhst.3 krb_realmofhost.3 krb_get_lrealm.3
-MLINKS+=krb_sendauth.3 krb_recvauth.3 krb_sendauth.3 krb_net_write.3 \
- krb_sendauth.3 krb_net_read.3
-MLINKS+=tf_util.3 tf_init.3 tf_util.3 tf_get_pname.3 tf_util.3 tf_get_pinst.3 \
- tf_util.3 tf_get_cred.3 tf_util.3 tf_close.3
-
-LDADD+= ${COM_ERR}
-CLEANFILES+= krb_err.c krb_err.h
-
-krb_err.c krb_err.h: krb_err.et
- test -e krb_err.et || ln -s ${.CURDIR}/krb_err.et .
- compile_et krb_err.et
- -test -h krb_err.et && rm krb_err.et
-
-beforedepend prereq: krb_err.h
-
-includes: krb_err.h
- -cd ${.OBJDIR}; cmp -s krb_err.h \
- ${DESTDIR}/usr/include/kerberosIV/krb_err.h || \
- ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
- krb_err.h ${DESTDIR}/usr/include/kerberosIV
-
-.include <bsd.lib.mk>
diff --git a/kerberosIV/krb/base64.c b/kerberosIV/krb/base64.c
deleted file mode 100644
index 2a7b9438253..00000000000
--- a/kerberosIV/krb/base64.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/* $OpenBSD: base64.c,v 1.2 1997/12/09 07:57:09 art Exp $ */
-/* $KTH: base64.c,v 1.1 1997/08/27 22:41:56 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-static int pos(char c)
-{
- char *p;
- for(p = base64; *p; p++)
- if(*p == c)
- return p - base64;
- return -1;
-}
-
-int base64_encode(const void *data, int size, char **str)
-{
- char *s, *p;
- int i;
- int c;
- unsigned char *q;
-
- p = s = (char*)malloc(size*4/3+4);
- if (p == NULL || data == NULL || str == NULL)
- return -1;
-
- q = (unsigned char*)data;
- i=0;
- for(i = 0; i < size;){
- c=q[i++];
- c*=256;
- if(i < size)
- c+=q[i];
- i++;
- c*=256;
- if(i < size)
- c+=q[i];
- i++;
- p[0]=base64[(c&0x00fc0000) >> 18];
- p[1]=base64[(c&0x0003f000) >> 12];
- p[2]=base64[(c&0x00000fc0) >> 6];
- p[3]=base64[(c&0x0000003f) >> 0];
- if(i > size)
- p[3]='=';
- if(i > size+1)
- p[2]='=';
- p+=4;
- }
- *p=0;
- *str = s;
- return strlen(s);
-}
-
-int base64_decode(const char *str, void *data)
-{
- const char *p;
- unsigned char *q;
- int c;
- int x;
- int done = 0;
- q=(unsigned char*)data;
- for(p=str; *p && !done; p+=4){
- x = pos(p[0]);
- if(x >= 0)
- c = x;
- else{
- done = 3;
- break;
- }
- c*=64;
-
- x = pos(p[1]);
- if(x >= 0)
- c += x;
- else
- return -1;
- c*=64;
-
- if(p[2] == '=')
- done++;
- else{
- x = pos(p[2]);
- if(x >= 0)
- c += x;
- else
- return -1;
- }
- c*=64;
-
- if(p[3] == '=')
- done++;
- else{
- if(done)
- return -1;
- x = pos(p[3]);
- if(x >= 0)
- c += x;
- else
- return -1;
- }
- if(done < 3)
- *q++=(c&0x00ff0000)>>16;
-
- if(done < 2)
- *q++=(c&0x0000ff00)>>8;
- if(done < 1)
- *q++=(c&0x000000ff)>>0;
- }
- return q - (unsigned char*)data;
-}
diff --git a/kerberosIV/krb/check_time.c b/kerberosIV/krb/check_time.c
deleted file mode 100644
index ac5d9d8d0a0..00000000000
--- a/kerberosIV/krb/check_time.c
+++ /dev/null
@@ -1,57 +0,0 @@ -/* $OpenBSD: check_time.c,v 1.2 1997/12/09 07:57:10 art Exp $ */ -/* $KTH: check_time.c,v 1.4 1997/04/01 08:18:18 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -int -krb_check_tm (struct tm tm) -{ - return tm.tm_mon < 0 - || tm.tm_mon > 11 - || tm.tm_hour < 0 - || tm.tm_hour > 23 - || tm.tm_min < 0 - || tm.tm_min > 59 - || tm.tm_sec < 0 - || tm.tm_sec > 59 - || tm.tm_year < 1901 - || tm.tm_year > 2038; -} diff --git a/kerberosIV/krb/cr_err_reply.c b/kerberosIV/krb/cr_err_reply.c deleted file mode 100644 index ea95e8e4121..00000000000 --- a/kerberosIV/krb/cr_err_reply.c +++ /dev/null 
@@ -1,100 +0,0 @@ -/* $OpenBSD: cr_err_reply.c,v 1.3 1997/12/09 07:57:10 art Exp $ */ -/* $KTH: cr_err_reply.c,v 1.9 1997/04/01 08:18:19 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * This routine is used by the Kerberos authentication server to - * create an error reply packet to send back to its client. - * - * It takes a pointer to the packet to be built, the name, instance, - * and realm of the principal, the client's timestamp, an error code - * and an error string as arguments. Its return value is undefined. - * - * The packet is built in the following format: - * - * type variable data - * or constant - * ---- ----------- ---- - * - * unsigned char req_ack_vno protocol version number - * - * unsigned char AUTH_MSG_ERR_REPLY protocol message type - * - * [least significant HOST_BYTE_ORDER sender's (server's) byte - * bit of above field] order - * - * string pname principal's name - * - * string pinst principal's instance - * - * string prealm principal's realm - * - * unsigned long time_ws client's timestamp - * - * unsigned long e error code - * - * string e_string error text - */ - -void -cr_err_reply(KTEXT pkt, char *pname, char *pinst, char *prealm, - u_int32_t time_ws, u_int32_t e, char *e_string) -{ - unsigned char *p = pkt->dat; - - p += krb_put_int(KRB_PROT_VERSION, p, 1); - p += krb_put_int(AUTH_MSG_ERR_REPLY, p, 1); - - if (pname == NULL) pname = ""; - if (pinst == NULL) pinst = ""; - if (prealm == NULL) prealm = ""; - - p += krb_put_nir(pname, pinst, prealm, p); - - p += krb_put_int(time_ws, p, 4); - - p += krb_put_int(e, p, 4); - - p += krb_put_string(e_string, 
p); - - pkt->length = p - pkt->dat; -} diff --git a/kerberosIV/krb/create_auth_reply.c b/kerberosIV/krb/create_auth_reply.c deleted file mode 100644 index 0178ebaf897..00000000000 --- a/kerberosIV/krb/create_auth_reply.c +++ /dev/null 
@@ -1,127 +0,0 @@ -/* $OpenBSD: create_auth_reply.c,v 1.4 1998/07/07 19:06:44 art Exp $ */ -/* $KTH: create_auth_reply.c,v 1.11 1997/04/01 08:18:20 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * This routine is called by the Kerberos authentication server - * to create a reply to an authentication request. The routine - * takes the user's name, instance, and realm, the client's - * timestamp, the number of tickets, the user's key version - * number and the ciphertext containing the tickets themselves. - * It constructs a packet and returns a pointer to it. - * - * Notes: The packet returned by this routine is static. Thus, if you - * intend to keep the result beyond the next call to this routine, you - * must copy it elsewhere. 
- * - * The packet is built in the following format: - * - * variable - * type or constant data - * ---- ----------- ---- - * - * unsigned char KRB_PROT_VERSION protocol version number - * - * unsigned char AUTH_MSG_KDC_REPLY protocol message type - * - * [least significant HOST_BYTE_ORDER sender's (server's) byte - * bit of above field] order - * - * string pname principal's name - * - * string pinst principal's instance - * - * string prealm principal's realm - * - * unsigned long time_ws client's timestamp - * - * unsigned char n number of tickets - * - * unsigned long x_date expiration date - * - * unsigned char kvno master key version - * - * short w_1 cipher length - * - * --- cipher->dat cipher data - */ - -KTEXT -create_auth_reply(char *pname, /* Principal's name */ - char *pinst, /* Principal's instance */ - char *prealm, /* Principal's authentication domain */ - int32_t time_ws, /* Workstation time */ - int n, /* Number of tickets */ - u_int32_t x_date, /* Principal's expiration date */ - int kvno, /* Principal's key version number */ - KTEXT cipher) /* Cipher text with tickets and session keys */ -{ - static KTEXT_ST pkt_st; - KTEXT pkt = &pkt_st; - - unsigned char *p = pkt->dat; - - if(n != 0) - return NULL; - - p += krb_put_int(KRB_PROT_VERSION, p, 1); - p += krb_put_int(AUTH_MSG_KDC_REPLY, p, 1); - - p += krb_put_nir(pname, pinst, prealm, p); - - p += krb_put_int(time_ws, p, 4); - - p += krb_put_int(n, p, 1); - - p += krb_put_int(x_date, p, 4); - - p += krb_put_int(kvno, p, 1); - - p += krb_put_int(cipher->length, p, 2); - - memcpy(p, cipher->dat, cipher->length); - p += cipher->length; - - pkt->length = p - pkt->dat; - - return pkt; -} diff --git a/kerberosIV/krb/create_ciph.c b/kerberosIV/krb/create_ciph.c deleted file mode 100644 index 65d9bbc0be4..00000000000 --- a/kerberosIV/krb/create_ciph.c +++ /dev/null 
@@ -1,119 +0,0 @@ -/* $OpenBSD: create_ciph.c,v 1.3 1997/12/09 07:57:11 art Exp $ */ - -/* $KTH: create_ciph.c,v 1.9 1997/04/01 08:18:20 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * This routine is used by the authentication server to create - * a packet for its client, containing a ticket for the requested - * service (given in "tkt"), and some information about the ticket, - * - * Returns KSUCCESS no matter what. - * - * The length of the cipher is stored in c->length; the format of - * c->dat is as follows: - * - * variable - * type or constant data - * ---- ----------- ---- - * - * - * 8 bytes session session key for client, service - * - * string service service name - * - * string instance service instance - * - * string realm KDC realm - * - * unsigned char life ticket lifetime - * - * unsigned char kvno service key version number - * - * unsigned char tkt->length length of following ticket - * - * data tkt->dat ticket for service - * - * 4 bytes kdc_time KDC's timestamp - * - * <=7 bytes null null pad to 8 byte multiple - * - */ - -int -create_ciph(KTEXT c, /* Text block to hold ciphertext */ - unsigned char *session, /* Session key to send to user */ - char *service, /* Service name on ticket */ - char *instance, /* Instance name on ticket */ - char *realm, /* Realm of this KDC */ - u_int32_t life, /* Lifetime of the ticket */ - int kvno, /* Key version number for service */ - KTEXT tkt, /* The ticket for the service */ - u_int32_t kdc_time, /* KDC time */ - des_cblock *key) /* Key to encrypt ciphertext with */ - -{ - unsigned char *p = c->dat; - - memset(c, 0, 
sizeof(KTEXT_ST)); - - memcpy(p, session, 8); - p += 8; - - p += krb_put_nir(service, instance, realm, p); - - p += krb_put_int(life, p, 1); - p += krb_put_int(kvno, p, 1); - - p += krb_put_int(tkt->length, p, 1); - - memcpy(p, tkt->dat, tkt->length); - p += tkt->length; - - p += krb_put_int(kdc_time, p, 4); - - /* multiple of eight bytes */ - c->length = (p - c->dat + 7) & ~7; - - encrypt_ktext(c, key, DES_ENCRYPT); - return KSUCCESS; -} diff --git a/kerberosIV/krb/create_death_packet.c b/kerberosIV/krb/create_death_packet.c deleted file mode 100644 index fb1c54488d7..00000000000 --- a/kerberosIV/krb/create_death_packet.c +++ /dev/null 
@@ -1,86 +0,0 @@ -/* $OpenBSD: create_death_packet.c,v 1.3 1997/12/09 07:57:11 art Exp $ */ -/* $KTH: create_death_packet.c,v 1.8 1997/04/01 08:18:21 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * This routine creates a packet to type AUTH_MSG_DIE which is sent to - * the Kerberos server to make it shut down. It is used only in the - * development environment. - * - * It takes a string "a_name" which is sent in the packet. A pointer - * to the packet is returned. - * - * The format of the killer packet is: - * - * type variable data - * or constant - * ---- ----------- ---- - * - * unsigned char KRB_PROT_VERSION protocol version number - * - * unsigned char AUTH_MSG_DIE message type - * - * [least significant HOST_BYTE_ORDER byte order of sender - * bit of above field] - * - * string a_name presumably, name of - * principal sending killer - * packet - */ - -#ifdef DEBUG -KTEXT -krb_create_death_packet(char *a_name) -{ - static KTEXT_ST pkt_st; - KTEXT pkt = &pkt_st; - - unsigned char *p = pkt->dat; - - p += krb_put_int(KRB_PROT_VERSION, p, 1); - p += krb_put_int(AUTH_MSG_DIE, p, 1); - - p += krb_put_string(a_name, p); - pkt->length = p - pkt->dat; - return pkt; -} -#endif /* DEBUG */ diff --git a/kerberosIV/krb/create_ticket.c b/kerberosIV/krb/create_ticket.c deleted file mode 100644 index 8c74a2a654a..00000000000 --- a/kerberosIV/krb/create_ticket.c +++ /dev/null 
@@ -1,135 +0,0 @@ -/* $OpenBSD: create_ticket.c,v 1.3 1997/12/09 07:57:12 art Exp $ */ -/* $KTH: create_ticket.c,v 1.12 1997/04/01 08:18:21 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * Create ticket takes as arguments information that should be in a - * ticket, and the KTEXT object in which the ticket should be - * constructed. It then constructs a ticket and returns, leaving the - * newly created ticket in tkt. - * The length of the ticket is a multiple of - * eight bytes and is in tkt->length. - * - * If the ticket is too long, the ticket will contain nulls. - * - * The corresponding routine to extract information from a ticket it - * decomp_ticket. When changes are made to this routine, the - * corresponding changes should also be made to that file. 
- * - * The packet is built in the following format: - * - * variable - * type or constant data - * ---- ----------- ---- - * - * tkt->length length of ticket (multiple of 8 bytes) - * - * tkt->dat: - * - * unsigned char flags namely, HOST_BYTE_ORDER - * - * string pname client's name - * - * string pinstance client's instance - * - * string prealm client's realm - * - * 4 bytes paddress client's address - * - * 8 bytes session session key - * - * 1 byte life ticket lifetime - * - * 4 bytes time_sec KDC timestamp - * - * string sname service's name - * - * string sinstance service's instance - * - * <=7 bytes null null pad to 8 byte multiple - * - */ - -int -krb_create_ticket(KTEXT tkt, /* Gets filled in by the ticket */ - unsigned char flags, /* Various Kerberos flags */ - char *pname, /* Principal's name */ - char *pinstance, /* Principal's instance */ - char *prealm, /* Principal's authentication domain */ - int32_t paddress, /* Net address of requesting entity */ - void *session, /* Session key inserted in ticket */ - int16_t life, /* Lifetime of the ticket */ - int32_t time_sec, /* Issue time and date */ - char *sname, /* Service Name */ - char *sinstance, /* Instance Name */ - des_cblock *key) /* Service's secret key */ -{ - unsigned char *p = tkt->dat; - - memset(tkt, 0, sizeof(KTEXT_ST)); - - p += krb_put_int(flags, p, 1); - p += krb_put_nir(pname, pinstance, prealm, p); - - p += krb_put_address(paddress, p); - - memcpy(p, session, 8); - p += 8; - - p += krb_put_int(life, p, 1); - p += krb_put_int(time_sec, p, 4); - - p += krb_put_nir(sname, sinstance, NULL, p); - - /* multiple of eight bytes */ - tkt->length = (p - tkt->dat + 7) & ~7; - - /* Check length of ticket */ - if (tkt->length > (sizeof(KTEXT_ST) - 7)) { - memset(tkt->dat, 0, tkt->length); - tkt->length = 0; - return KFAILURE /* XXX */; - } - - encrypt_ktext(tkt, key, DES_ENCRYPT); - return KSUCCESS; -} 
diff --git a/kerberosIV/krb/debug_decl.c b/kerberosIV/krb/debug_decl.c deleted file mode 100644 index 2f968657d6e..00000000000 --- a/kerberosIV/krb/debug_decl.c +++ /dev/null 
@@ -1,49 +0,0 @@ -/* $OpenBSD: debug_decl.c,v 1.6 1998/07/07 19:06:45 art Exp $ */ -/* $KTH: debug_decl.c,v 1.7 1997/10/28 15:44:00 bg Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* Declare global debugging variables. */ - -int krb_ap_req_debug = 0; -int krb_debug = 0; -int krb_dns_debug = 0; - -int -krb_enable_debug(void) -{ - krb_ap_req_debug = krb_debug = krb_dns_debug = 1; -} 
diff --git a/kerberosIV/krb/decomp_ticket.c b/kerberosIV/krb/decomp_ticket.c deleted file mode 100644 index fe7e99b2b2a..00000000000 --- a/kerberosIV/krb/decomp_ticket.c +++ /dev/null 
@@ -1,120 +0,0 @@ -/* $OpenBSD: decomp_ticket.c,v 1.5 1997/12/12 05:30:19 art Exp $ */ -/* $KTH: decomp_ticket.c,v 1.16 1997/04/01 08:18:22 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * This routine takes a ticket and pointers to the variables that - * should be filled in based on the information in the ticket. It - * fills in values for its arguments. - * - * The routine returns KFAILURE if any of the "pname", "pinstance", - * or "prealm" fields is too big, otherwise it returns KSUCCESS. - * - * The corresponding routine to generate tickets is create_ticket. - * When changes are made to this routine, the corresponding changes - * should also be made to that file. - * - * See create_ticket.c for the format of the ticket packet. 
- */ - -int -decomp_ticket(KTEXT tkt, /* The ticket to be decoded */ - unsigned char *flags, /* Kerberos ticket flags */ - char *pname, /* Authentication name */ - char *pinstance, /* Principal's instance */ - char *prealm, /* Principal's authentication domain */ - u_int32_t *paddress,/* Net address of entity requesting ticket */ - unsigned char *session, /* Session key inserted in ticket */ - int *life, /* Lifetime of the ticket */ - u_int32_t *time_sec, /* Issue time and date */ - char *sname, /* Service name */ - char *sinstance, /* Service instance */ - des_cblock *key, /* Service's secret key (to decrypt the ticket) */ - des_key_schedule schedule) /* The precomputed key schedule */ - -{ - unsigned char *p = tkt->dat; - - int little_endian; - - des_pcbc_encrypt((des_cblock *)tkt->dat, (des_cblock *)tkt->dat, - tkt->length, schedule, key, DES_DECRYPT); - - tkt->mbz = 0; - - *flags = *p++; - - little_endian = *flags & 1; - - if(strlen((char*)p) > ANAME_SZ) - return KFAILURE; - p += krb_get_string(p, pname); - - if(strlen((char*)p) > INST_SZ) - return KFAILURE; - p += krb_get_string(p, pinstance); - - if(strlen((char*)p) > REALM_SZ) - return KFAILURE; - p += krb_get_string(p, prealm); - - if(tkt->length - (p - tkt->dat) < 8 + 1 + 4) - return KFAILURE; - p += krb_get_address(p, paddress); - - memcpy(session, p, 8); - p += 8; - - *life = *p++; - - p += krb_get_int(p, time_sec, 4, little_endian); - - if(strlen((char*)p) > SNAME_SZ) - return KFAILURE; - p += krb_get_string(p, sname); - - if(strlen((char*)p) > INST_SZ) - return KFAILURE; - p += krb_get_string(p, sinstance); - - return KSUCCESS; -} diff --git a/kerberosIV/krb/dest_tkt.c b/kerberosIV/krb/dest_tkt.c deleted file mode 100644 index 8a3a8f70308..00000000000 --- a/kerberosIV/krb/dest_tkt.c +++ /dev/null 
@@ -1,89 +0,0 @@ -/* $OpenBSD: dest_tkt.c,v 1.5 1998/02/25 15:51:06 art Exp $ */ -/* $KTH: dest_tkt.c,v 1.11 1997/05/19 03:03:40 assar Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * dest_tkt() is used to destroy the ticket store upon logout. - * If the ticket file does not exist, dest_tkt() returns RET_TKFIL. 
- * Otherwise the function returns RET_OK on success, KFAILURE on - * failure. - * - * The ticket file (TKT_FILE) is defined in "krb.h". - */ - -int -dest_tkt(void) -{ - char *file = TKT_FILE; - int i,fd; - struct stat statb; - char buf[BUFSIZ]; - - errno = 0; - if (lstat(file, &statb) < 0) - goto out; - - if (!(statb.st_mode & S_IFREG) -#ifdef notdef - || statb.st_mode & 077 -#endif - ) - goto out; - - if ((fd = open(file, O_RDWR, 0)) < 0) - goto out; - - memset(buf, 0, BUFSIZ); - - for (i = 0; i < statb.st_size; i += sizeof(buf)) - if (write(fd, buf, sizeof(buf)) != sizeof(buf)) { - fsync(fd); - close(fd); - goto out; - } - - - fsync(fd); - close(fd); - - unlink(file); - -out: - if (errno == ENOENT) return RET_TKFIL; - else if (errno != 0) return KFAILURE; - return(KSUCCESS); -} diff --git a/kerberosIV/krb/encrypt_ktext.c b/kerberosIV/krb/encrypt_ktext.c deleted file mode 100644 index 95d1348b0fc..00000000000 --- a/kerberosIV/krb/encrypt_ktext.c +++ /dev/null 
@@ -1,52 +0,0 @@
-/* $OpenBSD: encrypt_ktext.c,v 1.2 1997/12/09 07:57:14 art Exp $ */
-/* $KTH: encrypt_ktext.c,v 1.4 1997/04/01 08:18:26 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb_locl.h"
-
-void
-encrypt_ktext(KTEXT cip, des_cblock *key, int encrypt)
-{
- des_key_schedule schedule;
- des_set_key(key, schedule);
- des_pcbc_encrypt((des_cblock*)cip->dat, (des_cblock*)cip->dat,
- cip->length, schedule, key, encrypt);
- memset(schedule, 0, sizeof(des_key_schedule));
-}
diff --git a/kerberosIV/krb/extra.c b/kerberosIV/krb/extra.c
deleted file mode 100644
index 8f86a63da3f..00000000000
--- a/kerberosIV/krb/extra.c
+++ /dev/null
@@ -1,208 +0,0 @@ -/* $OpenBSD: extra.c,v 1.1 1998/07/07 19:06:47 art Exp $ */ -/* $KTH: extra.c,v 1.4 1998/06/03 03:24:09 joda Exp $ */ - -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -struct value { - char *variable; - char *value; - struct value *next; -}; - -static struct value *_extra_values; - -static int _krb_extra_read = 0; - -static int -define_variable(const char *variable, const char *value) -{ - struct value *e; - e = malloc(sizeof(*e)); - if(e == NULL) - return ENOMEM; - e->variable = strdup(variable); - if(e->variable == NULL) { - free(e); - return ENOMEM; - } - e->value = strdup(value); - if(e->value == NULL) { - free(e->variable); - free(e); - return ENOMEM; - } - e->next = _extra_values; - _extra_values = e; -} - -#ifndef WIN32 - -struct obsolete { - const char *from; - const char *to; -} obsolete [] = { - { "KDC_TIMESYNC", "kdc_timesync" }, - { "KRB_REVERSE_DIRECTION", "reverse_lsb_test"}, - { "krb4_proxy", "krb4_proxy"}, - { NULL, NULL } -}; - -static void -check_obsolete(void) -{ - struct obsolete *r; - for(r = obsolete; r->from; r++) { - if(getenv(r->from)) { - krb_warning("The environment variable `%s' is obsolete;\n" - "set `%s' in your `krb.extra' file instead\n", - r->from, r->to); - define_variable(r->to, getenv(r->from)); - } - } -} - -static int -read_extra_file(void) -{ - int i = 0; - char file[128]; - char line[1024]; - if(_krb_extra_read) - return 0; - _krb_extra_read = 1; - check_obsolete(); - while(krb_get_krbextra(i++, file, sizeof(file)) == 0) { - FILE *f = fopen(file, "r"); - if(f == NULL) - continue; - while(fgets(line, sizeof(line), f)) { - char *save 
= NULL; - char *var, *tmp, *val; - - /* skip initial whitespace */ - var = line + strspn(line, " \t"); - /* skip non-whitespace */ - tmp = var + strcspn(var, " \t="); - /* skip whitespace */ - val = tmp + strspn(tmp, " \t="); - *tmp = '\0'; - tmp = val + strcspn(val, " \t\n"); - *tmp = '\0'; - if(*var == '\0' || *var == '#' || *val == '\0') - continue; - if(krb_debug) - krb_warning("%s: setting `%s' to `%s'\n", file, var, val); - define_variable(var, val); - } - fclose(f); - return 0; - } - return ENOENT; -} - -#else /* WIN32 */ - -static int -read_extra_file(void) -{ - char name[1024], data[1024]; - DWORD name_sz, data_sz; - DWORD type; - int num = 0; - HKEY reg_key; - - if(_krb_extra_read) - return 0; - _krb_extra_read = 1; - - if(RegCreateKey(HKEY_CURRENT_USER, "krb4", ®_key) != 0) - return -1; - - - while(1) { - name_sz = sizeof(name); - data_sz = sizeof(data); - if(RegEnumValue(reg_key, - num++, - name, - &name_sz, - NULL, - &type, - data, - &data_sz) != 0) - break; - if(type == REG_SZ) - define_variable(name, data); - } - RegCloseKey(reg_key); - return 0; -} - -#endif - -static const char* -find_variable(const char *variable) -{ - struct value *e; - for(e = _extra_values; e; e = e->next) { - if(strcasecmp(variable, e->variable) == 0) - return e->value; - } - return NULL; -} - -const char * -krb_get_config_string(const char *variable) -{ - read_extra_file(); - return find_variable(variable); -} - -int -krb_get_config_bool(const char *variable) -{ - const char *value = krb_get_config_string(variable); - if(value == NULL) - return 0; - return strcasecmp(value, "yes") == 0 || - strcasecmp(value, "true") == 0 || - atoi(value); -} diff --git a/kerberosIV/krb/get_ad_tkt.c b/kerberosIV/krb/get_ad_tkt.c deleted file mode 100644 index 0308f2eae71..00000000000 --- a/kerberosIV/krb/get_ad_tkt.c +++ /dev/null 
@@ -1,193 +0,0 @@ -/* $OpenBSD: get_ad_tkt.c,v 1.6 1998/05/18 00:53:38 art Exp $ */ -/* $KTH: get_ad_tkt.c,v 1.18 1998/02/19 19:13:29 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * get_ad_tkt obtains a new service ticket from Kerberos, using - * the ticket-granting ticket which must be in the ticket file. - * It is typically called by krb_mk_req() when the client side - * of an application is creating authentication information to be - * sent to the server side. - * - * get_ad_tkt takes four arguments: three pointers to strings which - * contain the name, instance, and realm of the service for which the - * ticket is to be obtained; and an integer indicating the desired - * lifetime of the ticket. - * - * It returns an error status if the ticket couldn't be obtained, - * or AD_OK if all went well. The ticket is stored in the ticket - * cache. - * - * The request sent to the Kerberos ticket-granting service looks - * like this: - * - * pkt->dat - * - * TEXT original contents of authenticator+ticket - * pkt->dat built in krb_mk_req call - * - * 4 bytes time_ws always 0 (?) - * char lifetime lifetime argument passed - * string service service name argument - * string sinstance service instance arg. - * - * See "prot.h" for the reply packet layout and definitions of the - * extraction macros like pkt_version(), pkt_msg_type(), etc. 
- */ - -int -get_ad_tkt(char *service, char *sinstance, char *realm, int lifetime) -{ - static KTEXT_ST pkt_st; - KTEXT pkt = & pkt_st; /* Packet to KDC */ - static KTEXT_ST rpkt_st; - KTEXT rpkt = &rpkt_st; /* Returned packet */ - - CREDENTIALS cr; - char lrealm[REALM_SZ]; - u_int32_t time_ws = 0; - int kerror; - unsigned char *p; - - /* - * First check if we have a "real" TGT for the corresponding - * realm, if we don't, use ordinary inter-realm authentication. - */ - - kerror = krb_get_cred(KRB_TICKET_GRANTING_TICKET, realm, realm, &cr); - if (kerror == KSUCCESS) { - strncpy(lrealm, realm, REALM_SZ); - lrealm[REALM_SZ - 1] = '\0'; - } else - kerror = krb_get_tf_realm(TKT_FILE, lrealm); - - if (kerror != KSUCCESS) - return(kerror); - - /* - * Look for the session key (and other stuff we don't need) - * in the ticket file for krbtgt.realm@lrealm where "realm" - * is the service's realm (passed in "realm" argument) and - * lrealm is the realm of our initial ticket. If we don't - * have this, we will try to get it. - */ - - if ((kerror = krb_get_cred(KRB_TICKET_GRANTING_TICKET, - realm, lrealm, &cr)) != KSUCCESS) { - /* - * If realm == lrealm, we have no hope, so let's not even try. - */ - if ((strncmp(realm, lrealm, REALM_SZ)) == 0) - return(AD_NOTGT); - else { - if ((kerror = - get_ad_tkt(KRB_TICKET_GRANTING_TICKET, - realm, lrealm, lifetime)) != KSUCCESS) { - if (kerror == KDC_PR_UNKNOWN) - return(AD_INTR_RLM_NOTGT); - else - return(kerror); - } - if ((kerror = krb_get_cred(KRB_TICKET_GRANTING_TICKET, - realm, lrealm, &cr)) != KSUCCESS) - return(kerror); - } - } - - /* - * Make up a request packet to the "krbtgt.realm@lrealm". - * Start by calling krb_mk_req() which puts ticket+authenticator - * into "pkt". Then tack other stuff on the end. 
- */ - - kerror = krb_mk_req(pkt, - KRB_TICKET_GRANTING_TICKET, - realm,lrealm,0L); - - if (kerror) - return(AD_NOTGT); - - p = pkt->dat + pkt->length; - - p += krb_put_int(time_ws, p, 4); - p += krb_put_int(lifetime, p, 1); - p += krb_put_nir(service, sinstance, NULL, p); - - pkt->length = p - pkt->dat; - rpkt->length = 0; - - /* Send the request to the local ticket-granting server */ - if ((kerror = send_to_kdc(pkt, rpkt, realm))) return(kerror); - - /* check packet version of the returned packet */ - - { - KTEXT_ST cip; - CREDENTIALS cred; - struct timeval tv; - - kerror = kdc_reply_cipher(rpkt, &cip); - if(kerror != KSUCCESS) - return kerror; - - encrypt_ktext(&cip, &cr.session, DES_DECRYPT); - - kerror = kdc_reply_cred(&cip, &cred); - if(kerror != KSUCCESS) - return kerror; - - if (strcmp(cred.service, service) || strcmp(cred.instance, sinstance) || - strcmp(cred.realm, realm)) /* not what we asked for */ - return INTK_ERR; /* we need a better code here XXX */ - - krb_kdctimeofday(&tv); - if (abs((int)(tv.tv_sec - cred.issue_date)) > CLOCK_SKEW) { - return RD_AP_TIME; /* XXX should probably be better code */ - } - - - kerror = save_credentials(cred.service, cred.instance, cred.realm, - cred.session, cred.lifetime, cred.kvno, - &cred.ticket_st, tv.tv_sec); - return kerror; - } -} diff --git a/kerberosIV/krb/get_cred.c b/kerberosIV/krb/get_cred.c deleted file mode 100644 index 0cd6ef07fd9..00000000000 --- a/kerberosIV/krb/get_cred.c +++ /dev/null 
@@ -1,84 +0,0 @@
-/* $OpenBSD: get_cred.c,v 1.6 1998/05/17 23:21:55 art Exp $ */
-/* $KTH: get_cred.c,v 1.7 1997/12/15 17:12:55 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-
-#include "krb_locl.h"
-
-/*
- * krb_get_cred takes a service name, instance, and realm, and a
- * structure of type CREDENTIALS to be filled in with ticket
- * information. It then searches the ticket file for the appropriate
- * ticket and fills in the structure with the corresponding
- * information from the file. If successful, it returns KSUCCESS.
- * On failure it returns a Kerberos error code.
- */
-
-int
-krb_get_cred(char *service, /* Service name */
- char *instance, /* Instance */
- char *realm, /* Auth domain */
- CREDENTIALS *c) /* Credentials struct */
-{
- int tf_status; /* return value of tf function calls */
- CREDENTIALS cr;
-
- if (c == NULL)
- c = &cr;
-
- /* Open ticket file and lock it for shared reading */
- if ((tf_status = tf_init(TKT_FILE, R_TKT_FIL)) != KSUCCESS)
- return(tf_status);
-
- /* Copy principal's name and instance into the CREDENTIALS struc c */
-
- if ( (tf_status = tf_get_pname(c->pname)) != KSUCCESS ||
- (tf_status = tf_get_pinst(c->pinst)) != KSUCCESS )
- return (tf_status);
-
- /* Search for requested service credentials and copy into c */
-
- while ((tf_status = tf_get_cred(c)) == KSUCCESS) {
- if ((strcmp(c->service,service) == 0) &&
- (strcmp(c->instance,instance) == 0) &&
- (strcmp(c->realm,realm) == 0))
- break;
- }
- tf_close();
-
- if (tf_status == EOF)
- return (GC_NOTKT);
- return(tf_status);
-}
diff --git a/kerberosIV/krb/get_default_principal.c b/kerberosIV/krb/get_default_principal.c
deleted file mode 100644
index a2569e306c2..00000000000
--- a/kerberosIV/krb/get_default_principal.c
+++ /dev/null
@@ -1,91 +0,0 @@ -/* $OpenBSD: get_default_principal.c,v 1.2 1997/12/09 07:57:16 art Exp $ */ -/* $KTH: get_default_principal.c,v 1.10 1997/04/01 08:18:28 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -int -krb_get_default_principal(char *name, char *instance, char *realm) -{ - char *file; - int ret; - - char *p; - - if ((file = getenv("KRBTKFILE")) == NULL) - file = TKT_FILE; - - ret = krb_get_tf_fullname(file, name, instance, realm); - if(ret == KSUCCESS) - return 0; - - p = getenv("KRB4PRINCIPAL"); - if(p && kname_parse(name, instance, realm, p) == KSUCCESS) - return 1; - - { - struct passwd *pw; - pw = getpwuid(getuid()); - if(pw == NULL){ - return -1; - } - - strncpy(name, pw->pw_name, ANAME_SZ); - name[ANAME_SZ-1] = '\0'; - strncpy(instance, "", 2); - krb_get_lrealm(realm, 1); - - if(strcmp(name, "root") == 0){ - p = NULL; - p = getlogin(); - if(p == NULL) - p = getenv("USER"); - if(p == NULL) - p = getenv("LOGNAME"); - if(p){ - strncpy (name, p, ANAME_SZ); - name[ANAME_SZ - 1] = '\0'; - strncpy(instance, "root", 5); - } - } - return 1; - } - return -1; -} diff --git a/kerberosIV/krb/get_host.c b/kerberosIV/krb/get_host.c deleted file mode 100644 index 6b6e91b3bfc..00000000000 --- a/kerberosIV/krb/get_host.c +++ /dev/null 
@@ -1,368 +0,0 @@ -/* $OpenBSD: get_host.c,v 1.9 1998/07/07 19:06:47 art Exp $ */ -/* $KTH: get_host.c,v 1.37 1998/01/17 00:05:47 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -static struct host_list { - struct krb_host *this; - struct host_list *next; -} *hosts; - -static int krb_port = 0; - -static void -free_hosts(struct host_list *h) -{ - struct host_list *t; - while(h){ - if(h->this->realm != NULL) - { - free(h->this->realm); - h->this->realm = NULL; - } - if(h->this->host != NULL) - { - free(h->this->host); - h->this->host = NULL; - } - t = h; - h = h->next; - free(t); - t=NULL; - } -} - -static int -parse_address(char *address, enum krb_host_proto *proto, - char **host, int *port) -{ - char *p, *q; - int default_port = krb_port; - - if (proto == NULL || address == NULL || port == NULL || host == NULL) - return -1; - - *proto = PROTO_UDP; - if(strncmp(address, "http://", 7) == 0){ - p = address + 7; - *proto = PROTO_HTTP; - default_port = 80; - }else{ - p = strchr(address, '/'); - if(p){ - char prot[32]; - - strncpy(prot, address, MIN(p - address, 32)); - prot[ MIN(p - address, 32-1) ] = '\0'; - if(strcasecmp(prot, "udp") == 0) - *proto = PROTO_UDP; - else if(strcasecmp(prot, "tcp") == 0) - *proto = PROTO_TCP; - else if(strcasecmp(prot, "http") == 0) { - *proto = PROTO_HTTP; - default_port = 80; - } else - krb_warning("Unknown protocol `%s', Using default `udp'.\n", - prot); - p++; - }else - p = address; - } - q = strchr(p, ':'); - if(q != NULL){ - *host = (char*)malloc(q - p + 1); - if (*host == NULL) - return -1; - strncpy(*host, p, q - p); - (*host)[q - p] = '\0'; - q++; 
- { - struct servent *sp = getservbyname(q, NULL); - if(sp) - *port = ntohs(sp->s_port); - else - if(sscanf(q, "%d", port) != 1){ - krb_warning("Bad port specification `%s', using port %d.", - q, krb_port); - *port = krb_port; - } - } - }else{ - *host = strdup(p); - if(*host == NULL) - return -1; - *port = default_port; - } - return 0; -} - -static int -add_host(char *realm, char *address, int admin, int validate) -{ - struct krb_host *host; - struct host_list *p, **last = &hosts; - - host = (struct krb_host*)malloc(sizeof(struct krb_host)); - if (host == NULL) - return 1; - if(parse_address(address, &host->proto, &host->host, &host->port) < 0) - return 1; - if (validate) { - if (krb_dns_debug) - krb_warning("Getting host entry for %s...", host->host); - if(gethostbyname(host->host) == NULL) { - if (krb_dns_debug) - krb_warning("Didn't get it.\n"); - free(host->host); - host->host = NULL; - free(host); - host = NULL; - return 1; - } else if (krb_dns_debug) - krb_warning("Got it.\n"); - } - host->admin = admin; - for(p = hosts; p; p = p->next){ - if(strcmp(realm, p->this->realm) == 0 && - strcmp(host->host, p->this->host) == 0 && - host->proto == p->this->proto && - host->port == p->this->port){ - free(host->host); - host->host = NULL; - free(host); - host = NULL; - return 1; - } - last = &p->next; - } - host->realm = strdup(realm); - if (host->realm == NULL) { - free(host->host); - host->host = NULL; - free(host); - host = NULL; - return 1; - } - p = (struct host_list*)malloc(sizeof(struct host_list)); - if (p == NULL) { - free(host->realm); - host->realm = NULL; - free(host->host); - host->host = NULL; - free(host); - host = NULL; - return 1; - } - p->this = host; - p->next = NULL; - *last = p; - return 0; - } - - -static int -read_file(const char *filename, const char *r) -{ - char line[1024]; - char realm[1024]; - char address[1024]; - char scratch[1024]; - int n; - int nhosts = 0; - FILE *f; - - if (filename == NULL) - return -1; - - f = fopen(filename, "r"); - 
if(f == NULL) - return -1; - while(fgets(line, sizeof(line), f) != NULL) { - char *format = NULL; - - asprintf(&format, "%%%ds %%%ds admin %%%ds", sizeof(realm) - 1, - sizeof(address) - 1, sizeof(scratch) - 1); - if (format == NULL) { - fclose(f); - return -1; - } - n = sscanf(line, format, realm, address, scratch); - free(format); - format = NULL; - if(n == 2 || n == 3){ - if(strcmp(realm, r)) - continue; - if(add_host(realm, address, n == 3, 0) == 0) - nhosts++; - } - } - fclose(f); - return nhosts; -} - -static int -init_hosts(char *realm) -{ - int i; - char file[MAXPATHLEN]; - - krb_port = ntohs(k_getportbyname (KRB_SERVICE, NULL, htons(KRB_PORT))); - for(i = 0; krb_get_krbconf(i, file, sizeof(file)) == 0; i++) - read_file(file, realm); - return 0; -} - -static void -srv_find_realm(char *realm, char *proto, char *service) -{ - char *domain; - struct dns_reply *r; - struct resource_record *rr; - - if (proto == NULL || realm == NULL || service == NULL) - return; - - k_mconcat(&domain, 1024, service, ".", proto, ".", realm, ".", NULL); - - if(domain == NULL) - return; - - r = dns_lookup(domain, "srv"); - if(r == NULL) - r = dns_lookup(domain, "txt"); - if(r == NULL){ - free(domain); - domain = NULL; - return; - } - for(rr = r->head; rr; rr = rr->next){ - if(rr->type == T_SRV){ - char buf[1024]; - - if (snprintf (buf, - sizeof(buf), - "%s/%s:%u", - proto, - rr->u.srv->target, - rr->u.srv->port) < sizeof(buf)) - add_host(realm, buf, 0, 0); - }else if(rr->type == T_TXT) - add_host(realm, rr->u.txt, 0, 0); - } - dns_free_data(r); - free(domain); - domain = NULL; -} - -struct krb_host* -krb_get_host(int nth, char *realm, int admin) -{ - struct host_list *p; - static char orealm[REALM_SZ]; - if(orealm[0] == 0 || strcmp(realm, orealm)){ - /* quick optimization */ - if(realm && realm[0]){ - strncpy(orealm, realm, sizeof(orealm) - 1); - orealm[sizeof(orealm) - 1] = '\0'; - }else{ - int ret = krb_get_lrealm(orealm, 1); - if(ret != KSUCCESS) - return NULL; - } - - if(hosts){ 
- free_hosts(hosts); - hosts = NULL; - } - - init_hosts(orealm); - - srv_find_realm(orealm, "udp", KRB_SERVICE); - srv_find_realm(orealm, "tcp", KRB_SERVICE); - srv_find_realm(orealm, "http", KRB_SERVICE); - - { - /* XXX this assumes no one has more than 99999 kerberos - servers */ - char host[REALM_SZ + sizeof("kerberos-XXXXX..")]; - int i = 0; - snprintf(host, sizeof(host), "kerberos.%s.", orealm); - add_host(orealm, host, 1, 1); - do{ - i++; - sprintf(host, "kerberos-%d.%s.", i, orealm); - }while(i < 100000 && add_host(orealm, host, 0, 1) == 0); - } - } - - for(p = hosts; p; p = p->next){ - if(strcmp(orealm, p->this->realm) == 0 && - (!admin || p->this->admin)) { - if(nth == 1) - return p->this; - else - nth--; - } - } - return NULL; -} - -int -krb_get_krbhst(char *host, char *realm, int nth) -{ - struct krb_host *p = krb_get_host(nth, realm, 0); - if(p == NULL) - return KFAILURE; - strncpy(host, p->host, MAXHOSTNAMELEN); - host[MAXHOSTNAMELEN-1] = '\0'; - return KSUCCESS; -} - -int -krb_get_admhst(char *host, char *realm, int nth) -{ - struct krb_host *p = krb_get_host(nth, realm, 1); - if(p == NULL) - return KFAILURE; - strncpy(host, p->host, MAXHOSTNAMELEN); - host[MAXHOSTNAMELEN-1] = '\0'; - return KSUCCESS; -} diff --git a/kerberosIV/krb/get_in_tkt.c b/kerberosIV/krb/get_in_tkt.c deleted file mode 100644 index 8c27528e521..00000000000 --- a/kerberosIV/krb/get_in_tkt.c +++ /dev/null 
@@ -1,162 +0,0 @@ -/* $OpenBSD: get_in_tkt.c,v 1.10 1998/07/07 19:06:49 art Exp $ */ -/* $KTH: get_in_tkt.c,v 1.19 1997/10/03 21:51:42 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- * - */ - -#include "krb_locl.h" - -/* - * This file contains three routines: passwd_to_key() and - * passwd_to_afskey() converts a password into a DES key, using the - * normal strinttokey and the AFS one, respectively, and - * krb_get_pw_in_tkt() gets an initial ticket for a user. - */ - -/* - * passwd_to_key() and passwd_to_afskey: given a password, return a DES key. - */ - -int -passwd_to_key(char *user, char *instance, char *realm, void *passwd, - des_cblock *key) -{ -#ifndef NOENCRYPTION - des_string_to_key((char *)passwd, key); -#endif - return 0; -} - -int -passwd_to_5key(char *user, char *instance, char *realm, void *passwd, - des_cblock *key) -{ - char *p; - size_t len; - len = k_mconcat (&p, 512, passwd, realm, user, instance, NULL); - if(len == 0) - return -1; - des_string_to_key(p, key); - memset(p, 0, len); - free(p); - p = NULL; - return 0; -} - - -int -passwd_to_afskey(char *user, char *instance, char *realm, void *passwd, - des_cblock *key) -{ -#ifndef NOENCRYPTION - afs_string_to_key((char *)passwd, realm, key); -#endif - return (0); -} - -/* - * krb_get_pw_in_tkt() takes the name of the server for which the initial - * ticket is to be obtained, the name of the principal the ticket is - * for, the desired lifetime of the ticket, and the user's password. - * It passes its arguments on to krb_get_in_tkt(), which contacts - * Kerberos to get the ticket, decrypts it using the password provided, - * and stores it away for future use. - * - * krb_get_pw_in_tkt() passes two additional arguments to krb_get_in_tkt(): - * the name of a routine (passwd_to_key()) to be used to get the - * password in case the "password" argument is null and NULL for the - * decryption procedure indicating that krb_get_in_tkt should use the - * default method of decrypting the response from the KDC. - * - * The result of the call to krb_get_in_tkt() is returned. 
- */ - -int -krb_get_pw_in_tkt2(char *user, char *instance, char *realm, char *service, - char *sinstance, int life, char *password, des_cblock *key) -{ - char pword[100]; /* storage for the password */ - int code; - - /* Only request password once! */ - if (password == NULL) { - if (des_read_pw_string(pword, sizeof(pword)-1, "Password: ", 0)){ - memset(pword, 0, sizeof(pword)); - return INTK_BADPW; - } - password = pword; - } - - { - KTEXT_ST as_rep; - CREDENTIALS cred; - int ret = 0; - key_proc_t key_procs[] = { passwd_to_key, passwd_to_afskey, - passwd_to_5key, NULL }; - key_proc_t *kp; - - code = krb_mk_as_req(user, instance, realm, - service, sinstance, life, &as_rep); - if(code) - return code; - for(kp = key_procs; *kp; kp++){ - KTEXT_ST tmp; - memcpy(&tmp, &as_rep, sizeof(as_rep)); - code = krb_decode_as_rep(user, instance, realm, service, sinstance, - *kp, NULL, password, &tmp, &cred); - if(code == 0){ - if(key) - (**kp)(user, instance, realm, password, key); - break; - } - if(code != INTK_BADPW) - ret = code; /* this is probably a better code than - what code gets after this loop */ - } - if(code) - return ret ? ret : code; - - code = tf_setup(&cred, user, instance); - } - if (password == pword) - memset(pword, 0, sizeof(pword)); - return(code); -} - -int -krb_get_pw_in_tkt(char *user, char *instance, char *realm, char *service, - char *sinstance, int life, char *password) -{ - return krb_get_pw_in_tkt2(user, instance, realm, - service, sinstance, life, password, NULL); -} diff --git a/kerberosIV/krb/get_krbrlm.c b/kerberosIV/krb/get_krbrlm.c deleted file mode 100644 index 5af27ca2dc6..00000000000 --- a/kerberosIV/krb/get_krbrlm.c +++ /dev/null 
@@ -1,134 +0,0 @@ -/* $OpenBSD: get_krbrlm.c,v 1.15 1998/05/18 00:53:41 art Exp $ */ -/* $KTH: get_krbrlm.c,v 1.20 1998/03/18 13:46:51 bg Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * krb_get_lrealm takes a pointer to a string, and a number, n. 
It fills - * in the string, r, with the name of the nth realm specified on the - * first line of the kerberos config file (KRB_CONF, defined in "krb.h"). - * It returns 0 (KSUCCESS) on success, and KFAILURE on failure. If the - * config file does not exist, and if n=1, a successful return will occur - * with r = KRB_REALM (also defined in "krb.h"). - * - * NOTE: for archaic & compatibility reasons, this routine will only return - * valid results when n = 1. - * - * For the format of the KRB_CONF file, see comments describing the routine - * krb_get_krbhst(). - */ - -static int -krb_get_lrealm_f(char *r, int n, const char *fname) -{ - FILE *f; - int ret = KFAILURE; - f = fopen(fname, "r"); - if(f){ - char buf[REALM_SZ]; - if(fgets(buf, sizeof(buf), f)){ - char *p = buf + strspn(buf, " \t"); - p[strcspn(p, " \t\r\n")] = 0; - p[REALM_SZ - 1] = 0; - strncpy(r, p, REALM_SZ); - r[REALM_SZ-1] = '\0'; - if (*p != '#') - ret = KSUCCESS; - } - fclose(f); - } - return ret; -} - -static const char *no_default_realm = "NO.DEFAULT.REALM"; - -int -krb_get_lrealm(char *r, int n) -{ - int i; - char file[MAXPATHLEN]; - - if (n > 1) - return(KFAILURE); /* Temporary restriction */ - - r[0] = '#'; - - for (i = 0; krb_get_krbconf(i, file, sizeof(file)) == 0; i++) - if (krb_get_lrealm_f(r, n, file) == KSUCCESS) - return KSUCCESS; - - if (r[0] == '#') - return(KFAILURE); - - /* When nothing else works try default realm */ - if (n == 1) { - char *t = krb_get_default_realm(); - - if (strcmp(t, no_default_realm) == 0) - return KFAILURE; - - strncpy (r, t, REALM_SZ - 1); - r[REALM_SZ - 1] = '\0'; - - return KSUCCESS; - } - else - return(KFAILURE); -} - -/* For SunOS5 compat. 
*/ -char * -krb_get_default_realm(void) -{ - static char local_realm[REALM_SZ]; /* Local kerberos realm */ - - if (local_realm[0] == 0) - { - char *t, hostname[MAXHOSTNAMELEN]; - - strncpy(local_realm, no_default_realm, sizeof(local_realm) - 1); - local_realm[sizeof(local_realm) - 1] = '\0'; - - gethostname(hostname, sizeof(hostname)); - t = krb_realmofhost(hostname); - if (t && strcmp(t, no_default_realm) != 0) { - strncpy(local_realm, t, sizeof(local_realm) - 1); - local_realm[sizeof(local_realm) - 1] = '\0'; - } - } - - return local_realm; -} diff --git a/kerberosIV/krb/get_svc_in_tkt.c b/kerberosIV/krb/get_svc_in_tkt.c deleted file mode 100644 index 0a88d52b4ca..00000000000 --- a/kerberosIV/krb/get_svc_in_tkt.c +++ /dev/null 
@@ -1,89 +0,0 @@ -/* $OpenBSD: get_svc_in_tkt.c,v 1.5 1998/02/25 15:51:11 art Exp $ */ -/* $KTH: get_svc_in_tkt.c,v 1.8 1997/03/23 03:53:09 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * This file contains two routines: srvtab_to_key(), which gets - * a server's key from a srvtab file, and krb_get_svc_in_tkt() which - * gets an initial ticket for a server. 
- */ - -/* - * srvtab_to_key(): given a "srvtab" file (where the keys for the - * service on a host are stored), return the private key of the - * given service (user.instance@realm). - * - * srvtab_to_key() passes its arguments on to read_service_key(), - * plus one additional argument, the key version number. - * (Currently, the key version number is always 0; this value - * is treated as a wildcard by read_service_key().) - * - * If the "srvtab" argument is null, KEYFILE (defined in "krb.h") - * is passed in its place. - * - * It returns the return value of the read_service_key() call. - * The service key is placed in "key". - */ - -int -srvtab_to_key(char *user, char *instance, char *realm, void *srvtab, - des_cblock *key) -{ - if (!srvtab) - srvtab = KEYFILE; - - return(read_service_key(user, instance, realm, 0, (char *)srvtab, - (char *)key)); -} - -/* - * krb_get_svc_in_tkt() passes its arguments on to krb_get_in_tkt(), - * plus two additional arguments: a pointer to the srvtab_to_key() - * function to be used to get the key from the key file and a NULL - * for the decryption procedure indicating that krb_get_in_tkt should - * use the default method of decrypting the response from the KDC. - * - * It returns the return value of the krb_get_in_tkt() call. - */ - -int -krb_get_svc_in_tkt(char *user, char *instance, char *realm, char *service, - char *sinstance, int life, char *srvtab) -{ - return(krb_get_in_tkt(user, instance, realm, service, sinstance, - life, srvtab_to_key, NULL, srvtab)); -} diff --git a/kerberosIV/krb/get_tf_fullname.c b/kerberosIV/krb/get_tf_fullname.c deleted file mode 100644 index bf2187e079f..00000000000 --- a/kerberosIV/krb/get_tf_fullname.c +++ /dev/null 
@@ -1,89 +0,0 @@ -/* $OpenBSD: get_tf_fullname.c,v 1.6 1998/02/25 15:51:13 art Exp $ */ -/* $KTH: get_tf_fullname.c,v 1.6 1997/03/23 03:53:10 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * This file contains a routine to extract the fullname of a user - * from the ticket file. 
- */ - -/* - * krb_get_tf_fullname() takes four arguments: the name of the - * ticket file, and variables for name, instance, and realm to be - * returned in. Since the realm of a ticket file is not really fully - * supported, the realm used will be that of the the first ticket in - * the file as this is the one that was obtained with a password by - * krb_get_in_tkt(). - */ - -int -krb_get_tf_fullname(char *ticket_file, char *name, char *instance, char *realm) -{ - int tf_status; - CREDENTIALS c; - - if ((tf_status = tf_init(ticket_file, R_TKT_FIL)) != KSUCCESS) - return(tf_status); - - if (((tf_status = tf_get_pname(c.pname)) != KSUCCESS) || - ((tf_status = tf_get_pinst(c.pinst)) != KSUCCESS)) - return (tf_status); - - if (name != NULL){ - strncpy(name, c.pname, ANAME_SZ); - name[ANAME_SZ-1] = '\0'; - } - if (instance != NULL){ - strncpy(instance, c.pinst, INST_SZ); - instance[INST_SZ-1] = '\0'; - } - if ((tf_status = tf_get_cred(&c)) == KSUCCESS) { - if (realm != NULL){ - strncpy(realm, c.realm, REALM_SZ); - realm[REALM_SZ-1] = '\0'; - } - } - else { - if (tf_status == EOF) - return(KFAILURE); - else - return(tf_status); - } - tf_close(); - - return(tf_status); -} diff --git a/kerberosIV/krb/get_tf_realm.c b/kerberosIV/krb/get_tf_realm.c deleted file mode 100644 index 4940cc49ebc..00000000000 --- a/kerberosIV/krb/get_tf_realm.c +++ /dev/null 
@@ -1,54 +0,0 @@ -/* $OpenBSD: get_tf_realm.c,v 1.5 1998/02/25 15:51:14 art Exp $ */ -/* $KTH: get_tf_realm.c,v 1.5 1997/03/23 03:53:10 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * This file contains a routine to extract the realm of a kerberos - * ticket file. 
- */ - -/* - * krb_get_tf_realm() takes two arguments: the name of a ticket - * and a variable to store the name of the realm in. - * - */ - -int -krb_get_tf_realm(char *ticket_file, char *realm) -{ - return(krb_get_tf_fullname(ticket_file, 0, 0, realm)); -} diff --git a/kerberosIV/krb/getaddrs.c b/kerberosIV/krb/getaddrs.c deleted file mode 100644 index 90a2a9b0d62..00000000000 --- a/kerberosIV/krb/getaddrs.c +++ /dev/null 
@@ -1,122 +0,0 @@ -/* $OpenBSD: getaddrs.c,v 1.9 1998/08/16 20:48:37 art Exp $ */ -/* $KTH: getaddrs.c,v 1.24 1998/04/26 15:10:44 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -#include <sys/ioctl.h> -#include <net/if.h> -#include <sys/sockio.h> - -#include <err.h> - -#ifndef MAX -#define MAX(a,b) (((a)>(b))?(a):(b)) -#endif /* MAX */ - -#ifndef MIN -#define MIN(a,b) (((a)<(b))?(a):(b)) -#endif /* MIN */ - -/* - * Return number and list of all local adresses. - */ - -int -k_get_all_addrs (struct in_addr **l) -{ - int fd; - char buf[BUFSIZ]; - struct ifreq ifreq; - struct ifconf ifconf; - int num, j; - char *p; - size_t sz; - - if (l == NULL) - return -1; - - fd = socket(AF_INET, SOCK_DGRAM, 0); - if (fd < 0) - return -1; - - ifconf.ifc_len = sizeof(buf); - ifconf.ifc_buf = buf; - if(ioctl(fd, SIOCGIFCONF, &ifconf) < 0) - return -1; - - num = ifconf.ifc_len / sizeof(struct ifreq); - *l = malloc(num * sizeof(struct in_addr)); - if(*l == NULL) { - close(fd); - return -1; - } - - j = 0; - ifreq.ifr_name[0] = '\0'; - for (p = ifconf.ifc_buf; p < ifconf.ifc_buf + ifconf.ifc_len; p += sz) { - struct ifreq *ifr = (struct ifreq *)p; - sz = sizeof(*ifr); - sz = MAX(sz, sizeof(ifr->ifr_name) + ifr->ifr_addr.sa_len); - - if(strncmp(ifreq.ifr_name, ifr->ifr_name, sizeof(ifr->ifr_name))) { - if(ioctl(fd, SIOCGIFFLAGS, ifr) < 0) - continue; - if (ifr->ifr_flags & IFF_UP) { - if(ioctl(fd, SIOCGIFADDR, ifr) < 0) - continue; - (*l)[j++] = ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr; - } - ifreq = *ifr; - } - } - if (j != num) { - struct in_addr *temp; - if ((temp = realloc (*l, j * 
sizeof(struct in_addr))) == NULL) { - free(*l); - close(fd); - return -1; - } - *l = temp; - } - - close(fd); - return j; -} diff --git a/kerberosIV/krb/getfile.c b/kerberosIV/krb/getfile.c deleted file mode 100644 index 8ab20c0b5f1..00000000000 --- a/kerberosIV/krb/getfile.c +++ /dev/null 
@@ -1,85 +0,0 @@ -/* $OpenBSD: getfile.c,v 1.3 1998/07/07 19:06:51 art Exp $ */ -/* $KTH: getfile.c,v 1.2 1998/04/04 17:56:35 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -static int -get_file(const char **files, int num, const char *file, char *buf, size_t len) -{ - const char *p, **q; - int i = 0; - if(!issetugid() && (p = getenv("KRBCONFDIR"))){ - if(num == i){ - snprintf(buf, len, "%s/%s", p, file); - return 0; - } - i++; - } - for(q = files; *q != NULL; q++, i++){ - if(num == i){ - snprintf(buf, len, "%s", *q); - return 0; - } - } - return -1; -} - -int -krb_get_krbconf(int num, char *buf, size_t len) -{ - const char *files[] = KRB_CNF_FILES; - return get_file(files, num, "krb.conf", buf, len); -} - -int -krb_get_krbrealms(int num, char *buf, size_t len) -{ - const char *files[] = KRB_RLM_FILES; - return get_file(files, num, "krb.realms", buf, len); -} - -int -krb_get_krbextra(int num, char *buf, size_t len) -{ - const char *files[] = { "/etc/kerberosIV/krb.extra", "/etc/krb.extra", - NULL }; - return get_file(files, num, "krb.extra", buf, len); -} diff --git a/kerberosIV/krb/getrealm.c b/kerberosIV/krb/getrealm.c deleted file mode 100644 index 2eecd2177dd..00000000000 --- a/kerberosIV/krb/getrealm.c +++ /dev/null 
@@ -1,199 +0,0 @@ -/* $OpenBSD: getrealm.c,v 1.11 1998/05/18 00:53:44 art Exp $ */ -/* $KTH: getrealm.c,v 1.26 1997/10/08 22:51:13 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -#define MATCH_SUBDOMAINS 0 - -/* - * krb_realmofhost. - * Given a fully-qualified domain-style primary host name, - * return the name of the Kerberos realm for the host. 
- * If the hostname contains no discernable domain, or an error occurs, - * return the local realm name, as supplied by get_krbrlm(). - * If the hostname contains a domain, but no translation is found, - * the hostname's domain is converted to upper-case and returned. - * - * The format of each line of the translation file is: - * domain_name kerberos_realm - * -or- - * host_name kerberos_realm - * - * domain_name should be of the form .XXX.YYY (e.g. .LCS.MIT.EDU) - * host names should be in the usual form (e.g. FOO.BAR.BAZ) - */ - -/* To automagically find the correct realm of a host (without - * krb.realms) add a text record for your domain with the name of your - * realm, like this: - * - * krb4-realm IN TXT FOO.SE - * - * The search is recursive, so you can also add entries for specific - * hosts. To find the realm of host a.b.c, it first tries - * krb4-realm.a.b.c, then krb4-realm.b.c and so on. - */ - -static int -dns_find_realm(char *hostname, char *realm) -{ - char domain[MAXHOSTNAMELEN + sizeof("krb4-realm..")]; - char *p; - int level = 0; - struct dns_reply *r; - - p = hostname; - - while(1){ - snprintf(domain, sizeof(domain), "krb4-realm.%s.", p); - p = strchr(p, '.'); - if(p == NULL) - break; - p++; - r = dns_lookup(domain, "TXT"); - if(r){ - struct resource_record *rr = r->head; - while(rr){ - if(rr->type == T_TXT){ - strncpy(realm, rr->u.txt, REALM_SZ); - realm[REALM_SZ - 1] = 0; - dns_free_data(r); - return level; - } - rr = rr->next; - } - dns_free_data(r); - } - level++; - } - return -1; -} - - -static FILE * -open_krb_realms(void) -{ - int i; - char file[MAXPATHLEN]; - FILE *res; - - for(i = 0; krb_get_krbrealms(i, file, sizeof(file)) == 0; i++) - if ((res = fopen(file, "r")) != NULL) - return res; - - return NULL; -} - -static int -file_find_realm(const char *phost, const char *domain, - char *ret_realm, size_t ret_realm_sz) -{ - FILE *trans_file; - char buf[1024]; - int ret = -1; - - if ((trans_file = open_krb_realms()) == NULL) - return -1; - - 
while (fgets(buf, sizeof(buf), trans_file) != NULL) { - char *save = NULL; - char *tok; - char *tmp_host; - char *tmp_realm; - - tok = strtok_r(buf, " \t\r\n", &save); - if(tok == NULL) - continue; - tmp_host = tok; - tok = strtok_r(NULL, " \t\r\n", &save); - if(tok == NULL) - continue; - tmp_realm = tok; - if (strcasecmp(tmp_host, phost) == 0) { - /* exact match of hostname, so return the realm */ - strncpy(ret_realm, tmp_realm, ret_realm_sz); - ret_realm[ret_realm_sz - 1] = '\0'; - ret = 0; - break; - } - if ((tmp_host[0] == '.') && domain) { - const char *cp = domain; - do { - if(strcasecmp(tmp_host, domain) == 0){ - /* domain match, save for later */ - strncpy(ret_realm, tmp_realm, ret_realm_sz); - ret_realm[ret_realm_sz - 1] = '\0'; - ret = 0; - break; - } - cp = strchr(cp + 1, '.'); - } while(MATCH_SUBDOMAINS && cp); - } - } - fclose(trans_file); - return ret; -} - -char * -krb_realmofhost(const char *host) -{ - static char ret_realm[REALM_SZ]; - char *domain; - char phost[MAXHOSTNAMELEN]; - - krb_name_to_name(host, phost, sizeof(phost)); - - domain = strchr(phost, '.'); - - if(file_find_realm(phost, domain, ret_realm, sizeof(ret_realm)) == 0) - return ret_realm; - - if(dns_find_realm(phost, ret_realm) >= 0) - return ret_realm; - - if (domain) { - char *cp; - - strncpy(ret_realm, &domain[1], REALM_SZ); - ret_realm[REALM_SZ - 1] = 0; - /* Upper-case realm */ - for (cp = ret_realm; *cp; cp++) - *cp = toupper(*cp); - } else { - strncpy(ret_realm, krb_get_default_realm(), REALM_SZ); /* Wild guess */ - } - return ret_realm; -} diff --git a/kerberosIV/krb/getst.c b/kerberosIV/krb/getst.c deleted file mode 100644 index eabc891386f..00000000000 --- a/kerberosIV/krb/getst.c +++ /dev/null 
@@ -1,58 +0,0 @@ -/* $OpenBSD: getst.c,v 1.5 1998/02/25 15:51:16 art Exp $ */ -/* $KTH: getst.c,v 1.6 1997/03/23 03:53:11 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * getst() takes a file descriptor, a string and a count. It reads - * from the file until either it has read "count" characters, or until - * it reads a null byte. 
When finished, what has been read exists in - * the given string "s". If "count" characters were actually read, the - * last is changed to a null, so the returned string is always null- - * terminated. getst() returns the number of characters read, including - * the null terminator. - */ - -int -getst(int fd, char *s, int n) -{ - int count = n; - while (read(fd, s, 1) > 0 && --count) - if (*s++ == '\0') - return (n - count); - *s = '\0'; - return (n - count); -} diff --git a/kerberosIV/krb/k_concat.c b/kerberosIV/krb/k_concat.c deleted file mode 100644 index 341bc19d71d..00000000000 --- a/kerberosIV/krb/k_concat.c +++ /dev/null 
@@ -1,118 +0,0 @@ -/* $OpenBSD: k_concat.c,v 1.2 1997/12/09 07:57:20 art Exp $ */ -/* $KTH: k_concat.c,v 1.5 1997/05/02 08:56:39 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -int -k_concat (char *s, size_t len, ...) -{ - int ret; - va_list args; - - va_start(args, len); - ret = k_vconcat (s, len, args); - va_end(args); - return ret; -} - -int -k_vconcat (char *s, size_t len, va_list args) -{ - const char *a; - - while ((a = va_arg(args, const char*))) { - size_t n = strlen (a); - - if (n >= len) - return -1; - strncpy (s, a, n); - s += n; - len -= n; - } - *s = '\0'; - return 0; -} - -size_t -k_vmconcat (char **s, size_t max_len, va_list args) -{ - const char *a; - char *p, *q; - size_t len = 0; - *s = NULL; - p = malloc(1); - if(p == NULL) - return 0; - *p = 0; - len = 1; - while ((a = va_arg(args, const char*))) { - size_t n = strlen (a); - - if(max_len && len + n > max_len){ - free(p); - p = NULL; - return 0; - } - q = realloc(p, len + n); - if(q == NULL){ - free(p); - p = NULL; - return 0; - } - p = q; - len += n; - strcat(p, a); - } - *s = p; - return len; -} - -size_t -k_mconcat (char **s, size_t max_len, ...) -{ - int ret; - va_list args; - - va_start(args, max_len); - ret = k_vmconcat (s, max_len, args); - va_end(args); - return ret; -} diff --git a/kerberosIV/krb/k_getport.c b/kerberosIV/krb/k_getport.c deleted file mode 100644 index a1f691f2155..00000000000 --- a/kerberosIV/krb/k_getport.c +++ /dev/null 
@@ -1,58 +0,0 @@ -/* $OpenBSD: k_getport.c,v 1.2 1997/12/09 07:57:21 art Exp $ */ -/* $KTH: k_getport.c,v 1.10 1997/04/01 08:18:30 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -int -k_getportbyname (const char *service, const char *proto, int default_port) -{ - struct servent *sp; - - sp = getservbyname(service, proto); - if(sp != NULL) - return sp->s_port; - - krb_warning ("%s/%s unknown service, using default port %d\n", - service, proto ? proto : "*", ntohs(default_port)); - return default_port; -} - - diff --git a/kerberosIV/krb/k_getsockinst.c b/kerberosIV/krb/k_getsockinst.c deleted file mode 100644 index f36c3264b3e..00000000000 --- a/kerberosIV/krb/k_getsockinst.c +++ /dev/null 
@@ -1,77 +0,0 @@ -/* $OpenBSD: k_getsockinst.c,v 1.2 1997/12/09 07:57:22 art Exp $ */ -/* $KTH: k_getsockinst.c,v 1.10 1997/05/02 14:29:17 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * Return in inst the name of the local interface bound to socket - * fd. On Failure return the 'wildcard' instance "*". - */ - -int -k_getsockinst(int fd, char *inst, size_t inst_size) -{ - struct sockaddr_in addr; - int len = sizeof(addr); - struct hostent *hnam; - - if (inst == NULL) - return -1; - - if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0) - goto fail; - - hnam = gethostbyaddr((char *)&addr.sin_addr, - sizeof(addr.sin_addr), - addr.sin_family); - if (hnam == 0) - goto fail; - - strncpy (inst, hnam->h_name, inst_size); - inst[inst_size - 1] = '\0'; - k_ricercar(inst); /* Canonicalize name */ - return 0; /* Success */ - - fail: - inst[0] = '*'; - inst[1] = 0; - return -1; -} diff --git a/kerberosIV/krb/k_localtime.c b/kerberosIV/krb/k_localtime.c deleted file mode 100644 index 36f26df2b2a..00000000000 --- a/kerberosIV/krb/k_localtime.c +++ /dev/null 
@@ -1,49 +0,0 @@ -/* $OpenBSD: k_localtime.c,v 1.3 1997/12/09 07:57:22 art Exp $ */ -/* $KTH: k_localtime.c,v 1.7 1997/04/01 08:18:31 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -struct tm *k_localtime(u_int32_t *tp) -{ - time_t t; - t = *tp; - return localtime(&t); -} diff --git a/kerberosIV/krb/kdc_reply.c b/kerberosIV/krb/kdc_reply.c deleted file mode 100644 index a8e988fd103..00000000000 --- a/kerberosIV/krb/kdc_reply.c +++ /dev/null 
@@ -1,137 +0,0 @@ -/* $OpenBSD: kdc_reply.c,v 1.3 1998/05/18 00:53:46 art Exp $ */ -/* $KTH: kdc_reply.c,v 1.10 1998/03/19 15:45:28 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -static int little_endian; /* XXX ugly */ - -int -kdc_reply_cred(KTEXT cip, CREDENTIALS *cred) -{ - unsigned char *p = cip->dat; - - if (cred == NULL || p == NULL) - return KFAILURE; - - memcpy(cred->session, p, 8); - p += 8; - - if(p + strlen((char*)p) > cip->dat + cip->length) - return INTK_BADPW; - p += krb_get_string(p, cred->service); - - if(p + strlen((char*)p) > cip->dat + cip->length) - return INTK_BADPW; - p += krb_get_string(p, cred->instance); - - if(p + strlen((char*)p) > cip->dat + cip->length) - return INTK_BADPW; - p += krb_get_string(p, cred->realm); - - if(p + 3 > cip->dat + cip->length) - return INTK_BADPW; - cred->lifetime = *p++; - cred->kvno = *p++; - cred->ticket_st.length = *p++; - - if(p + cred->ticket_st.length + 4 > cip->dat + cip->length) - return INTK_BADPW; - memcpy(cred->ticket_st.dat, p, cred->ticket_st.length); - p += cred->ticket_st.length; - - p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, little_endian); - - return KSUCCESS; -} - -int -kdc_reply_cipher(KTEXT reply, KTEXT cip) -{ - unsigned char *p; - unsigned char pvno; - unsigned char type; - - char aname[ANAME_SZ]; - char inst[INST_SZ]; - char realm[REALM_SZ]; - - u_int32_t kdc_time; - u_int32_t exp_date; - u_int32_t clen; - - p = reply->dat; - - pvno = *p++; - - if (pvno != KRB_PROT_VERSION ) - return INTK_PROT; - - type = *p++; - little_endian = type & 1; - - type &= ~1; - - if(type == AUTH_MSG_ERR_REPLY){ - 
u_int32_t code; - p += strlen((char*)p) + 1; /* name */ - p += strlen((char*)p) + 1; /* instance */ - p += strlen((char*)p) + 1; /* realm */ - p += 4; /* time */ - p += krb_get_int(p, &code, 4, little_endian); - if(code == 0) - code = KFAILURE; /* things will go bad otherwise */ - return code; - } - if(type != AUTH_MSG_KDC_REPLY) - return INTK_PROT; - - p += krb_get_nir(p, aname, inst, realm); - p += krb_get_int(p, &kdc_time, 4, little_endian); - p++; /* number of tickets */ - p += krb_get_int(p, &exp_date, 4, little_endian); - p++; /* master key version number */ - p += krb_get_int(p, &clen, 2, little_endian); - cip->length = clen; - memcpy(cip->dat, p, clen); - p += clen; - - return KSUCCESS; -} diff --git a/kerberosIV/krb/kerberos.3 b/kerberosIV/krb/kerberos.3 deleted file mode 100644 index 996b76f6b5b..00000000000 --- a/kerberosIV/krb/kerberos.3 +++ /dev/null 
@@ -1,482 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. 
-.\" -.\" $OpenBSD: kerberos.3,v 1.4 1998/02/25 15:51:18 art Exp $ -.TH KERBEROS 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, krb_get_cred, -krb_mk_priv, krb_rd_priv, krb_mk_safe, krb_rd_safe, krb_mk_err, -krb_rd_err, krb_ck_repl \- Kerberos authentication library -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/des.h> -#include <kerberosIV/krb.h> -.PP -.ft B -extern char *krb_err_txt[]; -.PP -.ft B -int krb_mk_req(authent,service,instance,realm,checksum) -KTEXT authent; -char *service; -char *instance; -char *realm; -u_long checksum; -.PP -.ft B -int krb_rd_req(authent,service,instance,from_addr,ad,fn) -KTEXT authent; -char *service; -char *instance; -u_long from_addr; -AUTH_DAT *ad; -char *fn; -.PP -.ft B -int krb_kntoln(ad,lname) -AUTH_DAT *ad; -char *lname; -.PP -.ft B -int krb_set_key(key,cvt) -char *key; -int cvt; -.PP -.ft B -int krb_get_cred(service,instance,realm,c) -char *service; -char *instance; -char *realm; -CREDENTIALS *c; -.PP -.ft B -long krb_mk_priv(in,out,in_length,schedule,key,sender,receiver) -u_char *in; -u_char *out; -u_long in_length; -des_cblock key; -des_key_schedule schedule; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -.PP -.ft B -long krb_rd_priv(in,in_length,schedule,key,sender,receiver,msg_data) -u_char *in; -u_long in_length; -Key_schedule schedule; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -MSG_DAT *msg_data; -.PP -.ft B -long krb_mk_safe(in,out,in_length,key,sender,receiver) -u_char *in; -u_char *out; -u_long in_length; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -.PP -.ft B -long krb_rd_safe(in,length,key,sender,receiver,msg_data) -u_char *in; -u_long length; -des_cblock key; -struct sockaddr_in *sender; -struct sockaddr_in *receiver; -MSG_DAT *msg_data; -.PP -.ft B -long krb_mk_err(out,code,string) -u_char *out; -long code; -char *string; -.PP -.ft B -long 
krb_rd_err(in,length,code,msg_data) -u_char *in; -u_long length; -long code; -MSG_DAT *msg_data; -.fi -.ft R -.SH DESCRIPTION -This library supports network authentication and various related -operations. The library contains many routines beyond those described -in this man page, but they are not intended to be used directly. -Instead, they are called by the routines that are described, the -authentication server and the login program. -.PP -.I krb_err_txt[] -contains text string descriptions of various Kerberos error codes returned -by some of the routines below. -.PP -.I krb_mk_req -takes a pointer to a text structure in which an authenticator is to be -built. It also takes the name, instance, and realm of the service to be -used and an optional checksum. It is up to the application to decide -how to generate the checksum. -.I krb_mk_req -then retrieves a ticket for the desired service and creates an -authenticator. The authenticator is built in -.I authent -and is accessible -to the calling procedure. -.PP -It is up to the application to get the authenticator to the service -where it will be read by -.I krb_rd_req. -Unless an attacker posesses the session key contained in the ticket, it -will be unable to modify the authenticator. Thus, the checksum can be -used to verify the authenticity of the other data that will pass through -a connection. -.PP -.I krb_rd_req -takes an authenticator of type -.B KTEXT, -a service name, an instance, the address of the -host originating the request, and a pointer to a structure of type -.B AUTH_DAT -which is filled in with information obtained from the authenticator. -It also optionally takes the name of the file in which it will find the -secret key(s) for the service. -If the supplied -.I instance -contains "*", then the first service key with the same service name -found in the service key file will be used, and the -.I instance -argument will be filled in with the chosen instance. 
This means that -the caller must provide space for such an instance name. -.PP -It is used to find out information about the principal when a request -has been made to a service. It is up to the application protocol to get -the authenticator from the client to the service. The authenticator is -then passed to -.I krb_rd_req -to extract the desired information. -.PP -.I krb_rd_req -returns zero (RD_AP_OK) upon successful authentication. If a packet was -forged, modified, or replayed, authentication will fail. If the -authentication fails, a non-zero value is returned indicating the -particular problem encountered. See -.I krb.h -for the list of error codes. -.PP -If the last argument is the null string (""), krb_rd_req will use the -file /etc/srvtab to find its keys. If the last argument is NULL, it -will assume that the key has been set by -.I krb_set_key -and will not bother looking further. -.PP -.I krb_kntoln -converts a Kerberos name to a local name. It takes a structure -of type AUTH_DAT and uses the name and instance to look in the database -/etc/aname to find the corresponding local name. The local name is -returned and can be used by an application to change uids, directories, -or other parameters. It is not an integral part of Kerberos, but is -instead provided to support the use of Kerberos in existing utilities. -.PP -.I krb_set_key -takes as an argument a des key. It then creates -a key schedule from it and saves the original key to be used as an -initialization vector. -It is used to set the server's key which -must be used to decrypt tickets. -.PP -If called with a non-zero second argument, -.I krb_set_key -will first convert the input from a string of arbitrary length to a DES -key by encrypting it with a one-way function. -.PP -In most cases it should not be necessary to call -.I krb_set_key. -The necessary keys will usually be obtained and set inside -.I krb_rd_req. 
krb_set_key -is provided for those applications that do not wish to place the -application keys on disk. -.PP -.I krb_get_cred -searches the caller's ticket file for a ticket for the given service, instance, -and realm; and, if a ticket is found, fills in the given CREDENTIALS structure -with the ticket information. -.PP -If the ticket was found, -.I krb_get_cred -returns GC_OK. -If the ticket file can't be found, can't be read, doesn't belong to -the user (other than root), isn't a regular file, or is in the wrong -mode, the error GC_TKFIL is returned. -.PP -.I krb_mk_priv -creates an encrypted, authenticated -message from any arbitrary application data, pointed to by -.I in -and -.I in_length -bytes long. -The private session key, pointed to by -.I key -and the key schedule, -.I schedule, -are used to encrypt the data and some header information using -.I pcbc_encrypt. -.I sender -and -.I receiver -point to the Internet address of the two parties. -In addition to providing privacy, this protocol message protects -against modifications, insertions or replays. The encapsulated message and -header are placed in the area pointed to by -.I out -and the routine returns the length of the output, or -1 indicating -an error. -.PP -.I krb_rd_priv -decrypts and authenticates a received -.I krb_mk_priv -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -The private session key, pointed to by -.I key, -and the key schedule, -.I schedule, -are used to decrypt and verify the received message. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h. -The routine fills in the -.I app_data -field with a pointer to the decrypted application data, -.I app_length -with the length of the -.I app_data -field, -.I time_sec -and -.I time_5ms -with the timestamps in the message, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. 
(The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). The -.I hash -field returns a value useful as input to the -.I krb_ck_repl -routine. - -The routine returns zero if ok, or a Kerberos error code. Modified messages -and old messages cause errors, but it is up to the caller to -check the time sequence of messages, and to check against recently replayed -messages using -.I krb_ck_repl -if so desired. -.PP -.I krb_mk_safe -creates an authenticated, but unencrypted message from any arbitrary -application data, -pointed to by -.I in -and -.I in_length -bytes long. -The private session key, pointed to by -.I key, -is used to seed the -.I quad_cksum() -checksum algorithm used as part of the authentication. -.I sender -and -.I receiver -point to the Internet address of the two parties. -This message does not provide privacy, but does protect (via detection) -against modifications, insertions or replays. The encapsulated message and -header are placed in the area pointed to by -.I out -and the routine returns the length of the output, or -1 indicating -an error. -The authentication provided by this routine is not as strong as that -provided by -.I krb_mk_priv -or by computing the checksum using -.I cbc_cksum -instead, both of which authenticate via DES. -.PP - -.I krb_rd_safe -authenticates a received -.I krb_mk_safe -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -The private session key, pointed to by -.I key, -is used to seed the quad_cksum() routine as part of the authentication. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h . 
-The routine fills in these -.I MSG_DAT -fields: -the -.I app_data -field with a pointer to the application data, -.I app_length -with the length of the -.I app_data -field, -.I time_sec -and -.I time_5ms -with the timestamps in the message, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. -(The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). The -.I hash -field returns a value useful as input to the -.I krb_ck_repl -routine. - -The routine returns zero if ok, or a Kerberos error code. Modified messages -and old messages cause errors, but it is up to the caller to -check the time sequence of messages, and to check against recently replayed -messages using -.I krb_ck_repl -if so desired. -.PP -.I krb_mk_err -constructs an application level error message that may be used along -with -.I krb_mk_priv -or -.I krb_mk_safe. -.I out -is a pointer to the output buffer, -.I code -is an application specific error code, and -.I string -is an application specific error string. - -.PP -.I krb_rd_err -unpacks a received -.I krb_mk_err -message. -.I in -points to the beginning of the received message, whose length -is specified in -.I in_length. -.I code -is a pointer to a value to be filled in with the error -value provided by the application. -.I msg_data -is a pointer to a -.I MSG_DAT -struct, defined in -.I krb.h . -The routine fills in these -.I MSG_DAT -fields: the -.I app_data -field with a pointer to the application error text, -.I app_length -with the length of the -.I app_data -field, and -.I swap -with a 1 if the byte order of the receiver is different than that of -the sender. (The application must still determine if it is appropriate -to byte-swap application data; the Kerberos protocol fields are already taken -care of). - -The routine returns zero if the error message has been successfully received, -or a Kerberos error code. 
-.PP -The -.I KTEXT -structure is used to pass around text of varying lengths. It consists -of a buffer for the data, and a length. krb_rd_req takes an argument of this -type containing the authenticator, and krb_mk_req returns the -authenticator in a structure of this type. KTEXT itself is really a -pointer to the structure. The actual structure is of type KTEXT_ST. -.PP -The -.I AUTH_DAT -structure is filled in by krb_rd_req. It must be allocated before -calling krb_rd_req, and a pointer to it is passed. The structure is -filled in with data obtained from Kerberos. -.I MSG_DAT -structure is filled in by either krb_rd_priv, krb_rd_safe, or -krb_rd_err. It must be allocated before the call and a pointer to it -is passed. The structure is -filled in with data obtained from Kerberos. -.PP -.SH FILES -/usr/include/kerberosIV/krb.h -.br -/usr/lib/libkrb.a -.br -/usr/include/kerberosIV/des.h -.br -/usr/lib/libdes.a -.br -/etc/aname -.br -/etc/kerberosIV/srvtab -.br -/tmp/tkt[uid] -.SH "SEE ALSO" -kerberos(1), des_crypt(3) -.SH BUGS -The caller of -.I krb_rd_req, krb_rd_priv, and krb_rd_safe -must check time order and for replay attempts. -.I krb_ck_repl -is not implemented yet. -.SH AUTHORS -Clifford Neuman, MIT Project Athena -.br -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.SH RESTRICTIONS -COPYRIGHT 1985,1986,1989 Massachusetts Institute of Technology diff --git a/kerberosIV/krb/kntoln.c b/kerberosIV/krb/kntoln.c deleted file mode 100644 index 89df8a53a51..00000000000 --- a/kerberosIV/krb/kntoln.c +++ /dev/null 
@@ -1,206 +0,0 @@ -/* $OpenBSD: kntoln.c,v 1.7 1998/05/17 13:53:48 art Exp $ */ -/* $KTH: kntoln.c,v 1.8 1997/12/11 15:00:11 bg Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * krb_kntoln converts an auth name into a local name by looking up - * the auth name in the /etc/aname file. 
The format of the aname - * file is: - * - * +-----+-----+-----+-----+------+----------+-------+-------+ - * | anl | inl | rll | lnl | name | instance | realm | lname | - * +-----+-----+-----+-----+------+----------+-------+-------+ - * | 1by | 1by | 1by | 1by | name | instance | realm | lname | - * +-----+-----+-----+-----+------+----------+-------+-------+ - * - * If the /etc/aname file can not be opened it will set the - * local name to the auth name. Thus, in this case it performs as - * the identity function. - * - * The name instance and realm are passed to krb_kntoln through - * the AUTH_DAT structure (ad). - * - * Now here's what it *really* does: - * - * Given a Kerberos name in an AUTH_DAT structure, check that the - * instance is null, and that the realm is the same as the local - * realm, and return the principal's name in "lname". Return - * KSUCCESS if all goes well, otherwise KFAILURE. - */ - -#include "krb_locl.h" - -int -krb_kntoln(AUTH_DAT *ad, char *lname) -{ - static char lrealm[REALM_SZ] = ""; - - if (ad == NULL || lname == NULL) - return KFAILURE; - - if (!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE)) - return(KFAILURE); - - if (strcmp(ad->pinst, "")) - return(KFAILURE); - if (strcmp(ad->prealm, lrealm)) - return(KFAILURE); - strncpy(lname, ad->pname, ANAME_SZ); - lname[ANAME_SZ-1] = '\0'; - return(KSUCCESS); -} - -#if 0 -/* Posted to usenet by "Derrick J. Brashear" <shadow+@andrew.cmu.edu> */ - -#include <krb.h> -#include <ndbm.h> -#include <stdio.h> -#include <sys/file.h> -#include <strings.h> -#include <sys/syslog.h> -#include <sys/errno.h> - -extern int errno; -/* - * antoln converts an authentication name into a local name by looking up - * the authentication name in the /etc/aname dbm database. - * - * If the /etc/aname file can not be opened it will set the - * local name to the principal name. Thus, in this case it performs as - * the identity function. 
- * - * The name instance and realm are passed to antoln through - * the AUTH_DAT structure (ad). - */ - -static char lrealm[REALM_SZ] = ""; - -int -an_to_ln(AUTH_DAT *ad, - char *lname) -{ - static DBM *aname = NULL; - char keyname[ANAME_SZ+INST_SZ+REALM_SZ+2]; - - if(!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE)) - return(KFAILURE); - - if((strcmp(ad->pinst,"") && strcmp(ad->pinst,"root")) || -strcmp(ad->prealm,lrealm)) { - datum val; - datum key; - /* - * Non-local name (or) non-null and non-root instance. - * Look up in dbm file. - */ - if (!aname) { - if ((aname = dbm_open("/etc/aname", O_RDONLY, 0)) - == NULL) return (KFAILURE); - } - /* Construct dbm lookup key. */ - an_to_a(ad, keyname); - key.dptr = keyname; - key.dsize = strlen(keyname)+1; - flock(dbm_dirfno(aname), LOCK_SH); - val = dbm_fetch(aname, key); - flock(dbm_dirfno(aname), LOCK_UN); - if (!val.dptr) { - dbm_close(aname); - return(KFAILURE); - } - /* Got it! */ - strncpy(lname, val.dptr, ANAME_SZ); - lname[ANAME_SZ-1] = '\0'; - return(KSUCCESS); - } else{ - strncpy(lname, ad->pname, ANAME_SZ); - lname[ANAME_SZ-1] = '\0'; - } - return(KSUCCESS); -} - -int -an_to_a(AUTH_DAT *ad, - char *str) -{ - strncpy(str, ad->pname, ANAME_SZ); - str[ANAME_SZ-1] = '\0'; - if(*ad->pinst) { - strcat(str, "."); - strcat(str, ad->pinst); - } - strcat(str, "@"); - strcat(str, ad->prealm); -} - -/* - * Parse a string of the form "user[.instance][@realm]" - * into a struct AUTH_DAT. - */ -int -a_to_an(char *str, AUTH_DAT *ad) -{ - char *buf = (char *)malloc(strlen(str)+1); - char *rlm, *inst, *princ; - - if (buf == NULL) - return KFAILURE; - - if(!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE)) { - free(buf); - buf = NULL; - return(KFAILURE); - } - /* destructive string hacking is more fun.. 
*/ - strncpy(buf, str, strlen(str)+1); - buf[strlen(str)] = '\0'; - - if (rlm = index(buf, '@')) { - *rlm++ = '\0'; - } - if (inst = index(buf, '.')) { - *inst++ = '\0'; - } - strcpy(ad->pname, buf); - if(inst) strcpy(ad->pinst, inst); - else *ad->pinst = '\0'; - if (rlm) strcpy(ad->prealm, rlm); - else strcpy(ad->prealm, lrealm); - free(buf); - buf = NULL; - return(KSUCCESS); -} -#endif diff --git a/kerberosIV/krb/krb-archaeology.h b/kerberosIV/krb/krb-archaeology.h deleted file mode 100644 index a1bbbacf42d..00000000000 --- a/kerberosIV/krb/krb-archaeology.h +++ /dev/null 
@@ -1,157 +0,0 @@
-/* $OpenBSD: krb-archaeology.h,v 1.3 1998/02/25 15:51:20 art Exp $ */
-/* $KTH: krb-archaeology.h,v 1.2 1997/12/05 02:04:44 joda Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*
- * Most of the cruft in this file is probably:
- *
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#ifndef __KRB_ARCHAEOLOGY_H__
-#define __KRB_ARCHAEOLOGY_H__
-
-/* Compare x and y in VAX byte order, result is -1, 0 or 1.
*/
-
-#define krb_lsb_antinet_ulong_less(x, y) (((x) == (y)) ? 0 : krb_lsb_antinet_ulong_cmp(x, y))
-
-#define krb_lsb_antinet_ushort_less(x, y) (((x) == (y)) ? 0 : krb_lsb_antinet_ushort_cmp(x, y))
-
-int krb_lsb_antinet_ulong_cmp(u_int32_t x, u_int32_t y);
-int krb_lsb_antinet_ushort_cmp(u_int16_t x, u_int16_t y);
-u_int32_t lsb_time(time_t t, struct sockaddr_in *src, struct sockaddr_in *dst);
-
-/* Macro's to obtain various fields from a packet */
-
-#define pkt_version(packet) (unsigned int) *(packet->dat)
-#define pkt_msg_type(packet) (unsigned int) *(packet->dat+1)
-#define pkt_a_name(packet) (packet->dat+2)
-#define pkt_a_inst(packet) \
- (packet->dat+3+strlen((char *)pkt_a_name(packet)))
-#define pkt_a_realm(packet) \
- (pkt_a_inst(packet)+1+strlen((char *)pkt_a_inst(packet)))
-
-/* Macro to obtain realm from application request */
-#define apreq_realm(auth) (auth->dat + 3)
-
-#define pkt_time_ws(packet) (char *) \
- (packet->dat+5+strlen((char *)pkt_a_name(packet)) + \
- strlen((char *)pkt_a_inst(packet)) + \
- strlen((char *)pkt_a_realm(packet)))
-
-#define pkt_no_req(packet) (unsigned short) \
- *(packet->dat+9+strlen((char *)pkt_a_name(packet)) + \
- strlen((char *)pkt_a_inst(packet)) + \
- strlen((char *)pkt_a_realm(packet)))
-#define pkt_x_date(packet) (char *) \
- (packet->dat+10+strlen((char *)pkt_a_name(packet)) + \
- strlen((char *)pkt_a_inst(packet)) + \
- strlen((char *)pkt_a_realm(packet)))
-#define pkt_err_code(packet) ( (char *) \
- (packet->dat+9+strlen((char *)pkt_a_name(packet)) + \
- strlen((char *)pkt_a_inst(packet)) + \
- strlen((char *)pkt_a_realm(packet))))
-#define pkt_err_text(packet) \
- (packet->dat+13+strlen((char *)pkt_a_name(packet)) + \
- strlen((char *)pkt_a_inst(packet)) + \
- strlen((char *)pkt_a_realm(packet)))
-
-/*
- * macros for byte swapping; also scratch space
- * u_quad 0-->7, 1-->6, 2-->5, 3-->4, 4-->3, 5-->2, 6-->1, 7-->0
- * u_int32_t 0-->3, 1-->2, 2-->1, 3-->0
- * u_int16_t 0-->1, 1-->0
- */
-
-#define
swap_u_16(x) {\
- u_int32_t _krb_swap_tmp[4];\
- swab(((char *) x) +0, ((char *) _krb_swap_tmp) +14 ,2); \
- swab(((char *) x) +2, ((char *) _krb_swap_tmp) +12 ,2); \
- swab(((char *) x) +4, ((char *) _krb_swap_tmp) +10 ,2); \
- swab(((char *) x) +6, ((char *) _krb_swap_tmp) +8 ,2); \
- swab(((char *) x) +8, ((char *) _krb_swap_tmp) +6 ,2); \
- swab(((char *) x) +10,((char *) _krb_swap_tmp) +4 ,2); \
- swab(((char *) x) +12,((char *) _krb_swap_tmp) +2 ,2); \
- swab(((char *) x) +14,((char *) _krb_swap_tmp) +0 ,2); \
- memcpy(x, _krb_swap_tmp, 16);\
- }
-
-#define swap_u_12(x) {\
- u_int32_t _krb_swap_tmp[4];\
- swab(( char *) x, ((char *) _krb_swap_tmp) +10 ,2); \
- swab(((char *) x) +2, ((char *) _krb_swap_tmp) +8 ,2); \
- swab(((char *) x) +4, ((char *) _krb_swap_tmp) +6 ,2); \
- swab(((char *) x) +6, ((char *) _krb_swap_tmp) +4 ,2); \
- swab(((char *) x) +8, ((char *) _krb_swap_tmp) +2 ,2); \
- swab(((char *) x) +10,((char *) _krb_swap_tmp) +0 ,2); \
- memcpy(x, _krb_swap_tmp, 12);\
- }
-
-#define swap_C_Block(x) {\
- u_int32_t _krb_swap_tmp[4];\
- swab(( char *) x, ((char *) _krb_swap_tmp) +6 ,2); \
- swab(((char *) x) +2,((char *) _krb_swap_tmp) +4 ,2); \
- swab(((char *) x) +4,((char *) _krb_swap_tmp) +2 ,2); \
- swab(((char *) x) +6,((char *) _krb_swap_tmp) ,2); \
- memcpy(x, _krb_swap_tmp, 8);\
- }
-#define swap_u_quad(x) {\
- u_int32_t _krb_swap_tmp[4];\
- swab(( char *) &x, ((char *) _krb_swap_tmp) +6 ,2); \
- swab(((char *) &x) +2,((char *) _krb_swap_tmp) +4 ,2); \
- swab(((char *) &x) +4,((char *) _krb_swap_tmp) +2 ,2); \
- swab(((char *) &x) +6,((char *) _krb_swap_tmp) ,2); \
- memcpy(x, _krb_swap_tmp, 8);\
- }
-
-#define swap_u_long(x) {\
- u_int32_t _krb_swap_tmp[4];\
- swab((char *) &x, ((char *) _krb_swap_tmp) +2 ,2); \
- swab(((char *) &x) +2,((char *) _krb_swap_tmp),2); \
- x = _krb_swap_tmp[0]; \
- }
-
-#define swap_u_short(x) {\
- u_int16_t _krb_swap_sh_tmp; \
- swab((char *) &x, ( &_krb_swap_sh_tmp) ,2); \
- x = (u_int16_t) _krb_swap_sh_tmp; \
- }
-/* Kerberos ticket flag field bit definitions */
-#define K_FLAG_ORDER 0 /* bit 0 --> lsb */
-#define K_FLAG_1 /* reserved */
-#define K_FLAG_2 /* reserved */
-#define K_FLAG_3 /* reserved */
-#define K_FLAG_4 /* reserved */
-#define K_FLAG_5 /* reserved */
-#define K_FLAG_6 /* reserved */
-#define K_FLAG_7 /* reserved, bit 7 --> msb */
-
-#endif /* __KRB_ARCHAEOLOGY_H__ */
diff --git a/kerberosIV/krb/krb_check_auth.c b/kerberosIV/krb/krb_check_auth.c
deleted file mode 100644
index 47b8e546ef2..00000000000
--- a/kerberosIV/krb/krb_check_auth.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/* $OpenBSD: krb_check_auth.c,v 1.2 1997/12/09 07:57:23 art Exp $ */
-/* $KTH: krb_check_auth.c,v 1.4 1997/04/01 08:18:33 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb_locl.h"
-
-/*
- *
- * Receive an mutual-authenticator for a server in `packet', with
- * `checksum', `session', and `schedule' having the appropriate values
- * and return the data in `msg_data'.
- *
- * Return KSUCCESS if the received checksum is correct.
- *
- */
-
-int
-krb_check_auth(KTEXT packet,
- u_int32_t checksum,
- MSG_DAT *msg_data,
- des_cblock *session,
- struct des_ks_struct *schedule,
- struct sockaddr_in *laddr,
- struct sockaddr_in *faddr)
-{
- int ret;
- u_int32_t checksum2;
-
- ret = krb_rd_priv (packet->dat, packet->length, schedule, session, faddr,
- laddr, msg_data);
- if (ret != RD_AP_OK)
- return ret;
- if (msg_data->app_length != 4)
- return KFAILURE;
- krb_get_int (msg_data->app_data, &checksum2, 4, 0);
- if (checksum2 == checksum + 1)
- return KSUCCESS;
- else
- return KFAILURE;
-}
diff --git a/kerberosIV/krb/krb_equiv.c b/kerberosIV/krb/krb_equiv.c
deleted file mode 100644
index ccc3972a109..00000000000
--- a/kerberosIV/krb/krb_equiv.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/* $OpenBSD: krb_equiv.c,v 1.4 1997/12/09 07:57:24 art Exp $ */
-/* $KTH: krb_equiv.c,v 1.13 1997/04/01 08:18:33 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * int krb_equiv(u_int32_t ipaddr_a, u_int32_t ipaddr_b);
- *
- * Given two IP adresses return true if they match
- * or are considered to belong to the same host.
- *
- * For example if /etc/krb.equiv looks like
- *
- * 130.237.223.3 192.16.126.3 # alv alv1
- * 130.237.223.4 192.16.126.4 # byse byse1
- * 130.237.228.152 192.16.126.9 # topsy topsy1
- *
- * krb_equiv(alv, alv1) would return true but
- * krb_equiv(alv, byse1) would not.
- *
- * A comment starts with an '#' and ends with '\n'.
- *
- */
-#include "krb_locl.h"
-
-int krb_ignore_ip_address = 0;
-
-int
-krb_equiv(u_int32_t a, u_int32_t b)
-{
- FILE *fil;
- char line[256];
- int hit_a, hit_b;
- int iscomment;
-
- if (a == b) /* trivial match, also the common case */
- return 1;
-
- if (krb_ignore_ip_address)
- return 1; /* if we have decided not to compare */
-
- a = ntohl(a);
- b = ntohl(b);
-
- fil = fopen(KRB_EQUIV, "r");
- if (fil == NULL) /* open failed */
- return 0;
-
- hit_a = hit_b = 0;
- iscomment = 0;
- while (fgets(line, sizeof(line)-1, fil) != NULL) /* for each line */
- {
- char *t = line;
- int len = strlen(t);
-
- /* for each item on this line */
- while (*t != 0) /* more addresses on this line?
*/
- if (*t == '\n') {
- iscomment = hit_a = hit_b = 0;
- break;
- } else if (iscomment)
- t = line + len - 1;
- else if (*t == '#') { /* rest is comment */
- iscomment = 1;
- ++t;
- } else if (*t == '\\' ) /* continuation */
- break;
- else if (isspace(*t)) /* skip space */
- t++;
- else if (isdigit(*t)) /* an address? */
- {
- u_int32_t tmp;
- u_int32_t tmpa, tmpb, tmpc, tmpd;
-
- sscanf(t, "%d.%d.%d.%d", &tmpa, &tmpb, &tmpc, &tmpd);
- tmp = (tmpa << 24) | (tmpb << 16) | (tmpc << 8) | tmpd;
-
- while (*t == '.' || isdigit(*t)) /* done with this address */
- t++;
-
- if (tmp != -1) { /* an address (and not broadcast) */
- u_int32_t mask = (u_int32_t)~0;
-
- if (*t == '/') {
- ++t;
- mask <<= 32 - atoi(t);
-
- while(isdigit(*t))
- ++t;
- }
-
- if ((tmp & mask) == (a & mask))
- hit_a = 1;
- if ((tmp & mask) == (b & mask))
- hit_b = 1;
- if (hit_a && hit_b) {
- fclose(fil);
- return 1;
- }
- }
- }
- else
- ++t; /* garbage on this line, skip it */
-
- }
-
- fclose(fil);
- return 0;
-}
diff --git a/kerberosIV/krb/krb_err.et b/kerberosIV/krb/krb_err.et
deleted file mode 100644
index 850b31e491d..00000000000
--- a/kerberosIV/krb/krb_err.et
+++ /dev/null
@@ -1,117 +0,0 @@
-# This source code is no longer held under any constraint of USA\
-# `cryptographic laws' since it was exported legally. The cryptographic\
-# functions were removed from the code and a "Bones" distribution was\
-# made. A Commodity Jurisdiction Request #012-94 was filed with the\
-# USA State Department, who handed it to the Commerce department. The\
-# code was determined to fall under General License GTDA under ECCN 5D96G,\
-# and hence exportable. The cryptographic interfaces were re-added by Eric\
-# Young, and then KTH proceeded to maintain the code in the free world.
-#
-# Copyright 1987,1988 Massachusetts Institute of Technology
-#
-# Export of this software from the United States of America is assumed
-# to require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-#
-#
-# $KTH: krb_err.et,v 1.4 1996/10/27 13:30:28 bg Exp $
-# $OpenBSD: krb_err.et,v 1.5 1998/07/07 19:06:55 art Exp $
-#
-error_table krb
-
-ec KRBET_KSUCCESS, "Kerberos successful"
-ec KRBET_KDC_NAME_EXP, "Kerberos principal expired"
-ec KRBET_KDC_SERVICE_EXP, "Kerberos service expired"
-ec KRBET_KDC_AUTH_EXP, "Kerberos auth expired"
-ec KRBET_KDC_PKT_VER, "Incorrect kerberos master key version"
-ec KRBET_KDC_P_MKEY_VER, "Incorrect kerberos master key version"
-ec KRBET_KDC_S_MKEY_VER, "Incorrect kerberos master key version"
-ec KRBET_KDC_BYTE_ORDER, "Kerberos error: byte order unknown"
-ec KRBET_KDC_PR_UNKNOWN, "Kerberos principal unknown"
-ec KRBET_KDC_PR_N_UNIQUE, "Kerberos principal not unique"
-ec KRBET_KDC_NULL_KEY, "Kerberos principal has null key"
-ec KRBET_KRB_RES11, "Reserved 11"
-ec KRBET_KRB_RES12, "Reserved 12"
-ec KRBET_KRB_RES13, "Reserved 13"
-ec KRBET_KRB_RES14, "Reserved 14"
-ec KRBET_KRB_RES15, "Reserved 15"
-ec KRBET_KRB_RES16, "Reserved 16"
-ec KRBET_KRB_RES17, "Reserved 17"
-ec KRBET_KRB_RES18, "Reserved 18"
-ec KRBET_KRB_RES19, "Reserved 19"
-ec KRBET_KDC_GEN_ERR, "Generic error from Kerberos KDC"
-ec KRBET_GC_TKFIL, "Can't read Kerberos ticket file"
-ec KRBET_GC_NOTKT, "Can't find Kerberos ticket or TGT"
-ec KRBET_KRB_RES23, "Reserved 23"
-ec KRBET_KRB_RES24, "Reserved 24"
-ec KRBET_KRB_RES25, "Reserved 25"
-ec KRBET_MK_AP_TGTEXP, "Kerberos TGT Expired"
-ec KRBET_KRB_RES27, "Reserved 27"
-ec KRBET_KRB_RES28, "Reserved 28"
-ec KRBET_KRB_RES29, "Reserved 29"
-ec KRBET_KRB_RES30, "Reserved 30"
-ec KRBET_RD_AP_UNDEC, "Kerberos error: Can't decode authenticator"
-ec KRBET_RD_AP_EXP, "Kerberos ticket expired"
-ec KRBET_RD_AP_NYV, "Kerberos ticket not yet valid"
-ec KRBET_RD_AP_REPEAT, "Kerberos error: Repeated request"
-ec KRBET_RD_AP_NOT_US, "The kerberos ticket isn't for us"
-ec KRBET_RD_AP_INCON, "Kerberos request inconsistent"
-ec KRBET_RD_AP_TIME, "Kerberos error: delta_t too big"
-ec KRBET_RD_AP_BADD, "Kerberos error: incorrect net
address"
-ec KRBET_RD_AP_VERSION, "Kerberos protocol version mismatch"
-ec KRBET_RD_AP_MSG_TYPE, "Kerberos error: invalid msg type"
-ec KRBET_RD_AP_MODIFIED, "Kerberos error: message stream modified"
-ec KRBET_RD_AP_ORDER, "Kerberos error: message out of order"
-ec KRBET_RD_AP_UNAUTHOR, "Kerberos error: unauthorized request"
-ec KRBET_KRB_RES44, "Reserved 44"
-ec KRBET_KRB_RES45, "Reserved 45"
-ec KRBET_KRB_RES46, "Reserved 46"
-ec KRBET_KRB_RES47, "Reserved 47"
-ec KRBET_KRB_RES48, "Reserved 48"
-ec KRBET_KRB_RES49, "Reserved 49"
-ec KRBET_KRB_RES50, "Reserved 50"
-ec KRBET_GT_PW_NULL, "Kerberos error: current PW is null"
-ec KRBET_GT_PW_BADPW, "Kerberos error: Incorrect current password"
-ec KRBET_GT_PW_PROT, "Kerberos protocol error"
-ec KRBET_GT_PW_KDCERR, "Error returned by Kerberos KDC"
-ec KRBET_GT_PW_NULLTKT, "Null Kerberos ticket returned by KDC"
-ec KRBET_SKDC_RETRY, "Kerberos error: Retry count exceeded"
-ec KRBET_SKDC_CANT, "Kerberos error: Can't send request"
-ec KRBET_KRB_RES58, "Reserved 58"
-ec KRBET_KRB_RES59, "Reserved 59"
-ec KRBET_KRB_RES60, "Reserved 60"
-ec KRBET_INTK_W_NOTALL, "Kerberos error: not all tickets returned"
-ec KRBET_INTK_BADPW, "Kerberos error: incorrect password"
-ec KRBET_INTK_PROT, "Kerberos error: Protocol Error"
-ec KRBET_KRB_RES64, "Reserved 64"
-ec KRBET_KRB_RES65, "Reserved 65"
-ec KRBET_KRB_RES66, "Reserved 66"
-ec KRBET_KRB_RES67, "Reserved 67"
-ec KRBET_KRB_RES68, "Reserved 68"
-ec KRBET_KRB_RES69, "Reserved 69"
-ec KRBET_INTK_ERR, "Other error"
-ec KRBET_AD_NOTGT, "Don't have Kerberos ticket-granting ticket"
-ec KRBET_KRB_RES72, "Reserved 72"
-ec KRBET_KRB_RES73, "Reserved 73"
-ec KRBET_KRB_RES74, "Reserved 74"
-ec KRBET_KRB_RES75, "Reserved 75"
-ec KRBET_NO_TKT_FIL, "No ticket file found"
-ec KRBET_TKT_FIL_ACC, "Couldn't access ticket file"
-ec KRBET_TKT_FIL_LCK, "Couldn't lock ticket file"
-ec KRBET_TKT_FIL_FMT, "Bad ticket file format"
-ec KRBET_TKT_FIL_INI, "tf_init not called first"
-ec KRBET_KNAME_FMT, "Bad
Kerberos name format"
-end
-
diff --git a/kerberosIV/krb/krb_err_txt.c b/kerberosIV/krb/krb_err_txt.c
deleted file mode 100644
index c8c2fcd97a4..00000000000
--- a/kerberosIV/krb/krb_err_txt.c
+++ /dev/null
@@ -1,313 +0,0 @@
-/* $OpenBSD: krb_err_txt.c,v 1.6 1998/05/18 00:53:47 art Exp $ */
-/* $KTH: krb_err_txt.c,v 1.13 1998/01/31 08:11:52 joda Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "krb_locl.h"
-
-
-/*
- * This file contains an array of error text strings.
- * The associated error codes (which are defined in "krb.h")
- * follow the string in the comments at the end of each line.
- */
-
-const char *krb_err_txt[256] = {
- "OK", /* 000 */
- "Principal expired (kerberos)", /* 001 */
- "Service expired (kerberos)", /* 002 */
- "Authentication expired (kerberos)", /* 003 */
- "Unknown protocol version number (kerberos)", /* 004 */
- "Principal: Incorrect master key version (kerberos)", /* 005 */
- "Service: Incorrect master key version (kerberos)", /* 006 */
- "Bad byte order (kerberos)", /* 007 */
- "Principal unknown (kerberos)", /* 008 */
- "Principal not unique (kerberos)", /* 009 */
- "Principal has null key (kerberos)", /* 010 */
- "Timeout in request (kerberos)", /* 011 */
- "Reserved error message 12 (kerberos)", /* 012 */
- "Reserved error message 13 (kerberos)", /* 013 */
- "Reserved error message 14 (kerberos)", /* 014 */
- "Reserved error message 15 (kerberos)", /* 015 */
- "Reserved error message 16 (kerberos)", /* 016 */
- "Reserved error message 17 (kerberos)", /* 017 */
- "Reserved error message 18 (kerberos)", /* 018 */
- "Reserved error message 19 (kerberos)", /* 019 */
- "Permission Denied (kerberos)", /* 020 */
- "Can't read ticket file (krb_get_cred)", /* 021 */
- "Can't find ticket (krb_get_cred)", /* 022 */
- "Reserved error message 23 (krb_get_cred)", /* 023 */
- "Reserved error message 24 (krb_get_cred)", /* 024 */
- "Reserved error message 25 (krb_get_cred)", /* 025 */
- "Ticket granting ticket expired (krb_mk_req)", /* 026 */
- "Reserved error message 27 (krb_mk_req)", /* 027 */
- "Reserved error message 28 (krb_mk_req)", /* 028 */
- "Reserved error message 29 (krb_mk_req)", /* 029 */
- "Reserved error message 30 (krb_mk_req)", /* 030 */
- "Can't decode authenticator (krb_rd_req)", /* 031 */
- "Ticket expired (krb_rd_req)", /* 032 */
- "Ticket issue date too far in the future (krb_rd_req)",/* 033 */
- "Repeat request (krb_rd_req)", /* 034 */
- "Ticket for wrong server (krb_rd_req)", /* 035 */
- "Request inconsistent (krb_rd_req)", /* 036 */
- "Time is out of bounds (krb_rd_req)", /* 037 */
- "Incorrect network address
(krb_rd_req)", /* 038 */
- "Protocol version mismatch (krb_rd_req)", /* 039 */
- "Invalid message type (krb_rd_req)", /* 040 */
- "Message integrity error (krb_rd_req)", /* 041 */
- "Message duplicate or out of order (krb_rd_req)", /* 042 */
- "Unauthorized request (krb_rd_req)", /* 043 */
- "Reserved error message 44 (krb_rd_req)", /* 044 */
- "Reserved error message 45 (krb_rd_req)", /* 045 */
- "Reserved error message 46 (krb_rd_req)", /* 046 */
- "Reserved error message 47 (krb_rd_req)", /* 047 */
- "Reserved error message 48 (krb_rd_req)", /* 048 */
- "Reserved error message 49 (krb_rd_req)", /* 049 */
- "Reserved error message 50 (krb_rd_req)", /* 050 */
- "Current password is NULL (get_pw_tkt)", /* 051 */
- "Current password incorrect (get_pw_tkt)", /* 052 */
- "Protocol error (gt_pw_tkt)", /* 053 */
- "Error returned by KDC (gt_pw_tkt)", /* 054 */
- "Null ticket returned by KDC (gt_pw_tkt)", /* 055 */
- "Retry count exceeded (send_to_kdc)", /* 056 */
- "Can't send request (send_to_kdc)", /* 057 */
- "Reserved error message 58 (send_to_kdc)", /* 058 */
- "Reserved error message 59 (send_to_kdc)", /* 059 */
- "Reserved error message 60 (send_to_kdc)", /* 060 */
- "Warning: Not ALL tickets returned", /* 061 */
- "Password incorrect", /* 062 */
- "Protocol error (get_in_tkt)", /* 063 */
- "Reserved error message 64 (get_in_tkt)", /* 064 */
- "Reserved error message 65 (get_in_tkt)", /* 065 */
- "Reserved error message 66 (get_in_tkt)", /* 066 */
- "Reserved error message 67 (get_in_tkt)", /* 067 */
- "Reserved error message 68 (get_in_tkt)", /* 068 */
- "Reserved error message 69 (get_in_tkt)", /* 069 */
- "Generic error (get_in_tkt)(can't write ticket file)", /* 070 */
- "Don't have ticket granting ticket (get_ad_tkt)", /* 071 */
- "Can't get inter-realm ticket granting ticket (get_ad_tkt)", /* 072 */
- "Reserved error message 73 (get_ad_tkt)", /* 073 */
- "Reserved error message 74 (get_ad_tkt)", /* 074 */
- "Reserved error message 75 (get_ad_tkt)", /* 075 */
- "No ticket file (tf_util)", /* 076 */ - "Can't access ticket file (tf_util)", /* 077 */ - "Can't lock ticket file; try later (tf_util)", /* 078 */ - "Bad ticket file format (tf_util)", /* 079 */ - "Read ticket file before tf_init (tf_util)", /* 080 */ - "Bad Kerberos name format (kname_parse)", /* 081 */ - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - 
"(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "(reserved)", - "Generic kerberos error (kfailure)", /* 255 */ -}; - -static const char err_failure[] = "Unknown error code passed (krb_get_err_text)"; - -const char * -krb_get_err_text(int code) -{ - if(code < 0 || code >= MAX_KRB_ERRORS) - return err_failure; - return krb_err_txt[code]; -} diff --git a/kerberosIV/krb/krb_get_in_tkt.c b/kerberosIV/krb/krb_get_in_tkt.c deleted file mode 100644 index 327bc3f3d0f..00000000000 --- a/kerberosIV/krb/krb_get_in_tkt.c +++ /dev/null 
@@ -1,197 +0,0 @@ -/* $OpenBSD: krb_get_in_tkt.c,v 1.6 1998/07/07 19:06:57 art Exp $ */ -/* $KTH: krb_get_in_tkt.c,v 1.25 1998/05/01 05:18:08 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * decrypt_tkt(): Given user, instance, realm, passwd, key_proc - * and the cipher text sent from the KDC, decrypt the cipher text - * using the key returned by key_proc. - */ - -static int -decrypt_tkt(char *user, char *instance, char *realm, - void *arg, key_proc_t key_proc, KTEXT *cip) -{ - des_cblock key; /* Key for decrypting cipher */ - int ret; - - ret = key_proc(user, instance, realm, arg, &key); - if (ret != 0) - return ret; - - encrypt_ktext(*cip, &key, DES_DECRYPT); - - memset(&key, 0, sizeof(key)); - return 0; -} - -/* - * krb_get_in_tkt() gets a ticket for a given principal to use a given - * service and stores the returned ticket and session key for future - * use. - * - * The "user", "instance", and "realm" arguments give the identity of - * the client who will use the ticket. The "service" and "sinstance" - * arguments give the identity of the server that the client wishes - * to use. (The realm of the server is the same as the Kerberos server - * to whom the request is sent.) The "life" argument indicates the - * desired lifetime of the ticket; the "key_proc" argument is a pointer - * to the routine used for getting the client's private key to decrypt - * the reply from Kerberos. The "decrypt_proc" argument is a pointer - * to the routine used to decrypt the reply from Kerberos; and "arg" - * is an argument to be passed on to the "key_proc" routine. 
- * - * If all goes well, krb_get_in_tkt() returns INTK_OK, otherwise it - * returns an error code: If an AUTH_MSG_ERR_REPLY packet is returned - * by Kerberos, then the error code it contains is returned. Other - * error codes returned by this routine include INTK_PROT to indicate - * wrong protocol version, INTK_BADPW to indicate bad password (if - * decrypted ticket didn't make sense), INTK_ERR if the ticket was for - * the wrong server or the ticket store couldn't be initialized. - * - * The format of the message sent to Kerberos is as follows: - * - * Size Variable Field - * ---- -------- ----- - * - * 1 byte KRB_PROT_VERSION protocol version number - * 1 byte AUTH_MSG_KDC_REQUEST | message type - * HOST_BYTE_ORDER local byte order in lsb - * string user client's name - * string instance client's instance - * string realm client's realm - * 4 bytes tlocal.tv_sec timestamp in seconds - * 1 byte life desired lifetime - * string service service's name - * string sinstance service's instance - */ - -int -krb_mk_as_req(char *user, char *instance, char *realm, - char *service, char *sinstance, int life, KTEXT cip) -{ - KTEXT_ST pkt_st; - KTEXT pkt = &pkt_st; /* Packet to KDC */ - KTEXT_ST rpkt_st; - KTEXT rpkt = &rpkt_st; /* Reply from KDC */ - - int kerror; - struct timeval tv; - - /* BUILD REQUEST PACKET */ - - unsigned char *p = pkt->dat; - - p += krb_put_int(KRB_PROT_VERSION, p, 1); - p += krb_put_int(AUTH_MSG_KDC_REQUEST, p, 1); - - p += krb_put_nir(user, instance, realm, p); - - gettimeofday(&tv, NULL); - p += krb_put_int(tv.tv_sec, p, 4); - p += krb_put_int(life, p, 1); - - p += krb_put_nir(service, sinstance, NULL, p); - - pkt->length = p - pkt->dat; - - rpkt->length = 0; - - /* SEND THE REQUEST AND RECEIVE THE RETURN PACKET */ - - kerror = send_to_kdc(pkt, rpkt, realm); - if(kerror) return kerror; - kerror = kdc_reply_cipher(rpkt, cip); - return kerror; -} - -int -krb_decode_as_rep(char *user, char *instance, char *realm, - char *service, char *sinstance, - 
key_proc_t key_proc, decrypt_proc_t decrypt_proc, void *arg, - KTEXT as_rep, CREDENTIALS *cred) -{ - int kerror; - time_t now; - - if (decrypt_proc == NULL) - decrypt_proc = decrypt_tkt; - (*decrypt_proc)(user, instance, realm, arg, key_proc, &as_rep); - - kerror = kdc_reply_cred(as_rep, cred); - if(kerror != KSUCCESS) - return kerror; - - if (strcmp(cred->service, service) || - strcmp(cred->instance, sinstance) || - strcmp(cred->realm, realm)) /* not what we asked for */ - return INTK_ERR; /* we need a better code here XXX */ - - now = time(NULL); - if(krb_get_config_bool("kdc_timesync")) - krb_set_kdc_time_diff(cred->issue_date - now); - else if (abs((int)(now - cred->issue_date)) > CLOCK_SKEW) - return RD_AP_TIME; /* XXX should probably be better code */ - - return 0; -} - -int -krb_get_in_tkt(char *user, char *instance, char *realm, - char *service, char *sinstance, int life, - key_proc_t key_proc, decrypt_proc_t decrypt_proc, void *arg) -{ - KTEXT_ST as_rep; - CREDENTIALS cred; - int ret; - - ret = krb_mk_as_req(user, instance, realm, - service, sinstance, life, &as_rep); - if(ret) - return ret; - ret = krb_decode_as_rep(user, instance, realm, service, sinstance, - key_proc, decrypt_proc, arg, &as_rep, &cred); - if(ret) - return ret; - - return tf_setup(&cred, user, instance); -} diff --git a/kerberosIV/krb/krb_locl.h b/kerberosIV/krb/krb_locl.h deleted file mode 100644 index 618cfb5e10e..00000000000 --- a/kerberosIV/krb/krb_locl.h +++ /dev/null 
@@ -1,148 +0,0 @@ -/* $OpenBSD: krb_locl.h,v 1.7 1998/11/28 23:41:02 art Exp $ */ -/* $KTH: krb_locl.h,v 1.48 1998/04/04 17:56:49 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifndef __krb_locl_h -#define __krb_locl_h - -#include <sys/cdefs.h> -#include <kerberosIV/site.h> - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <assert.h> -#include <stdarg.h> - -#include <errno.h> - -#include <pwd.h> -#include <unistd.h> -#include <sys/types.h> -#include <sys/time.h> -#include <time.h> -#include <sys/time.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <sys/file.h> -#include <sys/select.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netdb.h> -#include <arpa/nameser.h> -#include <resolv.h> -#include <errno.h> - -#include <kerberosIV/krb.h> -#include <kerberosIV/prot.h> - -#include "resolve.h" -#include "krb_log.h" - -/* --- */ - -/* Utils */ -int -krb_name_to_name __P(( - const char *host, - char *phost, - size_t phost_size)); - -void -encrypt_ktext __P(( - KTEXT cip, - des_cblock *key, - int encrypt)); - -int -kdc_reply_cipher __P(( - KTEXT reply, - KTEXT cip)); - -int -kdc_reply_cred __P(( - KTEXT cip, - CREDENTIALS *cred)); - -void -k_ricercar __P((char *name)); - -/* used in rd_safe.c and mk_safe.c */ -void -fixup_quad_cksum __P(( - void *start, - size_t len, - des_cblock *key, - void *new_checksum, - void *old_checksum, - int little)); - -void -krb_kdctimeofday __P((struct timeval *tv)); - -/* stuff from libroken*/ - -#ifndef TRUE -#define TRUE 1 -#endif - -#ifndef FALSE -#define FALSE 0 -#endif - -char 
*strtok_r(char *s1, const char *s2, char **lasts); - -int k_concat(char *, size_t, ...); -int k_vconcat(char *, size_t, va_list); -size_t k_vmconcat(char **, size_t, va_list); -size_t k_mconcat(char **, size_t, ...); - -/* Temporary fixes for krb_{rd,mk}_safe */ -#define DES_QUAD_GUESS 0 -#define DES_QUAD_NEW 1 -#define DES_QUAD_OLD 2 - -/* Set this to one of the constants above to specify default checksum - type to emit */ -#define DES_QUAD_DEFAULT DES_QUAD_GUESS - -#endif /* __krb_locl_h */ diff --git a/kerberosIV/krb/krb_realmofhost.3 b/kerberosIV/krb/krb_realmofhost.3 deleted file mode 100644 index 93793078ae8..00000000000 --- a/kerberosIV/krb/krb_realmofhost.3 +++ /dev/null 
@@ -1,183 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. 
-.\" -.\" $OpenBSD: krb_realmofhost.3,v 1.5 1999/05/12 13:26:47 aaron Exp $ -.TH KRB_REALMOFHOST 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_realmofhost, krb_get_phost, krb_get_krbhst, krb_get_admhst, -krb_get_lrealm \- additional Kerberos utility routines -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -#include <kerberosIV/des.h> -#include <kerberosIV/netinet/in.h> -.PP -.ft B -char *krb_realmofhost(host) -char *host; -.PP -.ft B -char *krb_get_phost(alias) -char *alias; -.PP -.ft B -krb_get_krbhst(host,realm,n) -char *host; -char *realm; -int n; -.PP -.ft B -krb_get_admhst(host,realm,n) -char *host; -char *realm; -int n; -.PP -.ft B -krb_get_lrealm(realm,n) -char *realm; -int n; -.fi -.ft R -.SH DESCRIPTION -.I krb_realmofhost -returns the Kerberos realm of the host -.IR host , -as determined by the translation table -.IR /etc/krb.realms . -.I host -should be the fully qualified domain-style primary host name of the host -in question. In order to prevent certain security attacks, this routine -must either have -.I a priori -knowledge of a host's realm, or obtain such information securely. -.PP -The format of the translation file is described by -.IR krb.realms (5). -If -.I host -exactly matches a host_name line, the corresponding realm -is returned. -Otherwise, if the domain portion of -.I host -matches a domain_name line, the corresponding realm -is returned. -If -.I host -contains a domain, but no translation is found, -.IR host 's -domain is converted to upper-case and returned. -If -.I host -contains no discernable domain, or an error occurs, -the local realm name, as supplied by -.IR krb_get_lrealm (3), -is returned. -.PP -.I krb_get_phost -converts the hostname -.I alias -(which can be either an official name or an alias) into the instance -name to be used in obtaining Kerberos tickets for most services, -including the Berkeley rcmd suite (rlogin, rcp, rsh). 
-.br -The current convention is to return the first segment of the official -domain-style name after conversion to lower case. -.PP -.I krb_get_krbhst -fills in -.I host -with the hostname of the -.IR n th -host running a Kerberos key distribution center (KDC) -for realm -.IR realm , -as specified in the configuration file (\fI/etc/krb.conf\fR). -The configuration file is described by -.IR krb.conf (5). -If the host is successfully filled in, the routine -returns KSUCCESS. -If the file cannot be opened, and -.I n -equals 1, then the value of KRB_HOST as defined in -.I <krb.h> -is filled in, and KSUCCESS is returned. If there are fewer than -.I n -hosts running a Kerberos KDC for the requested realm, or the -configuration file is malformed, the routine -returns KFAILURE. -.PP -.I krb_get_admhst -fills in -.I host -with the hostname of the -.IR n th -host running a Kerberos KDC database administration server -for realm -.IR realm , -as specified in the configuration file (\fI/etc/krb.conf\fR). -If the file cannot be opened or is malformed, or there are fewer than -.I n -hosts running a Kerberos KDC database administration server, -the routine returns KFAILURE. -.PP -The character arrays used as return values for -.IR krb_get_krbhst , -.IR krb_get_admhst , -should be large enough to -hold any hostname (MAXHOSTNAMELEN from <sys/param.h>). -.PP -.I krb_get_lrealm -fills in -.I realm -with the -.IR n th -realm of the local host, as specified in the configuration file. -.I realm -should be at least REALM_SZ (from -.IR <krb.h>) characters long. -.PP -.SH SEE ALSO -kerberos(3), krb.conf(5), krb.realms(5) -.SH FILES -.TP 20n -/etc/krb.realms -translation file for host-to-realm mapping. -.TP -/etc/krb.conf -local realm-name and realm/server configuration file. -.SH BUGS -The current convention for instance names is too limited; the full -domain name should be used. -.PP -.I krb_get_lrealm -currently only supports -.I n -= 1. 
It should really consult the user's ticket cache to determine the -user's current realm, rather than consulting a file on the host. diff --git a/kerberosIV/krb/krb_sendauth.3 b/kerberosIV/krb/krb_sendauth.3 deleted file mode 100644 index 4cca0cda727..00000000000 --- a/kerberosIV/krb/krb_sendauth.3 +++ /dev/null 
@@ -1,370 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1988 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. 
-.\" -.\" $OpenBSD: krb_sendauth.3,v 1.5 1999/09/23 04:11:59 alex Exp $ -.TH KRB_SENDAUTH 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_sendauth, krb_recvauth, krb_net_write, krb_net_read \- -Kerberos routines for sending authentication via network stream sockets -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -#include <kerberosIV/des.h> -#include <netinet/in.h> -.PP -.fi -.HP 1i -.ft B -int krb_sendauth(options, fd, ktext, service, inst, realm, checksum, -msg_data, cred, schedule, laddr, faddr, version) -.nf -.RS 0 -.ft B -long options; -int fd; -KTEXT ktext; -char *service, *inst, *realm; -u_long checksum; -MSG_DAT *msg_data; -CREDENTIALS *cred; -Key_schedule schedule; -struct sockaddr_in *laddr, *faddr; -char *version; -.PP -.fi -.HP 1i -.ft B -int krb_recvauth(options, fd, ktext, service, inst, faddr, laddr, -auth_data, filename, schedule, version) -.nf -.RS 0 -.ft B -long options; -int fd; -KTEXT ktext; -char *service, *inst; -struct sockaddr_in *faddr, *laddr; -AUTH_DAT *auth_data; -char *filename; -Key_schedule schedule; -char *version; -.PP -.ft B -int krb_net_write(fd, buf, len) -int fd; -char *buf; -int len; -.PP -.ft B -int krb_net_read(fd, buf, len) -int fd; -char *buf; -int len; -.fi -.SH DESCRIPTION -.PP -These functions, -which are built on top of the core Kerberos library, -provide a convenient means for client and server -programs to send authentication messages -to one another through network connections. -The -.I krb_sendauth -function sends an authenticated ticket from the client program to -the server program by writing the ticket to a network socket. -The -.I krb_recvauth -function receives the ticket from the client by -reading from a network socket. - -.SH KRB_SENDAUTH -.PP -This function writes the ticket to -the network socket specified by the -file descriptor -.IR fd, -returning KSUCCESS if the write proceeds successfully, -and an error code if it does not. 
- -The -.I ktext -argument should point to an allocated KTEXT_ST structure. -The -.IR service, -.IR inst, -and -.IR realm -arguments specify the server program's Kerberos principal name, -instance, and realm. -If you are writing a client that uses the local realm exclusively, -you can set the -.I realm -argument to NULL. - -The -.I version -argument allows the client program to pass an application-specific -version string that the server program can then match against -its own version string. -The -.I version -string can be up to KSEND_VNO_LEN (see -.IR <krb.h> ) -characters in length. - -The -.I checksum -argument can be used to pass checksum information to the -server program. -The client program is responsible for specifying this information. -This checksum information is difficult to corrupt because -.I krb_sendauth -passes it over the network in encrypted form. -The -.I checksum -argument is passed as the checksum argument to -.IR krb_mk_req . - -You can set -.IR krb_sendauth's -other arguments to NULL unless you want the -client and server programs to mutually authenticate -themselves. -In the case of mutual authentication, -the client authenticates itself to the server program, -and demands that the server in turn authenticate itself to -the client. - -.SH KRB_SENDAUTH AND MUTUAL AUTHENTICATION -.PP -If you want mutual authentication, -make sure that you read all pending data from the local socket -before calling -.IR krb_sendauth. -Set -.IR krb_sendauth's -.I options -argument to -.BR KOPT_DO_MUTUAL -(this macro is defined in the -.IR krb.h -file); -make sure that the -.I laddr -argument points to -the address of the local socket, -and that -.I faddr -points to the foreign socket's network address. - -.I Krb_sendauth -fills in the other arguments-- -.IR msg_data , -.IR cred , -and -.IR schedule --before -sending the ticket to the server program. -You must, however, allocate space for these arguments -before calling the function. 
- -.I Krb_sendauth -supports two other options: -.BR KOPT_DONT_MK_REQ, -and -.BR KOPT_DONT_CANON. -If called with -.I options -set as KOPT_DONT_MK_REQ, -.I krb_sendauth -will not use the -.I krb_mk_req -function to retrieve the ticket from the Kerberos server. -The -.I ktext -argument must point to an existing ticket and authenticator (such as -would be created by -.IR krb_mk_req ), -and the -.IR service, -.IR inst, -and -.IR realm -arguments can be set to NULL. - -If called with -.I options -set as KOPT_DONT_CANON, -.I krb_sendauth -will not convert the service's instance to canonical form using -.IR krb_get_phost (3). - -If you want to call -.I krb_sendauth -with a multiple -.I options -specification, -construct -.I options -as a bitwise-OR of the options you want to specify. - -.SH KRB_RECVAUTH -.PP -The -.I krb_recvauth -function -reads a ticket/authenticator pair from the socket pointed to by the -.I fd -argument. -Set the -.I options -argument -as a bitwise-OR of the options desired. -Currently only KOPT_DO_MUTUAL is useful to the receiver. - -The -.I ktext -argument -should point to an allocated KTEXT_ST structure. -.I Krb_recvauth -fills -.I ktext -with the -ticket/authenticator pair read from -.IR fd , -then passes it to -.IR krb_rd_req . - -The -.I service -and -.I inst -arguments -specify the expected service and instance for which the ticket was -generated. They are also passed to -.IR krb_rd_req. -The -.I inst -argument may be set to "*" if the caller wishes -.I krb_mk_req -to fill in the instance used (note that there must be space in the -.I inst -argument to hold a full instance name, see -.IR krb_mk_req (3)). - -The -.I faddr -argument -should point to the address of the peer which is presenting the ticket. -It is also passed to -.IR krb_rd_req . - -If the client and server plan to mutually authenticate -one another, -the -.I laddr -argument -should point to the local address of the file descriptor. -Otherwise you can set this argument to NULL. 
- -The -.I auth_data -argument -should point to an allocated AUTH_DAT area. -It is passed to and filled in by -.IR krb_rd_req . -The checksum passed to the corresponding -.I krb_sendauth -is available as part of the filled-in AUTH_DAT area. - -The -.I filename -argument -specifies the filename -which the service program should use to obtain its service key. -.I Krb_recvauth -passes -.I filename -to the -.I krb_rd_req -function. -If you set this argument to "", -.I krb_rd_req -looks for the service key in the file -.IR /etc/srvtab. - -If the client and server are performing mutual authentication, -the -.I schedule -argument -should point to an allocated Key_schedule. -Otherwise it is ignored and may be NULL. - -The -.I version -argument should point to a character array of at least KSEND_VNO_LEN -characters. It is filled in with the version string passed by the client to -.IR krb_sendauth. -.PP -.SH KRB_NET_WRITE AND KRB_NET_READ -.PP -The -.I krb_net_write -function -emulates the write(2) system call, but guarantees that all data -specified is written to -.I fd -before returning, unless an error condition occurs. -.PP -The -.I krb_net_read -function -emulates the read(2) system call, but guarantees that the requested -amount of data is read from -.I fd -before returning, unless an error condition occurs. -.PP -.SH BUGS -.IR krb_sendauth, -.IR krb_recvauth, -.IR krb_net_write, -and -.IR krb_net_read -will not work properly on sockets set to non-blocking I/O mode. - -.SH SEE ALSO - -krb_mk_req(3), krb_rd_req(3), krb_get_phost(3) - -.SH AUTHOR -John T. Kohl, MIT Project Athena -.SH RESTRICTIONS -Copyright 1988, Massachusetts Instititute of Technology. -For copying and distribution information, -please see the file <mit-copyright.h>. diff --git a/kerberosIV/krb/krb_set_tkt_string.3 b/kerberosIV/krb/krb_set_tkt_string.3 deleted file mode 100644 index 6e1f1def01e..00000000000 --- a/kerberosIV/krb/krb_set_tkt_string.3 +++ /dev/null 
@@ -1,65 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. 
-.\" -.\" $OpenBSD: krb_set_tkt_string.3,v 1.4 1998/02/25 15:51:27 art Exp $ -.TH KRB_SET_TKT_STRING 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -krb_set_tkt_string \- set Kerberos ticket cache file name -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -.PP -.ft B -void krb_set_tkt_string(filename) -char *filename; -.fi -.ft R -.SH DESCRIPTION -.I krb_set_tkt_string -sets the name of the file that holds the user's -cache of Kerberos server tickets and associated session keys. -.PP -The string -.I filename -passed in is copied into local storage. -Only MAXPATHLEN-1 (see <sys/param.h>) characters of the filename are -copied in for use as the cache file name. -.PP -This routine should be called during initialization, before other -Kerberos routines are called; otherwise the routines which fetch the -ticket cache file name may be called and return an undesired ticket file -name until this routine is called. -.SH FILES -.TP 20n -/tmp/tkt[uid] -default ticket file name, unless the environment variable KRBTKFILE is set. -[uid] denotes the user's uid, in decimal. -.SH SEE ALSO -kerberos(3), setenv(3) diff --git a/kerberosIV/krb/kuserok.3 b/kerberosIV/krb/kuserok.3 deleted file mode 100644 index 8a7ce4c7d83..00000000000 --- a/kerberosIV/krb/kuserok.3 +++ /dev/null 
@@ -1,85 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. 
-.\" -.\" $OpenBSD: kuserok.3,v 1.5 1998/03/25 21:00:39 art Exp $ -.TH KUSEROK 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kuserok \- Kerberos version of ruserok -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -.PP -.ft B -kuserok(kdata, localuser) -AUTH_DAT *auth_data; -char *localuser; -.fi -.ft R -.SH DESCRIPTION -.I kuserok -determines whether a Kerberos principal described by the structure -.I auth_data -is authorized to login as user -.I localuser -according to the authorization file -("~\fIlocaluser\fR/.klogin" by default). It returns 0 (zero) if authorized, -1 (one) if not authorized. -.PP -If there is no account for -.I localuser -on the local machine, authorization is not granted. -If there is no authorization file, and the Kerberos principal described -by -.I auth_data -translates to -.I localuser -(using -.IR krb_kntoln (3)), -authorization is granted. -If the authorization file -can't be accessed, or the file is not owned by -.IR localuser, -authorization is denied. Otherwise, the file is searched for -a matching principal name, instance, and realm. If a match is found, -authorization is granted, else authorization is denied. -.PP -The file entries are in the format: -.nf -.in +5n - name.instance@realm -.in -5n -.fi -with one entry per line. -.SH SEE ALSO -kerberos(3), ruserok(3), krb_kntoln(3) -.SH FILES -.TP 20n -~\fIlocaluser\fR/.klogin -authorization list diff --git a/kerberosIV/krb/kuserok.c b/kerberosIV/krb/kuserok.c deleted file mode 100644 index 0888a83c20f..00000000000 --- a/kerberosIV/krb/kuserok.c +++ /dev/null 
@@ -1,165 +0,0 @@ -/* $OpenBSD: kuserok.c,v 1.6 1997/12/12 05:30:26 art Exp $ */ -/* $KTH: kuserok.c,v 1.21 1997/04/01 08:18:35 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -#define OK 0 -#define NOTOK 1 -#define MAX_USERNAME 10 - -/* - * Given a Kerberos principal and a local username, determine whether - * user is authorized to login according to the authorization file - * ("~luser/.klogin" by default). Returns OK if authorized, NOTOK if - * not authorized. - * - * IMPORTANT CHANGE: To eliminate the need of making a distinction - * between the 3 cases: - * - * 1. We can't verify that a .klogin file doesn't exist (no home dir). - * 2. It's there but we aren't allowed to read it. - * 3. We can read it and ~luser@LOCALREALM is (not) included. - * - * We instead make the assumption that luser@LOCALREALM is *always* - * included. Thus it is impossible to have an empty .klogin file and - * also to exclude luser@LOCALREALM from it. Root is treated differently - * since it's home should always be available. - * - * OLD STRATEGY: - * If there is no account for "luser" on the local machine, returns - * NOTOK. If there is no authorization file, and the given Kerberos - * name "kdata" translates to the same name as "luser" (using - * krb_kntoln()), returns OK. Otherwise, if the authorization file - * can't be accessed, returns NOTOK. Otherwise, the file is read for - * a matching principal name, instance, and realm. If one is found, - * returns OK, if none is found, returns NOTOK. - * - * The file entries are in the format: - * - * name.instance@realm - * - * one entry per line. 
- * - */ - -int -krb_kuserok(char *name, char *instance, char *realm, char *luser) -{ - struct passwd *pwd; - char lrealm[REALM_SZ]; - FILE *f; - char line[1024]; - char file[MAXPATHLEN]; - struct stat st; - - if (luser == NULL) - return NOTOK; - - pwd = getpwnam(luser); - if(pwd == NULL) - return NOTOK; - - if(krb_get_lrealm(lrealm, 1)) - return NOTOK; - - if(pwd->pw_uid != 0 && - strcmp(name, luser) == 0 && - strcmp(instance, "") == 0 && - strcmp(realm, lrealm) == 0) - return OK; - - snprintf(file, sizeof(file), "%s/.klogin", pwd->pw_dir); - - f = fopen(file, "r"); - if(f == NULL) - return NOTOK; - - /* this is not a working test in filesystems like AFS and DFS */ - if(fstat(fileno(f), &st) < 0){ - fclose(f); - return NOTOK; - } - - if(st.st_uid != pwd->pw_uid){ - fclose(f); - return NOTOK; - } - - while(fgets(line, sizeof(line), f)){ - char fname[ANAME_SZ], finst[INST_SZ], frealm[REALM_SZ]; - if(line[strlen(line) - 1] != '\n') - /* read till end of line */ - while(1){ - int c = fgetc(f); - if(c == '\n' || c == EOF) - break; - } - else - line[strlen(line) - 1] = 0; - - if(kname_parse(fname, finst, frealm, line)) - continue; - if(strcmp(name, fname)) - continue; - if(strcmp(instance, finst)) - continue; - if(frealm[0] == 0) - { - strncpy(frealm, lrealm, REALM_SZ); - frealm[REALM_SZ-1] = '\0'; - } - if(strcmp(realm, frealm)) - continue; - fclose(f); - return OK; - } - fclose(f); - return NOTOK; -} - -/* compatibility interface */ - -int -kuserok(AUTH_DAT *auth, char *luser) -{ - return krb_kuserok(auth->pname, auth->pinst, auth->prealm, luser); -} - diff --git a/kerberosIV/krb/lifetime.c b/kerberosIV/krb/lifetime.c deleted file mode 100644 index 3a02f1a4a01..00000000000 --- a/kerberosIV/krb/lifetime.c +++ /dev/null 
@@ -1,217 +0,0 @@ -/* $OpenBSD: lifetime.c,v 1.4 1997/12/09 07:57:26 art Exp $ */ -/* $KTH: lifetime.c,v 1.9 1997/05/02 14:29:18 assar Exp $ */ - -/* - * Ticket lifetime. This defines the table used to lookup lifetime - * for the fixed part of rande of the one byte lifetime field. Values - * less than 0x80 are intrpreted as the number of 5 minute intervals. - * Values from 0x80 to 0xBF should be looked up in this table. The - * value of 0x80 is the same using both methods: 10 and two-thirds - * hours . The lifetime of 0xBF is 30 days. The intervening values - * of have a fixed ratio of roughly 1.06914. The value 0xFF is - * defined to mean a ticket has no expiration time. This should be - * used advisedly since individual servers may impose defacto - * upperbounds on ticket lifetimes. - */ - -#include "krb_locl.h" - -/* If you want to disable this feature */ -int krb_no_long_lifetimes = 0; - -#define TKTLIFENUMFIXED 64 -#define TKTLIFEMINFIXED 0x80 -#define TKTLIFEMAXFIXED 0xBF -#define TKTLIFENOEXPIRE 0xFF -#define MAXTKTLIFETIME (30*24*3600) /* 30 days */ -#ifndef NEVERDATE -#define NEVERDATE ((unsigned long)0x7fffffffL) -#endif - -static const int tkt_lifetimes[TKTLIFENUMFIXED] = { - 38400, /* 10.67 hours, 0.44 days */ - 41055, /* 11.40 hours, 0.48 days */ - 43894, /* 12.19 hours, 0.51 days */ - 46929, /* 13.04 hours, 0.54 days */ - 50174, /* 13.94 hours, 0.58 days */ - 53643, /* 14.90 hours, 0.62 days */ - 57352, /* 15.93 hours, 0.66 days */ - 61318, /* 17.03 hours, 0.71 days */ - 65558, /* 18.21 hours, 0.76 days */ - 70091, /* 19.47 hours, 0.81 days */ - 74937, /* 20.82 hours, 0.87 days */ - 80119, /* 22.26 hours, 0.93 days */ - 85658, /* 23.79 hours, 0.99 days */ - 91581, /* 25.44 hours, 1.06 days */ - 97914, /* 27.20 hours, 1.13 days */ - 104684, /* 29.08 hours, 1.21 days */ - 111922, /* 31.09 hours, 1.30 days */ - 119661, /* 33.24 hours, 1.38 days */ - 127935, /* 35.54 hours, 1.48 days */ - 136781, /* 37.99 hours, 1.58 days */ - 146239, /* 40.62 hours, 1.69 
days */ - 156350, /* 43.43 hours, 1.81 days */ - 167161, /* 46.43 hours, 1.93 days */ - 178720, /* 49.64 hours, 2.07 days */ - 191077, /* 53.08 hours, 2.21 days */ - 204289, /* 56.75 hours, 2.36 days */ - 218415, /* 60.67 hours, 2.53 days */ - 233517, /* 64.87 hours, 2.70 days */ - 249664, /* 69.35 hours, 2.89 days */ - 266926, /* 74.15 hours, 3.09 days */ - 285383, /* 79.27 hours, 3.30 days */ - 305116, /* 84.75 hours, 3.53 days */ - 326213, /* 90.61 hours, 3.78 days */ - 348769, /* 96.88 hours, 4.04 days */ - 372885, /* 103.58 hours, 4.32 days */ - 398668, /* 110.74 hours, 4.61 days */ - 426234, /* 118.40 hours, 4.93 days */ - 455705, /* 126.58 hours, 5.27 days */ - 487215, /* 135.34 hours, 5.64 days */ - 520904, /* 144.70 hours, 6.03 days */ - 556921, /* 154.70 hours, 6.45 days */ - 595430, /* 165.40 hours, 6.89 days */ - 636601, /* 176.83 hours, 7.37 days */ - 680618, /* 189.06 hours, 7.88 days */ - 727680, /* 202.13 hours, 8.42 days */ - 777995, /* 216.11 hours, 9.00 days */ - 831789, /* 231.05 hours, 9.63 days */ - 889303, /* 247.03 hours, 10.29 days */ - 950794, /* 264.11 hours, 11.00 days */ - 1016537, /* 282.37 hours, 11.77 days */ - 1086825, /* 301.90 hours, 12.58 days */ - 1161973, /* 322.77 hours, 13.45 days */ - 1242318, /* 345.09 hours, 14.38 days */ - 1328218, /* 368.95 hours, 15.37 days */ - 1420057, /* 394.46 hours, 16.44 days */ - 1518247, /* 421.74 hours, 17.57 days */ - 1623226, /* 450.90 hours, 18.79 days */ - 1735464, /* 482.07 hours, 20.09 days */ - 1855462, /* 515.41 hours, 21.48 days */ - 1983758, /* 551.04 hours, 22.96 days */ - 2120925, /* 589.15 hours, 24.55 days */ - 2267576, /* 629.88 hours, 26.25 days */ - 2424367, /* 673.44 hours, 28.06 days */ - 2592000}; /* 720.00 hours, 30.00 days */ - -/* - * krb_life_to_time - takes a start time and a Kerberos standard - * lifetime char and returns the corresponding end time. There are - * four simple cases to be handled. 
The first is a life of 0xff, - * meaning no expiration, and results in an end time of 0xffffffff. - * The second is when life is less than the values covered by the - * table. In this case, the end time is the start time plus the - * number of 5 minute intervals specified by life. The third case - * returns start plus the MAXTKTLIFETIME if life is greater than - * TKTLIFEMAXFIXED. The last case, uses the life value (minus - * TKTLIFEMINFIXED) as an index into the table to extract the lifetime - * in seconds, which is added to start to produce the end time. - */ -u_int32_t -krb_life_to_time(u_int32_t start, int life_) -{ - unsigned char life = (unsigned char) life_; - - if (krb_no_long_lifetimes) return start + life*5*60; - - if (life == TKTLIFENOEXPIRE) return NEVERDATE; - if (life < TKTLIFEMINFIXED) return start + life*5*60; - if (life > TKTLIFEMAXFIXED) return start + MAXTKTLIFETIME; - return start + tkt_lifetimes[life - TKTLIFEMINFIXED]; -} - -/* - * krb_time_to_life - takes start and end times for the ticket and - * returns a Kerberos standard lifetime char, possibily using the - * tkt_lifetimes table for lifetimes above 127*5 minutes. First, the - * special case of (end == NEVERDATE) is handled to mean no - * expiration. Then negative lifetimes and those greater than the - * maximum ticket lifetime are rejected. Then lifetimes less than the - * first table entry are handled by rounding the requested lifetime - * *up* to the next 5 minute interval. The final step is to search - * the table for the smallest entry *greater than or equal* to the - * requested entry. 
- */ -int krb_time_to_life(u_int32_t start, u_int32_t end) -{ - int i; - long lifetime = end - start; - - if (krb_no_long_lifetimes) return (lifetime + 5*60 - 1)/(5*60); - - if (end >= NEVERDATE) return TKTLIFENOEXPIRE; - if (lifetime > MAXTKTLIFETIME || lifetime <= 0) return 0; - if (lifetime < tkt_lifetimes[0]) return (lifetime + 5*60 - 1)/(5*60); - for (i=0; i<TKTLIFENUMFIXED; i++) { - if (lifetime <= tkt_lifetimes[i]) { - return i+TKTLIFEMINFIXED; - } - } - return 0; -} - -char * -krb_life_to_atime(int life) -{ - static char atime[11+1+2+1+2+1+2+1]; - unsigned long when; - int secs, mins, hours; - - if (life == TKTLIFENOEXPIRE && !krb_no_long_lifetimes) - return("Forever"); - when = krb_life_to_time(0, life); - secs = when%60; - when /= 60; - mins = when%60; - when /= 60; - hours = when%24; - when /= 24; - snprintf(atime, sizeof(atime), "%d+%02d:%02d:%02d", (int)when, hours, mins, secs); - return(atime); -} - -int -krb_atime_to_life(char *atime) -{ - unsigned long when = 0; - char *cp; - int colon = 0, plus = 0; - int n = 0; - - if (atime == NULL) - return 0; - - if (strcasecmp(atime, "forever") == 0) - return(TKTLIFENOEXPIRE); - - for (cp=atime; *cp; cp++) { - switch(*cp) { - case '0': case '1': case '2': case '3': case '4': - case '5': case '6': case '7': case '8': case '9': - n = n*10 + *cp-'0'; - break; - case '+': - plus++; - when += n; - when *= 24; - n = 0; - break; - case ':': - colon++; - when += n; - when *= 60; - n = 0; - break; - default: - break; - } - } - when += n; - if (plus == 0 && colon == 0) - return((unsigned char)when); - while (colon < 2) { - when *= 60; - colon++; - } - return(krb_time_to_life(0,when)); -} diff --git a/kerberosIV/krb/logging.c b/kerberosIV/krb/logging.c deleted file mode 100644 index 68ad7074d8d..00000000000 --- a/kerberosIV/krb/logging.c +++ /dev/null 
@@ -1,244 +0,0 @@ -/* $OpenBSD: logging.c,v 1.2 1997/12/09 07:57:27 art Exp $ */ -/* $KTH: logging.c,v 1.14 1997/05/11 09:01:40 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" -#include <klog.h> - -struct krb_log_facility { - char filename[MAXPATHLEN]; - FILE *file; - krb_log_func_t func; -}; - -int -krb_vlogger(struct krb_log_facility *f, const char *format, va_list args) -{ - FILE *file = NULL; - int ret; - - if (f->file != NULL) - file = f->file; - else if (f->filename && f->filename[0]) - file = fopen(f->filename, "a"); - - ret = f->func(file, format, args); - - if (file != f->file) - fclose(file); - return ret; -} - -int -krb_logger(struct krb_log_facility *f, const char *format, ...) -{ - va_list args; - int ret; - va_start(args, format); - ret = krb_vlogger(f, format, args); - va_end(args); - return ret; -} - -/* - * If FILE * is given log to it, otherwise, log to filename. When - * given a file name the file is opened and closed for each log - * record. 
- */ -int -krb_openlog(struct krb_log_facility *f, - char *filename, - FILE *file, - krb_log_func_t func) -{ - if (f == NULL) - return KFAILURE; - strncpy(f->filename, filename, MAXPATHLEN); - f->filename[MAXPATHLEN-1] = '\0'; - f->file = file; - f->func = func; - return KSUCCESS; -} - -/* ------------------------------------------------------------ - Compatibility functions from warning.c - ------------------------------------------------------------ */ - -static int -log_tty(FILE *f, const char *format, va_list args) -{ - if (f != NULL && isatty(fileno(f))) - vfprintf(f, format, args); - return KSUCCESS; -} - -/* stderr */ -static struct krb_log_facility std_log = { "/dev/tty", NULL, log_tty }; - -static void -init_std_log () -{ - static int done = 0; - - if (!done) { - std_log.file = stderr; - done = 1; - } -} - -/* - * - */ -void -krb_set_warnfn (krb_warnfn_t newfunc) -{ - init_std_log (); - std_log.func = newfunc; -} - -/* - * - */ -krb_warnfn_t -krb_get_warnfn (void) -{ - init_std_log (); - return std_log.func; -} - -/* - * Log warnings to stderr if it's a tty. - */ -void -krb_warning (const char *format, ...) -{ - va_list args; - - init_std_log (); - va_start(args, format); - krb_vlogger(&std_log, format, args); - va_end(args); -} - -/* ------------------------------------------------------------ - Compatibility functions from klog.c and log.c - ------------------------------------------------------------ */ - -/* - * Used by kerberos and kadmind daemons and in libkrb (rd_req.c). - * - * By default they log to the kerberos server log-file (KRBLOG) to be - * backwards compatible. 
- */ - -static int -log_with_timestamp_and_nl(FILE *file, const char *format, va_list args) -{ - time_t now; - if(file == NULL) - return KFAILURE; - time(&now); - fputs(krb_stime(&now), file); - fputs(": ", file); - vfprintf(file, format, args); - fputs("\n", file); - fflush(file); - return KSUCCESS; -} - -static struct krb_log_facility -file_log = { KRBLOG, NULL, log_with_timestamp_and_nl }; - -/* - * kset_logfile() changes the name of the file to which - * messages are logged. If kset_logfile() is not called, - * the logfile defaults to KRBLOG, defined in "krb.h". - */ - -void -kset_logfile(char *filename) -{ - krb_openlog(&file_log, filename, NULL, log_with_timestamp_and_nl); -} - -/* - * krb_log() and klog() is used to add entries to the logfile. - * - * The log entry consists of a timestamp and the given arguments - * printed according to the given "format" string. - * - * The log file is opened and closed for each log entry. - * - * If the given log type "type" is unknown, or if the log file - * cannot be opened, no entry is made to the log file. - * - * CHANGE: the type is always ignored - * - * The return value of klog() is always a pointer to the formatted log - * text string "logtxt". - */ - -/* Used in kerberos.c only. */ -char * -klog(int type, const char *format, ...) -{ - static char logtxt[1024]; - - va_list ap; - - va_start(ap, format); - vsnprintf(logtxt, sizeof(logtxt), format, ap); - va_end(ap); - - krb_logger(&file_log, "%s", logtxt); - - return logtxt; -} - -/* Used in kadmind and rd_req.c */ -void -krb_log(const char *format, ...) -{ - va_list args; - - va_start(args, format); - krb_vlogger(&file_log, format, args); - va_end(args); -} diff --git a/kerberosIV/krb/lsb_addr_comp.c b/kerberosIV/krb/lsb_addr_comp.c deleted file mode 100644 index 81930cf5d40..00000000000 --- a/kerberosIV/krb/lsb_addr_comp.c +++ /dev/null 
@@ -1,143 +0,0 @@ -/* $OpenBSD: lsb_addr_comp.c,v 1.4 1998/07/07 19:06:58 art Exp $ */ -/* $KTH: lsb_addr_comp.c,v 1.14 1998/05/26 20:37:32 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -#include "krb-archaeology.h" - -int -krb_lsb_antinet_ulong_cmp(u_int32_t x, u_int32_t y) -{ - int i; - u_int32_t a = 0, b = 0; - u_int8_t *p = (u_int8_t*) &x; - u_int8_t *q = (u_int8_t*) &y; - - for(i = sizeof(u_int32_t) - 1; i >= 0; i--){ - a = (a << 8) | p[i]; - b = (b << 8) | q[i]; - } - if(a > b) - return 1; - if(a < b) - return -1; - return 0; -} - -int -krb_lsb_antinet_ushort_cmp(u_int16_t x, u_int16_t y) -{ - int i; - u_int16_t a = 0, b = 0; - u_int8_t *p = (u_int8_t*) &x; - u_int8_t *q = (u_int8_t*) &y; - - for(i = sizeof(u_int16_t) - 1; i >= 0; i--){ - a = (a << 8) | p[i]; - b = (b << 8) | q[i]; - } - if(a > b) - return 1; - if(a < b) - return -1; - return 0; -} - -u_int32_t -lsb_time(time_t t, struct sockaddr_in *src, struct sockaddr_in *dst) -{ - int dir = 1; - const char *fw; - - /* - * direction bit is the sign bit of the timestamp. Ok until - * 2038?? 
- */ - if(krb_debug) { - krb_warning("lsb_time: src = %s:%u\n", - inet_ntoa(src->sin_addr), ntohs(src->sin_port)); - krb_warning("lsb_time: dst = %s:%u\n", - inet_ntoa(dst->sin_addr), ntohs(dst->sin_port)); - } - - /* For compatibility with broken old code, compares are done in VAX - byte order (LSBFIRST) */ - if (krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, /* src < recv */ - dst->sin_addr.s_addr) < 0) - dir = -1; - else if (krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, - dst->sin_addr.s_addr)==0) - if (krb_lsb_antinet_ushort_less(src->sin_port, dst->sin_port) < 0) - dir = -1; - /* - * all that for one tiny bit! Heaven help those that talk to - * themselves. - */ - if(krb_get_config_bool("reverse_lsb_test")) { - if(krb_debug) - krb_warning("lsb_time: reversing direction: %d -> %d\n", dir, -dir); - dir = -dir; - }else if((fw = krb_get_config_string("firewall_address"))) { - struct in_addr fw_addr; - fw_addr.s_addr = inet_addr(fw); - if(fw_addr.s_addr != INADDR_NONE) { - int a, b, c; - krb_warning("lsb_time: fw = %s\n", inet_ntoa(fw_addr)); - /* negate if src < dst and firewall is outside the - [src,dst] interval */ - a = (krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, - dst->sin_addr.s_addr) == -1); - b = (krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, - fw_addr.s_addr) == 1); - c = (krb_lsb_antinet_ulong_less(fw_addr.s_addr, - dst->sin_addr.s_addr) == 1); - if(a && (b || c)) { - if(krb_debug) - krb_warning("lsb_time: reversing direction: %d -> %d\n", - dir, -dir); - dir = -dir; - } - } - } - t = t * dir; - t = t & 0xffffffff; - return t; -} diff --git a/kerberosIV/krb/mk_auth.c b/kerberosIV/krb/mk_auth.c deleted file mode 100644 index 196e085e782..00000000000 --- a/kerberosIV/krb/mk_auth.c +++ /dev/null 
@@ -1,101 +0,0 @@ -/* $OpenBSD: mk_auth.c,v 1.2 1997/12/09 07:57:28 art Exp $ */ -/* $KTH: mk_auth.c,v 1.4 1997/04/01 08:18:35 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * Generate an authenticator for service.instance@realm. - * instance is canonicalized by `krb_get_phost' - * realm is set to the local realm if realm == NULL - * The ticket acquired by `krb_mk_req' is returned in `ticket' and the - * authenticator in `buf'. - * Options control the behaviour (see krb_sendauth). - */ - -int -krb_mk_auth(int32_t options, - KTEXT ticket, - char *service, - char *instance, - char *realm, - u_int32_t checksum, - char *version, - KTEXT buf) -{ - char realinst[INST_SZ]; - char realrealm[REALM_SZ]; - int ret; - unsigned char *p; - char *tmp; - - if (options & KOPT_DONT_CANON) - tmp = instance; - else - tmp = krb_get_phost (instance); - - strncpy(realinst, tmp, sizeof(realinst)); - realinst[sizeof(realinst) - 1] = '\0'; - - if (realm == NULL) { - ret = krb_get_lrealm (realrealm, 1); - if (ret != KSUCCESS) - return ret; - realm = realrealm; - } - - if(!(options & KOPT_DONT_MK_REQ)) { - ret = krb_mk_req (ticket, service, realinst, realm, checksum); - if (ret != KSUCCESS) - return ret; - } - - p = buf->dat; - - memcpy (p, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN); - p += KRB_SENDAUTH_VLEN; - memcpy (p, version, KRB_SENDAUTH_VLEN); - p += KRB_SENDAUTH_VLEN; - p += krb_put_int(ticket->length, p, 4); - memcpy(p, ticket->dat, ticket->length); - p += ticket->length; - buf->length = p - buf->dat; - return KSUCCESS; -} 
diff --git a/kerberosIV/krb/mk_err.c b/kerberosIV/krb/mk_err.c
deleted file mode 100644
index 3277a6712a7..00000000000
--- a/kerberosIV/krb/mk_err.c
+++ /dev/null
@@ -1,69 +0,0 @@ -/* $OpenBSD: mk_err.c,v 1.5 1998/02/25 15:51:29 art Exp $ */ -/* $KTH: mk_err.c,v 1.6 1997/03/23 03:53:14 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * This routine creates a general purpose error reply message. It - * doesn't use KTEXT because application protocol may have long - * messages, and may want this part of buffer contiguous to other - * stuff. 
- * - * The error reply is built in "p", using the error code "e" and - * error text "e_string" given. The length of the error reply is - * returned. - * - * The error reply is in the following format: - * - * unsigned char KRB_PROT_VERSION protocol version no. - * unsigned char AUTH_MSG_APPL_ERR message type - * (least significant - * bit of above) HOST_BYTE_ORDER local byte order - * 4 bytes e given error code - * string e_string given error text - */ - -int32_t -krb_mk_err(u_char *p, int32_t e, char *e_string) -{ - unsigned char *start = p; - p += krb_put_int(KRB_PROT_VERSION, p, 1); - p += krb_put_int(AUTH_MSG_APPL_ERR, p, 1); - - p += krb_put_int(e, p, 4); - p += krb_put_string(e_string, p); - return p - start; -} diff --git a/kerberosIV/krb/mk_priv.c b/kerberosIV/krb/mk_priv.c deleted file mode 100644 index 3e4bf42bfed..00000000000 --- a/kerberosIV/krb/mk_priv.c +++ /dev/null 
@@ -1,129 +0,0 @@ -/* $OpenBSD: mk_priv.c,v 1.6 1998/05/18 00:53:51 art Exp $ */ -/* $KTH: mk_priv.c,v 1.20 1998/02/19 19:13:40 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* application include files */ -#include "krb-archaeology.h" - -/* - * krb_mk_priv() constructs an AUTH_MSG_PRIVATE message. It takes - * some user data "in" of "length" bytes and creates a packet in "out" - * consisting of the user data, a timestamp, and the sender's network - * address. - * The packet is encrypted by pcbc_encrypt(), using the given - * "key" and "schedule". - * The length of the resulting packet "out" is - * returned. - * - * It is similar to krb_mk_safe() except for the additional key - * schedule argument "schedule" and the fact that the data is encrypted - * rather than appended with a checksum. The protocol version is - * KRB_PROT_VERSION, defined in "krb.h". 
- * - * The "out" packet consists of: - * - * Size Variable Field - * ---- -------- ----- - * - * 1 byte KRB_PROT_VERSION protocol version number - * 1 byte AUTH_MSG_PRIVATE | message type plus local - * HOST_BYTE_ORDER byte order in low bit - * - * 4 bytes c_length length of data - * we encrypt from here with pcbc_encrypt - * - * 4 bytes length length of user data - * length in user data - * 1 byte msg_time_5ms timestamp milliseconds - * 4 bytes sender->sin.addr.s_addr sender's IP address - * - * 4 bytes msg_time_sec or timestamp seconds with - * -msg_time_sec direction in sign bit - * - * 0<=n<=7 bytes pad to 8 byte multiple zeroes - */ - -int32_t -krb_mk_priv(void *in, void *out, u_int32_t length, - struct des_ks_struct *schedule, des_cblock *key, - struct sockaddr_in *sender, struct sockaddr_in *receiver) -{ - unsigned char *p = (unsigned char*)out; - unsigned char *cipher; - - struct timeval tv; - u_int32_t src_addr; - u_int32_t len; - - if (p == NULL) - return 0; - - p += krb_put_int(KRB_PROT_VERSION, p, 1); - p += krb_put_int(AUTH_MSG_PRIVATE, p, 1); - - len = 4 + length + 1 + 4 + 4; - len = (len + 7) & ~7; - p += krb_put_int(len, p, 4); - - cipher = p; - - p += krb_put_int(length, p, 4); - - memcpy(p, in, length); - p += length; - - krb_kdctimeofday(&tv); - - *p++ =tv.tv_usec / 5000; - - src_addr = sender->sin_addr.s_addr; - p += krb_put_address(src_addr, p); - - p += krb_put_int(lsb_time(tv.tv_sec, sender, receiver), p, 4); - - memset(p, 0, 7); - - des_pcbc_encrypt((des_cblock *)cipher, (des_cblock *)cipher, - len, schedule, key, DES_ENCRYPT); - - return (cipher - (unsigned char*)out) + len; -} diff --git a/kerberosIV/krb/mk_req.c b/kerberosIV/krb/mk_req.c deleted file mode 100644 index 7822732bf77..00000000000 --- a/kerberosIV/krb/mk_req.c +++ /dev/null 
@@ -1,217 +0,0 @@ -/* $OpenBSD: mk_req.c,v 1.5 1998/05/18 00:53:53 art Exp $ */ -/* $KTH: mk_req.c,v 1.19 1998/02/19 19:13:51 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -static int lifetime = 255; /* But no longer than TGT says. */ - - -static void -build_request(KTEXT req, char *name, char *inst, char *realm, - u_int32_t checksum) -{ - struct timeval tv; - unsigned char *p = req->dat; - - p += krb_put_nir(name, inst, realm, p); - - p += krb_put_int(checksum, p, 4); - - - /* Fill in the times on the request id */ - krb_kdctimeofday(&tv); - - *p++ = tv.tv_usec / 5000; /* 5ms */ - - p += krb_put_int(tv.tv_sec, p, 4); - - /* Fill to a multiple of 8 bytes for DES */ - req->length = ((p - req->dat + 7)/8) * 8; -} - - -/* - * krb_mk_req takes a text structure in which an authenticator is to - * be built, the name of a service, an instance, a realm, - * and a checksum. It then retrieves a ticket for - * the desired service and creates an authenticator in the text - * structure passed as the first argument. krb_mk_req returns - * KSUCCESS on success and a Kerberos error code on failure. - * - * The peer procedure on the other end is krb_rd_req. When making - * any changes to this routine it is important to make corresponding - * changes to krb_rd_req. - * - * The authenticator consists of the following: - * - * authent->dat - * - * unsigned char KRB_PROT_VERSION protocol version no. 
- * unsigned char AUTH_MSG_APPL_REQUEST message type - * (least significant - * bit of above) HOST_BYTE_ORDER local byte ordering - * unsigned char kvno from ticket server's key version - * string realm server's realm - * unsigned char tl ticket length - * unsigned char idl request id length - * text ticket->dat ticket for server - * text req_id->dat request id - * - * The ticket information is retrieved from the ticket cache or - * fetched from Kerberos. The request id (called the "authenticator" - * in the papers on Kerberos) contains the following: - * - * req_id->dat - * - * string cr.pname {name, instance, and - * string cr.pinst realm of principal - * string myrealm making this request} - * 4 bytes checksum checksum argument given - * unsigned char tv_local.tf_usec time (milliseconds) - * 4 bytes tv_local.tv_sec time (seconds) - * - * req_id->length = 3 strings + 3 terminating nulls + 5 bytes for time, - * all rounded up to multiple of 8. - */ - -int -krb_mk_req(KTEXT authent, char *service, char *instance, char *realm, - int32_t checksum) -{ - KTEXT_ST req_st; - KTEXT req_id = &req_st; - - CREDENTIALS cr; /* Credentials used by retr */ - KTEXT ticket = &(cr.ticket_st); /* Pointer to tkt_st */ - int retval; /* Returned by krb_get_cred */ - - char myrealm[REALM_SZ]; - - unsigned char *p = authent->dat; - - p += krb_put_int(KRB_PROT_VERSION, p, 1); - - p += krb_put_int(AUTH_MSG_APPL_REQUEST, p, 1); - - /* Get the ticket and move it into the authenticator */ - if (krb_ap_req_debug) - krb_warning("Realm: %s\n", realm); - - retval = krb_get_cred(service,instance,realm,&cr); - - if (retval == RET_NOTKT) { - retval = get_ad_tkt(service, instance, realm, lifetime); - if (retval == KSUCCESS) - retval = krb_get_cred(service, instance, realm, &cr); - } - - if (retval != KSUCCESS) - return retval; - - - /* - * With multi realm ticket files either find a matching TGT or - * else use the first TGT for inter-realm authentication. 
- * - * In myrealm hold the realm of the principal "owning" the - * corresponding ticket-granting-ticket. - */ - - retval = krb_get_cred(KRB_TICKET_GRANTING_TICKET, realm, realm, 0); - if (retval == KSUCCESS) { - strncpy(myrealm, realm, REALM_SZ); - myrealm[REALM_SZ - 1] = '\0'; - } else - retval = krb_get_tf_realm(TKT_FILE, myrealm); - - if (retval != KSUCCESS) - return retval; - - if (krb_ap_req_debug) - krb_warning("serv=%s.%s@%s princ=%s.%s@%s\n", service, instance, realm, - cr.pname, cr.pinst, myrealm); - - p += krb_put_int(cr.kvno, p, 1); - - p += krb_put_string(realm, p); - - p += krb_put_int(ticket->length, p, 1); - - build_request(req_id, cr.pname, cr.pinst, myrealm, checksum); - - encrypt_ktext(req_id, &cr.session, DES_ENCRYPT); - - p += krb_put_int(req_id->length, p, 1); - - memcpy(p, ticket->dat, ticket->length); - - p += ticket->length; - - memcpy(p, req_id->dat, req_id->length); - - p += req_id->length; - - authent->length = p - authent->dat; - - memset(&cr, 0, sizeof(cr)); - memset(&req_st, 0, sizeof(req_st)); - - if (krb_ap_req_debug) - krb_warning("Authent->length = %d\n", authent->length); - - return KSUCCESS; -} - -/* - * krb_set_lifetime sets the default lifetime for additional tickets - * obtained via krb_mk_req(). - * - * It returns the previous value of the default lifetime. - */ - -int -krb_set_lifetime(int newval) -{ - int olife = lifetime; - - lifetime = newval; - return(olife); -} diff --git a/kerberosIV/krb/mk_safe.c b/kerberosIV/krb/mk_safe.c deleted file mode 100644 index e0691faefe6..00000000000 --- a/kerberosIV/krb/mk_safe.c +++ /dev/null 
@@ -1,135 +0,0 @@ -/* $OpenBSD: mk_safe.c,v 1.6 1998/05/18 00:53:54 art Exp $ */ -/* $KTH: mk_safe.c,v 1.23 1998/02/19 19:14:02 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* application include files */ -#include "krb-archaeology.h" - - -/* from rd_safe.c */ -extern int dqc_type; -void fixup_quad_cksum(void*, size_t, des_cblock*, void*, void*, int); - -/* - * krb_mk_safe() constructs an AUTH_MSG_SAFE message. It takes some - * user data "in" of "length" bytes and creates a packet in "out" - * consisting of the user data, a timestamp, and the sender's network - * address, followed by a checksum computed on the above, using the - * given "key". The length of the resulting packet is returned. 
- * - * The "out" packet consists of: - * - * Size Variable Field - * ---- -------- ----- - * - * 1 byte KRB_PROT_VERSION protocol version number - * 1 byte AUTH_MSG_SAFE | message type plus local - * HOST_BYTE_ORDER byte order in low bit - * - * ===================== begin checksum ================================ - * - * 4 bytes length length of user data - * length in user data - * 1 byte msg_time_5ms timestamp milliseconds - * 4 bytes sender->sin.addr.s_addr sender's IP address - * - * 4 bytes msg_time_sec or timestamp seconds with - * -msg_time_sec direction in sign bit - * - * ======================= end checksum ================================ - * - * 16 bytes big_cksum quadratic checksum of - * above using "key" - */ - -int32_t -krb_mk_safe(void *in, void *out, u_int32_t length, des_cblock *key, - struct sockaddr_in *sender, struct sockaddr_in *receiver) -{ - unsigned char * p = (unsigned char*)out; - struct timeval tv; - unsigned char *start; - u_int32_t src_addr; - - if (p == NULL) - return 0; - - p += krb_put_int(KRB_PROT_VERSION, p, 1); - p += krb_put_int(AUTH_MSG_SAFE, p, 1); - - start = p; - - p += krb_put_int(length, p, 4); - - memcpy(p, in, length); - p += length; - - krb_kdctimeofday(&tv); - - *p++ = tv.tv_usec/5000; /* 5ms */ - - src_addr = sender->sin_addr.s_addr; - p += krb_put_address(src_addr, p); - - p += krb_put_int(lsb_time(tv.tv_sec, sender, receiver), p, 4); - - { - /* We are faking big endian mode, so we need to fix the - * checksum (that is byte order dependent). We always send a - * checksum of the new type, unless we know that we are - * talking to an old client (this requires a call to - * krb_rd_safe first). 
- */ - unsigned char new_checksum[16]; - unsigned char old_checksum[16]; - fixup_quad_cksum(start, p - start, key, new_checksum, old_checksum, 0); - - if((dqc_type == DES_QUAD_GUESS && DES_QUAD_DEFAULT == DES_QUAD_OLD) || - dqc_type == DES_QUAD_OLD) - memcpy(p, old_checksum, 16); - else - memcpy(p, new_checksum, 16); - } - p += 16; - - return p - (unsigned char*)out; -} diff --git a/kerberosIV/krb/month_sname.c b/kerberosIV/krb/month_sname.c deleted file mode 100644 index 2c24a6f65a5..00000000000 --- a/kerberosIV/krb/month_sname.c +++ /dev/null 
@@ -1,52 +0,0 @@ -/* $OpenBSD: month_sname.c,v 1.5 1998/02/25 15:51:30 art Exp $ */ -/* $KTH: month_sname.c,v 1.5 1997/03/23 03:53:14 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * Given an integer 1-12, month_sname() returns a string - * containing the first three letters of the corresponding - * month. Returns 0 if the argument is out of range. 
- */ - -const char *month_sname(int n) -{ - static const char *name[] = { - "Jan","Feb","Mar","Apr","May","Jun", - "Jul","Aug","Sep","Oct","Nov","Dec" - }; - return((n < 1 || n > 12) ? 0 : name [n-1]); -} diff --git a/kerberosIV/krb/name2name.c b/kerberosIV/krb/name2name.c deleted file mode 100644 index 3a3b1055d56..00000000000 --- a/kerberosIV/krb/name2name.c +++ /dev/null 
@@ -1,107 +0,0 @@ -/* $OpenBSD: name2name.c,v 1.3 1998/05/18 00:53:55 art Exp $ */ -/* $KTH: name2name.c,v 1.16 1998/01/19 15:28:38 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* convert host to a more fully qualified domain name, returns 0 if - * phost is the same as host, 1 otherwise. phost should be - * phost_size bytes long. - */ - -int -krb_name_to_name(const char *host, char *phost, size_t phost_size) -{ - struct hostent *hp; - struct in_addr adr; - const char *tmp; - - if (phost == NULL || phost_size == 0) - return 1; - - adr.s_addr = inet_addr(host); - if (adr.s_addr != INADDR_NONE) - hp = gethostbyaddr((char *)&adr, sizeof(adr), AF_INET); - else - hp = gethostbyname(host); - if (hp == NULL) - tmp = host; - else - tmp = hp->h_name; - strncpy (phost, tmp, phost_size); - phost[phost_size - 1] = '\0'; - - if (strcmp(phost, host) == 0) - return 0; - else - return 1; -} - -/* lowercase and truncate */ - -void -k_ricercar(char *name) -{ - char *p = name; - while(*p && *p != '.'){ - if(isupper(*p)) - *p = tolower(*p); - p++; - } - if(*p == '.') - *p = 0; -} - -/* - * This routine takes an alias for a host name and returns the first - * field, in lower case, of its domain name. - * - * Example: "fOo.BAR.com" -> "foo" - */ - -char * -krb_get_phost(const char *alias) -{ - static char phost[MAXHOSTNAMELEN]; - - krb_name_to_name(alias, phost, sizeof(phost)); - k_ricercar(phost); - return phost; -} diff --git a/kerberosIV/krb/netread.c b/kerberosIV/krb/netread.c deleted file mode 100644 index 17b0c36a6b7..00000000000 --- a/kerberosIV/krb/netread.c +++ /dev/null 
@@ -1,71 +0,0 @@ -/* $OpenBSD: netread.c,v 1.5 1998/02/25 15:51:32 art Exp $ */ -/* $KTH: netread.c,v 1.7 1997/06/19 23:56:44 assar Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * krb_net_read() reads from the file descriptor "fd" to the buffer - * "buf", until either 1) "len" bytes have been read or 2) cannot - * read anymore from "fd". 
It returns the number of bytes read - * or a read() error. (The calling interface is identical to - * read(2).) - * - * XXX must not use non-blocking I/O - */ - -int -krb_net_read (int fd, void *v, size_t len) -{ - int cc, len2 = 0; - char *buf = v; - - if (buf == NULL) - return -1; - - do { - cc = read(fd, buf, len); - if (cc < 0) - return(cc); /* errno is already set */ - else if (cc == 0) { - return(len2); - } else { - buf += cc; - len2 += cc; - len -= cc; - } - } while (len > 0); - return(len2); -} diff --git a/kerberosIV/krb/netwrite.c b/kerberosIV/krb/netwrite.c deleted file mode 100644 index bfcd45b2b9d..00000000000 --- a/kerberosIV/krb/netwrite.c +++ /dev/null 
@@ -1,68 +0,0 @@ -/* $OpenBSD: netwrite.c,v 1.5 1998/02/25 15:51:33 art Exp $ */ -/* $KTH: netwrite.c,v 1.8 1997/06/19 23:56:25 assar Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * krb_net_write() writes "len" bytes from "buf" to the file - * descriptor "fd". It returns the number of bytes written or - * a write() error. (The calling interface is identical to - * write(2).) 
- * - * XXX must not use non-blocking I/O - */ - -int -krb_net_write(int fd, const void *v, size_t len) -{ - int cc; - int wrlen = len; - const char *buf = (const char*)v; - - if (buf == NULL) - return -1; - - do { - cc = write(fd, buf, wrlen); - if (cc < 0) - return(cc); - else { - buf += cc; - wrlen -= cc; - } - } while (wrlen > 0); - return(len); -} diff --git a/kerberosIV/krb/one.c b/kerberosIV/krb/one.c deleted file mode 100644 index 56c8d047b8c..00000000000 --- a/kerberosIV/krb/one.c +++ /dev/null 
@@ -1,41 +0,0 @@ -/* $OpenBSD: one.c,v 1.5 1998/02/25 15:51:34 art Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * definition of variable set to 1. - * used in krb_conf.h to determine host byte order. - */ - -int krbONE = 1; diff --git a/kerberosIV/krb/parse_name.c b/kerberosIV/krb/parse_name.c deleted file mode 100644 index 6c7f3366f66..00000000000 --- a/kerberosIV/krb/parse_name.c +++ /dev/null 
@@ -1,208 +0,0 @@ -/* $OpenBSD: parse_name.c,v 1.2 1997/12/09 07:57:33 art Exp $ */ -/* $KTH: parse_name.c,v 1.4 1997/04/01 08:18:39 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -int -krb_parse_name(const char *fullname, krb_principal *principal) -{ - const char *p; - char *ns, *np; - enum {n, i, r} pos = n; - int quote = 0; - - if (principal == NULL) - return KFAILURE; - - ns = np = principal->name; - - principal->name[0] = '\0'; - principal->instance[0] = '\0'; - principal->realm[0] = '\0'; - - for(p = fullname; *p; p++){ - if(np - ns == ANAME_SZ - 1) /* XXX they have the same size */ - return KNAME_FMT; - if(quote){ - *np++ = *p; - quote = 0; - continue; - } - if(*p == '\\') - quote = 1; - else if(*p == '.' && pos == n){ - *np = 0; - ns = np = principal->instance; - pos = i; - }else if(*p == '@' && (pos == n || pos == i)){ - *np = 0; - ns = np = principal->realm; - pos = r; - }else - *np++ = *p; - } - *np = 0; - if(quote || principal->name[0] == '\0') - return KNAME_FMT; - return KSUCCESS; -} - -int -kname_parse(char *np, char *ip, char *rp, char *fullname) -{ - krb_principal p; - int ret; - if((ret = krb_parse_name(fullname, &p)) == 0){ - strncpy(np, p.name, ANAME_SZ); - np[ANAME_SZ-1] = '\0'; - strncpy(ip, p.instance, INST_SZ); - ip[INST_SZ-1] = '\0'; - if(p.realm[0] != '\0'){ - strncpy(rp, p.realm, REALM_SZ); - rp[REALM_SZ-1] = '\0'; - } - } - return ret; -} -/* - * k_isname() returns 1 if the given name is a syntactically legitimate - * Kerberos name; returns 0 if it's not. 
- */ - -int -k_isname(char *s) -{ - char c; - int backslash = 0; - - if (s[0] == '\0') - return 0; - if (strlen(s) > ANAME_SZ - 1) - return 0; - while ((c = *s++)) { - if (backslash) { - backslash = 0; - continue; - } - switch(c) { - case '\\': - backslash = 1; - break; - case '.': - return 0; - /* break; */ - case '@': - return 0; - /* break; */ - } - } - return 1; -} - - -/* - * k_isinst() returns 1 if the given name is a syntactically legitimate - * Kerberos instance; returns 0 if it's not. - */ - -int -k_isinst(char *s) -{ - char c; - int backslash = 0; - - if (strlen(s) > INST_SZ - 1) - return 0; - while ((c = *s++)) { - if (backslash) { - backslash = 0; - continue; - } - switch(c) { - case '\\': - backslash = 1; - break; - case '.': -#if INSTANCE_DOTS_OK - break; -#else /* INSTANCE_DOTS_OK */ - return 0; -#endif /* INSTANCE_DOTS_OK */ - /* break; */ - case '@': - return 0; - /* break; */ - } - } - return 1; -} - -/* - * k_isrealm() returns 1 if the given name is a syntactically legitimate - * Kerberos realm; returns 0 if it's not. - */ - -int -k_isrealm(char *s) -{ - char c; - int backslash = 0; - - if (s[0] == '\0') - return 0; - if (strlen(s) > REALM_SZ - 1) - return 0; - while ((c = *s++)) { - if (backslash) { - backslash = 0; - continue; - } - switch(c) { - case '\\': - backslash = 1; - break; - case '@': - return 0; - /* break; */ - } - } - return 1; -} diff --git a/kerberosIV/krb/rd_err.c b/kerberosIV/krb/rd_err.c deleted file mode 100644 index 38508825873..00000000000 --- a/kerberosIV/krb/rd_err.c +++ /dev/null 
@@ -1,86 +0,0 @@ -/* $OpenBSD: rd_err.c,v 1.3 1997/12/09 07:57:33 art Exp $ */ -/* $KTH: rd_err.c,v 1.8 1997/04/01 08:18:40 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* - * Given an AUTH_MSG_APPL_ERR message, "in" and its length "in_length", - * return the error code from the message in "code" and the text in - * "m_data" as follows: - * - * m_data->app_data points to the error text - * m_data->app_length points to the length of the error text - * - * If all goes well, return RD_AP_OK. If the version number - * is wrong, return RD_AP_VERSION, and if it's not an AUTH_MSG_APPL_ERR - * type message, return RD_AP_MSG_TYPE. - * - * The AUTH_MSG_APPL_ERR message format can be found in mk_err.c - */ - -int -krb_rd_err(u_char *in, u_int32_t in_length, int32_t *code, MSG_DAT *m_data) -{ - unsigned char *p = (unsigned char*)in; - - unsigned char pvno, type; - int little_endian; - - if (p == NULL) - return KFAILURE; - - pvno = *p++; - if(pvno != KRB_PROT_VERSION) - return RD_AP_VERSION; - - type = *p++; - little_endian = type & 1; - type &= ~1; - - if(type != AUTH_MSG_APPL_ERR) - return RD_AP_MSG_TYPE; - - p += krb_get_int(p, (u_int32_t *)&code, 4, little_endian); - - m_data->app_data = p; - m_data->app_length = in_length; /* XXX is this correct? */ - return KSUCCESS; -} diff --git a/kerberosIV/krb/rd_priv.c b/kerberosIV/krb/rd_priv.c deleted file mode 100644 index 85ee4397ee4..00000000000 --- a/kerberosIV/krb/rd_priv.c +++ /dev/null 
@@ -1,133 +0,0 @@
-/* $OpenBSD: rd_priv.c,v 1.5 1997/12/12 05:30:28 art Exp $ */
-/* $KTH: rd_priv.c,v 1.24 1997/05/14 17:53:29 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb_locl.h"
-
-/* application include files */
-#include "krb-archaeology.h"
-
-/*
- * krb_rd_priv() decrypts and checks the integrity of an
- * AUTH_MSG_PRIVATE message. Given the message received, "in",
- * the length of that message, "in_length", the key "schedule"
- * and "key", and the network addresses of the
- * "sender" and "receiver" of the message, krb_rd_safe() returns
- * RD_AP_OK if the message is okay, otherwise some error code.
- *
- * The message data retrieved from "in" are returned in the structure
- * "m_data". The pointer to the application data
- * (m_data->app_data) refers back to the appropriate place in "in".
- *
- * See the file "mk_priv.c" for the format of the AUTH_MSG_PRIVATE
- * message. The structure containing the extracted message
- * information, MSG_DAT, is defined in "krb.h".
- */
-
-int32_t
-krb_rd_priv(void *in, u_int32_t in_length,
- struct des_ks_struct *schedule, des_cblock *key,
- struct sockaddr_in *sender, struct sockaddr_in *receiver,
- MSG_DAT *m_data)
-{
- unsigned char *p = (unsigned char*)in;
- int little_endian;
- u_int32_t clen;
- struct timeval tv;
- u_int32_t src_addr;
- int delta_t;
-
- unsigned char pvno, type;
-
- if (p == NULL)
- return KFAILURE;
-
- pvno = *p++;
- if(pvno != KRB_PROT_VERSION)
- return RD_AP_VERSION;
-
- type = *p++;
- little_endian = type & 1;
- type &= ~1;
-
- p += krb_get_int(p, &clen, 4, little_endian);
-
- if(clen + 2 > in_length)
- return RD_AP_MODIFIED;
-
- des_pcbc_encrypt((des_cblock*)p, (des_cblock*)p, clen,
- schedule, key, DES_DECRYPT);
-
- p += krb_get_int(p, &m_data->app_length, 4, little_endian);
- if(m_data->app_length + 17 > in_length)
- return RD_AP_MODIFIED;
-
- m_data->app_data = p;
- p += m_data->app_length;
-
- m_data->time_5ms = *p++;
-
- p += krb_get_address(p, &src_addr);
-
- if (!krb_equiv(src_addr, sender->sin_addr.s_addr))
- return RD_AP_BADD;
-
- p += krb_get_int(p, (u_int32_t *)&m_data->time_sec, 4, little_endian);
-
- m_data->time_sec = lsb_time(m_data->time_sec, sender, receiver);
-
- gettimeofday(&tv, NULL);
-
- /* check the time integrity of the msg */
- delta_t = abs((int)((long) tv.tv_sec - m_data->time_sec));
- if (delta_t > CLOCK_SKEW)
- return RD_AP_TIME;
- if (krb_debug)
- krb_warning("\ndelta_t = %d", (int) delta_t);
-
- /*
- * caller must check timestamps for proper order and
- * replays, since server might have multiple clients
- * each with its own timestamps and we don't assume
- * tightly synchronized clocks.
- */
-
- return KSUCCESS;
-}
diff --git a/kerberosIV/krb/rd_req.c b/kerberosIV/krb/rd_req.c
deleted file mode 100644
index 2072c0519e1..00000000000
--- a/kerberosIV/krb/rd_req.c
+++ /dev/null
@@ -1,328 +0,0 @@
-/* $OpenBSD: rd_req.c,v 1.5 1997/12/09 07:57:34 art Exp $ */
-/* $KTH: rd_req.c,v 1.24 1997/05/11 11:05:28 assar Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb_locl.h"
-
-static struct timeval t_local = { 0, 0 };
-
-/*
- * Keep the following information around for subsequent calls
- * to this routine by the same server using the same key.
- */
-
-static des_key_schedule serv_key; /* Key sched to decrypt ticket */
-static des_cblock ky; /* Initialization vector */
-static int st_kvno; /* version number for this key */
-static char st_rlm[REALM_SZ]; /* server's realm */
-static char st_nam[ANAME_SZ]; /* service name */
-static char st_inst[INST_SZ]; /* server's instance */
-
-/*
- * This file contains two functions. krb_set_key() takes a DES
- * key or password string and returns a DES key (either the original
- * key, or the password converted into a DES key) and a key schedule
- * for it.
- *
- * krb_rd_req() reads an authentication request and returns information
- * about the identity of the requestor, or an indication that the
- * identity information was not authentic.
- */
-
-/*
- * krb_set_key() takes as its first argument either a DES key or a
- * password string. The "cvt" argument indicates how the first
- * argument "key" is to be interpreted: if "cvt" is null, "key" is
- * taken to be a DES key; if "cvt" is non-null, "key" is taken to
- * be a password string, and is converted into a DES key using
- * string_to_key(). In either case, the resulting key is returned
- * in the external static variable "ky". A key schedule is
- * generated for "ky" and returned in the external static variable
- * "serv_key".
- *
- * This routine returns the return value of des_key_sched.
- *
- * krb_set_key() needs to be in the same .o file as krb_rd_req() so that
- * the key set by krb_set_key() is available in private storage for
- * krb_rd_req().
- */
-
-int
-krb_set_key(void *key, int cvt)
-{
-#ifdef NOENCRYPTION
- memset(ky, 0, sizeof(ky));
- return KSUCCESS;
-#else /* Encrypt */
- if (cvt)
- des_string_to_key((char*)key, &ky);
- else
- memcpy((char*)ky, key, 8);
- return(des_key_sched(&ky, serv_key));
-#endif /* NOENCRYPTION */
-}
-
-
-/*
- * krb_rd_req() takes an AUTH_MSG_APPL_REQUEST or
- * AUTH_MSG_APPL_REQUEST_MUTUAL message created by krb_mk_req(),
- * checks its integrity and returns a judgement as to the requestor's
- * identity.
- *
- * The "authent" argument is a pointer to the received message.
- * The "service" and "instance" arguments name the receiving server,
- * and are used to get the service's ticket to decrypt the ticket
- * in the message, and to compare against the server name inside the
- * ticket. "from_addr" is the network address of the host from which
- * the message was received; this is checked against the network
- * address in the ticket. If "from_addr" is zero, the check is not
- * performed. "ad" is an AUTH_DAT structure which is
- * filled in with information about the sender's identity according
- * to the authenticator and ticket sent in the message. Finally,
- * "fn" contains the name of the file containing the server's key.
- * (If "fn" is NULL, the server's key is assumed to have been set
- * by krb_set_key(). If "fn" is the null string ("") the default
- * file KEYFILE, defined in "krb.h", is used.)
- *
- * krb_rd_req() returns RD_AP_OK if the authentication information
- * was genuine, or one of the following error codes (defined in
- * "krb.h"):
- *
- * RD_AP_VERSION - wrong protocol version number
- * RD_AP_MSG_TYPE - wrong message type
- * RD_AP_UNDEC - couldn't decipher the message
- * RD_AP_INCON - inconsistencies found
- * RD_AP_BADD - wrong network address
- * RD_AP_TIME - client time (in authenticator)
- * too far off server time
- * RD_AP_NYV - Kerberos time (in ticket) too
- * far off server time
- * RD_AP_EXP - ticket expired
- *
- * For the message format, see krb_mk_req().
- *
- * Mutual authentication is not implemented.
- */
-
-int
-krb_rd_req(KTEXT authent, /* The received message */
- char *service, /* Service name */
- char *instance, /* Service instance */
- int32_t from_addr, /* Net address of originating host */
- AUTH_DAT *ad, /* Structure to be filled in */
- char *fn) /* Filename to get keys from */
-{
- static KTEXT_ST ticket; /* Temp storage for ticket */
- static KTEXT tkt = &ticket;
- static KTEXT_ST req_id_st; /* Temp storage for authenticator */
- KTEXT req_id = &req_id_st;
-
- char realm[REALM_SZ]; /* Realm of issuing kerberos */
-
- unsigned char skey[KKEY_SZ]; /* Session key from ticket */
- char sname[SNAME_SZ]; /* Service name from ticket */
- char iname[INST_SZ]; /* Instance name from ticket */
- char r_aname[ANAME_SZ]; /* Client name from authenticator */
- char r_inst[INST_SZ]; /* Client instance from authenticator */
- char r_realm[REALM_SZ]; /* Client realm from authenticator */
- u_int32_t r_time_sec; /* Coarse time from authenticator */
- unsigned long delta_t; /* Time in authenticator - local time */
- long tkt_age; /* Age of ticket */
- static unsigned char s_kvno;/* Version number of the server's key
- * Kerberos used to encrypt ticket */
-
- struct timeval tv;
- int status;
-
- int pvno;
- int type;
- int little_endian;
-
- unsigned char *p;
-
- if (authent->length <= 0)
- return(RD_AP_MODIFIED);
-
- p = authent->dat;
-
- /* get msg version, type and byte order, and server key version */
-
- pvno = *p++;
-
- if(pvno != KRB_PROT_VERSION)
- return RD_AP_VERSION;
-
- type = *p++;
-
- little_endian = type & 1;
- type &= ~1;
-
- if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL)
- return RD_AP_MSG_TYPE;
-
- s_kvno = *p++;
-
- p += krb_get_string(p, realm);
-
- /*
- * If "fn" is NULL, key info should already be set; don't
- * bother with ticket file. Otherwise, check to see if we
- * already have key info for the given server and key version
- * (saved in the static st_* variables). If not, go get it
- * from the ticket file. If "fn" is the null string, use the
- * default ticket file.
- */
- if (fn && (strcmp(st_nam,service) || strcmp(st_inst,instance) ||
- strcmp(st_rlm,realm) || (st_kvno != s_kvno))) {
- if (*fn == 0) fn = KEYFILE;
- st_kvno = s_kvno;
- if (read_service_key(service, instance, realm, s_kvno,
- fn, (char *)skey))
- return(RD_AP_UNDEC);
- if ((status = krb_set_key((char*)skey, 0)))
- return(status);
- strncpy(st_rlm, realm, REALM_SZ);
- st_rlm[REALM_SZ-1] = '\0';
- strncpy(st_nam, service, SNAME_SZ);
- st_nam[SNAME_SZ-1] = '\0';
- strncpy(st_inst, instance, INST_SZ);
- st_inst[INST_SZ-1] = '\0';
- }
-
- tkt->length = *p++;
-
- req_id->length = *p++;
-
- if(tkt->length + (p - authent->dat) > authent->length)
- return RD_AP_MODIFIED;
-
- memcpy(tkt->dat, p, tkt->length);
- p += tkt->length;
-
- if (krb_ap_req_debug)
- krb_log("ticket->length: %d",tkt->length);
-
- /* Decrypt and take apart ticket */
- if (decomp_ticket(tkt, &ad->k_flags, ad->pname, ad->pinst, ad->prealm,
- &ad->address, ad->session, &ad->life,
- &ad->time_sec, sname, iname, &ky, serv_key))
- return RD_AP_UNDEC;
-
- if (krb_ap_req_debug) {
- krb_log("Ticket Contents.");
- krb_log(" Aname: %s.%s",ad->pname, ad->prealm);
- krb_log(" Service: %s", krb_unparse_name_long(sname, iname, NULL));
- }
-
- /* Extract the authenticator */
-
- if(req_id->length + (p - authent->dat) > authent->length)
- return RD_AP_MODIFIED;
-
- memcpy(req_id->dat, p, req_id->length);
- p = req_id->dat;
-
-#ifndef NOENCRYPTION
- /* And decrypt it with the session key from the ticket */
- if (krb_ap_req_debug) krb_log("About to decrypt authenticator");
-
- encrypt_ktext(req_id, &ad->session, DES_DECRYPT);
-
- if (krb_ap_req_debug) krb_log("Done.");
-#endif /* NOENCRYPTION */
-
- /* cast req_id->length to int? */
-#define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
-
- p += krb_get_nir(p, r_aname, r_inst, r_realm); /* XXX no rangecheck */
-
- p += krb_get_int(p, &ad->checksum, 4, little_endian);
-
- p++; /* time_5ms is not used */
-
- p += krb_get_int(p, &r_time_sec, 4, little_endian);
-
- /* Check for authenticity of the request */
- if (krb_ap_req_debug)
- krb_log("Principal: %s.%s@%s / %s.%s@%s",ad->pname,ad->pinst, ad->prealm,
- r_aname, r_inst, r_realm);
- if (strcmp(ad->pname, r_aname) != 0 ||
- strcmp(ad->pinst, r_inst) != 0 ||
- strcmp(ad->prealm, r_realm) != 0)
- return RD_AP_INCON;
-
- if (krb_ap_req_debug)
- krb_log("Address: %x %x", ad->address, from_addr);
-
- if (from_addr && (!krb_equiv(ad->address, from_addr)))
- return RD_AP_BADD;
-
- gettimeofday(&tv, NULL);
- delta_t = abs((int)(tv.tv_sec - r_time_sec));
- if (delta_t > CLOCK_SKEW) {
- if (krb_ap_req_debug)
- krb_log("Time out of range: %lu - %lu = %lu",
- (unsigned long)t_local.tv_sec,
- (unsigned long)r_time_sec,
- (unsigned long)delta_t);
- return RD_AP_TIME;
- }
-
- /* Now check for expiration of ticket */
-
- tkt_age = tv.tv_sec - ad->time_sec;
- if (krb_ap_req_debug)
- krb_log("Time: %ld Issue Date: %lu Diff: %ld Life %x",
- (long)tv.tv_sec,
- (unsigned long)ad->time_sec,
- tkt_age,
- ad->life);
-
- if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW))
- return RD_AP_NYV;
-
- if (tv.tv_sec > krb_life_to_time(ad->time_sec, ad->life))
- return RD_AP_EXP;
-
- /* All seems OK */
- ad->reply.length = 0;
-
- return(RD_AP_OK);
-}
diff --git a/kerberosIV/krb/rd_safe.c b/kerberosIV/krb/rd_safe.c
deleted file mode 100644
index f532a462f9f..00000000000
--- a/kerberosIV/krb/rd_safe.c
+++ /dev/null
@@ -1,184 +0,0 @@
-/* $OpenBSD: rd_safe.c,v 1.5 1997/12/12 05:30:29 art Exp $ */
-/* $KTH: rd_safe.c,v 1.24 1997/04/19 23:18:20 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb_locl.h"
-
-/* application include files */
-#include "krb-archaeology.h"
-
-/* Generate two checksums in the given byteorder of the data, one
- * new-form and one old-form. It has to be done this way to be
- * compatible with the old version of des_quad_cksum.
- */
-
-/* des_quad_chsum-type; 0 == unknown, 1 == new PL10++, 2 == old */
-int dqc_type = DES_QUAD_DEFAULT;
-
-void
-fixup_quad_cksum(void *start, size_t len, des_cblock *key,
- void *new_checksum, void *old_checksum, int little)
-{
- if (old_checksum == NULL || new_checksum == NULL)
- return;
-
- des_quad_cksum((des_cblock*)start, (des_cblock*)new_checksum, len, 2, key);
- if(HOST_BYTE_ORDER){
- if(little){
- memcpy(old_checksum, new_checksum, 16);
- }else{
- u_int32_t *tmp = (u_int32_t*)new_checksum;
- memcpy(old_checksum, new_checksum, 16);
- swap_u_16(old_checksum);
- swap_u_long(tmp[0]);
- swap_u_long(tmp[1]);
- swap_u_long(tmp[2]);
- swap_u_long(tmp[3]);
- }
- }else{
- if(little){
- u_int32_t *tmp = (u_int32_t*)new_checksum;
- swap_u_long(tmp[0]);
- swap_u_long(tmp[1]);
- swap_u_long(tmp[2]);
- swap_u_long(tmp[3]);
- memcpy(old_checksum, new_checksum, 16);
- }else{
- u_int32_t tmp[4];
- tmp[0] = ((u_int32_t*)new_checksum)[3];
- tmp[1] = ((u_int32_t*)new_checksum)[2];
- tmp[2] = ((u_int32_t*)new_checksum)[1];
- tmp[3] = ((u_int32_t*)new_checksum)[0];
- memcpy(old_checksum, tmp, 16);
- }
- }
-}
-
-/*
- * krb_rd_safe() checks the integrity of an AUTH_MSG_SAFE message.
- * Given the message received, "in", the length of that message,
- * "in_length", the "key" to compute the checksum with, and the
- * network addresses of the "sender" and "receiver" of the message,
- * krb_rd_safe() returns RD_AP_OK if message is okay, otherwise
- * some error code.
- *
- * The message data retrieved from "in" is returned in the structure
- * "m_data". The pointer to the application data (m_data->app_data)
- * refers back to the appropriate place in "in".
- *
- * See the file "mk_safe.c" for the format of the AUTH_MSG_SAFE
- * message. The structure containing the extracted message
- * information, MSG_DAT, is defined in "krb.h".
- */
-
-int32_t
-krb_rd_safe(void *in, u_int32_t in_length, des_cblock *key,
- struct sockaddr_in *sender, struct sockaddr_in *receiver,
- MSG_DAT *m_data)
-{
- unsigned char *p = (unsigned char*)in, *start;
-
- unsigned char pvno, type;
- int little_endian;
- struct timeval tv;
- u_int32_t src_addr;
- int delta_t;
-
- if (p == NULL)
- return KFAILURE;
-
- pvno = *p++;
- if(pvno != KRB_PROT_VERSION)
- return RD_AP_VERSION;
-
- type = *p++;
- little_endian = type & 1;
- type &= ~1;
- if(type != AUTH_MSG_SAFE)
- return RD_AP_MSG_TYPE;
-
- start = p;
-
- p += krb_get_int(p, &m_data->app_length, 4, little_endian);
-
- if(m_data->app_length + 31 > in_length)
- return RD_AP_MODIFIED;
-
- m_data->app_data = p;
-
- p += m_data->app_length;
-
- m_data->time_5ms = *p++;
-
- p += krb_get_address(p, &src_addr);
-
- if (!krb_equiv(src_addr, sender->sin_addr.s_addr))
- return RD_AP_BADD;
-
- p += krb_get_int(p, (u_int32_t *)&m_data->time_sec, 4, little_endian);
- m_data->time_sec = lsb_time(m_data->time_sec, sender, receiver);
-
- gettimeofday(&tv, NULL);
-
- delta_t = abs((int)((long) tv.tv_sec - m_data->time_sec));
- if (delta_t > CLOCK_SKEW) return RD_AP_TIME;
-
- /*
- * caller must check timestamps for proper order and replays, since
- * server might have multiple clients each with its own timestamps
- * and we don't assume tightly synchronized clocks.
- */
-
- {
- unsigned char new_checksum[16];
- unsigned char old_checksum[16];
- fixup_quad_cksum(start, p - start, key,
- new_checksum, old_checksum, little_endian);
- if((dqc_type == DES_QUAD_GUESS || dqc_type == DES_QUAD_NEW) &&
- memcmp(new_checksum, p, 16) == 0)
- dqc_type = DES_QUAD_NEW;
- else if((dqc_type == DES_QUAD_GUESS || dqc_type == DES_QUAD_OLD) &&
- memcmp(old_checksum, p, 16) == 0)
- dqc_type = DES_QUAD_OLD;
- else
- return RD_AP_MODIFIED;
- }
- return KSUCCESS;
-}
diff --git a/kerberosIV/krb/read_service_key.c b/kerberosIV/krb/read_service_key.c
deleted file mode 100644
index 0a84415a57f..00000000000
--- a/kerberosIV/krb/read_service_key.c
+++ /dev/null
@@ -1,134 +0,0 @@
-/* $OpenBSD: read_service_key.c,v 1.6 1998/02/25 15:51:35 art Exp $ */
-/* $KTH: read_service_key.c,v 1.8 1997/03/23 03:53:16 joda Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "krb_locl.h"
-
-/*
- * The private keys for servers on a given host are stored in a
- * "srvtab" file (typically "/etc/srvtab"). This routine extracts
- * a given server's key from the file.
- *
- * read_service_key() takes the server's name ("service"), "instance",
- * and "realm" and a key version number "kvno", and looks in the given
- * "file" for the corresponding entry, and if found, returns the entry's
- * key field in "key".
- *
- * If "instance" contains the string "*", then it will match
- * any instance, and the chosen instance will be copied to that
- * string. For this reason it is important that the there is enough
- * space beyond the "*" to receive the entry.
- *
- * If "kvno" is 0, it is treated as a wild card and the first
- * matching entry regardless of the "vno" field is returned.
- *
- * This routine returns KSUCCESS on success, otherwise KFAILURE.
- *
- * The format of each "srvtab" entry is as follows:
- *
- * Size Variable Field in file
- * ---- -------- -------------
- * string serv server name
- * string inst server instance
- * string realm server realm
- * 1 byte vno server key version #
- * 8 bytes key server's key
- * ... ... ...
- */
-
-
-int
-read_service_key(char *service, /* Service Name */
- char *instance, /* Instance name or "*" */
- char *realm, /* Realm */
- int kvno, /* Key version number */
- char *file, /* Filename */
- char *key) /* Pointer to key to be filled in */
-{
- char serv[SNAME_SZ];
- char inst[INST_SZ];
- char rlm[REALM_SZ];
- unsigned char vno; /* Key version number */
- int wcard;
-
- int stab;
-
- if ((stab = open(file, O_RDONLY, 0)) < 0)
- return KFAILURE;
-
- if (instance == NULL)
- return KFAILURE;
-
- wcard = (instance[0] == '*') && (instance[1] == '\0');
-
- while (getst(stab, serv, SNAME_SZ) > 0) { /* Read sname */
- getst(stab, inst, INST_SZ); /* Instance */
- getst(stab, rlm, REALM_SZ); /* Realm */
- /* Vers number */
- if (read(stab, &vno, 1) != 1) {
- close(stab);
- return KFAILURE;
- }
- /* Key */
- if (read(stab, key, 8) != 8) {
- close(stab);
- return KFAILURE;
- }
- /* Is this the right service */
- if (service != NULL && strcmp(serv, service))
- continue;
- /* How about instance */
- if (wcard == '\0' && strcmp(inst,instance))
- continue;
- if (wcard != 0) {
- strncpy(instance, inst, INST_SZ);
- instance[INST_SZ - 1] = '\0';
- }
- /* Is this the right realm */
- if (realm != NULL && strcmp(rlm, realm))
- continue;
-
- /* How about the key version number */
- if (kvno && kvno != (int) vno)
- continue;
-
- close(stab);
- return KSUCCESS;
- }
-
- /* Can't find the requested service */
- close(stab);
- return(KFAILURE);
-}
diff --git a/kerberosIV/krb/realm_parse.c b/kerberosIV/krb/realm_parse.c
deleted file mode 100644
index 7041db9d5ca..00000000000
--- a/kerberosIV/krb/realm_parse.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/* $OpenBSD: realm_parse.c,v 1.5 1998/07/07 19:07:00 art Exp $ */
-/* $KTH: realm_parse.c,v 1.14 1997/12/15 17:19:13 assar Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "krb_locl.h"
-
-static int
-realm_parse(char *realm, int length, const char *file)
-{
- FILE *F;
- char tr[128];
- char *p;
-
- if ((F = fopen(file,"r")) == NULL)
- return -1;
-
- while(fgets(tr, sizeof(tr), F)){
- char *unused = NULL;
- p = strtok_r(tr, " \t\n\r", &unused);
- if(p && strcasecmp(p, realm) == 0){
- fclose(F);
- strncpy(realm, p, length);
- realm[length - 1] = '\0';
- return 0;
- }
- }
- fclose(F);
- return -1;
-}
-
-static const char *const files[] = KRB_CNF_FILES;
-
-int
-krb_realm_parse(char *realm, int length)
-{
- int i;
- char file[MAXPATHLEN];
-
- for(i = 0; krb_get_krbconf(i, file, sizeof(file)) == 0; i++)
- if (realm_parse(realm, length, file) == 0)
- return 0;
-
- return -1;
-}
diff --git a/kerberosIV/krb/recvauth.c b/kerberosIV/krb/recvauth.c
deleted file mode 100644
index 786d573ca99..00000000000
--- a/kerberosIV/krb/recvauth.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/* $OpenBSD: recvauth.c,v 1.6 1998/02/25 15:51:37 art Exp $ */
-/* $KTH: recvauth.c,v 1.18 1997/07/05 01:35:15 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- * - */ - -#include "krb_locl.h" - -#ifndef MAX -#define MAX(a,b) (((a)>(b))?(a):(b)) -#endif /* MAX */ - -#ifndef MIN -#define MIN(a,b) (((a)<(b))?(a):(b)) -#endif /* MIN */ - -/* - * krb_recvauth() reads (and optionally responds to) a message sent - * using krb_sendauth(). The "options" argument is a bit-field of - * selected options (see "sendauth.c" for options description). - * The only option relevant to krb_recvauth() is KOPT_DO_MUTUAL - * (mutual authentication requested). The "fd" argument supplies - * a file descriptor to read from (and write to, if mutual authenti- - * cation is requested). - * - * Part of the received message will be a Kerberos ticket sent by the - * client; this is read into the "ticket" argument. The "service" and - * "instance" arguments supply the server's Kerberos name. If the - * "instance" argument is the string "*", it is treated as a wild card - * and filled in during the krb_rd_req() call (see read_service_key()). - * - * The "faddr" and "laddr" give the sending (client) and receiving - * (local server) network addresses. ("laddr" may be left NULL unless - * mutual authentication is requested, in which case it must be set.) - * - * The authentication information extracted from the message is returned - * in "kdata". The "filename" argument indicates the file where the - * server's key can be found. (It is passed on to krb_rd_req().) If - * left null, the default "/etc/srvtab" will be used. - * - * If mutual authentication is requested, the session key schedule must - * be computed in order to reply; this schedule is returned in the - * "schedule" argument. A string containing the application version - * number from the received message is returned in "version", which - * should be large enough to hold a KRB_SENDAUTH_VLEN-character string. - * - * See krb_sendauth() for the format of the received client message. - * - * krb_recvauth() first reads the protocol version string from the - * given file descriptor. 
If it doesn't match the current protocol - * version (KRB_SENDAUTH_VERS), the old-style format is assumed. In - * that case, the string of characters up to the first space is read - * and interpreted as the ticket length, then the ticket is read. - * - * If the first string did match KRB_SENDAUTH_VERS, krb_recvauth() - * next reads the application protocol version string. Then the - * ticket length and ticket itself are read. - * - * The ticket is decrypted and checked by the call to krb_rd_req(). - * If no mutual authentication is required, the result of the - * krb_rd_req() call is retured by this routine. If mutual authenti- - * cation is required, a message in the following format is returned - * on "fd": - * - * Size Variable Field - * ---- -------- ----- - * - * 4 bytes tkt_len length of ticket or -1 - * if error occurred - * - * priv_len tmp_buf "private" message created - * by krb_mk_priv() which - * contains the incremented - * checksum sent by the client - * encrypted in the session - * key. (This field is not - * present in case of error.) - * - * If all goes well, KSUCCESS is returned; otherwise KFAILURE or some - * other error code is returned. - */ - -static int -send_error_reply(int fd) -{ - unsigned char tmp[4] = { 255, 255, 255, 255 }; - if(krb_net_write(fd, tmp, sizeof(tmp)) != sizeof(tmp)) - return -1; - return 0; -} - -int -krb_recvauth(int32_t options, /* bit-pattern of options */ - int fd, /* file descr. 
to read from */ - KTEXT ticket, /* storage for client's ticket */ - char *service, /* service expected */ - char *instance, /* inst expected (may be filled in) */ - struct sockaddr_in *faddr, /* address of foreign host on fd */ - struct sockaddr_in *laddr, /* local address */ - AUTH_DAT *kdata, /* kerberos data (returned) */ - char *filename, /* name of file with service keys */ - struct des_ks_struct *schedule, /* key schedule (return) */ - char *version) /* version string (filled in) */ -{ - int cc; - char krb_vers[KRB_SENDAUTH_VLEN + 1]; /* + 1 for the null terminator */ - int rem; - int32_t priv_len; - u_char tmp_buf[MAX_KTXT_LEN+MAX(KRB_SENDAUTH_VLEN+1,21)]; - - if (!(options & KOPT_IGNORE_PROTOCOL)) { - /* read the protocol version number */ - if (krb_net_read(fd, krb_vers, KRB_SENDAUTH_VLEN) != KRB_SENDAUTH_VLEN) - return(errno); - krb_vers[KRB_SENDAUTH_VLEN] = '\0'; - } - - /* read the application version string */ - if (krb_net_read(fd, version, KRB_SENDAUTH_VLEN) != KRB_SENDAUTH_VLEN) - return(errno); - version[KRB_SENDAUTH_VLEN] = '\0'; - - /* get the length of the ticket */ - { - char tmp[4]; - if (krb_net_read(fd, tmp, 4) != 4) - return -1; - krb_get_int(tmp, &ticket->length, 4, 0); - } - - /* sanity check */ - if (ticket->length <= 0 || ticket->length > MAX_KTXT_LEN) { - if (options & KOPT_DO_MUTUAL) { - if(send_error_reply(fd)) - return -1; - return KFAILURE; - } else - return KFAILURE; /* XXX there may still be junk on the fd? */ - } - - /* read the ticket */ - if (krb_net_read(fd, ticket->dat, ticket->length) != ticket->length) - return -1; - /* - * now have the ticket. decrypt it to get the authenticated - * data. 
- */ - rem = krb_rd_req(ticket, service, instance, faddr->sin_addr.s_addr, - kdata, filename); - - /* if we are doing mutual auth, compose a response */ - if (options & KOPT_DO_MUTUAL) { - if (rem != KSUCCESS){ - /* the krb_rd_req failed */ - if(send_error_reply(fd)) - return -1; - return rem; - } - - /* add one to the (formerly) sealed checksum, and re-seal it - for return to the client */ - { - unsigned char cs[4]; - krb_put_int(kdata->checksum + 1, cs, 4); -#ifndef NOENCRYPTION - des_key_sched(&kdata->session,schedule); -#endif - priv_len = krb_mk_priv(cs, - tmp_buf+4, - 4, - schedule, - &kdata->session, - laddr, - faddr); - } - /* mk_priv will never fail */ - priv_len += krb_put_int(priv_len, tmp_buf, 4); - - if((cc = krb_net_write(fd, tmp_buf, priv_len)) != priv_len) - return -1; - } - return rem; -} diff --git a/kerberosIV/krb/resolve.c b/kerberosIV/krb/resolve.c deleted file mode 100644 index 112814a27eb..00000000000 --- a/kerberosIV/krb/resolve.c +++ /dev/null 
@@ -1,280 +0,0 @@
-/* $OpenBSD: resolve.c,v 1.3 1997/12/12 05:30:31 art Exp $ */
-/* $KTH: resolve.c,v 1.12 1997/10/28 15:37:39 bg Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" -#include "resolve.h" - -#define DECL(X) {#X, T_##X} - -static struct stot{ - char *name; - int type; -}stot[] = { - DECL(A), - DECL(NS), - DECL(CNAME), - DECL(PTR), - DECL(MX), - DECL(TXT), - DECL(AFSDB), - DECL(SRV), - {NULL, 0} -}; - -static int -string_to_type(const char *name) -{ - struct stot *p = stot; - for(p = stot; p->name; p++) - if(strcasecmp(name, p->name) == 0) - return p->type; - return -1; -} - -#if 0 -static char * -type_to_string(int type) -{ - struct stot *p = stot; - for(p = stot; p->name; p++) - if(type == p->type) - return p->name; - return NULL; -} -#endif - -void -dns_free_data(struct dns_reply *r) -{ - struct resource_record *rr; - if(r->q.domain){ - free(r->q.domain); - r->q.domain = NULL; - } - for(rr = r->head; rr;){ - struct resource_record *tmp = rr; - if(rr->domain){ - free(rr->domain); - rr->domain = NULL; - } - if(rr->u.data){ - free(rr->u.data); - rr->u.data = NULL; - } - rr = rr->next; - free(tmp); - tmp = NULL; - } - free (r); - r = NULL; -} - -static struct dns_reply* -parse_reply(unsigned char *data, int len) -{ - unsigned char *p; - char host[128]; - int status; - - struct dns_reply *r; - struct resource_record **rr; - - r = (struct dns_reply*)malloc(sizeof(struct dns_reply)); - - if (r == NULL) - return NULL; - - memset(r, 0, sizeof(struct dns_reply)); - - p = data; - memcpy(&r->h, p, sizeof(HEADER)); - p += sizeof(HEADER); - status = dn_expand(data, data + len, p, host, 
sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - r->q.domain = strdup(host); - if(r->q.domain == NULL) { - dns_free_data(r); - return NULL; - } - - p += status; - r->q.type = (p[0] << 8 | p[1]); - p += 2; - r->q.class = (p[0] << 8 | p[1]); - p += 2; - rr = &r->head; - while(p < data + len){ - int type, class, ttl, size; - status = dn_expand(data, data + len, p, host, sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - p += status; - type = (p[0] << 8) | p[1]; - p += 2; - class = (p[0] << 8) | p[1]; - p += 2; - ttl = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; - p += 4; - size = (p[0] << 8) | p[1]; - p += 2; - *rr = (struct resource_record*)calloc(1, - sizeof(struct resource_record)); - if(*rr == NULL) { - dns_free_data(r); - return NULL; - } - (*rr)->domain = strdup(host); - if((*rr)->domain == NULL) { - dns_free_data(r); - return NULL; - } - (*rr)->type = type; - (*rr)->class = class; - (*rr)->ttl = ttl; - (*rr)->size = size; - switch(type){ - case T_NS: - case T_CNAME: - case T_PTR: - status = dn_expand(data, data + len, p, host, sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - (*rr)->u.txt = strdup(host); - if((*rr)->u.txt == NULL) { - dns_free_data(r); - return NULL; - } - break; - case T_MX: - case T_AFSDB:{ - status = dn_expand(data, data + len, p + 2, host, sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - (*rr)->u.mx = (struct mx_record*)malloc(sizeof(struct mx_record) + - strlen(host)); - if((*rr)->u.mx == NULL) { - dns_free_data(r); - return NULL; - } - (*rr)->u.mx->preference = (p[0] << 8) | p[1]; - strncpy((*rr)->u.mx->domain, host, MAXHOSTNAMELEN); - (*rr)->u.mx->domain[MAXHOSTNAMELEN-1] = '\0'; - break; - } - case T_SRV:{ - status = dn_expand(data, data + len, p + 6, host, sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - (*rr)->u.srv = - (struct srv_record*)malloc(sizeof(struct srv_record) + - strlen(host)); - if((*rr)->u.srv 
== NULL) { - dns_free_data(r); - return NULL; - } - (*rr)->u.srv->priority = (p[0] << 8) | p[1]; - (*rr)->u.srv->weight = (p[2] << 8) | p[3]; - (*rr)->u.srv->port = (p[4] << 8) | p[5]; - strncpy((*rr)->u.srv->target, host, MAXHOSTNAMELEN); - (*rr)->u.srv->target[MAXHOSTNAMELEN-1] = '\0'; - break; - } - case T_TXT:{ - (*rr)->u.txt = (char*)malloc(size + 1); - if((*rr)->u.txt == NULL) { - dns_free_data(r); - return NULL; - } - strncpy((*rr)->u.txt, (char*)p + 1, *p); - (*rr)->u.txt[*p] = 0; - break; - } - - default: - (*rr)->u.data = (unsigned char*)malloc(size); - if((*rr)->u.data == NULL) { - dns_free_data(r); - return NULL; - } - memcpy((*rr)->u.data, p, size); - } - p += size; - rr = &(*rr)->next; - } - *rr = NULL; - return r; -} - -struct dns_reply * -dns_lookup(const char *domain, const char *type_name) -{ - unsigned char reply[1024]; - int len; - int type; - struct dns_reply *r = NULL; - u_long old_options = 0; - - type = string_to_type(type_name); - if (krb_dns_debug) { - old_options = _res.options; - _res.options |= RES_DEBUG; - krb_warning("dns_lookup(%s, %s)\n", domain, type_name); - } - len = res_search(domain, C_IN, type, reply, sizeof(reply)); - if (krb_dns_debug) { - _res.options = old_options; - krb_warning("dns_lookup(%s, %s) --> %d\n", domain, type_name, len); - } - if (len >= 0) - r = parse_reply(reply, len); - return r; -} diff --git a/kerberosIV/krb/resolve.h b/kerberosIV/krb/resolve.h deleted file mode 100644 index 523c65c9da5..00000000000 --- a/kerberosIV/krb/resolve.h +++ /dev/null 
@@ -1,96 +0,0 @@
-/* $OpenBSD: resolve.h,v 1.2 1998/02/18 11:54:05 art Exp $ */
-/* $KTH: resolve.h,v 1.5 1997/05/14 17:41:25 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* THIS IS NOT (yet) A PUBLIC INTERFACE */
-
-
-#ifndef __RESOLVE_H__
-#define __RESOLVE_H__
-
-/* We use these, but they are not always present in <arpa/nameser.h> */
-
-struct dns_query{
- char *domain;
- unsigned type;
- unsigned class;
-};
-
-struct mx_record{
- unsigned preference;
- char domain[1];
-};
-
-struct srv_record{
- unsigned priority;
- unsigned weight;
- unsigned port;
- char target[1];
-};
-
-struct resource_record{
- char *domain;
- unsigned type;
- unsigned class;
- unsigned ttl;
- unsigned size;
- union {
- void *data;
- struct mx_record *mx;
- struct mx_record *afsdb; /* mx and afsdb are identical */
- struct srv_record *srv;
- struct in_addr *a;
- char *txt;
- }u;
- struct resource_record *next;
-};
-
-struct dns_reply{
- HEADER h;
- struct dns_query q;
- struct resource_record *head;
-};
-
-
-struct dns_reply* dns_lookup(const char *, const char *);
-
-void dns_free_data(struct dns_reply *r);
-
-#endif /* __RESOLVE_H__ */
diff --git a/kerberosIV/krb/rw.c b/kerberosIV/krb/rw.c
deleted file mode 100644
index f032f83b2e7..00000000000
--- a/kerberosIV/krb/rw.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/* $OpenBSD: rw.c,v 1.2 1997/12/09 07:57:37 art Exp $ */
-/* $KTH: rw.c,v 1.8 1997/04/01 08:18:44 joda Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* Almost all programs use these routines (implicitly) so it's a good
- * place to put the version string. */
-
-#include "version.h"
-
-#include "krb_locl.h"
-
-int
-krb_get_int(void *f, u_int32_t *to, int size, int lsb)
-{
- int i;
- unsigned char *from = (unsigned char *)f;
-
- if (from == NULL)
- return 0;
-
- *to = 0;
- if(lsb){
- for(i = size-1; i >= 0; i--)
- *to = (*to << 8) | from[i];
- }else{
- for(i = 0; i < size; i++)
- *to = (*to << 8) | from[i];
- }
- return size;
-}
-
-int
-krb_put_int(u_int32_t from, void *to, int size)
-{
- int i;
- unsigned char *p = (unsigned char *)to;
-
- if (p == NULL)
- return 0;
-
- for(i = size - 1; i >= 0; i--){
- p[i] = from & 0xff;
- from >>= 8;
- }
- return size;
-}
-
-
-/* addresses are always sent in network byte order */
-
-int
-krb_get_address(void *from, u_int32_t *to)
-{
- unsigned char *p = (unsigned char*)from;
-
- if (from == NULL || p == NULL)
- return 0;
-
- *to = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
- return 4;
-}
-
-int
-krb_put_address(u_int32_t addr, void *to)
-{
- return krb_put_int(ntohl(addr), to, 4);
-}
-
-int
-krb_put_string(char *from, void *to)
-{
- if (to == NULL || from == NULL)
- return 0;
- strcpy((char *)to, from);
- return strlen(from) + 1;
-}
-
-int
-krb_get_string(void *from, char *to)
-{
- return krb_put_string(from, to);
-}
-
-int
-krb_get_nir(void *from, char *name, char *instance, char *realm)
-{
- char *p = (char *)from;
-
- if (p
== NULL)
- return 0;
-
- p += krb_get_string(p, name);
- p += krb_get_string(p, instance);
- if(realm)
- p += krb_get_string(p, realm);
- return p - (char *)from;
-}
-
-int
-krb_put_nir(char *name, char *instance, char *realm, void *to)
-{
- char *p = (char *)to;
- if (p == NULL)
- return 0;
-
- p += krb_put_string(name, p);
- p += krb_put_string(instance, p);
- if(realm)
- p += krb_put_string(realm, p);
- return p - (char *)to;
-}
diff --git a/kerberosIV/krb/save_credentials.c b/kerberosIV/krb/save_credentials.c
deleted file mode 100644
index 8be21d9a217..00000000000
--- a/kerberosIV/krb/save_credentials.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/* $OpenBSD: save_credentials.c,v 1.5 1998/02/25 15:51:38 art Exp $ */
-/* $KTH: save_credentials.c,v 1.5 1997/03/23 03:53:17 joda Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "krb_locl.h"
-
-/*
- * This routine takes a ticket and associated info and calls
- * tf_save_cred() to store them in the ticket cache.
The peer
- * routine for extracting a ticket and associated info from the
- * ticket cache is krb_get_cred(). When changes are made to
- * this routine, the corresponding changes should be made
- * in krb_get_cred() as well.
- *
- * Returns KSUCCESS if all goes well, otherwise an error returned
- * by the tf_init() or tf_save_cred() routines.
- */
-
-int
-save_credentials(char *service, /* Service name */
- char *instance, /* Instance */
- char *realm, /* Auth domain */
- unsigned char *session, /* Session key */
- int lifetime, /* Lifetime */
- int kvno, /* Key version number */
- KTEXT ticket, /* The ticket itself */
- int32_t issue_date) /* The issue time */
-{
- int tf_status; /* return values of the tf_util calls */
-
- /* Open and lock the ticket file for writing */
- if ((tf_status = tf_init(TKT_FILE, W_TKT_FIL)) != KSUCCESS)
- return(tf_status);
-
- /* Save credentials by appending to the ticket file */
- tf_status = tf_save_cred(service, instance, realm, session,
- lifetime, kvno, ticket, issue_date);
- tf_close();
- return (tf_status);
-}
diff --git a/kerberosIV/krb/send_to_kdc.c b/kerberosIV/krb/send_to_kdc.c
deleted file mode 100644
index 2c4c538e510..00000000000
--- a/kerberosIV/krb/send_to_kdc.c
+++ /dev/null
@@ -1,477 +0,0 @@
-/* $OpenBSD: send_to_kdc.c,v 1.13 1998/08/16 20:48:39 art Exp $ */
-/* $KTH: send_to_kdc.c,v 1.54 1998/02/17 23:55:35 bg Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- * - */ - -#include "krb_locl.h" - -struct host { - struct sockaddr_in addr; - enum krb_host_proto proto; -}; - -static const char *prog = "send_to_kdc"; -static send_recv(KTEXT pkt, KTEXT rpkt, int f, - struct sockaddr_in *adr, struct host *addrs, - int h_hosts); - -/* - * send_to_kdc() sends a message to the Kerberos authentication - * server(s) in the given realm and returns the reply message. - * The "pkt" argument points to the message to be sent to Kerberos; - * the "rpkt" argument will be filled in with Kerberos' reply. - * The "realm" argument indicates the realm of the Kerberos server(s) - * to transact with. If the realm is null, the local realm is used. - * - * If more than one Kerberos server is known for a given realm, - * different servers will be queried until one of them replies. - * Several attempts (retries) are made for each server before - * giving up entirely. - * - * If an answer was received from a Kerberos host, KSUCCESS is - * returned. The following errors can be returned: - * - * SKDC_CANT - can't get local realm - * - can't find "kerberos" in /etc/services database - * - can't open socket - * - can't bind socket - * - all ports in use - * - couldn't find any Kerberos host - * - * SKDC_RETRY - couldn't get an answer from any Kerberos server, - * after several retries - */ - -/* always use the admin server */ -static int krb_use_admin_server_flag = 0; - -int -krb_use_admin_server(int flag) -{ - int old = krb_use_admin_server_flag; - krb_use_admin_server_flag = flag; - return old; -} - -int -send_to_kdc(KTEXT pkt, KTEXT rpkt, char *realm) -{ - int i; - int no_host; /* was a kerberos host found? */ - int retry; - int n_hosts; - int retval; - struct hostent *host; - char lrealm[REALM_SZ]; - struct krb_host *k_host; - struct host *hosts = malloc(sizeof(*hosts)); - - if (hosts == NULL) - return SKDC_CANT; - - /* - * If "realm" is non-null, use that, otherwise get the - * local realm. 
- */
- if (realm != NULL){
- strncpy(lrealm, realm, REALM_SZ);
- lrealm[REALM_SZ-1] = '\0';
- }
- else
- if (krb_get_lrealm(lrealm,1)) {
- if (krb_debug)
- krb_warning("%s: can't get local realm\n", prog);
- return(SKDC_CANT);
- }
- if (krb_debug)
- krb_warning("lrealm is %s\n", lrealm);
-
- no_host = 1;
- /* get an initial allocation */
- n_hosts = 0;
- for (i = 1; (k_host = krb_get_host(i, lrealm, krb_use_admin_server_flag));
- ++i) {
- char *p;
-
- if (krb_debug)
- krb_warning("Getting host entry for %s...", k_host->host);
- host = gethostbyname(k_host->host);
- if (krb_debug) {
- krb_warning("%s.\n",
- host ? "Got it" : "Didn't get it");
- }
- if (!host)
- continue;
- no_host = 0; /* found at least one */
- while ((p = *(host->h_addr_list)++)) {
- struct host *temp;
-
- temp = realloc(hosts, sizeof(*hosts) * (n_hosts + 1));
- if (temp == NULL) {
- free(hosts);
- return SKDC_CANT;
- }
- hosts = temp;
- memset (&hosts[n_hosts].addr, 0, sizeof(hosts[n_hosts].addr));
- hosts[n_hosts].addr.sin_family = host->h_addrtype;
- hosts[n_hosts].addr.sin_port = htons(k_host->port);
- hosts[n_hosts].proto = k_host->proto;
- memcpy(&hosts[n_hosts].addr.sin_addr, p,
- sizeof(hosts[n_hosts].addr.sin_addr));
- ++n_hosts;
- if (send_recv(pkt, rpkt, hosts[n_hosts-1].proto,
- &hosts[n_hosts-1].addr, hosts, n_hosts)) {
- retval = KSUCCESS;
- goto rtn;
- }
- if (krb_debug) {
- krb_warning("Timeout, error, or wrong descriptor\n");
- }
- }
- }
- if (no_host) {
- if (krb_debug)
- krb_warning("%s: can't find any Kerberos host.\n",
- prog);
- retval = SKDC_CANT;
- goto rtn;
- }
- /* retry each host in sequence */
- for (retry = 0; retry < CLIENT_KRB_RETRY; ++retry) {
- for (i = 0; i < n_hosts; ++i) {
- if (send_recv(pkt, rpkt,
- hosts[i].proto,
- &hosts[i].addr,
- hosts,
- n_hosts)) {
- retval = KSUCCESS;
- goto rtn;
- }
- }
- }
- retval = SKDC_RETRY;
-rtn:
- free(hosts);
- hosts = NULL;
- return(retval);
-}
-
-static int udp_socket(void)
-{
- return socket(AF_INET, SOCK_DGRAM, 0);
-}
-
-static int udp_connect(int s, struct sockaddr_in *adr)
-{
- if(krb_debug) {
- krb_warning("connecting to %s udp, port %d\n",
- inet_ntoa(adr->sin_addr),
- ntohs(adr->sin_port));
- }
-
- return connect(s, (struct sockaddr*)adr, sizeof(*adr));
-}
-
-static int udp_send(int s, struct sockaddr_in* adr, KTEXT pkt)
-{
- if(krb_debug) {
- krb_warning("sending %d bytes to %s, udp port %d\n",
- pkt->length,
- inet_ntoa(adr->sin_addr),
- ntohs(adr->sin_port));
- }
-
- return send(s, pkt->dat, pkt->length, 0);
-}
-
-static int tcp_socket(void)
-{
- return socket(AF_INET, SOCK_STREAM, 0);
-}
-
-static int tcp_connect(int s, struct sockaddr_in *adr)
-{
- if(krb_debug) {
- krb_warning("connecting to %s, tcp port %d\n",
- inet_ntoa(adr->sin_addr),
- ntohs(adr->sin_port));
- }
-
- return connect(s, (struct sockaddr*)adr, sizeof(*adr));
-}
-
-static int tcp_send(int s, struct sockaddr_in* adr, KTEXT pkt)
-{
- unsigned char len[4];
-
- if(krb_debug) {
- krb_warning("sending %d bytes to %s, tcp port %d\n",
- pkt->length,
- inet_ntoa(adr->sin_addr),
- ntohs(adr->sin_port));
- }
-
- krb_put_int(pkt->length, len, 4);
- if(send(s, len, sizeof(len), 0) != sizeof(len))
- return -1;
- return send(s, pkt->dat, pkt->length, 0);
-}
-
-static int udptcp_recv(void *buf, size_t len, KTEXT rpkt)
-{
- int pktlen=MIN(len, MAX_KTXT_LEN - 1);
-
- if(krb_debug)
- krb_warning("recieved %d bytes on udp/tcp socket\n", len);
-
- memcpy(rpkt->dat, buf, pktlen);
- rpkt->length = pktlen;
- return 0;
-}
-
-static int url_parse(const char *url, char *host, size_t len, short *port)
-{
- const char *p;
- if (url == NULL || host == NULL)
- return -1;
- if(strncmp(url, "http://", 7))
- return -1;
- url += 7;
- strncpy(host, url, len);
- p = strchr(url, ':');
- if(p){
- *port = atoi(p+1);
- if(p - url >= len)
- return -1;
- host[p - url] = 0;
- }else{
- *port = 80;
- host[len - 1] = 0;
- }
- return 0;
-}
-
-#define PROXY_VAR "krb4_proxy"
-
-static int http_connect(int s, struct sockaddr_in *adr)
-{
- const char *proxy = krb_get_config_string(PROXY_VAR);
- char host[MAXHOSTNAMELEN];
- short port;
- struct hostent *hp;
- struct sockaddr_in sin;
-
- if (adr == NULL)
- return -1;
-
- if(proxy == NULL) {
- if(krb_debug)
- krb_warning("Not using proxy.\n");
- return tcp_connect(s, adr);
- }
-
- if(url_parse(proxy, host, sizeof(host), &port) < 0)
- return -1;
-
- hp = gethostbyname(host);
- if(hp == NULL)
- return -1;
-
- memset(&sin, 0, sizeof(sin));
- sin.sin_family = AF_INET;
- memcpy(&sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
- sin.sin_port = htons(port);
- if(krb_debug) {
- krb_warning("connecting to proxy on %s (%s) port %d\n",
- host, inet_ntoa(sin.sin_addr), port);
- }
-
- return connect(s, (struct sockaddr*)&sin, sizeof(sin));
-}
-
-static int http_send(int s, struct sockaddr_in* adr, KTEXT pkt)
-{
- char *str;
- char *msg;
-
- if(base64_encode(pkt->dat, pkt->length, &str) < 0)
- return -1;
-
- if(krb_get_config_string(PROXY_VAR)){
- if(krb_debug) {
- krb_warning("sending %d bytes to %s, tcp port %d (via proxy)\n",
- pkt->length,
- inet_ntoa(adr->sin_addr),
- ntohs(adr->sin_port));
- }
-
- asprintf(&msg, "GET http://%s:%d/%s HTTP/1.0\r\n\r\n",
- inet_ntoa(adr->sin_addr),
- ntohs(adr->sin_port),
- str);
- } else {
- if(krb_debug) {
- krb_warning("sending %d bytes to %s, http port %d\n",
- pkt->length,
- inet_ntoa(adr->sin_addr),
- ntohs(adr->sin_port));
- }
- asprintf(&msg, "GET %s HTTP/1.0\r\n\r\n", str);
- }
- free(str);
- str = NULL;
-
- if (msg == NULL)
- return -1;
-
- if(send(s, msg, strlen(msg), 0) != strlen(msg)){
- free(msg);
- msg = NULL;
- return -1;
- }
- free(msg);
- msg = NULL;
- return 0;
-}
-
-static int http_recv(void *buf, size_t len, KTEXT rpkt)
-{
- char *p;
- int pktlen;
- char *tmp = malloc(len + 1);
- if (tmp == NULL)
- return -1;
-
- memcpy(tmp, buf, len);
- tmp[len] = 0;
- p = strstr(tmp, "\r\n\r\n");
- if(p == NULL){
- free(tmp);
- tmp = NULL;
- return -1;
- }
-
- p += 4;
- if(krb_debug)
- krb_warning("recieved %d bytes on http socket\n", (tmp + len) - p);
- if (p >= tmp+len) {
- free(tmp);
- tmp = NULL;
- return -1;
- }
- pktlen = MIN((tmp + len) - p, MAX_KTXT_LEN - 1);
- memcpy(rpkt->dat, p, pktlen);
-
- rpkt->dat[pktlen] = '\0';
- rpkt->length = pktlen;
- free(tmp);
- tmp = NULL;
- return 0;
-}
-
-static struct proto_descr {
- int proto;
- int stream_flag;
- int (*socket)(void);
- int (*connect)(int, struct sockaddr_in*);
- int (*send)(int, struct sockaddr_in*, KTEXT);
- int (*recv)(void*, size_t, KTEXT);
-} protos[] = {
- { PROTO_UDP, 0, udp_socket, udp_connect, udp_send, udptcp_recv },
- { PROTO_TCP, 1, tcp_socket, tcp_connect, tcp_send, udptcp_recv },
- { PROTO_HTTP, 1, tcp_socket, http_connect, http_send, http_recv }
-};
-
-static int
-send_recv(KTEXT pkt, KTEXT rpkt, int proto, struct sockaddr_in *adr,
- struct host *addrs, int n_hosts)
-{
- int i;
- int s;
- unsigned char buf[MAX_KTXT_LEN];
- int offset = 0;
- fd_set *fdsp = NULL;
- int fdsn;
-
- for(i = 0; i < sizeof(protos) / sizeof(protos[0]); i++){
- if(protos[i].proto == proto)
- break;
- }
- if(i == sizeof(protos) / sizeof(protos[0]))
- return FALSE;
- if((s = (*protos[i].socket)()) < 0)
- return FALSE;
- if((*protos[i].connect)(s, adr) < 0){
- close(s);
- return FALSE;
- }
- if((*protos[i].send)(s, adr, pkt) < 0){
- close(s);
- return FALSE;
- }
- fdsn = howmany(s+1, NFDBITS) * sizeof(fd_mask);
- if ((fdsp = (fd_set *)malloc(fdsn)) == NULL) {
- close(s);
- return FALSE;
- }
- do{
- struct timeval timeout;
- int len;
- timeout.tv_sec = CLIENT_KRB_TIMEOUT;
- timeout.tv_usec = 0;
-
- memset(fdsp, 0, fdsn);
- FD_SET(s, fdsp);
-
- /* select - either recv is ready, or timeout */
- /* see if timeout or error or wrong descriptor */
- if(select(s + 1, fdsp, 0, 0, &timeout) < 1
- || !FD_ISSET(s, fdsp)) {
- if (krb_debug)
- krb_warning("select failed: errno = %d\n", errno);
- close(s);
- free(fdsp);
- return FALSE;
- }
- len = recv(s, buf + offset, sizeof(buf) - offset, 0);
- if(len <= 0)
- break;
- offset += len;
- }while(protos[i].stream_flag);
- free(fdsp);
- close(s);
- if((*protos[i].recv)(buf, offset, rpkt) < 0)
- return FALSE;
- return TRUE;
-}
diff --git a/kerberosIV/krb/sendauth.c b/kerberosIV/krb/sendauth.c
deleted file mode 100644
index 49e208a65f9..00000000000
--- a/kerberosIV/krb/sendauth.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/* $OpenBSD: sendauth.c,v 1.7 1998/02/25 15:51:40 art Exp $ */
-/* $KTH: sendauth.c,v 1.15 1997/04/18 14:11:36 joda Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "krb_locl.h"
-
-/*
- * krb_sendauth() transmits a ticket over a file descriptor for a
- * desired service, instance, and realm, doing mutual authentication
- * with the server if desired.
- */
-
-/*
- * The first argument to krb_sendauth() contains a bitfield of
- * options (the options are defined in "krb.h"):
- *
- * KOPT_DONT_CANON Don't canonicalize instance as a hostname.
- * (If this option is not chosen, krb_get_phost()
- * is called to canonicalize it.)
- *
- * KOPT_DONT_MK_REQ Don't request server ticket from Kerberos.
- * A ticket must be supplied in the "ticket"
- * argument.
- * (If this option is not chosen, and there
- * is no ticket for the given server in the
- * ticket cache, one will be fetched using
- * krb_mk_req() and returned in "ticket".)
- *
- * KOPT_DO_MUTUAL Do mutual authentication, requiring that the
- * receiving server return the checksum+1 encrypted
- * in the session key. The mutual authentication
- * is done using krb_mk_priv() on the other side
- * (see "recvauth.c") and krb_rd_priv() on this
- * side.
- *
- * The "fd" argument is a file descriptor to write to the remote
- * server on. The "ticket" argument is used to store the new ticket
- * from the krb_mk_req() call. If the KOPT_DONT_MK_REQ options is
- * chosen, the ticket must be supplied in the "ticket" argument.
- * The "service", "inst", and "realm" arguments identify the ticket.
- * If "realm" is null, the local realm is used.
- *
- * The following arguments are only needed if the KOPT_DO_MUTUAL option
- * is chosen:
- *
- * The "checksum" argument is a number that the server will add 1 to
- * to authenticate itself back to the client; the "msg_data" argument
- * holds the returned mutual-authentication message from the server
- * (i.e., the checksum+1); the "cred" structure is used to hold the
- * session key of the server, extracted from the ticket file, for use
- * in decrypting the mutual authentication message from the server;
- * and "schedule" holds the key schedule for that decryption. The
- * the local and server addresses are given in "laddr" and "faddr".
- *
- * The application protocol version number (of up to KRB_SENDAUTH_VLEN
- * characters) is passed in "version".
- *
- * If all goes well, KSUCCESS is returned, otherwise some error code.
- *
- * The format of the message sent to the server is:
- *
- * Size Variable Field
- * ---- -------- -----
- *
- * KRB_SENDAUTH_VLEN KRB_SENDAUTH_VER sendauth protocol
- * bytes version number
- *
- * KRB_SENDAUTH_VLEN version application protocol
- * bytes version number
- *
- * 4 bytes ticket->length length of ticket
- *
- * ticket->length ticket->dat ticket itself
- */
-
-int
-krb_sendauth(int32_t options, /* bit-pattern of options */
- int fd, /* file descriptor to write onto */
- KTEXT ticket, /* where to put ticket (return); or
- * supplied in case of KOPT_DONT_MK_REQ */
- char *service, /* service name, instance, realm */
- char *instance,
- char *realm,
- u_int32_t checksum, /* checksum to include in request */
- MSG_DAT *msg_data, /* mutual auth MSG_DAT (return) */
- CREDENTIALS *cred, /* credentials (return) */
- struct des_ks_struct *schedule, /* key schedule (return) */
- struct sockaddr_in *laddr, /* local address */
- struct sockaddr_in *faddr, /* address of foreign host on fd */
- char *version) /* version string */
-{
- int ret;
- KTEXT_ST buf;
- char realrealm[REALM_SZ];
-
- if (realm == NULL) {
- ret = krb_get_lrealm (realrealm, 1);
- if (ret != KSUCCESS)
- return ret;
- realm = realrealm;
- }
- ret = krb_mk_auth (options, ticket, service, instance, realm, checksum,
- version, &buf);
- if (ret != KSUCCESS)
- return ret;
- ret = krb_net_write(fd, buf.dat, buf.length);
- if(ret < 0)
- return -1;
-
- if (options & KOPT_DO_MUTUAL) {
- char tmp[4];
- u_int32_t len;
- char inst[INST_SZ];
- char *i;
-
- ret = krb_net_read (fd, tmp, 4);
- if (ret < 0)
- return -1;
-
- krb_get_int (tmp, &len, 4, 0);
- if (len == 0xFFFFFFFF || len > sizeof(buf.dat))
- return KFAILURE;
- buf.length = len;
- ret = krb_net_read (fd, buf.dat, len);
- if (ret < 0)
- return -1;
-
- if (options & KOPT_DONT_CANON)
- i = instance;
- else
- i = krb_get_phost(instance);
- strncpy (inst, i, sizeof(inst));
- inst[sizeof(inst) - 1] = '\0';
-
- ret = krb_get_cred (service, inst, realm, cred);
- if (ret != KSUCCESS)
- return ret;
-
- des_key_sched(&cred->session, schedule);
-
- ret = krb_check_auth (&buf, checksum, msg_data, &cred->session,
- schedule, laddr, faddr);
- if (ret != KSUCCESS)
- return ret;
- }
- return KSUCCESS;
-}
diff --git a/kerberosIV/krb/shlib_version b/kerberosIV/krb/shlib_version
deleted file mode 100644
index 5b844bbf422..00000000000
--- a/kerberosIV/krb/shlib_version
+++ /dev/null
@@ -1,2 +0,0 @@
-major=7
-minor=0
diff --git a/kerberosIV/krb/stime.c b/kerberosIV/krb/stime.c
deleted file mode 100644
index 0c88eb0e48c..00000000000
--- a/kerberosIV/krb/stime.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/* $OpenBSD: stime.c,v 1.4 1998/02/25 15:51:42 art Exp $ */
-/* $KTH: stime.c,v 1.6 1997/05/02 14:29:20 assar Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1985, 1986, 1987, 1988 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "krb_locl.h"
-
-/*
- * Given a pointer to a long containing the number of seconds
- * since the beginning of time (midnight 1 Jan 1970 GMT), return
- * a string containing the local time in the form:
- *
- * "25-Jan-1988 10:17:56"
- */
-
-const char *
-krb_stime(time_t *t)
-{
- static char st[40];
- struct tm *tm;
-
- tm = localtime(t);
- snprintf(st, sizeof(st),
- "%2d-%s-%04d %02d:%02d:%02d",tm->tm_mday,
- month_sname(tm->tm_mon + 1),tm->tm_year + 1900,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
- return st;
-}
diff --git a/kerberosIV/krb/str2key.c b/kerberosIV/krb/str2key.c
deleted file mode 100644
index 4c2d1e839d8..00000000000
--- a/kerberosIV/krb/str2key.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/* $OpenBSD: str2key.c,v 1.6 1998/06/22 15:22:27 beck Exp $ */
-/* $KTH: str2key.c,v 1.10 1997/03/23 03:53:19 joda Exp $ */
-
-/* This defines the Andrew string_to_key function. It accepts a password
- * string as input and converts its via a one-way encryption algorithm to a DES
- * encryption key. It is compatible with the original Andrew authentication
- * service password database.
- */
-
-#include "krb_locl.h"
-
-static void
-mklower(char *s)
-{
- for (; s[0] != '\0'; s++)
- if ('A' <= *s && *s <= 'Z')
- *s = *s - 'A' + 'a';
-}
-
-/*
- * Short passwords, i.e 8 characters or less.
- */
-static void
-afs_cmu_StringToKey (char *str, char *cell, des_cblock *key)
-{
- char password[8+1]; /* crypt is limited to 8 chars anyway */
- int i;
- int passlen;
-
- memset(key, 0, sizeof(key));
- memset(password, 0, sizeof(password));
-
- strncpy (password, cell, 8);
- password[8] = '\0';
- passlen = strlen (str);
- if (passlen > 8) passlen = 8;
-
- for (i=0; i<passlen; i++)
- password[i] = str[i] ^ cell[i]; /* make sure cell is zero padded */
-
- for (i=0; i<8; i++)
- if (password[i] == '\0') password[i] = 'X';
-
- /* crypt only considers the first 8 characters of password but for some
- reason returns eleven characters of result (plus the two salt chars). */
- strncpy((char *)key, (char *)des_crypt(password, "#~") + 2, sizeof(des_cblock));
-
- /* parity is inserted into the LSB so leftshift each byte up one bit. This
- allows ascii characters with a zero MSB to retain as much significance
- as possible. */
- { char *keybytes = (char *)key;
- unsigned int temp;
-
- for (i = 0; i < 8; i++) {
- temp = (unsigned int) keybytes[i];
- keybytes[i] = (unsigned char) (temp << 1);
- }
- }
- des_fixup_key_parity (key);
-}
-
-/*
- * Long passwords, i.e 9 characters or more.
- */
-static void
-afs_transarc_StringToKey (char *str, char *cell, des_cblock *key)
-{
- des_key_schedule schedule;
- des_cblock temp_key;
- des_cblock ivec;
- char password[512];
- int passlen;
-
- strncpy (password, str, sizeof(password));
- password[sizeof(password)-1] = '\0';
- if ((passlen = strlen (password)) < sizeof(password)-1)
- strncat (password, cell, sizeof(password)-passlen);
- if ((passlen = strlen(password)) > sizeof(password)) passlen = sizeof(password);
-
- memcpy(&ivec, "kerberos", 8);
- memcpy(&temp_key, "kerberos", 8);
- des_fixup_key_parity (&temp_key);
- des_key_sched (&temp_key, schedule);
- des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec);
-
- memcpy(&temp_key, &ivec, 8);
- des_fixup_key_parity (&temp_key);
- des_key_sched (&temp_key, schedule);
- des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec);
-
- des_fixup_key_parity (key);
-}
-
-void
-afs_string_to_key(char *str, char *cell, des_cblock *key)
-{
- char realm[REALM_SZ+1];
- strncpy(realm, cell, REALM_SZ);
- realm[REALM_SZ] = 0;
- mklower(realm);
-
- if (strlen(str) > 8)
- afs_transarc_StringToKey (str, realm, key);
- else
- afs_cmu_StringToKey (str, realm, key);
-}
diff --git a/kerberosIV/krb/strtok_r.c b/kerberosIV/krb/strtok_r.c
deleted file mode 100644
index 8da8c9d57a0..00000000000
--- a/kerberosIV/krb/strtok_r.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/* $OpenBSD: strtok_r.c,v 1.2 1997/12/09 07:57:40 art Exp $ */
-/* $KTH: strtok_r.c,v 1.4 1997/05/19 03:05:47 assar Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <string.h>
-
-char *
-strtok_r(char *s1, const char *s2, char **lasts)
-{
- char *ret;
-
- if (s1 == NULL)
- s1 = *lasts;
- while(*s1 && strchr(s2, *s1))
- ++s1;
- if(*s1 == '\0')
- return NULL;
- ret = s1;
- while(*s1 && !strchr(s2, *s1))
- ++s1;
- if(*s1)
- *s1++ = '\0';
- *lasts = s1;
- return ret;
-}
diff --git a/kerberosIV/krb/tf_util.3 b/kerberosIV/krb/tf_util.3
deleted file mode 100644
index 47bfb8efb38..00000000000
--- a/kerberosIV/krb/tf_util.3
+++ /dev/null
@@ -1,173 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. 
-.\" -.\" $OpenBSD: tf_util.3,v 1.4 1998/02/25 15:51:43 art Exp $ -.TH TF_UTIL 3 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -tf_init, tf_get_pname, tf_get_pinst, tf_get_cred, tf_close \ -\- Routines for manipulating a Kerberos ticket file -.SH SYNOPSIS -.nf -.nj -.ft B -#include <kerberosIV/krb.h> -.PP -.ft B -extern char *krb_err_txt[]; -.PP -.ft B -tf_init(tf_name, rw) -char *tf_name; -int rw; -.PP -.ft B -tf_get_pname(pname) -char *pname; -.PP -.ft B -tf_get_pinst(pinst) -char *pinst; -.PP -.ft B -tf_get_cred(c) -CREDENTIALS *c; -.PP -.ft B -tf_close() -.PP -.fi -.SH DESCRIPTION -This group of routines are provided to manipulate the Kerberos tickets -file. A ticket file has the following format: -.nf -.in +4 -.sp -principal's name (null-terminated string) -principal's instance (null-terminated string) -CREDENTIAL_1 -CREDENTIAL_2 - ... -CREDENTIAL_n -EOF -.sp -.in -4 -.LP -Where "CREDENTIAL_x" consists of the following fixed-length -fields from the CREDENTIALS structure (defined in <krb.h>): -.nf -.sp -.in +4 - char service[ANAME_SZ] - char instance[INST_SZ] - char realm[REALM_SZ] - des_cblock session - int lifetime - int kvno - KTEXT_ST ticket_st - long issue_date -.in -4 -.sp -.fi -.PP -.I tf_init -must be called before the other ticket file -routines. -It takes the name of the ticket file to use, -and a read/write flag as arguments. -It tries to open the ticket file, checks the mode and if -everything is okay, locks the file. If it's opened for -reading, the lock is shared. If it's opened for writing, -the lock is exclusive. -KSUCCESS is returned if all went well, otherwise one of the -following: -.nf -.sp -NO_TKT_FIL - file wasn't there -TKT_FIL_ACC - file was in wrong mode, etc. -TKT_FIL_LCK - couldn't lock the file, even after a retry -.sp -.fi -.PP -The -.I tf_get_pname -reads the principal's name from a ticket file. -It should only be called after tf_init has been called. The -principal's name is filled into the -.I pname -parameter. 
If all goes -well, KSUCCESS is returned. -If tf_init wasn't called, TKT_FIL_INI -is returned. -If the principal's name was null, or EOF was encountered, or the -name was longer than ANAME_SZ, TKT_FIL_FMT is returned. -.PP -The -.I tf_get_pinst -reads the principal's instance from a ticket file. -It should only be called after tf_init and tf_get_pname -have been called. -The principal's instance is filled into the -.I pinst -parameter. -If all goes -well, KSUCCESS is returned. -If tf_init wasn't called, TKT_FIL_INI -is returned. -If EOF was encountered, or the -name was longer than INST_SZ, TKT_FIL_FMT is returned. -Note that, unlike the principal name, the instance name may be null. -.PP -The -.I tf_get_cred -routine reads a CREDENTIALS record from a ticket file and -fills in the given structure. -It should only be called after -tf_init, tf_get_pname, and tf_get_pinst have been called. -If all goes well, KSUCCESS is returned. Possible error codes -are: -.nf -.sp -TKT_FIL_INI - tf_init wasn't called first -TKT_FIL_FMT - bad format -EOF - end of file encountered -.sp -.fi -.PP -.I tf_close -closes the ticket file and releases the lock on it. -.SH "SEE ALSO" -krb(3) -.SH DIAGNOSTICS -.SH BUGS -The ticket file routines have to be called in a certain order. -.SH AUTHORS -Jennifer Steiner, MIT Project Athena -.br -Bill Bryant, MIT Project Athena -.SH RESTRICTIONS -Copyright 1987 Massachusetts Institute of Technology diff --git a/kerberosIV/krb/tf_util.c b/kerberosIV/krb/tf_util.c deleted file mode 100644 index 137d7e3bdce..00000000000 --- a/kerberosIV/krb/tf_util.c +++ /dev/null 
@@ -1,689 +0,0 @@
-/* $OpenBSD: tf_util.c,v 1.7 1998/05/18 00:54:00 art Exp $ */
-/* $KTH: tf_util.c,v 1.30 1998/04/22 13:10:15 joda Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- *
- */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include "krb_locl.h"
-
-#define TOO_BIG -1
-#define TF_LCK_RETRY ((unsigned)2) /* seconds to sleep before
- * retry if ticket file is
- * locked */
-#define TF_LCK_RETRY_COUNT (50) /* number of retries */
-
-#ifndef O_BINARY
-#define O_BINARY 0
-#endif
-
-/*
- * fd must be initialized to something that won't ever occur as a real
- * file descriptor. Since open(2) returns only non-negative numbers as
- * valid file descriptors, and tf_init always stuffs the return value
- * from open in here even if it is an error flag, we must
- * a. Initialize fd to a negative number, to indicate that it is
- * not initially valid.
- * b. When checking for a valid fd, assume that negative values
- * are invalid (ie. when deciding whether tf_init has been
- * called.)
- * c. In tf_close, be sure it gets reinitialized to a negative
- * number.
- */
-static int fd = -1;
-static int curpos; /* Position in tfbfr */
-static int lastpos; /* End of tfbfr */
-static char tfbfr[BUFSIZ]; /* Buffer for ticket data */
-
-static int tf_gets(char *s, int n);
-static int tf_read(void *s, int n);
-
-/*
- * This file contains routines for manipulating the ticket cache file.
- *
- * The ticket file is in the following format:
- *
- * principal's name (null-terminated string)
- * principal's instance (null-terminated string)
- * CREDENTIAL_1
- * CREDENTIAL_2
- * ...
- * CREDENTIAL_n
- * EOF
- *
- * Where "CREDENTIAL_x" consists of the following fixed-length
- * fields from the CREDENTIALS structure (see "krb.h"):
- *
- * char service[ANAME_SZ]
- * char instance[INST_SZ]
- * char realm[REALM_SZ]
- * C_Block session
- * int lifetime
- * int kvno
- * KTEXT_ST ticket_st
- * u_int32_t issue_date
- *
- * Short description of routines:
- *
- * tf_init() opens the ticket file and locks it.
- *
- * tf_get_pname() returns the principal's name.
- *
- * tf_put_pname() writes the principal's name to the ticket file.
- *
- * tf_get_pinst() returns the principal's instance (may be null).
- *
- * tf_put_pinst() writes the instance.
- *
- * tf_get_cred() returns the next CREDENTIALS record.
- *
- * tf_save_cred() appends a new CREDENTIAL record to the ticket file.
- *
- * tf_close() closes the ticket file and releases the lock.
- *
- * tf_gets() returns the next null-terminated string. It's an internal
- * routine used by tf_get_pname(), tf_get_pinst(), and tf_get_cred().
- *
- * tf_read() reads a given number of bytes. It's an internal routine
- * used by tf_get_cred().
- */
-
-/*
- * tf_init() should be called before the other ticket file routines.
- * It takes the name of the ticket file to use, "tf_name", and a
- * read/write flag "rw" as arguments.
- *
- * It tries to open the ticket file, checks the mode, and if everything
- * is okay, locks the file. If it's opened for reading, the lock is
- * shared. If it's opened for writing, the lock is exclusive.
- *
- * Returns KSUCCESS if all went well, otherwise one of the following:
- *
- * NO_TKT_FIL - file wasn't there
- * TKT_FIL_ACC - file was in wrong mode, etc.
- * TKT_FIL_LCK - couldn't lock the file, even after a retry
- */
-
-int
-tf_init(char *tf_name, int rw)
-{
- /* Unix implementation */
- int wflag;
- struct stat stat_buf;
- int i_retry;
-
- switch (rw) {
- case R_TKT_FIL:
- wflag = 0;
- break;
- case W_TKT_FIL:
- wflag = 1;
- break;
- default:
- if (krb_debug)
- krb_warning("tf_init: illegal parameter\n");
- return TKT_FIL_ACC;
- }
- if (lstat(tf_name, &stat_buf) < 0)
- switch (errno) {
- case ENOENT:
- return NO_TKT_FIL;
- default:
- return TKT_FIL_ACC;
- }
- if (!S_ISREG(stat_buf.st_mode))
- return TKT_FIL_ACC;
-
- /* The code tries to guess when the calling program is running
- * set-uid and prevent unauthorized access.
- *
- * All library functions now assume that the right set of userids
- * are set upon entry, therefore it's not strictly necessary to
- * perform these test for programs adhering to these assumptions.
- */
- {
- uid_t me = getuid();
- if (stat_buf.st_uid != me && me != 0)
- return TKT_FIL_ACC;
- }
-
- /*
- * If "wflag" is set, open the ticket file in append-writeonly mode
- * and lock the ticket file in exclusive mode. If unable to lock
- * the file, sleep and try again. If we fail again, return with the
- * proper error message.
- */
-
- curpos = sizeof(tfbfr);
-
-
- if (wflag) {
- fd = open(tf_name, O_RDWR | O_BINARY, 0600);
- if (fd < 0) {
- return TKT_FIL_ACC;
- }
- for (i_retry = 0; i_retry < TF_LCK_RETRY_COUNT; i_retry++) {
- if (flock(fd, K_LOCK_EX | K_LOCK_NB) < 0) {
- if (krb_debug)
- krb_warning("tf_init: retry %d of write lock of `%s'.\n",
- i_retry, tf_name);
- sleep (TF_LCK_RETRY);
- } else {
- return KSUCCESS; /* all done */
- }
- }
- close (fd);
- fd = -1;
- return TKT_FIL_LCK;
- }
- /*
- * Otherwise "wflag" is not set and the ticket file should be opened
- * for read-only operations and locked for shared access.
- */
-
- fd = open(tf_name, O_RDONLY | O_BINARY, 0600);
- if (fd < 0) {
- return TKT_FIL_ACC;
- }
-
- for (i_retry = 0; i_retry < TF_LCK_RETRY_COUNT; i_retry++) {
- if (flock(fd, K_LOCK_SH | K_LOCK_NB) < 0) {
- if (krb_debug)
- krb_warning("tf_init: retry %d of read lock of `%s'.\n",
- i_retry, tf_name);
- sleep (TF_LCK_RETRY);
- } else {
- return KSUCCESS; /* all done */
- }
- }
- /* failure */
- close(fd);
- fd = -1;
- return TKT_FIL_LCK;
-}
-
-/*
- * tf_create() should be called when creating a new ticket file.
- * The only argument is the name of the ticket file.
- * After calling this, it should be possible to use other tf_* functions.
- *
- * New algoritm for creating ticket file:
- * 1. try to erase contents of existing file.
- * 2. try to remove old file.
- * 3. try to open with O_CREAT and O_EXCL
- * 4. if this fails, someone has created a file in between 1 and 2 and
- * we should fail. Otherwise, all is wonderful.
- */
-
-int
-tf_create(char *tf_name)
-{
- struct stat statbuf;
- char garbage[BUFSIZ];
-
- fd = open(tf_name, O_RDWR | O_BINARY, 0);
- if (fd >= 0) {
- if (fstat (fd, &statbuf) == 0) {
- int i;
-
- for (i = 0; i < statbuf.st_size; i += sizeof(garbage))
- write (fd, garbage, sizeof(garbage));
- }
- close (fd);
- }
-
- if (unlink (tf_name) && errno != ENOENT)
- return TKT_FIL_ACC;
-
- fd = open(tf_name, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
- if (fd < 0)
- return TKT_FIL_ACC;
- if (flock(fd, K_LOCK_EX | K_LOCK_NB) < 0) {
- sleep(TF_LCK_RETRY);
- if (flock(fd, K_LOCK_EX | K_LOCK_NB) < 0) {
- close(fd);
- fd = -1;
- return TKT_FIL_LCK;
- }
- }
- return KSUCCESS;
-}
-
-/*
- * tf_get_pname() reads the principal's name from the ticket file. It
- * should only be called after tf_init() has been called. The
- * principal's name is filled into the "p" parameter. If all goes well,
- * KSUCCESS is returned. If tf_init() wasn't called, TKT_FIL_INI is
- * returned. If the name was null, or EOF was encountered, or the name
- * was longer than ANAME_SZ, TKT_FIL_FMT is returned.
- */
-
-int
-tf_get_pname(char *p)
-{
- if (fd < 0) {
- if (krb_debug)
- krb_warning("tf_get_pname called before tf_init.\n");
- return TKT_FIL_INI;
- }
- if (tf_gets(p, ANAME_SZ) < 2) /* can't be just a null */
- {
- if (krb_debug)
- krb_warning ("tf_get_pname: pname < 2.\n");
- return TKT_FIL_FMT;
- }
- return KSUCCESS;
-}
-
-/*
- * tf_put_pname() sets the principal's name in the ticket file. Call
- * after tf_create().
- */
-
-int
-tf_put_pname(char *p)
-{
- unsigned count;
-
- if (fd < 0) {
- if (krb_debug)
- krb_warning("tf_put_pname called before tf_create.\n");
- return TKT_FIL_INI;
- }
- count = strlen(p)+1;
- if (write(fd,p,count) != count)
- return(KFAILURE);
- return KSUCCESS;
-}
-
-/*
- * tf_get_pinst() reads the principal's instance from a ticket file.
- * It should only be called after tf_init() and tf_get_pname() have been
- * called. The instance is filled into the "inst" parameter. If all
- * goes well, KSUCCESS is returned. If tf_init() wasn't called,
- * TKT_FIL_INI is returned. If EOF was encountered, or the instance
- * was longer than ANAME_SZ, TKT_FIL_FMT is returned. Note that the
- * instance may be null.
- */
-
-int
-tf_get_pinst(char *inst)
-{
- if (fd < 0) {
- if (krb_debug)
- krb_warning("tf_get_pinst called before tf_init.\n");
- return TKT_FIL_INI;
- }
- if (tf_gets(inst, INST_SZ) < 1)
- {
- if (krb_debug)
- krb_warning("tf_get_pinst: inst_sz < 1.\n");
- return TKT_FIL_FMT;
- }
- return KSUCCESS;
-}
-
-/*
- * tf_put_pinst writes the principal's instance to the ticket file.
- * Call after tf_create.
- */
-
-int
-tf_put_pinst(char *inst)
-{
- unsigned count;
-
- if (fd < 0) {
- if (krb_debug)
- krb_warning("tf_put_pinst called before tf_create.\n");
- return TKT_FIL_INI;
- }
- count = strlen(inst)+1;
- if (write(fd,inst,count) != count)
- return(KFAILURE);
- return KSUCCESS;
-}
-
-/*
- * tf_get_cred() reads a CREDENTIALS record from a ticket file and fills
- * in the given structure "c". It should only be called after tf_init(),
- * tf_get_pname(), and tf_get_pinst() have been called. If all goes well,
- * KSUCCESS is returned. Possible error codes are:
- *
- * TKT_FIL_INI - tf_init wasn't called first
- * TKT_FIL_FMT - bad format
- * EOF - end of file encountered
- */
-
-#define MAGIC_TICKET_NAME "magic"
-#define MAGIC_TICKET_INST "time-diff"
-
-int
-tf_get_cred(CREDENTIALS *c)
-{
- KTEXT ticket = &c->ticket_st; /* pointer to ticket */
- int k_errno;
-
- if (fd < 0) {
- if (krb_debug)
- krb_warning ("tf_get_cred called before tf_init.\n");
- return TKT_FIL_INI;
- }
-again:
- if ((k_errno = tf_gets(c->service, SNAME_SZ)) < 2)
- switch (k_errno) {
- case TOO_BIG:
- if (krb_debug)
- krb_warning("tf_get_cred: too big service cred.\n");
- case 1: /* can't be just a null */
- tf_close();
- if (krb_debug)
- krb_warning("tf_get_cred: null service cred.\n");
- return TKT_FIL_FMT;
- case 0:
- return EOF;
- }
- if ((k_errno = tf_gets(c->instance, INST_SZ)) < 1)
- switch (k_errno) {
- case TOO_BIG:
- if (krb_debug)
- krb_warning ("tf_get_cred: too big instance cred.\n");
- return TKT_FIL_FMT;
- case 0:
- return EOF;
- }
- if ((k_errno = tf_gets(c->realm, REALM_SZ)) < 2)
- switch (k_errno) {
- case TOO_BIG:
- if (krb_debug)
- krb_warning ("tf_get_cred: too big realm cred.\n");
- case 1: /* can't be just a null */
- tf_close();
- if (krb_debug)
- krb_warning ("tf_get_cred: null realm cred.\n");
- return TKT_FIL_FMT;
- case 0:
- return EOF;
- }
- if (
- tf_read((c->session), DES_KEY_SZ) < 1 ||
- tf_read(&(c->lifetime), sizeof(c->lifetime)) < 1 ||
- tf_read(&(c->kvno), sizeof(c->kvno)) < 1 ||
- tf_read(&(ticket->length), sizeof(ticket->length))
- < 1 ||
- /* don't try to read a silly amount into ticket->dat */
- ticket->length > MAX_KTXT_LEN ||
- tf_read((ticket->dat), ticket->length) < 1 ||
- tf_read(&(c->issue_date), sizeof(c->issue_date)) < 1
- ) {
- tf_close();
- if (krb_debug)
- krb_warning ("tf_get_cred: failed tf_read.\n");
- return TKT_FIL_FMT;
- }
- if(strcmp(c->service, MAGIC_TICKET_NAME) == 0 &&
- strcmp(c->instance, MAGIC_TICKET_INST) == 0) {
- /* we found the magic `time diff' ticket;
update the kdc time - differential, and then get the next ticket */ - u_int32_t d; - - krb_get_int(c->ticket_st.dat, &d, 4, 0); - krb_set_kdc_time_diff(d); - goto again; - } - return KSUCCESS; -} - -/* - * tf_close() closes the ticket file and sets "fd" to -1. If "fd" is - * not a valid file descriptor, it just returns. It also clears the - * buffer used to read tickets. - * - * The return value is not defined. - */ - -void -tf_close(void) -{ - if (!(fd < 0)) { - flock(fd, K_LOCK_UN); - close(fd); - fd = -1; /* see declaration of fd above */ - } - memset(tfbfr, 0, sizeof(tfbfr)); -} - -/* - * tf_gets() is an internal routine. It takes a string "s" and a count - * "n", and reads from the file until either it has read "n" characters, - * or until it reads a null byte. When finished, what has been read exists - * in "s". If it encounters EOF or an error, it closes the ticket file. - * - * Possible return values are: - * - * n the number of bytes read (including null terminator) - * when all goes well - * - * 0 end of file or read error - * - * TOO_BIG if "count" characters are read and no null is - * encountered. This is an indication that the ticket - * file is seriously ill. - */ - -static int -tf_gets(char *s, int n) -{ - int count; - - if (fd < 0) { - if (krb_debug) - krb_warning ("tf_gets called before tf_init.\n"); - return TKT_FIL_INI; - } - for (count = n - 1; count > 0; --count) { - if (curpos >= sizeof(tfbfr)) { - lastpos = read(fd, tfbfr, sizeof(tfbfr)); - curpos = 0; - } - if (curpos == lastpos) { - tf_close(); - return 0; - } - *s = tfbfr[curpos++]; - if (*s++ == '\0') - return (n - count); - } - tf_close(); - return TOO_BIG; -} - -/* - * tf_read() is an internal routine. It takes a string "s" and a count - * "n", and reads from the file until "n" bytes have been read. When - * finished, what has been read exists in "s". If it encounters EOF or - * an error, it closes the ticket file. 
- * - * Possible return values are: - * - * n the number of bytes read when all goes well - * - * 0 on end of file or read error - */ - -static int -tf_read(void *v, int n) -{ - char *s = (char *)v; - int count; - - for (count = n; count > 0; --count) { - if (curpos >= sizeof(tfbfr)) { - lastpos = read(fd, tfbfr, sizeof(tfbfr)); - curpos = 0; - } - if (curpos == lastpos) { - tf_close(); - return 0; - } - *s++ = tfbfr[curpos++]; - } - return n; -} - -/* - * tf_save_cred() appends an incoming ticket to the end of the ticket - * file. You must call tf_init() before calling tf_save_cred(). - * - * The "service", "instance", and "realm" arguments specify the - * server's name; "session" contains the session key to be used with - * the ticket; "kvno" is the server key version number in which the - * ticket is encrypted, "ticket" contains the actual ticket, and - * "issue_date" is the time the ticket was requested (local host's time). - * - * Returns KSUCCESS if all goes well, TKT_FIL_INI if tf_init() wasn't - * called previously, and KFAILURE for anything else that went wrong. 
- */ - -int -tf_save_cred(char *service, /* Service name */ - char *instance, /* Instance */ - char *realm, /* Auth domain */ - unsigned char *session, /* Session key */ - int lifetime, /* Lifetime */ - int kvno, /* Key version number */ - KTEXT ticket, /* The ticket itself */ - u_int32_t issue_date) /* The issue time */ -{ - int count; /* count for write */ - - if (fd < 0) { /* fd is ticket file as set by tf_init */ - if (krb_debug) - krb_warning ("tf_save_cred called before tf_init.\n"); - return TKT_FIL_INI; - } - /* Find the end of the ticket file */ - lseek(fd, 0L, SEEK_END); - - /* Write the ticket and associated data */ - /* Service */ - count = strlen(service) + 1; - if (write(fd, service, count) != count) - goto bad; - /* Instance */ - count = strlen(instance) + 1; - if (write(fd, instance, count) != count) - goto bad; - /* Realm */ - count = strlen(realm) + 1; - if (write(fd, realm, count) != count) - goto bad; - /* Session key */ - if (write(fd, session, 8) != 8) - goto bad; - /* Lifetime */ - if (write(fd, &lifetime, sizeof(int)) != sizeof(int)) - goto bad; - /* Key vno */ - if (write(fd, &kvno, sizeof(int)) != sizeof(int)) - goto bad; - /* Tkt length */ - if (write(fd, &(ticket->length), sizeof(int)) != - sizeof(int)) - goto bad; - /* Ticket */ - count = ticket->length; - if (write(fd, ticket->dat, count) != count) - goto bad; - /* Issue date */ - if (write(fd, &issue_date, sizeof(issue_date)) != sizeof(issue_date)) - goto bad; - - return (KSUCCESS); -bad: - return (KFAILURE); -} - -int -tf_setup(CREDENTIALS *cred, char *pname, char *pinst) -{ - int ret; - ret = tf_create(tkt_string()); - if (ret != KSUCCESS) - return ret; - - if (tf_put_pname(pname) != KSUCCESS || - tf_put_pinst(pinst) != KSUCCESS) { - tf_close(); - return INTK_ERR; - } - - if(krb_get_kdc_time_diff() != 0) { - /* Add an extra magic ticket containing the time differential - to the kdc. 
The first ticket defines which realm we belong - to, but since this ticket gets the same realm as the tgt, - this shouldn't be a problem */ - CREDENTIALS magic; - des_cblock s = { 0, 0, 0, 0, 0, 0, 0, 0 }; - KTEXT_ST t; - int d = krb_get_kdc_time_diff(); - krb_put_int(d, t.dat, 4); - t.length = 4; - tf_save_cred(MAGIC_TICKET_NAME, MAGIC_TICKET_INST, cred->realm, s, - cred->lifetime, 0, &t, cred->issue_date); - } - - ret = tf_save_cred(cred->service, cred->instance, cred->realm, - cred->session, cred->lifetime, cred->kvno, - &cred->ticket_st, cred->issue_date); - tf_close(); - return ret; -} - -int -in_tkt(char *pname, char *pinst) -{ - int ret; - - ret = tf_create (tkt_string()); - if (ret != KSUCCESS) - return ret; - - if (tf_put_pname(pname) != KSUCCESS || - tf_put_pinst(pinst) != KSUCCESS) { - tf_close(); - return INTK_ERR; - } - - tf_close(); - return KSUCCESS; -} diff --git a/kerberosIV/krb/time.c b/kerberosIV/krb/time.c deleted file mode 100644 index 4cfc9aeaff4..00000000000 --- a/kerberosIV/krb/time.c +++ /dev/null 
@@ -1,76 +0,0 @@ -/* $OpenBSD: time.c,v 1.3 1998/06/23 12:25:00 art Exp $ */ -/* $KTH: time.c,v 1.1 1998/02/19 19:12:55 joda Exp $ */ -/* - * Copyright (c) 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* number of seconds the kdc clock is ahead of us */ -static int time_diff; - -void -krb_set_kdc_time_diff(int diff) -{ - time_diff = diff; - if(krb_debug) - krb_warning("Setting time diff to %d\n", diff); -} - -int -krb_get_kdc_time_diff(void) -{ - return time_diff; -} - -/* return the time at the kdc (local time corrected with a time - differential) */ -void -krb_kdctimeofday(struct timeval *tv) -{ - time_t t; - - gettimeofday(tv, NULL); - t = (time_t)tv->tv_sec; - - if(krb_debug) - krb_warning("Machine time: %s", ctime(&t)); - tv->tv_sec += krb_get_kdc_time_diff(); - t = (time_t)tv->tv_sec; - if(krb_debug) - krb_warning("Correcting to %s", ctime(&t)); -} diff --git a/kerberosIV/krb/tkt_string.c b/kerberosIV/krb/tkt_string.c deleted file mode 100644 index 97b6f6a3e92..00000000000 --- a/kerberosIV/krb/tkt_string.c +++ /dev/null 
@@ -1,92 +0,0 @@ -/* $OpenBSD: tkt_string.c,v 1.8 1998/05/18 00:54:02 art Exp $ */ -/* $KTH: tkt_string.c,v 1.13 1998/04/04 17:56:53 assar Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * This routine is used to generate the name of the file that holds - * the user's cache of server tickets and associated session keys. 
- * - * If it is set, krb_ticket_string contains the ticket file name. - * Otherwise, the filename is constructed as follows: - * - * If it is set, the environment variable "KRBTKFILE" will be used as - * the ticket file name. Otherwise TKT_ROOT (defined in "krb.h") and - * the user's uid are concatenated to produce the ticket file name - * (e.g., "/tmp/tkt123"). A pointer to the string containing the ticket - * file name is returned. - */ - -static char krb_ticket_string[MAXPATHLEN] = ""; - -char * -tkt_string(void) -{ - char *env; - - if (krb_ticket_string[0] == '\0') { - if ((env = getenv("KRBTKFILE"))) { - strncpy(krb_ticket_string, env, - sizeof(krb_ticket_string)-1); - krb_ticket_string[sizeof(krb_ticket_string)-1] = '\0'; - } else { - snprintf(krb_ticket_string, sizeof(krb_ticket_string), - "%s%u",TKT_ROOT,(unsigned)getuid()); - } - } - return krb_ticket_string; -} - -/* - * This routine is used to set the name of the file that holds the user's - * cache of server tickets and associated session keys. - * - * The value passed in is copied into local storage. - * - * NOTE: This routine should be called during initialization, before other - * Kerberos routines are called; otherwise tkt_string() above may be called - * and return an undesired ticket file name until this routine is called. - */ - -void -krb_set_tkt_string(const char *val) -{ - - strncpy(krb_ticket_string, val, sizeof(krb_ticket_string)-1); - krb_ticket_string[sizeof(krb_ticket_string)-1] = '\0'; - - return; -} diff --git a/kerberosIV/krb/unparse_name.c b/kerberosIV/krb/unparse_name.c deleted file mode 100644 index 78f3675a775..00000000000 --- a/kerberosIV/krb/unparse_name.c +++ /dev/null 
@@ -1,118 +0,0 @@ -/* $OpenBSD: unparse_name.c,v 1.3 1997/12/09 09:07:09 art Exp $ */ -/* $KTH: unparse_name.c,v 1.7 1997/04/01 08:18:46 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -static void -quote_string(char *quote, char *from, char *to) -{ - while(*from){ - if(strchr(quote, *from)) - *to++ = '\\'; - *to++ = *from++; - } - *to = 0; -} - -/* To be compatible with old functions, we quote differently in each - part of the principal*/ - -char * -krb_unparse_name_r(krb_principal *pr, char *fullname) -{ - quote_string("'@\\", pr->name, fullname); - if(pr->instance[0]){ - strncat(fullname, ".", MAXPATHLEN - strlen(fullname)); - fullname[MAXPATHLEN-1] = '\0'; - quote_string("@\\", pr->instance, fullname + strlen(fullname)); - } - if(pr->realm[0]){ - strncat(fullname, "@", MAXPATHLEN - strlen(fullname)); - fullname[MAXPATHLEN-1] = '\0'; - quote_string("\\", pr->realm, fullname + strlen(fullname)); - } - return fullname; -} - -char * -krb_unparse_name_long_r(char *name, char *instance, char *realm, - char *fullname) -{ - krb_principal pr; - memset(&pr, 0, sizeof(pr)); - strncpy(pr.name, name, ANAME_SZ-1); - pr.name[ANAME_SZ-1] = '\0'; - if(instance != NULL){ - strncpy(pr.instance, instance, INST_SZ-1); - pr.instance[INST_SZ-1] = '\0'; - } - if(realm != NULL){ - strncpy(pr.realm, realm, REALM_SZ-1); - pr.realm[REALM_SZ-1] = '\0'; - } - return krb_unparse_name_r(&pr, fullname); -} - -char * -krb_unparse_name(krb_principal *pr) -{ - static char principal[MAX_K_NAME_SZ]; - krb_unparse_name_r(pr, principal); - return principal; -} - -char * -krb_unparse_name_long(char *name, char *instance, char 
*realm) -{ - krb_principal pr; - memset(&pr, 0, sizeof(pr)); - strncpy(pr.name, name, ANAME_SZ-1); - pr.name[ANAME_SZ-1] = '\0'; - if(instance != NULL){ - strncpy(pr.instance, instance, INST_SZ-1); - pr.instance[INST_SZ-1] = '\0'; - } - if(realm != NULL){ - strncpy(pr.realm, realm, REALM_SZ-1); - pr.realm[REALM_SZ-1] = '\0'; - } - return krb_unparse_name(&pr); -} diff --git a/kerberosIV/krb/util.c b/kerberosIV/krb/util.c deleted file mode 100644 index a7dbaa71a83..00000000000 --- a/kerberosIV/krb/util.c +++ /dev/null 
@@ -1,88 +0,0 @@ -/* $OpenBSD: util.c,v 1.4 1998/02/25 15:51:47 art Exp $ */ -/* $KTH: util.c,v 1.6 1996/10/05 00:18:34 joda Exp $ */ - -/* - * This source code is no longer held under any constraint of USA - * `cryptographic laws' since it was exported legally. The cryptographic - * functions were removed from the code and a "Bones" distribution was - * made. A Commodity Jurisdiction Request #012-94 was filed with the - * USA State Department, who handed it to the Commerce department. The - * code was determined to fall under General License GTDA under ECCN 5D96G, - * and hence exportable. The cryptographic interfaces were re-added by Eric - * Young, and then KTH proceeded to maintain the code in the free world. - * - */ - -/* - * Copyright (C) 1989 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -#include "krb_locl.h" - -/* - * Print some of the contents of the given authenticator structure - * (AUTH_DAT defined in "krb.h"). 
Fields printed are: - * - * pname, pinst, prealm, netaddr, flags, cksum, timestamp, session - */ - -void -ad_print(AUTH_DAT *x) -{ - /* - * Print the contents of an auth_dat struct. - */ - struct in_addr address; - address.s_addr = x->address; - printf("\n%s %s %s %s flags %u cksum 0x%X\n\ttkt_tm 0x%X sess_key", - x->pname, x->pinst, x->prealm, - inet_ntoa(address), x->k_flags, - x->checksum, x->time_sec); - printf("[8] ="); -#ifdef NOENCRYPTION - placebo_cblock_print(x->session); -#else - des_cblock_print_file(&x->session,stdout); -#endif - /* skip reply for now */ -} - -/* - * Print in hex the 8 bytes of the given session key. - * - * Printed format is: " 0x { x, x, x, x, x, x, x, x }" - */ - -#ifdef NOENCRYPTION -placebo_cblock_print(x) - des_cblock x; -{ - unsigned char *y = (unsigned char *) x; - int i = 0; - - printf(" 0x { "); - - while (i++ <8) { - printf("%x",*y++); - if (i<8) printf(", "); - } - printf(" }"); -} -#endif diff --git a/kerberosIV/krb/verify_user.c b/kerberosIV/krb/verify_user.c deleted file mode 100644 index a9f064fa9be..00000000000 --- a/kerberosIV/krb/verify_user.c +++ /dev/null 
@@ -1,139 +0,0 @@ -/* $OpenBSD: verify_user.c,v 1.4 1998/05/18 00:54:03 art Exp $ */ -/* $KTH: verify_user.c,v 1.11 1997/12/24 14:32:38 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "krb_locl.h" - -/* Verify user with password. If secure, also verify against local - * service key, this can (usually) only be done by root. - * - * As a side effect, fresh tickets are obtained. - * - * srvtab is where the key is found. - * - * Returns zero if ok, a positive kerberos error or -1 for system - * errors. - */ - -int -krb_verify_user_srvtab(char *name, - char *instance, - char *realm, - char *password, - int secure, - char *linstance, - char *srvtab) -{ - int ret; - ret = krb_get_pw_in_tkt(name, instance, realm, - KRB_TICKET_GRANTING_TICKET, - realm, - DEFAULT_TKT_LIFE, password); - if(ret != KSUCCESS) - return ret; - - if(secure){ - struct hostent *hp; - int32_t addr; - - KTEXT_ST ticket; - AUTH_DAT auth; - - char lrealm[REALM_SZ]; - char hostname[MAXHOSTNAMELEN]; - char *phost; - - if (gethostname(hostname, sizeof(hostname)) == -1) { - dest_tkt(); - return -1; - } - - hp = gethostbyname(hostname); - if(hp == NULL){ - dest_tkt(); - return -1; - } - memcpy(&addr, hp->h_addr, sizeof(addr)); - - ret = krb_get_lrealm(lrealm, 1); - if(ret != KSUCCESS){ - dest_tkt(); - return ret; - } - phost = krb_get_phost(hostname); - - if (linstance == NULL) - linstance = "rcmd"; - - ret = krb_mk_req(&ticket, linstance, phost, lrealm, 33); - if(ret != KSUCCESS){ - dest_tkt(); - return ret; - } - - ret = krb_rd_req(&ticket, linstance, phost, addr, &auth, srvtab); - if(ret != KSUCCESS){ - dest_tkt(); - return ret; - } - } - 
return 0; -} - -/* - * Compat function without srvtab. - */ - -int -krb_verify_user(char *name, - char *instance, - char *realm, - char *password, - int secure, - char *linstance) -{ - return krb_verify_user_srvtab (name, - instance, - realm, - password, - secure, - linstance, - ""); -} diff --git a/kerberosIV/krb/version.c b/kerberosIV/krb/version.c deleted file mode 100644 index 3c2a7132bc2..00000000000 --- a/kerberosIV/krb/version.c +++ /dev/null @@ -1,5 +0,0 @@ -/* $OpenBSD: version.c,v 1.3 1998/02/18 11:54:06 art Exp $ */ -#include <version.h> - -char *krb4_long_version = "@(#)$Version: "VERSION; -char *krb4_version = VERSION; diff --git a/kerberosIV/ksrvtgt/Makefile b/kerberosIV/ksrvtgt/Makefile deleted file mode 100644 index 28025791f91..00000000000 --- a/kerberosIV/ksrvtgt/Makefile +++ /dev/null @@ -1,10 +0,0 @@ -# from @(#)Makefile 8.1 (Berkeley) 6/1/93 -# $Id: Makefile,v 1.1 1995/12/14 06:52:51 tholo Exp $ - -PROG= ksrvtgt -CFLAGS+=-DKERBEROS -DPADD= ${LIBKRB} ${LIBDES} -LDADD= -lkrb -ldes -BINDIR= /usr/bin - -.include <bsd.prog.mk> diff --git a/kerberosIV/ksrvtgt/ksrvtgt.1 b/kerberosIV/ksrvtgt/ksrvtgt.1 deleted file mode 100644 index 558c501934e..00000000000 --- a/kerberosIV/ksrvtgt/ksrvtgt.1 +++ /dev/null 
@@ -1,73 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. 
-.\" -.\" $OpenBSD: ksrvtgt.1,v 1.4 1998/02/25 15:51:48 art Exp $ -.TH KSRVTGT 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -ksrvtgt \- fetch and store Kerberos ticket-granting-ticket using a -service key -.SH SYNOPSIS -.B ksrvtgt -name instance [[realm] srvtab] -.SH DESCRIPTION -.I ksrvtgt -retrieves a ticket-granting ticket with a lifetime of five (5) minutes -for the principal -.I name.instance@realm -(or -.I name.instance@localrealm -if -.I realm -is not supplied on the command line), decrypts the response using -the service key found in -.I srvtab -(or in -.B /etc/kerberosIV/srvtab -if -.I srvtab -is not specified on the command line), and stores the ticket in the -standard ticket cache. -.PP -This command is intended primarily for use in shell scripts and other -batch-type facilities. -.SH DIAGNOSTICS -"Generic kerberos failure (kfailure)" can indicate a whole range of -problems, the most common of which is the inability to read the service -key file. -.SH FILES -.TP 2i -/etc/kerberosIV/krb.conf -to get the name of the local realm. -.TP -/tmp/tkt[uid] -The default ticket file. -.TP -/etc/kerberosIV/srvtab -The default service key file. -.SH SEE ALSO -kerberos(1), kinit(1), kdestroy(1) diff --git a/kerberosIV/ksrvtgt/ksrvtgt.c b/kerberosIV/ksrvtgt/ksrvtgt.c deleted file mode 100644 index edb2dc715f6..00000000000 --- a/kerberosIV/ksrvtgt/ksrvtgt.c +++ /dev/null 
@@ -1,81 +0,0 @@
-/* $OpenBSD: ksrvtgt.c,v 1.5 1998/02/25 15:51:50 art Exp $ */
-
-/*
- * This source code is no longer held under any constraint of USA
- * `cryptographic laws' since it was exported legally. The cryptographic
- * functions were removed from the code and a "Bones" distribution was
- * made. A Commodity Jurisdiction Request #012-94 was filed with the
- * USA State Department, who handed it to the Commerce department. The
- * code was determined to fall under General License GTDA under ECCN 5D96G,
- * and hence exportable. The cryptographic interfaces were re-added by Eric
- * Young, and then KTH proceeded to maintain the code in the free world.
- */
-
-/*-
- * Copyright (C) 1988 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <sys/param.h>
-#include <des.h>
-#include <kerberosIV/krb.h>
-
-const char rcsid[] =
- "$Id: ksrvtgt.c,v 1.5 1998/02/25 15:51:50 art Exp $";
-
-main(argc,argv)
- int argc;
- char **argv;
-{
- char realm[REALM_SZ + 1];
- register int code;
- char srvtab[MAXPATHLEN + 1];
-
- bzero(realm, sizeof(realm));
- bzero(srvtab, sizeof(srvtab));
-
- if (argc < 3 || argc > 5) {
- fprintf(stderr, "Usage: %s name instance [[realm] srvtab]\n",
- argv[0]);
- exit(1);
- }
-
- if (argc == 4)
- (void) strncpy(srvtab, argv[3], sizeof(srvtab) -1);
-
- if (argc == 5) {
- (void) strncpy(realm, argv[3], sizeof(realm) - 1);
- (void) strncpy(srvtab, argv[4], sizeof(srvtab) -1);
- }
-
- if (srvtab[0] == 0)
- (void) strcpy(srvtab, KEYFILE);
-
- if (realm[0] == 0)
- if (krb_get_lrealm(realm, 1) != KSUCCESS)
- exit(1);
-
- code = krb_get_svc_in_tkt(argv[1], argv[2], realm,
- "krbtgt", realm, 1, srvtab);
- if (code)
- fprintf(stderr, "%s\n", krb_err_txt[code]);
- exit(code);
-}
diff --git a/kerberosIV/ksrvutil/Makefile b/kerberosIV/ksrvutil/Makefile
deleted file mode 100644
index 94dc17c2e2f..00000000000
--- a/kerberosIV/ksrvutil/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# $OpenBSD: Makefile,v 1.5 1997/12/17 07:50:16 art Exp $
-
-.include <bsd.obj.mk>
-
-SRCS= ksrvutil.c ksrvutil_get.c
-PROG= ksrvutil
-.if exists(${.CURDIR}/../kadm/${__objdir})
-CFLAGS+=-I${.CURDIR}/../kadm/${__objdir}
-.else
-CFLAGS+=-I${.CURDIR}/../kadm
-.endif
-.if exists(${.CURDIR}/../krb/${__objdir})
-CFLAGS+=-I${.CURDIR}/../krb/${__objdir}
-.else
-CFLAGS+=-I${.CURDIR}/../krb
-.endif
-LDADD+= -lkadm -lkrb -ldes -lcom_err
-DPADD+= ${LIBKADM} ${LIBKRB} ${LIBDES} ${LIBCOM_ERR}
-MAN= ksrvutil.8
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/ksrvutil/ksrvutil.8 b/kerberosIV/ksrvutil/ksrvutil.8
deleted file mode 100644
index 65227821d84..00000000000
--- a/kerberosIV/ksrvutil/ksrvutil.8
+++ /dev/null
@@ -1,124 +0,0 @@
-.\"
-.\" This source code is no longer held under any constraint of USA
-.\" `cryptographic laws' since it was exported legally. The cryptographic
-.\" functions were removed from the code and a "Bones" distribution was
-.\" made. A Commodity Jurisdiction Request #012-94 was filed with the
-.\" USA State Department, who handed it to the Commerce department. The
-.\" code was determined to fall under General License GTDA under ECCN 5D96G,
-.\" and hence exportable. The cryptographic interfaces were re-added by Eric
-.\" Young, and then KTH proceeded to maintain the code in the free world.
-.\"
-.\"Copyright (C) 1989 by the Massachusetts Institute of Technology
-.\"
-.\"Export of this software from the United States of America is assumed
-.\"to require a specific license from the United States Government.
-.\"It is the responsibility of any person or organization contemplating
-.\"export to obtain such a license before exporting.
-.\"
-.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\"distribute this software and its documentation for any purpose and
-.\"without fee is hereby granted, provided that the above copyright
-.\"notice appear in all copies and that both that copyright notice and
-.\"this permission notice appear in supporting documentation, and that
-.\"the name of M.I.T. not be used in advertising or publicity pertaining
-.\"to distribution of the software without specific, written prior
-.\"permission. M.I.T. makes no representations about the suitability of
-.\"this software for any purpose. It is provided "as is" without express
-.\"or implied warranty.
-.\"
-.\" $OpenBSD: ksrvutil.8,v 1.5 1998/02/25 15:51:51 art Exp $
-.TH KSRVUTIL 8 "Kerberos Version 4.0" "MIT Project Athena"
-.SH NAME
-ksrvutil \- host kerberos keyfile (srvtab) manipulation utility
-.SH SYNOPSIS
-ksrvutil
-.B operation
-[
-.B \-k
-] [
-.B \-i
-] [
-.B \-a
-] [
-.B \-f filename
-]
-.SH DESCRIPTION
-.I ksrvutil
-allows a system manager to list or change keys currently in his
-keyfile or to add new keys to the keyfile.
-.PP
-
-Operation must be one of the following:
-.TP 10n
-.I list
-lists the keys in a keyfile showing version number and principal
-name. If the \-k option is given, keys will also be shown.
-.TP 10n
-.I change
-changes all the keys in the keyfile by using the regular admin
-protocol. If the \-i flag is given,
-.I ksrvutil
-will prompt for yes or no before changing each key. If the \-k
-option is used, the old and new keys will be displayed.
-.TP 10n
-.I add
-allows the user to add a key.
-.I add
-prompts for name, instance, realm, and key version number, asks
-for confirmation, and then asks for a password.
-.I ksrvutil
-then converts the password to a key and appends the keyfile with
-the new information. If the \-k option is used, the key is
-displayed.
-
-.PP
-In all cases, the default file used is KEY_FILE as defined in
-krb.h unless this is overridden by the \-f option.
-
-.PP
-A good use for
-.I ksrvutil
-would be for adding keys to a keyfile. A system manager could
-ask a kerberos administrator to create a new service key with
-.IR kadmin (8)
-and could supply an initial password. Then, he could use
-.I ksrvutil
-to add the key to the keyfile and then to change the key so that
-it will be random and unknown to either the system manager or
-the kerberos administrator.
-
-.PP
-If the \-a option is given,
-.I ksrvutil
-uses the AFS string-to-key function. Use this if you are running
-an AFS kaserver.
-
-.PP
-.I ksrvutil
-always makes a backup copy of the keyfile before making any
-changes.
-
-.SH DIAGNOSTICS
-If
-.I ksrvutil
-should exit on an error condition at any time during a change or
-add, a copy of the
-original keyfile can be found in
-.IR filename .old
-where
-.I filename
-is the name of the keyfile, and a copy of the file with all new
-keys changed or added so far can be found in
-.IR filename .work.
-The original keyfile is left unmodified until the program exits
-at which point it is removed and replaced it with the workfile.
-Appending the workfile to the backup copy and replacing the
-keyfile with the result should always give a usable keyfile,
-although the resulting keyfile will have some out of date keys
-in it.
-
-.SH SEE ALSO
-kadmin(8), ksrvtgt(1)
-
-.SH AUTHOR
-Emanuel Jay Berkenbilt, MIT Project Athena
diff --git a/kerberosIV/ksrvutil/ksrvutil.c b/kerberosIV/ksrvutil/ksrvutil.c
deleted file mode 100644
index 5fd37b25fb8..00000000000
--- a/kerberosIV/ksrvutil/ksrvutil.c
+++ /dev/null
@@ -1,612 +0,0 @@
-/* $OpenBSD: ksrvutil.c,v 1.6 1999/05/23 17:19:24 aaron Exp $ */
-/* $KTH: ksrvutil.c,v 1.39 1997/05/02 14:28:52 assar Exp $ */
-
-/*
- * Copyright (C) 1989 by the Massachusetts Institute of Technology
- *
- * Export of this software from the United States of America is assumed
- * to require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * list and update contents of srvtab files
- */
-
-/*
- * ksrvutil
- * list and update the contents of srvtab files
- */
-
-#include "kadm_locl.h"
-
-#include "ksrvutil.h"
-
-#ifdef NOENCRYPTION
-#define read_long_pw_string placebo_read_pw_string
-#else /* NOENCRYPTION */
-#define read_long_pw_string des_read_pw_string
-#endif /* NOENCRYPTION */
-
-#define SRVTAB_MODE 0600 /* rw------- */
-#define PAD " "
-#define VNO_HEADER "Version"
-#define VNO_FORMAT "%4d "
-#define KEY_HEADER " Key " /* 17 characters long */
-#define PRINC_HEADER " Principal\n"
-#define PRINC_FORMAT "%s"
-
-char u_name[ANAME_SZ];
-char u_inst[INST_SZ];
-char u_realm[REALM_SZ];
-
-char progname[] = "ksrvutil";
-
-int destroyp = FALSE; /* Should the ticket file be destroyed?
*/ - -static unsigned short -get_mode(char *filename) -{ - struct stat statbuf; - unsigned short mode; - - memset(&statbuf, 0, sizeof(statbuf)); - - if (stat(filename, &statbuf) < 0) - mode = SRVTAB_MODE; - else - mode = statbuf.st_mode; - - return(mode); -} - -static void -copy_keyfile(char *keyfile, char *backup_keyfile) -{ - int keyfile_fd; - int backup_keyfile_fd; - int keyfile_mode; - char buf[BUFSIZ]; /* for copying keyfiles */ - int rcount; /* for copying keyfiles */ - int try_again; - - memset(buf, 0, sizeof(buf)); - - do { - try_again = FALSE; - if ((keyfile_fd = open(keyfile, O_RDONLY, 0)) < 0) { - if (errno != ENOENT) - err (1, "read %s", keyfile); - else { - try_again = TRUE; - if ((keyfile_fd = - open(keyfile, - O_WRONLY | O_TRUNC | O_CREAT, SRVTAB_MODE)) < 0) - err(1, "create %s", keyfile); - else - if (close(keyfile_fd) < 0) - err (1, "close %s", keyfile); - } - } - } while(try_again); - - keyfile_mode = get_mode(keyfile); - - if ((backup_keyfile_fd = - open(backup_keyfile, O_WRONLY | O_TRUNC | O_CREAT, - keyfile_mode)) < 0) - err (1, "write %s", backup_keyfile); - do { - if ((rcount = read(keyfile_fd, buf, sizeof(buf))) < 0) - err (1, "read %s", keyfile); - if (rcount && (write(backup_keyfile_fd, buf, rcount) != rcount)) - err (1, "write %s", backup_keyfile); - } while (rcount); - if (close(backup_keyfile_fd) < 0) - err(1, "close %s", backup_keyfile); - if (close(keyfile_fd) < 0) - err(1, "close %s", keyfile); -} - -void -leave(char *str, int x) -{ - if (str) - fprintf(stderr, "%s\n", str); - if (destroyp) - dest_tkt(); - exit(x); -} - -void -safe_read_stdin(char *prompt, char *buf, size_t size) -{ - printf("%s", prompt); - fflush(stdout); - memset(buf, 0, size); - if (read(0, buf, size - 1) < 0) { - warn("read stdin"); - leave(NULL, 1); - } - buf[strlen(buf)-1] = 0; -} - -void -safe_write(char *filename, int fd, void *buf, size_t len) -{ - if (write(fd, buf, len) != len) { - warn("write %s", filename); - close(fd); - leave("In progress srvtab in 
this file.", 1); - } -} - -static int -yes_no(char *string, int dflt) -{ - char ynbuf[5]; - - printf("%s (y,n) [%c]", string, dflt?'y':'n'); - for (;;) { - safe_read_stdin("", ynbuf, sizeof(ynbuf)); - - if ((ynbuf[0] == 'n') || (ynbuf[0] == 'N')) - return(0); - else if ((ynbuf[0] == 'y') || (ynbuf[0] == 'Y')) - return(1); - else if(ynbuf[0] == 0) - return dflt; - else { - printf("Please enter 'y' or 'n': "); - fflush(stdout); - } - } -} - -int yn(char *string) -{ - return yes_no(string, 1); -} - -int ny(char *string) -{ - return yes_no(string, 0); -} - -static void -append_srvtab(char *filename, int fd, char *sname, char *sinst, char *srealm, unsigned char key_vno, unsigned char *key) -{ - /* Add one to append null */ - safe_write(filename, fd, sname, strlen(sname) + 1); - safe_write(filename, fd, sinst, strlen(sinst) + 1); - safe_write(filename, fd, srealm, strlen(srealm) + 1); - safe_write(filename, fd, &key_vno, 1); - safe_write(filename, fd, key, sizeof(des_cblock)); - fsync(fd); -} - -static void -print_key(unsigned char *key) -{ - int i; - - for (i = 0; i < 4; i++) - printf("%02x", key[i]); - printf(" "); - for (i = 4; i < 8; i++) - printf("%02x", key[i]); -} - -static void -print_name(char *name, char *inst, char *realm) -{ - printf("%s", krb_unparse_name_long(name, inst, realm)); -} - -static int -get_svc_new_key(des_cblock *new_key, char *sname, char *sinst, - char *srealm, char *keyfile) -{ - int status = KADM_SUCCESS; - - if (((status = krb_get_svc_in_tkt(sname, sinst, srealm, PWSERV_NAME, - KADM_SINST, 1, keyfile)) == KSUCCESS) && - ((status = kadm_init_link(PWSERV_NAME, KRB_MASTER, srealm)) == - KADM_SUCCESS)) { -#ifdef NOENCRYPTION - memset(new_key, 0, sizeof(des_cblock)); - (*new_key)[0] = (unsigned char) 1; -#else /* NOENCRYPTION */ - des_new_random_key(new_key); -#endif /* NOENCRYPTION */ - return(KADM_SUCCESS); - } - - return(status); -} - -static void -get_key_from_password(des_cblock (*key), char *cellname) -{ - char password[MAX_KPW_LEN]; /* 
storage for the password */
-
- if (read_long_pw_string(password, sizeof(password)-1, "Password: ", 1))
- leave("Error reading password.", 1);
-
-#ifdef NOENCRYPTION
- memset(key, 0, sizeof(des_cblock));
- (*key)[0] = (unsigned char) 1;
-#else /* NOENCRYPTION */
- if (strlen(cellname) == 0)
- des_string_to_key(password, key);
- else
- afs_string_to_key(password, cellname, key);
-#endif /* NOENCRYPTION */
- memset(password, 0, sizeof(password));
-}
-
-static void
-usage(void)
-{
- fprintf(stderr, "Usage: ksrvutil [-f keyfile] [-i] [-k] ");
- fprintf(stderr, "[-p principal] [-r realm] ");
- fprintf(stderr, "[-c AFS cellname] ");
- fprintf(stderr, "{list | change | add | get}\n");
- fprintf(stderr, " -i causes the program to ask for ");
- fprintf(stderr, "confirmation before changing keys.\n");
- fprintf(stderr, " -k causes the key to printed for list or ");
- fprintf(stderr, "change.\n");
- exit(1);
-}
-
-int
-main(int argc, char **argv)
-{
- char sname[ANAME_SZ]; /* name of service */
- char sinst[INST_SZ]; /* instance of service */
- char srealm[REALM_SZ]; /* realm of service */
- unsigned char key_vno; /* key version number */
- int status; /* general purpose error status */
- des_cblock new_key;
- des_cblock old_key;
- char change_tkt[MAXPATHLEN]; /* Ticket to use for key change */
- char keyfile[MAXPATHLEN]; /* Original keyfile */
- char work_keyfile[MAXPATHLEN]; /* Working copy of keyfile */
- char backup_keyfile[MAXPATHLEN]; /* Backup copy of keyfile */
- unsigned short keyfile_mode; /* Protections on keyfile */
- int work_keyfile_fd = -1; /* Initialize so that */
- int backup_keyfile_fd = -1; /* compiler doesn't complain */
- char local_realm[REALM_SZ]; /* local kerberos realm */
- char cellname[1024]; /* AFS cell name */
- int c;
- int interactive = FALSE;
- int list = FALSE;
- int change = FALSE;
- int add = FALSE;
- int get = FALSE;
- int key = FALSE; /* do we show keys?
*/ - int arg_entered = FALSE; - int change_this_key = FALSE; - char databuf[BUFSIZ]; - int first_printed = FALSE; /* have we printed the first item? */ - - memset(sname, 0, sizeof(sname)); - memset(sinst, 0, sizeof(sinst)); - memset(srealm, 0, sizeof(srealm)); - - memset(change_tkt, 0, sizeof(change_tkt)); - memset(keyfile, 0, sizeof(keyfile)); - memset(work_keyfile, 0, sizeof(work_keyfile)); - memset(backup_keyfile, 0, sizeof(backup_keyfile)); - memset(local_realm, 0, sizeof(local_realm)); - memset(cellname, 0, sizeof(cellname)); - - if (krb_get_default_principal(u_name, u_inst, u_realm) < 0) - errx (1, "could not get default principal"); - - /* This is used only as a default for adding keys */ - if (krb_get_lrealm(local_realm, 1) != KSUCCESS) { - strncpy(local_realm, KRB_REALM, REALM_SZ - 1); - local_realm[REALM_SZ - 1] = '\0'; - } - - while((c = getopt(argc, argv, "ikc:f:p:r:")) != -1) { - switch (c) { - case 'i': - interactive++; - break; - case 'k': - key++; - break; - case 'c': - strcpy(cellname, optarg); - break; - case 'f': - strcpy(keyfile, optarg); - break; - case 'p': - if((status = kname_parse (u_name, u_inst, u_realm, optarg)) != - KSUCCESS) - errx (1, "principal %s: %s", optarg, - krb_get_err_text(status)); - break; - case 'r': - strcpy(u_realm, optarg); - break; - case '?': - usage(); - } - } - if (optind >= argc) - usage(); - if (*u_realm == '\0') - strcpy (u_realm, local_realm); - if (strcmp(argv[optind], "list") == 0) { - if (arg_entered) - usage(); - else { - arg_entered++; - list++; - } - } - else if (strcmp(argv[optind], "change") == 0) { - if (arg_entered) - usage(); - else { - arg_entered++; - change++; - } - } - else if (strcmp(argv[optind], "add") == 0) { - if (arg_entered) - usage(); - else { - arg_entered++; - add++; - } - } - else if (strcmp(argv[optind], "get") == 0) { - if (arg_entered) - usage(); - else { - arg_entered++; - get++; - } - } - else - usage(); - ++optind; - - if (!arg_entered) - usage(); - - if (!keyfile[0]) - 
strcpy(keyfile, KEYFILE); - - strcpy(work_keyfile, keyfile); - strcpy(backup_keyfile, keyfile); - - if (change || add || get) { - strcat(work_keyfile, ".work"); - strcat(backup_keyfile, ".old"); - - copy_keyfile(keyfile, backup_keyfile); - } - - if (add || get) - copy_keyfile(backup_keyfile, work_keyfile); - - keyfile_mode = get_mode(keyfile); - - if (change || list) - if ((backup_keyfile_fd = open(backup_keyfile, O_RDONLY, 0)) < 0) - err (1, "open %s", backup_keyfile); - - if (change) { - if ((work_keyfile_fd = - open(work_keyfile, O_WRONLY | O_CREAT | O_TRUNC, - SRVTAB_MODE)) < 0) - err (1, "creat %s", work_keyfile); - } - else if (add) { - if ((work_keyfile_fd = - open(work_keyfile, O_APPEND | O_WRONLY, SRVTAB_MODE)) < 0) - err (1, "open with append %s", work_keyfile ); - } - else if (get) { - if ((work_keyfile_fd = - open(work_keyfile, O_RDWR | O_CREAT, SRVTAB_MODE)) < 0) - err (1, "open for writing %s", work_keyfile); - } - - if (change || list) { - while ((getst(backup_keyfile_fd, sname, SNAME_SZ) > 0) && - (getst(backup_keyfile_fd, sinst, INST_SZ) > 0) && - (getst(backup_keyfile_fd, srealm, REALM_SZ) > 0) && - (read(backup_keyfile_fd, &key_vno, 1) > 0) && - (read(backup_keyfile_fd, old_key, sizeof(old_key)) > 0)) { - if (list) { - if (!first_printed) { - printf(VNO_HEADER); - printf(PAD); - if (key) { - printf(KEY_HEADER); - printf(PAD); - } - printf(PRINC_HEADER); - first_printed = 1; - } - printf(VNO_FORMAT, key_vno); - printf(PAD); - if (key) { - print_key(old_key); - printf(PAD); - } - print_name(sname, sinst, srealm); - printf("\n"); - } - else if (change) { - snprintf(change_tkt, sizeof(change_tkt), - TKT_ROOT "_ksrvutil.%u", - (unsigned)getpid()); - krb_set_tkt_string(change_tkt); - destroyp = TRUE; - - printf("\nPrincipal: "); - print_name(sname, sinst, srealm); - printf("; version %d\n", key_vno); - if (interactive) - change_this_key = yn("Change this key?"); - else if (change) - change_this_key = 1; - else - change_this_key = 0; - - if 
(change_this_key) - printf("Changing to version %d.\n", key_vno + 1); - else if (change) - printf("Not changing this key.\n"); - - if (change_this_key) { - /* - * This is not a good choice of seed when/if the - * key has been compromised so we also use a - * random sequence number! - */ - des_init_random_number_generator(&old_key); -#if 0 /* kth-krb has own addidtions to libdes */ - { - des_cblock seqnum; - des_generate_random_block(&seqnum); - des_set_sequence_number((unsigned char *)&seqnum); - } -#endif - /* - * Pick a new key and determine whether or not - * it is safe to change - */ - if ((status = - get_svc_new_key(&new_key, sname, sinst, - srealm, keyfile)) == KADM_SUCCESS) - key_vno++; - else { - memcpy(new_key, old_key, sizeof(new_key)); - warnx ("Key NOT changed: %s\n", - krb_get_err_text(status)); - change_this_key = FALSE; - } - } - else - memcpy(new_key, old_key, sizeof(new_key)); - append_srvtab(work_keyfile, work_keyfile_fd, - sname, sinst, srealm, key_vno, new_key); - if (key && change_this_key) { - printf("Old key: "); - print_key(old_key); - printf("; new key: "); - print_key(new_key); - printf("\n"); - } - if (change_this_key) { - if ((status = kadm_change_pw(new_key)) == KADM_SUCCESS) { - printf("Key changed.\n"); - dest_tkt(); - } - else { - com_err(progname, status, - " attempting to change password."); - dest_tkt(); - /* XXX This knows the format of a keyfile */ - if (lseek(work_keyfile_fd, -9, SEEK_CUR) >= 0) { - key_vno--; - safe_write(work_keyfile, - work_keyfile_fd, &key_vno, 1); - safe_write(work_keyfile, work_keyfile_fd, - old_key, sizeof(des_cblock)); - fsync(work_keyfile_fd); - fprintf(stderr,"Key NOT changed.\n"); - } else { - warn ("Unable to revert keyfile"); - leave("", 1); - } - } - } - } - memset(old_key, 0, sizeof(des_cblock)); - memset(new_key, 0, sizeof(des_cblock)); - } - } - else if (add) { - do { - do { - safe_read_stdin("Name: ", databuf, sizeof(databuf)); - strncpy(sname, databuf, sizeof(sname) - 1); - 
sname[sizeof(sname) - 1] = '\0'; - if (strchr(sname, '.') != 0) { - strncpy(sinst, strchr(sname, '.') + 1, sizeof(sinst) - 1); - sinst[sizeof(sinst) - 1] = '\0'; - *(strchr(sname, '.')) = 0; - } else { - safe_read_stdin("Instance: ", databuf, sizeof(databuf)); - strncpy(sinst, databuf, sizeof(sinst) - 1); - sinst[sizeof(sinst) - 1] = '\0'; - } - safe_read_stdin("Realm: ", databuf, sizeof(databuf)); - strncpy(srealm, databuf, sizeof(srealm) - 1); - srealm[sizeof(srealm) - 1] = '\0'; - safe_read_stdin("Version number: ", databuf, sizeof(databuf)); - key_vno = atoi(databuf); - if (key_vno == 0) - key_vno = 1; /* Version numbers are never 0 */ - if (!srealm[0]) { - strncpy(srealm, local_realm, sizeof(srealm) - 1); - srealm[sizeof(srealm) - 1] = '\0'; - } - printf("New principal: "); - print_name(sname, sinst, srealm); - printf("; version %d\n", key_vno); - } while (!yn("Is this correct?")); - get_key_from_password(&new_key, cellname); - if (key) { - printf("Key: "); - print_key(new_key); - printf("\n"); - } - append_srvtab(work_keyfile, work_keyfile_fd, - sname, sinst, srealm, key_vno, new_key); - printf("Key successfully added.\n"); - } while (yn("Would you like to add another key?")); - } - else if (get) { - ksrvutil_get(work_keyfile_fd, work_keyfile, - argc - optind, argv + optind); - } - - if (change || list) - if (close(backup_keyfile_fd) < 0) - warn ("close %s", backup_keyfile); - - if (change || add || get) { - if (close(work_keyfile_fd) < 0) - err (1, "close %s", work_keyfile); - if (rename(work_keyfile, keyfile) < 0) - err (1, "rename(%s, %s)", work_keyfile, keyfile); - chmod(backup_keyfile, keyfile_mode); - chmod(keyfile, keyfile_mode); - printf("Old keyfile in %s.\n", backup_keyfile); - } - return 0; -} diff --git a/kerberosIV/ksrvutil/ksrvutil_get.c b/kerberosIV/ksrvutil/ksrvutil_get.c deleted file mode 100644 index b199e713077..00000000000 --- a/kerberosIV/ksrvutil/ksrvutil_get.c +++ /dev/null 
@@ -1,429 +0,0 @@ -/* $OpenBSD: ksrvutil_get.c,v 1.1 1997/12/17 07:50:17 art Exp $ */ -/* $KTH: ksrvutil_get.c,v 1.35 1997/12/05 04:27:02 assar Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "kadm_locl.h" -#include "ksrvutil.h" - -#define BAD_PW 1 -#define GOOD_PW 0 -#define FUDGE_VALUE 15 /* for ticket expiration time */ -#define PE_NO 0 -#define PE_YES 1 -#define PE_UNSURE 2 - -static char tktstring[128]; - -static int -princ_exists(char *name, char *instance, char *realm) -{ - int status; - - status = krb_get_pw_in_tkt(name, instance, realm, - KRB_TICKET_GRANTING_TICKET, - realm, 1, ""); - - if ((status == KSUCCESS) || (status == INTK_BADPW)) - return(PE_YES); - else if (status == KDC_PR_UNKNOWN) - return(PE_NO); - else - return(PE_UNSURE); -} - -static int -get_admin_password(char *myname, char *myinst, char *myrealm) -{ - int status; - char admin_passwd[MAX_KPW_LEN]; /* Admin's password */ - int ticket_life = 1; /* minimum ticket lifetime */ - char buf[1024]; - CREDENTIALS c; - - if (princ_exists(myname, myinst, myrealm) != PE_NO) { - snprintf(buf, sizeof(buf), "Password for %s: ", - krb_unparse_name_long (myname, myinst, myrealm)); - if (des_read_pw_string(admin_passwd, sizeof(admin_passwd)-1, - buf, 0)) { - fprintf(stderr, "Error reading admin password.\n"); - goto bad; - } - status = krb_get_pw_in_tkt(myname, myinst, myrealm, PWSERV_NAME, - KADM_SINST, ticket_life, admin_passwd); - memset(admin_passwd, 0, sizeof(admin_passwd)); - - /* Initialize non shared random sequence from session key. 
*/ - memset(&c, 0, sizeof(c)); - krb_get_cred(PWSERV_NAME, KADM_SINST, myrealm, &c); - des_init_random_number_generator(&c.session); - } - else - status = KDC_PR_UNKNOWN; - - switch(status) { - case GT_PW_OK: - return(GOOD_PW); - case KDC_PR_UNKNOWN: - printf("Principal %s does not exist.\n", - krb_unparse_name_long(myname, myinst, myrealm)); - goto bad; - case GT_PW_BADPW: - printf("Incorrect admin password.\n"); - goto bad; - default: - com_err("kadmin", status+krb_err_base, - "while getting password tickets"); - goto bad; - } - -bad: - memset(admin_passwd, 0, sizeof(admin_passwd)); - dest_tkt(); - return(BAD_PW); -} - -static void -srvtab_put_key (int fd, char *filename, char *name, char *inst, char *realm, - int8_t kvno, des_cblock key) -{ - char sname[ANAME_SZ]; /* name of service */ - char sinst[INST_SZ]; /* instance of service */ - char srealm[REALM_SZ]; /* realm of service */ - int8_t skvno; - des_cblock skey; - - lseek(fd, 0, SEEK_SET); - - while(getst(fd, sname, SNAME_SZ) > 0 && - getst(fd, sinst, INST_SZ) > 0 && - getst(fd, srealm, REALM_SZ) > 0 && - read(fd, &skvno, sizeof(skvno)) > 0 && - read(fd, skey, sizeof(skey)) > 0) { - if(strcmp(name, sname) == 0 && - strcmp(inst, sinst) == 0 && - strcmp(realm, srealm) == 0) { - lseek(fd, lseek(fd,0,SEEK_CUR)-(sizeof(skvno) + sizeof(skey)), SEEK_SET); - safe_write(filename, fd, &kvno, sizeof(kvno)); - safe_write(filename, fd, key, sizeof(des_cblock)); - return; - } - } - safe_write(filename, fd, name, strlen(name) + 1); - safe_write(filename, fd, inst, strlen(inst) + 1); - safe_write(filename, fd, realm, strlen(realm) + 1); - safe_write(filename, fd, &kvno, sizeof(kvno)); - safe_write(filename, fd, key, sizeof(des_cblock)); -} - -/* - * node list of services - */ - -struct srv_ent{ - char name[SNAME_SZ]; - char inst[INST_SZ]; - char realm[REALM_SZ]; - struct srv_ent *next; -}; - -static int -key_to_key(char *user, char *instance, char *realm, void *arg, - des_cblock *key) -{ - memcpy(key, arg, 
sizeof(des_cblock)); - return 0; -} - -static void -get_srvtab_ent(int fd, char *filename, char *name, char *inst, char *realm) -{ - char chname[128]; - des_cblock newkey; - char old_tktfile[MAXPATHLEN], new_tktfile[MAXPATHLEN]; - char garbage_name[ANAME_SZ]; - char garbage_inst[ANAME_SZ]; - CREDENTIALS c; - u_int8_t kvno; - Kadm_vals values; - int ret; - - strncpy(chname, krb_get_phost(inst), sizeof(chname) - 1); - chname[sizeof(chname) - 1] = '\0'; - if(strcmp(inst, chname)) - fprintf(stderr, - "Warning: Are you sure `%s' should not be `%s'?\n", - inst, chname); - - memset(&values, 0, sizeof(values)); - strncpy(values.name, name, ANAME_SZ - 1); - values.name[ANAME_SZ - 1] = '\0'; - strncpy(values.instance, inst, INST_SZ - 1); - values.instance[INST_SZ - 1] = '\0'; - des_new_random_key(&newkey); - values.key_low = (newkey[0] << 24) | (newkey[1] << 16) - | (newkey[2] << 8) | (newkey[3] << 0); - values.key_high = (newkey[4] << 24) | (newkey[5] << 16) - | (newkey[6] << 8) | (newkey[7] << 0); - - SET_FIELD(KADM_NAME,values.fields); - SET_FIELD(KADM_INST,values.fields); - SET_FIELD(KADM_DESKEY,values.fields); - - ret = kadm_mod(&values, &values); - if(ret == KADM_NOENTRY) - ret = kadm_add(&values); - if (ret != KSUCCESS) { - warnx ("Couldn't get srvtab entry for %s.%s: %s", - name, inst, error_message(ret)); - return; - } - - values.key_low = values.key_high = 0; - - /* get the key version number */ - - { - int old = krb_use_admin_server(1); - strncpy(old_tktfile, tkt_string(), sizeof(old_tktfile) - 1); - old_tktfile[sizeof(old_tktfile) - 1] = '\0'; - snprintf(new_tktfile, sizeof(new_tktfile), - TKT_ROOT "_ksrvutil-get.%u", - (unsigned)getpid()); - krb_set_tkt_string(new_tktfile); - - ret = krb_get_in_tkt(name, inst, realm, name, inst, - 1, key_to_key, NULL, &newkey); - krb_use_admin_server(old); - } - - if (ret == KSUCCESS && - (ret = tf_init(tkt_string(), R_TKT_FIL)) == KSUCCESS && - (ret = tf_get_pname(garbage_name)) == KSUCCESS && - (ret = 
tf_get_pinst(garbage_inst)) == KSUCCESS && - (ret = tf_get_cred(&c)) == KSUCCESS) - kvno = c.kvno; - else { - warnx ("Could not find the cred in the ticket file"); - return; - } - - tf_close(); - krb_set_tkt_string(old_tktfile); - unlink(new_tktfile); - - if(ret != KSUCCESS) { - memset(&newkey, 0, sizeof(newkey)); - warnx ("Could not get a ticket for %s: %s\n", - krb_unparse_name_long(name, inst, realm), - krb_get_err_text(ret)); - return; - } - - /* Write the new key & c:o to the srvtab file */ - - srvtab_put_key (fd, filename, name, inst, realm, kvno, newkey); - memset(&newkey, 0, sizeof(newkey)); - - fprintf (stderr, "Added %s\n", krb_unparse_name_long (name, inst, realm)); -} - -static void -ksrvutil_kadm(int fd, char *filename, struct srv_ent *p) -{ - int ret; - CREDENTIALS c; - - ret = kadm_init_link(PWSERV_NAME, KADM_SINST, u_realm); - if (ret != KADM_SUCCESS) { - warnx("Couldn't initialize kadmin link: %s", error_message(ret)); - leave(NULL, 1); - } - - ret = krb_get_cred (PWSERV_NAME, KADM_SINST, u_realm, &c); - if (ret == KSUCCESS) - des_init_random_number_generator (&c.session); - else { - umask(077); - - /* - * create ticket file and get admin tickets - */ - snprintf(tktstring, sizeof(tktstring), TKT_ROOT "_ksrvutil_%d", (int)getpid()); - krb_set_tkt_string(tktstring); - destroyp = TRUE; - - ret = get_admin_password(u_name, u_inst, u_realm); - if (ret) { - warnx("Couldn't get admin password."); - leave(NULL, 1); - } - } - for(;p;){ - get_srvtab_ent(fd, filename, p->name, p->inst, p->realm); - p=p->next; - } - unlink(tktstring); -} - -static void -parseinput (char *result, size_t sz, char *val, char *def) -{ - char *lim; - int inq; - - if (val[0] == '\0') { - strncpy (result, def, sz-1); - result[sz - 1] = '\0'; - return; - } - lim = result + sz - 1; - inq = 0; - while(*val && result < lim) { - switch(*val) { - case '\'' : - inq = !inq; - ++val; - break; - case '\\' : - if(!inq) - val++; - default: - *result++ = *val++; - break; - } - } - *result = '\0'; 
-} - -void -ksrvutil_get(int fd, char *filename, int argc, char **argv) -{ - char sname[ANAME_SZ]; /* name of service */ - char sinst[INST_SZ]; /* instance of service */ - char srealm[REALM_SZ]; /* realm of service */ - char databuf[BUFSIZ]; - char local_hostname[MAXHOSTNAMELEN]; - char prompt[100]; - struct srv_ent *head=NULL; - int i; - - gethostname(local_hostname, sizeof(local_hostname)); - strncpy(local_hostname, - krb_get_phost(local_hostname), - sizeof(local_hostname) - 1); - local_hostname[sizeof(local_hostname) - 1] = '\0'; - - if (argc) - for(i=0; i < argc; ++i) { - struct srv_ent *p=malloc(sizeof(*p)); - - if(p == NULL) { - warnx ("out of memory in malloc"); - leave(NULL,1); - } - p->next = head; - strncpy (p->realm, u_realm, REALM_SZ - 1); - p->realm[REALM_SZ - 1] = '\0'; - if (kname_parse (p->name, p->inst, p->realm, argv[i]) != - KSUCCESS) { - warnx ("parse error on '%s'\n", argv[i]); - free(p); - p = NULL; - continue; - } - if (p->name[0] == '\0') { - strncpy(p->name, "rcmd", ANAME_SZ - 1); - p->name[ANAME_SZ - 1] = '\0'; - } - if (p->inst[0] == '\0') { - strncpy(p->inst, local_hostname, INST_SZ - 1); - p->inst[INST_SZ - 1] = '\0'; - } - if (p->realm[0] == '\0') { - strncpy(p->realm, u_realm, REALM_SZ - 1); - p->realm[REALM_SZ - 1] = '\0'; - } - head = p; - } - - else - do{ - safe_read_stdin("Name [rcmd]: ", databuf, sizeof(databuf)); - parseinput (sname, sizeof(sname), databuf, "rcmd"); - - snprintf(prompt, sizeof(prompt), "Instance [%s]: ", local_hostname); - safe_read_stdin(prompt, databuf, sizeof(databuf)); - parseinput (sinst, sizeof(sinst), databuf, local_hostname); - - snprintf(prompt, sizeof(prompt), "Realm [%s]: ", u_realm); - safe_read_stdin(prompt, databuf, sizeof(databuf)); - parseinput (srealm, sizeof(srealm), databuf, u_realm); - - if(yn("Is this correct?")){ - struct srv_ent *p=(struct srv_ent*)malloc(sizeof(struct srv_ent)); - if (p == NULL) { - warnx ("out of memory in malloc"); - leave(NULL,1); - } - p->next=head; - head=p; - 
strncpy(p->name, sname, ANAME_SZ - 1);
- p->name[ANAME_SZ - 1] = '\0';
- strncpy(p->inst, sinst, INST_SZ - 1);
- p->inst[INST_SZ - 1] = '\0';
- strncpy(p->realm, srealm, REALM_SZ - 1);
- p->realm[REALM_SZ - 1] = '\0';
- }
- }while(ny("Add more keys?"));
-
-
- ksrvutil_kadm(fd, filename, head);
-
- {
- struct srv_ent *p=head, *q;
- while(p){
- q=p;
- p=p->next;
- free(q);
- q = NULL;
- }
- }
-
-}
diff --git a/kerberosIV/kstash/Makefile b/kerberosIV/kstash/Makefile
deleted file mode 100644
index da8233be4bc..00000000000
--- a/kerberosIV/kstash/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# from @(#)Makefile 8.1 (Berkeley) 6/1/93
-# $Id: Makefile,v 1.1 1995/12/14 06:52:41 tholo Exp $
-
-PROG= kstash
-DPADD= ${LIBKDB} ${LIBKRB} ${LIBDES}
-LDADD= -lkdb -lkrb -ldes
-MAN= kstash.8
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/kstash/kstash.8 b/kerberosIV/kstash/kstash.8
deleted file mode 100644
index 8d9c7b4f61c..00000000000
--- a/kerberosIV/kstash/kstash.8
+++ /dev/null
@@ -1,63 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. -.\" -.\" $OpenBSD: kstash.8,v 1.4 1998/02/25 15:51:53 art Exp $ -.TH KSTASH 8 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kstash \- stash Kerberos key distribution center database master key -.SH SYNOPSIS -kstash -.SH DESCRIPTION -.I kstash -saves the Kerberos key distribution center (KDC) database master key in -the master key cache file. 
-.PP -The user is prompted to enter the key, to verify the authenticity of the -key and the authorization to store the key in the file. -.SH DIAGNOSTICS -.TP 20n -"verify_master_key: Invalid master key, does not match database." -The master key string entered was incorrect. -.TP -"kstash: Unable to open master key file" -The attempt to open the cache file for writing failed (probably due to a -system or access permission error). -.TP -"kstash: Write I/O error on master key file" -The -.BR write (2) -system call returned an error while -.I kstash -was attempting to write the key to the file. -.SH FILES -.TP 20n -/etc/kerberosIV/principal.pag, /etc/kerberosIV/principal.dir -DBM files containing database -.TP -/etc/kerberosIV/master_key -Master key cache file. diff --git a/kerberosIV/kstash/kstash.c b/kerberosIV/kstash/kstash.c deleted file mode 100644 index 7ec0a7f903d..00000000000 --- a/kerberosIV/kstash/kstash.c +++ /dev/null 
@@ -1,65 +0,0 @@ -/* $OpenBSD: kstash.c,v 1.3 1998/02/18 11:54:09 art Exp $ */ -/* $KTH: kstash.c,v 1.10 1997/03/30 17:35:37 assar Exp $ */ - -/*- - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. - */ - -#include "adm_locl.h" - -/* change this later, but krblib_dbm needs it for now */ - -static des_cblock master_key; -static des_key_schedule master_key_schedule; - -static void -clear_secrets(void) -{ - memset(master_key_schedule, 0, sizeof(master_key_schedule)); - memset(master_key, 0, sizeof(master_key)); -} - -static char progname[] = "kstash"; - -int -main(int argc, char **argv) -{ - long n; - int ret = 0; - - if (atexit(clear_secrets)) - errx(1, "Out of resources\n"); - - if ((n = kerb_init())) - errx(1, "Kerberos db and cache init failed = %ld\n", n); - - if (kdb_get_master_key (KDB_GET_PROMPT, &master_key, - master_key_schedule) != 0) { - errx(1, "Couldn't read master key."); - } - - if (kdb_verify_master_key (&master_key, master_key_schedule, stderr) < 0) { - return 1; - } - - ret = kdb_kstash(&master_key, MKEYFILE); - if(ret < 0) - warn("writing master key"); - else - fprintf(stderr, "Wrote master key to %s\n", MKEYFILE); - - return ret; -} 
diff --git a/kerberosIV/man/Makefile b/kerberosIV/man/Makefile
deleted file mode 100644
index 19dc8a7f4a5..00000000000
--- a/kerberosIV/man/Makefile
+++ /dev/null
@@ -1,6 +0,0 @@
-# from @(#)Makefile 8.1 (Berkeley) 6/1/93
-# $Id: Makefile,v 1.2 1996/01/29 19:18:49 tholo Exp $
-
-MAN= kerberos.1 krb.conf.5 krb.realms.5
-
-.include <bsd.prog.mk>
diff --git a/kerberosIV/man/kerberos.1 b/kerberosIV/man/kerberos.1
deleted file mode 100644
index 88c6aa0ba3e..00000000000
--- a/kerberosIV/man/kerberos.1
+++ /dev/null
@@ -1,283 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. -.\" -.\" $OpenBSD: kerberos.1,v 1.5 1998/02/25 15:51:54 art Exp $ -.TH KERBEROS 1 "Kerberos Version 4.0" "MIT Project Athena" -.SH NAME -kerberos \- introduction to the Kerberos system - -.SH DESCRIPTION -For better documentation please check the info-files in /usr/share/info - -The -Kerberos -system authenticates -individual users in a network environment. 
-After authenticating yourself to -Kerberos, -you can use network utilities such as -.IR rlogin , -.IR rcp , -and -.IR rsh -without -having to present passwords to remote hosts and without having to bother -with -.I \.rhosts -files. -Note that these utilities will work without passwords only if -the remote machines you deal with -support the -Kerberos -system. -All Athena timesharing machines and public workstations support -Kerberos. -.PP -Before you can use -Kerberos, -you must register as an Athena user, -and you must make sure you have been added to -the -Kerberos -database. -You can use the -.I kinit -command to find out. -This command -tries to log you into the -Kerberos -system. -.I kinit -will prompt you for a username and password. -Enter your username and password. -If the utility lets you login without giving you a message, -you have already been registered. -.PP -If you enter your username and -.I kinit -responds with this message: -.nf - -Principal unknown (kerberos) - -.fi -you haven't been registered as a -Kerberos -user. -See your system administrator. -.PP -A Kerberos name contains three parts. -The first is the -.I principal name, -which is usually a user's or service's name. -The second is the -.I instance, -which in the case of a user is usually null. -Some users may have privileged instances, however, -such as ``root'' or ``admin''. -In the case of a service, the instance is the -name of the machine on which it runs; i.e. there -can be an -.I rlogin -service running on the machine ABC, which -is different from the rlogin service running on -the machine XYZ. -The third part of a Kerberos name -is the -.I realm. -The realm corresponds to the Kerberos service providing -authentication for the principal. -For example, at MIT there is a Kerberos running at the -Laboratory for Computer Science and one running at -Project Athena. 
-.PP -When writing a Kerberos name, the principal name is -separated from the instance (if not null) by a period, -and the realm (if not the local realm) follows, preceded by -an ``@'' sign. -The following are examples of valid Kerberos names: -.sp -.nf -.in +8 -billb -jis.admin -srz@lcs.mit.edu -treese.root@athena.mit.edu -.in -8 -.fi -.PP -When you authenticate yourself with -Kerberos, -through either the workstation -.I toehold -system or the -.I kinit -command, -Kerberos -gives you an initial -Kerberos -.IR ticket . -(A -Kerberos -ticket -is an encrypted protocol message that provides authentication.) -Kerberos -uses this ticket for network utilities -such as -.I rlogin -and -.IR rcp . -The ticket transactions are done transparently, -so you don't have to worry about their management. -.PP -Note, however, that tickets expire. -Privileged tickets, such as root instance tickets, -expire in a few minutes, while tickets that carry more ordinary -privileges may be good for several hours or a day, depending on the -installation's policy. -If your login session extends beyond the time limit, -you will have to re-authenticate yourself to -Kerberos -to get new tickets. -Use the -.IR kinit -command to re-authenticate yourself. -.PP -If you use the -.I kinit -command to get your tickets, -make sure you use the -.I kdestroy -command -to destroy your tickets before you end your login session. -You should probably put the -.I kdestroy -command in your -.I \.logout -file so that your tickets will be destroyed automatically when you logout. -For more information about the -.I kinit -and -.I kdestroy -commands, -see the -.I kinit(1) -and -.I kdestroy(1) -manual pages. -.PP -Currently, -Kerberos -supports the following network services: -.IR rlogin , -.IR rsh , -and -.IR rcp . -Other services are being worked on, -such as the -.IR pop -mail system and NFS (network file system), -but are not yet available. 
- -.SH "SEE ALSO" -kdestroy(1), kinit(1), klist(1), kpasswd(1), des_crypt(3), kerberos(3), -kadmin(8) -.SH BUGS -Kerberos -will not do authentication forwarding. -In other words, -if you use -.I rlogin -to login to a remote host, -you cannot use -Kerberos -services from that host -until you authenticate yourself explicitly on that host. -Although you may need to authenticate yourself on the remote -host, -be aware that when you do so, -.I rlogin -sends your password across the network in clear text. - -.SH AUTHORS -Steve Miller, MIT Project Athena/Digital Equipment Corporation -.br -Clifford Neuman, MIT Project Athena - -The following people helped out on various aspects of the system: - -Jeff Schiller designed and wrote the administration server and its -user interface, kadmin. -He also wrote the dbm version of the database management system. - -Mark Colan developed the -Kerberos -versions of -.IR rlogin , -.IR rsh , -and -.IR rcp , -as well as contributing work on the servers. - -John Ostlund developed the -Kerberos -versions of -.I passwd -and -.IR userreg . - -Stan Zanarotti pioneered Kerberos in a foreign realm (LCS), -and made many contributions based on that experience. - -Many people contributed code and/or useful ideas, including -Jim Aspnes, -Bob Baldwin, -John Barba, -Richard Basch, -Jim Bloom, -Bill Bryant, -Rob French, -Dan Geer, -David Jedlinsky, -John Kohl, -John Kubiatowicz, -Bob McKie, -Brian Murphy, -Ken Raeburn, -Chris Reed, -Jon Rochlis, -Mike Shanzer, -Bill Sommerfeld, -Jennifer Steiner, -Ted Ts'o, -and -Win Treese. - -.SH RESTRICTIONS - -COPYRIGHT 1985,1986 Massachusetts Institute of Technology diff --git a/kerberosIV/man/krb.conf.5 b/kerberosIV/man/krb.conf.5 deleted file mode 100644 index 406f5834db4..00000000000 --- a/kerberosIV/man/krb.conf.5 +++ /dev/null 
@@ -1,77 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. -.\" -.\" $OpenBSD: krb.conf.5,v 1.9 1999/07/07 10:50:15 aaron Exp $ -.Dd June 15, 1999 -.Dt KRB.CONF 5 -.Os -.Sh NAME -.Nm krb.conf -.Nd Kerberos configuration file -.Sh DESCRIPTION -.Nm -contains configuration information describing the Kerberos realm and the -Kerberos key distribution center (KDC) servers for known realms. 
-.Pp -The first line of -.Nm -contains the name of the local realm. If the first character in the first line -is a hash sign -.Pq Ql # , -then Kerberos authentication is disabled. -.Pp -Subsequent lines are of the form -.Bd -ragged -offset indent -.Fa realm -.Fa KDC_server -.Op admin server -.Ed -.Pp -where -.Fa realm -is a Kerberos realm name and -.Fa KDC_server -is the name of a host running a KDC for -.Fa realm . -The words -.Dq admin server -following -.Fa KDC_server -indicate that the host also provides an administrative database server. -.Sh EXAMPLES -A krb.conf file for a host in the ATHENA.MIT.EDU realm might look like: -.Bd -literal -offset indent -ATHENA.MIT.EDU -ATHENA.MIT.EDU kerberos-1.mit.edu admin server -ATHENA.MIT.EDU kerberos-2.mit.edu -LCS.MIT.EDU kerberos.lcs.mit.edu admin server -.Ed -.Sh SEE ALSO -.Xr krb_get_krbhst 3 , -.Xr krb_get_lrealm 3 , -.Xr krb.realms 5 diff --git a/kerberosIV/man/krb.realms.5 b/kerberosIV/man/krb.realms.5 deleted file mode 100644 index b89a0b1cbc3..00000000000 --- a/kerberosIV/man/krb.realms.5 +++ /dev/null 
@@ -1,64 +0,0 @@ -.\" -.\" This source code is no longer held under any constraint of USA -.\" `cryptographic laws' since it was exported legally. The cryptographic -.\" functions were removed from the code and a "Bones" distribution was -.\" made. A Commodity Jurisdiction Request #012-94 was filed with the -.\" USA State Department, who handed it to the Commerce department. The -.\" code was determined to fall under General License GTDA under ECCN 5D96G, -.\" and hence exportable. The cryptographic interfaces were re-added by Eric -.\" Young, and then KTH proceeded to maintain the code in the free world. -.\" -.\"Copyright (C) 1989 by the Massachusetts Institute of Technology -.\" -.\"Export of this software from the United States of America is assumed -.\"to require a specific license from the United States Government. -.\"It is the responsibility of any person or organization contemplating -.\"export to obtain such a license before exporting. -.\" -.\"WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\"distribute this software and its documentation for any purpose and -.\"without fee is hereby granted, provided that the above copyright -.\"notice appear in all copies and that both that copyright notice and -.\"this permission notice appear in supporting documentation, and that -.\"the name of M.I.T. not be used in advertising or publicity pertaining -.\"to distribution of the software without specific, written prior -.\"permission. M.I.T. makes no representations about the suitability of -.\"this software for any purpose. It is provided "as is" without express -.\"or implied warranty. -.\" -.\" $OpenBSD: krb.realms.5,v 1.8 1999/07/07 10:50:15 aaron Exp $ -.Dd June 15, 1999 -.Dt KRB.REALMS 5 -.Os -.Sh NAME -.Nm krb.realms -.Nd host to Kerberos realm translation file -.Sh DESCRIPTION -.Nm -provides a translation from a hostname to the Kerberos realm name for -the services provided by that host. 
-.Pp -Each line of the translation file is in one of the following forms -.Pf ( Fa domain_name -should be of the form .XXX.YYY, e.g. .LCS.MIT.EDU): -.Bd -literal -offset indent -host_name kerberos_realm -domain_name kerberos_realm -.Ed -.Pp -If a hostname exactly matches the -.Fa host_name -field in a line of the first form, the corresponding -.Fa kerberos_realm -is the realm of the host. If a hostname does not match any -.Fa host_name -in the file, but its domain exactly matches the -.Fa domain_name -field in a line of the second form, the corresponding -.Fa kerberos_realm -is the realm of the host. -.Pp -If no translation entry applies, the host's realm is considered to be -the hostname's domain portion converted to upper case. -.Sh SEE ALSO -.Xr krb_realmofhost 3 diff --git a/kerberosIV/roken/get_window_size.c b/kerberosIV/roken/get_window_size.c deleted file mode 100644 index 628efb5e824..00000000000 --- a/kerberosIV/roken/get_window_size.c +++ /dev/null 
@@ -1,100 +0,0 @@ -/* $OpenBSD: get_window_size.c,v 1.1 1998/08/12 23:36:41 art Exp $ */ -/* $KTH: get_window_size.c,v 1.6 1998/05/30 21:22:35 joda Exp $ */ - -/* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <stdlib.h> -#include <unistd.h> -#include <sys/types.h> -#include <termios.h> - -int -get_window_size(int fd, struct winsize *wp) -{ - char *s; - struct winsize tmp; - int ret = -1; - - memset(wp, 0, sizeof(*wp)); - memset(&tmp, 0, sizeof(tmp)); - if((s = getenv("COLUMNS"))) - wp->ws_col = atoi(s); - if((s = getenv("LINES"))) - wp->ws_row = atoi(s); - if(wp->ws_col > 0 && wp->ws_row > 0) - return 0; - -#if defined(TIOGCWINSZ) - ret = ioctl(fd, TIOGCWINSZ, &tmp); -#elif defined(TIOCGSIZE) - { - struct ttysize ts; - - ret = ioctl(fd, TIOCGSIZE, &ts); - if(ret == 0) { - tmp.ws_row = ts.ts_lines; - tmp.ws_row = ts.ts_cols; - tmp.ws_xpixel = 0; - tmp.ws_ypixel = 0; - } - } -#elif defined(HAVE__SCRSIZE) - { - int dst[2]; - - _scrsize(dst); - tmp.ws_row = dst[1]; - tmp.ws_col = dst[0]; - tmp.ws_xpixel = 0; - tmp.ws_ypixel = 0; - ret = 0; - } -#endif - if(ret == 0) { - if(wp->ws_col == 0) { - wp->ws_col = tmp.ws_col; - wp->ws_xpixel = tmp.ws_xpixel; - } - if(wp->ws_row == 0) { - wp->ws_row = tmp.ws_row; - wp->ws_ypixel = tmp.ws_ypixel; - } - } - return ret; -} diff --git a/kerberosIV/roken/get_window_size.h b/kerberosIV/roken/get_window_size.h deleted file mode 100644 index 26b3e4ec038..00000000000 --- a/kerberosIV/roken/get_window_size.h +++ /dev/null 
@@ -1,9 +0,0 @@
-#ifndef GET_WINDOW_SIZE_H
-#define GET_WINDOW_SIZE_H
-struct winsize {
- unsigned short ws_row, ws_col;
- unsigned short ws_xpixel, ws_ypixel;
-};
-
-int get_window_size(int fd, struct winsize *ws);
-#endif
diff --git a/kerberosIV/roken/getarg.c b/kerberosIV/roken/getarg.c
deleted file mode 100644
index d5081e5aa0e..00000000000
--- a/kerberosIV/roken/getarg.c
+++ /dev/null
@@ -1,530 +0,0 @@ -/* $OpenBSD: getarg.c,v 1.3 1998/08/16 20:54:49 art Exp $ */ -/* $KTH: getarg.c,v 1.18 1998/01/22 20:23:16 joda Exp $ */ -/* - * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/param.h> -#include <stdio.h> -#include <stdlib.h> -#include <time.h> -#include <string.h> -#include <ctype.h> -#include "getarg.h" -#include "get_window_size.h" - -extern const char *__progname; - -#define ISFLAG(X) ((X).type == arg_flag || (X).type == arg_negative_flag) - -char * -strupr(char *str) -{ - char *s; - - for(s = str; *s; s++) - *s = toupper(*s); - return str; -} - -int -strcpy_truncate (char *dst, const char *src, size_t dst_sz) -{ - int n; - char *p; - - for (p = dst, n = 0; - n + 1 < dst_sz && *src != '\0'; - ++p, ++src, ++n) - *p = *src; - *p = '\0'; - if (*src == '\0') - return n; - else - return dst_sz; -} - -int -strcat_truncate(char *dst, const char *src, size_t dst_sz) -{ - int len = strlen(dst); - - return len + strcpy_truncate(dst + len, src, MIN(dst_sz - len, dst_sz)); -} - -static size_t -print_arg (char *string, size_t len, int mdoc, int longp, struct getargs *arg) -{ - const char *s; - - *string = '\0'; - - if (ISFLAG(*arg)) - return 0; - - if(mdoc){ - if(longp) - strcat_truncate(string, "= Ns", len); - strcat_truncate(string, " Ar ", len); - }else - if (longp) - strcat_truncate (string, "=", len); - else - strcat_truncate (string, " ", len); - - if (arg->arg_help) - s = arg->arg_help; - else if (arg->type == arg_integer) - s = "number"; - else if (arg->type == arg_string) - s = "string"; - else - s = "<undefined>"; - - strcat_truncate(string, s, len); - return 1 + strlen(s); -} - -static 
void -mandoc_template(struct getargs *args, - size_t num_args, - const char *extra_string) -{ - int i; - char timestr[64], cmd[64]; - char buf[128]; - const char *p; - time_t t; - - printf(".\\\" Things to fix:\n"); - printf(".\\\" * correct section, and operating system\n"); - printf(".\\\" * remove Op from mandatory flags\n"); - printf(".\\\" * use better macros for arguments (like .Pa for files)\n"); - printf(".\\\"\n"); - t = time(NULL); - strftime(timestr, sizeof(timestr), "%b %d, %Y", localtime(&t)); - printf(".Dd %s\n", timestr); - p = strrchr(__progname, '/'); - if(p) p++; else p = __progname; - strncpy(cmd, p, sizeof(cmd)); - cmd[sizeof(cmd)-1] = '\0'; - strupr(cmd); - - printf(".Dt %s SECTION\n", cmd); - printf(".Os OPERATING_SYSTEM\n"); - printf(".Sh NAME\n"); - printf(".Nm %s\n", p); - printf(".Nd\n"); - printf("in search of a description\n"); - printf(".Sh SYNOPSIS\n"); - printf(".Nm\n"); - for(i = 0; i < num_args; i++){ - /* we seem to hit a limit on number of arguments if doing - short and long flags with arguments -- split on two lines */ - if(ISFLAG(args[i]) || - args[i].short_name == 0 || args[i].long_name == NULL) { - printf(".Op "); - - if(args[i].short_name) { - print_arg(buf, sizeof(buf), 1, 0, args + i); - printf("Fl %c%s", args[i].short_name, buf); - if(args[i].long_name) - printf(" | "); - } - if(args[i].long_name) { - print_arg(buf, sizeof(buf), 1, 1, args + i); - printf("Fl -%s%s", args[i].long_name, buf); - } - printf("\n"); - } else { - print_arg(buf, sizeof(buf), 1, 0, args + i); - printf(".Oo Fl %c%s \\*(Ba Xo\n", args[i].short_name, buf); - print_arg(buf, sizeof(buf), 1, 1, args + i); - printf(".Fl -%s%s Oc\n.Xc\n", args[i].long_name, buf); - } - /* - if(args[i].type == arg_strings) - fprintf (stderr, "..."); - */ - } - if (extra_string && *extra_string) - printf (".Ar %s\n", extra_string); - printf(".Sh DESCRIPTION\n"); - printf("Supported options:\n"); - printf(".Bl -tag -width Ds\n"); - for(i = 0; i < num_args; i++){ - printf(".It 
Xo\n"); - if(args[i].short_name){ - printf(".Fl %c", args[i].short_name); - print_arg(buf, sizeof(buf), 1, 0, args + i); - printf("%s", buf); - if(args[i].long_name) - printf(" Ns ,"); - printf("\n"); - } - if(args[i].long_name){ - printf(".Fl -%s", args[i].long_name); - print_arg(buf, sizeof(buf), 1, 1, args + i); - printf("%s\n", buf); - } - printf(".Xc\n"); - if(args[i].help) - printf("%s\n", args[i].help); - /* - if(args[i].type == arg_strings) - fprintf (stderr, "..."); - */ - } - printf(".El\n"); - printf(".\\\".Sh ENVIRONMENT\n"); - printf(".\\\".Sh FILES\n"); - printf(".\\\".Sh EXAMPLES\n"); - printf(".\\\".Sh DIAGNOSTICS\n"); - printf(".\\\".Sh SEE ALSO\n"); - printf(".\\\".Sh STANDARDS\n"); - printf(".\\\".Sh HISTORY\n"); - printf(".\\\".Sh AUTHORS\n"); - printf(".\\\".Sh BUGS\n"); -} - -static int -check_column(FILE *f, int col, int len, int columns) -{ - if(col + len > columns) { - fprintf(f, "\n"); - col = fprintf(f, " "); - } - return col; -} - -void -arg_printusage (struct getargs *args, - size_t num_args, - const char *extra_string) -{ - int i; - size_t max_len = 0; - char buf[128]; - int col = 0, columns; - struct winsize ws; - - if(getenv("GETARGMANDOC")){ - mandoc_template(args, num_args, extra_string); - return; - } - if(get_window_size(2, &ws) == 0) - columns = ws.ws_col; - else - columns = 80; - col = 0; - col += fprintf (stderr, "Usage: %s", __progname); - for (i = 0; i < num_args; ++i) { - size_t len = 0; - - if (args[i].long_name) { - buf[0] = '\0'; - strcat_truncate(buf, "[--", sizeof(buf)); - len += 2; - if(args[i].type == arg_negative_flag) { - strcat_truncate(buf, "no-", sizeof(buf)); - len += 3; - } - strcat_truncate(buf, args[i].long_name, sizeof(buf)); - len += strlen(args[i].long_name); - len += print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), - 0, 1, &args[i]); - strcat_truncate(buf, "]", sizeof(buf)); - if(args[i].type == arg_strings) - strcat_truncate(buf, "...", sizeof(buf)); - col = check_column(stderr, col, strlen(buf) 
+ 1, columns); - col += fprintf(stderr, " %s", buf); - } - if (args[i].short_name) { - snprintf(buf, sizeof(buf), "[-%c", args[i].short_name); - len += 2; - len += print_arg(buf + strlen(buf), sizeof(buf) - strlen(buf), - 0, 0, &args[i]); - strcat_truncate(buf, "]", sizeof(buf)); - if(args[i].type == arg_strings) - strcat_truncate(buf, "...", sizeof(buf)); - col = check_column(stderr, col, strlen(buf) + 1, columns); - col += fprintf(stderr, " %s", buf); - } - if (args[i].long_name && args[i].short_name) - len += 2; /* ", " */ - max_len = MAX(max_len, len); - } - if (extra_string) { - col = check_column(stderr, col, strlen(extra_string) + 1, columns); - fprintf (stderr, " %s\n", extra_string); - } else - fprintf (stderr, "\n"); - for (i = 0; i < num_args; ++i) { - if (args[i].help) { - size_t count = 0; - - if (args[i].short_name) { - count += fprintf (stderr, "-%c", args[i].short_name); - print_arg (buf, sizeof(buf), 0, 0, &args[i]); - count += fprintf(stderr, "%s", buf); - } - if (args[i].short_name && args[i].long_name) - count += fprintf (stderr, ", "); - if (args[i].long_name) { - count += fprintf (stderr, "--"); - if (args[i].type == arg_negative_flag) - count += fprintf (stderr, "no-"); - count += fprintf (stderr, "%s", args[i].long_name); - print_arg (buf, sizeof(buf), 0, 1, &args[i]); - count += fprintf(stderr, "%s", buf); - } - while(count++ <= max_len) - putc (' ', stderr); - fprintf (stderr, "%s\n", args[i].help); - } - } -} - -static void -add_string(getarg_strings *s, char *value) -{ - char **temp; - - temp = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings)); - if (temp == NULL){ - free (s->strings); - err(1, "realloc:"); - } - s->strings = temp; - - s->strings[s->num_strings] = value; - s->num_strings++; -} - -static int -arg_match_long(struct getargs *args, size_t num_args, - char *argv) -{ - int i; - char *optarg = NULL; - int negate = 0; - int partial_match = 0; - struct getargs *partial = NULL; - struct getargs *current = NULL; - int 
argv_len; - char *p; - - argv_len = strlen(argv); - p = strchr (argv, '='); - if (p != NULL) - argv_len = p - argv; - - for (i = 0; i < num_args; ++i) { - if(args[i].long_name) { - int len = strlen(args[i].long_name); - char *p = argv; - int p_len = argv_len; - negate = 0; - - for (;;) { - if (strncmp (args[i].long_name, p, p_len) == 0) { - if(p_len == len) - current = &args[i]; - else { - ++partial_match; - partial = &args[i]; - } - optarg = p + p_len; - } else if (ISFLAG(args[i]) && strncmp (p, "no-", 3) == 0) { - negate = !negate; - p += 3; - p_len -= 3; - continue; - } - break; - } - if (current) - break; - } - } - if (current == NULL) - if (partial_match == 1) - current = partial; - else - return ARG_ERR_NO_MATCH; - - if(*optarg == '\0' && !ISFLAG(*current)) - return ARG_ERR_NO_MATCH; - switch(current->type){ - case arg_integer: - { - int tmp; - if(sscanf(optarg + 1, "%d", &tmp) != 1) - return ARG_ERR_BAD_ARG; - *(int*)current->value = tmp; - return 0; - } - case arg_string: - { - *(char**)current->value = optarg + 1; - return 0; - } - case arg_strings: - { - add_string((getarg_strings*)current->value, optarg + 1); - return 0; - } - case arg_flag: - case arg_negative_flag: - { - int *flag = current->value; - if(*optarg == '\0' || - strcmp(optarg + 1, "yes") == 0 || - strcmp(optarg + 1, "true") == 0){ - *flag = !negate; - return 0; - } else if (*optarg && strcmp(optarg + 1, "maybe") == 0) { - *flag = rand() & 1; - } else { - *flag = negate; - return 0; - } - return ARG_ERR_BAD_ARG; - } - default: - abort (); - } -} - -int -getarg(struct getargs *args, size_t num_args, - int argc, char **argv, int *optind) -{ - int i, j, k; - int ret = 0; - - srand (time(NULL)); - (*optind)++; - for(i = *optind; i < argc; i++) { - if(argv[i][0] != '-') - break; - if(argv[i][1] == '-'){ - if(argv[i][2] == 0){ - i++; - break; - } - ret = arg_match_long (args, num_args, argv[i] + 2); - if(ret) - return ret; - }else{ - for(j = 1; argv[i][j]; j++) { - for(k = 0; k < num_args; k++) { 
- char *optarg; - if(args[k].short_name == 0) - continue; - if(argv[i][j] == args[k].short_name){ - if(args[k].type == arg_flag){ - *(int*)args[k].value = 1; - break; - } - if(args[k].type == arg_negative_flag){ - *(int*)args[k].value = 0; - break; - } - if(argv[i][j + 1]) - optarg = &argv[i][j + 1]; - else{ - i++; - optarg = argv[i]; - } - if(optarg == NULL) - return ARG_ERR_NO_ARG; - if(args[k].type == arg_integer){ - int tmp; - if(sscanf(optarg, "%d", &tmp) != 1) - return ARG_ERR_BAD_ARG; - *(int*)args[k].value = tmp; - goto out; - }else if(args[k].type == arg_string){ - *(char**)args[k].value = optarg; - goto out; - }else if(args[k].type == arg_strings){ - add_string((getarg_strings*)args[k].value, optarg); - goto out; - } - return ARG_ERR_BAD_ARG; - } - - } - if (k == num_args) - return ARG_ERR_NO_MATCH; - } - out:; - } - } - *optind = i; - return 0; -} - -#if TEST -int foo_flag = 2; -int flag1 = 0; -int flag2 = 0; -int bar_int; -char *baz_string; - -struct getargs args[] = { - { NULL, '1', arg_flag, &flag1, "one", NULL }, - { NULL, '2', arg_flag, &flag2, "two", NULL }, - { "foo", 'f', arg_negative_flag, &foo_flag, "foo", NULL }, - { "bar", 'b', arg_integer, &bar_int, "bar", "seconds"}, - { "baz", 'x', arg_string, &baz_string, "baz", "name" }, -}; - -int main(int argc, char **argv) -{ - int optind = 0; - while(getarg(args, 5, argc, argv, &optind)) - printf("Bad arg: %s\n", argv[optind]); - printf("flag1 = %d\n", flag1); - printf("flag2 = %d\n", flag2); - printf("foo_flag = %d\n", foo_flag); - printf("bar_int = %d\n", bar_int); - printf("baz_flag = %s\n", baz_string); - arg_printusage (args, 5, "nothing here"); -} -#endif diff --git a/kerberosIV/roken/getarg.h b/kerberosIV/roken/getarg.h deleted file mode 100644 index f078f523f97..00000000000 --- a/kerberosIV/roken/getarg.h +++ /dev/null 
@@ -1,73 +0,0 @@ -/* $OpenBSD: getarg.h,v 1.1 1998/05/18 01:43:07 art Exp $ */ -/* $KTH: getarg.h,v 1.4 1997/08/08 22:40:12 joda Exp $ */ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifndef __GETARG_H__ -#define __GETARG_H__ - -#include <stddef.h> - -struct getargs{ - const char *long_name; - char short_name; - enum { arg_integer, arg_string, arg_flag, arg_negative_flag, arg_strings } type; - void *value; - const char *help; - const char *arg_help; -}; - -enum { - ARG_ERR_NO_MATCH = 1, - ARG_ERR_BAD_ARG, - ARG_ERR_NO_ARG -}; - -typedef struct getarg_strings { - int num_strings; - char **strings; -} getarg_strings; - -int getarg(struct getargs *args, size_t num_args, - int argc, char **argv, int *optind); - -void arg_printusage (struct getargs *args, - size_t num_args, - const char *extra_string); - -#endif /* __GETARG_H__ */ diff --git a/kerberosIV/roken/parse_time.c b/kerberosIV/roken/parse_time.c deleted file mode 100644 index 94241568346..00000000000 --- a/kerberosIV/roken/parse_time.c +++ /dev/null 
@@ -1,80 +0,0 @@ -/* $OpenBSD: parse_time.c,v 1.1 1998/05/18 01:22:47 art Exp $ */ -/* $KTH: parse_time.c,v 1.4 1998/02/20 07:51:44 assar Exp $ */ -/* - * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <parse_units.h> -#include "parse_time.h" - -static units time_units[] = { - {"year", 365 * 24 * 60 * 60}, - {"month", 30 * 24 * 60 * 60}, - {"week", 7 * 24 * 60 * 60}, - {"day", 24 * 60 * 60}, - {"hour", 60 * 60}, - {"h", 60 * 60}, - {"minute", 60}, - {"m", 60}, - {"second", 1}, - {"s", 1}, - {NULL, 0}, -}; - -int -parse_time (const char *s, const char *def_unit) -{ - return parse_units (s, time_units, def_unit); -} - -size_t -unparse_time (int t, char *s, size_t len) -{ - return unparse_units (t, time_units, s, len); -} - -size_t -unparse_time_approx (int t, char *s, size_t len) -{ - return unparse_units_approx (t, time_units, s, len); -} - -void -print_time_table (FILE *f) -{ - print_units_table (time_units, f); -} diff --git a/kerberosIV/roken/parse_time.h b/kerberosIV/roken/parse_time.h deleted file mode 100644 index 57e9ec6b44c..00000000000 --- a/kerberosIV/roken/parse_time.h +++ /dev/null 
@@ -1,56 +0,0 @@ -/* $OpenBSD: parse_time.h,v 1.1 1998/05/18 01:22:48 art Exp $ */ -/* $KTH: parse_time.h,v 1.3 1998/02/20 07:51:55 assar Exp $ */ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifndef __PARSE_TIME_H__ -#define __PARSE_TIME_H__ - -int -parse_time (const char *s, const char *def_unit); - -size_t -unparse_time (int t, char *s, size_t len); - -size_t -unparse_time_approx (int t, char *s, size_t len); - -void -print_time_table (FILE *f); - -#endif /* __PARSE_TIME_H__ */ diff --git a/kerberosIV/roken/parse_units.c b/kerberosIV/roken/parse_units.c deleted file mode 100644 index d53109bb7dd..00000000000 --- a/kerberosIV/roken/parse_units.c +++ /dev/null 
@@ -1,325 +0,0 @@ -/* $OpenBSD: parse_units.c,v 1.1 1998/05/18 01:22:48 art Exp $ */ -/* $KTH: parse_units.c,v 1.6 1998/02/20 07:51:04 assar Exp $ */ -/* - * Copyright (c) 1997, 1998 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <ctype.h> -#include <string.h> -#include "parse_units.h" - -/* - * Parse string in `s' according to `units' and return value. - * def_unit defines the default unit. - */ - -static int -parse_something (const char *s, const struct units *units, - const char *def_unit, - int (*func)(int res, int val, unsigned mult), - int init, - int accept_no_val_p) -{ - const char *p; - int res = init; - unsigned def_mult = 1; - - if (def_unit != NULL) { - const struct units *u; - - for (u = units; u->name; ++u) { - if (strcasecmp (u->name, def_unit) == 0) { - def_mult = u->mult; - break; - } - } - if (u->name == NULL) - return -1; - } - - p = s; - while (*p) { - double val; - char *next; - const struct units *u, *partial_unit; - size_t u_len; - unsigned partial; - - while(isspace(*p) || *p == ',') - ++p; - - val = strtod (p, &next); /* strtol(p, &next, 0); */ - if (val == 0 && p == next) { - if(accept_no_val_p) - val = 1; - else - return -1; - } - p = next; - while (isspace(*p)) - ++p; - if (*p == '\0') { - res = (*func)(res, val, def_mult); - if (res < 0) - return res; - break; - } else if (*p == '+') { - ++p; - } else if (*p == '-') { - ++p; - val = -1; - } - u_len = strcspn (p, ", \t"); - partial = 0; - partial_unit = NULL; - if (u_len > 1 && p[u_len - 1] == 's') - --u_len; - for (u = units; u->name; ++u) { - if (strncasecmp (p, u->name, u_len) == 0) { - if (u_len == strlen (u->name)) { - p += 
u_len; - res = (*func)(res, val, u->mult); - if (res < 0) - return res; - break; - } else { - ++partial; - partial_unit = u; - } - } - } - if (u->name == NULL) { - if (partial == 1) { - p += u_len; - res = (*func)(res, val, partial_unit->mult); - if (res < 0) - return res; - } else { - return -1; - } - } - if (*p == 's') - ++p; - } - return res; -} - -/* - * The string consists of a sequence of `n unit' - */ - -static int -acc_units(int res, int val, unsigned mult) -{ - return res + val * mult; -} - -int -parse_units (const char *s, const struct units *units, - const char *def_unit) -{ - return parse_something (s, units, def_unit, acc_units, 0, 0); -} - -/* - * The string consists of a sequence of `[+-]flag'. `orig' consists - * the original set of flags, those are then modified and returned as - * the function value. - */ - -static int -acc_flags(int res, int val, unsigned mult) -{ - if(val == 1) - return res | mult; - else if(val == -1) - return res & ~mult; - else - return -1; -} - -int -parse_flags (const char *s, const struct units *units, - int orig) -{ - return parse_something (s, units, NULL, acc_flags, orig, 1); -} - -/* - * Return a string representation according to `units' of `num' in `s' - * with maximum length `len'. The actual length is the function value. 
- */ - -static size_t -unparse_something (int num, const struct units *units, char *s, size_t len, - int (*print) (char *s, size_t len, int div, - const char *name, int rem), - int (*update) (int in, unsigned mult), - const char *zero_string) -{ - const struct units *u; - size_t ret = 0, tmp; - - if (num == 0) - return snprintf (s, len, "%s", zero_string); - - for (u = units; num > 0 && u->name; ++u) { - int div; - - div = num / u->mult; - if (div) { - num = (*update) (num, u->mult); - tmp = (*print) (s, len, div, u->name, num); - - len -= tmp; - s += tmp; - ret += tmp; - } - } - return ret; -} - -static int -print_unit (char *s, size_t len, int div, const char *name, int rem) -{ - return snprintf (s, len, "%u %s%s%s", - div, name, - div == 1 ? "" : "s", - rem > 0 ? " " : ""); -} - -static int -update_unit (int in, unsigned mult) -{ - return in % mult; -} - -static int -update_unit_approx (int in, unsigned mult) -{ - if (in / mult > 0) - return 0; - else - return update_unit (in, mult); -} - -size_t -unparse_units (int num, const struct units *units, char *s, size_t len) -{ - return unparse_something (num, units, s, len, - print_unit, - update_unit, - "0"); -} - -size_t -unparse_units_approx (int num, const struct units *units, char *s, size_t len) -{ - return unparse_something (num, units, s, len, - print_unit, - update_unit_approx, - "0"); -} - -#ifndef MAX -#define MAX(a,b) (a)>(b)?(a):(b) -#endif - -void -print_units_table (const struct units *units, FILE *f) -{ - const struct units *u, *u2; - unsigned max_sz = 0; - - for (u = units; u->name; ++u) { - max_sz = MAX(max_sz, strlen(u->name)); - } - - for (u = units; u->name;) { - char buf[1024]; - const struct units *next; - - for (next = u + 1; next->name && next->mult == u->mult; ++next) - ; - - if (next->name) { - for (u2 = next; - u2->name && u->mult % u2->mult != 0; - ++u2) - ; - if (u2->name == NULL) - --u2; - unparse_units (u->mult, u2, buf, sizeof(buf)); - fprintf (f, "1 %*s = %s\n", max_sz, u->name, buf); 
- } else { - fprintf (f, "1 %s\n", u->name); - } - u = next; - } -} - -static int -print_flag (char *s, size_t len, int div, const char *name, int rem) -{ - return snprintf (s, len, "%s%s", name, rem > 0 ? ", " : ""); -} - -static int -update_flag (int in, unsigned mult) -{ - return in - mult; -} - -size_t -unparse_flags (int num, const struct units *units, char *s, size_t len) -{ - return unparse_something (num, units, s, len, - print_flag, - update_flag, - ""); -} - -void -print_flags_table (const struct units *units, FILE *f) -{ - const struct units *u; - - for(u = units; u->name; ++u) - fprintf(f, "%s%s", u->name, (u+1)->name ? ", " : "\n"); -} diff --git a/kerberosIV/roken/parse_units.h b/kerberosIV/roken/parse_units.h deleted file mode 100644 index 826edef0b57..00000000000 --- a/kerberosIV/roken/parse_units.h +++ /dev/null 
@@ -1,78 +0,0 @@ -/* - * Copyright (c) 1997 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: parse_units.h,v 1.1 1998/05/18 01:22:49 art Exp $ */ - -#ifndef __PARSE_UNITS_H__ -#define __PARSE_UNITS_H__ - -#include <stdio.h> -#include <stddef.h> - -struct units { - const char *name; - unsigned mult; -}; - -typedef struct units units; - -int -parse_units (const char *s, const struct units *units, - const char *def_unit); - -void -print_units_table (const struct units *units, FILE *f); - -int -parse_flags (const char *s, const struct units *units, - int orig); - -size_t -unparse_units (int num, const struct units *units, char *s, size_t len); - -size_t -unparse_units_approx (int num, const struct units *units, char *s, - size_t len); - -size_t -unparse_flags (int num, const struct units *units, char *s, size_t len); - -void -print_flags_table (const struct units *units, FILE *f); - -#endif /* __PARSE_UNITS_H__ */ diff --git a/kerberosIV/roken/resolve.c b/kerberosIV/roken/resolve.c deleted file mode 100644 index 465496ff06b..00000000000 --- a/kerberosIV/roken/resolve.c +++ /dev/null 
@@ -1,319 +0,0 @@
-/* $OpenBSD: resolve.c,v 1.1 1998/08/12 23:45:13 art Exp $ */
-/* $KTH: resolve.c,v 1.16 1998/04/26 14:35:43 assar Exp $ */
-
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <stdlib.h>
-#include <string.h>
-#include "resolve.h"
-
-#define DECL(X) {#X, T_##X}
-
-static struct stot{
- char *name;
- int type;
-}stot[] = {
- DECL(A),
- DECL(NS),
- DECL(CNAME),
- DECL(PTR),
- DECL(MX),
- DECL(TXT),
- DECL(AFSDB),
- DECL(SRV),
- {NULL, 0}
-};
-
-int _resolve_debug;
-
-static int
-string_to_type(const char *name)
-{
- struct stot *p = stot;
- for(p = stot; p->name; p++)
- if(strcasecmp(name, p->name) == 0)
- return p->type;
- return -1;
-}
-
-
-void
-dns_free_data(struct dns_reply *r)
-{
- struct resource_record *rr;
- if(r->q.domain)
- free(r->q.domain);
- for(rr = r->head; rr;){
- struct resource_record *tmp = rr;
- if(rr->domain)
- free(rr->domain);
- if(rr->u.data)
- free(rr->u.data);
- rr = rr->next;
- free(tmp);
- }
- free (r);
-}
-
-static struct dns_reply*
-parse_reply(unsigned char *data, int len)
-{
- unsigned char *p;
- char host[128];
- int status;
-
- struct dns_reply *r;
- struct resource_record **rr;
-
- r = (struct dns_reply*)malloc(sizeof(struct dns_reply));
- if (r == NULL)
- return NULL;
- memset(r, 0, sizeof(struct dns_reply));
-
- p = data;
- memcpy(&r->h, p, sizeof(HEADER));
- p += sizeof(HEADER);
- status = dn_expand(data, data + len, p, host, sizeof(host));
- if(status < 0){
- dns_free_data(r);
- return NULL;
- }
- r->q.domain = strdup(host);
- if(r->q.domain == NULL) { -
dns_free_data(r); - return NULL; - } - p += status; - r->q.type = (p[0] << 8 | p[1]); - p += 2; - r->q.class = (p[0] << 8 | p[1]); - p += 2; - rr = &r->head; - while(p < data + len){ - int type, class, ttl, size; - status = dn_expand(data, data + len, p, host, sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - p += status; - type = (p[0] << 8) | p[1]; - p += 2; - class = (p[0] << 8) | p[1]; - p += 2; - ttl = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; - p += 4; - size = (p[0] << 8) | p[1]; - p += 2; - *rr = (struct resource_record*)calloc(1, - sizeof(struct resource_record)); - if(*rr == NULL) { - dns_free_data(r); - return NULL; - } - (*rr)->domain = strdup(host); - if((*rr)->domain == NULL) { - dns_free_data(r); - return NULL; - } - (*rr)->type = type; - (*rr)->class = class; - (*rr)->ttl = ttl; - (*rr)->size = size; - switch(type){ - case T_NS: - case T_CNAME: - case T_PTR: - status = dn_expand(data, data + len, p, host, sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - (*rr)->u.txt = strdup(host); - if((*rr)->u.txt == NULL) { - dns_free_data(r); - return NULL; - } - break; - case T_MX: - case T_AFSDB:{ - status = dn_expand(data, data + len, p + 2, host, sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - (*rr)->u.mx = (struct mx_record*)malloc(sizeof(struct mx_record) + - strlen(host)); - if((*rr)->u.mx == NULL) { - dns_free_data(r); - return NULL; - } - (*rr)->u.mx->preference = (p[0] << 8) | p[1]; - strcpy((*rr)->u.mx->domain, host); - break; - } - case T_SRV:{ - status = dn_expand(data, data + len, p + 6, host, sizeof(host)); - if(status < 0){ - dns_free_data(r); - return NULL; - } - (*rr)->u.srv = - (struct srv_record*)malloc(sizeof(struct srv_record) + - strlen(host)); - if((*rr)->u.srv == NULL) { - dns_free_data(r); - return NULL; - } - (*rr)->u.srv->priority = (p[0] << 8) | p[1]; - (*rr)->u.srv->weight = (p[2] << 8) | p[3]; - (*rr)->u.srv->port = (p[4] << 8) | p[5]; - 
strcpy((*rr)->u.srv->target, host); - break; - } - case T_TXT:{ - (*rr)->u.txt = (char*)malloc(size + 1); - if((*rr)->u.txt == NULL) { - dns_free_data(r); - return NULL; - } - strncpy((*rr)->u.txt, (char*)p + 1, *p); - (*rr)->u.txt[*p] = 0; - break; - } - - default: - (*rr)->u.data = (unsigned char*)malloc(size); - if((*rr)->u.data == NULL) { - dns_free_data(r); - return NULL; - } - memcpy((*rr)->u.data, p, size); - } - p += size; - rr = &(*rr)->next; - } - *rr = NULL; - return r; -} - -struct dns_reply * -dns_lookup(const char *domain, const char *type_name) -{ - unsigned char reply[1024]; - int len; - int type; - struct dns_reply *r = NULL; - u_long old_options = 0; - - type = string_to_type(type_name); - if (_resolve_debug) { - old_options = _res.options; - _res.options |= RES_DEBUG; - fprintf(stderr, "dns_lookup(%s, %s)\n", domain, type_name); - } - len = res_search(domain, C_IN, type, reply, sizeof(reply)); - if (_resolve_debug) { - _res.options = old_options; - fprintf(stderr, "dns_lookup(%s, %s) --> %d\n", domain, type_name, len); - } - if (len >= 0) - r = parse_reply(reply, len); - return r; -} - -#ifdef TEST -static char * -type_to_string(int type) -{ - struct stot *p = stot; - for(p = stot; p->name; p++) - if(type == p->type) - return p->name; - return NULL; -} - -int -main(int argc, char **argv) -{ - struct dns_reply *r; - struct resource_record *rr; - r = dns_lookup(argv[1], argv[2]); - if(r == NULL){ - printf("No reply.\n"); - return 1; - } - for(rr = r->head; rr;rr=rr->next){ - printf("%s %s %d ", rr->domain, type_to_string(rr->type), rr->ttl); - switch(rr->type){ - case T_NS: - printf("%s\n", (char*)rr->u.data); - break; - case T_A: - printf("%d.%d.%d.%d\n", - ((unsigned char*)rr->u.data)[0], - ((unsigned char*)rr->u.data)[1], - ((unsigned char*)rr->u.data)[2], - ((unsigned char*)rr->u.data)[3]); - break; - case T_MX: - case T_AFSDB:{ - struct mx_record *mx = (struct mx_record*)rr->u.data; - printf("%d %s\n", mx->preference, mx->domain); - break; - } 
- case T_SRV:{ - struct srv_record *srv = (struct srv_record*)rr->u.data; - printf("%d %d %d %s\n", srv->priority, srv->weight, - srv->port, srv->target); - break; - } - default: - printf("\n"); - break; - } - } - - return 0; -} -#endif diff --git a/kerberosIV/roken/resolve.h b/kerberosIV/roken/resolve.h deleted file mode 100644 index c70e52eac0e..00000000000 --- a/kerberosIV/roken/resolve.h +++ /dev/null 
@@ -1,106 +0,0 @@
-/* $OpenBSD: resolve.h,v 1.1 1998/08/12 23:45:14 art Exp $ */
-/* $KTH: resolve.h,v 1.6 1998/03/04 17:37:11 joda Exp $ */
-/*
- * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef __RESOLVE_H__
-#define __RESOLVE_H__
-
-/* We use these, but they are not always present in <arpa/nameser.h> */
-
-#ifndef T_TXT
-#define T_TXT 16
-#endif
-#ifndef T_AFSDB
-#define T_AFSDB 18
-#endif
-#ifndef T_SRV
-#define T_SRV 33
-#endif
-
-struct dns_query{
- char *domain;
- unsigned type;
- unsigned class;
-};
-
-struct mx_record{
- unsigned preference;
- char domain[1];
-};
-
-struct srv_record{
- unsigned priority;
- unsigned weight;
- unsigned port;
- char target[1];
-};
-
-struct resource_record{
- char *domain;
- unsigned type;
- unsigned class;
- unsigned ttl;
- unsigned size;
- union {
- void *data;
- struct mx_record *mx;
- struct mx_record *afsdb; /* mx and afsdb are identical */
- struct srv_record *srv;
- struct in_addr *a;
- char *txt;
- }u;
- struct resource_record *next;
-};
-
-#ifndef T_A /* XXX if <arpa/nameser.h> isn't included */
-typedef int HEADER; /* will never be used */
-#endif
-
-struct dns_reply{
- HEADER h;
- struct dns_query q;
- struct resource_record *head;
-};
-
-
-struct dns_reply* dns_lookup(const char *, const char *);
-
-void dns_free_data(struct dns_reply *r);
-
-#endif /* __RESOLVE_H__ */
diff --git a/kerberosIV/roken/simple_exec.c b/kerberosIV/roken/simple_exec.c
deleted file mode 100644
index fe8766f712d..00000000000
--- a/kerberosIV/roken/simple_exec.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/* $OpenBSD: simple_exec.c,v 1.1 1998/08/12 23:53:53 art Exp $ */
-/* $KTH: simple_exec.c,v 1.1 1998/03/19 19:41:19 joda Exp $ */
-
-/*
- * Copyright (c) 1998 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <stdarg.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-#include <errno.h>
-
-#define EX_NOEXEC 126
-#define EX_NOTFOUND 127
-
-/* return values:
- -1 on `unspecified' system errors
- -2 on fork failures
- -3 on waitpid errors
- 0- is return value from subprocess
- 126 if the program couldn't be executed
- 127 if the program couldn't be found
- 128- is 128 + signal that killed subprocess
- */
-
-int
-simple_execvp(const char *file, char *const args[])
-{
- pid_t pid = fork();
- switch(pid){
- case -1:
- return -2;
- case 0:
- execvp(file, args);
- exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
- default:
- while(1) {
- int status;
- if(waitpid(pid, &status, 0) < 0) {
- return -3;
- }
- if(WIFSTOPPED(status))
- continue;
- if(WIFEXITED(status))
- return WEXITSTATUS(status);
- if(WIFSIGNALED(status))
- return WTERMSIG(status) + 128;
- }
- }
-}
-
-int
-simple_execlp(const char *file, ...)
-{
- va_list ap;
- char **argv;
- int argc, i;
-
- argc = i = 0;
- va_start(ap, file);
- do {
- if(i == argc) {
- char **tmp = realloc(argv, (argc + 5) * sizeof(*argv));
- if(tmp == NULL) {
- errno = ENOMEM;
- return -1;
- }
- argv = tmp;
- argc += 5;
- }
- argv[i++] = va_arg(ap, char*);
- } while(argv[i - 1] != NULL);
- va_end(ap);
- i = simple_execvp(file, argv);
- free(argv);
- return i;
-}
diff --git a/kerberosIV/roken/simple_exec.h b/kerberosIV/roken/simple_exec.h
deleted file mode 100644
index e22e33423fb..00000000000
--- a/kerberosIV/roken/simple_exec.h
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef SIMPLE_EXEC_H
-#define SIMPLE_EXEC_H
-
-int simple_execvp(const char *file, char *const args[]);
-int simple_execlp(const char *file, ...);
-
-#endif
|