author | Artur Grabowski <art@cvs.openbsd.org> | 1997-11-28 12:49:35 +0000 |
---|---|---|
committer | Artur Grabowski <art@cvs.openbsd.org> | 1997-11-28 12:49:35 +0000 |
commit | c7b7a71f79cef9dbb230f353d9bbf3d6ef3a5aed (patch) | |
tree | 5817f345511882de1c9e1a57f3095352ce671421 /kerberosIV | |
parent | 0857c8c45edb4fe59f82903f40d99a3aa19a04f7 (diff) |
The first big step towards a complete upgrade to kth-krb4-0.9.7
Diffstat (limited to 'kerberosIV')
110 files changed, 8674 insertions, 6717 deletions
diff --git a/kerberosIV/Makefile b/kerberosIV/Makefile index 730a24d1f5b..2868f4cc819 100644 --- a/kerberosIV/Makefile +++ b/kerberosIV/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.10 1997/06/29 14:54:18 provos Exp $ +# $OpenBSD: Makefile,v 1.11 1997/11/28 12:48:37 art Exp $ # from @(#)Makefile 5.1 (Berkeley) 6/25/90 SUBDIR= @@ -9,10 +9,12 @@ SUBDIR+=include SUBDIR+=acl krb kadm kafs kdb -SUBDIR+=ext_srvtab kadmin kadmind kdb_destroy kdb_edit kdb_init kdb_util \ - kdestroy kerberos kinit klist kpasswdd kprop kpropd ksrvtgt ksrvutil \ +SUBDIR+=ext_srvtab kadmin kdb_destroy kdb_edit kdb_init kdb_util \ + kdestroy kerberos kinit klist kprop kpropd ksrvtgt ksrvutil \ kstash make_keypair register registerd +#removed: kpasswdd kadmind + SUBDIR+=man build: diff --git a/kerberosIV/include/kafs_locl.h b/kerberosIV/include/kafs_locl.h new file mode 100644 index 00000000000..0971f359469 --- /dev/null +++ b/kerberosIV/include/kafs_locl.h 
@@ -0,0 +1,90 @@ +/* $KTH: kafs_locl.h,v 1.7 1997/10/14 22:57:11 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#ifndef __KAFS_LOCL_H__ +#define __KAFS_LOCL_H__ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <signal.h> +#include <setjmp.h> +#include <errno.h> + +#include <sys/types.h> +#include <unistd.h> +#include <sys/ioctl.h> +#include <sys/filio.h> + +#include <sys/syscall.h> +#include <sys/socket.h> +#include <netinet/in.h> + +#include <netdb.h> + +#include <arpa/nameser.h> +#include <resolv.h> + +#include <kerberosIV/krb.h> +#include <kerberosIV/kafs.h> + +#include "afssysdefs.h" + +struct kafs_data; +typedef int (*afslog_uid_func_t)(struct kafs_data*, const char*, uid_t); + +typedef int (*get_cred_func_t)(struct kafs_data*, const char*, const char*, + const char*, CREDENTIALS*); + +typedef char* (*get_realm_func_t)(struct kafs_data*, const char*); + +typedef struct kafs_data { + afslog_uid_func_t afslog_uid; + get_cred_func_t get_cred; + get_realm_func_t get_realm; + void *data; +} kafs_data; + +int _kafs_afslog_all_local_cells(kafs_data*, uid_t); + +int _kafs_get_cred(kafs_data*, const char*, const char*, const char *, + CREDENTIALS*); + +#endif /* __KAFS_LOCL_H__ */ diff --git a/kerberosIV/include/kerberosIV/kafs.h b/kerberosIV/include/kerberosIV/kafs.h index d085e8f98ad..d67d0f3b1ea 100644 --- a/kerberosIV/include/kerberosIV/kafs.h +++ b/kerberosIV/include/kerberosIV/kafs.h 
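Review bot: `get_realm_func_t` returns a `char*` with no statement of who owns the string; the one implementation this commit adds (afskrb.c's `get_realm`) returns `strdup()` output, so callers of the hook must `free()` it or leak once per lookup. A comment on the typedef would pin the contract: `/* returns a malloc()ed realm string (caller frees), or NULL */`. The same applies to `get_cred_func_t`, which fills a caller-supplied `CREDENTIALS` and so should say the caller is responsible for clearing it afterwards. Minor: the guard `__KAFS_LOCL_H__` uses a double-underscore name reserved for the implementation; `KAFS_LOCL_H` avoids that.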
@@ -1,21 +1,63 @@ -/* $Id: kafs.h,v 1.1 1995/12/14 06:52:34 tholo Exp $ */ +/* $KTH: kafs.h,v 1.24 1997/10/14 23:00:16 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ #ifndef __KAFS_H #define __KAFS_H +/* XXX must include krb5.h or krb.h */ + +/* sys/ioctl.h must be included manually before kafs.h */ + +/* + */ #define AFSCALL_PIOCTL 20 #define AFSCALL_SETPAG 21 #ifndef _VICEIOCTL -#if defined(__STDC__) || defined(sgi) #define _VICEIOCTL(id) ((unsigned int ) _IOW('V', id, struct ViceIoctl)) -#else -#define _VICEIOCTL(id) ((unsigned int ) _IOW(V, id, struct ViceIoctl)) -#endif #endif /* _VICEIOCTL */ -#define VIOCSETTOK _VICEIOCTL(3) -#define VIOCUNLOG _VICEIOCTL(9) +#define VIOCSETTOK _VICEIOCTL(3) +#define VIOCGETTOK _VICEIOCTL(8) +#define VIOCUNLOG _VICEIOCTL(9) +#define VIOC_FILE_CELL_NAME _VICEIOCTL(30) struct ViceIoctl { caddr_t in, out; 
@@ -36,12 +78,44 @@ struct ClearToken { int k_hasafs __P((void)); -int k_afsklog __P((char *realm)); +int krb_afslog __P((const char *cell, const char *realm)); +int krb_afslog_uid __P((const char *cell, const char *realm, uid_t uid)); +/* compat */ +#define k_afsklog krb_afslog +#define k_afsklog_uid krb_afslog_uid + int k_pioctl __P((char *a_path, int o_opcode, struct ViceIoctl *a_paramsP, int a_followSymlinks)); int k_unlog __P((void)); int k_setpag __P((void)); +int k_afs_cell_of_file __P((const char *path, char *cell, int len)); + +/* XXX */ +#ifdef KFAILURE +#define KRB_H_INCLUDED +#endif + +#ifdef KRB5_RECVAUTH_IGNORE_VERSION +#define KRB5_H_INCLUDED +#endif + +#ifdef KRB_H_INCLUDED +int kafs_settoken __P((const char*, uid_t, CREDENTIALS*)); +#endif + +#ifdef KRB5_H_INCLUDED +krb5_error_code krb5_afslog_uid __P((krb5_context, krb5_ccache, + const char*, krb5_const_realm, uid_t)); +krb5_error_code krb5_afslog __P((krb5_context, krb5_ccache, + const char*, krb5_const_realm)); +#endif + + +#define _PATH_VICE "/usr/vice/etc/" +#define _PATH_THISCELL _PATH_VICE "ThisCell" +#define _PATH_CELLSERVDB _PATH_VICE "CellServDB" +#define _PATH_THESECELLS _PATH_VICE "TheseCells" #endif /* __KAFS_H */ diff --git a/kerberosIV/include/kerberosIV/krb.h b/kerberosIV/include/kerberosIV/krb.h index 9397884e53d..20ac571badf 100644 --- a/kerberosIV/include/kerberosIV/krb.h +++ b/kerberosIV/include/kerberosIV/krb.h @@ -1,6 +1,7 @@ -/* $Id: krb.h,v 1.4 1997/06/29 10:48:36 provos Exp $ */ +/* $Id: krb.h,v 1.5 1997/11/28 12:48:41 art Exp $ */ +/* $KTH: krb.h,v 1.85 1997/10/24 10:18:16 assar Exp $ */ -/*- +/* * Copyright 1987, 1988 by the Student Information Processing Board * of the Massachusetts Institute of Technology * 
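Review bot: The compat macro `#define k_afsklog krb_afslog` preserves only the name, not the old contract: the removed declaration was `k_afsklog(char *realm)`, while `krb_afslog` takes `(const char *cell, const char *realm)`. An untouched `k_afsklog(realm)` call now fails the arity check, and a caller that "fixes" it by adding a second argument risks passing its realm string in the cell position. The comment should say so: `/* compat: names only - krb_afslog takes (cell, realm); old k_afsklog took (realm), so callers must be updated */`. The same holds for `k_afsklog_uid`.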
@@ -21,13 +22,14 @@ * Include file for the Kerberos library. */ -/* Only one time, please */ -#ifndef KRB_DEFS -#define KRB_DEFS - #include <sys/cdefs.h> #include <sys/types.h> +#ifndef __KRB_H__ +#define __KRB_H__ + +__BEGIN_DECLS + /* Include site.h file to define paths */ #include <kerberosIV/site.h> @@ -35,16 +37,19 @@ #include <des.h> /* Global library variables. */ +extern int krb_ignore_ip_address; /* To turn off IP address comparison */ +extern int krb_no_long_lifetimes; /* To disable AFS compatible lifetimes */ extern int krbONE; #define HOST_BYTE_ORDER (* (char *) &krbONE) -extern int private_msg_ver; /* in rd_priv.c */ -extern int req_act_vno; /* this is defined in the kerberos server code */ - /* Text describing error codes */ #define MAX_KRB_ERRORS 256 extern const char *krb_err_txt[MAX_KRB_ERRORS]; +/* Use this function rather than indexing in krb_err_txt */ +const char *krb_get_err_text __P((int code)); + + /* General definitions */ #define KSUCCESS 0 #define KFAILURE 255 
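Review bot: The comment on `extern int krb_ignore_ip_address;` says what the flag turns off but not what that costs; the comparison it disables is presumably the one tying a ticket to the client's address, so a reader enabling it for translated networks should see the trade-off at the declaration. Suggested: `/* non-zero disables client IP address comparison; weakens the binding of tickets to the presenting host - keep 0 unless address translation makes the check unusable (confirm default in the definition) */`. Similarly, the note on `krb_get_err_text` would help more if it stated the reason, e.g. `/* Use this rather than indexing krb_err_txt: a code outside 0..MAX_KRB_ERRORS-1 would read past the table */`, hedged if the implementation's range check is not in this commit.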
@@ -54,33 +59,68 @@ extern const char *krb_err_txt[MAX_KRB_ERRORS]; * * KRBLOG is the log file for the kerberos master server. KRB_CONF is * the configuration file where different host machines running master - * and slave servers can be found. + * and slave servers can be found. KRB_MASTER is the name of the + * machine with the master database. The admin_server runs on this + * machine, and all changes to the db (as opposed to read-only + * requests, which can go to slaves) must go to it. KRB_HOST is the + * default machine * when looking for a kerberos slave server. Other + * possibilities are * in the KRB_CONF file. KRB_REALM is the name of + * the realm. */ +/* /etc/kerberosIV is only for backwards compatibility, don't use it! */ +#ifndef KRB_CONF +#define KRB_CONF "/etc/krb.conf" +#endif +#ifndef KRB_RLM_TRANS +#define KRB_RLM_TRANS "/etc/krb.realms" +#endif +#ifndef KRB_CNF_FILES +#define KRB_CNF_FILES { KRB_CONF, "/etc/kerberosIV/krb.conf", 0} +#endif +#ifndef KRB_RLM_FILES +#define KRB_RLM_FILES { KRB_RLM_TRANS, "/etc/kerberosIV/krb.realms", 0} +#endif +#ifndef KRB_EQUIV +#define KRB_EQUIV "/etc/krb.equiv" +#endif +#define KRB_MASTER "kerberos" +#ifndef KRB_REALM +#define KRB_REALM (krb_get_default_realm()) +#endif + /* The maximum sizes for aname, realm, sname, and instance +1 */ #define ANAME_SZ 40 #define REALM_SZ 40 #define SNAME_SZ 40 #define INST_SZ 40 -/* include space for '.' 
and '@' */ -#define MAX_K_NAME_SZ (ANAME_SZ + INST_SZ + REALM_SZ + 2) +/* Leave space for quoting */ +#define MAX_K_NAME_SZ (2*ANAME_SZ + 2*INST_SZ + 2*REALM_SZ - 3) #define KKEY_SZ 100 #define VERSION_SZ 1 #define MSG_TYPE_SZ 1 #define DATE_SZ 26 /* RTI date output */ -#define MAX_HSTNM 100 +#define MAX_HSTNM 100 /* for compatibility */ + +typedef struct krb_principal{ + char name[ANAME_SZ]; + char instance[INST_SZ]; + char realm[REALM_SZ]; +}krb_principal; #ifndef DEFAULT_TKT_LIFE /* allow compile-time override */ /* default lifetime for krb_mk_req & co., 10 hrs */ #define DEFAULT_TKT_LIFE 120 #endif +#define KRB_TICKET_GRANTING_TICKET "krbtgt" + /* Definition of text structure used to pass text around */ #define MAX_KTXT_LEN 1250 struct ktext { - int length; /* Length of the text */ + unsigned int length; /* Length of the text */ unsigned char dat[MAX_KTXT_LEN]; /* The data itself */ u_int32_t mbz; /* zero to catch runaway strings */ }; @@ -101,6 +141,10 @@ typedef struct ktext KTEXT_ST; /* Parameters for rd_ap_req */ /* Maximum alloable clock skew in seconds */ #define CLOCK_SKEW 5*60 +/* Filename for readservkey */ +#ifndef KEYFILE +#define KEYFILE "/etc/srvtab" +#endif /* Structure definition for rd_ap_req */ @@ -149,6 +193,16 @@ struct msg_dat { typedef struct msg_dat MSG_DAT; +struct krb_host { + char *realm; + char *host; + enum krb_host_proto { PROTO_UDP, PROTO_TCP, PROTO_HTTP } proto; + int port; + int admin; +}; + +struct krb_host *krb_get_host __P((int, char*, int)); + /* Location of ticket file for save_cred and get_cred */ #define TKT_FILE tkt_string() @@ -226,6 +280,7 @@ typedef struct msg_dat MSG_DAT; /* Values returned by get_adtkt */ #define AD_OK 0 /* Ticket Obtained */ #define AD_NOTGT 71 /* Don't have tgt */ +#define AD_INTR_RLM_NOTGT 72 /* Can't get inter-realm tgt */ /* Error codes returned by ticket file utilities */ #define NO_TKT_FIL 76 /* No ticket file found */ 
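Review bot: The new `MAX_K_NAME_SZ (2*ANAME_SZ + 2*INST_SZ + 2*REALM_SZ - 3)` replaces a comment that explained the old formula with one that does not explain the new one; the constant is what every fully-qualified-name buffer in the tree is sized from, so its derivation belongs next to it: `/* Leave space for quoting: three components of at most SZ-1 chars, each up to doubled when escaped, plus '.', '@' and the NUL: 3*2*(SZ-1) + 2 + 1 = 6*SZ - 3 */`. In the same hunk, `struct ktext.length` changes from `int` to `unsigned int`; any existing `length < 0` sanity test in callers becomes dead code without a warning, so a one-line note on the field (`/* unsigned since 0.9.7: bound-check against MAX_KTXT_LEN, not against 0 */`) would steer maintainers to the right check.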
@@ -257,7 +312,7 @@ typedef struct msg_dat MSG_DAT; swab(((char *) x) +10,((char *) _krb_swap_tmp) +4 ,2); \ swab(((char *) x) +12,((char *) _krb_swap_tmp) +2 ,2); \ swab(((char *) x) +14,((char *) _krb_swap_tmp) +0 ,2); \ - bcopy((char *)_krb_swap_tmp,(char *)x,16);\ + memcpy(x, _krb_swap_tmp, 16);\ } #define swap_u_12(x) {\ @@ -268,7 +323,7 @@ typedef struct msg_dat MSG_DAT; swab(((char *) x) +6, ((char *) _krb_swap_tmp) +4 ,2); \ swab(((char *) x) +8, ((char *) _krb_swap_tmp) +2 ,2); \ swab(((char *) x) +10,((char *) _krb_swap_tmp) +0 ,2); \ - bcopy((char *)_krb_swap_tmp,(char *)x,12);\ + memcpy(x, _krb_swap_tmp, 12);\ } #define swap_C_Block(x) {\ @@ -277,7 +332,7 @@ typedef struct msg_dat MSG_DAT; swab(((char *) x) +2,((char *) _krb_swap_tmp) +4 ,2); \ swab(((char *) x) +4,((char *) _krb_swap_tmp) +2 ,2); \ swab(((char *) x) +6,((char *) _krb_swap_tmp) ,2); \ - bcopy((char *)_krb_swap_tmp,(char *)x,8);\ + memcpy(x, _krb_swap_tmp, 8);\ } #define swap_u_quad(x) {\ u_int32_t _krb_swap_tmp[4];\ @@ -285,7 +340,7 @@ typedef struct msg_dat MSG_DAT; swab(((char *) &x) +2,((char *) _krb_swap_tmp) +4 ,2); \ swab(((char *) &x) +4,((char *) _krb_swap_tmp) +2 ,2); \ swab(((char *) &x) +6,((char *) _krb_swap_tmp) ,2); \ - bcopy((char *)_krb_swap_tmp,(char *)&x,8);\ + memcpy(x, _krb_swap_tmp, 8);\ } #define swap_u_long(x) {\ 
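Review bot: In the `swap_u_quad` hunk (`@@ -285,7 +340,7 @@`) the replacement `memcpy(x, _krb_swap_tmp, 8);\` drops the address-of that the removed `bcopy((char *)_krb_swap_tmp,(char *)&x,8)` and the surrounding `swab(((char *) &x) ...)` lines still use, so the macro now copies into whatever `x` evaluates to rather than into `x` itself: for an integer argument that does not compile, and for a pointer-typed argument it silently writes 8 bytes through the pointer. It should read `memcpy(&x, _krb_swap_tmp, 8);\`. The three preceding swap macros on this line operate on `x` as a pointer throughout, so their `bcopy`-to-`memcpy` conversions are consistent; only `swap_u_quad` mixes `&x` and `x`.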
@@ -320,17 +375,29 @@ typedef struct msg_dat MSG_DAT; * a hostname */ +#define KOPT_IGNORE_PROTOCOL 0x0008 + #define KRB_SENDAUTH_VLEN 8 /* length for version strings */ -#ifdef ATHENA_COMPAT -#define KOPT_DO_OLDSTYLE 0x00000008 /* use the old-style protocol */ -#endif /* ATHENA_COMPAT */ -struct tm; +/* File locking */ +#define K_LOCK_SH 1 /* Shared lock */ +#define K_LOCK_EX 2 /* Exclusive lock */ +#define K_LOCK_NB 4 /* Don't block when locking */ +#define K_LOCK_UN 8 /* Unlock */ +int k_flock __P((int fd, int operation)); struct tm *k_localtime __P((u_int32_t *)); +int k_getsockinst __P((int fd, char *inst, size_t)); +int k_getportbyname __P((const char *service, const char *proto, int default_port)); + +extern char *krb4_version; + +struct in_addr; + +int k_get_all_addrs __P((struct in_addr **l)); -/* --- Random prototypes */ -#include <sys/types.h> /* to get u_char */ +/* Host address comparison */ +int krb_equiv __P((u_int32_t, u_int32_t)); /* Password conversion */ void mit_string_to_key __P((char *str, char *cell, des_cblock *key)); 
@@ -346,20 +413,25 @@ int krb_atime_to_life __P((char *atime)); int tf_get_cred __P((CREDENTIALS *)); int tf_get_pinst __P((char *)); int tf_get_pname __P((char *)); +int tf_put_pinst __P((char *)); +int tf_put_pname __P((char *)); int tf_init __P((char *, int)); +int tf_create __P((char *)); int tf_save_cred __P((char *, char *, char *, unsigned char *, int , int , KTEXT ticket, u_int32_t)); void tf_close __P((void)); +int tf_setup __P((CREDENTIALS *cred, char *pname, char *pinst)); /* Private communication */ struct sockaddr_in; -int32_t krb_mk_priv __P((u_char *, u_char *, u_int32_t , struct des_ks_struct *, des_cblock *, struct sockaddr_in *, struct sockaddr_in *)); -int32_t krb_rd_priv __P((u_char *, u_int32_t, struct des_ks_struct *, des_cblock *, struct sockaddr_in *, struct sockaddr_in *, MSG_DAT *)); + +int32_t krb_mk_priv __P((void *, void *, u_int32_t, struct des_ks_struct *, des_cblock *, struct sockaddr_in *, struct sockaddr_in *)); +int32_t krb_rd_priv __P((void *, u_int32_t, struct des_ks_struct *, des_cblock *, struct sockaddr_in *, struct sockaddr_in *, MSG_DAT *)); /* Misc */ KTEXT create_auth_reply __P((char *, char *, char *, int32_t, int, u_int32_t, int, KTEXT)); -char *krb_get_phost __P((char *)); -char *krb_realmofhost __P((char *)); +char *krb_get_phost __P((const char *)); +char *krb_realmofhost __P((const char *)); char *tkt_string __P((void)); int create_ciph __P((KTEXT, unsigned char *, char *, char *, char *, u_int32_t, int, KTEXT, u_int32_t, des_cblock *)); 
@@ -368,56 +440,103 @@ int dest_tkt __P((void)); int get_ad_tkt __P((char *, char *, char *, int)); int get_pw_tkt __P((char *, char *, char *, char *)); int get_request __P((KTEXT, int, char **, char **)); -int get_request __P((KTEXT, int, char **, char **)); int in_tkt __P((char *, char *)); +int k_gethostname __P((char *, int )); int k_isinst __P((char *)); int k_isname __P((char *)); int k_isrealm __P((char *)); int kname_parse __P((char *, char *, char *, char *)); -int krb_create_ticket __P((KTEXT, unsigned char, char *, char *, char *, int32_t, char *, int16_t, int32_t, char *, char *, des_cblock *)); -int krb_get_admhst __P((char *, char *, int)); +int krb_parse_name __P((const char*, krb_principal*)); +char *krb_unparse_name __P((krb_principal*)); +char *krb_unparse_name_r __P((krb_principal*, char*)); +char *krb_unparse_name_long __P((char*, char*, char*)); +char *krb_unparse_name_long_r __P((char *name, char *instance, char *realm, char *fullname)); +int krb_create_ticket __P((KTEXT, unsigned char, char *, char *, char *, int32_t, void *, int16_t, int32_t, char *, char *, des_cblock *)); int krb_get_admhst __P((char *, char *, int)); int krb_get_cred __P((char *, char *, char *, CREDENTIALS *)); -int krb_get_in_tkt __P((char *, char *, char *, char *, char *, int , int (*key_proc) (/* ??? */), int (*decrypt_proc) (/* ??? 
*/), char *)); -int krb_get_krbhst __P((char *, char *, int)); -int krb_get_krbhst __P((char *, char *, int)); + +typedef int (*key_proc_t) __P((char*, char*, char*, void*, des_cblock*)); + +typedef int (*decrypt_proc_t) __P((char*, char*, char*, void*, + key_proc_t, KTEXT*)); + +int krb_mk_as_req __P((char*, char*, char*, char*, char*, int, KTEXT)); +int krb_decode_as_rep __P((char*, char*, char*, char*, char*, + key_proc_t, decrypt_proc_t, void*, + KTEXT, CREDENTIALS*)); +int krb_get_in_tkt __P((char*, char*, char*, char*, char*, int, key_proc_t, + decrypt_proc_t, void*)); + +int srvtab_to_key __P((char *, char *, char *, void *, des_cblock *)); +int passwd_to_key __P((char *, char *, char *, void *, des_cblock *)); +int passwd_to_afskey __P((char *, char *, char *, void *, des_cblock *)); + int krb_get_krbhst __P((char *, char *, int)); int krb_get_lrealm __P((char *, int)); +char *krb_get_default_realm __P((void)); int krb_get_pw_in_tkt __P((char *, char *, char *, char *, char *, int, char *)); int krb_get_svc_in_tkt __P((char *, char *, char *, char *, char *, int, char *)); int krb_get_tf_fullname __P((char *, char *, char *, char *)); int krb_get_tf_realm __P((char *, char *)); int krb_kntoln __P((AUTH_DAT *, char *)); int krb_mk_req __P((KTEXT , char *, char *, char *, int32_t)); -int krb_net_read __P((int , char *, int)); -int krb_net_write __P((int , char *, int)); +int krb_net_read __P((int , void *, size_t)); +int krb_net_write __P((int , const void *, size_t)); int krb_rd_err __P((u_char *, u_int32_t, int32_t *, MSG_DAT *)); int krb_rd_req __P((KTEXT , char *, char *, int32_t, AUTH_DAT *, char *)); int krb_recvauth __P((int32_t, int, KTEXT, char *, char *, struct sockaddr_in *, struct sockaddr_in *, AUTH_DAT *, char *, struct des_ks_struct *, char *)); int krb_sendauth __P((int32_t, int, KTEXT, char *, char *, char *, u_int32_t, MSG_DAT *, CREDENTIALS *, struct des_ks_struct *, struct sockaddr_in *, struct sockaddr_in *, char *)); -int krb_set_key 
__P((char *, int)); +int krb_mk_auth __P((int32_t, KTEXT, char *, char *, char *, u_int32_t, char *, KTEXT)); +int krb_check_auth __P((KTEXT, u_int32_t, MSG_DAT *, des_cblock *, struct des_ks_struct *, struct sockaddr_in *, struct sockaddr_in *)); +int krb_set_key __P((void *, int)); int krb_set_lifetime __P((int)); +int krb_kuserok __P((char *, char *, char *, char *)); int kuserok __P((AUTH_DAT *, char *)); int read_service_key __P((char *, char *, char *, int , char *, char *)); int save_credentials __P((char *, char *, char *, unsigned char *, int , int , KTEXT , int32_t)); int send_to_kdc __P((KTEXT , KTEXT , char *)); int32_t krb_mk_err __P((u_char *, int32_t, char *)); -int32_t krb_mk_safe __P((u_char *, u_char *, u_int32_t, des_cblock *, struct sockaddr_in *, struct sockaddr_in *)); -int32_t krb_rd_safe __P((u_char *, u_int32_t, des_cblock *, struct sockaddr_in *, struct sockaddr_in *, MSG_DAT *)); +int32_t krb_mk_safe __P((void *, void *, u_int32_t, des_cblock *, struct sockaddr_in *, struct sockaddr_in *)); +int32_t krb_rd_safe __P((void *, u_int32_t, des_cblock *, struct sockaddr_in *, struct sockaddr_in *, MSG_DAT *)); void ad_print __P((AUTH_DAT *)); void cr_err_reply __P((KTEXT, char *, char *, char *, u_int32_t, u_int32_t, char *)); void extract_ticket __P((KTEXT, int, char *, int *, int *, char *, KTEXT)); -void krb_set_tkt_string __P((char *)); +void krb_set_tkt_string __P((const char *)); -void kset_logfile __P((char *)); -void set_logfile __P((char *)); - -void log (); -char *klog (); +int krb_get_default_principal __P((char *, char *, char *)); +int krb_realm_parse __P((char *, int)); +int krb_verify_user __P((char*, char*, char*, char*, int, char *)); int getst __P((int, char *, int)); +const char *month_sname __P((int)); +const char *krb_stime __P((time_t *)); +struct tm; +int krb_check_tm __P((struct tm)); + +int krb_get_int __P((void *from, u_int32_t *to, int size, int lsb)); +int krb_put_int __P((u_int32_t from, void *to, int size)); +int 
krb_get_address __P((void *from, u_int32_t *to)); +int krb_put_address __P((u_int32_t addr, void *to)); +int krb_put_string __P((char *from, void *to)); +int krb_get_string __P((void *from, char *to)); +int krb_get_nir __P((void *from, char *name, char *instance, char *realm)); +int krb_put_nir __P((char *name, char *instance, char *realm, void *to)); + +/* XXX - this should really be somewhere else (from libroken)*/ +char *strtok_r __P((char *s1, const char *s2, char **lasts)); +int base64_encode __P((const void *data, int size, char **str)); +int base64_decode __P((const char *str, void *data)); + +#if !defined(__GNUC__) && !defined(__attribute__) +#define __attribute__(x) +#endif + +int asprintf (char **ret, const char *format, ...) + __attribute__ ((format (printf, 2, 3))); + +__END_DECLS -#endif /* KRB_DEFS */ +#endif /* __KRB_H__ */ diff --git a/kerberosIV/include/klog.h b/kerberosIV/include/klog.h index 7053d77278e..331ed34bfef 100644 --- a/kerberosIV/include/klog.h +++ b/kerberosIV/include/klog.h @@ -1,6 +1,6 @@ -/* $Id: klog.h,v 1.1 1995/12/14 06:52:34 tholo Exp $ */ +/* $KTH: klog.h,v 1.5 1997/05/11 11:05:28 assar Exp $ */ -/*- +/* * Copyright 1988 by the Massachusetts Institute of Technology. * * For copying and distribution information, please see the file @@ -13,6 +13,12 @@ #ifndef KLOG_DEFS #define KLOG_DEFS +#ifndef KRBLOG +#define KRBLOG "/var/log/kerberos.log" /* master server */ +#endif +#ifndef KRBSLAVELOG +#define KRBSLAVELOG "/var/log/kerberos_slave.log" /* slave server */ +#endif #define NLOGTYPE 100 /* Maximum number of log msg types */ #define L_NET_ERR 1 /* Error in network code */ @@ -32,6 +38,10 @@ #define L_APPL_REQ 15 /* Application requests (using tgt) */ #define L_KRB_PWARN 16 /* Protocol warning messages */ -char *klog(); +char * klog __P((int type, const char *format, ...)) +#ifdef __GNUC__ +__attribute__ ((format (printf, 2, 3))) +#endif +; #endif /* KLOG_DEFS */ 
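Review bot: The new wire-decoding prototypes `krb_get_string __P((void *from, char *to))` and `krb_get_nir __P((void *from, char *name, char *instance, char *realm))` give the caller no way to bound the writes into `to`/`name`/`instance`/`realm`, and the header does not say what size those buffers must be or whether the implementation truncates; since the source is packet data, this is exactly where a reader needs the contract. Suggested comment above them: `/* to/name/instance/realm must hold ANAME_SZ/INST_SZ/REALM_SZ bytes respectively; confirm in the implementation whether input longer than that is rejected or truncated */`. The same gap exists for `krb_unparse_name_r` and `krb_unparse_name_long_r`, whose result buffer presumably needs `MAX_K_NAME_SZ` bytes; stating that next to the declaration is cheaper than a later overflow. Fixing the arity in `int asprintf (char **ret, const char *format, ...)` is fine, but declaring a libc function here may clash with the system prototype; consider guarding it.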
diff --git a/kerberosIV/include/krb_log.h b/kerberosIV/include/krb_log.h new file mode 100644 index 00000000000..53e846d70f1 --- /dev/null +++ b/kerberosIV/include/krb_log.h 
@@ -0,0 +1,83 @@ +/* $KTH krb_log.h,v 1.2 1997/09/26 17:40:33 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include <kerberosIV/krb.h> + +#ifndef __KRB_LOG_H__ +#define __KRB_LOG_H__ + +#if !defined(__GNUC__) && !defined(__attribute__) +#define __attribute__(X) +#endif + +__BEGIN_DECLS + +/* logging.c */ + +typedef int (*krb_log_func_t) __P((FILE *, const char *, va_list)); + +typedef krb_log_func_t krb_warnfn_t; + +struct krb_log_facility; + +int krb_vlogger __P((struct krb_log_facility*, const char *, va_list)) + __attribute__ ((format (printf, 2, 0))); +int krb_logger __P((struct krb_log_facility*, const char *, ...)) + __attribute__ ((format (printf, 2, 3))); +int krb_openlog __P((struct krb_log_facility*, char*, FILE*, krb_log_func_t)); + +void krb_set_warnfn __P((krb_warnfn_t)); +krb_warnfn_t krb_get_warnfn __P((void)); +void krb_warning __P((const char*, ...)) + __attribute__ ((format (printf, 1, 2))); + +void kset_logfile __P((char*)); +void krb_log __P((const char*, ...)) + __attribute__ ((format (printf, 1, 2))); +char *klog __P((int, const char*, ...)) + __attribute__ ((format (printf, 2, 3))); + +__END_DECLS + +#endif /* __KRB_LOG_H__ */ + + + + diff --git a/kerberosIV/include/kuser_locl.h b/kerberosIV/include/kuser_locl.h index 15f24c285de..c15ee92591b 100644 --- a/kerberosIV/include/kuser_locl.h +++ b/kerberosIV/include/kuser_locl.h 
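Review bot: `krb_log.h` uses `FILE *` in `krb_log_func_t` and `krb_openlog`, and `va_list` in the same typedef and in `krb_vlogger`, but the only include is `<kerberosIV/krb.h>`; the krb.h hunks in this commit show it pulling in `<sys/cdefs.h>`, `<sys/types.h>`, `<kerberosIV/site.h>` and `<des.h>`, not `<stdio.h>` or `<stdarg.h>`, so unless one of those does it transitively this header is not self-contained. Add `#include <stdio.h>` and `#include <stdarg.h>` inside the guard, after the existing include. The `#include <kerberosIV/krb.h>` sitting above `#ifndef __KRB_LOG_H__` looks deliberate (krb.h has its own guard) but deserves a one-line comment, and the four trailing blank lines before the next file can go.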
@@ -1,6 +1,47 @@ -/* $Id: kuser_locl.h,v 1.1 1995/12/14 06:52:33 tholo Exp $ */ +/* $Id: kuser_locl.h,v 1.2 1997/11/28 12:48:39 art Exp $ */ +/* $KTH: kuser_locl.h,v 1.10 1997/05/20 18:40:43 bg Exp $ */ -#include "kerberosIV/site.h" + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + + +#include <kerberosIV/site.h> #include <stdio.h> #include <stdlib.h> @@ -12,8 +53,17 @@ #include <fcntl.h> #include <time.h> #include <sys/file.h> +#include <sys/socket.h> +#include <netinet/in.h> #include <pwd.h> +#include <err.h> + #include <kerberosIV/krb.h> +#include <kerberosIV/krb_db.h> +#include <kerberosIV/kadm.h> #include <prot.h> + + + diff --git a/kerberosIV/include/prot.h b/kerberosIV/include/prot.h index 4a0a29ae101..629ea104e2f 100644 --- a/kerberosIV/include/prot.h +++ b/kerberosIV/include/prot.h @@ -1,6 +1,6 @@ -/* $Id: prot.h,v 1.1 1995/12/14 06:52:33 tholo Exp $ */ +/* $KTH: prot.h,v 1.7 1997/03/23 03:52:27 joda Exp $ */ -/*- +/* * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute * of Technology. * @@ -13,12 +13,12 @@ #ifndef PROT_DEFS #define PROT_DEFS +#define KRB_SERVICE "kerberos-iv" #define KRB_PORT 750 /* PC's don't have * /etc/services */ #define KRB_PROT_VERSION 4 #define MAX_PKT_LEN 1000 #define MAX_TXT_LEN 1000 -#define TICKET_GRANTING_TICKET "krbtgt" /* Macro's to obtain various fields from a packet */ 
@@ -57,8 +57,12 @@ /* Routines to create and read packets may be found in prot.c */ -KTEXT create_auth_reply(); -KTEXT create_death_packet(); +KTEXT create_auth_reply(char *pname, char *pinst, char *prealm, + int32_t time_ws, int n, u_int32_t x_date, + int kvno, KTEXT cipher); +#ifdef DEBUG +KTEXT krb_create_death_packet(char *a_name); +#endif /* Message types , always leave lsb for byte order */ @@ -70,6 +74,8 @@ KTEXT create_death_packet(); #define AUTH_MSG_PRIVATE 6<<1 #define AUTH_MSG_SAFE 7<<1 #define AUTH_MSG_APPL_ERR 8<<1 +#define AUTH_MSG_KDC_FORWARD 9<<1 +#define AUTH_MSG_KDC_RENEW 10<<1 #define AUTH_MSG_DIE 63<<1 /* values for kerb error codes */ @@ -85,5 +91,15 @@ KTEXT create_death_packet(); #define KERB_ERR_PRINCIPAL_UNKNOWN 8 #define KERB_ERR_PRINCIPAL_NOT_UNIQUE 9 #define KERB_ERR_NULL_KEY 10 +#define KERB_ERR_TIMEOUT 11 + +/* sendauth - recvauth */ + +/* + * If the protocol changes, you will need to change the version string + * be sure to support old versions of krb_sendauth! + */ + +#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */ #endif /* PROT_DEFS */ diff --git a/kerberosIV/kafs/Makefile b/kerberosIV/kafs/Makefile index bfe28c1326e..10122fcfe1c 100644 --- a/kerberosIV/kafs/Makefile +++ b/kerberosIV/kafs/Makefile @@ -1,6 +1,7 @@ -# $Id: Makefile,v 1.1 1995/12/14 06:52:46 tholo Exp $ +# $Id: Makefile,v 1.2 1997/11/28 12:48:42 art Exp $ LIB= kafs -SRCS= afssys.c +CFLAGS+=-I${.CURDIR} -DNO_AFS +SRCS= afskrb.c afssys.c common.c .include <bsd.lib.mk> diff --git a/kerberosIV/kafs/afskrb.c b/kerberosIV/kafs/afskrb.c new file mode 100644 index 00000000000..d6809e541ed --- /dev/null +++ b/kerberosIV/kafs/afskrb.c 
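Review bot: `create_auth_reply` is now declared twice with full prototypes, here in `prot.h` with bare ANSI syntax and in `krb.h` (this commit's `@@ -346,20 +413,25 @@` hunk) wrapped in `__P(())`; the two must stay in sync by hand, and the bare form defeats the purpose of the `__P` convention every other header in this commit follows. Either wrap it (`KTEXT create_auth_reply __P((char *pname, char *pinst, char *prealm, int32_t time_ws, int n, u_int32_t x_date, int kvno, KTEXT cipher));`) or drop one declaration. `KRB_SENDAUTH_VERS "AUTHV0.1"` is commented as `MUST be KRB_SENDAUTH_VLEN chars`, but `KRB_SENDAUTH_VLEN` lives in krb.h, which prot.h does not include in the visible hunks; a comment naming where the constant is defined (or moving this define next to it) would keep the invariant checkable.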
@@ -0,0 +1,112 @@ +/* $KTH: afskrb.c,v 1.8 1997/10/14 23:00:39 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "kafs_locl.h" + +struct krb_kafs_data { + const char *realm; +}; + +static int +get_cred(kafs_data *data, const char *name, const char *inst, + const char *realm, CREDENTIALS *c) +{ + KTEXT_ST tkt; + int ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c); + + if (ret) { + ret = krb_mk_req(&tkt, (char*)name, (char*)inst, (char*)realm, 0); + if (ret == KSUCCESS) + ret = krb_get_cred((char*)name, (char*)inst, (char*)realm, c); + } + return ret; +} + +static int +afslog_uid_int(kafs_data *data, const char *cell, uid_t uid) +{ + int ret; + CREDENTIALS c; + struct krb_kafs_data *d = data->data; + char realm[REALM_SZ], *lrealm; + + if (cell == 0 || cell[0] == 0) + return _kafs_afslog_all_local_cells (data, uid); + + ret = krb_get_lrealm(realm , 0); + if(ret == KSUCCESS && (d->realm == NULL || strcmp(d->realm, realm))) + lrealm = realm; + else + lrealm = NULL; + + ret = _kafs_get_cred(data, cell, d->realm, lrealm, &c); + + if(ret == 0) + ret = kafs_settoken(cell, uid, &c); + return ret; +} + +static char * +get_realm(kafs_data *data, const char *host) +{ + char *r = krb_realmofhost(host); + if(r) + return strdup(r); + return NULL; +} + +int +krb_afslog_uid(const char *cell, const char *realm, uid_t uid) +{ + kafs_data kd; + struct krb_kafs_data d; + kd.afslog_uid = afslog_uid_int; + kd.get_cred = get_cred; + kd.get_realm = get_realm; + kd.data = &d; + d.realm = realm; + return afslog_uid_int(&kd, cell, uid); +} + +int +krb_afslog(const char *cell, const char *realm) +{ + return krb_afslog_uid (cell, realm, getuid()); +} diff --git a/kerberosIV/kafs/afssys.c b/kerberosIV/kafs/afssys.c index 2c831e41abf..eb849791abc 100644 --- a/kerberosIV/kafs/afssys.c +++ b/kerberosIV/kafs/afssys.c 
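Review bot: `get_cred` has no comment explaining its second attempt: when `krb_get_cred` fails it calls `krb_mk_req` (presumably to obtain a ticket for name.inst@realm) and then reads the credential again, and its `data` parameter is unused; a comment such as `/* Nothing cached: let krb_mk_req() fetch a ticket for name.inst@realm, then re-read it. */` would help the next reader. In `afslog_uid_int` a failed `krb_get_lrealm` silently becomes `lrealm = NULL`, which `_kafs_get_cred` then treats as "no local realm to fall back on"; that looks intended but deserves a comment on the `if(ret == KSUCCESS && ...)` line. `get_realm` returns NULL both when `krb_realmofhost` knows no realm and when `strdup` fails, so callers cannot distinguish the two; worth noting in a header comment. The `(char*)` casts discard the const of the arguments passed to the krb routines, which is fine only as long as those routines do not write through them — not verifiable here.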
@@ -1,302 +1,220 @@ -/* $Id: afssys.c,v 1.2 1996/09/16 03:18:08 tholo Exp $ */ - -#include <sys/types.h> -#include <sys/ioctl.h> -#include <signal.h> -#include <setjmp.h> -#include <errno.h> -#include <string.h> -#include <unistd.h> - -#include <kerberosIV/krb.h> -#include <kerberosIV/kafs.h> - -#include "afssysdefs.h" - -#define AUTH_SUPERUSER "afs" +/* $KTH: afssys.c,v 1.53 1997/05/04 02:30:41 assar Exp $ */ /* - * Here only ASCII characters are relevant. + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -#define IsAsciiUpper(c) ('A' <= (c) && (c) <= 'Z') - -#define ToAsciiLower(c) ((c) - 'A' + 'a') - -static void -folddown(a, b) - char *a, *b; -{ - for (; *b; a++, b++) - if (IsAsciiUpper(*b)) - *a = ToAsciiLower(*b); - else - *a = *b; - *a = '\0'; -} - -#if !defined(linux) /* won't work there -- no SIGSYS, no syscall */ - -int -k_afsklog(realm) - char *realm; -{ - int k_errno; - CREDENTIALS c; - KTEXT_ST ticket; - char username[256]; - char krealm[REALM_SZ]; - - if (!k_hasafs()) - return KSUCCESS; - - if (realm == 0 || realm[0] == 0) - { - k_errno = krb_get_lrealm(krealm, 0); - if (k_errno != KSUCCESS) - return k_errno; - realm = krealm; - } - - k_errno = krb_get_cred(AUTH_SUPERUSER, "", realm, &c); - if (k_errno != KSUCCESS) - { - k_errno = krb_mk_req(&ticket, AUTH_SUPERUSER, "", realm, 0); - if (k_errno == KSUCCESS) - k_errno = krb_get_cred(AUTH_SUPERUSER, "", realm, &c); - } - - if (k_errno == KSUCCESS) - { - char cell[256]; - struct ViceIoctl parms; - struct ClearToken ct; - int32_t sizeof_x; - char buf[2048], *t; - - folddown(cell, realm); - - /* - * Build a struct ClearToken - */ - ct.AuthHandle = c.kvno; - bcopy((char *)c.session, ct.HandShakeKey, sizeof(c.session)); - ct.ViceId = getuid(); /* is this always valid? 
*/ - ct.BeginTimestamp = 1 + c.issue_date; - ct.EndTimestamp = krb_life_to_time(c.issue_date, c.lifetime); - - t = buf; - /* - * length of secret token followed by secret token - */ - sizeof_x = c.ticket_st.length; - bcopy((char *)&sizeof_x, t, sizeof(sizeof_x)); - t += sizeof(sizeof_x); - bcopy((char *)c.ticket_st.dat, t, sizeof_x); - t += sizeof_x; - /* - * length of clear token followed by clear token - */ - sizeof_x = sizeof(ct); - bcopy((char *)&sizeof_x, t, sizeof(sizeof_x)); - t += sizeof(sizeof_x); - bcopy((char *)&ct, t, sizeof_x); - t += sizeof_x; - - /* - * do *not* mark as primary cell - */ - sizeof_x = 0; - bcopy((char *)&sizeof_x, t, sizeof(sizeof_x)); - t += sizeof(sizeof_x); - /* - * follow with cell name - */ - sizeof_x = strlen(cell) + 1; - bcopy(cell, t, sizeof_x); - t += sizeof_x; - - /* - * Build argument block - */ - parms.in = buf; - parms.in_size = t - buf; - parms.out = 0; - parms.out_size = 0; - (void) k_pioctl(0, VIOCSETTOK, &parms, 0); - } - return k_errno; -} +#include "kafs_locl.h" #define NO_ENTRY_POINT 0 #define SINGLE_ENTRY_POINT 1 #define MULTIPLE_ENTRY_POINT 2 #define SINGLE_ENTRY_POINT2 3 -#define AIX_ENTRY_POINTS 4 -#define UNKNOWN_ENTRY_POINT 5 +#define SINGLE_ENTRY_POINT3 4 +#define AIX_ENTRY_POINTS 5 +#define UNKNOWN_ENTRY_POINT 6 static int afs_entry_point = UNKNOWN_ENTRY_POINT; +static int afs_syscalls[2]; + int -k_pioctl(a_path, o_opcode, a_paramsP, a_followSymlinks) - char *a_path; - int o_opcode; - struct ViceIoctl *a_paramsP; - int a_followSymlinks; +k_pioctl(char *a_path, + int o_opcode, + struct ViceIoctl *a_paramsP, + int a_followSymlinks) { -#ifdef AFS_SYSCALL - if (afs_entry_point == SINGLE_ENTRY_POINT) - return syscall(AFS_SYSCALL, AFSCALL_PIOCTL, - a_path, o_opcode, a_paramsP, a_followSymlinks); +#ifndef NO_AFS + switch(afs_entry_point){ +#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3) + case SINGLE_ENTRY_POINT: + case SINGLE_ENTRY_POINT2: + case SINGLE_ENTRY_POINT3: + return 
syscall(afs_syscalls[0], AFSCALL_PIOCTL, + a_path, o_opcode, a_paramsP, a_followSymlinks); #endif - -#ifdef AFS_PIOCTL - if (afs_entry_point == MULTIPLE_ENTRY_POINT) - return syscall(AFS_PIOCTL, - a_path, o_opcode, a_paramsP, a_followSymlinks); +#if defined(AFS_PIOCTL) + case MULTIPLE_ENTRY_POINT: + return syscall(afs_syscalls[0], + a_path, o_opcode, a_paramsP, a_followSymlinks); #endif - -#ifdef AFS_SYSCALL2 - if (afs_entry_point == SINGLE_ENTRY_POINT2) - return syscall(AFS_SYSCALL2, AFSCALL_PIOCTL, - a_path, o_opcode, a_paramsP, a_followSymlinks); -#endif - -#ifdef _AIX - if (afs_entry_point == AIX_ENTRY_POINTS) - return lpioctl(a_path, o_opcode, a_paramsP, a_followSymlinks); -#endif - - errno = ENOSYS; - kill(getpid(), SIGSYS); /* You loose! */ - return -1; + } + + errno = ENOSYS; + kill(getpid(), SIGSYS); /* You loose! */ +#endif /* NO_AFS */ + return -1; } int -k_unlog() +k_afs_cell_of_file(const char *path, char *cell, int len) { - struct ViceIoctl parms; - bzero((char *)&parms, sizeof(parms)); - return k_pioctl(0, VIOCUNLOG, &parms, 0); + struct ViceIoctl parms; + parms.in = NULL; + parms.in_size = 0; + parms.out = cell; + parms.out_size = len; + return k_pioctl((char*)path, VIOC_FILE_CELL_NAME, &parms, 1); } int -k_setpag() +k_unlog(void) { -#ifdef AFS_SYSCALL - if (afs_entry_point == SINGLE_ENTRY_POINT) - return syscall(AFS_SYSCALL, AFSCALL_SETPAG); -#endif - -#ifdef AFS_SETPAG - if (afs_entry_point == MULTIPLE_ENTRY_POINT) - return syscall(AFS_SETPAG); -#endif + struct ViceIoctl parms; + memset(&parms, 0, sizeof(parms)); + return k_pioctl(0, VIOCUNLOG, &parms, 0); +} -#ifdef AFS_SYSCALL2 - if (afs_entry_point == SINGLE_ENTRY_POINT2) - return syscall(AFS_SYSCALL2, AFSCALL_SETPAG); +int +k_setpag(void) +{ +#ifndef NO_AFS + switch(afs_entry_point){ +#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3) + case SINGLE_ENTRY_POINT: + case SINGLE_ENTRY_POINT2: + case SINGLE_ENTRY_POINT3: + return syscall(afs_syscalls[0], AFSCALL_SETPAG); 
#endif - -#ifdef _AIX - if (afs_entry_point == AIX_ENTRY_POINTS) - return lsetpag(); +#if defined(AFS_PIOCTL) + case MULTIPLE_ENTRY_POINT: + return syscall(afs_syscalls[1]); #endif - - errno = ENOSYS; - kill(getpid(), SIGSYS); /* You loose! */ - return -1; + } + + errno = ENOSYS; + kill(getpid(), SIGSYS); /* You loose! */ +#endif /* NO_AFS */ + return -1; } -#endif /* defined(linux) */ + static jmp_buf catch_SIGSYS; -static void -SIGSYS_handler() +void +SIGSYS_handler(int sig) { - errno = 0; - longjmp(catch_SIGSYS, 1); + errno = 0; + longjmp(catch_SIGSYS, 1); } int -k_hasafs() +k_hasafs(void) { - int saved_errno; - void (*saved_func)(); - struct ViceIoctl parms; + int saved_errno; + void (*saved_func)(); + struct ViceIoctl parms; -#if defined(linux) - return 0; -#else - /* - * Already checked presence of AFS syscalls? - */ - if (afs_entry_point != UNKNOWN_ENTRY_POINT) - return afs_entry_point != NO_ENTRY_POINT; - - /* - * Probe kernel for AFS specific syscalls, - * they (currently) come in two flavors. - * If the syscall is absent we recive a SIGSYS. - */ - afs_entry_point = NO_ENTRY_POINT; - bzero(&parms, sizeof(parms)); + /* + * Already checked presence of AFS syscalls? + */ + if (afs_entry_point != UNKNOWN_ENTRY_POINT) + return afs_entry_point != NO_ENTRY_POINT; + + /* + * Probe kernel for AFS specific syscalls, + * they (currently) come in two flavors. + * If the syscall is absent we recive a SIGSYS. 
+ */ + afs_entry_point = NO_ENTRY_POINT; + memset(&parms, 0, sizeof(parms)); - saved_errno = errno; - saved_func = signal(SIGSYS, SIGSYS_handler); + saved_errno = errno; +#ifndef NO_AFS + saved_func = signal(SIGSYS, SIGSYS_handler); #ifdef AFS_SYSCALL - if (setjmp(catch_SIGSYS) == 0) - { - syscall(AFS_SYSCALL, AFSCALL_PIOCTL, - 0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); - if (errno == EINVAL) + if (setjmp(catch_SIGSYS) == 0) { - afs_entry_point = SINGLE_ENTRY_POINT; - goto done; + syscall(AFS_SYSCALL, AFSCALL_PIOCTL, + 0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); + if (errno == EINVAL) + { + afs_entry_point = SINGLE_ENTRY_POINT; + afs_syscalls[0] = AFS_SYSCALL; + goto done; + } } - } #endif /* AFS_SYSCALL */ #ifdef AFS_PIOCTL - if (setjmp(catch_SIGSYS) == 0) - { - syscall(AFS_PIOCTL, - 0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); - if (errno == EINVAL) + if (setjmp(catch_SIGSYS) == 0) { - afs_entry_point = MULTIPLE_ENTRY_POINT; - goto done; + syscall(AFS_PIOCTL, + 0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); + if (errno == EINVAL) + { + afs_entry_point = MULTIPLE_ENTRY_POINT; + afs_syscalls[0] = AFS_PIOCTL; + afs_syscalls[1] = AFS_SETPAG; + goto done; + } } - } #endif /* AFS_PIOCTL */ #ifdef AFS_SYSCALL2 - if (setjmp(catch_SIGSYS) == 0) - { - syscall(AFS_SYSCALL2, AFSCALL_PIOCTL, - 0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); - if (errno == EINVAL) + if (setjmp(catch_SIGSYS) == 0) { - afs_entry_point = SINGLE_ENTRY_POINT2; - goto done; + syscall(AFS_SYSCALL2, AFSCALL_PIOCTL, + 0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); + if (errno == EINVAL) + { + afs_entry_point = SINGLE_ENTRY_POINT2; + afs_syscalls[0] = AFS_SYSCALL2; + goto done; + } } - } #endif /* AFS_SYSCALL */ -#ifdef _AIX - if (setjmp(catch_SIGSYS) == 0) - { - lpioctl(0, 0, 0, 0); - if (errno == EINVAL) +#ifdef AFS_SYSCALL3 + if (setjmp(catch_SIGSYS) == 0) { - afs_entry_point = AIX_ENTRY_POINTS; - goto done; + 
syscall(AFS_SYSCALL3, AFSCALL_PIOCTL, + 0, VIOCSETTOK, &parms, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); + if (errno == EINVAL) + { + afs_entry_point = SINGLE_ENTRY_POINT3; + afs_syscalls[0] = AFS_SYSCALL3; + goto done; + } } - } -#endif +#endif /* AFS_SYSCALL */ - done: - (void) signal(SIGSYS, saved_func); - errno = saved_errno; - return afs_entry_point != NO_ENTRY_POINT; -#endif /* linux */ +done: + signal(SIGSYS, saved_func); +#endif /* NO_AFS */ + errno = saved_errno; + return afs_entry_point != NO_ENTRY_POINT; } diff --git a/kerberosIV/kafs/afssysdefs.h b/kerberosIV/kafs/afssysdefs.h index 2920141794e..7aa113d6f78 100644 --- a/kerberosIV/kafs/afssysdefs.h +++ b/kerberosIV/kafs/afssysdefs.h 
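Review bot: `SIGSYS_handler` loses its `static` in the rewrite (`-static void -SIGSYS_handler()` becomes `+void +SIGSYS_handler(int sig)`), so a generically named handler that longjmps into a file-local `jmp_buf` is now exported from the library; `static void SIGSYS_handler(int sig)` keeps it private. In `k_hasafs`, `saved_func` is declared with the old-style `void (*saved_func)();` and is only assigned under `#ifndef NO_AFS`, so the -DNO_AFS build this commit configures for kafs leaves it unused; `void (*saved_func)(int);` declared inside the `#ifndef NO_AFS` block fixes both. Under NO_AFS, `k_pioctl` and `k_setpag` return -1 without setting errno, whereas the other branches set `ENOSYS` before failing; moving `errno = ENOSYS;` outside the `#ifndef` keeps the failure reporting uniform.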
@@ -1,29 +1,71 @@ -/* $Id: afssysdefs.h,v 1.1 1995/12/14 06:52:46 tholo Exp $ */ +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +/* $Id: afssysdefs.h,v 1.2 1997/11/28 12:48:43 art Exp $ */ /* * This section is for machines using single entry point AFS syscalls! - * or + * and/or * This section is for machines using multiple entry point AFS syscalls! + * + * SunOS 4 is an example of single entry point and sgi of multiple + * entry point syscalls. */ -#if defined(sun) && !defined(__svr4__) +#if SunOS == 4 #define AFS_SYSCALL 31 #endif -#if defined(sun) && defined(__svr4__) +#if SunOS == 5 #define AFS_SYSCALL 105 #endif -#if defined(hpux) +#if defined(__hpux) #define AFS_SYSCALL 50 #define AFS_SYSCALL2 49 +#define AFS_SYSCALL3 48 #endif #if defined(_AIX) /* _AIX is too weird */ #endif -#if defined(sgi) +#if defined(__sgi) #define AFS_PIOCTL (64+1000) #define AFS_SETPAG (65+1000) #endif @@ -32,3 +74,15 @@ #define AFS_SYSCALL 232 #define AFS_SYSCALL2 258 #endif + +#if defined(__ultrix) +#define AFS_SYSCALL 31 +#endif + +#if defined(__NetBSD__) +#define AFS_SYSCALL 210 +#endif + +#ifdef SYS_afs_syscall +#define AFS_SYSCALL3 SYS_afs_syscall +#endif diff --git a/kerberosIV/kafs/common.c b/kerberosIV/kafs/common.c new file mode 100644 index 00000000000..c7f2061a4aa --- /dev/null +++ b/kerberosIV/kafs/common.c 
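Review bot: The new `#ifdef SYS_afs_syscall` / `#define AFS_SYSCALL3 SYS_afs_syscall` block only takes effect if `<sys/syscall.h>` has already been included by whoever includes this header, and that include is not visible anywhere in this commit; if it is missing, the entry point silently disappears. A comment such as `/* SYS_afs_syscall comes from <sys/syscall.h>; the includer must pull that in first */` documents the dependency, or the header could include it itself. On a platform where both `__hpux` and `SYS_afs_syscall` are defined, AFS_SYSCALL3 would be defined twice (48 and then SYS_afs_syscall); guarding the hpux definition with `#ifndef AFS_SYSCALL3` avoids the redefinition.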
@@ -0,0 +1,340 @@ +/* $KTH: common.c,v 1.3 1997/11/03 20:35:24 bg Exp $ */ + +/* + * Copyright (c) 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "kafs_locl.h" + +#define AUTH_SUPERUSER "afs" + +/* + * Here only ASCII characters are relevant. + */ + +#define IsAsciiLower(c) ('a' <= (c) && (c) <= 'z') + +#define ToAsciiUpper(c) ((c) - 'a' + 'A') + +static void +foldup(char *a, const char *b) +{ + for (; *b; a++, b++) + if (IsAsciiLower(*b)) + *a = ToAsciiUpper(*b); + else + *a = *b; + *a = '\0'; +} + +int +kafs_settoken(const char *cell, uid_t uid, CREDENTIALS *c) +{ + struct ViceIoctl parms; + struct ClearToken ct; + int32_t sizeof_x; + char buf[2048], *t; + int ret; + + /* + * Build a struct ClearToken + */ + ct.AuthHandle = c->kvno; + memcpy (ct.HandShakeKey, c->session, sizeof(c->session)); + ct.ViceId = uid; /* is this always valid? */ + ct.BeginTimestamp = 1 + c->issue_date; + ct.EndTimestamp = krb_life_to_time(c->issue_date, c->lifetime); + +#define ODD(x) ((x) & 1) + /* If we don't know the numerical ID lifetime should be even? */ + if (uid == 0 && ODD(ct.EndTimestamp - ct.BeginTimestamp)) + ct.BeginTimestamp--; + + t = buf; + /* + * length of secret token followed by secret token + */ + sizeof_x = c->ticket_st.length; + memcpy(t, &sizeof_x, sizeof(sizeof_x)); + t += sizeof(sizeof_x); + memcpy(t, c->ticket_st.dat, sizeof_x); + t += sizeof_x; + /* + * length of clear token followed by clear token + */ + sizeof_x = sizeof(ct); + memcpy(t, &sizeof_x, sizeof(sizeof_x)); + t += sizeof(sizeof_x); + memcpy(t, &ct, sizeof_x); + t += sizeof_x; + + /* + * do *not* mark as primary cell + */ + sizeof_x = 0; + memcpy(t, &sizeof_x, sizeof(sizeof_x)); + t += sizeof(sizeof_x); + /* + * follow with cell name + */ + sizeof_x = strlen(cell) + 1; + memcpy(t, cell, sizeof_x); + t += sizeof_x; + + /* + * Build argument block + */ + parms.in = buf; + parms.in_size = t - buf; + parms.out = 0; + parms.out_size = 0; + ret = k_pioctl(0, VIOCSETTOK, &parms, 0); + return ret; +} + +#if 0 +/* Try to get a db-server for an AFS cell from a AFSDB record */ + +static int +dns_find_cell(const char *cell, char 
*dbserver) +{ + struct dns_reply *r; + int ok = -1; + r = dns_lookup(cell, "afsdb"); + if(r){ + struct resource_record *rr = r->head; + while(rr){ + if(rr->type == T_AFSDB && rr->u.afsdb->preference == 1){ + strncpy(dbserver, rr->u.afsdb->domain, MAXHOSTNAMELEN); + dbserver[MaxHostNameLen - 1] = 0; + ok = 0; + break; + } + rr = rr->next; + } + dns_free_data(r); + } + return ok; +} +#endif + + +/* + * Try to find the cells we should try to klog to in "file". + */ +static void +find_cells(char *file, char ***cells, int *index) +{ + FILE *f; + char cell[64]; + int i; + f = fopen(file, "r"); + if (f == NULL) + return; + while (fgets(cell, sizeof(cell), f)) { + char *nl = strchr(cell, '\n'); + if (nl) *nl = 0; + for(i = 0; i < *index; i++) + if(strcmp((*cells)[i], cell) == 0) + break; + if(i == *index){ + *cells = realloc(*cells, (*index + 1) * sizeof(**cells)); + (*cells)[(*index)++] = strdup(cell); + } + } + fclose(f); +} + +/* + * Get tokens for all cells[] + */ +static int +afslog_cells(kafs_data *data, char **cells, int max, uid_t uid) +{ + int ret = 0; + int i; + for(i = 0; i < max; i++) + ret = (*data->afslog_uid)(data, cells[i], uid); + return ret; +} + +int +_kafs_afslog_all_local_cells(kafs_data *data, uid_t uid) +{ + int ret; + char **cells = NULL; + int index = 0; + + char *p; + + if ((p = getenv("HOME"))) { + char home[MAXPATHLEN]; + snprintf(home, sizeof(home), "%s/.TheseCells", p); + find_cells(home, &cells, &index); + } + find_cells(_PATH_THESECELLS, &cells, &index); + find_cells(_PATH_THISCELL, &cells, &index); + + ret = afslog_cells(data, cells, index, uid); + while(index > 0) + free(cells[--index]); + free(cells); + return ret; +} + + +/* Find the realm associated with cell. Do this by opening + /usr/vice/etc/CellServDB and getting the realm-of-host for the + first VL-server for the cell. + + This does not work when the VL-server is living in one realm, but + the cell it is serving is living in another realm. + + Return 0 on success, -1 otherwise. 
+ */ + +static int +realm_of_cell(kafs_data *data, const char *cell, char **realm) +{ + FILE *F; + char buf[1024]; + char *p; + int ret = -1; + + if ((F = fopen(_PATH_CELLSERVDB, "r"))) + { + while (fgets(buf, sizeof(buf), F)) + { + if (buf[0] != '>') + continue; /* Not a cell name line, try next line */ + if (strncmp(buf + 1, cell, strlen(cell)) == 0) + { + /* + * We found the cell name we're looking for. + * Read next line on the form ip-address '#' hostname + */ + if (fgets(buf, sizeof(buf), F) == NULL) + break; /* Read failed, give up */ + p = strchr(buf, '#'); + if (p == NULL) + break; /* No '#', give up */ + p++; + if (buf[strlen(buf) - 1] == '\n') + buf[strlen(buf) - 1] = 0; + *realm = (*data->get_realm)(data, p); + if (*realm && **realm != 0) + ret = 0; + break; /* Won't try any more */ + } + } + fclose(F); + } +#if 0 + if (realm == NULL) { + if (dns_find_cell(cell, buf) == 0) + realm = krb_realmofhost(buf); + } +#endif + return ret; +} + +int +_kafs_get_cred(kafs_data *data, + const char *cell, + const char *krealm, + const char *lrealm, + CREDENTIALS *c) +{ + int ret = -1; + char *vl_realm; + char CELL[64]; + + /* We're about to find the the realm that holds the key for afs in + * the specified cell. The problem is that null-instance + * afs-principals are common and that hitting the wrong realm might + * yield the wrong afs key. The following assumptions were made. + * + * Any realm passed to us is preferred. + * + * If there is a realm with the same name as the cell, it is most + * likely the correct realm to talk to. + * + * In most (maybe even all) cases the database servers of the cell + * will live in the realm we are looking for. + * + * Try the local realm, but if the previous cases fail, this is + * really a long shot. 
+ * + */ + + /* comments on the ordering of these tests */ + + /* If the user passes a realm, she probably knows something we don't + * know and we should try afs@krealm (otherwise we're talking with a + * blondino and she might as well have it.) + */ + + if (krealm) { + ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, krealm, c); + if (ret == 0) return 0; + ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", krealm, c); + } + if (ret == 0) return 0; + + foldup(CELL, cell); + + ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, CELL, c); + if (ret == 0) return 0; + + ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", CELL, c); + if (ret == 0) return 0; + + /* this might work in some cases */ + if (realm_of_cell(data, cell, &vl_realm) == 0) { + ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, vl_realm, c); + if (ret) + ret = (*data->get_cred)(data, AUTH_SUPERUSER, "", vl_realm, c); + free(vl_realm); + if (ret == 0) return 0; + } + + if (lrealm) + ret = (*data->get_cred)(data, AUTH_SUPERUSER, cell, lrealm, c); + return ret; +} + + diff --git a/kerberosIV/kafs/shlib_version b/kerberosIV/kafs/shlib_version index d9961ea9fef..3066b9771e7 100644 --- a/kerberosIV/kafs/shlib_version +++ b/kerberosIV/kafs/shlib_version @@ -1,2 +1,2 @@ -major=4 +major=5 minor=0 diff --git a/kerberosIV/kdb/kdb_locl.h b/kerberosIV/kdb/kdb_locl.h index 0ea18e9e41b..2aa6670ab75 100644 --- a/kerberosIV/kdb/kdb_locl.h +++ b/kerberosIV/kdb/kdb_locl.h 
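Review bot: `_kafs_get_cred` copies the caller-supplied cell name into `char CELL[64]` through `foldup`, which has no length bound, so a cell name of 64 or more characters overruns the stack buffer; `cell` reaches here unchecked from the public `krb_afslog(const char *cell, ...)` entry point. Add `if (strlen(cell) >= sizeof(CELL)) return -1;` before `foldup(CELL, cell);`, or give foldup a size argument. `kafs_settoken` has the same shape: the ticket, clear token and cell name are appended to `char buf[2048]` with no check that they fit, so at least `sizeof_x = strlen(cell) + 1;` should be preceded by `if (strlen(cell) + 1 > sizeof(buf) - (t - buf)) return -1;`. In `realm_of_cell`, `strncmp(buf + 1, cell, strlen(cell)) == 0` is a prefix match, so a CellServDB entry for a longer cell name that begins with `cell` is taken for the requested cell and yields that cell's realm; check that the character following the match is a space, tab, newline or NUL. `find_cells` assigns `realloc(*cells, ...)` straight back to `*cells` and stores the result of `strdup` without a NULL check, so an allocation failure loses the list and dereferences NULL on the next `strcmp`.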
@@ -1,4 +1,43 @@ -/* $Id: kdb_locl.h,v 1.1 1995/12/14 06:52:37 tholo Exp $ */ +/* $Id: kdb_locl.h,v 1.2 1997/11/28 12:48:45 art Exp $ */ +/* $KTH: kdb_locl.h,v 1.9 1997/05/02 14:29:08 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ #ifndef __kdb_locl_h #define __kdb_locl_h diff --git a/kerberosIV/kerberos/Makefile b/kerberosIV/kerberos/Makefile index 455fe5ad922..8b16fd72bcc 100644 --- a/kerberosIV/kerberos/Makefile +++ b/kerberosIV/kerberos/Makefile @@ -1,9 +1,11 @@ # from @(#)Makefile 8.1 (Berkeley) 6/1/93 -# $Id: Makefile,v 1.1 1995/12/14 06:52:52 tholo Exp $ +# $Id: Makefile,v 1.2 1997/11/28 12:48:46 art Exp $ PROG= kerberos DPADD= ${LIBKDB} ${LIBKRB} ${LIBDES} LDADD= -lkdb -lkrb -ldes MAN= kerberos.8 +CFLAGS+=-I${.CURDIR} + .include <bsd.prog.mk> diff --git a/kerberosIV/kerberos/kerberos.c b/kerberosIV/kerberos/kerberos.c index 9d0dbe42550..7f66aa55e65 100644 --- a/kerberosIV/kerberos/kerberos.c +++ b/kerberosIV/kerberos/kerberos.c 
@@ -1,103 +1,73 @@ -/* $Id: kerberos.c,v 1.5 1997/06/29 10:32:14 provos Exp $ */ +/* $KTH: kerberos.c,v 1.70 1997/09/26 18:06:38 joda Exp $ */ -/*- - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology + +/* + * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute + * of Technology. * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. + * For copying and distribution information, please see the file + * <mit-copyright.h>. 
*/ -#include "kerberosIV/site.h" - #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> #include <sys/types.h> - #include <sys/time.h> #include <time.h> - -#include <sys/stat.h> -#include <fcntl.h> -#include <sys/ioctl.h> - +#include <sys/select.h> #include <errno.h> #include <unistd.h> - +#include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> -#include <sys/socket.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <sys/ioctl.h> +#include <sys/filio.h> #include <netdb.h> +#include <stdarg.h> +#include <err.h> #include <des.h> #include <kerberosIV/krb.h> #include <kerberosIV/krb_db.h> - #include <prot.h> -#include <klog.h> -#include <kdc.h> +#include "klog.h" -static struct sockaddr_in sina = {AF_INET}; -int f; - -/* XXX several files in libkdb know about this */ -char *progname; +#include "version.h" +#include "krb_log.h" +#include "kdc.h" static des_key_schedule master_key_schedule; static des_cblock master_key; static struct timeval kerb_time; -static Principal a_name_data; /* for requesting user */ -static Principal s_name_data; /* for services requested */ -static des_cblock session_key; static u_char master_key_version; static char k_instance[INST_SZ]; static char *lt; static int more; static int mflag; /* Are we invoked manually? */ -static int lflag; /* Have we set an alterate log file? */ -static char *log_file; /* name of alt. log file */ +static char *log_file = KRBLOG; /* name of alt. 
log file */ static int nflag; /* don't check max age */ static int rflag; /* alternate realm specified */ /* fields within the received request packet */ -static u_char req_msg_type; -static u_char req_version; static char *req_name_ptr; static char *req_inst_ptr; static char *req_realm_ptr; -static u_long req_time_ws; - -int req_act_vno = KRB_PROT_VERSION; /* Temporary for version skew */ +static u_int32_t req_time_ws; static char local_realm[REALM_SZ]; -/* statistics */ -static int q_bytes; /* current bytes remaining in queue */ -static int q_n; /* how many consecutive non-zero - * q_bytes */ -static int max_q_bytes; -static int max_q_n; -static int n_auth_req; -static int n_appl_req; -static int n_packets; - +/* options */ static int max_age = -1; static int pause_int = -1; +static char progname[]="kerberos"; /* * Print usage message and exit. 
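Review bot: `progname` changes from the exported `char *progname;` to `static char progname[]="kerberos";`, but the removed declaration carried the comment that several files in libkdb know about it; if libkdb still declares `extern char *progname`, the symbol is no longer provided by kerberos.c, and even if it were, `char *` versus `char[]` would be a type mismatch — worth verifying against libkdb before this lands. Separately, `#include <sys/filio.h>` is added unconditionally among otherwise portable headers; a comment naming which ioctl request it supplies would make the dependency clear.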
@@ -105,31 +75,31 @@ static int pause_int = -1; static void usage(void) { - fprintf(stderr, "Usage: %s [-s] [-m] [-n] [-p pause_seconds]%s%s\n", progname, - " [-a max_age] [-l log_file] [-r realm]" - ," [database_pathname]" - ); + fprintf(stderr, "Usage: %s [-s] [-m] [-n] [-p pause_seconds]" + " [-a max_age] [-l log_file] [-i address_to_listen_on]" + " [-r realm] [database_pathname]\n", + progname); exit(1); } /* - * kerb_er_reply creates an error reply packet and sends it to the + * kerb_err_reply creates an error reply packet and sends it to the * client. */ static void -kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) +kerb_err_reply(int f, struct sockaddr_in *client, int err, char *string) { static KTEXT_ST e_pkt_st; KTEXT e_pkt = &e_pkt_st; static char e_msg[128]; - bzero(e_msg, sizeof e_msg); strcpy(e_msg, "\nKerberos error -- "); strcat(e_msg, string); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); - sendto(f, e_pkt->dat, e_pkt->length, 0, (struct sockaddr*)client, S_AD_SZ); + sendto(f, (char*)e_pkt->dat, e_pkt->length, 0, (struct sockaddr *)client, + sizeof(*client)); } static void @@ -141,9 +111,9 @@ hang(void) pause(); } else { char buf[256]; - (void) snprintf(buf, sizeof(buf), - "Kerberos will wait %d seconds before dying so as not to loop init", - pause_int); + snprintf(buf, sizeof(buf), + "Kerberos will wait %d seconds before dying so as not to loop init", + pause_int); klog(L_KRB_PERR, buf); sleep(pause_int); klog(L_KRB_PERR, "Do svedania....\n"); 
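Review bot: kerb_err_reply still builds the reply text with `strcpy(e_msg, ...)` followed by `strcat(e_msg, string)` into the 128-byte static `e_msg`, and `string` is no longer a short literal: kerberos_wrap (later in this diff) passes `pkt.dat`, which carries klog() text built from client-supplied names and realms. Replace the pair with `snprintf(e_msg, sizeof e_msg, "\nKerberos error -- %s", string);` so an over-long message is truncated instead of overrunning the buffer. Separately, `req_name_ptr`, `req_inst_ptr`, `req_realm_ptr` and `req_time_ws` are still handed to cr_err_reply here, but as far as this diff shows their only assignments (the `pkt_a_name`/`pkt_time_ws` lines in the old kerberos()) were removed and nothing in the new code sets them, so the error packet is built from NULL pointers and a zero timestamp; either pass the parsed name/instance/realm/time in as parameters or add a comment stating why they are intentionally empty.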
@@ -151,29 +121,6 @@ hang(void) } } -/* - * Given a pointer to a long containing the number of seconds - * since the beginning of time (midnight 1 Jan 1970 GMT), return - * a string containing the local time in the form: - * - * "25-Jan-88 10:17:56" - */ - -static char * -strtime(time_t *t) -{ - static char st_data[40]; - static char *st = st_data; - struct tm *tm; - char *month_sname(int n); - - tm = localtime(t); - (void) snprintf(st, sizeof(st_data), "%2d-%s-%02d %02d:%02d:%02d", - tm->tm_mday, month_sname(tm->tm_mon + 1), tm->tm_year, - tm->tm_hour, tm->tm_min, tm->tm_sec); - return st; -} - static int check_princ(char *p_name, char *instance, unsigned int lifetime, Principal *p) { @@ -181,9 +128,6 @@ check_princ(char *p_name, char *instance, unsigned int lifetime, Principal *p) static int more; n = kerb_get_principal(p_name, instance, p, 1, &more); - klog(L_ALL_REQ, - "Principal: \"%s\", Instance: \"%s\" Lifetime = %d n = %d", - p_name, instance, lifetime, n, 0); if (n < 0) { lt = klog(L_KRB_PERR, "Database unavailable!"); 
@@ -197,43 +141,47 @@ check_princ(char *p_name, char *instance, unsigned int lifetime, Principal *p) */ if (n == 0) { /* service unknown, log error, skip to next request */ - lt = klog(L_ERR_UNK, "UNKNOWN \"%s\" \"%s\"", p_name, - instance, 0); + lt = klog(L_ERR_UNK, "UNKNOWN %s.%s", p_name, instance); return KERB_ERR_PRINCIPAL_UNKNOWN; } if (more) { /* not unique, log error */ - lt = klog(L_ERR_NUN, "Principal NOT UNIQUE \"%s\" \"%s\"", - p_name, instance, 0); + lt = klog(L_ERR_NUN, "Principal not unique %s.%s", p_name, instance); return KERB_ERR_PRINCIPAL_NOT_UNIQUE; } /* If the user's key is null, we want to return an error */ if ((p->key_low == 0) && (p->key_high == 0)) { /* User has a null key */ - lt = klog(L_ERR_NKY, "Null key \"%s\" \"%s\"", p_name, - instance, 0); + lt = klog(L_ERR_NKY, "Null key %s.%s", p_name, instance); return KERB_ERR_NULL_KEY; } if (master_key_version != p->kdc_key_ver) { /* log error reply */ lt = klog(L_ERR_MKV, - "Key vers incorrect, KRB = %d, \"%s\" \"%s\" = %d", - master_key_version, p->name, p->instance, p->kdc_key_ver, - 0); + "Incorrect master key version for %s.%s: %d (should be %d)", + p->name, p->instance, p->kdc_key_ver, master_key_version); return KERB_ERR_NAME_MAST_KEY_VER; } /* make sure the service hasn't expired */ - if ((u_long) p->exp_date < (u_long) kerb_time.tv_sec) { + if ((u_int32_t) p->exp_date < (u_int32_t) kerb_time.tv_sec) { /* service did expire, log it */ + time_t t = p->exp_date; lt = klog(L_ERR_SEXP, - "EXPIRED \"%s\" \"%s\" %s", p->name, p->instance, - strtime((time_t*)&(p->exp_date)), 0); + "Principal %s.%s expired at %s", p->name, p->instance, + krb_stime(&t)); return KERB_ERR_NAME_EXP; } /* ok is zero */ return 0; } +static void +unseal(des_cblock *key) +{ + kdb_encrypt_key(key, key, &master_key, master_key_schedule, DES_DECRYPT); +} + + /* Set the key for krb_rd_req so we can check tgt */ static int set_tgtkey(char *r) 
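Review bot: unseal() decrypts a database key in place but carries no comment saying so, and the contract matters: kerberos() wipes the result with `memset(&key, 0, sizeof(key))`, while set_tgtkey (next hunk) calls `unseal(&key); krb_set_key(key, 0);` and leaves the unsealed ticket-granting key in `key` (declared outside the visible lines, so whether it is static cannot be seen here). Suggest the header comment `/* Decrypt a master-key-sealed database key in place; the caller owns the plaintext and must zero *key when done. */` and a `memset(&key, 0, sizeof(key));` after `krb_set_key` in set_tgtkey. With the logging call removed in the previous hunk, the `lifetime` parameter of check_princ appears unused in the visible lines; if nothing between the hunks reads it, say so in a comment or drop it.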
@@ -248,315 +196,236 @@ set_tgtkey(char *r) if (!strcmp(lastrealm, r)) return (KSUCCESS); - log("Getting key for %s", r); + klog(L_ALL_REQ, "Getting key for %s", r); - n = kerb_get_principal("krbtgt", r, p, 1, &more); + n = kerb_get_principal(KRB_TICKET_GRANTING_TICKET, r, p, 1, &more); if (n == 0) return (KFAILURE); /* unseal tgt key from master key */ - bcopy(&p->key_low, key, 4); - bcopy(&p->key_high, ((long *) key) + 1, 4); - kdb_encrypt_key(&key, &key, &master_key, - master_key_schedule, DES_DECRYPT); + copy_to_key(&p->key_low, &p->key_high, key); + unseal(&key); krb_set_key(key, 0); strcpy(lastrealm, r); return (KSUCCESS); } -static void -kerberos(struct sockaddr_in *client, KTEXT pkt) -{ - static KTEXT_ST rpkt_st; - KTEXT rpkt = &rpkt_st; - static KTEXT_ST ciph_st; - KTEXT ciph = &ciph_st; - static KTEXT_ST tk_st; - KTEXT tk = &tk_st; - static KTEXT_ST auth_st; - KTEXT auth = &auth_st; - AUTH_DAT ad_st; - AUTH_DAT *ad = &ad_st; - - - static struct in_addr client_host; - static int msg_byte_order; - static int swap_bytes; - static u_char k_flags; - u_long lifetime; - int i; - des_cblock key; - des_key_schedule key_s; - char *ptr; - - - - ciph->length = 0; - client_host = client->sin_addr; - - /* eval macros and correct the byte order and alignment as needed */ - req_version = pkt_version(pkt); /* 1 byte, version */ - req_msg_type = pkt_msg_type(pkt); /* 1 byte, Kerberos msg type */ - - req_act_vno = req_version; - - /* check packet version */ - if (req_version != KRB_PROT_VERSION) { - lt = klog(L_KRB_PERR, - "KRB prot version mismatch: KRB =%d request = %d", - KRB_PROT_VERSION, req_version, 0); - /* send an error reply */ - kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - return; - } - msg_byte_order = req_msg_type & 1; - - swap_bytes = 0; - if (msg_byte_order != HOST_BYTE_ORDER) { - swap_bytes++; +static int +kerberos(unsigned char *buf, int len, + char *proto, struct sockaddr_in *client, + struct sockaddr_in *server, + KTEXT rpkt) +{ + int pvno; + int 
msg_type; + int lsb; + int life; + int flags = 0; + char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ]; + char service[SNAME_SZ], sinst[INST_SZ]; + u_int32_t req_time; + static KTEXT_ST ticket, cipher, adat; + KTEXT tk = &ticket, ciph = &cipher, auth = &adat; + AUTH_DAT ad; + des_cblock session, key; + int err; + Principal a_name, s_name; + + char *msg; + + + unsigned char *p = buf; + if(len < 2){ + strcpy((char*)rpkt->dat, "Packet too short"); + return KFAILURE; } - klog(L_KRB_PINFO, - "Prot version: %d, Byte order: %d, Message type: %d", - req_version, msg_byte_order, req_msg_type); - switch (req_msg_type & ~1) { + gettimeofday(&kerb_time, NULL); + pvno = *p++; + if(pvno != KRB_PROT_VERSION){ + msg = klog(L_KRB_PERR, "KRB protocol version mismatch (%d)", pvno); + strcpy((char*)rpkt->dat, msg); + return KERB_ERR_PKT_VER; + } + msg_type = *p++; + lsb = msg_type & 1; + msg_type &= ~1; + switch(msg_type){ case AUTH_MSG_KDC_REQUEST: + /* XXX range check */ + p += krb_get_nir(p, name, inst, realm); + p += krb_get_int(p, &req_time, 4, lsb); + life = *p++; + p += krb_get_nir(p, service, sinst, NULL); + klog(L_INI_REQ, + "AS REQ %s.%s@%s for %s.%s from %s (%s/%u)", + name, inst, realm, service, sinst, + inet_ntoa(client->sin_addr), + proto, ntohs(server->sin_port)); + if((err = check_princ(name, inst, 0, &a_name))){ + strcpy((char*)rpkt->dat, krb_get_err_text(err)); + return err; + } + tk->length = 0; + if((err = check_princ(service, sinst, 0, &s_name))){ + strcpy((char*)rpkt->dat, krb_get_err_text(err)); + return err; + } + life = min(life, s_name.max_life); + life = min(life, a_name.max_life); + + des_new_random_key(&session); + copy_to_key(&s_name.key_low, &s_name.key_high, key); + unseal(&key); + krb_create_ticket(tk, flags, a_name.name, a_name.instance, + local_realm, client->sin_addr.s_addr, + session, + life, kerb_time.tv_sec, + s_name.name, s_name.instance, &key); + copy_to_key(&a_name.key_low, &a_name.key_high, key); + unseal(&key); + create_ciph(ciph, session, 
s_name.name, s_name.instance, + local_realm, life, s_name.key_version, tk, + kerb_time.tv_sec, &key); + memset(&session, 0, sizeof(session)); + memset(&key, 0, sizeof(key)); { - u_long req_life; /* Requested liftime */ - char *service; /* Service name */ - char *instance; /* Service instance */ - - n_auth_req++; - tk->length = 0; - k_flags = 0; /* various kerberos flags */ - - - /* set up and correct for byte order and alignment */ - req_name_ptr = (char *) pkt_a_name(pkt); - req_inst_ptr = (char *) pkt_a_inst(pkt); - req_realm_ptr = (char *) pkt_a_realm(pkt); - bcopy(pkt_time_ws(pkt), &req_time_ws, sizeof(req_time_ws)); - /* time has to be diddled */ - if (swap_bytes) { - swap_u_long(req_time_ws); - } - ptr = (char *) pkt_time_ws(pkt) + 4; - - req_life = (unsigned char) (*ptr++); - - service = ptr; - instance = ptr + strlen(service) + 1; - - rpkt = &rpkt_st; - klog(L_INI_REQ, - "Initial ticket request Host: %s User: \"%s\" \"%s\"", - inet_ntoa(client_host), req_name_ptr, req_inst_ptr, 0); - - if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, - &a_name_data))) { - kerb_err_reply(client, pkt, i, lt); - return; - } - tk->length = 0; /* init */ - if (strcmp(service, "krbtgt")) - klog(L_NTGT_INTK, - "INITIAL request from %s.%s for %s.%s", - req_name_ptr, req_inst_ptr, service, instance, 0); - /* this does all the checking */ - if ((i = check_princ(service, instance, 0, - &s_name_data))) { - kerb_err_reply(client, pkt, i, lt); - return; - } - /* Bound requested lifetime with service and user */ - lifetime = min(req_life, ((u_long) s_name_data.max_life)); - lifetime = min(lifetime, ((u_long) a_name_data.max_life)); - -#ifdef NOENCRYPTION - bzero(session_key, sizeof(des_cblock)); -#else - des_new_random_key(&session_key); -#endif - /* unseal server's key from master key */ - bcopy(&s_name_data.key_low, key, 4); - bcopy(&s_name_data.key_high, ((long *) key) + 1, 4); - kdb_encrypt_key(&key, &key, &master_key, - master_key_schedule, DES_DECRYPT); - /* construct and seal 
the ticket */ - krb_create_ticket(tk, k_flags, a_name_data.name, - a_name_data.instance, local_realm, - client_host.s_addr, session_key, lifetime, kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, &key); - bzero(key, sizeof(key)); - bzero(key_s, sizeof(key_s)); - - /* - * get the user's key, unseal it from the server's key, and - * use it to seal the cipher - */ - - /* a_name_data.key_low a_name_data.key_high */ - bcopy(&a_name_data.key_low, key, 4); - bcopy(&a_name_data.key_high, ((long *) key) + 1, 4); - - /* unseal the a_name key from the master key */ - kdb_encrypt_key(&key, &key, &master_key, - master_key_schedule, DES_DECRYPT); - - create_ciph(ciph, session_key, s_name_data.name, - s_name_data.instance, local_realm, lifetime, - s_name_data.key_version, tk, kerb_time.tv_sec, &key); - - /* clear session key */ - bzero(session_key, sizeof(session_key)); - - bzero(key, sizeof(key)); - - - - /* always send a reply packet */ - rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, - req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, - a_name_data.key_version, ciph); - sendto(f, rpkt->dat, rpkt->length, 0, (struct sockaddr*)client, S_AD_SZ); - bzero(&a_name_data, sizeof(a_name_data)); - bzero(&s_name_data, sizeof(s_name_data)); - break; + KTEXT r; + r = create_auth_reply(name, inst, realm, req_time, 0, + a_name.exp_date, a_name.key_version, ciph); + memcpy(rpkt, r, sizeof(*rpkt)); } + return 0; case AUTH_MSG_APPL_REQUEST: - { - u_long time_ws; /* Workstation time */ - u_long req_life; /* Requested liftime */ - char *service; /* Service name */ - char *instance; /* Service instance */ - int kerno; /* Kerberos error number */ - char tktrlm[REALM_SZ]; - - n_appl_req++; - tk->length = 0; - k_flags = 0; /* various kerberos flags */ - - auth->length = 4 + strlen((char*)pkt->dat + 3); - auth->length += (int) *(pkt->dat + auth->length) + - (int) *(pkt->dat + auth->length + 1) + 2; - - bcopy(pkt->dat, auth->dat, auth->length); - - strncpy(tktrlm, (char*)(auth->dat 
+ 3), REALM_SZ); - if (set_tgtkey(tktrlm)) { - lt = klog(L_ERR_UNK, - "FAILED realm %s unknown. Host: %s ", - tktrlm, inet_ntoa(client_host)); - kerb_err_reply(client, pkt, kerno, lt); - return; - } - kerno = krb_rd_req(auth, "ktbtgt", tktrlm, client_host.s_addr, - ad, 0); - - if (kerno) { - klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", - inet_ntoa(client_host), krb_err_txt[kerno]); - kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); - return; - } - ptr = (char *) pkt->dat + auth->length; - - bcopy(ptr, &time_ws, 4); - ptr += 4; - - req_life = (unsigned char) (*ptr++); - - service = ptr; - instance = ptr + strlen(service) + 1; + strcpy(realm, (char*)buf + 3); + if((err = set_tgtkey(realm))){ + msg = klog(L_ERR_UNK, + "Unknown realm %s from %s (%s/%u)", + realm, inet_ntoa(client->sin_addr), + proto, ntohs(server->sin_port)); + strcpy((char*)rpkt->dat, msg); + return err; + } + p = buf + strlen(realm) + 4; + p = p + p[0] + p[1] + 2; + auth->length = p - buf; + memcpy(auth->dat, buf, auth->length); + err = krb_rd_req(auth, KRB_TICKET_GRANTING_TICKET, + realm, client->sin_addr.s_addr, &ad, 0); + if(err){ + msg = klog(L_ERR_UNK, + "krb_rd_req from %s (%s/%u): %s", + inet_ntoa(client->sin_addr), + proto, + ntohs(server->sin_port), + krb_get_err_text(err)); + strcpy((char*)rpkt->dat, msg); + return err; + } + p += krb_get_int(p, &req_time, 4, lsb); + life = *p++; + p += krb_get_nir(p, service, sinst, NULL); + klog(L_APPL_REQ, + "APPL REQ %s.%s@%s for %s.%s from %s (%s/%u)", + ad.pname, ad.pinst, ad.prealm, + service, sinst, + inet_ntoa(client->sin_addr), + proto, + ntohs(server->sin_port)); + + if(strcmp(ad.prealm, realm)){ + msg = klog(L_ERR_UNK, "Can't hop realms: %s -> %s", + realm, ad.prealm); + strcpy((char*)rpkt->dat, msg); + return KERB_ERR_PRINCIPAL_UNKNOWN; + } - klog(L_APPL_REQ, "APPL Request %s.%s@%s on %s for %s.%s", - ad->pname, ad->pinst, ad->prealm, inet_ntoa(client_host), - service, instance, 0); + if(!strcmp(service, "changepw")){ + 
strcpy((char*)rpkt->dat, + "Can't authorize password changed based on TGT"); + return KERB_ERR_PRINCIPAL_UNKNOWN; + } - if (strcmp(ad->prealm, tktrlm)) { - kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't hop realms"); - return; - } - if (!strcmp(service, "changepw")) { - kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't authorize password changed based on TGT"); - return; - } - kerno = check_princ(service, instance, req_life, - &s_name_data); - if (kerno) { - kerb_err_reply(client, pkt, kerno, lt); - return; - } - /* Bound requested lifetime with service and user */ - lifetime = min(req_life, - krb_time_to_life(kerb_time.tv_sec,krb_life_to_time(ad->time_sec,ad->life))); - lifetime = min(lifetime, ((u_long) s_name_data.max_life)); - - /* unseal server's key from master key */ - bcopy(&s_name_data.key_low, key, 4); - bcopy(&s_name_data.key_high, ((long *) key) + 1, 4); - kdb_encrypt_key(&key, &key, &master_key, - master_key_schedule, DES_DECRYPT); - /* construct and seal the ticket */ - -#ifdef NOENCRYPTION - bzero(session_key, sizeof(des_cblock)); -#else - des_new_random_key(&session_key); -#endif - - krb_create_ticket(tk, k_flags, ad->pname, ad->pinst, - ad->prealm, client_host.s_addr, - session_key, lifetime, kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, - &key); - bzero(key, sizeof(key)); - bzero(key_s, sizeof(key_s)); - - create_ciph(ciph, session_key, service, instance, - local_realm, - lifetime, s_name_data.key_version, tk, - kerb_time.tv_sec, &ad->session); - - /* clear session key */ - bzero(session_key, sizeof(session_key)); - - bzero(ad->session, sizeof(ad->session)); - - rpkt = create_auth_reply(ad->pname, ad->pinst, - ad->prealm, time_ws, - 0, 0, 0, ciph); - sendto(f, rpkt->dat, rpkt->length, 0, (struct sockaddr*)client, S_AD_SZ); - bzero(&s_name_data, sizeof(s_name_data)); - break; + err = check_princ(service, sinst, life, &s_name); + if(err){ + strcpy((char*)rpkt->dat, krb_get_err_text(err)); + return err; 
} + life = min(life, + krb_time_to_life(kerb_time.tv_sec, + krb_life_to_time(ad.time_sec, + ad.life))); + life = min(life, s_name.max_life); + copy_to_key(&s_name.key_low, &s_name.key_high, key); + unseal(&key); + des_new_random_key(&session); + krb_create_ticket(tk, flags, ad.pname, ad.pinst, ad.prealm, + client->sin_addr.s_addr, &session, + life, kerb_time.tv_sec, + s_name.name, s_name.instance, + &key); + + memset(&key, 0, sizeof(key)); + create_ciph(ciph, session, service, sinst, local_realm, + life, s_name.key_version, tk, + kerb_time.tv_sec, &ad.session); -#ifdef notdef_DIE - case AUTH_MSG_DIE: + memset(&session, 0, sizeof(session)); + memset(ad.session, 0, sizeof(ad.session)); { - lt = klog(L_DEATH_REQ, - "Host: %s User: \"%s\" \"%s\" Kerberos killed", - inet_ntoa(client_host), req_name_ptr, req_inst_ptr, 0); - exit(0); + KTEXT r; + r =create_auth_reply(ad.pname, ad.pinst, ad.prealm, + req_time, 0, 0, 0, ciph); + memcpy(rpkt, r, sizeof(*rpkt)); } -#endif /* notdef_DIE */ - + memset(&s_name, 0, sizeof(s_name)); + return 0; + + case AUTH_MSG_ERR_REPLY: + return -1; default: - { - lt = klog(L_KRB_PERR, - "Unknown message type: %d from %s port %u", - req_msg_type, inet_ntoa(client_host), - ntohs(client->sin_port)); - break; - } + msg = klog(L_KRB_PERR, + "Unknown message type: %d from %s (%s/%u)", + msg_type, + inet_ntoa(client->sin_addr), + proto, + ntohs(server->sin_port)); + strcpy((char*)rpkt->dat, msg); + return KFAILURE; + } +} + + +static void +kerberos_wrap(int s, KTEXT data, char *proto, struct sockaddr_in *client, + struct sockaddr_in *server) +{ + KTEXT_ST pkt; + int http_flag = strcmp(proto, "http") == 0; + int err = kerberos(data->dat, data->length, proto, client, server, &pkt); + if(err == -1) + return; + if(http_flag){ + const char *msg = + "HTTP/1.1 200 OK\r\n" + "Server: KTH-KRB/" VERSION "\r\n" + "Content-type: application/octet-stream\r\n" + "Content-transfer-encoding: binary\r\n\r\n"; + sendto(s, msg, strlen(msg), 0, (struct sockaddr 
*)client, + sizeof(*client)); + } + if(err){ + kerb_err_reply(s, client, err, (char*)pkt.dat); + return; } + sendto(s, pkt.dat, pkt.length, 0, (struct sockaddr *)client, + sizeof(*client)); } + /* * setup_disc * @@ -570,16 +439,16 @@ setup_disc(void) int s; for (s = 0; s < 3; s++) { - (void) close(s); + close(s); } - (void) open("/dev/null", 0); - (void) dup2(0, 1); - (void) dup2(0, 2); + open("/dev/null", 0); + dup2(0, 1); + dup2(0, 2); setsid(); - (void) chdir("/tmp"); + chdir("/tmp"); return; } @@ -589,7 +458,8 @@ setup_disc(void) * Exit if it is; we don't want to tell lies. */ -static void check_db_age(void) +static void +check_db_age(void) { long age; 
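Review bot: The request parsing in kerberos() reads past whatever `len` allows: after the `len < 2` check, `krb_get_nir`, `krb_get_int` and `life = *p++` advance `p` through `buf` with no comparison against `buf + len` (the `/* XXX range check */` marks exactly this), and in the AUTH_MSG_APPL_REQUEST case `strcpy(realm, (char*)buf + 3)` copies an unbounded, possibly unterminated client string into the stack array `realm[REALM_SZ]` before `p = p + p[0] + p[1] + 2` steps by two client-chosen lengths. A truncated or oversized datagram from the network therefore becomes an out-of-bounds read or a stack overwrite inside the KDC rather than a rejected request. At minimum guard the realm copy with `if (len < 4 || memchr(buf + 3, '\0', len - 3) == NULL || strlen((char*)buf + 3) >= REALM_SZ) { strcpy((char*)rpkt->dat, "Packet too short"); return KFAILURE; }` and carry an end pointer (`buf + len`) into every `krb_get_nir`/`krb_get_int` step so each can fail instead of walking off the buffer; whether krb_get_nir itself bounds its output to ANAME_SZ/INST_SZ/REALM_SZ is not visible here. The repeated `strcpy((char*)rpkt->dat, msg)` also copies klog() output whose length is not bounded anywhere in this hunk.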
@@ -609,25 +479,159 @@ static void check_db_age(void) } } +struct descr{ + int s; + KTEXT_ST buf; + int type; + int timeout; + struct sockaddr_in addr; +}; + +static void +mksocket(struct descr *d, struct in_addr addr, int type, + const char *service, int port) +{ + int on = 1; + int sock; + + memset(d, 0, sizeof(struct descr)); + if ((sock = socket(AF_INET, type, 0)) < 0) + err (1, "socket"); + if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, + sizeof(on)) < 0) + warn ("setsockopt (SO_REUSEADDR)"); + memset(&d->addr, 0, sizeof(d->addr)); + d->addr.sin_family = AF_INET; + d->addr.sin_port = port; + d->addr.sin_addr = addr; + if (bind(sock, (struct sockaddr *)&d->addr, sizeof(d->addr)) < 0) + err (1, "bind '%s/%s' (%d)", + service, (type == SOCK_DGRAM) ? "udp" : "tcp", + ntohs(d->addr.sin_port)); + + if(type == SOCK_STREAM) + listen(sock, SOMAXCONN); + d->s = sock; + d->type = type; +} + + +static void loop(struct descr *fds, int maxfd); + +struct port_spec { + int port; + int type; +}; + +static int +add_port(struct port_spec **ports, int *num_ports, int port, int type) +{ + struct port_spec *tmp; + tmp = realloc(*ports, (*num_ports + 1) * sizeof(*tmp)); + if(tmp == NULL) + return ENOMEM; + *ports = tmp; + tmp[*num_ports].port = port; + tmp[*num_ports].type = type; + (*num_ports)++; + return 0; +} + +void make_sockets(char *port_spec, struct in_addr *i_addr, + struct descr **fds, int *nfds) +{ + int tp; + struct in_addr *a; + char *p, *q, *pos = NULL; + struct servent *sp; + struct port_spec *ports = NULL; + int num_ports = 0; + int i, j; + + + for(p = strtok_r(port_spec, " \t", &pos); + p; + p = strtok_r(NULL, " \t", &pos)){ + if(strcmp(p, "+") == 0){ + add_port(&ports, &num_ports, 88, SOCK_DGRAM); + add_port(&ports, &num_ports, 88, SOCK_STREAM); + add_port(&ports, &num_ports, 750, SOCK_DGRAM); + add_port(&ports, &num_ports, 750, SOCK_STREAM); + }else{ + q = strchr(p, '/'); + if(q){ + *q = 0; + q++; + } + sp = getservbyname(p, q); + if(sp) + tp = 
ntohs(sp->s_port); + else if(sscanf(p, "%d", &tp) != 1) { + warnx("Unknown port: %s%s%s", p, q ? "/" : "", q ? q : ""); + continue; + } + if(q){ + if(strcasecmp(q, "tcp") == 0) + add_port(&ports, &num_ports, tp, SOCK_STREAM); + else if(strcasecmp(q, "udp") == 0) + add_port(&ports, &num_ports, tp, SOCK_DGRAM); + else + warnx("Unknown protocol type: %s", q); + }else{ + add_port(&ports, &num_ports, tp, SOCK_DGRAM); + add_port(&ports, &num_ports, tp, SOCK_STREAM); + } + } + } + + if(num_ports == 0) + errx(1, "No valid ports specified!"); + + if (i_addr) { + *nfds = 1; + a = malloc(sizeof(*a) * *nfds); + memcpy(a, i_addr, sizeof(struct in_addr)); + } else + *nfds = k_get_all_addrs (&a); + if (*nfds < 0) { + struct in_addr any; + + any.s_addr = INADDR_ANY; + + warnx ("Could not get local addresses, binding to INADDR_ANY"); + *nfds = 1; + a = malloc(sizeof(*a) * *nfds); + memcpy(a, &any, sizeof(struct in_addr)); + } + *fds = malloc(*nfds * num_ports * sizeof(**fds)); + for (i = 0; i < *nfds; i++) { + for(j = 0; j < num_ports; j++) { + mksocket(*fds + num_ports * i + j, a[i], + ports[j].type, "", htons(ports[j].port)); + } + } + *nfds *= num_ports; + free(ports); + free (a); +} + + int main(int argc, char **argv) { - struct sockaddr_in from; - register int n; - int on = 1; int child; - struct servent *sp; - int fromlen; - static KTEXT_ST pkt_st; - KTEXT pkt = &pkt_st; - int kerror; int c; - extern char *optarg; - extern int optind; + struct descr *fds; + int nfds; + int n; + int kerror; + int i_flag = 0; + struct in_addr i_addr; + char *port_spec = "+"; - progname = argv[0]; + umask(077); /* Create protected files */ - while ((c = getopt(argc, argv, "snmp:a:l:r:")) != -1) { + while ((c = getopt(argc, argv, "snmp:P:a:l:r:i:")) != EOF) { switch(c) { case 's': /* 
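Review bot: make_sockets ignores every allocation failure on its startup path: the return of add_port (which reports ENOMEM) is dropped at every call site, and `a = malloc(...)` and `*fds = malloc(...)` are passed straight to memcpy and mksocket without a NULL check. Since this runs once at startup and the file already uses err()/errx(), the simplest fix is to fail hard: `if (a == NULL) err(1, "malloc");` after the address setup, `if (*fds == NULL) err(1, "malloc");` after the descriptor allocation, and `err(1, "realloc")` in add_port in place of `return ENOMEM` (or a check at each call). Two smaller points: `make_sockets` is the only non-static function among the new helpers, and the getopt loop in main now compares against `EOF` where it previously used `-1`, which is the sentinel getopt documents.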
@@ -637,10 +641,6 @@ main(int argc, char **argv) max_age = ONE_DAY; /* 24 hours */ if (pause_int == -1) pause_int = FIVE_MINUTES; /* 5 minutes */ - if (lflag == 0) { - log_file = KRBSLAVELOG; - lflag++; - } break; case 'n': max_age = -1; /* don't check max age. */ @@ -659,6 +659,9 @@ main(int argc, char **argv) usage(); } break; + case 'P': + port_spec = optarg; + break; case 'a': /* Set max age. */ if (!isdigit(optarg[0])) @@ -671,7 +674,6 @@ main(int argc, char **argv) break; case 'l': /* Set alternate log file */ - lflag++; log_file = optarg; break; case 'r': @@ -679,12 +681,20 @@ main(int argc, char **argv) rflag++; strcpy(local_realm, optarg); break; + case 'i': + /* Only listen on this address */ + if(inet_aton (optarg, &i_addr) == 0) { + fprintf (stderr, "Bad address: %s\n", optarg); + exit (1); + } + ++i_flag; + break; default: usage(); break; } } - + if (optind == (argc-1)) { if (kerb_db_set_name(argv[optind]) != 0) { fprintf(stderr, "Could not set alternate database name\n"); 
@@ -707,40 +717,22 @@ main(int argc, char **argv) if (mflag) printf("\tMaster key will be entered manually\n"); - printf("\tLog file is %s\n", lflag ? log_file : KRBLOG); + printf("\tLog file is %s\n", log_file); - if (lflag) - kset_logfile(log_file); + kset_logfile(log_file); /* find our hostname, and use it as the instance */ - if (gethostname(k_instance, INST_SZ)) { - fprintf(stderr, "%s: gethostname error\n", progname); - exit(1); - } - - if ((sp = getservbyname("kerberos", "udp")) == 0) { - fprintf(stderr, "%s: udp/kerberos unknown service\n", progname); - exit(1); - } - sina.sin_port = sp->s_port; + if (k_gethostname(k_instance, INST_SZ)) + err (1, "gethostname"); - if ((f = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { - fprintf(stderr, "%s: Can't open socket\n", progname); - exit(1); - } - if (setsockopt(f, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) - fprintf(stderr, "%s: setsockopt (SO_REUSEADDR)\n", progname); + make_sockets(port_spec, i_flag ? &i_addr : NULL, &fds, &nfds); - if (bind(f, (struct sockaddr*)&sina, sizeof(sina)) < 0) { - fprintf(stderr, "%s: Can't bind socket\n", progname); - exit(1); - } /* do all the database and cache inits */ if ((n = kerb_init())) { if (mflag) { printf("Kerberos db and cache init "); printf("failed = %d ...exiting\n", n); - exit(-1); + exit (1); } else { klog(L_KRB_PERR, "Kerberos db and cache init failed = %d ...exiting", n); 
@@ -753,15 +745,15 @@ main(int argc, char **argv) /* setup master key */ if (kdb_get_master_key (mflag, &master_key, master_key_schedule) != 0) { - klog (L_KRB_PERR, "kerberos: couldn't get master key.\n"); - exit (-1); + klog (L_KRB_PERR, "kerberos: couldn't get master key."); + exit (1); } kerror = kdb_verify_master_key (&master_key, master_key_schedule, stdout); if (kerror < 0) { klog (L_KRB_PERR, "Can't verify master key."); - bzero (master_key, sizeof (master_key)); - bzero (master_key_schedule, sizeof (master_key_schedule)); - exit (-1); + memset(master_key, 0, sizeof (master_key)); + memset (master_key_schedule, 0, sizeof (master_key_schedule)); + exit (1); } master_key_version = (u_char) kerror; 
@@ -790,28 +782,170 @@ main(int argc, char **argv) } setup_disc(); } + + klog(L_ALL_REQ, "Starting Kerberos for %s (kvno %d)", + local_realm, master_key_version); + /* receive loop */ + loop(fds, nfds); + exit(1); +} + + +void +read_socket(struct descr *n) +{ + int b; + struct sockaddr_in from; + int fromlen = sizeof(from); + b = recvfrom(n->s, n->buf.dat + n->buf.length, + MAX_PKT_LEN - n->buf.length, 0, + (struct sockaddr *)&from, &fromlen); + if(b < 0){ + if(n->type == SOCK_STREAM){ + close(n->s); + n->s = -1; + } + n->buf.length = 0; + return; + } + n->buf.length += b; + if(n->type == SOCK_STREAM){ + char *proto = "tcp"; + if(n->buf.length > 4 && + strncmp(n->buf.dat, "GET ", 4) == 0 && + strncmp(n->buf.dat + n->buf.length - 4, + "\r\n\r\n", 4) == 0){ + char *p; + n->buf.dat[n->buf.length - 1] = 0; + strtok(n->buf.dat, " \t\r\n"); + p = strtok(NULL, " \t\r\n"); + if(p == NULL) + p = ""; + if(*p == '/') p++; + p = strdup(p); + n->buf.length = base64_decode(p, n->buf.dat); + free(p); + if(n->buf.length <= 0){ + const char *msg = + "HTTP/1.1 404 Not found\r\n" + "Server: KTH-KRB/" VERSION "\r\n" + "Content-type: text/html\r\n" + "Content-transfer-encoding: 8bit\r\n\r\n" + "<TITLE>404 Not found</TITLE>\r\n" + "<H1>404 Not found</H1>\r\n" + "That page does not exist. 
Information about " + "<A HREF=\"http://www.pdc.kth.se/kth-krb\">KTH-KRB</A> " + "is available elsewhere.\r\n"; + write(n->s, msg, strlen(msg)); + close(n->s); + n->s = -1; + n->buf.length = 0; + return; + } + proto = "http"; + b = 0; + } + else if(n->buf.length >= 4 && n->buf.dat[0] == 0){ + /* if this is a new type of packet (with + the length attached to the head of the + packet), and there is no more data to + be read, fake an old packet, so the + code below will work */ + u_int32_t len; + krb_get_int(n->buf.dat, &len, 4, 0); + if(n->buf.length == len + 4){ + memmove(n->buf.dat, n->buf.dat + 4, len); + b = 0; + } + } + if(b == 0){ + /* handle request if there are + no more bytes to read */ + fromlen = sizeof(from); + getpeername(n->s,(struct sockaddr*)&from, &fromlen); + kerberos_wrap(n->s, &n->buf, proto, &from, + &n->addr); + n->buf.length = 0; + close(n->s); + n->s = -1; + } + }else{ + /* udp packets are atomic */ + kerberos_wrap(n->s, &n->buf, "udp", &from, + &n->addr); + n->buf.length = 0; + } +} + +static void +loop(struct descr *fds, int nfds) +{ for (;;) { - fromlen = S_AD_SZ; - n = recvfrom(f, pkt->dat, MAX_PKT_LEN, 0, (struct sockaddr*)&from, &fromlen); - if (n > 0) { - pkt->length = n; - pkt->mbz = 0; /* force zeros to catch runaway strings */ - /* see what is left in the input queue */ - ioctl(f, FIONREAD, &q_bytes); - gettimeofday(&kerb_time, NULL); - q_n++; - max_q_n = max(max_q_n, q_n); - n_packets++; - klog(L_NET_INFO, - "q_byt %d, q_n %d, rd_byt %d, mx_q_b %d, mx_q_n %d, n_pkt %d", - q_bytes, q_n, n, max_q_bytes, max_q_n, n_packets, 0); - max_q_bytes = max(max_q_bytes, q_bytes); - if (!q_bytes) - q_n = 0; /* reset consecutive packets */ - kerberos(&from, pkt); - } else - klog(L_NET_ERR, - "%s: bad recvfrom n = %d errno = %d", progname, n, errno, 0); + int ret; + fd_set readfds; + struct timeval tv; + int maxfd = 0; + struct descr *n, *minfree; + int accepted; /* accept at most one socket per `round' */ + + FD_ZERO(&readfds); + gettimeofday(&tv, 
NULL); + maxfd = 0; + minfree = NULL; + /* Remove expired TCP sockets, and add all other + to the set we are selecting on */ + for(n = fds; n < fds + nfds; n++){ + if(n->s >= 0 && n->timeout && tv.tv_sec > n->timeout){ + kerb_err_reply(n->s, NULL, KERB_ERR_TIMEOUT, "Timeout"); + close(n->s); + n->s = -1; + } + if(n->s < 0){ + if(minfree == NULL) minfree = n; + continue; + } + FD_SET(n->s, &readfds); + maxfd = max(maxfd, n->s); + } + /* add more space for sockets */ + if(minfree == NULL){ + int i = nfds; + struct descr *new; + nfds *=2; + new = realloc(fds, sizeof(struct descr) * nfds); + if(new){ + fds = new; + minfree = fds + i; + for(; i < nfds; i++) fds[i].s = -1; + } + } + ret = select(maxfd + 1, &readfds, 0, 0, 0); + accepted = 0; + for (n = fds; n < fds + nfds; n++){ + if(n->s < 0) continue; + if (FD_ISSET(n->s, &readfds)){ + if(n->type == SOCK_STREAM && n->timeout == 0){ + /* add accepted socket to list of sockets we are + selecting on */ + int s; + if(accepted) continue; + accepted = 1; + s = accept(n->s, NULL, 0); + if(minfree == NULL){ + kerb_err_reply(s, NULL, KFAILURE, "Out of memory"); + close(s); + }else{ + minfree->s = s; + minfree->type = SOCK_STREAM; + gettimeofday(&tv, NULL); + minfree->timeout = tv.tv_sec + 4; /* XXX */ + minfree->buf.length = 0; + memcpy(&minfree->addr, &n->addr, sizeof(minfree->addr)); + } + }else + read_socket(n); + } + } } } diff --git a/kerberosIV/kinit/kinit.c b/kerberosIV/kinit/kinit.c index bd7ca653887..d3aa92b8661 100644 --- a/kerberosIV/kinit/kinit.c +++ b/kerberosIV/kinit/kinit.c @@ -1,4 +1,7 @@ -/* $Id: kinit.c,v 1.1 1995/12/14 06:52:51 tholo Exp $ */ +/* $Id: kinit.c,v 1.2 1997/11/28 12:48:47 art Exp $ */ +/* $KTH: kinit.c,v 1.15 1997/03/30 18:58:46 assar Exp $ */ + + /*- * Copyright 1987, 1988 by the Student Information Processing Board 
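Review bot: In loop(), `nfds *= 2` happens before the realloc result is known, so when `realloc` fails `nfds` is doubled while `fds` keeps its old size and the following `for (n = fds; n < fds + nfds; n++)` walks past the allocation. Just after it, `ret = select(...)` is never examined; on failure (EINTR included) the contents of `readfds` are unspecified and the loop goes on to FD_ISSET/read_socket on descriptors that may not be readable, which for a UDP socket means a blocking recvfrom that stalls the whole server. In read_socket (same hunk) the `strdup(p)` and `getpeername` results are likewise unchecked, and an `accept` returning -1 is stored into `minfree->s` without a test. The rewrite below keeps the old size until realloc succeeds and handles the select error; the rest of loop() and read_socket is unchanged.
```c
        /* … unchanged: expired-socket sweep and FD_SET loop … */
        if (minfree == NULL) {
            int i = nfds;
            int want = nfds * 2;
            struct descr *new = realloc(fds, sizeof(struct descr) * want);
            if (new) {
                fds = new;
                nfds = want;   /* grow the count only once the memory exists */
                minfree = fds + i;
                for (; i < nfds; i++)
                    fds[i].s = -1;
            }
        }
        ret = select(maxfd + 1, &readfds, 0, 0, 0);
        if (ret < 0) {
            if (errno == EINTR)
                continue;      /* readfds is unspecified after an error */
            err(1, "select");
        }
        /* … unchanged: accept / read_socket dispatch … */
```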
@@ -28,55 +31,50 @@ * -r[realm] * -v[erbose] * -l[ifetime] + * -p */ #include <kuser_locl.h> #include <sys/param.h> #define LIFE DEFAULT_TKT_LIFE /* lifetime of ticket in 5-minute units */ +#define CHPASSLIFE 2 -char *progname; +char progname[] = "kinit"; static void -get_input(s, size, stream) -char *s; -int size; -FILE *stream; +get_input(char *s, int size, FILE *stream) { - char *p; + char *p; - if (fgets(s, size, stream) == NULL) - exit(1); - if ( (p = strchr(s, '\n')) != NULL) - *p = '\0'; + if (fgets(s, size, stream) == NULL) + exit(1); + if ( (p = strchr(s, '\n')) != NULL) + *p = '\0'; } - static void -usage() +usage(void) { - fprintf(stderr, "Usage: %s [-irvl] [name]\n", progname); + fprintf(stderr, "Usage: %s [-irvlp] [name]\n", progname); exit(1); } int -main(argc, argv) - int argc; - char *argv[]; +main(int argc, char **argv) { char aname[ANAME_SZ]; char inst[INST_SZ]; char realm[REALM_SZ]; char buf[MAXHOSTNAMELEN]; + char name[MAX_K_NAME_SZ]; char *username = NULL; - int iflag, rflag, vflag, lflag, lifetime, k_errno; - register char *cp; - register i; + int iflag, rflag, vflag, lflag, pflag, lifetime, k_errno; + int i; *inst = *realm = '\0'; - iflag = rflag = vflag = lflag = 0; + iflag = rflag = vflag = lflag = pflag = 0; lifetime = LIFE; - progname = (cp = strrchr(*argv, '/')) ? cp + 1 : *argv; while (--argc) { if ((*++argv)[0] != '-') { 
@@ -99,22 +97,22 @@ main(argc, argv) case 'l': ++lflag; continue; + case 'p': + ++pflag; /* chpass-tickets */ + lifetime = CHPASSLIFE; + break; default: usage(); - exit(1); } } if (username && - (k_errno = kname_parse(aname, inst, realm, username)) - != KSUCCESS) { - fprintf(stderr, "%s: %s\n", progname, krb_err_txt[k_errno]); + (k_errno = kname_parse(aname, inst, realm, username)) != KSUCCESS) { + warnx("%s", krb_get_err_text(k_errno)); iflag = rflag = 1; username = NULL; } - if (gethostname(buf, MAXHOSTNAMELEN)) { - fprintf(stderr, "%s: gethostname failed\n", progname); - exit(1); - } + if (k_gethostname(buf, MAXHOSTNAMELEN)) + errx(1, "k_gethostname failed"); printf("%s (%s)\n", ORGANIZATION, buf); if (username) { printf("Kerberos Initialization for \"%s", aname); @@ -126,33 +124,24 @@ main(argc, argv) } else { printf("Kerberos Initialization\n"); printf("Kerberos name: "); - get_input(aname, sizeof(aname), stdin); - if (!*aname) - exit(0); - if (!k_isname(aname)) { - fprintf(stderr, "%s: bad Kerberos name format\n", - progname); - exit(1); - } + get_input(name, sizeof(name), stdin); + if (!*name) + return 0; + if ((k_errno = kname_parse(aname, inst, realm, name)) != KSUCCESS ) + errx(1, "%s", krb_get_err_text(k_errno)); } /* optional instance */ if (iflag) { printf("Kerberos instance: "); get_input(inst, sizeof(inst), stdin); - if (!k_isinst(inst)) { - fprintf(stderr, "%s: bad Kerberos instance format\n", - progname); - exit(1); - } + if (!k_isinst(inst)) + errx(1, "bad Kerberos instance format"); } if (rflag) { printf("Kerberos realm: "); get_input(realm, sizeof(realm), stdin); - if (!k_isrealm(realm)) { - fprintf(stderr, "%s: bad Kerberos realm format\n", - progname); - exit(1); - } + if (!k_isrealm(realm)) + errx(1, "bad Kerberos realm format"); } if (lflag) { printf("Kerberos ticket lifetime (minutes): "); 
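Review bot: the new `case 'p':` ends with `break;` while every sibling case ends with `continue;`; if the switch is the whole body of the per-character loop (its header is above this hunk) the two are equivalent, but the mixed form makes a reader hunt for a difference that is not there. Use `continue;` like the other cases, or add a comment saying why this one differs. The `lifetime = CHPASSLIFE` assigned here is a parse-time default that later prompting can overwrite, which is worth a comment on the `-p` case as well.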
@@ -161,24 +150,23 @@ main(argc, argv) if (lifetime < 5) lifetime = 1; else - lifetime /= krb_time_to_life(0, lifetime*60); + lifetime = krb_time_to_life(0, lifetime*60); /* This should be changed if the maximum ticket lifetime */ /* changes */ if (lifetime > 255) lifetime = 255; } - if (!*realm && krb_get_lrealm(realm, 1)) { - fprintf(stderr, "%s: krb_get_lrealm failed\n", progname); - exit(1); - } - k_errno = krb_get_pw_in_tkt(aname, inst, realm, "krbtgt", realm, + if (!*realm && krb_get_lrealm(realm, 1)) + errx(1, "krb_get_lrealm failed"); + k_errno = krb_get_pw_in_tkt(aname, inst, realm, + pflag ? PWSERV_NAME : + KRB_TICKET_GRANTING_TICKET, + pflag ? KADM_SINST : realm, lifetime, 0); if (vflag) { printf("Kerberos realm %s:\n", realm); - printf("%s\n", krb_err_txt[k_errno]); - } else if (k_errno) { - fprintf(stderr, "%s: %s\n", progname, krb_err_txt[k_errno]); - exit(1); - } + printf("%s\n", krb_get_err_text(k_errno)); + } else if (k_errno) + errx(1, "%s", krb_get_err_text(k_errno)); exit(0); } diff --git a/kerberosIV/klist/Makefile b/kerberosIV/klist/Makefile index 9f9c2acbe57..c0e03f4818f 100644 --- a/kerberosIV/klist/Makefile +++ b/kerberosIV/klist/Makefile @@ -1,9 +1,9 @@ # from @(#)Makefile 8.1 (Berkeley) 6/1/93 -# $Id: Makefile,v 1.1 1995/12/14 06:52:50 tholo Exp $ +# $Id: Makefile,v 1.2 1997/11/28 12:48:48 art Exp $ PROG= klist DPADD= ${LIBKRB} ${LIBDES} -LDADD= -lkrb -ldes +LDADD= -lkrb -ldes -lkafs BINDIR= /usr/bin .include <bsd.prog.mk> diff --git a/kerberosIV/klist/klist.c b/kerberosIV/klist/klist.c index 90ccd7c91c2..e16b353b37c 100644 --- a/kerberosIV/klist/klist.c +++ b/kerberosIV/klist/klist.c 
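Review bot: when `-p` and `-l` are both given, the CHPASSLIFE (2 units) set during option parsing is overwritten here by the user-entered lifetime (`lifetime = krb_time_to_life(0, lifetime*60)`, capped only at 255), so a password-changing ticket can be requested with a long life; if the short life is the point of `-p`, the prompt should be skipped for it, i.e. `if (lflag && !pflag) {` on the `if (lflag)` that opens this block in the preceding hunk's context. Separately, under `-v` a failed krb_get_pw_in_tkt() is printed and execution still reaches `exit(0)`, so scripts using `-v` cannot detect failure; `exit(k_errno ? 1 : 0)` keeps the verbose output and the exit status honest.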
@@ -1,51 +1,41 @@ -/* $Id: klist.c,v 1.1 1995/12/14 06:52:50 tholo Exp $ */ - -/*- - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. - */ +/* $KTH: klist.c,v 1.28 1997/05/26 17:33:50 bg Exp $ */ /* + * Copyright 1987, 1988 by the Massachusetts Institute of Technology. + * + * For copying and distribution information, please see the file + * <mit-copyright.h>. + * * Lists your current Kerberos tickets. * Written by Bill Sommerfeld, MIT Project Athena. */ -#include <kuser_locl.h> +#include "kuser_locl.h" + +#include <sys/ioctl.h> +#include <sys/ioccom.h> +#include <kerberosIV/kafs.h> -char *whoami; /* What was I invoked as?? 
*/ +static int option_verbose = 0; + +static char progname[]="klist"; static char * -short_date(dp) - time_t *dp; +short_date(int32_t dp) { - register char *cp; + char *cp; + time_t t = (time_t)dp; - if (*dp == (time_t)(-1L)) return "*** Never *** "; - cp = ctime(dp) + 4; + if (t == (time_t)(-1L)) return "*** Never *** "; + cp = ctime(&t) + 4; cp[15] = '\0'; return (cp); } static void -display_tktfile(file, tgt_test, long_form) -char *file; -int tgt_test, long_form; +display_tktfile(char *file, int tgt_test, int long_form) { - char pname[ANAME_SZ]; - char pinst[INST_SZ]; - char prealm[REALM_SZ]; + krb_principal pr; char buf1[20], buf2[20]; int k_errno; CREDENTIALS c; @@ -70,11 +60,11 @@ int tgt_test, long_form; /* Open ticket file */ if ((k_errno = tf_init(file, R_TKT_FIL))) { if (!tgt_test) - fprintf(stderr, "%s: %s\n", whoami, krb_err_txt[k_errno]); + warnx("%s", krb_get_err_text(k_errno)); exit(1); } /* Close ticket file */ - (void) tf_close(); + tf_close(); /* * We must find the realm of the ticket file here before calling 
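Review bot: short_date() returns a pointer into ctime()'s static buffer after truncating it in place (`cp[15] = '\0'`), so the result is only valid until the next ctime()/short_date() call and is silently clobbered by a second call in the same expression; the callers in this file copy or print it immediately, but nothing documents that contract. Suggest a comment above the function: `/* Returns a pointer into ctime()'s static buffer, cut to "Mon dd hh:mm:ss"; copy it before calling again. */`. ctime() may return NULL for a time it cannot format; with an int32_t argument that should not happen, but a `if (cp == NULL) return "*** Invalid *** ";` before the `+ 4` would make the assumption explicit. display_tktfile's body continues past the end of this hunk.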
@@ -82,25 +72,25 @@ int tgt_test, long_form; * really stored in the principal section of the file, the * routine we use must itself call tf_init and tf_close. */ - if ((k_errno = krb_get_tf_realm(file, prealm)) != KSUCCESS) { + if ((k_errno = krb_get_tf_realm(file, pr.realm)) != KSUCCESS) { if (!tgt_test) - fprintf(stderr, "%s: can't find realm of ticket file: %s\n", - whoami, krb_err_txt[k_errno]); + warnx("can't find realm of ticket file: %s", + krb_get_err_text(k_errno)); exit(1); } /* Open ticket file */ if ((k_errno = tf_init(file, R_TKT_FIL))) { if (!tgt_test) - fprintf(stderr, "%s: %s\n", whoami, krb_err_txt[k_errno]); + warnx("%s", krb_get_err_text(k_errno)); exit(1); } /* Get principal name and instance */ - if ((k_errno = tf_get_pname(pname)) || - (k_errno = tf_get_pinst(pinst))) { - if (!tgt_test) - fprintf(stderr, "%s: %s\n", whoami, krb_err_txt[k_errno]); - exit(1); + if ((k_errno = tf_get_pname(pr.name)) || + (k_errno = tf_get_pinst(pr.instance))) { + if (!tgt_test) + warnx("%s", krb_get_err_text(k_errno)); + exit(1); } /* @@ -111,19 +101,18 @@ int tgt_test, long_form; */ if (!tgt_test && long_form) - printf("Principal:\t%s%s%s%s%s\n\n", pname, - (pinst[0] ? "." : ""), pinst, - (prealm[0] ? "@" : ""), prealm); + printf("Principal:\t%s\n\n", krb_unparse_name(&pr)); while ((k_errno = tf_get_cred(&c)) == KSUCCESS) { if (!tgt_test && long_form && header) { - printf("%-15s %-15s %s\n", - " Issued", " Expires", " Principal"); + printf("%-15s %-15s %s%s\n", + " Issued", " Expires", " Principal", + option_verbose ? " (kvno)" : ""); header = 0; } if (tgt_test) { c.issue_date = krb_life_to_time(c.issue_date, c.lifetime); - if (!strcmp(c.service, TICKET_GRANTING_TICKET) && - !strcmp(c.instance, prealm)) { + if (!strcmp(c.service, KRB_TICKET_GRANTING_TICKET) && + !strcmp(c.instance, pr.realm)) { if (time(0) < c.issue_date) exit(0); /* tgt hasn't expired */ else 
@@ -132,17 +121,18 @@ int tgt_test, long_form; continue; /* not a tgt */ } if (long_form) { - (void) strcpy(buf1, short_date(&c.issue_date)); + strcpy(buf1, short_date(c.issue_date)); c.issue_date = krb_life_to_time(c.issue_date, c.lifetime); if (time(0) < (unsigned long) c.issue_date) - (void) strcpy(buf2, short_date(&c.issue_date)); + strcpy(buf2, short_date(c.issue_date)); else - (void) strcpy(buf2, ">>> Expired <<< "); + strcpy(buf2, ">>> Expired <<<"); printf("%s %s ", buf1, buf2); } - printf("%s%s%s%s%s\n", - c.service, (c.instance[0] ? "." : ""), c.instance, - (c.realm[0] ? "@" : ""), c.realm); + printf("%s", krb_unparse_name_long(c.service, c.instance, c.realm)); + if(long_form && option_verbose) + printf(" (%d)", c.kvno); + printf("\n"); } if (tgt_test) exit(1); /* no tgt found */ @@ -165,12 +155,9 @@ int tgt_test, long_form; */ static int -ok_getst(fd, s, n) - int fd; - register char *s; - int n; +ok_getst(int fd, char *s, int n) { - register count = n; + int count = n; int err; while ((err = read(fd, s, 1)) > 0 && --count) if (*s++ == '\0') 
@@ -182,8 +169,40 @@ ok_getst(fd, s, n) } static void -display_srvtab(file) -char *file; +display_tokens() +{ + u_int32_t i; + unsigned char t[128]; + struct ViceIoctl parms; + struct ClearToken ct; + int size_secret_tok, size_public_tok; + + parms.in = (void *)&i; + parms.in_size = sizeof(i); + parms.out = (void *)t; + parms.out_size = sizeof(t); + + for (i = 0; k_pioctl(NULL, VIOCGETTOK, &parms, 0) == 0; i++) { + char *cell; + memcpy(&size_secret_tok, t, 4); + memcpy(&size_public_tok, t + 4 + size_secret_tok, 4); + memcpy(&ct, t + 4 + size_secret_tok + 4, size_public_tok); + cell = t + 4 + size_secret_tok + 4 + size_public_tok + 4; + + printf("%-15s ", short_date(ct.BeginTimestamp)); + printf("%-15s ", short_date(ct.EndTimestamp)); + if ((ct.EndTimestamp - ct.BeginTimestamp) & 1) + printf("User's (AFS ID %d) tokens for %s", ct.ViceId, cell); + else + printf("Tokens for %s", cell); + if (option_verbose) + printf(" (%d)", ct.AuthHandle); + putchar('\n'); + } +} + +static void +display_srvtab(char *file) { int stab; char serv[SNAME_SZ]; 
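Review bot: the two length fields pulled out of the VIOCGETTOK reply (`size_secret_tok`, `size_public_tok`) are used as offsets and memcpy lengths without any check against `sizeof(t)` or `sizeof(ct)`, so a reply carrying an oversized or negative length reads past the 128-byte `t` and overflows `ct` on the stack, and `cell` is then printed with `%s` without knowing that a NUL lies inside `t`. The reply comes from the AFS cache manager through k_pioctl rather than from the network, so the exposure is a misbehaving or hostile cache manager rather than a remote peer, but the parse should still be bounded. The rewrite below validates each length before it is used and stops at the first malformed token; if the public token is always exactly `sizeof(struct ClearToken)`, `!= sizeof(ct)` is the tighter check. `cell` is also assigned from `unsigned char *` arithmetic into a `char *` with no cast.
```c
    for (i = 0; k_pioctl(NULL, VIOCGETTOK, &parms, 0) == 0; i++) {
	char *cell;
	size_t off;

	memcpy(&size_secret_tok, t, 4);
	if (size_secret_tok < 0 || (size_t)size_secret_tok > sizeof(t) - 8)
	    break;		/* reply shorter than its own header */
	off = 4 + size_secret_tok;
	memcpy(&size_public_tok, t + off, 4);
	off += 4;
	if (size_public_tok < 0 || (size_t)size_public_tok > sizeof(ct)
	    || off + (size_t)size_public_tok + 4 > sizeof(t))
	    break;		/* would overrun ct or t */
	memcpy(&ct, t + off, size_public_tok);
	off += size_public_tok + 4;
	cell = (char *)t + off;
	if (memchr(cell, '\0', sizeof(t) - off) == NULL)
	    break;		/* cell name not NUL-terminated inside t */
	/* … unchanged: printing of the token … */
    }
```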
@@ -207,44 +226,44 @@ char *file; while (((count = ok_getst(stab, serv, SNAME_SZ)) > 0) && ((count = ok_getst(stab, inst, INST_SZ)) > 0) && ((count = ok_getst(stab, rlm, REALM_SZ)) > 0)) { - if (((count = read(stab,(char *) &vno,1)) != 1) || - ((count = read(stab,(char *) key,8)) != 8)) { + if (((count = read(stab, &vno,1)) != 1) || + ((count = read(stab, key,8)) != 8)) { if (count < 0) - perror("reading from key file"); + err(1, "reading from key file"); else - fprintf(stderr, "key file truncated\n"); - exit(1); + errx(1, "key file truncated"); } printf("%-15s %-15s %-15s %d\n",serv,inst,rlm,vno); } if (count < 0) - perror(file); - (void) close(stab); + warn(file); + close(stab); } static void -usage() +usage(void) { fprintf(stderr, - "Usage: %s [ -s | -t ] [ -file filename ] [ -srvtab ]\n", whoami); + "Usage: %s [ -v | -s | -t ] [ -f filename ] [-tokens] [-srvtab ]\n", + progname); exit(1); } /* ARGSUSED */ int -main(argc, argv) - int argc; - char **argv; +main(int argc, char **argv) { int long_form = 1; int tgt_test = 0; int do_srvtab = 0; + int do_tokens = 0; char *tkt_file = NULL; - char *cp; - - whoami = (cp = strrchr(*argv, '/')) ? cp + 1 : *argv; while (*(++argv)) { + if (!strcmp(*argv, "-v")) { + option_verbose = 1; + continue; + } if (!strcmp(*argv, "-s")) { long_form = 0; continue; @@ -254,10 +273,15 @@ main(argc, argv) long_form = 0; continue; } + if (strcmp(*argv, "-tokens") == 0 + || strcmp(*argv, "-T") == 0) { + do_tokens = k_hasafs(); + continue; + } if (!strcmp(*argv, "-l")) { /* now default */ continue; } - if (!strcmp(*argv, "-file")) { + if (!strncmp(*argv, "-f", 2)) { if (*(++argv)) { tkt_file = *argv; continue; @@ -278,5 +302,7 @@ main(argc, argv) display_srvtab(tkt_file); else display_tktfile(tkt_file, tgt_test, long_form); + if (long_form && do_tokens) + display_tokens(); exit(0); } diff --git a/kerberosIV/krb/Makefile b/kerberosIV/krb/Makefile index d7bf05e3e05..295aa22d559 100644 --- a/kerberosIV/krb/Makefile +++ b/kerberosIV/krb/Makefile 
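Review bot: `warn(file)` passes the `-f` filename as the format string, so a name containing `%` is interpreted as conversion specifiers; it should be `warn("%s", file);`. The 8-byte service key read into `key` is only stepped over, never printed, yet it stays on the stack after display_srvtab returns; clearing it after the loop (`memset(key, 0, sizeof key)`, or explicit_bzero where available, since a plain memset before return may be optimised away) avoids leaving key material behind — `key`'s declaration is above this hunk, so confirm its size there. A one-line comment on display_srvtab stating the on-disk record layout it expects (three NUL-terminated strings, a version byte, an 8-byte key) would also help the next reader.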
@@ -1,19 +1,83 @@ # @(#)Makefile 8.1 (Berkeley) 6/1/93 LIB= krb -CFLAGS+=-I${.CURDIR} -SRCS= cr_err_reply.c create_auth_reply.c create_ciph.c \ - create_death_packet.c create_ticket.c debug_decl.c decomp_ticket.c \ - dest_tkt.c extract_ticket.c fgetst.c get_ad_tkt.c get_admhst.c \ - get_cred.c get_in_tkt.c get_krbhst.c get_krbrlm.c get_phost.c \ - get_pw_tkt.c get_request.c get_svc_in_tkt.c get_tf_fullname.c \ - get_tf_realm.c getrealm.c getst.c in_tkt.c k_localtime.c klog.c \ - kname_parse.c kntoln.c kparse.c krb_err.c krb_err_txt.c \ - krb_get_in_tkt.c kuserok.c lifetime.c log.c mk_err.c mk_priv.c \ - mk_req.c mk_safe.c month_sname.c netread.c netwrite.c one.c \ - pkt_cipher.c pkt_clen.c rd_err.c rd_priv.c rd_req.c rd_safe.c \ - read_service_key.c recvauth.c save_credentials.c send_to_kdc.c \ - sendauth.c str2key.c tf_util.c tkt_string.c +CFLAGS+=-I${.CURDIR} -DPARANOIA +SRCS= cr_err_reply.c \ + create_auth_reply.c \ + create_ciph.c \ + create_death_packet.c \ + create_ticket.c \ + dest_tkt.c \ + get_in_tkt.c \ + get_svc_in_tkt.c \ + getrealm.c \ + k_localtime.c \ + krb_err_txt.c \ + krb_get_in_tkt.c \ + kuserok.c \ + parse_name.c \ + kntoln.c \ + mk_auth.c \ + krb_check_auth.c \ + mk_err.c \ + mk_safe.c \ + rd_err.c \ + rd_safe.c \ + recvauth.c \ + mk_priv.c \ + rd_req.c \ + decomp_ticket.c \ + lifetime.c \ + month_sname.c \ + stime.c \ + read_service_key.c \ + getst.c \ + sendauth.c \ + netread.c \ + netwrite.c \ + rd_priv.c \ + krb_equiv.c \ + str2key.c \ + get_ad_tkt.c \ + mk_req.c \ + get_cred.c \ + get_tf_realm.c \ + get_tf_fullname.c \ + one.c \ + save_credentials.c \ + send_to_kdc.c \ + get_host.c \ + get_krbrlm.c \ + k_gethostname.c \ + tf_util.c \ + debug_decl.c \ + k_flock.c \ + tkt_string.c \ + getaddrs.c \ + k_getsockinst.c \ + k_getport.c \ + lsb_addr_comp.c \ + name2name.c \ + get_default_principal.c \ + realm_parse.c \ + verify_user.c \ + rw.c \ + kdc_reply.c \ + encrypt_ktext.c \ + check_time.c \ + krb_err.c \ + et_list.c \ + resolve.c \ + 
unparse_name.c \ + logging.c \ + k_concat.c \ + strtok_r.c \ + asprintf.c \ + base64.c + +# XXX base64.c, strtok_r.c and asprintf.c should really be somewhere else. +# (or replaced) (they are from libroken) + MAN= kerberos.3 krb_realmofhost.3 krb_sendauth.3 krb_set_tkt_string.3 \ kuserok.3 tf_util.3 MLINKS+=kerberos.3 krb_mk_req.3 kerberos.3 krb_rd_req.3 kerberos.3 krb_kntoln.3 \ diff --git a/kerberosIV/krb/asprintf.c b/kerberosIV/krb/asprintf.c new file mode 100644 index 00000000000..7a08bd181cb --- /dev/null +++ b/kerberosIV/krb/asprintf.c 
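Review bot: `-DPARANOIA` is added to CFLAGS for the whole library, which enables the self-check in asprintf.c that formats every asprintf()/asnprintf() call a second time with vsprintf() and abort()s on any mismatch; that is a debugging aid and does not belong in the default libkrb build. Suggest keeping `CFLAGS+=-I${.CURDIR}` and moving the define behind a knob, e.g. `.if defined(DEBUG)` / `CFLAGS+=-DPARANOIA` / `.endif`. The comment already notes that base64.c, strtok_r.c and asprintf.c belong elsewhere; if libc on this platform provides asprintf()/strtok_r(), building private copies into libkrb risks duplicate-symbol surprises for programs that link both.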
@@ -0,0 +1,556 @@ +/* $KTH: snprintf.c,v 1.15 1997/08/17 08:51:55 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + + +#include <stdio.h> +#include <stdarg.h> +#include <stdlib.h> +#include <string.h> +#include <ctype.h> + +enum format_flags { + minus_flag = 1, + plus_flag = 2, + space_flag = 4, + alternate_flag = 8, + zero_flag = 16 +}; + +/* + * Common state + */ + +struct state { + char *str; + char *s; + char *theend; + size_t sz; + size_t max_sz; + int (*append_char)(struct state *, char); + int (*reserve)(struct state *, size_t); + /* XXX - methods */ +}; + +static int +sn_reserve (struct state *state, size_t n) +{ + return state->s + n > state->theend; +} + +static int +sn_append_char (struct state *state, char c) +{ + if (sn_reserve (state, 1)) { + *state->s++ = '\0'; + return 1; + } else { + *state->s++ = c; + return 0; + } +} + +static int +as_reserve (struct state *state, size_t n) +{ + while (state->s + n > state->theend) { + int off = state->s - state->str; + char *tmp; + + if (state->max_sz && state->sz >= state->max_sz) + return 1; + + if (state->max_sz) + state->sz = min(state->max_sz, state->sz*2); + else + state->sz *= 2; + tmp = realloc (state->str, state->sz); + if (tmp == NULL) + return 1; + state->str = tmp; + state->s = state->str + off; + state->theend = state->str + state->sz - 1; + } + return 0; +} + +static int +as_append_char (struct state *state, char c) +{ + if(as_reserve (state, 1)) + return 1; + else { + *state->s++ = c; + return 0; + } +} + +static int +append_number(struct state *state, + unsigned long num, unsigned base, char *rep, + int width, int prec, int flags, int minusp) +{ + int len = 0; + int i; + + /* given precision, ignore zero flag */ + if(prec != -1) + flags &= ~zero_flag; + else + prec = 1; + /* zero value with zero precision -> "" */ + if(prec == 0 && num == 0) + return 0; + do{ + if((*state->append_char)(state, rep[num % base])) + return 1; + len++; + num /= base; + }while(num); + prec -= len; + /* pad with prec zeros */ + while(prec-- > 0){ + if((*state->append_char)(state, '0')) + return 1; + len++; + } + /* add length 
of alternate prefix (added later) to len */ + if(flags & alternate_flag && (base == 16 || base == 8)) + len += base / 8; + /* pad with zeros */ + if(flags & zero_flag){ + width -= len; + if(minusp || (flags & space_flag) || (flags & plus_flag)) + width--; + while(width-- > 0){ + if((*state->append_char)(state, '0')) + return 1; + len++; + } + } + /* add alternate prefix */ + if(flags & alternate_flag && (base == 16 || base == 8)){ + if(base == 16) + if((*state->append_char)(state, rep[10] + 23)) /* XXX */ + return 1; + if((*state->append_char)(state, '0')) + return 1; + } + /* add sign */ + if(minusp){ + if((*state->append_char)(state, '-')) + return 1; + len++; + } else if(flags & plus_flag) { + if((*state->append_char)(state, '+')) + return 1; + len++; + } else if(flags & space_flag) { + if((*state->append_char)(state, ' ')) + return 1; + len++; + } + if(flags & minus_flag) + /* swap before padding with spaces */ + for(i = 0; i < len / 2; i++){ + char c = state->s[-i-1]; + state->s[-i-1] = state->s[-len+i]; + state->s[-len+i] = c; + } + width -= len; + while(width-- > 0){ + if((*state->append_char)(state, ' ')) + return 1; + len++; + } + if(!(flags & minus_flag)) + /* swap after padding with spaces */ + for(i = 0; i < len / 2; i++){ + char c = state->s[-i-1]; + state->s[-i-1] = state->s[-len+i]; + state->s[-len+i] = c; + } + + return 0; +} + +static int +append_string (struct state *state, + char *arg, + int width, + int prec, + int flags) +{ + if(prec != -1) + width -= prec; + else + width -= strlen(arg); + if(!(flags & minus_flag)) + while(width-- > 0) + if((*state->append_char) (state, ' ')) + return 1; + if (prec != -1) { + while (*arg && prec--) + if ((*state->append_char) (state, *arg++)) + return 1; + } else { + while (*arg) + if ((*state->append_char) (state, *arg++)) + return 1; + } + if(flags & minus_flag) + while(width-- > 0) + if((*state->append_char) (state, ' ')) + return 1; + return 0; +} + +static int +append_char(struct state *state, + char arg, 
+ int width, + int flags) +{ + while(!(flags & minus_flag) && --width > 0) + if((*state->append_char) (state, ' ')) + return 1; + + if((*state->append_char) (state, arg)) + return 1; + while((flags & minus_flag) && --width > 0) + if((*state->append_char) (state, ' ')) + return 1; + + return 0; +} + +/* + * This can't be made into a function... + */ + +#define PARSE_INT_FORMAT(res, arg, unsig) \ +if (long_flag) \ + res = va_arg(arg, unsig long); \ +else if (short_flag) \ + res = va_arg(arg, unsig short); \ +else \ + res = va_arg(arg, unsig int) + +/* + * zyxprintf - return 0 or -1 + */ + +static int +xyzprintf (struct state *state, const char *format, va_list ap) +{ + char c; + + while((c = *format++)) { + if (c == '%') { + int flags = 0; + int width = 0; + int prec = -1; + int long_flag = 0; + int short_flag = 0; + + /* flags */ + while((c = *format++)){ + if(c == '-') + flags |= minus_flag; + else if(c == '+') + flags |= plus_flag; + else if(c == ' ') + flags |= space_flag; + else if(c == '#') + flags |= alternate_flag; + else if(c == '0') + flags |= zero_flag; + else + break; + } + + if((flags & space_flag) && (flags & plus_flag)) + flags ^= space_flag; + + if((flags & minus_flag) && (flags & zero_flag)) + flags ^= zero_flag; + + /* width */ + if (isdigit(c)) + do { + width = width * 10 + c - '0'; + c = *format++; + } while(isdigit(c)); + else if(c == '*') { + width = va_arg(ap, int); + c = *format++; + } + + /* precision */ + if (c == '.') { + prec = 0; + c = *format++; + if (isdigit(c)) + do { + prec = prec * 10 + c - '0'; + c = *format++; + } while(isdigit(c)); + else if (c == '*') { + prec = va_arg(ap, int); + c = *format++; + } + } + + /* size */ + + if (c == 'h') { + short_flag = 1; + c = *format++; + } else if (c == 'l') { + long_flag = 1; + c = *format++; + } + + switch (c) { + case 'c' : + if(append_char(state, va_arg(ap, int), width, flags)) + return -1; + break; + case 's' : + if (append_string(state, + va_arg(ap, char*), + width, + prec, + flags)) + 
return -1; + break; + case 'd' : + case 'i' : { + long arg; + unsigned long num; + int minusp = 0; + + PARSE_INT_FORMAT(arg, ap, signed); + + if (arg < 0) { + minusp = 1; + num = -arg; + } else + num = arg; + + if (append_number (state, num, 10, "0123456789", + width, prec, flags, minusp)) + return -1; + break; + } + case 'u' : { + unsigned long arg; + + PARSE_INT_FORMAT(arg, ap, unsigned); + + if (append_number (state, arg, 10, "0123456789", + width, prec, flags, 0)) + return -1; + break; + } + case 'o' : { + unsigned long arg; + + PARSE_INT_FORMAT(arg, ap, unsigned); + + if (append_number (state, arg, 010, "01234567", + width, prec, flags, 0)) + return -1; + break; + } + case 'x' : { + unsigned long arg; + + PARSE_INT_FORMAT(arg, ap, unsigned); + + if (append_number (state, arg, 0x10, "0123456789abcdef", + width, prec, flags, 0)) + return -1; + break; + } + case 'X' :{ + unsigned long arg; + + PARSE_INT_FORMAT(arg, ap, unsigned); + + if (append_number (state, arg, 0x10, "0123456789ABCDEF", + width, prec, flags, 0)) + return -1; + break; + } + case 'p' : { + unsigned long arg = (unsigned long)va_arg(ap, void*); + + if (append_number (state, arg, 0x10, "0123456789ABCDEF", + width, prec, flags, 0)) + return -1; + break; + } + case 'n' : { + int *arg = va_arg(ap, int*); + *arg = state->s - state->str; + break; + } + case '%' : + if ((*state->append_char)(state, c)) + return -1; + break; + default : + if ( (*state->append_char)(state, '%') + || (*state->append_char)(state, c)) + return -1; + break; + } + } else + if ((*state->append_char) (state, c)) + return -1; + } + return 0; +} + +int +asprintf (char **ret, const char *format, ...) 
+{ + va_list args; + int val; + + va_start(args, format); + val = vasprintf (ret, format, args); + +#ifdef PARANOIA + { + int ret2; + char *tmp; + tmp = malloc (val + 1); + if (tmp == NULL) + abort (); + + ret2 = vsprintf (tmp, format, args); + if (val != ret2 || strcmp(*ret, tmp)) + abort (); + free (tmp); + } +#endif + + va_end(args); + return val; +} + +int +asnprintf (char **ret, size_t max_sz, const char *format, ...) +{ + va_list args; + int val; + + va_start(args, format); + val = vasnprintf (ret, max_sz, format, args); + +#ifdef PARANOIA + { + int ret2; + char *tmp; + tmp = malloc (val + 1); + if (tmp == NULL) + abort (); + + ret2 = vsprintf (tmp, format, args); + if (val != ret2 || strcmp(*ret, tmp)) + abort (); + free (tmp); + } +#endif + + va_end(args); + return val; +} + +int +vasprintf (char **ret, const char *format, va_list args) +{ + return vasnprintf (ret, 0, format, args); +} + + +int +vasnprintf (char **ret, size_t max_sz, const char *format, va_list args) +{ + int st; + size_t len; + struct state state; + + state.max_sz = max_sz; + if (max_sz) + state.sz = min(1, max_sz); + else + state.sz = 1; + state.str = malloc(state.sz); + if (state.str == NULL) { + *ret = NULL; + return -1; + } + state.s = state.str; + state.theend = state.s + state.sz - 1; + state.append_char = as_append_char; + state.reserve = as_reserve; + + st = xyzprintf (&state, format, args); + if (st) { + free (state.str); + *ret = NULL; + return -1; + } else { + char *tmp; + + *state.s = '\0'; + len = state.s - state.str; + tmp = realloc (state.str, len+1); + if (state.str == NULL) { + free (state.str); + *ret = NULL; + return -1; + } + *ret = tmp; + return len; + } +} diff --git a/kerberosIV/krb/base64.c b/kerberosIV/krb/base64.c new file mode 100644 index 00000000000..4c67412fc64 --- /dev/null +++ b/kerberosIV/krb/base64.c 
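Review bot: vasnprintf's final shrink tests the wrong pointer — `if (state.str == NULL)` after `tmp = realloc(state.str, len+1)` can never be true, so a failed realloc leaks the buffer and returns a NULL `*ret` together with a positive length; the check should be `if (tmp == NULL) {`. The PARANOIA block in asprintf()/asnprintf() reuses `args` after vasprintf() has consumed it, which only works where va_list is a plain pointer (the C99 `va_copy` is the portable fix), and when `val` is -1 it calls `malloc(0)`, vsprintf()s into it and strcmp()s against a NULL `*ret`. `min()` is used in as_reserve() and vasnprintf() but none of the headers included here defines it, so either a local definition or the roken header it came from is missing. The `sn_reserve`/`sn_append_char` pair is unused in this file, and the implementation honours `%n`, which matters if any caller ever passes a non-literal format.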
@@ -0,0 +1,146 @@ +/* $KTH: base64.c,v 1.1 1997/08/27 22:41:56 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include <stdlib.h> +#include <string.h> + +static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + +static int pos(char c) +{ + char *p; + for(p = base64; *p; p++) + if(*p == c) + return p - base64; + return -1; +} + +int base64_encode(const void *data, int size, char **str) +{ + char *s, *p; + int i; + int c; + unsigned char *q; + + p = s = (char*)malloc(size*4/3+4); + q = (unsigned char*)data; + i=0; + for(i = 0; i < size;){ + c=q[i++]; + c*=256; + if(i < size) + c+=q[i]; + i++; + c*=256; + if(i < size) + c+=q[i]; + i++; + p[0]=base64[(c&0x00fc0000) >> 18]; + p[1]=base64[(c&0x0003f000) >> 12]; + p[2]=base64[(c&0x00000fc0) >> 6]; + p[3]=base64[(c&0x0000003f) >> 0]; + if(i > size) + p[3]='='; + if(i > size+1) + p[2]='='; + p+=4; + } + *p=0; + *str = s; + return strlen(s); +} + +int base64_decode(const char *str, void *data) +{ + const char *p; + unsigned char *q; + int c; + int x; + int done = 0; + q=(unsigned char*)data; + for(p=str; *p && !done; p+=4){ + x = pos(p[0]); + if(x >= 0) + c = x; + else{ + done = 3; + break; + } + c*=64; + + x = pos(p[1]); + if(x >= 0) + c += x; + else + return -1; + c*=64; + + if(p[2] == '=') + done++; + else{ + x = pos(p[2]); + if(x >= 0) + c += x; + else + return -1; + } + c*=64; + + if(p[3] == '=') + done++; + else{ + if(done) + return -1; + x = pos(p[3]); + if(x >= 0) + c += x; + else + return -1; + } + if(done < 3) + *q++=(c&0x00ff0000)>>16; + + if(done < 2) + *q++=(c&0x0000ff00)>>8; + if(done < 1) + *q++=(c&0x000000ff)>>0; + } + return q - (unsigned char*)data; +} diff --git a/kerberosIV/krb/check_time.c b/kerberosIV/krb/check_time.c new file mode 100644 index 00000000000..fb00538256d --- /dev/null +++ b/kerberosIV/krb/check_time.c 
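Review bot: base64_encode() never checks the malloc() result, so on failure `p[0]=...` writes through NULL; add `if (s == NULL) { *str = NULL; return -1; }` right after the allocation. base64_decode() writes through `data` with no output bound — it can emit up to 3*strlen(str)/4 bytes — so the caller must size the buffer for that; a comment stating this contract, or a `size` parameter, would make the interface safe to use from code that decodes untrusted input. The `done` bookkeeping correctly rejects `=` in the third position followed by a non-`=` fourth character, which is worth a short comment since it is not obvious at first read.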
@@ -0,0 +1,56 @@ +/* $KTH: check_time.c,v 1.4 1997/04/01 08:18:18 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+int
+krb_check_tm (struct tm tm)
+{
+ return tm.tm_mon < 0
+ || tm.tm_mon > 11
+ || tm.tm_hour < 0
+ || tm.tm_hour > 23
+ || tm.tm_min < 0
+ || tm.tm_min > 59
+ || tm.tm_sec < 0
+ || tm.tm_sec > 59
+ || tm.tm_year < 1901
+ || tm.tm_year > 2038;
+}
diff --git a/kerberosIV/krb/cr_err_reply.c b/kerberosIV/krb/cr_err_reply.c
index 8feaa6544e2..e2890e9be0d 100644
--- a/kerberosIV/krb/cr_err_reply.c
+++ b/kerberosIV/krb/cr_err_reply.c
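Review bot: `tm.tm_year < 1901 || tm.tm_year > 2038` treats `tm_year` as an absolute year, but the C/POSIX `struct tm` stores years since 1900, so for a `struct tm` filled in by gmtime()/localtime() every 20th/21st-century date fails this check. Unless every caller adds 1900 before calling — which cannot be seen from here — the bounds should be `tm.tm_year < 1 || tm.tm_year > 138` (1901..2038 relative to 1900). Whichever convention is intended, state it above the function so the next caller does not guess, e.g. `/* tm_year is expected as an absolute year here, not struct tm's years-since-1900. */`.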
@@ -1,42 +1,46 @@ +/* $KTH: cr_err_reply.c,v 1.9 1997/04/01 08:18:19 joda Exp $ */ + /* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/cr_err_reply.c,v $ - * - * $Locker: $ + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - #include "krb_locl.h" /* - * req_act_vno used to be defined as an extern ("defined in server"). - * However, that does noone anything good, so we define our own so - * that the shared libraries do not turn up with an undefined variable! - */ -static int my_req_act_vno = KRB_PROT_VERSION; - -/* * This routine is used by the Kerberos authentication server to * create an error reply packet to send back to its client. * 
@@ -71,47 +75,25 @@ static int my_req_act_vno = KRB_PROT_VERSION;
 */
 void
-cr_err_reply(pkt, pname, pinst, prealm, time_ws, e, e_string)
- KTEXT pkt;
- char *pname; /* Principal's name */
- char *pinst; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- u_int32_t time_ws; /* Workstation time */
- u_int32_t e; /* Error code */
- char *e_string; /* Text of error */
+cr_err_reply(KTEXT pkt, char *pname, char *pinst, char *prealm,
+ u_int32_t time_ws, u_int32_t e, char *e_string)
 {
- u_char *v = (u_char *) pkt->dat; /* Prot vers number */
- u_char *t = (u_char *)(pkt->dat+1); /* Prot message type */
+ unsigned char *p = pkt->dat;
+
+ p += krb_put_int(KRB_PROT_VERSION, p, 1);
+ p += krb_put_int(AUTH_MSG_ERR_REPLY, p, 1);
+
+ if (pname == NULL) pname = "";
+ if (pinst == NULL) pinst = "";
+ if (prealm == NULL) prealm = "";
- /* Create fixed part of packet */
- *v = (unsigned char) my_req_act_vno; /* KRB_PROT_VERSION; */
- *t = (unsigned char) AUTH_MSG_ERR_REPLY;
- *t |= HOST_BYTE_ORDER;
+ p += krb_put_nir(pname, pinst, prealm, p);
+
+ p += krb_put_int(time_ws, p, 4);
- if (pname == 0)
- pname = "";
- if (pinst == 0)
- pinst = "";
- if (prealm == 0)
- prealm = "";
+ p += krb_put_int(e, p, 4);
- /* Add the basic info */
- (void) strcpy((char *) (pkt->dat+2),pname);
- pkt->length = 3 + strlen(pname);
- (void) strcpy((char *)(pkt->dat+pkt->length),pinst);
- pkt->length += 1 + strlen(pinst);
- (void) strcpy((char *)(pkt->dat+pkt->length),prealm);
- pkt->length += 1 + strlen(prealm);
- /* ws timestamp */
- bcopy((char *) &time_ws,(char *)(pkt->dat+pkt->length),4);
- pkt->length += 4;
- /* err code */
- bcopy((char *) &e,(char *)(pkt->dat+pkt->length),4);
- pkt->length += 4;
- /* err text */
- (void) strcpy((char *)(pkt->dat+pkt->length),e_string);
- pkt->length += 1 + strlen(e_string);
+ p += krb_put_string(e_string, p);
- /* And return */
- return;
+ pkt->length = p - pkt->dat;
 }
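Review bot: `e_string` is the only string argument left without a NULL default — `pname`, `pinst` and `prealm` are replaced by `""` a few lines earlier, but `krb_put_string(e_string, p)` is reached with whatever the caller passed, so a NULL there is dereferenced; add `if (e_string == NULL) e_string = "";` next to the other three. Nothing bounds the writes against the capacity of `pkt->dat` either: the name, instance and realm in an error reply presumably echo what the client sent to the server, and neither `krb_put_nir` nor `krb_put_string` receives a limit as called here, so a check that the four strings plus the fixed version/type/time/error fields fit in the buffer belongs before the first `krb_put_int`. The removed code had the same gaps; the whole function body is inside this hunk.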
diff --git a/kerberosIV/krb/create_auth_reply.c b/kerberosIV/krb/create_auth_reply.c
index 80169848cfe..0c2fc35cb8d 100644
--- a/kerberosIV/krb/create_auth_reply.c
+++ b/kerberosIV/krb/create_auth_reply.c
@@ -1,32 +1,43 @@ +/* $KTH: create_auth_reply.c,v 1.11 1997/04/01 08:18:20 joda Exp $ */ + /* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/create_auth_reply.c,v $ - * - * $Locker: $ + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - #include "krb_locl.h" /* 
@@ -74,55 +85,47 @@ or implied warranty.
 */
 KTEXT
-create_auth_reply(pname, pinst, prealm, time_ws, n, x_date, kvno, cipher)
- char *pname; /* Principal's name */
- char *pinst; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- int32_t time_ws; /* Workstation time */
- int n; /* Number of tickets */
- u_int32_t x_date; /* Principal's expiration date */
- int kvno; /* Principal's key version number */
- KTEXT cipher; /* Cipher text with tickets and
- * session keys */
+create_auth_reply(char *pname, /* Principal's name */
+ char *pinst, /* Principal's instance */
+ char *prealm, /* Principal's authentication domain */
+ int32_t time_ws, /* Workstation time */
+ int n, /* Number of tickets */
+ u_int32_t x_date, /* Principal's expiration date */
+ int kvno, /* Principal's key version number */
+ KTEXT cipher) /* Cipher text with tickets and session keys */
 {
 static KTEXT_ST pkt_st;
 KTEXT pkt = &pkt_st;
- unsigned char *v = pkt->dat; /* Prot vers number */
- unsigned char *t = (pkt->dat+1); /* Prot message type */
- short w_l; /* Cipher length */
+
+ unsigned char *p = pkt->dat;
+
+ p += krb_put_int(KRB_PROT_VERSION, p, 1);
+ p += krb_put_int(AUTH_MSG_KDC_REPLY, p, 1);
+
+ if(n != 0){
+ /* barf on old code */
+ krb_warning("create_auth_reply: don't give me no krb3 crap!"
+ " (n == %d)\n", n);
+ return NULL;
+ }
- /* Create fixed part of packet */
- *v = (unsigned char) KRB_PROT_VERSION;
- *t = (unsigned char) AUTH_MSG_KDC_REPLY;
- *t |= HOST_BYTE_ORDER;
- if (n != 0)
- *v = 3;
+ p += krb_put_nir(pname, pinst, prealm, p);
- /* Add the basic info */
- (void) strcpy((char *) (pkt->dat+2), pname);
- pkt->length = 3 + strlen(pname);
- (void) strcpy((char *) (pkt->dat+pkt->length),pinst);
- pkt->length += 1 + strlen(pinst);
- (void) strcpy((char *) (pkt->dat+pkt->length),prealm);
- pkt->length += 1 + strlen(prealm);
- /* Workstation timestamp */
- bcopy((char *) &time_ws, (char *) (pkt->dat+pkt->length), 4);
- pkt->length += 4;
- *(pkt->dat+(pkt->length)++) = (unsigned char) n;
- /* Expiration date */
- bcopy((char *) &x_date, (char *) (pkt->dat+pkt->length),4);
- pkt->length += 4;
+ p += krb_put_int(time_ws, p, 4);
+
+ p += krb_put_int(n, p, 1);
+
+ p += krb_put_int(x_date, p, 4);
+
+ p += krb_put_int(kvno, p, 1);
+
+ p += krb_put_int(cipher->length, p, 2);
+
+ memcpy(p, cipher->dat, cipher->length);
+ p += cipher->length;
- /* Now send the ciphertext and info to help decode it */
- *(pkt->dat+(pkt->length)++) = (unsigned char) kvno;
- w_l = (short) cipher->length;
- bcopy((char *) &w_l,(char *) (pkt->dat+pkt->length),2);
- pkt->length += 2;
- bcopy((char *) (cipher->dat), (char *) (pkt->dat+pkt->length),
- cipher->length);
- pkt->length += cipher->length;
+ pkt->length = p - pkt->dat;
- /* And return the packet */
 return pkt;
 }
diff --git a/kerberosIV/krb/create_ciph.c b/kerberosIV/krb/create_ciph.c
index 4bf44f953d9..ab5a41f8232 100644
--- a/kerberosIV/krb/create_ciph.c
+++ b/kerberosIV/krb/create_ciph.c
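Review bot: `memcpy(p, cipher->dat, cipher->length)` copies the cipher into the static `pkt_st` without checking that it fits after the two header bytes, the three names and the fixed fields; `cipher` and `pkt` are both KTEXTs with the same capacity, so a cipher close to its maximum overruns `pkt->dat`. Since the function now returns NULL for `n != 0`, the same path can guard the copy: `if (cipher->length > sizeof(pkt->dat) - (p - pkt->dat)) return NULL;` placed before `krb_put_int(cipher->length, p, 2)`, assuming `dat` is a fixed-size array as the `sizeof(KTEXT_ST)` uses elsewhere in this commit suggest. The NULL return on `n != 0` is a new contract — the removed code emitted a version-3 packet instead — so every caller of `create_auth_reply` must now check the result, and the header comment above the function (outside this hunk) should say so.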
@@ -1,31 +1,43 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/create_ciph.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. +/* $KTH: create_ciph.c,v 1.9 1997/04/01 08:18:20 joda Exp $ */ -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. 
All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ #include "krb_locl.h" 
@@ -67,56 +79,40 @@ or implied warranty.
 */
 int
-create_ciph(c, session, service, instance, realm,
- life, kvno, tkt, kdc_time, key)
- KTEXT c; /* Text block to hold ciphertext */
- unsigned char *session; /* Session key to send to user */
- char *service; /* Service name on ticket */
- char *instance; /* Instance name on ticket */
- char *realm; /* Realm of this KDC */
- u_int32_t life; /* Lifetime of the ticket */
- int kvno; /* Key version number for service */
- KTEXT tkt; /* The ticket for the service */
- u_int32_t kdc_time; /* KDC time */
- des_cblock *key; /* Key to encrypt ciphertext with */
-{
- char *ptr;
- des_key_schedule key_s;
+create_ciph(KTEXT c, /* Text block to hold ciphertext */
+ unsigned char *session, /* Session key to send to user */
+ char *service, /* Service name on ticket */
+ char *instance, /* Instance name on ticket */
+ char *realm, /* Realm of this KDC */
+ u_int32_t life, /* Lifetime of the ticket */
+ int kvno, /* Key version number for service */
+ KTEXT tkt, /* The ticket for the service */
+ u_int32_t kdc_time, /* KDC time */
+ des_cblock *key) /* Key to encrypt ciphertext with */
- ptr = (char *) c->dat;
-
- bcopy((char *) session, ptr, 8);
- ptr += 8;
-
- (void) strcpy(ptr,service);
- ptr += strlen(service) + 1;
-
- (void) strcpy(ptr,instance);
- ptr += strlen(instance) + 1;
-
- (void) strcpy(ptr,realm);
- ptr += strlen(realm) + 1;
+{
+ unsigned char *p = c->dat;
- *(ptr++) = (unsigned char) life;
- *(ptr++) = (unsigned char) kvno;
- *(ptr++) = (unsigned char) tkt->length;
+ memset(c, 0, sizeof(KTEXT_ST));
- bcopy((char *)(tkt->dat),ptr,tkt->length);
- ptr += tkt->length;
+ memcpy(p, session, 8);
+ p += 8;
+
+ p += krb_put_nir(service, instance, realm, p);
+
+ p += krb_put_int(life, p, 1);
+ p += krb_put_int(kvno, p, 1);
- bcopy((char *) &kdc_time,ptr,4);
- ptr += 4;
+ p += krb_put_int(tkt->length, p, 1);
- /* guarantee null padded encrypted data to multiple of 8 bytes */
- bzero(ptr, 7);
+ memcpy(p, tkt->dat, tkt->length);
+ p += tkt->length;
- c->length = (((ptr - (char *) c->dat) + 7) / 8) * 8;
+ p += krb_put_int(kdc_time, p, 4);
-#ifndef NOENCRYPTION
- des_key_sched(key,key_s);
- des_pcbc_encrypt((des_cblock *)c->dat,(des_cblock *)c->dat,(long) c->length,key_s,
- key, DES_ENCRYPT);
-#endif /* NOENCRYPTION */
+ /* multiple of eight bytes */
+ c->length = (p - c->dat + 7) & ~7;
- return(KSUCCESS);
+ encrypt_ktext(c, key, DES_ENCRYPT);
+ return KSUCCESS;
 }
diff --git a/kerberosIV/krb/create_death_packet.c b/kerberosIV/krb/create_death_packet.c
index f7333097513..c6fd5ecc60c 100644
--- a/kerberosIV/krb/create_death_packet.c
+++ b/kerberosIV/krb/create_death_packet.c
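Review bot: `p += krb_put_int(tkt->length, p, 1)` encodes the ticket length in a single byte while the following `memcpy` copies all `tkt->length` bytes, so a ticket longer than 255 bytes yields a length field that does not describe the data that follows it (the removed `(unsigned char) tkt->length` cast truncated the same way); reject it before encoding with `if (tkt->length > 255) return KFAILURE;`. The result of `encrypt_ktext(c, key, DES_ENCRYPT)` is discarded here and again in `krb_create_ticket` below, so if that helper can report failure the caller is handed `KSUCCESS` for a buffer that was never encrypted — either check it or document that it cannot fail. As in the other `krb_put_*` sequences in this commit, nothing compares the running pointer with the end of `c->dat` before the writes.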
@@ -1,32 +1,43 @@ +/* $KTH: create_death_packet.c,v 1.8 1997/04/01 08:18:21 joda Exp $ */ + /* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/create_death_packet.c,v $ - * - * $Locker: $ + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - #include "krb_locl.h" /* 
@@ -57,19 +68,18 @@ or implied warranty.
 #ifdef DEBUG
 KTEXT
-krb_create_death_packet(a_name)
- char *a_name;
+krb_create_death_packet(char *a_name)
 {
 static KTEXT_ST pkt_st;
 KTEXT pkt = &pkt_st;
- unsigned char *v = pkt->dat;
- unsigned char *t = (pkt->dat+1);
- *v = (unsigned char) KRB_PROT_VERSION;
- *t = (unsigned char) AUTH_MSG_DIE;
- *t |= HOST_BYTE_ORDER;
- (void) strcpy((char *) (pkt->dat+2),a_name);
- pkt->length = 3 + strlen(a_name);
+ unsigned char *p = pkt->dat;
+
+ p += krb_put_int(KRB_PROT_VERSION, p, 1);
+ p += krb_put_int(AUTH_MSG_DIE, p, 1);
+
+ p += krb_put_string(a_name, p);
+ pkt->length = p - pkt->dat;
 return pkt;
 }
 #endif /* DEBUG */
diff --git a/kerberosIV/krb/create_ticket.c b/kerberosIV/krb/create_ticket.c
index 944007c9e7a..7f355b52589 100644
--- a/kerberosIV/krb/create_ticket.c
+++ b/kerberosIV/krb/create_ticket.c
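Review bot: `krb_put_string(a_name, p)` copies `a_name` into the static `pkt_st` with no limit, and `a_name` is the only input this DEBUG-only helper takes, so a `strlen(a_name)` check against what remains of `pkt->dat` after the two header bytes (returning NULL on overflow) is the one guard it needs. The function still hands back a pointer into static storage that the next call overwrites; the comment block preceding it (outside this hunk) should state that, since the new body otherwise reads as a fresh packet builder.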
@@ -1,32 +1,43 @@ +/* $KTH: create_ticket.c,v 1.12 1997/04/01 08:18:21 joda Exp $ */ + /* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/create_ticket.c,v $ - * - * $Locker: $ + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - #include "krb_locl.h" /* @@ -38,7 +49,6 @@ or implied warranty. * eight bytes and is in tkt->length. * * If the ticket is too long, the ticket will contain nulls. - * The return value of the routine is undefined. * * The corresponding routine to extract information from a ticket it * decomp_ticket. When changes are made to this routine, the 
@@ -79,63 +89,46 @@ or implied warranty.
 */
 int
-krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance, key)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned char flags; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- int32_t paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int16_t life; /* Lifetime of the ticket */
- int32_t time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
- des_cblock *key; /* Service's secret key */
+krb_create_ticket(KTEXT tkt, /* Gets filled in by the ticket */
+ unsigned char flags, /* Various Kerberos flags */
+ char *pname, /* Principal's name */
+ char *pinstance, /* Principal's instance */
+ char *prealm, /* Principal's authentication domain */
+ int32_t paddress, /* Net address of requesting entity */
+ void *session, /* Session key inserted in ticket */
+ int16_t life, /* Lifetime of the ticket */
+ int32_t time_sec, /* Issue time and date */
+ char *sname, /* Service Name */
+ char *sinstance, /* Instance Name */
+ des_cblock *key) /* Service's secret key */
 {
- des_key_schedule key_s;
- register char *data; /* running index into ticket */
+ unsigned char *p = tkt->dat;
+
+ memset(tkt, 0, sizeof(KTEXT_ST));
+
+ p += krb_put_int(flags, p, 1);
+ p += krb_put_nir(pname, pinstance, prealm, p);
+
+ p += krb_put_address(paddress, p);
+
+ memcpy(p, session, 8);
+ p += 8;
- tkt->length = 0; /* Clear previous data */
- flags |= HOST_BYTE_ORDER; /* ticket byte order */
- bcopy((char *) &flags,(char *) (tkt->dat),sizeof(flags));
- data = ((char *)tkt->dat) + sizeof(flags);
- (void) strcpy(data, pname);
- data += 1 + strlen(pname);
- (void) strcpy(data, pinstance);
- data += 1 + strlen(pinstance);
- (void) strcpy(data, prealm);
- data += 1 + strlen(prealm);
- bcopy((char *) &paddress, data, 4);
- data += 4;
+ p += krb_put_int(life, p, 1);
+ p += krb_put_int(time_sec, p, 4);
- bcopy((char *) session, data, 8);
- data += 8;
- *(data++) = (char) life;
- /* issue time */
- bcopy((char *) &time_sec, data, 4);
- data += 4;
- (void) strcpy(data, sname);
- data += 1 + strlen(sname);
- (void) strcpy(data, sinstance);
- data += 1 + strlen(sinstance);
+ p += krb_put_nir(sname, sinstance, NULL, p);
- /* guarantee null padded ticket to multiple of 8 bytes */
- bzero(data, 7);
- tkt->length = ((data - ((char *)tkt->dat) + 7)/8)*8;
+ /* multiple of eight bytes */
+ tkt->length = (p - tkt->dat + 7) & ~7;
 /* Check length of ticket */
 if (tkt->length > (sizeof(KTEXT_ST) - 7)) {
- bzero(tkt->dat, tkt->length);
+ memset(tkt->dat, 0, tkt->length);
 tkt->length = 0;
 return KFAILURE /* XXX */;
 }
-#ifndef NOENCRYPTION
- des_key_sched(key,key_s);
- des_pcbc_encrypt((des_cblock *)tkt->dat,(des_cblock *)tkt->dat,(long)tkt->length,
- key_s,key, DES_ENCRYPT);
-#endif
- return 0;
+ encrypt_ktext(tkt, key, DES_ENCRYPT);
+ return KSUCCESS;
 }
diff --git a/kerberosIV/krb/debug_decl.c b/kerberosIV/krb/debug_decl.c
index 5489acd99cb..b96afa63baf 100644
--- a/kerberosIV/krb/debug_decl.c
+++ b/kerberosIV/krb/debug_decl.c
@@ -1,10 +1,4 @@
-/*
- * This software may now be redistributed outside the US.
- *
- * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/debug_decl.c,v $
- *
- * $Locker: $
- */
+/* $KTH: debug_decl.c,v 1.7 1997/10/28 15:44:00 bg Exp $ */
 /*
 Copyright (C) 1989 by the Massachusetts Institute of Technology
@@ -27,7 +21,10 @@ or implied warranty.
 */
+#include "krb_locl.h"
+
 /* Declare global debugging variables. */
 int krb_ap_req_debug = 0;
 int krb_debug = 0;
+int krb_dns_debug = 0;
diff --git a/kerberosIV/krb/decomp_ticket.c b/kerberosIV/krb/decomp_ticket.c
index a0de714ccbe..d1c3b7a8e18 100644
--- a/kerberosIV/krb/decomp_ticket.c
+++ b/kerberosIV/krb/decomp_ticket.c
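Review bot: The length check `if (tkt->length > (sizeof(KTEXT_ST) - 7))` runs only after `krb_put_int`, both `krb_put_nir` calls, `krb_put_address` and the `memcpy` have already written every field into `tkt->dat`, so an oversized principal or service name overruns the buffer before it is rejected — the removed code had the same order, but this rewrite is the place to fix it. A bound computed from the five string lengths plus the fixed fields (flags byte, address, 8-byte session key, life, time and the separators `krb_put_nir` emits) should be compared with the capacity of `tkt->dat` before the first write, and that comparison should use the array's own size rather than `sizeof(KTEXT_ST) - 7`, which measures the whole struct. The `encrypt_ktext(tkt, key, DES_ENCRYPT)` result is ignored here as it is in `create_ciph` above. `session` changed from `char *` to `void *`, which is source-compatible for callers but must match the prototype in the header, which is not visible in this hunk.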
@@ -1,32 +1,43 @@ +/* $KTH: decomp_ticket.c,v 1.16 1997/04/01 08:18:22 joda Exp $ */ + /* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/decomp_ticket.c,v $ - * - * $Locker: $ + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - #include "krb_locl.h" /* 
@@ -34,15 +45,6 @@ or implied warranty. * should be filled in based on the information in the ticket. It * fills in values for its arguments. * - * Note: if the client realm field in the ticket is the null string, - * then the "prealm" variable is filled in with the local realm. - * - * If the ticket byte order is different than the host's byte order - * (as indicated by the byte order bit of the "flags" field), then - * the KDC timestamp "time_sec" is byte-swapped. The other fields - * potentially affected by byte order, "paddress" and "session" are - * not byte-swapped. - * * The routine returns KFAILURE if any of the "pname", "pinstance", * or "prealm" fields is too big, otherwise it returns KSUCCESS. * 
@@ -54,80 +56,64 @@ or implied warranty.
 */
 int
-decomp_ticket(tkt, flags, pname, pinstance, prealm, paddress, session,
- life, time_sec, sname, sinstance, key, key_s)
- KTEXT tkt; /* The ticket to be decoded */
- unsigned char *flags; /* Kerberos ticket flags */
- char *pname; /* Authentication name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- u_int32_t *paddress; /* Net address of entity
- * requesting ticket */
- unsigned char *session; /* Session key inserted in ticket */
- int *life; /* Lifetime of the ticket */
- u_int32_t *time_sec; /* Issue time and date */
- char *sname; /* Service name */
- char *sinstance; /* Service instance */
- des_cblock *key; /* Service's secret key
- * (to decrypt the ticket) */
- struct des_ks_struct *key_s; /* The precomputed key schedule */
+decomp_ticket(KTEXT tkt, /* The ticket to be decoded */
+ unsigned char *flags, /* Kerberos ticket flags */
+ char *pname, /* Authentication name */
+ char *pinstance, /* Principal's instance */
+ char *prealm, /* Principal's authentication domain */
+ u_int32_t *paddress,/* Net address of entity requesting ticket */
+ unsigned char *session, /* Session key inserted in ticket */
+ int *life, /* Lifetime of the ticket */
+ u_int32_t *time_sec, /* Issue time and date */
+ char *sname, /* Service name */
+ char *sinstance, /* Service instance */
+ des_cblock *key, /* Service's secret key (to decrypt the ticket) */
+ des_key_schedule schedule) /* The precomputed key schedule */
+
 {
- static int tkt_swap_bytes;
- unsigned char *uptr;
- char *ptr = (char *)tkt->dat;
-
-#ifndef NOENCRYPTION
- des_pcbc_encrypt((des_cblock *)tkt->dat,(des_cblock *)tkt->dat,(long)tkt->length,
- key_s,key, DES_DECRYPT);
-#endif /* ! NOENCRYPTION */
-
- *flags = *ptr; /* get flags byte */
- ptr += sizeof(*flags);
- tkt_swap_bytes = 0;
- if (HOST_BYTE_ORDER != ((*flags >> K_FLAG_ORDER)& 1))
- tkt_swap_bytes++;
-
- if (strlen(ptr) > ANAME_SZ)
- return(KFAILURE);
- (void) strcpy(pname,ptr); /* pname */
- ptr += strlen(pname) + 1;
-
- if (strlen(ptr) > INST_SZ)
- return(KFAILURE);
- (void) strcpy(pinstance,ptr); /* instance */
- ptr += strlen(pinstance) + 1;
-
- if (strlen(ptr) > REALM_SZ)
- return(KFAILURE);
- (void) strcpy(prealm,ptr); /* realm */
- ptr += strlen(prealm) + 1;
- /* temporary hack until realms are dealt with properly */
- if (*prealm == 0 && krb_get_lrealm(prealm, 1) != KSUCCESS)
- return(KFAILURE);
-
- bcopy(ptr,(char *)paddress,4); /* net address */
- ptr += 4;
-
- bcopy(ptr,(char *)session,8); /* session key */
- ptr+= 8;
-#ifdef notdef /* DONT SWAP SESSION KEY spm 10/22/86 */
- if (tkt_swap_bytes)
- swap_C_Block(session);
-#endif
-
- /* get lifetime, being certain we don't get negative lifetimes */
- uptr = (unsigned char *) ptr++;
- *life = (int) *uptr;
-
- bcopy(ptr,(char *) time_sec,4); /* issue time */
- ptr += 4;
- if (tkt_swap_bytes)
- swap_u_long(*time_sec);
-
- (void) strcpy(sname,ptr); /* service name */
- ptr += 1 + strlen(sname);
-
- (void) strcpy(sinstance,ptr); /* instance */
- ptr += 1 + strlen(sinstance);
- return(KSUCCESS);
+ unsigned char *p = tkt->dat;
+
+ int little_endian;
+
+ des_pcbc_encrypt((des_cblock *)tkt->dat, (des_cblock *)tkt->dat,
+ tkt->length, schedule, key, DES_DECRYPT);
+
+ tkt->mbz = 0;
+
+ *flags = *p++;
+
+ little_endian = (*flags >> K_FLAG_ORDER) & 1;
+
+ if(strlen((char*)p) > ANAME_SZ)
+ return KFAILURE;
+ p += krb_get_string(p, pname);
+
+ if(strlen((char*)p) > INST_SZ)
+ return KFAILURE;
+ p += krb_get_string(p, pinstance);
+
+ if(strlen((char*)p) > REALM_SZ)
+ return KFAILURE;
+ p += krb_get_string(p, prealm);
+
+ if(tkt->length - (p - tkt->dat) < 8 + 1 + 4)
+ return KFAILURE;
+ p += krb_get_address(p, paddress);
+
+ memcpy(session, p, 8);
+ p += 8;
+
+ *life = *p++;
+
+ p += krb_get_int(p, time_sec, 4, little_endian);
+
+ if(strlen((char*)p) > SNAME_SZ)
+ return KFAILURE;
+ p += krb_get_string(p, sname);
+
+ if(strlen((char*)p) > INST_SZ)
+ return KFAILURE;
+ p += krb_get_string(p, sinstance);
+
+ return KSUCCESS;
 }
diff --git a/kerberosIV/krb/dest_tkt.c b/kerberosIV/krb/dest_tkt.c
index 2386a5afdc9..18f2f9a84a4 100644
--- a/kerberosIV/krb/dest_tkt.c
+++ b/kerberosIV/krb/dest_tkt.c
@@ -1,10 +1,4 @@
-/*
- * This software may now be redistributed outside the US.
- *
- * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/dest_tkt.c,v $
- *
- * $Locker: $
- */
+/* $KTH: dest_tkt.c,v 1.11 1997/05/19 03:03:40 assar Exp $ */
 /*
 Copyright (C) 1989 by the Massachusetts Institute of Technology
@@ -29,13 +23,6 @@ or implied warranty.
 #include "krb_locl.h"
-#include <sys/file.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#ifdef TKT_SHMEM
-#include <sys/param.h>
-#endif
-
 /*
 * dest_tkt() is used to destroy the ticket store upon logout.
 * If the ticket file does not exist, dest_tkt() returns RET_TKFIL.
@@ -46,18 +33,15 @@ or implied warranty.
 */
 int
-dest_tkt()
+dest_tkt(void)
 {
 char *file = TKT_FILE;
 int i,fd;
 struct stat statb;
 char buf[BUFSIZ];
-#ifdef TKT_SHMEM
- char shmidname[MaxPathLen];
-#endif /* TKT_SHMEM */
 errno = 0;
- if (lstat(file,&statb) < 0)
+ if (lstat(file, &statb) < 0)
 goto out;
 if (!(statb.st_mode & S_IFREG)
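Review bot: The length check `if(tkt->length - (p - tkt->dat) < 8 + 1 + 4)` does not count the 4-byte network address that `krb_get_address(p, paddress)` consumes on the very next line (the removed code copied it with `bcopy(ptr,(char *)paddress,4)`), so a ticket with 13 to 16 bytes remaining passes the check and the session key, lifetime or issue time are read from beyond `tkt->length`; `if(tkt->length - (p - tkt->dat) < 4 + 8 + 1 + 4)` matches what is actually read. `tkt->mbz = 0;` is presumably there so that the unbounded `strlen((char*)p)` calls stop at the end of `dat` when a decrypted ticket carries no terminator, which deserves a comment such as `/* zero the trailing word so the strlen()s below cannot run off the end of dat */`. The `sname` and `sinstance` reads after the numeric fields are bounded only by that terminator and not by `tkt->length`, so a truncated ticket yields stale buffer bytes rather than KFAILURE.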
@@ -70,31 +54,23 @@ dest_tkt()
 if ((fd = open(file, O_RDWR, 0)) < 0)
 goto out;
- bzero(buf, BUFSIZ);
+ memset(buf, 0, BUFSIZ);
- for (i = 0; i < statb.st_size; i += BUFSIZ)
- if (write(fd, buf, BUFSIZ) != BUFSIZ) {
- (void) fsync(fd);
- (void) close(fd);
+ for (i = 0; i < statb.st_size; i += sizeof(buf))
+ if (write(fd, buf, sizeof(buf)) != sizeof(buf)) {
+ fsync(fd);
+ close(fd);
 goto out;
 }
+
- (void) fsync(fd);
- (void) close(fd);
-
- (void) unlink(file);
+ fsync(fd);
+ close(fd);
+
+ unlink(file);
 out:
 if (errno == ENOENT)
 return RET_TKFIL;
 else if (errno != 0)
 return KFAILURE;
-#ifdef TKT_SHMEM
- /*
- * handle the shared memory case
- */
- (void) strcpy(shmidname, file);
- (void) strcat(shmidname, ".shm");
- if ((i = krb_shm_dest(shmidname)) != KSUCCESS)
- return(i);
-#endif /* TKT_SHMEM */
 return(KSUCCESS);
 }
diff --git a/kerberosIV/krb/encrypt_ktext.c b/kerberosIV/krb/encrypt_ktext.c
new file mode 100644
index 00000000000..89b78ec455f
--- /dev/null
+++ b/kerberosIV/krb/encrypt_ktext.c
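Review bot: In the rewritten loop `if (write(fd, buf, sizeof(buf)) != sizeof(buf))` a short write, which leaves `errno` at 0, jumps to `out` and is then reported as `KSUCCESS` with the ticket file neither fully overwritten nor unlinked; the comparison also pits the `ssize_t` result against a `size_t`, so -1 is caught only through unsigned conversion. Capture the result and treat anything but a full write as a failure that sets a real error, e.g. `ssize_t w = write(fd, buf, sizeof(buf)); if (w != (ssize_t)sizeof(buf)) { if (w >= 0) errno = EIO;` before the existing `fsync`/`close`/`goto out`. `i` is still declared `int` in the previous hunk while it is now advanced by `sizeof(buf)` and compared with the `off_t` `statb.st_size`; `off_t` would match. The overwrite rounds the file up to a multiple of `sizeof(buf)`, presumably harmless because the file is unlinked right after, but worth a one-line comment.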
@@ -0,0 +1,51 @@ +/* $KTH: encrypt_ktext.c,v 1.4 1997/04/01 08:18:26 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+void
+encrypt_ktext(KTEXT cip, des_cblock *key, int encrypt)
+{
+ des_key_schedule schedule;
+ des_set_key(key, schedule);
+ des_pcbc_encrypt((des_cblock*)cip->dat, (des_cblock*)cip->dat,
+ cip->length, schedule, key, encrypt);
+ memset(schedule, 0, sizeof(des_key_schedule));
+}
diff --git a/kerberosIV/krb/et_list.c b/kerberosIV/krb/et_list.c
new file mode 100644
index 00000000000..380c1b5d48a
--- /dev/null
+++ b/kerberosIV/krb/et_list.c
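Review bot: `memset(schedule, 0, sizeof(des_key_schedule))` on the last line is a store to a local that is never read again, which the optimizer is entitled to drop as a dead store, so the expanded key schedule may outlive the call on the stack; the wipe only becomes reliable through a call the compiler cannot see through (`explicit_bzero` where available, or a write through a `volatile` pointer). The function also carries no header comment; suggest `/* Encrypt or decrypt cip->dat in place under key using PCBC; encrypt is DES_ENCRYPT or DES_DECRYPT. The key schedule is derived here and wiped before return. */`. The parameter named `encrypt` shadows the libc `encrypt(3)` on systems that declare it in <unistd.h>; `mode` would avoid the -Wshadow noise.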
@@ -0,0 +1,54 @@ +/* $KTH: et_list.c,v 1.12 1997/05/13 09:45:01 bg Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+struct et_list {
+ struct et_list *next;
+ const struct error_table *table;
+};
+
+#if defined(__GNUC__)
+
+struct et_list * _et_list __attribute__ ((weak)) = 0;
+
+#else /* !__GNUC__ */
+
+struct et_list * _et_list = 0;
+
+#endif /* !__GNUC__ */
diff --git a/kerberosIV/krb/extract_ticket.c b/kerberosIV/krb/extract_ticket.c
deleted file mode 100644
index 7a32e712edf..00000000000
--- a/kerberosIV/krb/extract_ticket.c
+++ /dev/null
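Review bot: `struct et_list` is declared here with a `const struct error_table *` member but the file includes no header, so `struct error_table` exists only as an implicit incomplete tag and the layout of `struct et_list` is duplicated rather than shared with whatever com_err code walks the list; a comment naming the header this layout must stay in step with would prevent silent drift. The weak `_et_list` definition is likewise uncommented; suggest `/* head of the chain of registered error tables; weak so another definition may take precedence (confirm against the com_err side) */`, hedged because the consumer is outside this diff.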
@@ -1,71 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/extract_ticket.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -/* - * This routine is obsolete. - * - * This routine accepts the ciphertext returned by kerberos and - * extracts the nth ticket. It also fills in the variables passed as - * session, liftime and kvno. 
- */ - -void -extract_ticket(cipher, n, session, lifetime, kvno, realm, ticket) - KTEXT cipher; /* The ciphertext */ - int n; /* Which ticket */ - char *session; /* The session key for this tkt */ - int *lifetime; /* The life of this ticket */ - int *kvno; /* The kvno for the service */ - char *realm; /* Realm in which tkt issued */ - KTEXT ticket; /* The ticket itself */ -{ - char *ptr; - int i; - - /* Start after the ticket lengths */ - ptr = (char *) cipher->dat; - ptr = ptr + 1 + (int) *(cipher->dat); - - /* Step through earlier tickets */ - for (i = 1; i < n; i++) - ptr = ptr + 11 + strlen(ptr+10) + (int) *(cipher->dat+i); - bcopy(ptr, (char *) session, 8); /* Save the session key */ - ptr += 8; - *lifetime = (unsigned char) *(ptr++); /* Save the life of the ticket */ - *kvno = *(ptr++); /* Save the kvno */ - (void) strcpy(realm,ptr); /* instance */ - ptr += strlen(realm) + 1; - - /* Save the ticket if its length is non zero */ - ticket->length = *(cipher->dat+n); - if (ticket->length) - bcopy(ptr, (char *) (ticket->dat), ticket->length); -} diff --git a/kerberosIV/krb/get_ad_tkt.c b/kerberosIV/krb/get_ad_tkt.c index 7250b443fd1..98c9349daf2 100644 --- a/kerberosIV/krb/get_ad_tkt.c +++ b/kerberosIV/krb/get_ad_tkt.c 
@@ -1,76 +1,44 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_ad_tkt.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -static int swap_bytes; +/* $KTH: get_ad_tkt.c,v 1.16 1997/05/30 17:43:34 bg Exp $ */ /* - * Given a pointer to an AUTH_MSG_KDC_REPLY packet, return the length of - * its ciphertext portion. The external variable "swap_bytes" is assumed - * to have been set to indicate whether or not the packet is in local - * byte order. pkt_clen() takes this into account when reading the - * ciphertext length out of the packet. + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -static int -pkt_clen(pkt) - KTEXT pkt; -{ - static unsigned short temp,temp2; - int clen = 0; - - /* Start of ticket list */ - unsigned char *ptr = pkt_a_realm(pkt) + 10 - + strlen((char *)pkt_a_realm(pkt)); - - /* Finally the length */ - bcopy((char *)(++ptr),(char *)&temp,2); /* alignment */ - if (swap_bytes) { - /* assume a short is 2 bytes?? 
*/ - swab((char *)&temp,(char *)&temp2,2); - temp = temp2; - } - - clen = (int) temp; - - if (krb_debug) - printf("Clen is %d\n",clen); - return(clen); -} - -/* use the bsd time.h struct defs for PC too! */ -#include <sys/time.h> -#include <sys/types.h> - -static struct timeval tt_local = { 0, 0 }; -static unsigned long rep_err_code; +#include "krb_locl.h" /* * get_ad_tkt obtains a new service ticket from Kerberos, using 
@@ -106,45 +74,33 @@ static unsigned long rep_err_code;
 */
 int
-get_ad_tkt(service, sinstance, realm, lifetime)
- char *service;
- char *sinstance;
- char *realm;
- int lifetime;
+get_ad_tkt(char *service, char *sinstance, char *realm, int lifetime)
 {
 static KTEXT_ST pkt_st;
 KTEXT pkt = & pkt_st; /* Packet to KDC */
 static KTEXT_ST rpkt_st;
 KTEXT rpkt = &rpkt_st; /* Returned packet */
- static KTEXT_ST cip_st;
- KTEXT cip = &cip_st; /* Returned Ciphertext */
- static KTEXT_ST tkt_st;
- KTEXT tkt = &tkt_st; /* Current ticket */
- des_cblock ses; /* Session key for tkt */
+ CREDENTIALS cr;
- int kvno; /* Kvno for session key */
 char lrealm[REALM_SZ];
- des_cblock key; /* Key for decrypting cipher */
- des_key_schedule key_s;
- long time_ws = 0;
-
- char s_name[SNAME_SZ];
- char s_instance[INST_SZ];
- int msg_byte_order;
+ u_int32_t time_ws = 0;
 int kerror;
- char rlm[REALM_SZ];
- char *ptr;
+ unsigned char *p;
- unsigned long kdc_time; /* KDC time */
+ /*
+ * First check if we have a "real" TGT for the corresponding
+ * realm, if we don't, use ordinary inter-realm authentication.
+ */
- if ((kerror = krb_get_tf_realm(TKT_FILE, lrealm)) != KSUCCESS)
+ kerror = krb_get_cred(KRB_TICKET_GRANTING_TICKET, realm, realm, &cr);
+ if (kerror == KSUCCESS)
+ strncpy(lrealm, realm, REALM_SZ);
+ else
+ kerror = krb_get_tf_realm(TKT_FILE, lrealm);
+
+ if (kerror != KSUCCESS)
 return(kerror);
- /* Create skeleton of packet to be sent */
- (void) gettimeofday(&tt_local,(struct timezone *) 0);
-
- pkt->length = 0;
- /*
 * Look for the session key (and other stuff we don't need)
 * in the ticket file for krbtgt.realm@lrealm where "realm"
@@ -153,7 +109,8 @@ get_ad_tkt(service, sinstance, realm, lifetime)
 * have this, we will try to get it.
 */
- if ((kerror = krb_get_cred("krbtgt",realm,lrealm,&cr)) != KSUCCESS) {
+ if ((kerror = krb_get_cred(KRB_TICKET_GRANTING_TICKET,
+ realm, lrealm, &cr)) != KSUCCESS) {
 /*
 * If realm == lrealm, we have no hope, so let's not even try.
 */
@@ -161,9 +118,14 @@ get_ad_tkt(service, sinstance, realm, lifetime)
 return(AD_NOTGT);
 else{
 if ((kerror =
- get_ad_tkt("krbtgt",realm,lrealm,lifetime)) != KSUCCESS)
- return(kerror);
- if ((kerror = krb_get_cred("krbtgt",realm,lrealm,&cr)) != KSUCCESS)
+ get_ad_tkt(KRB_TICKET_GRANTING_TICKET,
+ realm, lrealm, lifetime)) != KSUCCESS)
+ if (kerror == KDC_PR_UNKNOWN)
+ return(AD_INTR_RLM_NOTGT);
+ else
+ return(kerror);
+ if ((kerror = krb_get_cred(KRB_TICKET_GRANTING_TICKET,
+ realm, lrealm, &cr)) != KSUCCESS)
 return(kerror);
 }
 }
@@ -174,105 +136,55 @@ get_ad_tkt(service, sinstance, realm, lifetime)
 * into "pkt". Then tack other stuff on the end.
 */
- kerror = krb_mk_req(pkt,"krbtgt",realm,lrealm,0L);
+ kerror = krb_mk_req(pkt,
+ KRB_TICKET_GRANTING_TICKET,
+ realm,lrealm,0L);
 if (kerror)
 return(AD_NOTGT);
- /* timestamp */
- bcopy((char *) &time_ws,(char *) (pkt->dat+pkt->length),4);
- pkt->length += 4;
- *(pkt->dat+(pkt->length)++) = (char) lifetime;
- (void) strcpy((char *) (pkt->dat+pkt->length),service);
- pkt->length += 1 + strlen(service);
- (void) strcpy((char *)(pkt->dat+pkt->length),sinstance);
- pkt->length += 1 + strlen(sinstance);
+ p = pkt->dat + pkt->length;
+ p += krb_put_int(time_ws, p, 4);
+ p += krb_put_int(lifetime, p, 1);
+ p += krb_put_nir(service, sinstance, NULL, p);
+
+ pkt->length = p - pkt->dat;
 rpkt->length = 0;
-
+
 /* Send the request to the local ticket-granting server */
 if ((kerror = send_to_kdc(pkt, rpkt, realm)))
 return(kerror);
 /* check packet version of the returned packet */
- if (pkt_version(rpkt) != KRB_PROT_VERSION )
- return(INTK_PROT);
-
- /* Check byte order */
- msg_byte_order = pkt_msg_type(rpkt) & 1;
- swap_bytes = 0;
- if (msg_byte_order != HOST_BYTE_ORDER)
- swap_bytes++;
-
- switch (pkt_msg_type(rpkt) & ~1) {
- case AUTH_MSG_KDC_REPLY:
- break;
- case AUTH_MSG_ERR_REPLY:
- bcopy(pkt_err_code(rpkt), (char *) &rep_err_code, 4);
- if (swap_bytes)
- swap_u_long(rep_err_code);
- return(rep_err_code);
-
- default:
- return(INTK_PROT);
- }
-
- /* Extract the ciphertext */
- cip->length = pkt_clen(rpkt); /* let clen do the swap */
-
- bcopy((char *) pkt_cipher(rpkt),(char *) (cip->dat),cip->length);
-#ifndef NOENCRYPTION
- /* Attempt to decrypt it */
-
- des_key_sched(&cr.session,key_s);
- if (krb_debug) printf("About to do decryption ...");
- des_pcbc_encrypt((des_cblock *)cip->dat,(des_cblock *)cip->dat,
- (long) cip->length,key_s,&cr.session,0);
-#endif /* !NOENCRYPTION */
- /* Get rid of all traces of key */
- bzero((char *) cr.session, sizeof(key));
- bzero((char *) key_s, sizeof(key_s));
-
- ptr = (char *) cip->dat;
-
- bcopy(ptr,(char *)ses,8);
- ptr += 8;
-
- (void) strcpy(s_name,ptr);
- ptr += strlen(s_name) + 1;
-
- (void) strcpy(s_instance,ptr);
- ptr += strlen(s_instance) + 1;
-
- (void) strcpy(rlm,ptr);
- ptr += strlen(rlm) + 1;
-
- lifetime = (unsigned char) ptr[0];
- kvno = (unsigned long) ptr[1];
- tkt->length = (int) ptr[2];
- ptr += 3;
- bcopy(ptr,(char *)(tkt->dat),tkt->length);
- ptr += tkt->length;
-
- if (strcmp(s_name, service) || strcmp(s_instance, sinstance) ||
- strcmp(rlm, realm)) /* not what we asked for */
- return(INTK_ERR); /* we need a better code here XXX */
-
- /* check KDC time stamp */
- bcopy(ptr,(char *)&kdc_time,4); /* Time (coarse) */
- if (swap_bytes) swap_u_long(kdc_time);
-
- ptr += 4;
+ {
+ KTEXT_ST cip;
+ CREDENTIALS cred;
+ struct timeval tv;
+
+ kerror = kdc_reply_cipher(rpkt, &cip);
+ if(kerror != KSUCCESS)
+ return kerror;
+
+ encrypt_ktext(&cip, &cr.session, DES_DECRYPT);
+
+ kerror = kdc_reply_cred(&cip, &cred);
+ if(kerror != KSUCCESS)
+ return kerror;
+
+ if (strcmp(cred.service, service) || strcmp(cred.instance, sinstance) ||
+ strcmp(cred.realm, realm)) /* not what we asked for */
+ return INTK_ERR; /* we need a better code here XXX */
+
+ gettimeofday(&tv, NULL);
+ if (abs((int)(tv.tv_sec - cred.issue_date)) > CLOCK_SKEW) {
+ return RD_AP_TIME; /* XXX should probably be better code */
+ }
+
- (void) gettimeofday(&tt_local,(struct timezone *) 0);
- if (abs((int)(tt_local.tv_sec - kdc_time)) > CLOCK_SKEW) {
- return(RD_AP_TIME); /* XXX should probably be better
- code */
+ kerror = save_credentials(cred.service, cred.instance, cred.realm,
+ cred.session, cred.lifetime, cred.kvno,
+ &cred.ticket_st, tv.tv_sec);
+ return kerror;
 }
-
- if ((kerror = save_credentials(s_name,s_instance,rlm,ses,lifetime,
- kvno,tkt,tt_local.tv_sec)))
- return(kerror);
-
- return(AD_OK);
 }
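Review bot: `strncpy(lrealm, realm, REALM_SZ)` leaves `lrealm` without a NUL terminator whenever `realm` is REALM_SZ bytes or longer, and `lrealm` is then passed to `krb_get_cred` and `krb_mk_req` further down the function as a C string; add `lrealm[REALM_SZ - 1] = '\0';` after the copy, or use `snprintf(lrealm, sizeof(lrealm), "%s", realm)`, which terminates unconditionally. The rest of `get_ad_tkt` lies outside this hunk.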
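Review bot: The added `if (kerror == KDC_PR_UNKNOWN) return(AD_INTR_RLM_NOTGT); else return(kerror);` sits unbraced inside the `if ((kerror = get_ad_tkt(...)) != KSUCCESS)` test, so the `else` binds by the dangling-else rule rather than by the indentation; the binding happens to be the intended one today, but bracing the outer `if` makes it explicit: `if ((kerror = get_ad_tkt(KRB_TICKET_GRANTING_TICKET, realm, lrealm, lifetime)) != KSUCCESS) {` with a closing `}` after the inner `return(kerror);`. The enclosing `else{` block starts and ends outside this hunk.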
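Review bot: The removed `bzero((char *) cr.session, sizeof(key))` ("Get rid of all traces of key") has no counterpart on the new side: after `encrypt_ktext(&cip, &cr.session, DES_DECRYPT)` the TGT session key in `cr.session`, the decrypted reply in `cip` and the new credential in `cred` (session key and ticket) all stay on the stack on every exit, including the early `return kerror` and `return INTK_ERR` paths. Routing the exits through one cleanup label that clears the three objects restores the old guarantee, and because a plain `memset` of dead locals may be optimized away, `explicit_bzero` should be used where available. Separately, `p += krb_put_nir(service, sinstance, NULL, p)` appends caller-supplied strings to `pkt->dat` with no check against the buffer's capacity, just like the `strcpy` it replaces; comparing `strlen(service) + strlen(sinstance) + 2` with the space left in `pkt->dat` before the call would close that. The function's closing `}` is the hunk's last line but its start is outside the hunk.
```c
	kerror = kdc_reply_cipher(rpkt, &cip);
	if(kerror != KSUCCESS)
		goto out;

	encrypt_ktext(&cip, &cr.session, DES_DECRYPT);

	kerror = kdc_reply_cred(&cip, &cred);
	if(kerror != KSUCCESS)
		goto out;

	/* … unchanged: name/instance/realm comparison and clock-skew check, each `return X;` becoming `kerror = X; goto out;` … */

	kerror = save_credentials(cred.service, cred.instance, cred.realm,
				  cred.session, cred.lifetime, cred.kvno,
				  &cred.ticket_st, tv.tv_sec);
out:
	/* scrub key material on every exit; prefer explicit_bzero() where available */
	memset(&cr.session, 0, sizeof(cr.session));
	memset(&cip, 0, sizeof(cip));
	memset(&cred, 0, sizeof(cred));
	return kerror;
```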
diff --git a/kerberosIV/krb/get_admhst.c b/kerberosIV/krb/get_admhst.c deleted file mode 100644 index 59d11450829..00000000000 --- a/kerberosIV/krb/get_admhst.c +++ /dev/null 
@@ -1,100 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_admhst.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -/* - * Given a Kerberos realm, find a host on which the Kerberos database - * administration server can be found. - * - * krb_get_admhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer n, and - * returns (in h) the nth administrative host entry from the configuration - * file (KRB_CONF, defined in "krb.h") associated with the specified realm. - * - * On error, get_admhst returns KFAILURE. If all goes well, the routine - * returns KSUCCESS. - * - * For the format of the KRB_CONF file, see comments describing the routine - * krb_get_krbhst(). - * - * This is a temporary hack to allow us to find the nearest system running - * a Kerberos admin server. In the long run, this functionality will be - * provided by a nameserver. 
- */ - -int -krb_get_admhst(h, r, n) - char *h; - char *r; - int n; -{ - FILE *cnffile; - char tr[REALM_SZ]; - char linebuf[BUFSIZ]; - char scratch[64]; - register int i; - - if ((cnffile = fopen(KRB_CONF,"r")) == NULL) { - char tbuf[128]; - char *tdir = NULL; - if (issetugid() == 0) - tdir = (char *) getenv("KRBCONFDIR"); - strncpy(tbuf, tdir ? tdir : "/etc", sizeof(tbuf)-1); - tbuf[sizeof(tbuf)-1] = 0; - strncat(tbuf, "/krb.conf", sizeof(tbuf)-strlen(tbuf)); - if ((cnffile = fopen(tbuf,"r")) == NULL) - return(KFAILURE); - } - if (fgets(linebuf, BUFSIZ, cnffile) == NULL) { - /* error reading */ - (void) fclose(cnffile); - return(KFAILURE); - } - if (!strchr(linebuf, '\n')) { - /* didn't all fit into buffer, punt */ - (void) fclose(cnffile); - return(KFAILURE); - } - for (i = 0; i < n; ) { - /* run through the file, looking for admin host */ - if (fgets(linebuf, BUFSIZ, cnffile) == NULL) { - (void) fclose(cnffile); - return(KFAILURE); - } - /* need to scan for a token after 'admin' to make sure that - admin matched correctly */ - if (sscanf(linebuf, "%s %s admin %s", tr, h, scratch) != 3) - continue; - if (!strcmp(tr,r)) - i++; - } - (void) fclose(cnffile); - return(KSUCCESS); -} diff --git a/kerberosIV/krb/get_cred.c b/kerberosIV/krb/get_cred.c index 2882de597ad..03d38bf4fce 100644 --- a/kerberosIV/krb/get_cred.c +++ b/kerberosIV/krb/get_cred.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_cred.c,v $ - * - * $Locker: $ - */ +/* $KTH: get_cred.c,v 1.6 1997/05/30 17:38:29 bg Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology 
@@ -39,13 +33,16 @@ or implied warranty.
 */
 int
-krb_get_cred(service, instance, realm, c)
- char *service; /* Service name */
- char *instance; /* Instance */
- char *realm; /* Auth domain */
- CREDENTIALS *c; /* Credentials struct */
+krb_get_cred(char *service, /* Service name */
+ char *instance, /* Instance */
+ char *realm, /* Auth domain */
+ CREDENTIALS *c) /* Credentials struct */
 {
 int tf_status; /* return value of tf function calls */
+ CREDENTIALS cr;
+
+ if (c == 0)
+ c = &cr;
 /* Open ticket file and lock it for shared reading */
 if ((tf_status = tf_init(TKT_FILE, R_TKT_FIL)) != KSUCCESS)
@@ -60,13 +57,12 @@ krb_get_cred(service, instance, realm, c)
 /* Search for requested service credentials and copy into c */
 while ((tf_status = tf_get_cred(c)) == KSUCCESS) {
- /* Is this the right ticket? */
 if ((strcmp(c->service,service) == 0) &&
 (strcmp(c->instance,instance) == 0) &&
 (strcmp(c->realm,realm) == 0))
 break;
 }
- (void) tf_close();
+ tf_close();
 if (tf_status == EOF)
 return (GC_NOTKT);
diff --git a/kerberosIV/krb/get_default_principal.c b/kerberosIV/krb/get_default_principal.c
new file mode 100644
index 00000000000..01054df3167
--- /dev/null
+++ b/kerberosIV/krb/get_default_principal.c
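Review bot: With the new `if (c == 0) c = &cr;` fallback, a caller passing NULL only wants the lookup status, yet every entry scanned by `tf_get_cred(c)` — session key included — is copied into the stack-local `cr`, which is never cleared before the function returns (the return paths lie outside this hunk). Clear it whenever the local was used, e.g. `if (c == &cr) memset(&cr, 0, sizeof(cr));` ahead of each return, and record the new contract in the header comment: `/* c may be NULL, in which case only the lookup status is returned and nothing is copied out */`. `c == 0` would read better as `c == NULL` alongside the pointer comparisons elsewhere in the file.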
@@ -0,0 +1,89 @@ +/* $KTH: get_default_principal.c,v 1.10 1997/04/01 08:18:28 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+int
+krb_get_default_principal(char *name, char *instance, char *realm)
+{
+ char *file;
+ int ret;
+
+ char *p;
+
+ if ((file = getenv("KRBTKFILE")) == NULL)
+ file = TKT_FILE;
+
+ ret = krb_get_tf_fullname(file, name, instance, realm);
+ if(ret == KSUCCESS)
+ return 0;
+
+ p = getenv("KRB4PRINCIPAL");
+ if(p && kname_parse(name, instance, realm, p) == KSUCCESS)
+ return 1;
+
+ {
+ struct passwd *pw;
+ pw = getpwuid(getuid());
+ if(pw == NULL){
+ return -1;
+ }
+
+ strcpy(name, pw->pw_name);
+ strcpy(instance, "");
+ krb_get_lrealm(realm, 1);
+
+ if(strcmp(name, "root") == 0){
+ p = NULL;
+ p = getlogin();
+ if(p == NULL)
+ p = getenv("USER");
+ if(p == NULL)
+ p = getenv("LOGNAME");
+ if(p){
+ strncpy (name, p, ANAME_SZ);
+ name[ANAME_SZ - 1] = '\0';
+ strcpy(instance, "root");
+ }
+ }
+ return 1;
+ }
+ return -1;
+}
diff --git a/kerberosIV/krb/get_host.c b/kerberosIV/krb/get_host.c
new file mode 100644
index 00000000000..8e62ceedf3e
--- /dev/null
+++ b/kerberosIV/krb/get_host.c
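Review bot: `strcpy(name, pw->pw_name)` copies the passwd entry into `name` with no bound, while the root branch a few lines below bounds its copy with `strncpy (name, p, ANAME_SZ); name[ANAME_SZ - 1] = '\0';` — use the same bounded form for the `pw_name` copy. The return value of `krb_get_lrealm(realm, 1)` is ignored, so when no realm can be determined `realm` is left with whatever the caller passed in and the function still returns 1 as if a full principal had been found; propagate the failure, e.g. `if (krb_get_lrealm(realm, 1) != KSUCCESS) return -1;`. Note also that `KRBTKFILE`, `KRB4PRINCIPAL`, `USER` and `LOGNAME` are honoured unconditionally here, whereas the MIT code this commit removes (see the deleted `krb_get_admhst` above) guarded `getenv` with `issetugid()`; that matters if this library ends up linked into set-uid callers.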
@@ -0,0 +1,309 @@ +/* $KTH: get_host.c,v 1.31 1997/09/26 17:42:37 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +static struct host_list { + struct krb_host *this; + struct host_list *next; +} *hosts; + +static int krb_port = 0; + +static void +free_hosts(struct host_list *h) +{ + struct host_list *t; + while(h){ + if(h->this->realm) + free(h->this->realm); + if(h->this->host) + free(h->this->host); + t = h; + h = h->next; + free(t); + } +} + +static int +parse_address(char *address, enum krb_host_proto *proto, char **host, int *port) +{ + char *p, *q; + int default_port = krb_port; + *proto = PROTO_UDP; + if(strncmp(address, "http://", 7) == 0){ + p = address + 7; + *proto = PROTO_HTTP; + default_port = 80; + }else{ + p = strchr(address, '/'); + if(p){ + char prot[32]; + struct protoent *pp; + strncpy(prot, address, p - address); + prot[p - address] = 0; + if((pp = getprotobyname(prot))){ + switch(pp->p_proto){ + case IPPROTO_UDP: + *proto = PROTO_UDP; + break; + case IPPROTO_TCP: + *proto = PROTO_TCP; + break; + default: + krb_warning("Unknown protocol `%s', Using default `udp'.\n", + prot); + } + } else + krb_warning("Bad protocol name `%s', Using default `udp'.\n", + prot); + p++; + }else + p = address; + } + q = strchr(p, ':'); + if(q){ + *host = (char*)malloc(q - p + 1); + strncpy(*host, p, q - p); + (*host)[q - p] = 0; + q++; + { + struct servent *sp = getservbyname(q, NULL); + if(sp) + *port = ntohs(sp->s_port); + else + if(sscanf(q, "%d", port) != 1){ + krb_warning("Bad port specification `%s', using port %d.", + q, krb_port); + *port = krb_port; + } + } + }else{ + *host = strdup(p); + *port = default_port; + } + return 0; +} + +static int +add_host(char *realm, char *address, int admin, int validate) +{ + struct krb_host *host; + struct host_list *p, **last = &hosts; + host = (struct krb_host*)malloc(sizeof(struct krb_host)); + parse_address(address, &host->proto, &host->host, &host->port); + if(validate && gethostbyname(host->host) == NULL){ + free(host->host); + free(host); + return 1; + } + host->admin = admin; + for(p = hosts; p; 
p = p->next){ + if(strcmp(realm, p->this->realm) == 0 && + strcmp(host->host, p->this->host) == 0 && + host->proto == p->this->proto && + host->port == p->this->port){ + free(host->host); + free(host); + return 1; + } + last = &p->next; + } + host->realm = strdup(realm); + p = (struct host_list*)malloc(sizeof(struct host_list)); + p->this = host; + p->next = NULL; + *last = p; + return 0; +} + + + +static int +read_file(const char *filename, const char *r) +{ + char line[1024]; + char realm[1024]; + char address[1024]; + char scratch[1024]; + int n; + int nhosts = 0; + + FILE *f = fopen(filename, "r"); + if(f == NULL) + return -1; + while(fgets(line, sizeof(line), f)){ + n = sscanf(line, "%s %s admin %s", realm, address, scratch); + if(n == 2 || n == 3){ + if(strcmp(realm, r)) + continue; + if(add_host(realm, address, n == 3, 0) == 0) + nhosts++; + } + } + fclose(f); + return nhosts; +} + +static int +init_hosts(char *realm) +{ + static const char *files[] = KRB_CNF_FILES; + int i; + char *dir = getenv("KRBCONFDIR"); + + krb_port = ntohs(k_getportbyname (KRB_SERVICE, NULL, htons(KRB_PORT))); + if(dir){ + char file[MAXPATHLEN]; + if(k_concat(file, sizeof(file), dir, "/krb.conf", NULL) == 0) + read_file(file, realm); + } + for(i = 0; files[i]; i++) + read_file(files[i], realm); + return 0; +} + +static void +srv_find_realm(char *realm, char *proto, char *service) +{ + char *domain; + struct dns_reply *r; + struct resource_record *rr; + + k_mconcat(&domain, 1024, service, ".", proto, ".", realm, ".", NULL); + + if(domain == NULL) + return; + + r = dns_lookup(domain, "srv"); + if(r == NULL) + r = dns_lookup(domain, "txt"); + if(r == NULL){ + free(domain); + return; + } + for(rr = r->head; rr; rr = rr->next){ + if(rr->type == T_SRV){ + char buf[1024]; + + if (snprintf (buf, + sizeof(buf), + "%s/%s:%u", + proto, + rr->u.srv->target, + rr->u.srv->port) < sizeof(buf)) + add_host(realm, buf, 0, 0); + }else if(rr->type == T_TXT) + add_host(realm, rr->u.txt, 0, 0); + } + 
dns_free_data(r); + free(domain); +} + +struct krb_host* +krb_get_host(int nth, char *realm, int admin) +{ + struct host_list *p; + static char orealm[REALM_SZ]; + if(orealm[0] == 0 || strcmp(realm, orealm)){ + /* quick optimization */ + if(realm && realm[0]){ + strncpy(orealm, realm, sizeof(orealm) - 1); + orealm[sizeof(orealm) - 1] = 0; + }else{ + int ret = krb_get_lrealm(orealm, 1); + if(ret != KSUCCESS) + return NULL; + } + + if(hosts){ + free_hosts(hosts); + hosts = NULL; + } + + init_hosts(orealm); + + srv_find_realm(orealm, "udp", KRB_SERVICE); + srv_find_realm(orealm, "tcp", KRB_SERVICE); + + { + /* XXX this assumes no one has more than 99999 kerberos + servers */ + char host[REALM_SZ + sizeof("kerberos-XXXXX..")]; + int i = 0; + sprintf(host, "kerberos.%s.", orealm); + add_host(orealm, host, 1, 1); + do{ + i++; + sprintf(host, "kerberos-%d.%s.", i, orealm); + }while(i < 100000 && add_host(orealm, host, 0, 1) == 0); + } + } + + for(p = hosts; p; p = p->next){ + if(strcmp(orealm, p->this->realm) == 0 && + (!admin || p->this->admin)) + if(nth == 1) + return p->this; + else + nth--; + } + return NULL; +} + +int +krb_get_krbhst(char *host, char *realm, int nth) +{ + struct krb_host *p = krb_get_host(nth, realm, 0); + if(p == NULL) + return KFAILURE; + strcpy(host, p->host); + return KSUCCESS; +} + +int +krb_get_admhst(char *host, char *realm, int nth) +{ + struct krb_host *p = krb_get_host(nth, realm, 1); + if(p == NULL) + return KFAILURE; + strcpy(host, p->host); + return KSUCCESS; +} diff --git a/kerberosIV/krb/get_in_tkt.c b/kerberosIV/krb/get_in_tkt.c index f894640af3e..393f25b8ab5 100644 --- a/kerberosIV/krb/get_in_tkt.c +++ b/kerberosIV/krb/get_in_tkt.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_in_tkt.c,v $ - * - * $Locker: $ - */ +/* $KTH: get_in_tkt.c,v 1.19 1997/10/03 21:51:42 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology 
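Review bot: `parse_address` copies the protocol prefix into `prot[32]` with `strncpy(prot, address, p - address)` and then stores `prot[p - address] = 0` without checking that the prefix fits; `address` reaches this function from krb.conf via `read_file` and, through `srv_find_realm`, from DNS SRV/TXT answers, so a prefix of 32 or more characters before the `/` overruns the stack buffer. Length-check the prefix before copying and fall back to the default protocol when it is too long (rewrite below). The `malloc` results in `parse_address` and `add_host` are dereferenced unchecked, and `krb_get_krbhst`/`krb_get_admhst` `strcpy` the resolved host into the caller's buffer with no size, so a long host name from the same sources overruns there as well. Lastly, `init_hosts` reads `KRBCONFDIR` without the `issetugid()` guard that the deleted `krb_get_admhst`/`krb_get_krbhst` code had; the same regression is in `krb_get_lrealm` in get_krbrlm.c below.
```c
        p = strchr(address, '/');
        if(p){
            char prot[32];
            struct protoent *pp;
            size_t plen = p - address;
            if(plen >= sizeof(prot)){
                krb_warning("Protocol name too long, Using default `udp'.\n");
            }else{
                strncpy(prot, address, plen);
                prot[plen] = 0;
                if((pp = getprotobyname(prot))){
                    /* … unchanged: IPPROTO_UDP / IPPROTO_TCP switch … */
                } else
                    krb_warning("Bad protocol name `%s', Using default `udp'.\n",
                                prot);
            }
            p++;
        }else
            p = address;
```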
@@ -30,67 +24,49 @@ or implied warranty. #include "krb_locl.h" /* - * This file contains two routines: passwd_to_key() converts - * a password into a DES key (prompting for the password if - * not supplied), and krb_get_pw_in_tkt() gets an initial ticket for - * a user. + * This file contains three routines: passwd_to_key() and + * passwd_to_afskey() converts a password into a DES key, using the + * normal strinttokey and the AFS one, respectively, and + * krb_get_pw_in_tkt() gets an initial ticket for a user. */ /* - * passwd_to_key(): given a password, return a DES key. - * There are extra arguments here which (used to be?) - * used by srvtab_to_key(). - * - * If the "passwd" argument is not null, generate a DES - * key from it, using string_to_key(). - * - * If the "passwd" argument is null, call des_read_password() - * to prompt for a password and then convert it into a DES key. - * - * In either case, the resulting key is put in the "key" argument, - * and 0 is returned. + * passwd_to_key() and passwd_to_afskey: given a password, return a DES key. 
*/ -/*ARGSUSED */ -static int -passwd_to_key(user, instance, realm, passwd, key) - char *user; - char *instance; - char *realm; - char *passwd; - des_cblock *key; +int +passwd_to_key(char *user, char *instance, char *realm, void *passwd, + des_cblock *key) { -#ifdef NOENCRYPTION - if (!passwd) - placebo_read_password(key, "Kerberos Password: ", 0); -#else - if (passwd) - des_string_to_key(passwd,key); - else - des_read_password(key,"Kerberos Password: ",0); +#ifndef NOENCRYPTION + des_string_to_key((char *)passwd, key); #endif - return (0); + return 0; } -/*ARGSUSED */ -static int -afs_passwd_to_key(user, instance, realm, passwd, key) - char *user; - char *instance; - char *realm; - char *passwd; - des_cblock *key; +int +passwd_to_5key(char *user, char *instance, char *realm, void *passwd, + des_cblock *key) { -#ifdef NOENCRYPTION - if (!passwd) - placebo_read_password(key, "Kerberos Password: ", 0); -#else /* Do encyryption */ - if (passwd) - afs_string_to_key(passwd, realm, key); - else { - des_read_password(key, "Kerberos Password: ", 0); - } -#endif /* NOENCRYPTION */ + char *p; + size_t len; + len = k_mconcat (&p, 512, passwd, realm, user, instance, NULL); + if(len == 0) + return -1; + des_string_to_key(p, key); + memset(p, 0, len); + free(p); + return 0; +} + + +int +passwd_to_afskey(char *user, char *instance, char *realm, void *passwd, + des_cblock *key) +{ +#ifndef NOENCRYPTION + afs_string_to_key((char *)passwd, realm, key); +#endif return (0); } 
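Review bot: With `NOENCRYPTION` defined, `passwd_to_key` and `passwd_to_afskey` now return 0 without ever writing `*key`, so callers such as the key_proc loop in `krb_get_pw_in_tkt` go on to use an uninitialized DES key; the removed code at least went through `placebo_read_password`, which zeroed it. Add an `#else` branch that defines the key in that build, e.g. `#else` / `memset(key, 0, sizeof(*key));` before each `#endif`, so the two variants agree with `passwd_to_5key`, which always produces a key. In `passwd_to_5key`, the `memset(p, 0, len)` immediately before `free(p)` is the classic dead-store pattern a compiler may drop; if the intent is to scrub the concatenated password, say so in a comment and be aware it is not guaranteed on every toolchain.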
@@ -112,208 +88,50 @@ afs_passwd_to_key(user, instance, realm, passwd, key) */ int -krb_get_pw_in_tkt(user, instance, realm, service, sinstance, life, password) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - char *password; +krb_get_pw_in_tkt(char *user, char *instance, char *realm, char *service, + char *sinstance, int life, char *password) { char pword[100]; /* storage for the password */ int code; /* Only request password once! */ if (!password) { - if (des_read_pw_string(pword, sizeof(pword)-1, "Kerberos Password: ", 0)) - pword[0] = '\0'; /* something wrong */ + if (des_read_pw_string(pword, sizeof(pword)-1, "Password: ", 0)){ + memset(pword, 0, sizeof(pword)); + return INTK_BADPW; + } password = pword; } - code = krb_get_in_tkt(user,instance,realm,service,sinstance,life, - passwd_to_key, NULL, password); - if (code != INTK_BADPW) - goto done; - - code = krb_get_in_tkt(user,instance,realm,service,sinstance,life, - afs_passwd_to_key, NULL, password); - if (code != INTK_BADPW) - goto done; + { + KTEXT_ST as_rep; + CREDENTIALS cred; + int ret = 0; + key_proc_t key_procs[] = { passwd_to_key, passwd_to_afskey, + passwd_to_5key, NULL }; + key_proc_t *kp; + + code = krb_mk_as_req(user, instance, realm, + service, sinstance, life, &as_rep); + if(code) + return code; + for(kp = key_procs; *kp; kp++){ + KTEXT_ST tmp; + memcpy(&tmp, &as_rep, sizeof(as_rep)); + code = krb_decode_as_rep(user, instance, realm, service, sinstance, + *kp, NULL, password, &tmp, &cred); + if(code == 0) + break; + if(code != INTK_BADPW) + ret = code; /* this is probably a better code than + what code gets after this loop */ + } + if(code) + return ret ? 
ret : code; - done: + code = tf_setup(&cred, user, instance); + } if (password == pword) - bzero(pword, sizeof(pword)); + memset(pword, 0, sizeof(pword)); return(code); } - -#ifdef NOENCRYPTION -/* - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_in_tkt.c,v $ - * $Author: millert $ - * - * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute - * of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - * - * This routine prints the supplied string to standard - * output as a prompt, and reads a password string without - * echoing. - */ - -#ifndef lint -static char rcsid_read_password_c[] = -"Bones$Header: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_in_tkt.c,v 1.4 1997/08/18 03:11:21 millert Exp $"; -#endif /* lint */ - -#include <des.h> -#include "conf.h" - -#include <stdio.h> -#include <string.h> -#include <sys/ioctl.h> -#include <signal.h> -#include <setjmp.h> - -static jmp_buf env; - -static void sig_restore(); -static push_signals(), pop_signals(); -int placebo_read_pw_string(); - -/*** Routines ****************************************************** */ -int -placebo_read_password(k,prompt,verify) - des_cblock *k; - char *prompt; - int verify; -{ - int ok; - char key_string[BUFSIZ]; - - if (setjmp(env)) { - ok = -1; - goto lose; - } - - ok = placebo_read_pw_string(key_string, BUFSIZ, prompt, verify); - if (ok == 0) - bzero(k, sizeof(C_Block)); - -lose: - bzero(key_string, sizeof (key_string)); - return ok; -} - -/* - * This version just returns the string, doesn't map to key. - * - * Returns 0 on success, non-zero on failure. 
- */ - -int -placebo_read_pw_string(s,max,prompt,verify) - char *s; - int max; - char *prompt; - int verify; -{ - int ok = 0; - char *ptr; - - jmp_buf old_env; - struct sgttyb tty_state; - char key_string[BUFSIZ]; - - if (max > BUFSIZ) { - return -1; - } - - bcopy(old_env, env, sizeof(env)); - if (setjmp(env)) - goto lose; - - /* save terminal state*/ - if (ioctl(0,TIOCGETP,&tty_state) == -1) - return -1; - - push_signals(); - /* Turn off echo */ - tty_state.sg_flags &= ~ECHO; - if (ioctl(0,TIOCSETP,&tty_state) == -1) - return -1; - while (!ok) { - printf(prompt); - fflush(stdout); - if (!fgets(s, max, stdin)) { - clearerr(stdin); - continue; - } - if ((ptr = strchr(s, '\n'))) - *ptr = '\0'; - if (verify) { - printf("\nVerifying, please re-enter %s",prompt); - fflush(stdout); - if (!fgets(key_string, sizeof(key_string), stdin)) { - clearerr(stdin); - continue; - } - if ((ptr = strchr(key_string, '\n'))) - *ptr = '\0'; - if (strcmp(s,key_string)) { - printf("\n\07\07Mismatch - try again\n"); - fflush(stdout); - continue; - } - } - ok = 1; - } - -lose: - if (!ok) - bzero(s, max); - printf("\n"); - /* turn echo back on */ - tty_state.sg_flags |= ECHO; - if (ioctl(0,TIOCSETP,&tty_state)) - ok = 0; - pop_signals(); - bcopy(env, old_env, sizeof(env)); - if (verify) - bzero(key_string, sizeof (key_string)); - s[max-1] = 0; /* force termination */ - return !ok; /* return nonzero if not okay */ -} - -/* - * this can be static since we should never have more than - * one set saved.... - */ -static RETSIGTYPE (*old_sigfunc[NSIG])(); - -static -push_signals() -{ - register i; - for (i = 0; i < NSIG; i++) - old_sigfunc[i] = signal(i,sig_restore); -} - -static -pop_signals() -{ - register i; - for (i = 0; i < NSIG; i++) - signal(i,old_sigfunc[i]); -} - -static void -sig_restore(sig,code,scp) - int sig,code; - struct sigcontext *scp; -{ - longjmp(env,1); -} -#endif /* NOENCRYPTION */ 
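Review bot: The two new early exits in `krb_get_pw_in_tkt` — `return code;` after `krb_mk_as_req` fails and `return ret ? ret : code;` after the key_proc loop — skip the `memset(pword, 0, sizeof(pword))` at the end, so a password read into `pword` is left on the stack on exactly the failure paths (wrong password, unreachable KDC). Replace them with `goto done;` and `{ code = ret ? ret : code; goto done; }` and put a `done:` label in front of `if (password == pword)` so every path scrubs. The `cred` struct filled by `krb_decode_as_rep` still holds the session key after `tf_setup` returns and would benefit from the same `memset` before the function exits.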
diff --git a/kerberosIV/krb/get_krbhst.c b/kerberosIV/krb/get_krbhst.c
deleted file mode 100644
index 0dd0eb96ba1..00000000000
--- a/kerberosIV/krb/get_krbhst.c
+++ /dev/null
@@ -1,98 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_krbhst.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -/* - * Given a Kerberos realm, find a host on which the Kerberos authenti- - * cation server can be found. - * - * krb_get_krbhst takes a pointer to be filled in, a pointer to the name - * of the realm for which a server is desired, and an integer, n, and - * returns (in h) the nth entry from the configuration file (KRB_CONF, - * defined in "krb.h") associated with the specified realm. - * - * On end-of-file, krb_get_krbhst returns KFAILURE. If all goes well, - * the routine returns KSUCCESS. - * - * The KRB_CONF file contains the name of the local realm in the first - * line (not used by this routine), followed by lines indicating realm/host - * entries. The words "admin server" following the hostname indicate that - * the host provides an administrative database server. 
- * - * For example: - * - * ATHENA.MIT.EDU - * ATHENA.MIT.EDU kerberos-1.mit.edu admin server - * ATHENA.MIT.EDU kerberos-2.mit.edu - * LCS.MIT.EDU kerberos.lcs.mit.edu admin server - * - * This is a temporary hack to allow us to find the nearest system running - * kerberos. In the long run, this functionality will be provided by a - * nameserver. - */ - -int -krb_get_krbhst(h, r, n) - char *h; - char *r; - int n; -{ - FILE *cnffile; - char tr[REALM_SZ]; - char linebuf[BUFSIZ]; - register int i; - - if ((cnffile = fopen(KRB_CONF,"r")) == NULL) { - char tbuf[128]; - char *tdir = NULL; - if (issetugid() == 0) - tdir = (char *) getenv("KRBCONFDIR"); - strncpy(tbuf, tdir ? tdir : "/etc", sizeof(tbuf)-1); - tbuf[sizeof(tbuf)-1] = 0; - strncat(tbuf, "/krb.conf", sizeof(tbuf)-strlen(tbuf)); - if ((cnffile = fopen(tbuf,"r")) == NULL) - return(KFAILURE); - } - if (fscanf(cnffile,"%s",tr) == EOF) - return(KFAILURE); - /* run through the file, looking for the nth server for this realm */ - for (i = 1; i <= n;) { - if (fgets(linebuf, BUFSIZ, cnffile) == NULL) { - (void) fclose(cnffile); - return(KFAILURE); - } - if (sscanf(linebuf, "%s %s", tr, h) != 2) - continue; - if (!strcmp(tr,r)) - i++; - } - (void) fclose(cnffile); - return(KSUCCESS); -} diff --git a/kerberosIV/krb/get_krbrlm.c b/kerberosIV/krb/get_krbrlm.c index ff9f0ebc532..24dfd680b4b 100644 --- a/kerberosIV/krb/get_krbrlm.c +++ b/kerberosIV/krb/get_krbrlm.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_krbrlm.c,v $ - * - * $Locker: $ - */ +/* $KTH: get_krbrlm.c,v 1.16 1997/05/02 01:26:22 assar Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology 
@@ -33,7 +27,9 @@ or implied warranty. * krb_get_lrealm takes a pointer to a string, and a number, n. It fills * in the string, r, with the name of the nth realm specified on the * first line of the kerberos config file (KRB_CONF, defined in "krb.h"). - * It returns 0 (KSUCCESS) on success, and KFAILURE on failure. + * It returns 0 (KSUCCESS) on success, and KFAILURE on failure. If the + * config file does not exist, and if n=1, a successful return will occur + * with r = KRB_REALM (also defined in "krb.h"). * * NOTE: for archaic & compatibility reasons, this routine will only return * valid results when n = 1. 
@@ -42,32 +38,79 @@ or implied warranty. * krb_get_krbhst(). */ +static int +krb_get_lrealm_f(char *r, int n, const char *fname) +{ + FILE *f; + int ret = KFAILURE; + f = fopen(fname, "r"); + if(f){ + char buf[REALM_SZ]; + if(fgets(buf, sizeof(buf), f)){ + char *p = buf + strspn(buf, " \t"); + p[strcspn(p, " \t\r\n")] = 0; + p[REALM_SZ - 1] = 0; + strcpy(r, p); + ret = KSUCCESS; + } + fclose(f); + } + return ret; +} + int -krb_get_lrealm(r, n) - char *r; - int n; +krb_get_lrealm(char *r, int n) { - FILE *cnffile; + static const char *const files[] = KRB_CNF_FILES; + int i; + + const char *dir = getenv("KRBCONFDIR"); - if (n > 1) - return(KFAILURE); /* Temporary restriction */ + if (n > 1) + return(KFAILURE); /* Temporary restriction */ - if ((cnffile = fopen(KRB_CONF, "r")) == NULL) { - char tbuf[128]; - char *tdir = NULL; - if (issetugid() == 0) - tdir = (char *) getenv("KRBCONFDIR"); - strncpy(tbuf, tdir ? tdir : "/etc", sizeof(tbuf)-1); - tbuf[sizeof(tbuf)-1] = 0; - strncat(tbuf, "/krb.conf", sizeof(tbuf)-strlen(tbuf)); - if ((cnffile = fopen(tbuf,"r")) == NULL) - return(KFAILURE); - } + /* First try user specified file */ + if (dir != 0) { + char fname[MAXPATHLEN]; + if(k_concat(fname, sizeof(fname), dir, "/krb.conf", NULL) == 0) + if (krb_get_lrealm_f(r, n, fname) == KSUCCESS) + return KSUCCESS; + } + + for (i = 0; files[i] != 0; i++) + if (krb_get_lrealm_f(r, n, files[i]) == KSUCCESS) + return KSUCCESS; + + /* If nothing else works try LOCALDOMAIN, if it exists */ + if (n == 1) + { + char *t, hostname[MAXHOSTNAMELEN]; + k_gethostname(hostname, sizeof(hostname)); + t = krb_realmofhost(hostname); + if (t) { + strcpy (r, t); + return KSUCCESS; + } + t = strchr(hostname, '.'); + if (t == 0) + return KFAILURE; /* No domain part, you loose */ - if (fscanf(cnffile,"%s",r) != 1) { - (void) fclose(cnffile); - return(KFAILURE); + t++; /* Skip leading dot and upcase the rest */ + for (; *t; t++, r++) + *r = toupper(*t); + *r = 0; + return(KSUCCESS); } - (void) 
fclose(cnffile); - return(*r == '#' ? KFAILURE : KSUCCESS); + else + return(KFAILURE); +} + +/* For SunOS5 compat. */ +char * +krb_get_default_realm(void) +{ + static char local_realm[REALM_SZ]; /* local kerberos realm */ + if (krb_get_lrealm(local_realm, 1) != KSUCCESS) + strcpy(local_realm, "NO.DEFAULT.REALM"); + return local_realm; } diff --git a/kerberosIV/krb/get_phost.c b/kerberosIV/krb/get_phost.c deleted file mode 100644 index 8c6c6caef9a..00000000000 --- a/kerberosIV/krb/get_phost.c +++ /dev/null 
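Review bot: In `krb_get_lrealm_f`, `p[REALM_SZ - 1] = 0` indexes from `p`, which `strspn` has already advanced past any leading blanks, so when the first line of krb.conf starts with whitespace the store lands that many bytes past the end of `buf[REALM_SZ]`; `fgets` already NUL-terminates within `buf`, so the line can simply be dropped (or written as `buf[REALM_SZ - 1] = 0;`). In `krb_get_lrealm` the LOCALDOMAIN fallback copies into `r` with `strcpy (r, t)` and with the `toupper` loop, bounded only by the `MAXHOSTNAMELEN`-sized `hostname`, while `r` is a realm buffer (`krb_get_default_realm` below passes a `REALM_SZ` array) — bound both copies to `REALM_SZ - 1`, and pass `(unsigned char)*t` to `toupper` since plain `char` may be negative. The `strcpy(local_realm, "NO.DEFAULT.REALM")` in `krb_get_default_realm` fits `REALM_SZ` only if that constant is at least 17; a `_Static_assert`-style check or a `strncpy` would make that independent of the header.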
@@ -1,74 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_phost.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -#define USE_FULL_HOST_NAME 0 - -#include <ctype.h> -#include <netdb.h> - -/* - * This routine takes an alias for a host name and returns the first - * field, lower case, of its domain name. For example, if "menel" is - * an alias for host officially named "menelaus" (in /etc/hosts), for - * the host whose official name is "MENELAUS.MIT.EDU", the name "menelaus" - * is returned. - * - * This is done for historical Athena reasons: the Kerberos name of - * rcmd servers (rlogin, rsh, rcp) is of the form "rcmd.host@realm" - * where "host"is the lowercase for of the host name ("menelaus"). - * This should go away: the instance should be the domain name - * (MENELAUS.MIT.EDU). But for now we need this routine... 
- * - * A pointer to the name is returned, if found, otherwise a pointer - * to the original "alias" argument is returned. - */ - -char * -krb_get_phost(alias) - char *alias; -{ - struct hostent *h; - char *phost = alias; - if ((h=gethostbyname(alias)) != (struct hostent *)NULL ) { -#if USE_FULL_HOST_NAME - char *p; -#else /* USE_FULL_HOST_NAME */ - char *p = strchr( h->h_name, '.' ); - if (p) - *p = 0; -#endif /* USE_FULL_HOST_NAME */ - p = phost = h->h_name; - do { - if (isupper(*p)) *p=tolower(*p); - } while (*p++); - } - return(phost); -} diff --git a/kerberosIV/krb/get_pw_tkt.c b/kerberosIV/krb/get_pw_tkt.c deleted file mode 100644 index d2dbf5ee2e1..00000000000 --- a/kerberosIV/krb/get_pw_tkt.c +++ /dev/null 
@@ -1,93 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_pw_tkt.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" -#include <sys/param.h> - -/* - * Get a ticket for the password-changing server ("changepw.KRB_MASTER"). - * - * Given the name, instance, realm, and current password of the - * principal for which the user wants a password-changing-ticket, - * return either: - * - * GT_PW_BADPW if current password was wrong, - * GT_PW_NULL if principal had a NULL password, - * or the result of the krb_get_pw_in_tkt() call. - * - * First, try to get a ticket for "user.instance@realm" to use the - * "changepw.KRB_MASTER" server (KRB_MASTER is defined in "krb.h"). - * The requested lifetime for the ticket is "1", and the current - * password is the "cpw" argument given. - * - * If the password was bad, give up. 
- * - * If the principal had a NULL password in the Kerberos database - * (indicating that the principal is known to Kerberos, but hasn't - * got a password yet), try instead to get a ticket for the principal - * "default.changepw@realm" to use the "changepw.KRB_MASTER" server. - * Use the password "changepwkrb" instead of "cpw". Return GT_PW_NULL - * if all goes well, otherwise the error. - * - * If this routine succeeds, a ticket and session key for either the - * principal "user.instance@realm" or "default.changepw@realm" to use - * the password-changing server will be in the user's ticket file. - */ - -int -get_pw_tkt(user, instance, realm, cpw) - char *user; - char *instance; - char *realm; - char *cpw; -{ - char *dot, admin[MAXHOSTNAMELEN]; - int kerror; - - if ((kerror = krb_get_admhst(admin, realm, 1)) != KSUCCESS) - return(GT_PW_BADPW); - if ((dot = strchr(admin, '.')) != NULL) - *dot = '\0'; - - kerror = krb_get_pw_in_tkt(user, instance, realm, "changepw", - admin, 1, cpw); - - if (kerror == INTK_BADPW) - return(GT_PW_BADPW); - - if (kerror == KDC_NULL_KEY) { - kerror = krb_get_pw_in_tkt("default","changepw",realm,"changepw", - admin,1,"changepwkrb"); - if (kerror) - return(kerror); - return(GT_PW_NULL); - } - - return(kerror); -} diff --git a/kerberosIV/krb/get_request.c b/kerberosIV/krb/get_request.c deleted file mode 100644 index ba0e0daaa67..00000000000 --- a/kerberosIV/krb/get_request.c +++ /dev/null 
@@ -1,66 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_request.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -/* - * This procedure is obsolete. It is used in the kerberos_slave - * code for Version 3 tickets. - * - * This procedure sets s_name, and instance to point to - * the corresponding fields from tne nth request in the packet. - * it returns the lifetime requested. Garbage will be returned - * if there are less than n requests in the packet. 
- */ - -int -get_request(pkt, n, s_name, instance) - KTEXT pkt; /* The packet itself */ - int n; /* Which request do we want */ - char **s_name; /* Service name to be filled in */ - char **instance; /* Instance name to be filled in */ -{ - /* Go to the beginning of the request list */ - char *ptr = (char *) pkt_a_realm(pkt) + 6 + - strlen((char *)pkt_a_realm(pkt)); - - /* Read requests until we hit the right one */ - while (n-- > 1) { - ptr++; - ptr += 1 + strlen(ptr); - ptr += 1 + strlen(ptr); - } - - /* Set the arguments to point to the right place */ - *s_name = 1 + ptr; - *instance = 2 + ptr + strlen(*s_name); - - /* Return the requested lifetime */ - return((int) *ptr); -} diff --git a/kerberosIV/krb/get_svc_in_tkt.c b/kerberosIV/krb/get_svc_in_tkt.c index 57f1942cbb9..13171952f42 100644 --- a/kerberosIV/krb/get_svc_in_tkt.c +++ b/kerberosIV/krb/get_svc_in_tkt.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_svc_in_tkt.c,v $ - * - * $Locker: $ - */ +/* $KTH: get_svc_in_tkt.c,v 1.8 1997/03/23 03:53:09 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -52,18 +46,14 @@ or implied warranty. * The service key is placed in "key". */ -static int -srvtab_to_key(user, instance, realm, srvtab, key) - char *user; - char *instance; - char *realm; - char *srvtab; - unsigned char *key; +int +srvtab_to_key(char *user, char *instance, char *realm, void *srvtab, + des_cblock *key) { if (!srvtab) srvtab = KEYFILE; - return(read_service_key(user, instance, realm, 0, srvtab, + return(read_service_key(user, instance, realm, 0, (char *)srvtab, (char *)key)); } 
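Review bot: Dropping `static` from srvtab_to_key turns a file-local helper into an exported symbol of libkrb, and the new `void *srvtab` parameter is then cast back to `char *` for read_service_key, so the type change buys nothing at this call site. If the function is now meant to be public API (it is only visible here as the key procedure handed to krb_get_in_tkt), a prototype with a short comment should go in the public header; otherwise keep it `static int srvtab_to_key(...)` to avoid widening the library's interface. I cannot see the header from this hunk, so this is an inference from the visible change.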
@@ -78,14 +68,8 @@ srvtab_to_key(user, instance, realm, srvtab, key) */ int -krb_get_svc_in_tkt(user, instance, realm, service, sinstance, life, srvtab) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - char *srvtab; +krb_get_svc_in_tkt(char *user, char *instance, char *realm, char *service, + char *sinstance, int life, char *srvtab) { return(krb_get_in_tkt(user, instance, realm, service, sinstance, life, srvtab_to_key, NULL, srvtab)); diff --git a/kerberosIV/krb/get_tf_fullname.c b/kerberosIV/krb/get_tf_fullname.c index 40ec5986eb7..893f49506c8 100644 --- a/kerberosIV/krb/get_tf_fullname.c +++ b/kerberosIV/krb/get_tf_fullname.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_tf_fullname.c,v $ - * - * $Locker: $ - */ +/* $KTH: get_tf_fullname.c,v 1.6 1997/03/23 03:53:10 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -38,17 +32,13 @@ or implied warranty. * krb_get_tf_fullname() takes four arguments: the name of the * ticket file, and variables for name, instance, and realm to be * returned in. Since the realm of a ticket file is not really fully - * supported, the realm used will be that of the first ticket in the - * file as this is the one that was obtained with a password by + * supported, the realm used will be that of the the first ticket in + * the file as this is the one that was obtained with a password by * krb_get_in_tkt(). */ int -krb_get_tf_fullname(ticket_file, name, instance, realm) - char *ticket_file; - char *name; - char *instance; - char *realm; +krb_get_tf_fullname(char *ticket_file, char *name, char *instance, char *realm) { int tf_status; CREDENTIALS c; @@ -74,7 +64,7 @@ krb_get_tf_fullname(ticket_file, name, instance, realm) else return(tf_status); } - (void) tf_close(); + tf_close(); return(tf_status); } 
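Review bot: The reworded comment above krb_get_tf_fullname introduces a doubled word, "that of the the first ticket in the file"; the new line should read `* supported, the realm used will be that of the first ticket in`. The function's signature is in this hunk but its body continues outside it, so only the comment is reviewable here.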
diff --git a/kerberosIV/krb/get_tf_realm.c b/kerberosIV/krb/get_tf_realm.c index 04b19894ac2..fb02f775085 100644 --- a/kerberosIV/krb/get_tf_realm.c +++ b/kerberosIV/krb/get_tf_realm.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/get_tf_realm.c,v $ - * - * $Locker: $ - */ +/* $KTH: get_tf_realm.c,v 1.5 1997/03/23 03:53:10 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -41,9 +35,7 @@ or implied warranty. */ int -krb_get_tf_realm(ticket_file, realm) - char *ticket_file; - char *realm; +krb_get_tf_realm(char *ticket_file, char *realm) { return(krb_get_tf_fullname(ticket_file, 0, 0, realm)); } diff --git a/kerberosIV/krb/getaddrs.c b/kerberosIV/krb/getaddrs.c new file mode 100644 index 00000000000..9a45422b090 --- /dev/null +++ b/kerberosIV/krb/getaddrs.c 
@@ -0,0 +1,105 @@ +/* $KTH: getaddrs.c,v 1.20 1997/11/09 06:13:32 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +#include <sys/ioctl.h> +#include <net/if.h> +#include <sys/sockio.h> + +/* + * Return number and list of all local adresses. + */ + +int +k_get_all_addrs (struct in_addr **l) +{ + int fd; + char buf[BUFSIZ]; + struct ifreq ifreq; + struct ifconf ifconf; + int num, j; + char *p; + + fd = socket(AF_INET, SOCK_DGRAM, 0); + if (fd < 0) + return -1; + + ifconf.ifc_len = sizeof(buf); + ifconf.ifc_buf = buf; + if(ioctl(fd, SIOCGIFCONF, &ifconf) < 0) + return -1; + num = ifconf.ifc_len / sizeof(struct ifreq); + *l = malloc(num * sizeof(struct in_addr)); + if(*l == NULL) { + close (fd); + return -1; + } + + j = 0; + ifreq.ifr_name[0] = '\0'; + for (p = ifconf.ifc_buf; p < ifconf.ifc_buf + ifconf.ifc_len;) { + struct ifreq *ifr = (struct ifreq *)p; + size_t sz = sizeof(*ifr); + sz = max(sz, sizeof(ifr->ifr_name) + ifr->ifr_addr.sa_len); + + if(strncmp(ifreq.ifr_name, ifr->ifr_name, sizeof(ifr->ifr_name))) { + if(ioctl(fd, SIOCGIFFLAGS, ifr) < 0) { + close (fd); + free (*l); + return -1; + } + if (ifr->ifr_flags & IFF_UP) { + if(ioctl(fd, SIOCGIFADDR, ifr) < 0) { + close (fd); + free (*l); + return -1; + } + (*l)[j++] = ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr; + } + ifreq = *ifr; + } + p = p + sz; + } + if (j != num) + *l = realloc (*l, j * sizeof(struct in_addr)); + close (fd); + return j; +} diff --git a/kerberosIV/krb/getrealm.c b/kerberosIV/krb/getrealm.c index 7d303287d60..91878e8817a 100644 --- a/kerberosIV/krb/getrealm.c +++ b/kerberosIV/krb/getrealm.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/getrealm.c,v $ - * - * $Locker: $ - */ +/* $KTH: getrealm.c,v 1.26 1997/10/08 22:51:13 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology 
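Review bot: In k_get_all_addrs the early return after a failed SIOCGIFCONF leaks the socket, unlike the later failure paths which close it; it should be `if (ioctl(fd, SIOCGIFCONF, &ifconf) < 0) { close(fd); return -1; }`. The fixed BUFSIZ-sized buffer is also a silent limit: on most systems SIOCGIFCONF truncates the list rather than failing when the buffer is too small, so a host with many interfaces or aliases gets an incomplete address list with no error; growing the buffer until ifc_len stops increasing would avoid that. The final shrinking `realloc` is unchecked, so on failure (and possibly when j is 0, where realloc may return NULL) *l is left NULL and the original block is lost or leaked; keep the old pointer when realloc returns NULL, e.g. `void *tmp = realloc(*l, j * sizeof(struct in_addr)); if (tmp != NULL) *l = tmp;`.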
@@ -28,15 +22,9 @@ or implied warranty. */ #include "krb_locl.h" -#include <netdb.h> #define MATCH_SUBDOMAINS 0 -/* for Ultrix and friends ... */ -#ifndef MAXHOSTNAMELEN -#define MAXHOSTNAMELEN 64 -#endif - /* * krb_realmofhost. * Given a fully-qualified domain-style primary host name, 
@@ -55,78 +43,152 @@ or implied warranty. * host names should be in the usual form (e.g. FOO.BAR.BAZ) */ -static char ret_realm[REALM_SZ+1]; +/* To automagically find the correct realm of a host (without + * krb.realms) add a text record for your domain with the name of your + * realm, like this: + * + * krb4-realm IN TXT FOO.SE + * + * The search is recursive, so you can also add entries for specific + * hosts. To find the realm of host a.b.c, it first tries + * krb4-realm.a.b.c, then krb4-realm.b.c and so on. + */ -char * -krb_realmofhost(host) - char *host; +static int +dns_find_realm(char *hostname, char *realm) { - char *domain; - FILE *trans_file; - char trans_host[MAXHOSTNAMELEN+1]; - char trans_realm[REALM_SZ+1]; - struct hostent *hp; - int retval; - - if ((hp = gethostbyname(host)) != NULL) - host = hp->h_name; - - domain = strchr(host, '.'); - - /* prepare default */ - if (domain) { - ret_realm[0] = '\0'; - } else { - krb_get_lrealm(ret_realm, 1); + char domain[MAXHOSTNAMELEN + sizeof("krb4-realm..")]; + char *p; + int level = 0; + struct dns_reply *r; + + p = hostname; + + while(1){ + snprintf(domain, sizeof(domain), "krb4-realm.%s.", p); + p = strchr(p, '.'); + if(p == NULL) + break; + p++; + r = dns_lookup(domain, "TXT"); + if(r){ + struct resource_record *rr = r->head; + while(rr){ + if(rr->type == T_TXT){ + strncpy(realm, rr->u.txt, REALM_SZ); + realm[REALM_SZ - 1] = 0; + dns_free_data(r); + return level; + } + rr = rr->next; + } + dns_free_data(r); } + level++; + } + return -1; +} + + +static FILE * +open_krb_realms(void) +{ + static const char *const files[] = KRB_RLM_FILES; + FILE *res; + int i; + + const char *dir = getenv("KRBCONFDIR"); - if ((trans_file = fopen(KRB_RLM_TRANS, "r")) == (FILE *) 0) { - char tbuf[128]; - char *tdir = NULL; - if (issetugid() == 0) - tdir = (char *) getenv("KRBCONFDIR"); - strncpy(tbuf, tdir ? 
tdir : "/etc", sizeof(tbuf)-1); - tbuf[sizeof(tbuf)-1] = '\0'; - strncat(tbuf, "/krb.realms", sizeof(tbuf) - strlen(tbuf)); - if ((trans_file = fopen(tbuf,"r")) == NULL) - return(ret_realm[0] ? ret_realm : NULL); /* krb_errno = KRB_NO_TRANS */ + /* First try user specified file */ + if (dir != 0) { + char fname[MAXPATHLEN]; + + if(k_concat(fname, sizeof(fname), dir, "/krb.realms", NULL) == 0) + if ((res = fopen(fname, "r")) != NULL) + return res; + } + + for (i = 0; files[i] != 0; i++) + if ((res = fopen(files[i], "r")) != NULL) + return res; + + return NULL; +} + +static int +file_find_realm(const char *phost, const char *domain, char *ret_realm) +{ + FILE *trans_file; + char buf[1024]; + char trans_host[MAXHOSTNAMELEN]; + char trans_realm[REALM_SZ]; + int ret = -1; + + if ((trans_file = open_krb_realms()) == NULL) + return -1; + + while (fgets(buf, sizeof(buf), trans_file)) { + char *save = NULL; + char *tok = strtok_r(buf, " \t\r\n", &save); + if(tok == NULL) + continue; + strncpy(trans_host, tok, MAXHOSTNAMELEN); + trans_host[MAXHOSTNAMELEN - 1] = 0; + tok = strtok_r(NULL, " \t\r\n", &save); + if(tok == NULL) + continue; + strcpy(trans_realm, tok); + trans_realm[REALM_SZ - 1] = 0; + if (!strcasecmp(trans_host, phost)) { + /* exact match of hostname, so return the realm */ + strcpy(ret_realm, trans_realm); + ret = 0; + break; } - while (1) { - if ((retval = fscanf(trans_file, "%s %s", - trans_host, trans_realm)) != 2) { - if (retval == EOF) { - fclose(trans_file); - return(ret_realm[0] ? ret_realm : NULL); - } - continue; /* ignore broken lines */ - } - trans_host[MAXHOSTNAMELEN] = '\0'; - trans_realm[REALM_SZ] = '\0'; - if (!strcasecmp(trans_host, host)) { - /* exact match of hostname, so return the realm */ - (void) strcpy(ret_realm, trans_realm); - fclose(trans_file); - return(ret_realm[0] ? 
ret_realm : NULL); - } - if ((trans_host[0] == '.') && domain) { -#if MATCH_SUBDOMAINS - char *cp; - for (cp = domain; cp != NULL; cp = strchr(cp+1, '.')) { - /* this is a domain match */ - if (!strcasecmp(trans_host, cp)) { - /* domain match, save for later */ - (void) strcpy(ret_realm, trans_realm); - continue; - } - } -#else /* MATCH_SUBDOMAINS */ - /* this is a domain match */ - if (!strcasecmp(trans_host, domain)) { - /* domain match, save for later */ - (void) strcpy(ret_realm, trans_realm); - continue; - } -#endif /* MATCH_SUBDOMAINS */ + if ((trans_host[0] == '.') && domain) { + const char *cp = domain; + do { + if(strcasecmp(trans_host, domain) == 0){ + /* domain match, save for later */ + strcpy(ret_realm, trans_realm); + ret = 0; + break; } + cp = strchr(cp + 1, '.'); + } while(MATCH_SUBDOMAINS && cp); } + } + fclose(trans_file); + return ret; +} + +char * +krb_realmofhost(const char *host) +{ + static char ret_realm[REALM_SZ]; + char *domain; + char phost[MAXHOSTNAMELEN]; + + krb_name_to_name(host, phost, sizeof(phost)); + + domain = strchr(phost, '.'); + + if(file_find_realm(phost, domain, ret_realm) == 0) + return ret_realm; + + if(dns_find_realm(phost, ret_realm) >= 0) + return ret_realm; + + if (domain) { + char *cp; + + strncpy(ret_realm, &domain[1], REALM_SZ); + ret_realm[REALM_SZ - 1] = 0; + /* Upper-case realm */ + for (cp = ret_realm; *cp; cp++) + *cp = toupper(*cp); + } else { + krb_get_lrealm(ret_realm, 1); + } + return ret_realm; } diff --git a/kerberosIV/krb/getst.c b/kerberosIV/krb/getst.c index a7b73af0947..a7c5a031b19 100644 --- a/kerberosIV/krb/getst.c +++ b/kerberosIV/krb/getst.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/getst.c,v $ - * - * $Locker: $ - */ +/* $KTH: getst.c,v 1.6 1997/03/23 03:53:11 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology 
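Review bot: open_krb_realms honours KRBCONFDIR unconditionally, whereas the removed code only consulted it when `issetugid() == 0`; in a set-uid or set-gid program the caller can now point the library at an attacker-supplied krb.realms and thereby choose which realm (and so which KDC) a host name maps to. The guard should be restored: `const char *dir = issetugid() ? NULL : getenv("KRBCONFDIR");`. In file_find_realm, `strcpy(trans_realm, tok)` copies a token of up to sizeof(buf) bytes into the REALM_SZ-sized stack array before the terminator is forced, so an over-long realm field in that same file overflows the stack; use `strncpy(trans_realm, tok, REALM_SZ);` (the following `trans_realm[REALM_SZ - 1] = 0` then makes it safe), exactly as the host field is already handled. The DNS fallback in dns_find_realm also deserves a comment at the call in krb_realmofhost noting that TXT records are unauthenticated, so a spoofed answer can steer a client to a foreign realm; that is inherent to the design but should be stated where the lookup is used.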
@@ -40,12 +34,9 @@ or implied warranty. */ int -getst(fd, s, n) - int fd; - register char *s; - int n; +getst(int fd, char *s, int n) { - register count = n; + int count = n; while (read(fd, s, 1) > 0 && --count) if (*s++ == '\0') return (n - count); diff --git a/kerberosIV/krb/in_tkt.c b/kerberosIV/krb/in_tkt.c deleted file mode 100644 index 9eb958d6b90..00000000000 --- a/kerberosIV/krb/in_tkt.c +++ /dev/null 
@@ -1,147 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/in_tkt.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -#include <sys/file.h> -#include <sys/types.h> -#include <sys/stat.h> -#ifdef TKT_SHMEM -#include <sys/param.h> -#endif - -/* - * in_tkt() is used to initialize the ticket store. It creates the - * file to contain the tickets and writes the given user's name "pname" - * and instance "pinst" in the file. in_tkt() returns KSUCCESS on - * success, or KFAILURE if something goes wrong. 
- */ - -int -in_tkt(pname, pinst) - char *pname; - char *pinst; -{ - int tktfile; - uid_t me, metoo; - struct stat buf; - int count; - char *file = TKT_FILE; - int fd; - register int i; - char charbuf[BUFSIZ]; -#ifdef TKT_SHMEM - char shmidname[MaxPathLen]; -#endif /* TKT_SHMEM */ - - me = getuid (); - metoo = geteuid(); - if (lstat(file,&buf) == 0) { - if (buf.st_uid != me || !(buf.st_mode & S_IFREG) || - buf.st_mode & 077 || buf.st_nlink != 1) { - if (krb_debug) - fprintf(stderr,"Error initializing %s",file); - return(KFAILURE); - } - /* file already exists, and permissions appear ok, so nuke it */ - if ((fd = open(file, O_RDWR, 0)) < 0) - goto out; /* can't zero it, but we can still try truncating it */ - - bzero(charbuf, sizeof(charbuf)); - - for (i = 0; i < buf.st_size; i += sizeof(charbuf)) - if (write(fd, charbuf, sizeof(charbuf)) != sizeof(charbuf)) - break; - - (void) fsync(fd); - (void) close(fd); - (void) unlink (file); - } - out: - /* arrange so the file is owned by the ruid - (swap real & effective uid if necessary). - This isn't a security problem, since the ticket file, if it already - exists, has the right uid (== ruid) and mode. */ - if (me != metoo) { - if (seteuid(me) < 0) { - /* can't switch??? barf! */ - if (krb_debug) - perror("in_tkt: seteuid"); - return(KFAILURE); - } else - if (krb_debug) - printf("swapped UID's %d and %d\n",(int)metoo,(int)me); - } - if ((tktfile = open (file,O_CREAT|O_EXCL|O_WRONLY,0600)) < 0) { - if (krb_debug) - fprintf(stderr,"Error initializing %s",TKT_FILE); - return(KFAILURE); - } - if (me != metoo) { - if (seteuid(metoo) < 0) { - /* can't switch??? barf! 
*/ - if (krb_debug) - perror("in_tkt: seteuid2"); - return(KFAILURE); - } else - if (krb_debug) - printf("swapped UID's %d and %d\n",(int)me,(int)metoo); - } - if (lstat(file,&buf) < 0) { - if (krb_debug) - fprintf(stderr,"Error initializing %s",TKT_FILE); - return(KFAILURE); - } - - if (buf.st_uid != me || !(buf.st_mode & S_IFREG) || - buf.st_mode & 077) { - if (krb_debug) - fprintf(stderr,"Error initializing %s",TKT_FILE); - return(KFAILURE); - } - - count = strlen(pname)+1; - if (write(tktfile,pname,count) != count) { - (void) close(tktfile); - return(KFAILURE); - } - count = strlen(pinst)+1; - if (write(tktfile,pinst,count) != count) { - (void) close(tktfile); - return(KFAILURE); - } - (void) close(tktfile); -#ifdef TKT_SHMEM - (void) strcpy(shmidname, file); - (void) strcat(shmidname, ".shm"); - return(krb_shm_create(shmidname)); -#else /* !TKT_SHMEM */ - return(KSUCCESS); -#endif /* TKT_SHMEM */ -} diff --git a/kerberosIV/krb/k_concat.c b/kerberosIV/krb/k_concat.c new file mode 100644 index 00000000000..354c8ddcb49 --- /dev/null +++ b/kerberosIV/krb/k_concat.c 
@@ -0,0 +1,116 @@ +/* $KTH: k_concat.c,v 1.5 1997/05/02 08:56:39 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +int +k_concat (char *s, size_t len, ...) +{ + int ret; + va_list args; + + va_start(args, len); + ret = k_vconcat (s, len, args); + va_end(args); + return ret; +} + +int +k_vconcat (char *s, size_t len, va_list args) +{ + const char *a; + + while ((a = va_arg(args, const char*))) { + size_t n = strlen (a); + + if (n >= len) + return -1; + strncpy (s, a, n); + s += n; + len -= n; + } + *s = '\0'; + return 0; +} + +size_t +k_vmconcat (char **s, size_t max_len, va_list args) +{ + const char *a; + char *p, *q; + size_t len = 0; + *s = NULL; + p = malloc(1); + if(p == NULL) + return 0; + *p = 0; + len = 1; + while ((a = va_arg(args, const char*))) { + size_t n = strlen (a); + + if(max_len && len + n > max_len){ + free(p); + return 0; + } + q = realloc(p, len + n); + if(q == NULL){ + free(p); + return 0; + } + p = q; + len += n; + strcat(p, a); + } + *s = p; + return len; +} + +size_t +k_mconcat (char **s, size_t max_len, ...) +{ + int ret; + va_list args; + + va_start(args, max_len); + ret = k_vmconcat (s, max_len, args); + va_end(args); + return ret; +} + diff --git a/kerberosIV/krb/k_flock.c b/kerberosIV/krb/k_flock.c new file mode 100644 index 00000000000..6891dbc3845 --- /dev/null +++ b/kerberosIV/krb/k_flock.c 
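Review bot: k_vconcat returns -1 when an argument does not fit, but by then it has already copied the earlier arguments into s without writing a terminator, so a caller that ignores the return value (or logs the partial buffer) reads an unterminated string; terminating before the early return, `if (n >= len) { *s = '\0'; return -1; }`, costs nothing and makes the partial result harmless. Separately, k_mconcat stores the size_t result of k_vmconcat in `int ret` and then returns it as size_t, a needless narrowing; declare `size_t ret;` to match k_vmconcat. A one-line header comment on each of the four functions stating that `len` includes the terminator and that k_vmconcat/k_mconcat return 0 on failure with `*s` set to NULL would also help callers, since the 0 return is otherwise ambiguous with the empty-string case.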
@@ -0,0 +1,59 @@ +/* $KTH: k_flock.c,v 1.8 1997/04/01 08:18:30 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +#define K_OP_MASK (K_LOCK_SH | K_LOCK_EX | K_LOCK_UN) + +int +k_flock(int fd, int operation) +{ + int op = 0; + if (operation & K_LOCK_SH) + op |= LOCK_SH; + if (operation & K_LOCK_EX) + op |= LOCK_EX; + if (operation & K_LOCK_UN) + op |= LOCK_UN; + if (operation & K_LOCK_NB) + op |= LOCK_NB; + + return flock(fd, op); +} diff --git a/kerberosIV/krb/pkt_cipher.c b/kerberosIV/krb/k_gethostname.c index 2beb0f6a53f..78e64acdd22 100644 --- a/kerberosIV/krb/pkt_cipher.c +++ b/kerberosIV/krb/k_gethostname.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/pkt_cipher.c,v $ - * - * $Locker: $ - */ +/* $KTH: k_gethostname.c,v 1.10 1997/03/23 03:53:12 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -29,22 +23,18 @@ or implied warranty. #include "krb_locl.h" +#include <sys/utsname.h> + /* - * This routine takes a reply packet from the Kerberos ticket-granting - * service and returns a pointer to the beginning of the ciphertext in it. - * - * See "prot.h" for packet format. + * Return the local host's name in "name", up to "namelen" characters. + * "name" will be null-terminated if "namelen" is big enough. + * The return code is 0 on success, -1 on failure. (The calling + * interface is identical to gethostname(2).) */ -char * -pkt_cipher(packet) - KTEXT packet; +int +k_gethostname(char *name, int namelen) { - unsigned char *ptr = pkt_a_realm(packet) + 6 - + strlen((char *)pkt_a_realm(packet)); - /* Skip a few more fields */ - ptr += 3 + 4; /* add 4 for exp_date */ + return gethostname(name, namelen); - /* And return the pointer */ - return((char*)ptr); } diff --git a/kerberosIV/krb/k_getport.c b/kerberosIV/krb/k_getport.c new file mode 100644 index 00000000000..be4c2f534f1 --- /dev/null +++ b/kerberosIV/krb/k_getport.c 
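Review bot: K_OP_MASK is defined at the top of k_flock.c but never referenced, so it is dead code; either drop the `#define` or use it so that unknown bits in `operation` are rejected instead of silently ignored, e.g. `if (operation & ~(K_OP_MASK | K_LOCK_NB)) { errno = EINVAL; return -1; }` before the flag translation. As written, a caller passing a bogus operation gets `flock(fd, 0)`, whose result depends on the platform.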
@@ -0,0 +1,57 @@ +/* $KTH: k_getport.c,v 1.10 1997/04/01 08:18:30 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +int +k_getportbyname (const char *service, const char *proto, int default_port) +{ + struct servent *sp; + + sp = getservbyname(service, proto); + if(sp != NULL) + return sp->s_port; + + krb_warning ("%s/%s unknown service, using default port %d\n", + service, proto ? proto : "*", ntohs(default_port)); + return default_port; +} + + diff --git a/kerberosIV/krb/k_getsockinst.c b/kerberosIV/krb/k_getsockinst.c new file mode 100644 index 00000000000..89468812dec --- /dev/null +++ b/kerberosIV/krb/k_getsockinst.c 
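Review bot: k_getportbyname's contract on byte order is implicit: the fallback path prints `ntohs(default_port)` and returns `default_port` unchanged, while the success path returns `sp->s_port`, so the function only works if callers pass `default_port` in network byte order. That should be stated above the function, e.g. `/* default_port must be in network byte order; the result is also in network byte order, like s_port. */`, so the next caller does not pass a host-order constant and get a port that is silently byte-swapped.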
@@ -0,0 +1,73 @@ +/* $KTH: k_getsockinst.c,v 1.10 1997/05/02 14:29:17 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+/*
+ * Return in inst the name of the local interface bound to socket
+ * fd. On Failure return the 'wildcard' instance "*".
+ */
+
+int
+k_getsockinst(int fd, char *inst, size_t inst_size)
+{
+ struct sockaddr_in addr;
+ int len = sizeof(addr);
+ struct hostent *hnam;
+
+ if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
+ goto fail;
+
+ hnam = gethostbyaddr((char *)&addr.sin_addr,
+ sizeof(addr.sin_addr),
+ addr.sin_family);
+ if (hnam == 0)
+ goto fail;
+
+ strncpy (inst, hnam->h_name, inst_size);
+ inst[inst_size - 1] = '\0';
+ k_ricercar(inst); /* Canonicalize name */
+ return 0; /* Success */
+
+ fail:
+ inst[0] = '*';
+ inst[1] = 0;
+ return -1;
+}
diff --git a/kerberosIV/krb/k_localtime.c b/kerberosIV/krb/k_localtime.c
index db54f81f681..09fb165c158 100644
--- a/kerberosIV/krb/k_localtime.c
+++ b/kerberosIV/krb/k_localtime.c
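Review bot: `inst[inst_size - 1] = '\0'` and the `fail:` path write into `inst` without checking `inst_size`, so a size of 0 indexes `inst[-1]` and a size of 1 still stores the two bytes of "*"; add `if (inst_size < 2) return -1;` before the first write, since every path needs room for the wildcard string. The address filled in by getsockname is cast to `sockaddr_in` and its `sin_addr` handed to gethostbyaddr whatever `addr.sin_family` turned out to be; extending the condition to `if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0 || addr.sin_family != AF_INET)` keeps a non-IPv4 socket on the wildcard path. `len` is declared `int`, which mismatches getsockname's `socklen_t *` on platforms that use that type. The instance placed in `inst` is whatever the reverse lookup of the local address returns, which this function cannot verify; that deserves a line in the header comment, e.g. `* The instance comes from a reverse DNS lookup of the local address and is only as trustworthy as that lookup.`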
@@ -1,33 +1,46 @@ -/* - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/k_localtime.c,v $ - * - * $Locker: $ - */ +/* $KTH: k_localtime.c,v 1.7 1997/04/01 08:18:31 joda Exp $ */ /* - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology - * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. 
Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -#include <kerberosIV/krb.h> - -#include <time.h> +#include "krb_locl.h" -struct tm * -k_localtime(tp) - u_int32_t *tp; +struct tm *k_localtime(u_int32_t *tp) { time_t t; t = *tp; diff --git a/kerberosIV/krb/kdc_reply.c b/kerberosIV/krb/kdc_reply.c new file mode 100644 index 00000000000..3561955847f --- /dev/null +++ b/kerberosIV/krb/kdc_reply.c 
@@ -0,0 +1,131 @@ +/* $KTH: kdc_reply.c,v 1.9 1997/04/15 21:52:14 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+
+static int little_endian; /* XXX ugly */
+
+int
+kdc_reply_cred(KTEXT cip, CREDENTIALS *cred)
+{
+ unsigned char *p = cip->dat;
+
+ memcpy(cred->session, p, 8);
+ p += 8;
+
+ if(p + strlen((char*)p) > cip->dat + cip->length)
+ return INTK_BADPW;
+ p += krb_get_string(p, cred->service);
+
+ if(p + strlen((char*)p) > cip->dat + cip->length)
+ return INTK_BADPW;
+ p += krb_get_string(p, cred->instance);
+
+ if(p + strlen((char*)p) > cip->dat + cip->length)
+ return INTK_BADPW;
+ p += krb_get_string(p, cred->realm);
+
+ if(p + 3 > cip->dat + cip->length)
+ return INTK_BADPW;
+ cred->lifetime = *p++;
+ cred->kvno = *p++;
+ cred->ticket_st.length = *p++;
+
+ if(p + cred->ticket_st.length + 4 > cip->dat + cip->length)
+ return INTK_BADPW;
+ memcpy(cred->ticket_st.dat, p, cred->ticket_st.length);
+ p += cred->ticket_st.length;
+
+ p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, little_endian);
+
+ return KSUCCESS;
+}
+
+int
+kdc_reply_cipher(KTEXT reply, KTEXT cip)
+{
+ unsigned char *p;
+ unsigned char pvno;
+ unsigned char type;
+
+ char aname[ANAME_SZ];
+ char inst[INST_SZ];
+ char realm[REALM_SZ];
+
+ u_int32_t kdc_time;
+ u_int32_t exp_date;
+ u_int32_t clen;
+
+ p = reply->dat;
+
+ pvno = *p++;
+
+ if (pvno != KRB_PROT_VERSION )
+ return INTK_PROT;
+
+ type = *p++;
+ little_endian = type & 1;
+
+ type &= ~1;
+
+ if(type == AUTH_MSG_ERR_REPLY){
+ u_int32_t code;
+ p += strlen((char*)p) + 1; /* name */
+ p += strlen((char*)p) + 1; /* instance */
+ p += strlen((char*)p) + 1; /* realm */
+ p += 4; /* time */
+ p += krb_get_int(p, &code, 4, little_endian);
+ return code;
+ }
+ if(type != AUTH_MSG_KDC_REPLY)
+ return INTK_PROT;
+
+ p += krb_get_nir(p, aname, inst, realm);
+ p += krb_get_int(p, &kdc_time, 4, little_endian);
+ p++; /* number of tickets */
+ p += krb_get_int(p, &exp_date, 4, little_endian);
+ p++; /* master key version number */
+ p += krb_get_int(p, &clen, 2, little_endian);
+ cip->length = clen;
+ memcpy(cip->dat, p, 
clen);
+ p += clen;
+
+ return KSUCCESS;
+}
diff --git a/kerberosIV/krb/klog.c b/kerberosIV/krb/klog.c
deleted file mode 100644
index 5e2768f279d..00000000000
--- a/kerberosIV/krb/klog.c
+++ /dev/null
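Review bot: In kdc_reply_cipher the two-byte `clen` read from the reply (up to 65535) drives `memcpy(cip->dat, p, clen)` with no comparison against the bytes left in `reply` or the capacity of `cip->dat`, and nothing earlier in the function consults `reply->length` either, so a short or oversized reply reads past `reply->dat` and can overrun `cip`; before the copy add `if (clen > sizeof(cip->dat) || p + clen > reply->dat + reply->length) return INTK_PROT;` (this assumes `dat` is an in-struct array as in KTEXT_ST; otherwise use its declared capacity). The AUTH_MSG_ERR_REPLY branch has the same unbounded walk, three `strlen` skips and a `krb_get_int` with no length check, and its `return code;` hands back a value chosen by the sender, so a reply carrying code 0 is indistinguishable from KSUCCESS while `cip` is left unfilled; mapping 0 to INTK_PROT closes that. In kdc_reply_cred each bound test calls `strlen` first, which already reads past `cip->length` when the string is unterminated; a `memchr(p, 0, cip->dat + cip->length - p)` test keeps the read inside the buffer. The `little_endian` static couples the two functions through process-wide state, so kdc_reply_cred is only correct when kdc_reply_cipher ran first on the same reply in the same process; the `XXX ugly` comment should say that dependency outright.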
@@ -1,124 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/klog.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -#include <sys/time.h> - -#include <klog.h> - -static char *log_name = KRBLOG; -static int is_open; -static char logtxt[1000]; - -/* - * This file contains two logging routines: kset_logfile() - * to determine the file to which log entries should be written; - * and klog() to write log entries to the file. - */ - -/* - * klog() is used to add entries to the logfile (see kset_logfile() - * below). Note that it is probably not portable since it makes - * assumptions about what the compiler will do when it is called - * with less than the correct number of arguments which is the - * way it is usually called. - * - * The log entry consists of a timestamp and the given arguments - * printed according to the given "format" string. - * - * The log file is opened and closed for each log entry. 
- * - * If the given log type "type" is unknown, or if the log file - * cannot be opened, no entry is made to the log file. - * - * The return value is always a pointer to the formatted log - * text string "logtxt". - */ - -char * -klog(type, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a0) - int type; - char *format; - int a1, a2, a3, a4, a5, a6, a7, a8, a9, a0; -{ - FILE *logfile; - time_t now; - char *month_sname(int n); - struct tm *tm; - static int logtype_array[NLOGTYPE] = {0,0}; - static int array_initialized; - - if (!(array_initialized++)) { - logtype_array[L_NET_ERR] = 1; - logtype_array[L_KRB_PERR] = 1; - logtype_array[L_KRB_PWARN] = 1; - logtype_array[L_APPL_REQ] = 1; - logtype_array[L_INI_REQ] = 1; - logtype_array[L_DEATH_REQ] = 1; - logtype_array[L_NTGT_INTK] = 1; - logtype_array[L_ERR_SEXP] = 1; - logtype_array[L_ERR_MKV] = 1; - logtype_array[L_ERR_NKY] = 1; - logtype_array[L_ERR_NUN] = 1; - logtype_array[L_ERR_UNK] = 1; - } - - (void) snprintf(logtxt,sizeof(logtxt),format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0); - - if (!logtype_array[type]) - return(logtxt); - - if ((logfile = fopen(log_name,"a")) == NULL) - return(logtxt); - - (void) time(&now); - tm = localtime(&now); - - fprintf(logfile,"%2d-%s-%02d %02d:%02d:%02d ",tm->tm_mday, - month_sname(tm->tm_mon + 1),tm->tm_year, - tm->tm_hour, tm->tm_min, tm->tm_sec); - fprintf(logfile,"%s\n",logtxt); - (void) fclose(logfile); - return(logtxt); -} - -/* - * kset_logfile() changes the name of the file to which - * messages are logged. If kset_logfile() is not called, - * the logfile defaults to KRBLOG, defined in "krb.h". - */ - -void -kset_logfile(filename) - char *filename; -{ - log_name = filename; - is_open = 0; -} diff --git a/kerberosIV/krb/kname_parse.c b/kerberosIV/krb/kname_parse.c deleted file mode 100644 index 3acdcce0a24..00000000000 --- a/kerberosIV/krb/kname_parse.c +++ /dev/null 
@@ -1,262 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/kname_parse.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -#define INSTANCE_DOTS_OK 0 - -/* max size of full name */ -#define FULL_SZ (ANAME_SZ + INST_SZ + REALM_SZ) - -#define NAME 0 /* which field are we in? */ -#define INST 1 -#define REALM 2 - -/* - * This file contains four routines for handling Kerberos names. - * - * kname_parse() breaks a Kerberos name into its name, instance, - * and realm components. - * - * k_isname(), k_isinst(), and k_isrealm() check a given string to see if - * it's a syntactically legitimate respective part of a Kerberos name, - * returning 1 if it is, 0 if it isn't. - * - * Definition of "syntactically legitimate" names is according to - * the Project Athena Technical Plan Section E.2.1, page 7 "Specifying - * names", version dated 21 Dec 1987. 
- */ - -/* - * kname_parse() takes a Kerberos name "fullname" of the form: - * - * username[.instance][@realm] - * - * and returns the three components ("name", "instance", and "realm" - * in the example above) in the given arguments "np", "ip", and "rp". - * - * If successful, it returns KSUCCESS. If there was an error, - * KNAME_FMT is returned. - */ - -int -kname_parse(np, ip, rp, fullname) - char *np; - char *ip; - char *rp; - char *fullname; -{ - static char buf[FULL_SZ]; - char *rnext, *wnext; /* next char to read, write */ - register char c; - int backslash; - int field; - - backslash = 0; - rnext = buf; - wnext = np; - field = NAME; - - if (strlen(fullname) > FULL_SZ) - return KNAME_FMT; - (void) strcpy(buf, fullname); - - while ((c = *rnext++)) { - if (backslash) { - *wnext++ = c; - backslash = 0; - continue; - } - switch (c) { - case '\\': - backslash++; - break; - case '.': - switch (field) { - case NAME: - if (wnext == np) - return KNAME_FMT; - *wnext = '\0'; - field = INST; - wnext = ip; - break; - case INST: -#if INSTANCE_DOTS_OK - *wnext++ = c; - break; -#else /* INSTANCE_DOTS_OK */ - return KNAME_FMT; -#endif /* INSTANCE_DOTS_OK */ - /* break; */ - case REALM: - *wnext++ = c; - break; - default: - fprintf(stderr, "unknown field value\n"); - exit(1); - } - break; - case '@': - switch (field) { - case NAME: - if (wnext == np) - return KNAME_FMT; - *ip = '\0'; - /* fall through */ - case INST: - *wnext = '\0'; - field = REALM; - wnext = rp; - break; - case REALM: - return KNAME_FMT; - default: - fprintf(stderr, "unknown field value\n"); - exit(1); - } - break; - default: - *wnext++ = c; - } - } - *wnext = '\0'; - if ((strlen(np) > ANAME_SZ - 1) || - (strlen(ip) > INST_SZ - 1) || - (strlen(rp) > REALM_SZ - 1)) - return KNAME_FMT; - return KSUCCESS; -} - -/* - * k_isname() returns 1 if the given name is a syntactically legitimate - * Kerberos name; returns 0 if it's not. 
- */ - -int -k_isname(s) - char *s; -{ - register char c; - int backslash = 0; - - if (!*s) - return 0; - if (strlen(s) > ANAME_SZ - 1) - return 0; - while ((c = *s++)) { - if (backslash) { - backslash = 0; - continue; - } - switch(c) { - case '\\': - backslash = 1; - break; - case '.': - return 0; - /* break; */ - case '@': - return 0; - /* break; */ - } - } - return 1; -} - - -/* - * k_isinst() returns 1 if the given name is a syntactically legitimate - * Kerberos instance; returns 0 if it's not. - */ - -int -k_isinst(s) - char *s; -{ - register char c; - int backslash = 0; - - if (strlen(s) > INST_SZ - 1) - return 0; - while ((c = *s++)) { - if (backslash) { - backslash = 0; - continue; - } - switch(c) { - case '\\': - backslash = 1; - break; - case '.': -#if INSTANCE_DOTS_OK - break; -#else /* INSTANCE_DOTS_OK */ - return 0; -#endif /* INSTANCE_DOTS_OK */ - /* break; */ - case '@': - return 0; - /* break; */ - } - } - return 1; -} - -/* - * k_isrealm() returns 1 if the given name is a syntactically legitimate - * Kerberos realm; returns 0 if it's not. - */ - -int -k_isrealm(s) - char *s; -{ - register char c; - int backslash = 0; - - if (!*s) - return 0; - if (strlen(s) > REALM_SZ - 1) - return 0; - while ((c = *s++)) { - if (backslash) { - backslash = 0; - continue; - } - switch(c) { - case '\\': - backslash = 1; - break; - case '@': - return 0; - /* break; */ - } - } - return 1; -} diff --git a/kerberosIV/krb/kntoln.c b/kerberosIV/krb/kntoln.c index 3f4239e2703..8d63ac7f1d9 100644 --- a/kerberosIV/krb/kntoln.c +++ b/kerberosIV/krb/kntoln.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/kntoln.c,v $ - * - * $Locker: $ - */ +/* $KTH: kntoln.c,v 1.7 1997/03/23 03:53:12 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology 
@@ -56,19 +50,131 @@ or implied warranty. #include "krb_locl.h" int -krb_kntoln(ad, lname) - AUTH_DAT *ad; - char *lname; +krb_kntoln(AUTH_DAT *ad, char *lname) { static char lrealm[REALM_SZ] = ""; if (!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE)) return(KFAILURE); - if (strcmp(ad->pinst,"")) + if (strcmp(ad->pinst, "")) return(KFAILURE); - if (strcmp(ad->prealm,lrealm)) + if (strcmp(ad->prealm, lrealm)) return(KFAILURE); - (void) strcpy(lname,ad->pname); + strcpy(lname, ad->pname); return(KSUCCESS); } + +#if 0 +/* Posted to usenet by "Derrick J. Brashear" <shadow+@andrew.cmu.edu> */ + +#include <krb.h> +#include <ndbm.h> +#include <stdio.h> +#include <sys/file.h> +#include <strings.h> +#include <sys/syslog.h> +#include <sys/errno.h> + +extern int errno; +/* + * antoln converts an authentication name into a local name by looking up + * the authentication name in the /etc/aname dbm database. + * + * If the /etc/aname file can not be opened it will set the + * local name to the principal name. Thus, in this case it performs as + * the identity function. + * + * The name instance and realm are passed to antoln through + * the AUTH_DAT structure (ad). + */ + +static char lrealm[REALM_SZ] = ""; + +an_to_ln(ad,lname) +AUTH_DAT *ad; +char *lname; +{ + static DBM *aname = NULL; + char keyname[ANAME_SZ+INST_SZ+REALM_SZ+2]; + + if(!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE)) + return(KFAILURE); + + if((strcmp(ad->pinst,"") && strcmp(ad->pinst,"root")) || +strcmp(ad->prealm,lrealm)) { + datum val; + datum key; + /* + * Non-local name (or) non-null and non-root instance. + * Look up in dbm file. + */ + if (!aname) { + if ((aname = dbm_open("/etc/aname", O_RDONLY, 0)) + == NULL) return (KFAILURE); + } + /* Construct dbm lookup key. 
*/ + an_to_a(ad, keyname); + key.dptr = keyname; + key.dsize = strlen(keyname)+1; + flock(dbm_dirfno(aname), LOCK_SH); + val = dbm_fetch(aname, key); + flock(dbm_dirfno(aname), LOCK_UN); + if (!val.dptr) { + dbm_close(aname); + return(KFAILURE); + } + /* Got it! */ + strcpy(lname,val.dptr); + return(KSUCCESS); + } else strcpy(lname,ad->pname); + return(KSUCCESS); +} + +an_to_a(ad, str) + AUTH_DAT *ad; + char *str; +{ + strcpy(str, ad->pname); + if(*ad->pinst) { + strcat(str, "."); + strcat(str, ad->pinst); + } + strcat(str, "@"); + strcat(str, ad->prealm); +} + +/* + * Parse a string of the form "user[.instance][@realm]" + * into a struct AUTH_DAT. + */ + +a_to_an(str, ad) + AUTH_DAT *ad; + char *str; +{ + char *buf = (char *)malloc(strlen(str)+1); + char *rlm, *inst, *princ; + + if(!(*lrealm) && (krb_get_lrealm(lrealm,1) == KFAILURE)) { + free(buf); + return(KFAILURE); + } + /* destructive string hacking is more fun.. */ + strcpy(buf, str); + + if (rlm = index(buf, '@')) { + *rlm++ = '\0'; + } + if (inst = index(buf, '.')) { + *inst++ = '\0'; + } + strcpy(ad->pname, buf); + if(inst) strcpy(ad->pinst, inst); + else *ad->pinst = '\0'; + if (rlm) strcpy(ad->prealm, rlm); + else strcpy(ad->prealm, lrealm); + free(buf); + return(KSUCCESS); +} +#endif diff --git a/kerberosIV/krb/kparse.c b/kerberosIV/krb/kparse.c deleted file mode 100644 index 1f029177c1e..00000000000 --- a/kerberosIV/krb/kparse.c +++ /dev/null 
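Review bot: `strcpy(lname, ad->pname)` in krb_kntoln still copies without a bound and the signature gives no size for `lname`, so the function silently relies on the caller providing at least ANAME_SZ bytes; state that above the function, e.g. `/* lname must have room for ANAME_SZ bytes; only a null-instance principal in the local realm maps to a local name, anything else is KFAILURE. */`. The `#if 0` block that follows is never compiled and carries its own problems should it ever be enabled: `a_to_an` does not check the `malloc` result before `strcpy(buf, str)`, `an_to_a` concatenates three fields into `str` with no size, and `index` is the BSD spelling of `strchr`. Reference code of that size is better dropped, with a pointer to the original posting, than shipped under `#if 0`.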
@@ -1,796 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/kparse.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -/* - * Purpose: - * This module was developed to parse the "~/.klogin" files for - * Kerberos-authenticated rlogin/rcp/rsh services. However, it is - * general purpose and can be used to parse any such parameter file. - * - * The parameter file should consist of one or more entries, with each - * entry on a separate line and consisting of zero or more - * "keyword=value" combinations. The keyword is case insensitive, but - * the value is not. Any string may be enclosed in quotes, and - * c-style "\" literals are supported. A comma may be used to - * separate the k/v combinations, and multiple commas are ignored. - * Whitespace (blank or tab) may be used freely and is ignored. - * - * Full error processing is available. 
When PS_BAD_KEYWORD or - * PS_SYNTAX is returned from fGetParameterSet(), the string ErrorMsg - * contains a meaningful error message. - * - * Keywords and their default values are programmed by an external - * table. - * - * Routines: - * fGetParameterSet() parse one line of the parameter file - * fGetKeywordValue() parse one "keyword=value" combo - * fGetToken() parse one token - * - * " <- emacs fix - */ - -#include "krb_locl.h" - -#include <kerberosIV/kparse.h> - -#ifndef FALSE -#define FALSE 0 -#define TRUE 1 -#endif - -#define MAXKEY 80 -#define MAXVALUE 80 - -int LineNbr=1; /* current line nbr in parameter file */ -char ErrorMsg[80]; /* meaningful only when KV_SYNTAX, PS_SYNTAX, - * or PS_BAD_KEYWORD is returned by - * fGetKeywordValue or fGetParameterSet */ - -int -fGetParameterSet(fp, parm, parmcount) - FILE *fp; - parmtable *parm; - int parmcount; -{ - int rc,i; - char keyword[MAXKEY]; - char value[MAXVALUE]; - - while (TRUE) { - rc=fGetKeywordValue(fp,keyword,MAXKEY,value,MAXVALUE); - - switch (rc) { - - case KV_EOF: - return(PS_EOF); - - case KV_EOL: - return(PS_OKAY); - - case KV_SYNTAX: - return(PS_SYNTAX); - - case KV_OKAY: - /* - * got a reasonable keyword/value pair. Search the - * parameter table to see if we recognize the keyword; if - * not, return an error. If we DO recognize it, make sure - * it has not already been given. If not already given, - * save the value. 
- */ - for (i=0; i<parmcount; i++) { - if (strcmp(strutol(keyword),parm[i].keyword)==0) { - if (parm[i].value) { - snprintf(ErrorMsg, sizeof(ErrorMsg), - "duplicate keyword \"%s\" found", keyword); - return(PS_BAD_KEYWORD); - } - parm[i].value = strsave( value ); - break; - } - } - if (i >= parmcount) { - snprintf(ErrorMsg, sizeof(ErrorMsg), - "unrecognized keyword \"%s\" found", keyword); - return(PS_BAD_KEYWORD); - } - break; - - default: - snprintf(ErrorMsg, sizeof(ErrorMsg), - "panic: bad return (%d) from fGetToken()",rc); - break; - } - } -} - -/* - * Routine: ParmCompare - * - * Purpose: - * ParmCompare checks a specified value for a particular keyword. - * fails if keyword not found or keyword found but the value was - * different. Like strcmp, ParmCompare returns 0 for a match found, -1 - * otherwise - */ -int -ParmCompare(parm, parmcount, keyword, value) - parmtable *parm; - int parmcount; - char *keyword; - char *value; -{ - int i; - - for (i=0; i<parmcount; i++) { - if (strcmp(parm[i].keyword,keyword)==0) { - if (parm[i].value) { - return(strcmp(parm[i].value,value)); - } else { - return(strcmp(parm[i].defvalue,value)); - } - } - } - return(-1); -} - -void -FreeParameterSet(parm, parmcount) - parmtable *parm; - int parmcount; -{ - int i; - - for (i=0; i<parmcount; i++) { - if (parm[i].value) { - free(parm[i].value); - parm[i].value = (char *)NULL; - } - } -} - -int -fGetKeywordValue(fp, keyword, klen, value, vlen) - FILE *fp; - char *keyword; - int klen; - char *value; - int vlen; -{ - int rc; - int gotit; - - *keyword = *value = '\0'; /* preset strings to NULL */ - - /* - * Looking for a keyword. - * return an exception for EOF or BAD_QSTRING - * ignore leading WHITEspace - * ignore any number of leading commas - * newline means we have all the parms for this - * statement; give an indication that there is - * nothing more on this line. 
- * stop looking if we find QSTRING, STRING, or NUMBER - * return syntax error for any other PUNKtuation - */ - gotit = FALSE; - do { - rc = fGetToken(fp,keyword,klen); - - switch (rc) { - - case GTOK_WHITE: - break; - - case GTOK_EOF: - return(KV_EOF); - - case GTOK_BAD_QSTRING: - snprintf(ErrorMsg, sizeof(ErrorMsg), - "unterminated string \"%s found",keyword); - return(KV_SYNTAX); - - case GTOK_PUNK: - if (strcmp("\n",keyword)==0) { - return(KV_EOL); - } else if (strcmp(",",keyword)!=0) { - snprintf(ErrorMsg, sizeof(ErrorMsg), - "expecting rvalue, found \'%s\'", keyword); - } - break; - - case GTOK_STRING: - case GTOK_QSTRING: - case GTOK_NUMBER: - gotit = TRUE; - break; - - default: - snprintf(ErrorMsg, sizeof(ErrorMsg), - "panic: bad return (%d) from fGetToken()", rc); - return(KV_SYNTAX); - } - - } while (!gotit); - - /* - * now we expect an equal sign. - * skip any whitespace - * stop looking if we find an equal sign - * anything else causes a syntax error - */ - gotit = FALSE; - do { - rc = fGetToken(fp,value,vlen); - - switch (rc) { - - case GTOK_WHITE: - break; - - case GTOK_BAD_QSTRING: - snprintf(ErrorMsg, sizeof(ErrorMsg), - "expecting \'=\', found unterminated string \"%s", - value); - return(KV_SYNTAX); - - case GTOK_PUNK: - if (strcmp("=",value)==0) { - gotit = TRUE; - } else { - if (strcmp("\n",value)==0) { - snprintf(ErrorMsg, sizeof(ErrorMsg), - "expecting \"=\", found newline"); - fUngetChar('\n',fp); - } else { - snprintf(ErrorMsg, sizeof(ErrorMsg), - "expecting rvalue, found \'%s\'",keyword); - } - return(KV_SYNTAX); - } - break; - - case GTOK_STRING: - case GTOK_QSTRING: - case GTOK_NUMBER: - snprintf(ErrorMsg, sizeof(ErrorMsg), - "expecting \'=\', found \"%s\"", value); - return(KV_SYNTAX); - - case GTOK_EOF: - snprintf(ErrorMsg, sizeof(ErrorMsg), "expecting \'=\', found EOF"); - return(KV_SYNTAX); - - default: - snprintf(ErrorMsg, sizeof(ErrorMsg), - "panic: bad return (%d) from fGetToken()",rc); - return(KV_SYNTAX); - } - - } while ( !gotit 
); - - /* - * got the keyword and equal sign, now get a value. - * ignore any whitespace - * any punctuation is a syntax error - */ - gotit = FALSE; - do { - rc = fGetToken(fp,value,vlen); - - switch (rc) { - - case GTOK_WHITE: - break; - - case GTOK_EOF: - snprintf(ErrorMsg, sizeof(ErrorMsg), "expecting rvalue, found EOF"); - return(KV_SYNTAX); - - case GTOK_BAD_QSTRING: - snprintf(ErrorMsg, sizeof(ErrorMsg), - "unterminated quoted string \"%s", value); - return(KV_SYNTAX); - - case GTOK_PUNK: - if (strcmp("\n",value)==0) { - snprintf(ErrorMsg, sizeof(ErrorMsg), - "expecting rvalue, found newline"); - fUngetChar('\n',fp); - } else { - snprintf(ErrorMsg, sizeof(ErrorMsg), - "expecting rvalue, found \'%s\'",value); - } - return(KV_SYNTAX); - break; - - case GTOK_STRING: - case GTOK_QSTRING: - case GTOK_NUMBER: - gotit = TRUE; - return(KV_OKAY); - - default: - snprintf(ErrorMsg, sizeof(ErrorMsg), - "panic: bad return (%d) from fGetToken()",rc); - return(KV_SYNTAX); - } - - } while ( !gotit ); - /*NOTREACHED*/ - return(KV_SYNTAX); -} - -/* - * Routine Name: fGetToken - * - * Function: read the next token from the specified file. - * A token is defined as a group of characters - * terminated by a white space char (SPACE, CR, - * LF, FF, TAB). The token returned is stripped of - * both leading and trailing white space, and is - * terminated by a NULL terminator. An alternate - * definition of a token is a string enclosed in - * single or double quotes. - * - * Explicit Parameters: - * fp pointer to the input FILE - * dest pointer to destination buffer - * maxlen length of the destination buffer. The buffer - * length INCLUDES the NULL terminator. - * - * Implicit Parameters: stderr where the "token too long" message goes - * - * External Procedures: fgetc - * - * Side Effects: None - * - * Return Value: A token classification value, as - * defined in kparse.h. Note that the - * classification for end of file is - * always zero. 
- */ -int -fGetToken(fp, dest, maxlen) - FILE *fp; - char *dest; - int maxlen; -{ - int ch='\0'; - int len=0; - char *p = dest; - int digits; - - ch=fGetChar(fp); - - /* - * check for a quoted string. If found, take all characters - * that fit until a closing quote is found. Note that this - * algorithm will not behave well for a string which is too long. - */ - if (ISQUOTE(ch)) { - int done = FALSE; - do { - ch = fGetChar(fp); - done = ((maxlen<++len)||ISLINEFEED(ch)||(ch==EOF) - ||ISQUOTE(ch)); - if (ch=='\\') - ch = fGetLiteral(fp); - if (!done) - *p++ = ch; - else if ((ch!=EOF) && !ISQUOTE(ch)) - fUngetChar(ch,fp); - } while (!done); - *p = '\0'; - if (ISLINEFEED(ch)) return(GTOK_BAD_QSTRING); - return(GTOK_QSTRING); - } - - /* - * Not a quoted string. If its a token character (rules are - * defined via the ISTOKENCHAR macro, in kparse.h) take it and all - * token chars following it until we run out of space. - */ - digits=TRUE; - if (ISTOKENCHAR(ch)) { - while ( (ISTOKENCHAR(ch)) && len<maxlen-1 ) { - if (!isdigit(ch)) digits=FALSE; - *p++ = ch; - len++; - ch = fGetChar(fp); - }; - *p = '\0'; - - if (ch!=EOF) { - fUngetChar(ch,fp); - } - if (digits) { - return(GTOK_NUMBER); - } else { - return(GTOK_STRING); - } - } - - /* - * Neither a quoted string nor a token character. Return a string - * with just that one character in it. - */ - if (ch==EOF) { - return(GTOK_EOF); - } - if (!ISWHITESPACE(ch)) { - *p++ = ch; - *p='\0'; - } else { - *p++ = ' '; /* white space is always the - * blank character */ - *p='\0'; - /* - * The character is a white space. Flush all additional white - * space. - */ - while (ISWHITESPACE(ch) && ((ch=fGetChar(fp)) != EOF)) - ; - if (ch!=EOF) { - fUngetChar(ch,fp); - } - return(GTOK_WHITE); - } - return(GTOK_PUNK); -} - -/* - * fGetLiteral is called after we find a '\' in the input stream. 
A - * string of numbers following the backslash are converted to the - * appropriate value; hex (0xn), octal (0n), and decimal (otherwise) - * are all supported. If the char after the \ is not a number, we - * special case certain values (\n, \f, \r, \b) or return a literal - * otherwise (useful for \", for example). - * - * " <- emacs fix - */ - -int -fGetLiteral(fp) - FILE *fp; -{ - int ch; - int n=0; - int base; - - ch = fGetChar(fp); - - if (!isdigit(ch)) { - switch (ch) { - case 'n': return('\n'); - case 'f': return('\f'); - case 'r': return('\r'); - case 'b': return('\b'); - default: return(ch); - } - } - - /* - * got a number. might be decimal (no prefix), octal (prefix 0), - * or hexadecimal (prefix 0x). Set the base appropriately. - */ - if (ch!='0') { - base=10; /* its a decimal number */ - } else { - /* - * found a zero, its either hex or octal - */ - ch = fGetChar(fp); - if ((ch!='x') && (ch!='X')) { - base=010; - } else { - ch = fGetChar(fp); - base=0x10; - } - } - - switch (base) { - - case 010: /* octal */ - while (ISOCTAL(ch)) { - n = (n*base) + ch - '0'; - ch = fGetChar(fp); - } - break; - - case 10: /* decimal */ - while (isdigit(ch)) { - n = (n*base) + ch - '0'; - ch = fGetChar(fp); - } - break; - case 0x10: /* hexadecimal */ - while (isxdigit(ch)) { - if (isdigit(ch)) { - n = (n*base) + ch - '0'; - } else { - n = (n*base) + toupper(ch) - 'A' + 0xA ; - } - ch = fGetChar(fp); - } - break; - default: - fprintf(stderr,"fGetLiteral() died real bad. Fix gettoken.c."); - exit(1); - break; - } - fUngetChar(ch,fp); - return(n); -} - -/* - * exactly the same as ungetc(3) except that the line number of the - * input file is maintained. - */ -int -fUngetChar(ch, fp) - int ch; - FILE *fp; -{ - if (ch=='\n') LineNbr--; - return(ungetc(ch,fp)); -} - -/* - * exactly the same as fgetc(3) except that the line number of the - * input file is maintained. 
- */ -int -fGetChar(fp) - FILE *fp; -{ - int ch = fgetc(fp); - if (ch=='\n') LineNbr++; - return(ch); -} - - -/* - * Routine Name: strsave - * - * Function: return a pointer to a saved copy of the - * input string. the copy will be allocated - * as large as necessary. - * - * Explicit Parameters: pointer to string to save - * - * Implicit Parameters: None - * - * External Procedures: malloc,strcpy,strlen - * - * Side Effects: None - * - * Return Value: pointer to copied string - * - */ -char * -strsave(p) - char *p; -{ - return(strcpy(malloc(strlen(p)+1),p)); -} - - -/* - * strutol changes all characters in a string to lower case, in place. - * the pointer to the beginning of the string is returned. - */ - -char * -strutol(start) - char *start; -{ - char *q; - for (q=start; *q; q++) - if (isupper(*q)) - *q=tolower(*q); - return(start); -} - -#ifdef GTOK_TEST /* mainline test routine for fGetToken() */ - -#define MAXTOKEN 100 - -char *pgm = "gettoken"; - -main(argc,argv) - int argc; - char **argv; -{ - char *p; - int type; - FILE *fp; - - if (--argc) { - fp = fopen(*++argv,"ra"); - if (fp == (FILE *)NULL) { - fprintf(stderr,"can\'t open \"%s\"\n",*argv); - } - } else - fp = stdin; - - p = malloc(MAXTOKEN); - while (type = fGetToken(fp,p,MAXTOKEN)) { - switch(type) { - case GTOK_BAD_QSTRING: - printf("BAD QSTRING!\t"); - break; - case GTOK_EOF: - printf("EOF!\t"); - break; - case GTOK_QSTRING: - printf("QSTRING\t"); - break; - case GTOK_STRING: - printf("STRING\t"); - break; - case GTOK_NUMBER: - printf("NUMBER\t"); - break; - case GTOK_PUNK: - printf("PUNK\t"); - break; - case GTOK_WHITE: - printf("WHITE\t"); - break; - default: - printf("HUH?\t"); - break; - } - if (*p=='\n') - printf("\\n\n"); - else - printf("%s\n",p); - } - exit(0); -} -#endif - -#ifdef KVTEST - -main(argc,argv) - int argc; - char **argv; -{ - int rc,ch; - FILE *fp; - char key[MAXKEY],valu[MAXVALUE]; - char *filename; - - if (argc != 2) { - fprintf(stderr,"usage: test <filename>\n"); - exit(1); 
- } - - if (!(fp=fopen(*++argv,"r"))) { - fprintf(stderr,"can\'t open input file \"%s\"\n",filename); - exit(1); - } - filename = *argv; - - while ((rc=fGetKeywordValue(fp,key,MAXKEY,valu,MAXVALUE))!=KV_EOF){ - - switch (rc) { - - case KV_EOL: - printf("%s, line %d: nada mas.\n",filename,LineNbr-1); - break; - - case KV_SYNTAX: - printf("%s, line %d: syntax error: %s\n", - filename,LineNbr,ErrorMsg); - while ( ((ch=fGetChar(fp))!=EOF) && (ch!='\n') ); - break; - - case KV_OKAY: - printf("%s, line %d: okay, %s=\"%s\"\n", - filename,LineNbr,key,valu); - break; - - default: - printf("panic: bad return (%d) from fGetKeywordValue\n",rc); - break; - } - } - printf("EOF"); - fclose(fp); - exit(0); -} -#endif - -#ifdef PSTEST - -parmtable kparm[] = { - /* keyword, default, found value */ - { "user", "", (char *)NULL }, - { "realm", "Athena", (char *)NULL }, - { "instance", "", (char *)NULL } -}; - -main(argc,argv) - int argc; - char **argv; -{ - int rc,i,ch; - FILE *fp; - char *filename; - - if (argc != 2) { - fprintf(stderr,"usage: test <filename>\n"); - exit(1); - } - - if (!(fp=fopen(*++argv,"r"))) { - fprintf(stderr,"can\'t open input file \"%s\"\n",filename); - exit(1); - } - filename = *argv; - - while ((rc=fGetParameterSet(fp,kparm,PARMCOUNT(kparm))) != PS_EOF) { - - switch (rc) { - - case PS_BAD_KEYWORD: - printf("%s, line %d: %s\n",filename,LineNbr,ErrorMsg); - while ( ((ch=fGetChar(fp))!=EOF) && (ch!='\n') ); - break; - - case PS_SYNTAX: - printf("%s, line %d: syntax error: %s\n", - filename,LineNbr,ErrorMsg); - while ( ((ch=fGetChar(fp))!=EOF) && (ch!='\n') ); - break; - - case PS_OKAY: - printf("%s, line %d: valid parameter set found:\n", - filename,LineNbr-1); - for (i=0; i<PARMCOUNT(kparm); i++) { - printf("\t%s = \"%s\"\n",kparm[i].keyword, - (kparm[i].value ? 
kparm[i].value - : kparm[i].defvalue)); - } - break; - - default: - printf("panic: bad return (%d) from fGetParameterSet\n",rc); - break; - } - FreeParameterSet(kparm,PARMCOUNT(kparm)); - } - printf("EOF"); - fclose(fp); - exit(0); -} -#endif diff --git a/kerberosIV/krb/krb_check_auth.c b/kerberosIV/krb/krb_check_auth.c new file mode 100644 index 00000000000..ddb52d6a9f0 --- /dev/null +++ b/kerberosIV/krb/krb_check_auth.c 
@@ -0,0 +1,76 @@ +/* $KTH: krb_check_auth.c,v 1.4 1997/04/01 08:18:33 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+ #include "krb_locl.h"
+
+ /*
+ *
+ * Receive an mutual-authenticator for a server in `packet', with
+ * `checksum', `session', and `schedule' having the appropriate values
+ * and return the data in `msg_data'.
+ *
+ * Return KSUCCESS if the received checksum is correct.
+ *
+ */
+
+ int
+ krb_check_auth(KTEXT packet,
+ u_int32_t checksum,
+ MSG_DAT *msg_data,
+ des_cblock *session,
+ struct des_ks_struct *schedule,
+ struct sockaddr_in *laddr,
+ struct sockaddr_in *faddr)
+ {
+ int ret;
+ u_int32_t checksum2;
+
+ ret = krb_rd_priv (packet->dat, packet->length, schedule, session, faddr,
+ laddr, msg_data);
+ if (ret != RD_AP_OK)
+ return ret;
+ if (msg_data->app_length != 4)
+ return KFAILURE;
+ krb_get_int (msg_data->app_data, &checksum2, 4, 0);
+ if (checksum2 == checksum + 1)
+ return KSUCCESS;
+ else
+ return KFAILURE;
+ }
diff --git a/kerberosIV/krb/krb_equiv.c b/kerberosIV/krb/krb_equiv.c
new file mode 100644
index 00000000000..8dcc7184853
--- /dev/null
+++ b/kerberosIV/krb/krb_equiv.c
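Review bot: The acceptance test `checksum2 == checksum + 1` and the order in which `faddr`/`laddr` are handed to krb_rd_priv are the two things a caller of krb_check_auth must get right, and the header comment documents neither. I would extend it with `checksum` is the value we sent in our authenticator; the peer is expected to answer with checksum+1 inside a krb_priv message and `faddr` is the peer's (sender's) address and `laddr` ours, matching krb_rd_priv's sender/receiver pair. Next to the `app_length != 4` guard, which is the right check before krb_get_int reads four bytes, a one-liner `/* reply body is exactly one 4-byte integer */` would keep anyone from loosening it later. The +1 convention is inferred from the comment's wording and the comparison, not from anything else visible in this hunk.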
@@ -0,0 +1,144 @@ +/* $KTH: krb_equiv.c,v 1.13 1997/04/01 08:18:33 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+ /*
+ * int krb_equiv(u_int32_t ipaddr_a, u_int32_t ipaddr_b);
+ *
+ * Given two IP adresses return true if they match
+ * or are considered to belong to the same host.
+ *
+ * For example if /etc/krb.equiv looks like
+ *
+ * 130.237.223.3 192.16.126.3 # alv alv1
+ * 130.237.223.4 192.16.126.4 # byse byse1
+ * 130.237.228.152 192.16.126.9 # topsy topsy1
+ *
+ * krb_equiv(alv, alv1) would return true but
+ * krb_equiv(alv, byse1) would not.
+ *
+ * A comment starts with an '#' and ends with '\n'.
+ *
+ */
+#include "krb_locl.h"
+
+int krb_ignore_ip_address = 0;
+
+int
+krb_equiv(u_int32_t a, u_int32_t b)
+{
+ FILE *fil;
+ char line[256];
+ int hit_a, hit_b;
+ int iscomment;
+
+ if (a == b) /* trivial match, also the common case */
+ return 1;
+
+ if (krb_ignore_ip_address)
+ return 1; /* if we have decided not to compare */
+
+ a = ntohl(a);
+ b = ntohl(b);
+
+ fil = fopen(KRB_EQUIV, "r");
+ if (fil == NULL) /* open failed */
+ return 0;
+
+ hit_a = hit_b = 0;
+ iscomment = 0;
+ while (fgets(line, sizeof(line)-1, fil) != NULL) /* for each line */
+ {
+ char *t = line;
+ int len = strlen(t);
+
+ /* for each item on this line */
+ while (*t != 0) /* more addresses on this line? */
+ if (*t == '\n') {
+ iscomment = hit_a = hit_b = 0;
+ break;
+ } else if (iscomment)
+ t = line + len - 1;
+ else if (*t == '#') { /* rest is comment */
+ iscomment = 1;
+ ++t;
+ } else if (*t == '\\' ) /* continuation */
+ break;
+ else if (isspace(*t)) /* skip space */
+ t++;
+ else if (isdigit(*t)) /* an address? */
+ {
+ u_int32_t tmp;
+ u_int32_t tmpa, tmpb, tmpc, tmpd;
+
+ sscanf(t, "%d.%d.%d.%d", &tmpa, &tmpb, &tmpc, &tmpd);
+ tmp = (tmpa << 24) | (tmpb << 16) | (tmpc << 8) | tmpd;
+
+ while (*t == '.' 
|| isdigit(*t)) /* done with this address */ + t++; + + if (tmp != -1) { /* an address (and not broadcast) */ + u_int32_t mask = (u_int32_t)~0; + + if (*t == '/') { + ++t; + mask <<= 32 - atoi(t); + + while(isdigit(*t)) + ++t; + } + + if ((tmp & mask) == (a & mask)) + hit_a = 1; + if ((tmp & mask) == (b & mask)) + hit_b = 1; + if (hit_a && hit_b) { + fclose(fil); + return 1; + } + } + } + else + ++t; /* garbage on this line, skip it */ + + } + + fclose(fil); + return 0; +} diff --git a/kerberosIV/krb/krb_err.et b/kerberosIV/krb/krb_err.et index 6c7d37df89e..172e61f12ba 100644 --- a/kerberosIV/krb/krb_err.et +++ b/kerberosIV/krb/krb_err.et @@ -3,9 +3,7 @@ # For copying and distribution information, see the file # "mit-copyright.h". # -# $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/krb_err.et,v $ -# $Author: tholo $ -# $Header: /cvs/OpenBSD/src/kerberosIV/krb/Attic/krb_err.et,v 1.1 1995/12/14 06:52:37 tholo Exp $ +# $KTH: krb_err.et,v 1.4 1996/10/27 13:30:28 bg Exp $ # error_table krb @@ -226,7 +224,7 @@ "Don't have Kerberos ticket-granting ticket" ec KRBET_KRB_RES72, - "Reserved 72" + "Can't get Kerberos inter-realm ticket-granting ticket" ec KRBET_KRB_RES73, "Reserved 73" diff --git a/kerberosIV/krb/krb_err_txt.c b/kerberosIV/krb/krb_err_txt.c index 8423d20e81a..18eb61bba8c 100644 --- a/kerberosIV/krb/krb_err_txt.c +++ b/kerberosIV/krb/krb_err_txt.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/krb_err_txt.c,v $ - * - * $Locker: $ - */ +/* $KTH: krb_err_txt.c,v 1.12 1997/04/02 05:37:10 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -29,6 +23,7 @@ or implied warranty. #include "krb_locl.h" + /* * This file contains an array of error text strings. * The associated error codes (which are defined in "krb.h") 
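Review bot: The return value of `sscanf(t, "%d.%d.%d.%d", &tmpa, &tmpb, &tmpc, &tmpd)` in krb_equiv is ignored and `%d` is paired with `u_int32_t` pointers, so an entry such as `130.237` leaves `tmpc`/`tmpd` holding whatever was on the stack and that value is then compared against `a` and `b`; octets above 255 also spill into the neighbouring octet through the shifts. `mask <<= 32 - atoi(t)` is undefined for a `/0` prefix (shift by the full width) and for prefixes above 32, and a `/0` entry, if it did work, would declare every address equivalent to every other. The rewrite below checks the sscanf count and octet range, skips malformed entries instead of letting them match, and accepts only /1 to /32; the `tmp != -1` broadcast test is kept but spelled as `(u_int32_t)~0`. krb_equiv starts and ends inside this hunk.
```c
            else if (isdigit(*t))              /* an address? */
            {
                u_int32_t tmp;
                unsigned tmpa, tmpb, tmpc, tmpd;

                /* a short or malformed entry must not match anything */
                if (sscanf(t, "%u.%u.%u.%u", &tmpa, &tmpb, &tmpc, &tmpd) != 4
                    || tmpa > 255 || tmpb > 255 || tmpc > 255 || tmpd > 255) {
                    while (*t == '.' || isdigit(*t))
                        t++;
                    continue;
                }
                tmp = (tmpa << 24) | (tmpb << 16) | (tmpc << 8) | tmpd;

                /* … unchanged: skip past the address text … */

                if (tmp != (u_int32_t)~0) {    /* an address (and not broadcast) */
                    u_int32_t mask = (u_int32_t)~0;

                    if (*t == '/') {
                        int bits = atoi(++t);

                        while (isdigit(*t))
                            ++t;
                        /* only /1../32: a shift by 32 is undefined, /0 would match every host */
                        if (bits < 1 || bits > 32)
                            continue;
                        mask <<= 32 - bits;
                    }
                    /* … unchanged: compare (tmp & mask) with a and b … */
```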
@@ -47,7 +42,7 @@ const char *krb_err_txt[256] = { "Principal unknown (kerberos)", /* 008 */ "Principal not unique (kerberos)", /* 009 */ "Principal has null key (kerberos)", /* 010 */ - "Reserved error message 11 (kerberos)", /* 011 */ + "Timeout in request (kerberos)", /* 011 */ "Reserved error message 12 (kerberos)", /* 012 */ "Reserved error message 13 (kerberos)", /* 013 */ "Reserved error message 14 (kerberos)", /* 014 */ @@ -99,16 +94,16 @@ const char *krb_err_txt[256] = { "Reserved error message 60 (send_to_kdc)", /* 060 */ "Warning: Not ALL tickets returned", /* 061 */ "Password incorrect", /* 062 */ - "Protocol error (get_intkt)", /* 063 */ + "Protocol error (get_in_tkt)", /* 063 */ "Reserved error message 64 (get_in_tkt)", /* 064 */ "Reserved error message 65 (get_in_tkt)", /* 065 */ "Reserved error message 66 (get_in_tkt)", /* 066 */ "Reserved error message 67 (get_in_tkt)", /* 067 */ "Reserved error message 68 (get_in_tkt)", /* 068 */ "Reserved error message 69 (get_in_tkt)", /* 069 */ - "Generic error (get_intkt)", /* 070 */ + "Generic error (get_in_tkt)(can't write ticket file)", /* 070 */ "Don't have ticket granting ticket (get_ad_tkt)", /* 071 */ - "Reserved error message 72 (get_ad_tkt)", /* 072 */ + "Can't get inter-realm ticket granting ticket (get_ad_tkt)", /* 072 */ "Reserved error message 73 (get_ad_tkt)", /* 073 */ "Reserved error message 74 (get_ad_tkt)", /* 074 */ "Reserved error message 75 (get_ad_tkt)", /* 075 */ @@ -293,3 +288,13 @@ const char *krb_err_txt[256] = { "(reserved)", "Generic kerberos error (kfailure)", /* 255 */ }; + +static const char err_failure[] = "Illegal error code passed (krb_get_err_text)"; + +const char * +krb_get_err_text(int code) +{ + if(code < 0 || code >= MAX_KRB_ERRORS) + return err_failure; + return krb_err_txt[code]; +} diff --git a/kerberosIV/krb/krb_get_in_tkt.c b/kerberosIV/krb/krb_get_in_tkt.c index 1ce8c9926b7..4910e1fe052 100644 --- a/kerberosIV/krb/krb_get_in_tkt.c 
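Review bot: The bounds check in the new krb_get_err_text uses `MAX_KRB_ERRORS`, a constant defined elsewhere, while the table it indexes is declared `krb_err_txt[256]` in this same file; if the two ever drift apart the lookup reads past the array and returns a stray pointer as an error string. Deriving the bound from the array keeps them tied: `if (code < 0 || (size_t)code >= sizeof(krb_err_txt) / sizeof(krb_err_txt[0]))`. The surrounding string-table hunks in this file are plain wording changes and need nothing.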
+++ b/kerberosIV/krb/krb_get_in_tkt.c 
@@ -1,64 +1,45 @@ +/* $KTH: krb_get_in_tkt.c,v 1.22 1997/08/23 15:49:11 joda Exp $ */ + /* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/krb_get_in_tkt.c,v $ - * - * $Locker: $ + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - #include "krb_locl.h" -#include <sys/time.h> - -int swap_bytes; - -static int -pkt_clen(pkt) - KTEXT pkt; -{ - static unsigned short temp,temp2; - int clen = 0; - - /* Start of ticket list */ - unsigned char *ptr = pkt_a_realm(pkt) + 10 - + strlen((char *)pkt_a_realm(pkt)); - - /* Finally the length */ - bcopy((char *)(++ptr),(char *)&temp,2); /* alignment */ - if (swap_bytes) { - /* assume a short is 2 bytes?? 
*/ - swab((char *)&temp,(char *)&temp2,2); - temp = temp2; - } - - clen = (int) temp; - - if (krb_debug) - printf("Clen is %d\n",clen); - return(clen); -} - /* * decrypt_tkt(): Given user, instance, realm, passwd, key_proc * and the cipher text sent from the KDC, decrypt the cipher text @@ -66,41 +47,20 @@ pkt_clen(pkt) */ static int -decrypt_tkt(user, instance, realm, arg, key_proc, cipp) - char *user; - char *instance; - char *realm; - char *arg; - int (*key_proc)(); - KTEXT *cipp; +decrypt_tkt(char *user, char *instance, char *realm, + void *arg, key_proc_t key_proc, KTEXT *cip) { - KTEXT cip = *cipp; des_cblock key; /* Key for decrypting cipher */ - des_key_schedule key_s; + int ret; -#ifndef NOENCRYPTION - /* Attempt to decrypt it */ -#endif - - /* generate a key */ - - { - register int rc; - rc = (*key_proc)(user,instance,realm,arg,key); - if (rc) - return(rc); - } + ret = key_proc(user, instance, realm, arg, &key); + if (ret != 0) + return ret; -#ifndef NOENCRYPTION - des_key_sched(&key,key_s); - des_pcbc_encrypt((des_cblock *)cip->dat,(des_cblock *)cip->dat, - (long) cip->length,key_s,&key,DES_DECRYPT); -#endif /* !NOENCRYPTION */ - /* Get rid of all traces of key */ - bzero((char *)key,sizeof(key)); - bzero((char *)key_s,sizeof(key_s)); + encrypt_ktext(*cip, &key, DES_DECRYPT); - return(0); + memset(&key, 0, sizeof(key)); + return 0; } /* 
@@ -145,187 +105,92 @@ decrypt_tkt(user, instance, realm, arg, key_proc, cipp) */ int -krb_get_in_tkt(user, instance, realm, service, sinstance, life, - key_proc, decrypt_proc, arg) - char *user; - char *instance; - char *realm; - char *service; - char *sinstance; - int life; - int (*key_proc)(); - int (*decrypt_proc)(); - char *arg; +krb_mk_as_req(char *user, char *instance, char *realm, + char *service, char *sinstance, int life, KTEXT cip) { KTEXT_ST pkt_st; KTEXT pkt = &pkt_st; /* Packet to KDC */ KTEXT_ST rpkt_st; - KTEXT rpkt = &rpkt_st; /* Returned packet */ - KTEXT_ST cip_st; - KTEXT cip = &cip_st; /* Returned Ciphertext */ - KTEXT_ST tkt_st; - KTEXT tkt = &tkt_st; /* Current ticket */ - des_cblock ses; /* Session key for tkt */ - int kvno; /* Kvno for session key */ - unsigned char *v = pkt->dat; /* Prot vers no */ - unsigned char *t = (pkt->dat+1); /* Prot msg type */ - - char s_name[SNAME_SZ]; - char s_instance[INST_SZ]; - char rlm[REALM_SZ]; - int lifetime; - int msg_byte_order; + KTEXT rpkt = &rpkt_st; /* Reply from KDC */ + int kerror; - unsigned long exp_date; - char *ptr; - - struct timeval t_local; - - unsigned long rep_err_code; - - unsigned long kdc_time; /* KDC time */ + struct timeval tv; /* BUILD REQUEST PACKET */ - /* Set up the fixed part of the packet */ - *v = (unsigned char) KRB_PROT_VERSION; - *t = (unsigned char) AUTH_MSG_KDC_REQUEST; - *t |= HOST_BYTE_ORDER; + unsigned char *p = pkt->dat; + + p += krb_put_int(KRB_PROT_VERSION, p, 1); + p += krb_put_int(AUTH_MSG_KDC_REQUEST, p, 1); + + p += krb_put_nir(user, instance, realm, p); - /* Now for the variable info */ - (void) strcpy((char *)(pkt->dat+2),user); /* aname */ - pkt->length = 3 + strlen(user); - (void) strcpy((char *)(pkt->dat+pkt->length), - instance); /* instance */ - pkt->length += 1 + strlen(instance); - (void) strcpy((char *)(pkt->dat+pkt->length),realm); /* realm */ - pkt->length += 1 + strlen(realm); + gettimeofday(&tv, NULL); + p += krb_put_int(tv.tv_sec, p, 4); + p += 
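Review bot: `memset(&key, 0, sizeof(key))` at the end of decrypt_tkt is a store to a local that is never read again, which an optimizer may drop, so the DES key derived from the user's password can remain on the stack after the function returns (the bzero it replaces had the same weakness). Clearing through a pointer the compiler cannot elide avoids that: `volatile unsigned char *vp = (volatile unsigned char *)&key;` followed by `for (i = 0; i < sizeof(key); i++) vp[i] = 0;`. The removed code also cleared the key schedule; if encrypt_ktext builds one internally it has to do the same, which is not visible from this hunk.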
krb_put_int(life, p, 1); - (void) gettimeofday(&t_local,(struct timezone *) 0); - /* timestamp */ - bcopy((char *)&(t_local.tv_sec),(char *)(pkt->dat+pkt->length), 4); - pkt->length += 4; + p += krb_put_nir(service, sinstance, NULL, p); - *(pkt->dat+(pkt->length)++) = (char) life; - (void) strcpy((char *)(pkt->dat+pkt->length),service); - pkt->length += 1 + strlen(service); - (void) strcpy((char *)(pkt->dat+pkt->length),sinstance); - pkt->length += 1 + strlen(sinstance); + pkt->length = p - pkt->dat; rpkt->length = 0; /* SEND THE REQUEST AND RECEIVE THE RETURN PACKET */ - if ((kerror = send_to_kdc(pkt, rpkt, realm))) return(kerror); - - /* check packet version of the returned packet */ - if (pkt_version(rpkt) != KRB_PROT_VERSION) - return(INTK_PROT); - - /* Check byte order */ - msg_byte_order = pkt_msg_type(rpkt) & 1; - swap_bytes = 0; - if (msg_byte_order != HOST_BYTE_ORDER) { - swap_bytes++; - } - - switch (pkt_msg_type(rpkt) & ~1) { - case AUTH_MSG_KDC_REPLY: - break; - case AUTH_MSG_ERR_REPLY: - bcopy(pkt_err_code(rpkt),(char *) &rep_err_code,4); - if (swap_bytes) swap_u_long(rep_err_code); - return((int)rep_err_code); - default: - return(INTK_PROT); - } - - /* EXTRACT INFORMATION FROM RETURN PACKET */ - - /* get the principal's expiration date */ - bcopy(pkt_x_date(rpkt),(char *) &exp_date,sizeof(exp_date)); - if (swap_bytes) swap_u_long(exp_date); - - /* Extract the ciphertext */ - cip->length = pkt_clen(rpkt); /* let clen do the swap */ - - if ((cip->length < 0) || (cip->length > sizeof(cip->dat))) - return(INTK_ERR); /* no appropriate error code - currently defined for INTK_ */ - /* copy information from return packet into "cip" */ - bcopy((char *) pkt_cipher(rpkt),(char *)(cip->dat),cip->length); + kerror = send_to_kdc(pkt, rpkt, realm); + if(kerror) return kerror; + kerror = kdc_reply_cipher(rpkt, cip); + return kerror; +} - /* Attempt to decrypt the reply. 
*/ +int +krb_decode_as_rep(char *user, char *instance, char *realm, + char *service, char *sinstance, + key_proc_t key_proc, decrypt_proc_t decrypt_proc, void *arg, + KTEXT as_rep, CREDENTIALS *cred) +{ + int kerror; + unsigned char *p; + time_t now; + if (decrypt_proc == NULL) decrypt_proc = decrypt_tkt; - (*decrypt_proc)(user, instance, realm, arg, key_proc, &cip); - - ptr = (char *) cip->dat; - - /* extract session key */ - bcopy(ptr,(char *)ses,8); - ptr += 8; - - if ((strlen(ptr) + (ptr - (char *) cip->dat)) > cip->length) - return(INTK_BADPW); - - /* extract server's name */ - (void) strcpy(s_name,ptr); - ptr += strlen(s_name) + 1; - - if ((strlen(ptr) + (ptr - (char *) cip->dat)) > cip->length) - return(INTK_BADPW); - - /* extract server's instance */ - (void) strcpy(s_instance,ptr); - ptr += strlen(s_instance) + 1; - - if ((strlen(ptr) + (ptr - (char *) cip->dat)) > cip->length) - return(INTK_BADPW); - - /* extract server's realm */ - (void) strcpy(rlm,ptr); - ptr += strlen(rlm) + 1; - - /* extract ticket lifetime, server key version, ticket length */ - /* be sure to avoid sign extension on lifetime! 
*/ - lifetime = (unsigned char) ptr[0]; - kvno = (unsigned char) ptr[1]; - tkt->length = (unsigned char) ptr[2]; - ptr += 3; - - if ((tkt->length < 0) || - ((tkt->length + (ptr - (char *) cip->dat)) > cip->length)) - return(INTK_BADPW); - - /* extract ticket itself */ - bcopy(ptr,(char *)(tkt->dat),tkt->length); - ptr += tkt->length; - - if (strcmp(s_name, service) || strcmp(s_instance, sinstance) || - strcmp(rlm, realm)) /* not what we asked for */ - return(INTK_ERR); /* we need a better code here XXX */ - - /* check KDC time stamp */ - bcopy(ptr,(char *)&kdc_time,4); /* Time (coarse) */ - if (swap_bytes) swap_u_long(kdc_time); - - ptr += 4; - - (void) gettimeofday(&t_local,(struct timezone *) 0); - if (abs((int)(t_local.tv_sec - kdc_time)) > CLOCK_SKEW) { - return(RD_AP_TIME); /* XXX should probably be better - code */ + (*decrypt_proc)(user, instance, realm, arg, key_proc, &as_rep); + + kerror = kdc_reply_cred(as_rep, cred); + if(kerror != KSUCCESS) + return kerror; + + if (strcmp(cred->service, service) || + strcmp(cred->instance, sinstance) || + strcmp(cred->realm, realm)) /* not what we asked for */ + return INTK_ERR; /* we need a better code here XXX */ + + now = time(NULL); + if (abs((int)(now - cred->issue_date)) > CLOCK_SKEW) { + return RD_AP_TIME; /* XXX should probably be better code */ } - /* initialize ticket cache */ - if (in_tkt(user,instance) != KSUCCESS) - return(INTK_ERR); - - /* stash ticket, session key, etc. 
for future use */ - if ((kerror = save_credentials(s_name, s_instance, rlm, ses, - lifetime, kvno, tkt, t_local.tv_sec))) - return(kerror); + return 0; +} - return(INTK_OK); +int +krb_get_in_tkt(char *user, char *instance, char *realm, + char *service, char *sinstance, int life, + key_proc_t key_proc, decrypt_proc_t decrypt_proc, void *arg) +{ + KTEXT_ST as_rep; + CREDENTIALS cred; + int ret; + + ret = krb_mk_as_req(user, instance, realm, + service, sinstance, life, &as_rep); + if(ret) + return ret; + ret = krb_decode_as_rep(user, instance, realm, service, sinstance, + key_proc, decrypt_proc, arg, &as_rep, &cred); + if(ret) + return ret; + + return tf_setup(&cred, user, instance); } diff --git a/kerberosIV/krb/krb_locl.h b/kerberosIV/krb/krb_locl.h index 45f46bbf991..75b668a5170 100644 --- a/kerberosIV/krb/krb_locl.h +++ b/kerberosIV/krb/krb_locl.h 
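Review bot: In krb_decode_as_rep the result of `(*decrypt_proc)(user, instance, realm, arg, key_proc, &as_rep)` is discarded, so when key_proc fails (the new decrypt_tkt does propagate that) `as_rep` is handed to kdc_reply_cred still encrypted and the caller sees whatever error that produces instead of the real one; `kerror = (*decrypt_proc)(user, instance, realm, arg, key_proc, &as_rep);` then `if (kerror) return kerror;` fixes it, on the assumption that every decrypt_proc returns 0 on success as decrypt_tkt does. In krb_get_in_tkt the stack copies `as_rep` (the decrypted reply) and `cred` (which carries the session key) are not cleared before returning; a memset of both after tf_setup would bound their lifetime. krb_mk_as_req writes user, instance, realm, service and sinstance into `pkt->dat` through krb_put_nir without an explicit check that they fit the KTEXT buffer; whether krb_put_nir bounds them itself is not visible here. All three functions start and end inside this hunk.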
@@ -1,40 +1,128 @@ -/* $Id: krb_locl.h,v 1.1 1995/12/14 06:52:38 tholo Exp $ */ +/* $KTH: krb_locl.h,v 1.44 1997/10/28 15:37:40 bg Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ #ifndef __krb_locl_h #define __krb_locl_h #include <sys/cdefs.h> -#include "kerberosIV/site.h" +#include <kerberosIV/site.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> +#include <assert.h> +#include <stdarg.h> + +#include <errno.h> +#include <pwd.h> #include <unistd.h> #include <sys/types.h> +#include <sys/time.h> #include <time.h> +#include <sys/time.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/file.h> +#include <sys/select.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <netdb.h> +#include <arpa/nameser.h> +#include <resolv.h> #include <errno.h> #include <kerberosIV/krb.h> #include <prot.h> +#include "resolve.h" +#include "krb_log.h" + /* --- */ /* Globals! 
*/ extern int krb_debug; extern int krb_ap_req_debug; +extern int krb_dns_debug; + +/* Temporary fixes for krb_{rd,mk}_safe */ +#define DES_QUAD_GUESS 0 +#define DES_QUAD_NEW 1 +#define DES_QUAD_OLD 2 + +/* Set this to one of the constants above to specify default checksum + type to emit */ +#define DES_QUAD_DEFAULT DES_QUAD_GUESS /* Utils */ -char *pkt_cipher __P((KTEXT)); +int krb_name_to_name(const char *, char *, size_t); + +void encrypt_ktext(KTEXT cip, des_cblock *key, int encrypt); +int kdc_reply_cred(KTEXT cip, CREDENTIALS *cred); +int kdc_reply_cipher(KTEXT reply, KTEXT cip); + +void k_ricercar(char*); + +/* safe multiple strcat */ +int k_concat(char*, size_t, ...); +int k_vconcat(char*, size_t, va_list); + +/* mallocing versions of the above */ +size_t k_vmconcat (char**, size_t, va_list); +size_t k_mconcat (char**, size_t, ...); + +/* used in rd_safe.c and mk_safe.c */ + +void fixup_quad_cksum(void *start, size_t len, des_cblock *key, + void *new_checksum, void *old_checksum, int little); + +/* stuff from libroken*/ -int new_log __P((time_t, char *)); -char *klog (); +#ifndef TRUE +#define TRUE 1 +#endif -char *month_sname __P((int)); -int fgetst __P((FILE *, char *, int)); +#ifndef FALSE +#define FALSE 0 +#endif #endif /* __krb_locl_h */ diff --git a/kerberosIV/krb/kuserok.c b/kerberosIV/krb/kuserok.c index 7cc7e4af413..6908354e5fe 100644 --- a/kerberosIV/krb/kuserok.c +++ b/kerberosIV/krb/kuserok.c 
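Review bot: The new include list pulls in `#include <sys/time.h>` twice (once before `<time.h>` and again right after it) and `#include <errno.h>` twice (in the added block after `<stdarg.h>` and in the surviving line before `<kerberosIV/krb.h>`); the system header guards make this harmless, but it reads as a merge leftover, so drop one copy of each. `DES_QUAD_GUESS`/`DES_QUAD_NEW`/`DES_QUAD_OLD` are a closed set of related integer constants and would be clearer as `enum { DES_QUAD_GUESS = 0, DES_QUAD_NEW = 1, DES_QUAD_OLD = 2 };`, which also gives the debugger the names. The comment above `DES_QUAD_DEFAULT` says which constant to set but not what "guess" does at the emitting side; a one-line pointer to where fixup_quad_cksum resolves it (rd_safe.c/mk_safe.c per the comment below it) would help, though this hunk does not show that logic.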
@@ -1,55 +1,68 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/kuserok.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ +/* $KTH: kuserok.c,v 1.21 1997/04/01 08:18:35 joda Exp $ */ /* - * kuserok: check if a kerberos principal has - * access to a local account + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. 
All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb_locl.h" -#include <pwd.h> -#include <sys/param.h> -#include <sys/socket.h> -#include <sys/stat.h> -#include <sys/file.h> - #define OK 0 #define NOTOK 1 #define MAX_USERNAME 10 -/* - * Given a Kerberos principal "kdata", and a local username "luser", - * determine whether user is authorized to login according to the - * authorization file ("~luser/.klogin" by default). Returns OK - * if authorized, NOTOK if not authorized. +/* + * Given a Kerberos principal and a local username, determine whether + * user is authorized to login according to the authorization file + * ("~luser/.klogin" by default). Returns OK if authorized, NOTOK if + * not authorized. + * + * IMPORTANT CHANGE: To eliminate the need of making a distinction + * between the 3 cases: + * + * 1. 
We can't verify that a .klogin file doesn't exist (no home dir). + * 2. It's there but we aren't allowed to read it. + * 3. We can read it and ~luser@LOCALREALM is (not) included. + * + * We instead make the assumption that luser@LOCALREALM is *always* + * included. Thus it is impossible to have an empty .klogin file and + * also to exclude luser@LOCALREALM from it. Root is treated differently + * since it's home should always be available. * + * OLD STRATEGY: * If there is no account for "luser" on the local machine, returns * NOTOK. If there is no authorization file, and the given Kerberos * name "kdata" translates to the same name as "luser" (using 
@@ -64,148 +77,80 @@ or implied warranty. * * one entry per line. * - * The ATHENA_COMPAT code supports old-style Athena ~luser/.klogin - * file entries. See the file "kparse.c". */ -#ifdef ATHENA_COMPAT - -#include <kparse.h> - -/* - * The parmtable defines the keywords we will recognize with their - * default values, and keeps a pointer to the found value. The found - * value should be filled in with strsave(), since FreeParameterSet() - * will release memory for all non-NULL found strings. - * -*** NOTE WELL! *** - * - * The table below is very nice, but we cannot hard-code a default for the - * realm: we have to get the realm via krb_get_lrealm(). Even though the - * default shows as "from krb_get_lrealm, below", it gets changed in - * kuserok to whatever krb_get_lrealm() tells us. That code assumes that - * the realm will be the entry number in the table below, so if you - * change the order of the entries below, you have to change the - * #definition of REALM_SCRIPT to reflect it. 
- */ -#define REALM_SUBSCRIPT 1 -parmtable kparm[] = { - -/* keyword default found value */ -{"user", "", (char *) NULL}, -{"realm", "see krb_get_lrealm, below", (char *) NULL}, -{"instance", "", (char *) NULL}, -}; -#define KPARMS kparm,PARMCOUNT(kparm) -#endif /* ATHENA_COMPAT */ - int -kuserok(kdata, luser) - AUTH_DAT *kdata; - char *luser; +krb_kuserok(char *name, char *instance, char *realm, char *luser) { - struct stat sbuf; struct passwd *pwd; - char pbuf[MAXPATHLEN]; - int isok = NOTOK, rc; - FILE *fp; - char kuser[MAX_USERNAME]; - char principal[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ]; - char linebuf[BUFSIZ]; - char *newline; - int gobble; -#ifdef ATHENA_COMPAT - char local_realm[REALM_SZ]; -#endif /* ATHENA_COMPAT */ - - /* no account => no access */ - if ((pwd = getpwnam(luser)) == NULL) { - return(NOTOK); + char lrealm[REALM_SZ]; + FILE *f; + char line[1024]; + char file[MAXPATHLEN]; + struct stat st; + + pwd = getpwnam(luser); + if(pwd == NULL) + return NOTOK; + if(krb_get_lrealm(lrealm, 1)) + return NOTOK; + if(pwd->pw_uid != 0 && + strcmp(name, luser) == 0 && + strcmp(instance, "") == 0 && + strcmp(realm, lrealm) == 0) + return OK; + strcpy(file, pwd->pw_dir); + strcat(file, "/.klogin"); + + f = fopen(file, "r"); + if(f == NULL) + return NOTOK; + + /* this is not a working test in filesystems like AFS and DFS */ + if(fstat(fileno(f), &st) < 0){ + fclose(f); + return NOTOK; } - snprintf(pbuf, sizeof pbuf, "%s/.klogin", pwd->pw_dir); - - if (access(pbuf, F_OK)) { /* not accessible */ - /* - * if he's trying to log in as himself, and there is no .klogin file, - * let him. To find out, call - * krb_kntoln to convert the triple in kdata to a name which we can - * string compare. 
- */ - if (!krb_kntoln(kdata, kuser) && (strcmp(kuser, luser) == 0)) { - return(OK); - } - } - /* open ~/.klogin */ - if ((fp = fopen(pbuf, "r")) == NULL) { - return(NOTOK); + + if(st.st_uid != pwd->pw_uid){ + fclose(f); + return NOTOK; } - /* - * security: if the user does not own his own .klogin file, - * do not grant access - */ - if (fstat(fileno(fp), &sbuf)) { - fclose(fp); - return(NOTOK); + + while(fgets(line, sizeof(line), f)){ + char fname[ANAME_SZ], finst[INST_SZ], frealm[REALM_SZ]; + if(line[strlen(line) - 1] != '\n') + /* read till end of line */ + while(1){ + int c = fgetc(f); + if(c == '\n' || c == EOF) + break; + } + else + line[strlen(line) - 1] = 0; + + if(kname_parse(fname, finst, frealm, line)) + continue; + if(strcmp(name, fname)) + continue; + if(strcmp(instance, finst)) + continue; + if(frealm[0] == 0) + strcpy(frealm, lrealm); + if(strcmp(realm, frealm)) + continue; + fclose(f); + return OK; } - if (sbuf.st_uid != pwd->pw_uid) { - fclose(fp); - return(NOTOK); - } - -#ifdef ATHENA_COMPAT - /* Accept old-style .klogin files */ - - /* - * change the default realm from the hard-coded value to the - * accepted realm that Kerberos specifies. 
- */ - rc = krb_get_lrealm(local_realm, 1); - if (rc == KSUCCESS) - kparm[REALM_SUBSCRIPT].defvalue = local_realm; - else - return (rc); - - /* check each line */ - while ((isok != OK) && (rc = fGetParameterSet(fp, KPARMS)) != PS_EOF) { - switch (rc) { - case PS_BAD_KEYWORD: - case PS_SYNTAX: - while (((gobble = fGetChar(fp)) != EOF) && (gobble != '\n')); - break; - - case PS_OKAY: - isok = (ParmCompare(KPARMS, "user", kdata->pname) || - ParmCompare(KPARMS, "instance", kdata->pinst) || - ParmCompare(KPARMS, "realm", kdata->prealm)); - break; + fclose(f); + return NOTOK; +} - default: - break; - } - FreeParameterSet(kparm, PARMCOUNT(kparm)); - } - /* reset the stream for parsing new-style names, if necessary */ - rewind(fp); -#endif /* ATHENA_COMPAT */ +/* compatibility interface */ - /* check each line */ - while ((isok != OK) && (fgets(linebuf, BUFSIZ, fp) != NULL)) { - /* null-terminate the input string */ - linebuf[BUFSIZ-1] = '\0'; - newline = NULL; - /* nuke the newline if it exists */ - if ((newline = strchr(linebuf, '\n'))) - *newline = '\0'; - rc = kname_parse(principal, inst, realm, linebuf); - if (rc == KSUCCESS) { - isok = (strncmp(kdata->pname, principal, ANAME_SZ) || - strncmp(kdata->pinst, inst, INST_SZ) || - strncmp(kdata->prealm, realm, REALM_SZ)); - } - /* clean up the rest of the line if necessary */ - if (!newline) - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); - } - fclose(fp); - return(isok); +int +kuserok(AUTH_DAT *auth, char *luser) +{ + return krb_kuserok(auth->pname, auth->pinst, auth->prealm, luser); } + diff --git a/kerberosIV/krb/lifetime.c b/kerberosIV/krb/lifetime.c index 9b04bd0ba4d..1795bade304 100644 --- a/kerberosIV/krb/lifetime.c +++ b/kerberosIV/krb/lifetime.c 
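Review bot: The .klogin path in krb_kuserok is now built with `strcpy(file, pwd->pw_dir); strcat(file, "/.klogin");` into `file[MAXPATHLEN]`, dropping the bounded `snprintf(pbuf, sizeof pbuf, "%s/.klogin", pwd->pw_dir)` the old code had, so a pw_dir longer than MAXPATHLEN-9 bytes overruns the stack buffer. Restore the bounded form and refuse a truncated path: `int n = snprintf(file, sizeof(file), "%s/.klogin", pwd->pw_dir);` followed by `if (n < 0 || (size_t)n >= sizeof(file)) return NOTOK;`. The line reader also indexes `line[strlen(line) - 1]` unguarded; when fgets returns a line whose first byte is NUL, strlen is 0 and the size_t index wraps, so compute `size_t len = strlen(line);` once and take the read-till-end-of-line branch when `len == 0 || line[len - 1] != '\n'`. The comment on the fstat call could also say what the check protects against, e.g. `/* refuse a .klogin not owned by the account, so another user cannot grant access to it */`.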
@@ -1,25 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/lifetime.c,v $ - * - * $Locker: $ - */ - -/*************************************************************************** - * PRE-HISTORY - * - * Revision 2.1.2.2 91/11/08 00:35:25 mja - * Lower NEVERDATE to a positive value since time values are not - * handled properly by most of the rest of the system when - * negative; add krb_life_to_atime() and krb_atime_to_life(). - * [91/11/07 22:52:50 mja] - * - * Revision 2.1.2.1 91/07/09 22:50:42 mja - * Created. - * [91/01/30 jm36@ANDREW.CMU.EDU] - * - ***************************************************************************/ +/* $KTH: lifetime.c,v 1.9 1997/05/02 14:29:18 assar Exp $ */ /* * Ticket lifetime. This defines the table used to lookup lifetime @@ -36,6 +15,9 @@ #include "krb_locl.h" +/* If you want to disable this feature */ +int krb_no_long_lifetimes = 0; + #define TKTLIFENUMFIXED 64 #define TKTLIFEMINFIXED 0x80 #define TKTLIFEMAXFIXED 0xBF @@ -125,11 +107,12 @@ static const int tkt_lifetimes[TKTLIFENUMFIXED] = { * in seconds, which is added to start to produce the end time. */ u_int32_t -krb_life_to_time(start, life) - u_int32_t start; - int life; +krb_life_to_time(u_int32_t start, int life_) { - life = (unsigned char) life; + unsigned char life = (unsigned char) life_; + + if (krb_no_long_lifetimes) return start + life*5*60; + if (life == TKTLIFENOEXPIRE) return NEVERDATE; if (life < TKTLIFEMINFIXED) return start + life*5*60; if (life > TKTLIFEMAXFIXED) return start + MAXTKTLIFETIME; 
@@ -148,16 +131,14 @@ krb_life_to_time(start, life) * the table for the smallest entry *greater than or equal* to the * requested entry. */ -int -krb_time_to_life(start, end) - u_int32_t start; - u_int32_t end; +int krb_time_to_life(u_int32_t start, u_int32_t end) { - long lifetime; int i; + long lifetime = end - start; + + if (krb_no_long_lifetimes) return (lifetime + 5*60 - 1)/(5*60); if (end >= NEVERDATE) return TKTLIFENOEXPIRE; - lifetime = end - start; if (lifetime > MAXTKTLIFETIME || lifetime <= 0) return 0; if (lifetime < tkt_lifetimes[0]) return (lifetime + 5*60 - 1)/(5*60); for (i=0; i<TKTLIFENUMFIXED; i++) { @@ -169,14 +150,13 @@ krb_time_to_life(start, end) } char * -krb_life_to_atime(life) - int life; +krb_life_to_atime(int life) { static char atime[11+1+2+1+2+1+2+1]; unsigned long when; int secs, mins, hours; - if (life == TKTLIFENOEXPIRE) + if (life == TKTLIFENOEXPIRE && !krb_no_long_lifetimes) return("Forever"); when = krb_life_to_time(0, life); secs = when%60; @@ -185,17 +165,15 @@ krb_life_to_atime(life) when /= 60; hours = when%24; when /= 24; - snprintf(atime, sizeof(atime), "%d+%02d:%02d:%02d", (int)when, hours, - mins, secs); + snprintf(atime, sizeof(atime), "%d+%02d:%02d:%02d", (int)when, hours, mins, secs); return(atime); } int -krb_atime_to_life(atime) - char *atime; +krb_atime_to_life(char *atime) { unsigned long when = 0; - register char *cp; + char *cp; int colon = 0, plus = 0; int n = 0; diff --git a/kerberosIV/krb/log.c b/kerberosIV/krb/log.c deleted file mode 100644 index 5cea8483276..00000000000 --- a/kerberosIV/krb/log.c +++ /dev/null 
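Review bot: In krb_time_to_life the added `if (krb_no_long_lifetimes) return (lifetime + 5*60 - 1)/(5*60);` runs before the `end >= NEVERDATE` and `lifetime > MAXTKTLIFETIME || lifetime <= 0` checks, so with long lifetimes disabled an end earlier than start is not rejected: `end - start` is computed in u_int32_t and, on an LP64 host, converts to a large positive long, and the function returns a huge count instead of 0. That path also has no upper bound, and the `(unsigned char)` cast in krb_life_to_time suggests the result is meant to fit a byte, so lifetimes above 255*5*60 seconds presumably need clamping there as well. Move the early return after the range check and clamp it: keep `if (lifetime > MAXTKTLIFETIME || lifetime <= 0) return 0;` first, then `if (krb_no_long_lifetimes) return lifetime > 255*5*60 ? 255 : (lifetime + 5*60 - 1)/(5*60);`. Whether a NEVERDATE end should still map to TKTLIFENOEXPIRE in this mode is unclear from the hunk; the new `&& !krb_no_long_lifetimes` in krb_life_to_atime suggests it should not, which is worth stating in a comment on the flag. krb_time_to_life's body continues outside the hunk.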
@@ -1,133 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/log.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#include "krb_locl.h" - -#include <sys/time.h> - -#include <klog.h> - -static char *log_name = KRBLOG; -static is_open; - -/* - * This file contains three logging routines: set_logfile() - * to determine the file that log entries should be written to; - * and log() and new_log() to write log entries to the file. - */ - -/* - * log() is used to add entries to the logfile (see set_logfile() - * below). Note that it is probably not portable since it makes - * assumptions about what the compiler will do when it is called - * with less than the correct number of arguments which is the - * way it is usually called. - * - * The log entry consists of a timestamp and the given arguments - * printed according to the given "format". - * - * The log file is opened and closed for each log entry. - * - * The return value is undefined. 
- */ - -/*VARARGS1 */ -void -log(format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a0) - char *format; - int a1, a2, a3, a4, a5, a6, a7, a8, a9, a0; -{ - FILE *logfile; - time_t now; - struct tm *tm; - - if ((logfile = fopen(log_name,"a")) == NULL) - return; - - (void) time(&now); - tm = localtime(&now); - - fprintf(logfile,"%2d-%s-%02d %02d:%02d:%02d ",tm->tm_mday, - month_sname(tm->tm_mon + 1),tm->tm_year, - tm->tm_hour, tm->tm_min, tm->tm_sec); - fprintf(logfile,format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0); - fprintf(logfile,"\n"); - (void) fclose(logfile); - return; -} - -/* - * set_logfile() changes the name of the file to which - * messages are logged. If set_logfile() is not called, - * the logfile defaults to KRBLOG, defined in "krb.h". - */ - -void -set_logfile(filename) - char *filename; -{ - log_name = filename; - is_open = 0; -} - -/* - * new_log() appends a log entry containing the give time "t" and the - * string "string" to the logfile (see set_logfile() above). The file - * is opened once and left open. The routine returns 1 on failure, 0 - * on success. - */ - -int -new_log(t, string) - time_t t; - char *string; -{ - static FILE *logfile; - - struct tm *tm; - - if (!is_open) { - if ((logfile = fopen(log_name,"a")) == NULL) return(1); - is_open = 1; - } - - if (t) { - tm = localtime(&t); - - fprintf(logfile,"\n%2d-%s-%02d %02d:%02d:%02d %s",tm->tm_mday, - month_sname(tm->tm_mon + 1),tm->tm_year, - tm->tm_hour, tm->tm_min, tm->tm_sec, string); - } - else { - fprintf(logfile,"\n%20s%s","",string); - } - - (void) fflush(logfile); - return(0); -} diff --git a/kerberosIV/krb/logging.c b/kerberosIV/krb/logging.c new file mode 100644 index 00000000000..46c7ba2c998 --- /dev/null +++ b/kerberosIV/krb/logging.c 
@@ -0,0 +1,240 @@ +/* $KTH: logging.c,v 1.14 1997/05/11 09:01:40 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" +#include <klog.h> + +struct krb_log_facility { + char filename[MAXPATHLEN]; + FILE *file; + krb_log_func_t func; +}; + +int +krb_vlogger(struct krb_log_facility *f, const char *format, va_list args) +{ + FILE *file = NULL; + int ret; + + if (f->file != NULL) + file = f->file; + else if (f->filename && f->filename[0]) + file = fopen(f->filename, "a"); + + ret = f->func(file, format, args); + + if (file != f->file) + fclose(file); + return ret; +} + +int +krb_logger(struct krb_log_facility *f, const char *format, ...) +{ + va_list args; + int ret; + va_start(args, format); + ret = krb_vlogger(f, format, args); + va_end(args); + return ret; +} + +/* + * If FILE * is given log to it, otherwise, log to filename. When + * given a file name the file is opened and closed for each log + * record. + */ +int +krb_openlog(struct krb_log_facility *f, + char *filename, + FILE *file, + krb_log_func_t func) +{ + strcpy(f->filename, filename); + f->file = file; + f->func = func; + return KSUCCESS; +} + +/* ------------------------------------------------------------ + Compatibility functions from warning.c + ------------------------------------------------------------ */ + +static int +log_tty(FILE *f, const char *format, va_list args) +{ + if (f != NULL && isatty(fileno(f))) + vfprintf(f, format, args); + return KSUCCESS; +} + +/* stderr */ +static struct krb_log_facility std_log = { "/dev/tty", NULL, log_tty }; + +static void +init_std_log () +{ + static int done = 0; + + if (!done) { + std_log.file = stderr; + done = 1; + } +} + +/* + * + */ +void +krb_set_warnfn (krb_warnfn_t newfunc) +{ + init_std_log (); + std_log.func = newfunc; +} + +/* + * + */ +krb_warnfn_t +krb_get_warnfn (void) +{ + init_std_log (); + return std_log.func; +} + +/* + * Log warnings to stderr if it's a tty. + */ +void +krb_warning (const char *format, ...) 
+{ + va_list args; + + init_std_log (); + va_start(args, format); + krb_vlogger(&std_log, format, args); + va_end(args); +} + +/* ------------------------------------------------------------ + Compatibility functions from klog.c and log.c + ------------------------------------------------------------ */ + +/* + * Used by kerberos and kadmind daemons and in libkrb (rd_req.c). + * + * By default they log to the kerberos server log-file (KRBLOG) to be + * backwards compatible. + */ + +static int +log_with_timestamp_and_nl(FILE *file, const char *format, va_list args) +{ + time_t now; + if(file == NULL) + return KFAILURE; + time(&now); + fputs(krb_stime(&now), file); + fputs(": ", file); + vfprintf(file, format, args); + fputs("\n", file); + fflush(file); + return KSUCCESS; +} + +static struct krb_log_facility +file_log = { KRBLOG, NULL, log_with_timestamp_and_nl }; + +/* + * kset_logfile() changes the name of the file to which + * messages are logged. If kset_logfile() is not called, + * the logfile defaults to KRBLOG, defined in "krb.h". + */ + +void +kset_logfile(char *filename) +{ + krb_openlog(&file_log, filename, NULL, log_with_timestamp_and_nl); +} + +/* + * krb_log() and klog() is used to add entries to the logfile. + * + * The log entry consists of a timestamp and the given arguments + * printed according to the given "format" string. + * + * The log file is opened and closed for each log entry. + * + * If the given log type "type" is unknown, or if the log file + * cannot be opened, no entry is made to the log file. + * + * CHANGE: the type is always ignored + * + * The return value of klog() is always a pointer to the formatted log + * text string "logtxt". + */ + +/* Used in kerberos.c only. */ +char * +klog(int type, const char *format, ...) 
+{ + static char logtxt[1024]; + + va_list ap; + + va_start(ap, format); + vsnprintf(logtxt, sizeof(logtxt), format, ap); + va_end(ap); + + krb_logger(&file_log, "%s", logtxt); + + return logtxt; +} + +/* Used in kadmind and rd_req.c */ +void +krb_log(const char *format, ...) +{ + va_list args; + + va_start(args, format); + krb_vlogger(&file_log, format, args); + va_end(args); +} diff --git a/kerberosIV/krb/lsb_addr_comp.c b/kerberosIV/krb/lsb_addr_comp.c new file mode 100644 index 00000000000..6e1c11fed0b --- /dev/null +++ b/kerberosIV/krb/lsb_addr_comp.c 
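Review bot: krb_openlog copies the caller's path with `strcpy(f->filename, filename);` into `filename[MAXPATHLEN]` with no length check, so kset_logfile with an over-long name overruns the static file_log structure; use `snprintf(f->filename, sizeof(f->filename), "%s", filename ? filename : "");`, which also tolerates the NULL name the header comment implies is allowed when a FILE * is given instead. In krb_vlogger the condition `f->filename && f->filename[0]` is always true in its first half because filename is an array, so `f->filename[0]` alone says what is meant. The kset_logfile comment should note that the name is copied, so the caller's buffer need not outlive the call, e.g. `/* filename is copied into file_log; the caller may free it afterwards */`.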
@@ -0,0 +1,105 @@ +/* $KTH: lsb_addr_comp.c,v 1.9 1997/04/01 08:18:37 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +#include "lsb_addr_comp.h" + +int +krb_lsb_antinet_ulong_cmp(u_int32_t x, u_int32_t y) +{ + int i; + u_int32_t a = 0, b = 0; + u_int8_t *p = (u_int8_t*) &x; + u_int8_t *q = (u_int8_t*) &y; + + for(i = sizeof(u_int32_t) - 1; i >= 0; i--){ + a = (a << 8) | p[i]; + b = (b << 8) | q[i]; + } + if(a > b) + return 1; + if(a < b) + return -1; + return 0; +} + +int +krb_lsb_antinet_ushort_cmp(u_int16_t x, u_int16_t y) +{ + int i; + u_int16_t a = 0, b = 0; + u_int8_t *p = (u_int8_t*) &x; + u_int8_t *q = (u_int8_t*) &y; + + for(i = sizeof(u_int16_t) - 1; i >= 0; i--){ + a = (a << 8) | p[i]; + b = (b << 8) | q[i]; + } + if(a > b) + return 1; + if(a < b) + return -1; + return 0; +} + +u_int32_t +lsb_time(time_t t, struct sockaddr_in *src, struct sockaddr_in *dst) +{ + /* + * direction bit is the sign bit of the timestamp. Ok until + * 2038?? + */ + /* For compatibility with broken old code, compares are done in VAX + byte order (LSBFIRST) */ + if (krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, /* src < recv */ + dst->sin_addr.s_addr) < 0) + t = -t; + else if (krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, + dst->sin_addr.s_addr)==0) + if (krb_lsb_antinet_ushort_less(src->sin_port, dst->sin_port) < 0) + t = -t; + /* + * all that for one tiny bit! Heaven help those that talk to + * themselves. + */ + t = t & 0xffffffff; + return t; +} diff --git a/kerberosIV/krb/lsb_addr_comp.h b/kerberosIV/krb/lsb_addr_comp.h index 75a517de9cb..6fc76946816 100644 --- a/kerberosIV/krb/lsb_addr_comp.h +++ b/kerberosIV/krb/lsb_addr_comp.h 
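Review bot: lsb_time evaluates `krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, dst->sin_addr.s_addr)` twice and nests `else if (...) if (...) t = -t;` without braces, which is the dangling-else shape a reviewer flags even when it parses as intended here. Computing the address comparison once and bracing reads more clearly: `int c = krb_lsb_antinet_ulong_less(src->sin_addr.s_addr, dst->sin_addr.s_addr);` then `if (c < 0 || (c == 0 && krb_lsb_antinet_ushort_less(src->sin_port, dst->sin_port) < 0)) t = -t;`. The two `_cmp` functions read the integers byte-wise through u_int8_t pointers, which is fine under the aliasing rules; a one-line comment such as `/* a and b are the operands read as little-endian (VAX order) regardless of host order */` would save the next reader working that out from the loop.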
@@ -1,25 +1,11 @@ -/* - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/lsb_addr_comp.h,v $ - */ +/* $KTH: lsb_addr_comp.h,v 1.6 1996/10/05 00:18:02 joda Exp $ */ /* - * Copyright 1987, 1988 by the Student Information Processing Board - * of the Massachusetts Institute of Technology + * Copyright 1988 by the Massachusetts Institute of Technology. + * + * For copying and distribution information, please see the file + * <mit-copyright.h>. * - * Permission to use, copy, modify, and distribute this software - * and its documentation for any purpose and without fee is - * hereby granted, provided that the above copyright notice - * appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, - * and that the names of M.I.T. and the M.I.T. S.I.P.B. not be - * used in advertising or publicity pertaining to distribution - * of the software without specific, written prior permission. - * M.I.T. and the M.I.T. S.I.P.B. make no representations about - * the suitability of this software for any purpose. It is - * provided "as is" without express or implied warranty. - */ - -/* * Comparison macros to emulate LSBFIRST comparison results of network * byte-order quantities */ 
@@ -27,28 +13,14 @@ #ifndef LSB_ADDR_COMP_DEFS #define LSB_ADDR_COMP_DEFS -#if BYTE_ORDER == BIG_ENDIAN - -#define u_char_comp(x,y) \ - (((x)>(y))?(1):(((x)==(y))?(0):(-1))) -/* This is gross, but... */ -#define lsb_net_ulong_less(x, y) long_less_than((u_char *)&x, (u_char *)&y) -#define lsb_net_ushort_less(x, y) short_less_than((u_char *)&x, (u_char *)&y) - -#define long_less_than(x,y) \ - (u_char_comp((x)[3],(y)[3])?u_char_comp((x)[3],(y)[3]): \ - (u_char_comp((x)[2],(y)[2])?u_char_comp((x)[2],(y)[2]): \ - (u_char_comp((x)[1],(y)[1])?u_char_comp((x)[1],(y)[1]): \ - (u_char_comp((x)[0],(y)[0]))))) -#define short_less_than(x,y) \ - (u_char_comp((x)[1],(y)[1])?u_char_comp((x)[1],(y)[1]): \ - (u_char_comp((x)[0],(y)[0]))) +/* Compare x and y in VAX byte order, result is -1, 0 or 1. */ -#else /* !WORDS_BIGENDIAN */ +#define krb_lsb_antinet_ulong_less(x, y) (((x) == (y)) ? 0 : krb_lsb_antinet_ulong_cmp(x, y)) -#define lsb_net_ulong_less(x,y) ((x < y) ? -1 : ((x > y) ? 1 : 0)) -#define lsb_net_ushort_less(x,y) ((x < y) ? -1 : ((x > y) ? 1 : 0)) +#define krb_lsb_antinet_ushort_less(x, y) (((x) == (y)) ? 0 : krb_lsb_antinet_ushort_cmp(x, y)) -#endif /* !WORDS_BIGENDIAN */ +int krb_lsb_antinet_ulong_cmp(u_int32_t x, u_int32_t y); +int krb_lsb_antinet_ushort_cmp(u_int16_t x, u_int16_t y); +u_int32_t lsb_time(time_t t, struct sockaddr_in *src, struct sockaddr_in *dst); #endif /* LSB_ADDR_COMP_DEFS */ diff --git a/kerberosIV/krb/mk_auth.c b/kerberosIV/krb/mk_auth.c new file mode 100644 index 00000000000..343f05acc80 --- /dev/null +++ b/kerberosIV/krb/mk_auth.c 
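Review bot: The two new macros evaluate `x` and `y` twice (once in the `==` test and again as call arguments), so an argument with side effects is evaluated twice; since krb_lsb_antinet_ulong_cmp already returns 0 for equal inputs (its loop leaves a == b), the shortcut can be dropped: `#define krb_lsb_antinet_ulong_less(x, y) krb_lsb_antinet_ulong_cmp((x), (y))` and the same for the ushort variant. The new prototypes name `time_t` and `struct sockaddr_in`, but the header includes nothing, so it only compiles after `<sys/types.h>` and `<netinet/in.h>` have been pulled in by the including file; either add those includes here or state the requirement in the header comment. The definitions of the two cmp functions are in the preceding hunk, whose start is outside this view.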
@@ -0,0 +1,96 @@ +/* $KTH: mk_auth.c,v 1.4 1997/04/01 08:18:35 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +/* + * Generate an authenticator for service.instance@realm. + * instance is canonicalized by `krb_get_phost' + * realm is set to the local realm if realm == NULL + * The ticket acquired by `krb_mk_req' is returned in `ticket' and the + * authenticator in `buf'. + * Options control the behaviour (see krb_sendauth). + */ + +int +krb_mk_auth(int32_t options, + KTEXT ticket, + char *service, + char *instance, + char *realm, + u_int32_t checksum, + char *version, + KTEXT buf) +{ + char realinst[INST_SZ]; + char realrealm[REALM_SZ]; + int ret; + unsigned char *p; + + if (options & KOPT_DONT_CANON) + strncpy(realinst, instance, sizeof(realinst)); + else + strncpy(realinst, krb_get_phost (instance), sizeof(realinst)); + + if (realm == NULL) { + ret = krb_get_lrealm (realrealm, 1); + if (ret != KSUCCESS) + return ret; + realm = realrealm; + } + + if(!(options & KOPT_DONT_MK_REQ)) { + ret = krb_mk_req (ticket, service, realinst, realm, checksum); + if (ret != KSUCCESS) + return ret; + } + + p = buf->dat; + + memcpy (p, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN); + p += KRB_SENDAUTH_VLEN; + memcpy (p, version, KRB_SENDAUTH_VLEN); + p += KRB_SENDAUTH_VLEN; + p += krb_put_int(ticket->length, p, 4); + memcpy(p, ticket->dat, ticket->length); + p += ticket->length; + buf->length = p - buf->dat; + return KSUCCESS; +} diff --git a/kerberosIV/krb/mk_err.c b/kerberosIV/krb/mk_err.c index 4c37a83430a..1a28e4d178a 100644 --- a/kerberosIV/krb/mk_err.c +++ b/kerberosIV/krb/mk_err.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/mk_err.c,v $ - * - * $Locker: $ - */ +/* $KTH: mk_err.c,v 1.6 1997/03/23 03:53:14 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology 
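Review bot: Both `strncpy` calls into `realinst` leave it unterminated when `instance` (or the name returned by krb_get_phost) is INST_SZ bytes or longer, and the unterminated buffer is then handed to krb_mk_req, which treats it as a C string; add `realinst[sizeof(realinst) - 1] = '\0';` after the if/else, as krb_name_to_name in name2name.c already does for `phost`. The same pattern appears in krb_mk_req (mk_req.c), where `strncpy(myrealm, realm, REALM_SZ)` feeds `myrealm` to build_request and krb_warning. Separately, `memcpy(p, version, KRB_SENDAUTH_VLEN)` reads exactly KRB_SENDAUTH_VLEN bytes from `version` whatever its actual length, and the ticket is copied into `buf->dat` with no check against the KTEXT capacity; both constraints belong in the header comment, e.g. `/* version must be at least KRB_SENDAUTH_VLEN bytes; buf must hold 2*KRB_SENDAUTH_VLEN + 4 + ticket->length bytes */`.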
@@ -29,8 +23,6 @@ or implied warranty. #include "krb_locl.h" -#include <sys/types.h> - /* * This routine creates a general purpose error reply message. It * doesn't use KTEXT because application protocol may have long @@ -52,26 +44,13 @@ or implied warranty. */ int32_t -krb_mk_err(p, e, e_string) - u_char *p; /* Where to build error packet */ - int32_t e; /* Error code */ - char *e_string; /* Text of error */ +krb_mk_err(u_char *p, int32_t e, char *e_string) { - u_char *start; - - start = p; - - /* Create fixed part of packet */ - *p++ = (unsigned char) KRB_PROT_VERSION; - *p = (unsigned char) AUTH_MSG_APPL_ERR; - *p++ |= HOST_BYTE_ORDER; - - /* Add the basic info */ - bcopy((char *)&e,(char *)p,4); /* err code */ - p += sizeof(e); - (void) strcpy((char *)p,e_string); /* err text */ - p += strlen(e_string); - - /* And return the length */ - return p-start; + unsigned char *start = p; + p += krb_put_int(KRB_PROT_VERSION, p, 1); + p += krb_put_int(AUTH_MSG_APPL_ERR, p, 1); + + p += krb_put_int(e, p, 4); + p += krb_put_string(e_string, p); + return p - start; } diff --git a/kerberosIV/krb/mk_priv.c b/kerberosIV/krb/mk_priv.c index b591bc6f59a..6075f361b1f 100644 --- a/kerberosIV/krb/mk_priv.c +++ b/kerberosIV/krb/mk_priv.c 
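Review bot: The rewritten krb_mk_err still writes into `p` with no bound, so the caller has to size the buffer from `e_string`; the function comment above the hunk should say so, e.g. `/* p must have room for 2 + 4 + strlen(e_string) + 1 bytes (version, type, code, NUL-terminated text) */`, assuming krb_put_string emits the terminator (its definition is not in this diff). Since `e_string` is only read, `const char *e_string` would document that and let callers pass literals cleanly. The type byte no longer carries the `HOST_BYTE_ORDER` bit that the removed code OR-ed in, so the packet is always in the fixed byte order; that is consistent with the other rewritten mk_*.c files in this commit, but deserves a line in the comment for anyone comparing against old captures.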
@@ -1,76 +1,61 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/mk_priv.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ +/* $KTH: mk_priv.c,v 1.18 1997/04/01 08:18:37 joda Exp $ */ /* - * This routine constructs a Kerberos 'private msg', i.e. - * cryptographically sealed with a private session key. - * - * Note-- bcopy is used to avoid alignment problems on IBM RT. - * - * Note-- It's too bad that it did a long int compare on the RT before. - * - * Returns either < 0 ===> error, or resulting size of message - * - * Steve Miller Project Athena MIT/DEC + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb_locl.h" -#include <sys/types.h> -#include <netinet/in.h> -#include <sys/time.h> - /* application include files */ #include "lsb_addr_comp.h" -/* static storage */ -static u_int32_t c_length; -static struct timeval msg_time; -static u_char msg_time_5ms; -static int32_t msg_time_sec; - /* * krb_mk_priv() constructs an AUTH_MSG_PRIVATE message. 
It takes * some user data "in" of "length" bytes and creates a packet in "out" * consisting of the user data, a timestamp, and the sender's network * address. -#ifndef NOENCRYTION * The packet is encrypted by pcbc_encrypt(), using the given * "key" and "schedule". -#endif * The length of the resulting packet "out" is * returned. * * It is similar to krb_mk_safe() except for the additional key * schedule argument "schedule" and the fact that the data is encrypted - * rather than appended with a checksum. Also, the protocol version - * number is "private_msg_ver", defined in krb_rd_priv.c, rather than + * rather than appended with a checksum. The protocol version is * KRB_PROT_VERSION, defined in "krb.h". * * The "out" packet consists of: @@ -78,14 +63,12 @@ static int32_t msg_time_sec; * Size Variable Field * ---- -------- ----- * - * 1 byte private_msg_ver protocol version number + * 1 byte KRB_PROT_VERSION protocol version number * 1 byte AUTH_MSG_PRIVATE | message type plus local * HOST_BYTE_ORDER byte order in low bit * * 4 bytes c_length length of data -#ifndef NOENCRYPT * we encrypt from here with pcbc_encrypt -#endif * * 4 bytes length length of user data * length in user data 
@@ -99,111 +82,44 @@ static int32_t msg_time_sec; */ int32_t -krb_mk_priv(in, out, length, schedule, key, sender, receiver) - u_char *in; /* application data */ - u_char *out; /* put msg here, leave room for - * header! breaks if in and out - * (header stuff) overlap */ - u_int32_t length; /* of in data */ - struct des_ks_struct *schedule; /* precomputed key schedule */ - des_cblock *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; /* sender address */ - struct sockaddr_in *receiver; /* receiver address */ +krb_mk_priv(void *in, void *out, u_int32_t length, + struct des_ks_struct *schedule, des_cblock *key, + struct sockaddr_in *sender, struct sockaddr_in *receiver) { - register u_char *p,*q; - static u_char *c_length_ptr; - - /* - * get the current time to use instead of a sequence #, since - * process lifetime may be shorter than the lifetime of a session - * key. - */ - if (gettimeofday(&msg_time,(struct timezone *)0)) { - return -1; - } - msg_time_sec = (int32_t) msg_time.tv_sec; - msg_time_5ms = msg_time.tv_usec/5000; /* 5ms quanta */ + unsigned char *p = (unsigned char*)out; + unsigned char *cipher; - p = out; + struct timeval tv; + u_int32_t src_addr; + u_int32_t len; - *p++ = private_msg_ver; - *p++ = AUTH_MSG_PRIVATE | HOST_BYTE_ORDER; + p += krb_put_int(KRB_PROT_VERSION, p, 1); + p += krb_put_int(AUTH_MSG_PRIVATE, p, 1); - /* calculate cipher length */ - c_length_ptr = p; - p += sizeof(c_length); + len = 4 + length + 1 + 4 + 4; + len = (len + 7) & ~7; + p += krb_put_int(len, p, 4); + + cipher = p; - q = p; - - /* stuff input length */ - bcopy((char *)&length,(char *)p,sizeof(length)); - p += sizeof(length); - -#ifdef NOENCRYPTION - /* make all the stuff contiguous for checksum */ -#else - /* make all the stuff contiguous for checksum and encryption */ -#endif - bcopy((char *)in,(char *)p,(int) length); + p += krb_put_int(length, p, 4); + + memcpy(p, in, length); p += length; + + gettimeofday(&tv, NULL); - /* stuff time 5ms */ - 
bcopy((char *)&msg_time_5ms,(char *)p,sizeof(msg_time_5ms)); - p += sizeof(msg_time_5ms); - - /* stuff source address */ - bcopy((char *)&sender->sin_addr.s_addr,(char *)p, - sizeof(sender->sin_addr.s_addr)); - p += sizeof(sender->sin_addr.s_addr); - - /* - * direction bit is the sign bit of the timestamp. Ok - * until 2038?? - */ - /* For compatibility with broken old code, compares are done in VAX - byte order (LSBFIRST) */ - if (lsb_net_ulong_less(sender->sin_addr.s_addr, /* src < recv */ - receiver->sin_addr.s_addr)==-1) - msg_time_sec = -msg_time_sec; - else if (lsb_net_ulong_less(sender->sin_addr.s_addr, - receiver->sin_addr.s_addr)==0) - if (lsb_net_ushort_less(sender->sin_port,receiver->sin_port) == -1) - msg_time_sec = -msg_time_sec; - /* stuff time sec */ - bcopy((char *)&msg_time_sec,(char *)p,sizeof(msg_time_sec)); - p += sizeof(msg_time_sec); - - /* - * All that for one tiny bit! Heaven help those that talk to - * themselves. - */ - -#ifdef notdef - /* - * calculate the checksum of the length, address, sequence, and - * inp data - */ - cksum = des_quad_cksum(q,NULL,p-q,0,key); - if (krb_debug) - printf("\ncksum = %u",cksum); - /* stuff checksum */ - bcopy((char *) &cksum,(char *) p,sizeof(cksum)); - p += sizeof(cksum); -#endif - - /* - * All the data have been assembled, compute length - */ + *p++ =tv.tv_usec / 5000; + + src_addr = sender->sin_addr.s_addr; + p += krb_put_address(src_addr, p); - c_length = p - q; - c_length = ((c_length + sizeof(des_cblock) -1)/sizeof(des_cblock)) * - sizeof(des_cblock); - /* stuff the length */ - bcopy((char *) &c_length,(char *)c_length_ptr,sizeof(c_length)); + p += krb_put_int(lsb_time(tv.tv_sec, sender, receiver), p, 4); + + memset(p, 0, 7); -#ifndef NOENCRYPTION - des_pcbc_encrypt((des_cblock *)q,(des_cblock *)q,(long)(p-q),schedule,key, DES_ENCRYPT); -#endif /* NOENCRYPTION */ + des_pcbc_encrypt((des_cblock *)cipher, (des_cblock *)cipher, + len, schedule, key, DES_ENCRYPT); - return (q - out + c_length); /* 
resulting size */ + return (cipher - (unsigned char*)out) + len; } diff --git a/kerberosIV/krb/mk_req.c b/kerberosIV/krb/mk_req.c index f8c4afe38fd..7219fa957ff 100644 --- a/kerberosIV/krb/mk_req.c +++ b/kerberosIV/krb/mk_req.c 
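Review bot: `memset(p, 0, 7)` always zeroes 7 bytes, but the padding actually needed is `len - (p - cipher)`, which is 0..7, so up to 7 bytes are written past the end of the message whose length is returned, and a caller that sized `out` exactly gets an out-of-bounds write; make it exact with `memset(p, 0, len - (p - cipher));`. `gettimeofday(&tv, NULL)` is now unchecked, whereas the removed code returned -1 on failure, so a failing call leaves `tv` uninitialized and the timestamp that serves as the replay/direction field is garbage; `if (gettimeofday(&tv, NULL) < 0) return -1;` restores the old contract. The same unchecked call appears in build_request (mk_req.c) and krb_mk_safe (mk_safe.c). The size formula `4 + length + 1 + 4 + 4` also assumes krb_put_address emits 4 bytes, which cannot be confirmed from this diff; a comment naming the five fields would make the constant checkable.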
@@ -1,39 +1,72 @@ +/* $KTH: mk_req.c,v 1.17 1997/05/30 17:42:38 bg Exp $ */ + /* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/mk_req.c,v $ - * - * $Locker: $ + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - #include "krb_locl.h" -#include <sys/time.h> - -static struct timeval tv_local = { 0, 0 }; static int lifetime = 255; /* But no longer than TGT says. 
*/ + +static void +build_request(KTEXT req, char *name, char *inst, char *realm, + u_int32_t checksum) +{ + struct timeval tv; + unsigned char *p = req->dat; + + p += krb_put_nir(name, inst, realm, p); + + p += krb_put_int(checksum, p, 4); + + + /* Fill in the times on the request id */ + gettimeofday(&tv, NULL); + + *p++ = tv.tv_usec / 5000; /* 5ms */ + + p += krb_put_int(tv.tv_sec, p, 4); + + /* Fill to a multiple of 8 bytes for DES */ + req->length = ((p - req->dat + 7)/8) * 8; +} + + /* * krb_mk_req takes a text structure in which an authenticator is to * be built, the name of a service, an instance, a realm, 
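Review bot: `req->length` is rounded up to a multiple of 8, but the bytes between `p` and `req->dat + req->length` are never written here, and krb_mk_req now keeps `req_st` as an uninitialized automatic variable (it was a zeroed static before this change), so up to 7 bytes of stack contents are encrypted and sent inside the authenticator. Zero the padding explicitly: `u_int32_t len = ((p - req->dat + 7)/8) * 8;` `memset(p, 0, len - (p - req->dat));` `req->length = len;`. The comment `/* Fill to a multiple of 8 bytes for DES */` should then also say the fill is zero.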
@@ -79,114 +112,90 @@ static int lifetime = 255; /* But no longer than TGT says. */ */ int -krb_mk_req(authent, service, instance, realm, checksum) - register KTEXT authent; /* Place to build the authenticator */ - char *service; /* Name of the service */ - char *instance; /* Service instance */ - char *realm; /* Authentication domain of service */ - int32_t checksum; /* Checksum of data (optional) */ +krb_mk_req(KTEXT authent, char *service, char *instance, char *realm, + int32_t checksum) { - static KTEXT_ST req_st; /* Temp storage for req id */ - register KTEXT req_id = &req_st; - unsigned char *v = authent->dat; /* Prot version number */ - unsigned char *t = (authent->dat+1); /* Message type */ - unsigned char *kv = (authent->dat+2); /* Key version no */ - unsigned char *tl = (authent->dat+4+strlen(realm)); /* Tkt len */ - unsigned char *idl = (authent->dat+5+strlen(realm)); /* Reqid len */ + KTEXT_ST req_st; + KTEXT req_id = &req_st; + CREDENTIALS cr; /* Credentials used by retr */ - register KTEXT ticket = &(cr.ticket_st); /* Pointer to tkt_st */ + KTEXT ticket = &(cr.ticket_st); /* Pointer to tkt_st */ int retval; /* Returned by krb_get_cred */ - static des_key_schedule key_s; + char myrealm[REALM_SZ]; - /* The fixed parts of the authenticator */ - *v = (unsigned char) KRB_PROT_VERSION; - *t = (unsigned char) AUTH_MSG_APPL_REQUEST; - *t |= HOST_BYTE_ORDER; + unsigned char *p = authent->dat; + p += krb_put_int(KRB_PROT_VERSION, p, 1); + + p += krb_put_int(AUTH_MSG_APPL_REQUEST, p, 1); + /* Get the ticket and move it into the authenticator */ if (krb_ap_req_debug) - printf("Realm: %s\n",realm); - /* - * Determine realm of these tickets. We will send this to the - * KDC from which we are requesting tickets so it knows what to - * with our session key. 
- */ - if ((retval = krb_get_tf_realm(TKT_FILE, myrealm)) != KSUCCESS) - return(retval); - + krb_warning("Realm: %s\n", realm); + retval = krb_get_cred(service,instance,realm,&cr); if (retval == RET_NOTKT) { - if ((retval = get_ad_tkt(service,instance,realm,lifetime))) - return(retval); - if ((retval = krb_get_cred(service,instance,realm,&cr))) - return(retval); + retval = get_ad_tkt(service, instance, realm, lifetime); + if (retval == KSUCCESS) + retval = krb_get_cred(service, instance, realm, &cr); } - if (retval != KSUCCESS) return (retval); + if (retval != KSUCCESS) + return retval; + + /* + * With multi realm ticket files either find a matching TGT or + * else use the first TGT for inter-realm authentication. + * + * In myrealm hold the realm of the principal "owning" the + * corresponding ticket-granting-ticket. + */ + + retval = krb_get_cred(KRB_TICKET_GRANTING_TICKET, realm, realm, 0); + if (retval == KSUCCESS) + strncpy(myrealm, realm, REALM_SZ); + else + retval = krb_get_tf_realm(TKT_FILE, myrealm); + + if (retval != KSUCCESS) + return retval; + if (krb_ap_req_debug) - printf("%s %s %s %s %s\n", service, instance, realm, - cr.pname, cr.pinst); - *kv = (unsigned char) cr.kvno; - (void) strcpy((char *)(authent->dat+3),realm); - *tl = (unsigned char) ticket->length; - bcopy((char *)(ticket->dat),(char *)(authent->dat+6+strlen(realm)), - ticket->length); - authent->length = 6 + strlen(realm) + ticket->length; - if (krb_ap_req_debug) - printf("Ticket->length = %d\n",ticket->length); - if (krb_ap_req_debug) - printf("Issue date: %d\n",cr.issue_date); - - /* Build request id */ - (void) strcpy((char *)(req_id->dat),cr.pname); /* Auth name */ - req_id->length = strlen(cr.pname)+1; - /* Principal's instance */ - (void) strcpy((char *)(req_id->dat+req_id->length),cr.pinst); - req_id->length += strlen(cr.pinst)+1; - /* Authentication domain */ - (void) strcpy((char *)(req_id->dat+req_id->length),myrealm); - req_id->length += strlen(myrealm)+1; - /* Checksum */ - 
bcopy((char *)&checksum,(char *)(req_id->dat+req_id->length),4); - req_id->length += 4; + krb_warning("serv=%s.%s@%s princ=%s.%s@%s\n", service, instance, realm, + cr.pname, cr.pinst, myrealm); - /* Fill in the times on the request id */ - (void) gettimeofday(&tv_local,(struct timezone *) 0); - *(req_id->dat+(req_id->length)++) = - (unsigned char) tv_local.tv_usec; - /* Time (coarse) */ - bcopy((char *)&(tv_local.tv_sec), - (char *)(req_id->dat+req_id->length), 4); - req_id->length += 4; + p += krb_put_int(cr.kvno, p, 1); - /* Fill to a multiple of 8 bytes for DES */ - req_id->length = ((req_id->length+7)/8)*8; - -#ifndef NOENCRYPTION - des_key_sched(&cr.session,key_s); - des_pcbc_encrypt((des_cblock *)req_id->dat,(des_cblock *)req_id->dat, - (long)req_id->length,key_s,&cr.session, DES_ENCRYPT); - bzero((char *) key_s, sizeof(key_s)); -#endif /* NOENCRYPTION */ - - /* Copy it into the authenticator */ - bcopy((char *)(req_id->dat),(char *)(authent->dat+authent->length), - req_id->length); - authent->length += req_id->length; - /* And set the id length */ - *idl = (unsigned char) req_id->length; - /* clean up */ - bzero((char *)req_id, sizeof(*req_id)); + p += krb_put_string(realm, p); + + p += krb_put_int(ticket->length, p, 1); + + build_request(req_id, cr.pname, cr.pinst, myrealm, checksum); + + encrypt_ktext(req_id, &cr.session, DES_ENCRYPT); + + p += krb_put_int(req_id->length, p, 1); + + memcpy(p, ticket->dat, ticket->length); + + p += ticket->length; + + memcpy(p, req_id->dat, req_id->length); + + p += req_id->length; + + authent->length = p - authent->dat; + + memset(&cr, 0, sizeof(cr)); + memset(&req_st, 0, sizeof(req_st)); if (krb_ap_req_debug) - printf("Authent->length = %d\n",authent->length); - if (krb_ap_req_debug) - printf("idl = %d, tl = %d\n",(int) *idl, (int) *tl); + krb_warning("Authent->length = %d\n", authent->length); - return(KSUCCESS); + return KSUCCESS; } /* 
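Review bot: The second `if (retval != KSUCCESS) return retval;` (after the TGT lookup and krb_get_tf_realm) runs when `cr` has already been filled by a successful krb_get_cred, so the session key in `cr` leaves the function without the `memset(&cr, 0, sizeof(cr))` that only the success path performs; a `goto out` cleanup that always clears `cr` and `req_st` would close that gap. Those two final memsets clear automatic variables that die at the following `return`, so an optimizing compiler may treat them as dead stores and drop them; use a clearing primitive the compiler cannot elide where one is available (explicit_bzero, for instance), or at least note the intent with `/* clear session key and plaintext request id; must not be optimized away */`.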
@@ -197,8 +206,7 @@ krb_mk_req(authent, service, instance, realm, checksum) */ int -krb_set_lifetime(newval) - int newval; +krb_set_lifetime(int newval) { int olife = lifetime; diff --git a/kerberosIV/krb/mk_safe.c b/kerberosIV/krb/mk_safe.c index 3ee06da4930..1f2abc91244 100644 --- a/kerberosIV/krb/mk_safe.c +++ b/kerberosIV/krb/mk_safe.c 
@@ -1,60 +1,52 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/mk_safe.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ +/* $KTH: mk_safe.c,v 1.21 1997/04/19 23:18:03 joda Exp $ */ /* - * This routine constructs a Kerberos 'safe msg', i.e. authenticated - * using a private session key to seed a checksum. Msg is NOT - * encrypted. - * - * Note-- bcopy is used to avoid alignment problems on IBM RT - * - * Returns either <0 ===> error, or resulting size of message - * - * Steve Miller Project Athena MIT/DEC + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. 
Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb_locl.h" -/* system include files */ -#include <sys/types.h> -#include <netinet/in.h> -#include <sys/time.h> - /* application include files */ #include "lsb_addr_comp.h" -/* static storage */ -static u_int32_t cksum; -static des_cblock big_cksum[2]; -static struct timeval msg_time; -static u_char msg_time_5ms; -static int32_t msg_time_sec; + +/* from rd_safe.c */ +extern int dqc_type; +void fixup_quad_cksum(void*, size_t, des_cblock*, void*, void*, int); /* * krb_mk_safe() constructs an AUTH_MSG_SAFE message. It takes some 
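Review bot: `extern int dqc_type;` and the `fixup_quad_cksum` prototype are declared by hand in this .c file ("from rd_safe.c"), so a later change to the definition's parameter list in rd_safe.c will not be caught by the compiler here. Move both declarations into a header that rd_safe.c also includes (krb_locl.h, which this file already includes, is the obvious place), and give the prototype parameter names so the order of the two 16-byte output buffers is visible at the call site, e.g. `void fixup_quad_cksum(void *data, size_t len, des_cblock *key, void *new_cksum, void *old_cksum, int little);` with the last parameter named after whatever it actually means.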
@@ -89,89 +81,51 @@ static int32_t msg_time_sec; */ int32_t -krb_mk_safe(in, out, length, key, sender, receiver) - u_char *in; /* application data */ - u_char *out; /* - * put msg here, leave room for header! - * breaks if in and out (header stuff) - * overlap - */ - u_int32_t length; /* of in data */ - des_cblock *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; /* sender address */ - struct sockaddr_in *receiver; /* receiver address */ +krb_mk_safe(void *in, void *out, u_int32_t length, des_cblock *key, + struct sockaddr_in *sender, struct sockaddr_in *receiver) { - register u_char *p,*q; + unsigned char * p = (unsigned char*)out; + struct timeval tv; + unsigned char *start; + u_int32_t src_addr; - /* - * get the current time to use instead of a sequence #, since - * process lifetime may be shorter than the lifetime of a session - * key. - */ - if (gettimeofday(&msg_time,(struct timezone *)0)) { - return -1; - } - msg_time_sec = (int32_t) msg_time.tv_sec; - msg_time_5ms = msg_time.tv_usec/5000; /* 5ms quanta */ - - p = out; + p += krb_put_int(KRB_PROT_VERSION, p, 1); + p += krb_put_int(AUTH_MSG_SAFE, p, 1); + + start = p; - *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_SAFE | HOST_BYTE_ORDER; + p += krb_put_int(length, p, 4); - q = p; /* start for checksum stuff */ - /* stuff input length */ - bcopy((char *)&length,(char *)p,sizeof(length)); - p += sizeof(length); - - /* make all the stuff contiguous for checksum */ - bcopy((char *)in,(char *)p,(int) length); + memcpy(p, in, length); p += length; + + gettimeofday(&tv, NULL); + + *p++ = tv.tv_usec/5000; /* 5ms */ + + src_addr = sender->sin_addr.s_addr; + p += krb_put_address(src_addr, p); + + p += krb_put_int(lsb_time(tv.tv_sec, sender, receiver), p, 4); + + { + /* We are faking big endian mode, so we need to fix the + * checksum (that is byte order dependent). 
We always send a + * checksum of the new type, unless we know that we are + * talking to an old client (this requires a call to + * krb_rd_safe first). + */ + unsigned char new_checksum[16]; + unsigned char old_checksum[16]; + fixup_quad_cksum(start, p - start, key, new_checksum, old_checksum, 0); + + if((dqc_type == DES_QUAD_GUESS && DES_QUAD_DEFAULT == DES_QUAD_OLD) || + dqc_type == DES_QUAD_OLD) + memcpy(p, old_checksum, 16); + else + memcpy(p, new_checksum, 16); + } + p += 16; - /* stuff time 5ms */ - bcopy((char *)&msg_time_5ms,(char *)p,sizeof(msg_time_5ms)); - p += sizeof(msg_time_5ms); - - /* stuff source address */ - bcopy((char *) &sender->sin_addr.s_addr,(char *)p, - sizeof(sender->sin_addr.s_addr)); - p += sizeof(sender->sin_addr.s_addr); - - /* - * direction bit is the sign bit of the timestamp. Ok until - * 2038?? - */ - /* For compatibility with broken old code, compares are done in VAX - byte order (LSBFIRST) */ - if (lsb_net_ulong_less(sender->sin_addr.s_addr, /* src < recv */ - receiver->sin_addr.s_addr)==-1) - msg_time_sec = -msg_time_sec; - else if (lsb_net_ulong_less(sender->sin_addr.s_addr, - receiver->sin_addr.s_addr)==0) - if (lsb_net_ushort_less(sender->sin_port,receiver->sin_port) == -1) - msg_time_sec = -msg_time_sec; - /* - * all that for one tiny bit! Heaven help those that talk to - * themselves. - */ - - /* stuff time sec */ - bcopy((char *)&msg_time_sec,(char *)p,sizeof(msg_time_sec)); - p += sizeof(msg_time_sec); - -#ifdef NOENCRYPTION - cksum = 0; - bzero(big_cksum, sizeof(big_cksum)); -#else - cksum = des_quad_cksum((des_cblock *)q,big_cksum,p-q,2,key); -#endif - if (krb_debug) - printf("\ncksum = %u",(u_int) cksum); - - /* stuff checksum */ - bcopy((char *)big_cksum,(char *)p,sizeof(big_cksum)); - p += sizeof(big_cksum); - - return ((int32_t)(p - out)); /* resulting size */ - + return p - (unsigned char*)out; } diff --git a/kerberosIV/krb/month_sname.c b/kerberosIV/krb/month_sname.c index 885809a6603..32542c27501 100644 
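Review bot: The checksum size is a magic number repeated five times (`new_checksum[16]`, `old_checksum[16]`, two `memcpy(..., 16)` and `p += 16;`); inside the block use `sizeof old_checksum` / `sizeof new_checksum`, and since `p += 16` sits after the block's closing brace, hoist a named constant for the checksum length so all five sites stay in step. The choice between old and new checksum depends on the global `dqc_type`, which the comment says is set by an earlier krb_rd_safe call, so the bytes krb_mk_safe produces depend on call history and shared state; that belongs in the function's header comment (above the hunk), e.g. `/* Checksum format follows dqc_type, set by krb_rd_safe; not reentrant. */`.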
--- a/kerberosIV/krb/month_sname.c +++ b/kerberosIV/krb/month_sname.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/month_sname.c,v $ - * - * $Locker: $ - */ +/* $KTH: month_sname.c,v 1.5 1997/03/23 03:53:14 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -35,11 +29,9 @@ or implied warranty. * month. Returns 0 if the argument is out of range. */ -char * -month_sname(n) - int n; +const char *month_sname(int n) { - static char *name[] = { + static const char *name[] = { "Jan","Feb","Mar","Apr","May","Jun", "Jul","Aug","Sep","Oct","Nov","Dec" }; diff --git a/kerberosIV/krb/name2name.c b/kerberosIV/krb/name2name.c new file mode 100644 index 00000000000..aa847057353 --- /dev/null +++ b/kerberosIV/krb/name2name.c 
@@ -0,0 +1,102 @@ +/* $KTH: name2name.c,v 1.15 1997/04/30 04:30:36 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +/* convert host to a more fully qualified domain name, returns 0 if + * phost is the same as host, 1 otherwise. phost should be + * phost_size bytes long. + */ + +int +krb_name_to_name(const char *host, char *phost, size_t phost_size) +{ + struct hostent *hp; + struct in_addr adr; + const char *tmp; + + adr.s_addr = inet_addr(host); + hp = gethostbyname(host); + if (hp == NULL && adr.s_addr != INADDR_NONE) + hp = gethostbyaddr((char *)&adr, sizeof(adr), AF_INET); + if (hp == NULL) + tmp = host; + else + tmp = hp->h_name; + strncpy (phost, tmp, phost_size); + phost[phost_size - 1] = '\0'; + + if (strcmp(phost, host) == 0) + return 0; + else + return 1; +} + +/* lowercase and truncate */ + +void +k_ricercar(char *name) +{ + char *p = name; + while(*p && *p != '.'){ + if(isupper(*p)) + *p = tolower(*p); + p++; + } + if(*p == '.') + *p = 0; +} + +/* + * This routine takes an alias for a host name and returns the first + * field, in lower case, of its domain name. + * + * Example: "fOo.BAR.com" -> "foo" + */ + +char * +krb_get_phost(const char *alias) +{ + static char phost[MAXHOSTNAMELEN]; + + krb_name_to_name(alias, phost, sizeof(phost)); + k_ricercar(phost); + return phost; +} diff --git a/kerberosIV/krb/netread.c b/kerberosIV/krb/netread.c index e223b7915ac..0149aba2635 100644 --- a/kerberosIV/krb/netread.c +++ b/kerberosIV/krb/netread.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/netread.c,v $ - * - * $Locker: $ - */ +/* $KTH: netread.c,v 1.7 1997/06/19 23:56:44 assar Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -40,12 +34,10 @@ or implied warranty. */ int -krb_net_read(fd, buf, len) - int fd; - register char *buf; - register int len; +krb_net_read (int fd, void *v, size_t len) { int cc, len2 = 0; + char *buf = v; do { cc = read(fd, buf, len); 
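Review bot: `k_ricercar` hands a plain `char` to `isupper()`/`tolower()`; where `char` is signed, a byte above 0x7F in the name (which in `krb_get_phost` comes straight from the resolver via `gethostbyname`/`gethostbyaddr` in `krb_name_to_name`) is a negative index into the ctype table, which is undefined behaviour. Cast first: `if(isupper((unsigned char)*p)) *p = tolower((unsigned char)*p);`. Separately, `krb_get_phost` returns its single static `phost[MAXHOSTNAMELEN]`, so the result is overwritten by the next call and is unsafe to hold across calls or share between threads; a comment such as `/* Returns a pointer to static storage; not reentrant. */` on the function would warn callers. It is also worth noting in the header comment that the canonical name used to pick the service principal is whatever the resolver returns, so a spoofed DNS answer chooses which host key is consulted — inherent to the design, but callers should know it.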
diff --git a/kerberosIV/krb/netwrite.c b/kerberosIV/krb/netwrite.c index c95033c0bf2..edd2d80b476 100644 --- a/kerberosIV/krb/netwrite.c +++ b/kerberosIV/krb/netwrite.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/netwrite.c,v $ - * - * $Locker: $ - */ +/* $KTH: netwrite.c,v 1.8 1997/06/19 23:56:25 assar Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -39,13 +33,12 @@ or implied warranty. */ int -krb_net_write(fd, buf, len) - int fd; - register char *buf; - int len; +krb_net_write(int fd, const void *v, size_t len) { int cc; - register int wrlen = len; + int wrlen = len; + const char *buf = (const char*)v; + do { cc = write(fd, buf, wrlen); if (cc < 0) diff --git a/kerberosIV/krb/one.c b/kerberosIV/krb/one.c index 316d80465f7..d43b2840e08 100644 --- a/kerberosIV/krb/one.c +++ b/kerberosIV/krb/one.c @@ -1,11 +1,3 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/one.c,v $ - * - * $Locker: $ - */ - /* Copyright (C) 1989 by the Massachusetts Institute of Technology diff --git a/kerberosIV/krb/parse_name.c b/kerberosIV/krb/parse_name.c new file mode 100644 index 00000000000..281a3389391 --- /dev/null +++ b/kerberosIV/krb/parse_name.c 
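Review bot: `int wrlen = len;` in `krb_net_write` narrows the new `size_t` parameter to `int`; a length above `INT_MAX` becomes negative and is then handed back to `write()` as a huge `size_t`, and the `cc < 0` test that follows only notices if the write itself fails. Keep the counter unsigned: `size_t wrlen = len;`. The remainder of the loop, which updates `wrlen` and `buf` from `cc`, is outside the hunk and must agree with that type.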
@@ -0,0 +1,199 @@ +/* $KTH: parse_name.c,v 1.4 1997/04/01 08:18:39 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +int +krb_parse_name(const char *fullname, krb_principal *principal) +{ + const char *p; + char *ns, *np; + enum {n, i, r} pos = n; + int quote = 0; + ns = np = principal->name; + + principal->name[0] = 0; + principal->instance[0] = 0; + principal->realm[0] = 0; + + for(p = fullname; *p; p++){ + if(np - ns == ANAME_SZ - 1) /* XXX they have the same size */ + return KNAME_FMT; + if(quote){ + *np++ = *p; + quote = 0; + continue; + } + if(*p == '\\') + quote = 1; + else if(*p == '.' && pos == n){ + *np = 0; + ns = np = principal->instance; + pos = i; + }else if(*p == '@' && (pos == n || pos == i)){ + *np = 0; + ns = np = principal->realm; + pos = r; + }else + *np++ = *p; + } + *np = 0; + if(quote || principal->name[0] == 0) + return KNAME_FMT; + return KSUCCESS; +} + +int +kname_parse(char *np, char *ip, char *rp, char *fullname) +{ + krb_principal p; + int ret; + if((ret = krb_parse_name(fullname, &p)) == 0){ + strcpy(np, p.name); + strcpy(ip, p.instance); + if(p.realm[0]) + strcpy(rp, p.realm); + } + return ret; +} +/* + * k_isname() returns 1 if the given name is a syntactically legitimate + * Kerberos name; returns 0 if it's not. + */ + +int +k_isname(char *s) +{ + char c; + int backslash = 0; + + if (!*s) + return 0; + if (strlen(s) > ANAME_SZ - 1) + return 0; + while ((c = *s++)) { + if (backslash) { + backslash = 0; + continue; + } + switch(c) { + case '\\': + backslash = 1; + break; + case '.': + return 0; + /* break; */ + case '@': + return 0; + /* break; */ + } + } + return 1; +} + + +/* + * k_isinst() returns 1 if the given name is a syntactically legitimate + * Kerberos instance; returns 0 if it's not. 
+ */ + +int +k_isinst(char *s) +{ + char c; + int backslash = 0; + + if (strlen(s) > INST_SZ - 1) + return 0; + while ((c = *s++)) { + if (backslash) { + backslash = 0; + continue; + } + switch(c) { + case '\\': + backslash = 1; + break; + case '.': +#if INSTANCE_DOTS_OK + break; +#else /* INSTANCE_DOTS_OK */ + return 0; +#endif /* INSTANCE_DOTS_OK */ + /* break; */ + case '@': + return 0; + /* break; */ + } + } + return 1; +} + +/* + * k_isrealm() returns 1 if the given name is a syntactically legitimate + * Kerberos realm; returns 0 if it's not. + */ + +int +k_isrealm(char *s) +{ + char c; + int backslash = 0; + + if (!*s) + return 0; + if (strlen(s) > REALM_SZ - 1) + return 0; + while ((c = *s++)) { + if (backslash) { + backslash = 0; + continue; + } + switch(c) { + case '\\': + backslash = 1; + break; + case '@': + return 0; + /* break; */ + } + } + return 1; +} diff --git a/kerberosIV/krb/pkt_clen.c b/kerberosIV/krb/pkt_clen.c deleted file mode 100644 index af9d2a12cfa..00000000000 --- a/kerberosIV/krb/pkt_clen.c +++ /dev/null 
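Review bot: `kname_parse` copies `p.name`, `p.instance` and `p.realm` into the caller's `np`/`ip`/`rp` with unbounded `strcpy`, so its only bound is the `np - ns == ANAME_SZ - 1` check in `krb_parse_name`, which — as the `XXX they have the same size` comment admits — silently assumes `ANAME_SZ`, `INST_SZ` and `REALM_SZ` are equal. Make that assumption fail at compile time instead of overflowing a buffer later: `#if ANAME_SZ != INST_SZ || ANAME_SZ != REALM_SZ` / `#error krb_parse_name assumes ANAME_SZ == INST_SZ == REALM_SZ` / `#endif` after the include, and state in a comment on `kname_parse` that each destination must be at least the corresponding `*_SZ` bytes. Note also that the bound check runs before the separator test, so a component of exactly `ANAME_SZ - 1` characters followed by `.` or `@` is rejected with `KNAME_FMT` even though it would fit, while `k_isname` accepts a name of that length; if that is unintended, the check belongs in the final `else` branch that actually stores a byte.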
@@ -1,68 +0,0 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/pkt_clen.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - -#if defined(horrible_function_using_global_variable_had_to_be_inlined) - -#include "krb_locl.h" - -/* - * Given a pointer to an AUTH_MSG_KDC_REPLY packet, return the length of - * its ciphertext portion. The external variable "swap_bytes" is assumed - * to have been set to indicate whether or not the packet is in local - * byte order. pkt_clen() takes this into account when reading the - * ciphertext length out of the packet. - */ - -int -pkt_clen(pkt) - KTEXT pkt; -{ - static unsigned short temp,temp2; - int clen = 0; - - /* Start of ticket list */ - unsigned char *ptr = pkt_a_realm(pkt) + 10 - + strlen((char *)pkt_a_realm(pkt)); - - /* Finally the length */ - bcopy((char *)(++ptr),(char *)&temp,2); /* alignment */ - if (swap_bytes) { - /* assume a short is 2 bytes?? 
*/ - swab((char *)&temp,(char *)&temp2,2); - temp = temp2; - } - - clen = (int) temp; - - if (krb_debug) - printf("Clen is %d\n",clen); - return(clen); -} - -#endif /* defined(horrible_function_using_global_variable_had_to_be_inlined) */ diff --git a/kerberosIV/krb/rd_err.c b/kerberosIV/krb/rd_err.c index 8b3a26fe8d7..c1024ace9e3 100644 --- a/kerberosIV/krb/rd_err.c +++ b/kerberosIV/krb/rd_err.c 
@@ -1,49 +1,45 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/rd_err.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ +/* $KTH: rd_err.c,v 1.8 1997/04/01 08:18:40 joda Exp $ */ /* - * This routine dissects a a Kerberos 'safe msg', - * checking its integrity, and returning a pointer to the application - * data contained and its length. - * - * Returns 0 (RD_AP_OK) for success or an error code (RD_AP_...) - * - * Steve Miller Project Athena MIT/DEC + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. 
Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb_locl.h" -/* system include files */ -#include <sys/types.h> -#include <netinet/in.h> -#include <sys/time.h> - /* * Given an AUTH_MSG_APPL_ERR message, "in" and its length "in_length", * return the error code from the message in "code" and the text in 
@@ -60,32 +56,27 @@ or implied warranty. */ int -krb_rd_err(in, in_length, code, m_data) - u_char *in; /* pointer to the msg received */ - u_int32_t in_length; /* of in msg */ - int32_t *code; /* received error code */ - MSG_DAT *m_data; +krb_rd_err(u_char *in, u_int32_t in_length, int32_t *code, MSG_DAT *m_data) { - register u_char *p; - int swap_bytes = 0; - p = in; /* beginning of message */ - - if (*p++ != KRB_PROT_VERSION) - return(RD_AP_VERSION); - if (((*p) & ~1) != AUTH_MSG_APPL_ERR) - return(RD_AP_MSG_TYPE); - if ((*p++ & 1) != HOST_BYTE_ORDER) - swap_bytes++; - - /* safely get code */ - bcopy((char *)p,(char *)code,sizeof(*code)); - if (swap_bytes) - swap_u_long(*code); - p += sizeof(*code); /* skip over */ - - m_data->app_data = p; /* we're now at the error text - * message */ - m_data->app_length = in_length; + unsigned char *p = (unsigned char*)in; + + unsigned char pvno, type; + int little_endian; - return(RD_AP_OK); /* OK == 0 */ + pvno = *p++; + if(pvno != KRB_PROT_VERSION) + return RD_AP_VERSION; + + type = *p++; + little_endian = type & 1; + type &= ~1; + + if(type != AUTH_MSG_APPL_ERR) + return RD_AP_MSG_TYPE; + + p += krb_get_int(p, (u_int32_t *)&code, 4, little_endian); + + m_data->app_data = p; + m_data->app_length = in_length; /* XXX is this correct? */ + return KSUCCESS; } diff --git a/kerberosIV/krb/rd_priv.c b/kerberosIV/krb/rd_priv.c index be52843cb95..9c8c6327dcf 100644 --- a/kerberosIV/krb/rd_priv.c +++ b/kerberosIV/krb/rd_priv.c 
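Review bot: `krb_get_int(p, (u_int32_t *)&code, 4, little_endian)` takes the address of the pointer parameter `code` itself, not of the caller's variable, so the decoded error code is written over the local pointer (into half of it on LP64) and `*code` is never set — the `bcopy(..., code, ...)` it replaces was correct. It should read `p += krb_get_int(p, (u_int32_t *)code, 4, little_endian);`. Nothing checks that the message holds the 6 bytes read before `app_data` is set, so `in_length` never bounds those reads; add `if (in_length < 6) return RD_AP_MODIFIED;` ahead of `pvno = *p++;`. And as the `XXX is this correct?` comment suspects, `m_data->app_length = in_length` still counts the header, so the text pointed to by `app_data` is really `in_length - (p - in)` bytes long.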
@@ -1,69 +1,50 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/rd_priv.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ +/* $KTH: rd_priv.c,v 1.24 1997/05/14 17:53:29 joda Exp $ */ /* - * This routine dissects a a Kerberos 'private msg', decrypting it, - * checking its integrity, and returning a pointer to the application - * data contained and its length. - * - * Returns 0 (RD_AP_OK) for success or an error code (RD_AP_...). If - * the return value is RD_AP_TIME, then either the times are too far - * out of synch, OR the packet was modified. - * - * Steve Miller Project Athena MIT/DEC + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb_locl.h" -/* system include files */ -#include <sys/types.h> -#include <netinet/in.h> -#include <sys/time.h> - /* application include files */ #include "lsb_addr_comp.h" -/* static storage */ -static u_int32_t c_length; -static int swap_bytes; -static struct timeval local_time; -static long delta_t; - -/* Global! 
*/ -int private_msg_ver = KRB_PROT_VERSION; - /* -#ifdef NOENCRPYTION - * krb_rd_priv() checks the integrity of an -#else * krb_rd_priv() decrypts and checks the integrity of an -#endif * AUTH_MSG_PRIVATE message. Given the message received, "in", * the length of that message, "in_length", the key "schedule" * and "key", and the network addresses of the 
@@ -80,111 +61,62 @@ int private_msg_ver = KRB_PROT_VERSION; */ int32_t -krb_rd_priv(in, in_length, schedule, key, sender, receiver, m_data) - u_char *in; /* pointer to the msg received */ - u_int32_t in_length; /* length of "in" msg */ - struct des_ks_struct *schedule; /* precomputed key schedule */ - des_cblock *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; - struct sockaddr_in *receiver; - MSG_DAT *m_data; /*various input/output data from msg */ +krb_rd_priv(void *in, u_int32_t in_length, + struct des_ks_struct *schedule, des_cblock *key, + struct sockaddr_in *sender, struct sockaddr_in *receiver, + MSG_DAT *m_data) { - register u_char *p,*q; - static u_int32_t src_addr; /* Can't send structs since no - * guarantees on size */ - - if (gettimeofday(&local_time,(struct timezone *)0)) - return -1; - - p = in; /* beginning of message */ - swap_bytes = 0; - - if (*p++ != KRB_PROT_VERSION && *(p-1) != 3) - return RD_AP_VERSION; - private_msg_ver = *(p-1); - if (((*p) & ~1) != AUTH_MSG_PRIVATE) - return RD_AP_MSG_TYPE; - if ((*p++ & 1) != HOST_BYTE_ORDER) - swap_bytes++; - - /* get cipher length */ - bcopy((char *)p,(char *)&c_length,sizeof(c_length)); - if (swap_bytes) - swap_u_long(c_length); - p += sizeof(c_length); - /* check for rational length so we don't go comatose */ - if (VERSION_SZ + MSG_TYPE_SZ + c_length > in_length) - return RD_AP_MODIFIED; - - - q = p; /* mark start of encrypted stuff */ - -#ifndef NOENCRYPTION - des_pcbc_encrypt((des_cblock *)q,(des_cblock *)q,(long)c_length,schedule,key,DES_DECRYPT); -#endif - - /* safely get application data length */ - bcopy((char *) p,(char *)&(m_data->app_length), - sizeof(m_data->app_length)); - if (swap_bytes) - swap_u_long(m_data->app_length); - p += sizeof(m_data->app_length); /* skip over */ - - if (m_data->app_length + sizeof(c_length) + sizeof(in_length) + - sizeof(m_data->time_sec) + sizeof(m_data->time_5ms) + - sizeof(src_addr) + VERSION_SZ + MSG_TYPE_SZ - > in_length) - return 
RD_AP_MODIFIED; - -#ifndef NOENCRYPTION - /* we're now at the decrypted application data */ -#endif - m_data->app_data = p; + unsigned char *p = (unsigned char*)in; + int little_endian; + u_int32_t clen; + struct timeval tv; + u_int32_t src_addr; + int delta_t; + + unsigned char pvno, type; + + pvno = *p++; + if(pvno != KRB_PROT_VERSION) + return RD_AP_VERSION; + + type = *p++; + little_endian = type & 1; + type &= ~1; + + p += krb_get_int(p, &clen, 4, little_endian); + + if(clen + 2 > in_length) + return RD_AP_MODIFIED; + + des_pcbc_encrypt((des_cblock*)p, (des_cblock*)p, clen, + schedule, key, DES_DECRYPT); + + p += krb_get_int(p, &m_data->app_length, 4, little_endian); + if(m_data->app_length + 17 > in_length) + return RD_AP_MODIFIED; + m_data->app_data = p; p += m_data->app_length; + + m_data->time_5ms = *p++; - /* safely get time_5ms */ - bcopy((char *) p, (char *)&(m_data->time_5ms), - sizeof(m_data->time_5ms)); - /* don't need to swap-- one byte for now */ - p += sizeof(m_data->time_5ms); - - /* safely get src address */ - bcopy((char *) p,(char *)&src_addr,sizeof(src_addr)); - /* don't swap, net order always */ - p += sizeof(src_addr); - - /* safely get time_sec */ - bcopy((char *) p, (char *)&(m_data->time_sec), - sizeof(m_data->time_sec)); - if (swap_bytes) swap_u_long(m_data->time_sec); - - p += sizeof(m_data->time_sec); - - /* check direction bit is the sign bit */ - /* For compatibility with broken old code, compares are done in VAX - byte order (LSBFIRST) */ - if (lsb_net_ulong_less(sender->sin_addr.s_addr, - receiver->sin_addr.s_addr)==-1) - /* src < recv */ - m_data->time_sec = - m_data->time_sec; - else if (lsb_net_ulong_less(sender->sin_addr.s_addr, - receiver->sin_addr.s_addr)==0) - if (lsb_net_ushort_less(sender->sin_port,receiver->sin_port)==-1) - /* src < recv */ - m_data->time_sec = - m_data->time_sec; - /* - * all that for one tiny bit! - * Heaven help those that talk to themselves. 
- */ + p += krb_get_address(p, &src_addr); + + if (!krb_equiv(src_addr, sender->sin_addr.s_addr)) + return RD_AP_BADD; + + p += krb_get_int(p, (u_int32_t *)&m_data->time_sec, 4, little_endian); + + m_data->time_sec = lsb_time(m_data->time_sec, sender, receiver); + + gettimeofday(&tv, NULL); /* check the time integrity of the msg */ - delta_t = abs((int)((long) local_time.tv_sec - - m_data->time_sec)); + delta_t = abs((int)((long) tv.tv_sec - m_data->time_sec)); if (delta_t > CLOCK_SKEW) return RD_AP_TIME; if (krb_debug) - printf("\ndelta_t = %d", (int) delta_t); + krb_warning("\ndelta_t = %d", (int) delta_t); /* * caller must check timestamps for proper order and @@ -193,20 +125,5 @@ krb_rd_priv(in, in_length, schedule, key, sender, receiver, m_data) * tightly synchronized clocks. */ -#ifdef notdef - bcopy((char *) p,(char *)&cksum,sizeof(cksum)); - if (swap_bytes) swap_u_long(cksum) - /* - * calculate the checksum of the length, sequence, - * and input data, on the sending byte order!! - */ - calc_cksum = des_quad_cksum(q,NULL,p-q,0,key); - - if (krb_debug) - printf("\ncalc_cksum = %u, received cksum = %u", - calc_cksum, cksum); - if (cksum != calc_cksum) - return RD_AP_MODIFIED; -#endif - return RD_AP_OK; /* OK == 0 */ + return KSUCCESS; } diff --git a/kerberosIV/krb/rd_req.c b/kerberosIV/krb/rd_req.c index 61a5f9dcc90..adcbabe8937 100644 --- a/kerberosIV/krb/rd_req.c +++ b/kerberosIV/krb/rd_req.c 
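Review bot: the new check `if(clen + 2 > in_length)` in `krb_rd_priv` is short by the 4-byte length field (the header consumed before it is 1 + 1 + 4 = 6 bytes) and, `clen` being `u_int32_t`, wraps for `clen >= 0xFFFFFFFE`, so a message claiming a near-2^32 cipher length passes and `des_pcbc_encrypt` then decrypts far past the end of `in`. Write it without the addition: `if (in_length < 6 || clen > in_length - 6) return RD_AP_MODIFIED;`. The same applies to `m_data->app_length + 17 > in_length`, which also wraps and by my count is two bytes short of the 19 bytes of framing (6 header + 4 length + 1 + 4 + 4) the old code allowed for; since `app_data` lies inside the decrypted region it should be bounded by `clen`, e.g. `if (clen < 13 || m_data->app_length > clen - 13) return RD_AP_MODIFIED;`. The function continues into the following hunk, and with the checksum block removed nothing in it verifies integrity — the timestamp and sender address are all a tampered ciphertext has to survive — which the header comment should say plainly.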
@@ -1,36 +1,45 @@ +/* $KTH: rd_req.c,v 1.24 1997/05/11 11:05:28 assar Exp $ */ + /* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/rd_req.c,v $ - * - * $Locker: $ + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ - #include "krb_locl.h" -#include <sys/time.h> - static struct timeval t_local = { 0, 0 }; /* 
@@ -75,19 +84,17 @@ static char st_inst[INST_SZ]; /* server's instance */ */ int -krb_set_key(key, cvt) - char *key; - int cvt; +krb_set_key(void *key, int cvt) { #ifdef NOENCRYPTION - bzero(ky, sizeof(ky)); + memset(ky, 0, sizeof(ky)); return KSUCCESS; #else /* Encrypt */ if (cvt) - des_string_to_key(key,&ky); + des_string_to_key((char*)key, &ky); else - bcopy(key,(char *)ky,8); - return(des_key_sched(&ky,serv_key)); + memcpy((char*)ky, key, 8); + return(des_key_sched(&ky, serv_key)); #endif /* NOENCRYPTION */ } 
@@ -134,75 +141,64 @@ krb_set_key(key, cvt) */ int -krb_rd_req(authent, service, instance, from_addr, ad, fn) - register KTEXT authent; /* The received message */ - char *service; /* Service name */ - char *instance; /* Service instance */ - int32_t from_addr; /* Net address of originating host */ - AUTH_DAT *ad; /* Structure to be filled in */ - char *fn; /* Filename to get keys from */ +krb_rd_req(KTEXT authent, /* The received message */ + char *service, /* Service name */ + char *instance, /* Service instance */ + int32_t from_addr, /* Net address of originating host */ + AUTH_DAT *ad, /* Structure to be filled in */ + char *fn) /* Filename to get keys from */ { static KTEXT_ST ticket; /* Temp storage for ticket */ static KTEXT tkt = &ticket; static KTEXT_ST req_id_st; /* Temp storage for authenticator */ - register KTEXT req_id = &req_id_st; + KTEXT req_id = &req_id_st; char realm[REALM_SZ]; /* Realm of issuing kerberos */ - static des_key_schedule seskey_sched; /* Key sched for session key */ + unsigned char skey[KKEY_SZ]; /* Session key from ticket */ char sname[SNAME_SZ]; /* Service name from ticket */ char iname[INST_SZ]; /* Instance name from ticket */ char r_aname[ANAME_SZ]; /* Client name from authenticator */ char r_inst[INST_SZ]; /* Client instance from authenticator */ char r_realm[REALM_SZ]; /* Client realm from authenticator */ - unsigned int r_time_ms; /* Fine time from authenticator */ - unsigned long r_time_sec; /* Coarse time from authenticator */ - register char *ptr; /* For stepping through */ + u_int32_t r_time_sec; /* Coarse time from authenticator */ unsigned long delta_t; /* Time in authenticator - local time */ long tkt_age; /* Age of ticket */ - static int swap_bytes; /* Need to swap bytes? */ - static int mutual; /* Mutual authentication requested? 
*/ static unsigned char s_kvno;/* Version number of the server's key * Kerberos used to encrypt ticket */ + + struct timeval tv; int status; + int pvno; + int type; + int little_endian; + + unsigned char *p; + if (authent->length <= 0) return(RD_AP_MODIFIED); - ptr = (char *) authent->dat; + p = authent->dat; /* get msg version, type and byte order, and server key version */ - /* check version */ - if (KRB_PROT_VERSION != (unsigned int) *ptr++) - return(RD_AP_VERSION); - - /* byte order */ - swap_bytes = 0; - if ((*ptr & 1) != HOST_BYTE_ORDER) - swap_bytes++; - - /* check msg type */ - mutual = 0; - switch (*ptr++ & ~1) { - case AUTH_MSG_APPL_REQUEST: - break; - case AUTH_MSG_APPL_REQUEST_MUTUAL: - mutual++; - break; - default: - return(RD_AP_MSG_TYPE); - } + pvno = *p++; + + if(pvno != KRB_PROT_VERSION) + return RD_AP_VERSION; + + type = *p++; + + little_endian = type & 1; + type &= ~1; + + if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL) + return RD_AP_MSG_TYPE; -#ifdef lint - /* XXX mutual is set but not used; why??? */ - /* this is a crock to get lint to shut up */ - if (mutual) - mutual = 0; -#endif /* lint */ - s_kvno = *ptr++; /* get server key version */ - (void) strncpy(realm,ptr, REALM_SZ); /* And the realm of the issuing KDC */ - ptr += strlen(ptr) + 1; /* skip the realm "hint" */ + s_kvno = *p++; + + p += krb_get_string(p, realm); /* * If "fn" is NULL, key info should already be set; don't 
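Review bot: `p += krb_get_string(p, realm);` copies the issuing realm out of the received authenticator into `realm[REALM_SZ]` with no bound from either REALM_SZ or the remaining `authent->length`, whereas the replaced `strncpy(realm,ptr, REALM_SZ)` at least capped the write; unless krb_get_string (not shown here) enforces a limit itself, an over-long realm field in a received message overruns the stack buffer before any later check runs, and the same `realm` is then passed to read_service_key and strcpy'd into `st_rlm` in the next hunk. A check before the copy of the form `if (memchr(p, '\0', authent->length - (p - authent->dat)) == NULL) return RD_AP_MODIFIED;` together with a cap of REALM_SZ - 1 on the copied length would close this. The `authent->length <= 0` test also admits lengths of 1 or 2, shorter than the three fixed header bytes `pvno`, `type` and `s_kvno` that are read unconditionally. krb_rd_req's body continues into the next hunk.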
@@ -216,124 +212,110 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) strcmp(st_rlm,realm) || (st_kvno != s_kvno))) { if (*fn == 0) fn = KEYFILE; st_kvno = s_kvno; -#ifndef NOENCRYPTION - if (read_service_key(service,instance,realm,(int) s_kvno, - fn,(char *)skey)) + if (read_service_key(service, instance, realm, s_kvno, + fn, (char *)skey)) return(RD_AP_UNDEC); - if ((status = krb_set_key((char *)skey,0))) + if ((status = krb_set_key((char*)skey, 0))) return(status); -#endif /* !NOENCRYPTION */ - (void) strcpy(st_rlm,realm); - (void) strcpy(st_nam,service); - (void) strcpy(st_inst,instance); + strcpy(st_rlm, realm); + strcpy(st_nam, service); + strcpy(st_inst, instance); } - /* Get ticket from authenticator */ - tkt->length = (int) *ptr++; - if ((tkt->length + (ptr+1 - (char *) authent->dat)) > authent->length) - return(RD_AP_MODIFIED); - bcopy(ptr+1,(char *)(tkt->dat),tkt->length); + tkt->length = *p++; - if (krb_ap_req_debug) - log("ticket->length: %d",tkt->length); + req_id->length = *p++; -#ifndef NOENCRYPTION - /* Decrypt and take apart ticket */ -#endif + if(tkt->length + (p - authent->dat) > authent->length) + return RD_AP_MODIFIED; - if (decomp_ticket(tkt,&ad->k_flags,ad->pname,ad->pinst,ad->prealm, - &(ad->address),ad->session, &(ad->life), - &(ad->time_sec),sname,iname,&ky,serv_key)) - return(RD_AP_UNDEC); + memcpy(tkt->dat, p, tkt->length); + p += tkt->length; + if (krb_ap_req_debug) + krb_log("ticket->length: %d",tkt->length); + + /* Decrypt and take apart ticket */ + if (decomp_ticket(tkt, &ad->k_flags, ad->pname, ad->pinst, ad->prealm, + &ad->address, ad->session, &ad->life, + &ad->time_sec, sname, iname, &ky, serv_key)) + return RD_AP_UNDEC; + if (krb_ap_req_debug) { - log("Ticket Contents."); - log(" Aname: %s.%s",ad->pname, - ((int)*(ad->prealm) ? ad->prealm : "Athena")); - log(" Service: %s%s%s",sname,((int)*iname ? "." 
: ""),iname); + krb_log("Ticket Contents."); + krb_log(" Aname: %s.%s",ad->pname, ad->prealm); + krb_log(" Service: %s", krb_unparse_name_long(sname, iname, NULL)); } /* Extract the authenticator */ - req_id->length = (int) *(ptr++); - if ((req_id->length + (ptr + tkt->length - (char *) authent->dat)) > - authent->length) - return(RD_AP_MODIFIED); - bcopy(ptr + tkt->length, (char *)(req_id->dat),req_id->length); + + if(req_id->length + (p - authent->dat) > authent->length) + return RD_AP_MODIFIED; + memcpy(req_id->dat, p, req_id->length); + p = req_id->dat; + #ifndef NOENCRYPTION /* And decrypt it with the session key from the ticket */ - if (krb_ap_req_debug) log("About to decrypt authenticator"); - des_key_sched(&ad->session,seskey_sched); - des_pcbc_encrypt((des_cblock *)req_id->dat,(des_cblock *)req_id->dat, - (long) req_id->length, seskey_sched,&ad->session,DES_DECRYPT); - if (krb_ap_req_debug) log("Done."); + if (krb_ap_req_debug) krb_log("About to decrypt authenticator"); + + encrypt_ktext(req_id, &ad->session, DES_DECRYPT); + + if (krb_ap_req_debug) krb_log("Done."); #endif /* NOENCRYPTION */ + /* cast req_id->length to int? */ #define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED); - ptr = (char *) req_id->dat; - (void) strcpy(r_aname,ptr); /* Authentication name */ - ptr += strlen(r_aname)+1; - check_ptr(); - (void) strcpy(r_inst,ptr); /* Authentication instance */ - ptr += strlen(r_inst)+1; - check_ptr(); - (void) strcpy(r_realm,ptr); /* Authentication name */ - ptr += strlen(r_realm)+1; - check_ptr(); - bcopy(ptr,(char *)&ad->checksum,4); /* Checksum */ - ptr += 4; - check_ptr(); - if (swap_bytes) swap_u_long(ad->checksum); - r_time_ms = *(ptr++); /* Time (fine) */ -#ifdef lint - /* XXX r_time_ms is set but not used. why??? */ - /* this is a crock to get lint to shut up */ - if (r_time_ms) - r_time_ms = 0; -#endif /* lint */ - check_ptr(); - /* assume sizeof(r_time_sec) == 4 ?? 
*/ - bcopy(ptr,(char *)&r_time_sec,4); /* Time (coarse) */ - if (swap_bytes) swap_u_long(r_time_sec); + p += krb_get_nir(p, r_aname, r_inst, r_realm); /* XXX no rangecheck */ + + p += krb_get_int(p, &ad->checksum, 4, little_endian); + + p++; /* time_5ms is not used */ + + p += krb_get_int(p, &r_time_sec, 4, little_endian); /* Check for authenticity of the request */ if (krb_ap_req_debug) - log("Pname: %s %s",ad->pname,r_aname); - if (strcmp(ad->pname,r_aname) != 0) - return(RD_AP_INCON); - if (strcmp(ad->pinst,r_inst) != 0) - return(RD_AP_INCON); + krb_log("Principal: %s.%s@%s / %s.%s@%s",ad->pname,ad->pinst, ad->prealm, + r_aname, r_inst, r_realm); + if (strcmp(ad->pname, r_aname) != 0 || + strcmp(ad->pinst, r_inst) != 0 || + strcmp(ad->prealm, r_realm) != 0) + return RD_AP_INCON; + if (krb_ap_req_debug) - log("Realm: %s %s",ad->prealm,r_realm); - if ((strcmp(ad->prealm,r_realm) != 0)) - return(RD_AP_INCON); + krb_log("Address: %x %x", ad->address, from_addr); - if (krb_ap_req_debug) - log("Address: %d %d",ad->address,from_addr); + if (from_addr && (!krb_equiv(ad->address, from_addr))) + return RD_AP_BADD; - (void) gettimeofday(&t_local,(struct timezone *) 0); - delta_t = abs((int)(t_local.tv_sec - r_time_sec)); + gettimeofday(&tv, NULL); + delta_t = abs((int)(tv.tv_sec - r_time_sec)); if (delta_t > CLOCK_SKEW) { if (krb_ap_req_debug) - log("Time out of range: %d - %d = %d", - t_local.tv_sec,r_time_sec,delta_t); - return(RD_AP_TIME); + krb_log("Time out of range: %lu - %lu = %lu", + (unsigned long)t_local.tv_sec, + (unsigned long)r_time_sec, + (unsigned long)delta_t); + return RD_AP_TIME; } /* Now check for expiration of ticket */ - tkt_age = t_local.tv_sec - ad->time_sec; + tkt_age = tv.tv_sec - ad->time_sec; if (krb_ap_req_debug) - log("Time: %d Issue Date: %d Diff: %d Life %x", - t_local.tv_sec,ad->time_sec,tkt_age,ad->life); - - if (t_local.tv_sec < ad->time_sec) { - if ((ad->time_sec - t_local.tv_sec) > CLOCK_SKEW) - return(RD_AP_NYV); - } - else if 
(t_local.tv_sec > krb_life_to_time(ad->time_sec, ad->life)) - return(RD_AP_EXP); + krb_log("Time: %ld Issue Date: %lu Diff: %ld Life %x", + (long)tv.tv_sec, + (unsigned long)ad->time_sec, + tkt_age, + ad->life); + + if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW)) + return RD_AP_NYV; + + if (tv.tv_sec > krb_life_to_time(ad->time_sec, ad->life)) + return RD_AP_EXP; /* All seems OK */ ad->reply.length = 0; diff --git a/kerberosIV/krb/rd_safe.c b/kerberosIV/krb/rd_safe.c index 5d868fa1459..90d97b06365 100644 --- a/kerberosIV/krb/rd_safe.c +++ b/kerberosIV/krb/rd_safe.c 
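Review bot: The per-field `check_ptr()` calls that bounded the authenticator parse against `req_id->length` are gone, and `krb_get_nir(p, r_aname, r_inst, r_realm)` is left with the author's own `/* XXX no rangecheck */`: the three strings come from the just-decrypted authenticator, so a message that does not decrypt cleanly (wrong key, tampering) yields bytes with no guaranteed NUL and overruns `r_aname[ANAME_SZ]`, `r_inst[INST_SZ]` and `r_realm[REALM_SZ]` before `RD_AP_INCON` could ever be returned. The `#define check_ptr()` that remains still references the removed `ptr` variable and is now dead; it should be deleted or rewritten in terms of `p` and `req_id->length` and applied after krb_get_nir and after each krb_get_int. Separately, the "Time out of range" debug message prints `(unsigned long)t_local.tv_sec`, but this hunk now fills `tv` via `gettimeofday(&tv, NULL)` and never updates `t_local`, so the logged value is stale; it should read `(unsigned long)tv.tv_sec`. krb_rd_req's body begins in the previous hunk.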
@@ -1,58 +1,91 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/rd_safe.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology - - Export of this software from the United States of America is assumed - to require a specific license from the United States Government. - It is the responsibility of any person or organization contemplating - export to obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. - - */ +/* $KTH: rd_safe.c,v 1.24 1997/04/19 23:18:20 joda Exp $ */ /* - * This routine dissects a a Kerberos 'safe msg', checking its - * integrity, and returning a pointer to the application data - * contained and its length. - * - * Returns 0 (RD_AP_OK) for success or an error code (RD_AP_...) - * - * Steve Miller Project Athena MIT/DEC + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. 
Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ #include "krb_locl.h" -/* system include files */ -#include <sys/types.h> -#include <netinet/in.h> -#include <sys/time.h> - /* application include files */ #include "lsb_addr_comp.h" -/* static storage */ -static des_cblock calc_cksum[2]; -static des_cblock big_cksum[2]; -static int swap_bytes; -static struct timeval local_time; -static u_int32_t delta_t; +/* Generate two checksums in the given byteorder of the data, one + * new-form and one old-form. It has to be done this way to be + * compatible with the old version of des_quad_cksum. 
+ */ + +/* des_quad_chsum-type; 0 == unknown, 1 == new PL10++, 2 == old */ +int dqc_type = DES_QUAD_DEFAULT; + +void +fixup_quad_cksum(void *start, size_t len, des_cblock *key, + void *new_checksum, void *old_checksum, int little) +{ + des_quad_cksum((des_cblock*)start, (des_cblock*)new_checksum, len, 2, key); + if(HOST_BYTE_ORDER){ + if(little){ + memcpy(old_checksum, new_checksum, 16); + }else{ + u_int32_t *tmp = (u_int32_t*)new_checksum; + memcpy(old_checksum, new_checksum, 16); + swap_u_16(old_checksum); + swap_u_long(tmp[0]); + swap_u_long(tmp[1]); + swap_u_long(tmp[2]); + swap_u_long(tmp[3]); + } + }else{ + if(little){ + u_int32_t *tmp = (u_int32_t*)new_checksum; + swap_u_long(tmp[0]); + swap_u_long(tmp[1]); + swap_u_long(tmp[2]); + swap_u_long(tmp[3]); + memcpy(old_checksum, new_checksum, 16); + }else{ + u_int32_t tmp[4]; + tmp[0] = ((u_int32_t*)new_checksum)[3]; + tmp[1] = ((u_int32_t*)new_checksum)[2]; + tmp[2] = ((u_int32_t*)new_checksum)[1]; + tmp[3] = ((u_int32_t*)new_checksum)[0]; + memcpy(old_checksum, tmp, 16); + } + } +} /* * krb_rd_safe() checks the integrity of an AUTH_MSG_SAFE message. 
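Review bot: fixup_quad_cksum is exported with a `void *` interface, but nothing at the definition says that `new_checksum` and `old_checksum` must each provide 16 bytes, nor that on the `HOST_BYTE_ORDER && !little` and `!HOST_BYTE_ORDER && little` branches `new_checksum` is word-swapped in place (through the aliasing `tmp` pointer) rather than left as des_quad_cksum produced it. A header comment such as `/* new_checksum, old_checksum: 16-byte output buffers; new_checksum may be byte-swapped in place depending on host and message byte order */` would stop a caller from reusing the buffer as the canonical value. The comment on `dqc_type` lists three values (`0 == unknown, 1 == new PL10++, 2 == old`) while the code in the next hunk uses four names, `DES_QUAD_DEFAULT`, `DES_QUAD_GUESS`, `DES_QUAD_NEW` and `DES_QUAD_OLD`; the comment should map each name to its value and say that this global is updated from received data by krb_rd_safe.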
@@ -72,93 +105,53 @@ static u_int32_t delta_t; */ int32_t -krb_rd_safe(in, in_length, key, sender, receiver, m_data) - u_char *in; /* pointer to the msg received */ - u_int32_t in_length; /* length of "in" msg */ - des_cblock *key; /* encryption key for seed and ivec */ - struct sockaddr_in *sender; /* sender's address */ - struct sockaddr_in *receiver; /* receiver's address -- me */ - MSG_DAT *m_data; /* where to put message information */ +krb_rd_safe(void *in, u_int32_t in_length, des_cblock *key, + struct sockaddr_in *sender, struct sockaddr_in *receiver, + MSG_DAT *m_data) { - register u_char *p,*q; - static u_int32_t src_addr; /* Can't send structs since no - * guarantees on size */ - /* Be very conservative */ - if (sizeof(src_addr) != sizeof(struct in_addr)) { - fprintf(stderr,"\n\ -krb_rd_safe protocol err sizeof(src_addr) != sizeof(struct in_addr)"); - exit(-1); - } - - if (gettimeofday(&local_time,(struct timezone *)0)) - return -1; - - p = in; /* beginning of message */ - swap_bytes = 0; + unsigned char *p = (unsigned char*)in, *start; + + unsigned char pvno, type; + int little_endian; + struct timeval tv; + u_int32_t src_addr; + int delta_t; + + + pvno = *p++; + if(pvno != KRB_PROT_VERSION) + return RD_AP_VERSION; + + type = *p++; + little_endian = type & 1; + type &= ~1; + if(type != AUTH_MSG_SAFE) + return RD_AP_MSG_TYPE; + + start = p; + + p += krb_get_int(p, &m_data->app_length, 4, little_endian); + + if(m_data->app_length + 31 > in_length) + return RD_AP_MODIFIED; + + m_data->app_data = p; - if (*p++ != KRB_PROT_VERSION) return RD_AP_VERSION; - if (((*p) & ~1) != AUTH_MSG_SAFE) return RD_AP_MSG_TYPE; - if ((*p++ & 1) != HOST_BYTE_ORDER) swap_bytes++; - - q = p; /* mark start of cksum stuff */ - - /* safely get length */ - bcopy((char *)p,(char *)&(m_data->app_length), - sizeof(m_data->app_length)); - if (swap_bytes) swap_u_long(m_data->app_length); - p += sizeof(m_data->app_length); /* skip over */ + p += m_data->app_length; - if 
(m_data->app_length + sizeof(in_length) - + sizeof(m_data->time_sec) + sizeof(m_data->time_5ms) - + sizeof(big_cksum) + sizeof(src_addr) - + VERSION_SZ + MSG_TYPE_SZ > in_length) - return(RD_AP_MODIFIED); + m_data->time_5ms = *p++; - m_data->app_data = p; /* we're now at the application data */ + p += krb_get_address(p, &src_addr); - /* skip app data */ - p += m_data->app_length; + if (!krb_equiv(src_addr, sender->sin_addr.s_addr)) + return RD_AP_BADD; - /* safely get time_5ms */ - bcopy((char *)p, (char *)&(m_data->time_5ms), - sizeof(m_data->time_5ms)); - - /* don't need to swap-- one byte for now */ - p += sizeof(m_data->time_5ms); - - /* safely get src address */ - bcopy((char *)p,(char *)&src_addr,sizeof(src_addr)); - - /* don't swap, net order always */ - p += sizeof(src_addr); - - /* safely get time_sec */ - bcopy((char *)p, (char *)&(m_data->time_sec), - sizeof(m_data->time_sec)); - if (swap_bytes) - swap_u_long(m_data->time_sec); - p += sizeof(m_data->time_sec); - - /* check direction bit is the sign bit */ - /* For compatibility with broken old code, compares are done in VAX - byte order (LSBFIRST) */ - if (lsb_net_ulong_less(sender->sin_addr.s_addr, - receiver->sin_addr.s_addr)==-1) - /* src < recv */ - m_data->time_sec = - m_data->time_sec; - else if (lsb_net_ulong_less(sender->sin_addr.s_addr, - receiver->sin_addr.s_addr)==0) - if (lsb_net_ushort_less(sender->sin_port,receiver->sin_port)==-1) - /* src < recv */ - m_data->time_sec = - m_data->time_sec; + p += krb_get_int(p, (u_int32_t *)&m_data->time_sec, 4, little_endian); + m_data->time_sec = lsb_time(m_data->time_sec, sender, receiver); + + gettimeofday(&tv, NULL); - /* - * All that for one tiny bit! Heaven help those that talk to - * themselves. - */ - - /* check the time integrity of the msg */ - delta_t = abs((int)((long) local_time.tv_sec - m_data->time_sec)); + delta_t = abs((int)((long) tv.tv_sec - m_data->time_sec)); if (delta_t > CLOCK_SKEW) return RD_AP_TIME; /* 
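Review bot: `if(m_data->app_length + 31 > in_length)` is evaluated in u_int32_t, so an `app_length` taken from the message that lies within 31 of UINT32_MAX wraps the sum below `in_length`, passes the check, and `p += m_data->app_length` then points far outside `in`; the replaced sizeof-based test had the same weakness, and this rewrite is the place to fix it. Write it as `if (in_length < 31 || m_data->app_length > in_length - 31) return RD_AP_MODIFIED;`, and hoist the `in_length < 31` part ahead of `pvno = *p++` so the version, type and length bytes are not read from a message shorter than the fixed layout. The literal 31 should also carry a comment spelling out its composition (version, type, 4-byte length, time_5ms, 4-byte address, 4-byte time_sec and the 16-byte checksum), as the removed sizeof expression did implicitly. krb_rd_safe continues into the next hunk.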
@@ -167,20 +160,19 @@ krb_rd_safe protocol err sizeof(src_addr) != sizeof(struct in_addr)"); * and we don't assume tightly synchronized clocks. */ - bcopy((char *)p,(char *)big_cksum,sizeof(big_cksum)); - if (swap_bytes) swap_u_16(big_cksum); - -#ifdef NOENCRYPTION - bzero(calc_cksum, sizeof(calc_cksum)); -#else - des_quad_cksum((des_cblock *)q,calc_cksum,p-q,2,key); -#endif - - if (krb_debug) - printf("\ncalc_cksum = %u, received cksum = %u", - (u_int) calc_cksum[0], (u_int) big_cksum[0]); - if (bcmp((char *)big_cksum,(char *)calc_cksum,sizeof(big_cksum))) - return(RD_AP_MODIFIED); - - return(RD_AP_OK); /* OK == 0 */ + { + unsigned char new_checksum[16]; + unsigned char old_checksum[16]; + fixup_quad_cksum(start, p - start, key, + new_checksum, old_checksum, little_endian); + if((dqc_type == DES_QUAD_GUESS || dqc_type == DES_QUAD_NEW) && + memcmp(new_checksum, p, 16) == 0) + dqc_type = DES_QUAD_NEW; + else if((dqc_type == DES_QUAD_GUESS || dqc_type == DES_QUAD_OLD) && + memcmp(old_checksum, p, 16) == 0) + dqc_type = DES_QUAD_OLD; + else + return RD_AP_MODIFIED; + } + return KSUCCESS; } diff --git a/kerberosIV/krb/read_service_key.c b/kerberosIV/krb/read_service_key.c index 31ba2e84ee0..5bee36177f2 100644 --- a/kerberosIV/krb/read_service_key.c +++ b/kerberosIV/krb/read_service_key.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/read_service_key.c,v $ - * - * $Locker: $ - */ +/* $KTH: read_service_key.c,v 1.8 1997/03/23 03:53:16 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology 
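Review bot: The integrity check of the whole safe message is `memcmp(new_checksum, p, 16) == 0` / `memcmp(old_checksum, p, 16) == 0`, and memcmp stops at the first differing byte; comparing a received authenticator value against the computed one is normally done with a comparison that touches all 16 bytes regardless of where they differ. These lines also assign the global `dqc_type` based on which form the peer's message happened to match, after which the other form is rejected for the rest of the process; a comment on this block should state that the first successful match pins the checksum format for every later caller. The enclosing krb_rd_safe starts in the previous hunk.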
@@ -62,15 +56,13 @@ or implied warranty. */ -/*ARGSUSED */ int -read_service_key(service, instance, realm, kvno, file, key) - char *service; /* Service Name */ - char *instance; /* Instance name or "*" */ - char *realm; /* Realm */ - int kvno; /* Key version number */ - char *file; /* Filename */ - char *key; /* Pointer to key to be filled in */ +read_service_key(char *service, /* Service Name */ + char *instance, /* Instance name or "*" */ + char *realm, /* Realm */ + int kvno, /* Key version number */ + char *file, /* Filename */ + char *key) /* Pointer to key to be filled in */ { char serv[SNAME_SZ]; char inst[INST_SZ]; @@ -78,18 +70,18 @@ read_service_key(service, instance, realm, kvno, file, key) unsigned char vno; /* Key version number */ int wcard; - int stab, open(const char *, int, ...); + int stab; - if ((stab = open(file, 0, 0)) < 0) + if ((stab = open(file, O_RDONLY, 0)) < 0) return(KFAILURE); wcard = (instance[0] == '*') && (instance[1] == '\0'); while (getst(stab,serv,SNAME_SZ) > 0) { /* Read sname */ - (void) getst(stab,inst,INST_SZ); /* Instance */ - (void) getst(stab,rlm,REALM_SZ); /* Realm */ + getst(stab,inst,INST_SZ); /* Instance */ + getst(stab,rlm,REALM_SZ); /* Realm */ /* Vers number */ - if (read(stab,(char *)&vno,1) != 1) { + if (read(stab, &vno, 1) != 1) { close(stab); return(KFAILURE); } 
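Review bot: In the `@@ -78,18 +70,18 @@` hunk the results of `getst(stab,inst,INST_SZ)` and `getst(stab,rlm,REALM_SZ)` are still discarded, now without the `(void)` that marked the choice as deliberate; since the loop condition treats a getst result `<= 0` as end of data, a truncated or corrupt key file leaves `inst`/`rlm` holding stale or unset bytes that are then compared against the caller's instance and realm. Checking them the same way as the service read, `if (getst(stab,inst,INST_SZ) <= 0 || getst(stab,rlm,REALM_SZ) <= 0) { close(stab); return(KFAILURE); }`, keeps the parse in step with the file. The function body continues in the next hunk.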
@@ -105,29 +97,20 @@ read_service_key(service, instance, realm, kvno, file, key) if (!wcard && strcmp(inst,instance)) continue; if (wcard) - (void) strncpy(instance,inst,INST_SZ); + strncpy(instance,inst,INST_SZ); /* Is this the right realm */ -#ifdef ATHENA_COMPAT - /* XXX For backward compatibility: if keyfile says "Athena" - and caller wants "ATHENA.MIT.EDU", call it a match */ - if (strcmp(rlm,realm) && - (strcmp(rlm,"Athena") || - strcmp(realm,"ATHENA.MIT.EDU"))) - continue; -#else /* ! ATHENA_COMPAT */ if (strcmp(rlm,realm)) continue; -#endif /* ATHENA_COMPAT */ /* How about the key version number */ if (kvno && kvno != (int) vno) continue; - (void) close(stab); + close(stab); return(KSUCCESS); } /* Can't find the requested service */ - (void) close(stab); + close(stab); return(KFAILURE); } diff --git a/kerberosIV/krb/realm_parse.c b/kerberosIV/krb/realm_parse.c new file mode 100644 index 00000000000..8ce892c1835 --- /dev/null +++ b/kerberosIV/krb/realm_parse.c 
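Review bot: `strncpy(instance,inst,INST_SZ)` on the wildcard path writes the matched instance back into the caller's buffer, and nothing on the `instance` parameter says it must have room for INST_SZ bytes or that it is overwritten; if getst can fill `inst` to its full size without a terminator, the copy is unterminated as well. Either terminate explicitly, `instance[INST_SZ - 1] = '\0';`, or extend the parameter comment to `/* Instance name or "*"; must hold INST_SZ bytes, filled in on a wildcard match */`. read_service_key's body starts in the previous hunk.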
@@ -0,0 +1,88 @@ +/* $KTH: realm_parse.c,v 1.10 1997/06/01 03:14:50 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +static int +realm_parse(char *realm, int length, const char *file) +{ + FILE *F; + char tr[128]; + char *p; + + if ((F = fopen(file,"r")) == NULL) + return -1; + + while(fgets(tr, sizeof(tr), F)){ + char *unused = NULL; + p = strtok_r(tr, " \t\n\r", &unused); + if(p && strcasecmp(p, realm) == 0){ + fclose(F); + strncpy(realm, p, length); + return 0; + } + } + fclose(F); + return -1; +} + +static const char *const files[] = KRB_CNF_FILES; + +int +krb_realm_parse(char *realm, int length) +{ + int i; + + const char *dir = getenv("KRBCONFDIR"); + + /* First try user specified file */ + if (dir != 0) { + char fname[MAXPATHLEN]; + + if(k_concat(fname, sizeof(fname), dir, "/krb.conf", NULL) == 0) + if (realm_parse(realm, length, fname) == 0) + return 0; + } + + for (i = 0; files[i] != NULL; i++) + if (realm_parse(realm, length, files[i]) == 0) + return 0; + return -1; +} diff --git a/kerberosIV/krb/recvauth.c b/kerberosIV/krb/recvauth.c index d5706120d42..f1286ebe3f6 100644 --- a/kerberosIV/krb/recvauth.c +++ b/kerberosIV/krb/recvauth.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/recvauth.c,v $ - * - * $Locker: $ - */ +/* $KTH: recvauth.c,v 1.18 1997/07/05 01:35:15 assar Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -29,18 +23,6 @@ or implied warranty. #include "krb_locl.h" -#include <sys/types.h> -#include <netinet/in.h> -#include <syslog.h> - -/* - * If the protocol changes, you will need to change the version string - * and make appropriate changes in krb_sendauth.c - * be sure to support old versions of krb_sendauth! - */ -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN - chars */ - /* * krb_recvauth() reads (and optionally responds to) a message sent * using krb_sendauth(). The "options" argument is a bit-field of 
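Review bot: `strncpy(realm, p, length)` in realm_parse leaves `realm` unterminated when the token from the config file is `length` bytes or longer, and because the match is case-insensitive the caller's buffer is rewritten with the file's spelling; add `if (length > 0) realm[length - 1] = '\0';` after the copy, or reject tokens of `length` or more. krb_realm_parse also consults `getenv("KRBCONFDIR")` before the compiled-in `KRB_CNF_FILES`, so in any program that runs with elevated privileges the realm configuration is chosen by the caller's environment; skipping the environment lookup when `issetugid()` reports a privileged process keeps the override for ordinary users only. The `files[]` loop has no comment; one line naming it as the fallback search order after the environment path would help the next reader.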
@@ -73,21 +55,6 @@ or implied warranty. * * See krb_sendauth() for the format of the received client message. * - * This routine supports another client format, for backward - * compatibility, consisting of: - * - * Size Variable Field - * ---- -------- ----- - * - * string tmp_buf, tkt_len length of ticket, in - * ascii - * - * char ' ' (space char) separator - * - * tkt_len ticket->dat the ticket - * - * This old-style version does not support mutual authentication. - * * krb_recvauth() first reads the protocol version string from the * given file descriptor. If it doesn't match the current protocol * version (KRB_SENDAUTH_VERS), the old-style format is assumed. In 
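Review bot: The retained sentence `If it doesn't match the current protocol version (KRB_SENDAUTH_VERS), the old-style format is assumed` no longer describes the code: this hunk deletes the old-style client format from the comment, the preceding `@@ -29,18 +23,6 @@` hunk deletes the `KRB_SENDAUTH_VERS` definition from this file, and the following hunk removes the `strcmp(krb_vers,KRB_SENDAUTH_VERS)` branch. The sentence should instead say what the new code does with the version string once read, which as written is to read and discard it unless KOPT_IGNORE_PROTOCOL is set, in which case it is not read at all. The comment block extends beyond this hunk on both sides.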
@@ -122,174 +89,104 @@ or implied warranty. * other error code is returned. */ -#ifndef max -#define max(a,b) (((a) > (b)) ? (a) : (b)) -#endif /* max */ +static int +send_error_reply(int fd) +{ + unsigned char tmp[4] = { 255, 255, 255, 255 }; + if(krb_net_write(fd, tmp, sizeof(tmp)) != sizeof(tmp)) + return -1; + return 0; +} int -krb_recvauth(options, fd, ticket, service, instance, faddr, laddr, kdata, - filename, schedule, version) - int32_t options; /* bit-pattern of options */ - int fd; /* file descr. to read from */ - KTEXT ticket; /* storage for client's ticket */ - char *service; /* service expected */ - char *instance; /* inst expected (may be filled in) */ - struct sockaddr_in *faddr; /* address of foreign host on fd */ - struct sockaddr_in *laddr; /* local address */ - AUTH_DAT *kdata; /* kerberos data (returned) */ - char *filename; /* name of file with service keys */ - struct des_ks_struct *schedule; /* key schedule (return) */ - char *version; /* version string (filled in) */ +krb_recvauth(int32_t options, /* bit-pattern of options */ + int fd, /* file descr. 
to read from */ + KTEXT ticket, /* storage for client's ticket */ + char *service, /* service expected */ + char *instance, /* inst expected (may be filled in) */ + struct sockaddr_in *faddr, /* address of foreign host on fd */ + struct sockaddr_in *laddr, /* local address */ + AUTH_DAT *kdata, /* kerberos data (returned) */ + char *filename, /* name of file with service keys */ + struct des_ks_struct *schedule, /* key schedule (return) */ + char *version) /* version string (filled in) */ { - - int i, cc, old_vers = 0; + int cc; char krb_vers[KRB_SENDAUTH_VLEN + 1]; /* + 1 for the null terminator */ - char *cp; int rem; - long tkt_len, priv_len; - u_int32_t cksum; + int32_t priv_len; u_char tmp_buf[MAX_KTXT_LEN+max(KRB_SENDAUTH_VLEN+1,21)]; - /* read the protocol version number */ - if (krb_net_read(fd, krb_vers, KRB_SENDAUTH_VLEN) != - KRB_SENDAUTH_VLEN) + if (!(options & KOPT_IGNORE_PROTOCOL)) { + /* read the protocol version number */ + if (krb_net_read(fd, krb_vers, KRB_SENDAUTH_VLEN) != KRB_SENDAUTH_VLEN) return(errno); - krb_vers[KRB_SENDAUTH_VLEN] = '\0'; - - /* check version string */ - if (strcmp(krb_vers,KRB_SENDAUTH_VERS)) { - /* Assume the old version of sendkerberosdata: send ascii - length, ' ', and ticket. 
*/ - if (options & KOPT_DO_MUTUAL) - return(KFAILURE); /* XXX can't do old style with mutual auth */ - old_vers = 1; - - /* copy what we have read into tmp_buf */ - (void) bcopy(krb_vers, (char *) tmp_buf, KRB_SENDAUTH_VLEN); - - /* search for space, and make it a null */ - for (i = 0; i < KRB_SENDAUTH_VLEN; i++) - if (tmp_buf[i]== ' ') { - tmp_buf[i] = '\0'; - /* point cp to the beginning of the real ticket */ - cp = (char *) &tmp_buf[i+1]; - break; - } - - if (i == KRB_SENDAUTH_VLEN) - /* didn't find the space, keep reading to find it */ - for (; i<20; i++) { - if (read(fd, (char *)&tmp_buf[i], 1) != 1) { - return(KFAILURE); - } - if (tmp_buf[i] == ' ') { - tmp_buf[i] = '\0'; - /* point cp to the beginning of the real ticket */ - cp = (char *) &tmp_buf[i+1]; - break; - } - } - - tkt_len = (long) atoi((char *) tmp_buf); - - /* sanity check the length */ - if ((i==20)||(tkt_len<=0)||(tkt_len>MAX_KTXT_LEN)) - return(KFAILURE); - - if (i < KRB_SENDAUTH_VLEN) { - /* since we already got the space, and part of the ticket, - we read fewer bytes to get the rest of the ticket */ - if (krb_net_read(fd, (char *)(tmp_buf+KRB_SENDAUTH_VLEN), - (int) (tkt_len - KRB_SENDAUTH_VLEN + 1 + i)) - != (int)(tkt_len - KRB_SENDAUTH_VLEN + 1 + i)) - return(errno); - } else { - if (krb_net_read(fd, (char *)(tmp_buf+i), (int)tkt_len) != - (int) tkt_len) - return(errno); - } - ticket->length = tkt_len; - /* copy the ticket into the struct */ - (void) bcopy(cp, (char *) ticket->dat, ticket->length); - - } else { - /* read the application version string */ - if (krb_net_read(fd, version, KRB_SENDAUTH_VLEN) != - KRB_SENDAUTH_VLEN) - return(errno); - version[KRB_SENDAUTH_VLEN] = '\0'; + krb_vers[KRB_SENDAUTH_VLEN] = '\0'; + } - /* get the length of the ticket */ - if (krb_net_read(fd, (char *)&tkt_len, sizeof(tkt_len)) != - sizeof(tkt_len)) - return(errno); + /* read the application version string */ + if (krb_net_read(fd, version, KRB_SENDAUTH_VLEN) != KRB_SENDAUTH_VLEN) + return(errno); + 
version[KRB_SENDAUTH_VLEN] = '\0'; + + /* get the length of the ticket */ + { + char tmp[4]; + if (krb_net_read(fd, tmp, 4) != 4) + return -1; + krb_get_int(tmp, &ticket->length, 4, 0); + } - /* sanity check */ - ticket->length = ntohl((unsigned long)tkt_len); - if ((ticket->length <= 0) || (ticket->length > MAX_KTXT_LEN)) { - if (options & KOPT_DO_MUTUAL) { - rem = KFAILURE; - goto mutual_fail; - } else - return(KFAILURE); /* XXX there may still be junk on the fd? */ - } - - /* read the ticket */ - if (krb_net_read(fd, (char *) ticket->dat, ticket->length) - != ticket->length) - return(errno); + /* sanity check */ + if (ticket->length <= 0 || ticket->length > MAX_KTXT_LEN) { + if (options & KOPT_DO_MUTUAL) { + if(send_error_reply(fd)) + return -1; + return KFAILURE; + } else + return KFAILURE; /* XXX there may still be junk on the fd? */ } + + /* read the ticket */ + if (krb_net_read(fd, ticket->dat, ticket->length) != ticket->length) + return -1; /* * now have the ticket. decrypt it to get the authenticated * data. 
*/ - rem = krb_rd_req(ticket,service,instance,faddr->sin_addr.s_addr, - kdata,filename); - - if (old_vers) return(rem); /* XXX can't do mutual with old client */ + rem = krb_rd_req(ticket, service, instance, faddr->sin_addr.s_addr, + kdata, filename); /* if we are doing mutual auth, compose a response */ if (options & KOPT_DO_MUTUAL) { - if (rem != KSUCCESS) + if (rem != KSUCCESS){ /* the krb_rd_req failed */ - goto mutual_fail; - + if(send_error_reply(fd)) + return -1; + return rem; + } + /* add one to the (formerly) sealed checksum, and re-seal it for return to the client */ - cksum = kdata->checksum + 1; - cksum = htonl(cksum); + { + unsigned char cs[4]; + krb_put_int(kdata->checksum + 1, cs, 4); #ifndef NOENCRYPTION - des_key_sched(&kdata->session,schedule); + des_key_sched(&kdata->session,schedule); #endif - priv_len = krb_mk_priv((unsigned char *)&cksum, - tmp_buf, - (unsigned long) sizeof(cksum), - schedule, - &kdata->session, - laddr, - faddr); - if (priv_len < 0) { - /* re-sealing failed; notify the client */ - rem = KFAILURE; /* XXX */ -mutual_fail: - priv_len = -1; - tkt_len = htonl((unsigned long) priv_len); - /* a length of -1 is interpreted as an authentication - failure by the client */ - if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len))) - != sizeof(tkt_len)) - return(cc); - return(rem); - } else { - /* re-sealing succeeded, send the private message */ - tkt_len = htonl((unsigned long)priv_len); - if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len))) - != sizeof(tkt_len)) - return(cc); - if ((cc = krb_net_write(fd, (char *)tmp_buf, (int) priv_len)) - != (int) priv_len) - return(cc); + priv_len = krb_mk_priv(cs, + tmp_buf+4, + 4, + schedule, + &kdata->session, + laddr, + faddr); } + /* mk_priv will never fail */ + priv_len += krb_put_int(priv_len, tmp_buf, 4); + + if((cc = krb_net_write(fd, tmp_buf, priv_len)) != priv_len) + return -1; } - return(rem); + return rem; } 
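Review bot: `krb_vers` is read from the socket and NUL-terminated inside `if (!(options & KOPT_IGNORE_PROTOCOL))` but is never compared with anything afterwards, so the protocol version check that the removed `strcmp(krb_vers,KRB_SENDAUTH_VERS)` provided is gone and any 8-byte prefix is accepted as the current protocol; either add `if (strcmp(krb_vers, KRB_SENDAUTH_VERS) != 0) return KFAILURE;` inside that block (if the macro now lives in a header) or drop the buffer. The new `/* mk_priv will never fail */` comment replaces the old `priv_len < 0` branch; if krb_mk_priv can still return a negative length, `priv_len += krb_put_int(priv_len, tmp_buf, 4)` then hands a negative count to krb_net_write, so the comment should either cite the krb_mk_priv contract that guarantees success or the check should be restored. Error returns in this function now mix `return(errno)`, `return -1` and `return KFAILURE`, so a caller cannot tell an I/O failure from a Kerberos status code; the convention should be stated once in the function comment and applied uniformly.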
diff --git a/kerberosIV/krb/resolve.c b/kerberosIV/krb/resolve.c new file mode 100644 index 00000000000..2fe607d13af --- /dev/null +++ b/kerberosIV/krb/resolve.c 
@@ -0,0 +1,232 @@ +/* $KTH: resolve.c,v 1.12 1997/10/28 15:37:39 bg Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include "krb_locl.h"
+#include "resolve.h"
+
+#define DECL(X) {#X, T_##X}
+
+static struct stot{
+ char *name;
+ int type;
+}stot[] = {
+ DECL(A),
+ DECL(NS),
+ DECL(CNAME),
+ DECL(PTR),
+ DECL(MX),
+ DECL(TXT),
+ DECL(AFSDB),
+ DECL(SRV),
+ {NULL, 0}
+};
+
+static int
+string_to_type(const char *name)
+{
+ struct stot *p = stot;
+ for(p = stot; p->name; p++)
+ if(strcasecmp(name, p->name) == 0)
+ return p->type;
+ return -1;
+}
+
+#if 0
+static char *
+type_to_string(int type)
+{
+ struct stot *p = stot;
+ for(p = stot; p->name; p++)
+ if(type == p->type)
+ return p->name;
+ return NULL;
+}
+#endif
+
+void
+dns_free_data(struct dns_reply *r)
+{
+ struct resource_record *rr;
+ if(r->q.domain)
+ free(r->q.domain);
+ for(rr = r->head; rr;){
+ struct resource_record *tmp = rr;
+ if(rr->domain)
+ free(rr->domain);
+ if(rr->u.data)
+ free(rr->u.data);
+ rr = rr->next;
+ free(tmp);
+ }
+ free (r);
+}
+
+static struct dns_reply*
+parse_reply(unsigned char *data, int len)
+{
+ unsigned char *p;
+ char host[128];
+ int status;
+
+ struct dns_reply *r;
+ struct resource_record **rr;
+
+ r = (struct dns_reply*)malloc(sizeof(struct dns_reply));
+ memset(r, 0, sizeof(struct dns_reply));
+
+ p = data;
+ memcpy(&r->h, p, sizeof(HEADER));
+ p += sizeof(HEADER);
+ status = dn_expand(data, data + len, p, host, sizeof(host));
+ if(status < 0){
+ dns_free_data(r);
+ return NULL;
+ }
+ r->q.domain = strdup(host);
+ p += status;
+ r->q.type = (p[0] << 8 | p[1]);
+ p += 2;
+ r->q.class = (p[0] << 8 | p[1]);
+ p += 2;
+ rr = &r->head;
+ while(p < data + len){
+ int type, class, ttl, size;
+ status = dn_expand(data, data + len, p, host, sizeof(host));
+ if(status < 0){
+ dns_free_data(r);
+ return NULL;
+ }
+ p += status;
+ type = (p[0] << 8) | p[1];
+ p += 2;
+ class = (p[0] << 8) | p[1];
+ p += 2;
+ ttl = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+ p += 4;
+ size = (p[0] << 8) | p[1];
+ p += 2;
+ *rr = (struct resource_record*)calloc(1,
+ sizeof(struct resource_record));
+ (*rr)->domain = strdup(host); + (*rr)->type = type; + (*rr)->class = class; + (*rr)->ttl = ttl; + (*rr)->size = size; + switch(type){ + case T_NS: + case T_CNAME: + case T_PTR: + status = dn_expand(data, data + len, p, host, sizeof(host)); + if(status < 0){ + dns_free_data(r); + return NULL; + } + (*rr)->u.txt = strdup(host); + break; + case T_MX: + case T_AFSDB:{ + status = dn_expand(data, data + len, p + 2, host, sizeof(host)); + if(status < 0){ + dns_free_data(r); + return NULL; + } + (*rr)->u.mx = (struct mx_record*)malloc(sizeof(struct mx_record) + + strlen(host)); + (*rr)->u.mx->preference = (p[0] << 8) | p[1]; + strcpy((*rr)->u.mx->domain, host); + break; + } + case T_SRV:{ + status = dn_expand(data, data + len, p + 6, host, sizeof(host)); + if(status < 0){ + dns_free_data(r); + return NULL; + } + (*rr)->u.srv = + (struct srv_record*)malloc(sizeof(struct srv_record) + + strlen(host)); + (*rr)->u.srv->priority = (p[0] << 8) | p[1]; + (*rr)->u.srv->weight = (p[2] << 8) | p[3]; + (*rr)->u.srv->port = (p[4] << 8) | p[5]; + strcpy((*rr)->u.srv->target, host); + break; + } + case T_TXT:{ + (*rr)->u.txt = (char*)malloc(size + 1); + strncpy((*rr)->u.txt, (char*)p + 1, *p); + (*rr)->u.txt[*p] = 0; + break; + } + + default: + (*rr)->u.data = (unsigned char*)malloc(size); + memcpy((*rr)->u.data, p, size); + } + p += size; + rr = &(*rr)->next; + } + *rr = NULL; + return r; +} + +struct dns_reply * +dns_lookup(const char *domain, const char *type_name) +{ + unsigned char reply[1024]; + int len; + int type; + struct dns_reply *r = NULL; + u_long old_options; + + type = string_to_type(type_name); + if (krb_dns_debug) { + old_options = _res.options; + _res.options |= RES_DEBUG; + krb_warning("dns_lookup(%s, %s)\n", domain, type_name); + } + len = res_search(domain, C_IN, type, reply, sizeof(reply)); + if (krb_dns_debug) { + _res.options = old_options; + krb_warning("dns_lookup(%s, %s) --> %d\n", domain, type_name, len); + } + if (len >= 0) + r = parse_reply(reply, len); + 
return r; +} diff --git a/kerberosIV/krb/resolve.h b/kerberosIV/krb/resolve.h new file mode 100644 index 00000000000..30c2a1fc629 --- /dev/null +++ b/kerberosIV/krb/resolve.h 
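Review bot: parse_reply reads the fixed record fields (`type`, `class`, `ttl`, `size`) and then `size` bytes of rdata without ever checking that they lie inside `data + len`, so a truncated or malformed reply from the resolver walks `p` past the end of the 1024-byte buffer that dns_lookup passes in; `dn_expand` is bounded, but nothing after it is. The same applies to the initial `memcpy(&r->h, p, sizeof(HEADER))` and the four question-section bytes after the first `dn_expand`, and inside the switch the T_TXT case copies `*p` bytes without checking `*p < size` while the T_MX and T_SRV cases read their fixed fields from `p` before verifying `size` covers them. The `malloc`/`calloc`/`strdup` results are used unchecked as well, and `(p[0] << 24)` left-shifts a promoted `int`, which is undefined for a first byte of 0x80 or more; `((unsigned)p[0] << 24)` avoids that. A guard after each header read and one before the per-type decoding closes the out-of-bounds reads, reusing the existing `dns_free_data(r); return NULL;` path.
```c
        p += status;
        /* type(2) + class(2) + ttl(4) + rdlength(2) must lie inside the reply */
        if(data + len - p < 10){
            dns_free_data(r);
            return NULL;
        }
        /* … unchanged: type/class/ttl/size decoding … */
        p += 2;
        /* rdata must lie inside the reply before any per-type decoding reads it */
        if(size > data + len - p){
            dns_free_data(r);
            return NULL;
        }
        /* … unchanged: calloc of *rr and the switch on type … */
```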
@@ -0,0 +1,95 @@ +/* $KTH: resolve.h,v 1.5 1997/05/14 17:41:25 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+/* THIS IS NOT (yet) A PUBLIC INTERFACE */
+
+
+#ifndef __RESOLVE_H__
+#define __RESOLVE_H__
+
+/* We use these, but they are not always present in <arpa/nameser.h> */
+
+struct dns_query{
+ char *domain;
+ unsigned type;
+ unsigned class;
+};
+
+struct mx_record{
+ unsigned preference;
+ char domain[1];
+};
+
+struct srv_record{
+ unsigned priority;
+ unsigned weight;
+ unsigned port;
+ char target[1];
+};
+
+struct resource_record{
+ char *domain;
+ unsigned type;
+ unsigned class;
+ unsigned ttl;
+ unsigned size;
+ union {
+ void *data;
+ struct mx_record *mx;
+ struct mx_record *afsdb; /* mx and afsdb are identical */
+ struct srv_record *srv;
+ struct in_addr *a;
+ char *txt;
+ }u;
+ struct resource_record *next;
+};
+
+struct dns_reply{
+ HEADER h;
+ struct dns_query q;
+ struct resource_record *head;
+};
+
+
+struct dns_reply* dns_lookup(const char *, const char *);
+
+void dns_free_data(struct dns_reply *r);
+
+#endif /* __RESOLVE_H__ */
diff --git a/kerberosIV/krb/rw.c b/kerberosIV/krb/rw.c
new file mode 100644
index 00000000000..7ee546050a2
--- /dev/null
+++ b/kerberosIV/krb/rw.c
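Review bot: `__RESOLVE_H__` is an identifier reserved for the implementation (any name containing a double underscore), so the include guard should be spelled without it, e.g. `#ifndef RESOLVE_H` / `#define RESOLVE_H`. The one-element trailing arrays `char domain[1]` in `struct mx_record` and `char target[1]` in `struct srv_record` only work because resolve.c allocates them with `sizeof(struct ...) + strlen(host)`, and nothing in the header says so; a comment on each struct along the lines of `/* variable length: allocated with trailing space for the name, never declare on the stack */` would stop a future caller from instantiating one directly. The `dns_lookup` prototype also drops its parameter names while `dns_free_data` keeps its one; naming them (`domain`, `type_name`, as in the definition) makes the header self-explanatory.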
@@ -0,0 +1,128 @@ +/* $KTH: rw.c,v 1.8 1997/04/01 08:18:44 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+/* Almost all programs use these routines (implicitly) so it's a good
+ * place to put the version string. */
+
+#include "version.h"
+
+#include "krb_locl.h"
+
+int
+krb_get_int(void *f, u_int32_t *to, int size, int lsb)
+{
+ int i;
+ unsigned char *from = (unsigned char *)f;
+
+ *to = 0;
+ if(lsb){
+ for(i = size-1; i >= 0; i--)
+ *to = (*to << 8) | from[i];
+ }else{
+ for(i = 0; i < size; i++)
+ *to = (*to << 8) | from[i];
+ }
+ return size;
+}
+
+int
+krb_put_int(u_int32_t from, void *to, int size)
+{
+ int i;
+ unsigned char *p = (unsigned char *)to;
+ for(i = size - 1; i >= 0; i--){
+ p[i] = from & 0xff;
+ from >>= 8;
+ }
+ return size;
+}
+
+
+/* addresses are always sent in network byte order */
+
+int
+krb_get_address(void *from, u_int32_t *to)
+{
+ unsigned char *p = (unsigned char*)from;
+ *to = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+ return 4;
+}
+
+int
+krb_put_address(u_int32_t addr, void *to)
+{
+ return krb_put_int(ntohl(addr), to, 4);
+}
+
+int
+krb_put_string(char *from, void *to)
+{
+ strcpy((char *)to, from);
+ return strlen(from) + 1;
+}
+
+int
+krb_get_string(void *from, char *to)
+{
+ return krb_put_string(from, to);
+}
+
+int
+krb_get_nir(void *from, char *name, char *instance, char *realm)
+{
+ char *p = (char *)from;
+
+ p += krb_get_string(p, name);
+ p += krb_get_string(p, instance);
+ if(realm)
+ p += krb_get_string(p, realm);
+ return p - (char *)from;
+}
+
+int
+krb_put_nir(char *name, char *instance, char *realm, void *to)
+{
+ char *p = (char *)to;
+ p += krb_put_string(name, p);
+ p += krb_put_string(instance, p);
+ if(realm)
+ p += krb_put_string(realm, p);
+ return p - (char *)to;
+}
diff --git a/kerberosIV/krb/save_credentials.c b/kerberosIV/krb/save_credentials.c
index b9b58d48704..d9ef94b449d 100644
--- a/kerberosIV/krb/save_credentials.c
+++ b/kerberosIV/krb/save_credentials.c
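Review bot: `krb_get_string` is a bare `strcpy` with neither a source bound nor a destination bound, so `krb_get_nir` copying `name`, `instance` and `realm` out of a received packet writes past the fixed-size buffers a caller hands it whenever a field is longer than expected, and reads past the packet when no NUL is present. Because these are the decoding routines for network data, the remaining packet length and the destination size need to be checkable; until the signatures carry them, every caller has to validate the packet first, and the file should say so above `krb_get_string`: `/* No bounds checking: the caller must guarantee that from is NUL-terminated inside the packet and fits in to. */`. Separately, `(p[0] << 24)` in `krb_get_address` left-shifts a promoted `int`, which is undefined once the first octet is 0x80 or more; `((u_int32_t)p[0] << 24)` gives the intended unsigned result.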
@@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/save_credentials.c,v $ - * - * $Locker: $ - */ +/* $KTH: save_credentials.c,v 1.5 1997/03/23 03:53:17 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -42,16 +36,14 @@ or implied warranty. */ int -save_credentials(service, instance, realm, session, lifetime, kvno, - ticket, issue_date) - char *service; /* Service name */ - char *instance; /* Instance */ - char *realm; /* Auth domain */ - unsigned char *session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version number */ - KTEXT ticket; /* The ticket itself */ - int32_t issue_date; /* The issue time */ +save_credentials(char *service, /* Service name */ + char *instance, /* Instance */ + char *realm, /* Auth domain */ + unsigned char *session, /* Session key */ + int lifetime, /* Lifetime */ + int kvno, /* Key version number */ + KTEXT ticket, /* The ticket itself */ + int32_t issue_date) /* The issue time */ { int tf_status; /* return values of the tf_util calls */ @@ -62,6 +54,6 @@ save_credentials(service, instance, realm, session, lifetime, kvno, /* Save credentials by appending to the ticket file */ tf_status = tf_save_cred(service, instance, realm, session, lifetime, kvno, ticket, issue_date); - (void) tf_close(); + tf_close(); return (tf_status); } diff --git a/kerberosIV/krb/send_to_kdc.c b/kerberosIV/krb/send_to_kdc.c index aa19c4065cb..f7a5865ad93 100644 --- a/kerberosIV/krb/send_to_kdc.c +++ b/kerberosIV/krb/send_to_kdc.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/send_to_kdc.c,v $ - * - * $Locker: $ - */ +/* $KTH: send_to_kdc.c,v 1.47 1997/11/07 17:31:38 bg Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology 
@@ -29,28 +23,15 @@ or implied warranty. #include "krb_locl.h" -#include <sys/time.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netdb.h> - -#define S_AD_SZ sizeof(struct sockaddr_in) +struct host { + struct sockaddr_in addr; + enum krb_host_proto proto; +}; -static int krb_udp_port = 0; - -/* CLIENT_KRB_TIMEOUT indicates the time to wait before - * retrying a server. It's defined in "krb.h". - */ -static struct timeval timeout = { CLIENT_KRB_TIMEOUT, 0}; -static char *prog = "send_to_kdc"; -static send_recv(KTEXT pkt, KTEXT rpkt, int f, struct sockaddr_in *_to, struct hostent *addrs); - -/* - * This file contains two routines, send_to_kdc() and send_recv(). - * send_recv() is a static routine used by send_to_kdc(). - */ +static const char *prog = "send_to_kdc"; +static send_recv(KTEXT pkt, KTEXT rpkt, int f, + struct sockaddr_in *adr, struct host *addrs, + int h_hosts); /* * send_to_kdc() sends a message to the Kerberos authentication 
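Review bot: the forward declaration `static send_recv(KTEXT pkt, KTEXT rpkt, int f, struct sockaddr_in *adr, struct host *addrs, int h_hosts);` has no return type and relies on implicit int, which the definition later in this file spells out explicitly; it should read `static int send_recv(...)` so the two agree and the file compiles under C99 rules. The prototype also names its third and last parameters `f` and `h_hosts` while the definition calls them `proto` and `n_hosts`; since `f` reads as a file descriptor and the argument is actually the protocol selector, the definition's names belong here too.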
@@ -79,246 +60,300 @@ static send_recv(KTEXT pkt, KTEXT rpkt, int f, struct sockaddr_in *_to, struct h * after several retries */ +/* always use the admin server */ +static int krb_use_admin_server_flag = 0; + int -send_to_kdc(pkt, rpkt, realm) - KTEXT pkt; - KTEXT rpkt; - char *realm; +krb_use_admin_server(int flag) { - int i, f; + int old = krb_use_admin_server_flag; + krb_use_admin_server_flag = flag; + return old; +} + +int +send_to_kdc(KTEXT pkt, KTEXT rpkt, char *realm) +{ + int i; int no_host; /* was a kerberos host found? */ int retry; int n_hosts; int retval; - struct sockaddr_in to; - struct hostent *host, *hostlist; - char *cp; - char krbhst[MAX_HSTNM]; + struct hostent *host; char lrealm[REALM_SZ]; + struct krb_host *k_host; + struct host *hosts = malloc(sizeof(*hosts)); + + if (hosts == NULL) + return SKDC_CANT; /* * If "realm" is non-null, use that, otherwise get the * local realm. */ if (realm) - (void) strcpy(lrealm, realm); + strcpy(lrealm, realm); else if (krb_get_lrealm(lrealm,1)) { if (krb_debug) - fprintf(stderr, "%s: can't get local realm\n", prog); + krb_warning("%s: can't get local realm\n", prog); return(SKDC_CANT); } if (krb_debug) - printf("lrealm is %s\n", lrealm); - if (krb_udp_port == 0) { - register struct servent *sp; - if ((sp = getservbyname("kerberos","udp")) == 0) { - if (krb_debug) - fprintf(stderr, "%s: Can't get kerberos/udp service\n", - prog); - krb_udp_port = 750; /* Was return(SKDC_CANT); */ - } - else - krb_udp_port = sp->s_port; - if (krb_debug) - printf("krb_udp_port is %d\n", krb_udp_port); - } - bzero((char *)&to, S_AD_SZ); - hostlist = (struct hostent *) malloc(sizeof(struct hostent)); - if (!hostlist) - return (/*errno */SKDC_CANT); - if ((f = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { - if (krb_debug) - fprintf(stderr,"%s: Can't open socket\n", prog); - return(SKDC_CANT); - } - /* from now on, exit through rtn label for cleanup */ + krb_warning("lrealm is %s\n", lrealm); no_host = 1; /* get an initial allocation */ 
n_hosts = 0; - bzero((char *)&hostlist[n_hosts], sizeof(struct hostent)); - for (i = 1; krb_get_krbhst(krbhst, lrealm, i) == KSUCCESS; ++i) { - if (krb_debug) { - printf("Getting host entry for %s...",krbhst); - (void) fflush(stdout); - } - host = gethostbyname(krbhst); + for (i = 1; (k_host = krb_get_host(i, lrealm, krb_use_admin_server_flag)); + ++i) { + char *p; + + if (krb_debug) + krb_warning("Getting host entry for %s...", k_host->host); + host = gethostbyname(k_host->host); if (krb_debug) { - printf("%s.\n", - host ? "Got it" : "Didn't get it"); - (void) fflush(stdout); + krb_warning("%s.\n", + host ? "Got it" : "Didn't get it"); } if (!host) continue; no_host = 0; /* found at least one */ - n_hosts++; - /* preserve host network address to check later - * (would be better to preserve *all* addresses, - * take care of that later) - */ - hostlist = (struct hostent *) - realloc((char *)hostlist, - (unsigned) - sizeof(struct hostent)*(n_hosts+1)); - if (!hostlist) - return /*errno */SKDC_CANT; - bcopy((char *)host, (char *)&hostlist[n_hosts-1], - sizeof(struct hostent)); - host = &hostlist[n_hosts-1]; - cp = malloc((unsigned)host->h_length); - if (!cp) { - retval = /*errno */SKDC_CANT; - goto rtn; - } - bcopy((char *)host->h_addr, cp, host->h_length); -/* At least Sun OS version 3.2 (or worse) and Ultrix version 2.2 - (or worse) only return one name ... 
*/ -#if defined(h_addr) - host->h_addr_list = (char **)malloc(2*sizeof(char *)); - if (!host->h_addr_list) { - retval = /*errno */SKDC_CANT; - goto rtn; - } - host->h_addr_list[1] = NULL; -#endif /* defined(h_addr) */ - host->h_addr = cp; - bzero((char *)&hostlist[n_hosts], - sizeof(struct hostent)); - to.sin_family = host->h_addrtype; - bcopy(host->h_addr, (char *)&to.sin_addr, - host->h_length); - to.sin_port = krb_udp_port; - if (send_recv(pkt, rpkt, f, &to, hostlist)) { - retval = KSUCCESS; - goto rtn; - } - if (krb_debug) { - printf("Timeout, error, or wrong descriptor\n"); - (void) fflush(stdout); - } + while ((p = *(host->h_addr_list)++)) { + hosts = realloc(hosts, sizeof(*hosts) * (n_hosts + 1)); + if (hosts == NULL) + return SKDC_CANT; + memset (&hosts[n_hosts].addr, 0, sizeof(hosts[n_hosts].addr)); + hosts[n_hosts].addr.sin_family = host->h_addrtype; + hosts[n_hosts].addr.sin_port = htons(k_host->port); + hosts[n_hosts].proto = k_host->proto; + memcpy(&hosts[n_hosts].addr.sin_addr, p, + sizeof(hosts[n_hosts].addr.sin_addr)); + ++n_hosts; + if (send_recv(pkt, rpkt, hosts[n_hosts-1].proto, + &hosts[n_hosts-1].addr, hosts, n_hosts)) { + retval = KSUCCESS; + goto rtn; + } + if (krb_debug) { + krb_warning("Timeout, error, or wrong descriptor\n"); + } + } } if (no_host) { if (krb_debug) - fprintf(stderr, "%s: can't find any Kerberos host.\n", - prog); + krb_warning("%s: can't find any Kerberos host.\n", + prog); retval = SKDC_CANT; goto rtn; } /* retry each host in sequence */ for (retry = 0; retry < CLIENT_KRB_RETRY; ++retry) { - for (host = hostlist; host->h_name != (char *)NULL; host++) { - to.sin_family = host->h_addrtype; - bcopy(host->h_addr, (char *)&to.sin_addr, - host->h_length); - if (send_recv(pkt, rpkt, f, &to, hostlist)) { - retval = KSUCCESS; - goto rtn; - } + for (i = 0; i < n_hosts; ++i) { + if (send_recv(pkt, rpkt, + hosts[i].proto, + &hosts[i].addr, + hosts, + n_hosts)) { + retval = KSUCCESS; + goto rtn; + } } } retval = SKDC_RETRY; rtn: - 
(void) close(f); - if (hostlist) { - register struct hostent *hp; - for (hp = hostlist; hp->h_name; hp++) -#if defined(h_addr) - if (hp->h_addr_list) { -#endif /* defined(h_addr) */ - if (hp->h_addr) - free(hp->h_addr); -#if defined(h_addr) - free((char *)hp->h_addr_list); - } -#endif /* defined(h_addr) */ - free((char *)hostlist); - } + free(hosts); return(retval); } -/* - * try to send out and receive message. - * return 1 on success, 0 on failure - */ +static int udp_socket(void) +{ + return socket(AF_INET, SOCK_DGRAM, 0); +} -static int -send_recv(pkt, rpkt, f, _to, addrs) - KTEXT pkt; - KTEXT rpkt; - int f; - struct sockaddr_in *_to; - struct hostent *addrs; +static int udp_connect(int s, struct sockaddr_in *adr) +{ + return connect(s, (struct sockaddr*)adr, sizeof(*adr)); +} + +static int udp_send(int s, struct sockaddr_in* adr, KTEXT pkt) { - fd_set readfds; - register struct hostent *hp; - struct sockaddr_in from; - int sin_size; - int numsent; + return send(s, pkt->dat, pkt->length, 0); +} - if (krb_debug) { - if (_to->sin_family == AF_INET) - printf("Sending message to %s...", - inet_ntoa(_to->sin_addr)); - else - printf("Sending message..."); - (void) fflush(stdout); - } - if ((numsent = sendto(f,(char *)(pkt->dat), pkt->length, 0, - (struct sockaddr *)_to, - S_AD_SZ)) != pkt->length) { - if (krb_debug) - printf("sent only %d/%d\n",numsent, pkt->length); - return 0; +static int tcp_socket(void) +{ + return socket(AF_INET, SOCK_STREAM, 0); +} + +static int tcp_connect(int s, struct sockaddr_in *adr) +{ + return connect(s, (struct sockaddr*)adr, sizeof(*adr)); +} + +static int tcp_send(int s, struct sockaddr_in* adr, KTEXT pkt) +{ + unsigned char len[4]; + krb_put_int(pkt->length, len, 4); + if(send(s, len, sizeof(len), 0) != sizeof(len)) + return -1; + return send(s, pkt->dat, pkt->length, 0); +} + +static int udptcp_recv(void *buf, size_t len, KTEXT rpkt) +{ + memcpy(rpkt->dat, buf, len); + rpkt->length = len; + return 0; +} + +static int url_parse(const 
char *url, char *host, size_t len, short *port) +{ + const char *p; + if(strncmp(url, "http://", 7)) + return -1; + url += 7; + strncpy(host, url, len); + p = strchr(url, ':'); + if(p){ + *port = atoi(p+1); + if(p - url >= len) + return -1; + host[p - url] = 0; + }else{ + *port = 80; + host[len - 1] = 0; } - if (krb_debug) { - printf("Sent\nWaiting for reply..."); - (void) fflush(stdout); + return 0; +} + +#define PROXY_VAR "krb4_proxy" + +static int http_connect(int s, struct sockaddr_in *adr) +{ + char *proxy = getenv(PROXY_VAR); + char host[MAXHOSTNAMELEN + 1]; + short port; + struct hostent *hp; + struct sockaddr_in sin; + if(proxy == NULL) + return tcp_connect(s, adr); + if(url_parse(proxy, host, sizeof(host), &port) < 0) + return -1; + hp = gethostbyname(host); + if(hp == NULL) + return -1; + memset(&sin, 0, sizeof(sin)); + sin.sin_family = AF_INET; + memcpy(&sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr)); + sin.sin_port = htons(port); + return connect(s, (struct sockaddr*)&sin, sizeof(sin)); +} + +static int http_send(int s, struct sockaddr_in* adr, KTEXT pkt) +{ + char *str; + char *msg; + + base64_encode(pkt->dat, pkt->length, &str); + if(getenv(PROXY_VAR)){ + asprintf(&msg, "GET http://%s:%d/%s HTTP/1.0\r\n\r\n", + inet_ntoa(adr->sin_addr), + ntohs(adr->sin_port), + str); + }else + asprintf(&msg, "GET %s HTTP/1.0\r\n\r\n", str); + free(str); + + if(send(s, msg, strlen(msg), 0) != strlen(msg)){ + free(msg); + return -1; } - FD_ZERO(&readfds); - FD_SET(f, &readfds); - errno = 0; - /* select - either recv is ready, or timeout */ - /* see if timeout or error or wrong descriptor */ - if (select(f + 1, &readfds, (fd_set *)0, (fd_set *)0, &timeout) < 1 - || !FD_ISSET(f, &readfds)) { - if (krb_debug) { - long rfds; - bcopy(&readfds, &rfds, sizeof(rfds)); - fprintf(stderr, "select failed: readfds=%lx", - rfds); - perror(""); - } - return 0; + free(msg); + return 0; +} + +static int http_recv(void *buf, size_t len, KTEXT rpkt) +{ + char *p; + char *tmp = 
malloc(len + 1); + memcpy(tmp, buf, len); + tmp[len] = 0; + p = strstr(tmp, "\r\n\r\n"); + if(p == NULL){ + free(tmp); + return -1; } - sin_size = sizeof(from); - if (recvfrom(f, (char *)(rpkt->dat), sizeof(rpkt->dat), 0, - (struct sockaddr *)&from, &sin_size) - < 0) { - if (krb_debug) - perror("recvfrom"); - return 0; + p += 4; + memcpy(rpkt->dat, p, (tmp + len) - p); + rpkt->length = (tmp + len) - p; + free(tmp); + return 0; +} + +static struct proto_descr { + int proto; + int stream_flag; + int (*socket)(void); + int (*connect)(int, struct sockaddr_in*); + int (*send)(int, struct sockaddr_in*, KTEXT); + int (*recv)(void*, size_t, KTEXT); +} protos[] = { + { PROTO_UDP, 0, udp_socket, udp_connect, udp_send, udptcp_recv }, + { PROTO_TCP, 1, tcp_socket, tcp_connect, tcp_send, udptcp_recv }, + { PROTO_HTTP, 1, tcp_socket, http_connect, http_send, http_recv } +}; + +static int +send_recv(KTEXT pkt, KTEXT rpkt, int proto, struct sockaddr_in *adr, + struct host *addrs, int n_hosts) +{ + int i; + int s; + unsigned char buf[2048]; + int offset = 0; + + for(i = 0; i < sizeof(protos) / sizeof(protos[0]); i++){ + if(protos[i].proto == proto) + break; } - if (krb_debug) { - printf("received packet from %s\n", inet_ntoa(from.sin_addr)); - fflush(stdout); + if(i == sizeof(protos) / sizeof(protos[0])) + return FALSE; + if((s = (*protos[i].socket)()) < 0) + return FALSE; + if((*protos[i].connect)(s, adr) < 0){ + close(s); + return FALSE; } - for (hp = addrs; hp->h_name != (char *)NULL; hp++) { - if (!bcmp(hp->h_addr, (char *)&from.sin_addr.s_addr, - hp->h_length)) { - if (krb_debug) { - printf("Received it\n"); - (void) fflush(stdout); - } - return 1; - } - if (krb_debug) - fprintf(stderr, - "packet not from %lx\n", - from.sin_addr.s_addr); + if((*protos[i].send)(s, adr, pkt) < 0){ + close(s); + return FALSE; } - if (krb_debug) - fprintf(stderr, "%s: received packet from wrong host! 
(%x)\n", - "send_to_kdc(send_rcv)", (int)from.sin_addr.s_addr); - return 0; + do{ + fd_set readfds; + struct timeval timeout; + int len; + timeout.tv_sec = CLIENT_KRB_TIMEOUT; + timeout.tv_usec = 0; + FD_ZERO(&readfds); + FD_SET(s, &readfds); + + /* select - either recv is ready, or timeout */ + /* see if timeout or error or wrong descriptor */ + if(select(s + 1, &readfds, 0, 0, &timeout) < 1 + || !FD_ISSET(s, &readfds)) { + if (krb_debug) + krb_warning("select failed: errno = %d\n", errno); + close(s); + return FALSE; + } + len = recv(s, buf + offset, sizeof(buf) - offset, 0); + if(len <= 0) + break; + offset += len; + }while(protos[i].stream_flag); + close(s); + if((*protos[i].recv)(buf, offset, rpkt) < 0) + return FALSE; + return TRUE; } diff --git a/kerberosIV/krb/sendauth.c b/kerberosIV/krb/sendauth.c index 14637548597..96ff7c30ba5 100644 --- a/kerberosIV/krb/sendauth.c +++ b/kerberosIV/krb/sendauth.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/sendauth.c,v $ - * - * $Locker: $ - */ +/* $KTH: sendauth.c,v 1.15 1997/04/18 14:11:36 joda Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -29,25 +23,10 @@ or implied warranty. #include "krb_locl.h" -#include <sys/types.h> -#include <netinet/in.h> -#include <syslog.h> - /* - * If the protocol changes, you will need to change the version string - * and make appropriate changes in krb_recvauth.c - */ -#define KRB_SENDAUTH_VERS "AUTHV0.1" /* MUST be KRB_SENDAUTH_VLEN chars */ - - -/* - * This file contains two routines: krb_sendauth() and krb_sendsrv(). - * * krb_sendauth() transmits a ticket over a file descriptor for a * desired service, instance, and realm, doing mutual authentication * with the server if desired. - * - * krb_sendsvc() sends a service name to a remote knetd server. */ /* 
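Review bot: `udptcp_recv` and `http_recv` copy `len` bytes into `rpkt->dat` with no check against `sizeof(rpkt->dat)`; `send_recv` now collects up to `sizeof(buf)` (2048) bytes first, and the removed code bounded its `recvfrom` by `sizeof(rpkt->dat)`, so a KDC reply larger than the KTEXT buffer overruns it — `if(len > sizeof(rpkt->dat)) return -1;` at the top of `udptcp_recv`, and the same check on `(tmp + len) - p` in `http_recv` before its `memcpy`, restores that bound. In send_to_kdc, `hosts = realloc(hosts, ...)` overwrites the only pointer and the `return SKDC_CANT` on failure both leaks the previous block and bypasses the `rtn:` cleanup; assign to a temporary and `goto rtn`. `while ((p = *(host->h_addr_list)++))` advances the pointer inside the `struct hostent` that `gethostbyname` returned, which is typically static storage, so any later reader of that entry sees an exhausted list; walk it with a local `char **ap` instead. `http_send` ignores the return values of `base64_encode` and `asprintf`, so an allocation failure ends in `strlen(msg)` on a null pointer rather than a clean `-1`.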
@@ -113,157 +92,72 @@ or implied warranty. * ticket->length ticket->dat ticket itself */ -/* - * XXX: Note that krb_rd_priv() is coded in such a way that - * "msg_data->app_data" will be pointing into "priv_buf", which - * will disappear when krb_sendauth() returns. - */ - int -krb_sendauth(options, fd, ticket, service, inst, realm, checksum, - msg_data, cred, schedule, laddr, faddr, version) - int32_t options; /* bit-pattern of options */ - int fd; /* file descriptor to write onto */ - KTEXT ticket; /* where to put ticket (return); or +krb_sendauth(int32_t options, /* bit-pattern of options */ + int fd, /* file descriptor to write onto */ + KTEXT ticket, /* where to put ticket (return); or * supplied in case of KOPT_DONT_MK_REQ */ - char *service; /* service name, instance, realm */ - char *inst; /* checksum to include in request */ - char *realm; /* mutual auth MSG_DAT (return) */ - u_int32_t checksum; /* credentials (return) */ - MSG_DAT *msg_data; /* key schedule (return) */ - CREDENTIALS *cred; /* local address */ - struct des_ks_struct *schedule; - struct sockaddr_in *faddr; /* address of foreign host on fd */ - struct sockaddr_in *laddr; - char *version; /* version string */ + char *service, /* service name, instance, realm */ + char *instance, + char *realm, + u_int32_t checksum, /* checksum to include in request */ + MSG_DAT *msg_data, /* mutual auth MSG_DAT (return) */ + CREDENTIALS *cred, /* credentials (return) */ + struct des_ks_struct *schedule, /* key schedule (return) */ + struct sockaddr_in *laddr, /* local address */ + struct sockaddr_in *faddr, /* address of foreign host on fd */ + char *version) /* version string */ { - int rem, i, cc; - char srv_inst[INST_SZ]; - char krb_realm[REALM_SZ]; - char buf[BUFSIZ]; - u_int32_t tkt_len; - u_char priv_buf[1024]; - u_int32_t cksum; - - rem=KSUCCESS; - - /* get current realm if not passed in */ - if (!realm) { - rem = krb_get_lrealm(krb_realm,1); - if (rem != KSUCCESS) - return(rem); - realm = krb_realm; - 
} - - /* copy instance into local storage, canonicalizing if desired */ - if (options & KOPT_DONT_CANON) - (void) strncpy(srv_inst, inst, INST_SZ); - else - (void) strncpy(srv_inst, krb_get_phost(inst), INST_SZ); - - /* get the ticket if desired */ - if (!(options & KOPT_DONT_MK_REQ)) { - rem = krb_mk_req(ticket, service, srv_inst, realm, checksum); - if (rem != KSUCCESS) - return(rem); - } - -#ifdef ATHENA_COMPAT - /* this is only for compatibility with old servers */ - if (options & KOPT_DO_OLDSTYLE) { - (void) snprintf(buf, sizeof(buf), "%d ", ticket->length); - (void) write(fd, buf, strlen(buf)); - (void) write(fd, (char *) ticket->dat, ticket->length); - return(rem); + int ret; + KTEXT_ST buf; + char realrealm[REALM_SZ]; + + if (realm == NULL) { + ret = krb_get_lrealm (realrealm, 1); + if (ret != KSUCCESS) + return ret; + realm = realrealm; } -#endif /* ATHENA_COMPAT */ - /* if mutual auth, get credentials so we have service session - keys for decryption below */ - if (options & KOPT_DO_MUTUAL) - if ((cc = krb_get_cred(service, srv_inst, realm, cred))) - return(cc); - - /* zero the buffer */ - (void) bzero(buf, BUFSIZ); - - /* insert version strings */ - (void) strncpy(buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN); - (void) strncpy(buf+KRB_SENDAUTH_VLEN, version, KRB_SENDAUTH_VLEN); - - /* increment past vers strings */ - i = 2*KRB_SENDAUTH_VLEN; - - /* put ticket length into buffer */ - tkt_len = htonl(ticket->length); - (void) bcopy((char *) &tkt_len, buf+i, sizeof(tkt_len)); - i += sizeof(tkt_len); - - /* put ticket into buffer */ - (void) bcopy((char *) ticket->dat, buf+i, ticket->length); - i += ticket->length; - - /* write the request to the server */ - if ((cc = krb_net_write(fd, buf, i)) != i) - return(cc); - - /* mutual authentication, if desired */ + ret = krb_mk_auth (options, ticket, service, instance, realm, checksum, + version, &buf); + if (ret != KSUCCESS) + return ret; + ret = krb_net_write(fd, buf.dat, buf.length); + if(ret < 0) + return -1; + if 
(options & KOPT_DO_MUTUAL) { - /* get the length of the reply */ - if (krb_net_read(fd, (char *) &tkt_len, sizeof(tkt_len)) != - sizeof(tkt_len)) - return(errno); - tkt_len = ntohl(tkt_len); - - /* if the length is negative, the server failed to recognize us. */ - if ((tkt_len < 0) || (tkt_len > sizeof(priv_buf))) - return(KFAILURE); /* XXX */ - /* read the reply... */ - if (krb_net_read(fd, (char *)priv_buf, (int) tkt_len) != (int) tkt_len) - return(errno); - - /* ...and decrypt it */ -#ifndef NOENCRYPTION - des_key_sched(&cred->session,schedule); -#endif - if ((cc = krb_rd_priv(priv_buf, tkt_len, schedule, - &cred->session, faddr, laddr, msg_data))) - return(cc); - - /* fetch the (modified) checksum */ - (void) bcopy((char *)msg_data->app_data, (char *)&cksum, - sizeof(cksum)); - cksum = ntohl(cksum); - - /* if it doesn't match, fail */ - if (cksum != checksum + 1) - return(KFAILURE); /* XXX */ + char tmp[4]; + u_int32_t len; + char inst[INST_SZ]; + + ret = krb_net_read (fd, tmp, 4); + if (ret < 0) + return -1; + + krb_get_int (tmp, &len, 4, 0); + if (len == 0xFFFFFFFF || len > sizeof(buf.dat)) + return KFAILURE; + buf.length = len; + ret = krb_net_read (fd, buf.dat, len); + if (ret < 0) + return -1; + + if (options & KOPT_DONT_CANON) + strncpy (inst, instance, sizeof(inst)); + else + strncpy (inst, krb_get_phost(instance), sizeof(inst)); + + ret = krb_get_cred (service, inst, realm, cred); + if (ret != KSUCCESS) + return ret; + + des_key_sched(&cred->session, schedule); + + ret = krb_check_auth (&buf, checksum, msg_data, &cred->session, + schedule, laddr, faddr); + if (ret != KSUCCESS) + return ret; } - return(KSUCCESS); -} - -#ifdef ATHENA_COMPAT -/* - * krb_sendsvc - */ - -int -krb_sendsvc(fd, service) - int fd; - char *service; -{ - /* write the service name length and then the service name to - the fd */ - u_int32_t serv_length; - int cc; - - serv_length = htonl(strlen(service)); - if ((cc = krb_net_write(fd, (char *) &serv_length, - sizeof(serv_length))) - 
!= sizeof(serv_length)) - return(cc); - if ((cc = krb_net_write(fd, service, strlen(service))) - != strlen(service)) - return(cc); - return(KSUCCESS); + return KSUCCESS; } -#endif /* ATHENA_COMPAT */ diff --git a/kerberosIV/krb/shlib_version b/kerberosIV/krb/shlib_version index 890c57389b5..3066b9771e7 100644 --- a/kerberosIV/krb/shlib_version +++ b/kerberosIV/krb/shlib_version @@ -1,2 +1,2 @@ -major=4 -minor=1 +major=5 +minor=0 diff --git a/kerberosIV/krb/fgetst.c b/kerberosIV/krb/stime.c index dfc268fb3f2..b3f5ce270ec 100644 --- a/kerberosIV/krb/fgetst.c +++ b/kerberosIV/krb/stime.c @@ -1,14 +1,8 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/fgetst.c,v $ - * - * $Locker: $ - */ - -/* - Copyright (C) 1989 by the Massachusetts Institute of Technology +/* $KTH: stime.c,v 1.6 1997/05/02 14:29:20 assar Exp $ */ +/* + Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute of Technology. + Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating 
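Review bot: The two reply reads in the KOPT_DO_MUTUAL branch only reject a negative return from krb_net_read, so a short read of the 4-byte length or of the `len` payload is accepted and buf.length is set to `len` regardless of how many bytes actually arrived before the buffer goes to krb_check_auth; the removed code compared against the expected size. Unless krb_net_read is guaranteed to return either the full count or a negative value, the checks should be `if (ret != 4) return -1;` and `if (ret < 0 || (u_int32_t)ret != len) return -1;`. The two `strncpy (inst, ..., sizeof(inst))` calls also leave inst unterminated when the instance fills INST_SZ, so add `inst[sizeof(inst) - 1] = '\0';` before krb_get_cred. The whole of krb_sendauth is inside this hunk.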
@@ -25,31 +19,28 @@ permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. - */ + */ #include "krb_locl.h" /* - * fgetst takes a file descriptor, a character pointer, and a count. - * It reads from the file it has either read "count" characters, or - * until it reads a null byte. When finished, what has been read exists - * in "s". If "count" characters were actually read, the last is changed - * to a null, so the returned string is always null-terminated. fgetst - * returns the number of characters read, including the null terminator. + * Given a pointer to a long containing the number of seconds + * since the beginning of time (midnight 1 Jan 1970 GMT), return + * a string containing the local time in the form: + * + * "25-Jan-1988 10:17:56" */ -int -fgetst(f, s, n) - FILE *f; - register char *s; - int n; +const char * +krb_stime(time_t *t) { - register count = n; - int ch; /* NOT char; otherwise you don't see EOF */ - - while ((ch = getc(f)) != EOF && ch && --count) { - *s++ = ch; - } - *s = '\0'; - return (n - count); + static char st[40]; + struct tm *tm; + + tm = localtime(t); + snprintf(st, sizeof(st), + "%2d-%s-%04d %02d:%02d:%02d",tm->tm_mday, + month_sname(tm->tm_mon + 1),tm->tm_year + 1900, + tm->tm_hour, tm->tm_min, tm->tm_sec); + return st; } diff --git a/kerberosIV/krb/str2key.c b/kerberosIV/krb/str2key.c index 681f4bfee57..8e967a63610 100644 --- a/kerberosIV/krb/str2key.c +++ b/kerberosIV/krb/str2key.c 
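Review bot: krb_stime dereferences the result of `localtime(t)` in the snprintf call without checking it, and localtime returns NULL when it cannot convert the value; a guard such as `if (tm == NULL) return "<bad time>";` before the snprintf avoids the NULL dereference. The returned pointer is also into the static array `st`, which the next call overwrites, and the new header comment does not say so; add a line to it along the lines of `Returns a pointer to static storage that is overwritten by the next call.`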
@@ -1,13 +1,6 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/str2key.c,v $ - * - * $Locker: $ - */ +/* $KTH: str2key.c,v 1.10 1997/03/23 03:53:19 joda Exp $ */ -/* - * This defines the Andrew string_to_key function. It accepts a password +/* This defines the Andrew string_to_key function. It accepts a password * string as input and converts its via a one-way encryption algorithm to a DES * encryption key. It is compatible with the original Andrew authentication * service password database. @@ -15,13 +8,8 @@ #include "krb_locl.h" -/* -EXPORT void afs_string_to_key(char *passwd, char *cell, des_cblock *key); -*/ - static void -mklower(s) - char *s; +mklower(char *s) { for (; *s; s++) if ('A' <= *s && *s <= 'Z') @@ -32,17 +20,14 @@ mklower(s) * Short passwords, i.e 8 characters or less. */ static void -afs_cmu_StringToKey (str, cell, key) - char *str; - char *cell; - des_cblock *key; +afs_cmu_StringToKey (char *str, char *cell, des_cblock *key) { char password[8+1]; /* crypt is limited to 8 chars anyway */ int i; int passlen; - bzero (key, sizeof(key)); - bzero(password, sizeof(password)); + memset (key, 0, sizeof(key)); + memset(password, 0, sizeof(password)); strncpy (password, cell, 8); passlen = strlen (str); @@ -56,7 +41,7 @@ afs_cmu_StringToKey (str, cell, key) /* crypt only considers the first 8 characters of password but for some reason returns eleven characters of result (plus the two salt chars). */ - strncpy((void *)key, (char *)des_crypt(password, "#~") + 2, sizeof(des_cblock)); + strncpy((char *)key, (char *)crypt(password, "#~") + 2, sizeof(des_cblock)); /* parity is inserted into the LSB so leftshift each byte up one bit. This allows ascii characters with a zero MSB to retain as much significance 
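Review bot: In afs_cmu_StringToKey, `memset (key, 0, sizeof(key));` clears sizeof a `des_cblock *`, i.e. the size of the pointer, not the 8-byte block it points to; the strncpy below happens to write all sizeof(des_cblock) bytes so the result is still fully set, but the clear should be `memset (key, 0, sizeof(*key));` so it does not depend on that. In the following hunk of the same function the return of `crypt(password, "#~")` is offset by 2 and passed to strncpy without a NULL check, so on implementations where crypt can fail this dereferences NULL; the result should be checked before use.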
@@ -72,38 +57,30 @@ afs_cmu_StringToKey (str, cell, key) des_fixup_key_parity (key); } -#undef BUFSIZ -#define BUFSIZ 512 - /* * Long passwords, i.e 9 characters or more. -*/ + */ static void -afs_transarc_StringToKey (str, cell, key) - char *str; - char *cell; - des_cblock *key; +afs_transarc_StringToKey (char *str, char *cell, des_cblock *key) { des_key_schedule schedule; des_cblock temp_key; des_cblock ivec; - char password[BUFSIZ]; + char password[512]; int passlen; - strncpy (password, str, sizeof(password)-1); - password[sizeof(password)-1] = '\0'; + strncpy (password, str, sizeof(password)); if ((passlen = strlen (password)) < sizeof(password)-1) strncat (password, cell, sizeof(password)-passlen); - if ((passlen = strlen(password)) > sizeof(password)) - passlen = sizeof(password); + if ((passlen = strlen(password)) > sizeof(password)) passlen = sizeof(password); - bcopy ("kerberos", &ivec, 8); - bcopy ("kerberos", &temp_key, 8); + memcpy(&ivec, "kerberos", 8); + memcpy(&temp_key, "kerberos", 8); des_fixup_key_parity (&temp_key); des_key_sched (&temp_key, schedule); des_cbc_cksum ((des_cblock *)password, &ivec, passlen, schedule, &ivec); - bcopy (&ivec, &temp_key, 8); + memcpy(&temp_key, &ivec, 8); des_fixup_key_parity (&temp_key); des_key_sched (&temp_key, schedule); des_cbc_cksum ((des_cblock *)password, key, passlen, schedule, &ivec); @@ -111,18 +88,13 @@ afs_transarc_StringToKey (str, cell, key) des_fixup_key_parity (key); } -#undef REALM_SZ -#define REALM_SZ 41 - void -afs_string_to_key(str, cell, key) - char *str; - char *cell; - des_cblock *key; +afs_string_to_key(char *str, char *cell, des_cblock *key) { - char realm[REALM_SZ]; - (void)strcpy(realm, cell); - (void)mklower(realm); + char realm[REALM_SZ+1]; + strncpy(realm, cell, REALM_SZ); + realm[REALM_SZ] = 0; + mklower(realm); if (strlen(str) > 8) afs_transarc_StringToKey (str, realm, key); 
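Review bot: The new `strncpy (password, str, sizeof(password));` in afs_transarc_StringToKey drops the `password[sizeof(password)-1] = '\0';` the old code had, so a str of 512 or more characters leaves password unterminated and the following `strlen (password)` and strncat read past the buffer. Restore the terminator after the copy: `password[sizeof(password) - 1] = '\0';`. The strncat bound `sizeof(password)-passlen` is also one too large, since strncat appends up to n characters and then a NUL; `sizeof(password) - passlen - 1` is the safe count.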
diff --git a/kerberosIV/krb/strtok_r.c b/kerberosIV/krb/strtok_r.c new file mode 100644 index 00000000000..30c4874d469 --- /dev/null +++ b/kerberosIV/krb/strtok_r.c 
@@ -0,0 +1,61 @@ +/* $KTH: strtok_r.c,v 1.4 1997/05/19 03:05:47 assar Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include <string.h> + +char * +strtok_r(char *s1, const char *s2, char **lasts) +{ + char *ret; + + if (s1 == NULL) + s1 = *lasts; + while(*s1 && strchr(s2, *s1)) + ++s1; + if(*s1 == '\0') + return NULL; + ret = s1; + while(*s1 && !strchr(s2, *s1)) + ++s1; + if(*s1) + *s1++ = '\0'; + *lasts = s1; + return ret; +} diff --git a/kerberosIV/krb/tf_util.c b/kerberosIV/krb/tf_util.c index 37254df1cc1..f37c2f242d6 100644 --- a/kerberosIV/krb/tf_util.c +++ b/kerberosIV/krb/tf_util.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/tf_util.c,v $ - * - * $Locker: $ - */ +/* $KTH: tf_util.c,v 1.25 1997/11/04 09:44:28 bg Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -26,29 +20,18 @@ this software for any purpose. It is provided "as is" without express or implied warranty. */ - + #include "krb_locl.h" -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/file.h> - -#ifdef TKT_SHMEM -#include <sys/param.h> -#include <sys/ipc.h> -#include <sys/shm.h> -#endif /* TKT_SHMEM */ - #define TOO_BIG -1 #define TF_LCK_RETRY ((unsigned)2) /* seconds to sleep before * retry if ticket file is * locked */ +#define TF_LCK_RETRY_COUNT (50) /* number of retries */ -#ifdef TKT_SHMEM -static char *krb_shm_addr = 0; -static char *tmp_shm_addr = 0; -static char krb_dummy_skey[8] = {0,0,0,0,0,0,0,0}; -#endif /* TKT_SHMEM */ +#ifndef O_BINARY +#define O_BINARY 0 +#endif /* * fd must be initialized to something that won't ever occur as a real 
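Review bot: strtok_r has no comment stating its contract, in particular that when s1 is NULL the function reads `*lasts` unconditionally, so the first call must pass a non-NULL s1 and the same lasts must be handed to every continuation call. Suggest a header comment above the definition: `/* Reentrant strtok: a non-NULL s1 starts a new scan; s1 == NULL continues from *lasts, which must hold the value stored by the previous call. The input string is modified in place. */`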
@@ -63,12 +46,13 @@ static char krb_dummy_skey[8] = {0,0,0,0,0,0,0,0}; * c. In tf_close, be sure it gets reinitialized to a negative * number. */ -static fd = -1; -static curpos; /* Position in tfbfr */ -static lastpos; /* End of tfbfr */ +static int fd = -1; +static int curpos; /* Position in tfbfr */ +static int lastpos; /* End of tfbfr */ static char tfbfr[BUFSIZ]; /* Buffer for ticket data */ -static tf_gets(register char *s, int n), tf_read(register char *s, register int n); +static int tf_gets(char *s, int n); +static int tf_read(void *s, int n); /* * This file contains routines for manipulating the ticket cache file. @@ -101,8 +85,12 @@ static tf_gets(register char *s, int n), tf_read(register char *s, register int * * tf_get_pname() returns the principal's name. * + * tf_put_pname() writes the principal's name to the ticket file. + * * tf_get_pinst() returns the principal's instance (may be null). * + * tf_put_pinst() writes the instance. + * * tf_get_cred() returns the next CREDENTIALS record. * * tf_save_cred() appends a new CREDENTIAL record to the ticket file. 
@@ -133,133 +121,148 @@ static tf_gets(register char *s, int n), tf_read(register char *s, register int */ int -tf_init(tf_name, rw) - char *tf_name; - int rw; +tf_init(char *tf_name, int rw) { - int wflag; - uid_t me, getuid(void); - struct stat stat_buf; -#ifdef TKT_SHMEM - char shmidname[MaxPathLen]; - FILE *sfp; - int shmid; -#endif - - switch (rw) { - case R_TKT_FIL: - wflag = 0; - break; - case W_TKT_FIL: - wflag = 1; - break; + /* Unix implementation */ + int wflag; + struct stat stat_buf; + int i_retry; + + switch (rw) { + case R_TKT_FIL: + wflag = 0; + break; + case W_TKT_FIL: + wflag = 1; + break; + default: + if (krb_debug) + krb_warning("tf_init: illegal parameter\n"); + return TKT_FIL_ACC; + } + if (lstat(tf_name, &stat_buf) < 0) + switch (errno) { + case ENOENT: + return NO_TKT_FIL; default: - if (krb_debug) fprintf(stderr, "tf_init: illegal parameter\n"); - return TKT_FIL_ACC; + return TKT_FIL_ACC; } - if (lstat(tf_name, &stat_buf) < 0) - switch (errno) { - case ENOENT: - return NO_TKT_FIL; - default: - return TKT_FIL_ACC; - } - me = getuid(); - if ((stat_buf.st_uid != me && me != 0) || - ((stat_buf.st_mode & S_IFMT) != S_IFREG)) - return TKT_FIL_ACC; -#ifdef TKT_SHMEM - (void) strcpy(shmidname, tf_name); - (void) strcat(shmidname, ".shm"); - if (stat(shmidname,&stat_buf) < 0) - return(TKT_FIL_ACC); - if ((stat_buf.st_uid != me && me != 0) || - ((stat_buf.st_mode & S_IFMT) != S_IFREG)) - return TKT_FIL_ACC; -#endif /* TKT_SHMEM */ - - /* - * If "wflag" is set, open the ticket file in append-writeonly mode - * and lock the ticket file in exclusive mode. If unable to lock - * the file, sleep and try again. If we fail again, return with the - * proper error message. 
- */ - - curpos = sizeof(tfbfr); - -#ifdef TKT_SHMEM - sfp = fopen(shmidname, "r"); /* only need read/write on the - actual tickets */ - if (sfp == 0) - return TKT_FIL_ACC; - shmid = -1; - { - char buf[BUFSIZ]; - int val; /* useful for debugging fscanf */ - /* We provide our own buffer here since some STDIO libraries - barf on unbuffered input with fscanf() */ - - setbuf(sfp, buf); - if ((val = fscanf(sfp,"%d",&shmid)) != 1) { - (void) fclose(sfp); - return TKT_FIL_ACC; - } - if (shmid < 0) { - (void) fclose(sfp); - return TKT_FIL_ACC; - } - (void) fclose(sfp); + if (!S_ISREG(stat_buf.st_mode)) + return TKT_FIL_ACC; + + /* The code tries to guess when the calling program is running + * set-uid and prevent unauthorized access. + * + * All library functions now assume that the right set of userids + * are set upon entry, therefore it's not strictly necessary to + * perform these test for programs adhering to these assumptions. + */ + { + uid_t me = getuid(); + if (stat_buf.st_uid != me && me != 0) + return TKT_FIL_ACC; + } + + /* + * If "wflag" is set, open the ticket file in append-writeonly mode + * and lock the ticket file in exclusive mode. If unable to lock + * the file, sleep and try again. If we fail again, return with the + * proper error message. + */ + + curpos = sizeof(tfbfr); + + + if (wflag) { + fd = open(tf_name, O_RDWR | O_BINARY, 0600); + if (fd < 0) { + return TKT_FIL_ACC; } - /* - * global krb_shm_addr is initialized to 0. Ultrix bombs when you try and - * attach the same segment twice so we need this check. 
- */ - if (!krb_shm_addr) { - if ((krb_shm_addr = shmat(shmid,0,0)) == -1){ - if (krb_debug) - fprintf(stderr, - "cannot attach shared memory for segment %d\n", - shmid); - krb_shm_addr = 0; /* reset so we catch further errors */ - return TKT_FIL_ACC; - } + for (i_retry = 0; i_retry < TF_LCK_RETRY_COUNT; i_retry++) { + if (k_flock(fd, K_LOCK_EX | K_LOCK_NB) < 0) { + if (krb_debug) + krb_warning("tf_init: retry %d of write lock of `%s'.\n", + i_retry, tf_name); + sleep (TF_LCK_RETRY); + } else { + return KSUCCESS; /* all done */ + } } - tmp_shm_addr = krb_shm_addr; -#endif /* TKT_SHMEM */ - - if (wflag) { - fd = open(tf_name, O_RDWR, 0600); - if (fd < 0) { - return TKT_FIL_ACC; - } - if (flock(fd, LOCK_EX | LOCK_NB) < 0) { - sleep(TF_LCK_RETRY); - if (flock(fd, LOCK_EX | LOCK_NB) < 0) { - (void) close(fd); - fd = -1; - return TKT_FIL_LCK; - } - } - return KSUCCESS; + close (fd); + fd = -1; + return TKT_FIL_LCK; + } + /* + * Otherwise "wflag" is not set and the ticket file should be opened + * for read-only operations and locked for shared access. + */ + + fd = open(tf_name, O_RDONLY | O_BINARY, 0600); + if (fd < 0) { + return TKT_FIL_ACC; + } + + for (i_retry = 0; i_retry < TF_LCK_RETRY_COUNT; i_retry++) { + if (k_flock(fd, K_LOCK_SH | K_LOCK_NB) < 0) { + if (krb_debug) + krb_warning("tf_init: retry %d of read lock of `%s'.\n", + i_retry, tf_name); + sleep (TF_LCK_RETRY); + } else { + return KSUCCESS; /* all done */ } - /* - * Otherwise "wflag" is not set and the ticket file should be opened - * for read-only operations and locked for shared access. - */ + } + /* failure */ + close(fd); + fd = -1; + return TKT_FIL_LCK; +} - fd = open(tf_name, O_RDONLY, 0600); - if (fd < 0) { - return TKT_FIL_ACC; +/* + * tf_create() should be called when creating a new ticket file. + * The only argument is the name of the ticket file. + * After calling this, it should be possible to use other tf_* functions. + * + * New algoritm for creating ticket file: + * 1. 
try to erase contents of existing file. + * 2. try to remove old file. + * 3. try to open with O_CREAT and O_EXCL + * 4. if this fails, someone has created a file in between 1 and 2 and + * we should fail. Otherwise, all is wonderful. + */ + +int +tf_create(char *tf_name) +{ + struct stat statbuf; + char garbage[BUFSIZ]; + + fd = open(tf_name, O_RDWR | O_BINARY, 0); + if (fd >= 0) { + if (fstat (fd, &statbuf) == 0) { + int i; + + for (i = 0; i < statbuf.st_size; i += sizeof(garbage)) + write (fd, garbage, sizeof(garbage)); } - if (flock(fd, LOCK_SH | LOCK_NB) < 0) { - sleep(TF_LCK_RETRY); - if (flock(fd, LOCK_SH | LOCK_NB) < 0) { - (void) close(fd); - fd = -1; - return TKT_FIL_LCK; - } + close (fd); + } + + if (unlink (tf_name) && errno != ENOENT) + return TKT_FIL_ACC; + + fd = open(tf_name, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600); + if (fd < 0) + return TKT_FIL_ACC; + if (k_flock(fd, K_LOCK_EX | K_LOCK_NB) < 0) { + sleep(TF_LCK_RETRY); + if (k_flock(fd, K_LOCK_EX | K_LOCK_NB) < 0) { + close(fd); + fd = -1; + return TKT_FIL_LCK; } - return KSUCCESS; + } + return KSUCCESS; } /* 
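Review bot: In tf_create, `garbage` is never initialized before the erase loop writes it over the old file, so the overwrite consists of whatever the stack happened to hold (an uninitialized read, and those stack bytes end up on disk), and the return of write() is ignored so a failed erase goes unnoticed. Initialize the buffer first, `memset(garbage, 0, sizeof(garbage));`, and break out of the loop when write returns less than sizeof(garbage). Unlike tf_init in the same hunk, which lstat()s tf_name and rejects anything that is not a regular file, the first open() here follows whatever tf_name refers to before overwriting and unlinking it; an lstat/S_ISREG check before that open would make the two functions consistent.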
@@ -272,17 +275,41 @@ tf_init(tf_name, rw) */ int -tf_get_pname(p) - char *p; +tf_get_pname(char *p) { - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_get_pname called before tf_init.\n"); - return TKT_FIL_INI; + if (fd < 0) { + if (krb_debug) + krb_warning("tf_get_pname called before tf_init.\n"); + return TKT_FIL_INI; + } + if (tf_gets(p, ANAME_SZ) < 2) /* can't be just a null */ + { + if (krb_debug) + krb_warning ("tf_get_pname: pname < 2.\n"); + return TKT_FIL_FMT; } - if (tf_gets(p, ANAME_SZ) < 2) /* can't be just a null */ - return TKT_FIL_FMT; - return KSUCCESS; + return KSUCCESS; +} + +/* + * tf_put_pname() sets the principal's name in the ticket file. Call + * after tf_create(). + */ + +int +tf_put_pname(char *p) +{ + unsigned count; + + if (fd < 0) { + if (krb_debug) + krb_warning("tf_put_pname called before tf_create.\n"); + return TKT_FIL_INI; + } + count = strlen(p)+1; + if (write(fd,p,count) != count) + return(KFAILURE); + return KSUCCESS; } /* @@ -296,17 +323,41 @@ tf_get_pname(p) */ int -tf_get_pinst(inst) - char *inst; +tf_get_pinst(char *inst) { - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_get_pinst called before tf_init.\n"); - return TKT_FIL_INI; + if (fd < 0) { + if (krb_debug) + krb_warning("tf_get_pinst called before tf_init.\n"); + return TKT_FIL_INI; + } + if (tf_gets(inst, INST_SZ) < 1) + { + if (krb_debug) + krb_warning("tf_get_pinst: inst_sz < 1.\n"); + return TKT_FIL_FMT; } - if (tf_gets(inst, INST_SZ) < 1) - return TKT_FIL_FMT; - return KSUCCESS; + return KSUCCESS; +} + +/* + * tf_put_pinst writes the principal's instance to the ticket file. + * Call after tf_create. + */ + +int +tf_put_pinst(char *inst) +{ + unsigned count; + + if (fd < 0) { + if (krb_debug) + krb_warning("tf_put_pinst called before tf_create.\n"); + return TKT_FIL_INI; + } + count = strlen(inst)+1; + if (write(fd,inst,count) != count) + return(KFAILURE); + return KSUCCESS; } /* 
@@ -321,61 +372,68 @@ tf_get_pinst(inst) */ int -tf_get_cred(c) - CREDENTIALS *c; +tf_get_cred(CREDENTIALS *c) { - KTEXT ticket = &c->ticket_st; /* pointer to ticket */ - int k_errno; - - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_get_cred called before tf_init.\n"); - return TKT_FIL_INI; + KTEXT ticket = &c->ticket_st; /* pointer to ticket */ + int k_errno; + + if (fd < 0) { + if (krb_debug) + krb_warning ("tf_get_cred called before tf_init.\n"); + return TKT_FIL_INI; + } + if ((k_errno = tf_gets(c->service, SNAME_SZ)) < 2) + switch (k_errno) { + case TOO_BIG: + if (krb_debug) + krb_warning("tf_get_cred: too big service cred.\n"); + case 1: /* can't be just a null */ + tf_close(); + if (krb_debug) + krb_warning("tf_get_cred: null service cred.\n"); + return TKT_FIL_FMT; + case 0: + return EOF; } - if ((k_errno = tf_gets(c->service, SNAME_SZ)) < 2) - switch (k_errno) { - case TOO_BIG: - case 1: /* can't be just a null */ - tf_close(); - return TKT_FIL_FMT; - case 0: - return EOF; - } - if ((k_errno = tf_gets(c->instance, INST_SZ)) < 1) - switch (k_errno) { - case TOO_BIG: - return TKT_FIL_FMT; - case 0: - return EOF; - } - if ((k_errno = tf_gets(c->realm, REALM_SZ)) < 2) - switch (k_errno) { - case TOO_BIG: - case 1: /* can't be just a null */ - tf_close(); - return TKT_FIL_FMT; - case 0: - return EOF; - } - if ( - tf_read((char *) (c->session), DES_KEY_SZ) < 1 || - tf_read((char *) &(c->lifetime), sizeof(c->lifetime)) < 1 || - tf_read((char *) &(c->kvno), sizeof(c->kvno)) < 1 || - tf_read((char *) &(ticket->length), sizeof(ticket->length)) - < 1 || - /* don't try to read a silly amount into ticket->dat */ - ticket->length > MAX_KTXT_LEN || - tf_read((char *) (ticket->dat), ticket->length) < 1 || - tf_read((char *) &(c->issue_date), sizeof(c->issue_date)) < 1 - ) { - tf_close(); - return TKT_FIL_FMT; + if ((k_errno = tf_gets(c->instance, INST_SZ)) < 1) + switch (k_errno) { + case TOO_BIG: + if (krb_debug) + krb_warning ("tf_get_cred: too big instance 
cred.\n"); + return TKT_FIL_FMT; + case 0: + return EOF; } -#ifdef TKT_SHMEM - bcopy(tmp_shm_addr,c->session,KEY_SZ); - tmp_shm_addr += KEY_SZ; -#endif /* TKT_SHMEM */ - return KSUCCESS; + if ((k_errno = tf_gets(c->realm, REALM_SZ)) < 2) + switch (k_errno) { + case TOO_BIG: + if (krb_debug) + krb_warning ("tf_get_cred: too big realm cred.\n"); + case 1: /* can't be just a null */ + tf_close(); + if (krb_debug) + krb_warning ("tf_get_cred: null realm cred.\n"); + return TKT_FIL_FMT; + case 0: + return EOF; + } + if ( + tf_read((c->session), DES_KEY_SZ) < 1 || + tf_read(&(c->lifetime), sizeof(c->lifetime)) < 1 || + tf_read(&(c->kvno), sizeof(c->kvno)) < 1 || + tf_read(&(ticket->length), sizeof(ticket->length)) + < 1 || + /* don't try to read a silly amount into ticket->dat */ + ticket->length > MAX_KTXT_LEN || + tf_read((ticket->dat), ticket->length) < 1 || + tf_read(&(c->issue_date), sizeof(c->issue_date)) < 1 + ) { + tf_close(); + if (krb_debug) + krb_warning ("tf_get_cred: failed tf_read.\n"); + return TKT_FIL_FMT; + } + return KSUCCESS; } /* @@ -387,23 +445,14 @@ tf_get_cred(c) */ void -tf_close() +tf_close(void) { - if (!(fd < 0)) { -#ifdef TKT_SHMEM - if (shmdt(krb_shm_addr)) { - /* what kind of error? */ - if (krb_debug) - fprintf(stderr, "shmdt 0x%x: errno %d",krb_shm_addr, errno); - } else { - krb_shm_addr = 0; - } -#endif /* TKT_SHMEM */ - (void) flock(fd, LOCK_UN); - (void) close(fd); - fd = -1; /* see declaration of fd above */ - } - bzero(tfbfr, sizeof(tfbfr)); + if (!(fd < 0)) { + k_flock(fd, K_LOCK_UN); + close(fd); + fd = -1; /* see declaration of fd above */ + } + memset(tfbfr, 0, sizeof(tfbfr)); } /* 
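Review bot: In the service and realm switches of tf_get_cred, the krb_warning added under `case TOO_BIG:` falls through into `case 1:`, so a too-long field now logs both the "too big" and the "null ... cred" message, and the fall-through itself is unmarked. Either mark it with `/* fallthrough */` and move the second warning so it only fires for the `case 1` path, or give TOO_BIG its own `tf_close(); return TKT_FIL_FMT;`. The whole of tf_get_cred is inside this hunk.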
@@ -425,32 +474,30 @@ tf_close() */ static int -tf_gets(s, n) - register char *s; - int n; +tf_gets(char *s, int n) { - register count; - - if (fd < 0) { - if (krb_debug) - fprintf(stderr, "tf_gets called before tf_init.\n"); - return TKT_FIL_INI; + int count; + + if (fd < 0) { + if (krb_debug) + krb_warning ("tf_gets called before tf_init.\n"); + return TKT_FIL_INI; + } + for (count = n - 1; count > 0; --count) { + if (curpos >= sizeof(tfbfr)) { + lastpos = read(fd, tfbfr, sizeof(tfbfr)); + curpos = 0; } - for (count = n - 1; count > 0; --count) { - if (curpos >= sizeof(tfbfr)) { - lastpos = read(fd, tfbfr, sizeof(tfbfr)); - curpos = 0; - } - if (curpos == lastpos) { - tf_close(); - return 0; - } - *s = tfbfr[curpos++]; - if (*s++ == '\0') - return (n - count); + if (curpos == lastpos) { + tf_close(); + return 0; } - tf_close(); - return TOO_BIG; + *s = tfbfr[curpos++]; + if (*s++ == '\0') + return (n - count); + } + tf_close(); + return TOO_BIG; } /* @@ -467,28 +514,25 @@ tf_gets(s, n) */ static int -tf_read(s, n) - register char *s; - register int n; +tf_read(void *v, int n) { - register count; + char *s = (char *)v; + int count; - for (count = n; count > 0; --count) { - if (curpos >= sizeof(tfbfr)) { - lastpos = read(fd, tfbfr, sizeof(tfbfr)); - curpos = 0; - } - if (curpos == lastpos) { - tf_close(); - return 0; - } - *s++ = tfbfr[curpos++]; + for (count = n; count > 0; --count) { + if (curpos >= sizeof(tfbfr)) { + lastpos = read(fd, tfbfr, sizeof(tfbfr)); + curpos = 0; + } + if (curpos == lastpos) { + tf_close(); + return 0; } - return n; + *s++ = tfbfr[curpos++]; + } + return n; } -char *tkt_string(void); - /* * tf_save_cred() appends an incoming ticket to the end of the ticket * file. You must call tf_init() before calling tf_save_cred(). 
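Review bot: In tf_gets, `lastpos = read(fd, tfbfr, sizeof(tfbfr));` stores -1 when read fails, and since curpos (reset to 0) never equals -1 the loop then hands out stale tfbfr contents as ticket data until the index wraps around to another read; tf_read in the following hunk has the same pattern. Treat an error like end of file by adding `if (lastpos < 0) lastpos = 0;` after the read in both functions, so the existing `curpos == lastpos` test closes the file and returns 0.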
@@ -502,89 +546,102 @@ char *tkt_string(void); * Returns KSUCCESS if all goes well, TKT_FIL_INI if tf_init() wasn't * called previously, and KFAILURE for anything else that went wrong. */ - + +int +tf_save_cred(char *service, /* Service name */ + char *instance, /* Instance */ + char *realm, /* Auth domain */ + unsigned char *session, /* Session key */ + int lifetime, /* Lifetime */ + int kvno, /* Key version number */ + KTEXT ticket, /* The ticket itself */ + u_int32_t issue_date) /* The issue time */ +{ + int count; /* count for write */ + + if (fd < 0) { /* fd is ticket file as set by tf_init */ + if (krb_debug) + krb_warning ("tf_save_cred called before tf_init.\n"); + return TKT_FIL_INI; + } + /* Find the end of the ticket file */ + lseek(fd, 0L, SEEK_END); + + /* Write the ticket and associated data */ + /* Service */ + count = strlen(service) + 1; + if (write(fd, service, count) != count) + goto bad; + /* Instance */ + count = strlen(instance) + 1; + if (write(fd, instance, count) != count) + goto bad; + /* Realm */ + count = strlen(realm) + 1; + if (write(fd, realm, count) != count) + goto bad; + /* Session key */ + if (write(fd, session, 8) != 8) + goto bad; + /* Lifetime */ + if (write(fd, &lifetime, sizeof(int)) != sizeof(int)) + goto bad; + /* Key vno */ + if (write(fd, &kvno, sizeof(int)) != sizeof(int)) + goto bad; + /* Tkt length */ + if (write(fd, &(ticket->length), sizeof(int)) != + sizeof(int)) + goto bad; + /* Ticket */ + count = ticket->length; + if (write(fd, ticket->dat, count) != count) + goto bad; + /* Issue date */ + if (write(fd, &issue_date, sizeof(issue_date)) != sizeof(issue_date)) + goto bad; + + return (KSUCCESS); +bad: + return (KFAILURE); +} + int -tf_save_cred(service, instance, realm, session, - lifetime, kvno, ticket, issue_date) - char *service; /* Service name */ - char *instance; /* Instance */ - char *realm; /* Auth domain */ - unsigned char *session; /* Session key */ - int lifetime; /* Lifetime */ - int kvno; /* Key version 
number */ - KTEXT ticket; /* The ticket itself */ - u_int32_t issue_date; /* The issue time */ +tf_setup(CREDENTIALS *cred, char *pname, char *pinst) { + int ret; + ret = tf_create(tkt_string()); + if (ret != KSUCCESS) + return ret; + + if (tf_put_pname(pname) != KSUCCESS || + tf_put_pinst(pinst) != KSUCCESS) { + tf_close(); + return INTK_ERR; + } - off_t lseek(int, off_t, int); - int count; /* count for write */ -#ifdef TKT_SHMEM - int *skey_check; -#endif /* TKT_SHMEM */ + ret = tf_save_cred(cred->service, cred->instance, cred->realm, + cred->session, cred->lifetime, cred->kvno, + &cred->ticket_st, cred->issue_date); + tf_close(); + return ret; +} - if (fd < 0) { /* fd is ticket file as set by tf_init */ - if (krb_debug) - fprintf(stderr, "tf_save_cred called before tf_init.\n"); - return TKT_FIL_INI; +int +in_tkt(char *pname, char *pinst) +{ + int ret; + + ret = tf_create (tkt_string()); + if (ret != KSUCCESS) + return ret; + + if (tf_put_pname(pname) != KSUCCESS || + tf_put_pinst(pinst) != KSUCCESS) { + tf_close(); + return INTK_ERR; } - /* Find the end of the ticket file */ - (void) lseek(fd, 0L, 2); -#ifdef TKT_SHMEM - /* scan to end of existing keys: pick first 'empty' slot. - we assume that no real keys will be completely zero (it's a weak - key under DES) */ - - skey_check = (int *) krb_shm_addr; - - while (*skey_check && *(skey_check+1)) - skey_check += 2; - tmp_shm_addr = (char *)skey_check; -#endif /* TKT_SHMEM */ - - /* Write the ticket and associated data */ - /* Service */ - count = strlen(service) + 1; - if (write(fd, service, count) != count) - goto bad; - /* Instance */ - count = strlen(instance) + 1; - if (write(fd, instance, count) != count) - goto bad; - /* Realm */ - count = strlen(realm) + 1; - if (write(fd, realm, count) != count) - goto bad; - /* Session key */ -#ifdef TKT_SHMEM - bcopy(session,tmp_shm_addr,8); - tmp_shm_addr+=8; - if (write(fd,krb_dummy_skey,8) != 8) - goto bad; -#else /* ! 
TKT_SHMEM */ - if (write(fd, (char *) session, 8) != 8) - goto bad; -#endif /* TKT_SHMEM */ - /* Lifetime */ - if (write(fd, (char *) &lifetime, sizeof(int)) != sizeof(int)) - goto bad; - /* Key vno */ - if (write(fd, (char *) &kvno, sizeof(int)) != sizeof(int)) - goto bad; - /* Tkt length */ - if (write(fd, (char *) &(ticket->length), sizeof(int)) != - sizeof(int)) - goto bad; - /* Ticket */ - count = ticket->length; - if (write(fd, (char *) (ticket->dat), count) != count) - goto bad; - /* Issue date */ - if (write(fd, (char *) &issue_date, sizeof(issue_date)) - != sizeof(issue_date)) - goto bad; - - /* Actually, we should check each write for success */ - return (KSUCCESS); -bad: - return (KFAILURE); + + tf_close(); + return KSUCCESS; } diff --git a/kerberosIV/krb/tkt_string.c b/kerberosIV/krb/tkt_string.c index 1c63f0346e8..5bc67e2562c 100644 --- a/kerberosIV/krb/tkt_string.c +++ b/kerberosIV/krb/tkt_string.c @@ -1,10 +1,4 @@ -/* - * This software may now be redistributed outside the US. - * - * $Source: /cvs/OpenBSD/src/kerberosIV/krb/Attic/tkt_string.c,v $ - * - * $Locker: $ - */ +/* $KTH: tkt_string.c,v 1.11 1997/10/24 10:18:07 assar Exp $ */ /* Copyright (C) 1989 by the Massachusetts Institute of Technology @@ -29,9 +23,6 @@ or implied warranty. #include "krb_locl.h" -#include <sys/param.h> -#include <sys/types.h> - /* * This routine is used to generate the name of the file that holds * the user's cache of server tickets and associated session keys. 
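Review bot: tf_save_cred writes `ticket->length` bytes from ticket->dat without validating the length, while the reader in tf_get_cred rejects anything above MAX_KTXT_LEN, and a negative int becomes a huge size_t in write(); add `if (ticket->length < 0 || ticket->length > MAX_KTXT_LEN) goto bad;` before the "Tkt length" write so a bad KTEXT never produces a record the reader will refuse. The session key is written with a literal `8` whereas the reader uses DES_KEY_SZ; use the same constant on both sides. On the `bad:` path the file keeps a partially written record (later tf_get_cred calls report it as TKT_FIL_FMT); the return of `lseek(fd, 0L, SEEK_END)` is unchecked but is exactly the offset to save so failure can `ftruncate` back to it. tf_setup and in_tkt in this hunk differ only in the tf_save_cred call, so in_tkt could share the create/put_pname/put_pinst prefix instead of duplicating it.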
@@ -49,21 +40,18 @@ or implied warranty. static char krb_ticket_string[MAXPATHLEN] = ""; char * -tkt_string() +tkt_string(void) { char *env; - uid_t getuid(void); if (!*krb_ticket_string) { if ((env = getenv("KRBTKFILE"))) { - (void) strncpy(krb_ticket_string, env, + strncpy(krb_ticket_string, env, sizeof(krb_ticket_string)-1); krb_ticket_string[sizeof(krb_ticket_string)-1] = '\0'; } else { - /* 32 bits of signed integer will always fit in 11 characters - (including the sign), so no need to worry about overflow */ - (void) snprintf(krb_ticket_string, sizeof(krb_ticket_string), - "%s%u", TKT_ROOT, getuid()); + snprintf(krb_ticket_string, sizeof(krb_ticket_string), + "%s%u",TKT_ROOT,(unsigned)getuid()); } } return krb_ticket_string; @@ -81,11 +69,10 @@ tkt_string() */ void -krb_set_tkt_string(val) - char *val; +krb_set_tkt_string(const char *val) { - (void) strncpy(krb_ticket_string, val, sizeof(krb_ticket_string)-1); + strncpy(krb_ticket_string, val, sizeof(krb_ticket_string)-1); krb_ticket_string[sizeof(krb_ticket_string)-1] = '\0'; return; diff --git a/kerberosIV/krb/unparse_name.c b/kerberosIV/krb/unparse_name.c new file mode 100644 index 00000000000..e7cde58fda7 --- /dev/null +++ b/kerberosIV/krb/unparse_name.c 
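Review bot: tkt_string honours `KRBTKFILE` from the environment unconditionally; if this library is linked into a set-user-id program, the ticket cache path is then chosen by the unprivileged environment rather than by the `TKT_ROOT`/uid default. OpenBSD provides issetugid() for this case: `if (!issetugid() && (env = getenv("KRBTKFILE"))) {` keeps the computed default for set-id processes. The behaviour predates this hunk, which only drops the `(void)` casts and adds the `(unsigned)` cast, so this is a follow-up rather than a regression. Minor style: `"%s%u",TKT_ROOT,(unsigned)getuid()` lost the spaces after the commas that the rest of the file uses.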
@@ -0,0 +1,105 @@ +/* $KTH: unparse_name.c,v 1.7 1997/04/01 08:18:46 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +static void +quote_string(char *quote, char *from, char *to) +{ + while(*from){ + if(strchr(quote, *from)) + *to++ = '\\'; + *to++ = *from++; + } + *to = 0; +} + +/* To be compatible with old functions, we quote differently in each + part of the principal*/ + +char * +krb_unparse_name_r(krb_principal *pr, char *fullname) +{ + quote_string("'@\\", pr->name, fullname); + if(pr->instance[0]){ + strcat(fullname, "."); + quote_string("@\\", pr->instance, fullname + strlen(fullname)); + } + if(pr->realm[0]){ + strcat(fullname, "@"); + quote_string("\\", pr->realm, fullname + strlen(fullname)); + } + return fullname; +} + +char * +krb_unparse_name_long_r(char *name, char *instance, char *realm, + char *fullname) +{ + krb_principal pr; + memset(&pr, 0, sizeof(pr)); + strcpy(pr.name, name); + if(instance) + strcpy(pr.instance, instance); + if(realm) + strcpy(pr.realm, realm); + return krb_unparse_name_r(&pr, fullname); +} + +char * +krb_unparse_name(krb_principal *pr) +{ + static char principal[MAX_K_NAME_SZ]; + krb_unparse_name_r(pr, principal); + return principal; +} + +char * +krb_unparse_name_long(char *name, char *instance, char *realm) +{ + krb_principal pr; + memset(&pr, 0, sizeof(pr)); + strcpy(pr.name, name); + if(instance) + strcpy(pr.instance, instance); + if(realm) + strcpy(pr.realm, realm); + return krb_unparse_name(&pr); +} diff --git a/kerberosIV/krb/util.c b/kerberosIV/krb/util.c new file mode 100644 index 00000000000..b187276ffd7 --- /dev/null +++ b/kerberosIV/krb/util.c 
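Review bot: quote_string writes to `to` with no bound, and every character found in `quote` expands to two bytes, so krb_unparse_name_r can emit up to roughly twice the combined length of name, instance and realm plus separators; krb_unparse_name hands it a `MAX_K_NAME_SZ` static buffer and krb_unparse_name_long_r/krb_unparse_name_long copy their arguments into the fixed krb_principal fields with strcpy, none of it checked. Give quote_string a remaining-length argument and a failure return, and have krb_unparse_name_r pass the room left in fullname; the `_r` entry point has no size parameter, so either add one or document that fullname must hold MAX_K_NAME_SZ bytes, and the `strcat(fullname, ".")` / `strcat(fullname, "@")` calls need the same room check. The quote and from parameters are never written through, so `const char *` documents that as well.
```c
/*
 * Copy `from` to `to`, backslash-escaping every character listed in
 * `quote`.  `to_len` is the room in `to`, terminator included.
 * Returns 0 on success, -1 if the escaped string does not fit
 * (`to` is then terminated at the last byte written).
 */
static int
quote_string(const char *quote, const char *from, char *to, size_t to_len)
{
    size_t used = 0;

    if (to_len == 0)
        return -1;
    while (*from) {
        size_t need = strchr(quote, *from) ? 2 : 1;

        if (used + need >= to_len) {
            *to = 0;
            return -1;
        }
        if (need == 2)
            *to++ = '\\';
        *to++ = *from++;
        used += need;
    }
    *to = 0;
    return 0;
}

/* … krb_unparse_name_r: pass the remaining room and check the result, e.g.
 *   if (quote_string("'@\\", pr->name, fullname, fullname_len) < 0)
 *       return NULL;
 * where fullname_len is the size the caller must now supply … */
```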
@@ -0,0 +1,76 @@ +/* $KTH: util.c,v 1.6 1996/10/05 00:18:34 joda Exp $ */ + +/* + Copyright 1988 by the Massachusetts Institute of Technology. + + Export of this software from the United States of America is assumed + to require a specific license from the United States Government. + It is the responsibility of any person or organization contemplating + export to obtain such a license before exporting. + +WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +distribute this software and its documentation for any purpose and +without fee is hereby granted, provided that the above copyright +notice appear in all copies and that both that copyright notice and +this permission notice appear in supporting documentation, and that +the name of M.I.T. not be used in advertising or publicity pertaining +to distribution of the software without specific, written prior +permission. M.I.T. makes no representations about the suitability of +this software for any purpose. It is provided "as is" without express +or implied warranty. + + Miscellaneous debug printing utilities + */ + +#include "krb_locl.h" + +/* + * Print some of the contents of the given authenticator structure + * (AUTH_DAT defined in "krb.h"). Fields printed are: + * + * pname, pinst, prealm, netaddr, flags, cksum, timestamp, session + */ + +void +ad_print(AUTH_DAT *x) +{ + /* + * Print the contents of an auth_dat struct. + */ + struct in_addr address; + address.s_addr = x->address; + printf("\n%s %s %s %s flags %u cksum 0x%X\n\ttkt_tm 0x%X sess_key", + x->pname, x->pinst, x->prealm, + inet_ntoa(address), x->k_flags, + x->checksum, x->time_sec); + printf("[8] ="); +#ifdef NOENCRYPTION + placebo_cblock_print(x->session); +#else + des_cblock_print_file(&x->session,stdout); +#endif + /* skip reply for now */ +} + +/* + * Print in hex the 8 bytes of the given session key. 
+ * + * Printed format is: " 0x { x, x, x, x, x, x, x, x }" + */ + +#ifdef NOENCRYPTION +placebo_cblock_print(x) + des_cblock x; +{ + unsigned char *y = (unsigned char *) x; + int i = 0; + + printf(" 0x { "); + + while (i++ <8) { + printf("%x",*y++); + if (i<8) printf(", "); + } + printf(" }"); +} +#endif diff --git a/kerberosIV/krb/verify_user.c b/kerberosIV/krb/verify_user.c new file mode 100644 index 00000000000..0058a00a64f --- /dev/null +++ b/kerberosIV/krb/verify_user.c 
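Review bot: `placebo_cblock_print(x)` under `#ifdef NOENCRYPTION` is a K&R definition with no return type, so it is implicitly `int` yet never returns a value; declare it `static void placebo_cblock_print(des_cblock x)` to match the prototype-style definitions the rest of this commit introduces. The `%x` in `printf("%x",*y++);` drops leading zeros, so `"%02x"` produces the fixed-width byte dump the header comment describes. ad_print writes the session key to stdout; a comment on it, `/* Debug aid only: prints the session key in clear, keep out of production logging. */`, would tell the next maintainer why it must stay debug-only. The `%X` conversions for x->checksum and x->time_sec assume unsigned-int-sized fields; I cannot see AUTH_DAT here, so if time_sec is a `long` that is a format mismatch worth confirming.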
@@ -0,0 +1,111 @@ +/* $KTH: verify_user.c,v 1.8 1997/04/01 08:18:46 joda Exp $ */ + +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "krb_locl.h" + +/* Verify user with password. If secure, also verify against local + * service key, this can (usually) only be done by root. + * + * As a side effect, fresh tickets are obtained. + * + * Returns zero if ok, a positive kerberos error or -1 for system + * errors. + */ + +int +krb_verify_user(char *name, char *instance, char *realm, char *password, + int secure, char *linstance) +{ + int ret; + ret = krb_get_pw_in_tkt(name, instance, realm, + KRB_TICKET_GRANTING_TICKET, + realm, + DEFAULT_TKT_LIFE, password); + if(ret != KSUCCESS) + return ret; + + if(secure){ + struct hostent *hp; + int32_t addr; + + KTEXT_ST ticket; + AUTH_DAT auth; + + char lrealm[REALM_SZ]; + char hostname[MAXHOSTNAMELEN]; + char *phost; + + if (k_gethostname(hostname, sizeof(hostname)) == -1) { + dest_tkt(); + return -1; + } + + hp = gethostbyname(hostname); + if(hp == NULL){ + dest_tkt(); + return -1; + } + memcpy(&addr, hp->h_addr, sizeof(addr)); + + ret = krb_get_lrealm(lrealm, 1); + if(ret != KSUCCESS){ + dest_tkt(); + return ret; + } + phost = krb_get_phost(hostname); + + if (linstance == NULL) + linstance = "rcmd"; + + ret = krb_mk_req(&ticket, linstance, phost, lrealm, 33); + if(ret != KSUCCESS){ + dest_tkt(); + return ret; + } + + ret = krb_rd_req(&ticket, linstance, phost, addr, &auth, ""); + if(ret != KSUCCESS){ + dest_tkt(); + return ret; + } + } + return 0; +} + |
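Review bot: The `if(secure){` branch is the only keyed verification in krb_verify_user; with `secure == 0` the result rests entirely on the unauthenticated KDC reply, which the header comment states only indirectly. A comment at that line would make the contract explicit: `/* Without 'secure' the password check is only as trustworthy as the KDC reply; callers making login decisions must pass secure != 0 so the service ticket is checked against the local srvtab. */`. The `33` passed as the checksum to `krb_mk_req(&ticket, linstance, phost, lrealm, 33);` is a magic number and should be a named constant. `memcpy(&addr, hp->h_addr, sizeof(addr));` copies sizeof(addr) bytes without comparing against `hp->h_length`, which is fine for AF_INET but worth a one-line note since nothing here pins the address family.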