Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/krb4/ChangeLog | 58 | ||||
| -rw-r--r-- | src/lib/krb4/Makefile.in | 333 | ||||
| -rw-r--r-- | src/lib/krb4/change_password.c | 138 | ||||
| -rw-r--r-- | src/lib/krb4/configure.in | 28 | ||||
| -rw-r--r-- | src/lib/krb4/g_in_tkt.c | 146 | ||||
| -rw-r--r-- | src/lib/krb4/g_pw_in_tkt.c | 12 | ||||
| -rw-r--r-- | src/lib/krb4/kadm_err.et | 58 | ||||
| -rw-r--r-- | src/lib/krb4/kadm_net.c | 383 | ||||
| -rw-r--r-- | src/lib/krb4/kadm_stream.c | 319 | ||||
| -rw-r--r-- | src/lib/krb4/mk_req.c | 137 | ||||
| -rw-r--r-- | src/lib/krb4/one.c | 15 | ||||
| -rw-r--r-- | src/lib/krb4/password_to_key.c | 146 | ||||
| -rw-r--r-- | src/lib/krb4/prot_client.c | 4 | ||||
| -rw-r--r-- | src/lib/krb4/prot_kdc.c | 6 | ||||
| -rw-r--r-- | src/lib/krb4/rd_req.c | 162 | ||||
| -rw-r--r-- | src/lib/krb4/tf_util.c | 2 | ||||
| -rw-r--r-- | src/lib/krb4/tkt_string.c | 27 |
17 files changed, 1658 insertions, 316 deletions
diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog
index ecaba3b349..2287b6d9a2 100644
--- a/src/lib/krb4/ChangeLog
+++ b/src/lib/krb4/ChangeLog
@@ -1,3 +1,61 @@
+2002-11-26 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (OBJS, SRCS): Add change_password.c, kadm_err.c,
+ kadm_net.c, kadm_stream.c. Remove one.c.
+ Also, add com_err support for kadm_err.et. Update dependencies.
+
+ * change_password.c: New file.
+
+ * configure.in: Remove checks for BITS16, BITS32, MSBFIRST, and
+ LSBFIRST.
+
+ * g_in_tkt.c (krb_mk_in_tkt_preauth): Update to optionally return
+ local address -- not yet fully implemented.
+ (krb_parse_in_tkt_creds): Renamed from krb_parse_in_tkt(). Now
+ fills in a CREDENTIALS instead of storing into a ticket file.
+ (krb_get_in_tkt_preauth_creds): Renamed from
+ krb_get_in_tkt_preauth(). Now fills in a CREDENTIALS instead of
+ storing into a ticket file.
+ (krb_get_in_tkt_creds): Port from KfM.
+ (krb_get_in_tkt_preauth): Reimplement in terms of
+ krb_get_in_tkt_creds_preauth().
+
+ * g_pw_in_tkt.c (krb_get_pw_in_tkt_creds): Port from KfM.
+
+ * kadm_err.et:
+ * kadm_net.c:
+ * kadm_stream.c: New files to implement password changing, ported
+ from KfM.
+
+ * mk_req.c (krb_mk_req_creds_prealm): New internal function --
+ similar to krb_mk_req_creds() but takes the client's realm, since
+ it's needed for forming a correct request but is not present in a
+ CREDENTIALS.
+ (krb_mk_req): Reimplement in terms of krb_mk_req_creds_prealm().
+ Move the logic for acquiring credentials and determining client's
+ realm here.
+ (krb_mk_req_creds): Port from KfM.
+ (krb_set_lifetime): Make KRB5_CALLCONV now.
+
+ * one.c: Remove.
+
+ * password_to_key.c: New file, ported from KfM. Will eventually
+ implement some string-to-key stuff.
+
+ * prot_client.c: Eliminate references to {LSB,MSB}_FIRST.
+
+ * prot_kdc.c: Eliminate references to {LSB,MSB}_FIRST.
+
+ * rd_req.c (krb_rd_req_with_key): New internal function -- can
+ take a key schedule or a krb5_keyblock and use one of those to
+ decrypt the ticket.
+ (krb_rd_req_int): Ported from KfM. Calls into
+ krb_rd_req_with_key().
+ (krb_rd_req): Reimplement in terms of krb_rd_req_with_key(). Copy + some of the realm and kvno reading logic here. + + * tkt_string.c: Returns pointer to const now. + 2002-08-29 Ken Raeburn <raeburn@mit.edu> * Makefile.in: Revert $(S)=>/ change, for Windows support. diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in index 98da61abbe..26870a9faf 100644 --- a/src/lib/krb4/Makefile.in +++ b/src/lib/krb4/Makefile.in @@ -30,6 +30,7 @@ SHLIB_RDIRS=$(KRB5_LIBDIR) EHDRDIR=$(BUILDTOP)$(S)include$(S)kerberosIV OBJS = \ + $(OUTPRE)change_password.$(OBJEXT) \ $(OUTPRE)cr_auth_repl.$(OBJEXT) \ $(OUTPRE)cr_ciph.$(OBJEXT) \ $(OUTPRE)cr_tkt.$(OBJEXT) \ @@ -44,6 +45,9 @@ OBJS = \ $(OUTPRE)g_tkt_svc.$(OBJEXT) \ $(OUTPRE)gethostname.$(OBJEXT) \ $(OUTPRE)getst.$(OBJEXT) \ + $(OUTPRE)kadm_err.$(OBJEXT) \ + $(OUTPRE)kadm_net.$(OBJEXT) \ + $(OUTPRE)kadm_stream.$(OBJEXT) \ $(OUTPRE)kname_parse.$(OBJEXT) \ $(OUTPRE)lifetime.$(OBJEXT) \ $(OUTPRE)mk_auth.$(OBJEXT) \ @@ -52,7 +56,6 @@ OBJS = \ $(OUTPRE)mk_req.$(OBJEXT) \ $(OUTPRE)mk_safe.$(OBJEXT) \ $(OUTPRE)month_sname.$(OBJEXT) \ - $(OUTPRE)one.$(OBJEXT) \ $(OUTPRE)prot_client.$(OBJEXT) \ $(OUTPRE)prot_common.$(OBJEXT) \ $(OUTPRE)prot_kdc.$(OBJEXT) \ @@ -70,6 +73,7 @@ OBJS = \ $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) SRCS = \ + $(srcdir)/change_password.c \ $(srcdir)/cr_auth_repl.c \ $(srcdir)/cr_ciph.c \ $(srcdir)/cr_tkt.c \ @@ -82,6 +86,8 @@ SRCS = \ $(srcdir)/g_tkt_svc.c \ $(srcdir)/getst.c \ $(srcdir)/gethostname.c \ + $(srcdir)/kadm_net.c \ + $(srcdir)/kadm_stream.c \ $(srcdir)/kname_parse.c \ $(srcdir)/err_txt.c \ $(srcdir)/lifetime.c \ @@ -92,7 +98,6 @@ SRCS = \ $(srcdir)/mk_req.c \ $(srcdir)/mk_safe.c \ $(srcdir)/month_sname.c \ - $(srcdir)/one.c \ $(srcdir)/pkt_cipher.c \ $(srcdir)/pkt_clen.c \ $(srcdir)/prot_client.c \ 
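Review bot: kadm_err.c is missing from the SRCS hunks, which add only `$(srcdir)/change_password.c`, `$(srcdir)/kadm_net.c` and `$(srcdir)/kadm_stream.c`, although `$(OUTPRE)kadm_err.$(OBJEXT)` is added to OBJS and the ChangeLog entry names kadm_err.c for both variables. The regenerated dependency section further down has a `krb_err.$(OBJEXT): krb_err.c $(COM_ERR_DEPS)` entry and no counterpart for kadm_err, which is what a source absent from SRCS would produce. If krb_err.c is listed in the part of SRCS outside these hunks, add `kadm_err.c \` next to it and regenerate the dependencies. Both the OBJS and SRCS definitions start and end outside the hunks shown.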
@@ -190,7 +195,7 @@ CODE=$(SRCS) Makefile.in krb_err.et # We want *library* compiler options... DBG=$(DBG_LIB) -all-unix:: krb_err.h includes all-liblinks +all-unix:: krb_err.h kadm_err.h includes all-liblinks ##DOS##LIBOBJS = $(OBJS) @@ -198,7 +203,10 @@ all-unix:: krb_err.h includes all-liblinks krb_err.h:: krb_err.et krb_err.c: krb_err.et -depend:: krb_err.h +kadm_err.h: kadm_err.et +kadm_err.c: kadm_err.et + +depend:: krb_err.h kadm_err.h depend:: $(CODE) includes:: krb_err.h @@ -208,8 +216,16 @@ includes:: krb_err.h $(CP) krb_err.h $(EHDRDIR)/krb_err.h) ; \ fi +includes:: kadm_err.h + if cmp kadm_err.h $(EHDRDIR)/kadm_err.h >/dev/null 2>&1; then :; \ + else \ + (set -x; $(RM) $(EHDRDIR)/kadm_err.h; \ + $(CP) kadm_err.h $(EHDRDIR)/kadm_err.h) ; \ + fi + clean-unix:: $(RM) $(EHDRDIR)/krb_err.h + $(RM) $(EHDRDIR)/kadm_err.h @@ -227,7 +243,10 @@ clean-:: clean-unix clean-unix:: -$(RM) krb_err.c -$(RM) krb_err.h + -$(RM) kadm_err.c + -$(RM) kadm_err.h -$(RM) ../../include/kerberosIV/krb_err.h + -$(RM) ../../include/kerberosIV/kadm_err.h clean-unix:: clean-liblinks clean-libs clean-libobjs 
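Review bot: `CODE`, visible in the first hunk header on this line as `CODE=$(SRCS) Makefile.in krb_err.et`, is not touched by any hunk, so the new error table is left out of it even though the hunk at new line 203 adds `kadm_err.h: kadm_err.et` and `kadm_err.c: kadm_err.et`. The only use of CODE visible here is `depend:: $(CODE)`; if it feeds anything else, kadm_err.et will be missed there. The line would become `CODE=$(SRCS) Makefile.in krb_err.et kadm_err.et`. A short comment above the two new rules, such as `# kadm_err.c and kadm_err.h are generated from kadm_err.et`, would also tell a reader why neither file is in the source directory.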
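Review bot: The installed copy of kadm_err.h is now removed by two clean-unix rules under two spellings, `$(RM) $(EHDRDIR)/kadm_err.h` in the hunk at new line 216 and `-$(RM) ../../include/kerberosIV/kadm_err.h` in the hunk at new line 243. EHDRDIR is defined as `$(BUILDTOP)$(S)include$(S)kerberosIV`, so the hard-coded relative path names the same file only when BUILDTOP is `../..`, which this page does not show. The new line copies the existing krb_err.h one, but I would drop `-$(RM) ../../include/kerberosIV/kadm_err.h` and rely on the `$(EHDRDIR)` rule so that cleaning cannot drift from where `includes::` installs the header.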
@@ -243,222 +262,294 @@ install-unix:: install-libs # Makefile dependencies follow. This must be the last section in # the Makefile.in file # +change_password.so change_password.po $(OUTPRE)change_password.$(OBJEXT): change_password.c \ + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/kerberosIV/kadm.h \ + $(SRCTOP)/include/kerberosIV/prot.h cr_auth_repl.so cr_auth_repl.po $(OUTPRE)cr_auth_repl.$(OBJEXT): cr_auth_repl.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h cr_ciph.so cr_ciph.po $(OUTPRE)cr_ciph.$(OBJEXT): cr_ciph.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h cr_tkt.so cr_tkt.po $(OUTPRE)cr_tkt.$(OBJEXT): cr_tkt.c $(BUILDTOP)/include/krb5.h \ $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/krb.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h debug.so debug.po $(OUTPRE)debug.$(OBJEXT): debug.c $(SRCTOP)/include/kerberosIV/mit-copyright.h decomp_tkt.so decomp_tkt.po $(OUTPRE)decomp_tkt.$(OBJEXT): decomp_tkt.c 
$(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/krb.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/krb54proto.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h g_ad_tkt.so g_ad_tkt.po $(OUTPRE)g_ad_tkt.$(OBJEXT): g_ad_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h g_pw_in_tkt.so g_pw_in_tkt.po $(OUTPRE)g_pw_in_tkt.$(OBJEXT): g_pw_in_tkt.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/kerberosIV/krb.h \ $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h g_phost.so g_phost.po $(OUTPRE)g_phost.$(OBJEXT): g_phost.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(BUILDTOP)/include/krb5/autoconf.h g_pw_tkt.so g_pw_tkt.po $(OUTPRE)g_pw_tkt.$(OBJEXT): g_pw_tkt.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + 
$(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h g_tkt_svc.so g_tkt_svc.po $(OUTPRE)g_tkt_svc.$(OBJEXT): g_tkt_svc.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ $(BUILDTOP)/include/krb5/autoconf.h getst.so getst.po $(OUTPRE)getst.$(OBJEXT): getst.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h gethostname.so gethostname.po $(OUTPRE)gethostname.$(OBJEXT): gethostname.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h +kadm_net.so kadm_net.po $(OUTPRE)kadm_net.$(OBJEXT): kadm_net.c $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h $(SRCTOP)/include/kerberosIV/krb.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krbports.h \ + $(SRCTOP)/include/kerberosIV/kadm.h $(BUILDTOP)/include/kerberosIV/kadm_err.h \ + $(SRCTOP)/include/kerberosIV/prot.h +kadm_stream.so kadm_stream.po $(OUTPRE)kadm_stream.$(OBJEXT): kadm_stream.c $(SRCTOP)/include/kerberosIV/kadm.h \ + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/kerberosIV/kadm_err.h \ + $(SRCTOP)/include/kerberosIV/prot.h kname_parse.so kname_parse.po 
$(OUTPRE)kname_parse.$(OBJEXT): kname_parse.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h err_txt.so err_txt.po $(OUTPRE)err_txt.$(OBJEXT): err_txt.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h lifetime.so lifetime.po $(OUTPRE)lifetime.$(OBJEXT): lifetime.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h g_in_tkt.so g_in_tkt.po $(OUTPRE)g_in_tkt.$(OBJEXT): g_in_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h mk_auth.so mk_auth.po $(OUTPRE)mk_auth.$(OBJEXT): mk_auth.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h mk_err.so mk_err.po $(OUTPRE)mk_err.$(OBJEXT): mk_err.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h 
mk_priv.so mk_priv.po $(OUTPRE)mk_priv.$(OBJEXT): mk_priv.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h mk_req.so mk_req.po $(OUTPRE)mk_req.$(OBJEXT): mk_req.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h krb4int.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + krb4int.h mk_safe.so mk_safe.po $(OUTPRE)mk_safe.$(OBJEXT): mk_safe.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h month_sname.so month_sname.po $(OUTPRE)month_sname.$(OBJEXT): month_sname.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h krb4int.h -one.so one.po 
$(OUTPRE)one.$(OBJEXT): one.c + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h pkt_cipher.so pkt_cipher.po $(OUTPRE)pkt_cipher.$(OBJEXT): pkt_cipher.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h pkt_clen.so pkt_clen.po $(OUTPRE)pkt_clen.$(OBJEXT): pkt_clen.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h prot_client.so prot_client.po $(OUTPRE)prot_client.$(OBJEXT): prot_client.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h prot_common.so prot_common.po $(OUTPRE)prot_common.$(OBJEXT): prot_common.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h prot_kdc.so prot_kdc.po $(OUTPRE)prot_kdc.$(OBJEXT): prot_kdc.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/port-sockets.h \ - 
$(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h rd_err.so rd_err.po $(OUTPRE)rd_err.$(OBJEXT): rd_err.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h rd_priv.so rd_priv.po $(OUTPRE)rd_priv.$(OBJEXT): rd_priv.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ + $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h rd_safe.so rd_safe.po $(OUTPRE)rd_safe.$(OBJEXT): rd_safe.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h \ - $(SRCTOP)/include/kerberosIV/mit-copyright.h $(SRCTOP)/include/port-sockets.h \ - $(BUILDTOP)/include/krb5/autoconf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(SRCTOP)/include/kerberosIV/lsb_addr_cmp.h $(SRCTOP)/include/kerberosIV/mit-copyright.h \ + 
$(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h send_to_kdc.so send_to_kdc.po $(OUTPRE)send_to_kdc.$(OBJEXT): send_to_kdc.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krbports.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krbports.h \ + $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/port-sockets.h \ $(BUILDTOP)/include/krb5/autoconf.h stime.so stime.po $(OUTPRE)stime.$(OBJEXT): stime.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h strnlen.so strnlen.po $(OUTPRE)strnlen.$(OBJEXT): strnlen.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h rd_preauth.so rd_preauth.po $(OUTPRE)rd_preauth.$(OBJEXT): rd_preauth.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb_db.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h \ - krb4int.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/krb_db.h \ + $(SRCTOP)/include/kerberosIV/prot.h krb4int.h mk_preauth.so mk_preauth.po $(OUTPRE)mk_preauth.$(OBJEXT): mk_preauth.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + 
$(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): unix_time.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h unix_time.so unix_time.po $(OUTPRE)unix_time.$(OBJEXT): unix_time.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h tf_util.so tf_util.po $(OUTPRE)tf_util.$(OBJEXT): tf_util.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h krb4int.h + krb4int.h dest_tkt.so dest_tkt.po $(OUTPRE)dest_tkt.$(OBJEXT): dest_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h in_tkt.so in_tkt.po $(OUTPRE)in_tkt.$(OBJEXT): in_tkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h -tkt_string.so tkt_string.po $(OUTPRE)tkt_string.$(OBJEXT): tkt_string.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + 
$(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h +tkt_string.so tkt_string.po $(OUTPRE)tkt_string.$(OBJEXT): tkt_string.c $(SRCTOP)/include/kerberosIV/krb.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h g_tf_fname.so g_tf_fname.po $(OUTPRE)g_tf_fname.$(OBJEXT): g_tf_fname.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h g_tf_realm.so g_tf_realm.po $(OUTPRE)g_tf_realm.$(OBJEXT): g_tf_realm.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h g_cred.so g_cred.po $(OUTPRE)g_cred.$(OBJEXT): g_cred.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h save_creds.so save_creds.po $(OUTPRE)save_creds.$(OBJEXT): save_creds.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h unix_glue.so unix_glue.po $(OUTPRE)unix_glue.$(OBJEXT): unix_glue.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h krb4int.h + $(SRCTOP)/include/kerberosIV/des.h 
$(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h klog.so klog.po $(OUTPRE)klog.$(OBJEXT): klog.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/kerberosIV/klog.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/kerberosIV/klog.h kuserok.so kuserok.po $(OUTPRE)kuserok.$(OBJEXT): kuserok.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h log.so log.po $(OUTPRE)log.$(OBJEXT): log.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/kerberosIV/klog.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/kerberosIV/klog.h kntoln.so kntoln.po $(OUTPRE)kntoln.$(OBJEXT): kntoln.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h + $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h fgetst.so fgetst.po $(OUTPRE)fgetst.$(OBJEXT): fgetst.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h rd_svc_key.so rd_svc_key.po $(OUTPRE)rd_svc_key.$(OBJEXT): rd_svc_key.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h 
$(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \ - $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/k5-int.h \ + $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ + $(SRCTOP)/include/krb54proto.h $(SRCTOP)/include/kerberosIV/prot.h cr_err_repl.so cr_err_repl.po $(OUTPRE)cr_err_repl.$(OBJEXT): cr_err_repl.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h rd_req.so rd_req.po $(OUTPRE)rd_req.$(OBJEXT): rd_req.c $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h $(BUILDTOP)/include/krb5.h \ - $(COM_ERR_DEPS) $(SRCTOP)/include/krb54proto.h + $(SRCTOP)/include/kerberosIV/krb.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/krb54proto.h g_svc_in_tkt.so g_svc_in_tkt.po $(OUTPRE)g_svc_in_tkt.$(OBJEXT): g_svc_in_tkt.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/prot.h $(SRCTOP)/include/kerberosIV/krb_conf.h \ + 
$(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h \ krb4int.h recvauth.so recvauth.po $(OUTPRE)recvauth.$(OBJEXT): recvauth.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h krb_err.so krb_err.po $(OUTPRE)krb_err.$(OBJEXT): krb_err.c $(COM_ERR_DEPS) ad_print.so ad_print.po $(OUTPRE)ad_print.$(OBJEXT): ad_print.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h cr_death_pkt.so cr_death_pkt.po $(OUTPRE)cr_death_pkt.$(OBJEXT): cr_death_pkt.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/prot.h \ - $(SRCTOP)/include/kerberosIV/krb_conf.h + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/prot.h kparse.so kparse.po $(OUTPRE)kparse.$(OBJEXT): kparse.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/kerberosIV/kparse.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/kerberosIV/kparse.h put_svc_key.so put_svc_key.po $(OUTPRE)put_svc_key.$(OBJEXT): put_svc_key.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h krb4int.h + 
$(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h krb4int.h sendauth.so sendauth.po $(OUTPRE)sendauth.$(OBJEXT): sendauth.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h netread.so netread.po $(OUTPRE)netread.$(OBJEXT): netread.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h netwrite.so netwrite.po $(OUTPRE)netwrite.$(OBJEXT): netwrite.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h g_cnffile.so g_cnffile.po $(OUTPRE)g_cnffile.$(OBJEXT): g_cnffile.c $(SRCTOP)/include/kerberosIV/krb.h \ - $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/kerberosIV/des.h $(BUILDTOP)/include/kerberosIV/krb_err.h \ + $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h $(SRCTOP)/include/k5-int.h \ $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h 
$(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/profile.h krb4int.h + krb4int.h g_krbhst.so g_krbhst.po $(OUTPRE)g_krbhst.$(OBJEXT): g_krbhst.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h g_krbrlm.so g_krbrlm.po $(OUTPRE)g_krbrlm.$(OBJEXT): g_krbrlm.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h g_admhst.so g_admhst.po $(OUTPRE)g_admhst.$(OBJEXT): g_admhst.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h krb4int.h realmofhost.so realmofhost.po $(OUTPRE)realmofhost.$(OBJEXT): realmofhost.c $(SRCTOP)/include/kerberosIV/mit-copyright.h \ $(SRCTOP)/include/kerberosIV/krb.h $(SRCTOP)/include/kerberosIV/des.h \ - $(SRCTOP)/include/port-sockets.h $(BUILDTOP)/include/krb5/autoconf.h \ - krb4int.h + $(BUILDTOP)/include/kerberosIV/krb_err.h $(COM_ERR_DEPS) \ + $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ + $(BUILDTOP)/include/krb5/autoconf.h krb4int.h diff --git a/src/lib/krb4/change_password.c b/src/lib/krb4/change_password.c new file mode 100644 index 0000000000..8bceec28d5 --- /dev/null +++ b/src/lib/krb4/change_password.c 
@@ -0,0 +1,138 @@ +/* + * g_pw_in_tkt.c + * + * Copyright 1987, 1988, 2002 by the Massachusetts Institute of + * Technology. All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include <string.h> +#include <stdlib.h> +#include <netdb.h> + +#if TARGET_OS_MAC /* XXX */ +#include <Kerberos/CredentialsCache.h> +#endif +#include "krb.h" +#include "krb4int.h" +#include "kadm.h" +#include "prot.h" + +/* + * krb_change_password(): This disgusting function handles changing passwords + * in a krb4-only environment. + * -1783126240 + * THIS IS NOT A NORMAL KRB4 API FUNCTION! DON'T USE IN PORTABLE CODE! 
+ */ + +int KRB5_CALLCONV +krb_change_password(char *principal, char *instance, char *realm, + char *oldPassword, char *newPassword) +{ + KRB_INT32 err; + des_cblock key; + KRB_UINT32 tempKey; + size_t sendSize; + u_char *sendStream; + size_t receiveSize; + u_char *receiveStream; + Kadm_Client client_parm; + u_char *p; + + err = 0; + /* + * Get tickets to change the old password and shove them in the + * client_parm + */ + err = krb_get_pw_in_tkt_creds(principal, instance, realm, + PWSERV_NAME, KADM_SINST, 1, + oldPassword, &client_parm.creds); + if (err != KSUCCESS) + goto cleanup; + +#if TARGET_OS_MAC + /* Now create the key to send to the server */ + switch (client_parm.creds.stk_type) { + case cc_v4_stk_des: + mit_passwd_to_key(principal, instance, realm, newPassword, key); + break; + case cc_v4_stk_afs: + afs_passwd_to_key(principal, instance, realm, newPassword, key); + break; + case cc_v4_stk_krb5: + krb5_passwd_to_key(principal, instance, realm, newPassword, key); + break; + default: + /* + * Okay, actually afs_string_to_key sites can't use this + * protocol to change passwords + */ + mit_passwd_to_key(principal, instance, realm, newPassword, key); + break; + } +#else + des_string_to_key(newPassword, key); /* XXX check this! */ +#endif + /* Create the link to the server */ + err = kadm_init_link(PWSERV_NAME, KRB_MASTER, realm, &client_parm, 1); + if (err != KADM_SUCCESS) + goto cleanup; + + /* Connect to the KDC */ + err = kadm_cli_conn(&client_parm); + if (err != KADM_SUCCESS) + goto cleanup; + + /* possible problem with vts_long on a non-multiple of four boundary */ + sendSize = 0; /* start of our output packet */ + sendStream = malloc(1); /* to make it reallocable */ + sendStream[sendSize++] = CHANGE_PW; + + /* change key to stream */ + /* This looks backwards but gets inverted on the server side. 
*/ + p = key + 4; + KRB4_GET32BE(tempKey, p); + sendSize += vts_long(tempKey, &sendStream, (int)sendSize); + p = key; + KRB4_GET32BE(tempKey, p); + sendSize += vts_long(tempKey, &sendStream, (int)sendSize); + + if (newPassword) { + sendSize += vts_string(newPassword, &sendStream, (int)sendSize); + } + + /* send the data to the kdc */ + err = kadm_cli_send(&client_parm, sendStream, sendSize, + &receiveStream, &receiveSize); + free(sendStream); + if (receiveSize > 0) + /* If there is a string from the kdc, free it - we don't care */ + free(receiveStream); + if (err != KADM_SUCCESS) + goto disconnect; + +disconnect: + /* Disconnect */ + kadm_cli_disconn(&client_parm); + +cleanup: + return err; +} diff --git a/src/lib/krb4/configure.in b/src/lib/krb4/configure.in index 874555ddf7..0512949a53 100644 --- a/src/lib/krb4/configure.in +++ b/src/lib/krb4/configure.in @@ -10,33 +10,6 @@ dnl Could check for full stdc environment, but will only test dnl for stdlib.h AC_CHECK_HEADERS(stdlib.h) -AC_C_CROSS dnl pretty up output, eval this before AC_TRY_RUN -dnl need MSBFIRST, LSBFIRST, BITS16, BITS32 -AC_MSG_CHECKING([if system is msbfirst]) -AC_CACHE_VAL(krb5_cv_is_msbfirst, -[AC_TRY_RUN( -[#include <stdio.h> -int main() -{ - int one = 1; - exit (*(char*) &one); /* MSBFIRST iff 1 */ -}], -krb5_cv_is_msbfirst=yes, krb5_cv_is_msbfirst=no -)])dnl fail on cross for now -AC_MSG_RESULT($krb5_cv_is_msbfirst) -if test $krb5_cv_is_msbfirst = yes; then - AC_DEFINE(MSBFIRST) -else - AC_DEFINE(LSBFIRST) -fi -dnl -dnl check int, set bits16/bits32 based on it -AC_CHECK_SIZEOF(int) -if test $ac_cv_sizeof_int = 2; then - AC_DEFINE(BITS16) -else - AC_DEFINE(BITS32) -fi AC_TYPE_MODE_T AC_TYPE_UID_T AC_DEFINE(KRB4_USE_KEYTAB) @@ -45,4 +18,3 @@ AC_PROG_AWK KRB5_BUILD_LIBOBJS KRB5_BUILD_LIBRARY_WITH_DEPS V5_AC_OUTPUT_MAKEFILE - diff --git a/src/lib/krb4/g_in_tkt.c b/src/lib/krb4/g_in_tkt.c index 16b19660d3..43997a6982 100644 --- a/src/lib/krb4/g_in_tkt.c +++ b/src/lib/krb4/g_in_tkt.c 
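Review bot: In krb_change_password, `receiveSize` and `receiveStream` are read after kadm_cli_send() without ever being initialised, and kadm_cli_send() (added in kadm_net.c in this commit) has early-return paths that store nothing through `ret_dat`/`ret_siz`, so `free(receiveStream)` can run on an indeterminate pointer. The result of `malloc(1)` is also dereferenced unchecked, and the -1 that vts_long()/vts_string() return on failure is added straight into the unsigned `sendSize`. The DES key derived from the new password, `tempKey`, and the session credentials in `client_parm` stay on the stack when the function returns, so they should be cleared on every exit path. The excerpt below shows the initialisers, the allocation check and the wipe; it assumes KADM_NOMEM is visible through the headers already included.

```c
    u_char *sendStream = NULL;
    size_t receiveSize = 0;
    u_char *receiveStream = NULL;
/* … unchanged: ticket acquisition, key derivation, link setup and connect … */
    sendStream = malloc(1);	/* to make it reallocable */
    if (sendStream == NULL) {
	err = KADM_NOMEM;
	goto disconnect;
    }
    sendStream[sendSize++] = CHANGE_PW;
/* … unchanged: key and password serialisation, kadm_cli_send call … */
    free(sendStream);
    if (receiveStream != NULL)
	free(receiveStream);
/* … unchanged: disconnect label and kadm_cli_disconn call … */
cleanup:
    /* Do not leave the new key or the session credentials on the stack. */
    memset(key, 0, sizeof(key));
    memset(&tempKey, 0, sizeof(tempKey));
    memset(&client_parm, 0, sizeof(client_parm));
    return err;
```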
@@ -44,13 +44,12 @@ typedef int (*decrypt_tkt_type) (char *, char *, char *, char *, key_proc_type, KTEXT *); #endif -static int -krb_mk_in_tkt_preauth(char *, char *, char *, char *, char *, - int, char *, int, KTEXT, int *); - -static int -krb_parse_in_tkt(char *, char *, char *, char *, char *, - int, KTEXT, int); +static int decrypt_tkt(char *, char *, char *, char *, key_proc_type, KTEXT *); +static int krb_mk_in_tkt_preauth(char *, char *, char *, char *, char *, + int, char *, int, KTEXT, int *, + struct sockaddr_in *); +static int krb_parse_in_tkt_creds(char *, char *, char *, char *, char *, + int, KTEXT, int, CREDENTIALS *); /* * decrypt_tkt(): Given user, instance, realm, passwd, key_proc @@ -135,7 +134,7 @@ decrypt_tkt(user, instance, realm, arg, key_proc, cipp) static int krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, - preauth_p, preauth_len, cip, byteorder) + preauth_p, preauth_len, cip, byteorder, local_addr) char *user; char *instance; char *realm; @@ -146,6 +145,7 @@ krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, int preauth_len; KTEXT cip; int *byteorder; + struct sockaddr_in *local_addr; { KTEXT_ST pkt_st; KTEXT pkt = &pkt_st; /* Packet to KDC */ @@ -213,7 +213,11 @@ krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, /* SEND THE REQUEST AND RECEIVE THE RETURN PACKET */ rpkt->length = 0; +#if 0 /* XXX */ + kerror = send_to_kdc_addr(pkt, rpkt, realm, local_addr); +#else kerror = send_to_kdc(pkt, rpkt, realm); +#endif if (kerror) return kerror; @@ -281,8 +285,8 @@ krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, } static int -krb_parse_in_tkt(user, instance, realm, service, sinstance, life, cip, - byteorder) +krb_parse_in_tkt_creds(user, instance, realm, service, sinstance, life, cip, + byteorder, creds) char *user; char *instance; char *realm; 
@@ -291,9 +295,9 @@ krb_parse_in_tkt(user, instance, realm, service, sinstance, life, cip, int life; KTEXT cip; int byteorder; + CREDENTIALS *creds; { unsigned char *ptr; - C_Block ses; /* Session key for tkt */ int len; int kvno; /* Kvno for session key */ char s_name[SNAME_SZ]; @@ -304,7 +308,6 @@ krb_parse_in_tkt(user, instance, realm, service, sinstance, life, cip, unsigned long kdc_time; /* KDC time */ unsigned KRB4_32 t_local; /* Must be 4 bytes long for memcpy below! */ KRB4_32 t_diff; /* Difference between timestamps */ - int kerror; int lifetime; ptr = cip->dat; @@ -368,24 +371,26 @@ krb_parse_in_tkt(user, instance, realm, service, sinstance, life, cip, return RD_AP_TIME; /* XXX should probably be better code */ } - /* initialize ticket cache */ - if (in_tkt(user,instance) != KSUCCESS) - return INTK_ERR; /* stash ticket, session key, etc. for future use */ - memcpy(ses, cip->dat, 8); - kerror = krb_save_credentials(s_name, s_instance, rlm, ses, - lifetime, kvno, - tkt, (KRB4_32)t_local); - memset(ses, 0, 8); - if (kerror) - return kerror; + strncpy(creds->service, s_name, sizeof(creds->service)); + strncpy(creds->instance, s_instance, sizeof(creds->instance)); + strncpy(creds->realm, rlm, sizeof(creds->realm)); + memmove(creds->session, cip->dat, sizeof(C_Block)); + creds->lifetime = lifetime; + creds->kvno = kvno; + creds->ticket_st.length = tkt->length; + memmove(creds->ticket_st.dat, tkt->dat, (size_t)tkt->length); + creds->issue_date = t_local; + strncpy(creds->pname, user, sizeof(creds->pname)); + strncpy(creds->pinst, instance, sizeof(creds->pinst)); return INTK_OK; } int -krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, - key_proc, decrypt_proc, arg, preauth_p, preauth_len) +krb_get_in_tkt_preauth_creds(user, instance, realm, service, sinstance, life, + key_proc, decrypt_proc, + arg, preauth_p, preauth_len, creds) char *user; char *instance; char *realm; 
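Review bot: The strncpy() calls that fill `creds` in the last hunk of krb_parse_in_tkt_creds use the full field size as the bound, so a source string at least as long as the field leaves it without a terminating NUL. `user` and `instance` come straight from the caller, and the callers visible in this commit pass uninitialised stack storage for `creds`, so nothing guarantees a trailing zero. Either reject over-long names before copying or terminate explicitly, e.g. `creds->pname[sizeof(creds->pname) - 1] = '\0';` after each copy; silently truncating a principal name may not be acceptable, so rejecting is probably the safer choice. The `memmove` into `creds->ticket_st.dat` trusts `tkt->length` from the KDC reply; the function body starts outside this hunk, so confirm that length is bounded before this point.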
@@ -397,16 +402,27 @@ krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, char *arg; char *preauth_p; int preauth_len; + CREDENTIALS *creds; { KTEXT_ST cip_st; KTEXT cip = &cip_st; /* Returned Ciphertext */ int kerror; int byteorder; +#if TARGET_OS_MAC + struct sockaddr_in local_addr; +#endif +#if TARGET_OS_MAC kerror = krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life, preauth_p, preauth_len, - cip, &byteorder); + cip, &byteorder, &local_addr); +#else + kerror = krb_mk_in_tkt_preauth(user, instance, realm, + service, sinstance, + life, preauth_p, preauth_len, + cip, &byteorder, NULL); +#endif if (kerror) return kerror; /* Attempt to decrypt the reply. */ 
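Review bot: On the TARGET_OS_MAC path `local_addr` is declared here and passed to krb_mk_in_tkt_preauth(), but nothing visible in this commit ever writes to it, because the only consumer, the send_to_kdc_addr() call, is under `#if 0`. The next hunk then reads it as `local_addr->sin_addr.s_addr`, which applies `->` to a struct object and, if it compiled, would copy indeterminate stack bytes into `creds->address`. I would zero it at declaration with `memset(&local_addr, 0, sizeof(local_addr));` and read it as `creds->address = local_addr.sin_addr.s_addr;`, and only when krb_parse_in_tkt_creds() succeeded. The function body continues past the end of this hunk.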
@@ -415,15 +431,87 @@ krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, else (*decrypt_proc)(user, instance, realm, arg, key_proc, &cip); - kerror = krb_parse_in_tkt(user, instance, realm, - service, sinstance, - life, cip, byteorder); + kerror = krb_parse_in_tkt_creds(user, instance, realm, + service, sinstance, + life, cip, byteorder, creds); +#if TARGET_OS_MAC + /* Do this here to avoid OS dependency in parse_in_tkt prototype. */ + creds->address = local_addr->sin_addr.s_addr; +#endif /* stomp stomp stomp */ memset(cip->dat, 0, (size_t)cip->length); return kerror; } int +krb_get_in_tkt_creds(user, instance, realm, service, sinstance, life, + key_proc, decrypt_proc, arg, creds) + char *user; + char *instance; + char *realm; + char *service; + char *sinstance; + int life; + key_proc_type key_proc; + decrypt_tkt_type decrypt_proc; + char *arg; + CREDENTIALS *creds; +{ + return krb_get_in_tkt_preauth_creds(user, instance, realm, + service, sinstance, life, + key_proc, decrypt_proc, arg, + NULL, 0, creds); +} + +int +krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, + key_proc, decrypt_proc, + arg, preauth_p, preauth_len) + char *user; + char *instance; + char *realm; + char *service; + char *sinstance; + int life; + key_proc_type key_proc; + decrypt_tkt_type decrypt_proc; + char *arg; + char *preauth_p; + int preauth_len; +{ + int retval; + CREDENTIALS creds; + + do { + retval = krb_get_in_tkt_preauth_creds(user, instance, realm, + service, sinstance, life, + key_proc, decrypt_proc, + arg, preauth_p, preauth_len, + &creds); + if (retval != KSUCCESS) break; + if (in_tkt(user, instance) != KSUCCESS) { + retval = INTK_ERR; + break; + } +#if TARGET_OS_MAC /* XXX */ + retval = krb_save_credentials_addr(creds.service, creds.instance, + creds.realm, creds.session, + creds.lifetime, creds.kvno, + &creds.ticket_st, creds.issue_date, + creds.address, creds.stk_type); +#else + retval = krb_save_credentials(creds.service, 
creds.instance, + creds.realm, creds.session, + creds.lifetime, creds.kvno, + &creds.ticket_st, creds.issue_date); +#endif + if (retval != KSUCCESS) break; + } while (0); + memset(&creds, 0, sizeof(creds)); + return retval; +} + +int krb_get_in_tkt(user, instance, realm, service, sinstance, life, key_proc, decrypt_proc, arg) char *user; @@ -439,5 +527,5 @@ krb_get_in_tkt(user, instance, realm, service, sinstance, life, return krb_get_in_tkt_preauth(user, instance, realm, service, sinstance, life, key_proc, decrypt_proc, arg, - (char *)NULL, 0); + NULL, 0); } diff --git a/src/lib/krb4/g_pw_in_tkt.c b/src/lib/krb4/g_pw_in_tkt.c index f878b77bdd..3396fcbd9d 100644 --- a/src/lib/krb4/g_pw_in_tkt.c +++ b/src/lib/krb4/g_pw_in_tkt.c @@ -115,6 +115,18 @@ krb_get_pw_in_tkt(user,instance,realm,service,sinstance,life,password) (decrypt_tkt_type)NULL, password)); } +int KRB5_CALLCONV +krb_get_pw_in_tkt_creds( + char *user, char *instance, char *realm, char *service, char *sinstance, + int life, char *password, CREDENTIALS *creds) +{ + return krb_get_in_tkt_creds(user, instance, realm, + service, sinstance, life, + (key_proc_type)passwd_to_key, + NULL, password, creds); +} + + /* * krb_get_pw_in_tkt_preauth() gets handed the password or key explicitly, * since the whole point of "pre" authentication is to prove that we've diff --git a/src/lib/krb4/kadm_err.et b/src/lib/krb4/kadm_err.et new file mode 100644 index 0000000000..07ab9da4b2 --- /dev/null +++ b/src/lib/krb4/kadm_err.et 
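Review bot: In the reimplemented krb_get_in_tkt_preauth, the TARGET_OS_MAC branch passes `creds.stk_type` to krb_save_credentials_addr(), but `creds` is an uninitialised local and krb_parse_in_tkt_creds() as changed in this commit never assigns `stk_type`. The same field is switched on in change_password.c to pick the string-to-key function. Unless it is set somewhere outside this diff, the value is indeterminate; adding `memset(&creds, 0, sizeof(creds));` before the `do` block, or assigning the field where the other members are filled in, would make it defined. The final `memset` that scrubs the session key is the last use of `creds`, so a compiler may drop it as a dead store; a wipe routine the optimiser cannot elide would be more dependable.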
@@ -0,0 +1,58 @@ +# kadmin.v4/server/kadm_err.et +# +# Copyright 1988 by the Massachusetts Institute of Technology. +# +# For copying and distribution information, please see the file +# <mit-copyright.h>. +# +# Kerberos administration server error table +# + et kadm + +# KADM_SUCCESS, as all success codes should be, is zero + +ec KADM_RCSID, "$Header$" +# /* Building and unbuilding the packet errors */ +ec KADM_NO_REALM, "Cannot fetch local realm" +ec KADM_NO_CRED, "Unable to fetch credentials" +ec KADM_BAD_KEY, "Bad key supplied" +ec KADM_NO_ENCRYPT, "Can't encrypt data" +ec KADM_NO_AUTH, "Cannot encode/decode authentication info" +ec KADM_WRONG_REALM, "Principal attemping change is in wrong realm" +ec KADM_NO_ROOM, "Packet is too large" +ec KADM_BAD_VER, "Version number is incorrect" +ec KADM_BAD_CHK, "Checksum does not match" +ec KADM_NO_READ, "Unsealing private data failed" +ec KADM_NO_OPCODE, "Unsupported operation" +ec KADM_NO_HOST, "Could not find administrating host" +ec KADM_UNK_HOST, "Administrating host name is unknown" +ec KADM_NO_SERV, "Could not find service name in services database" +ec KADM_NO_SOCK, "Could not create socket" +ec KADM_NO_CONN, "Could not connect to server" +ec KADM_NO_HERE, "Could not fetch local socket address" +ec KADM_NO_MAST, "Could not fetch master key" +ec KADM_NO_VERI, "Could not verify master key" + +# /* From the server side routines */ +ec KADM_INUSE, "Entry already exists in database" +ec KADM_UK_SERROR, "Database store error" +ec KADM_UK_RERROR, "Database read error" +ec KADM_UNAUTH, "Insufficient access to perform requested operation" +# KADM_DATA isn't really an error, but... 
+ec KADM_DATA, "Data is available for return to client" +ec KADM_NOENTRY, "No such entry in the database" + +ec KADM_NOMEM, "Memory exhausted" +ec KADM_NO_HOSTNAME, "Could not fetch system hostname" +ec KADM_NO_BIND, "Could not bind port" +ec KADM_LENGTH_ERROR, "Length mismatch problem" +ec KADM_ILL_WILDCARD, "Illegal use of wildcard" + +ec KADM_DB_INUSE, "Database locked or in use" + +ec KADM_INSECURE_PW, "Insecure password rejected" +ec KADM_PW_MISMATCH, "Cleartext password and DES key did not match" + +ec KADM_NOT_SERV_PRINC, "Invalid principal for change srvtab request" +ec KADM_REALM_TOO_LONG, "Realm name too long" +end diff --git a/src/lib/krb4/kadm_net.c b/src/lib/krb4/kadm_net.c new file mode 100644 index 0000000000..37a660319a --- /dev/null +++ b/src/lib/krb4/kadm_net.c 
@@ -0,0 +1,383 @@ +/* + * kadm_net.c + * + * Copyright 1988, 2002 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Kerberos administration server client-side network access routines + * These routines do actual network traffic, in a machine dependent manner. + */ + +#include <errno.h> +#include <signal.h> +#include <string.h> +#include <stdlib.h> +#ifdef HAVE_UNISTD_H +#include <unistd.h> +#endif + +#define DEFINE_SOCKADDR /* Ask krb.h for struct sockaddr, etc */ +#include "port-sockets.h" +#include "krb.h" +#include "krbports.h" +#include "kadm.h" +#include "kadm_err.h" +#include "prot.h" + +/* XXX FIXME! 
*/ +#if defined(_WINDOWS) || defined(macintosh) + #define SIGNAL(s, f) 0 +#else + #define SIGNAL(s, f) signal(s, f) + extern int errno; +#endif + +static void clear_secrets(des_cblock sess_key, Key_schedule sess_sched); +/* XXX FIXME! */ +static sigtype (*opipe)(); + + +/* + * kadm_init_link + * receives : principal, instance, realm + * + * initializes client parm, the Kadm_Client structure which holds the + * data about the connection between the server and client, the services + * used, the locations and other fun things + */ +int +kadm_init_link(char *principal, char *instance, char *realm, + Kadm_Client *client_parm, int changepw) +{ + struct servent *sep; /* service we will talk to */ + u_short sep_port; + struct hostent *hop; /* host we will talk to */ + char adm_hostname[MAXHOSTNAMELEN]; + char *scol = 0; + + (void) strcpy(client_parm->sname, principal); + (void) strcpy(client_parm->sinst, instance); + (void) strcpy(client_parm->krbrlm, realm); + client_parm->admin_fd = -1; + client_parm->default_port = 1; + + /* + * set up the admin_addr - fetch name of admin or kpasswd host + * (usually the admin host is the kpasswd host unless you have + * some sort of realm on crack) + */ + if (changepw) { +#if 0 /* XXX */ + if (krb_get_kpasswdhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS) +#endif + if (krb_get_admhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS) + return KADM_NO_HOST; + } else { + if (krb_get_admhst(adm_hostname, client_parm->krbrlm, 1) != KSUCCESS) + return KADM_NO_HOST; + } + scol = strchr(adm_hostname,':'); + if (scol) *scol = 0; + if ((hop = gethostbyname(adm_hostname)) == NULL) + /* + * couldn't find the admin servers address + */ + return KADM_UNK_HOST; + if (scol) { + sep_port = htons(atoi(scol+1)); + client_parm->default_port = 0; + } else if ((sep = getservbyname(KADM_SNAME, "tcp")) != NULL) + sep_port = sep->s_port; + else + sep_port = htons(KADM_PORT); /* KADM_SNAME = kerberos_master/tcp */ + memset(&client_parm->admin_addr, 0, 
sizeof(client_parm->admin_addr)); + client_parm->admin_addr.sin_family = hop->h_addrtype; + memcpy(&client_parm->admin_addr.sin_addr, hop->h_addr, hop->h_length); + client_parm->admin_addr.sin_port = sep_port; + + return KADM_SUCCESS; +} + +/* + * kadm_cli_send + * recieves : opcode, packet, packet length, serv_name, serv_inst + * returns : return code from the packet build, the server, or + * something else + * + * It assembles a packet as follows: + * 8 bytes : VERSION STRING + * 4 bytes : LENGTH OF MESSAGE DATA and OPCODE + * : KTEXT + * : OPCODE \ + * : DATA > Encrypted (with make priv) + * : ...... / + * + * If it builds the packet and it is small enough, then it attempts to open the + * connection to the admin server. If the connection is succesfully open + * then it sends the data and waits for a reply. + */ +int +kadm_cli_send(Kadm_Client *client_parm, + u_char *st_dat, /* the actual data */ + size_t st_siz, /* length of said data */ + u_char **ret_dat, /* to give return info */ + size_t *ret_siz) /* length of returned info */ +{ +/* Macros for use in returning data... 
used in kadm_cli_send */ +#define RET_N_FREE(r) {clear_secrets(sess_key, sess_sched); free((char *)act_st); free((char *)priv_pak); return r;} +#define RET_N_FREE2(r) {free((char *)*ret_dat); *ret_dat = 0; *ret_siz = 0; clear_secrets(sess_key, sess_sched); return(r);} + + int act_len; /* current offset into packet, return */ + KRB_INT32 retdat; /* data */ + KTEXT_ST authent; /* the authenticator we will build */ + u_char *act_st; /* the pointer to the complete packet */ + u_char *priv_pak; /* private version of the packet */ + long priv_len; /* length of private packet */ + u_long cksum; /* checksum of the packet */ + MSG_DAT mdat; + u_char *return_dat; + u_char *p; + KRB_UINT32 uretdat; + + /* Keys for use in the transactions */ + des_cblock sess_key; /* to be filled in by kadm_cli_keyd */ + Key_schedule sess_sched; + + act_st = malloc(KADM_VERSIZE); /* verstr stored first */ + strncpy((char *)act_st, KADM_VERSTR, KADM_VERSIZE); + act_len = KADM_VERSIZE; + + if ((retdat = kadm_cli_keyd(client_parm, sess_key, sess_sched)) != KADM_SUCCESS) { + free(act_st); + return retdat; /* couldnt get key working */ + } + priv_pak = malloc(st_siz + 200); + /* 200 bytes for extra info case */ + /* XXX Check mk_priv return type */ + if ((priv_len = krb_mk_priv(st_dat, priv_pak, (u_long)st_siz, + sess_sched, (C_Block *)sess_key, + &client_parm->my_addr, + &client_parm->admin_addr)) < 0) + RET_N_FREE(KADM_NO_ENCRYPT); /* whoops... we got a lose here */ + /* + * here is the length of priv data. receiver calcs size of + * authenticator by subtracting vno size, priv size, and + * sizeof(u_long) (for the size indication) from total size + */ + act_len += vts_long((KRB_UINT32)priv_len, &act_st, (int)act_len); +#ifdef NOENCRYPTION + cksum = 0; +#else + cksum = quad_cksum(priv_pak, NULL, priv_len, 0, &sess_key); +#endif + /* XXX cast unsigned->signed */ + if ((retdat = krb_mk_req_creds(&authent, &client_parm->creds, (long)cksum)) != NULL) { + /* authenticator? 
*/ + RET_N_FREE(retdat); + } + + act_st = realloc(act_st, (unsigned) (act_len + authent.length + + priv_len)); + if (!act_st) { + clear_secrets(sess_key, sess_sched); + free(priv_pak); + return KADM_NOMEM; + } + memcpy(act_st + act_len, authent.dat, authent.length); + memcpy(act_st + act_len + authent.length, priv_pak, priv_len); + free(priv_pak); + if ((retdat = kadm_cli_out(client_parm, act_st, + act_len + authent.length + priv_len, + ret_dat, ret_siz)) != KADM_SUCCESS) + RET_N_FREE(retdat); + free(act_st); + + /* first see if it's a YOULOSE */ + if ((*ret_siz >= KADM_VERSIZE) && + !strncmp(KADM_ULOSE, (char *)*ret_dat, KADM_VERSIZE)) + { + /* it's a youlose packet */ + if (*ret_siz < KADM_VERSIZE + 4) + RET_N_FREE2(KADM_BAD_VER); + p = *ret_dat + KADM_VERSIZE; + KRB4_GET32BE(uretdat, p); + /* XXX unsigned->signed */ + retdat = (KRB_INT32)uretdat; + RET_N_FREE2(retdat); + } + /* need to decode the ret_dat */ + if ((retdat = krb_rd_priv(*ret_dat, (u_long)*ret_siz, sess_sched, + (C_Block *)sess_key, &client_parm->admin_addr, + &client_parm->my_addr, &mdat)) != NULL) + RET_N_FREE2(retdat); + if (mdat.app_length < KADM_VERSIZE + 4) + /* too short! 
*/ + RET_N_FREE2(KADM_BAD_VER); + if (strncmp((char *)mdat.app_data, KADM_VERSTR, KADM_VERSIZE)) + /* bad version */ + RET_N_FREE2(KADM_BAD_VER); + p = mdat.app_data + KADM_VERSIZE; + KRB4_GET32BE(uretdat, p); + /* XXX unsigned->signed */ + retdat = (KRB_INT32)uretdat; + if ((mdat.app_length - KADM_VERSIZE - 4) != 0) { + if (!(return_dat = + malloc((unsigned)(mdat.app_length - KADM_VERSIZE - 4)))) + RET_N_FREE2(KADM_NOMEM); + memcpy(return_dat, p, mdat.app_length - KADM_VERSIZE - 4); + } else { + /* If it's zero length, still need to malloc a 1 byte string; */ + /* malloc's of zero will return NULL on AIX & A/UX */ + if (!(return_dat = malloc((unsigned) 1))) + RET_N_FREE2(KADM_NOMEM); + *return_dat = '\0'; + } + free(*ret_dat); + clear_secrets(sess_key, sess_sched); + *ret_dat = return_dat; + *ret_siz = mdat.app_length - KADM_VERSIZE - 4; + return retdat; +} + +int kadm_cli_conn(Kadm_Client *client_parm) +{ /* this connects and sets my_addr */ +#if 0 + int on = 1; +#endif + if ((client_parm->admin_fd = + socket(client_parm->admin_addr.sin_family, SOCK_STREAM,0)) < 0) + return KADM_NO_SOCK; /* couldnt create the socket */ + if (SOCKET_CONNECT(client_parm->admin_fd, + (struct sockaddr *) & client_parm->admin_addr, + sizeof(client_parm->admin_addr))) { + (void) SOCKET_CLOSE(client_parm->admin_fd); + client_parm->admin_fd = -1; + + /* The V4 kadmind port number is 751. The RFC assigned + number, for V5, is 749. Sometimes the entry in + /etc/services on a client machine will say 749, but the + server may be listening on port 751. We try to partially + cope by automatically falling back to try port 751 if we + don't get a reply on port we are using. 
*/ + if (client_parm->admin_addr.sin_port != htons(KADM_PORT) + && client_parm->default_port) { + client_parm->admin_addr.sin_port = htons(KADM_PORT); + return kadm_cli_conn(client_parm); + } + + return KADM_NO_CONN; /* couldnt get the connect */ + } + opipe = SIGNAL(SIGPIPE, SIG_IGN); + client_parm->my_addr_len = sizeof(client_parm->my_addr); + if (SOCKET_GETSOCKNAME(client_parm->admin_fd, + (struct sockaddr *) & client_parm->my_addr, + &client_parm->my_addr_len) < 0) { + (void) SOCKET_CLOSE(client_parm->admin_fd); + client_parm->admin_fd = -1; + (void) SIGNAL(SIGPIPE, opipe); + return KADM_NO_HERE; /* couldnt find out who we are */ + } +#if 0 + if (setsockopt(client_parm.admin_fd, SOL_SOCKET, SO_KEEPALIVE, (char *)&on, + sizeof(on)) < 0) { + (void) closesocket(client_parm.admin_fd); + client_parm.admin_fd = -1; + (void) SIGNAL(SIGPIPE, opipe); + return KADM_NO_CONN; /* XXX */ + } +#endif + return KADM_SUCCESS; +} + +void kadm_cli_disconn(Kadm_Client *client_parm) +{ + (void) SOCKET_CLOSE(client_parm->admin_fd); + (void) SIGNAL(SIGPIPE, opipe); + return; +} + +int kadm_cli_out(Kadm_Client *client_parm, u_char *dat, int dat_len, + u_char **ret_dat, size_t *ret_siz) +{ + u_short dlen; + int retval; + unsigned char buf[2], *p; + + dlen = (u_short)dat_len; + if (dlen > 0x7fff) /* XXX krb_net_write signedness */ + return KADM_NO_ROOM; + + p = buf; + KRB4_PUT16BE(p, dlen); + if (krb_net_write(client_parm->admin_fd, (char *)buf, 2) < 0) + return SOCKET_ERRNO; /* XXX */ + + if (krb_net_write(client_parm->admin_fd, (char *)dat, (int)dat_len) < 0) + return SOCKET_ERRNO; /* XXX */ + + retval = krb_net_read(client_parm->admin_fd, (char *)buf, 2); + if (retval != 2) { + if (retval < 0) + return SOCKET_ERRNO; /* XXX */ + else + return EPIPE; /* short read ! 
*/ + } + + p = buf; + KRB4_GET16BE(dlen, p); + if (dlen > INT_MAX) /* XXX krb_net_read signedness */ + return KADM_NO_ROOM; + *ret_dat = malloc(dlen); + if (!*ret_dat) + return KADM_NOMEM; + + retval = krb_net_read(client_parm->admin_fd, (char *)*ret_dat, (int)dlen); + if (retval != dlen) { + if (retval < 0) + return SOCKET_ERRNO; /* XXX */ + else + return EPIPE; /* short read ! */ + } + *ret_siz = dlen; + return KADM_SUCCESS; +} + +static void +clear_secrets(des_cblock sess_key, Key_schedule sess_sched) +{ + memset(sess_key, 0, sizeof(sess_key)); + memset(sess_sched, 0, sizeof(sess_sched)); + return; +} + +/* takes in the sess_key and key_schedule and sets them appropriately */ +int kadm_cli_keyd(Kadm_Client *client_parm, + des_cblock s_k, des_key_schedule s_s) +{ + int stat; + + memcpy(s_k, client_parm->creds.session, sizeof(des_cblock)); + stat = key_sched(s_k, s_s); + if (stat) + return stat; + return KADM_SUCCESS; +} /* This code "works" */ diff --git a/src/lib/krb4/kadm_stream.c b/src/lib/krb4/kadm_stream.c new file mode 100644 index 0000000000..3a9861eda4 --- /dev/null +++ b/src/lib/krb4/kadm_stream.c 
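Review bot: In kadm_cli_send, `priv_pak` is freed just before the kadm_cli_out() call, and the failure branch right after it runs RET_N_FREE, which frees `priv_pak` a second time. Clearing the pointer after the first free makes the macro's free a no-op. Separately, clear_secrets() sizes both memset() calls with `sizeof` applied to its array parameters, which are pointers inside the function, so only a pointer's worth of the session key and key schedule is cleared; sizing by type fixes that. kadm_init_link() also copies `principal`, `instance` and `realm` with strcpy() into fixed Kadm_Client fields without a length check, although the error table added in this commit already defines KADM_REALM_TOO_LONG.

```c
    memcpy(act_st + act_len + authent.length, priv_pak, priv_len);
    free(priv_pak);
    priv_pak = NULL;	/* RET_N_FREE below would otherwise free it again */
/* … unchanged: kadm_cli_out call and reply parsing … */

static void
clear_secrets(des_cblock sess_key, Key_schedule sess_sched)
{
    /* Array parameters decay to pointers, so size the wipe by type. */
    memset(sess_key, 0, sizeof(des_cblock));
    memset(sess_sched, 0, sizeof(Key_schedule));
    return;
}
```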
@@ -0,0 +1,319 @@ +/* + * kadm_stream.c + * + * Copyright 1988, 2002 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Stream conversion functions for Kerberos administration server + */ + +/* + kadm_stream.c + this holds the stream support routines for the kerberos administration server + + vals_to_stream: converts a vals struct to a stream for transmission + internals build_field_header, vts_[string, char, long, short] + stream_to_vals: converts a stream to a vals struct + internals check_field_header, stv_[string, char, long, short] + error: prints out a kadm error message, returns + fatal: prints out a kadm fatal error message, exits +*/ + +#include <string.h> +#include <stdlib.h> + +#include "kadm.h" +#include "kadm_err.h" +#include "prot.h" + +#define min(a,b) (((a) < (b)) ? 
(a) : (b)) + +/* +vals_to_stream + recieves : kadm_vals *, u_char * + returns : a realloced and filled in u_char * + +this function creates a byte-stream representation of the kadm_vals structure +*/ +int +vals_to_stream(Kadm_vals *dt_in, u_char **dt_out) +{ + int vsloop, stsize; /* loop counter, stream size */ + + stsize = build_field_header(dt_in->fields, dt_out); + for (vsloop = 31; vsloop >= 0; vsloop--) + if (IS_FIELD(vsloop, dt_in->fields)) { + switch (vsloop) { + case KADM_NAME: + stsize += vts_string(dt_in->name, dt_out, stsize); + break; + case KADM_INST: + stsize += vts_string(dt_in->instance, dt_out, stsize); + break; + case KADM_EXPDATE: + stsize += vts_long((KRB_UINT32)dt_in->exp_date, + dt_out, stsize); + break; + case KADM_ATTR: + stsize += vts_short(dt_in->attributes, dt_out, stsize); + break; + case KADM_MAXLIFE: + stsize += vts_char(dt_in->max_life, dt_out, stsize); + break; + case KADM_DESKEY: + stsize += vts_long(dt_in->key_high, dt_out, stsize); + stsize += vts_long(dt_in->key_low, dt_out, stsize); + break; + default: + break; + } + } + return stsize; +} + +int +build_field_header( + u_char *cont, /* container for fields data */ + u_char **st) /* stream */ +{ + *st = malloc(4); + if (*st == NULL) + return -1; + memcpy(*st, cont, 4); + return 4; /* return pointer to current stream location */ +} + +int +vts_string(char *dat, u_char **st, int loc) +{ + size_t len; + unsigned char *p; + + if (loc < 0) + return -1; + len = strlen(dat) + 1; + p = realloc(*st, (size_t)loc + len); + if (p == NULL) + return -1; + memcpy(p + loc, dat, len); + *st = p; + return len; +} + +int +vts_short(KRB_UINT32 dat, u_char **st, int loc) +{ + unsigned char *p; + + if (loc < 0) + return -1; + p = realloc(*st, (size_t)loc + 2); + if (p == NULL) + return -1; + + KRB4_PUT16BE(p, dat); + *st = p; + return 2; +} + +int +vts_long(KRB_UINT32 dat, u_char **st, int loc) +{ + unsigned char *p; + + if (loc < 0) + return -1; + p = realloc(*st, (size_t)loc + 4); + if (p == NULL) + 
return -1; + + KRB4_PUT32BE(p, dat); + *st = p; + return 4; +} + +int +vts_char(KRB_UINT32 dat, u_char **st, int loc) +{ + unsigned char *p; + + if (loc < 0) + return -1; + p = realloc(*st, (size_t)loc + 1); + if (p == NULL) + return -1; + p[loc] = dat & 0xff; + *st = p; + return 1; +} + +/* +stream_to_vals + recieves : u_char *, kadm_vals * + returns : a kadm_vals filled in according to u_char * + +this decodes a byte stream represntation of a vals struct into kadm_vals +*/ +int +stream_to_vals( + u_char *dt_in, + Kadm_vals *dt_out, + int maxlen) /* max length to use */ +{ + register int vsloop, stsize; /* loop counter, stream size */ + register int status; + + memset(dt_out, 0, sizeof(*dt_out)); + + stsize = check_field_header(dt_in, dt_out->fields, maxlen); + if (stsize < 0) + return -1; + for (vsloop = 31; vsloop >= 0; vsloop--) + if (IS_FIELD(vsloop, dt_out->fields)) + switch (vsloop) { + case KADM_NAME: + status = stv_string(dt_in, dt_out->name, stsize, + sizeof(dt_out->name), maxlen); + if (status < 0) + return -1; + stsize += status; + break; + case KADM_INST: + status = stv_string(dt_in, dt_out->instance, stsize, + sizeof(dt_out->instance), maxlen); + if (status < 0) + return -1; + stsize += status; + break; + case KADM_EXPDATE: + { + KRB_UINT32 exp_date; + + status = stv_long(dt_in, &exp_date, stsize, maxlen); + if (status < 0) + return -1; + dt_out->exp_date = exp_date; + stsize += status; + } + break; + case KADM_ATTR: + status = stv_short(dt_in, &dt_out->attributes, stsize, + maxlen); + if (status < 0) + return -1; + stsize += status; + break; + case KADM_MAXLIFE: + status = stv_char(dt_in, &dt_out->max_life, stsize, + maxlen); + if (status < 0) + return -1; + stsize += status; + break; + case KADM_DESKEY: + status = stv_long(dt_in, &dt_out->key_high, stsize, + maxlen); + if (status < 0) + return -1; + stsize += status; + status = stv_long(dt_in, &dt_out->key_low, stsize, + maxlen); + if (status < 0) + return -1; + stsize += status; + break; + default: 
+ break; + } + return stsize; +} + +int +check_field_header( + u_char *st, /* stream */ + u_char *cont, /* container for fields data */ + int maxlen) +{ + if (4 > maxlen) + return -1; + memcpy(cont, st, 4); + return 4; /* return pointer to current stream location */ +} + +int +stv_string( + register u_char *st, /* base pointer to the stream */ + char *dat, /* a string to read from the stream */ + register int loc, /* offset into the stream for current data */ + int stlen, /* max length of string to copy in */ + int maxlen) /* max length of input stream */ +{ + int maxcount; /* max count of chars to copy */ + + if (loc < 0) + return -1; + maxcount = min(maxlen - loc, stlen); + if (maxcount <= 0) /* No strings left in the input stream */ + return -1; + + (void) strncpy(dat, (char *)st + loc, (size_t)maxcount); + + if (dat[maxcount - 1]) /* not null-term --> not enuf room */ + return -1; + return strlen(dat) + 1; +} + +int +stv_short(u_char *st, u_short *dat, int loc, int maxlen) +{ + u_short temp; + unsigned char *p; + + if (loc < 0 || loc + 2 > maxlen) + return -1; + p = st + loc; + KRB4_GET16BE(temp, p); + *dat = temp; + return 2; +} + +int +stv_long(u_char *st, KRB_UINT32 *dat, int loc, int maxlen) +{ + KRB_UINT32 temp; + unsigned char *p; + + if (loc < 0 || loc + 4 > maxlen) + return -1; + p = st + loc; + KRB4_GET32BE(temp, p); + *dat = temp; + return 4; +} + +int +stv_char(u_char *st, u_char *dat, int loc, int maxlen) +{ + if (loc < 0 || loc + 1 > maxlen) + return -1; + *dat = *(st + loc); + return 1; +} diff --git a/src/lib/krb4/mk_req.c b/src/lib/krb4/mk_req.c index b5f02529be..698d2c2ad7 100644 --- a/src/lib/krb4/mk_req.c +++ b/src/lib/krb4/mk_req.c @@ -1,7 +1,7 @@ /* * lib/krb4/mk_req.c * - * Copyright 1985, 1986, 1987, 1988, 2000 by the Massachusetts + * Copyright 1985, 1986, 1987, 1988, 2000, 2002 by the Massachusetts * Institute of Technology. All Rights Reserved. * * Export of this software from the United States of America may 
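Review bot: vts_short() and vts_long() write at the start of the reallocated buffer instead of at `loc`: they call `KRB4_PUT16BE(p, dat)` / `KRB4_PUT32BE(p, dat)` while `p` still points at offset 0, whereas vts_string() copies to `p + loc` and vts_char() stores to `p[loc]`. As written the value lands on top of the 4-byte field header and the bytes at `loc` stay uninitialised. If the PUT macros advance their pointer argument (kadm_cli_out's scratch `p` suggests they do), `*st = p` also stores a pointer into the middle of the allocation, which must not be handed to the next realloc(). Store the base first and then write at the offset, `*st = p; p += loc; KRB4_PUT16BE(p, dat);`, and likewise in vts_long(). Separately, vals_to_stream() adds each helper's return value to `stsize` without testing it, so a -1 from a failed realloc() shifts every later offset by one instead of aborting the encode.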
@@ -33,6 +33,8 @@ extern int krb_ap_req_debug; static int lifetime = 255; /* Default based on the TGT */ +static int krb_mk_req_creds_prealm(KTEXT, CREDENTIALS *, KRB4_32, char *); + /* * krb_mk_req takes a text structure in which an authenticator is to * be built, the name of a service, an instance, a realm, 
@@ -83,83 +85,51 @@ static int lifetime = 255; /* Default based on the TGT */ * all rounded up to multiple of 8. */ -int KRB5_CALLCONV -krb_mk_req(authent, service, instance, realm, checksum) +static int +krb_mk_req_creds_prealm(authent, creds, checksum, myrealm) register KTEXT authent; /* Place to build the authenticator */ - char *service; /* Name of the service */ - char *instance; /* Service instance */ - char *realm; /* Authentication domain of service */ + CREDENTIALS *creds; KRB4_32 checksum; /* Checksum of data (optional) */ + char *myrealm; /* Client's realm */ { KTEXT_ST req_st; /* Temp storage for req id */ KTEXT req_id = &req_st; unsigned char *p, *q, *reqid_lenp; int tl; /* Tkt len */ int idl; /* Reqid len */ - CREDENTIALS cr; /* Credentials used by retr */ - register KTEXT ticket = &(cr.ticket_st); /* Pointer to tkt_st */ - int retval; /* Returned by krb_get_cred */ + register KTEXT ticket; /* Pointer to tkt_st */ Key_schedule key_s; - char krb_realm[REALM_SZ]; /* Our local realm, if not specified */ - char myrealm[REALM_SZ]; /* Realm of our TGT */ size_t realmlen, pnamelen, pinstlen, myrealmlen; unsigned KRB4_32 time_secs; unsigned KRB4_32 time_usecs; - /* get current realm if not passed in */ - if (realm == NULL) { - retval = krb_get_lrealm(krb_realm, 1); - if (retval != KSUCCESS) - return retval; - realm = krb_realm; - } - + ticket = &creds->ticket_st; /* Get the ticket and move it into the authenticator */ if (krb_ap_req_debug) - DEB (("Realm: %s\n",realm)); - /* - * Determine realm of these tickets. We will send this to the - * KDC from which we are requesting tickets so it knows what to - * with our session key. 
- */ - retval = krb_get_tf_realm(TKT_FILE, myrealm); - if (retval != KSUCCESS) - return retval; + DEB (("Realm: %s\n", creds->realm)); - retval = krb_get_cred(service, instance, realm, &cr); - if (retval == RET_NOTKT) { - retval = get_ad_tkt(service, instance, realm, lifetime); - if (retval) - return retval; - retval = krb_get_cred(service, instance, realm, &cr); - if (retval) - return retval; - } - if (retval != KSUCCESS) - return retval; - - realmlen = strlen(realm) + 1; + realmlen = strlen(creds->realm) + 1; if (sizeof(authent->dat) < (1 + 1 + 1 + realmlen + 1 + 1 + ticket->length) || ticket->length < 0 || ticket->length > 255) { authent->length = 0; - memset(cr.session, 0, sizeof(cr.session)); + memset(creds->session, 0, sizeof(creds->session)); return KFAILURE; } if (krb_ap_req_debug) - DEB (("%s %s %s %s %s\n", service, instance, realm, - cr.pname, cr.pinst)); + DEB (("%s %s %s %s %s\n", creds->service, creds->instance, + creds->realm, creds->pname, creds->pinst)); p = authent->dat; /* The fixed parts of the authenticator */ *p++ = KRB_PROT_VERSION; *p++ = AUTH_MSG_APPL_REQUEST; - *p++ = cr.kvno; + *p++ = creds->kvno; - memcpy(p, realm, realmlen); + memcpy(p, creds->realm, realmlen); p += realmlen; tl = ticket->length; @@ -173,14 +143,14 @@ krb_mk_req(authent, service, instance, realm, checksum) if (krb_ap_req_debug) DEB (("Ticket->length = %d\n",ticket->length)); if (krb_ap_req_debug) - DEB (("Issue date: %d\n",cr.issue_date)); + DEB (("Issue date: %d\n",creds->issue_date)); - pnamelen = strlen(cr.pname) + 1; - pinstlen = strlen(cr.pinst) + 1; + pnamelen = strlen(creds->pname) + 1; + pinstlen = strlen(creds->pinst) + 1; myrealmlen = strlen(myrealm) + 1; if (sizeof(req_id->dat) / 8 < (pnamelen + pinstlen + myrealmlen + 4 + 1 + 4 + 7) / 8) { - memset(cr.session, 0, sizeof(cr.session)); + memset(creds->session, 0, sizeof(creds->session)); return KFAILURE; } 
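Review bot: `strlen(creds->realm)` at the top of krb_mk_req_creds_prealm() (and `strlen(creds->pname)` / `strlen(creds->pinst)` in the following hunk) now runs on a CREDENTIALS that krb_mk_req_creds() receives from its caller, not on one that krb_get_cred() has just filled in. A field without a terminating NUL is therefore read past its end before either size check can reject it. A bounded length keeps the read inside the field, in the style rd_req.c uses in this commit: `len = krb4int_strnlen(creds->realm, sizeof(creds->realm)) + 1; if (len <= 0) return KFAILURE;`. This assumes `realm` is a fixed-size array member, which the diff does not show. The function body continues beyond this hunk.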
@@ -188,10 +158,10 @@ krb_mk_req(authent, service, instance, realm, checksum) /* Build request id */ /* Auth name */ - memcpy(q, cr.pname, pnamelen); + memcpy(q, creds->pname, pnamelen); q += pnamelen; /* Principal's instance */ - memcpy(q, cr.pinst, pinstlen); + memcpy(q, creds->pinst, pinstlen); q += pinstlen; /* Authentication domain */ memcpy(q, myrealm, myrealmlen); @@ -210,12 +180,12 @@ krb_mk_req(authent, service, instance, realm, checksum) #ifndef NOENCRYPTION /* Encrypt the request ID using the session key */ - key_sched(cr.session, key_s); + key_sched(creds->session, key_s); pcbc_encrypt((C_Block *)req_id->dat, (C_Block *)req_id->dat, - (long)req_id->length, key_s, &cr.session, 1); + (long)req_id->length, key_s, &creds->session, 1); /* clean up */ memset(key_s, 0, sizeof(key_s)); - memset(cr.session, 0, sizeof(cr.session)); + memset(creds->session, 0, sizeof(creds->session)); #endif /* NOENCRYPTION */ /* Copy it into the authenticator */ 
@@ -239,6 +209,61 @@ krb_mk_req(authent, service, instance, realm, checksum) return KSUCCESS; } +int KRB5_CALLCONV +krb_mk_req(authent, service, instance, realm, checksum) + register KTEXT authent; /* Place to build the authenticator */ + char *service; /* Name of the service */ + char *instance; /* Service instance */ + char *realm; /* Authentication domain of service */ + KRB4_32 checksum; /* Checksum of data (optional) */ +{ + char krb_realm[REALM_SZ]; /* Our local realm, if not specified */ + char myrealm[REALM_SZ]; /* Realm of initial TGT. */ + int retval; + CREDENTIALS creds; + + /* get current realm if not passed in */ + if (realm == NULL) { + retval = krb_get_lrealm(krb_realm, 1); + if (retval != KSUCCESS) + return retval; + realm = krb_realm; + } + /* + * Determine realm of these tickets. We will send this to the + * KDC from which we are requesting tickets so it knows what to + * with our session key. + */ + retval = krb_get_tf_realm(TKT_FILE, myrealm); + if (retval != KSUCCESS) + retval = krb_get_lrealm(myrealm, 1); + if (retval != KSUCCESS) + return retval; + + retval = krb_get_cred(service, instance, realm, &creds); + if (retval == RET_NOTKT) { + retval = get_ad_tkt(service, instance, realm, lifetime); + if (retval) + return retval; + retval = krb_get_cred(service, instance, realm, &creds); + if (retval) + return retval; + } + if (retval != KSUCCESS) + return retval; + + return krb_mk_req_creds_prealm(authent, &creds, checksum, myrealm); +} + +int KRB5_CALLCONV +krb_mk_req_creds(authent, creds, checksum) + register KTEXT authent; /* Place to build the authenticator */ + CREDENTIALS *creds; + KRB4_32 checksum; /* Checksum of data (optional) */ +{ + return krb_mk_req_creds_prealm(authent, creds, checksum, creds->realm); +} + /* * krb_set_lifetime sets the default lifetime for additional tickets * obtained via krb_mk_req(). 
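Review bot: krb_mk_req_creds() hands the caller's `creds` straight to krb_mk_req_creds_prealm(), which zeroes `creds->session` on both of its failure returns and, in the `#ifndef NOENCRYPTION` clean-up of an earlier hunk, after encrypting the request id. That wipe was harmless while the structure was a local in krb_mk_req(), but here it silently destroys the caller's copy of the session key, so the same CREDENTIALS cannot be used for a second request. Either document it above the function, e.g. `/* NOTE: clears creds->session before returning; pass a copy if the key is still needed. */`, or have the wrapper work on a local copy (`CREDENTIALS tmp = *creds;`) and clear that copy instead.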
@@ -246,7 +271,7 @@ krb_mk_req(authent, service, instance, realm, checksum) * It returns the previous value of the default lifetime. */ -int +int KRB5_CALLCONV krb_set_lifetime(newval) int newval; { diff --git a/src/lib/krb4/one.c b/src/lib/krb4/one.c deleted file mode 100644 index 47a16e27fd..0000000000 --- a/src/lib/krb4/one.c +++ /dev/null @@ -1,15 +0,0 @@ -/* - * one.c - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * <mit-copyright.h>. - */ - -/* - * definition of variable set to 1. - * used in krb_conf.h to determine host byte order. - */ - -const int krbONE = 1; diff --git a/src/lib/krb4/password_to_key.c b/src/lib/krb4/password_to_key.c new file mode 100644 index 0000000000..be307a42d0 --- /dev/null +++ b/src/lib/krb4/password_to_key.c 
@@ -0,0 +1,146 @@ +/* + * password_to_key.c -- password_to_key functions merged from KfM + * + * Copyright 1999, 2002 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include <string.h> +#include <stdlib.h> + +#if TARGET_OS_MAC +#include <Kerberos/CredentialsCache.h> +#endif +#include "krb.h" +#include "krb4int.h" + +/* + * passwd_to_key(): given a password, return a DES key. + * There are extra arguments here which (used to be?) + * used by srvtab_to_key(). + * + * If the "passwd" argument is not null, generate a DES + * key from it, using string_to_key(). + * + * If the "passwd" argument is null, then on a Unix system we call + * des_read_password() to prompt for a password and then convert it + * into a DES key. 
But "prompting" the user is harder in a Windows or + * Macintosh environment, so we rely on our caller to explicitly do + * that now. + * + * In either case, the resulting key is put in the "key" argument, + * and 0 is returned. + */ + +#if TARGET_OS_MAC +/*ARGSUSED */ +int +krb_get_keyprocs(KRB_UINT32 stkType, + key_proc_array kps, key_proc_type_array sts) +{ + /* generates the list of key procs */ + /* always try them all, but try the specified one first */ + switch (stkType) { + case cc_v4_stk_afs: + kps[0] = afs_passwd_to_key; + sts[0] = cc_v4_stk_afs; + + kps[1] = mit_passwd_to_key; + sts[1] = cc_v4_stk_des; + + kps[2] = krb5_passwd_to_key; + sts[2] = cc_v4_stk_krb5; + + kps[3] = NULL; + break; + case cc_v4_stk_des: + case cc_v4_stk_unknown: + default: + kps[0] = mit_passwd_to_key; + sts[0] = cc_v4_stk_des; + + kps[1] = afs_passwd_to_key; + sts[1] = cc_v4_stk_afs; + + kps[2] = krb5_passwd_to_key; + sts[2] = cc_v4_stk_krb5; + + kps[3] = NULL; + break; + } + return KSUCCESS; +} +#endif + +int +mit_passwd_to_key(char *user, char *instance, char *realm, + char *passwd, C_Block key) +{ +#pragma unused(user) +#pragma unused(instance) +#pragma unused(realm) + + if (passwd) + mit_string_to_key(passwd, key); +#if !(defined(_WINDOWS) || defined(macintosh)) + else { + des_read_password((C_Block *)key, "Password: ", 0); + } +#endif /* unix */ + return (0); +} + +/* So we can use a v4 kinit against a v5 kdc with no krb4 salted key */ +int +krb5_passwd_to_key(char *user, char *instance, char *realm, + char *passwd, C_Block key) +{ + if (user && instance && realm && passwd) { + unsigned int len = MAX_K_NAME_SZ + strlen(passwd) + 1; + char *p = malloc (len); + if (p != NULL) { + snprintf (p, len, "%s%s%s%s", passwd, realm, user, instance); + p[len - 1] = '\0'; + mit_string_to_key (p, key); + free (p); + return 0; + } + } + return -1; +} + +int +afs_passwd_to_key(char *user, char *instance, char *realm, + char *passwd, C_Block key) +{ +#pragma unused(user) +#pragma 
unused(instance) + + if (passwd) + afs_string_to_key(passwd, realm, key); +#if !(defined(_WINDOWS) || defined(macintosh)) + else { + des_read_password((C_Block *)key, "Password: ", 0); + } +#endif /* unix */ + return (0); +} diff --git a/src/lib/krb4/prot_client.c b/src/lib/krb4/prot_client.c index d254e89493..315f7f08a4 100644 --- a/src/lib/krb4/prot_client.c +++ b/src/lib/krb4/prot_client.c @@ -64,7 +64,7 @@ krb4prot_encode_kdc_request(char *pname, char *pinst, char *prealm, p = pkt->dat; *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_KDC_REQUEST | (le ? LSB_FIRST : MSB_FIRST); + *p++ = AUTH_MSG_KDC_REQUEST | !!le; ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, pkt, &p); @@ -235,7 +235,7 @@ krb4prot_encode_apreq(int kvno, char *realm, p = pkt->dat; /* Assume >= 3 bytes in a KTEXT. */ *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_APPL_REQUEST | (le ? LSB_FIRST : MSB_FIRST); + *p++ = AUTH_MSG_APPL_REQUEST | !!le; *p++ = kvno; diff --git a/src/lib/krb4/prot_kdc.c b/src/lib/krb4/prot_kdc.c index d733c25891..aaaa9d00c4 100644 --- a/src/lib/krb4/prot_kdc.c +++ b/src/lib/krb4/prot_kdc.c @@ -91,7 +91,7 @@ krb4prot_encode_kdc_reply(char *pname, char *pinst, char *prealm, else *p++ = KRB_PROT_VERSION; /* little-endianness based on input, usually big-endian, though. */ - *p++ = AUTH_MSG_KDC_REPLY | (le ? LSB_FIRST : MSB_FIRST); + *p++ = AUTH_MSG_KDC_REPLY | !!le; ret = krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, outbuf, &p); @@ -281,7 +281,7 @@ krb4prot_encode_tkt(unsigned int flags, * Assume at least one byte in a KTEXT. If not, we have bigger * problems. Also, bitwise-OR in the little-endian flag. */ - *p++ = flags | (le ? LSB_FIRST : MSB_FIRST); + *p++ = flags | !!le; if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, tkt, &p)) 
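Review bot: krb5_passwd_to_key() frees `p`, which holds the password concatenated with realm, user and instance, without clearing it, so the plaintext password stays in freed heap memory after the key is derived. Add `memset(p, 0, len);` before `free (p);`, as mk_req.c does for session keys in this commit; a wipe the compiler cannot elide would be stronger where the platform offers one. Two smaller points in the same hunk: `snprintf` is used although `<stdio.h>` is not among the includes added here (unless krb.h pulls it in), and mit_passwd_to_key() / afs_passwd_to_key() return 0 with `key` untouched when `passwd` is NULL on `_WINDOWS`/`macintosh` builds. On other builds they ignore the result of des_read_password(), so a failed prompt is also reported as success.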
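Review bot: `| !!le` in krb4prot_encode_kdc_request() encodes the byte-order flag as bit 0 of the message-type octet, a fact the removed `LSB_FIRST` / `MSB_FIRST` names used to state and the bare expression no longer does. A short comment at the first use would keep that protocol detail visible, e.g. `/* low bit of the type octet is the byte-order flag: 1 = little-endian */`. The same applies to krb4prot_encode_apreq() and to the three prot_kdc.c hunks (krb4prot_encode_kdc_reply, krb4prot_encode_tkt, krb4prot_encode_err_reply). In krb4prot_encode_tkt() the flag is OR-ed into a caller-supplied `flags`, so it is also worth stating there that callers must leave bit 0 clear.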
@@ -369,7 +369,7 @@ krb4prot_encode_err_reply(char *pname, char *pinst, char *prealm, p = pkt->dat; /* Assume >= 2 bytes in KTEXT. */ *p++ = KRB_PROT_VERSION; - *p++ = AUTH_MSG_ERR_REPLY | (le ? LSB_FIRST : MSB_FIRST); + *p++ = AUTH_MSG_ERR_REPLY | !!le; if (krb4prot_encode_naminstrlm(pname, pinst, prealm, chklen, pkt, &p)) diff --git a/src/lib/krb4/rd_req.c b/src/lib/krb4/rd_req.c index b97bdbe0a4..1b8de0cf3a 100644 --- a/src/lib/krb4/rd_req.c +++ b/src/lib/krb4/rd_req.c @@ -1,8 +1,8 @@ /* * lib/krb4/rd_req.c * - * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts - * Institute of Technology. All Rights Reserved. + * Copyright 1985, 1986, 1987, 1988, 2000, 2001, 2002 by the + * Massachusetts Institute of Technology. All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -33,6 +33,10 @@ extern int krb_ap_req_debug; +static int +krb_rd_req_with_key(KTEXT, char *, char *, KRB_UINT32, AUTH_DAT *, + Key_schedule, krb5_keyblock *); + /* declared in krb.h */ int krb_ignore_ip_address = 0; @@ -162,14 +166,15 @@ krb_clear_key_krb5(ctx) * Mutual authentication is not implemented. */ -int KRB5_CALLCONV -krb_rd_req(authent, service, instance, from_addr, ad, fn) +static int +krb_rd_req_with_key(authent, service, instance, from_addr, ad, ks, k5key) register KTEXT authent; /* The received message */ char *service; /* Service name */ char *instance; /* Service instance */ unsigned KRB4_32 from_addr; /* Net address of originating host */ AUTH_DAT *ad; /* Structure to be filled in */ - char *fn; /* Filename to get keys from */ + Key_schedule ks; + krb5_keyblock *k5key; { KTEXT_ST ticket; /* Temp storage for ticket */ KTEXT tkt = &ticket; 
@@ -178,7 +183,6 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) char realm[REALM_SZ]; /* Realm of issuing kerberos */ Key_schedule seskey_sched; /* Key sched for session key */ - unsigned char skey[KKEY_SZ]; /* Session key from ticket */ char sname[SNAME_SZ]; /* Service name from ticket */ char iname[INST_SZ]; /* Instance name from ticket */ char r_aname[ANAME_SZ]; /* Client name from authenticator */ @@ -199,8 +203,6 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) Kerberos used to encrypt ticket */ int ret; int len; - krb5_keyblock keyblock; - int status; tkt->mbz = req_id->mbz = 0; 
@@ -248,49 +250,6 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) (void)memcpy(realm, ptr, (size_t)len); ptr += len; /* skip the realm "hint" */ - /* - * If "fn" is NULL, key info should already be set; don't - * bother with ticket file. Otherwise, check to see if we - * already have key info for the given server and key version - * (saved in the static st_* variables). If not, go get it - * from the ticket file. If "fn" is the null string, use the - * default ticket file. - */ - if (fn && (strcmp(st_nam,service) || strcmp(st_inst,instance) - || strcmp(st_rlm,realm) || (st_kvno != s_kvno))) { - if (*fn == 0) - fn = KEYFILE; - st_kvno = s_kvno; -#ifndef NOENCRYPTION - if (read_service_key(service,instance,realm, (int)s_kvno, - fn, (char *)skey) == 0) { - if ((status = krb_set_key((char *)skey,0))) - return(status); -#ifdef KRB4_USE_KEYTAB - } else if (krb54_get_service_keyblock(service, instance, - realm, (int)s_kvno, - fn, &keyblock) == 0) { - krb_set_key_krb5(krb5__krb4_context, &keyblock); - krb5_free_keyblock_contents(krb5__krb4_context, &keyblock); -#endif - } else - return RD_AP_UNDEC; -#endif /* !NOENCRYPTION */ - - len = krb4int_strnlen(realm, sizeof(st_rlm)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_rlm, realm, (size_t)len); - len = krb4int_strnlen(service, sizeof(st_nam)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_nam, service, (size_t)len); - len = krb4int_strnlen(instance, sizeof(st_inst)) + 1; - if (len <= 0) - return KFAILURE; - memcpy(st_inst, instance, (size_t)len); - } - /* Get ticket length */ tkt->length = *ptr++; /* Get authenticator length while we're at it. */ 
@@ -312,10 +271,10 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) /* Decrypt and take apart ticket */ #endif - if (!krb5_key) { + if (k5key == NULL) { if (decomp_ticket(tkt,&ad->k_flags,ad->pname,ad->pinst,ad->prealm, &(ad->address),ad->session, &(ad->life), - &(ad->time_sec),sname,iname,ky,serv_key)) { + &(ad->time_sec),sname,iname,ky,ks)) { #ifdef KRB_CRYPT_DEBUG log("Can't decode ticket"); #endif @@ -325,7 +284,7 @@ krb_rd_req(authent, service, instance, from_addr, ad, fn) if (decomp_tkt_krb5(tkt, &ad->k_flags, ad->pname, ad->pinst, ad->prealm, &ad->address, ad->session, &ad->life, &ad->time_sec, sname, iname, - &srv_k5key)) { + k5key)) { return RD_AP_UNDEC; } } 
@@ -471,3 +430,98 @@ cleanup: return RD_AP_OK; } + +int KRB5_CALLCONV +krb_rd_req_int(authent, service, instance, from_addr, ad, key) + KTEXT authent; /* The received message */ + char *service; /* Service name */ + char *instance; /* Service instance */ + KRB_UINT32 from_addr; /* Net address of originating host */ + AUTH_DAT *ad; /* Structure to be filled in */ + C_Block key; /* Key to decrypt ticket with */ +{ + Key_schedule ks; + int ret; + + do { + ret = des_key_sched(key, ks); + if (ret) break; + ret = krb_rd_req_with_key(authent, service, instance, + from_addr, ad, ks, NULL); + } while (0); + memset(ks, 0, sizeof(ks)); + return ret; +} + +int KRB5_CALLCONV +krb_rd_req(authent, service, instance, from_addr, ad, fn) + register KTEXT authent; /* The received message */ + char *service; /* Service name */ + char *instance; /* Service instance */ + unsigned KRB4_32 from_addr; /* Net address of originating host */ + AUTH_DAT *ad; /* Structure to be filled in */ + char *fn; /* Filename to get keys from */ +{ + unsigned char *ptr; + unsigned char s_kvno; + char realm[REALM_SZ]; + unsigned char skey[KKEY_SZ]; + krb5_keyblock keyblock; + int len; + int status; + +#define AUTHENT_REMAIN (authent->length - (ptr - authent->dat)) + if (authent->length < 3) + return RD_AP_MODIFIED; + ptr = authent->dat + 2; + s_kvno = *ptr++; /* get server key version */ + len = krb4int_strnlen((char *)ptr, AUTHENT_REMAIN) + 1; + if (len <= 0 || len > sizeof(realm)) + return RD_AP_MODIFIED; + (void)memcpy(realm, ptr, (size_t)len); +#undef AUTHENT_REMAIN + /* + * If "fn" is NULL, key info should already be set; don't + * bother with ticket file. Otherwise, check to see if we + * already have key info for the given server and key version + * (saved in the static st_* variables). If not, go get it + * from the ticket file. If "fn" is the null string, use the + * default ticket file. 
+ */ + if (fn && (strcmp(st_nam,service) || strcmp(st_inst,instance) + || strcmp(st_rlm,realm) || (st_kvno != s_kvno))) { + if (*fn == 0) + fn = KEYFILE; + st_kvno = s_kvno; + if (read_service_key(service,instance,realm, (int)s_kvno, + fn, (char *)skey) == 0) { + if ((status = krb_set_key((char *)skey,0))) + return(status); +#ifdef KRB4_USE_KEYTAB + } else if (krb54_get_service_keyblock(service, instance, + realm, (int)s_kvno, + fn, &keyblock) == 0) { + krb_set_key_krb5(krb5__krb4_context, &keyblock); + krb5_free_keyblock_contents(krb5__krb4_context, &keyblock); +#endif + } else + return RD_AP_UNDEC; + + len = krb4int_strnlen(realm, sizeof(st_rlm)) + 1; + if (len <= 0) + return KFAILURE; + memcpy(st_rlm, realm, (size_t)len); + len = krb4int_strnlen(service, sizeof(st_nam)) + 1; + if (len <= 0) + return KFAILURE; + memcpy(st_nam, service, (size_t)len); + len = krb4int_strnlen(instance, sizeof(st_inst)) + 1; + if (len <= 0) + return KFAILURE; + memcpy(st_inst, instance, (size_t)len); + } + return krb_rd_req_with_key(authent, service, instance, + from_addr, ad, + krb5_key ? NULL : serv_key, + krb5_key ? &srv_k5key : NULL); +} diff --git a/src/lib/krb4/tf_util.c b/src/lib/krb4/tf_util.c index 5ceee51c2d..473c597ad3 100644 --- a/src/lib/krb4/tf_util.c +++ b/src/lib/krb4/tf_util.c @@ -689,8 +689,6 @@ tf_read(s, n) return n; } -char *tkt_string(); - /* * tf_save_cred() appends an incoming ticket to the end of the ticket * file. You must call tf_init() before calling tf_save_cred(). diff --git a/src/lib/krb4/tkt_string.c b/src/lib/krb4/tkt_string.c index 68ef84365e..36625fc0b1 100644 --- a/src/lib/krb4/tkt_string.c +++ b/src/lib/krb4/tkt_string.c 
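Review bot: krb_rd_req() leaves the service key in `skey` on the stack when it returns, while krb_rd_req_int() just above it wipes its key schedule `ks` before returning; the key fetched by read_service_key() deserves the same care. Clear it as soon as it has been handed to krb_set_key(): `status = krb_set_key((char *)skey, 0); memset(skey, 0, sizeof(skey)); if (status) return status;`. The rewritten krb_rd_req() also no longer has the `#ifndef NOENCRYPTION` guard that surrounded this key lookup in the removed code; if that is intentional, a comment saying so would help the next reader.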
@@ -1,14 +1,29 @@ /* * tkt_string.c * - * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute - * of Technology. + * Copyright 1985, 1986, 1987, 1988, 2002 by the Massachusetts + * Institute of Technology. All Rights Reserved. * - * For copying and distribution information, please see the file - * <mit-copyright.h>. + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. */ -#include "mit-copyright.h" #include "krb.h" #include <stdio.h> #include <string.h> @@ -44,7 +59,7 @@ uid_t getuid(void) { return 0; } static char krb_ticket_string[MAXPATHLEN]; -char *tkt_string() +const char *tkt_string() { char *env; uid_t getuid(); |
