authorGreg Hudson <ghudson@mit.edu>2008-12-18 18:31:16 +0000
committerGreg Hudson <ghudson@mit.edu>2008-12-18 18:31:16 +0000
commit3bee8ea39e56d0ddd369bfb365cca9d51fdcfc37 (patch)
treef808e8013717b9f044e86d49a29a8288d0437783 /src/krb524
parent1d86f863efc9f6bc838438f90c6fdda236b6cedd (diff)
Remove krb524, lib/des425, lib/krb4, and include/kerberosIV.
Remove krb4 build system references and conditionals. Move des425 header stuff referenced by des_int.h into des_int.h. Remove krb4 test cases. ticket: 6303 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21544 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/krb524')
-rw-r--r--src/krb524/Makefile.in175
-rw-r--r--src/krb524/README154
-rw-r--r--src/krb524/cnv_tkt_skey.c223
-rw-r--r--src/krb524/k524init.M47
-rw-r--r--src/krb524/k524init.c183
-rw-r--r--src/krb524/krb524.c47
-rw-r--r--src/krb524/krb524.def13
-rw-r--r--src/krb524/krb524_prot11
-rw-r--r--src/krb524/krb524d.M74
-rw-r--r--src/krb524/krb524d.c637
-rw-r--r--src/krb524/krb524d.h48
-rw-r--r--src/krb524/libinit.c27
-rw-r--r--src/krb524/test.c353
13 files changed, 0 insertions, 1992 deletions
diff --git a/src/krb524/Makefile.in b/src/krb524/Makefile.in
deleted file mode 100644
index e832733f2..000000000
--- a/src/krb524/Makefile.in
+++ /dev/null
@@ -1,175 +0,0 @@
-thisconfigdir=..
-myfulldir=krb524
-mydir=krb524
-BUILDTOP=$(REL)..
-KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS)
-DEFS=
-
-# Copyright 1994 by OpenVision Technologies, Inc.
-#
-# Permission to use, copy, modify, distribute, and sell this software
-# and its documentation for any purpose is hereby granted without fee,
-# provided that the above copyright notice appears in all copies and
-# that both that copyright notice and this permission notice appear in
-# supporting documentation, and that the name of OpenVision not be used
-# in advertising or publicity pertaining to distribution of the software
-# without specific, written prior permission. OpenVision makes no
-# representations about the suitability of this software for any
-# purpose. It is provided "as is" without express or implied warranty.
-#
-# OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
-# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
-# EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
-# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
-# USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
-# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-#
-
-DEFINES = -DUSE_MASTER -DKRB524_PRIVATE=1
-PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
-PROG_RPATH=$(KRB5_LIBDIR)
-
-##WIN32##!if ("$(CPU)" == "i386") && defined(USE_ALTERNATE_KRB4_INCLUDES)
-##WIN32##KRB4_INCLUDES=-I$(USE_ALTERNATE_KRB4_INCLUDES)
-##WIN32##!endif
-
-##WIN32##!if ("$(CPU)" == "i386") && defined(USE_ALTERNATE_KRB4_LIB)
-##WIN32##K4LIB=$(USE_ALTERNATE_KRB4_LIB)
-##WIN32##!endif
-
-K524EXE = $(OUTPRE)k524init.exe
-K524LIB = $(OUTPRE)krb524.lib
-K524DEP = $(K524LIB)
-K524DEF = krb524.def
-WINLIBS = kernel32.lib ws2_32.lib user32.lib shell32.lib oldnames.lib \
- version.lib advapi32.lib gdi32.lib
-
-LOCALINCLUDES= $(KRB4_INCLUDES) -I. -I$(srcdir)
-
-# Library sources
-SRCS = \
- $(srcdir)/cnv_tkt_skey.c \
- $(srcdir)/libinit.c \
- $(srcdir)/krb524.c
-
-EXTRADEPSRCS = \
- $(srcdir)/test.c \
- $(srcdir)/k524init.c \
- $(srcdir)/krb524d.c
-
-##WIN32##!ifdef KRB524_STATIC_HACK
-##WIN32##LPREFIX=..\lib
-##WIN32##K5_GLUE=$(LPREFIX)\$(OUTPRE)k5_glue.obj
-##WIN32##KLIBS = $(LPREFIX)\krb5\$(OUTPRE)krb5.lib \
-##WIN32## $(LPREFIX)\crypto\$(OUTPRE)crypto.lib \
-##WIN32## $(BUILDTOP)\util\profile\$(OUTPRE)profile.lib \
-##WIN32## $(LPREFIX)\des425\$(OUTPRE)des425.lib
-##WIN32##KLIB=$(KLIBS) $(DNSLIBS) $(K5_GLUE) $(CLIB)
-##WIN32##STLIBOBJS=$(STLIBOBJS:libinit=globals)
-##WIN32##K524DEP=$(STLIBOBJS)
-##WIN32##!endif
-
-##WIN32##VERSIONRC = $(BUILDTOP)\windows\version.rc
-##WIN32##RCFLAGS=$(CPPFLAGS) -I$(SRCTOP) -D_WIN32 -DRES_ONLY
-
-##WIN32##EXERES=$(K524EXE:.exe=.res)
-##WIN32##LIBRES=$(K524LIB:.lib=.res)
-
-##WIN32##$(EXERES): $(VERSIONRC)
-##WIN32## $(RC) $(RCFLAGS) -DKRB524_INIT -fo $@ -r $**
-##WIN32##$(LIBRES): $(VERSIONRC)
-##WIN32## $(RC) $(RCFLAGS) -DKRB524_LIB -fo $@ -r $**
-
-all-unix:: krb524d krb524test k524init
-
-##WIN32##all-windows:: $(K524EXE) $(K524LIB)
-
-krb524test: test.o $(KRB5_DEPLIB) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o krb524test test.o $(KRB5_LIB) $(KRB4COMPAT_LIBS)
-
-SERVER_OBJS= krb524d.o cnv_tkt_skey.o
-CLIENT_OBJS= $(OUTPRE)k524init.$(OBJEXT)
-
-krb524d: $(SERVER_OBJS) $(KADMSRV_DEPLIBS) $(KRB5_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB)
- $(CC_LINK) -o krb524d $(SERVER_OBJS) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_LIB) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB)
-
-k524init: $(CLIENT_OBJS) $(KRB5_DEPLIB) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o k524init $(CLIENT_OBJS) $(KRB5_LIB) $(KRB4COMPAT_LIBS)
-
-##WIN32##$(K524LIB): $(OUTPRE)krb524.$(OBJEXT) $(OUTPRE)libinit.$(OBJEXT) $(KLIB) $(CLIB) $(LIBRES)
-##WIN32## link $(DLL_LINKOPTS) -def:$(K524DEF) -out:$*.dll $** $(WINLIBS)
-##WIN32## $(_VC_MANIFEST_EMBED_DLL)
-
-##WIN32##$(K524EXE): $(OUTPRE)k524init.$(OBJEXT) $(KLIB) $(K4LIB) $(CLIB) $(EXERES) $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib
-##WIN32## link $(EXE_LINKOPTS) -out:$@ $** $(WINLIBS) $(SCLIB)
-##WIN32## $(_VC_MANIFEST_EMBED_EXE)
-
-install-unix::
- $(INSTALL_PROGRAM) krb524d $(DESTDIR)$(SERVER_BINDIR)/krb524d
- $(INSTALL_PROGRAM) k524init $(DESTDIR)$(CLIENT_BINDIR)/krb524init
- $(INSTALL_DATA) $(srcdir)/krb524d.M $(DESTDIR)$(SERVER_MANDIR)/krb524d.8
- $(INSTALL_DATA) $(srcdir)/k524init.M \
- $(DESTDIR)$(CLIENT_MANDIR)/krb524init.1
-
-clean-unix::
- $(RM) $(OBJS) core *~ *.bak #*
- $(RM) krb524test krb524d k524init test.o $(CLIENT_OBJS) $(SERVER_OBJS)
-
-
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)cnv_tkt_skey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h cnv_tkt_skey.c krb524d.h
-$(OUTPRE)libinit.$(OBJEXT): libinit.c
-$(OUTPRE)krb524.$(OBJEXT): krb524.c
-$(OUTPRE)test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h test.c
-$(OUTPRE)k524init.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(KRB_ERR_H_DEP) $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \
- $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
- $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
- $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h k524init.c
-$(OUTPRE)krb524d.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(KRB_ERR_H_DEP) \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
- $(SRCTOP)/include/gssrpc/auth.h $(SRCTOP)/include/gssrpc/auth_gss.h \
- $(SRCTOP)/include/gssrpc/auth_unix.h $(SRCTOP)/include/gssrpc/clnt.h \
- $(SRCTOP)/include/gssrpc/rename.h $(SRCTOP)/include/gssrpc/rpc.h \
- $(SRCTOP)/include/gssrpc/rpc_msg.h $(SRCTOP)/include/gssrpc/svc.h \
- $(SRCTOP)/include/gssrpc/svc_auth.h $(SRCTOP)/include/gssrpc/xdr.h \
- $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
- $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
- $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
- $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
- $(SRCTOP)/include/kerberosIV/des.h $(SRCTOP)/include/kerberosIV/krb.h \
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h krb524d.c krb524d.h
diff --git a/src/krb524/README b/src/krb524/README
deleted file mode 100644
index dd7ca9c23..000000000
--- a/src/krb524/README
+++ /dev/null
@@ -1,154 +0,0 @@
-Copyright 1994 by OpenVision Technologies, Inc.
-
-Permission to use, copy, modify, distribute, and sell this software
-and its documentation for any purpose is hereby granted without fee,
-provided that the above copyright notice appears in all copies and
-that both that copyright notice and this permission notice appear in
-supporting documentation, and that the name of OpenVision not be used
-in advertising or publicity pertaining to distribution of the software
-without specific, written prior permission. OpenVision makes no
-representations about the suitability of this software for any
-purpose. It is provided "as is" without express or implied warranty.
-
-OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
-INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
-EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
-CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
-USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
-OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
-
-Kerberos V5 to Kerberos V4 Credentials Converting Service, ALPHA RELEASE
-========================================================================
-
-krb524 is a service that converts Kerberos V5 credentials into
-Kerberos V4 credentials suitable for use with applications that for
-whatever reason do not use V5 directly. The service consists of a
-server that has access to the secret key of the Kerberos service for
-which credentials will be converted, and a library for use by client
-programs that wish to use the server.
-
-The protocol is simple. Suppose that a client C wishes to obtain V4
-credentials for a V5 service S by using the krb524 server. The
-notation {C,S}_n represents a Vn service ticket for S for use by C.
-
-(1) C obtains V5 credentials, including a ticket {C,S}_5, for S by the
-normal V5 means.
-
-(2) C transmits {C,S}_5 to KRB524.
-
-(3) KRB524 converts {C,S}_5 into {C,S}_4.
-
-(4) KRB524 transmits {C,S}_4 to C.
-
-(5) C creates a V4 credentials strucuture from the plaintext
-information in the V5 credential and {C,S}_4.
-
-Steps (2) through (4) are encapsulated in a single function call in
-the krb524 library.
-
-An alternate conversion is provided for AFS servers that support the
-encrypted part of a krb5 ticket as an AFS token. If the krb524d is
-converting a principal whose first component is afs and if the
-encrypted part of the ticket fits in 344 bytes, then it will default
-to simply returning the encrypted part of the ticket as a token. If
-it turns out that the AFS server does not support the ticket, then
-users will get an unknown key version error and the krb524d must be
-configured to use v4 tickets for this AFS service.
-
-
-Obviously, not all V5 credentials can be completely converted to V4
-credentials, since the former is a superset of the latter. The
-precise semantics of the conversion function are still undecided.
-UTSL.
-
-Programs contained in this release
-======================================================================
-
-krb524d [-m[aster]] [-k[eytab]]
-
-The krb524 server. It accepts UDP requests on the krb524 service
-port, specified in /etc/services, or on port 4444 by default. (A
-request for an official port assignment is underway.) The -m argument
-causes krb524d to access the KDC master database directly; the -k
-argument causes krb524d to use the default keytab (and therefore only
-be able to convert tickets for services in the keytab). Only one of
--m or -k can be specified.
-
-test -remote server client service
-
-A test program that obtains a V5 credential for {client,service},
-converts it to a V4 credential, and prints out the entire contents of
-both versions. It prompts for service's secret key, which it needs to
-decrypt both tickets in order to print them out. Enter it as an eight
-digit ASCII hex number.
-
-k524init [-n] [-p principal]
-
-Convert a V5 credential into a V4 credential and store it in a V4
-ticket file. The client is 'principal', or krbtgt at the V5 ccache's
-default principal's realm if not specified. The -n argument causes
-the new ticket to be added to the existing ticket file; otherwise, the
-ticket file is initialized.
-
-Configuring krb524d AFS Conversion
-======================================================================
-
-The krb524d looks in the appdefaults section of krb5.conf for an
-application called afs_krb5 to determine whether afs principals
-support encrypted ticket parts as tokens. The following configuration
-fragment says that afs/sipb.mit.edu@ATHENA.MIT.EDU supports the new
-token format but afs@ATHENA.MIT.EDU and
-afs/athena.mit.edu@ATHENA.MIT.EDU do not. Note that the default is to
-assume afs servers support the new format.
-
-[appdefaults]
-afs_krb5 = {
- ATHENA.MIT.EDU = {
- # This stanza describes principals in the
- #ATHENA.MIT.EDU realm
- afs = false
- afs/athena.mit.edu = false
- afs/sipb.mit.edu = true
- }
-}
-
-
-Using libkrb524.a
-======================================================================
-
-To use libkrb524.a, #include "krb524.h", link against libkrb524.a,
-call krb524_init_ets() at the beginning of your program, and call one
-of the following two functions:
-
-int krb524_convert_creds_addr(krb5_creds *v5creds, CREDENTIALS *v4creds,
- struct sockaddr *saddr)
-
-int krb524_convert_creds_kdc(krb5_creds *v5creds, CREDENTIALS *v4creds)
-
-Both convert the V5 credential in v5creds into a V4 credential in
-v4creds. One assumes krb524d is running on the KDC, the other uses an
-explicit host. You only need to specify the address for saddr; the
-port is filled in automatically.
-
-Unresolved issues / Bugs
-======================================================================
-
-o krb524d requires access to the secret key of any service to be
-converted. Should krb524d run on the KDC or on individual server
-machines? The latter is more paranoid, since it prevents bugs in
-krb524d from provided unauthorized access to the master database.
-However, it also requires the client to provide the address of the
-server to be used. The client will usually have this information
-(since presumably it will be sending the converted V4 credentials to
-the same server) but it may not be in a convenient form. It seems
-"cleaner" to have krb524d run on the KDC.
-
-o Even if krb524d uses keytabs on server machines, it needs to be more
-flexible. You only want to run one krb524d per host, so it has to be
-able to scan multiple keytabs. This might get logistically messy.
-
-o This code is of alpha quality. Bugs, omissions, memory leaks, and
-perhaps security holes still remain. Do not use it (yet) in a
-production environment.
diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c
deleted file mode 100644
index 217eb40a8..000000000
--- a/src/krb524/cnv_tkt_skey.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * Copyright 2003 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "k5-int.h" /* we need krb5_context::clockskew */
-#include <stdio.h>
-#include <sys/types.h>
-
-#ifdef _WIN32
-#include "port-sockets.h"
-#else
-#include <sys/time.h>
-#include <netinet/in.h>
-#endif
-#include <krb.h>
-#include "krb524d.h"
-
-static int krb524d_debug = 0;
-
-static int
-krb524_convert_princs(context, client, server, pname, pinst, prealm,
- sname, sinst, srealm)
- krb5_context context;
- krb5_principal client, server;
- char *pname, *pinst, *prealm, *sname, *sinst, *srealm;
-{
- int ret;
-
- if ((ret = krb5_524_conv_principal(context, client, pname, pinst,
- prealm)))
- return ret;
-
- return krb5_524_conv_principal(context, server, sname, sinst, srealm);
-}
-/*
- * Convert a v5 ticket for server to a v4 ticket, using service key
- * skey for both.
- */
-int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
- saddr)
- krb5_context context;
- krb5_ticket *v5tkt;
- KTEXT_ST *v4tkt;
- krb5_keyblock *v5_skey, *v4_skey;
- struct sockaddr_in *saddr;
-{
- char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
- char sname[ANAME_SZ], sinst[INST_SZ], srealm[REALM_SZ];
- krb5_enc_tkt_part *v5etkt;
- int ret, lifetime, v4endtime;
- krb5_timestamp server_time;
- struct sockaddr_in *sinp = (struct sockaddr_in *)saddr;
- krb5_address kaddr;
-
- v5tkt->enc_part2 = NULL;
- if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
- return ret;
- }
- v5etkt = v5tkt->enc_part2;
-
- if (v5etkt->transited.tr_contents.length != 0) {
- /* Some intermediate realms transited -- do we accept them?
-
- Simple answer: No.
-
- More complicated answer: Check our local config file to
- see if the path is correct, and base the answer on that.
- This denies the krb4 application server any ability to do
- its own validation as krb5 servers can.
-
- Fast answer: Not right now. */
- krb5_free_enc_tkt_part(context, v5etkt);
- v5tkt->enc_part2 = NULL;
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- /* We could also encounter a case where luser@R1 gets a ticket
- for krbtgt/R3@R2, and then tries to convert it. But the
- converted ticket would be one the v4 KDC code should reject
- anyways. So we don't need to worry about it here. */
-
- if ((ret = krb524_convert_princs(context, v5etkt->client, v5tkt->server,
- pname, pinst, prealm, sname,
- sinst, srealm))) {
- krb5_free_enc_tkt_part(context, v5etkt);
- v5tkt->enc_part2 = NULL;
- return ret;
- }
- if ((v5etkt->session->enctype != ENCTYPE_DES_CBC_CRC &&
- v5etkt->session->enctype != ENCTYPE_DES_CBC_MD4 &&
- v5etkt->session->enctype != ENCTYPE_DES_CBC_MD5) ||
- v5etkt->session->length != sizeof(C_Block)) {
- if (krb524d_debug)
- fprintf(stderr, "v5 session keyblock type %d length %d != C_Block size %d\n",
- v5etkt->session->enctype,
- v5etkt->session->length,
- (int) sizeof(C_Block));
- krb5_free_enc_tkt_part(context, v5etkt);
- v5tkt->enc_part2 = NULL;
- return KRB524_BADKEY;
- }
-
- /* V4 has no concept of authtime or renew_till, so ignore them */
- if (v5etkt->times.starttime == 0)
- v5etkt->times.starttime = v5etkt->times.authtime;
- /* rather than apply fit an extended v5 lifetime into a v4 range,
- give out a v4 ticket with as much of the v5 lifetime is available
- "now" instead. */
- if ((ret = krb5_timeofday(context, &server_time))) {
- if (krb524d_debug)
- fprintf(stderr, "krb5_timeofday failed!\n");
- krb5_free_enc_tkt_part(context, v5etkt);
- v5tkt->enc_part2 = NULL;
- return ret;
- }
- if ((server_time + context->clockskew >= v5etkt->times.starttime)
- && (server_time - context->clockskew <= v5etkt->times.endtime)) {
- lifetime = krb_time_to_life(server_time, v5etkt->times.endtime);
- v4endtime = krb_life_to_time(server_time, lifetime);
- /*
- * Adjust start time backwards if the lifetime value
- * returned by krb_time_to_life() maps to a longer lifetime
- * than that of the original krb5 ticket.
- */
- if (v4endtime > v5etkt->times.endtime)
- server_time -= v4endtime - v5etkt->times.endtime;
- } else {
- if (krb524d_debug)
- fprintf(stderr, "v5 ticket time out of bounds\n");
- krb5_free_enc_tkt_part(context, v5etkt);
- v5tkt->enc_part2 = NULL;
- if (server_time+context->clockskew < v5etkt->times.starttime)
- return KRB5KRB_AP_ERR_TKT_NYV;
- else if (server_time-context->clockskew > v5etkt->times.endtime)
- return KRB5KRB_AP_ERR_TKT_EXPIRED;
- else /* shouldn't happen, but just in case... */
- return KRB5KRB_AP_ERR_TKT_NYV;
- }
-
- kaddr.addrtype = ADDRTYPE_INET;
- kaddr.length = sizeof(sinp->sin_addr);
- kaddr.contents = (krb5_octet *)&sinp->sin_addr;
-
- if (!krb5_address_search(context, &kaddr, v5etkt->caddrs)) {
- if (krb524d_debug)
- fprintf(stderr, "Invalid v5creds address information.\n");
- krb5_free_enc_tkt_part(context, v5etkt);
- v5tkt->enc_part2 = NULL;
- return KRB524_BADADDR;
- }
-
- if (krb524d_debug)
- printf("startime = %ld, authtime = %ld, lifetime = %ld\n",
- (long) v5etkt->times.starttime,
- (long) v5etkt->times.authtime,
- (long) lifetime);
-
- /* XXX are there V5 flags we should map to V4 equivalents? */
- if (v4_skey->enctype == ENCTYPE_DES_CBC_CRC) {
- ret = krb_create_ticket(v4tkt,
- 0, /* flags */
- pname,
- pinst,
- prealm,
- sinp->sin_addr.s_addr,
- (char *) v5etkt->session->contents,
- lifetime,
- /* issue_data */
- server_time,
- sname,
- sinst,
- v4_skey->contents);
- }
- else abort();
- krb5_free_enc_tkt_part(context, v5etkt);
- v5tkt->enc_part2 = NULL;
- if (ret == KSUCCESS)
- return 0;
- else
- return KRB524_V4ERR;
-}
diff --git a/src/krb524/k524init.M b/src/krb524/k524init.M
deleted file mode 100644
index f480767a0..000000000
--- a/src/krb524/k524init.M
+++ /dev/null
@@ -1,47 +0,0 @@
-.\" krb524/k524init.M
-.\"
-.\" Copyright 2005 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KRB524INIT 1
-.SH NAME
-krb524init \- Obtain Kerberos V4 tickets from Kerberos V5 tickets
-.SH SYNOPSIS
-\fBkrb524init\fP [\fB\-n\fP] [\fB\-p\fP \fIprincipal\fP]
-.SH DESCRIPTION
-.I krb524init
-converts a V5 credential to a V4 credential by querying a remote krb524d
-server and stores it in a V4 ticket cache. The credential is
-.I principal
-or "krbtgt" at the V5 ticket cache's default principal's realm if not
-specified.
-.SH OPTIONS
-.TP
-.B \-n
-By default, the V4 ticket cache is initialized. If this option is given,
-the converted credential is instead added to the existing ticket cache.
-.TP
-\fB\-p\fP \fIprincipal\fP
-Convert
-.I principal
-rather than krbtgt.
-.SH SEE ALSO
-kinit(1), krb524d(8)
diff --git a/src/krb524/k524init.c b/src/krb524/k524init.c
deleted file mode 100644
index c611b2e5c..000000000
--- a/src/krb524/k524init.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "autoconf.h"
-#include "k5-int.h" /* for data_eq */
-#include <krb5.h>
-#include "com_err.h"
-
-#include <stdio.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <string.h>
-#include <signal.h>
-#include <sys/types.h>
-#ifndef _WIN32
-#include <sys/time.h>
-#include <sys/signal.h>
-#include <netinet/in.h>
-#endif
-
-#include <krb.h>
-
-extern int optind;
-extern char *optarg;
-char *prog = "k524init";
-
-int main(argc, argv)
- int argc;
- char **argv;
-{
- krb5_principal client, server;
- krb5_ccache cc;
- krb5_creds increds, *v5creds;
- CREDENTIALS v4creds;
- int code;
- int option;
- char *princ = NULL;
- int nodelete = 0;
- int lose = 0;
- krb5_context context;
- krb5_error_code retval;
-
- if (argv[0]) {
- prog = strrchr (argv[0], '/');
- if (prog)
- prog++;
- else
- prog = argv[0];
- }
-
- retval = krb5_init_context(&context);
- if (retval) {
- com_err(prog, retval, "while initializing krb5");
- exit(1);
- }
-
- while(((option = getopt(argc, argv, "p:n")) != -1)) {
- switch(option) {
- case 'p':
- princ = optarg;
- break;
- case 'n':
- nodelete++;
- break;
- default:
- lose++;
- break;
- }
- }
-
- if (lose || (argc - optind > 1)) {
- fprintf(stderr, "Usage: %s [-p principal] [-n]\n", prog);
- exit(1);
- }
-
- if ((code = krb5_cc_default(context, &cc))) {
- com_err(prog, code, "opening default credentials cache");
- exit(1);
- }
-
- if ((code = krb5_cc_get_principal(context, cc, &client))) {
- com_err(prog, code, "while retrieving user principal name");
- exit(1);
- }
-
- if (princ) {
- if ((code = krb5_parse_name(context, princ, &server))) {
- com_err(prog, code, "while parsing service principal name");
- exit(1);
- }
- } else {
- if ((code = krb5_build_principal(context, &server,
- krb5_princ_realm(context, client)->length,
- krb5_princ_realm(context, client)->data,
- "krbtgt",
- krb5_princ_realm(context, client)->data,
- NULL))) {
- com_err(prog, code, "while creating service principal name");
- exit(1);
- }
- }
-
- if (!nodelete) {
- krb5_data *crealm = krb5_princ_realm (context, client);
- krb5_data *srealm = krb5_princ_realm (context, server);
- if (!data_eq(*crealm, *srealm)) {
- /* Since krb4 ticket files don't store the realm name
- separately, and the client realm is assumed to be the
- realm of the first ticket, let's not store an initial
- ticket with the wrong realm name, since it'll confuse
- other programs. */
- fprintf (stderr,
- "%s: Client and server principals' realm names are different;\n"
- "\tbecause of limitations in the krb4 ticket file implementation,\n"
- "\tthis doesn't work for an initial ticket. Try `%s -n'\n"
- "\tif you already have other krb4 tickets, or convert the\n"
- "\tticket-granting ticket from your home realm.\n",
- prog, prog);
- exit (1);
- }
- }
-
- memset((char *) &increds, 0, sizeof(increds));
- increds.client = client;
- increds.server = server;
- increds.times.endtime = 0;
- increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- if ((code = krb5_get_credentials(context, 0, cc, &increds, &v5creds))) {
- com_err(prog, code, "getting V5 credentials");
- exit(1);
- }
-
- if ((code = krb5_524_convert_creds(context, v5creds, &v4creds))) {
- com_err(prog, code, "converting to V4 credentials");
- exit(1);
- }
-
- /* this is stolen from the v4 kinit */
-
- if (!nodelete) {
- /* initialize ticket cache */
- code = krb_in_tkt(v4creds.pname,v4creds.pinst,v4creds.realm);
- if (code != KSUCCESS) {
- fprintf (stderr, "%s: %s trying to create the V4 ticket file",
- prog, krb_get_err_text (code));
- exit(1);
- }
- }
-
- /* stash ticket, session key, etc. for future use */
- /* This routine does *NOT* return one of the usual com_err codes. */
- if ((code = krb_save_credentials(v4creds.service, v4creds.instance,
- v4creds.realm, v4creds.session,
- v4creds.lifetime, v4creds.kvno,
- &(v4creds.ticket_st),
- v4creds.issue_date))) {
- fprintf (stderr, "%s: %s trying to save the V4 ticket\n",
- prog, krb_get_err_text (code));
- exit(1);
- }
-
- exit(0);
-}
diff --git a/src/krb524/krb524.c b/src/krb524/krb524.c
deleted file mode 100644
index 1eff72f00..000000000
--- a/src/krb524/krb524.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2003 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#ifdef _WIN32
-#include "krb5.h"
-
-#ifdef krb524_convert_creds_kdc
-#undef krb524_convert_creds_kdc
-#endif
-#ifdef krb524_init_ets
-#undef krb524_init_ets
-#endif
-
-int KRB5_CALLCONV_WRONG
-krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds, struct credentials *v4creds)
-{
- return(krb5_524_convert_creds(context,v5creds,v4creds));
-}
-
-void KRB5_CALLCONV_WRONG
-krb524_init_ets(krb5_context context)
-{
- /* no-op */
-}
-#endif /* _WIN32 */
diff --git a/src/krb524/krb524.def b/src/krb524/krb524.def
deleted file mode 100644
index 67d205045..000000000
--- a/src/krb524/krb524.def
+++ /dev/null
@@ -1,13 +0,0 @@
-;----------------------------------------------------
-; KRB524.DEF - KRB524.DLL module definition file
-;----------------------------------------------------
-
-; ****************************************************************************
-; Do not add any function to this file until you make sure the calling
-; convention for the exported function is KRB5_CALLCONV
-; ****************************************************************************
-
-
-EXPORTS
- krb524_convert_creds_kdc @1
- krb524_init_ets @2
diff --git a/src/krb524/krb524_prot b/src/krb524/krb524_prot
deleted file mode 100644
index f83854d77..000000000
--- a/src/krb524/krb524_prot
+++ /dev/null
@@ -1,11 +0,0 @@
-Protocol:
-
- -> ASN.1 encoded V5 ticket
- <- int status_code, [int kvno, encode_v4tkt encoded KTEXT_ST]
-
-kvno and V4 ticket are only included if status_code is zero.
-
-The kvno for the converted ticket is sent explicitly because the field
-is ASN.1 encoded in the krb5_creds structure; the client would have to
-decode (but not decrypt) the entire krb5_ticket structure to get it,
-which would be inefficient.
diff --git a/src/krb524/krb524d.M b/src/krb524/krb524d.M
deleted file mode 100644
index dee00cf81..000000000
--- a/src/krb524/krb524d.M
+++ /dev/null
@@ -1,74 +0,0 @@
-.\" krb524/krb524d.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\" "
-.TH KRB524D 8
-.SH NAME
-krb524d \- Version 5 to Version 4 Credentials Conversion Daemon
-.SH SYNOPSIS
-.B krb524d
-[
-.B \-m[aster]
-|
-.B \-k[eytab]
-] [
-.B \-r
-.I realm
-] [
-.B \-nofork
-] [
-.B \-p
-.I portnum
-]
-.br
-.SH DESCRIPTION
-.I krb524d
-is the Kerberos Version 5 to Version 4 Credentials Conversion daemon.
-It works in conjuction with a krb5kdc to allow clients to acquire Kerberos
-version 4 tickets from Kerberos version 5 tickets without specifying a password.
-.SH OPTIONS
-.TP
-\fB\-m[aster]\fP
-Use the KDC database to convert credentials. This option cannot be combined with
-\fB\-k[eytab]\fP.
-.TP
-\fB\-k[eytab]\fP
-Use the default keytab to convert credentials. This option cannot be combined with
-\fB\-m[aster]\fP.
-.TP
-\fB\-r\fP \fIrealm\fP
-Convert credentials for \fIrealm\fP; by default the realm returned by
-.IR krb5_default_local_realm (3)
-is used.
-.TP
-\fB\-nofork\fP
-specifies that krb524d not fork on launch. Useful for debugging purposes.
-.TP
-\fB\-p\fP \fIportnum\fP
-specifies the default UDP port number which krb524d should listen on for
-Kerberos 524 requests. This value is used when no port is specified in
-the KDC profile and when no port is specified in the Kerberos configuration
-file.
-If no value is available, then the value in /etc/services for service
-"krb524" is used.
-.SH SEE ALSO
-kerberos(1), krb5kdc(8), kdb5_util(8), kdc.conf(5)
diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c
deleted file mode 100644
index 202cda920..000000000
--- a/src/krb524/krb524d.c
+++ /dev/null
@@ -1,637 +0,0 @@
-/*
- * Copyright (C) 2002, 2007, 2008 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <k5-int.h>
-#include <kadm5/admin.h>
-#include <adm_proto.h>
-#include <com_err.h>
-#include <stdarg.h>
-
-#include <assert.h>
-#include <stdio.h>
-#ifdef HAVE_SYS_SELECT_H
-#include <sys/select.h>
-#endif
-#include <string.h>
-#include <signal.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/signal.h>
-#include <netinet/in.h>
-
-#include <krb.h>
-#include "krb524d.h"
-
-#if defined(NEED_DAEMON_PROTO)
-extern int daemon(int, int);
-#endif
-
-#define TIMEOUT 60
-#define TKT_BUFSIZ 2048
-#define MSGSIZE 8192
-
-char *whoami;
-int signalled = 0;
-static int debug = 0;
-void *handle = NULL;
-
-int use_keytab, use_master;
-int allow_v4_crossrealm = 0;
-char *keytab = NULL;
-krb5_keytab kt;
-
-void init_keytab(krb5_context),
- init_master(krb5_context, kadm5_config_params *),
- cleanup_and_exit(int, krb5_context);
-krb5_error_code do_connection(int, krb5_context);
-krb5_error_code lookup_service_key(krb5_context, krb5_principal,
- krb5_enctype, krb5_kvno,
- krb5_keyblock *, krb5_kvno *);
-krb5_error_code kdc_get_server_key(krb5_context, krb5_principal,
- krb5_keyblock *, krb5_kvno *,
- krb5_enctype, krb5_kvno);
-
-static krb5_error_code
-handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt,
- struct sockaddr_in *saddr,
- krb5_data *tktdata, krb5_kvno *v4kvno);
-static krb5_error_code
-afs_return_v4(krb5_context, const krb5_principal , int *use_v5);
-
-static void usage(context)
- krb5_context context;
-{
- fprintf(stderr, "Usage: %s [-k[eytab]] [-m[aster] [-r realm]] [-nofork] [-p portnum]\n", whoami);
- cleanup_and_exit(1, context);
-}
-
-static RETSIGTYPE request_exit(signo)
- int signo;
-{
- signalled = 1;
-}
-
-int (*encode_v4tkt)(KTEXT, char *, unsigned int *) = 0;
-
-int main(argc, argv)
- int argc;
- char **argv;
-{
- struct servent *serv;
- struct sockaddr_in saddr;
- struct timeval timeout;
- int ret, s, nofork;
- fd_set rfds;
- krb5_context context;
- krb5_error_code retval;
- kadm5_config_params config_params;
- unsigned long port = 0;
-
- whoami = ((whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0]);
-
- retval = krb5int_init_context_kdc(&context);
- if (retval) {
- com_err(whoami, retval, "while initializing krb5");
- exit(1);
- }
-
- {
- krb5int_access k5int;
- retval = krb5int_accessor(&k5int, KRB5INT_ACCESS_VERSION);
- if (retval != 0) {
- com_err(whoami, retval,
- "while accessing krb5 library internal support");
- exit(1);
- }
- encode_v4tkt = k5int.krb524_encode_v4tkt;
- if (encode_v4tkt == NULL) {
- com_err(whoami, 0,
- "krb4 support disabled in krb5 support library");
- exit(1);
- }
- }
-
- argv++; argc--;
- use_master = use_keytab = nofork = 0;
- config_params.mask = 0;
-
- while (argc) {
- if (strncmp(*argv, "-X", 2) == 0) {
- allow_v4_crossrealm = 1;
- }
- else if (strncmp(*argv, "-k", 2) == 0)
- use_keytab = 1;
- else if (strncmp(*argv, "-m", 2) == 0)
- use_master = 1;
- else if (strcmp(*argv, "-nofork") == 0)
- nofork = 1;
- else if (strcmp(*argv, "-r") == 0) {
- argv++; argc--;
- if (argc == 0 || !use_master)
- usage(context);
- config_params.mask |= KADM5_CONFIG_REALM;
- config_params.realm = *argv;
- }
- else if (strcmp(*argv, "-p") == 0) {
- char *endptr = 0;
- argv++; argc--;
- if (argc == 0)
- usage (context);
- if (port != 0) {
- com_err (whoami, 0,
- "port number may only be specified once");
- exit (1);
- }
- port = strtoul (*argv, &endptr, 0);
- if (*endptr != '\0' || port > 65535 || port == 0) {
- com_err (whoami, 0,
- "invalid port number %s, must be 1..65535\n",
- *argv);
- exit (1);
- }
- }
- else
- break;
- argv++; argc--;
- }
- if (argc || use_keytab + use_master > 1 ||
- use_keytab + use_master == 0) {
- use_keytab = use_master = 0;
- usage(context);
- }
-
- signal(SIGINT, request_exit);
- signal(SIGHUP, SIG_IGN);
- signal(SIGTERM, request_exit);
-
- krb5_klog_init(context, "krb524d", whoami, !nofork);
-
- if (use_keytab)
- init_keytab(context);
- if (use_master)
- init_master(context, &config_params);
-
- memset((char *) &saddr, 0, sizeof(struct sockaddr_in));
- saddr.sin_family = AF_INET;
- saddr.sin_addr.s_addr = INADDR_ANY;
- if (port == 0) {
- serv = getservbyname(KRB524_SERVICE, "udp");
- if (serv == NULL) {
- com_err(whoami, 0, "service entry `%s' not found, using %d",
- KRB524_SERVICE, KRB524_PORT);
- saddr.sin_port = htons(KRB524_PORT);
- } else
- saddr.sin_port = serv->s_port;
- } else
- saddr.sin_port = htons(port);
-
- if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
- com_err(whoami, errno, "creating main socket");
- cleanup_and_exit(1, context);
- }
- set_cloexec_fd(s);
- if ((ret = bind(s, (struct sockaddr *) &saddr,
- sizeof(struct sockaddr_in))) < 0) {
- com_err(whoami, errno, "binding main socket");
- cleanup_and_exit(1, context);
- }
- if (!nofork && daemon(0, 0)) {
- com_err(whoami, errno, "while detaching from tty");
- cleanup_and_exit(1, context);
- }
-
- while (1) {
- FD_ZERO(&rfds);
- FD_SET(s, &rfds);
- timeout.tv_sec = TIMEOUT;
- timeout.tv_usec = 0;
-
- ret = select(s+1, &rfds, NULL, NULL, &timeout);
- if (signalled)
- cleanup_and_exit(0, context);
- else if (ret == 0) {
- if (use_master) {
- ret = kadm5_flush(handle);
- if (ret && ret != KRB5_KDB_DBNOTINITED) {
- com_err(whoami, ret, "closing kerberos database");
- cleanup_and_exit(1, context);
- }
- }
- } else if (ret < 0 && errno != EINTR) {
- com_err(whoami, errno, "in select");
- cleanup_and_exit(1, context);
- } else if (FD_ISSET(s, &rfds)) {
- if (debug)
- printf("received packet\n");
- if ((ret = do_connection(s, context))) {
- com_err(whoami, ret, "handling packet");
- }
- } else
- com_err(whoami, 0, "impossible situation occurred!");
- }
-
- cleanup_and_exit(0, context);
-}
-
-void cleanup_and_exit(ret, context)
- int ret;
- krb5_context context;
-{
- if (use_master && handle) {
- (void) kadm5_destroy(handle);
- }
- if (use_keytab && kt) krb5_kt_close(context, kt);
- krb5_klog_close(context);
- krb5_free_context(context);
- exit(ret);
-}
-
-void init_keytab(context)
- krb5_context context;
-{
- int ret;
- use_keytab = 0;
- if (keytab == NULL) {
- if ((ret = krb5_kt_default(context, &kt))) {
- com_err(whoami, ret, "while opening default keytab");
- cleanup_and_exit(1, context);
- }
- } else {
- if ((ret = krb5_kt_resolve(context, keytab, &kt))) {
- com_err(whoami, ret, "while resolving keytab %s",
- keytab);
- cleanup_and_exit(1, context);
- }
- }
- use_keytab = 1; /* now safe to close keytab */
-}
-
-void init_master(context, params)
- krb5_context context;
- kadm5_config_params *params;
-{
- int ret;
-
- use_master = 0;
- if ((ret = kadm5_init(whoami, NULL, KADM5_ADMIN_SERVICE, params,
- KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, NULL,
- &handle))) {
- com_err(whoami, ret, "initializing kadm5 library");
- cleanup_and_exit(1, context);
- }
- use_master = 1; /* now safe to close kadm5 */
-}
-
-krb5_error_code do_connection(s, context)
- int s;
- krb5_context context;
-{
- struct sockaddr saddr;
- krb5_ticket *v5tkt = 0;
- krb5_data msgdata, tktdata;
- char msgbuf[MSGSIZE], tktbuf[TKT_BUFSIZ], *p;
- int ret;
- socklen_t saddrlen;
- krb5_int32 n; /* Must be 4 bytes */
- krb5_kvno v4kvno;
-
- msgdata.data = msgbuf;
- msgdata.length = MSGSIZE;
- tktdata.data = tktbuf;
- tktdata.length = TKT_BUFSIZ;
- saddrlen = sizeof(struct sockaddr);
- ret = recvfrom(s, msgdata.data, (int) msgdata.length, 0, &saddr, &saddrlen);
- if (ret < 0) {
- /* if recvfrom fails, we probably don't have a valid saddr to
- use for the reply, so don't even try to respond. */
- return errno;
- }
- if (debug)
- printf("message received\n");
-
- if ((ret = decode_krb5_ticket(&msgdata, &v5tkt))) {
- switch (ret) {
- case KRB5KDC_ERR_BAD_PVNO:
- case ASN1_MISPLACED_FIELD:
- case ASN1_MISSING_FIELD:
- case ASN1_BAD_ID:
- case KRB5_BADMSGTYPE:
- /* don't even answer parse errors */
- return ret;
- break;
- default:
- /* try and recognize our own error packet */
- if (msgdata.length == sizeof(krb5_int32))
- return KRB5_BADMSGTYPE;
- else
- goto error;
- }
- }
- if (debug)
- printf("V5 ticket decoded\n");
-
- if (krb5_princ_size(context, v5tkt->server) >= 1
- && krb5_princ_component(context, v5tkt->server, 0)->length == 3
- && strncmp(krb5_princ_component(context, v5tkt->server, 0)->data,
- "afs", 3) == 0) {
- krb5_data *enc_part;
- int use_v5;
- if ((ret = afs_return_v4(context, v5tkt->server,
- &use_v5)) != 0)
- goto error;
- if ((ret = encode_krb5_enc_data(&v5tkt->enc_part, &enc_part)) != 0)
- goto error;
- if (!(use_v5)|| enc_part->length >= 344) {
- krb5_free_data(context, enc_part);
- if ((ret = handle_classic_v4(context, v5tkt,
- (struct sockaddr_in *) &saddr, &tktdata,
- &v4kvno)) != 0)
- goto error;
- } else {
- KTEXT_ST fake_v4tkt;
- memset(&fake_v4tkt, 0x11, sizeof(fake_v4tkt));
- fake_v4tkt.mbz = 0;
- fake_v4tkt.length = enc_part->length;
- memcpy(fake_v4tkt.dat, enc_part->data, enc_part->length);
- v4kvno = (0x100-0x2b); /*protocol constant indicating v5
- * enc part only*/
- krb5_free_data(context, enc_part);
- ret = encode_v4tkt(&fake_v4tkt, tktdata.data, &tktdata.length);
- }
- } else {
- if ((ret = handle_classic_v4(context, v5tkt,
- (struct sockaddr_in *) &saddr, &tktdata,
- &v4kvno)) != 0)
- goto error;
- }
-
-error:
- /* create the reply */
- p = msgdata.data;
- msgdata.length = 0;
-
- n = htonl(ret);
- memcpy(p, (char *) &n, sizeof(krb5_int32));
- p += sizeof(krb5_int32);
- msgdata.length += sizeof(krb5_int32);
-
- if (ret)
- goto write_msg;
-
- n = htonl(v4kvno);
- memcpy(p, (char *) &n, sizeof(krb5_int32));
- p += sizeof(krb5_int32);
- msgdata.length += sizeof(krb5_int32);
-
- memcpy(p, tktdata.data, tktdata.length);
- p += tktdata.length;
- msgdata.length += tktdata.length;
-
-write_msg:
- if (ret)
- (void) sendto(s, msgdata.data, (int) msgdata.length, 0, &saddr, saddrlen);
- else
- if (sendto(s, msgdata.data, msgdata.length, 0, &saddr, saddrlen)<0)
- ret = errno;
- if (debug)
- printf("reply written\n");
- if (v5tkt)
- krb5_free_ticket(context, v5tkt);
-
-
- return ret;
-}
-
-krb5_error_code lookup_service_key(context, p, ktype, kvno, key, kvnop)
- krb5_context context;
- krb5_principal p;
- krb5_enctype ktype;
- krb5_kvno kvno;
- krb5_keyblock *key;
- krb5_kvno *kvnop;
-{
- int ret;
- krb5_keytab_entry entry;
-
- if (use_keytab) {
- if ((ret = krb5_kt_get_entry(context, kt, p, kvno, ktype, &entry)))
- return ret;
- *key = entry.key;
- key->contents = malloc(key->length);
- if (key->contents)
- memcpy(key->contents, entry.key.contents, key->length);
- else if (key->length) {
- /* out of memory? */
- ret = ENOMEM;
- memset (key, 0, sizeof (*key));
- return ret;
- }
-
- krb5_kt_free_entry(context, &entry);
- return 0;
- } else if (use_master) {
- return kdc_get_server_key(context, p, key, kvnop, ktype, kvno);
- }
- return 0;
-}
-
-krb5_error_code kdc_get_server_key(context, service, key, kvnop, ktype, kvno)
- krb5_context context;
- krb5_principal service;
- krb5_keyblock *key;
- krb5_kvno *kvnop;
- krb5_enctype ktype;
- krb5_kvno kvno;
-{
- krb5_error_code ret;
- kadm5_principal_ent_rec server;
-
- if ((ret = kadm5_get_principal(handle, service, &server,
- KADM5_KEY_DATA|KADM5_ATTRIBUTES)))
- return ret;
-
- if (server.attributes & KRB5_KDB_DISALLOW_ALL_TIX
- || server.attributes & KRB5_KDB_DISALLOW_SVR) {
- kadm5_free_principal_ent(handle, &server);
- return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- }
-
- /*
- * We try kadm5_decrypt_key twice because in the case of a
- * ENCTYPE_DES_CBC_CRC key, we prefer to find a krb4 salt type
- * over a normal key. Note this may create a problem if the
- * server key is passworded and has both a normal and v4 salt.
- * There is no good solution to this.
- */
- if ((ret = kadm5_decrypt_key(handle,
- &server,
- ktype,
- (ktype == ENCTYPE_DES_CBC_CRC) ?
- KRB5_KDB_SALTTYPE_V4 : -1,
- kvno,
- key, NULL, kvnop)) &&
- (ret = kadm5_decrypt_key(handle,
- &server,
- ktype,
- -1,
- kvno,
- key, NULL, kvnop))) {
- kadm5_free_principal_ent(handle, &server);
- return (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
- }
-
- kadm5_free_principal_ent(handle, &server);
- return ret;
-}
-
-/*
- * We support two kinds of v4 credentials. There are real v4
- * credentials, and a Kerberos v5 enc part masquerading as a krb4
- * credential to be used by modern AFS implementations; this function
- * handles the classic v4 case.
- */
-
-static krb5_error_code
-handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt,
- struct sockaddr_in *saddr,
- krb5_data *tktdata, krb5_kvno *v4kvno)
-{
- krb5_error_code ret;
- krb5_keyblock v5_service_key, v4_service_key;
- KTEXT_ST v4tkt;
-
- v5_service_key.contents = NULL;
- v4_service_key.contents = NULL;
-
- if ((ret = lookup_service_key(context, v5tkt->server,
- v5tkt->enc_part.enctype,
- v5tkt->enc_part.kvno,
- &v5_service_key, NULL)))
- goto error;
-
- if ((ret = lookup_service_key(context, v5tkt->server,
- ENCTYPE_DES_CBC_CRC,
- 0,
- &v4_service_key, v4kvno)))
- goto error;
-
- if (debug)
- printf("service key retrieved\n");
- if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt))) {
- goto error;
- }
-
- if (!(allow_v4_crossrealm || krb5_realm_compare(context, v5tkt->server,
- v5tkt->enc_part2->client))) {
- ret = KRB5KDC_ERR_POLICY;
- goto error;
- }
- krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
- v5tkt->enc_part2= NULL;
-
- memset(&v4tkt, 0x33, sizeof(v4tkt));
- ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
- &v4_service_key,
- (struct sockaddr_in *)saddr);
- if (ret)
- goto error;
-
- if (debug)
- printf("credentials converted\n");
-
- ret = encode_v4tkt(&v4tkt, tktdata->data, &tktdata->length);
- if (ret)
- goto error;
- if (debug)
- printf("v4 credentials encoded\n");
-
-error:
- if (v5tkt->enc_part2) {
- krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
- v5tkt->enc_part2 = NULL;
- }
-
- if (v5_service_key.contents)
- krb5_free_keyblock_contents(context, &v5_service_key);
- if (v4_service_key.contents)
- krb5_free_keyblock_contents(context, &v4_service_key);
- return ret;
-}
-
-/*
- * afs_return_v4: a predicate to determine whether we want to try
- * using the afs krb5 encrypted part encoding or whether we just
- * return krb4. Takes a principal, and checks the configuration file.
- */
-static krb5_error_code
-afs_return_v4 (krb5_context context, const krb5_principal princ,
- int *use_v5)
-{
- krb5_error_code ret;
- char *unparsed_name;
- char *cp;
- krb5_data realm;
- assert(use_v5 != NULL);
- ret = krb5_unparse_name(context, princ, &unparsed_name);
- if (ret != 0)
- return ret;
-/* Trim out trailing realm component into separate string.*/
- for (cp = unparsed_name; *cp != '\0'; cp++) {
- if (*cp == '\\') {
- cp++; /* We trust unparse_name not to leave a singleton
- * backslash*/
- continue;
- }
- if (*cp == '@') {
- *cp = '\0';
- realm.data = cp+1;
- realm.length = strlen((char *) realm.data);
- break;
- }
- }
- krb5_appdefault_boolean(context, "afs_krb5",
- &realm, unparsed_name, 1,
- use_v5);
- krb5_free_unparsed_name(context, unparsed_name);
- return ret;
-}
diff --git a/src/krb524/krb524d.h b/src/krb524/krb524d.h
deleted file mode 100644
index b40e3aec5..000000000
--- a/src/krb524/krb524d.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef KRB524INT_H
-#define KRB524INT_H
-
-#include "port-sockets.h"
-#include "kerberosIV/krb.h"
-
-#ifndef KRB524INT_BEGIN_DECLS
-#ifdef __cplusplus
-#define KRB524INT_BEGIN_DECLS extern "C" {
-#define KRB524INT_END_DECLS }
-#else
-#define KRB524INT_BEGIN_DECLS
-#define KRB524INT_END_DECLS
-#endif
-#endif
-
-KRB524INT_BEGIN_DECLS
-
-int krb524_convert_tkt_skey
- (krb5_context context, krb5_ticket *v5tkt, KTEXT_ST *v4tkt,
- krb5_keyblock *v5_skey, krb5_keyblock *v4_skey,
- struct sockaddr_in *saddr);
-
-KRB524INT_END_DECLS
-
-#endif /* KRB524INT_H */
diff --git a/src/krb524/libinit.c b/src/krb524/libinit.c
deleted file mode 100644
index 22aeea9f8..000000000
--- a/src/krb524/libinit.c
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifdef _WIN32
-#include <windows.h>
-
-BOOL
-WINAPI
-DllMain(
- HANDLE hModule,
- DWORD fdwReason,
- LPVOID lpReserved
- )
-{
- switch (fdwReason)
- {
- case DLL_PROCESS_ATTACH:
- break;
- case DLL_THREAD_ATTACH:
- break;
- case DLL_THREAD_DETACH:
- break;
- case DLL_PROCESS_DETACH:
- break;
- default:
- return FALSE;
- }
- return TRUE;
-}
-#endif
diff --git a/src/krb524/test.c b/src/krb524/test.c
deleted file mode 100644
index d0cb92181..000000000
--- a/src/krb524/test.c
+++ /dev/null
@@ -1,353 +0,0 @@
-/*
- * Copyright 1994 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "k5-int.h"
-
-#include <stdio.h>
-#include <time.h>
-#include <sys/types.h>
-
-#ifndef _WIN32
-#include <netinet/in.h>
-#endif
-
-#include <des.h>
-#include <krb.h>
-#include "com_err.h"
-
-#define KEYSIZE 8
-#define CRED_BUFSIZ 2048
-
-#define krb5_print_addrs
-
-void do_local (krb5_creds *, krb5_keyblock *),
- do_remote (krb5_context, krb5_creds *, char *, krb5_keyblock *);
-
-static
-void print_key(msg, key)
- char *msg;
- des_cblock *key;
-{
- printf("%s: ", msg);
- C_Block_print(key);
- printf("\n");
-}
-
-static
-void print_time(msg, t)
- char *msg;
- int t;
-{
- printf("%s: %d, %s", msg, t, ctime((time_t *) &t));
-}
-
-static
-void krb5_print_times(msg, t)
- char *msg;
- krb5_ticket_times *t;
-{
- printf("%s: Start: %d, %s", msg, t->starttime,
- ctime((time_t *) &t->starttime));
- printf("%s: End: %d, %s", msg, t->endtime,
- ctime((time_t *) &t->endtime));
- printf("%s: Auth: %d, %s", msg, t->authtime,
- ctime((time_t *) &t->authtime));
- printf("%s: Renew: %d, %s", msg, t->renew_till,
- ctime((time_t *) &t->renew_till));
-}
-
-static
-void krb5_print_keyblock(msg, key)
- char *msg;
- krb5_keyblock *key;
-{
- printf("%s: Keytype: %d\n", msg, key->enctype);
- printf("%s: Length: %d\n", msg, key->length);
- printf("%s: Key: ", msg);
- C_Block_print((des_cblock *) key->contents);
- printf("\n");
-}
-
-static
-void krb5_print_ticket(context, ticket_data, key)
- krb5_context context;
- krb5_data *ticket_data;
- krb5_keyblock *key;
-{
- char *p;
- krb5_ticket *tkt;
- int ret;
-
- if ((ret = decode_krb5_ticket(ticket_data, &tkt))) {
- com_err("test", ret, "decoding ticket");
- exit(1);
- }
- if ((ret = krb5_decrypt_tkt_part(context, key, tkt))) {
- com_err("test", ret, "decrypting V5 ticket for print");
- exit(1);
- }
-
- krb5_unparse_name(context, tkt->server, &p);
- printf("Ticket: Server: %s\n", p);
- free(p);
- printf("Ticket: kvno: %d\n", tkt->enc_part.kvno);
- printf("Ticket: Flags: 0x%08x\n", tkt->enc_part2->flags);
- krb5_print_keyblock("Ticket: Session Keyblock",
- tkt->enc_part2->session);
- krb5_unparse_name(context, tkt->enc_part2->client, &p);
- printf("Ticket: Client: %s\n", p);
- free(p);
- krb5_print_times("Ticket: Times", &tkt->enc_part2->times);
- printf("Ticket: Address 0: %08lx\n",
- *((unsigned long *) tkt->enc_part2->caddrs[0]->contents));
-
- krb5_free_ticket(context, tkt);
-}
-
-static
-void krb5_print_creds(context, creds, secret_key)
- krb5_context context;
- krb5_creds *creds;
- krb5_keyblock *secret_key;
-{
- char *p;
-
- krb5_unparse_name(context, creds->client, &p);
- printf("Client: %s\n", p);
- free(p);
- krb5_unparse_name(context, creds->server, &p);
- printf("Server: %s\n", p);
- free(p);
- krb5_print_keyblock("Session key", &creds->keyblock);
- krb5_print_times("Times", &creds->times);
- printf("is_skey: %s\n", creds->is_skey ? "True" : "False");
- printf("Flags: 0x%08x\n", creds->ticket_flags);
-#if 0
- krb5_print_addrs(creds->addresses);
-#endif
- krb5_print_ticket(context, &creds->ticket, secret_key);
- /* krb5_print_ticket(context, &creds->second_ticket, secret_key); */
-}
-
-static
-void krb4_print_ticket(ticket, secret_key)
- KTEXT ticket;
- krb5_keyblock *secret_key;
-{
- char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
- char sname[ANAME_SZ], sinst[INST_SZ];
- unsigned char flags;
- krb5_ui_4 addr;
- krb5_ui_4 issue_time;
- C_Block session_key;
- int life;
- Key_schedule keysched;
-
- int ret;
-
- if (des_key_sched(secret_key->contents, keysched)) {
- fprintf(stderr, "Bug in DES key somewhere.\n");
- exit(1);
- }
-
- ret = decomp_ticket(ticket, &flags, pname, pinst, prealm, &addr,
- session_key, &life, &issue_time, sname,
- sinst, secret_key->contents, keysched);
- if (ret != KSUCCESS) {
- fprintf(stderr, "krb4 decomp_ticket failed\n");
- exit(1);
- }
- printf("Ticket: Client: %s.%s@%s\n", pname, pinst, prealm);
- printf("Ticket: Service: %s.%s\n", sname, sinst);
- printf("Ticket: Address: %08lx\n", (long) addr);
- print_key("Ticket: Session Key", (char *) session_key);
- printf("Ticket: Lifetime: %d\n", life);
- printf("Ticket: Issue Date: %ld, %s", (long) issue_time,
- ctime((time_t *) &issue_time));
-}
-
-static
-void krb4_print_creds(creds, secret_key)
- CREDENTIALS *creds;
- krb5_keyblock *secret_key;
-{
- printf("Client: %s.%s@%s\n", creds->pname, creds->pinst,
- creds->realm);
- printf("Service: %s.%s@%s\n", creds->service, creds->instance,
- creds->realm);
- print_key("Session key", (char *) creds->session);
- printf("Lifetime: %d\n", creds->lifetime);
- printf("Key Version: %d\n", creds->kvno);
- print_time("Issue Date", creds->issue_date);
- krb4_print_ticket(&creds->ticket_st, secret_key);
-}
-
-static
-void usage()
-{
- fprintf(stderr, "Usage: test [-remote server] client service\n");
- exit(1);
-}
-
-int main(argc, argv)
- int argc;
- char **argv;
-{
- krb5_principal client, server;
- krb5_ccache cc;
- krb5_creds increds, *v5creds;
- krb5_keyblock key;
- char keybuf[KEYSIZE], buf[BUFSIZ];
- int i, ret, local;
- char *remote;
- krb5_context context;
- krb5_error_code retval;
-
-#if 0
- krb524_debug = 1;
-#endif
-
- retval = krb5_init_context(&context);
- if (retval) {
- com_err(argv[0], retval, "while initializing krb5");
- exit(1);
- }
-
- local = 0;
- remote = NULL;
- argc--; argv++;
- while (argc) {
- if (strcmp(*argv, "-local") == 0)
- local++;
-#if 0
- else if (strcmp(*argv, "-remote") == 0) {
- argc--; argv++;
- if (!argc)
- usage();
- remote = *argv;
- }
-#endif
- else
- break;
- argc--; argv++;
- }
- if (argc != 2)
- usage();
-
- if ((ret = krb5_parse_name(context, argv[0], &client))) {
- com_err("test", ret, "parsing client name");
- exit(1);
- }
- if ((ret = krb5_parse_name(context, argv[1], &server))) {
- com_err("test", ret, "parsing server name");
- exit(1);
- }
- if ((ret = krb5_cc_default(context, &cc))) {
- com_err("test", ret, "opening default credentials cache");
- exit(1);
- }
-
- memset((char *) &increds, 0, sizeof(increds));
- increds.client = client;
- increds.server = server;
- increds.times.endtime = 0;
- increds.keyblock.enctype = ENCTYPE_DES_CBC_MD5;
- if ((ret = krb5_get_credentials(context, 0, cc, &increds, &v5creds))) {
- com_err("test", ret, "getting V5 credentials");
- exit(1);
- }
-
- /* We need the service key in order to locally decrypt both */
- /* tickets for testing */
- printf("Service's key: ");
- fflush(stdout);
- fgets(buf, BUFSIZ, stdin);
- for (i = 0; i < 8; i++) {
- unsigned char c;
- c = buf[2*i];
- if (c >= '0' && c <= '9')
- c -= '0';
- else if (c >= 'a' && c <= 'z')
- c = c - 'a' + 0xa;
- keybuf[i] = c << 4;
- c = buf[2*i+1];
- if (c >= '0' && c <= '9')
- c -= '0';
- else if (c >= 'a' && c <= 'z')
- c = c - 'a' + 0xa;
- keybuf[i] += c;
- }
-
- key.enctype = ENCTYPE_DES_CBC_MD5;
- key.length = KEYSIZE; /* presumably */
- key.contents = (krb5_octet *) keybuf;
-
- do_remote(context, v5creds, remote, &key);
- exit(0);
-}
-
-void do_remote(context, v5creds, server, key)
- krb5_context context;
- krb5_creds *v5creds;
- char *server;
- krb5_keyblock *key;
-{
-#if 0
- struct sockaddr_in saddr;
- struct hostent *hp;
-#endif
- CREDENTIALS v4creds;
- int ret;
-
- printf("\nV5 credentials:\n");
- krb5_print_creds(context, v5creds, key);
-
-#if 0
- if (strcmp(server, "kdc") != 0) {
- hp = gethostbyname(server);
- if (hp == NULL) {
- fprintf(stderr, "test: host %s does not exist.\n", server);
- exit(1);
- }
- memset((char *) &saddr, 0, sizeof(struct sockaddr_in));
- saddr.sin_family = AF_INET;
- memcpy((char *) &saddr.sin_addr.s_addr, hp->h_addr,
- sizeof(struct in_addr));
-
- if ((ret = krb524_convert_creds_addr(context, v5creds, &v4creds,
- (struct sockaddr *) &saddr))) {
- com_err("test", ret, "converting credentials on %s",
- server);
- exit(1);
- }
- } else
-#endif
- {
- if ((ret = krb524_convert_creds_kdc(context, v5creds, &v4creds))) {
- com_err("test", ret, "converting credentials via kdc");
- exit(1);
- }
- }
-
- printf("\nV4 credentials:\n");
- krb4_print_creds(&v4creds, key);
-}