diff options
author | Adam Jackson <ajax@benzedrine.nwnk.net> | 2007-06-04 18:07:00 -0400 |
---|---|---|
committer | Adam Jackson <ajax@benzedrine.nwnk.net> | 2007-06-04 18:07:00 -0400 |
commit | dfbe32b5b828cc4e3da36a0e2e6ad641164eaa5e (patch) | |
tree | 1b08018adca275fe5ee38eb12366ac8d256f191a | |
parent | 75dece08fb72803d5116e6776e9f1534ff20e37b (diff) |
Remove the old Kerberos 5 authentication code.
Before you complain, this code hasn't seen material change since at least
X11R6. It certainly does not build with any modern version of Kerberos.
Anybody wanting krb5 auth to their X server should probably be using
GSSAPI instead of internal krb5 API anyway.
-rw-r--r-- | dix/dispatch.c | 10 | ||||
-rw-r--r-- | dix/tables.c | 15 | ||||
-rw-r--r-- | include/dixstruct.h | 4 | ||||
-rw-r--r-- | os/Makefile.am | 3 | ||||
-rw-r--r-- | os/access.c | 31 | ||||
-rw-r--r-- | os/auth.c | 12 | ||||
-rw-r--r-- | os/k5auth.c | 799 | ||||
-rw-r--r-- | os/osdep.h | 23 |
8 files changed, 1 insertions, 896 deletions
diff --git a/dix/dispatch.c b/dix/dispatch.c index 6aba9dbb1..c313796ab 100644 --- a/dix/dispatch.c +++ b/dix/dispatch.c @@ -996,10 +996,6 @@ ProcGetAtomName(ClientPtr client) } } -#ifdef K5AUTH -extern int k5_bad(); -#endif - int ProcSetSelectionOwner(ClientPtr client) { @@ -3541,12 +3537,6 @@ InitProcVectors(void) ProcVector[i] = SwappedProcVector[i] = ProcBadRequest; ReplySwapVector[i] = ReplyNotSwappd; } -#ifdef K5AUTH - if (!k5_Vector[i]) - { - k5_Vector[i] = k5_bad; - } -#endif } for(i = LASTEvent; i < 128; i++) { diff --git a/dix/tables.c b/dix/tables.c index 258ac0370..2200e3ceb 100644 --- a/dix/tables.c +++ b/dix/tables.c @@ -61,11 +61,6 @@ SOFTWARE. #include "swaprep.h" #include "swapreq.h" -#ifdef K5AUTH -extern int - k5_stage1(), k5_stage2(), k5_stage3(), k5_bad(); -#endif - int (* InitialVector[3]) ( ClientPtr /* client */ ) = @@ -515,13 +510,3 @@ _X_EXPORT ReplySwapPtr ReplySwapVector[256] = ReplyNotSwappd, /* NoOperation */ ReplyNotSwappd }; - -#ifdef K5AUTH -int (*k5_Vector[256])() = -{ - k5_bad, - k5_stage1, - k5_bad, - k5_stage3 -}; -#endif diff --git a/include/dixstruct.h b/include/dixstruct.h index b5ffcca49..dd6347f18 100644 --- a/include/dixstruct.h +++ b/include/dixstruct.h @@ -207,10 +207,6 @@ extern int (* ProcVector[256]) (ClientPtr /*client*/); extern int (* SwappedProcVector[256]) (ClientPtr /*client*/); -#ifdef K5AUTH -extern int (*k5_Vector[256])(ClientPtr /*client*/); -#endif - extern ReplySwapPtr ReplySwapVector[256]; extern int ProcBadRequest(ClientPtr /*client*/); diff --git a/os/Makefile.am b/os/Makefile.am index d8d1405ce..c5e7b0397 100644 --- a/os/Makefile.am +++ b/os/Makefile.am @@ -3,7 +3,6 @@ noinst_LTLIBRARIES = libos.la libcwrapper.la AM_CFLAGS = $(DIX_CFLAGS) # FIXME: Add support for these in configure.ac -K5AUTH_SRCS = k5auth.c SECURERPC_SRCS = rpcauth.c INTERNALMALLOC_SRCS = xalloc.c @@ -48,7 +47,7 @@ libcwrapper_la_CFLAGS = \ -I$(top_srcdir)/hw/xfree86/os-support \ $(AM_CFLAGS) -EXTRA_DIST = $(K5AUTH_SRCS) $(SECURERPC_SRCS) $(INTERNALMALLOC_SRCS) \ +EXTRA_DIST = $(SECURERPC_SRCS) $(INTERNALMALLOC_SRCS) \ $(XCSECURITY_SRCS) $(XDMCP_SRCS) $(STRLCAT_SRCS) if XSERVER_DTRACE diff --git a/os/access.c b/os/access.c index 221b8cbcd..2de0ead43 100644 --- a/os/access.c +++ b/os/access.c @@ -1169,10 +1169,6 @@ ResetHosts (char *display) struct nodeent *np; struct dn_naddr dnaddr, *dnaddrp, *dnet_addr(); #endif -#ifdef K5AUTH - krb5_principal princ; - krb5_data kbuf; -#endif int family = 0; pointer addr; int len; @@ -1252,13 +1248,6 @@ ResetHosts (char *display) hostname = ohostname + 4; } #endif -#ifdef K5AUTH - else if (!strncmp("krb:", lhostname, 4)) - { - family = FamilyKrb5Principal; - hostname = ohostname + 4; - } -#endif else if (!strncmp("si:", lhostname, 3)) { family = FamilyServerInterpreted; @@ -1301,16 +1290,6 @@ ResetHosts (char *display) } else #endif /* DNETCONN */ -#ifdef K5AUTH - if (family == FamilyKrb5Principal) - { - krb5_parse_name(hostname, &princ); - XauKrb5Encode(princ, &kbuf); - (void) NewHost(FamilyKrb5Principal, kbuf.data, kbuf.length, FALSE); - krb5_free_principal(princ); - } - else -#endif #ifdef SECURE_RPC if ((family == FamilyNetname) || (strchr(hostname, '@'))) { @@ -1552,11 +1531,6 @@ AddHost (ClientPtr client, len = length; LocalHostEnabled = TRUE; break; -#ifdef K5AUTH - case FamilyKrb5Principal: - len = length; - break; -#endif #ifdef SECURE_RPC case FamilyNetname: len = length; @@ -1655,11 +1629,6 @@ RemoveHost ( len = length; LocalHostEnabled = FALSE; break; -#ifdef K5AUTH - case FamilyKrb5Principal: - len = length; - break; -#endif #ifdef SECURE_RPC case FamilyNetname: len = length; @@ -35,9 +35,6 @@ from The Open Group. #include <dix-config.h> #endif -#ifdef K5AUTH -# include <krb5/krb5.h> -#endif # include <X11/X.h> # include <X11/Xauth.h> # include "misc.h" @@ -92,15 +89,6 @@ static struct protocol protocols[] = { #endif }, #endif -#ifdef K5AUTH -{ (unsigned short) 14, "MIT-KERBEROS-5", - K5Add, K5Check, K5Reset, - K5ToID, K5FromID, K5Remove, -#ifdef XCSECURITY - NULL -#endif -}, -#endif #ifdef XCSECURITY { (unsigned short) XSecurityAuthorizationNameLen, XSecurityAuthorizationName, diff --git a/os/k5auth.c b/os/k5auth.c deleted file mode 100644 index 7bc0ce822..000000000 --- a/os/k5auth.c +++ /dev/null @@ -1,799 +0,0 @@ -/* - -Copyright 1993, 1994, 1998 The Open Group - -Permission to use, copy, modify, distribute, and sell this software and its -documentation for any purpose is hereby granted without fee, provided that -the above copyright notice appear in all copies and that both that -copyright notice and this permission notice appear in supporting -documentation. - -The above copyright notice and this permission notice shall be included -in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR -OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -OTHER DEALINGS IN THE SOFTWARE. - -Except as contained in this notice, the name of The Open Group shall -not be used in advertising or otherwise to promote the sale, use or -other dealings in this Software without prior written authorization -from The Open Group. - -*/ - -/* - * Kerberos V5 authentication scheme - * Author: Tom Yu <tlyu@MIT.EDU> - * - * Mostly snarfed wholesale from the user_user demo in the - * krb5 distribution. (At least the checking part) - */ - -#ifdef HAVE_DIX_CONFIG_H -#include <dix-config.h> -#endif - -#include <sys/types.h> -#include <sys/socket.h> -#ifdef TCPCONN -#include <netinet/in.h> -#endif -#ifdef DNETCONN -#include <netdnet/dn.h> -#endif -#include <arpa/inet.h> -#include <krb5/krb5.h> -/* 9/93: krb5.h leaks some symbols */ -#undef BITS32 -#undef xfree -#include <krb5/los-proto.h> -#include <X11/X.h> -#include "os.h" -#include "osdep.h" -#include <X11/Xproto.h> -#include <X11/Xfuncs.h> -#include "dixstruct.h" -#include <com_err.h> -#include "Xauth.h" - -extern int (*k5_Vector[256])(); -extern int SendConnSetup(); -extern char *display; /* need this to generate rcache name */ - -static XID krb5_id = ~0L; -static krb5_principal srvname = NULL; /* service name */ -static char *ccname = NULL; -static char *ktname = NULL; /* key table name */ -static char kerror[256]; - -/* - * tgt_keyproc: - * - * extract session key from a credentials struct - */ -krb5_error_code tgt_keyproc(keyprocarg, principal, vno, key) - krb5_pointer keyprocarg; - krb5_principal principal; - krb5_kvno vno; - krb5_keyblock **key; -{ - krb5_creds *creds = (krb5_creds *)keyprocarg; - - return krb5_copy_keyblock(&creds->keyblock, key); -} - -/* - * k5_cmpenc: - * - * compare "encoded" principals - */ -Bool k5_cmpenc(pname, plen, buf) - unsigned char *pname; - short plen; - krb5_data *buf; -{ - return (plen == buf->length && - memcmp(pname, buf->data, plen) == 0); -} - -/* - * K5Check: - * - * This is stage 0 of the krb5 authentication protocol. It - * goes through the current credentials cache and extracts the - * primary principal and tgt to send to the client, or as - * appropriate, extracts from a keytab. - * - * The packet sent to the client has the following format: - * - * CARD8 reqType = 2 - * CARD8 data = 0 - * CARD16 length = total length of packet (in 32 bit units) - * CARD16 plen = length of encoded principal following - * STRING8 princ = encoded principal - * STRING8 ticket = server tgt - * - * For client-server authentication, the packet is as follows: - * - * CARD8 reqType = 3 - * CARD8 data = 0 - * CARD16 length = total length - * STRING8 princ = encoded principal of server - */ -XID K5Check(data_length, data, client, reason) - unsigned short data_length; - char *data; - ClientPtr client; - char **reason; -{ - krb5_error_code retval; - CARD16 tlen; - krb5_principal sprinc, cprinc; - krb5_ccache cc; - krb5_creds *creds; - char *outbuf, *cp; - krb5_data princ; - register char n; - xReq prefix; - - if (krb5_id == ~0L) - return ~0L; - if (!ccname && !srvname) - return ~0L; - if (ccname) - { - if ((creds = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL) - return ~0L; - if (retval = krb5_cc_resolve(ccname, &cc)) - return ~0L; - bzero((char*)creds, sizeof (krb5_creds)); - if (retval = krb5_cc_get_principal(cc, &cprinc)) - { - krb5_free_creds(creds); - krb5_cc_close(cc); - return ~0L; - } - creds->client = cprinc; - if (retval = - krb5_build_principal_ext(&sprinc, - krb5_princ_realm(creds->client)->length, - krb5_princ_realm(creds->client)->data, - 6, "krbtgt", - krb5_princ_realm(creds->client)->length, - krb5_princ_realm(creds->client)->data, - 0)) - { - krb5_free_creds(creds); - krb5_cc_close(cc); - return ~0L; - } - creds->server = sprinc; - retval = krb5_get_credentials(KRB5_GC_CACHED, cc, creds); - krb5_cc_close(cc); - if (retval) - { - krb5_free_creds(creds); - return ~0L; - } - if (retval = XauKrb5Encode(cprinc, &princ)) - { - krb5_free_creds(creds); - return ~0L; - } - tlen = sz_xReq + 2 + princ.length + creds->ticket.length; - prefix.reqType = 2; /* opcode = authenticate user-to-user */ - } - else if (srvname) - { - if (retval = XauKrb5Encode(srvname, &princ)) - { - return ~0L; - } - tlen = sz_xReq + princ.length; - prefix.reqType = 3; /* opcode = authenticate client-server */ - } - prefix.data = 0; /* stage = 0 */ - prefix.length = (tlen + 3) >> 2; /* round up to nearest multiple - of 4 bytes */ - if (client->swapped) - { - swaps(&prefix.length, n); - } - if ((cp = outbuf = (char *)malloc(tlen)) == NULL) - { - if (ccname) - { - krb5_free_creds(creds); - } - free(princ.data); - return ~0L; - } - memcpy(cp, &prefix, sz_xReq); - cp += sz_xReq; - if (ccname) - { - memcpy(cp, &princ.length, 2); - if (client->swapped) - { - swaps((CARD16 *)cp, n); - } - cp += 2; - } - memcpy(cp, princ.data, princ.length); - cp += princ.length; - free(princ.data); /* we don't need that anymore */ - if (ccname) - memcpy(cp, creds->ticket.data, creds->ticket.length); - WriteToClient(client, tlen, outbuf); - free(outbuf); - client->requestVector = k5_Vector; /* hack in our dispatch vector */ - client->clientState = ClientStateAuthenticating; - if (ccname) - { - ((OsCommPtr)client->osPrivate)->authstate.srvcreds = (pointer)creds; /* save tgt creds */ - ((OsCommPtr)client->osPrivate)->authstate.ktname = NULL; - ((OsCommPtr)client->osPrivate)->authstate.srvname = NULL; - } - if (srvname) - { - ((OsCommPtr)client->osPrivate)->authstate.srvcreds = NULL; - ((OsCommPtr)client->osPrivate)->authstate.ktname = (pointer)ktname; - ((OsCommPtr)client->osPrivate)->authstate.srvname = (pointer)srvname; - } - ((OsCommPtr)client->osPrivate)->authstate.stageno = 1; /* next stage is 1 */ - return krb5_id; -} - -/* - * k5_stage1: - * - * This gets called out of the dispatcher after K5Check frobs with the - * client->requestVector. It accepts the ap_req from the client and verifies - * it. In addition, if the client has set AP_OPTS_MUTUAL_REQUIRED, it then - * sends an ap_rep to the client to achieve mutual authentication. - * - * client stage1 packet format is as follows: - * - * CARD8 reqType = 1 - * CARD8 data = ignored - * CARD16 length = total length - * STRING8 data = the actual ap_req - * - * stage2 packet sent back to client for mutual authentication: - * - * CARD8 reqType = 2 - * CARD8 data = 2 - * CARD16 length = total length - * STRING8 data = the ap_rep - */ -int k5_stage1(client) - register ClientPtr client; -{ - long addrlen; - krb5_error_code retval, retval2; - register char n; - struct sockaddr cli_net_addr; - xReq prefix; - krb5_principal cprinc; - krb5_data buf; - krb5_creds *creds = (krb5_creds *)((OsCommPtr)client->osPrivate)->authstate.srvcreds; - krb5_keyblock *skey; - krb5_address cli_addr, **localaddrs = NULL; - krb5_tkt_authent *authdat; - krb5_ap_rep_enc_part rep; - krb5_int32 ctime, cusec; - krb5_rcache rcache = NULL; - char *cachename = NULL, *rc_type = NULL, *rc_base = "rcX", *kt = NULL; - REQUEST(xReq); - - if (((OsCommPtr)client->osPrivate)->authstate.stageno != 1) - { - if (creds) - krb5_free_creds(creds); - return(SendConnSetup(client, "expected Krb5 stage1 packet")); - } - addrlen = sizeof (cli_net_addr); - if (getpeername(((OsCommPtr)client->osPrivate)->fd, - &cli_net_addr, &addrlen) == -1) - { - if (creds) - krb5_free_creds(creds); - return(SendConnSetup(client, "Krb5 stage1: getpeername failed")); - } - if (cli_net_addr.sa_family == AF_UNSPEC -#if defined(UNIXCONN) || defined(LOCALCONN) || defined(OS2PIPECONN) - || cli_net_addr.sa_family == AF_UNIX -#endif - ) /* assume local host */ - { - krb5_os_localaddr(&localaddrs); - if (!localaddrs || !localaddrs[0]) - { - if (creds) - krb5_free_creds(creds); - return(SendConnSetup(client, "Krb5 failed to get localaddrs")); - } - cli_addr.addrtype = localaddrs[0]->addrtype; - cli_addr.length = localaddrs[0]->length; - cli_addr.contents = localaddrs[0]->contents; - } - else - { - cli_addr.addrtype = cli_net_addr.sa_family; /* the values - are compatible */ - switch (cli_net_addr.sa_family) - { -#ifdef TCPCONN - case AF_INET: - cli_addr.length = sizeof (struct in_addr); - cli_addr.contents = - (krb5_octet *)&((struct sockaddr_in *)&cli_net_addr)->sin_addr; - break; -#endif -#ifdef DNETCONN - case AF_DECnet: - cli_addr.length = sizeof (struct dn_naddr); - cli_addr.contents = - (krb5_octet *)&((struct sockaddr_dn *)&cli_net_addr)->sdn_add; - break; -#endif - default: - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - sprintf(kerror, "Krb5 stage1: unknown address family %d from getpeername", - cli_net_addr.sa_family); - return(SendConnSetup(client, kerror)); - } - } - if ((rcache = (krb5_rcache)malloc(sizeof(*rcache))) == NULL) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - return(SendConnSetup(client, "malloc bombed for krb5_rcache")); - } - if ((rc_type = krb5_rc_default_type()) == NULL) - rc_type = "dfl"; - if (retval = krb5_rc_resolve_type(&rcache, rc_type)) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - free(rcache); - strcpy(kerror, "krb5_rc_resolve_type failed: "); - strncat(kerror, error_message(retval), 231); - return(SendConnSetup(client, kerror)); - } - if ((cachename = (char *)malloc(strlen(rc_base) + strlen(display) + 1)) - == NULL) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - free(rcache); - return(SendConnSetup(client, "Krb5: malloc bombed for cachename")); - } - strcpy(cachename, rc_base); - strcat(cachename, display); - if (retval = krb5_rc_resolve(rcache, cachename)) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - free(rcache); - free(cachename); - strcpy(kerror, "krb5_rc_resolve failed: "); - strncat(kerror, error_message(retval), 236); - return(SendConnSetup(client, kerror)); - } - free(cachename); - if (krb5_rc_recover(rcache)) - { - extern krb5_deltat krb5_clockskew; - if (retval = krb5_rc_initialize(rcache, krb5_clockskew)) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - if (retval2 = krb5_rc_close(rcache)) - { - strcpy(kerror, "krb5_rc_close failed: "); - strncat(kerror, error_message(retval2), 238); - return(SendConnSetup(client, kerror)); - } - free(rcache); - strcpy(kerror, "krb5_rc_initialize failed: "); - strncat(kerror, error_message(retval), 233); - return(SendConnSetup(client, kerror)); - } - } - buf.length = (stuff->length << 2) - sz_xReq; - buf.data = (char *)stuff + sz_xReq; - if (creds) - { - retval = krb5_rd_req(&buf, - NULL, /* don't bother with server name */ - &cli_addr, - NULL, /* no fetchfrom */ - tgt_keyproc, - creds, /* credentials as arg to - keyproc */ - rcache, - &authdat); - krb5_free_creds(creds); - } - else if (kt = (char *)((OsCommPtr)client->osPrivate)->authstate.ktname) - { - retval = krb5_rd_req(&buf, srvname, &cli_addr, kt, NULL, NULL, - rcache, &authdat); - ((OsCommPtr)client->osPrivate)->authstate.ktname = NULL; - } - else - { - if (localaddrs) - krb5_free_addresses(localaddrs); - return(SendConnSetup(client, "Krb5: neither srvcreds nor ktname set")); - } - if (localaddrs) - krb5_free_addresses(localaddrs); - if (rcache) - { - if (retval2 = krb5_rc_close(rcache)) - { - strcpy(kerror, "krb5_rc_close failed (2): "); - strncat(kerror, error_message(retval2), 230); - return(SendConnSetup(client, kerror)); - } - free(rcache); - } - if (retval) - { - strcpy(kerror, "Krb5: Bad application request: "); - strncat(kerror, error_message(retval), 224); - return(SendConnSetup(client, kerror)); - } - cprinc = authdat->ticket->enc_part2->client; - skey = authdat->ticket->enc_part2->session; - if (XauKrb5Encode(cprinc, &buf)) - { - krb5_free_tkt_authent(authdat); - return(SendConnSetup(client, "XauKrb5Encode bombed")); - } - /* - * Now check to see if the principal we got is one that we want to let in - */ - if (ForEachHostInFamily(FamilyKrb5Principal, k5_cmpenc, (pointer)&buf)) - { - free(buf.data); - /* - * The following deals with sending an ap_rep to the client to - * achieve mutual authentication. The client sends back a stage 3 - * packet if all is ok. - */ - if (authdat->ap_options | AP_OPTS_MUTUAL_REQUIRED) - { - /* - * stage 2: send ap_rep to client - */ - if (retval = krb5_us_timeofday(&ctime, &cusec)) - { - krb5_free_tkt_authent(authdat); - strcpy(kerror, "error in krb5_us_timeofday: "); - strncat(kerror, error_message(retval), 234); - return(SendConnSetup(client, kerror)); - } - rep.ctime = ctime; - rep.cusec = cusec; - rep.subkey = NULL; - rep.seq_number = 0; - if (retval = krb5_mk_rep(&rep, skey, &buf)) - { - krb5_free_tkt_authent(authdat); - strcpy(kerror, "error in krb5_mk_rep: "); - strncat(kerror, error_message(retval), 238); - return(SendConnSetup(client, kerror)); - } - prefix.reqType = 2; /* opcode = authenticate */ - prefix.data = 2; /* stage = 2 */ - prefix.length = (buf.length + sz_xReq + 3) >> 2; - if (client->swapped) - { - swaps(&prefix.length, n); - } - WriteToClient(client, sz_xReq, (char *)&prefix); - WriteToClient(client, buf.length, buf.data); - free(buf.data); - krb5_free_tkt_authent(authdat); - ((OsCommPtr)client->osPrivate)->authstate.stageno = 3; /* expect stage3 packet */ - return(Success); - } - else - { - free(buf.data); - krb5_free_tkt_authent(authdat); - return(SendConnSetup(client, NULL)); /* success! */ - } - } - else - { - char *kname; - - krb5_free_tkt_authent(authdat); - free(buf.data); - retval = krb5_unparse_name(cprinc, &kname); - if (retval == 0) - { - sprintf(kerror, "Principal \"%s\" is not authorized to connect", - kname); - if (kname) - free(kname); - return(SendConnSetup(client, kerror)); - } - else - return(SendConnSetup(client,"Principal is not authorized to connect to Server")); - } -} - -/* - * k5_stage3: - * - * Get the short ack packet from the client. This packet can conceivably - * be expanded to allow for switching on end-to-end encryption. - * - * stage3 packet format: - * - * CARD8 reqType = 3 - * CARD8 data = ignored (for now) - * CARD16 length = should be zero - */ -int k5_stage3(client) - register ClientPtr client; -{ - REQUEST(xReq); - - if (((OsCommPtr)client->osPrivate)->authstate.stageno != 3) - { - return(SendConnSetup(client, "expected Krb5 stage3 packet")); - } - else - return(SendConnSetup(client, NULL)); /* success! */ -} - -k5_bad(client) - register ClientPtr client; -{ - if (((OsCommPtr)client->osPrivate)->authstate.srvcreds) - krb5_free_creds((krb5_creds *)((OsCommPtr)client->osPrivate)->authstate.srvcreds); - sprintf(kerror, "unrecognized Krb5 auth packet %d, expecting %d", - ((xReq *)client->requestBuffer)->reqType, - ((OsCommPtr)client->osPrivate)->authstate.stageno); - return(SendConnSetup(client, kerror)); -} - -/* - * K5Add: - * - * Takes the name of a credentials cache and resolves it. Also adds the - * primary principal of the ccache to the acl. - * - * Now will also take a service name. - */ -int K5Add(data_length, data, id) - unsigned short data_length; - char *data; - XID id; -{ - krb5_principal princ; - krb5_error_code retval; - krb5_keytab_entry tmp_entry; - krb5_keytab keytab; - krb5_kvno kvno = 0; - krb5_ccache cc; - char *nbuf, *cp; - krb5_data kbuf; - int i, ktlen; - - krb5_init_ets(); /* can't think of a better place to put it */ - krb5_id = ~0L; - if (data_length < 3) - return 0; - if ((nbuf = (char *)malloc(data_length - 2)) == NULL) - return 0; - memcpy(nbuf, data + 3, data_length - 3); - nbuf[data_length - 3] = '\0'; - if (ccname) - { - free(ccname); - ccname = NULL; - } - if (srvname) - { - krb5_free_principal(srvname); - srvname = NULL; - } - if (ktname) - { - free(ktname); - ktname = NULL; - } - if (!strncmp(data, "UU:", 3)) - { - if (retval = krb5_cc_resolve(nbuf, &cc)) - { - ErrorF("K5Add: krb5_cc_resolve of \"%s\" failed: %s\n", - nbuf, error_message(retval)); - free(nbuf); - return 0; - } - if (cc && !(retval = krb5_cc_get_principal(cc, &princ))) - { - if (XauKrb5Encode(princ, &kbuf)) - { - free(nbuf); - krb5_free_principal(princ); - krb5_cc_close(cc); - return 0; - } - if (krb5_cc_close(cc)) - return 0; - AddHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data); - krb5_free_principal(princ); - free(kbuf.data); - ccname = nbuf; - krb5_id = id; - return 1; - } - else - { - ErrorF("K5Add: getting principal from cache \"%s\" failed: %s\n", - nbuf, error_message(retval)); - } - } - else if (!strncmp(data, "CS:", 3)) - { - if ((cp = strchr(nbuf, ',')) == NULL) - { - free(nbuf); - return 0; - } - *cp = '\0'; /* gross but it works :-) */ - ktlen = strlen(cp + 1); - if ((ktname = (char *)malloc(ktlen + 1)) == NULL) - { - free(nbuf); - return 0; - } - strcpy(ktname, cp + 1); - retval = krb5_sname_to_principal(NULL, /* NULL for hostname uses - local host name*/ - nbuf, KRB5_NT_SRV_HST, - &srvname); - free(nbuf); - if (retval) - { - free(ktname); - ktname = NULL; - return 0; - } - if (retval = krb5_kt_resolve(ktname, &keytab)) - { - free(ktname); - ktname = NULL; - krb5_free_principal(srvname); - srvname = NULL; - return 0; - } - retval = krb5_kt_get_entry(keytab, srvname, kvno, &tmp_entry); - krb5_kt_free_entry(&tmp_entry); - if (retval) - { - free(ktname); - ktname = NULL; - krb5_free_principal(srvname); - srvname = NULL; - return 0; - } - if (XauKrb5Encode(srvname, &kbuf)) - { - free(ktname); - ktname = NULL; - krb5_free_principal(srvname); - srvname = NULL; - return 0; - } - AddHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data); - krb5_id = id; - return 1; - } - else - { - ErrorF("K5Add: credentials cache name \"%.*s\" in auth file: unknown type\n", - data_length, data); - } - return 0; -} - -/* - * K5Reset: - * - * Reset krb5_id, also nuke the current principal from the acl. - */ -int K5Reset() -{ - krb5_principal princ; - krb5_error_code retval; - krb5_ccache cc; - krb5_data kbuf; - int i; - - if (ccname) - { - if (retval = krb5_cc_resolve(ccname, &cc)) - { - free(ccname); - ccname = NULL; - } - if (cc && !(retval = krb5_cc_get_principal(cc, &princ))) - { - if (XauKrb5Encode(princ, &kbuf)) - return 1; - RemoveHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data); - krb5_free_principal(princ); - free(kbuf.data); - if (krb5_cc_close(cc)) - return 1; - free(ccname); - ccname = NULL; - } - } - if (srvname) - { - if (XauKrb5Encode(srvname, &kbuf)) - return 1; - RemoveHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data); - krb5_free_principal(srvname); - free(kbuf.data); - srvname = NULL; - } - if (ktname) - { - free(ktname); - ktname = NULL; - } - krb5_id = ~0L; - return 0; -} - -XID K5ToID(data_length, data) - unsigned short data_length; - char *data; -{ - return krb5_id; -} - -int K5FromID(id, data_lenp, datap) - XID id; - unsigned short *data_lenp; - char **datap; -{ - return 0; -} - -int K5Remove(data_length, data) - unsigned short data_length; - char *data; -{ - return 0; -} diff --git a/os/osdep.h b/os/osdep.h index 0984d51e8..04e88ea49 100644 --- a/os/osdep.h +++ b/os/osdep.h @@ -145,16 +145,6 @@ typedef struct _connectionOutput { int count; } ConnectionOutput, *ConnectionOutputPtr; -#ifdef K5AUTH -typedef struct _k5_state { - int stageno; /* current stage of auth protocol */ - pointer srvcreds; /* server credentials */ - pointer srvname; /* server principal name */ - pointer ktname; /* key table: principal-key pairs */ - pointer skey; /* session key */ -} k5_state; -#endif - struct _osComm; #define AuthInitArgs void @@ -190,9 +180,6 @@ typedef struct _osComm { ConnectionInputPtr input; ConnectionOutputPtr output; XID auth_id; /* authorization id */ -#ifdef K5AUTH - k5_state authstate; /* state of setup auth conversation */ -#endif CARD32 conn_time; /* timestamp if not established, else 0 */ struct _XtransConnInfo *trans_conn; /* transport connection object */ } OsCommRec, *OsCommPtr; @@ -273,16 +260,6 @@ extern int SecureRPCRemove (AuthRemCArgs); extern int SecureRPCReset (AuthRstCArgs); #endif -/* in k5auth.c */ -#ifdef K5AUTH -extern XID K5Check (AuthCheckArgs); -extern XID K5ToID (AuthToIDArgs); -extern int K5Add (AuthAddCArgs); -extern int K5FromID (AuthFromIDArgs); -extern int K5Remove (AuthRemCArgs); -extern int K5Reset (AuthRstCArgs); -#endif - /* in secauth.c */ extern XID AuthSecurityCheck (AuthCheckArgs); |