Diffstat (limited to 'crypto/heimdal/kdc')
32 files changed, 0 insertions, 9474 deletions
diff --git a/crypto/heimdal/kdc/524.c b/crypto/heimdal/kdc/524.c
deleted file mode 100644
index 21bc6a1359d4..000000000000
--- a/crypto/heimdal/kdc/524.c
+++ /dev/null
@@ -1,296 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kdc_locl.h" - -RCSID("$Id: 524.c,v 1.25 2002/07/31 09:43:20 joda Exp $"); - -#ifdef KRB4 - -/* - * fetch the server from `t', returning the name in malloced memory in - * `spn' and the entry itself in `server' - */ - -static krb5_error_code -fetch_server (const Ticket *t, - char **spn, - hdb_entry **server, - const char *from) -{ - krb5_error_code ret; - krb5_principal sprinc; - - ret = principalname2krb5_principal(&sprinc, t->sname, t->realm); - if (ret) { - kdc_log(0, "principalname2krb5_principal: %s", - krb5_get_err_text(context, ret)); - return ret; - } - ret = krb5_unparse_name(context, sprinc, spn); - if (ret) { - krb5_free_principal(context, sprinc); - kdc_log(0, "krb5_unparse_name: %s", krb5_get_err_text(context, ret)); - return ret; - } - ret = db_fetch(sprinc, server); - krb5_free_principal(context, sprinc); - if (ret) { - kdc_log(0, - "Request to convert ticket from %s for unknown principal %s: %s", - from, *spn, krb5_get_err_text(context, ret)); - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - return ret; - } - return 0; -} - -static krb5_error_code -log_524 (const EncTicketPart *et, - const char *from, - const char *spn) -{ - krb5_principal client; - char *cpn; - krb5_error_code ret; - - ret = principalname2krb5_principal(&client, et->cname, et->crealm); - if (ret) { - kdc_log(0, "principalname2krb5_principal: %s", - krb5_get_err_text (context, ret)); - return ret; - } - ret = krb5_unparse_name(context, client, &cpn); - if (ret) { - krb5_free_principal(context, client); - kdc_log(0, "krb5_unparse_name: %s", - krb5_get_err_text (context, ret)); - return ret; - } - kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn); - free(cpn); - krb5_free_principal(context, client); - return 0; -} - -static krb5_error_code -verify_flags (const EncTicketPart *et, - const char *spn) -{ - if(et->endtime < kdc_time){ - kdc_log(0, "Ticket expired (%s)", spn); - return KRB5KRB_AP_ERR_TKT_EXPIRED; - } - if(et->flags.invalid){ - 
kdc_log(0, "Ticket not valid (%s)", spn); - return KRB5KRB_AP_ERR_TKT_NYV; - } - return 0; -} - -/* - * set the `et->caddr' to the most appropriate address to use, where - * `addr' is the address the request was received from. - */ - -static krb5_error_code -set_address (EncTicketPart *et, - struct sockaddr *addr, - const char *from) -{ - krb5_error_code ret; - krb5_address *v4_addr; - - v4_addr = malloc (sizeof(*v4_addr)); - if (v4_addr == NULL) - return ENOMEM; - - ret = krb5_sockaddr2address(context, addr, v4_addr); - if(ret) { - free (v4_addr); - kdc_log(0, "Failed to convert address (%s)", from); - return ret; - } - - if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) { - kdc_log(0, "Incorrect network address (%s)", from); - krb5_free_address(context, v4_addr); - free (v4_addr); - return KRB5KRB_AP_ERR_BADADDR; - } - if(v4_addr->addr_type == KRB5_ADDRESS_INET) { - /* we need to collapse the addresses in the ticket to a - single address; best guess is to use the address the - connection came from */ - - if (et->caddr != NULL) { - free_HostAddresses(et->caddr); - } else { - et->caddr = malloc (sizeof (*et->caddr)); - if (et->caddr == NULL) { - krb5_free_address(context, v4_addr); - free(v4_addr); - return ENOMEM; - } - } - et->caddr->val = v4_addr; - et->caddr->len = 1; - } else { - krb5_free_address(context, v4_addr); - free(v4_addr); - } - return 0; -} - -/* - * process a 5->4 request, based on `t', and received `from, addr', - * returning the reply in `reply' - */ - -krb5_error_code -do_524(const Ticket *t, krb5_data *reply, - const char *from, struct sockaddr *addr) -{ - krb5_error_code ret = 0; - krb5_crypto crypto; - hdb_entry *server = NULL; - Key *skey; - krb5_data et_data; - EncTicketPart et; - EncryptedData ticket; - krb5_storage *sp; - char *spn = NULL; - unsigned char buf[MAX_KTXT_LEN + 4 * 4]; - size_t len; - - if(!enable_524) { - ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Rejected ticket conversion request from %s", from); - goto 
out; - } - - ret = fetch_server (t, &spn, &server, from); - if (ret) { - goto out; - } - - ret = hdb_enctype2key(context, server, t->enc_part.etype, &skey); - if(ret){ - kdc_log(0, "No suitable key found for server (%s) from %s", spn, from); - goto out; - } - ret = krb5_crypto_init(context, &skey->key, 0, &crypto); - if (ret) { - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - goto out; - } - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_TICKET, - &t->enc_part, - &et_data); - krb5_crypto_destroy(context, crypto); - if(ret){ - kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn); - goto out; - } - ret = krb5_decode_EncTicketPart(context, et_data.data, et_data.length, - &et, &len); - krb5_data_free(&et_data); - if(ret){ - kdc_log(0, "Failed to decode ticket from %s for %s", from, spn); - goto out; - } - - ret = log_524 (&et, from, spn); - if (ret) { - free_EncTicketPart(&et); - goto out; - } - - ret = verify_flags (&et, spn); - if (ret) { - free_EncTicketPart(&et); - goto out; - } - - ret = set_address (&et, addr, from); - if (ret) { - free_EncTicketPart(&et); - goto out; - } - ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf), - &et, &t->sname, &len); - free_EncTicketPart(&et); - if(ret){ - kdc_log(0, "Failed to encode v4 ticket (%s)", spn); - goto out; - } - ret = get_des_key(server, TRUE, FALSE, &skey); - if(ret){ - kdc_log(0, "no suitable DES key for server (%s)", spn); - goto out; - } - ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len, - skey->key.keyvalue.data, &ticket); - if(ret){ - kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn); - goto out; - } -out: - /* make reply */ - memset(buf, 0, sizeof(buf)); - sp = krb5_storage_from_mem(buf, sizeof(buf)); - krb5_store_int32(sp, ret); - if(ret == 0){ - krb5_store_int32(sp, server->kvno); /* is this right? */ - krb5_store_data(sp, ticket.cipher); - /* Aargh! This is coded as a KTEXT_ST. 
*/ - krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR); - krb5_store_int32(sp, 0); /* mbz */ - free_EncryptedData(&ticket); - } - ret = krb5_storage_to_data(sp, reply); - reply->length = krb5_storage_seek(sp, 0, SEEK_CUR); - krb5_storage_free(sp); - - if(spn) - free(spn); - if(server) - free_ent (server); - return ret; -} - -#endif /* KRB4 */ diff --git a/crypto/heimdal/kdc/Makefile.am b/crypto/heimdal/kdc/Makefile.am deleted file mode 100644 index 3bb00f82eed7..000000000000 --- a/crypto/heimdal/kdc/Makefile.am +++ /dev/null @@ -1,69 +0,0 @@ -# $Id: Makefile.am,v 1.43 2001/08/28 08:31:27 assar Exp $ - -include $(top_srcdir)/Makefile.am.common - -INCLUDES += $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 - -bin_PROGRAMS = string2key - -sbin_PROGRAMS = kstash - -libexec_PROGRAMS = hprop hpropd kdc - -man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8 - -hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h -hpropd_SOURCES = hpropd.c hprop.h - -kstash_SOURCES = kstash.c headers.h - -string2key_SOURCES = string2key.c headers.h - -if KRB4 -krb4_sources = 524.c kerberos4.c kaserver.c rx.h -else -krb4_sources = -endif - -kdc_SOURCES = \ - config.c \ - connect.c \ - kdc_locl.h \ - kerberos5.c \ - log.c \ - main.c \ - misc.c \ - $(krb4_sources) - - -hprop_LDADD = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_kdb) $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - -hpropd_LDADD = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_kdb) $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - -LDADD = $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - -kdc_LDADD = $(LDADD) $(LIB_pidfile) - 
diff --git a/crypto/heimdal/kdc/Makefile.in b/crypto/heimdal/kdc/Makefile.in
deleted file mode 100644
index 429deea3a044..000000000000
--- a/crypto/heimdal/kdc/Makefile.in
+++ /dev/null
@@ -1,792 +0,0 @@ -# Makefile.in generated by automake 1.6.1 from Makefile.am. -# @configure_input@ - -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 -# Free Software Foundation, Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# $Id: Makefile.am,v 1.43 2001/08/28 08:31:27 assar Exp $ - -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ - -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ -SHELL = @SHELL@ - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ -VPATH = @srcdir@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ - -bindir = @bindir@ -sbindir = @sbindir@ -libexecdir = @libexecdir@ -datadir = @datadir@ -sysconfdir = @sysconfdir@ -sharedstatedir = @sharedstatedir@ -localstatedir = @localstatedir@ -libdir = @libdir@ -infodir = @infodir@ -mandir = @mandir@ -includedir = @includedir@ -oldincludedir = /usr/include -pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. 
- -ACLOCAL = @ACLOCAL@ -AUTOCONF = @AUTOCONF@ -AUTOMAKE = @AUTOMAKE@ -AUTOHEADER = @AUTOHEADER@ - -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_DATA = @INSTALL_DATA@ -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_HEADER = $(INSTALL_DATA) -transform = @program_transform_name@ -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -host_alias = @host_alias@ -host_triplet = @host@ - -EXEEXT = @EXEEXT@ -OBJEXT = @OBJEXT@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AMTAR = @AMTAR@ -AS = @AS@ -AWK = @AWK@ -CANONICAL_HOST = @CANONICAL_HOST@ -CATMAN = @CATMAN@ -CATMANEXT = @CATMANEXT@ -CC = @CC@ -COMPILE_ET = @COMPILE_ET@ -CPP = @CPP@ -DBLIB = @DBLIB@ -DEPDIR = @DEPDIR@ -DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ -DIR_roken = @DIR_roken@ -DLLTOOL = @DLLTOOL@ -ECHO = @ECHO@ -EXTRA_LIB45 = @EXTRA_LIB45@ -GROFF = @GROFF@ -INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_ = @INCLUDE_@ -INCLUDE_des = @INCLUDE_des@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LEX = @LEX@ - -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBTOOL = @LIBTOOL@ -LIB_ = @LIB_@ -LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ -LIB_NDBM = @LIB_NDBM@ -LIB_com_err = @LIB_com_err@ -LIB_com_err_a = @LIB_com_err_a@ -LIB_com_err_so = @LIB_com_err_so@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ -LIB_kdb = @LIB_kdb@ -LIB_otp = @LIB_otp@ -LIB_roken = @LIB_roken@ -LIB_security = @LIB_security@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ -NROFF = @NROFF@ -OBJDUMP = @OBJDUMP@ -PACKAGE = @PACKAGE@ -RANLIB = @RANLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ -WFLAGS = @WFLAGS@ 
-WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ -WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ -X_CFLAGS = @X_CFLAGS@ -X_EXTRA_LIBS = @X_EXTRA_LIBS@ -X_LIBS = @X_LIBS@ -X_PRE_LIBS = @X_PRE_LIBS@ -YACC = @YACC@ -am__include = @am__include@ -am__quote = @am__quote@ -dpagaix_cflags = @dpagaix_cflags@ -dpagaix_ldadd = @dpagaix_ldadd@ -dpagaix_ldflags = @dpagaix_ldflags@ -install_sh = @install_sh@ - -AUTOMAKE_OPTIONS = foreign no-dependencies 1.6 - -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 - -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 - -@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME - -AM_CFLAGS = $(WFLAGS) - -CP = cp - -buildinclude = $(top_builddir)/include - -LIB_XauReadAuth = @LIB_XauReadAuth@ -LIB_crypt = @LIB_crypt@ -LIB_dbm_firstkey = @LIB_dbm_firstkey@ -LIB_dbopen = @LIB_dbopen@ -LIB_dlopen = @LIB_dlopen@ -LIB_dn_expand = @LIB_dn_expand@ -LIB_el_init = @LIB_el_init@ -LIB_getattr = @LIB_getattr@ -LIB_gethostbyname = @LIB_gethostbyname@ -LIB_getpwent_r = @LIB_getpwent_r@ -LIB_getpwnam_r = @LIB_getpwnam_r@ -LIB_getsockopt = @LIB_getsockopt@ -LIB_logout = @LIB_logout@ -LIB_logwtmp = @LIB_logwtmp@ -LIB_odm_initialize = @LIB_odm_initialize@ -LIB_openpty = @LIB_openpty@ -LIB_pidfile = @LIB_pidfile@ -LIB_res_search = @LIB_res_search@ -LIB_setpcred = @LIB_setpcred@ -LIB_setsockopt = @LIB_setsockopt@ -LIB_socket = @LIB_socket@ -LIB_syslog = @LIB_syslog@ -LIB_tgetent = @LIB_tgetent@ - -HESIODLIB = @HESIODLIB@ -HESIODINCLUDE = @HESIODINCLUDE@ -INCLUDE_hesiod = @INCLUDE_hesiod@ -LIB_hesiod = @LIB_hesiod@ - -INCLUDE_krb4 = @INCLUDE_krb4@ -LIB_krb4 = @LIB_krb4@ - -INCLUDE_openldap = @INCLUDE_openldap@ -LIB_openldap = @LIB_openldap@ - -INCLUDE_readline = @INCLUDE_readline@ -LIB_readline = @LIB_readline@ - -NROFF_MAN = groff -mandoc -Tascii - -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) - -@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ -@KRB5_TRUE@ 
$(top_builddir)/lib/asn1/libasn1.la - -@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la - -@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la - -bin_PROGRAMS = string2key - -sbin_PROGRAMS = kstash - -libexec_PROGRAMS = hprop hpropd kdc - -man_MANS = kdc.8 kstash.8 hprop.8 hpropd.8 string2key.8 - -hprop_SOURCES = hprop.c mit_dump.c v4_dump.c hprop.h kadb.h -hpropd_SOURCES = hpropd.c hprop.h - -kstash_SOURCES = kstash.c headers.h - -string2key_SOURCES = string2key.c headers.h - -@KRB4_TRUE@krb4_sources = 524.c kerberos4.c kaserver.c rx.h -@KRB4_FALSE@krb4_sources = - -kdc_SOURCES = \ - config.c \ - connect.c \ - kdc_locl.h \ - kerberos5.c \ - log.c \ - main.c \ - misc.c \ - $(krb4_sources) - - -hprop_LDADD = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_kdb) $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - - -hpropd_LDADD = \ - $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_kdb) $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - - -LDADD = $(top_builddir)/lib/hdb/libhdb.la \ - $(LIB_openldap) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_krb4) \ - $(LIB_des) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) \ - $(DBLIB) - - -kdc_LDADD = $(LDADD) $(LIB_pidfile) -subdir = kdc -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs -CONFIG_HEADER = $(top_builddir)/include/config.h -CONFIG_CLEAN_FILES = -bin_PROGRAMS = string2key$(EXEEXT) -libexec_PROGRAMS = hprop$(EXEEXT) hpropd$(EXEEXT) kdc$(EXEEXT) -sbin_PROGRAMS = kstash$(EXEEXT) -PROGRAMS = $(bin_PROGRAMS) $(libexec_PROGRAMS) $(sbin_PROGRAMS) - -am_hprop_OBJECTS = hprop.$(OBJEXT) mit_dump.$(OBJEXT) v4_dump.$(OBJEXT) -hprop_OBJECTS = $(am_hprop_OBJECTS) -hprop_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - 
$(top_builddir)/lib/asn1/libasn1.la -hprop_LDFLAGS = -am_hpropd_OBJECTS = hpropd.$(OBJEXT) -hpropd_OBJECTS = $(am_hpropd_OBJECTS) -hpropd_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -hpropd_LDFLAGS = -@KRB4_TRUE@am__objects_1 = 524.$(OBJEXT) kerberos4.$(OBJEXT) \ -@KRB4_TRUE@ kaserver.$(OBJEXT) -@KRB4_FALSE@am__objects_1 = -am_kdc_OBJECTS = config.$(OBJEXT) connect.$(OBJEXT) kerberos5.$(OBJEXT) \ - log.$(OBJEXT) main.$(OBJEXT) misc.$(OBJEXT) $(am__objects_1) -kdc_OBJECTS = $(am_kdc_OBJECTS) -kdc_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kdc_LDFLAGS = -am_kstash_OBJECTS = kstash.$(OBJEXT) -kstash_OBJECTS = $(am_kstash_OBJECTS) -kstash_LDADD = $(LDADD) -kstash_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -kstash_LDFLAGS = -am_string2key_OBJECTS = string2key.$(OBJEXT) -string2key_OBJECTS = $(am_string2key_OBJECTS) -string2key_LDADD = $(LDADD) -string2key_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(top_builddir)/lib/asn1/libasn1.la -string2key_LDFLAGS = - -DEFS = @DEFS@ -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include -CPPFLAGS = @CPPFLAGS@ -LDFLAGS = @LDFLAGS@ -LIBS = @LIBS@ -depcomp = -am__depfiles_maybe = -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) \ - $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -CFLAGS = @CFLAGS@ -DIST_SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) \ - $(kstash_SOURCES) $(string2key_SOURCES) -MANS = $(man_MANS) -DIST_COMMON = Makefile.am Makefile.in -SOURCES = $(hprop_SOURCES) $(hpropd_SOURCES) $(kdc_SOURCES) $(kstash_SOURCES) $(string2key_SOURCES) - -all: all-am - -.SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) - cd $(top_srcdir) && \ - $(AUTOMAKE) --foreign kdc/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) -binPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-binPROGRAMS: $(bin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(bindir) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - p1=`echo "$$p1" | sed -e 's,^.*/,,'`; \ - f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) $$p $(DESTDIR)$(bindir)/$$f; \ - else :; fi; \ - done - -uninstall-binPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(bin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 
's/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - f=`echo "$$f" | sed -e 's,^.*/,,'`; \ - echo " rm -f $(DESTDIR)$(bindir)/$$f"; \ - rm -f $(DESTDIR)$(bindir)/$$f; \ - done - -clean-binPROGRAMS: - -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) -libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-libexecPROGRAMS: $(libexec_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(libexecdir) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - p1=`echo "$$p1" | sed -e 's,^.*/,,'`; \ - f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(libexecPROGRAMS_INSTALL) $$p $(DESTDIR)$(libexecdir)/$$f; \ - else :; fi; \ - done - -uninstall-libexecPROGRAMS: - @$(NORMAL_UNINSTALL) - @list='$(libexec_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - f=`echo "$$f" | sed -e 's,^.*/,,'`; \ - echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \ - rm -f $(DESTDIR)$(libexecdir)/$$f; \ - done - -clean-libexecPROGRAMS: - -test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS) -sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) -install-sbinPROGRAMS: $(sbin_PROGRAMS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(sbindir) - @list='$(sbin_PROGRAMS)'; for p in $$list; do \ - p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - if test -f $$p \ - || test -f $$p1 \ - ; then \ - p1=`echo "$$p1" | sed -e 's,^.*/,,'`; \ - f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \ - echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f"; \ - $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(sbinPROGRAMS_INSTALL) $$p $(DESTDIR)$(sbindir)/$$f; \ - else :; fi; \ - done - -uninstall-sbinPROGRAMS: - @$(NORMAL_UNINSTALL) - 
@list='$(sbin_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ - f=`echo "$$f" | sed -e 's,^.*/,,'`; \ - echo " rm -f $(DESTDIR)$(sbindir)/$$f"; \ - rm -f $(DESTDIR)$(sbindir)/$$f; \ - done - -clean-sbinPROGRAMS: - -test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS) -hprop$(EXEEXT): $(hprop_OBJECTS) $(hprop_DEPENDENCIES) - @rm -f hprop$(EXEEXT) - $(LINK) $(hprop_LDFLAGS) $(hprop_OBJECTS) $(hprop_LDADD) $(LIBS) -hpropd$(EXEEXT): $(hpropd_OBJECTS) $(hpropd_DEPENDENCIES) - @rm -f hpropd$(EXEEXT) - $(LINK) $(hpropd_LDFLAGS) $(hpropd_OBJECTS) $(hpropd_LDADD) $(LIBS) -kdc$(EXEEXT): $(kdc_OBJECTS) $(kdc_DEPENDENCIES) - @rm -f kdc$(EXEEXT) - $(LINK) $(kdc_LDFLAGS) $(kdc_OBJECTS) $(kdc_LDADD) $(LIBS) -kstash$(EXEEXT): $(kstash_OBJECTS) $(kstash_DEPENDENCIES) - @rm -f kstash$(EXEEXT) - $(LINK) $(kstash_LDFLAGS) $(kstash_OBJECTS) $(kstash_LDADD) $(LIBS) -string2key$(EXEEXT): $(string2key_OBJECTS) $(string2key_DEPENDENCIES) - @rm -f string2key$(EXEEXT) - $(LINK) $(string2key_LDFLAGS) $(string2key_OBJECTS) $(string2key_LDADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) core *.core - -distclean-compile: - -rm -f *.tab.c - -.c.o: - $(COMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< - -.c.obj: - $(COMPILE) -c `cygpath -w $<` - -.c.lo: - $(LTCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: - -man8dir = $(mandir)/man8 -install-man8: $(man8_MANS) $(man_MANS) - @$(NORMAL_INSTALL) - $(mkinstalldirs) $(DESTDIR)$(man8dir) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - 
inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \ - $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \ - done -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \ - rm -f $(DESTDIR)$(man8dir)/$$inst; \ - done - -ETAGS = etags -ETAGSFLAGS = - -tags: TAGS - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - mkid -fID $$unique - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - tags=; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) ' { files[$$0] = 1; } \ - END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - -top_distdir = .. 
-distdir = $(top_distdir)/$(PACKAGE)-$(VERSION) - -distdir: $(DISTFILES) - @for file in $(DISTFILES); do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkinstalldirs) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ - if test -d $$d/$$file; then \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ - fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ - else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ - || exit 1; \ - fi; \ - done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="${top_distdir}" distdir="$(distdir)" \ - dist-hook -check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) all-local - -installdirs: - $(mkinstalldirs) $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) $(DESTDIR)$(sbindir) $(DESTDIR)$(man8dir) - -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -rm -f Makefile $(CONFIG_CLEAN_FILES) stamp-h stamp-h[0-9]* - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS mostlyclean-am - -distclean: distclean-am - -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags - -dvi: dvi-am - -dvi-am: - -info: info-am - -info-am: - -install-data-am: install-data-local install-man - -install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \ - install-sbinPROGRAMS - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-exec-hook - -install-info: install-info-am - -install-man: install-man8 - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -uninstall-am: uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-sbinPROGRAMS - -uninstall-man: uninstall-man8 - -.PHONY: GTAGS all all-am all-local check check-am check-local clean \ - clean-binPROGRAMS clean-generic clean-libexecPROGRAMS \ - clean-libtool clean-sbinPROGRAMS distclean distclean-compile \ - distclean-generic distclean-libtool distclean-tags distdir dvi \ - dvi-am info info-am install install-am install-binPROGRAMS \ - install-data install-data-am install-data-local install-exec \ - install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-man8 \ - install-sbinPROGRAMS install-strip installcheck installcheck-am \ - installdirs maintainer-clean maintainer-clean-generic \ - mostlyclean mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool tags uninstall uninstall-am \ - uninstall-binPROGRAMS uninstall-info-am \ - uninstall-libexecPROGRAMS uninstall-man uninstall-man8 \ - uninstall-sbinPROGRAMS - - -install-suid-programs: - @foo='$(bin_SUIDS)'; \ - for file in $$foo; do \ - x=$(DESTDIR)$(bindir)/$$file; \ - if chown 0:0 $$x && chmod u+s $$x; then :; else \ - 
echo "*"; \ - echo "* Failed to install $$x setuid root"; \ - echo "*"; \ - fi; done - -install-exec-hook: install-suid-programs - -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ - for f in $$foo; do \ - f=`basename $$f`; \ - if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ - else file="$$f"; fi; \ - if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ - : ; else \ - echo " $(CP) $$file $(buildinclude)/$$f"; \ - $(CP) $$file $(buildinclude)/$$f; \ - fi ; \ - done - -all-local: install-build-headers - -check-local:: - @if test '$(CHECK_LOCAL)'; then \ - foo='$(CHECK_LOCAL)'; else \ - foo='$(PROGRAMS)'; fi; \ - if test "$$foo"; then \ - failed=0; all=0; \ - for i in $$foo; do \ - all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ - echo "PASS: $$i"; \ - else \ - echo "FAIL: $$i"; \ - failed=`expr $$failed + 1`; \ - fi; \ - done; \ - if test "$$failed" -eq 0; then \ - banner="All $$all tests passed"; \ - else \ - banner="$$failed of $$all tests failed"; \ - fi; \ - dashes=`echo "$$banner" | sed s/./=/g`; \ - echo "$$dashes"; \ - echo "$$banner"; \ - echo "$$dashes"; \ - test "$$failed" -eq 0; \ - fi - -.x.c: - @cmp -s $< $@ 2> /dev/null || cp $< $@ -#NROFF_MAN = nroff -man -.1.cat1: - $(NROFF_MAN) $< > $@ -.3.cat3: - $(NROFF_MAN) $< > $@ -.5.cat5: - $(NROFF_MAN) $< > $@ -.8.cat8: - $(NROFF_MAN) $< > $@ - -dist-cat1-mans: - @foo='$(man1_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.1) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat3-mans: - @foo='$(man3_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.3) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ - echo 
"$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat5-mans: - @foo='$(man5_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.5) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-cat8-mans: - @foo='$(man8_MANS)'; \ - bar='$(man_MANS)'; \ - for i in $$bar; do \ - case $$i in \ - *.8) foo="$$foo $$i";; \ - esac; done ;\ - for i in $$foo; do \ - x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ - echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ - $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ - done - -dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans - -install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) - -install-data-local: install-cat-mans - -.et.h: - $(COMPILE_ET) $< -.et.c: - $(COMPILE_ET) $< -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c deleted file mode 100644 index 165e309e0c9e..000000000000 --- a/crypto/heimdal/kdc/config.c +++ /dev/null 
@@ -1,400 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kdc_locl.h" -#include <getarg.h> -#include <parse_bytes.h> - -RCSID("$Id: config.c,v 1.43 2002/08/29 01:51:07 assar Exp $"); - -static const char *config_file; /* location of kdc config file */ - -int require_preauth = -1; /* 1 == require preauth for all principals */ - -size_t max_request; /* maximal size of a request */ - -static char *max_request_str; /* `max_request' as a string */ - -time_t kdc_warn_pwexpire; /* time before expiration to print a warning */ - -struct dbinfo *databases; -HDB **db; -int num_db; - -const char *port_str; - -#ifdef HAVE_DAEMON -int detach_from_console = -1; -#define DETACH_IS_DEFAULT FALSE -#endif - -int enable_http = -1; -krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */ - -krb5_boolean check_ticket_addresses; -krb5_boolean allow_null_ticket_addresses; -krb5_boolean allow_anonymous; - -static struct getarg_strings addresses_str; /* addresses to listen on */ -krb5_addresses explicit_addresses; - -#ifdef KRB4 -char *v4_realm; -int enable_v4 = -1; -int enable_524 = -1; -int enable_kaserver = -1; -#endif - -static int help_flag; -static int version_flag; - -static struct getargs args[] = { - { - "config-file", 'c', arg_string, &config_file, - "location of config file", "file" - }, - { - "require-preauth", 'p', arg_negative_flag, &require_preauth, - "don't require pa-data in as-reqs" - }, - { - "max-request", 0, arg_string, &max_request, - "max size for a kdc-request", "size" - }, -#if 0 - { - "database", 'd', arg_string, &databases, - "location of database", "database" - }, -#endif - { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" }, -#ifdef KRB4 - { "kerberos4", 0, arg_negative_flag, &enable_v4, - "don't respond to kerberos 4 requests" - }, - { "524", 0, arg_negative_flag, &enable_524, - "don't respond to 524 requests" - }, - { - "v4-realm", 'r', arg_string, &v4_realm, - "realm to serve v4-requests for" - }, - { - "kaserver", 'K', arg_flag, &enable_kaserver, - "enable kaserver 
support" - }, -#endif - { "ports", 'P', arg_string, &port_str, - "ports to listen to", "portspec" - }, -#ifdef HAVE_DAEMON -#if DETACH_IS_DEFAULT - { - "detach", 'D', arg_negative_flag, &detach_from_console, - "don't detach from console" - }, -#else - { - "detach", 0 , arg_flag, &detach_from_console, - "detach from console" - }, -#endif -#endif - { "addresses", 0, arg_strings, &addresses_str, - "addresses to listen on", "list of addresses" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 'v', arg_flag, &version_flag } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int ret) -{ - arg_printusage (args, num_args, NULL, ""); - exit (ret); -} - -static void -get_dbinfo(void) -{ - const krb5_config_binding *top_binding = NULL; - const krb5_config_binding *db_binding; - const krb5_config_binding *default_binding = NULL; - struct dbinfo *di, **dt; - const char *default_dbname = HDB_DEFAULT_DB; - const char *default_mkey = HDB_DB_DIR "/m-key"; - const char *p; - - databases = NULL; - dt = &databases; - while((db_binding = (const krb5_config_binding *) - krb5_config_get_next(context, NULL, &top_binding, - krb5_config_list, - "kdc", - "database", - NULL))) { - p = krb5_config_get_string(context, db_binding, "realm", NULL); - if(p == NULL) { - if(default_binding) { - krb5_warnx(context, "WARNING: more than one realm-less " - "database specification"); - krb5_warnx(context, "WARNING: using the first encountered"); - } else - default_binding = db_binding; - continue; - } - di = calloc(1, sizeof(*di)); - di->realm = strdup(p); - p = krb5_config_get_string(context, db_binding, "dbname", NULL); - if(p) - di->dbname = strdup(p); - p = krb5_config_get_string(context, db_binding, "mkey_file", NULL); - if(p) - di->mkey_file = strdup(p); - *dt = di; - dt = &di->next; - } - if(default_binding) { - di = calloc(1, sizeof(*di)); - p = krb5_config_get_string(context, default_binding, "dbname", NULL); - if(p) { - di->dbname = strdup(p); - 
default_dbname = p; - } - p = krb5_config_get_string(context, default_binding, "mkey_file", NULL); - if(p) { - di->mkey_file = strdup(p); - default_mkey = p; - } - *dt = di; - dt = &di->next; - } else if(databases == NULL) { - /* if there are none specified, use some default */ - di = calloc(1, sizeof(*di)); - di->dbname = strdup(default_dbname); - di->mkey_file = strdup(default_mkey); - *dt = di; - dt = &di->next; - } - for(di = databases; di; di = di->next) { - if(di->dbname == NULL) - di->dbname = strdup(default_dbname); - if(di->mkey_file == NULL) { - p = strrchr(di->dbname, '.'); - if(p == NULL || strchr(p, '/') != NULL) - /* final pathname component does not contain a . */ - asprintf(&di->mkey_file, "%s.mkey", di->dbname); - else - /* the filename is something.else, replace .else with - .mkey */ - asprintf(&di->mkey_file, "%.*s.mkey", - (int)(p - di->dbname), di->dbname); - } - } -} - -static void -add_one_address (const char *str, int first) -{ - krb5_error_code ret; - krb5_addresses tmp; - - ret = krb5_parse_address (context, str, &tmp); - if (ret) - krb5_err (context, 1, ret, "parse_address `%s'", str); - if (first) - krb5_copy_addresses(context, &tmp, &explicit_addresses); - else - krb5_append_addresses(context, &explicit_addresses, &tmp); - krb5_free_addresses (context, &tmp); -} - -void -configure(int argc, char **argv) -{ - int optind = 0; - int e; - const char *p; - - while((e = getarg(args, num_args, argc, argv, &optind))) - warnx("error at argument `%s'", argv[optind]); - - if(help_flag) - usage (0); - - if (version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argc != 0) - usage(1); - - { - krb5_error_code ret; - char **files; - char *tmp; - if(config_file == NULL) - config_file = _PATH_KDC_CONF; - asprintf(&tmp, "%s:%s", config_file, krb5_config_file); - if(tmp == NULL) - krb5_errx(context, 1, "out of memory"); - - krb5_config_file = tmp; - - ret = krb5_get_default_config_files(&files); - if(ret) - 
krb5_err(context, 1, ret, "reading configuration files"); - ret = krb5_set_config_files(context, files); - krb5_free_config_files(files); - if(ret) - krb5_err(context, 1, ret, "reading configuration files"); - } - - get_dbinfo(); - - if(max_request_str){ - max_request = parse_bytes(max_request_str, NULL); - } - - if(max_request == 0){ - p = krb5_config_get_string (context, - NULL, - "kdc", - "max-request", - NULL); - if(p) - max_request = parse_bytes(p, NULL); - } - - if(require_preauth == -1) - require_preauth = krb5_config_get_bool(context, NULL, "kdc", - "require-preauth", NULL); - - if(port_str == NULL){ - p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL); - if (p != NULL) - port_str = strdup(p); - } - - explicit_addresses.len = 0; - - if (addresses_str.num_strings) { - int i; - - for (i = 0; i < addresses_str.num_strings; ++i) - add_one_address (addresses_str.strings[i], i == 0); - free_getarg_strings (&addresses_str); - } else { - char **foo = krb5_config_get_strings (context, NULL, - "kdc", "addresses", NULL); - - if (foo != NULL) { - add_one_address (*foo++, TRUE); - while (*foo) - add_one_address (*foo++, FALSE); - } - } - -#ifdef KRB4 - if(enable_v4 == -1) - enable_v4 = krb5_config_get_bool_default(context, NULL, TRUE, "kdc", - "enable-kerberos4", NULL); - if(enable_524 == -1) - enable_524 = krb5_config_get_bool_default(context, NULL, enable_v4, - "kdc", "enable-524", NULL); -#endif - - if(enable_http == -1) - enable_http = krb5_config_get_bool(context, NULL, "kdc", - "enable-http", NULL); - check_ticket_addresses = - krb5_config_get_bool_default(context, NULL, TRUE, "kdc", - "check-ticket-addresses", NULL); - allow_null_ticket_addresses = - krb5_config_get_bool_default(context, NULL, TRUE, "kdc", - "allow-null-ticket-addresses", NULL); - - allow_anonymous = - krb5_config_get_bool(context, NULL, "kdc", - "allow-anonymous", NULL); -#ifdef KRB4 - if(v4_realm == NULL){ - p = krb5_config_get_string (context, NULL, - "kdc", - "v4-realm", - NULL); 
- if(p) - v4_realm = strdup(p); - } - if (enable_kaserver == -1) - enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE, - "kdc", - "enable-kaserver", - NULL); -#endif - - encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, NULL, "kdc", - "encode_as_rep_as_tgs_rep", - NULL); - - kdc_warn_pwexpire = krb5_config_get_time (context, NULL, - "kdc", - "kdc_warn_pwexpire", - NULL); - -#ifdef HAVE_DAEMON - if(detach_from_console == -1) - detach_from_console = krb5_config_get_bool_default(context, NULL, - DETACH_IS_DEFAULT, - "kdc", - "detach", NULL); -#endif - kdc_openlog(); - if(max_request == 0) - max_request = 64 * 1024; - if(require_preauth == -1) - require_preauth = 1; - if (port_str == NULL) - port_str = "+"; -#ifdef KRB4 - if(v4_realm == NULL){ - v4_realm = malloc(40); /* REALM_SZ */ - krb_get_lrealm(v4_realm, 1); - } -#endif -} diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c deleted file mode 100644 index 54dff306a0f0..000000000000 --- a/crypto/heimdal/kdc/connect.c +++ /dev/null 
@@ -1,805 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kdc_locl.h" - -RCSID("$Id: connect.c,v 1.86.4.1 2002/10/21 16:05:17 joda Exp $"); - -/* - * a tuple describing on what to listen - */ - -struct port_desc{ - int family; - int type; - int port; -}; - -/* the current ones */ - -static struct port_desc *ports; -static int num_ports; - -/* - * add `family, port, protocol' to the list with duplicate suppresion. - */ - -static void -add_port(int family, int port, const char *protocol) -{ - int type; - int i; - - if(strcmp(protocol, "udp") == 0) - type = SOCK_DGRAM; - else if(strcmp(protocol, "tcp") == 0) - type = SOCK_STREAM; - else - return; - for(i = 0; i < num_ports; i++){ - if(ports[i].type == type - && ports[i].port == port - && ports[i].family == family) - return; - } - ports = realloc(ports, (num_ports + 1) * sizeof(*ports)); - if (ports == NULL) - krb5_err (context, 1, errno, "realloc"); - ports[num_ports].family = family; - ports[num_ports].type = type; - ports[num_ports].port = port; - num_ports++; -} - -/* - * add a triple but with service -> port lookup - * (this prints warnings for stuff that does not exist) - */ - -static void -add_port_service(int family, const char *service, int port, - const char *protocol) -{ - port = krb5_getportbyname (context, service, protocol, port); - add_port (family, port, protocol); -} - -/* - * add the port with service -> port lookup or string -> number - * (no warning is printed) - */ - -static void -add_port_string (int family, const char *port_str, const char *protocol) -{ - struct servent *sp; - int port; - - sp = roken_getservbyname (port_str, protocol); - if (sp != NULL) { - port = sp->s_port; - } else { - char *end; - - port = htons(strtol(port_str, &end, 0)); - if (end == port_str) - return; - } - add_port (family, port, protocol); -} - -/* - * add the standard collection of ports for `family' - */ - -static void -add_standard_ports (int family) -{ - add_port_service(family, "kerberos", 88, "udp"); - add_port_service(family, "kerberos", 88, "tcp"); - 
add_port_service(family, "kerberos-sec", 88, "udp"); - add_port_service(family, "kerberos-sec", 88, "tcp"); - if(enable_http) - add_port_service(family, "http", 80, "tcp"); -#ifdef KRB4 - if(enable_v4) { - add_port_service(family, "kerberos-iv", 750, "udp"); - add_port_service(family, "kerberos-iv", 750, "tcp"); - } - if(enable_524) { - add_port_service(family, "krb524", 4444, "udp"); - add_port_service(family, "krb524", 4444, "tcp"); - } - if (enable_kaserver) - add_port_service(family, "afs3-kaserver", 7004, "udp"); -#endif -} - -/* - * parse the set of space-delimited ports in `str' and add them. - * "+" => all the standard ones - * otherwise it's port|service[/protocol] - */ - -static void -parse_ports(const char *str) -{ - char *pos = NULL; - char *p; - char *str_copy = strdup (str); - - p = strtok_r(str_copy, " \t", &pos); - while(p != NULL) { - if(strcmp(p, "+") == 0) { -#ifdef HAVE_IPV6 - add_standard_ports(AF_INET6); -#endif - add_standard_ports(AF_INET); - } else { - char *q = strchr(p, '/'); - if(q){ - *q++ = 0; -#ifdef HAVE_IPV6 - add_port_string(AF_INET6, p, q); -#endif - add_port_string(AF_INET, p, q); - }else { -#ifdef HAVE_IPV6 - add_port_string(AF_INET6, p, "udp"); - add_port_string(AF_INET6, p, "tcp"); -#endif - add_port_string(AF_INET, p, "udp"); - add_port_string(AF_INET, p, "tcp"); - } - } - - p = strtok_r(NULL, " \t", &pos); - } - free (str_copy); -} - -/* - * every socket we listen on - */ - -struct descr { - int s; - int type; - unsigned char *buf; - size_t size; - size_t len; - time_t timeout; - struct sockaddr_storage __ss; - struct sockaddr *sa; - socklen_t sock_len; - char addr_string[128]; -}; - -static void -init_descr(struct descr *d) -{ - memset(d, 0, sizeof(*d)); - d->sa = (struct sockaddr *)&d->__ss; - d->s = -1; -} - -/* - * re-intialize all `n' ->sa in `d'. 
- */ - -static void -reinit_descrs (struct descr *d, int n) -{ - int i; - - for (i = 0; i < n; ++i) - d[i].sa = (struct sockaddr *)&d[i].__ss; -} - -/* - * Create the socket (family, type, port) in `d' - */ - -static void -init_socket(struct descr *d, krb5_address *a, int family, int type, int port) -{ - krb5_error_code ret; - struct sockaddr_storage __ss; - struct sockaddr *sa = (struct sockaddr *)&__ss; - int sa_size; - - init_descr (d); - - ret = krb5_addr2sockaddr (context, a, sa, &sa_size, port); - if (ret) { - krb5_warn(context, ret, "krb5_addr2sockaddr"); - close(d->s); - d->s = -1; - return; - } - - if (sa->sa_family != family) - return; - - d->s = socket(family, type, 0); - if(d->s < 0){ - krb5_warn(context, errno, "socket(%d, %d, 0)", family, type); - d->s = -1; - return; - } -#if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_REUSEADDR) - { - int one = 1; - setsockopt(d->s, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one)); - } -#endif - d->type = type; - - if(bind(d->s, sa, sa_size) < 0){ - char a_str[256]; - size_t len; - - krb5_print_address (a, a_str, sizeof(a_str), &len); - krb5_warn(context, errno, "bind %s/%d", a_str, ntohs(port)); - close(d->s); - d->s = -1; - return; - } - if(type == SOCK_STREAM && listen(d->s, SOMAXCONN) < 0){ - char a_str[256]; - size_t len; - - krb5_print_address (a, a_str, sizeof(a_str), &len); - krb5_warn(context, errno, "listen %s/%d", a_str, ntohs(port)); - close(d->s); - d->s = -1; - return; - } -} - -/* - * Allocate descriptors for all the sockets that we should listen on - * and return the number of them. 
- */ - -static int -init_sockets(struct descr **desc) -{ - krb5_error_code ret; - int i, j; - struct descr *d; - int num = 0; - krb5_addresses addresses; - - if (explicit_addresses.len) { - addresses = explicit_addresses; - } else { - ret = krb5_get_all_server_addrs (context, &addresses); - if (ret) - krb5_err (context, 1, ret, "krb5_get_all_server_addrs"); - } - parse_ports(port_str); - d = malloc(addresses.len * num_ports * sizeof(*d)); - if (d == NULL) - krb5_errx(context, 1, "malloc(%lu) failed", - (unsigned long)num_ports * sizeof(*d)); - - for (i = 0; i < num_ports; i++){ - for (j = 0; j < addresses.len; ++j) { - init_socket(&d[num], &addresses.val[j], - ports[i].family, ports[i].type, ports[i].port); - if(d[num].s != -1){ - char a_str[80]; - size_t len; - - krb5_print_address (&addresses.val[j], a_str, - sizeof(a_str), &len); - - kdc_log(5, "listening on %s port %u/%s", - a_str, - ntohs(ports[i].port), - (ports[i].type == SOCK_STREAM) ? "tcp" : "udp"); - /* XXX */ - num++; - } - } - } - krb5_free_addresses (context, &addresses); - d = realloc(d, num * sizeof(*d)); - if (d == NULL && num != 0) - krb5_errx(context, 1, "realloc(%lu) failed", - (unsigned long)num * sizeof(*d)); - reinit_descrs (d, num); - *desc = d; - return num; -} - -/* - * handle the request in `buf, len', from `addr' (or `from' as a string), - * sending a reply in `reply'. 
- */ - -static int -process_request(unsigned char *buf, - size_t len, - krb5_data *reply, - int *sendlength, - const char *from, - struct sockaddr *addr) -{ - KDC_REQ req; -#ifdef KRB4 - Ticket ticket; -#endif - krb5_error_code ret; - size_t i; - - gettimeofday(&now, NULL); - if(decode_AS_REQ(buf, len, &req, &i) == 0){ - ret = as_rep(&req, reply, from, addr); - free_AS_REQ(&req); - return ret; - }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){ - ret = tgs_rep(&req, reply, from, addr); - free_TGS_REQ(&req); - return ret; - } -#ifdef KRB4 - else if(maybe_version4(buf, len)){ - *sendlength = 0; /* elbitapmoc sdrawkcab XXX */ - do_version4(buf, len, reply, from, (struct sockaddr_in*)addr); - return 0; - }else if(decode_Ticket(buf, len, &ticket, &i) == 0){ - ret = do_524(&ticket, reply, from, addr); - free_Ticket(&ticket); - return ret; - } else if (enable_kaserver) { - ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr); - return ret; - } -#endif - - return -1; -} - -static void -addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len) -{ - krb5_address a; - if(krb5_sockaddr2address(context, addr, &a) == 0) { - if(krb5_print_address(&a, str, len, &len) == 0) { - krb5_free_address(context, &a); - return; - } - krb5_free_address(context, &a); - } - snprintf(str, len, "<family=%d>", addr->sa_family); -} - -/* - * Handle the request in `buf, len' to socket `d' - */ - -static void -do_request(void *buf, size_t len, int sendlength, - struct descr *d) -{ - krb5_error_code ret; - krb5_data reply; - - reply.length = 0; - ret = process_request(buf, len, &reply, &sendlength, - d->addr_string, d->sa); - if(reply.length){ - kdc_log(5, "sending %lu bytes to %s", (unsigned long)reply.length, - d->addr_string); - if(sendlength){ - unsigned char len[4]; - len[0] = (reply.length >> 24) & 0xff; - len[1] = (reply.length >> 16) & 0xff; - len[2] = (reply.length >> 8) & 0xff; - len[3] = reply.length & 0xff; - if(sendto(d->s, len, sizeof(len), 0, d->sa, 
d->sock_len) < 0) { - kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno)); - krb5_data_free(&reply); - return; - } - } - if(sendto(d->s, reply.data, reply.length, 0, d->sa, d->sock_len) < 0) { - kdc_log (0, "sendto(%s): %s", d->addr_string, strerror(errno)); - krb5_data_free(&reply); - return; - } - krb5_data_free(&reply); - } - if(ret) - kdc_log(0, "Failed processing %lu byte request from %s", - (unsigned long)len, d->addr_string); -} - -/* - * Handle incoming data to the UDP socket in `d' - */ - -static void -handle_udp(struct descr *d) -{ - unsigned char *buf; - int n; - - buf = malloc(max_request); - if(buf == NULL){ - kdc_log(0, "Failed to allocate %lu bytes", (unsigned long)max_request); - return; - } - - d->sock_len = sizeof(d->__ss); - n = recvfrom(d->s, buf, max_request, 0, d->sa, &d->sock_len); - if(n < 0) - krb5_warn(context, errno, "recvfrom"); - else { - addr_to_string (d->sa, d->sock_len, - d->addr_string, sizeof(d->addr_string)); - do_request(buf, n, 0, d); - } - free (buf); -} - -static void -clear_descr(struct descr *d) -{ - if(d->buf) - memset(d->buf, 0, d->size); - d->len = 0; - if(d->s != -1) - close(d->s); - d->s = -1; -} - - -/* remove HTTP %-quoting from buf */ -static int -de_http(char *buf) -{ - char *p, *q; - for(p = q = buf; *p; p++, q++) { - if(*p == '%' && isxdigit(p[1]) && isxdigit(p[2])) { - unsigned int x; - if(sscanf(p + 1, "%2x", &x) != 1) - return -1; - *q = x; - p += 2; - } else - *q = *p; - } - *q = '\0'; - return 0; -} - -#define TCP_TIMEOUT 4 - -/* - * accept a new TCP connection on `d[parent]' and store it in `d[child]' - */ - -static void -add_new_tcp (struct descr *d, int parent, int child) -{ - int s; - - if (child == -1) - return; - - d[child].sock_len = sizeof(d[child].__ss); - s = accept(d[parent].s, d[child].sa, &d[child].sock_len); - if(s < 0) { - krb5_warn(context, errno, "accept"); - return; - } - - if (s >= FD_SETSIZE) { - krb5_warnx(context, "socket FD too large"); - close (s); - return; - } - - 
d[child].s = s; - d[child].timeout = time(NULL) + TCP_TIMEOUT; - d[child].type = SOCK_STREAM; - addr_to_string (d[child].sa, d[child].sock_len, - d[child].addr_string, sizeof(d[child].addr_string)); -} - -/* - * Grow `d' to handle at least `n'. - * Return != 0 if fails - */ - -static int -grow_descr (struct descr *d, size_t n) -{ - if (d->size - d->len < n) { - unsigned char *tmp; - - d->size += max(1024, d->len + n); - if (d->size >= max_request) { - kdc_log(0, "Request exceeds max request size (%lu bytes).", - (unsigned long)d->size); - clear_descr(d); - return -1; - } - tmp = realloc (d->buf, d->size); - if (tmp == NULL) { - kdc_log(0, "Failed to re-allocate %lu bytes.", - (unsigned long)d->size); - clear_descr(d); - return -1; - } - d->buf = tmp; - } - return 0; -} - -/* - * Try to handle the TCP data at `d->buf, d->len'. - * Return -1 if failed, 0 if succesful, and 1 if data is complete. - */ - -static int -handle_vanilla_tcp (struct descr *d) -{ - krb5_storage *sp; - int32_t len; - - sp = krb5_storage_from_mem(d->buf, d->len); - if (sp == NULL) { - kdc_log (0, "krb5_storage_from_mem failed"); - return -1; - } - krb5_ret_int32(sp, &len); - krb5_storage_free(sp); - if(d->len - 4 >= len) { - memmove(d->buf, d->buf + 4, d->len - 4); - return 1; - } - return 0; -} - -/* - * Try to handle the TCP/HTTP data at `d->buf, d->len'. - * Return -1 if failed, 0 if succesful, and 1 if data is complete. 
- */ - -static int -handle_http_tcp (struct descr *d) -{ - char *s, *p, *t; - void *data; - char *proto; - int len; - - s = (char *)d->buf; - - p = strstr(s, "\r\n"); - if (p == NULL) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - return -1; - } - *p = 0; - - p = NULL; - t = strtok_r(s, " \t", &p); - if (t == NULL) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - return -1; - } - t = strtok_r(NULL, " \t", &p); - if(t == NULL) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - return -1; - } - data = malloc(strlen(t)); - if (data == NULL) { - kdc_log(0, "Failed to allocate %lu bytes", - (unsigned long)strlen(t)); - return -1; - } - if(*t == '/') - t++; - if(de_http(t) != 0) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - kdc_log(5, "Request: %s", t); - free(data); - return -1; - } - proto = strtok_r(NULL, " \t", &p); - if (proto == NULL) { - kdc_log(0, "Malformed HTTP request from %s", d->addr_string); - free(data); - return -1; - } - len = base64_decode(t, data); - if(len <= 0){ - const char *msg = - " 404 Not found\r\n" - "Server: Heimdal/" VERSION "\r\n" - "Cache-Control: no-cache\r\n" - "Pragma: no-cache\r\n" - "Content-type: text/html\r\n" - "Content-transfer-encoding: 8bit\r\n\r\n" - "<TITLE>404 Not found</TITLE>\r\n" - "<H1>404 Not found</H1>\r\n" - "That page doesn't exist, maybe you are looking for " - "<A HREF=\"http://www.pdc.kth.se/heimdal/\">Heimdal</A>?\r\n"; - write(d->s, proto, strlen(proto)); - write(d->s, msg, strlen(msg)); - kdc_log(0, "HTTP request from %s is non KDC request", d->addr_string); - kdc_log(5, "Request: %s", t); - free(data); - return -1; - } - { - const char *msg = - " 200 OK\r\n" - "Server: Heimdal/" VERSION "\r\n" - "Cache-Control: no-cache\r\n" - "Pragma: no-cache\r\n" - "Content-type: application/octet-stream\r\n" - "Content-transfer-encoding: binary\r\n\r\n"; - write(d->s, proto, strlen(proto)); - write(d->s, msg, strlen(msg)); - } - memcpy(d->buf, 
data, len); - d->len = len; - free(data); - return 1; -} - -/* - * Handle incoming data to the TCP socket in `d[index]' - */ - -static void -handle_tcp(struct descr *d, int index, int min_free) -{ - unsigned char buf[1024]; - int n; - int ret = 0; - - if (d[index].timeout == 0) { - add_new_tcp (d, index, min_free); - return; - } - - n = recvfrom(d[index].s, buf, sizeof(buf), 0, NULL, NULL); - if(n < 0){ - krb5_warn(context, errno, "recvfrom"); - return; - } - if (grow_descr (&d[index], n)) - return; - memcpy(d[index].buf + d[index].len, buf, n); - d[index].len += n; - if(d[index].len > 4 && d[index].buf[0] == 0) { - ret = handle_vanilla_tcp (&d[index]); - } else if(enable_http && - d[index].len >= 4 && - strncmp((char *)d[index].buf, "GET ", 4) == 0 && - strncmp((char *)d[index].buf + d[index].len - 4, - "\r\n\r\n", 4) == 0) { - ret = handle_http_tcp (&d[index]); - if (ret < 0) - clear_descr (d + index); - } else if (d[index].len > 4) { - kdc_log (0, "TCP data of strange type from %s", d[index].addr_string); - return; - } - if (ret < 0) - return; - else if (ret == 1) { - do_request(d[index].buf, d[index].len, 1, &d[index]); - clear_descr(d + index); - } -} - -void -loop(void) -{ - struct descr *d; - int ndescr; - - ndescr = init_sockets(&d); - if(ndescr <= 0) - krb5_errx(context, 1, "No sockets!"); - while(exit_flag == 0){ - struct timeval tmout; - fd_set fds; - int min_free = -1; - int max_fd = 0; - int i; - - FD_ZERO(&fds); - for(i = 0; i < ndescr; i++) { - if(d[i].s >= 0){ - if(d[i].type == SOCK_STREAM && - d[i].timeout && d[i].timeout < time(NULL)) { - kdc_log(1, "TCP-connection from %s expired after %lu bytes", - d[i].addr_string, (unsigned long)d[i].len); - clear_descr(&d[i]); - continue; - } - if(max_fd < d[i].s) - max_fd = d[i].s; - if (max_fd >= FD_SETSIZE) - krb5_errx(context, 1, "fd too large"); - FD_SET(d[i].s, &fds); - } else if(min_free < 0 || i < min_free) - min_free = i; - } - if(min_free == -1){ - struct descr *tmp; - tmp = realloc(d, (ndescr + 4) 
* sizeof(*d)); - if(tmp == NULL) - krb5_warnx(context, "No memory"); - else { - d = tmp; - reinit_descrs (d, ndescr); - memset(d + ndescr, 0, 4 * sizeof(*d)); - for(i = ndescr; i < ndescr + 4; i++) - init_descr (&d[i]); - min_free = ndescr; - ndescr += 4; - } - } - - tmout.tv_sec = TCP_TIMEOUT; - tmout.tv_usec = 0; - switch(select(max_fd + 1, &fds, 0, 0, &tmout)){ - case 0: - break; - case -1: - if (errno != EINTR) - krb5_warn(context, errno, "select"); - break; - default: - for(i = 0; i < ndescr; i++) - if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) { - if(d[i].type == SOCK_DGRAM) - handle_udp(&d[i]); - else if(d[i].type == SOCK_STREAM) - handle_tcp(d, i, min_free); - } - } - } - free (d); -} diff --git a/crypto/heimdal/kdc/headers.h b/crypto/heimdal/kdc/headers.h deleted file mode 100644 index 96db9248bebb..000000000000 --- a/crypto/heimdal/kdc/headers.h +++ /dev/null 
@@ -1,109 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* - * $Id: headers.h,v 1.15 2002/09/10 20:04:46 joda Exp $ - * $FreeBSD$ - */ - -#ifndef __HEADERS_H__ -#define __HEADERS_H__ - -#ifdef HAVE_CONFIG_H -#include <config.h> -#endif -#include <limits.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <errno.h> -#include <signal.h> -#include <stdarg.h> -#ifdef HAVE_SYS_TYPES_H -#include <sys/types.h> -#endif -#ifdef HAVE_FCNTL_H -#include <fcntl.h> -#endif -#ifdef HAVE_SYS_SELECT_H -#include <sys/select.h> -#endif -#ifdef HAVE_SYS_SOCKET_H -#include <sys/socket.h> -#endif -#ifdef HAVE_NETINET_IN_H -#include <netinet/in.h> -#endif -#ifdef HAVE_NETINET_IN6_H -#include <netinet/in6.h> -#endif -#ifdef HAVE_NETINET6_IN6_H -#include <netinet6/in6.h> -#endif -#ifdef HAVE_ARPA_INET_H -#include <arpa/inet.h> -#endif -#ifdef HAVE_NETDB_H -#include <netdb.h> -#endif -#ifdef HAVE_UTIL_H -#include <util.h> -#endif -#ifdef HAVE_LIBUTIL_H -#include <libutil.h> -#endif -#include <err.h> -#include <roken.h> -#include <getarg.h> -#include <base64.h> -#include <parse_units.h> -#include <krb5.h> -#include <krb5_locl.h> -#include <hdb.h> -#include <hdb_err.h> -#include <der.h> /* copy_octet_string */ - -#ifdef KRB4 -#include <krb.h> -#include <prot.h> -#define Principal Principal4 -#include <krb_db.h> -#endif - -#undef ALLOC -#define ALLOC(X) ((X) = malloc(sizeof(*(X)))) -#undef ALLOC_SEQ -#define ALLOC_SEQ(X, N) do { (X)->len = (N); \ -(X)->val = calloc((X)->len, sizeof(*(X)->val)); } while(0) - -#endif /* __HEADERS_H__ */ diff --git a/crypto/heimdal/kdc/hprop.8 b/crypto/heimdal/kdc/hprop.8 deleted file mode 100644 index f9b3ba71f718..000000000000 --- a/crypto/heimdal/kdc/hprop.8 +++ /dev/null 
@@ -1,170 +0,0 @@ -.\" $Id: hprop.8,v 1.16 2002/08/20 17:18:38 joda Exp $ -.\" -.Dd June 19, 2000 -.Dt HPROP 8 -.Os HEIMDAL -.Sh NAME -.Nm hprop -.Nd propagate the KDC database -.Sh SYNOPSIS -.Nm -.Oo Fl m Ar file \*(Ba Xo -.Fl -master-key= Ns Pa file -.Xc -.Oc -.Oo Fl d Ar file \*(Ba Xo -.Fl -database= Ns Pa file -.Xc -.Oc -.Op Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|krb4-db|kaserver -.Oo Fl r Ar string \*(Ba Xo -.Fl -v4-realm= Ns Ar string -.Xc -.Oc -.Oo Fl c Ar cell \*(Ba Xo -.Fl -cell= Ns Ar cell -.Xc -.Oc -.Op Fl S | Fl -kaspecials -.Oo Fl k Ar keytab \*(Ba Xo -.Fl -keytab= Ns Ar keytab -.Xc -.Oc -.Oo Fl R Ar string \*(Ba Xo -.Fl -v5-realm= Ns Ar string -.Xc -.Oc -.Op Fl D | Fl -decrypt -.Op Fl E | Fl -encrypt -.Op Fl n | Fl -stdout -.Op Fl v | Fl -verbose -.Op Fl -version -.Op Fl h | Fl -help -.Op Ar host Ns Op : Ns Ar port -.Ar ... -.Sh DESCRIPTION -.Nm -takes a principal database in a specified format and converts it into -a stream of Heimdal database records. This stream can either be -written to standard out, or (more commonly) be propagated to a -.Xr hpropd 8 -server running on a different machine. -.Pp -If propagating, it connects to all -.Ar hosts -specified on the command by opening a TCP connection to port 754 -(service hprop) and sends the database in encrypted form. -.Pp -Supported options: -.Bl -tag -width Ds -.It Xo -.Fl m Ar file , -.Fl -master-key= Ns Pa file -.Xc -Where to find the master key to encrypt or decrypt keys with. -.It Xo -.Fl d Ar file , -.Fl -database= Ns Pa file -.Xc -The database to be propagated. -.It Xo -.Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|krb4-db|kaserver -.Xc -Specifies the type of the source database. 
Alternatives include: -.Pp -.Bl -tag -width krb4-dump -compact -offset indent -.It heimdal -a Heimdal database -.It mit-dump -a MIT Kerberos 5 dump file -.It krb4-db -a Kerberos 4 database -.It krb4-dump -a Kerberos 4 dump file -.It kaserver -an AFS kaserver database -.El -.It Xo -.Fl k Ar keytab , -.Fl -keytab= Ns Ar keytab -.Xc -The keytab to use for fetching the key to be used for authenticating -to the propagation daemon(s). The key -.Pa kadmin/hprop -is used from this keytab. The default is to fetch the key from the -KDC database. -.It Xo -.Fl R Ar string , -.Fl -v5-realm= Ns Ar string -.Xc -Local realm override. -.It Xo -.Fl D , -.Fl -decrypt -.Xc -The encryption keys in the database can either be in clear, or -encrypted with a master key. This option transmits the database with -unencrypted keys. -.It Xo -.Fl E , -.Fl -encrypt -.Xc -This option transmits the database with encrypted keys. -.It Xo -.Fl n , -.Fl -stdout -.Xc -Dump the database on stdout, in a format that can be fed to hpropd. -.El -.Pp -The following options are only valid if -.Nm hprop -is compiled with support for Kerberos 4 (kaserver). -.Bl -tag -width Ds -.It Xo -.Fl r Ar string , -.Fl -v4-realm= Ns Ar string -.Xc -v4 realm to use -.It Xo -.Fl c Ar cell , -.Fl -cell= Ns Ar cell -.Xc -The AFS cell name, used if reading a kaserver database. -.It Xo -.Fl S , -.Fl -kaspecials -.Xc -Also dump the principals marked as special in the kaserver database. -.It Xo -.Fl 4 , -.Fl -v4-db -.Xc -Deprecated, identical to -.Sq --source=krb4-db . -.It Xo -.Fl K , -.Fl -ka-db -.Xc -Deprecated, identical to -.Sq --source=kaserver . 
-.El -.Sh EXAMPLES -The following will propagate a database to another machine (which -should run -.Xr hpropd 8): -.Bd -literal -offset indent -$ hprop slave-1 slave-2 -.Ed -.Pp -Copy a Kerberos 4 database to a Kerberos 5 slave: -.Bd -literal -offset indent -$ hprop --source=krb4-db -E krb5-slave -.Ed -.Pp -Convert a Kerberos 4 dump-file for use with a Heimdal KDC: -.Bd -literal -offset indent -$ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump --master-key=/.k | hpropd -n -.Ed -.Sh SEE ALSO -.Xr hpropd 8 diff --git a/crypto/heimdal/kdc/hprop.c b/crypto/heimdal/kdc/hprop.c deleted file mode 100644 index 3bc066fe1971..000000000000 --- a/crypto/heimdal/kdc/hprop.c +++ /dev/null 
@@ -1,868 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hprop.h"
-
-RCSID("$Id: hprop.c,v 1.70 2002/09/04 18:19:41 joda Exp $");
-
-static int version_flag;
-static int help_flag;
-static const char *ktname = HPROP_KEYTAB;
-static const char *database;
-static char *mkeyfile;
-static int to_stdout;
-static int verbose_flag;
-static int encrypt_flag;
-static int decrypt_flag;
-static hdb_master_key mkey5;
-
-static char *source_type;
-
-static char *afs_cell;
-static char *v4_realm;
-
-static int kaspecials_flag;
-static int ka_use_null_salt;
-
-static char *local_realm=NULL;
-
-static int
-open_socket(krb5_context context, const char *hostname, const char *port)
-{
- struct addrinfo *ai, *a;
- struct addrinfo hints;
- int error;
-
- memset (&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_protocol = IPPROTO_TCP;
-
- error = getaddrinfo (hostname, port, &hints, &ai);
- if (error) {
- warnx ("%s: %s", hostname, gai_strerror(error));
- return -1;
- }
-
- for (a = ai; a != NULL; a = a->ai_next) {
- int s;
-
- s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
- if (s < 0)
- continue;
- if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
- warn ("connect(%s)", hostname);
- close (s);
- continue;
- }
- freeaddrinfo (ai);
- return s;
- }
- warnx ("failed to contact %s", hostname);
- freeaddrinfo (ai);
- return -1;
-}
-
-krb5_error_code
-v5_prop(krb5_context context, HDB *db, hdb_entry *entry, void *appdata)
-{
- krb5_error_code ret;
- struct prop_data *pd = appdata;
- krb5_data data;
-
- if(encrypt_flag) {
- ret = hdb_seal_keys_mkey(context, entry, mkey5);
- if (ret) {
- krb5_warn(context, ret, "hdb_seal_keys_mkey");
- return ret;
- }
- }
- if(decrypt_flag) {
- ret = hdb_unseal_keys_mkey(context, entry, mkey5);
- if (ret) {
- krb5_warn(context, ret, "hdb_unseal_keys_mkey");
- return ret;
- }
- }
-
- ret = hdb_entry2value(context, entry, &data);
- if(ret) {
- krb5_warn(context, ret, "hdb_entry2value");
- return ret;
- }
-
- if(to_stdout)
- ret = krb5_write_message(context, 
&pd->sock, &data);
- else
- ret = krb5_write_priv_message(context, pd->auth_context,
- &pd->sock, &data);
- krb5_data_free(&data);
- return ret;
-}
-
-#ifdef KRB4
-
-static char realm_buf[REALM_SZ];
-
-static int
-kdb_prop(void *arg, Principal *p)
-{
- int ret;
- struct v4_principal pr;
-
- memset(&pr, 0, sizeof(pr));
-
- if(p->attributes != 0) {
- warnx("%s.%s has non-zero attributes - skipping",
- p->name, p->instance);
- return 0;
- }
- strlcpy(pr.name, p->name, sizeof(pr.name));
- strlcpy(pr.instance, p->instance, sizeof(pr.instance));
-
- copy_to_key(&p->key_low, &p->key_high, pr.key);
- pr.exp_date = p->exp_date;
- pr.mod_date = p->mod_date;
- strlcpy(pr.mod_name, p->mod_name, sizeof(pr.mod_name));
- strlcpy(pr.mod_instance, p->mod_instance, sizeof(pr.mod_instance));
- pr.max_life = p->max_life;
- pr.mkvno = p->kdc_key_ver;
- pr.kvno = p->key_version;
-
- ret = v4_prop(arg, &pr);
- memset(&pr, 0, sizeof(pr));
- return ret;
-}
-
-#endif /* KRB4 */
-
-#ifndef KRB4
-static time_t
-krb_life_to_time(time_t start, int life)
-{
- static int lifetimes[] = {
- 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318,
- 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684,
- 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720,
- 191077, 204289, 218415, 233517, 249664, 266926, 285383, 305116,
- 326213, 348769, 372885, 398668, 426234, 455705, 487215, 520904,
- 556921, 595430, 636601, 680618, 727680, 777995, 831789, 889303,
- 950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
- 1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
- };
-
-#if 0
- int i;
- double q = exp((log(2592000.0) - log(38400.0)) / 63);
- double x = 38400;
- for(i = 0; i < 64; i++) {
- lifetimes[i] = (int)x;
- x *= q;
- }
-#endif
-
- if(life == 0xff)
- return NEVERDATE;
- if(life < 0x80)
- return start + life * 5 * 60;
- if(life > 0xbf)
- life = 0xbf;
- return start + lifetimes[life - 0x80];
-}
-#endif /* !KRB4 */
-
-int
-v4_prop(void *arg, struct 
v4_principal *p)
-{
- struct prop_data *pd = arg;
- hdb_entry ent;
- krb5_error_code ret;
-
- memset(&ent, 0, sizeof(ent));
-
- ret = krb5_425_conv_principal(pd->context, p->name, p->instance, v4_realm,
- &ent.principal);
- if(ret) {
- krb5_warn(pd->context, ret,
- "krb5_425_conv_principal %s.%s@%s",
- p->name, p->instance, v4_realm);
- return 0;
- }
-
- if(verbose_flag) {
- char *s;
- krb5_unparse_name_short(pd->context, ent.principal, &s);
- krb5_warnx(pd->context, "%s.%s -> %s", p->name, p->instance, s);
- free(s);
- }
-
- ent.kvno = p->kvno;
- ent.keys.len = 3;
- ent.keys.val = malloc(ent.keys.len * sizeof(*ent.keys.val));
- if(p->mkvno != -1) {
- ent.keys.val[0].mkvno = malloc (sizeof(*ent.keys.val[0].mkvno));
- *(ent.keys.val[0].mkvno) = p->mkvno;
- } else
- ent.keys.val[0].mkvno = NULL;
- ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt));
- ent.keys.val[0].salt->type = KRB5_PADATA_PW_SALT;
- ent.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
- krb5_data_alloc(&ent.keys.val[0].key.keyvalue, sizeof(des_cblock));
- memcpy(ent.keys.val[0].key.keyvalue.data, p->key, 8);
-
- copy_Key(&ent.keys.val[0], &ent.keys.val[1]);
- ent.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
- copy_Key(&ent.keys.val[0], &ent.keys.val[2]);
- ent.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
-
- {
- int life = krb_life_to_time(0, p->max_life);
- if(life == NEVERDATE){
- ent.max_life = NULL;
- } else {
- /* clean up lifetime a bit */
- if(life > 86400)
- life = (life + 86399) / 86400 * 86400;
- else if(life > 3600)
- life = (life + 3599) / 3600 * 3600;
- ALLOC(ent.max_life);
- *ent.max_life = life;
- }
- }
-
- ALLOC(ent.valid_end);
- *ent.valid_end = p->exp_date;
-
- ret = krb5_make_principal(pd->context, &ent.created_by.principal,
- v4_realm,
- "kadmin",
- "hprop",
- NULL);
- if(ret){
- krb5_warn(pd->context, ret, "krb5_make_principal");
- ret = 0;
- goto out;
- }
- ent.created_by.time = time(NULL);
- ALLOC(ent.modified_by);
- ret = krb5_425_conv_principal(pd->context, 
p->mod_name, p->mod_instance,
- v4_realm, &ent.modified_by->principal);
- if(ret){
- krb5_warn(pd->context, ret, "%s.%s@%s", p->name, p->instance, v4_realm);
- ent.modified_by->principal = NULL;
- ret = 0;
- goto out;
- }
- ent.modified_by->time = p->mod_date;
-
- ent.flags.forwardable = 1;
- ent.flags.renewable = 1;
- ent.flags.proxiable = 1;
- ent.flags.postdate = 1;
- ent.flags.client = 1;
- ent.flags.server = 1;
-
- /* special case password changing service */
- if(strcmp(p->name, "changepw") == 0 &&
- strcmp(p->instance, "kerberos") == 0) {
- ent.flags.forwardable = 0;
- ent.flags.renewable = 0;
- ent.flags.proxiable = 0;
- ent.flags.postdate = 0;
- ent.flags.initial = 1;
- ent.flags.change_pw = 1;
- }
-
- ret = v5_prop(pd->context, NULL, &ent, pd);
-
- if (strcmp (p->name, "krbtgt") == 0
- && strcmp (v4_realm, p->instance) != 0) {
- krb5_free_principal (pd->context, ent.principal);
- ret = krb5_425_conv_principal (pd->context, p->name,
- v4_realm, p->instance,
- &ent.principal);
- if (ret == 0)
- ret = v5_prop (pd->context, NULL, &ent, pd);
- }
-
- out:
- hdb_free_entry(pd->context, &ent);
- return ret;
-}
-
-#include "kadb.h"
-
-/* read a `ka_entry' from `fd' at offset `pos' */
-static void
-read_block(krb5_context context, int fd, int32_t pos, void *buf, size_t len)
-{
- krb5_error_code ret;
-#ifdef HAVE_PREAD
- if((ret = pread(fd, buf, len, 64 + pos)) < 0)
- krb5_err(context, 1, errno, "pread(%u)", 64 + pos);
-#else
- if(lseek(fd, 64 + pos, SEEK_SET) == (off_t)-1)
- krb5_err(context, 1, errno, "lseek(%u)", 64 + pos);
- ret = read(fd, buf, len);
- if(ret < 0)
- krb5_err(context, 1, errno, "read(%lu)", (unsigned long)len);
-#endif
- if(ret != len)
- krb5_errx(context, 1, "read(%lu) = %u", (unsigned long)len, ret);
-}
-
-static int
-ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent)
-{
- int32_t flags = ntohl(ent->flags);
- krb5_error_code ret;
- hdb_entry hdb;
-
- if(!kaspecials_flag
- && (flags & KAFNORMAL) == 0) /* remove special entries */
- 
return 0;
- memset(&hdb, 0, sizeof(hdb));
- ret = krb5_425_conv_principal(pd->context, ent->name, ent->instance,
- v4_realm, &hdb.principal);
- if(ret) {
- krb5_warn(pd->context, ret,
- "krb5_425_conv_principal (%s.%s@%s)",
- ent->name, ent->instance, v4_realm);
- return 0;
- }
- hdb.kvno = ntohl(ent->kvno);
- hdb.keys.len = 3;
- hdb.keys.val = malloc(hdb.keys.len * sizeof(*hdb.keys.val));
- hdb.keys.val[0].mkvno = NULL;
- hdb.keys.val[0].salt = calloc(1, sizeof(*hdb.keys.val[0].salt));
- if (ka_use_null_salt) {
- hdb.keys.val[0].salt->type = hdb_pw_salt;
- hdb.keys.val[0].salt->salt.data = NULL;
- hdb.keys.val[0].salt->salt.length = 0;
- } else {
- hdb.keys.val[0].salt->type = hdb_afs3_salt;
- hdb.keys.val[0].salt->salt.data = strdup(afs_cell);
- hdb.keys.val[0].salt->salt.length = strlen(afs_cell);
- }
-
- hdb.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5;
- krb5_data_copy(&hdb.keys.val[0].key.keyvalue, ent->key, sizeof(ent->key));
- copy_Key(&hdb.keys.val[0], &hdb.keys.val[1]);
- hdb.keys.val[1].key.keytype = ETYPE_DES_CBC_MD4;
- copy_Key(&hdb.keys.val[0], &hdb.keys.val[2]);
- hdb.keys.val[2].key.keytype = ETYPE_DES_CBC_CRC;
-
- ALLOC(hdb.max_life);
- *hdb.max_life = ntohl(ent->max_life);
-
- if(ntohl(ent->valid_end) != NEVERDATE && ntohl(ent->valid_end) != -1){
- ALLOC(hdb.valid_end);
- *hdb.valid_end = ntohl(ent->valid_end);
- }
-
- if (ntohl(ent->pw_change) != NEVERDATE &&
- ent->pw_expire != 255 &&
- ent->pw_expire != 0) {
- ALLOC(hdb.pw_end);
- *hdb.pw_end = ntohl(ent->pw_change)
- + 24 * 60 * 60 * ent->pw_expire;
- }
-
- ret = krb5_make_principal(pd->context, &hdb.created_by.principal,
- v4_realm,
- "kadmin",
- "hprop",
- NULL);
- hdb.created_by.time = time(NULL);
-
- if(ent->mod_ptr){
- struct ka_entry mod;
- ALLOC(hdb.modified_by);
- read_block(pd->context, fd, ntohl(ent->mod_ptr), &mod, sizeof(mod));
-
- krb5_425_conv_principal(pd->context, mod.name, mod.instance, v4_realm,
- &hdb.modified_by->principal);
- hdb.modified_by->time = ntohl(ent->mod_time);
- 
memset(&mod, 0, sizeof(mod));
- }
-
- hdb.flags.forwardable = 1;
- hdb.flags.renewable = 1;
- hdb.flags.proxiable = 1;
- hdb.flags.postdate = 1;
- /* XXX - AFS 3.4a creates krbtgt.REALMOFCELL as NOTGS+NOSEAL */
- if (strcmp(ent->name, "krbtgt") == 0 &&
- (flags & (KAFNOTGS|KAFNOSEAL)) == (KAFNOTGS|KAFNOSEAL))
- flags &= ~(KAFNOTGS|KAFNOSEAL);
-
- hdb.flags.client = (flags & KAFNOTGS) == 0;
- hdb.flags.server = (flags & KAFNOSEAL) == 0;
-
- ret = v5_prop(pd->context, NULL, &hdb, pd);
- hdb_free_entry(pd->context, &hdb);
- return ret;
-}
-
-static int
-ka_dump(struct prop_data *pd, const char *file)
-{
- struct ka_header header;
- int i;
- int fd = open(file, O_RDONLY);
-
- if(fd < 0)
- krb5_err(pd->context, 1, errno, "open(%s)", file);
- read_block(pd->context, fd, 0, &header, sizeof(header));
- if(header.version1 != header.version2)
- krb5_errx(pd->context, 1, "Version mismatch in header: %ld/%ld",
- (long)ntohl(header.version1), (long)ntohl(header.version2));
- if(ntohl(header.version1) != 5)
- krb5_errx(pd->context, 1, "Unknown database version %ld (expected 5)",
- (long)ntohl(header.version1));
- for(i = 0; i < ntohl(header.hashsize); i++){
- int32_t pos = ntohl(header.hash[i]);
- while(pos){
- struct ka_entry ent;
- read_block(pd->context, fd, pos, &ent, sizeof(ent));
- ka_convert(pd, fd, &ent);
- pos = ntohl(ent.next);
- }
- }
- return 0;
-}
-
-
-
-struct getargs args[] = {
- { "master-key", 'm', arg_string, &mkeyfile, "v5 master key file", "file" },
- { "database", 'd', arg_string, &database, "database", "file" },
- { "source", 0, arg_string, &source_type, "type of database to read",
- "heimdal"
- "|mit-dump"
- "|krb4-dump"
-#ifdef KRB4
- "|krb4-db"
-#endif
- "|kaserver"
- },
-
- { "v4-realm", 'r', arg_string, &v4_realm, "v4 realm to use" },
- { "cell", 'c', arg_string, &afs_cell, "name of AFS cell" },
- { "kaspecials", 'S', arg_flag, &kaspecials_flag, "dump KASPECIAL keys"},
- { "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" 
},
- { "v5-realm", 'R', arg_string, &local_realm, "v5 realm to use" },
- { "decrypt", 'D', arg_flag, &decrypt_flag, "decrypt keys" },
- { "encrypt", 'E', arg_flag, &encrypt_flag, "encrypt keys" },
- { "stdout", 'n', arg_flag, &to_stdout, "dump to stdout" },
- { "verbose", 'v', arg_flag, &verbose_flag },
- { "version", 0, arg_flag, &version_flag },
- { "help", 'h', arg_flag, &help_flag }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(int ret)
-{
- arg_printusage (args, num_args, NULL, "[host[:port]] ...");
- exit (ret);
-}
-
-static void
-get_creds(krb5_context context, krb5_ccache *cache)
-{
- krb5_keytab keytab;
- krb5_principal client;
- krb5_error_code ret;
- krb5_get_init_creds_opt init_opts;
- krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP;
- krb5_creds creds;
-
- ret = krb5_kt_register(context, &hdb_kt_ops);
- if(ret) krb5_err(context, 1, ret, "krb5_kt_register");
-
- ret = krb5_kt_resolve(context, ktname, &keytab);
- if(ret) krb5_err(context, 1, ret, "krb5_kt_resolve");
-
- ret = krb5_make_principal(context, &client, NULL,
- "kadmin", HPROP_NAME, NULL);
- if(ret) krb5_err(context, 1, ret, "krb5_make_principal");
-
- krb5_get_init_creds_opt_init(&init_opts);
- krb5_get_init_creds_opt_set_preauth_list(&init_opts, &preauth, 1);
-
- ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, &init_opts);
- if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
-
- ret = krb5_kt_close(context, keytab);
- if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
-
- ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache);
- if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new");
-
- ret = krb5_cc_initialize(context, *cache, client);
- if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
-
- krb5_free_principal(context, client);
-
- ret = krb5_cc_store_cred(context, *cache, &creds);
- if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
-
- krb5_free_creds_contents(context, &creds);
-}
-
-enum hprop_source { 
- HPROP_HEIMDAL = 1,
- HPROP_KRB4_DB,
- HPROP_KRB4_DUMP,
- HPROP_KASERVER,
- HPROP_MIT_DUMP
-};
-
-#define IS_TYPE_V4(X) ((X) == HPROP_KRB4_DB || (X) == HPROP_KRB4_DUMP || (X) == HPROP_KASERVER)
-
-struct {
- int type;
- const char *name;
-} types[] = {
- { HPROP_HEIMDAL, "heimdal" },
- { HPROP_KRB4_DUMP, "krb4-dump" },
-#ifdef KRB4
- { HPROP_KRB4_DB, "krb4-db" },
-#endif
- { HPROP_KASERVER, "kaserver" },
- { HPROP_MIT_DUMP, "mit-dump" }
-};
-
-static int
-parse_source_type(const char *s)
-{
- int i;
- for(i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
- if(strstr(types[i].name, s) == types[i].name)
- return types[i].type;
- }
- return 0;
-}
-
-static void
-iterate (krb5_context context,
- const char *database,
- HDB *db,
- int type,
- struct prop_data *pd)
-{
- int ret;
-
- switch(type) {
- case HPROP_KRB4_DUMP:
- ret = v4_prop_dump(pd, database);
- break;
-#ifdef KRB4
- case HPROP_KRB4_DB:
- ret = kerb_db_iterate ((k_iter_proc_t)kdb_prop, pd);
- if(ret)
- krb5_errx(context, 1, "kerb_db_iterate: %s",
- krb_get_err_text(ret));
- break;
-#endif /* KRB4 */
- case HPROP_KASERVER:
- ret = ka_dump(pd, database);
- if(ret)
- krb5_err(context, 1, ret, "ka_dump");
- break;
- case HPROP_MIT_DUMP:
- ret = mit_prop_dump(pd, database);
- if (ret)
- krb5_errx(context, 1, "mit_prop_dump: %s",
- krb5_get_err_text(context, ret));
- break;
- case HPROP_HEIMDAL:
- ret = hdb_foreach(context, db, HDB_F_DECRYPT, v5_prop, pd);
- if(ret)
- krb5_err(context, 1, ret, "hdb_foreach");
- break;
- }
-}
-
-static int
-dump_database (krb5_context context, int type,
- const char *database, HDB *db)
-{
- krb5_error_code ret;
- struct prop_data pd;
- krb5_data data;
-
- pd.context = context;
- pd.auth_context = NULL;
- pd.sock = STDOUT_FILENO;
-
- iterate (context, database, db, type, &pd);
- krb5_data_zero (&data);
- ret = krb5_write_message (context, &pd.sock, &data);
- if (ret)
- krb5_err(context, 1, ret, "krb5_write_message");
-
- return 0;
-}
-
-static int
-propagate_database 
(krb5_context context, int type,
- const char *database,
- HDB *db, krb5_ccache ccache,
- int optind, int argc, char **argv)
-{
- krb5_principal server;
- krb5_error_code ret;
- int i;
-
- for(i = optind; i < argc; i++){
- krb5_auth_context auth_context;
- int fd;
- struct prop_data pd;
- krb5_data data;
-
- char *port, portstr[NI_MAXSERV];
-
- port = strchr(argv[i], ':');
- if(port == NULL) {
- snprintf(portstr, sizeof(portstr), "%u",
- ntohs(krb5_getportbyname (context, "hprop", "tcp",
- HPROP_PORT)));
- port = portstr;
- } else
- *port++ = '\0';
-
- fd = open_socket(context, argv[i], port);
- if(fd < 0) {
- krb5_warn (context, errno, "connect %s", argv[i]);
- continue;
- }
-
- ret = krb5_sname_to_principal(context, argv[i],
- HPROP_NAME, KRB5_NT_SRV_HST, &server);
- if(ret) {
- krb5_warn(context, ret, "krb5_sname_to_principal(%s)", argv[i]);
- close(fd);
- continue;
- }
-
- if (local_realm) {
- krb5_realm my_realm;
- krb5_get_default_realm(context,&my_realm);
-
- free (*krb5_princ_realm(context, server));
- krb5_princ_set_realm(context,server,&my_realm);
- }
-
- auth_context = NULL;
- ret = krb5_sendauth(context,
- &auth_context,
- &fd,
- HPROP_VERSION,
- NULL,
- server,
- AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
- NULL, /* in_data */
- NULL, /* in_creds */
- ccache,
- NULL,
- NULL,
- NULL);
-
- krb5_free_principal(context, server);
-
- if(ret) {
- krb5_warn(context, ret, "krb5_sendauth");
- close(fd);
- continue;
- }
-
- pd.context = context;
- pd.auth_context = auth_context;
- pd.sock = fd;
-
- iterate (context, database, db, type, &pd);
-
- krb5_data_zero (&data);
- ret = krb5_write_priv_message(context, auth_context, &fd, &data);
- if(ret)
- krb5_warn(context, ret, "krb5_write_priv_message");
-
- ret = krb5_read_priv_message(context, auth_context, &fd, &data);
- if(ret)
- krb5_warn(context, ret, "krb5_read_priv_message");
- else
- krb5_data_free (&data);
-
- krb5_auth_con_free(context, auth_context);
- close(fd);
- }
- return 0;
-}
-
-int
-main(int 
argc, char **argv)
-{
- krb5_error_code ret;
- krb5_context context;
- krb5_ccache ccache = NULL;
- HDB *db = NULL;
- int optind = 0;
-
- int type = 0;
-
- setprogname(argv[0]);
-
- if(getarg(args, num_args, argc, argv, &optind))
- usage(1);
-
- if(help_flag)
- usage(0);
-
- if(version_flag){
- print_version(NULL);
- exit(0);
- }
-
- ret = krb5_init_context(&context);
- if(ret)
- exit(1);
-
- if(local_realm)
- krb5_set_default_realm(context, local_realm);
-
- if(v4_realm == NULL) {
- ret = krb5_get_default_realm(context, &v4_realm);
- if(ret)
- krb5_err(context, 1, ret, "krb5_get_default_realm");
- }
-
- if(afs_cell == NULL) {
- afs_cell = strdup(v4_realm);
- if(afs_cell == NULL)
- krb5_errx(context, 1, "out of memory");
- strlwr(afs_cell);
- }
-
-
- if(encrypt_flag && decrypt_flag)
- krb5_errx(context, 1,
- "only one of `--encrypt' and `--decrypt' is meaningful");
-
- if(source_type != NULL) {
- if(type != 0)
- krb5_errx(context, 1, "more than one database type specified");
- type = parse_source_type(source_type);
- if(type == 0)
- krb5_errx(context, 1, "unknown source type `%s'", source_type);
- } else if(type == 0)
- type = HPROP_HEIMDAL;
-
- if(!to_stdout)
- get_creds(context, &ccache);
-
- if(decrypt_flag || encrypt_flag) {
- ret = hdb_read_master_key(context, mkeyfile, &mkey5);
- if(ret && ret != ENOENT)
- krb5_err(context, 1, ret, "hdb_read_master_key");
- if(ret)
- krb5_errx(context, 1, "No master key file found");
- }
-
-#ifdef KRB4
- if (IS_TYPE_V4(type)) {
- int e;
-
- if (v4_realm == NULL) {
- e = krb_get_lrealm(realm_buf, 1);
- if(e)
- krb5_errx(context, 1, "krb_get_lrealm: %s",
- krb_get_err_text(e));
- v4_realm = realm_buf;
- }
- }
-#endif
-
- switch(type) {
-#ifdef KRB4
- case HPROP_KRB4_DB:
- if (database == NULL)
- krb5_errx(context, 1, "no database specified");
- break;
-#endif
- case HPROP_KASERVER:
- if (database == NULL)
- database = DEFAULT_DATABASE;
- ka_use_null_salt = krb5_config_get_bool_default(context, NULL, FALSE,
- "hprop",
- 
"afs_uses_null_salt", - NULL); - - break; - case HPROP_KRB4_DUMP: - if (database == NULL) - krb5_errx(context, 1, "no dump file specified"); - - break; - case HPROP_MIT_DUMP: - if (database == NULL) - krb5_errx(context, 1, "no dump file specified"); - break; - case HPROP_HEIMDAL: - ret = hdb_create (context, &db, database); - if(ret) - krb5_err(context, 1, ret, "hdb_create: %s", database); - ret = db->open(context, db, O_RDONLY, 0); - if(ret) - krb5_err(context, 1, ret, "db->open"); - break; - default: - krb5_errx(context, 1, "unknown dump type `%d'", type); - break; - } - - if (to_stdout) - dump_database (context, type, database, db); - else - propagate_database (context, type, database, - db, ccache, optind, argc, argv); - - if(ccache != NULL) - krb5_cc_destroy(context, ccache); - - if(db != NULL) - (*db->destroy)(context, db); - - krb5_free_context(context); - return 0; -} diff --git a/crypto/heimdal/kdc/hprop.cat8 b/crypto/heimdal/kdc/hprop.cat8 deleted file mode 100644 index 0ac37e242053..000000000000 --- a/crypto/heimdal/kdc/hprop.cat8 +++ /dev/null 
@@ -1,98 +0,0 @@ -HPROP(8) NetBSD System Manager's Manual HPROP(8) - -NNAAMMEE - hhpprroopp - propagate the KDC database - -SSYYNNOOPPSSIISS - hhpprroopp [--mm _f_i_l_e | ----mmaasstteerr--kkeeyy==_f_i_l_e] [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] - [----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_a_s_e_r_v_e_r] [--rr _s_t_r_i_n_g | - ----vv44--rreeaallmm==_s_t_r_i_n_g] [--cc _c_e_l_l | ----cceellll==_c_e_l_l] [--SS | ----kkaassppeecciiaallss] [--kk _k_e_y_t_a_b - | ----kkeeyyttaabb==_k_e_y_t_a_b] [--RR _s_t_r_i_n_g | ----vv55--rreeaallmm==_s_t_r_i_n_g] [--DD | ----ddeeccrryypptt] [--EE | - ----eennccrryypptt] [--nn | ----ssttddoouutt] [--vv | ----vveerrbboossee] [----vveerrssiioonn] [--hh | ----hheellpp] - [_h_o_s_t[:_p_o_r_t]] _._._. - -DDEESSCCRRIIPPTTIIOONN - hhpprroopp takes a principal database in a specified format and converts it - into a stream of Heimdal database records. This stream can either be - written to standard out, or (more commonly) be propagated to a hpropd(8) - server running on a different machine. - - If propagating, it connects to all _h_o_s_t_s specified on the command by - opening a TCP connection to port 754 (service hprop) and sends the - database in encrypted form. - - Supported options: - - --mm _f_i_l_e, ----mmaasstteerr--kkeeyy==_f_i_l_e - Where to find the master key to encrypt or decrypt keys with. - - --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e - The database to be propagated. - - ----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_a_s_e_r_v_e_r - Specifies the type of the source database. Alternatives include: - - heimdal a Heimdal database - mit-dump a MIT Kerberos 5 dump file - krb4-db a Kerberos 4 database - krb4-dump a Kerberos 4 dump file - kaserver an AFS kaserver database - - --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b - The keytab to use for fetching the key to be used for authenti- - cating to the propagation daemon(s). 
The key _k_a_d_m_i_n_/_h_p_r_o_p is used - from this keytab. The default is to fetch the key from the KDC - database. - - --RR _s_t_r_i_n_g, ----vv55--rreeaallmm==_s_t_r_i_n_g - Local realm override. - - --DD, ----ddeeccrryypptt - The encryption keys in the database can either be in clear, or - encrypted with a master key. This option transmits the database - with unencrypted keys. - - --EE, ----eennccrryypptt - This option transmits the database with encrypted keys. - - --nn, ----ssttddoouutt - Dump the database on stdout, in a format that can be fed to - hpropd. - - The following options are only valid if hhpprroopp is compiled with support - for Kerberos 4 (kaserver). - - --rr _s_t_r_i_n_g, ----vv44--rreeaallmm==_s_t_r_i_n_g - v4 realm to use - - --cc _c_e_l_l, ----cceellll==_c_e_l_l - The AFS cell name, used if reading a kaserver database. - - --SS, ----kkaassppeecciiaallss - Also dump the principals marked as special in the kaserver - database. - - --44, ----vv44--ddbb - Deprecated, identical to `--source=krb4-db'. - - --KK, ----kkaa--ddbb - Deprecated, identical to `--source=kaserver'. - -EEXXAAMMPPLLEESS - The following will propagate a database to another machine (which should - run hpropd(8):) - - $ hprop slave-1 slave-2 - - Copy a Kerberos 4 database to a Kerberos 5 slave: - - $ hprop --source=krb4-db -E krb5-slave - - Convert a Kerberos 4 dump-file for use with a Heimdal KDC: - - $ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump --master-key=/.k | hpropd -n - -SSEEEE AALLSSOO - hpropd(8) - - HEIMDAL June 19, 2000 2 diff --git a/crypto/heimdal/kdc/hprop.h b/crypto/heimdal/kdc/hprop.h deleted file mode 100644 index 0bcab88b4fee..000000000000 --- a/crypto/heimdal/kdc/hprop.h +++ /dev/null 
@@ -1,75 +0,0 @@ -/* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: hprop.h,v 1.13 2001/01/26 15:54:19 joda Exp $ */ - -#ifndef __HPROP_H__ -#define __HPROP_H__ - -#include "headers.h" - -struct prop_data{ - krb5_context context; - krb5_auth_context auth_context; - int sock; -}; - -#define HPROP_VERSION "hprop-0.0" -#define HPROP_NAME "hprop" -#define HPROP_KEYTAB "HDB:" -#define HPROP_PORT 754 - -#ifndef NEVERDATE -#define NEVERDATE ((1U << 31) - 1) -#endif - -krb5_error_code v5_prop(krb5_context, HDB*, hdb_entry*, void*); -int mit_prop_dump(void*, const char*); - -struct v4_principal { - char name[64]; - char instance[64]; - des_cblock key; - int kvno; - int mkvno; - time_t exp_date; - time_t mod_date; - char mod_name[64]; - char mod_instance[64]; - int max_life; -}; - -int v4_prop(void*, struct v4_principal*); -int v4_prop_dump(void *arg, const char*); - -#endif /* __HPROP_H__ */ diff --git a/crypto/heimdal/kdc/hpropd.8 b/crypto/heimdal/kdc/hpropd.8 deleted file mode 100644 index 2fa63f123f38..000000000000 --- a/crypto/heimdal/kdc/hpropd.8 +++ /dev/null 
@@ -1,74 +0,0 @@ -.\" $Id: hpropd.8,v 1.9 2002/08/20 16:37:13 joda Exp $ -.\" -.Dd August 27, 1997 -.Dt HPROPD 8 -.Os HEIMDAL -.Sh NAME -.Nm hpropd -.Nd receive a propagated database -.Sh SYNOPSIS -.Nm -.Oo Fl d Ar file \*(Ba Xo -.Fl -database= Ns Ar file -.Xc -.Oc -.Op Fl n | Fl -stdin -.Op Fl -print -.Op Fl i | Fl -no-inetd -.Oo Fl k Ar keytab \*(Ba Xo -.Fl -keytab= Ns Ar keytab -.Xc -.Oc -.Op Fl 4 | Fl -v4dump -.Sh DESCRIPTION -.Nm -receives databases sent by -.Nm hprop . -and writes it as a local database. -.Pp -By default, -.Nm -expects to be started from -.Nm inetd -if stdin is a socket and expects to receive the dumped database over -stdin otherwise. -If the database is sent over the network, it is authenticated and -encrypted. -Only connections from -.Nm kadmin Ns / Ns Nm hprop -are accepted. -.Pp -Options supported: -.Bl -tag -width Ds -.It Xo -.Fl d Ar file , -.Fl -database= Ns Ar file -.Xc -database -.It Xo -.Fl n , -.Fl -stdin -.Xc -read from stdin -.It Xo -.Fl -print -.Xc -print dump to stdout -.It Xo -.Fl i , -.Fl -no-inetd -.Xc -Not started from inetd -.It Xo -.Fl k Ar keytab , -.Fl -keytab= Ns Ar keytab -.Xc -keytab to use for authentication -.It Xo -.Fl 4 , -.Fl -v4dump -.Xc -create v4 type DB -.El -.Sh SEE ALSO -.Xr hprop 8 diff --git a/crypto/heimdal/kdc/hpropd.c b/crypto/heimdal/kdc/hpropd.c deleted file mode 100644 index b36ca4d6d638..000000000000 --- a/crypto/heimdal/kdc/hpropd.c +++ /dev/null 
@@ -1,439 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "hprop.h" - -RCSID("$Id: hpropd.c,v 1.35 2002/04/18 10:18:50 joda Exp $"); - -#ifdef KRB4 -static des_cblock mkey4; -static des_key_schedule msched4; - -static char * -time2str(time_t t) -{ - static char buf[128]; - strftime(buf, sizeof(buf), "%Y%m%d%H%M", gmtime(&t)); - return buf; -} - -static int -dump_krb4(krb5_context context, hdb_entry *ent, int fd) -{ - char name[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - char buf[1024]; - char *p; - int i; - int ret; - char *princ_name; - Event *modifier; - krb5_realm *realms; - int cmp; - - ret = krb5_524_conv_principal(context, ent->principal, - name, instance, realm); - if (ret) { - krb5_unparse_name(context, ent->principal, &princ_name); - krb5_warn(context, ret, "%s", princ_name); - free(princ_name); - return -1; - } - - ret = krb5_get_default_realms (context, &realms); - if (ret) { - krb5_warn(context, ret, "krb5_get_default_realms"); - return -1; - } - - cmp = strcmp (realms[0], ent->principal->realm); - krb5_free_host_realm (context, realms); - if (cmp != 0) - return -1; - - snprintf (buf, sizeof(buf), "%s %s ", name, - (strlen(instance) != 0) ? 
instance : "*"); - - if (ent->max_life) { - asprintf(&p, "%d", krb_time_to_life(0, *ent->max_life)); - strcat(buf, p); - free(p); - } else - strcat(buf, "255"); - strcat(buf, " "); - - i = 0; - while (i < ent->keys.len && - ent->keys.val[i].key.keytype != KEYTYPE_DES) - ++i; - - if (i == ent->keys.len) { - krb5_warnx(context, "No DES key for %s.%s", name, instance); - return -1; - } - - if (ent->keys.val[i].mkvno) - asprintf(&p, "%d ", *ent->keys.val[i].mkvno); - else - asprintf(&p, "%d ", 1); - strcat(buf, p); - free(p); - - asprintf(&p, "%d ", ent->kvno); - strcat(buf, p); - free(p); - - asprintf(&p, "%d ", 0); /* Attributes are always 0*/ - strcat(buf, p); - free(p); - - { - u_int32_t *key = ent->keys.val[i].key.keyvalue.data; - kdb_encrypt_key((des_cblock*)key, (des_cblock*)key, - &mkey4, msched4, DES_ENCRYPT); - asprintf(&p, "%x %x ", (int)htonl(*key), (int)htonl(*(key+1))); - strcat(buf, p); - free(p); - } - - if (ent->valid_end == NULL) - strcat(buf, time2str(60*60*24*365*50)); /* no expiration */ - else - strcat(buf, time2str(*ent->valid_end)); - strcat(buf, " "); - - if (ent->modified_by == NULL) - modifier = &ent->created_by; - else - modifier = ent->modified_by; - - ret = krb5_524_conv_principal(context, modifier->principal, - name, instance, realm); - if (ret) { - krb5_unparse_name(context, modifier->principal, &princ_name); - krb5_warn(context, ret, "%s", princ_name); - free(princ_name); - return -1; - } - asprintf(&p, "%s %s %s\n", time2str(modifier->time), - (strlen(name) != 0) ? name : "*", - (strlen(instance) != 0) ? 
instance : "*"); - strcat(buf, p); - free(p); - - ret = write(fd, buf, strlen(buf)); - if (ret == -1) - krb5_warnx(context, "write"); - return 0; -} -#endif /* KRB4 */ - -static int inetd_flag = -1; -static int help_flag; -static int version_flag; -static int print_dump; -static const char *database = HDB_DEFAULT_DB; -static int from_stdin; -static char *local_realm; -#ifdef KRB4 -static int v4dump; -#endif -static char *ktname = NULL; - -struct getargs args[] = { - { "database", 'd', arg_string, &database, "database", "file" }, - { "stdin", 'n', arg_flag, &from_stdin, "read from stdin" }, - { "print", 0, arg_flag, &print_dump, "print dump to stdout" }, - { "inetd", 'i', arg_negative_flag, &inetd_flag, - "Not started from inetd" }, - { "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" }, - { "realm", 'r', arg_string, &local_realm, "realm to use" }, -#ifdef KRB4 - { "v4dump", '4', arg_flag, &v4dump, "create v4 type DB" }, -#endif - { "version", 0, arg_flag, &version_flag, NULL, NULL }, - { "help", 'h', arg_flag, &help_flag, NULL, NULL} -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int ret) -{ - arg_printusage (args, num_args, NULL, ""); - exit (ret); -} - -int -main(int argc, char **argv) -{ - krb5_error_code ret; - krb5_context context; - krb5_auth_context ac = NULL; - krb5_principal c1, c2; - krb5_authenticator authent; - krb5_keytab keytab; - int fd; - HDB *db; - int optind = 0; - char *tmp_db; - krb5_log_facility *fac; - int nprincs; -#ifdef KRB4 - int e; - int fd_out = -1; -#endif - - setprogname(argv[0]); - - ret = krb5_init_context(&context); - if(ret) - exit(1); - - ret = krb5_openlog(context, "hpropd", &fac); - if(ret) - ; - krb5_set_warn_dest(context, fac); - - if(getarg(args, num_args, argc, argv, &optind)) - usage(1); - -#ifdef KRB4 - if (v4dump && database == HDB_DEFAULT_DB) - database = "/var/kerberos/524_dump"; -#endif /* KRB4 */ - - if(local_realm != NULL) - 
krb5_set_default_realm(context, local_realm); - - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argc != 0) - usage(1); - - if(from_stdin) - fd = STDIN_FILENO; - else { - struct sockaddr_storage ss; - struct sockaddr *sa = (struct sockaddr *)&ss; - socklen_t sin_len = sizeof(ss); - char addr_name[256]; - krb5_ticket *ticket; - char *server; - - fd = STDIN_FILENO; - if (inetd_flag == -1) { - if (getpeername (fd, sa, &sin_len) < 0) - inetd_flag = 0; - else - inetd_flag = 1; - } - if (!inetd_flag) { - mini_inetd (krb5_getportbyname (context, "hprop", "tcp", - HPROP_PORT)); - } - sin_len = sizeof(ss); - if(getpeername(fd, sa, &sin_len) < 0) - krb5_err(context, 1, errno, "getpeername"); - - if (inet_ntop(sa->sa_family, - socket_get_address (sa), - addr_name, - sizeof(addr_name)) == NULL) - strlcpy (addr_name, "unknown address", - sizeof(addr_name)); - - krb5_log(context, fac, 0, "Connection from %s", addr_name); - - ret = krb5_kt_register(context, &hdb_kt_ops); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_register"); - - if (ktname != NULL) { - ret = krb5_kt_resolve(context, ktname, &keytab); - if (ret) - krb5_err (context, 1, ret, "krb5_kt_resolve %s", ktname); - } else { - ret = krb5_kt_default (context, &keytab); - if (ret) - krb5_err (context, 1, ret, "krb5_kt_default"); - } - - ret = krb5_recvauth(context, &ac, &fd, HPROP_VERSION, NULL, - 0, keytab, &ticket); - if(ret) - krb5_err(context, 1, ret, "krb5_recvauth"); - - ret = krb5_unparse_name(context, ticket->server, &server); - if (ret) - krb5_err(context, 1, ret, "krb5_unparse_name"); - if (strncmp(server, "hprop/", 5) != 0) - krb5_errx(context, 1, "ticket not for hprop (%s)", server); - - free(server); - krb5_free_ticket (context, ticket); - - ret = krb5_auth_con_getauthenticator(context, ac, &authent); - if(ret) - krb5_err(context, 1, ret, "krb5_auth_con_getauthenticator"); - - ret = krb5_make_principal(context, &c1, NULL, 
"kadmin", "hprop", NULL); - if(ret) - krb5_err(context, 1, ret, "krb5_make_principal"); - principalname2krb5_principal(&c2, authent->cname, authent->crealm); - if(!krb5_principal_compare(context, c1, c2)) { - char *s; - krb5_unparse_name(context, c2, &s); - krb5_errx(context, 1, "Unauthorized connection from %s", s); - } - krb5_free_principal(context, c1); - krb5_free_principal(context, c2); - - ret = krb5_kt_close(context, keytab); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_close"); - } - - if(!print_dump) { - asprintf(&tmp_db, "%s~", database); -#ifdef KRB4 - if (v4dump) { - fd_out = open(tmp_db, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (fd_out == -1) - krb5_errx(context, 1, "%s", strerror(errno)); - } - else -#endif /* KRB4 */ - { - ret = hdb_create(context, &db, tmp_db); - if(ret) - krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db); - ret = db->open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600); - if(ret) - krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db); - } - } - -#ifdef KRB4 - if (v4dump) { - e = kdb_get_master_key(0, &mkey4, msched4); - if(e) - krb5_errx(context, 1, "kdb_get_master_key: %s", - krb_get_err_text(e)); - } -#endif /* KRB4 */ - - nprincs = 0; - while(1){ - krb5_data data; - hdb_entry entry; - - if(from_stdin) { - ret = krb5_read_message(context, &fd, &data); - if(ret != 0 && ret != HEIM_ERR_EOF) - krb5_err(context, 1, ret, "krb5_read_message"); - } else { - ret = krb5_read_priv_message(context, ac, &fd, &data); - if(ret) - krb5_err(context, 1, ret, "krb5_read_priv_message"); - } - - if(ret == HEIM_ERR_EOF || data.length == 0) { - if(!from_stdin) { - data.data = NULL; - data.length = 0; - krb5_write_priv_message(context, ac, &fd, &data); - } - if(!print_dump) { -#ifdef KRB4 - if (v4dump) { - ret = rename(tmp_db, database); - if (ret) - krb5_errx(context, 1, "rename"); - ret = close(fd_out); - if (ret) - krb5_errx(context, 1, "close"); - } else -#endif /* KRB4 */ - { - ret = db->rename(context, db, database); - if(ret) - 
krb5_err(context, 1, ret, "db_rename"); - ret = db->close(context, db); - if(ret) - krb5_err(context, 1, ret, "db_close"); - } - } - break; - } - ret = hdb_value2entry(context, &data, &entry); - if(ret) - krb5_err(context, 1, ret, "hdb_value2entry"); - if(print_dump) - hdb_print_entry(context, db, &entry, stdout); - else { -#ifdef KRB4 - if (v4dump) { - ret = dump_krb4(context, &entry, fd_out); - if(!ret) nprincs++; - } - else -#endif /* KRB4 */ - { - ret = db->store(context, db, 0, &entry); - if(ret == HDB_ERR_EXISTS) { - char *s; - krb5_unparse_name(context, entry.principal, &s); - krb5_warnx(context, "Entry exists: %s", s); - free(s); - } else if(ret) - krb5_err(context, 1, ret, "db_store"); - else - nprincs++; - } - } - hdb_free_entry(context, &entry); - } - if (!print_dump) - krb5_log(context, fac, 0, "Received %d principals", nprincs); - exit(0); -} diff --git a/crypto/heimdal/kdc/hpropd.cat8 b/crypto/heimdal/kdc/hpropd.cat8 deleted file mode 100644 index e72b4da337a3..000000000000 --- a/crypto/heimdal/kdc/hpropd.cat8 +++ /dev/null 
@@ -1,42 +0,0 @@ -HPROPD(8) NetBSD System Manager's Manual HPROPD(8) - -NNAAMMEE - hhpprrooppdd - receive a propagated database - -SSYYNNOOPPSSIISS - hhpprrooppdd [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] [--nn | ----ssttddiinn] [----pprriinntt] [--ii | - ----nnoo--iinneettdd] [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--44 | ----vv44dduummpp] - -DDEESSCCRRIIPPTTIIOONN - hhpprrooppdd receives databases sent by hhpprroopp. and writes it as a local - database. - - By default, hhpprrooppdd expects to be started from iinneettdd if stdin is a socket - and expects to receive the dumped database over stdin otherwise. If the - database is sent over the network, it is authenticated and encrypted. - Only connections from kkaaddmmiinn/hhpprroopp are accepted. - - Options supported: - - --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e - database - - --nn, ----ssttddiinn - read from stdin - - ----pprriinntt - print dump to stdout - - --ii, ----nnoo--iinneettdd - Not started from inetd - - --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b - keytab to use for authentication - - --44, ----vv44dduummpp - create v4 type DB - -SSEEEE AALLSSOO - hprop(8) - - HEIMDAL August 27, 1997 1 diff --git a/crypto/heimdal/kdc/kadb.h b/crypto/heimdal/kdc/kadb.h deleted file mode 100644 index 5c98ccc77a24..000000000000 --- a/crypto/heimdal/kdc/kadb.h +++ /dev/null 
@@ -1,84 +0,0 @@ -/* - * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* $Id: kadb.h,v 1.3 2000/03/03 12:36:26 assar Exp $ */ - -#ifndef __kadb_h__ -#define __kadb_h__ - -#define HASHSIZE 8191 - -struct ka_header { - int32_t version1; /* file format version, should - match version2 */ - int32_t size; - int32_t free_ptr; - int32_t eof_ptr; - int32_t kvno_ptr; - int32_t stats[8]; - int32_t admin_accounts; - int32_t special_keys_version; - int32_t hashsize; /* allocated size of hash */ - int32_t hash[HASHSIZE]; - int32_t version2; -}; - -struct ka_entry { - int32_t flags; /* see below */ - int32_t next; /* next in hash list */ - int32_t valid_end; /* expiration date */ - int32_t mod_time; /* time last modified */ - int32_t mod_ptr; /* pointer to modifier */ - int32_t pw_change; /* last pw change */ - int32_t max_life; /* max ticket life */ - int32_t kvno; - int32_t foo2[2]; /* huh? */ - char name[64]; - char instance[64]; - char key[8]; - u_char pw_expire; /* # days before password expires */ - u_char spare; - u_char attempts; - u_char locktime; -}; - -#define KAFNORMAL (1<<0) -#define KAFADMIN (1<<2) /* an administrator */ -#define KAFNOTGS (1<<3) /* ! allow principal to get or use TGT */ -#define KAFNOSEAL (1<<5) /* ! allow principal as server in GetTicket */ -#define KAFNOCPW (1<<6) /* ! allow principal to change its own key */ -#define KAFSPECIAL (1<<8) /* set if special AuthServer principal */ - -#define DEFAULT_DATABASE "/usr/afs/db/kaserver.DB0" - -#endif /* __kadb_h__ */ diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c deleted file mode 100644 index 7eeff8a02e68..000000000000 --- a/crypto/heimdal/kdc/kaserver.c +++ /dev/null 
@@ -1,830 +0,0 @@ -/* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kdc_locl.h" - -RCSID("$Id: kaserver.c,v 1.20.2.1 2002/10/21 14:30:51 joda Exp $"); - - -#include <rx.h> - -#define KA_AUTHENTICATION_SERVICE 731 -#define KA_TICKET_GRANTING_SERVICE 732 -#define KA_MAINTENANCE_SERVICE 733 - -#define AUTHENTICATE_OLD 1 -#define CHANGEPASSWORD 2 -#define GETTICKET_OLD 3 -#define SETPASSWORD 4 -#define SETFIELDS 5 -#define CREATEUSER 6 -#define DELETEUSER 7 -#define GETENTRY 8 -#define LISTENTRY 9 -#define GETSTATS 10 -#define DEBUG 11 -#define GETPASSWORD 12 -#define GETRANDOMKEY 13 -#define AUTHENTICATE 21 -#define AUTHENTICATE_V2 22 -#define GETTICKET 23 - -/* XXX - Where do we get these? */ - -#define RXGEN_OPCODE (-455) - -#define KADATABASEINCONSISTENT (180480L) -#define KAEXIST (180481L) -#define KAIO (180482L) -#define KACREATEFAIL (180483L) -#define KANOENT (180484L) -#define KAEMPTY (180485L) -#define KABADNAME (180486L) -#define KABADINDEX (180487L) -#define KANOAUTH (180488L) -#define KAANSWERTOOLONG (180489L) -#define KABADREQUEST (180490L) -#define KAOLDINTERFACE (180491L) -#define KABADARGUMENT (180492L) -#define KABADCMD (180493L) -#define KANOKEYS (180494L) -#define KAREADPW (180495L) -#define KABADKEY (180496L) -#define KAUBIKINIT (180497L) -#define KAUBIKCALL (180498L) -#define KABADPROTOCOL (180499L) -#define KANOCELLS (180500L) -#define KANOCELL (180501L) -#define KATOOMANYUBIKS (180502L) -#define KATOOMANYKEYS (180503L) -#define KABADTICKET (180504L) -#define KAUNKNOWNKEY (180505L) -#define KAKEYCACHEINVALID (180506L) -#define KABADSERVER (180507L) -#define KABADUSER (180508L) -#define KABADCPW (180509L) -#define KABADCREATE (180510L) -#define KANOTICKET (180511L) -#define KAASSOCUSER (180512L) -#define KANOTSPECIAL (180513L) -#define KACLOCKSKEW (180514L) -#define KANORECURSE (180515L) -#define KARXFAIL (180516L) -#define KANULLPASSWORD (180517L) -#define KAINTERNALERROR (180518L) -#define KAPWEXPIRED (180519L) -#define KAREUSED (180520L) -#define KATOOSOON (180521L) -#define KALOCKED (180522L) 
- -static void -decode_rx_header (krb5_storage *sp, - struct rx_header *h) -{ - krb5_ret_int32(sp, &h->epoch); - krb5_ret_int32(sp, &h->connid); - krb5_ret_int32(sp, &h->callid); - krb5_ret_int32(sp, &h->seqno); - krb5_ret_int32(sp, &h->serialno); - krb5_ret_int8(sp, &h->type); - krb5_ret_int8(sp, &h->flags); - krb5_ret_int8(sp, &h->status); - krb5_ret_int8(sp, &h->secindex); - krb5_ret_int16(sp, &h->reserved); - krb5_ret_int16(sp, &h->serviceid); -} - -static void -encode_rx_header (struct rx_header *h, - krb5_storage *sp) -{ - krb5_store_int32(sp, h->epoch); - krb5_store_int32(sp, h->connid); - krb5_store_int32(sp, h->callid); - krb5_store_int32(sp, h->seqno); - krb5_store_int32(sp, h->serialno); - krb5_store_int8(sp, h->type); - krb5_store_int8(sp, h->flags); - krb5_store_int8(sp, h->status); - krb5_store_int8(sp, h->secindex); - krb5_store_int16(sp, h->reserved); - krb5_store_int16(sp, h->serviceid); -} - -static void -init_reply_header (struct rx_header *hdr, - struct rx_header *reply_hdr, - u_char type, - u_char flags) -{ - reply_hdr->epoch = hdr->epoch; - reply_hdr->connid = hdr->connid; - reply_hdr->callid = hdr->callid; - reply_hdr->seqno = 1; - reply_hdr->serialno = 1; - reply_hdr->type = type; - reply_hdr->flags = flags; - reply_hdr->status = 0; - reply_hdr->secindex = 0; - reply_hdr->reserved = 0; - reply_hdr->serviceid = hdr->serviceid; -} - -static void -make_error_reply (struct rx_header *hdr, - u_int32_t ret, - krb5_data *reply) - -{ - krb5_storage *sp; - struct rx_header reply_hdr; - - init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST); - sp = krb5_storage_emem(); - encode_rx_header (&reply_hdr, sp); - krb5_store_int32(sp, ret); - krb5_storage_to_data (sp, reply); - krb5_storage_free (sp); -} - -static krb5_error_code -krb5_ret_xdr_data(krb5_storage *sp, - krb5_data *data) -{ - int ret; - int size; - ret = krb5_ret_int32(sp, &size); - if(ret) - return ret; - if(size < 0) - return ERANGE; - data->length = size; - if (size) { - u_char foo[4]; - 
size_t pad = (4 - size % 4) % 4; - - data->data = malloc(size); - if (data->data == NULL) - return ENOMEM; - ret = krb5_storage_read(sp, data->data, size); - if(ret != size) - return (ret < 0)? errno : KRB5_CC_END; - if (pad) { - ret = krb5_storage_read(sp, foo, pad); - if (ret != pad) - return (ret < 0)? errno : KRB5_CC_END; - } - } else - data->data = NULL; - return 0; -} - -static krb5_error_code -krb5_store_xdr_data(krb5_storage *sp, - krb5_data data) -{ - u_char zero[4] = {0, 0, 0, 0}; - int ret; - size_t pad; - - ret = krb5_store_int32(sp, data.length); - if(ret < 0) - return ret; - ret = krb5_storage_write(sp, data.data, data.length); - if(ret != data.length){ - if(ret < 0) - return errno; - return KRB5_CC_END; - } - pad = (4 - data.length % 4) % 4; - if (pad) { - ret = krb5_storage_write(sp, zero, pad); - if (ret != pad) { - if (ret < 0) - return errno; - return KRB5_CC_END; - } - } - return 0; -} - - -static krb5_error_code -create_reply_ticket (struct rx_header *hdr, - Key *skey, - char *name, char *instance, char *realm, - struct sockaddr_in *addr, - int life, - int kvno, - int32_t max_seq_len, - const char *sname, const char *sinstance, - u_int32_t challenge, - const char *label, - des_cblock *key, - krb5_data *reply) -{ - KTEXT_ST ticket; - des_cblock session; - krb5_storage *sp; - krb5_data enc_data; - des_key_schedule schedule; - struct rx_header reply_hdr; - des_cblock zero; - size_t pad; - unsigned fyrtiosjuelva; - - /* create the ticket */ - - des_new_random_key(&session); - - krb_create_ticket (&ticket, 0, name, instance, realm, - addr->sin_addr.s_addr, - &session, life, kdc_time, - sname, sinstance, skey->key.keyvalue.data); - - /* create the encrypted part of the reply */ - sp = krb5_storage_emem (); - krb5_generate_random_block(&fyrtiosjuelva, sizeof(fyrtiosjuelva)); - fyrtiosjuelva &= 0xffffffff; - krb5_store_int32 (sp, fyrtiosjuelva); - krb5_store_int32 (sp, challenge); - krb5_storage_write (sp, session, 8); - memset (&session, 0, 
sizeof(session)); - krb5_store_int32 (sp, kdc_time); - krb5_store_int32 (sp, kdc_time + krb_life_to_time (0, life)); - krb5_store_int32 (sp, kvno); - krb5_store_int32 (sp, ticket.length); - krb5_store_stringz (sp, name); - krb5_store_stringz (sp, instance); -#if 1 /* XXX - Why shouldn't the realm go here? */ - krb5_store_stringz (sp, ""); -#else - krb5_store_stringz (sp, realm); -#endif - krb5_store_stringz (sp, sname); - krb5_store_stringz (sp, sinstance); - krb5_storage_write (sp, ticket.dat, ticket.length); - krb5_storage_write (sp, label, strlen(label)); - - /* pad to DES block */ - memset (zero, 0, sizeof(zero)); - pad = (8 - krb5_storage_seek (sp, 0, SEEK_CUR) % 8) % 8; - krb5_storage_write (sp, zero, pad); - - krb5_storage_to_data (sp, &enc_data); - krb5_storage_free (sp); - - if (enc_data.length > max_seq_len) { - krb5_data_free (&enc_data); - make_error_reply (hdr, KAANSWERTOOLONG, reply); - return 0; - } - - /* encrypt it */ - des_set_key (key, schedule); - des_pcbc_encrypt (enc_data.data, - enc_data.data, - enc_data.length, - schedule, - key, - DES_ENCRYPT); - memset (&schedule, 0, sizeof(schedule)); - - /* create the reply packet */ - init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST); - sp = krb5_storage_emem (); - encode_rx_header (&reply_hdr, sp); - krb5_store_int32 (sp, max_seq_len); - krb5_store_xdr_data (sp, enc_data); - krb5_data_free (&enc_data); - krb5_storage_to_data (sp, reply); - krb5_storage_free (sp); - return 0; -} - -static krb5_error_code -unparse_auth_args (krb5_storage *sp, - char **name, - char **instance, - time_t *start_time, - time_t *end_time, - krb5_data *request, - int32_t *max_seq_len) -{ - krb5_data data; - int32_t tmp; - - krb5_ret_xdr_data (sp, &data); - *name = malloc(data.length + 1); - if (*name == NULL) - return ENOMEM; - memcpy (*name, data.data, data.length); - (*name)[data.length] = '\0'; - krb5_data_free (&data); - - krb5_ret_xdr_data (sp, &data); - *instance = malloc(data.length + 1); - if (*instance == NULL) { 
- free (*name);
- return ENOMEM;
- }
- memcpy (*instance, data.data, data.length);
- (*instance)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_int32 (sp, &tmp);
- *start_time = tmp;
- krb5_ret_int32 (sp, &tmp);
- *end_time = tmp;
- krb5_ret_xdr_data (sp, request);
- krb5_ret_int32 (sp, max_seq_len);
- /* ignore the rest */
- return 0;
-}
-
-static void
-do_authenticate (struct rx_header *hdr,
- krb5_storage *sp,
- struct sockaddr_in *addr,
- krb5_data *reply)
-{
- krb5_error_code ret;
- char *name = NULL;
- char *instance = NULL;
- time_t start_time;
- time_t end_time;
- krb5_data request;
- int32_t max_seq_len;
- hdb_entry *client_entry = NULL;
- hdb_entry *server_entry = NULL;
- Key *ckey = NULL;
- Key *skey = NULL;
- des_cblock key;
- des_key_schedule schedule;
- krb5_storage *reply_sp;
- time_t max_life;
- u_int8_t life;
- int32_t chal;
- char client_name[256];
- char server_name[256];
-
- krb5_data_zero (&request);
-
- unparse_auth_args (sp, &name, &instance, &start_time, &end_time,
- &request, &max_seq_len);
-
- snprintf (client_name, sizeof(client_name), "%s.%s@%s",
- name, instance, v4_realm);
-
- ret = db_fetch4 (name, instance, v4_realm, &client_entry);
- if (ret) {
- kdc_log(0, "Client not found in database: %s: %s",
- client_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- snprintf (server_name, sizeof(server_name), "%s.%s@%s",
- "krbtgt", v4_realm, v4_realm);
-
- ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &server_entry);
- if (ret) {
- kdc_log(0, "Server not found in database: %s: %s",
- server_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- ret = check_flags (client_entry, client_name,
- server_entry, server_name,
- TRUE);
- if (ret) {
- make_error_reply (hdr, KAPWEXPIRED, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = get_des_key(client_entry, FALSE, TRUE, &ckey);
- if(ret){
- kdc_log(0, "no suitable DES key for client");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = get_des_key(server_entry, TRUE, TRUE, &skey);
- if(ret){
- kdc_log(0, "no suitable DES key for server");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* try to decode the `request' */
- memcpy (&key, ckey->key.keyvalue.data, sizeof(key));
- des_set_key (&key, schedule);
- des_pcbc_encrypt (request.data,
- request.data,
- request.length,
- schedule,
- &key,
- DES_DECRYPT);
- memset (&schedule, 0, sizeof(schedule));
-
- /* check for the magic label */
- if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) {
- make_error_reply (hdr, KABADREQUEST, reply);
- goto out;
- }
-
- reply_sp = krb5_storage_from_mem (request.data, 4);
- krb5_ret_int32 (reply_sp, &chal);
- krb5_storage_free (reply_sp);
-
- if (abs(chal - kdc_time) > context->max_skew) {
- make_error_reply (hdr, KACLOCKSKEW, reply);
- goto out;
- }
-
- /* life */
- max_life = end_time - kdc_time;
- /* end_time - kdc_time can sometimes be non-positive due to slight
- time skew between client and server. Let's make sure it is postive */
- if(max_life < 1)
- max_life = 1;
- if (client_entry->max_life)
- max_life = min(max_life, *client_entry->max_life);
- if (server_entry->max_life)
- max_life = min(max_life, *server_entry->max_life);
-
- life = krb_time_to_life(kdc_time, kdc_time + max_life);
-
- create_reply_ticket (hdr, skey,
- name, instance, v4_realm,
- addr, life, server_entry->kvno,
- max_seq_len,
- "krbtgt", v4_realm,
- chal + 1, "tgsT",
- &key, reply);
- memset (&key, 0, sizeof(key));
-
-out:
- if (request.length) {
- memset (request.data, 0, request.length);
- krb5_data_free (&request);
- }
- if (name)
- free (name);
- if (instance)
- free (instance);
- if (client_entry)
- free_ent (client_entry);
- if (server_entry)
- free_ent (server_entry);
-}
-
-static krb5_error_code
-unparse_getticket_args (krb5_storage *sp,
- int *kvno,
- char **auth_domain,
- krb5_data *ticket,
- char **name,
- char **instance,
- krb5_data *times,
- int32_t *max_seq_len)
-{
- krb5_data data;
- int32_t tmp;
-
- krb5_ret_int32 (sp, &tmp);
- *kvno = tmp;
-
- krb5_ret_xdr_data (sp, &data);
- *auth_domain = malloc(data.length + 1);
- if (*auth_domain == NULL)
- return ENOMEM;
- memcpy (*auth_domain, data.data, data.length);
- (*auth_domain)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, ticket);
-
- krb5_ret_xdr_data (sp, &data);
- *name = malloc(data.length + 1);
- if (*name == NULL) {
- free (*auth_domain);
- return ENOMEM;
- }
- memcpy (*name, data.data, data.length);
- (*name)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, &data);
- *instance = malloc(data.length + 1);
- if (*instance == NULL) {
- free (*auth_domain);
- free (*name);
- return ENOMEM;
- }
- memcpy (*instance, data.data, data.length);
- (*instance)[data.length] = '\0';
- krb5_data_free (&data);
-
- krb5_ret_xdr_data (sp, times);
-
- krb5_ret_int32 (sp, max_seq_len);
- /* ignore the rest */
- return 0;
-}
-
-static void
-do_getticket (struct rx_header *hdr,
- krb5_storage *sp,
- struct sockaddr_in *addr,
- krb5_data *reply)
-{
- krb5_error_code ret;
- int kvno;
- char *auth_domain = NULL;
- krb5_data aticket;
- char *name = NULL;
- char *instance = NULL;
- krb5_data times;
- int32_t max_seq_len;
- hdb_entry *server_entry = NULL;
- hdb_entry *krbtgt_entry = NULL;
- Key *kkey = NULL;
- Key *skey = NULL;
- des_cblock key;
- des_key_schedule schedule;
- des_cblock session;
- time_t max_life;
- int8_t life;
- time_t start_time, end_time;
- char pname[ANAME_SZ];
- char pinst[INST_SZ];
- char prealm[REALM_SZ];
- char server_name[256];
-
- krb5_data_zero (&aticket);
- krb5_data_zero (×);
-
- unparse_getticket_args (sp, &kvno, &auth_domain, &aticket,
- &name, &instance, ×, &max_seq_len);
-
- snprintf (server_name, sizeof(server_name),
- "%s.%s@%s", name, instance, v4_realm);
-
- ret = db_fetch4 (name, instance, v4_realm, &server_entry);
- if (ret) {
- kdc_log(0, "Server not found in database: %s: %s",
- server_name, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- ret = check_flags (NULL, NULL,
- server_entry, server_name,
- FALSE);
- if (ret) {
- make_error_reply (hdr, KAPWEXPIRED, reply);
- goto out;
- }
-
- ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &krbtgt_entry);
- if (ret) {
- kdc_log(0, "Server not found in database: %s.%s@%s: %s",
- "krbtgt", v4_realm, v4_realm, krb5_get_err_text(context, ret));
- make_error_reply (hdr, KANOENT, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = get_des_key(krbtgt_entry, TRUE, TRUE, &kkey);
- if(ret){
- kdc_log(0, "no suitable DES key for krbtgt");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* find a DES key */
- ret = get_des_key(server_entry, TRUE, TRUE, &skey);
- if(ret){
- kdc_log(0, "no suitable DES key for server");
- make_error_reply (hdr, KANOKEYS, reply);
- goto out;
- }
-
- /* decrypt the incoming ticket */
- memcpy (&key, kkey->key.keyvalue.data, sizeof(key));
-
- /* unpack the ticket */
- {
- KTEXT_ST ticket;
- u_char flags;
- int life;
- u_int32_t time_sec;
- char sname[ANAME_SZ];
- char sinstance[SNAME_SZ];
- u_int32_t paddress;
-
- if (aticket.length > sizeof(ticket.dat)) {
- kdc_log(0, "ticket too long (%u > %u)",
- (unsigned)aticket.length,
- (unsigned)sizeof(ticket.dat));
- make_error_reply (hdr, KABADTICKET, reply);
- goto out;
- }
-
- ticket.length = aticket.length;
- memcpy (ticket.dat, aticket.data, ticket.length);
-
- des_set_key (&key, schedule);
- decomp_ticket (&ticket, &flags, pname, pinst, prealm,
- &paddress, session, &life, &time_sec,
- sname, sinstance,
- &key, schedule);
-
- if (strcmp (sname, "krbtgt") != 0
- || strcmp (sinstance, v4_realm) != 0) {
- kdc_log(0, "no TGT: %s.%s for %s.%s@%s",
- sname, sinstance,
- pname, pinst, prealm);
- make_error_reply (hdr, KABADTICKET, reply);
- goto out;
- }
-
- if (kdc_time > krb_life_to_time(time_sec, life)) {
- kdc_log(0, "TGT expired: %s.%s@%s",
- pname, pinst, prealm);
- make_error_reply (hdr, KABADTICKET, reply);
- goto out;
- }
- }
-
- /* decrypt the times */
- des_set_key (&session, schedule);
- des_ecb_encrypt (times.data,
- times.data,
- schedule,
- DES_DECRYPT);
- memset (&schedule, 0, sizeof(schedule));
-
- /* and extract them */
- {
- krb5_storage *sp;
- int32_t tmp;
-
- sp = krb5_storage_from_mem (times.data, times.length);
- krb5_ret_int32 (sp, &tmp);
- start_time = tmp;
- krb5_ret_int32 (sp, &tmp);
- end_time = tmp;
- krb5_storage_free (sp);
- }
-
- /* life */
- max_life = end_time - kdc_time;
- /* end_time - kdc_time can sometimes be non-positive due to slight
- time skew between client and server. Let's make sure it is postive */
- if(max_life < 1)
- max_life = 1;
- if (krbtgt_entry->max_life)
- max_life = min(max_life, *krbtgt_entry->max_life);
- if (server_entry->max_life)
- max_life = min(max_life, *server_entry->max_life);
-
- life = krb_time_to_life(kdc_time, kdc_time + max_life);
-
- create_reply_ticket (hdr, skey,
- pname, pinst, prealm,
- addr, life, server_entry->kvno,
- max_seq_len,
- name, instance,
- 0, "gtkt",
- &session, reply);
- memset (&session, 0, sizeof(session));
-
-out:
- if (aticket.length) {
- memset (aticket.data, 0, aticket.length);
- krb5_data_free (&aticket);
- }
- if (times.length) {
- memset (times.data, 0, times.length);
- krb5_data_free (×);
- }
- if (auth_domain)
- free (auth_domain);
- if (name)
- free (name);
- if (instance)
- free (instance);
- if (krbtgt_entry)
- free_ent (krbtgt_entry);
- if (server_entry)
- free_ent (server_entry);
-}
-
-krb5_error_code
-do_kaserver(unsigned char *buf,
- size_t len,
- krb5_data *reply,
- const char *from,
- struct sockaddr_in *addr)
-{
- krb5_error_code ret = 0;
- struct rx_header hdr;
- u_int32_t op;
- krb5_storage *sp;
-
- if (len < RX_HEADER_SIZE)
- return -1;
- sp = krb5_storage_from_mem (buf, len);
-
- decode_rx_header (sp, &hdr);
- buf += RX_HEADER_SIZE;
- len -= RX_HEADER_SIZE;
-
- switch (hdr.type) {
- case HT_DATA :
- break;
- case HT_ACK :
- case HT_BUSY :
- case HT_ABORT :
- case HT_ACKALL :
- case HT_CHAL :
- case HT_RESP :
- case HT_DEBUG :
- default:
- /* drop */
- goto out;
- }
-
-
- if (hdr.serviceid != KA_AUTHENTICATION_SERVICE
- && hdr.serviceid != KA_TICKET_GRANTING_SERVICE) {
- ret = -1;
- goto out;
- }
-
- krb5_ret_int32(sp, &op);
- switch (op) {
- case AUTHENTICATE :
- do_authenticate (&hdr, sp, addr, reply);
- break;
- case GETTICKET :
- do_getticket (&hdr, sp, addr, reply);
- break;
- case AUTHENTICATE_OLD :
- case CHANGEPASSWORD :
- case GETTICKET_OLD :
- case SETPASSWORD :
- case SETFIELDS :
- case CREATEUSER :
- case DELETEUSER :
- case GETENTRY :
- case LISTENTRY :
- case GETSTATS :
- case DEBUG :
- case GETPASSWORD :
- case GETRANDOMKEY :
- case AUTHENTICATE_V2 :
- default :
- make_error_reply (&hdr, RXGEN_OPCODE, reply);
- break;
- }
-
-out:
- krb5_storage_free (sp);
- return ret;
-}
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
deleted file mode 100644
index 20c180a4d7d3..000000000000
--- a/crypto/heimdal/kdc/kdc.8
+++ /dev/null
@@ -1,164 +0,0 @@ -.\" $Id: kdc.8,v 1.17 2002/08/28 21:09:05 joda Exp $ -.\" -.Dd August 22, 2002 -.Dt KDC 8 -.Os HEIMDAL -.Sh NAME -.Nm kdc -.Nd Kerberos 5 server -.Sh SYNOPSIS -.Nm -.Oo Fl c Ar file \*(Ba Xo -.Fl -config-file= Ns Ar file -.Xc -.Oc -.Op Fl p | Fl -no-require-preauth -.Op Fl -max-request= Ns Ar size -.Op Fl H | Fl -enable-http -.Oo Fl r Ar string \*(Ba Xo -.Fl -v4-realm= Ns Ar string -.Xc -.Oc -.Op Fl K | Fl -no-kaserver -.Op Fl r Ar realm -.Op Fl -v4-realm= Ns Ar realm -.Oo Fl P Ar string \*(Ba Xo -.Fl -ports= Ns Ar string -.Xc -.Oc -.Op Fl -addresses= Ns Ar list of addresses -.Sh DESCRIPTION -.Nm -serves requests for tickets. When it starts, it first checks the flags -passed, any options that are not specified with a command line flag is -taken from a config file, or from a default compiled-in value. -.Pp -Options supported: -.Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc -Specifies the location of the config file, the default is -.Pa /var/heimdal/kdc.conf . -This is the only value that can't be specified in the config file. -.It Xo -.Fl p , -.Fl -no-require-preauth -.Xc -Turn off the requirement for pre-autentication in the initial AS-REQ -for all principals. The use of pre-authentication makes it more -difficult to do offline password attacks. You might want to turn it -off if you have clients that doesn't do pre-authentication. Since the -version 4 protocol doesn't support any pre-authentication, so serving -version 4 clients is just about the same as not requiring -pre-athentication. The default is to require -pre-authentication. Adding the require-preauth per principal is a more -flexible way of handling this. -.It Xo -.Fl -max-request= Ns Ar size -.Xc -Gives an upper limit on the size of the requests that the kdc is -willing to handle. -.It Xo -.Fl H , -.Fl -enable-http -.Xc -Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. 
-.It Xo -.Fl K , -.Fl -no-kaserver -.Xc -Disables kaserver emulation (in case it's compiled in). -.It Xo -.Fl r Ar realm , -.Fl -v4-realm= Ns Ar realm -.Xc -What realm this server should act as when dealing with version 4 -requests. The database can contain any number of realms, but since the -version 4 protocol doesn't contain a realm for the server, it must be -explicitly specified. The default is whatever is returned by -.Fn krb_get_lrealm . -This option is only availabe if the KDC has been compiled with version -4 support. -.It Xo -.Fl P Ar string , -.Fl -ports= Ns Ar string -.Xc -Specifies the set of ports the KDC should listen on. It is given as a -white-space separated list of services or port numbers. -.It Fl -addresses= Ns Ar list of addresses -The list of addresses to listen for requests on. By default, the kdc -will listen on all the locally configured addresses. If only a subset -is desired, or the automatic detection fails, this option might be used. -.El -.Pp -All activities , are logged to one or more destinations, see -.Xr krb5.conf 5 , -and -.Xr krb5_openlog 3 . -The entity used for logging is -.Nm kdc . -.Sh CONFIGURATION FILE -The configuration file has the same syntax as -.Xr krb5.conf 5 , -but will be read before -.Pa /etc/krb5.conf , -so it may override settings found there. Options specific to the KDC -only are found in the -.Dq [kdc] -section. -All the command-line options can preferably be added in the -configuration file. The only difference is the pre-authentication flag, -that has to be specified as: -.Pp -.Dl require-preauth = no -.Pp -(in fact you can specify the option as -.Fl -require-preauth=no ) . -.Pp -And there are some configuration options which do not have -command-line equivalents: -.Bl -tag -width "xxx" -offset indent -.It Li check-ticket-addresses = Va boolean -Check the addresses in the ticket when processing TGS requests. The -default is FALSE. 
-.It Li allow-null-ticket-addresses = Va boolean -Permit tickets with no addresses. This option is only relevant when -check-ticket-addresses is TRUE. -.It Li allow-anonymous = Va boolean -Permit anonymous tickets with no addresses. -.It encode_as_rep_as_tgs_rep = Va boolean -Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The -Heimdal clients allow both. -.It kdc_warn_pwexpire = Va time -How long before password/principal expiration the KDC should start -sending out warning messages. -.El -.Pp -An example of a config file: -.Bd -literal -offset indent -[kdc] - require-preauth = no - v4-realm = FOO.SE - key-file = /key-file -.Ed -.Sh BUGS -If the machine running the KDC has new addresses added to it, the KDC -will have to be restarted to listen to them. The reason it doesn't -just listen to wildcarded (like INADDR_ANY) addresses, is that the -replies has to come from the same address they were sent to, and most -OS:es doesn't pass this information to the application. If your normal -mode of operation require that you add and remove addresses, the best -option is probably to listen to a wildcarded TCP socket, and make sure -your clients use TCP to connect. For instance, this will listen to -IPv4 TCP port 88 only: -.Bd -literal -offset indent -kdc --addresses=0.0.0.0 --ports="88/tcp" -.Ed -.Pp -There should be a way to specify protocol, port, and address triplets, -not just addresses and protocol, port tuples. -.Sh SEE ALSO -.Xr kinit 1 , -.Xr krb5.conf 5 diff --git a/crypto/heimdal/kdc/kdc.cat8 b/crypto/heimdal/kdc/kdc.cat8 deleted file mode 100644 index 4d83d59973da..000000000000 --- a/crypto/heimdal/kdc/kdc.cat8 +++ /dev/null 
@@ -1,126 +0,0 @@ -KDC(8) NetBSD System Manager's Manual KDC(8) - -NNAAMMEE - kkddcc - Kerberos 5 server - -SSYYNNOOPPSSIISS - kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh] - [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g] - [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g | - ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s] - -DDEESSCCRRIIPPTTIIOONN - kkddcc serves requests for tickets. When it starts, it first checks the - flags passed, any options that are not specified with a command line flag - is taken from a config file, or from a default compiled-in value. - - Options supported: - - --cc _f_i_l_e, ----ccoonnffiigg--ffiillee==_f_i_l_e - Specifies the location of the config file, the default is - _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be - specified in the config file. - - --pp, ----nnoo--rreeqquuiirree--pprreeaauutthh - Turn off the requirement for pre-autentication in the initial AS- - REQ for all principals. The use of pre-authentication makes it - more difficult to do offline password attacks. You might want to - turn it off if you have clients that doesn't do pre-authentica- - tion. Since the version 4 protocol doesn't support any pre-au- - thentication, so serving version 4 clients is just about the same - as not requiring pre-athentication. The default is to require - pre-authentication. Adding the require-preauth per principal is a - more flexible way of handling this. - - ----mmaaxx--rreeqquueesstt==_s_i_z_e - Gives an upper limit on the size of the requests that the kdc is - willing to handle. - - --HH, ----eennaabbllee--hhttttpp - Makes the kdc listen on port 80 and handle requests encapsulated - in HTTP. 
- - --KK, ----nnoo--kkaasseerrvveerr - Disables kaserver emulation (in case it's compiled in). - - --rr _r_e_a_l_m, ----vv44--rreeaallmm==_r_e_a_l_m - What realm this server should act as when dealing with version 4 - requests. The database can contain any number of realms, but - since the version 4 protocol doesn't contain a realm for the - server, it must be explicitly specified. The default is whatever - is returned by kkrrbb__ggeett__llrreeaallmm(). This option is only availabe if - the KDC has been compiled with version 4 support. - - --PP _s_t_r_i_n_g, ----ppoorrttss==_s_t_r_i_n_g - Specifies the set of ports the KDC should listen on. It is given - as a white-space separated list of services or port numbers. - - ----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s - The list of addresses to listen for requests on. By default, the - kdc will listen on all the locally configured addresses. If only - a subset is desired, or the automatic detection fails, this op- - tion might be used. - - All activities , are logged to one or more destinations, see - krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc. - -CCOONNFFIIGGUURRAATTIIOONN FFIILLEE - The configuration file has the same syntax as krb5.conf(5), but will be - read before _/_e_t_c_/_k_r_b_5_._c_o_n_f, so it may override settings found there. Op- - tions specific to the KDC only are found in the ``[kdc]'' section. All - the command-line options can preferably be added in the configuration - file. The only difference is the pre-authentication flag, that has to be - specified as: - - require-preauth = no - - (in fact you can specify the option as ----rreeqquuiirree--pprreeaauutthh==nnoo). - - And there are some configuration options which do not have command-line - equivalents: - - check-ticket-addresses = _b_o_o_l_e_a_n - Check the addresses in the ticket when processing TGS re- - quests. The default is FALSE. 
- - allow-null-ticket-addresses = _b_o_o_l_e_a_n - Permit tickets with no addresses. This option is only rele- - vant when check-ticket-addresses is TRUE. - - allow-anonymous = _b_o_o_l_e_a_n - Permit anonymous tickets with no addresses. - - encode_as_rep_as_tgs_rep = _b_o_o_l_e_a_n - Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE - code. The Heimdal clients allow both. - - kdc_warn_pwexpire = _t_i_m_e - How long before password/principal expiration the KDC should - start sending out warning messages. - - An example of a config file: - - [kdc] - require-preauth = no - v4-realm = FOO.SE - key-file = /key-file - -BBUUGGSS - If the machine running the KDC has new addresses added to it, the KDC - will have to be restarted to listen to them. The reason it doesn't just - listen to wildcarded (like INADDR_ANY) addresses, is that the replies has - to come from the same address they were sent to, and most OS:es doesn't - pass this information to the application. If your normal mode of opera- - tion require that you add and remove addresses, the best option is proba- - bly to listen to a wildcarded TCP socket, and make sure your clients use - TCP to connect. For instance, this will listen to IPv4 TCP port 88 only: - - kdc --addresses=0.0.0.0 --ports="88/tcp" - - There should be a way to specify protocol, port, and address triplets, - not just addresses and protocol, port tuples. - -SSEEEE AALLSSOO - kinit(1), krb5.conf(5) - - HEIMDAL August 22, 2002 2 diff --git a/crypto/heimdal/kdc/kdc_locl.h b/crypto/heimdal/kdc/kdc_locl.h deleted file mode 100644 index 6ab28d0dccc6..000000000000 --- a/crypto/heimdal/kdc/kdc_locl.h +++ /dev/null 
@@ -1,120 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * $Id: kdc_locl.h,v 1.54 2002/08/19 12:18:07 joda Exp $
- */
-
-#ifndef __KDC_LOCL_H__
-#define __KDC_LOCL_H__
-
-#include "headers.h"
-
-extern krb5_context context;
-
-extern int require_preauth;
-extern sig_atomic_t exit_flag;
-extern size_t max_request;
-extern time_t kdc_warn_pwexpire;
-extern struct dbinfo {
- char *realm;
- char *dbname;
- char *mkey_file;
- struct dbinfo *next;
-} *databases;
-extern HDB **db;
-extern int num_db;
-extern const char *port_str;
-extern krb5_addresses explicit_addresses;
-
-extern int enable_http;
-extern krb5_boolean encode_as_rep_as_tgs_rep;
-extern krb5_boolean check_ticket_addresses;
-extern krb5_boolean allow_null_ticket_addresses;
-extern krb5_boolean allow_anonymous;
-
-#ifdef KRB4
-extern char *v4_realm;
-extern int enable_v4;
-extern int enable_524;
-extern krb5_boolean enable_kaserver;
-#endif
-
-#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf"
-#define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log"
-
-extern struct timeval now;
-#define kdc_time (now.tv_sec)
-
-krb5_error_code as_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
-void configure (int, char**);
-krb5_error_code db_fetch (krb5_principal, hdb_entry**);
-void free_ent(hdb_entry *);
-void kdc_log (int, const char*, ...)
- __attribute__ ((format (printf, 2,3)));
-
-char* kdc_log_msg (int, const char*, ...)
- __attribute__ ((format (printf, 2,3)));
-char* kdc_log_msg_va (int, const char*, va_list)
- __attribute__ ((format (printf, 2,0)));
-void kdc_openlog (void);
-void loop (void);
-void set_master_key (EncryptionKey);
-krb5_error_code tgs_rep (KDC_REQ*, krb5_data*, const char*, struct sockaddr *);
-Key* unseal_key (Key*);
-krb5_error_code check_flags(hdb_entry *client, const char *client_name,
- hdb_entry *server, const char *server_name,
- krb5_boolean is_as_req);
-
-#ifdef KRB4
-krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**);
-krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*);
-krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*,
- struct sockaddr_in*);
-krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*,
- const PrincipalName*, size_t*);
-krb5_error_code encrypt_v4_ticket (void*, size_t, des_cblock*, EncryptedData*);
-krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**);
-int maybe_version4 (unsigned char*, int);
-#endif
-
-#ifdef KRB4
-krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*,
- struct sockaddr_in*);
-#endif
-
-#ifdef HAVE_OPENSSL
-#define des_new_random_key des_random_key
-#endif
-
-#endif /* __KDC_LOCL_H__ */
diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c
deleted file mode 100644
index c3a851b07aec..000000000000
--- a/crypto/heimdal/kdc/kerberos4.c
+++ /dev/null
@@ -1,661 +0,0 @@
-/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "kdc_locl.h" - -RCSID("$Id: kerberos4.c,v 1.41 2002/04/18 16:08:24 joda Exp $"); - -#ifdef KRB4 - -#ifndef swap32 -static u_int32_t -swap32(u_int32_t x) -{ - return ((x << 24) & 0xff000000) | - ((x << 8) & 0xff0000) | - ((x >> 8) & 0xff00) | - ((x >> 24) & 0xff); -} -#endif /* swap32 */ - -int -maybe_version4(unsigned char *buf, int len) -{ - return len > 0 && *buf == 4; -} - -static void -make_err_reply(krb5_data *reply, int code, const char *msg) -{ - KTEXT_ST er; - - /* name, instance and realm are not checked in most (all?) - implementations; msg is also never used, but we send it anyway - (for debugging purposes) */ - - if(msg == NULL) - msg = krb_get_err_text(code); - cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg); - krb5_data_copy(reply, er.dat, er.length); -} - -static krb5_boolean -valid_princ(krb5_context context, krb5_principal princ) -{ - krb5_error_code ret; - char *s; - hdb_entry *ent; - - ret = krb5_unparse_name(context, princ, &s); - if (ret) - return FALSE; - ret = db_fetch(princ, &ent); - if (ret) { - kdc_log(7, "Lookup %s failed: %s", s, - krb5_get_err_text (context, ret)); - free(s); - return FALSE; - } - kdc_log(7, "Lookup %s succeeded", s); - free(s); - free_ent(ent); - return TRUE; -} - -krb5_error_code -db_fetch4(const char *name, const char *instance, const char *realm, - hdb_entry **ent) -{ - krb5_principal p; - krb5_error_code ret; - - ret = krb5_425_conv_principal_ext(context, name, instance, realm, - valid_princ, 0, &p); - if(ret) - return ret; - ret = db_fetch(p, ent); - krb5_free_principal(context, p); - return ret; -} - -krb5_error_code -get_des_key(hdb_entry *principal, krb5_boolean is_server, - krb5_boolean prefer_afs_key, Key **ret_key) -{ - Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL; - int i; - krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5, - ETYPE_DES_CBC_MD4, - ETYPE_DES_CBC_CRC }; - - for(i = 0; - i < sizeof(etypes)/sizeof(etypes[0]) - && (v5_key == NULL || v4_key == NULL 
|| - afs_key == NULL || server_key == NULL); - ++i) { - Key *key = NULL; - while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) { - if(key->salt == NULL) { - if(v5_key == NULL) - v5_key = key; - } else if(key->salt->type == hdb_pw_salt && - key->salt->salt.length == 0) { - if(v4_key == NULL) - v4_key = key; - } else if(key->salt->type == hdb_afs3_salt) { - if(afs_key == NULL) - afs_key = key; - } else if(server_key == NULL) - server_key = key; - } - } - - if(prefer_afs_key) { - if(afs_key) - *ret_key = afs_key; - else if(v4_key) - *ret_key = v4_key; - else if(v5_key) - *ret_key = v5_key; - else if(is_server && server_key) - *ret_key = server_key; - else - return KERB_ERR_NULL_KEY; - } else { - if(v4_key) - *ret_key = v4_key; - else if(afs_key) - *ret_key = afs_key; - else if(v5_key) - *ret_key = v5_key; - else if(is_server && server_key) - *ret_key = server_key; - else - return KERB_ERR_NULL_KEY; - } - - if((*ret_key)->key.keyvalue.length == 0) - return KERB_ERR_NULL_KEY; - return 0; -} - -#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;} - -/* - * Process the v4 request in `buf, len' (received from `addr' - * (with string `from'). - * Return an error code and a reply in `reply'. 
- */ - -krb5_error_code -do_version4(unsigned char *buf, - size_t len, - krb5_data *reply, - const char *from, - struct sockaddr_in *addr) -{ - krb5_storage *sp; - krb5_error_code ret; - hdb_entry *client = NULL, *server = NULL; - Key *ckey, *skey; - int8_t pvno; - int8_t msg_type; - int lsb; - char *name = NULL, *inst = NULL, *realm = NULL; - char *sname = NULL, *sinst = NULL; - int32_t req_time; - time_t max_life; - u_int8_t life; - char client_name[256]; - char server_name[256]; - - if(!enable_v4) { - kdc_log(0, "Rejected version 4 request from %s", from); - make_err_reply(reply, KDC_GEN_ERR, "function not enabled"); - return 0; - } - - sp = krb5_storage_from_mem(buf, len); - RCHECK(krb5_ret_int8(sp, &pvno), out); - if(pvno != 4){ - kdc_log(0, "Protocol version mismatch (%d)", pvno); - make_err_reply(reply, KDC_PKT_VER, NULL); - goto out; - } - RCHECK(krb5_ret_int8(sp, &msg_type), out); - lsb = msg_type & 1; - msg_type &= ~1; - switch(msg_type){ - case AUTH_MSG_KDC_REQUEST: - RCHECK(krb5_ret_stringz(sp, &name), out1); - RCHECK(krb5_ret_stringz(sp, &inst), out1); - RCHECK(krb5_ret_stringz(sp, &realm), out1); - RCHECK(krb5_ret_int32(sp, &req_time), out1); - if(lsb) - req_time = swap32(req_time); - RCHECK(krb5_ret_int8(sp, &life), out1); - RCHECK(krb5_ret_stringz(sp, &sname), out1); - RCHECK(krb5_ret_stringz(sp, &sinst), out1); - snprintf (client_name, sizeof(client_name), - "%s.%s@%s", name, inst, realm); - snprintf (server_name, sizeof(server_name), - "%s.%s@%s", sname, sinst, v4_realm); - - kdc_log(0, "AS-REQ %s from %s for %s", - client_name, from, server_name); - - ret = db_fetch4(name, inst, realm, &client); - if(ret) { - kdc_log(0, "Client not found in database: %s: %s", - client_name, krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); - goto out1; - } - ret = db_fetch4(sname, sinst, v4_realm, &server); - if(ret){ - kdc_log(0, "Server not found in database: %s: %s", - server_name, krb5_get_err_text(context, ret)); - 
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); - goto out1; - } - - ret = check_flags (client, client_name, - server, server_name, - TRUE); - if (ret) { - /* good error code? */ - make_err_reply(reply, KERB_ERR_NAME_EXP, NULL); - goto out1; - } - - /* - * There's no way to do pre-authentication in v4 and thus no - * good error code to return if preauthentication is required. - */ - - if (require_preauth - || client->flags.require_preauth - || server->flags.require_preauth) { - kdc_log(0, - "Pre-authentication required for v4-request: " - "%s for %s", - client_name, server_name); - make_err_reply(reply, KERB_ERR_NULL_KEY, NULL); - goto out1; - } - - ret = get_des_key(client, FALSE, FALSE, &ckey); - if(ret){ - kdc_log(0, "no suitable DES key for client"); - make_err_reply(reply, KDC_NULL_KEY, - "no suitable DES key for client"); - goto out1; - } - -#if 0 - /* this is not necessary with the new code in libkrb */ - /* find a properly salted key */ - while(ckey->salt == NULL || ckey->salt->salt.length != 0) - ret = hdb_next_keytype2key(context, client, KEYTYPE_DES, &ckey); - if(ret){ - kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", - name, inst, realm); - make_err_reply(reply, KDC_NULL_KEY, - "No version-4 salted key in database"); - goto out1; - } -#endif - - ret = get_des_key(server, TRUE, FALSE, &skey); - if(ret){ - kdc_log(0, "no suitable DES key for server"); - /* XXX */ - make_err_reply(reply, KDC_NULL_KEY, - "no suitable DES key for server"); - goto out1; - } - - max_life = krb_life_to_time(0, life); - if(client->max_life) - max_life = min(max_life, *client->max_life); - if(server->max_life) - max_life = min(max_life, *server->max_life); - - life = krb_time_to_life(kdc_time, kdc_time + max_life); - - { - KTEXT_ST cipher, ticket; - KTEXT r; - des_cblock session; - - des_new_random_key(&session); - - krb_create_ticket(&ticket, 0, name, inst, v4_realm, - addr->sin_addr.s_addr, session, life, kdc_time, - sname, sinst, 
skey->key.keyvalue.data); - - create_ciph(&cipher, session, sname, sinst, v4_realm, - life, server->kvno % 256, &ticket, kdc_time, - ckey->key.keyvalue.data); - memset(&session, 0, sizeof(session)); - r = create_auth_reply(name, inst, realm, req_time, 0, - client->pw_end ? *client->pw_end : 0, - client->kvno % 256, &cipher); - krb5_data_copy(reply, r->dat, r->length); - memset(&cipher, 0, sizeof(cipher)); - memset(&ticket, 0, sizeof(ticket)); - } - out1: - break; - case AUTH_MSG_APPL_REQUEST: { - int8_t kvno; - int8_t ticket_len; - int8_t req_len; - KTEXT_ST auth; - AUTH_DAT ad; - size_t pos; - krb5_principal tgt_princ = NULL; - hdb_entry *tgt = NULL; - Key *tkey; - - RCHECK(krb5_ret_int8(sp, &kvno), out2); - RCHECK(krb5_ret_stringz(sp, &realm), out2); - - ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm, - &tgt_princ); - if(ret){ - kdc_log(0, "Converting krbtgt principal: %s", - krb5_get_err_text(context, ret)); - make_err_reply(reply, KFAILURE, - "Failed to convert v4 principal (krbtgt)"); - goto out2; - } - - ret = db_fetch(tgt_princ, &tgt); - if(ret){ - char *s; - s = kdc_log_msg(0, "Ticket-granting ticket not " - "found in database: krbtgt.%s@%s: %s", - realm, v4_realm, - krb5_get_err_text(context, ret)); - make_err_reply(reply, KFAILURE, s); - free(s); - goto out2; - } - - if(tgt->kvno % 256 != kvno){ - kdc_log(0, "tgs-req with old kvno %d (current %d) for " - "krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm); - make_err_reply(reply, KDC_AUTH_EXP, - "old krbtgt kvno used"); - goto out2; - } - - ret = get_des_key(tgt, TRUE, FALSE, &tkey); - if(ret){ - kdc_log(0, "no suitable DES key for krbtgt"); - /* XXX */ - make_err_reply(reply, KDC_NULL_KEY, - "no suitable DES key for krbtgt"); - goto out2; - } - - RCHECK(krb5_ret_int8(sp, &ticket_len), out2); - RCHECK(krb5_ret_int8(sp, &req_len), out2); - - pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR); - - memset(&auth, 0, sizeof(auth)); - memcpy(&auth.dat, buf, pos); - auth.length = 
pos; - krb_set_key(tkey->key.keyvalue.data, 0); - - krb_ignore_ip_address = !check_ticket_addresses; - - ret = krb_rd_req(&auth, "krbtgt", realm, - addr->sin_addr.s_addr, &ad, 0); - if(ret){ - kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret)); - make_err_reply(reply, ret, NULL); - goto out2; - } - - RCHECK(krb5_ret_int32(sp, &req_time), out2); - if(lsb) - req_time = swap32(req_time); - RCHECK(krb5_ret_int8(sp, &life), out2); - RCHECK(krb5_ret_stringz(sp, &sname), out2); - RCHECK(krb5_ret_stringz(sp, &sinst), out2); - snprintf (server_name, sizeof(server_name), - "%s.%s@%s", - sname, sinst, v4_realm); - - kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s", - ad.pname, ad.pinst, ad.prealm, from, server_name); - - if(strcmp(ad.prealm, realm)){ - kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't hop realms"); - goto out2; - } - - if(strcmp(sname, "changepw") == 0){ - kdc_log(0, "Bad request for changepw ticket"); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't authorize password change based on TGT"); - goto out2; - } - -#if 0 - ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client); - if(ret){ - char *s; - s = kdc_log_msg(0, "Client not found in database: %s.%s@%s: %s", - ad.pname, ad.pinst, ad.prealm, - krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); - free(s); - goto out2; - } -#endif - - ret = db_fetch4(sname, sinst, v4_realm, &server); - if(ret){ - char *s; - s = kdc_log_msg(0, "Server not found in database: %s: %s", - server_name, krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); - free(s); - goto out2; - } - - ret = check_flags (NULL, NULL, - server, server_name, - FALSE); - if (ret) { - /* good error code? 
*/ - make_err_reply(reply, KERB_ERR_NAME_EXP, NULL); - goto out2; - } - - ret = get_des_key(server, TRUE, FALSE, &skey); - if(ret){ - kdc_log(0, "no suitable DES key for server"); - /* XXX */ - make_err_reply(reply, KDC_NULL_KEY, - "no suitable DES key for server"); - goto out2; - } - - max_life = krb_life_to_time(ad.time_sec, ad.life); - max_life = min(max_life, krb_life_to_time(kdc_time, life)); - life = min(life, krb_time_to_life(kdc_time, max_life)); - max_life = krb_life_to_time(0, life); -#if 0 - if(client->max_life) - max_life = min(max_life, *client->max_life); -#endif - if(server->max_life) - max_life = min(max_life, *server->max_life); - - { - KTEXT_ST cipher, ticket; - KTEXT r; - des_cblock session; - des_new_random_key(&session); - krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm, - addr->sin_addr.s_addr, &session, life, kdc_time, - sname, sinst, skey->key.keyvalue.data); - - create_ciph(&cipher, session, sname, sinst, v4_realm, - life, server->kvno % 256, &ticket, - kdc_time, &ad.session); - - memset(&session, 0, sizeof(session)); - memset(ad.session, 0, sizeof(ad.session)); - - r = create_auth_reply(ad.pname, ad.pinst, ad.prealm, - req_time, 0, 0, 0, &cipher); - krb5_data_copy(reply, r->dat, r->length); - memset(&cipher, 0, sizeof(cipher)); - memset(&ticket, 0, sizeof(ticket)); - } - out2: - if(tgt_princ) - krb5_free_principal(context, tgt_princ); - if(tgt) - free_ent(tgt); - break; - } - - case AUTH_MSG_ERR_REPLY: - break; - default: - kdc_log(0, "Unknown message type: %d from %s", - msg_type, from); - - make_err_reply(reply, KFAILURE, "Unknown message type"); - } -out: - if(name) - free(name); - if(inst) - free(inst); - if(realm) - free(realm); - if(sname) - free(sname); - if(sinst) - free(sinst); - if(client) - free_ent(client); - if(server) - free_ent(server); - krb5_storage_free(sp); - return 0; -} - - -#define ETYPE_DES_PCBC 17 /* XXX */ - -krb5_error_code -encrypt_v4_ticket(void *buf, size_t len, des_cblock *key, EncryptedData 
*reply) -{ - des_key_schedule schedule; - - reply->etype = ETYPE_DES_PCBC; - reply->kvno = NULL; - reply->cipher.length = len; - reply->cipher.data = malloc(len); - if(len != 0 && reply->cipher.data == NULL) - return ENOMEM; - des_set_key(key, schedule); - des_pcbc_encrypt(buf, - reply->cipher.data, - len, - schedule, - key, - DES_ENCRYPT); - memset(schedule, 0, sizeof(schedule)); - return 0; -} - -krb5_error_code -encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et, - const PrincipalName *service, size_t *size) -{ - krb5_storage *sp; - krb5_error_code ret; - char name[40], inst[40], realm[40]; - char sname[40], sinst[40]; - - { - krb5_principal princ; - principalname2krb5_principal(&princ, - *service, - et->crealm); - ret = krb5_524_conv_principal(context, - princ, - sname, - sinst, - realm); - krb5_free_principal(context, princ); - if(ret) - return ret; - - principalname2krb5_principal(&princ, - et->cname, - et->crealm); - - ret = krb5_524_conv_principal(context, - princ, - name, - inst, - realm); - krb5_free_principal(context, princ); - } - if(ret) - return ret; - - sp = krb5_storage_emem(); - - krb5_store_int8(sp, 0); /* flags */ - krb5_store_stringz(sp, name); - krb5_store_stringz(sp, inst); - krb5_store_stringz(sp, realm); - { - unsigned char tmp[4] = { 0, 0, 0, 0 }; - int i; - if(et->caddr){ - for(i = 0; i < et->caddr->len; i++) - if(et->caddr->val[i].addr_type == AF_INET && - et->caddr->val[i].address.length == 4){ - memcpy(tmp, et->caddr->val[i].address.data, 4); - break; - } - } - krb5_storage_write(sp, tmp, sizeof(tmp)); - } - - if((et->key.keytype != ETYPE_DES_CBC_MD5 && - et->key.keytype != ETYPE_DES_CBC_MD4 && - et->key.keytype != ETYPE_DES_CBC_CRC) || - et->key.keyvalue.length != 8) - return -1; - krb5_storage_write(sp, et->key.keyvalue.data, 8); - - { - time_t start = et->starttime ? 
*et->starttime : et->authtime; - krb5_store_int8(sp, krb_time_to_life(start, et->endtime)); - krb5_store_int32(sp, start); - } - - krb5_store_stringz(sp, sname); - krb5_store_stringz(sp, sinst); - - { - krb5_data data; - krb5_storage_to_data(sp, &data); - krb5_storage_free(sp); - *size = (data.length + 7) & ~7; /* pad to 8 bytes */ - if(*size > len) - return -1; - memset((unsigned char*)buf - *size + 1, 0, *size); - memcpy((unsigned char*)buf - *size + 1, data.data, data.length); - krb5_data_free(&data); - } - return 0; -} - -#endif /* KRB4 */ diff --git a/crypto/heimdal/kdc/kerberos5.c b/crypto/heimdal/kdc/kerberos5.c deleted file mode 100644 index 7ba968083ee5..000000000000 --- a/crypto/heimdal/kdc/kerberos5.c +++ /dev/null 
@@ -1,1847 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kdc_locl.h" - -RCSID("$Id: kerberos5.c,v 1.143 2002/09/09 14:03:02 nectar Exp $"); - -#define MAX_TIME ((time_t)((1U << 31) - 1)) - -static void -fix_time(time_t **t) -{ - if(*t == NULL){ - ALLOC(*t); - **t = MAX_TIME; - } - if(**t == 0) **t = MAX_TIME; /* fix for old clients */ -} - -static void -set_salt_padata (METHOD_DATA **m, Salt *salt) -{ - if (salt) { - ALLOC(*m); - (*m)->len = 1; - ALLOC((*m)->val); - (*m)->val->padata_type = salt->type; - copy_octet_string(&salt->salt, - &(*m)->val->padata_value); - } -} - -static PA_DATA* -find_padata(KDC_REQ *req, int *start, int type) -{ - while(*start < req->padata->len){ - (*start)++; - if(req->padata->val[*start - 1].padata_type == type) - return &req->padata->val[*start - 1]; - } - return NULL; -} - -/* - * return the first appropriate key of `princ' in `ret_key'. Look for - * all the etypes in (`etypes', `len'), stopping as soon as we find - * one, but preferring one that has default salt - */ - -static krb5_error_code -find_etype(hdb_entry *princ, krb5_enctype *etypes, unsigned len, - Key **ret_key, krb5_enctype *ret_etype) -{ - int i; - krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP; - - for(i = 0; ret != 0 && i < len ; i++) { - Key *key = NULL; - - while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) { - if (key->key.keyvalue.length == 0) { - ret = KRB5KDC_ERR_NULL_KEY; - continue; - } - *ret_key = key; - *ret_etype = etypes[i]; - ret = 0; - if (key->salt == NULL) - return ret; - } - } - return ret; -} - -static krb5_error_code -find_keys(hdb_entry *client, - hdb_entry *server, - Key **ckey, - krb5_enctype *cetype, - Key **skey, - krb5_enctype *setype, - krb5_enctype *etypes, - unsigned num_etypes) -{ - krb5_error_code ret; - - if(client){ - /* find client key */ - ret = find_etype(client, etypes, num_etypes, ckey, cetype); - if (ret) { - kdc_log(0, "Client has no support for etypes"); - return ret; - } - } - - if(server){ - /* find server key */ - ret = find_etype(server, 
etypes, num_etypes, skey, setype); - if (ret) { - kdc_log(0, "Server has no support for etypes"); - return ret; - } - } - return 0; -} - -static krb5_error_code -make_anonymous_principalname (PrincipalName *pn) -{ - pn->name_type = KRB5_NT_PRINCIPAL; - pn->name_string.len = 1; - pn->name_string.val = malloc(sizeof(*pn->name_string.val)); - if (pn->name_string.val == NULL) - return ENOMEM; - pn->name_string.val[0] = strdup("anonymous"); - if (pn->name_string.val[0] == NULL) { - free(pn->name_string.val); - pn->name_string.val = NULL; - return ENOMEM; - } - return 0; -} - -static krb5_error_code -encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, - krb5_enctype etype, - int skvno, EncryptionKey *skey, - int ckvno, EncryptionKey *ckey, - const char **e_text, - krb5_data *reply) -{ - unsigned char *buf; - size_t buf_size; - size_t len; - krb5_error_code ret; - krb5_crypto crypto; - - ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret); - if(ret) { - kdc_log(0, "Failed to encode ticket: %s", - krb5_get_err_text(context, ret)); - return ret; - } - if(buf_size != len) { - free(buf); - kdc_log(0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - return KRB5KRB_ERR_GENERIC; - } - - ret = krb5_crypto_init(context, skey, etype, &crypto); - if (ret) { - free(buf); - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - return ret; - } - - ret = krb5_encrypt_EncryptedData(context, - crypto, - KRB5_KU_TICKET, - buf, - len, - skvno, - &rep->ticket.enc_part); - free(buf); - krb5_crypto_destroy(context, crypto); - if(ret) { - kdc_log(0, "Failed to encrypt data: %s", - krb5_get_err_text(context, ret)); - return ret; - } - - if(rep->msg_type == krb_as_rep && !encode_as_rep_as_tgs_rep) - ASN1_MALLOC_ENCODE(EncASRepPart, buf, buf_size, ek, &len, ret); - else - ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret); - if(ret) { - kdc_log(0, "Failed to encode KDC-REP: %s", - krb5_get_err_text(context, 
ret)); - return ret; - } - if(buf_size != len) { - free(buf); - kdc_log(0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - return KRB5KRB_ERR_GENERIC; - } - ret = krb5_crypto_init(context, ckey, 0, &crypto); - if (ret) { - free(buf); - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - return ret; - } - if(rep->msg_type == krb_as_rep) { - krb5_encrypt_EncryptedData(context, - crypto, - KRB5_KU_AS_REP_ENC_PART, - buf, - len, - ckvno, - &rep->enc_part); - free(buf); - ASN1_MALLOC_ENCODE(AS_REP, buf, buf_size, rep, &len, ret); - } else { - krb5_encrypt_EncryptedData(context, - crypto, - KRB5_KU_TGS_REP_ENC_PART_SESSION, - buf, - len, - ckvno, - &rep->enc_part); - free(buf); - ASN1_MALLOC_ENCODE(TGS_REP, buf, buf_size, rep, &len, ret); - } - krb5_crypto_destroy(context, crypto); - if(ret) { - kdc_log(0, "Failed to encode KDC-REP: %s", - krb5_get_err_text(context, ret)); - return ret; - } - if(buf_size != len) { - free(buf); - kdc_log(0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - return KRB5KRB_ERR_GENERIC; - } - reply->data = buf; - reply->length = buf_size; - return 0; -} - -static int -realloc_method_data(METHOD_DATA *md) -{ - PA_DATA *pa; - pa = realloc(md->val, (md->len + 1) * sizeof(*md->val)); - if(pa == NULL) - return ENOMEM; - md->val = pa; - md->len++; - return 0; -} - -static krb5_error_code -make_etype_info_entry(ETYPE_INFO_ENTRY *ent, Key *key) -{ - ent->etype = key->key.keytype; - if(key->salt){ - ALLOC(ent->salttype); -#if 0 - if(key->salt->type == hdb_pw_salt) - *ent->salttype = 0; /* or 1? or NULL? 
*/ - else if(key->salt->type == hdb_afs3_salt) - *ent->salttype = 2; - else { - kdc_log(0, "unknown salt-type: %d", - key->salt->type); - return KRB5KRB_ERR_GENERIC; - } - /* according to `the specs', we can't send a salt if - we have AFS3 salted key, but that requires that you - *know* what cell you are using (e.g by assuming - that the cell is the same as the realm in lower - case) */ -#else - *ent->salttype = key->salt->type; -#endif - krb5_copy_data(context, &key->salt->salt, - &ent->salt); - } else { - /* we return no salt type at all, as that should indicate - * the default salt type and make everybody happy. some - * systems (like w2k) dislike being told the salt type - * here. */ - - ent->salttype = NULL; - ent->salt = NULL; - } - return 0; -} - -static krb5_error_code -get_pa_etype_info(METHOD_DATA *md, hdb_entry *client, - ENCTYPE *etypes, unsigned int etypes_len) -{ - krb5_error_code ret = 0; - int i, j; - unsigned int n = 0; - ETYPE_INFO pa; - unsigned char *buf; - size_t len; - - - pa.len = client->keys.len; - if(pa.len > UINT_MAX/sizeof(*pa.val)) - return ERANGE; - pa.val = malloc(pa.len * sizeof(*pa.val)); - if(pa.val == NULL) - return ENOMEM; - - for(j = 0; j < etypes_len; j++) { - for(i = 0; i < client->keys.len; i++) { - if(client->keys.val[i].key.keytype == etypes[j]) - if((ret = make_etype_info_entry(&pa.val[n++], - &client->keys.val[i])) != 0) { - free_ETYPE_INFO(&pa); - return ret; - } - } - } - for(i = 0; i < client->keys.len; i++) { - for(j = 0; j < etypes_len; j++) { - if(client->keys.val[i].key.keytype == etypes[j]) - goto skip; - } - if((ret = make_etype_info_entry(&pa.val[n++], - &client->keys.val[i])) != 0) { - free_ETYPE_INFO(&pa); - return ret; - } - skip:; - } - - if(n != pa.len) { - char *name; - krb5_unparse_name(context, client->principal, &name); - kdc_log(0, "internal error in get_pa_etype_info(%s): %d != %d", - name, n, pa.len); - free(name); - pa.len = n; - } - - ASN1_MALLOC_ENCODE(ETYPE_INFO, buf, len, &pa, &len, ret); - 
free_ETYPE_INFO(&pa); - if(ret) - return ret; - ret = realloc_method_data(md); - if(ret) { - free(buf); - return ret; - } - md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO; - md->val[md->len - 1].padata_value.length = len; - md->val[md->len - 1].padata_value.data = buf; - return 0; -} - -/* - * verify the flags on `client' and `server', returning 0 - * if they are OK and generating an error messages and returning - * and error code otherwise. - */ - -krb5_error_code -check_flags(hdb_entry *client, const char *client_name, - hdb_entry *server, const char *server_name, - krb5_boolean is_as_req) -{ - if(client != NULL) { - /* check client */ - if (client->flags.invalid) { - kdc_log(0, "Client (%s) has invalid bit set", client_name); - return KRB5KDC_ERR_POLICY; - } - - if(!client->flags.client){ - kdc_log(0, "Principal may not act as client -- %s", - client_name); - return KRB5KDC_ERR_POLICY; - } - - if (client->valid_start && *client->valid_start > kdc_time) { - kdc_log(0, "Client not yet valid -- %s", client_name); - return KRB5KDC_ERR_CLIENT_NOTYET; - } - - if (client->valid_end && *client->valid_end < kdc_time) { - kdc_log(0, "Client expired -- %s", client_name); - return KRB5KDC_ERR_NAME_EXP; - } - - if (client->pw_end && *client->pw_end < kdc_time - && !server->flags.change_pw) { - kdc_log(0, "Client's key has expired -- %s", client_name); - return KRB5KDC_ERR_KEY_EXPIRED; - } - } - - /* check server */ - - if (server != NULL) { - if (server->flags.invalid) { - kdc_log(0, "Server has invalid flag set -- %s", server_name); - return KRB5KDC_ERR_POLICY; - } - - if(!server->flags.server){ - kdc_log(0, "Principal may not act as server -- %s", - server_name); - return KRB5KDC_ERR_POLICY; - } - - if(!is_as_req && server->flags.initial) { - kdc_log(0, "AS-REQ is required for server -- %s", server_name); - return KRB5KDC_ERR_POLICY; - } - - if (server->valid_start && *server->valid_start > kdc_time) { - kdc_log(0, "Server not yet valid -- %s", server_name); - 
return KRB5KDC_ERR_SERVICE_NOTYET; - } - - if (server->valid_end && *server->valid_end < kdc_time) { - kdc_log(0, "Server expired -- %s", server_name); - return KRB5KDC_ERR_SERVICE_EXP; - } - - if (server->pw_end && *server->pw_end < kdc_time) { - kdc_log(0, "Server's key has expired -- %s", server_name); - return KRB5KDC_ERR_KEY_EXPIRED; - } - } - return 0; -} - -/* - * Return TRUE if `from' is part of `addresses' taking into consideration - * the configuration variables that tells us how strict we should be about - * these checks - */ - -static krb5_boolean -check_addresses(HostAddresses *addresses, const struct sockaddr *from) -{ - krb5_error_code ret; - krb5_address addr; - krb5_boolean result; - - if(check_ticket_addresses == 0) - return TRUE; - - if(addresses == NULL) - return allow_null_ticket_addresses; - - ret = krb5_sockaddr2address (context, from, &addr); - if(ret) - return FALSE; - - result = krb5_address_search(context, &addr, addresses); - krb5_free_address (context, &addr); - return result; -} - -krb5_error_code -as_rep(KDC_REQ *req, - krb5_data *reply, - const char *from, - struct sockaddr *from_addr) -{ - KDC_REQ_BODY *b = &req->req_body; - AS_REP rep; - KDCOptions f = b->kdc_options; - hdb_entry *client = NULL, *server = NULL; - krb5_enctype cetype, setype; - EncTicketPart et; - EncKDCRepPart ek; - krb5_principal client_princ, server_princ; - char *client_name, *server_name; - krb5_error_code ret = 0; - const char *e_text = NULL; - krb5_crypto crypto; - Key *ckey, *skey; - - memset(&rep, 0, sizeof(rep)); - - if(b->sname == NULL){ - server_name = "<unknown server>"; - ret = KRB5KRB_ERR_GENERIC; - e_text = "No server in request"; - } else{ - principalname2krb5_principal (&server_princ, *(b->sname), b->realm); - krb5_unparse_name(context, server_princ, &server_name); - } - - if(b->cname == NULL){ - client_name = "<unknown client>"; - ret = KRB5KRB_ERR_GENERIC; - e_text = "No client in request"; - } else { - principalname2krb5_principal 
(&client_princ, *(b->cname), b->realm); - krb5_unparse_name(context, client_princ, &client_name); - } - kdc_log(0, "AS-REQ %s from %s for %s", - client_name, from, server_name); - - if(ret) - goto out; - - ret = db_fetch(client_princ, &client); - if(ret){ - kdc_log(0, "UNKNOWN -- %s: %s", client_name, - krb5_get_err_text(context, ret)); - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto out; - } - - ret = db_fetch(server_princ, &server); - if(ret){ - kdc_log(0, "UNKNOWN -- %s: %s", server_name, - krb5_get_err_text(context, ret)); - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto out; - } - - ret = check_flags(client, client_name, server, server_name, TRUE); - if(ret) - goto out; - - memset(&et, 0, sizeof(et)); - memset(&ek, 0, sizeof(ek)); - - if(req->padata){ - int i = 0; - PA_DATA *pa; - int found_pa = 0; - kdc_log(5, "Looking for pa-data -- %s", client_name); - while((pa = find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){ - krb5_data ts_data; - PA_ENC_TS_ENC p; - time_t patime; - size_t len; - EncryptedData enc_data; - Key *pa_key; - - found_pa = 1; - - ret = decode_EncryptedData(pa->padata_value.data, - pa->padata_value.length, - &enc_data, - &len); - if (ret) { - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - kdc_log(5, "Failed to decode PA-DATA -- %s", - client_name); - goto out; - } - - ret = hdb_enctype2key(context, client, enc_data.etype, &pa_key); - if(ret){ - char *estr; - e_text = "No key matches pa-data"; - ret = KRB5KDC_ERR_PREAUTH_FAILED; - if(krb5_enctype_to_string(context, enc_data.etype, &estr)) - estr = NULL; - if(estr == NULL) - kdc_log(5, "No client key matching pa-data (%d) -- %s", - enc_data.etype, client_name); - else - kdc_log(5, "No client key matching pa-data (%s) -- %s", - estr, client_name); - free(estr); - - free_EncryptedData(&enc_data); - continue; - } - - try_next_key: - ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto); - if (ret) { - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - 
free_EncryptedData(&enc_data); - continue; - } - - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_PA_ENC_TIMESTAMP, - &enc_data, - &ts_data); - krb5_crypto_destroy(context, crypto); - if(ret){ - if(hdb_next_enctype2key(context, client, - enc_data.etype, &pa_key) == 0) - goto try_next_key; - free_EncryptedData(&enc_data); - e_text = "Failed to decrypt PA-DATA"; - kdc_log (5, "Failed to decrypt PA-DATA -- %s", - client_name); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - continue; - } - free_EncryptedData(&enc_data); - ret = decode_PA_ENC_TS_ENC(ts_data.data, - ts_data.length, - &p, - &len); - krb5_data_free(&ts_data); - if(ret){ - e_text = "Failed to decode PA-ENC-TS-ENC"; - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - kdc_log (5, "Failed to decode PA-ENC-TS_ENC -- %s", - client_name); - continue; - } - patime = p.patimestamp; - free_PA_ENC_TS_ENC(&p); - if (abs(kdc_time - p.patimestamp) > context->max_skew) { - ret = KRB5KDC_ERR_PREAUTH_FAILED; - e_text = "Too large time skew"; - kdc_log(0, "Too large time skew -- %s", client_name); - goto out; - } - et.flags.pre_authent = 1; - kdc_log(2, "Pre-authentication succeded -- %s", client_name); - break; - } - if(found_pa == 0 && require_preauth) - goto use_pa; - /* We come here if we found a pa-enc-timestamp, but if there - was some problem with it, other than too large skew */ - if(found_pa && et.flags.pre_authent == 0){ - kdc_log(0, "%s -- %s", e_text, client_name); - e_text = NULL; - goto out; - } - }else if (require_preauth - || client->flags.require_preauth - || server->flags.require_preauth) { - METHOD_DATA method_data; - PA_DATA *pa; - unsigned char *buf; - size_t len; - krb5_data foo_data; - - use_pa: - method_data.len = 0; - method_data.val = NULL; - - ret = realloc_method_data(&method_data); - pa = &method_data.val[method_data.len-1]; - pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP; - pa->padata_value.length = 0; - pa->padata_value.data = NULL; - - ret = get_pa_etype_info(&method_data, client, - b->etype.val, 
b->etype.len); /* XXX check ret */ - - ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret); - free_METHOD_DATA(&method_data); - foo_data.data = buf; - foo_data.length = len; - - ret = KRB5KDC_ERR_PREAUTH_REQUIRED; - krb5_mk_error(context, - ret, - "Need to use PA-ENC-TIMESTAMP", - &foo_data, - client_princ, - server_princ, - NULL, - NULL, - reply); - free(buf); - kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name); - ret = 0; - goto out2; - } - - ret = find_keys(client, server, &ckey, &cetype, &skey, &setype, - b->etype.val, b->etype.len); - if(ret) { - kdc_log(0, "Server/client has no support for etypes"); - goto out; - } - - { - char *cet; - char *set; - - ret = krb5_enctype_to_string(context, cetype, &cet); - if(ret == 0) { - ret = krb5_enctype_to_string(context, setype, &set); - if (ret == 0) { - kdc_log(5, "Using %s/%s", cet, set); - free(set); - } else - free(cet); - } else - kdc_log(5, "Using e-types %d/%d", cetype, setype); - } - - { - char str[128]; - unparse_flags(KDCOptions2int(f), KDCOptions_units, str, sizeof(str)); - if(*str) - kdc_log(2, "Requested flags: %s", str); - } - - - if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey - || (f.request_anonymous && !allow_anonymous)) { - ret = KRB5KDC_ERR_BADOPTION; - kdc_log(0, "Bad KDC options -- %s", client_name); - goto out; - } - - rep.pvno = 5; - rep.msg_type = krb_as_rep; - copy_Realm(&b->realm, &rep.crealm); - if (f.request_anonymous) - make_anonymous_principalname (&rep.cname); - else - copy_PrincipalName(b->cname, &rep.cname); - rep.ticket.tkt_vno = 5; - copy_Realm(&b->realm, &rep.ticket.realm); - copy_PrincipalName(b->sname, &rep.ticket.sname); - - et.flags.initial = 1; - if(client->flags.forwardable && server->flags.forwardable) - et.flags.forwardable = f.forwardable; - else if (f.forwardable) { - ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Ticket may not be forwardable -- %s", client_name); - goto out; - } - if(client->flags.proxiable && server->flags.proxiable) - 
et.flags.proxiable = f.proxiable; - else if (f.proxiable) { - ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Ticket may not be proxiable -- %s", client_name); - goto out; - } - if(client->flags.postdate && server->flags.postdate) - et.flags.may_postdate = f.allow_postdate; - else if (f.allow_postdate){ - ret = KRB5KDC_ERR_POLICY; - kdc_log(0, "Ticket may not be postdatable -- %s", client_name); - goto out; - } - - /* check for valid set of addresses */ - if(!check_addresses(b->addresses, from_addr)) { - ret = KRB5KRB_AP_ERR_BADADDR; - kdc_log(0, "Bad address list requested -- %s", client_name); - goto out; - } - - krb5_generate_random_keyblock(context, setype, &et.key); - copy_PrincipalName(&rep.cname, &et.cname); - copy_Realm(&b->realm, &et.crealm); - - { - time_t start; - time_t t; - - start = et.authtime = kdc_time; - - if(f.postdated && req->req_body.from){ - ALLOC(et.starttime); - start = *et.starttime = *req->req_body.from; - et.flags.invalid = 1; - et.flags.postdated = 1; /* XXX ??? */ - } - fix_time(&b->till); - t = *b->till; - - /* be careful not overflowing */ - - if(client->max_life) - t = start + min(t - start, *client->max_life); - if(server->max_life) - t = start + min(t - start, *server->max_life); -#if 0 - t = min(t, start + realm->max_life); -#endif - et.endtime = t; - if(f.renewable_ok && et.endtime < *b->till){ - f.renewable = 1; - if(b->rtime == NULL){ - ALLOC(b->rtime); - *b->rtime = 0; - } - if(*b->rtime < *b->till) - *b->rtime = *b->till; - } - if(f.renewable && b->rtime){ - t = *b->rtime; - if(t == 0) - t = MAX_TIME; - if(client->max_renew) - t = start + min(t - start, *client->max_renew); - if(server->max_renew) - t = start + min(t - start, *server->max_renew); -#if 0 - t = min(t, start + realm->max_renew); -#endif - ALLOC(et.renew_till); - *et.renew_till = t; - et.flags.renewable = 1; - } - } - - if (f.request_anonymous) - et.flags.anonymous = 1; - - if(b->addresses){ - ALLOC(et.caddr); - copy_HostAddresses(b->addresses, et.caddr); - } - - { - 
krb5_data empty_string; - - krb5_data_zero(&empty_string); - et.transited.tr_type = DOMAIN_X500_COMPRESS; - et.transited.contents = empty_string; - } - - copy_EncryptionKey(&et.key, &ek.key); - - /* The MIT ASN.1 library (obviously) doesn't tell lengths encoded - * as 0 and as 0x80 (meaning indefinite length) apart, and is thus - * incapable of correctly decoding SEQUENCE OF's of zero length. - * - * To fix this, always send at least one no-op last_req - * - * If there's a pw_end or valid_end we will use that, - * otherwise just a dummy lr. - */ - ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val)); - ek.last_req.len = 0; - if (client->pw_end - && (kdc_warn_pwexpire == 0 - || kdc_time + kdc_warn_pwexpire <= *client->pw_end)) { - ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME; - ek.last_req.val[ek.last_req.len].lr_value = *client->pw_end; - ++ek.last_req.len; - } - if (client->valid_end) { - ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME; - ek.last_req.val[ek.last_req.len].lr_value = *client->valid_end; - ++ek.last_req.len; - } - if (ek.last_req.len == 0) { - ek.last_req.val[ek.last_req.len].lr_type = LR_NONE; - ek.last_req.val[ek.last_req.len].lr_value = 0; - ++ek.last_req.len; - } - ek.nonce = b->nonce; - if (client->valid_end || client->pw_end) { - ALLOC(ek.key_expiration); - if (client->valid_end) { - if (client->pw_end) - *ek.key_expiration = min(*client->valid_end, *client->pw_end); - else - *ek.key_expiration = *client->valid_end; - } else - *ek.key_expiration = *client->pw_end; - } else - ek.key_expiration = NULL; - ek.flags = et.flags; - ek.authtime = et.authtime; - if (et.starttime) { - ALLOC(ek.starttime); - *ek.starttime = *et.starttime; - } - ek.endtime = et.endtime; - if (et.renew_till) { - ALLOC(ek.renew_till); - *ek.renew_till = *et.renew_till; - } - copy_Realm(&rep.ticket.realm, &ek.srealm); - copy_PrincipalName(&rep.ticket.sname, &ek.sname); - if(et.caddr){ - ALLOC(ek.caddr); - copy_HostAddresses(et.caddr, ek.caddr); - } - 
- set_salt_padata (&rep.padata, ckey->salt); - ret = encode_reply(&rep, &et, &ek, setype, server->kvno, &skey->key, - client->kvno, &ckey->key, &e_text, reply); - free_EncTicketPart(&et); - free_EncKDCRepPart(&ek); - free_AS_REP(&rep); - out: - if(ret){ - krb5_mk_error(context, - ret, - e_text, - NULL, - client_princ, - server_princ, - NULL, - NULL, - reply); - ret = 0; - } - out2: - krb5_free_principal(context, client_princ); - free(client_name); - krb5_free_principal(context, server_princ); - free(server_name); - if(client) - free_ent(client); - if(server) - free_ent(server); - return ret; -} - - -static krb5_error_code -check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et) -{ - KDCOptions f = b->kdc_options; - - if(f.validate){ - if(!tgt->flags.invalid || tgt->starttime == NULL){ - kdc_log(0, "Bad request to validate ticket"); - return KRB5KDC_ERR_BADOPTION; - } - if(*tgt->starttime > kdc_time){ - kdc_log(0, "Early request to validate ticket"); - return KRB5KRB_AP_ERR_TKT_NYV; - } - /* XXX tkt = tgt */ - et->flags.invalid = 0; - }else if(tgt->flags.invalid){ - kdc_log(0, "Ticket-granting ticket has INVALID flag set"); - return KRB5KRB_AP_ERR_TKT_INVALID; - } - - if(f.forwardable){ - if(!tgt->flags.forwardable){ - kdc_log(0, "Bad request for forwardable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.forwardable = 1; - } - if(f.forwarded){ - if(!tgt->flags.forwardable){ - kdc_log(0, "Request to forward non-forwardable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.forwarded = 1; - et->caddr = b->addresses; - } - if(tgt->flags.forwarded) - et->flags.forwarded = 1; - - if(f.proxiable){ - if(!tgt->flags.proxiable){ - kdc_log(0, "Bad request for proxiable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.proxiable = 1; - } - if(f.proxy){ - if(!tgt->flags.proxiable){ - kdc_log(0, "Request to proxy non-proxiable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.proxy = 1; - et->caddr = b->addresses; - } - 
if(tgt->flags.proxy) - et->flags.proxy = 1; - - if(f.allow_postdate){ - if(!tgt->flags.may_postdate){ - kdc_log(0, "Bad request for post-datable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.may_postdate = 1; - } - if(f.postdated){ - if(!tgt->flags.may_postdate){ - kdc_log(0, "Bad request for postdated ticket"); - return KRB5KDC_ERR_BADOPTION; - } - if(b->from) - *et->starttime = *b->from; - et->flags.postdated = 1; - et->flags.invalid = 1; - }else if(b->from && *b->from > kdc_time + context->max_skew){ - kdc_log(0, "Ticket cannot be postdated"); - return KRB5KDC_ERR_CANNOT_POSTDATE; - } - - if(f.renewable){ - if(!tgt->flags.renewable){ - kdc_log(0, "Bad request for renewable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - et->flags.renewable = 1; - ALLOC(et->renew_till); - fix_time(&b->rtime); - *et->renew_till = *b->rtime; - } - if(f.renew){ - time_t old_life; - if(!tgt->flags.renewable || tgt->renew_till == NULL){ - kdc_log(0, "Request to renew non-renewable ticket"); - return KRB5KDC_ERR_BADOPTION; - } - old_life = tgt->endtime; - if(tgt->starttime) - old_life -= *tgt->starttime; - else - old_life -= tgt->authtime; - et->endtime = *et->starttime + old_life; - if (et->renew_till != NULL) - et->endtime = min(*et->renew_till, et->endtime); - } - - /* checks for excess flags */ - if(f.request_anonymous && !allow_anonymous){ - kdc_log(0, "Request for anonymous ticket"); - return KRB5KDC_ERR_BADOPTION; - } - return 0; -} - -static krb5_error_code -fix_transited_encoding(TransitedEncoding *tr, - const char *client_realm, - const char *server_realm, - const char *tgt_realm) -{ - krb5_error_code ret = 0; - if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)){ - char **realms = NULL, **tmp; - int num_realms = 0; - int i; - if(tr->tr_type && tr->contents.length != 0) { - if(tr->tr_type != DOMAIN_X500_COMPRESS){ - kdc_log(0, "Unknown transited type: %u", - tr->tr_type); - return KRB5KDC_ERR_TRTYPE_NOSUPP; - } - ret = 
krb5_domain_x500_decode(context, - tr->contents, - &realms, - &num_realms, - client_realm, - server_realm); - if(ret){ - krb5_warn(context, ret, "Decoding transited encoding"); - return ret; - } - } - if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) { - ret = ERANGE; - goto free_realms; - } - tmp = realloc(realms, (num_realms + 1) * sizeof(*realms)); - if(tmp == NULL){ - ret = ENOMEM; - goto free_realms; - } - realms = tmp; - realms[num_realms] = strdup(tgt_realm); - if(realms[num_realms] == NULL){ - ret = ENOMEM; - goto free_realms; - } - num_realms++; - free_TransitedEncoding(tr); - tr->tr_type = DOMAIN_X500_COMPRESS; - ret = krb5_domain_x500_encode(realms, num_realms, &tr->contents); - if(ret) - krb5_warn(context, ret, "Encoding transited encoding"); - free_realms: - for(i = 0; i < num_realms; i++) - free(realms[i]); - free(realms); - } - return ret; -} - - -static krb5_error_code -tgs_make_reply(KDC_REQ_BODY *b, - EncTicketPart *tgt, - EncTicketPart *adtkt, - AuthorizationData *auth_data, - hdb_entry *server, - hdb_entry *client, - krb5_principal client_principal, - hdb_entry *krbtgt, - krb5_enctype cetype, - const char **e_text, - krb5_data *reply) -{ - KDC_REP rep; - EncKDCRepPart ek; - EncTicketPart et; - KDCOptions f = b->kdc_options; - krb5_error_code ret; - krb5_enctype etype; - Key *skey; - EncryptionKey *ekey; - - if(adtkt) { - int i; - krb5_keytype kt; - ekey = &adtkt->key; - for(i = 0; i < b->etype.len; i++){ - ret = krb5_enctype_to_keytype(context, b->etype.val[i], &kt); - if(ret) - continue; - if(adtkt->key.keytype == kt) - break; - } - if(i == b->etype.len) - return KRB5KDC_ERR_ETYPE_NOSUPP; - etype = b->etype.val[i]; - }else{ - ret = find_keys(NULL, server, NULL, NULL, &skey, &etype, - b->etype.val, b->etype.len); - if(ret) { - kdc_log(0, "Server has no support for etypes"); - return ret; - } - ekey = &skey->key; - } - - memset(&rep, 0, sizeof(rep)); - memset(&et, 0, sizeof(et)); - memset(&ek, 0, sizeof(ek)); - - rep.pvno = 5; - 
rep.msg_type = krb_tgs_rep; - - et.authtime = tgt->authtime; - fix_time(&b->till); - et.endtime = min(tgt->endtime, *b->till); - ALLOC(et.starttime); - *et.starttime = kdc_time; - - ret = check_tgs_flags(b, tgt, &et); - if(ret) - return ret; - - copy_TransitedEncoding(&tgt->transited, &et.transited); - ret = fix_transited_encoding(&et.transited, - *krb5_princ_realm(context, client_principal), - *krb5_princ_realm(context, server->principal), - *krb5_princ_realm(context, krbtgt->principal)); - if(ret){ - free_TransitedEncoding(&et.transited); - return ret; - } - - - copy_Realm(krb5_princ_realm(context, server->principal), - &rep.ticket.realm); - krb5_principal2principalname(&rep.ticket.sname, server->principal); - copy_Realm(&tgt->crealm, &rep.crealm); - if (f.request_anonymous) - make_anonymous_principalname (&tgt->cname); - else - copy_PrincipalName(&tgt->cname, &rep.cname); - rep.ticket.tkt_vno = 5; - - ek.caddr = et.caddr; - if(et.caddr == NULL) - et.caddr = tgt->caddr; - - { - time_t life; - life = et.endtime - *et.starttime; - if(client && client->max_life) - life = min(life, *client->max_life); - if(server->max_life) - life = min(life, *server->max_life); - et.endtime = *et.starttime + life; - } - if(f.renewable_ok && tgt->flags.renewable && - et.renew_till == NULL && et.endtime < *b->till){ - et.flags.renewable = 1; - ALLOC(et.renew_till); - *et.renew_till = *b->till; - } - if(et.renew_till){ - time_t renew; - renew = *et.renew_till - et.authtime; - if(client && client->max_renew) - renew = min(renew, *client->max_renew); - if(server->max_renew) - renew = min(renew, *server->max_renew); - *et.renew_till = et.authtime + renew; - } - - if(et.renew_till){ - *et.renew_till = min(*et.renew_till, *tgt->renew_till); - *et.starttime = min(*et.starttime, *et.renew_till); - et.endtime = min(et.endtime, *et.renew_till); - } - - *et.starttime = min(*et.starttime, et.endtime); - - if(*et.starttime == et.endtime){ - ret = KRB5KDC_ERR_NEVER_VALID; - goto out; - } - 
if(et.renew_till && et.endtime == *et.renew_till){ - free(et.renew_till); - et.renew_till = NULL; - et.flags.renewable = 0; - } - - et.flags.pre_authent = tgt->flags.pre_authent; - et.flags.hw_authent = tgt->flags.hw_authent; - et.flags.anonymous = tgt->flags.anonymous; - - /* XXX Check enc-authorization-data */ - et.authorization_data = auth_data; - - krb5_generate_random_keyblock(context, etype, &et.key); - et.crealm = tgt->crealm; - et.cname = tgt->cname; - - ek.key = et.key; - /* MIT must have at least one last_req */ - ek.last_req.len = 1; - ek.last_req.val = calloc(1, sizeof(*ek.last_req.val)); - ek.nonce = b->nonce; - ek.flags = et.flags; - ek.authtime = et.authtime; - ek.starttime = et.starttime; - ek.endtime = et.endtime; - ek.renew_till = et.renew_till; - ek.srealm = rep.ticket.realm; - ek.sname = rep.ticket.sname; - - /* It is somewhat unclear where the etype in the following - encryption should come from. What we have is a session - key in the passed tgt, and a list of preferred etypes - *for the new ticket*. Should we pick the best possible - etype, given the keytype in the tgt, or should we look - at the etype list here as well? What if the tgt - session key is DES3 and we want a ticket with a (say) - CAST session key. Should the DES3 etype be added to the - etype list, even if we don't want a session key with - DES3? */ - ret = encode_reply(&rep, &et, &ek, etype, adtkt ? 
0 : server->kvno, ekey, - 0, &tgt->key, e_text, reply); -out: - free_TGS_REP(&rep); - free_TransitedEncoding(&et.transited); - if(et.starttime) - free(et.starttime); - if(et.renew_till) - free(et.renew_till); - free_LastReq(&ek.last_req); - memset(et.key.keyvalue.data, 0, et.key.keyvalue.length); - free_EncryptionKey(&et.key); - return ret; -} - -static krb5_error_code -tgs_check_authenticator(krb5_auth_context ac, - KDC_REQ_BODY *b, - const char **e_text, - krb5_keyblock *key) -{ - krb5_authenticator auth; - size_t len; - unsigned char *buf; - size_t buf_size; - krb5_error_code ret; - krb5_crypto crypto; - - krb5_auth_con_getauthenticator(context, ac, &auth); - if(auth->cksum == NULL){ - kdc_log(0, "No authenticator in request"); - ret = KRB5KRB_AP_ERR_INAPP_CKSUM; - goto out; - } - /* - * according to RFC1510 it doesn't need to be keyed, - * but according to the latest draft it needs to. - */ - if ( -#if 0 -!krb5_checksum_is_keyed(context, auth->cksum->cksumtype) - || -#endif - !krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) { - kdc_log(0, "Bad checksum type in authenticator: %d", - auth->cksum->cksumtype); - ret = KRB5KRB_AP_ERR_INAPP_CKSUM; - goto out; - } - - /* XXX should not re-encode this */ - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); - if(ret){ - kdc_log(0, "Failed to encode KDC-REQ-BODY: %s", - krb5_get_err_text(context, ret)); - goto out; - } - if(buf_size != len) { - free(buf); - kdc_log(0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - ret = KRB5KRB_ERR_GENERIC; - goto out; - } - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free(buf); - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - goto out; - } - ret = krb5_verify_checksum(context, - crypto, - KRB5_KU_TGS_REQ_AUTH_CKSUM, - buf, - len, - auth->cksum); - free(buf); - krb5_crypto_destroy(context, crypto); - if(ret){ - kdc_log(0, "Failed to verify checksum: %s", - 
krb5_get_err_text(context, ret)); - } -out: - free_Authenticator(auth); - free(auth); - return ret; -} - -/* - * return the realm of a krbtgt-ticket or NULL - */ - -static Realm -get_krbtgt_realm(const PrincipalName *p) -{ - if(p->name_string.len == 2 - && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0) - return p->name_string.val[1]; - else - return NULL; -} - -static Realm -find_rpath(Realm r) -{ - const char *new_realm = krb5_config_get_string(context, - NULL, - "libdefaults", - "capath", - r, - NULL); - return (Realm)new_realm; -} - - -static krb5_boolean -need_referral(krb5_principal server, krb5_realm **realms) -{ - if(server->name.name_type != KRB5_NT_SRV_INST || - server->name.name_string.len != 2) - return FALSE; - - return krb5_get_host_realm_int(context, server->name.name_string.val[1], - FALSE, realms) == 0; -} - -static krb5_error_code -tgs_rep2(KDC_REQ_BODY *b, - PA_DATA *tgs_req, - krb5_data *reply, - const char *from, - const struct sockaddr *from_addr, - time_t **csec, - int **cusec) -{ - krb5_ap_req ap_req; - krb5_error_code ret; - krb5_principal princ; - krb5_auth_context ac = NULL; - krb5_ticket *ticket = NULL; - krb5_flags ap_req_options; - krb5_flags verify_ap_req_flags; - const char *e_text = NULL; - krb5_crypto crypto; - - hdb_entry *krbtgt = NULL; - EncTicketPart *tgt; - Key *tkey; - krb5_enctype cetype; - krb5_principal cp = NULL; - krb5_principal sp = NULL; - AuthorizationData *auth_data = NULL; - - *csec = NULL; - *cusec = NULL; - - memset(&ap_req, 0, sizeof(ap_req)); - ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); - if(ret){ - kdc_log(0, "Failed to decode AP-REQ: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - - if(!get_krbtgt_realm(&ap_req.ticket.sname)){ - /* XXX check for ticket.sname == req.sname */ - kdc_log(0, "PA-DATA is not a ticket-granting ticket"); - ret = KRB5KDC_ERR_POLICY; /* ? 
*/ - goto out2; - } - - principalname2krb5_principal(&princ, - ap_req.ticket.sname, - ap_req.ticket.realm); - - ret = db_fetch(princ, &krbtgt); - - if(ret) { - char *p; - krb5_unparse_name(context, princ, &p); - kdc_log(0, "Ticket-granting ticket not found in database: %s: %s", - p, krb5_get_err_text(context, ret)); - free(p); - ret = KRB5KRB_AP_ERR_NOT_US; - goto out2; - } - - if(ap_req.ticket.enc_part.kvno && - *ap_req.ticket.enc_part.kvno != krbtgt->kvno){ - char *p; - - krb5_unparse_name (context, princ, &p); - kdc_log(0, "Ticket kvno = %d, DB kvno = %d (%s)", - *ap_req.ticket.enc_part.kvno, - krbtgt->kvno, - p); - free (p); - ret = KRB5KRB_AP_ERR_BADKEYVER; - goto out2; - } - - ret = hdb_enctype2key(context, krbtgt, ap_req.ticket.enc_part.etype, &tkey); - if(ret){ - char *str; - krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); - kdc_log(0, "No server key found for %s", str); - free(str); - ret = KRB5KRB_AP_ERR_BADKEYVER; - goto out2; - } - - if (b->kdc_options.validate) - verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID; - else - verify_ap_req_flags = 0; - - ret = krb5_verify_ap_req2(context, - &ac, - &ap_req, - princ, - &tkey->key, - verify_ap_req_flags, - &ap_req_options, - &ticket, - KRB5_KU_TGS_REQ_AUTH); - - krb5_free_principal(context, princ); - if(ret) { - kdc_log(0, "Failed to verify AP-REQ: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - - { - krb5_authenticator auth; - - ret = krb5_auth_con_getauthenticator(context, ac, &auth); - if (ret == 0) { - *csec = malloc(sizeof(**csec)); - if (*csec == NULL) { - krb5_free_authenticator(context, &auth); - kdc_log(0, "malloc failed"); - goto out2; - } - **csec = auth->ctime; - *cusec = malloc(sizeof(**cusec)); - if (*cusec == NULL) { - krb5_free_authenticator(context, &auth); - kdc_log(0, "malloc failed"); - goto out2; - } - **csec = auth->cusec; - krb5_free_authenticator(context, &auth); - } - } - - cetype = ap_req.authenticator.etype; - - tgt = &ticket->ticket; - - ret = 
tgs_check_authenticator(ac, b, &e_text, &tgt->key); - - if (b->enc_authorization_data) { - krb5_keyblock *subkey; - krb5_data ad; - ret = krb5_auth_con_getremotesubkey(context, - ac, - &subkey); - if(ret){ - krb5_auth_con_free(context, ac); - kdc_log(0, "Failed to get remote subkey: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - if(subkey == NULL){ - ret = krb5_auth_con_getkey(context, ac, &subkey); - if(ret) { - krb5_auth_con_free(context, ac); - kdc_log(0, "Failed to get session key: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - } - if(subkey == NULL){ - krb5_auth_con_free(context, ac); - kdc_log(0, "Failed to get key for enc-authorization-data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out2; - } - ret = krb5_crypto_init(context, subkey, 0, &crypto); - if (ret) { - krb5_auth_con_free(context, ac); - kdc_log(0, "krb5_crypto_init failed: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - ret = krb5_decrypt_EncryptedData (context, - crypto, - KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, - b->enc_authorization_data, - &ad); - krb5_crypto_destroy(context, crypto); - if(ret){ - krb5_auth_con_free(context, ac); - kdc_log(0, "Failed to decrypt enc-authorization-data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out2; - } - krb5_free_keyblock(context, subkey); - ALLOC(auth_data); - ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL); - if(ret){ - krb5_auth_con_free(context, ac); - free(auth_data); - auth_data = NULL; - kdc_log(0, "Failed to decode authorization data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? 
*/ - goto out2; - } - } - - krb5_auth_con_free(context, ac); - - if(ret){ - kdc_log(0, "Failed to verify authenticator: %s", - krb5_get_err_text(context, ret)); - goto out2; - } - - { - PrincipalName *s; - Realm r; - char *spn = NULL, *cpn = NULL; - hdb_entry *server = NULL, *client = NULL; - int loop = 0; - EncTicketPart adtkt; - char opt_str[128]; - - s = b->sname; - r = b->realm; - if(b->kdc_options.enc_tkt_in_skey){ - Ticket *t; - hdb_entry *uu; - krb5_principal p; - Key *tkey; - - if(b->additional_tickets == NULL || - b->additional_tickets->len == 0){ - ret = KRB5KDC_ERR_BADOPTION; /* ? */ - kdc_log(0, "No second ticket present in request"); - goto out; - } - t = &b->additional_tickets->val[0]; - if(!get_krbtgt_realm(&t->sname)){ - kdc_log(0, "Additional ticket is not a ticket-granting ticket"); - ret = KRB5KDC_ERR_POLICY; - goto out2; - } - principalname2krb5_principal(&p, t->sname, t->realm); - ret = db_fetch(p, &uu); - krb5_free_principal(context, p); - if(ret){ - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto out; - } - ret = hdb_enctype2key(context, uu, t->enc_part.etype, &tkey); - if(ret){ - ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */ - goto out; - } - ret = krb5_decrypt_ticket(context, t, &tkey->key, &adtkt, 0); - - if(ret) - goto out; - s = &adtkt.cname; - r = adtkt.crealm; - } - - principalname2krb5_principal(&sp, *s, r); - krb5_unparse_name(context, sp, &spn); - principalname2krb5_principal(&cp, tgt->cname, tgt->crealm); - krb5_unparse_name(context, cp, &cpn); - unparse_flags (KDCOptions2int(b->kdc_options), KDCOptions_units, - opt_str, sizeof(opt_str)); - if(*opt_str) - kdc_log(0, "TGS-REQ %s from %s for %s [%s]", - cpn, from, spn, opt_str); - else - kdc_log(0, "TGS-REQ %s from %s for %s", cpn, from, spn); - server_lookup: - ret = db_fetch(sp, &server); - - if(ret){ - Realm req_rlm, new_rlm; - krb5_realm *realms; - - if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { - if(loop++ < 2) { - new_rlm = find_rpath(req_rlm); 
- if(new_rlm) { - kdc_log(5, "krbtgt for realm %s not found, trying %s", - req_rlm, new_rlm); - krb5_free_principal(context, sp); - free(spn); - krb5_make_principal(context, &sp, r, - KRB5_TGS_NAME, new_rlm, NULL); - krb5_unparse_name(context, sp, &spn); - goto server_lookup; - } - } - } else if(need_referral(sp, &realms)) { - if (strcmp(realms[0], sp->realm) != 0) { - kdc_log(5, "returning a referral to realm %s for " - "server %s that was not found", - realms[0], spn); - krb5_free_principal(context, sp); - free(spn); - krb5_make_principal(context, &sp, r, KRB5_TGS_NAME, - realms[0], NULL); - krb5_unparse_name(context, sp, &spn); - krb5_free_host_realm(context, realms); - goto server_lookup; - } - krb5_free_host_realm(context, realms); - } - kdc_log(0, "Server not found in database: %s: %s", spn, - krb5_get_err_text(context, ret)); - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto out; - } - - ret = db_fetch(cp, &client); - if(ret) - kdc_log(1, "Client not found in database: %s: %s", - cpn, krb5_get_err_text(context, ret)); -#if 0 - /* XXX check client only if same realm as krbtgt-instance */ - if(ret){ - kdc_log(0, "Client not found in database: %s: %s", - cpn, krb5_get_err_text(context, ret)); - if (ret == HDB_ERR_NOENTRY) - ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - goto out; - } -#endif - - ret = check_flags(client, cpn, server, spn, FALSE); - if(ret) - goto out; - - if((b->kdc_options.validate || b->kdc_options.renew) && - !krb5_principal_compare(context, - krbtgt->principal, - server->principal)){ - kdc_log(0, "Inconsistent request."); - ret = KRB5KDC_ERR_SERVER_NOMATCH; - goto out; - } - - /* check for valid set of addresses */ - if(!check_addresses(tgt->caddr, from_addr)) { - ret = KRB5KRB_AP_ERR_BADADDR; - kdc_log(0, "Request from wrong address"); - goto out; - } - - ret = tgs_make_reply(b, - tgt, - b->kdc_options.enc_tkt_in_skey ? 
&adtkt : NULL, - auth_data, - server, - client, - cp, - krbtgt, - cetype, - &e_text, - reply); - - out: - free(spn); - free(cpn); - - if(server) - free_ent(server); - if(client) - free_ent(client); - } -out2: - if(ret) { - krb5_mk_error(context, - ret, - e_text, - NULL, - cp, - sp, - NULL, - NULL, - reply); - free(*csec); - free(*cusec); - *csec = NULL; - *cusec = NULL; - } - krb5_free_principal(context, cp); - krb5_free_principal(context, sp); - if (ticket) { - krb5_free_ticket(context, ticket); - free(ticket); - } - free_AP_REQ(&ap_req); - if(auth_data){ - free_AuthorizationData(auth_data); - free(auth_data); - } - - if(krbtgt) - free_ent(krbtgt); - - return ret; -} - - -krb5_error_code -tgs_rep(KDC_REQ *req, - krb5_data *data, - const char *from, - struct sockaddr *from_addr) -{ - krb5_error_code ret; - int i = 0; - PA_DATA *tgs_req = NULL; - time_t *csec = NULL; - int *cusec = NULL; - - if(req->padata == NULL){ - ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */ - kdc_log(0, "TGS-REQ from %s without PA-DATA", from); - goto out; - } - - tgs_req = find_padata(req, &i, KRB5_PADATA_TGS_REQ); - - if(tgs_req == NULL){ - ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - - kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from); - goto out; - } - ret = tgs_rep2(&req->req_body, tgs_req, data, from, from_addr, - &csec, &cusec); -out: - if(ret && data->data == NULL){ - krb5_mk_error(context, - ret, - NULL, - NULL, - NULL, - NULL, - csec, - cusec, - data); - } - free(csec); - free(cusec); - return 0; -} diff --git a/crypto/heimdal/kdc/kstash.8 b/crypto/heimdal/kdc/kstash.8 deleted file mode 100644 index 3bd46c63ac01..000000000000 --- a/crypto/heimdal/kdc/kstash.8 +++ /dev/null 
@@ -1,60 +0,0 @@ -.\" $Id: kstash.8,v 1.7 2002/08/20 16:37:14 joda Exp $ -.\" -.Dd September 1, 2000 -.Dt KSTASH 8 -.Os HEIMDAL -.Sh NAME -.Nm kstash -.Nd "store the KDC master password in a file" -.Sh SYNOPSIS -.Nm -.Oo Fl e Ar string \*(Ba Xo -.Fl -enctype= Ns Ar string -.Xc -.Oc -.Oo Fl k Ar file \*(Ba Xo -.Fl -key-file= Ns Ar file -.Xc -.Oc -.Op Fl -convert-file -.Op Fl -master-key-fd= Ns Ar fd -.Op Fl h | Fl -help -.Op Fl -version -.Sh DESCRIPTION -.Nm -reads the Kerberos master key and stores it in a file that will be -used by the KDC. -.Pp -Supported options: -.Bl -tag -width Ds -.It Xo -.Fl e Ar string , -.Fl -enctype= Ns Ar string -.Xc -the encryption type to use, defaults to DES3-CBC-SHA1 -.It Xo -.Fl k Ar file , -.Fl -key-file= Ns Ar file -.Xc -the name of the master key file -.It Xo -.Fl -convert-file -.Xc -don't ask for a new master key, just read an old master key file, and -write it back in the new keyfile format -.It Xo -.Fl -master-key-fd= Ns Ar fd -.Xc -filedescriptor to read passphrase from, if not specified the -passphrase will be read from the terminal -.El -.\".Sh ENVIRONMENT -.\".Sh FILES -.\".Sh EXAMPLES -.\".Sh DIAGNOSTICS -.Sh SEE ALSO -.Xr kdc 8 -.\".Sh STANDARDS -.\".Sh HISTORY -.\".Sh AUTHORS -.\".Sh BUGS diff --git a/crypto/heimdal/kdc/kstash.c b/crypto/heimdal/kdc/kstash.c deleted file mode 100644 index dc0621a6f69f..000000000000 --- a/crypto/heimdal/kdc/kstash.c +++ /dev/null 
@@ -1,148 +0,0 @@ -/* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "headers.h" - -RCSID("$Id: kstash.c,v 1.15 2002/04/18 09:47:25 joda Exp $"); - -krb5_context context; - -const char *keyfile = HDB_DB_DIR "/m-key"; -int convert_flag; -int help_flag; -int version_flag; - -int master_key_fd = -1; - -const char *enctype_str = "des3-cbc-sha1"; - -struct getargs args[] = { - { "enctype", 'e', arg_string, &enctype_str, "encryption type" }, - { "key-file", 'k', arg_string, &keyfile, "master key file", "file" }, - { "convert-file", 0, arg_flag, &convert_flag, - "just convert keyfile to new format" }, - { "master-key-fd", 0, arg_integer, &master_key_fd, - "filedescriptor to read passphrase from", "fd" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 0, arg_flag, &version_flag } -}; - -int num_args = sizeof(args) / sizeof(args[0]); - -int -main(int argc, char **argv) -{ - char buf[1024]; - krb5_error_code ret; - - krb5_enctype enctype; - - hdb_master_key mkey; - - krb5_program_setup(&context, argc, argv, args, num_args, NULL); - - if(help_flag) - krb5_std_usage(0, args, num_args); - if(version_flag){ - print_version(NULL); - exit(0); - } - - ret = krb5_string_to_enctype(context, enctype_str, &enctype); - if(ret) - krb5_err(context, 1, ret, "krb5_string_to_enctype"); - - ret = hdb_read_master_key(context, keyfile, &mkey); - if(ret && ret != ENOENT) - krb5_err(context, 1, ret, "reading master key from %s", keyfile); - - if (convert_flag) { - if (ret) - krb5_err(context, 1, ret, "reading master key from %s", keyfile); - } else { - krb5_keyblock key; - krb5_salt salt; - salt.salttype = KRB5_PW_SALT; - /* XXX better value? 
*/ - salt.saltvalue.data = NULL; - salt.saltvalue.length = 0; - if(master_key_fd != -1) { - ssize_t n; - n = read(master_key_fd, buf, sizeof(buf)); - if(n <= 0) - krb5_err(context, 1, errno, "failed to read passphrase"); - buf[n] = '\0'; - buf[strcspn(buf, "\r\n")] = '\0'; - } else { - if(des_read_pw_string(buf, sizeof(buf), "Master key: ", 1)) - exit(1); - } - krb5_string_to_key_salt(context, enctype, buf, salt, &key); - ret = hdb_add_master_key(context, &key, &mkey); - - krb5_free_keyblock_contents(context, &key); - - } - - { - char *new, *old; - asprintf(&old, "%s.old", keyfile); - asprintf(&new, "%s.new", keyfile); - if(unlink(new) < 0 && errno != ENOENT) { - ret = errno; - goto out; - } - krb5_warnx(context, "writing key to `%s'", keyfile); - ret = hdb_write_master_key(context, new, mkey); - if(ret) - unlink(new); - else { - unlink(old); - if(link(keyfile, old) < 0 && errno != ENOENT) { - ret = errno; - unlink(new); - } else if(rename(new, keyfile) < 0) { - ret = errno; - } - } - out: - free(old); - free(new); - if(ret) - krb5_warn(context, errno, "writing master key file"); - } - - hdb_free_master_key(context, mkey); - - exit(ret != 0); -} diff --git a/crypto/heimdal/kdc/kstash.cat8 b/crypto/heimdal/kdc/kstash.cat8 deleted file mode 100644 index 266648edc607..000000000000 --- a/crypto/heimdal/kdc/kstash.cat8 +++ /dev/null 
@@ -1,33 +0,0 @@ -KSTASH(8) NetBSD System Manager's Manual KSTASH(8) - -NNAAMMEE - kkssttaasshh - store the KDC master password in a file - -SSYYNNOOPPSSIISS - kkssttaasshh [--ee _s_t_r_i_n_g | ----eennccttyyppee==_s_t_r_i_n_g] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] - [----ccoonnvveerrtt--ffiillee] [----mmaasstteerr--kkeeyy--ffdd==_f_d] [--hh | ----hheellpp] [----vveerrssiioonn] - -DDEESSCCRRIIPPTTIIOONN - kkssttaasshh reads the Kerberos master key and stores it in a file that will be - used by the KDC. - - Supported options: - - --ee _s_t_r_i_n_g, ----eennccttyyppee==_s_t_r_i_n_g - the encryption type to use, defaults to DES3-CBC-SHA1 - - --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e - the name of the master key file - - ----ccoonnvveerrtt--ffiillee - don't ask for a new master key, just read an old master key file, - and write it back in the new keyfile format - - ----mmaasstteerr--kkeeyy--ffdd==_f_d - filedescriptor to read passphrase from, if not specified the - passphrase will be read from the terminal - -SSEEEE AALLSSOO - kdc(8) - - HEIMDAL September 1, 2000 1 diff --git a/crypto/heimdal/kdc/log.c b/crypto/heimdal/kdc/log.c deleted file mode 100644 index aa430aa7cee4..000000000000 --- a/crypto/heimdal/kdc/log.c +++ /dev/null 
@@ -1,84 +0,0 @@ -/* - * Copyright (c) 1997, 1998, 2002 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include "kdc_locl.h" -RCSID("$Id: log.c,v 1.14 2002/08/19 12:17:49 joda Exp $"); - -static krb5_log_facility *logf; - -void -kdc_openlog(void) -{ - char **s = NULL, **p; - krb5_initlog(context, "kdc", &logf); - s = krb5_config_get_strings(context, NULL, "kdc", "logging", NULL); - if(s == NULL) - s = krb5_config_get_strings(context, NULL, "logging", "kdc", NULL); - if(s){ - for(p = s; *p; p++) - krb5_addlog_dest(context, logf, *p); - krb5_config_free_strings(s); - }else - krb5_addlog_dest(context, logf, DEFAULT_LOG_DEST); - krb5_set_warn_dest(context, logf); -} - -char* -kdc_log_msg_va(int level, const char *fmt, va_list ap) -{ - char *msg; - krb5_vlog_msg(context, logf, &msg, level, fmt, ap); - return msg; -} - -char* -kdc_log_msg(int level, const char *fmt, ...) -{ - va_list ap; - char *s; - va_start(ap, fmt); - s = kdc_log_msg_va(level, fmt, ap); - va_end(ap); - return s; -} - -void -kdc_log(int level, const char *fmt, ...) -{ - va_list ap; - char *s; - va_start(ap, fmt); - s = kdc_log_msg_va(level, fmt, ap); - if(s) free(s); - va_end(ap); -} diff --git a/crypto/heimdal/kdc/main.c b/crypto/heimdal/kdc/main.c deleted file mode 100644 index 32ae20f5c2d8..000000000000 --- a/crypto/heimdal/kdc/main.c +++ /dev/null 
@@ -1,114 +0,0 @@
-/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "kdc_locl.h"
-#ifdef HAVE_UTIL_H
-#include <util.h>
-#endif
-
-RCSID("$Id: main.c,v 1.27 2002/08/28 21:27:16 joda Exp $");
-
-sig_atomic_t exit_flag = 0;
-krb5_context context;
-
-#ifdef HAVE_DAEMON
-extern int detach_from_console;
-#endif
-
-static RETSIGTYPE
-sigterm(int sig)
-{
- exit_flag = 1;
-}
-
-int
-main(int argc, char **argv)
-{
- krb5_error_code ret;
- setprogname(argv[0]);
-
- ret = krb5_init_context(&context);
- if (ret)
- errx (1, "krb5_init_context failed: %d", ret);
-
- configure(argc, argv);
-
- if(databases == NULL) {
- db = malloc(sizeof(*db));
- num_db = 1;
- ret = hdb_create(context, &db[0], NULL);
- if(ret)
- krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB);
- ret = hdb_set_master_keyfile(context, db[0], NULL);
- if (ret)
- krb5_err(context, 1, ret, "hdb_set_master_keyfile");
- } else {
- struct dbinfo *d;
- int i;
- /* count databases */
- for(d = databases, i = 0; d; d = d->next, i++);
- db = malloc(i * sizeof(*db));
- for(d = databases, num_db = 0; d; d = d->next, num_db++) {
- ret = hdb_create(context, &db[num_db], d->dbname);
- if(ret)
- krb5_err(context, 1, ret, "hdb_create %s", d->dbname);
- ret = hdb_set_master_keyfile(context, db[num_db], d->mkey_file);
- if (ret)
- krb5_err(context, 1, ret, "hdb_set_master_keyfile");
- }
- }
-
-#ifdef HAVE_SIGACTION
- {
- struct sigaction sa;
-
- sa.sa_flags = 0;
- sa.sa_handler = sigterm;
- sigemptyset(&sa.sa_mask);
-
- sigaction(SIGINT, &sa, NULL);
- sigaction(SIGTERM, &sa, NULL);
- }
-#else
- signal(SIGINT, sigterm);
- signal(SIGTERM, sigterm);
-#endif
-#ifdef HAVE_DAEMON
- if (detach_from_console)
- daemon(0, 0);
-#endif
- pidfile(NULL);
- loop();
- krb5_free_context(context);
- return 0;
-}
diff --git a/crypto/heimdal/kdc/misc.c b/crypto/heimdal/kdc/misc.c
deleted file mode 100644
index aebdc6895b0f..000000000000
--- a/crypto/heimdal/kdc/misc.c
+++ /dev/null
@@ -1,76 +0,0 @@ -/* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */
-
-#include "kdc_locl.h"
-
-RCSID("$Id: misc.c,v 1.22 2001/01/30 03:54:21 assar Exp $");
-
-struct timeval now;
-
-krb5_error_code
-db_fetch(krb5_principal principal, hdb_entry **h)
-{
- hdb_entry *ent;
- krb5_error_code ret = HDB_ERR_NOENTRY;
- int i;
-
- ent = malloc (sizeof (*ent));
- if (ent == NULL)
- return ENOMEM;
- ent->principal = principal;
-
- for(i = 0; i < num_db; i++) {
- ret = db[i]->open(context, db[i], O_RDONLY, 0);
- if (ret) {
- kdc_log(0, "Failed to open database: %s",
- krb5_get_err_text(context, ret));
- continue;
- }
- ret = db[i]->fetch(context, db[i], HDB_F_DECRYPT, ent);
- db[i]->close(context, db[i]);
- if(ret == 0) {
- *h = ent;
- return 0;
- }
- }
- free(ent);
- return ret;
-}
-
-void
-free_ent(hdb_entry *ent)
-{
- hdb_free_entry (context, ent);
- free (ent);
-}
-
diff --git a/crypto/heimdal/kdc/mit_dump.c b/crypto/heimdal/kdc/mit_dump.c
deleted file mode 100644
index 336d26579175..000000000000
--- a/crypto/heimdal/kdc/mit_dump.c
+++ /dev/null
@@ -1,370 +0,0 @@ -/* - * Copyright (c) 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "hprop.h" - -RCSID("$Id: mit_dump.c,v 1.3 2000/08/09 09:57:37 joda Exp $"); - -/* -can have any number of princ stanzas. -format is as follows (only \n indicates newlines) -princ\t%d\t (%d is KRB5_KDB_V1_BASE_LENGTH, always 38) -%d\t (strlen of principal e.g. 
shadow/foo@ANDREW.CMU.EDU) -%d\t (number of tl_data) -%d\t (number of key data, e.g. how many keys for this user) -%d\t (extra data length) -%s\t (principal name) -%d\t (attributes) -%d\t (max lifetime, seconds) -%d\t (max renewable life, seconds) -%d\t (expiration, seconds since epoch or 2145830400 for never) -%d\t (password expiration, seconds, 0 for never) -%d\t (last successful auth, seconds since epoch) -%d\t (last failed auth, per above) -%d\t (failed auth count) -foreach tl_data 0 to number of tl_data - 1 as above - %d\t%d\t (data type, data length) - foreach tl_data 0 to length-1 - %02x (tl data contents[element n]) - except if tl_data length is 0 - %d (always -1) - \t -foreach key 0 to number of keys - 1 as above - %d\t%d\t (key data version, kvno) - foreach version 0 to key data version - 1 (a key or a salt) - %d\t%d\t(data type for this key, data length for this key) - foreach key data length 0 to length-1 - %02x (key data contents[element n]) - except if key_data length is 0 - %d (always -1) - \t -foreach extra data length 0 to length - 1 - %02x (extra data part) -unless no extra data - %d (always -1) -;\n - -*/ - -static int -hex_to_octet_string(const char *ptr, krb5_data *data) -{ - int i; - unsigned int v; - for(i = 0; i < data->length; i++) { - if(sscanf(ptr + 2 * i, "%02x", &v) != 1) - return -1; - ((unsigned char*)data->data)[i] = v; - } - return 2 * i; -} - -static char * -nexttoken(char **p) -{ - char *q; - do { - q = strsep(p, " \t"); - } while(q && *q == '\0'); - return q; -} - -static size_t -getdata(char **p, unsigned char *buf, size_t len) -{ - size_t i; - int v; - char *q = nexttoken(p); - i = 0; - while(*q && i < len) { - if(sscanf(q, "%02x", &v) != 1) - break; - buf[i++] = v; - q += 2; - } - return i; -} - -static int -getint(char **p) -{ - int val; - char *q = nexttoken(p); - sscanf(q, "%d", &val); - return val; -} - -#include <kadm5/admin.h> - -static void -attr_to_flags(unsigned attr, HDBFlags *flags) -{ - flags->postdate = !(attr & 
KRB5_KDB_DISALLOW_POSTDATED); - flags->forwardable = !(attr & KRB5_KDB_DISALLOW_FORWARDABLE); - flags->initial = !!(attr & KRB5_KDB_DISALLOW_TGT_BASED); - flags->renewable = !(attr & KRB5_KDB_DISALLOW_RENEWABLE); - flags->proxiable = !(attr & KRB5_KDB_DISALLOW_PROXIABLE); - /* DUP_SKEY */ - flags->invalid = !!(attr & KRB5_KDB_DISALLOW_ALL_TIX); - flags->require_preauth = !!(attr & KRB5_KDB_REQUIRES_PRE_AUTH); - /* HW_AUTH */ - flags->server = !(attr & KRB5_KDB_DISALLOW_SVR); - flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE); - flags->client = 1; /* XXX */ -} - -#define KRB5_KDB_SALTTYPE_NORMAL 0 -#define KRB5_KDB_SALTTYPE_V4 1 -#define KRB5_KDB_SALTTYPE_NOREALM 2 -#define KRB5_KDB_SALTTYPE_ONLYREALM 3 -#define KRB5_KDB_SALTTYPE_SPECIAL 4 -#define KRB5_KDB_SALTTYPE_AFS3 5 - -static krb5_error_code -fix_salt(krb5_context context, hdb_entry *ent, int key_num) -{ - krb5_error_code ret; - Salt *salt = ent->keys.val[key_num].salt; - /* fix salt type */ - switch((int)salt->type) { - case KRB5_KDB_SALTTYPE_NORMAL: - salt->type = KRB5_PADATA_PW_SALT; - break; - case KRB5_KDB_SALTTYPE_V4: - krb5_data_free(&salt->salt); - salt->type = KRB5_PADATA_PW_SALT; - break; - case KRB5_KDB_SALTTYPE_NOREALM: - { - size_t len; - int i; - krb5_error_code ret; - char *p; - - len = 0; - for (i = 0; i < ent->principal->name.name_string.len; ++i) - len += strlen(ent->principal->name.name_string.val[i]); - ret = krb5_data_alloc (&salt->salt, len); - if (ret) - return ret; - p = salt->salt.data; - for (i = 0; i < ent->principal->name.name_string.len; ++i) { - memcpy (p, - ent->principal->name.name_string.val[i], - strlen(ent->principal->name.name_string.val[i])); - p += strlen(ent->principal->name.name_string.val[i]); - } - - salt->type = KRB5_PADATA_PW_SALT; - break; - } - case KRB5_KDB_SALTTYPE_ONLYREALM: - krb5_data_free(&salt->salt); - ret = krb5_data_copy(&salt->salt, - ent->principal->realm, - strlen(ent->principal->realm)); - if(ret) - return ret; - salt->type = 
KRB5_PADATA_PW_SALT; - break; - case KRB5_KDB_SALTTYPE_SPECIAL: - salt->type = KRB5_PADATA_PW_SALT; - break; - case KRB5_KDB_SALTTYPE_AFS3: - krb5_data_free(&salt->salt); - ret = krb5_data_copy(&salt->salt, - ent->principal->realm, - strlen(ent->principal->realm)); - if(ret) - return ret; - salt->type = KRB5_PADATA_AFS3_SALT; - break; - default: - abort(); - } - return 0; -} - -int -mit_prop_dump(void *arg, const char *file) -{ - krb5_error_code ret; - char buf [1024]; - FILE *f; - int lineno = 0; - struct hdb_entry ent; - - struct prop_data *pd = arg; - - f = fopen(file, "r"); - if(f == NULL) - return errno; - - while(fgets(buf, sizeof(buf), f)) { - char *p = buf, *q; - - int i; - - int num_tl_data; - int num_key_data; - int extra_data_length; - int attributes; - - int tmp; - - lineno++; - - memset(&ent, 0, sizeof(ent)); - - q = nexttoken(&p); - if(strcmp(q, "kdb5_util") == 0) { - int major; - q = nexttoken(&p); /* load_dump */ - if(strcmp(q, "load_dump")) - errx(1, "line %d: unknown version", lineno); - q = nexttoken(&p); /* load_dump */ - if(strcmp(q, "version")) - errx(1, "line %d: unknown version", lineno); - q = nexttoken(&p); /* x.0 */ - if(sscanf(q, "%d", &major) != 1) - errx(1, "line %d: unknown version", lineno); - if(major != 4) - errx(1, "unknown dump file format, got %d, expected 4", major); - continue; - } else if(strcmp(q, "princ") != 0) { - warnx("line %d: not a principal", lineno); - continue; - } - tmp = getint(&p); - if(tmp != 38) { - warnx("line %d: bad base length %d != 38", lineno, tmp); - continue; - } - q = nexttoken(&p); /* length of principal */ - num_tl_data = getint(&p); /* number of tl-data */ - num_key_data = getint(&p); /* number of key-data */ - extra_data_length = getint(&p); /* length of extra data */ - q = nexttoken(&p); /* principal name */ - krb5_parse_name(pd->context, q, &ent.principal); - attributes = getint(&p); /* attributes */ - attr_to_flags(attributes, &ent.flags); - tmp = getint(&p); /* max life */ - if(tmp != 0) { - 
ALLOC(ent.max_life); - *ent.max_life = tmp; - } - tmp = getint(&p); /* max renewable life */ - if(tmp != 0) { - ALLOC(ent.max_renew); - *ent.max_renew = tmp; - } - tmp = getint(&p); /* expiration */ - if(tmp != 0 && tmp != 2145830400) { - ALLOC(ent.valid_end); - *ent.valid_end = tmp; - } - tmp = getint(&p); /* pw expiration */ - if(tmp != 0) { - ALLOC(ent.pw_end); - *ent.pw_end = tmp; - } - q = nexttoken(&p); /* last auth */ - q = nexttoken(&p); /* last failed auth */ - q = nexttoken(&p); /* fail auth count */ - for(i = 0; i < num_tl_data; i++) { - unsigned long val; - int tl_type, tl_length; - unsigned char *buf; - krb5_principal princ; - - tl_type = getint(&p); /* data type */ - tl_length = getint(&p); /* data length */ - -#define KRB5_TL_LAST_PWD_CHANGE 1 -#define KRB5_TL_MOD_PRINC 2 - switch(tl_type) { - case KRB5_TL_MOD_PRINC: - buf = malloc(tl_length); - getdata(&p, buf, tl_length); /* data itself */ - val = buf[0] | (buf[1] << 8) | (buf[2] << 16) | (buf[3] << 24); - ret = krb5_parse_name(pd->context, buf + 4, &princ); - free(buf); - ALLOC(ent.modified_by); - ent.modified_by->time = val; - ent.modified_by->principal = princ; - break; - default: - nexttoken(&p); - break; - } - } - ALLOC_SEQ(&ent.keys, num_key_data); - for(i = 0; i < num_key_data; i++) { - int key_versions; - key_versions = getint(&p); /* key data version */ - ent.kvno = getint(&p); /* XXX kvno */ - - ALLOC(ent.keys.val[i].mkvno); - *ent.keys.val[i].mkvno = 0; - - /* key version 0 -- actual key */ - ent.keys.val[i].key.keytype = getint(&p); /* key type */ - tmp = getint(&p); /* key length */ - /* the first two bytes of the key is the key length -- - skip it */ - krb5_data_alloc(&ent.keys.val[i].key.keyvalue, tmp - 2); - q = nexttoken(&p); /* key itself */ - hex_to_octet_string(q + 4, &ent.keys.val[i].key.keyvalue); - - if(key_versions > 1) { - /* key version 1 -- optional salt */ - ALLOC(ent.keys.val[i].salt); - ent.keys.val[i].salt->type = getint(&p); /* salt type */ - tmp = getint(&p); /* 
salt length */ - if(tmp > 0) { - krb5_data_alloc(&ent.keys.val[i].salt->salt, tmp - 2); - q = nexttoken(&p); /* salt itself */ - hex_to_octet_string(q + 4, &ent.keys.val[i].salt->salt); - } else { - ent.keys.val[i].salt->salt.length = 0; - ent.keys.val[i].salt->salt.data = NULL; - tmp = getint(&p); /* -1, if no data. */ - } - fix_salt(pd->context, &ent, i); - } - } - q = nexttoken(&p); /* extra data */ - v5_prop(pd->context, NULL, &ent, arg); - } - return 0; -} diff --git a/crypto/heimdal/kdc/rx.h b/crypto/heimdal/kdc/rx.h deleted file mode 100644 index ab8ec8052318..000000000000 --- a/crypto/heimdal/kdc/rx.h +++ /dev/null 
@@ -1,79 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: rx.h,v 1.4 1999/12/02 17:05:00 joda Exp $ */
-
-#ifndef __RX_H__
-#define __RX_H__
-
-/* header of a RPC packet */
-
-enum rx_header_type {
- HT_DATA = 1,
- HT_ACK = 2,
- HT_BUSY = 3,
- HT_ABORT = 4,
- HT_ACKALL = 5,
- HT_CHAL = 6,
- HT_RESP = 7,
- HT_DEBUG = 8
-};
-
-/* For flags in header */
-
-enum rx_header_flag {
- HF_CLIENT_INITIATED = 1,
- HF_REQ_ACK = 2,
- HF_LAST = 4,
- HF_MORE = 8
-};
-
-struct rx_header {
- u_int32_t epoch;
- u_int32_t connid; /* And channel ID */
- u_int32_t callid;
- u_int32_t seqno;
- u_int32_t serialno;
- u_char type;
- u_char flags;
- u_char status;
- u_char secindex;
- u_int16_t reserved; /* ??? verifier? */
- u_int16_t serviceid;
-/* This should be the other way around according to everything but */
-/* tcpdump */
-};
-
-#define RX_HEADER_SIZE 28
-
-#endif /* __RX_H__ */
diff --git a/crypto/heimdal/kdc/string2key.8 b/crypto/heimdal/kdc/string2key.8
deleted file mode 100644
index 7b081d4c7b96..000000000000
--- a/crypto/heimdal/kdc/string2key.8
+++ /dev/null
@@ -1,79 +0,0 @@ -.\" $Id: string2key.8,v 1.5 2002/08/20 16:37:16 joda Exp $ -.\" -.Dd March 4, 2000 -.Dt STRING2KEY 8 -.Os HEIMDAL -.Sh NAME -.Nm string2key -.Nd map a password into a key -.Sh SYNOPSIS -.Nm -.Op Fl 5 | Fl -version5 -.Op Fl 4 | Fl -version4 -.Op Fl a | Fl -afs -.Oo Fl c Ar cell \*(Ba Xo -.Fl -cell= Ns Ar cell -.Xc -.Oc -.Oo Fl w Ar password \*(Ba Xo -.Fl -password= Ns Ar password -.Xc -.Oc -.Oo Fl p Ar principal \*(Ba Xo -.Fl -principal= Ns Ar principal -.Xc -.Oc -.Oo Fl k Ar string \*(Ba Xo -.Fl -keytype= Ns Ar string -.Xc -.Oc -.Ar password -.Sh DESCRIPTION -.Nm -performs the string-to-key function. -This is useful when you want to handle the raw key instead of the password. -Supported options: -.Bl -tag -width Ds -.It Xo -.Fl 5 , -.Fl -version5 -.Xc -Output Kerberos v5 string-to-key -.It Xo -.Fl 4 , -.Fl -version4 -.Xc -Output Kerberos v4 string-to-key -.It Xo -.Fl a , -.Fl -afs -.Xc -Output AFS string-to-key -.It Xo -.Fl c Ar cell , -.Fl -cell= Ns Ar cell -.Xc -AFS cell to use -.It Xo -.Fl w Ar password , -.Fl -password= Ns Ar password -.Xc -Password to use -.It Xo -.Fl p Ar principal , -.Fl -principal= Ns Ar principal -.Xc -Kerberos v5 principal to use -.It Xo -.Fl k Ar string , -.Fl -keytype= Ns Ar string -.Xc -Keytype -.It Xo -.Fl -version -.Xc -print version -.It Xo -.Fl -help -.Xc -.El diff --git a/crypto/heimdal/kdc/string2key.c b/crypto/heimdal/kdc/string2key.c deleted file mode 100644 index 677ada645f29..000000000000 --- a/crypto/heimdal/kdc/string2key.c +++ /dev/null 
@@ -1,179 +0,0 @@
-/*
- * Copyright (c) 1997, 1998, 1999, 2002 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include "headers.h" -#include <getarg.h> - -RCSID("$Id: string2key.c,v 1.19 2002/04/18 10:18:07 joda Exp $"); - -int version5; -int version4; -int afs; -char *principal; -char *cell; -char *password; -const char *keytype_str = "des-cbc-md5"; -int version; -int help; - -struct getargs args[] = { - { "version5", '5', arg_flag, &version5, "Output Kerberos v5 string-to-key" }, - { "version4", '4', arg_flag, &version4, "Output Kerberos v4 string-to-key" }, - { "afs", 'a', arg_flag, &afs, "Output AFS string-to-key" }, - { "cell", 'c', arg_string, &cell, "AFS cell to use", "cell" }, - { "password", 'w', arg_string, &password, "Password to use", "password" }, - { "principal",'p', arg_string, &principal, "Kerberos v5 principal to use", "principal" }, - { "keytype", 'k', arg_string, &keytype_str, "Keytype" }, - { "version", 0, arg_flag, &version, "print version" }, - { "help", 0, arg_flag, &help, NULL } -}; - -int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(int status) -{ - arg_printusage (args, num_args, NULL, "password"); - exit(status); -} - -static void -tokey(krb5_context context, - krb5_enctype enctype, - const char *password, - krb5_salt salt, - const char *label) -{ - int i; - krb5_keyblock key; - krb5_string_to_key_salt(context, enctype, password, salt, &key); - printf("%s: ", label); - for(i = 0; i < key.keyvalue.length; i++) - printf("%02x", ((unsigned char*)key.keyvalue.data)[i]); - printf("\n"); - krb5_free_keyblock_contents(context, &key); -} - -int -main(int argc, char **argv) -{ - krb5_context context; - krb5_principal princ; - krb5_salt salt; - int optind; - char buf[1024]; - krb5_enctype etype; - krb5_error_code ret; - - optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL); - - if(help) - usage(0); - - if(version){ - print_version (NULL); - return 0; - } - - argc -= optind; - argv += optind; - - if (argc > 1) - usage(1); - - if(!version5 && !version4 && !afs) - version5 = 1; - - ret = 
krb5_string_to_enctype(context, keytype_str, &etype); -#if 0 - if(ret) { - krb5_keytype keytype; - ret = krb5_string_to_keytype(context, keytype_str, &keytype); - ret = krb5_keytype_to_enctype(context, keytype, &etype); - } -#endif - if(ret) - krb5_err(context, 1, ret, "%s", keytype_str); - - if((etype != ETYPE_DES_CBC_CRC && - etype != ETYPE_DES_CBC_MD4 && - etype != ETYPE_DES_CBC_MD5) && - (afs || version4)) - krb5_errx(context, 1, - "DES is the only valid keytype for AFS and Kerberos 4"); - - - if(version5 && principal == NULL){ - printf("Kerberos v5 principal: "); - if(fgets(buf, sizeof(buf), stdin) == NULL) - return 1; - if(buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = '\0'; - principal = estrdup(buf); - } - if(afs && cell == NULL){ - printf("AFS cell: "); - if(fgets(buf, sizeof(buf), stdin) == NULL) - return 1; - if(buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = '\0'; - cell = estrdup(buf); - } - if(argv[0]) - password = argv[0]; - if(password == NULL){ - if(des_read_pw_string(buf, sizeof(buf), "Password: ", 0)) - return 1; - password = buf; - } - - if(version5){ - krb5_parse_name(context, principal, &princ); - krb5_get_pw_salt(context, princ, &salt); - tokey(context, etype, password, salt, "Kerberos v5 key"); - krb5_free_salt(context, salt); - } - if(version4){ - salt.salttype = KRB5_PW_SALT; - salt.saltvalue.length = 0; - salt.saltvalue.data = NULL; - tokey(context, ETYPE_DES_CBC_MD5, password, salt, "Kerberos v4 key"); - } - if(afs){ - salt.salttype = KRB5_AFS3_SALT; - salt.saltvalue.length = strlen(cell); - salt.saltvalue.data = cell; - tokey(context, ETYPE_DES_CBC_MD5, password, salt, "AFS key"); - } - return 0; -} diff --git a/crypto/heimdal/kdc/string2key.cat8 b/crypto/heimdal/kdc/string2key.cat8 deleted file mode 100644 index 60a819e4d474..000000000000 --- a/crypto/heimdal/kdc/string2key.cat8 +++ /dev/null 
@@ -1,41 +0,0 @@ -STRING2KEY(8) NetBSD System Manager's Manual STRING2KEY(8) - -NNAAMMEE - ssttrriinngg22kkeeyy - map a password into a key - -SSYYNNOOPPSSIISS - ssttrriinngg22kkeeyy [--55 | ----vveerrssiioonn55] [--44 | ----vveerrssiioonn44] [--aa | ----aaffss] [--cc _c_e_l_l | - ----cceellll==_c_e_l_l] [--ww _p_a_s_s_w_o_r_d | ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d] [--pp _p_r_i_n_c_i_p_a_l | - ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--kk _s_t_r_i_n_g | ----kkeeyyttyyppee==_s_t_r_i_n_g] _p_a_s_s_w_o_r_d - -DDEESSCCRRIIPPTTIIOONN - ssttrriinngg22kkeeyy performs the string-to-key function. This is useful when you - want to handle the raw key instead of the password. Supported options: - - --55, ----vveerrssiioonn55 - Output Kerberos v5 string-to-key - - --44, ----vveerrssiioonn44 - Output Kerberos v4 string-to-key - - --aa, ----aaffss - Output AFS string-to-key - - --cc _c_e_l_l, ----cceellll==_c_e_l_l - AFS cell to use - - --ww _p_a_s_s_w_o_r_d, ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d - Password to use - - --pp _p_r_i_n_c_i_p_a_l, ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l - Kerberos v5 principal to use - - --kk _s_t_r_i_n_g, ----kkeeyyttyyppee==_s_t_r_i_n_g - Keytype - - ----vveerrssiioonn - print version - - ----hheellpp - - HEIMDAL March 4, 2000 1 diff --git a/crypto/heimdal/kdc/v4_dump.c b/crypto/heimdal/kdc/v4_dump.c deleted file mode 100644 index dc0a8f20d439..000000000000 --- a/crypto/heimdal/kdc/v4_dump.c +++ /dev/null 
@@ -1,142 +0,0 @@
-/*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "hprop.h"
-
-RCSID("$Id: v4_dump.c,v 1.4 2001/01/26 15:55:07 joda Exp $");
-
-static time_t
-time_parse(const char *cp)
-{
- char wbuf[5];
- struct tm tp;
- int local;
-
- memset(&tp, 0, sizeof(tp)); /* clear out the struct */
-
- /* new format is YYYYMMDDHHMM UTC,
- old format is YYMMDDHHMM local time */
- if (strlen(cp) > 10) { /* new format */
- strlcpy(wbuf, cp, sizeof(wbuf));
- tp.tm_year = atoi(wbuf) - 1900;
- cp += 4;
- local = 0;
- } else {
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- wbuf[2] = '\0';
- tp.tm_year = atoi(wbuf);
- if(tp.tm_year < 38)
- tp.tm_year += 100;
- local = 1;
- }
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- wbuf[2] = 0;
- tp.tm_mon = atoi(wbuf) - 1;
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- tp.tm_mday = atoi(wbuf);
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- tp.tm_hour = atoi(wbuf);
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- tp.tm_min = atoi(wbuf);
-
- return(tm2time(tp, local));
-}
-
-/* convert a version 4 dump file */
-int
-v4_prop_dump(void *arg, const char *file)
-{
- char buf [1024];
- FILE *f;
- int lineno = 0;
-
- f = fopen(file, "r");
- if(f == NULL)
- return errno;
-
- while(fgets(buf, sizeof(buf), f)) {
- int ret;
- unsigned long key[2]; /* yes, long */
- char exp_date[64], mod_date[64];
- struct v4_principal pr;
- int attributes;
-
- memset(&pr, 0, sizeof(pr));
- errno = 0;
- lineno++;
- ret = sscanf(buf, "%s %s %d %d %d %d %lx %lx %s %s %s %s",
- pr.name, pr.instance,
- &pr.max_life, &pr.mkvno, &pr.kvno,
- &attributes,
- &key[0], &key[1],
- exp_date, mod_date,
- pr.mod_name, pr.mod_instance);
- if(ret != 12){
- warnx("Line %d malformed (ignored)", lineno);
- continue;
- }
- if(attributes != 0) {
- warnx("Line %d (%s.%s) has non-zero attributes - skipping",
- lineno, pr.name, pr.instance);
- continue;
- }
- pr.key[0] = (key[0] >> 24) & 0xff;
- pr.key[1] = (key[0] >> 16) & 0xff;
- pr.key[2] = (key[0] >> 8) & 0xff;
- pr.key[3] = (key[0] >> 0) & 0xff;
- pr.key[4] = (key[1] >> 24) & 0xff;
- pr.key[5] = (key[1] >> 16) & 0xff;
- pr.key[6] = (key[1] >> 8) & 0xff;
- pr.key[7] = (key[1] >> 0) & 0xff;
- pr.exp_date = time_parse(exp_date);
- pr.mod_date = time_parse(mod_date);
- if (pr.instance[0] == '*')
- pr.instance[0] = '\0';
- if (pr.mod_name[0] == '*')
- pr.mod_name[0] = '\0';
- if (pr.mod_instance[0] == '*')
- pr.mod_instance[0] = '\0';
- v4_prop(arg, &pr);
- memset(&pr, 0, sizeof(pr));
- }
- return 0;
-} |
