+zephyr (2.1.20010518.SNAPSHOT-10.3) unstable; urgency=low
+
+ * first milestone krb5 client changes (still krb4 protocol)
+ * next up: krb5-only realm
+
+ -- Karl Ramm <kcr@1ts.org> Sun, 1 Jun 2003 23:12:35 -0400
+
zephyr (2.1.20010518.SNAPSHOT-10.2) unstable; urgency=low
* Patch in the krb5 interrealm.
dh_testdir
# Add here commands to configure the package.
-mkdir krb
- cd krb&&../configure --with-krb4=/usr --with-krb5=/usr $(CONFIGURE_ROOT)
+ cd krb&& CFLAGS=-g ../configure --with-krb4=/usr --with-krb5=/usr $(CONFIGURE_ROOT)
-mkdir no-krb
- cd no-krb&&../configure $(CONFIGURE_ROOT)
+ cd no-krb&& CFLAGS=-g ../configure $(CONFIGURE_ROOT)
touch configure-stamp
build: configure-stamp build-stamp
dh_movefiles --sourcedir=debian/tmp-krb -plibzephyr3-krb -pzephyr-server-krb
dh_installdebconf
dh_installdocs
-# dh_installexamples
-# dh_installmenu
-# dh_installemacsen
-# dh_installpam
dh_installinit -pzephyr-clients --init-script=zhm
dh_installinit -pzephyr-server-krb --init-script=zephyrd
dh_installinit -pzephyr-server --init-script=zephyrd
-# dh_installcron
-# dh_installmanpages
-# dh_installinfo
-# dh_undocumented
dh_installchangelogs
dh_strip
-# dh_link
dh_compress
dh_fixperms
# You may want to make some executables suid here.
int timeout));
void Z_gettimeofday(struct _ZTimeval *ztv, struct timezone *tz);
+
+#ifdef HAVE_KRB5
+int ZGetCreds(krb5_creds **creds_out);
+#endif
#endif /* __INTERNAL_H__ */
* This file is automatically generated; please do not edit it.
*/
+#include <et/com_err.h>
+
#define ZERR_PKTLEN (-772103680L)
#define ZERR_HEADERLEN (-772103679L)
#define ZERR_ILLVAL (-772103678L)
#define ZERR_NOMORESUBSCRIPTIONS (-772103660L)
#define ZERR_TOOMANYSUBS (-772103659L)
#define ZERR_EOF (-772103658L)
+extern const struct error_table et_zeph_error_table;
extern void initialize_zeph_error_table(void);
#define ERROR_TABLE_BASE_zeph (-772103680L)
ZNotice_t *notice;
struct sockaddr_in *from;
{
-#ifdef HAVE_KRB4
+#if defined(HAVE_KRB4) || defined(HAVE_KRB5)
int result;
ZChecksum_t our_checksum;
+ C_Block *session;
+#ifdef HAVE_KRB5
+ krb5_creds *creds_out;
+#else
CREDENTIALS cred;
-
+#endif
/* If the value is already known, return it. */
if (notice->z_checked_auth != ZAUTH_UNSET)
return (notice->z_checked_auth);
if (!notice->z_auth)
return (ZAUTH_NO);
-
+
+#ifdef HAVE_KRB5
+ result = ZGetCreds(&creds_out);
+ if (result)
+ return ZAUTH_NO;
+ /* HOLDING: creds_out */
+
+ if (creds_out->keyblock.enctype != ENCTYPE_DES_CBC_CRC)
+ return (ZAUTH_NO);
+ session = (C_Block *)creds_out->keyblock.contents;
+
+#else
if ((result = krb_get_cred(SERVER_SERVICE, SERVER_INSTANCE,
__Zephyr_realm, &cred)) != 0)
return (ZAUTH_NO);
+ session = (C_Block *)cred.session;
+#endif
+
#ifdef NOENCRYPTION
our_checksum = 0;
#else
our_checksum = des_quad_cksum(notice->z_packet, NULL,
notice->z_default_format+
strlen(notice->z_default_format)+1-
- notice->z_packet, 0, cred.session);
+ notice->z_packet, 0, session);
#endif
/* if mismatched checksum, then the packet was corrupted */
return ((our_checksum == notice->z_checksum) ? ZAUTH_YES : ZAUTH_FAILED);
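Review bot: On the HAVE_KRB5 path the krb5_creds handed back by ZGetCreds is never released: both the enctype-mismatch `return (ZAUTH_NO)` and the final checksum-comparison return drop creds_out, so every authenticated notice that gets checked leaks a heap block that holds a DES session key. Freeing it straight after the enctype test is not enough, because `session` points into creds_out->keyblock.contents and is consumed by des_quad_cksum further down, so the free has to come after the checksum is computed; the sketch below does that (assuming Z_krb5_ctx is visible here as it is in ZGetSender elsewhere in this patch). The head of ZCheckAuthentication and its closing brace lie outside this hunk.
```c
#ifdef HAVE_KRB5
    result = ZGetCreds(&creds_out);
    if (result)
        return ZAUTH_NO;
    /* HOLDING: creds_out until the checksum below has been computed */
    if (creds_out->keyblock.enctype != ENCTYPE_DES_CBC_CRC) {
        krb5_free_creds(Z_krb5_ctx, creds_out);
        return (ZAUTH_NO);
    }
    session = (C_Block *)creds_out->keyblock.contents;
#else
    /* … unchanged: krb4 krb_get_cred path … */
#endif
    /* … unchanged: des_quad_cksum over the packet … */
    /* if mismatched checksum, then the packet was corrupted */
    result = (our_checksum == notice->z_checksum) ? ZAUTH_YES : ZAUTH_FAILED;
#ifdef HAVE_KRB5
    krb5_free_creds(Z_krb5_ctx, creds_out);
#endif
    return result;
```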
char *ZGetSender()
{
struct passwd *pw;
+ static char *sender = NULL;
+#ifdef HAVE_KRB5
+ krb5_ccache ccache;
+ krb5_principal principal;
+ char *prname;
+ int result;
+ char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; /*XXX*/
+#else
#ifdef HAVE_KRB4
char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
- static char sender[ANAME_SZ+INST_SZ+REALM_SZ+3] = "";
-#else
- static char sender[128] = "";
+#endif
#endif
/* Return it if already cached */
- if (*sender)
+ if (sender)
return (sender);
+#ifdef HAVE_KRB5
+ result = krb5_cc_default(Z_krb5_ctx, &ccache);
+ if (!result) {
+ result = krb5_cc_get_principal(Z_krb5_ctx, ccache, &principal);
+ if (!result) {
+#if 0
+ krb5_unparse_name(Z_krb5_ctx, principal, &prname);
+ sender = strdup(prname);
+#else
+ krb5_524_conv_principal(Z_krb5_ctx, principal, pname, pinst, prealm);
+ sender = malloc(ANAME_SZ+INST_SZ+REALM_SZ+3);
+ if (sender)
+ (void) sprintf(sender, "%s%s%s@%s", pname, (pinst[0]?".":""),
+ pinst, prealm);
+#endif
+ krb5_free_principal(Z_krb5_ctx, principal);
+ }
+ krb5_cc_close(Z_krb5_ctx, ccache);
+ }
+#else
#ifdef HAVE_KRB4
if (krb_get_tf_fullname((char *)TKT_FILE, pname, pinst, prealm) == KSUCCESS)
{
- (void) sprintf(sender, "%s%s%s@%s", pname, (pinst[0]?".":""),
- pinst, prealm);
+ sender = malloc(ANAME_SZ+INST_SZ+REALM_SZ+3);
+ if (sender)
+ (void) sprintf(sender, "%s%s%s@%s", pname, (pinst[0]?".":""),
+ pinst, prealm);
return (sender);
}
+#endif
#endif
/* XXX a uid_t is a u_short (now), but getpwuid
pw = getpwuid((int) getuid());
if (!pw)
return ("unknown");
- (void) sprintf(sender, "%s@%s", pw->pw_name, __Zephyr_realm);
+ sender = malloc(strlen(pw->pw_name) + strlen(__Zephyr_realm));
+ if (sender)
+ (void) sprintf(sender, "%s@%s", pw->pw_name, __Zephyr_realm);
return (sender);
}
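Review bot: The getpwuid fallback at the end of ZGetSender allocates `strlen(pw->pw_name) + strlen(__Zephyr_realm)` bytes and then sprintf's "%s@%s" into it, which needs two more bytes for the '@' and the terminating NUL, so every non-Kerberos sender lookup writes two bytes past the allocation; it should read `sender = malloc(strlen(pw->pw_name) + strlen(__Zephyr_realm) + 2);`. In the krb5 branch the return value of krb5_524_conv_principal is ignored, so when the ccache principal cannot be expressed as a krb4 name the uninitialised pname/pinst/prealm buffers are formatted into sender; guarding it with `if (krb5_524_conv_principal(Z_krb5_ctx, principal, pname, pinst, prealm) == 0) { ... }` lets the code fall through to the passwd-based name instead. The `#if 0` krb5_unparse_name alternative is dead code and would be clearer as a one-line comment saying why the krb4-style name is kept for now.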
#ifdef HAVE_KRB4
#include <krb_err.h>
#endif
+#ifdef HAVE_KRB5
+#include <krb5.h>
+#endif
#ifdef HAVE_KRB5_ERR_H
#include <krb5_err.h>
#endif
int s, sinsize = sizeof(sin);
Code_t code;
ZNotice_t notice;
+#ifdef HAVE_KRB5
+ char **krealms = NULL;
+#else
#ifdef HAVE_KRB4
char *krealm = NULL;
int krbval;
char d1[ANAME_SZ], d2[INST_SZ];
+#endif
+#endif
+#ifdef HAVE_KRB4
initialize_krb_error_table();
#endif
#ifdef HAVE_KRB5
If this code ever support a multiplexing zhm, this will have to
be made smarter, and probably per-message */
+#ifdef HAVE_KRB5
+ code = krb5_get_host_realm(Z_krb5_ctx, notice.z_message, &krealms);
+ if (code)
+ return(code);
+#else
#ifdef HAVE_KRB4
krealm = krb_realmofhost(notice.z_message);
+#endif
#endif
hostent = gethostbyname(notice.z_message);
if (hostent && hostent->h_addrtype == AF_INET)
ZFreeNotice(¬ice);
}
+#ifdef HAVE_KRB5
+ if (krealms) {
+ strcpy(__Zephyr_realm, krealms[0]);
+ krb5_free_host_realm(Z_krb5_ctx, krealms);
+ } else {
+ /* XXX check ticket file here */
+ code = krb5_get_default_realm(Z_krb5_ctx, __Zephyr_realm);
+ if (code)
+ return code;
+ }
+#else
#ifdef HAVE_KRB4
if (krealm) {
strcpy(__Zephyr_realm, krealm);
}
#else
strcpy(__Zephyr_realm, "local-realm");
+#endif
#endif
__My_addr.s_addr = INADDR_NONE;
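Review bot: `krb5_get_default_realm(Z_krb5_ctx, __Zephyr_realm)` in the new else branch passes the realm array where the library expects a `char **` into which it stores a freshly allocated string, so the first pointer-sized bytes of __Zephyr_realm are overwritten with a heap address, the real realm name never reaches the buffer, and the allocation is leaked; the client ends up with a garbage realm whenever no host-realm mapping is found. The `strcpy(__Zephyr_realm, krealms[0])` above it is also unbounded into the REALM_SZ-sized buffer declared later in this patch, and krb5 realm names coming from krb5.conf or DNS are not limited to the krb4 size. Separately, the early `return(code)` after krb5_get_host_realm skips the ZFreeNotice call that the success path performs on the received notice. The sketch below addresses all three (krb5_free_default_realm is the MIT release routine; use free() on builds that predate it, and substitute whichever Code_t you prefer for an over-long realm — ZERR_ILLVAL is used here). The beginning of ZInitialize is outside this hunk.
```c
#ifdef HAVE_KRB5
    code = krb5_get_host_realm(Z_krb5_ctx, notice.z_message, &krealms);
    if (code) {
        ZFreeNotice(&notice);
        return(code);
    }
#else
    /* … unchanged: krb4 krb_realmofhost … */
#endif
    /* … unchanged: gethostbyname, ZFreeNotice, closing brace … */
#ifdef HAVE_KRB5
    if (krealms) {
        if (strlen(krealms[0]) >= REALM_SZ) {
            krb5_free_host_realm(Z_krb5_ctx, krealms);
            return ZERR_ILLVAL;
        }
        strcpy(__Zephyr_realm, krealms[0]);
        krb5_free_host_realm(Z_krb5_ctx, krealms);
    } else {
        char *defrealm = NULL;
        /* XXX check ticket file here */
        code = krb5_get_default_realm(Z_krb5_ctx, &defrealm);
        if (code)
            return code;
        if (strlen(defrealm) >= REALM_SZ)
            code = ZERR_ILLVAL;
        else
            strcpy(__Zephyr_realm, defrealm);
        krb5_free_default_realm(Z_krb5_ctx, defrealm);
        if (code)
            return code;
    }
#else
    /* … unchanged: krb4 / no-krb realm selection … */
#endif
```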
int buffer_len;
int *len;
{
-#ifdef HAVE_KRB4
+#if defined(HAVE_KRB4) || defined(HAVE_KRB5)
int result;
time_t now;
KTEXT_ST authent;
char *cstart, *cend;
ZChecksum_t checksum;
CREDENTIALS cred;
- extern unsigned long des_quad_cksum();
+ C_Block *session;
+#ifdef HAVE_KRB5
+ krb5_creds *creds_out;
+
+ result = ZGetCreds(&creds_out);
+ if (result)
+ return result;
+
+ result = krb5_524_convert_creds(Z_krb5_ctx, creds_out, &cred);
+ /* krb5_free_creds(Z_krb5_ctx, creds_out);*/
+ if (result)
+ return result;
+ /* HOLDING: creds_out */
+
+ if (creds_out->keyblock.enctype != ENCTYPE_DES_CBC_CRC)
+ return (KRB5_BAD_ENCTYPE);
+ session = (C_Block *)creds_out->keyblock.contents;
+ result = krb_mk_req_creds(&authent, &cred, 0);
+ if (result != MK_AP_OK)
+ return result + krb_err_base;
+#endif
+#ifndef HAVE_KRB5
result = krb_mk_req(&authent, SERVER_SERVICE,
SERVER_INSTANCE, __Zephyr_realm, 0);
if (result != MK_AP_OK)
if (result != KSUCCESS)
return (result+krb_err_base);
+ session = (C_Block *)cred.session;
+#endif
+
notice->z_auth = 1;
notice->z_authent_len = authent.length;
notice->z_ascii_authent = (char *)malloc((unsigned)authent.length*3);
return(result);
/* Compute a checksum over the header and message. */
- checksum = des_quad_cksum(buffer, NULL, cstart - buffer, 0, cred.session);
+ checksum = des_quad_cksum(buffer, NULL, cstart - buffer, 0, session);
checksum ^= des_quad_cksum(cend, NULL, buffer + *len - cend, 0,
- cred.session);
+ session);
checksum ^= des_quad_cksum(notice->z_message, NULL, notice->z_message_len,
- 0, cred.session);
+ 0, session);
notice->z_checksum = checksum;
ZMakeAscii32(cstart, buffer + buffer_len - cstart, checksum);
return (result);
#endif /* HAVE_KRB5 */
}
+
+#ifdef HAVE_KRB5
+int ZGetCreds(krb5_creds **creds_out) {
+ krb5_creds creds_in;
+ krb5_ccache ccache; /* XXX make this a global or static?*/
+ int result;
+
+ result = krb5_cc_default(Z_krb5_ctx, &ccache);
+ if (result)
+ return result;
+
+ memset((char *)&creds_in, 0, sizeof(creds_in));
+ result = krb5_build_principal(Z_krb5_ctx, &creds_in.server,
+ strlen(__Zephyr_realm), __Zephyr_realm,
+ SERVER_SERVICE, SERVER_INSTANCE, 0);
+ if (result) {
+ krb5_cc_close(Z_krb5_ctx, ccache);
+ return result;
+ }
+
+ result = krb5_cc_get_principal(Z_krb5_ctx, ccache, &creds_in.client);
+ if (result) {
+ krb5_free_cred_contents(Z_krb5_ctx, &creds_in); /* I also hope this is ok */
+ krb5_cc_close(Z_krb5_ctx, ccache);
+ return result;
+ }
+
+ creds_in.times.endtime = 0;
+ creds_in.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
+
+ result = krb5_get_credentials(Z_krb5_ctx, 0, ccache, &creds_in, creds_out);
+ krb5_cc_close(Z_krb5_ctx, ccache);
+ krb5_free_cred_contents(Z_krb5_ctx, &creds_in); /* I also hope this is ok */
+
+ return result;
+
+
+}
+#endif
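Review bot: ZMakeAuthentication leaves the `krb5_free_creds` after krb5_524_convert_creds commented out, and every exit from the krb5 branch (convert failure, the enctype test, krb_mk_req_creds failure, and the success path) drops creds_out, so a krb5_creds holding the DES session key is leaked on every notice sent. As far as I can tell krb5_524_convert_creds copies the keyblock into cred.session (and itself refuses non-DES keys), so the fix is to take `session` from cred.session exactly as the krb4 branch does and free creds_out as soon as the conversion is done; the sketch below does that. ZGetCreds would also benefit from a header comment stating the contract its callers rely on, e.g. "Fetch a DES-CBC-CRC service ticket for SERVER_SERVICE/SERVER_INSTANCE@__Zephyr_realm from the default ccache; on success *creds_out is allocated by krb5_get_credentials and the caller must release it with krb5_free_creds()." ZMakeAuthentication's parameter list starts before this hunk.
```c
#ifdef HAVE_KRB5
    krb5_creds *creds_out;

    result = ZGetCreds(&creds_out);
    if (result)
        return result;

    /* Copies the session key into cred; creds_out is not needed after this. */
    result = krb5_524_convert_creds(Z_krb5_ctx, creds_out, &cred);
    if (result == 0 && creds_out->keyblock.enctype != ENCTYPE_DES_CBC_CRC)
        result = KRB5_BAD_ENCTYPE;
    krb5_free_creds(Z_krb5_ctx, creds_out);
    if (result)
        return result;
    session = (C_Block *)cred.session;
    result = krb_mk_req_creds(&authent, &cred, 0);
    if (result != MK_AP_OK)
        return result + krb_err_base;
#endif
/* … unchanged: krb4 krb_mk_req path, authenticator encoding, checksums … */
```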
}
#endif /* HAVE_KRB5 */
-#ifdef HAVE_KRB4
-C_Block __Zephyr_session;
-#endif
char __Zephyr_realm[REALM_SZ];
#ifdef Z_DEBUG
krb5_ccache Z_krb5_ccache;
#endif
+#ifdef HAVE_KRB4
+C_Block __Zephyr_session;
+#endif
+
int
main(argc, argv)
int argc;
check:
install: zwgc
- ${INSTALL} -m 755 -s zwgc ${DESTDIR}${bindir}
+ ${INSTALL} -m 755 zwgc ${DESTDIR}${bindir}
${INSTALL} -m 644 ${srcdir}/zwgc.1 ${DESTDIR}${mandir}/man1
${INSTALL} -m 644 ${srcdir}/zwgc.desc ${DESTDIR}${datadir}/zephyr
${INSTALL} -m 644 ${srcdir}/zwgc_resources ${DESTDIR}${datadir}/zephyr