From dcc63ec1f3f35d6b7b5675193873f103a0aef55d Mon Sep 17 00:00:00 2001 From: kcr Date: Mon, 2 Jun 2003 03:14:49 +0000 Subject: [PATCH] krb5 client doing krb4 protocol git-svn-id: svn://svn.1ts.org/debian/branches/athena-update-branch@178 cbed1d16-5ef5-0310-b6a1-d4a37b08ba1f --- zephyr/debian/changelog | 7 ++++ zephyr/debian/rules | 13 +------ zephyr/h/internal.h | 4 ++ zephyr/h/zephyr/zephyr_err.h | 3 ++ zephyr/lib/ZCkAuth.c | 26 +++++++++++-- zephyr/lib/ZGetSender.c | 45 ++++++++++++++++++---- zephyr/lib/ZInit.c | 27 +++++++++++++ zephyr/lib/ZMkAuth.c | 73 +++++++++++++++++++++++++++++++++--- zephyr/lib/Zinternal.c | 3 -- zephyr/server/main.c | 4 ++ zephyr/zwgc/Makefile.in | 2 +- 11 files changed, 176 insertions(+), 31 deletions(-) diff --git a/zephyr/debian/changelog b/zephyr/debian/changelog index d6d8780..2996356 100644 --- a/zephyr/debian/changelog +++ b/zephyr/debian/changelog @@ -1,3 +1,10 @@ +zephyr (2.1.20010518.SNAPSHOT-10.3) unstable; urgency=low + + * first milestone krb5 client changes (still krb4 protocol) + * next up: krb5-only realm + + -- Karl Ramm Sun, 1 Jun 2003 23:12:35 -0400 + zephyr (2.1.20010518.SNAPSHOT-10.2) unstable; urgency=low * Patch in the krb5 interrealm. diff --git a/zephyr/debian/rules b/zephyr/debian/rules index 9dc1796..5bbe2c8 100755 --- a/zephyr/debian/rules +++ b/zephyr/debian/rules @@ -23,9 +23,9 @@ configure-stamp: dh_testdir # Add here commands to configure the package. -mkdir krb - cd krb&&../configure --with-krb4=/usr --with-krb5=/usr $(CONFIGURE_ROOT) + cd krb&& CFLAGS=-g ../configure --with-krb4=/usr --with-krb5=/usr $(CONFIGURE_ROOT) -mkdir no-krb - cd no-krb&&../configure $(CONFIGURE_ROOT) + cd no-krb&& CFLAGS=-g ../configure $(CONFIGURE_ROOT) touch configure-stamp build: configure-stamp build-stamp 
@@ -102,20 +102,11 @@ binary-arch: build install dh_movefiles --sourcedir=debian/tmp-krb -plibzephyr3-krb -pzephyr-server-krb dh_installdebconf dh_installdocs -# dh_installexamples -# dh_installmenu -# dh_installemacsen -# dh_installpam dh_installinit -pzephyr-clients --init-script=zhm dh_installinit -pzephyr-server-krb --init-script=zephyrd dh_installinit -pzephyr-server --init-script=zephyrd -# dh_installcron -# dh_installmanpages -# dh_installinfo -# dh_undocumented dh_installchangelogs dh_strip -# dh_link dh_compress dh_fixperms # You may want to make some executables suid here. diff --git a/zephyr/h/internal.h b/zephyr/h/internal.h index 2924e07..78f98cf 100644 --- a/zephyr/h/internal.h +++ b/zephyr/h/internal.h @@ -114,5 +114,9 @@ Code_t Z_WaitForNotice __P((ZNotice_t *notice, int timeout)); void Z_gettimeofday(struct _ZTimeval *ztv, struct timezone *tz); + +#ifdef HAVE_KRB5 +int ZGetCreds(krb5_creds **creds_out); +#endif #endif /* __INTERNAL_H__ */ diff --git a/zephyr/h/zephyr/zephyr_err.h b/zephyr/h/zephyr/zephyr_err.h index 3fd16e9..466b34d 100644 --- a/zephyr/h/zephyr/zephyr_err.h +++ b/zephyr/h/zephyr/zephyr_err.h @@ -3,6 +3,8 @@ * This file is automatically generated; please do not edit it. */ +#include + #define ZERR_PKTLEN (-772103680L) #define ZERR_HEADERLEN (-772103679L) #define ZERR_ILLVAL (-772103678L) @@ -26,6 +28,7 @@ #define ZERR_NOMORESUBSCRIPTIONS (-772103660L) #define ZERR_TOOMANYSUBS (-772103659L) #define ZERR_EOF (-772103658L) +extern const struct error_table et_zeph_error_table; extern void initialize_zeph_error_table(void); #define ERROR_TABLE_BASE_zeph (-772103680L) diff --git a/zephyr/lib/ZCkAuth.c b/zephyr/lib/ZCkAuth.c index 375145f..ed69a6a 100644 --- a/zephyr/lib/ZCkAuth.c +++ b/zephyr/lib/ZCkAuth.c 
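Review bot: The new `ZGetCreds` prototype in the internal.h hunk says nothing about who owns `*creds_out`, yet the definition added in the ZMkAuth.c hunk fills it through krb5_get_credentials, which allocates, and neither caller in this patch releases it. A comment on the declaration would pin the contract: `/* Look up a SERVER_SERVICE/SERVER_INSTANCE@__Zephyr_realm ticket in the default ccache; on success *creds_out is allocated and the caller must release it with krb5_free_creds(). */`. The prototype also needs `krb5_creds` in scope, so unless internal.h already pulls in the krb5 header above the part shown, every includer now has to include it before internal.h under HAVE_KRB5.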
@@ -33,29 +33,47 @@ Code_t ZCheckAuthentication(notice, from) ZNotice_t *notice; struct sockaddr_in *from; { -#ifdef HAVE_KRB4 +#if defined(HAVE_KRB4) || defined(HAVE_KRB5) int result; ZChecksum_t our_checksum; + C_Block *session; +#ifdef HAVE_KRB5 + krb5_creds *creds_out; +#else CREDENTIALS cred; - +#endif /* If the value is already known, return it. */ if (notice->z_checked_auth != ZAUTH_UNSET) return (notice->z_checked_auth); if (!notice->z_auth) return (ZAUTH_NO); - + +#ifdef HAVE_KRB5 + result = ZGetCreds(&creds_out); + if (result) + return ZAUTH_NO; + /* HOLDING: creds_out */ + + if (creds_out->keyblock.enctype != ENCTYPE_DES_CBC_CRC) + return (ZAUTH_NO); + session = (C_Block *)creds_out->keyblock.contents; + +#else if ((result = krb_get_cred(SERVER_SERVICE, SERVER_INSTANCE, __Zephyr_realm, &cred)) != 0) return (ZAUTH_NO); + session = (C_Block *)cred.session; +#endif + #ifdef NOENCRYPTION our_checksum = 0; #else our_checksum = des_quad_cksum(notice->z_packet, NULL, notice->z_default_format+ strlen(notice->z_default_format)+1- - notice->z_packet, 0, cred.session); + notice->z_packet, 0, session); #endif /* if mismatched checksum, then the packet was corrupted */ return ((our_checksum == notice->z_checksum) ? ZAUTH_YES : ZAUTH_FAILED); diff --git a/zephyr/lib/ZGetSender.c b/zephyr/lib/ZGetSender.c index ef5e936..bd8a62b 100644 --- a/zephyr/lib/ZGetSender.c +++ b/zephyr/lib/ZGetSender.c 
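Review bot: In the HAVE_KRB5 branch the `creds_out` returned by ZGetCreds is never released: both the enctype-mismatch return and the final checksum return leave the allocation behind, so every authenticated notice checked on a krb5 client leaks a krb5_creds; the same pattern is in the ZMakeAuthentication hunk in ZMkAuth.c, where the `krb5_free_creds` call is commented out. Because `session` points into `creds_out->keyblock.contents`, the free has to come after des_quad_cksum: `if (creds_out->keyblock.enctype != ENCTYPE_DES_CBC_CRC) { krb5_free_creds(Z_krb5_ctx, creds_out); return (ZAUTH_NO); }` for the early exit, and a `krb5_free_creds(Z_krb5_ctx, creds_out);` under `#ifdef HAVE_KRB5` between the NOENCRYPTION `#endif` and the final return, which only reads `our_checksum` and `notice`. With that in place the `/* HOLDING: creds_out */` marker describes a real obligation instead of a reminder with no matching release.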
@@ -22,24 +22,53 @@ static const char rcsid_ZGetSender_c[] = char *ZGetSender() { struct passwd *pw; + static char *sender = NULL; +#ifdef HAVE_KRB5 + krb5_ccache ccache; + krb5_principal principal; + char *prname; + int result; + char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; /*XXX*/ +#else #ifdef HAVE_KRB4 char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; - static char sender[ANAME_SZ+INST_SZ+REALM_SZ+3] = ""; -#else - static char sender[128] = ""; +#endif #endif /* Return it if already cached */ - if (*sender) + if (sender) return (sender); +#ifdef HAVE_KRB5 + result = krb5_cc_default(Z_krb5_ctx, &ccache); + if (!result) { + result = krb5_cc_get_principal(Z_krb5_ctx, ccache, &principal); + if (!result) { +#if 0 + krb5_unparse_name(Z_krb5_ctx, principal, &prname); + sender = strdup(prname); +#else + krb5_524_conv_principal(Z_krb5_ctx, principal, pname, pinst, prealm); + sender = malloc(ANAME_SZ+INST_SZ+REALM_SZ+3); + if (sender) + (void) sprintf(sender, "%s%s%s@%s", pname, (pinst[0]?".":""), + pinst, prealm); +#endif + krb5_free_principal(Z_krb5_ctx, principal); + } + krb5_cc_close(Z_krb5_ctx, ccache); + } +#else #ifdef HAVE_KRB4 if (krb_get_tf_fullname((char *)TKT_FILE, pname, pinst, prealm) == KSUCCESS) { - (void) sprintf(sender, "%s%s%s@%s", pname, (pinst[0]?".":""), - pinst, prealm); + sender = malloc(ANAME_SZ+INST_SZ+REALM_SZ+3); + if (sender) + (void) sprintf(sender, "%s%s%s@%s", pname, (pinst[0]?".":""), + pinst, prealm); return (sender); } +#endif #endif /* XXX a uid_t is a u_short (now), but getpwuid @@ -47,6 +76,8 @@ char *ZGetSender() pw = getpwuid((int) getuid()); if (!pw) return ("unknown"); - (void) sprintf(sender, "%s@%s", pw->pw_name, __Zephyr_realm); + sender = malloc(strlen(pw->pw_name) + strlen(__Zephyr_realm)); + if (sender) + (void) sprintf(sender, "%s@%s", pw->pw_name, __Zephyr_realm); return (sender); } diff --git a/zephyr/lib/ZInit.c b/zephyr/lib/ZInit.c index 391992f..fe820fa 100644 --- a/zephyr/lib/ZInit.c 
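Review bot: The HAVE_KRB5 branch never returns the sender it just built: unlike the HAVE_KRB4 branch there is no `return (sender);` after `krb5_cc_close`, so control falls through to the getpwuid code in the next hunk, which reassigns `sender` (leaking the first allocation) and discards the credential-derived principal — presumably leaving callers with the local username rather than the ticket's name. Adding `if (sender) return (sender);` after `krb5_cc_close(Z_krb5_ctx, ccache);` restores the KRB4 behaviour. The return value of `krb5_524_conv_principal` is also ignored, and on failure `pname`/`pinst`/`prealm` are not guaranteed to be filled before sprintf formats them, so the malloc/sprintf pair should sit under `if (krb5_524_conv_principal(Z_krb5_ctx, principal, pname, pinst, prealm) == 0) {`. The function's opening brace is inside this hunk but its end is in the next one.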
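Review bot: The allocation in the passwd fallback is two bytes short: `"%s@%s"` needs room for the `@` and the terminating NUL, but `malloc(strlen(pw->pw_name) + strlen(__Zephyr_realm))` provides neither, so the sprintf writes past the end of the heap block every time this path is taken. Use `sender = malloc(strlen(pw->pw_name) + strlen(__Zephyr_realm) + 2);`, or compute the size once and write the string with a single bounded snprintf. Note also that ZGetSender previously always returned a static buffer and now returns NULL when malloc fails in any of the three paths; callers that hand the result straight to strcpy or strlen would need checking, which cannot be seen from here.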
+++ b/zephyr/lib/ZInit.c @@ -21,6 +21,9 @@ static char rcsid_ZInitialize_c[] = #ifdef HAVE_KRB4 #include #endif +#ifdef HAVE_KRB5 +#include +#endif #ifdef HAVE_KRB5_ERR_H #include #endif @@ -39,11 +42,17 @@ Code_t ZInitialize() int s, sinsize = sizeof(sin); Code_t code; ZNotice_t notice; +#ifdef HAVE_KRB5 + char **krealms = NULL; +#else #ifdef HAVE_KRB4 char *krealm = NULL; int krbval; char d1[ANAME_SZ], d2[INST_SZ]; +#endif +#endif +#ifdef HAVE_KRB4 initialize_krb_error_table(); #endif #ifdef HAVE_KRB5 @@ -96,8 +105,14 @@ Code_t ZInitialize() If this code ever support a multiplexing zhm, this will have to be made smarter, and probably per-message */ +#ifdef HAVE_KRB5 + code = krb5_get_host_realm(Z_krb5_ctx, notice.z_message, &krealms); + if (code) + return(code); +#else #ifdef HAVE_KRB4 krealm = krb_realmofhost(notice.z_message); +#endif #endif hostent = gethostbyname(notice.z_message); if (hostent && hostent->h_addrtype == AF_INET) @@ -106,6 +121,17 @@ Code_t ZInitialize() ZFreeNotice(¬ice); } +#ifdef HAVE_KRB5 + if (krealms) { + strcpy(__Zephyr_realm, krealms[0]); + krb5_free_host_realm(Z_krb5_ctx, krealms); + } else { + /* XXX check ticket file here */ + code = krb5_get_default_realm(Z_krb5_ctx, __Zephyr_realm); + if (code) + return code; + } +#else #ifdef HAVE_KRB4 if (krealm) { strcpy(__Zephyr_realm, krealm); @@ -116,6 +142,7 @@ Code_t ZInitialize() } #else strcpy(__Zephyr_realm, "local-realm"); +#endif #endif __My_addr.s_addr = INADDR_NONE; diff --git a/zephyr/lib/ZMkAuth.c b/zephyr/lib/ZMkAuth.c index f776cba..bf17695 100644 --- a/zephyr/lib/ZMkAuth.c +++ b/zephyr/lib/ZMkAuth.c 
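Review bot: The new `return(code)` after `krb5_get_host_realm` exits ZInitialize between the notice being received and `ZFreeNotice(&notice)` (visible as context at the top of the following hunk), so the notice contents are leaked on that error path, and whatever else the function releases at its end — the socket `s` declared in this hunk's context is the obvious candidate — is presumably skipped too; ZInitialize starts before this hunk and ends after it, so that cannot be confirmed here. The KRB4 lookup it replaces (`krb_realmofhost`) cannot fail, which is why no cleanup existed at this point. The smallest fix is `if (code) { ZFreeNotice(&notice); return(code); }`, or alternatively treat a lookup failure as "no host realm" by leaving `krealms` NULL so the default-realm branch below is taken.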
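Review bot: `krb5_get_default_realm(Z_krb5_ctx, __Zephyr_realm)` does not fill the array: that function takes a `char **` and stores a pointer to a newly allocated string, so passing `__Zephyr_realm` (a `char[REALM_SZ]`, as the Zinternal.c hunk shows) makes it write a pointer value into the first bytes of the realm buffer rather than a realm name — a compiler warns about the incompatible pointer type but still builds it. The neighbouring `strcpy(__Zephyr_realm, krealms[0])` has the mirror-image problem, since the host realm string comes back from the library without any REALM_SZ bound, and depending on the library version it may be an empty string when the host's realm is unknown. Both copies should go through a length check with the library-owned string released afterwards (krb5_free_default_realm where the library provides it), as sketched below; the error code to return for an oversize realm is a choice for the author, ZERR_ILLVAL is used here as a stand-in.
```c
#ifdef HAVE_KRB5
    if (krealms) {
        /* krealms[0] is library-owned and not bounded by REALM_SZ. */
        if (krealms[0][0] == '\0' || strlen(krealms[0]) >= REALM_SZ) {
            krb5_free_host_realm(Z_krb5_ctx, krealms);
            return ZERR_ILLVAL;   /* stand-in: pick the appropriate error code */
        }
        strcpy(__Zephyr_realm, krealms[0]);
        krb5_free_host_realm(Z_krb5_ctx, krealms);
    } else {
        char *drealm = NULL;
        /* XXX check ticket file here */
        code = krb5_get_default_realm(Z_krb5_ctx, &drealm);
        if (code)
            return code;
        if (strlen(drealm) >= REALM_SZ) {
            krb5_free_default_realm(Z_krb5_ctx, drealm);
            return ZERR_ILLVAL;   /* stand-in: pick the appropriate error code */
        }
        strcpy(__Zephyr_realm, drealm);
        krb5_free_default_realm(Z_krb5_ctx, drealm);
    }
#else
    /* … unchanged: HAVE_KRB4 realm handling … */
```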
@@ -34,15 +34,36 @@ Code_t ZMakeAuthentication(notice, buffer, buffer_len, len) int buffer_len; int *len; { -#ifdef HAVE_KRB4 +#if defined(HAVE_KRB4) || defined(HAVE_KRB5) int result; time_t now; KTEXT_ST authent; char *cstart, *cend; ZChecksum_t checksum; CREDENTIALS cred; - extern unsigned long des_quad_cksum(); + C_Block *session; +#ifdef HAVE_KRB5 + krb5_creds *creds_out; + + result = ZGetCreds(&creds_out); + if (result) + return result; + + result = krb5_524_convert_creds(Z_krb5_ctx, creds_out, &cred); + /* krb5_free_creds(Z_krb5_ctx, creds_out);*/ + if (result) + return result; + /* HOLDING: creds_out */ + + if (creds_out->keyblock.enctype != ENCTYPE_DES_CBC_CRC) + return (KRB5_BAD_ENCTYPE); + session = (C_Block *)creds_out->keyblock.contents; + result = krb_mk_req_creds(&authent, &cred, 0); + if (result != MK_AP_OK) + return result + krb_err_base; +#endif +#ifndef HAVE_KRB5 result = krb_mk_req(&authent, SERVER_SERVICE, SERVER_INSTANCE, __Zephyr_realm, 0); if (result != MK_AP_OK) @@ -52,6 +73,9 @@ Code_t ZMakeAuthentication(notice, buffer, buffer_len, len) if (result != KSUCCESS) return (result+krb_err_base); + session = (C_Block *)cred.session; +#endif + notice->z_auth = 1; notice->z_authent_len = authent.length; notice->z_ascii_authent = (char *)malloc((unsigned)authent.length*3); @@ -73,11 +97,11 @@ Code_t ZMakeAuthentication(notice, buffer, buffer_len, len) return(result); /* Compute a checksum over the header and message. */ - checksum = des_quad_cksum(buffer, NULL, cstart - buffer, 0, cred.session); + checksum = des_quad_cksum(buffer, NULL, cstart - buffer, 0, session); checksum ^= des_quad_cksum(cend, NULL, buffer + *len - cend, 0, - cred.session); + session); checksum ^= des_quad_cksum(notice->z_message, NULL, notice->z_message_len, - 0, cred.session); + 0, session); notice->z_checksum = checksum; ZMakeAscii32(cstart, buffer + buffer_len - cstart, checksum); 
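Review bot: The HAVE_KRB5 branch keeps `creds_out` alive only so that `session` can point into it, although `krb5_524_convert_creds` has already placed the same DES key in `cred.session` — which is exactly what the `#ifndef HAVE_KRB5` branch reads in the next hunk, and presumably why `krb5_free_creds` ended up commented out rather than removed. Moving the enctype check before the conversion, taking `session = (C_Block *)cred.session;` in both builds and restoring the free right after the conversion removes the pointer into a block that must outlive the checksums and the `/* HOLDING */` bookkeeping with it; the rewritten branch is below. The early returns between ZGetCreds and the conversion also have to release `creds_out`, which the sketch does. ZMakeAuthentication continues past this hunk; the `session` uses in the checksum hunk later in the file are unaffected.
```c
#ifdef HAVE_KRB5
    krb5_creds *creds_out;

    result = ZGetCreds(&creds_out);
    if (result)
        return result;

    /* Check the ticket's key type before converting; the DES key is what des_quad_cksum needs. */
    if (creds_out->keyblock.enctype != ENCTYPE_DES_CBC_CRC) {
        krb5_free_creds(Z_krb5_ctx, creds_out);
        return (KRB5_BAD_ENCTYPE);
    }

    /* The krb4 CREDENTIALS receives its own copy of the session key, so creds_out is done. */
    result = krb5_524_convert_creds(Z_krb5_ctx, creds_out, &cred);
    krb5_free_creds(Z_krb5_ctx, creds_out);
    if (result)
        return result;

    result = krb_mk_req_creds(&authent, &cred, 0);
    if (result != MK_AP_OK)
        return result + krb_err_base;
#endif
#ifndef HAVE_KRB5
    /* … unchanged: krb_mk_req / krb_get_cred path … */
#endif
    session = (C_Block *)cred.session;
```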
@@ -340,3 +364,42 @@ Code_t ZMakeZcodeRealmAuthentication(notice, buffer, buffer_len, phdr_len, return (result); #endif /* HAVE_KRB5 */ } + +#ifdef HAVE_KRB5 +int ZGetCreds(krb5_creds **creds_out) { + krb5_creds creds_in; + krb5_ccache ccache; /* XXX make this a global or static?*/ + int result; + + result = krb5_cc_default(Z_krb5_ctx, &ccache); + if (result) + return result; + + memset((char *)&creds_in, 0, sizeof(creds_in)); + result = krb5_build_principal(Z_krb5_ctx, &creds_in.server, + strlen(__Zephyr_realm), __Zephyr_realm, + SERVER_SERVICE, SERVER_INSTANCE, 0); + if (result) { + krb5_cc_close(Z_krb5_ctx, ccache); + return result; + } + + result = krb5_cc_get_principal(Z_krb5_ctx, ccache, &creds_in.client); + if (result) { + krb5_free_cred_contents(Z_krb5_ctx, &creds_in); /* I also hope this is ok */ + krb5_cc_close(Z_krb5_ctx, ccache); + return result; + } + + creds_in.times.endtime = 0; + creds_in.keyblock.enctype = ENCTYPE_DES_CBC_CRC; + + result = krb5_get_credentials(Z_krb5_ctx, 0, ccache, &creds_in, creds_out); + krb5_cc_close(Z_krb5_ctx, ccache); + krb5_free_cred_contents(Z_krb5_ctx, &creds_in); /* I also hope this is ok */ + + return result; + + +} +#endif diff --git a/zephyr/lib/Zinternal.c b/zephyr/lib/Zinternal.c index 65dacab..ee1d5ee 100644 --- a/zephyr/lib/Zinternal.c +++ b/zephyr/lib/Zinternal.c @@ -98,9 +98,6 @@ Code_t Z_krb5_lookup_cksumtype(krb5_enctype e, krb5_cksumtype *c) } #endif /* HAVE_KRB5 */ -#ifdef HAVE_KRB4 -C_Block __Zephyr_session; -#endif char __Zephyr_realm[REALM_SZ]; #ifdef Z_DEBUG diff --git a/zephyr/server/main.c b/zephyr/server/main.c index d94b468..76020c7 100644 --- a/zephyr/server/main.c +++ b/zephyr/server/main.c @@ -128,6 +128,10 @@ char *bdump_version = "1.2"; krb5_ccache Z_krb5_ccache; #endif +#ifdef HAVE_KRB4 +C_Block __Zephyr_session; +#endif + int main(argc, argv) int argc; diff --git a/zephyr/zwgc/Makefile.in b/zephyr/zwgc/Makefile.in index e4b2342..845d8c3 100644 --- a/zephyr/zwgc/Makefile.in 
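Review bot: The variadic `krb5_build_principal` call ends its component list with a bare `0`; the library reads that argument as a `char *`, and on a platform where `int` is narrower than a pointer the upper half of the slot is whatever was there before, so the terminator should be spelled `(char *)0` or `NULL`. The two `/* I also hope this is ok */` comments would serve better as the fact they stand for, `/* krb5_free_cred_contents releases the principals built into creds_in; creds_in itself lives on the stack */`, and the result's ownership belongs in a header comment on the function, `/* On success *creds_out is allocated by krb5_get_credentials and must be released by the caller with krb5_free_creds(). */`, since neither of the callers added in this patch currently does so. The `/* XXX make this a global or static? */` question is worth answering before this code is called per notice from ZCheckAuthentication, as it is now.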
+++ b/zephyr/zwgc/Makefile.in @@ -83,7 +83,7 @@ y.tab.c y.tab.h: parser.y check: install: zwgc - ${INSTALL} -m 755 -s zwgc ${DESTDIR}${bindir} + ${INSTALL} -m 755 zwgc ${DESTDIR}${bindir} ${INSTALL} -m 644 ${srcdir}/zwgc.1 ${DESTDIR}${mandir}/man1 ${INSTALL} -m 644 ${srcdir}/zwgc.desc ${DESTDIR}${datadir}/zephyr ${INSTALL} -m 644 ${srcdir}/zwgc_resources ${DESTDIR}${datadir}/zephyr -- 2.45.2