From: Greg Hudson Date: Wed, 3 Aug 2016 15:26:13 +0000 (-0400) Subject: Remove unnecessary directories X-Git-Tag: krb5-1.15-beta1~128 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ced29ba544dfcb15b0f04d19579a907409c82f3;p=thirdparty%2Fkrb5.git Remove unnecessary directories Remove the plugin modules wpse, cksum_body, and locate/python, which aren't used by the test suite or built by default. Remove util/collected-client-lib, as we no longer have a need to create a smaller client-only library. Remove util/gss-kernel-lib, as it turned out not to be useful for facilitating kernel integrations. --- diff --git a/src/Makefile.in b/src/Makefile.in index 814e5af035..15b9cbbdc3 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -20,12 +20,9 @@ SUBDIRS=util include lib \ plugins/kdb/db2 \ @ldap_plugin_dir@ \ plugins/kdb/test \ - plugins/locate/python \ - plugins/preauth/cksum_body \ plugins/preauth/otp \ plugins/preauth/pkinit \ plugins/preauth/test \ - plugins/preauth/wpse \ plugins/tls/k5tls \ kdc kadmin slave clients appl tests \ config-files build-tools man doc @po@ diff --git a/src/configure.in b/src/configure.in index db8b929efd..58f89d9b15 100644 --- a/src/configure.in +++ b/src/configure.in @@ -1216,16 +1216,6 @@ AC_CHECK_LIB(aceclnt, sd_init, [ AC_SUBST(sam2_plugin) CFLAGS=$old_CFLAGS -# This checks is for plugins/locate/python, which isn't built by -# default, so it's not a big deal that it isn't very good. We should -# use python-config instead. -PYTHON_LIB= -AC_CHECK_HEADERS(Python.h python2.3/Python.h python2.5/Python.h) -AC_CHECK_LIB(python2.3,main,[PYTHON_LIB=-lpython2.3], - AC_CHECK_LIB(python2.5,main,[PYTHON_LIB=-lpython2.5])) -AC_SUBST(PYTHON_LIB) - - # Kludge for simple server --- FIXME is this the best way to do this? if test "$ac_cv_lib_socket" = "yes" -a "$ac_cv_lib_nsl" = "yes"; then 
@@ -1412,7 +1402,6 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test kdc slave config-files build-tools man doc include plugins/hostrealm/test - plugins/locate/python plugins/localauth/test plugins/kadm5_hook/test plugins/pwqual/test @@ -1427,10 +1416,8 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test plugins/kdb/db2/libdb2/recno plugins/kdb/db2/libdb2/test plugins/kdb/test - plugins/preauth/cksum_body plugins/preauth/otp plugins/preauth/test - plugins/preauth/wpse plugins/authdata/greet_client plugins/authdata/greet_server plugins/tls/k5tls @@ -1449,6 +1436,5 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test tests tests/resolve tests/asn.1 tests/create tests/hammer tests/verify tests/gssapi tests/dejagnu tests/threads tests/shlib tests/gss-threads tests/misc - util/gss-kernel-lib util/collected-client-lib po ) diff --git a/src/plugins/locate/python/Makefile.in b/src/plugins/locate/python/Makefile.in deleted file mode 100644 index ec474bd6ca..0000000000 --- a/src/plugins/locate/python/Makefile.in +++ /dev/null @@ -1,24 +0,0 @@ -# The python locate module is not built by default. To build it -# manally, run "make all-liblinks". - -mydir=plugins$(S)locate$(S)python -BUILDTOP=$(REL)..$(S)..$(S).. - -LIBBASE=python -LIBMAJOR=0 -LIBMINOR=0 -RELDIR=../plugins/locate/python -MODULE_INSTALL_DIR = $(KRB5_LIBKRB5_MODULE_DIR) - -SHLIB_EXPDEPS= $(KRB5_DEPLIB) $(SUPPORT_DEPLIB) -SHLIB_EXPLIBS= @PYTHON_LIB@ $(KRB5_LIB) $(SUPPORT_LIB) - -SRCS= \ - $(srcdir)/py-locate.c -STLIBOBJS= py-locate.o - -clean-unix:: clean-liblinks clean-libs clean-libobjs - -@libnover_frag@ -@libobj_frag@ - diff --git a/src/plugins/locate/python/deps b/src/plugins/locate/python/deps deleted file mode 100644 index d26a51ec7c..0000000000 --- a/src/plugins/locate/python/deps +++ /dev/null 
@@ -1,9 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-py-locate.so py-locate.po $(OUTPRE)py-locate.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/fake-addrinfo.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h py-locate.c
diff --git a/src/plugins/locate/python/locate-service.py b/src/plugins/locate/python/locate-service.py
deleted file mode 100644
index 53153be77e..0000000000
--- a/src/plugins/locate/python/locate-service.py
+++ /dev/null
@@ -1,77 +0,0 @@ -# Copyright 2006 Massachusetts Institute of Technology. -# All Rights Reserved. -# -# Export of this software from the United States of America may -# require a specific license from the United States Government. -# It is the responsibility of any person or organization contemplating -# export to obtain such a license before exporting. -# -# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -# distribute this software and its documentation for any purpose and -# without fee is hereby granted, provided that the above copyright -# notice appear in all copies and that both that copyright notice and -# this permission notice appear in supporting documentation, and that -# the name of M.I.T. not be used in advertising or publicity pertaining -# to distribution of the software without specific, written prior -# permission. Furthermore if you modify this software you must label -# your software as modified software and not distribute it in such a -# fashion that it might be confused with the original M.I.T. software. -# M.I.T. makes no representations about the suitability of -# this software for any purpose. It is provided "as is" without express -# or implied warranty. - -# possible return values: -# False: request not handled by this script, try another means -# empty list: no server available, e.g., TCP KDC in realm with only UDP -# ordered list of (ip-addr-string, port-number-or-string, socket-type) -# -# Field ip-addr-string is a numeric representation of the IPv4 or IPv6 -# address. Field port-number-or-string is, for example, "88" or 88. The -# socket type is also expressed numerically, SOCK_DGRAM or SOCK_STREAM. -# It must agree with the supplied socktype value if that is non-zero, but -# zero must not be used in the returned list. 
-# -# service enum values: kdc=1, master_kdc, kadmin, krb524, kpasswd - -from socket import getaddrinfo, SOCK_STREAM, SOCK_DGRAM, AF_INET, AF_INET6 -def locate1 (service, realm, socktype, family): - if (service == 1 or service == 2) and realm == "ATHENA.MIT.EDU": - if socktype == SOCK_STREAM: return [] - socktype = SOCK_DGRAM - result = [] - hlist = (("kerberos.mit.edu", 88), ("kerberos-1.mit.edu", 88), - ("some-random-name-that-does-not-exist.mit.edu", 12345), - ("kerberos.mit.edu", 750)) - if service == 2: hlist = (hlist[0],) - for (hname,hport) in hlist: - try: - alist = getaddrinfo(hname, hport, family, socktype) - for a in alist: - (fam, stype, proto, canonname, sa) = a - if fam == AF_INET or fam == AF_INET6: - addr = sa[0] - port = sa[1] - result = result + [(addr, port, stype)] - except Exception, inst: -# print "getaddrinfo error for " + hname + ":", inst - pass # Enh, this is just a demo. - return result - if realm == "BOBO.MIT.EDU": return [] - return False - -verbose = 0 -servicenames = { 1: "kdc", 2: "master_kdc", 3: "kadmin", 4: "krb524", 5: "kpasswd" } -socktypenames = { SOCK_STREAM: "STREAM", SOCK_DGRAM: "DGRAM" } -familynames = { 0: "UNSPEC", AF_INET: "INET", AF_INET6: "INET6" } - -def locate (service, realm, socktype, family): - socktypename = socktype - if socktype in socktypenames: socktypename = "%s(%d)" % (socktypenames[socktype], socktype) - familyname = family - if family in familynames: familyname = "%s(%d)" % (familynames[family], family) - servicename = service - if service in servicenames: servicename = "%s(%d)" % (servicenames[service], service) - if verbose: print "locate called with service", servicename, "realm", realm, "socktype", socktypename, "family", familyname - result = locate1 (service, realm, socktype, family) - if verbose: print "locate result is", result - return result diff --git a/src/plugins/locate/python/py-locate.c b/src/plugins/locate/python/py-locate.c deleted file mode 100644 index 7273026760..0000000000 
--- a/src/plugins/locate/python/py-locate.c
+++ /dev/null
@@ -1,323 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* plugins/locate/python/py-locate.c */ -/* - * Copyright 2006, 2007 Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* This is a demo module. The error checking is incomplete, there's - no exception handling, and it wouldn't surprise me in the least if - there are more bugs in the refcount maintenance. - - But it will demonstrate (1) the plugin interface for locating a KDC - or other Kerberos-related service, and (2) that it's possible for - these plugins to call out to scripts in various languages for - prototyping or whatever. - - Some notes: - - If delayed initialization is not done, and the script is executed - when this module is loaded, loading other Python modules may not - work, if they include object code referencing the Python symbols. 
- Under glibc at least, it appears that the symbols of this module - aren't available to random dlopen/dlsym calls until loading - finishes, including the initialization routine. It's completely - logical -- in fact, I'd be concerned if it were otherwise. But not - obvious if you're not thinking about it. - - Actually, sometimes even with delayed initialization it could be a - problem. - - You may be able to work around it with something like: - % env LD_PRELOAD=/usr/lib/libpython2.3.so.1.0 kinit ...blah... - - This module seems rather sensitive to bugs in the Python code. If - it's not correct, you may get core dumps, Python GC errors, etc. - Probably more signs of bugs in this code. - - All of the -1 returns should be cleaned up and made to return - real error codes, with appropriate output if debugging is enabled. - - Blah. */ - -/* Include Python.h before autoconf.h, because our autoconf.h seems - to confuse Python's headers. */ -#include -#if HAVE_PYTHON_H -#include -#elif HAVE_PYTHON2_3_PYTHON_H -#include -#elif HAVE_PYTHON2_5_PYTHON_H -#include -#else -#error "Where's the Python header file?" -#endif -#include -#include "k5-platform.h" /* for init/fini macros */ -#include "fake-addrinfo.h" - -#include - -#define LIBDIR "/tmp" /* should be imported from configure */ -#define SCRIPT_PATH LIBDIR "/krb5/locate-service.py" -#define LOOKUP_FUNC_NAME "locate" - -static PyObject *locatefn; - -MAKE_INIT_FUNCTION(my_init); -MAKE_FINI_FUNCTION(my_fini); - -#define F (strchr(__FILE__, '/') ? 1 + strrchr(__FILE__, '/') : __FILE__) - -static krb5_context sctx; /* XXX ugly hack! 
*/ - -int -my_init(void) -{ - PyObject *mainmodule; - FILE *f; - - Py_Initialize (); -// fprintf(stderr, "trying to load %s\n", SCRIPT_PATH); - f = fopen(SCRIPT_PATH, "r"); - if (f == NULL) { - if (sctx) - krb5_set_error_message(sctx, -1, - "couldn't open Python script %s (%s)", - SCRIPT_PATH, strerror(errno)); - return -1; - } - set_cloexec_file(f); - PyRun_SimpleFile (f, SCRIPT_PATH); - fclose(f); - mainmodule = PyModule_GetDict(PyImport_AddModule("__main__")); - if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; } - locatefn = PyDict_GetItemString (mainmodule, LOOKUP_FUNC_NAME); - if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; } - /* Don't DECREF mainmodule, it's sometimes causing crashes. */ - if (locatefn == 0) - return -1; - if (!PyCallable_Check (locatefn)) { - Py_DECREF (locatefn); - locatefn = 0; - return -1; - } - if (PyErr_Occurred()) { fprintf(stderr,"%s:%d: python error\n", F, __LINE__); PyErr_Print(); return -1; } - return 0; -} - -void -my_fini(void) -{ -// fprintf(stderr, "%s:%d: Python module finalization\n", F, __LINE__); - if (! INITIALIZER_RAN (my_init)) - return; - Py_DECREF (locatefn); - locatefn = 0; - Py_Finalize (); -} - -static krb5_error_code -ctxinit(krb5_context ctx, void **blobptr) -{ - /* If we wanted to create a separate Python interpreter instance, - look up the pathname of the script in the config file used for - the current krb5_context, and load the script in that - interpreter, this would be a good place for it; the blob could - be allocated to hold the reference to the interpreter - instance. */ - *blobptr = ctx; - return 0; -} - -static void -ctxfini(void *blob) -{ -} - -/* Special return codes: - - 0: We set a (possibly empty) set of server locations in the result - field. If the server location set is empty, that means there - aren't any servers, *not* that we should try the krb5.conf file or - DNS or something. 
- - KRB5_PLUGIN_NO_HANDLE: This realm or service isn't handled here, - try some other means. - - Other: Some error happened here. It may be reported, if the - service can't be located by other means. (In this implementation, - the catch-all error code returned in a bunch of places is -1, which - isn't going to be very useful to the caller.) */ - -static krb5_error_code -lookup(void *blob, enum locate_service_type svc, const char *realm, - int socktype, int family, - int (*cbfunc)(void *, int, struct sockaddr *), void *cbdata) -{ - PyObject *py_result, *svcarg, *realmarg, *arglist; - int listsize, i, x; - struct addrinfo aihints, *airesult; - int thissocktype; - -// fprintf(stderr, "%s:%d: lookup(%d,%s,%d,%d)\n", F, __LINE__, -// svc, realm, socktype, family); - sctx = blob; /* XXX: Not thread safe! */ - i = CALL_INIT_FUNCTION (my_init); - if (i) { -#if 0 - fprintf(stderr, "%s:%d: module initialization failed\n", F, __LINE__); -#endif - return i; - } - if (locatefn == 0) - return KRB5_PLUGIN_NO_HANDLE; - svcarg = PyInt_FromLong (svc); - /* error? */ - realmarg = PyString_FromString ((char *) realm); - /* error? */ - arglist = PyTuple_New (4); - /* error? */ - - PyTuple_SetItem (arglist, 0, svcarg); - PyTuple_SetItem (arglist, 1, realmarg); - PyTuple_SetItem (arglist, 2, PyInt_FromLong (socktype)); - PyTuple_SetItem (arglist, 3, PyInt_FromLong (family)); - /* references handed off, no decref */ - - py_result = PyObject_CallObject (locatefn, arglist); - Py_DECREF (arglist); - if (PyErr_Occurred()) { - fprintf(stderr,"%s:%d: python error\n", F, __LINE__); - PyErr_Print(); - krb5_set_error_message(blob, -1, - "Python evaluation error, see stderr"); - return -1; - } - if (py_result == 0) { - fprintf(stderr, "%s:%d: returned null object\n", F, __LINE__); - return -1; - } - if (py_result == Py_False) - return KRB5_PLUGIN_NO_HANDLE; - if (! 
PyList_Check (py_result)) { - Py_DECREF (py_result); - fprintf(stderr, "%s:%d: returned non-list, non-False\n", F, __LINE__); - krb5_set_error_message(blob, -1, - "Python script error -- returned non-list, non-False result"); - return -1; - } - listsize = PyList_Size (py_result); - /* allocate */ - memset(&aihints, 0, sizeof(aihints)); - aihints.ai_flags = AI_NUMERICHOST; - aihints.ai_family = family; - for (i = 0; i < listsize; i++) { - PyObject *answer, *field; - char *hoststr, *portstr, portbuf[3*sizeof(long) + 4]; - int cbret; - - answer = PyList_GetItem (py_result, i); - if (! PyTuple_Check (answer)) { - krb5_set_error_message(blob, -1, - "Python script error -- returned item %d not a tuple", i); - /* leak? */ - return -1; - } - if (PyTuple_Size (answer) != 3) { - krb5_set_error_message(blob, -1, - "Python script error -- returned tuple %d size %d should be 3", - i, PyTuple_Size (answer)); - /* leak? */ - return -1; - } - field = PyTuple_GetItem (answer, 0); - if (! PyString_Check (field)) { - /* leak? */ - krb5_set_error_message(blob, -1, - "Python script error -- first component of tuple %d is not a string", - i); - return -1; - } - hoststr = PyString_AsString (field); - field = PyTuple_GetItem (answer, 1); - if (PyString_Check (field)) { - portstr = PyString_AsString (field); - } else if (PyInt_Check (field)) { - snprintf(portbuf, sizeof(portbuf), "%ld", PyInt_AsLong (field)); - portstr = portbuf; - } else { - krb5_set_error_message(blob, -1, - "Python script error -- second component of tuple %d neither a string nor an integer", - i); - /* leak? */ - return -1; - } - field = PyTuple_GetItem (answer, 2); - if (! PyInt_Check (field)) { - krb5_set_error_message(blob, -1, - "Python script error -- third component of tuple %d not an integer", - i); - /* leak? 
*/ - return -1; - } - thissocktype = PyInt_AsLong (field); - switch (thissocktype) { - case SOCK_STREAM: - case SOCK_DGRAM: - /* okay */ - if (socktype != 0 && socktype != thissocktype) { - krb5_set_error_message(blob, -1, - "Python script error -- tuple %d has socket type %d, should only have %d", - i, thissocktype, socktype); - /* leak? */ - return -1; - } - break; - default: - /* 0 is not acceptable */ - krb5_set_error_message(blob, -1, - "Python script error -- tuple %d has invalid socket type %d", - i, thissocktype); - /* leak? */ - return -1; - } - aihints.ai_socktype = thissocktype; - aihints.ai_flags = AI_ADDRCONFIG; - x = getaddrinfo (hoststr, portstr, &aihints, &airesult); - if (x != 0) - continue; - cbret = cbfunc(cbdata, airesult->ai_socktype, airesult->ai_addr); - freeaddrinfo(airesult); - if (cbret != 0) - break; - } - Py_DECREF (py_result); - return 0; -} - -const krb5plugin_service_locate_ftable service_locator = { - /* version */ - 0, - /* functions */ - ctxinit, ctxfini, lookup, -}; diff --git a/src/plugins/locate/python/python.exports b/src/plugins/locate/python/python.exports deleted file mode 100644 index 60ff46e8db..0000000000 --- a/src/plugins/locate/python/python.exports +++ /dev/null @@ -1 +0,0 @@ -service_locator diff --git a/src/plugins/preauth/cksum_body/Makefile.in b/src/plugins/preauth/cksum_body/Makefile.in deleted file mode 100644 index 45cceb7eee..0000000000 --- a/src/plugins/preauth/cksum_body/Makefile.in +++ /dev/null 
@@ -1,26 +0,0 @@
-# The cksum_body preauth module is not built by default. To build it
-# manually, run "make all-libs".
-
-mydir=plugins$(S)preauth$(S)cksum_body
-BUILDTOP=$(REL)..$(S)..$(S)..
-MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
-
-LIBBASE=cksum_body
-LIBMAJOR=0
-LIBMINOR=0
-RELDIR=../plugins/preauth/cksum_body
-# Depends on libk5crypto and libkrb5
-SHLIB_EXPDEPS = \
- $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS)
-
-STLIBOBJS=cksum_body_main.o
-
-SRCS= $(srcdir)/cksum_body_main.c
-
-clean-unix:: clean-libs clean-libobjs
-
-@libnover_frag@
-@libobj_frag@
-
diff --git a/src/plugins/preauth/cksum_body/cksum_body.exports b/src/plugins/preauth/cksum_body/cksum_body.exports
deleted file mode 100644
index df335ca64b..0000000000
--- a/src/plugins/preauth/cksum_body/cksum_body.exports
+++ /dev/null
@@ -1,2 +0,0 @@
-clpreauth_cksum_body_initvt
-kdcpreauth_cksum_body_initvt
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c
deleted file mode 100644
index ed2b5b4e01..0000000000
--- a/src/plugins/preauth/cksum_body/cksum_body_main.c
+++ /dev/null
@@ -1,611 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 2006 Red Hat, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Checksum the request body with the user's long-term key. - * - * The e-data from the KDC is a list of network-byte-order 32-bit integers - * listing key types which the KDC has for the user. 
- * - * The client uses one of these key types to generate a checksum over the body - * of the request, and includes the checksum in the AS-REQ as preauthentication - * data. - * - * The AS-REP carries no preauthentication data for this scheme. - */ - -#ident "$Id: cksum_body_main.c,v 1.4 2007/01/02 22:33:50 kwc Exp $" - -#include "autoconf.h" - -#ifdef HAVE_ERRNO_H -#include -#endif -#ifdef HAVE_STRING_H -#include -#endif - -#include -#include - -#include -#include - -/* This is not a standardized value. It's defined here only to make it easier - * to change in this module. */ -#define KRB5_PADATA_CKSUM_BODY_REQ 130 - -struct server_stats{ - int successes, failures; -}; - -typedef struct _test_svr_req_ctx { - int value1; - int value2; -} test_svr_req_ctx; - -static int -client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) -{ - return PA_REAL; -} - -static krb5_error_code -client_process(krb5_context kcontext, - krb5_clpreauth_moddata moddata, - krb5_clpreauth_modreq modreq, - krb5_get_init_creds_opt *opt, - krb5_clpreauth_callbacks cb, - krb5_clpreauth_rock rock, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *pa_data, - krb5_prompter_fct prompter, - void *prompter_data, - krb5_pa_data ***out_pa_data) -{ - krb5_pa_data **send_pa; - krb5_checksum checksum; - krb5_cksumtype *cksumtypes; - krb5_error_code status = 0; - krb5_int32 cksumtype; - unsigned int i, cksumtype_count; - int num_gic_info = 0; - krb5_gic_opt_pa_data *gic_info; - krb5_keyblock *as_key; - - status = krb5_get_init_creds_opt_get_pa(kcontext, opt, - &num_gic_info, &gic_info); - if (status && status != ENOENT) { -#ifdef DEBUG - fprintf(stderr, "Error from krb5_get_init_creds_opt_get_pa: %s\n", - error_message(status)); -#endif - return status; - } -#ifdef DEBUG - fprintf(stderr, "(cksum_body) Got the following gic options:\n"); -#endif - for (i = 0; i < num_gic_info; i++) { -#ifdef DEBUG - fprintf(stderr, " '%s' = '%s'\n", 
gic_info[i].attr, gic_info[i].value); -#endif - } - krb5_get_init_creds_opt_free_pa(kcontext, num_gic_info, gic_info); - - memset(&checksum, 0, sizeof(checksum)); - - status = cb->get_as_key(kcontext, rock, &as_key); - if (status != 0) - return status; -#ifdef DEBUG - fprintf(stderr, "Got AS key (type = %d).\n", as_key->enctype); -#endif - - /* Determine an appropriate checksum type for this key. */ - cksumtype_count = 0; - cksumtypes = NULL; - status = krb5_c_keyed_checksum_types(kcontext, as_key->enctype, - &cksumtype_count, &cksumtypes); - if (status != 0) - return status; - - /* Generate the checksum. */ - for (i = 0; i < cksumtype_count; i++) { - status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - encoded_request_body, - &checksum); - if (status == 0) { -#ifdef DEBUG - fprintf(stderr, "Made checksum (type = %d, %d bytes).\n", - checksum.checksum_type, encoded_request_body->length); -#endif - break; - } - } - cksumtype = htonl(cksumtypes[i]); - krb5_free_cksumtypes(kcontext, cksumtypes); - if (status != 0) { - if (checksum.length > 0) - krb5_free_checksum_contents(kcontext, &checksum); - return status; - } - - /* Allocate the preauth data structure. */ - send_pa = malloc(2 * sizeof(krb5_pa_data *)); - if (send_pa == NULL) { - krb5_free_checksum_contents(kcontext, &checksum); - return ENOMEM; - } - send_pa[1] = NULL; /* Terminate list */ - send_pa[0] = malloc(sizeof(krb5_pa_data)); - if (send_pa[0] == NULL) { - krb5_free_checksum_contents(kcontext, &checksum); - free(send_pa); - return ENOMEM; - } - send_pa[0]->pa_type = KRB5_PADATA_CKSUM_BODY_REQ; - send_pa[0]->length = 4 + checksum.length; - send_pa[0]->contents = malloc(4 + checksum.length); - if (send_pa[0]->contents == NULL) { - krb5_free_checksum_contents(kcontext, &checksum); - free(send_pa[0]); - free(send_pa); - return ENOMEM; - } - - /* Store the checksum. 
*/ - memcpy(send_pa[0]->contents, &cksumtype, 4); - memcpy(send_pa[0]->contents + 4, checksum.contents, checksum.length); - *out_pa_data = send_pa; - - /* Clean up. */ - krb5_free_checksum_contents(kcontext, &checksum); - - return 0; -} - -static krb5_error_code -client_gic_opt(krb5_context kcontext, - krb5_clpreauth_moddata moddata, - krb5_get_init_creds_opt *opt, - const char *attr, - const char *value) -{ -#ifdef DEBUG - fprintf(stderr, "(cksum_body) client_gic_opt: received '%s' = '%s'\n", - attr, value); -#endif - return 0; -} - -/* Initialize and tear down the server-side module, and do stat tracking. */ -static krb5_error_code -server_init(krb5_context kcontext, krb5_kdcpreauth_moddata *moddata_out, - const char **realmnames) -{ - struct server_stats *stats; - stats = malloc(sizeof(struct server_stats)); - if (stats == NULL) - return ENOMEM; - stats->successes = 0; - stats->failures = 0; - *moddata_out = (krb5_kdcpreauth_moddata)stats; - return 0; -} -static void -server_fini(krb5_context kcontext, krb5_kdcpreauth_moddata moddata) -{ - struct server_stats *stats; - stats = (struct server_stats *)moddata; - if (stats != NULL) { -#ifdef DEBUG - fprintf(stderr, "Total: %d clients failed, %d succeeded.\n", - stats->failures, stats->successes); -#endif - free(stats); - } -} - -/* Obtain and return any preauthentication data (which is destined for the - * client) which matches type data->pa_type. */ -static void -server_get_edata(krb5_context kcontext, krb5_kdc_req *request, - krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type, - krb5_kdcpreauth_edata_respond_fn respond, void *arg) -{ - krb5_keyblock *keys; - krb5_int32 *enctypes, enctype; - krb5_pa_data *data; - int i; - - /* Retrieve the client's keys. 
*/ - if (cb->client_keys(kcontext, rock, &keys) != 0) { -#ifdef DEBUG - fprintf(stderr, "Error retrieving client keys.\n"); -#endif - (*respond)(arg, KRB5KDC_ERR_PADATA_TYPE_NOSUPP, NULL); - return; - } - - /* Count which types of keys we've got. */ - for (i = 0; keys[i].enctype != 0; i++); - - /* Return the list of encryption types. */ - enctypes = malloc((unsigned)i * 4); - if (enctypes == NULL) { - cb->free_keys(kcontext, rock, keys); - (*respond)(arg, ENOMEM, NULL); - return; - } -#ifdef DEBUG - fprintf(stderr, "Supported enctypes = {"); -#endif - for (i = 0; keys[i].enctype != 0; i++) { -#ifdef DEBUG - fprintf(stderr, "%s%d", (i > 0) ? ", " : "", keys[i].enctype); -#endif - enctype = htonl(keys[i].enctype); - memcpy(&enctypes[i], &enctype, 4); - } -#ifdef DEBUG - fprintf(stderr, "}.\n"); -#endif - cb->free_keys(kcontext, rock, keys); - data = malloc(sizeof(*data)); - if (data == NULL) { - free(enctypes); - (*respond)(arg, ENOMEM, NULL); - } - data->magic = KV5M_PA_DATA; - data->pa_type = KRB5_PADATA_CKSUM_BODY_REQ; - data->length = (i * 4); - data->contents = (unsigned char *) enctypes; - (*respond)(arg, 0, data); -} - -/* Verify a request from a client. */ -static void -server_verify(krb5_context kcontext, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - krb5_kdcpreauth_callbacks cb, - krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_verify_respond_fn respond, - void *arg) -{ - krb5_int32 cksumtype; - krb5_checksum checksum; - krb5_boolean valid; - krb5_data *req_body; - krb5_keyblock *keys, *key; - size_t length; - unsigned int i, cksumtypes_count; - krb5_cksumtype *cksumtypes; - krb5_error_code status; - struct server_stats *stats; - test_svr_req_ctx *svr_req_ctx; - krb5_authdata **my_authz_data = NULL; - - stats = (struct server_stats *)moddata; - -#ifdef DEBUG - fprintf(stderr, "cksum_body: server_verify\n"); -#endif - /* Verify the preauth data. 
Start with the checksum type. */ - if (data->length < 4) { - stats->failures++; - (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); - return; - } - memcpy(&cksumtype, data->contents, 4); - memset(&checksum, 0, sizeof(checksum)); - checksum.checksum_type = ntohl(cksumtype); - - /* Verify that the amount of data we have left is what we expect. */ - if (krb5_c_checksum_length(kcontext, checksum.checksum_type, - &length) != 0) { -#ifdef DEBUG - fprintf(stderr, "Error determining checksum size (type = %d). " - "Is it supported?\n", checksum.checksum_type); -#endif - stats->failures++; - (*respond)(arg, KRB5KDC_ERR_SUMTYPE_NOSUPP, NULL, NULL, NULL); - return; - } - if (data->length - 4 != length) { -#ifdef DEBUG - fprintf(stderr, "Checksum size doesn't match client packet size.\n"); -#endif - stats->failures++; - (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); - return; - } - checksum.length = length; - - /* Pull up the client's keys. */ - if (cb->client_keys(kcontext, rock, &keys) != 0) { -#ifdef DEBUG - fprintf(stderr, "Error retrieving client keys.\n"); -#endif - stats->failures++; - (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); - return; - } - - /* Find the key which would have been used to generate the checksum. */ - for (key = keys; key->enctype != 0; key++) { - cksumtypes_count = 0; - cksumtypes = NULL; - if (krb5_c_keyed_checksum_types(kcontext, key->enctype, - &cksumtypes_count, &cksumtypes) != 0) - continue; - for (i = 0; i < cksumtypes_count; i++) { - if (cksumtypes[i] == checksum.checksum_type) - break; - } - if (cksumtypes != NULL) - krb5_free_cksumtypes(kcontext, cksumtypes); - if (i < cksumtypes_count) { -#ifdef DEBUG - fprintf(stderr, "Found checksum key.\n"); -#endif - break; - } - } - if (key->enctype == 0) { - cb->free_keys(kcontext, rock, keys); - stats->failures++; - (*respond)(arg, KRB5KDC_ERR_SUMTYPE_NOSUPP, NULL, NULL, NULL); - return; - } - - /* Save a copy of the key. 
*/ - if (krb5_copy_keyblock(kcontext, keys, &key) != 0) { - cb->free_keys(kcontext, rock, keys); - stats->failures++; - (*respond)(arg, KRB5KDC_ERR_SUMTYPE_NOSUPP, NULL, NULL, NULL); - return; - } - cb->free_keys(kcontext, rock, keys); - - req_body = cb->request_body(kcontext, rock); - -#ifdef DEBUG - fprintf(stderr, "AS key type %d, checksum type %d, %d bytes.\n", - key->enctype, checksum.checksum_type, req_body->length); -#endif - - /* Verify the checksum itself. */ - checksum.contents = data->contents + 4; - valid = FALSE; - status = krb5_c_verify_checksum(kcontext, key, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - req_body, &checksum, &valid); - - /* Clean up. */ - krb5_free_keyblock(kcontext, key); - - /* Evaluate our results. */ - if ((status != 0) || (!valid)) { -#ifdef DEBUG - if (status != 0) { - fprintf(stderr, "Error in checksum verification.\n"); - } else { - fprintf(stderr, "Checksum mismatch.\n"); - } -#endif - stats->failures++; - (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); - return; - } - - /* - * Return some junk authorization data just to exercise the - * code path handling the returned authorization data. - * - * NOTE that this is NOT VALID authorization data! 
- */ -#ifdef DEBUG - fprintf(stderr, "cksum_body: doing authorization data!\n"); -#endif - my_authz_data = malloc(2 * sizeof(*my_authz_data)); - if (my_authz_data != NULL) { -#if 1 /* USE_5000_AD */ -#define AD_ALLOC_SIZE 5000 - /* ad_header consists of a sequence tag (0x30) and length - * (0x82 0x1384) followed by octet string tag (0x04) and - * length (0x82 0x1380) */ - krb5_octet ad_header[] = {0x30, 0x82, 0x13, 0x84, 0x04, 0x82, 0x13, 0x80}; -#else -#define AD_ALLOC_SIZE 100 - /* ad_header consists of a sequence tag (0x30) and length - * (0x62) followed by octet string tag (0x04) and length - * (0x60) */ - krb5_octet ad_header[] = {0x30, 0x62, 0x04, 0x60}; -#endif - - my_authz_data[1] = NULL; - my_authz_data[0] = malloc(sizeof(krb5_authdata)); - if (my_authz_data[0] == NULL) { - free(my_authz_data); - (*respond)(arg, ENOMEM, NULL, NULL, NULL); - return; - } - my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE); - if (my_authz_data[0]->contents == NULL) { - free(my_authz_data[0]); - free(my_authz_data); - (*respond)(arg, ENOMEM, NULL, NULL, NULL); - return; - } - memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE); - my_authz_data[0]->magic = KV5M_AUTHDATA; - my_authz_data[0]->ad_type = 1; - my_authz_data[0]->length = AD_ALLOC_SIZE; - memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header)); - snprintf(my_authz_data[0]->contents + sizeof(ad_header), - AD_ALLOC_SIZE - sizeof(ad_header), - "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); -#ifdef DEBUG - fprintf(stderr, "Returning %d bytes of authorization data\n", - AD_ALLOC_SIZE); -#endif - } - - /* Return a request context to exercise code that handles it */ - svr_req_ctx = malloc(sizeof(*svr_req_ctx)); - if (svr_req_ctx != NULL) { - svr_req_ctx->value1 = 111111; - svr_req_ctx->value2 = 222222; -#ifdef DEBUG - fprintf(stderr, "server_verify: returning context at %p\n", - svr_req_ctx); -#endif - } - - /* Note that preauthentication succeeded. 
*/ - enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; - stats->successes++; - (*respond)(arg, 0, (krb5_kdcpreauth_modreq)svr_req_ctx, NULL, my_authz_data); -} - -/* Create the response for a client. */ -static krb5_error_code -server_return(krb5_context kcontext, - krb5_pa_data *padata, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - krb5_kdcpreauth_callbacks cb, - krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq modreq) -{ - /* We don't need to send data back on the return trip. */ - *send_pa = NULL; - return 0; -} - -/* Test server request context freeing */ -static void -server_free_modreq(krb5_context kcontext, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq modreq) -{ - test_svr_req_ctx *svr_req_ctx; -#ifdef DEBUG - fprintf(stderr, "server_free_modreq: entered!\n"); -#endif - if (modreq == NULL) - return; - - svr_req_ctx = (test_svr_req_ctx *)modreq; - if (svr_req_ctx == NULL) - return; - - if (svr_req_ctx->value1 != 111111 || svr_req_ctx->value2 != 222222) { - fprintf(stderr, "server_free_modreq: got invalid req context " - "at %p with values %d and %d\n", - svr_req_ctx, svr_req_ctx->value1, svr_req_ctx->value2); - return; - } -#ifdef DEBUG - fprintf(stderr, "server_free_modreq: freeing context at %p\n", svr_req_ctx); -#endif - free(svr_req_ctx); -} - -static int -server_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) -{ - return PA_SUFFICIENT; -} - -static krb5_preauthtype supported_client_pa_types[] = { - KRB5_PADATA_CKSUM_BODY_REQ, 0, -}; -static krb5_preauthtype supported_server_pa_types[] = { - KRB5_PADATA_CKSUM_BODY_REQ, 0, -}; - -krb5_error_code -clpreauth_cksum_body_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable); -krb5_error_code -kdcpreauth_cksum_body_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable); - -krb5_error_code 
-clpreauth_cksum_body_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable) -{ - krb5_clpreauth_vtable vt; - - if (maj_ver != 1) - return KRB5_PLUGIN_VER_NOTSUPP; - vt = (krb5_clpreauth_vtable)vtable; - vt->name = "cksum_body"; - vt->pa_type_list = supported_client_pa_types; - vt->flags = client_get_flags; - vt->process = client_process; - vt->gic_opts = client_gic_opt; - return 0; -} - -krb5_error_code -kdcpreauth_cksum_body_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable) -{ - krb5_kdcpreauth_vtable vt; - - if (maj_ver != -1) - return KRB5_PLUGIN_VER_NOTSUPP; - vt = (krb5_kdcpreauth_vtable)vtable; - vt->name = "cksum_body"; - vt->pa_type_list = supported_server_pa_types; - vt->init = server_init; - vt->fini = server_fini; - vt->flags = server_get_flags; - vt->edata = server_get_edata; - vt->verify = server_verify; - vt->return_padata = server_return; - vt->free_modreq = server_free_modreq; - return 0; -} diff --git a/src/plugins/preauth/cksum_body/deps b/src/plugins/preauth/cksum_body/deps deleted file mode 100644 index 7ee4121957..0000000000 --- a/src/plugins/preauth/cksum_body/deps +++ /dev/null @@ -1,8 +0,0 @@ -# -# Generated makefile dependencies follow. -# -cksum_body_main.so cksum_body_main.po $(OUTPRE)cksum_body_main.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/krb5/clpreauth_plugin.h \ - $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h cksum_body_main.c diff --git a/src/plugins/preauth/wpse/Makefile.in b/src/plugins/preauth/wpse/Makefile.in deleted file mode 100644 index ab7c74424d..0000000000 --- a/src/plugins/preauth/wpse/Makefile.in +++ /dev/null 
@@ -1,26 +0,0 @@
-# The Worst Preauthentication Scheme Ever is not built by default. To
-# build it manually, run "make all-libs".
-
-mydir=plugins$(S)preauth$(S)wpse
-BUILDTOP=$(REL)..$(S)..$(S)..
-MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
-
-LIBBASE=wpse
-LIBMAJOR=0
-LIBMINOR=0
-RELDIR=../plugins/preauth/wpse
-# Depends on libk5crypto and libkrb5
-SHLIB_EXPDEPS = \
- $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
- $(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS)
-
-STLIBOBJS=wpse_main.o
-
-SRCS=wpse_main.c
-
-clean-unix:: clean-libs clean-libobjs
-
-@libnover_frag@
-@libobj_frag@
-
diff --git a/src/plugins/preauth/wpse/deps b/src/plugins/preauth/wpse/deps
deleted file mode 100644
index 64f5f2ac0b..0000000000
--- a/src/plugins/preauth/wpse/deps
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-wpse_main.so wpse_main.po $(OUTPRE)wpse_main.$(OBJEXT): \
- $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(COM_ERR_DEPS) $(top_srcdir)/include/krb5/preauth_plugin.h \
- wpse_main.c
diff --git a/src/plugins/preauth/wpse/wpse.exports b/src/plugins/preauth/wpse/wpse.exports
deleted file mode 100644
index 4cc48a8831..0000000000
--- a/src/plugins/preauth/wpse/wpse.exports
+++ /dev/null
@@ -1,2 +0,0 @@
-clpreauth_wpse_initvt
-kdcpreauth_wpse_initvt
diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c
deleted file mode 100644
index c14ec753d0..0000000000
--- a/src/plugins/preauth/wpse/wpse_main.c
+++ /dev/null
@@ -1,477 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (C) 2006 Red Hat, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* Worst. Preauthentication. Scheme. Ever. */ - -#ident "$Id: wpse_main.c,v 1.3 2007/01/02 22:33:51 kwc Exp $" - -#include "autoconf.h" - -#ifdef HAVE_ERRNO_H -#include -#endif -#ifdef HAVE_STRING_H -#include -#endif - -#include -#include - -#include -#include - -/* This is not a standardized value. 
It's defined here only to make it easier - * to change in this module. */ -#define KRB5_PADATA_WPSE_REQ 131 - -static int -client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) -{ - return PA_REAL; -} - -static krb5_error_code -client_init(krb5_context kcontext, krb5_clpreauth_moddata *moddata_out) -{ - int *pctx; - - pctx = malloc(sizeof(int)); - if (pctx == NULL) - return ENOMEM; - *pctx = 0; - *moddata_out = (krb5_clpreauth_moddata)pctx; - return 0; -} - -static void -client_fini(krb5_context kcontext, krb5_clpreauth_moddata moddata) -{ - int *pctx; - - pctx = (int *)moddata; - if (pctx) { -#ifdef DEBUG - fprintf(stderr, "wpse module called total of %d times\n", *pctx); -#endif - free(pctx); - } -} - -static krb5_error_code -client_process(krb5_context kcontext, - krb5_clpreauth_moddata moddata, - krb5_clpreauth_modreq modreq, - krb5_get_init_creds_opt *opt, - krb5_clpreauth_callbacks cb, - krb5_clpreauth_rock rock, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *pa_data, - krb5_prompter_fct prompter, - void *prompter_data, - krb5_pa_data ***out_pa_data) -{ - krb5_pa_data **send_pa; - krb5_int32 nnonce, enctype; - krb5_keyblock *kb; - krb5_error_code status; - int *pctx; - -#ifdef DEBUG - fprintf(stderr, "%d bytes of preauthentication data (type %d)\n", - pa_data->length, pa_data->pa_type); -#endif - - pctx = (int *)moddata; - if (pctx) { - (*pctx)++; - } - - if (pa_data->length == 0) { - /* Create preauth data. */ - send_pa = malloc(2 * sizeof(krb5_pa_data *)); - if (send_pa == NULL) - return ENOMEM; - send_pa[1] = NULL; /* Terminate list */ - send_pa[0] = malloc(sizeof(krb5_pa_data)); - if (send_pa[0] == NULL) { - free(send_pa); - return ENOMEM; - } - send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ; - send_pa[0]->length = 4; - send_pa[0]->contents = malloc(4); - if (send_pa[0]->contents == NULL) { - free(send_pa[0]); - free(send_pa); - return ENOMEM; - } - /* Store the preauth data. 
*/ - nnonce = htonl(request->nonce); - memcpy(send_pa[0]->contents, &nnonce, 4); - *out_pa_data = send_pa; - } else { - /* A reply from the KDC. Conventionally this would be - * indicated by a different preauthentication type, but this - * mechanism/implementation doesn't do that. */ - if (pa_data->length > 4) { - memcpy(&enctype, pa_data->contents, 4); - kb = NULL; - status = krb5_init_keyblock(kcontext, ntohl(enctype), - pa_data->length - 4, &kb); - if (status != 0) - return status; - memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4); -#ifdef DEBUG - fprintf(stderr, "Recovered key type=%d, length=%d.\n", - kb->enctype, kb->length); -#endif - status = cb->set_as_key(kcontext, rock, kb); - krb5_free_keyblock(kcontext, kb); - return status; - } - return KRB5KRB_ERR_GENERIC; - } - return 0; -} - -#define WPSE_MAGIC 0x77707365 -typedef struct _wpse_req_ctx -{ - int magic; - int value; -} wpse_req_ctx; - -static void -client_req_init(krb5_context kcontext, krb5_clpreauth_moddata moddata, - krb5_clpreauth_modreq *modreq_out) -{ - wpse_req_ctx *ctx; - - *modreq_out = NULL; - - /* Allocate a request context. Useful for verifying that we do in fact - * do per-request cleanup. 
*/ - ctx = (wpse_req_ctx *) malloc(sizeof(*ctx)); - if (ctx == NULL) - return; - ctx->magic = WPSE_MAGIC; - ctx->value = 0xc0dec0de; - - *modreq_out = (krb5_clpreauth_modreq)ctx; -} - -static void -client_req_cleanup(krb5_context kcontext, krb5_clpreauth_moddata moddata, - krb5_clpreauth_modreq modreq) -{ - wpse_req_ctx *ctx = (wpse_req_ctx *)modreq; - - if (ctx) { -#ifdef DEBUG - fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n", - ctx, ctx->magic, ctx->value); -#endif - if (ctx->magic != WPSE_MAGIC) { -#ifdef DEBUG - fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n", - ctx, ctx->magic); -#endif - return; - } - free(ctx); - } - return; -} - -static krb5_error_code -client_gic_opt(krb5_context kcontext, - krb5_clpreauth_moddata moddata, - krb5_get_init_creds_opt *opt, - const char *attr, - const char *value) -{ -#ifdef DEBUG - fprintf(stderr, "(wpse) client_gic_opt: received '%s' = '%s'\n", - attr, value); -#endif - return 0; -} - - -/* Free state. */ -static void -server_free_modreq(krb5_context kcontext, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq modreq) -{ - free(modreq); -} - -/* Obtain and return any preauthentication data (which is destined for the - * client) which matches type data->pa_type. */ -static void -server_get_edata(krb5_context kcontext, - krb5_kdc_req *request, - krb5_kdcpreauth_callbacks cb, - krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, - krb5_preauthtype pa_type, - krb5_kdcpreauth_edata_respond_fn respond, - void *arg) -{ - (*respond)(arg, 0, NULL); -} - -/* Verify a request from a client. 
*/ -static void -server_verify(krb5_context kcontext, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - krb5_kdcpreauth_callbacks cb, - krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_verify_respond_fn respond, - void *arg) -{ - krb5_int32 nnonce; - krb5_authdata **my_authz_data; - krb5_kdcpreauth_modreq modreq; - -#ifdef DEBUG - fprintf(stderr, "wpse: server_verify()!\n"); -#endif - /* Verify the preauth data. */ - if (data->length != 4) { - (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); - return; - } - memcpy(&nnonce, data->contents, 4); - nnonce = ntohl(nnonce); - if (memcmp(&nnonce, &request->nonce, 4) != 0) { - (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); - return; - } - /* Note that preauthentication succeeded. */ - enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; - enc_tkt_reply->flags |= TKT_FLG_HW_AUTH; - /* Allocate a context. Useful for verifying that we do in fact do - * per-request cleanup. */ - modreq = malloc(4); - - /* - * Return some junk authorization data just to exercise the - * code path handling the returned authorization data. - * - * NOTE that this is NOT VALID authorization data! 
- */ -#ifdef DEBUG - fprintf(stderr, "wpse: doing authorization data!\n"); -#endif - my_authz_data = malloc(2 * sizeof(*my_authz_data)); - if (my_authz_data != NULL) { -#if 1 /* USE_5000_AD */ -#define AD_ALLOC_SIZE 5000 - /* ad_header consists of a sequence tag (0x30) and length - * (0x82 0x1384) followed by octet string tag (0x04) and - * length (0x82 0x1380) */ - krb5_octet ad_header[] = {0x30, 0x82, 0x13, 0x84, 0x04, 0x82, 0x13, 0x80}; -#else -#define AD_ALLOC_SIZE 100 - /* ad_header consists of a sequence tag (0x30) and length - * (0x62) followed by octet string tag (0x04) and length - * (0x60) */ - krb5_octet ad_header[] = {0x30, 0x62, 0x04, 0x60}; -#endif - - my_authz_data[1] = NULL; - my_authz_data[0] = malloc(sizeof(krb5_authdata)); - if (my_authz_data[0] == NULL) { - free(my_authz_data); - (*respond)(arg, ENOMEM, modreq, NULL, NULL); - return; - } - my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE); - if (my_authz_data[0]->contents == NULL) { - free(my_authz_data[0]); - free(my_authz_data); - (*respond)(arg, ENOMEM, modreq, NULL, NULL); - return; - } - memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE); - my_authz_data[0]->magic = KV5M_AUTHDATA; - my_authz_data[0]->ad_type = 1; - my_authz_data[0]->length = AD_ALLOC_SIZE; - memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header)); - snprintf(my_authz_data[0]->contents + sizeof(ad_header), - AD_ALLOC_SIZE - sizeof(ad_header), - "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); -#ifdef DEBUG - fprintf(stderr, "Returning %d bytes of authorization data\n", - AD_ALLOC_SIZE); -#endif - } - - (*respond)(arg, 0, modreq, NULL, my_authz_data); -} - -/* Create the response for a client. 
*/ -static krb5_error_code -server_return(krb5_context kcontext, - krb5_pa_data *padata, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - krb5_kdcpreauth_callbacks cb, - krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) -{ - /* This module does a couple of dumb things. It tags its reply with - * the same type as the initial challenge (expecting the client to sort - * out whether there's anything useful in there). Oh, and it replaces - * the AS reply key with one which is sent in the clear. */ - krb5_keyblock *kb; - krb5_int32 enctype; - int i; - - *send_pa = NULL; - - /* We'll want a key with the first supported enctype. */ - for (i = 0; i < request->nktypes; i++) { - kb = NULL; - if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) { - break; - } - } - if (i >= request->nktypes) { - /* No matching cipher type found. */ - return 0; - } - - /* Randomize a key and save it for the client. */ - if (krb5_c_make_random_key(kcontext, request->ktype[i], kb) != 0) { - krb5_free_keyblock(kcontext, kb); - return 0; - } -#ifdef DEBUG - fprintf(stderr, "Generated random key, type=%d, length=%d.\n", - kb->enctype, kb->length); -#endif - - *send_pa = malloc(sizeof(krb5_pa_data)); - if (*send_pa == NULL) { - krb5_free_keyblock(kcontext, kb); - return ENOMEM; - } - (*send_pa)->pa_type = KRB5_PADATA_WPSE_REQ; - (*send_pa)->length = 4 + kb->length; - (*send_pa)->contents = malloc(4 + kb->length); - if ((*send_pa)->contents == NULL) { - free(*send_pa); - *send_pa = NULL; - krb5_free_keyblock(kcontext, kb); - return ENOMEM; - } - - /* Store the preauth data. */ - enctype = htonl(kb->enctype); - memcpy((*send_pa)->contents, &enctype, 4); - memcpy((*send_pa)->contents + 4, kb->contents, kb->length); - krb5_free_keyblock_contents(kcontext, encrypting_key); - krb5_copy_keyblock_contents(kcontext, kb, encrypting_key); - - - /* Clean up. 
*/ - krb5_free_keyblock(kcontext, kb); - - return 0; -} - -static int -server_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) -{ - return PA_HARDWARE | PA_REPLACES_KEY | PA_SUFFICIENT; -} - -static krb5_preauthtype supported_client_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; -static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; - -krb5_error_code -clpreauth_wpse_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable); -krb5_error_code -kdcpreauth_wpse_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable); - -krb5_error_code -clpreauth_wpse_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable) -{ - krb5_clpreauth_vtable vt; - - if (maj_ver != 1) - return KRB5_PLUGIN_VER_NOTSUPP; - vt = (krb5_clpreauth_vtable)vtable; - vt->name = "wpse"; - vt->pa_type_list = supported_client_pa_types; - vt->init = client_init; - vt->fini = client_fini; - vt->flags = client_get_flags; - vt->request_init = client_req_init; - vt->request_fini = client_req_cleanup; - vt->process = client_process; - vt->gic_opts = client_gic_opt; - return 0; -} - -krb5_error_code -kdcpreauth_wpse_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable) -{ - krb5_kdcpreauth_vtable vt; - - if (maj_ver != -1) - return KRB5_PLUGIN_VER_NOTSUPP; - vt = (krb5_kdcpreauth_vtable)vtable; - vt->name = "wpse"; - vt->pa_type_list = supported_server_pa_types; - vt->flags = server_get_flags; - vt->edata = server_get_edata; - vt->verify = server_verify; - vt->return_padata = server_return; - vt->free_modreq = server_free_modreq; - return 0; -} diff --git a/src/util/Makefile.in b/src/util/Makefile.in index 5452a772ec..2611581c15 100644 --- a/src/util/Makefile.in +++ b/src/util/Makefile.in 
@@ -4,8 +4,7 @@ mydir=util
 # configure scripts, so hide this.
 ##WIN32##!if 0
 SUBDIRS=support $(MAYBE_ET_@COM_ERR_VERSION@) $(MAYBE_SS_@SS_VERSION@) \
- profile gss-kernel-lib collected-client-lib \
- $(MAYBE_VERTO_@VERTO_VERSION@)
+ profile $(MAYBE_VERTO_@VERTO_VERSION@)
 ##WIN32##!endif
 WINSUBDIRS=windows support et profile wshelper
 BUILDTOP=$(REL)..
diff --git a/src/util/collected-client-lib/Makefile.in b/src/util/collected-client-lib/Makefile.in
deleted file mode 100644
index 606149e456..0000000000
--- a/src/util/collected-client-lib/Makefile.in
+++ /dev/null
@@ -1,78 +0,0 @@
-# The collected client library is not built by default. To build it
-# manually, run "make all-libs".
-
-mydir=util$(S)collected-client-lib
-BUILDTOP=$(REL)..$(S)..
-RELDIR=../util/collected-client-lib
-
-##DOS##BUILDTOP = ..\..
-##DOS##LIBNAME=$(OUTPRE)k5sprt32.lib
-##DOS##WIN64LIBNAME=$(OUTPRE)k5sprt64.lib
-##DOS##XTRA=
-##DOS##OBJFILE=$(OUTPRE)k5sprt32.lst
-##DOS##WIN64OBJFILE=$(OUTPRE)k5sprt64.lst
-
-LIBBASE=collected
-LIBMAJOR=1
-LIBMINOR=0
-
-LIBINITFUNC=
-LIBFINIFUNC=
-
-STLIBOBJS=
-LIBOBJS=
-STOBJLISTS= \
- ../../lib/gssapi/OBJS.ST \
- ../../lib/gssapi/generic/OBJS.ST \
- ../../lib/gssapi/mechglue/OBJS.ST \
- ../../lib/gssapi/krb5/OBJS.ST \
- ../../lib/gssapi/spnego/OBJS.ST \
- ../../lib/krb5/OBJS.ST \
- ../../lib/krb5/error_tables/OBJS.ST \
- ../../lib/krb5/asn.1/OBJS.ST \
- ../../lib/krb5/ccache/OBJS.ST \
- ../../lib/krb5/keytab/OBJS.ST \
- ../../lib/krb5/krb/OBJS.ST \
- ../../lib/krb5/rcache/OBJS.ST \
- ../../lib/krb5/os/OBJS.ST \
- ../../lib/krb5/unicode/OBJS.ST \
- ../profile/OBJS.ST \
- ../../lib/crypto/krb/crc32/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/des/OBJS.ST \
- ../../lib/crypto/krb/dk/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/enc_provider/OBJS.ST \
- ../../lib/crypto/krb/hash_provider/OBJS.ST \
- ../../lib/crypto/krb/keyhash_provider/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/md4/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/md5/OBJS.ST \
- ../../lib/crypto/krb/old/OBJS.ST \
- ../../lib/crypto/krb/raw/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/sha1/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/arcfour/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/aes/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/camellia/OBJS.ST \
- ../../lib/crypto/krb/prng/OBJS.ST \
- ../../lib/crypto/krb/prng/@PRNG_ALG@/OBJS.ST \
- ../../lib/crypto/krb/OBJS.ST \
- ../../lib/crypto/@CRYPTO_IMPL@/OBJS.ST \
- ../../lib/crypto/OBJS.ST \
- ../et/OBJS.ST \
- ../support/OBJS.ST
-
-SRCS=
-
-SHLIB_EXPDEPS =
-
-LIBS_UTILS=-lresolv
-# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) $(LIBS_UTILS)
-
-DEPLIBS=
-
-clean-unix:: clean-libs
-
-#SHLIB_EXPORT_FILE=libcollected.exports
-
-@lib_frag@
-#@#libobj_frag@
-
diff --git a/src/util/collected-client-lib/deps b/src/util/collected-client-lib/deps
deleted file mode 100644
index 2feac3c9d3..0000000000
--- a/src/util/collected-client-lib/deps
+++ /dev/null
@@ -1 +0,0 @@
-# No dependencies here.
diff --git a/src/util/collected-client-lib/libcollected.exports b/src/util/collected-client-lib/libcollected.exports
deleted file mode 100644
index 6eb668dc5a..0000000000
--- a/src/util/collected-client-lib/libcollected.exports
+++ /dev/null
@@ -1,286 +0,0 @@
-error_message
-com_err
-com_err_va
-reset_com_err_hook
-set_com_err_hook
-add_error_table
-remove_error_table
-profile_init
-profile_init_path
-profile_is_writable
-profile_is_modified
-profile_flush
-profile_flush_to_file
-profile_flush_to_buffer
-profile_free_buffer
-profile_abandon
-profile_release
-profile_get_values
-profile_free_list
-profile_get_string
-profile_get_boolean
-profile_get_integer
-profile_get_relation_names
-profile_get_subsection_names
-profile_iterator_create
-profile_iterator_free
-profile_iterator
-profile_release_string
-profile_update_relation
-profile_clear_relation
-profile_rename_section
-profile_add_relation
-krb5_is_referral_realm
-krb5_c_encrypt
-krb5_c_decrypt
-krb5_c_encrypt_length
-krb5_c_block_size
-krb5_c_keylengths
-krb5_c_init_state
-krb5_c_free_state
-krb5_c_prf
-krb5_c_prf_length
-krb5_c_make_random_key
-krb5_c_random_to_key
-krb5_c_random_add_entropy
-krb5_c_random_make_octets
-krb5_c_random_os_entropy
-krb5_c_random_seed
-krb5_c_string_to_key
-krb5_c_string_to_key_with_params
-krb5_c_enctype_compare
-krb5_c_make_checksum
-krb5_c_verify_checksum
-krb5_c_checksum_length
-krb5_c_keyed_checksum_types
-krb5_c_valid_enctype
-krb5_c_valid_cksumtype
-krb5_c_is_coll_proof_cksum
-krb5_c_is_keyed_cksum
-krb5_cc_get_name
-krb5_cc_gen_new
-krb5_cc_initialize
-krb5_cc_destroy
-krb5_cc_close
-krb5_cc_store_cred
-krb5_cc_retrieve_cred
-krb5_cc_get_principal
-krb5_cc_start_seq_get
-krb5_cc_next_cred
-krb5_cc_end_seq_get
-krb5_cc_remove_cred
-krb5_cc_set_flags
-krb5_cc_get_flags
-krb5_cc_get_type
-krb5_cccol_cursor_new
-krb5_cccol_cursor_next
-krb5_cccol_cursor_free
-krb5_cc_new_unique
-krb5_init_context
-krb5_init_secure_context
-krb5_free_context
-krb5_copy_context
-krb5_is_thread_safe
-krb5_free_tgt_creds
-krb5_get_credentials
-krb5_get_credentials_validate
-krb5_get_credentials_renew
-krb5_mk_req
-krb5_mk_req_extended
-krb5_rd_rep
-krb5_rd_error
-krb5_rd_safe
-krb5_rd_priv
-krb5_parse_name
-krb5_unparse_name
-krb5_unparse_name_ext
-krb5_set_principal_realm
-krb5_address_search
-krb5_address_compare
-krb5_address_order
-krb5_realm_compare
-krb5_principal_compare
-krb5_init_keyblock
-krb5_copy_keyblock
-krb5_copy_keyblock_contents
-krb5_copy_creds
-krb5_copy_data
-krb5_copy_principal
-krb5_copy_addresses
-krb5_copy_ticket
-krb5_copy_authdata
-krb5_copy_authenticator
-krb5_copy_checksum
-krb5_build_principal_ext
-krb5_build_principal
-krb5_build_principal_va
-krb5_principal2salt
-krb5_cc_resolve
-krb5_cc_default_name
-krb5_cc_set_default_name
-krb5_cc_default
-krb5_cc_copy_creds
-krb5_free_principal
-krb5_free_authenticator
-krb5_free_addresses
-krb5_free_authdata
-krb5_free_ticket
-krb5_free_error
-krb5_free_creds
-krb5_free_cred_contents
-krb5_free_checksum
-krb5_free_checksum_contents
-krb5_free_keyblock
-krb5_free_keyblock_contents
-krb5_free_ap_rep_enc_part
-krb5_free_data
-krb5_free_data_contents
-krb5_free_unparsed_name
-krb5_free_cksumtypes
-krb5_us_timeofday
-krb5_timeofday
-krb5_os_localaddr
-krb5_get_default_realm
-krb5_set_default_realm
-krb5_free_default_realm
-krb5_sname_to_principal
-krb5_change_password
-krb5_set_password
-krb5_set_password_using_ccache
-krb5_chpw_message
-krb5_get_profile
-krb5_mk_safe
-krb5_mk_priv
-krb5_sendauth
-krb5_mk_ncred
-krb5_mk_1cred
-krb5_fwd_tgt_creds
-krb5_auth_con_init
-krb5_auth_con_free
-krb5_auth_con_setflags
-krb5_auth_con_getflags
-krb5_auth_con_set_checksum_func
-krb5_auth_con_get_checksum_func
-krb5_auth_con_setaddrs
-krb5_auth_con_getaddrs
-krb5_auth_con_setports
-krb5_auth_con_setuseruserkey
-krb5_auth_con_getkey
-krb5_auth_con_getsendsubkey
-krb5_auth_con_getrecvsubkey
-krb5_auth_con_setsendsubkey
-krb5_auth_con_setrecvsubkey
-krb5_auth_con_getlocalseqnumber
-krb5_auth_con_getremoteseqnumber
-krb5_auth_con_setrcache
-krb5_auth_con_getrcache
-krb5_auth_con_getauthenticator
-krb5_read_password
-krb5_aname_to_localname
-krb5_get_host_realm
-krb5_get_fallback_host_realm
-krb5_free_host_realm
-krb5_auth_con_genaddrs
-krb5_set_real_time
-krb5_get_time_offsets
-krb5_string_to_enctype
-krb5_string_to_salttype
-krb5_string_to_cksumtype
-krb5_string_to_timestamp
-krb5_string_to_deltat
-krb5_enctype_to_string
-krb5_salttype_to_string
-krb5_cksumtype_to_string
-krb5_timestamp_to_string
-krb5_timestamp_to_sfstring
-krb5_deltat_to_string
-krb5_get_init_creds_opt_alloc
-krb5_get_init_creds_opt_free
-krb5_get_init_creds_opt_init
-krb5_get_init_creds_opt_set_tkt_life
-krb5_get_init_creds_opt_set_renew_life
-krb5_get_init_creds_opt_set_forwardable
-krb5_get_init_creds_opt_set_proxiable
-krb5_get_init_creds_opt_set_etype_list
-krb5_get_init_creds_opt_set_address_list
-krb5_get_init_creds_opt_set_preauth_list
-krb5_get_init_creds_opt_set_salt
-krb5_get_init_creds_opt_set_change_password_prompt
-krb5_get_init_creds_opt_set_pa
-krb5_get_init_creds_password
-krb5_get_validated_creds
-krb5_get_renewed_creds
-krb5_decode_ticket
-krb5_appdefault_string
-krb5_appdefault_boolean
-krb5_get_prompt_types
-krb5_set_error_message
-krb5_vset_error_message
-krb5_get_error_message
-krb5_free_error_message
-krb5_clear_error_message
-gss_acquire_cred
-gss_release_cred
-gss_init_sec_context
-gss_process_context_token
-gss_delete_sec_context
-gss_context_time
-gss_sign
-gss_verify
-gss_seal
-gss_unseal
-gss_display_status
-gss_indicate_mechs
-gss_compare_name
-gss_display_name
-gss_import_name
-gss_release_name
-gss_release_buffer
-gss_release_oid_set
-gss_inquire_cred
-gss_add_cred
-gss_inquire_cred_by_mech
-gss_inquire_context
-gss_wrap_size_limit
-gss_release_oid
-gss_create_empty_oid_set
-gss_add_oid_set_member
-gss_test_oid_set_member
-gss_oid_to_str
-gss_str_to_oid
-gss_wrap
-gss_unwrap
-gss_get_mic
-gss_verify_mic
-gss_inquire_names_for_mech
-gss_inquire_mechs_for_name
-gss_canonicalize_name
-gss_export_name
-gss_duplicate_name
-GSS_C_NT_USER_NAME
-GSS_C_NT_MACHINE_UID_NAME
-GSS_C_NT_STRING_UID_NAME
-GSS_C_NT_HOSTBASED_SERVICE_X
-GSS_C_NT_HOSTBASED_SERVICE
-GSS_C_NT_ANONYMOUS
-GSS_C_NT_EXPORT_NAME
-gss_nt_user_name
-gss_nt_machine_uid_name
-gss_nt_string_uid_name
-gss_nt_service_name_v2
-gss_nt_service_name
-gss_nt_exported_name
-GSS_KRB5_NT_PRINCIPAL_NAME
-gss_mech_krb5
-gss_mech_krb5_old
-gss_mech_set_krb5
-gss_mech_set_krb5_both
-gss_mech_set_krb5_old
-gss_nt_krb5_name
-gss_nt_krb5_principal
-krb5_gss_oid_array
-gss_krb5_copy_ccache
-gss_krb5_ccache_name
-gss_krb5_set_allowable_enctypes
-gss_krb5_export_lucid_sec_context
-gss_krb5_free_lucid_sec_context
diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in
deleted file mode 100644
index 29a1556fb8..0000000000
--- a/src/util/gss-kernel-lib/Makefile.in
+++ /dev/null
@@ -1,229 +0,0 @@ -mydir=util/gss-kernel-lib -BUILDTOP=$(REL)..$(S).. - -DEFINES=-DKRB5_KERNEL -ALL_CFLAGS=$(WARN_CFLAGS) $(DEFS) $(DEFINES) -I. -Igssapi $(CPPFLAGS) $(CFLAGS) - -SHLIB_EXPDEPS = \ - $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS=-lgssrpc -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(LIBS) - -SRCS= \ - k5seal.c \ - k5sealiov.c \ - k5unseal.c \ - k5unsealiov.c \ - k5sealv3.c \ - k5sealv3iov.c \ - util_cksum.c \ - util_crypt.c \ - util_seqnum.c \ - util_seed.c \ - util_token.c \ - util_set.c \ - util_seqstate.c - -EXTRADEPSRCS= kernel_gss.c t_kgss_common.c t_kgss_user.c t_kgss_kernel.c - -OBJS= \ - kernel_gss.o \ - k5seal.o \ - k5sealiov.o \ - k5unseal.o \ - k5unsealiov.o \ - k5sealv3.o \ - k5sealv3iov.o \ - util_cksum.o \ - util_crypt.o \ - util_seqnum.o \ - util_seed.o \ - util_token.o \ - util_set.o \ - util_seqstate.o - -# COM_ERR_DEPS is COM_ERR_DEPS-k5 when we use the bundled com_err, and -# empty otherwise. Normally COM_ERR_DEPS-k5 is from the central -# include directory in the build tree, but here we only take headers -# from the current directory, so we need to redefine it. 
-COM_ERR_DEPS-k5 = com_err.h - -HEADERS= \ - gssapi/gssapi.h \ - gssapi/gssapi_krb5.h \ - gssapi/gssapi_alloc.h \ - gssapi/gssapi_ext.h \ - gssapi.h \ - gssapiP_krb5.h \ - gssapi_err_krb5.h \ - gssapiP_generic.h \ - gssapi_generic.h \ - gssapi_err_generic.h \ - k5-int.h \ - k5-int-pkinit.h \ - k5-thread.h \ - k5-platform.h \ - k5-buf.h \ - k5-trace.h \ - k5-err.h \ - k5-plugin.h \ - k5-gmt_mktime.h \ - krb5.h \ - osconf.h \ - autoconf.h \ - port-sockets.h \ - socket-utils.h \ - krb5/krb5.h \ - krb5/plugin.h \ - krb5/clpreauth_plugin.h \ - krb5/authdata_plugin.h \ - profile.h \ - $(COM_ERR_DEPS) - -check-pytests: t_kgss_user t_kgss_kernel - $(RUNPYTEST) $(srcdir)/t_kgss.py $(PYTESTFLAGS) - -libkgss.a: $(OBJS) - $(RM) $@ - $(AR) cq $@ $(OBJS) - $(RANLIB) $@ - -t_kgss_user: t_kgss_user.o t_kgss_common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o t_kgss_user t_kgss_user.o t_kgss_common.o $(GSS_LIBS) \ - $(KRB5_BASE_LIBS) - -t_kgss_kernel: libkgss.a t_kgss_kernel.o t_kgss_common.o $(K5CRYPTO_DEPLIB) \ - $(SUPPORT_DEPLIB) - $(CC_LINK) -o $@ t_kgss_kernel.o t_kgss_common.o libkgss.a \ - $(K5CRYPTO_LIB) $(SUPPORT_LIB) - -depend: $(SRCS) $(HEADERS) - -clean: - $(RM) $(SRCS) $(HEADERS) libkgss.a testlog OBJS.SH - $(RM) -r gssapi krb5 testdir - $(RM) t_kgss_user.o t_kgss_kernel.o t_kgss_common.o - $(RM) t_kgss_user t_kgss_kernel - -GSS_KRB5=$(top_srcdir)/lib/gssapi/krb5 -GSS_KRB5_BUILD=$(BUILDTOP)/lib/gssapi/krb5 -GSS_GENERIC=$(top_srcdir)/lib/gssapi/generic -GSS_GENERIC_BUILD=$(BUILDTOP)/lib/gssapi/generic -INCLUDE=$(top_srcdir)/include -INCLUDE_BUILD=$(BUILDTOP)/include - -# Rules to copy sources from their real homes in the source or build tree. -# If we switch to requiring gnu make, we can use $(CP) $< $@ in these rules. 
-k5seal.c: $(GSS_KRB5)/k5seal.c - $(CP) $(GSS_KRB5)/k5seal.c $@ -k5sealiov.c: $(GSS_KRB5)/k5sealiov.c - $(CP) $(GSS_KRB5)/k5sealiov.c $@ -k5unseal.c: $(GSS_KRB5)/k5unseal.c - $(CP) $(GSS_KRB5)/k5unseal.c $@ -k5unsealiov.c: $(GSS_KRB5)/k5unsealiov.c - $(CP) $(GSS_KRB5)/k5unsealiov.c $@ -k5sealv3.c: $(GSS_KRB5)/k5sealv3.c - $(CP) $(GSS_KRB5)/k5sealv3.c $@ -k5sealv3iov.c: $(GSS_KRB5)/k5sealv3iov.c - $(CP) $(GSS_KRB5)/k5sealv3iov.c $@ -util_cksum.c: $(GSS_KRB5)/util_cksum.c - $(CP) $(GSS_KRB5)/util_cksum.c $@ -util_crypt.c: $(GSS_KRB5)/util_crypt.c - $(CP) $(GSS_KRB5)/util_crypt.c $@ -util_seqnum.c: $(GSS_KRB5)/util_seqnum.c - $(CP) $(GSS_KRB5)/util_seqnum.c $@ -util_seed.c: $(GSS_KRB5)/util_seed.c - $(CP) $(GSS_KRB5)/util_seed.c $@ -util_token.c: $(GSS_GENERIC)/util_token.c - $(CP) $(GSS_GENERIC)/util_token.c $@ -util_set.c: $(GSS_GENERIC)/util_set.c - $(CP) $(GSS_GENERIC)/util_set.c $@ -util_seqstate.c: $(GSS_GENERIC)/util_seqstate.c - $(CP) $(GSS_GENERIC)/util_seqstate.c $@ - -# Rules to copy headers from their real homes in the source or build tree. 
-gssapi.h: $(INCLUDE)/gssapi.h - $(CP) $(INCLUDE)/gssapi.h $@ -gssapi/gssapi.h: gssapi $(GSS_GENERIC_BUILD)/gssapi.h - $(CP) $(GSS_GENERIC_BUILD)/gssapi.h $@ -gssapi/gssapi_krb5.h: gssapi $(GSS_KRB5)/gssapi_krb5.h - $(CP) $(GSS_KRB5)/gssapi_krb5.h $@ -gssapi/gssapi_alloc.h: gssapi $(GSS_GENERIC)/gssapi_alloc.h - $(CP) $(GSS_GENERIC)/gssapi_alloc.h $@ -gssapi/gssapi_ext.h: gssapi $(GSS_GENERIC)/gssapi_ext.h - $(CP) $(GSS_GENERIC)/gssapi_ext.h $@ -gssapiP_krb5.h: $(GSS_KRB5)/gssapiP_krb5.h - $(CP) $(GSS_KRB5)/gssapiP_krb5.h $@ -gssapi_err_krb5.h: $(GSS_KRB5_BUILD)/gssapi_err_krb5.h - $(CP) $(GSS_KRB5_BUILD)/gssapi_err_krb5.h $@ -gssapiP_generic.h: $(GSS_GENERIC)/gssapiP_generic.h - $(CP) $(GSS_GENERIC)/gssapiP_generic.h $@ -gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h - $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ -gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h - $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ -k5-int.h: $(INCLUDE)/k5-int.h - $(CP) $(INCLUDE)/k5-int.h $@ -k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h - $(CP) $(INCLUDE)/k5-int-pkinit.h $@ -k5-thread.h: $(INCLUDE)/k5-thread.h - $(CP) $(INCLUDE)/k5-thread.h $@ -k5-platform.h: $(INCLUDE)/k5-platform.h - $(CP) $(INCLUDE)/k5-platform.h $@ -k5-buf.h: $(INCLUDE)/k5-buf.h - $(CP) $(INCLUDE)/k5-buf.h $@ -k5-trace.h: $(INCLUDE)/k5-trace.h - $(CP) $(INCLUDE)/k5-trace.h $@ -k5-err.h: $(INCLUDE)/k5-err.h - $(CP) $(INCLUDE)/k5-err.h $@ -k5-plugin.h: $(INCLUDE)/k5-plugin.h - $(CP) $(INCLUDE)/k5-plugin.h $@ -k5-gmt_mktime.h: $(INCLUDE)/k5-gmt_mktime.h - $(CP) $(INCLUDE)/k5-gmt_mktime.h $@ -krb5.h: $(INCLUDE)/krb5.h - $(CP) $(INCLUDE)/krb5.h $@ -osconf.h: $(INCLUDE_BUILD)/osconf.h - $(CP) $(INCLUDE_BUILD)/osconf.h $@ -autoconf.h: $(INCLUDE_BUILD)/autoconf.h - $(CP) $(INCLUDE_BUILD)/autoconf.h $@ -port-sockets.h: $(INCLUDE)/port-sockets.h - $(CP) $(INCLUDE)/port-sockets.h $@ -socket-utils.h: $(INCLUDE)/socket-utils.h - $(CP) $(INCLUDE)/socket-utils.h $@ -krb5/krb5.h: krb5 $(INCLUDE_BUILD)/krb5/krb5.h 
- $(CP) $(INCLUDE_BUILD)/krb5/krb5.h $@ -krb5/plugin.h: krb5 $(INCLUDE)/krb5/plugin.h - $(CP) $(INCLUDE)/krb5/plugin.h $@ -krb5/clpreauth_plugin.h: krb5 $(INCLUDE)/krb5/clpreauth_plugin.h - $(CP) $(INCLUDE)/krb5/clpreauth_plugin.h $@ -krb5/authdata_plugin.h: krb5 $(INCLUDE)/krb5/authdata_plugin.h - $(CP) $(INCLUDE)/krb5/authdata_plugin.h $@ -profile.h: $(INCLUDE_BUILD)/profile.h - $(CP) $(INCLUDE_BUILD)/profile.h $@ -com_err.h: $(INCLUDE_BUILD)/com_err.h - $(CP) $(INCLUDE_BUILD)/com_err.h $@ - -# Rules to generate dependency headers if they don't already exist, -# for "make depend" from an unbuilt directory. -$(GSS_GENERIC_BUILD)/gssapi.h: - (cd $(GSS_GENERIC_BUILD) && $(MAKE) gssapi.h) -$(GSS_GENERIC_BUILD)/gssapi_err_generic.h: - (cd $(GSS_GENERIC_BUILD) && $(MAKE) gssapi_err_generic.h) -$(GSS_KRB5_BUILD)/gssapi_err_krb5.h: - (cd $(GSS_KRB5_BUILD) && $(MAKE) gssapi_err_krb5.h) -$(INCLUDE_BUILD)/osconf.h: - (cd $(INCLUDE_BUILD) && $(MAKE) osconf.h) -$(INCLUDE_BUILD)/krb5/krb5.h: - (cd $(INCLUDE_BUILD) && $(MAKE) krb5/krb5.h) - -gssapi: - test -d gssapi || mkdir gssapi -krb5: - test -d krb5 || mkdir krb5 - -LIBBASE=kgss -LIBMAJOR=1 -LIBMINOR=0 - -LIBINITFUNC= -LIBFINIFUNC= diff --git a/src/util/gss-kernel-lib/README b/src/util/gss-kernel-lib/README deleted file mode 100644 index b2adf2b4f0..0000000000 --- a/src/util/gss-kernel-lib/README +++ /dev/null 
@@ -1,121 +0,0 @@ -This directory is intended to help integrators of MIT krb5 code into -the kernel by: - -1. Identifying the GSSAPI source files necessary for wrapping and -unwrapping messages. - -2. Providing a test framework to ensuring that these source files do -not grow addtional dependencies without alerting the developers. - -3. Providing code for importing a Lucid sec context. - -Nothing is built in this directory during "make all". The following -happens durng "make check": - -1. Sources and headers are copied here from other parts of the tree. - -2. Sources are compiled and built, together with some additional code -in kernel_gss.c, into a static library named libkgss.a. Sources are -built with -DKRB5_KERNEL, which is used (very sparingly) to eliminate -dependencies such as the code to save error messages. - -3. A test program is built in two parts: t_kgss_user is built against -the regular ("user-space") GSSAPI libraries, and t_kgss_kernel is -built against libkgss.a. - -4. A Python test executes t_kgss_user, which runs t_kgss_kernel in a -child process and exercises the functionality of libkgss.a. - -Limitations ------------ - -Lucid contexts are used to transport the acceptor context from -user-space to kernel-space, because the code overhead of normal -export/import is large (it requires the libkrb5 serialization -framework). Kernel integrators should be aware of two issues with -Lucid contexts: - -1. They are not a flat data blob. It is up to the user/kernelspace -interface to define a format for transporting the lucid context -structure. - -2. Lucid contexts do not convey the do-replay or do-sequence flags -from the original context. RPC security does not need replay or -sequence detection, so the krb5_gss_import_lucid_sec_context -implementation in kernel_gss.c simply assumes the flags should be -turned off. 
If the kernel GSS code is being used for a protocol which -does need replay or sequence detection, those flags should be -determined separately and set in the krb5 GSS context. - -Crypto library --------------- - -libkgss.a does not include crypto code. Almost all of the crypto -library is required for a kernel integration, so it would not be -productive to duplicate almost all of the crypto build infrastructure -to demonstrate the kernel subset. - -A kernel integrator will almost certainly want to use the kernel's -native PRNG instead of the default lib/crypto/krb/prng_fortuna.c, and -may also wish to write a back end module implementing standard crypto -primitives in terms of the kernel's crypto primitives, instead of -using lib/crypto/builtin. - -A few pieces of crypto functionality can be omitted from a kernel -subset. String-to-key is not needed, and consequently neither is -PBKDF2. PRF is not needed, unless the integrator is adding -krb5_gss_pseudo_random to the subset. The enctype utility APIs are -not needed. DES and DES3 keys are only used via raw enctypes, so the -functions in enc_old.c won't be reached. Because of the way the -crypto library uses vtables internally, removing the unreached code is -not simply a matter of selecting source files, and it may be simpler -to just leave the small amount of unreached code in. 
- -A complete inventory of crypto APIs used by the kernel subset can be -made with: - - nm libkgss.a | awk '/U .*_[ck]_/ {print $2}' | sort -u - -Currently, that list is: - - krb5_c_block_size - krb5_c_checksum_length - krb5_c_crypto_length - krb5_c_make_checksum - krb5_c_padding_length - krb5_c_random_make_octets - krb5int_c_free_keyblock - krb5int_c_mandatory_cksumtype - krb5_k_create_key - krb5_k_decrypt - krb5_k_decrypt_iov - krb5_k_encrypt - krb5_k_encrypt_iov - krb5_k_free_key - krb5_k_key_keyblock - krb5_k_make_checksum - krb5_k_make_checksum_iov - krb5_k_verify_checksum - krb5_k_verify_checksum_iov - -Debugging test failures ------------------------ - -If an error occurs in t_kgss_user, it can be debugged in the same way -as any program running under the Python test framework. Start by -re-running the Python script with the -v flag, then add a --debug -option for the failing command, then set breakpoints or step through -the process execution as necessary. - -If an error occurs in t_kgss_kernel, it is harder to debug, since -t_kgss_user runs it as a subprocess. On Linux with gdb, it is -possible to interactively debug t_kgss_kernel by starting an -interactive gdb session for t_kgss_user and doing: - - set follow-fork-mode child - break main - run - cont - -You should get a breakpoint in the main() of t_kgss_kernel and should -be able to set breakpoints from there. diff --git a/src/util/gss-kernel-lib/deps b/src/util/gss-kernel-lib/deps deleted file mode 100644 index a263ba2cb4..0000000000 --- a/src/util/gss-kernel-lib/deps +++ /dev/null 
@@ -1,126 +0,0 @@ -# -# Generated makefile dependencies follow. -# -$(OUTPRE)k5seal.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5seal.c \ - krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \ - osconf.h port-sockets.h profile.h socket-utils.h -$(OUTPRE)k5sealiov.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5sealiov.c \ - krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \ - osconf.h port-sockets.h profile.h socket-utils.h -$(OUTPRE)k5unseal.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5unseal.c \ - krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \ - osconf.h port-sockets.h profile.h socket-utils.h -$(OUTPRE)k5unsealiov.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5unsealiov.c \ - krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \ - osconf.h port-sockets.h profile.h socket-utils.h 
-$(OUTPRE)k5sealv3.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5sealv3.c \ - krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \ - osconf.h port-sockets.h profile.h socket-utils.h -$(OUTPRE)k5sealv3iov.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h k5sealv3iov.c \ - krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \ - osconf.h port-sockets.h profile.h socket-utils.h -$(OUTPRE)util_cksum.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \ - krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \ - port-sockets.h profile.h socket-utils.h util_cksum.c -$(OUTPRE)util_crypt.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \ - krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \ - port-sockets.h profile.h socket-utils.h util_crypt.c -$(OUTPRE)util_seqnum.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - 
gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \ - krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \ - port-sockets.h profile.h socket-utils.h util_seqnum.c -$(OUTPRE)util_seed.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \ - krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \ - port-sockets.h profile.h socket-utils.h util_seed.c -$(OUTPRE)util_token.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \ - k5-buf.h k5-platform.h k5-thread.h util_token.c -$(OUTPRE)util_set.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \ - k5-buf.h k5-platform.h k5-thread.h util_set.c -$(OUTPRE)util_seqstate.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapiP_generic.h gssapi_err_generic.h gssapi_generic.h \ - k5-buf.h k5-platform.h k5-thread.h util_seqstate.c -$(OUTPRE)kernel_gss.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h kernel_gss.c \ - kernel_gss.h krb5.h 
krb5/authdata_plugin.h krb5/krb5.h \ - krb5/plugin.h osconf.h port-sockets.h profile.h socket-utils.h -$(OUTPRE)t_kgss_common.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \ - krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \ - port-sockets.h profile.h socket-utils.h t_kgss_common.c \ - t_kgss_common.h -$(OUTPRE)t_kgss_user.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h krb5.h \ - krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h osconf.h \ - port-sockets.h profile.h socket-utils.h t_kgss_common.h \ - t_kgss_user.c -$(OUTPRE)t_kgss_kernel.$(OBJEXT): $(COM_ERR_DEPS) autoconf.h \ - gssapi/gssapi.h gssapi/gssapi_alloc.h gssapi/gssapi_ext.h \ - gssapi/gssapi_krb5.h gssapiP_generic.h gssapiP_krb5.h \ - gssapi_err_generic.h gssapi_err_krb5.h gssapi_generic.h \ - k5-buf.h k5-err.h k5-gmt_mktime.h k5-int-pkinit.h k5-int.h \ - k5-platform.h k5-plugin.h k5-thread.h k5-trace.h kernel_gss.h \ - krb5.h krb5/authdata_plugin.h krb5/krb5.h krb5/plugin.h \ - osconf.h port-sockets.h profile.h socket-utils.h t_kgss_common.h \ - t_kgss_kernel.c diff --git a/src/util/gss-kernel-lib/kernel_gss.c b/src/util/gss-kernel-lib/kernel_gss.c deleted file mode 100644 index 2895d058d2..0000000000 --- a/src/util/gss-kernel-lib/kernel_gss.c +++ /dev/null 
@@ -1,213 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/gss_kernel.c - Extra pieces for GSS kernel library */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * This file includes a few symbols cherry-picked from larger files, as well as
- * a function to import a lucid sec context.
- */
-
-#include "gssapiP_krb5.h"
-#include "kernel_gss.h"
-
-/* Normally defined in lib/gssapi/krb5/gssapi_krb5.c. */
-static const gss_OID_desc oid_array[] = {
- {GSS_MECH_KRB5_OID_LENGTH, GSS_MECH_KRB5_OID},
- {GSS_MECH_KRB5_OLD_OID_LENGTH, GSS_MECH_KRB5_OLD_OID}
-};
-#define oids ((gss_OID)oid_array)
-const gss_OID gss_mech_krb5 = &oids[0];
-const gss_OID gss_mech_krb5_old = &oids[1];
-
-/* Create a key from key data in a lucid context. */
-static krb5_error_code
-lkey_to_key(const gss_krb5_lucid_key_t *lkey, krb5_key *key_out)
-{
- krb5_keyblock kb;
-
- kb.enctype = lkey->type;
- kb.length = lkey->length;
- kb.contents = lkey->data;
- return krb5_k_create_key(NULL, &kb, key_out);
-}
-
-/* Get the RFC3961 mandator cksumtype for key. */
-static inline krb5_error_code
-get_cksumtype(krb5_key key, krb5_cksumtype *out)
-{
- return krb5int_c_mandatory_cksumtype(NULL, key->keyblock.enctype, out);
-}
-
-/* Import a lucid context structure, creating a krb5 GSS context structure
- * sufficient for use by by wrap/unwrap/get_mic/verify_mic operations. */
-static krb5_error_code
-import_lucid_sec_context_v1(const gss_krb5_lucid_context_v1_t *lctx,
- gss_ctx_id_t *context_handle_out)
-{
- krb5_error_code ret;
- krb5_gss_ctx_id_t gctx;
- OM_uint32 tmpmin;
- krb5_key key = NULL;
-
- gctx = k5alloc(sizeof(*gctx), &ret);
- if (gctx == NULL)
- return ret;
-
- gctx->initiate = lctx->initiate;
- gctx->krb_times.endtime = lctx->endtime;
- gctx->seq_send = lctx->send_seq;
- gctx->seq_recv = lctx->recv_seq;
- gctx->proto = lctx->protocol;
- if (lctx->protocol == 0) {
- /* Ignore sign_alg and seal_alg since they follow from the enctype. */
- ret = lkey_to_key(&lctx->rfc1964_kd.ctx_key, &key);
- if (ret)
- goto cleanup;
- /* For raw enctypes, choose an enctype expected by kg_setup_keys. */
- if (key->keyblock.enctype == ENCTYPE_DES_CBC_RAW)
- key->keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- else if (key->keyblock.enctype == ENCTYPE_DES3_CBC_RAW)
- key->keyblock.enctype = ENCTYPE_DES3_CBC_SHA1;
- ret = kg_setup_keys(NULL, gctx, key, &gctx->cksumtype);
- if (ret)
- goto cleanup;
- if (gctx->proto != 0) { /* ctx_key did not have a pre-CFX enctype. */
- ret = EINVAL;
- goto cleanup;
- }
- } else if (lctx->protocol == 1) {
- ret = lkey_to_key(&lctx->cfx_kd.ctx_key, &gctx->subkey);
- if (ret)
- goto cleanup;
- ret = get_cksumtype(gctx->subkey, &gctx->cksumtype);
- if (ret)
- goto cleanup;
- if (lctx->cfx_kd.have_acceptor_subkey) {
- gctx->have_acceptor_subkey = 1;
- ret = lkey_to_key(&lctx->cfx_kd.acceptor_subkey,
- &gctx->acceptor_subkey);
- if (ret)
- goto cleanup;
- ret = get_cksumtype(gctx->acceptor_subkey,
- &gctx->acceptor_subkey_cksumtype);
- if (ret)
- goto cleanup;
- }
- }
-
- gctx->seed_init = 0;
- gctx->established = 1;
- gctx->mech_used = (gss_OID_desc *)gss_mech_krb5;
-
- /*
- * The lucid context doesn't convey the gss_flags which indicate whether
- * the protocol needs replay or sequence protection. Assume we don't
- * (because RPCSEC_GSS doesn't).
- */
- g_seqstate_init(&gctx->seqstate, gctx->seq_recv, 0, 0, gctx->proto);
-
- *context_handle_out = (gss_ctx_id_t)gctx;
- gctx = NULL;
-
-cleanup:
- krb5_k_free_key(NULL, key);
- krb5_gss_delete_sec_context(&tmpmin, (gss_ctx_id_t *)&gctx, NULL);
- return ret;
-}
-
-OM_uint32
-krb5_gss_import_lucid_sec_context(OM_uint32 *minor_status, void *lctx,
- gss_ctx_id_t *context_handle_out)
-{
- OM_uint32 vers = ((gss_krb5_lucid_context_version_t *)lctx)->version;
- krb5_error_code ret;
-
- if (vers == 1)
- ret = import_lucid_sec_context_v1((gss_krb5_lucid_context_v1_t *)lctx,
- context_handle_out);
- else
- ret = KG_LUCID_VERSION;
- *minor_status = ret;
- return (ret == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
-}
-
-/*
- * Normally defined in lib/gssapi/krb5/delete_sec_context.c; this version
- * is tailored for imported lucid contexts and has fewer dependencies.
- * Does not handle output tokens. */
-OM_uint32
-krb5_gss_delete_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- gss_buffer_t output_token)
-{
- krb5_gss_ctx_id_t ctx;
-
- if (output_token) {
- *minor_status = EINVAL;
- return GSS_S_FAILURE;
- }
-
- *minor_status = 0;
- if (*context_handle == GSS_C_NO_CONTEXT)
- return GSS_S_COMPLETE;
-
- ctx = (krb5_gss_ctx_id_t)*context_handle;
- g_seqstate_free(ctx->seqstate);
- krb5_k_free_key(NULL, ctx->enc);
- krb5_k_free_key(NULL, ctx->seq);
- krb5_k_free_key(NULL, ctx->subkey);
- krb5_k_free_key(NULL, ctx->acceptor_subkey);
- memset(ctx, 0, sizeof(*ctx));
- free(ctx);
- *context_handle = GSS_C_NO_CONTEXT;
- return GSS_S_COMPLETE;
-}
-
-/* Normally defined in lib/krb5/krb/kfree.c. */
-
-void KRB5_CALLCONV
-krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val)
-{
- if (val == NULL)
- return;
- free(val->contents);
- val->contents = NULL;
-}
-
-void KRB5_CALLCONV
-krb5_free_keyblock(krb5_context context, register krb5_keyblock *val)
-{
- krb5int_c_free_keyblock (context, val);
-}
-
-void KRB5_CALLCONV
-krb5_free_data(krb5_context context, krb5_data *val)
-{
- if (val == NULL)
- return;
- free(val->data);
- free(val);
-}
diff --git a/src/util/gss-kernel-lib/kernel_gss.h b/src/util/gss-kernel-lib/kernel_gss.h
deleted file mode 100644
index b99f461773..0000000000
--- a/src/util/gss-kernel-lib/kernel_gss.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/kernel_gss.h - Declarations for kernel GSS library */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#ifndef KERNEL_GSS_H
-#define KERNEL_GSS_H
-
-#include
-
-OM_uint32
-krb5_gss_import_lucid_sec_context(OM_uint32 *minor_status, void *lctx,
- gss_ctx_id_t *context_handle_out);
-
-#endif /* KERNEL_GSS_H */
diff --git a/src/util/gss-kernel-lib/t_kgss.c b/src/util/gss-kernel-lib/t_kgss.c
deleted file mode 100644
index 623be12170..0000000000
--- a/src/util/gss-kernel-lib/t_kgss.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss.c - Kernel GSS library test program */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-int
-main(int argc, char **argv)
-{
- krb5_gss_wrap_iov();
- krb5_gss_wrap_iov_length();
- krb5_gss_wrap();
- krb5_gss_unwrap();
- krb5_gss_unwrap_iov();
- krb5_gss_get_mic();
- krb5_gss_verify_mic();
- return 0;
-}
diff --git a/src/util/gss-kernel-lib/t_kgss.py b/src/util/gss-kernel-lib/t_kgss.py
deleted file mode 100755
index 18a11ba31e..0000000000
--- a/src/util/gss-kernel-lib/t_kgss.py
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/python
-
-# Copyright (C) 2011 by the Massachusetts Institute of Technology.
-# All rights reserved.
-#
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. Furthermore if you modify this software you must label
-# your software as modified software and not distribute it in such a
-# fashion that it might be confused with the original M.I.T. software.
-# M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-
-from k5test import *
-
-# Test krb5 negotiation under SPNEGO for all enctype configurations.
-for realm in multipass_realms():
- realm.run(['./t_kgss_user', realm.host_princ])
-
-success('Kernel GSSAPI subset tests')
diff --git a/src/util/gss-kernel-lib/t_kgss_common.c b/src/util/gss-kernel-lib/t_kgss_common.c
deleted file mode 100644
index 49123c6629..0000000000
--- a/src/util/gss-kernel-lib/t_kgss_common.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss_common.c - Common functions for tests */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-#include "k5-int.h"
-#include
-#include
-#include "t_kgss_common.h"
-
-/* Write len bytes of data to fd, aborting on failure. */
-void
-rewrite(int fd, const void *data, size_t len)
-{
- ssize_t r;
-
- while (len > 0) {
- r = write(fd, data, len);
- if (r == -1 && errno == EINTR)
- continue;
- assert(r > 0);
- data = (char *)data +r;
- len -= r;
- }
-}
-
-/* Read len bytes into buf from fd, aborting on failure. */
-void
-reread(int fd, void *buf, size_t len)
-{
- ssize_t r;
-
- while (len > 0) {
- r = read(fd, buf, len);
- if (r == -1 && errno == EINTR)
- continue;
- assert(r > 0);
- buf = (char *)buf + r;
- len -= r;
- }
-}
-
-/* Send a data packet to fd using a machine-dependent length/value encoding. */
-void
-send_data(int fd, const void *data, size_t len)
-{
- rewrite(fd, &len, sizeof(len));
- rewrite(fd, data, len);
-}
-
-/* Read a packet from fd into an allocated buffer. */
-void
-read_data(int fd, void **data_out, size_t *len_out)
-{
- size_t len;
- void *data;
-
- reread(fd, &len, sizeof(len));
- data = malloc(len);
- assert(data != NULL);
- reread(fd, data, len);
- *data_out = data;
- *len_out = len;
-}
-
-/*
- * Acknowledgements are used to make the parent and child processes operate in
- * lock-step. That way, if the child fails, the parent isn't several steps
- * ahead before it finds out.
- */
-
-void
-send_ack(int fd)
-{
- rewrite(fd, "ack", 3);
-}
-
-void
-read_ack(int fd)
-{
- char buf[3];
-
- reread(fd, buf, 3);
- assert(memcmp(buf, "ack", 3) == 0);
-}
diff --git a/src/util/gss-kernel-lib/t_kgss_common.h b/src/util/gss-kernel-lib/t_kgss_common.h
deleted file mode 100644
index edb38886aa..0000000000
--- a/src/util/gss-kernel-lib/t_kgss_common.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss_common.h - Common declarations for tests */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-void rewrite(int fd, const void *data, size_t len);
-void reread(int fd, void *buf, size_t len);
-void send_data(int fd, const void *data, size_t len);
-void read_data(int fd, void **data_out, size_t *len_out);
-void send_ack(int fd);
-void read_ack(int fd);
diff --git a/src/util/gss-kernel-lib/t_kgss_kernel.c b/src/util/gss-kernel-lib/t_kgss_kernel.c
deleted file mode 100644
index bc961eb50c..0000000000
--- a/src/util/gss-kernel-lib/t_kgss_kernel.c
+++ /dev/null
@@ -1,292 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss_kernel.c - Kernel portion of test program */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * This program links against libkgss.a and is run as a child process of
- * t_kgss_user. It receives an exported acceptor context from its parent and
- * then exchanges wrap, MIC, and IOV tokens with the parent.
- */
-
-#include "k5-int.h"
-#include
-#include "gssapi_krb5.h"
-#include "gssapiP_krb5.h"
-#include "kernel_gss.h"
-#include "t_kgss_common.h"
-
-/* If major represents an error, display an error message and exit. */
-static void
-check(OM_uint32 major, OM_uint32 minor, const char *fn)
-{
- if (!GSS_ERROR(major))
- return;
- fprintf(stderr, "t_kgss_kernel: %s: major %u, minor %u\n", fn, major,
- minor);
- /* libkgss doesn't have gss_display_status. */
- exit(1);
-}
-
-#define READ(p, f) (memcpy(&f, p, sizeof(f)), p += sizeof(f))
-
-/* Read fields from p into lkey and return the updated pointer. */
-static const unsigned char *
-read_lucid_key(const unsigned char *p, gss_krb5_lucid_key_t *lkey)
-{
- READ(p, lkey->type);
- READ(p, lkey->length);
- lkey->data = malloc(lkey->length);
- assert(lkey->data != NULL);
- memcpy(lkey->data, p, lkey->length);
- return p + lkey->length;
-}
-
-/* Read a data packet from stdin, unmarshal it into a lucid context, and import
- * the lucid context into a GSS-krb5 acceptor context. */
-static void
-read_lucid_context(gss_ctx_id_t *ctx_out)
-{
- void *data;
- size_t len;
- const unsigned char *p;
- gss_krb5_lucid_context_v1_t lctx;
- OM_uint32 major, minor;
-
- /* No length checking; totally unsafe outside of this test program. */
- read_data(STDIN_FILENO, &data, &len);
- p = data;
- READ(p, lctx.version);
- READ(p, lctx.initiate);
- READ(p, lctx.endtime);
- READ(p, lctx.send_seq);
- READ(p, lctx.recv_seq);
- READ(p, lctx.protocol);
- if (lctx.protocol == 0) {
- READ(p, lctx.rfc1964_kd.sign_alg);
- READ(p, lctx.rfc1964_kd.seal_alg);
- p = read_lucid_key(p, &lctx.rfc1964_kd.ctx_key);
- } else if (lctx.protocol == 1) {
- READ(p, lctx.cfx_kd.have_acceptor_subkey);
- p = read_lucid_key(p, &lctx.cfx_kd.ctx_key);
- if (lctx.cfx_kd.have_acceptor_subkey)
- p = read_lucid_key(p, &lctx.cfx_kd.acceptor_subkey);
- } else
- abort();
-
- major = krb5_gss_import_lucid_sec_context(&minor, &lctx, ctx_out);
- check(major, minor, "krb5_gss_import_lucid_sec_context");
-}
-
-/* Read a wrap token from stdin and verify that it says "userwrap". */
-static void
-read_wrap_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc wrapped, buf;
-
- read_data(STDIN_FILENO, &wrapped.value, &wrapped.length);
- major = krb5_gss_unwrap(&minor, ctx, &wrapped, &buf, NULL, NULL);
- check(major, minor, "krb5_gss_unwrap");
- assert(buf.length == 8 && memcmp(buf.value, "userwrap", 8) == 0);
- gssalloc_free(buf.value);
- free(wrapped.value);
-}
-
-/* Read a MIC token from stdin and verify that it is for "usermic". */
-static void
-read_mic_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc mic, buf;
-
- read_data(STDIN_FILENO, &mic.value, &mic.length);
- buf.value = "usermic";
- buf.length = 7;
- major = krb5_gss_verify_mic(&minor, ctx, &buf, &mic, NULL);
- check(major, minor, "krb5_gss_verify_mic");
- free(mic.value);
-}
-
-/* Read an IOV token from stdin and verify that it is for "userwrapmic" with
- * only the "wrap" part wrapped. */
-static void
-read_iov_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_iov_buffer_desc iov[6];
-
- /* Read in buffers and lay out the IOVs. */
- iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
- read_data(STDIN_FILENO, &iov[0].buffer.value, &iov[0].buffer.length);
- iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[1].buffer.value = "user";
- iov[1].buffer.length = 4;
- iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
- read_data(STDIN_FILENO, &iov[2].buffer.value, &iov[2].buffer.length);
- iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[3].buffer.value = "mic";
- iov[3].buffer.length = 3;
- iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING;
- read_data(STDIN_FILENO, &iov[4].buffer.value, &iov[4].buffer.length);
- iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- read_data(STDIN_FILENO, &iov[5].buffer.value, &iov[5].buffer.length);
-
- /* Unwrap and check the data contents. */
- major = krb5_gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 6);
- check(major, minor, "gss_unwrap_iov");
- assert(iov[2].buffer.length == 4);
- assert(memcmp(iov[2].buffer.value, "wrap", 4) == 0);
-
- free(iov[0].buffer.value);
- free(iov[2].buffer.value);
- free(iov[4].buffer.value);
- free(iov[5].buffer.value);
-}
-
-/* Create a wrap token for the text "kernelwrap" and send it to stdout. */
-static void
-send_wrap_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, wrapped;
-
- buf.value = "kernelwrap";
- buf.length = 10;
- major = krb5_gss_wrap(&minor, ctx, 1, GSS_C_QOP_DEFAULT, &buf, NULL,
- &wrapped);
- check(major, minor, "krb5_gss_wrap");
- send_data(STDOUT_FILENO, wrapped.value, wrapped.length);
- gssalloc_free(wrapped.value);
-}
-
-/* Create a wrap token for the text "kernelmic" and send it to stdout. */
-static void
-send_mic_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, mic;
-
- buf.value = "kernelmic";
- buf.length = 9;
- major = krb5_gss_get_mic(&minor, ctx, GSS_C_QOP_DEFAULT, &buf, &mic);
- check(major, minor, "krb5_gss_get_mic");
- send_data(STDOUT_FILENO, mic.value, mic.length);
- gssalloc_free(mic.value);
-}
-
-/* Create an IOV token for "kernelwrapmic", wrapping only the "wrap" part, and
- * send the header/data/padding/trailer buffers to stdout. */
-static void
-send_iov_token(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
- gss_iov_buffer_desc iov[6];
- char *buf, *p;
-
- /* Lay out skeleton IOVs and compute header, padding, trailer lengths. */
- iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
- iov[0].buffer.value = NULL;
- iov[0].buffer.length = 0;
- iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[1].buffer.value = "kernel";
- iov[1].buffer.length = 6;
- iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
- iov[2].buffer.value = "wrap";
- iov[2].buffer.length = 4;
- iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[3].buffer.value = "mic";
- iov[3].buffer.length = 3;
- iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING;
- iov[4].buffer.value = NULL;
- iov[4].buffer.length = 0;
- iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- iov[5].buffer.value = NULL;
- iov[5].buffer.length = 0;
- major = krb5_gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
- iov, 6);
- check(major, minor, "krb5_gss_wrap_iov_length");
-
- /* Create a payload and set header/data/padding/trailer IOV pointers. */
- buf = malloc(iov[0].buffer.length + iov[2].buffer.length +
- iov[4].buffer.length + iov[5].buffer.length);
- assert(buf != NULL);
- p = buf;
- iov[0].buffer.value = p;
- p += iov[0].buffer.length;
- memcpy(p, "wrap", 4);
- iov[2].buffer.value = p;
- p += iov[2].buffer.length;
- iov[4].buffer.value = p;
- p += iov[4].buffer.length;
- iov[5].buffer.value = p;
-
- /* Wrap the payload and send it to fd in chunks. */
- major = krb5_gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 6);
- check(major, minor, "gss_wrap_iov");
- send_data(STDOUT_FILENO, iov[0].buffer.value, iov[0].buffer.length);
- send_data(STDOUT_FILENO, iov[2].buffer.value, iov[2].buffer.length);
- send_data(STDOUT_FILENO, iov[4].buffer.value, iov[4].buffer.length);
- send_data(STDOUT_FILENO, iov[5].buffer.value, iov[5].buffer.length);
- free(buf);
-}
-
-/* Delete the krb5 security context ctx. */
-static void
-cleanup_context(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
-
- major = krb5_gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
- check(major, minor, "gss_delete_sec_context");
-}
-
-int
-main(int argc, char **argv)
-{
- gss_ctx_id_t acceptor;
- int dummy;
-
- /* Make the PRNG work since we're not using krb5_init_context. */
- krb5_c_random_os_entropy(NULL, 0, &dummy);
-
- read_lucid_context(&acceptor);
- send_ack(STDOUT_FILENO);
- read_wrap_token(acceptor);
- send_ack(STDOUT_FILENO);
- read_mic_token(acceptor);
- send_ack(STDOUT_FILENO);
- read_iov_token(acceptor);
- send_ack(STDOUT_FILENO);
-
- send_wrap_token(acceptor);
- read_ack(STDIN_FILENO);
- send_mic_token(acceptor);
- read_ack(STDIN_FILENO);
- send_iov_token(acceptor);
- read_ack(STDIN_FILENO);
-
- cleanup_context(acceptor);
- return 0;
-}
diff --git a/src/util/gss-kernel-lib/t_kgss_user.c b/src/util/gss-kernel-lib/t_kgss_user.c
deleted file mode 100644
index 8c67b5dcb1..0000000000
--- a/src/util/gss-kernel-lib/t_kgss_user.c
+++ /dev/null
@@ -1,400 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* util/gss-kernel-lib/t_kgss_user.c - Userspace portion of test program */
-/*
- * Copyright (C) 2011 by the Massachusetts Institute of Technology.
- * All rights reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * This program is run from t_kgss.py. It establishes initiator and acceptor
- * contexts, then exports the acceptor context to a child program running
- * t_kgss_kernel, which is linked against libkgss.a. Wrap, MIC, and IOV tokens
- * are then exchanged with the child process to test the libkgss functionality.
- */
-
-#include "k5-int.h"
-#include
-#include
-#include
-#include
-#include "t_kgss_common.h"
-
-/* If major represents an error, display an error message and exit. */
-static void
-check(OM_uint32 major, OM_uint32 minor, const char *fn)
-{
- OM_uint32 msg_ctx, tmpmin;
- gss_buffer_desc msg;
-
- if (!GSS_ERROR(major))
- return;
- fprintf(stderr, "%s: major %u, minor %u\n", fn, major, minor);
- gss_display_status(&tmpmin, minor, GSS_C_MECH_CODE, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "%.*s\n", (int)msg.length, (char *)msg.value);
- exit(1);
-}
-
-/* Establish initiator and acceptor security krb5 contexts using default
- * initiator/acceptor creds and a target krb5 principal named tprinc. */
-static void
-establish_contexts(const char *tprinc, gss_ctx_id_t *initiator_out,
- gss_ctx_id_t *acceptor_out)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, itoken, rtoken;
- gss_name_t target_name;
- gss_ctx_id_t initiator = GSS_C_NO_CONTEXT, acceptor = GSS_C_NO_CONTEXT;
-
- /* Import the target principal. */
- buf.value = (void *)tprinc;
- buf.length = strlen(tprinc);
- major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME,
- &target_name);
- check(major, minor, "gss_import_name");
-
- /* Create initiator context and get initiator token. */
- itoken.value = NULL;
- itoken.length = 0;
- major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &initiator,
- target_name, (gss_OID)gss_mech_krb5,
- GSS_C_MUTUAL_FLAG, GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER,
- NULL, &itoken, NULL, NULL);
- check(major, minor, "gss_init_sec_context(1)");
- assert(major == GSS_S_CONTINUE_NEEDED);
-
- /* Create acceptor context and get response token. */
- rtoken.value = NULL;
- rtoken.length = 0;
- major = gss_accept_sec_context(&minor, &acceptor, GSS_C_NO_CREDENTIAL,
- &itoken, GSS_C_NO_CHANNEL_BINDINGS,
- NULL, NULL, &rtoken, NULL, NULL, NULL);
- check(major, minor, "gss_accept_sec_context");
- assert(major == GSS_S_COMPLETE);
-
- /* Complete initiator context using response token. */
- gss_release_buffer(&minor, &itoken);
- itoken.value = NULL;
- itoken.length = 0;
- major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &initiator,
- target_name, (gss_OID)gss_mech_krb5,
- GSS_C_MUTUAL_FLAG, GSS_C_INDEFINITE,
- GSS_C_NO_CHANNEL_BINDINGS, &rtoken,
- NULL, &itoken, NULL, NULL);
- check(major, minor, "gss_init_sec_context(2)");
- assert(major == GSS_S_COMPLETE);
- gss_release_buffer(&minor, &rtoken);
- gss_release_buffer(&minor, &itoken);
-
- *initiator_out = initiator;
- *acceptor_out = acceptor;
-}
-
-/* Start t_kgss_kernel in a child process with input and output pipes. */
-static void
-start_child(int *to_child_out, int *from_child_out, pid_t *pid_out)
-{
- pid_t pid;
- int stdin_pipe[2], stdout_pipe[2];
-
- assert(pipe(stdin_pipe) == 0);
- assert(pipe(stdout_pipe) == 0);
- pid = fork();
- if (pid == 0) {
- /* Child. */
- dup2(stdin_pipe[0], STDIN_FILENO);
- dup2(stdout_pipe[1], STDOUT_FILENO);
- close(stdin_pipe[0]);
- close(stdin_pipe[1]);
- close(stdout_pipe[0]);
- close(stdout_pipe[1]);
- execl("./t_kgss_kernel", "./t_kgss_kernel", (char *)NULL);
- _exit(1);
- }
- close(stdin_pipe[0]);
- close(stdout_pipe[1]);
- *to_child_out = stdin_pipe[1];
- *from_child_out = stdout_pipe[0];
- *pid_out = pid;
-}
-
-#define WRITE(b, d) k5_buf_add_len(b, (char *)&d, sizeof(d))
-
-/* Add the fields of lkey to bufp. */
-static void
-add_lucid_key(struct k5buf *bufp, const gss_krb5_lucid_key_t *lkey)
-{
- WRITE(bufp, lkey->type);
- WRITE(bufp, lkey->length);
- k5_buf_add_len(bufp, lkey->data, lkey->length);
-}
-
-/* Using a machine-dependent format, marshal the fields of lctx into an
- * allocated buffer. */
-static void
-marshal_lucid_context(const gss_krb5_lucid_context_v1_t *lctx,
- unsigned char **data_out, size_t *len_out)
-{
- struct k5buf buf;
-
- k5_buf_init_dynamic(&buf);
- WRITE(&buf, lctx->version);
- WRITE(&buf, lctx->initiate);
- WRITE(&buf, lctx->endtime);
- WRITE(&buf, lctx->send_seq);
- WRITE(&buf, lctx->recv_seq);
- WRITE(&buf, lctx->protocol);
- if (lctx->protocol == 0) {
- WRITE(&buf, lctx->rfc1964_kd.sign_alg);
- WRITE(&buf, lctx->rfc1964_kd.seal_alg);
- add_lucid_key(&buf, &lctx->rfc1964_kd.ctx_key);
- } else if (lctx->protocol == 1) {
- WRITE(&buf, lctx->cfx_kd.have_acceptor_subkey);
- add_lucid_key(&buf, &lctx->cfx_kd.ctx_key);
- if (lctx->cfx_kd.have_acceptor_subkey)
- add_lucid_key(&buf, &lctx->cfx_kd.acceptor_subkey);
- } else
- abort();
- assert(k5_buf_status(&buf) == 0);
- *data_out = buf.data;
- *len_out = buf.len;
-}
-
-/* Export ctx as a lucid context, marshal it, and write it to fd. */
-static void
-send_lucid_context(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- void *result;
- gss_krb5_lucid_context_v1_t *lctx;
- unsigned char *data;
- size_t len;
-
- major = gss_krb5_export_lucid_sec_context(&minor, &ctx, 1, &result);
- check(major, minor, "gss_krb5_export_lucid_sec_context");
- lctx = result;
- marshal_lucid_context(lctx, &data, &len);
- send_data(fd, data, len);
- free(data);
-}
-
-/* Create a GSS wrap token of the text "userwrap" and send it to fd. */
-static void
-send_wrap_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, wrapped;
-
- buf.value = "userwrap";
- buf.length = 8;
- major = gss_wrap(&minor, ctx, 1, GSS_C_QOP_DEFAULT, &buf, NULL, &wrapped);
- check(major, minor, "gss_wrap");
- send_data(fd, wrapped.value, wrapped.length);
- gss_release_buffer(&minor, &wrapped);
-}
-
-/* Create a MIC token for the text "usermic" and send it to fd. */
-static void
-send_mic_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_buffer_desc buf, mic;
-
- buf.value = "usermic";
- buf.length = 7;
- major = gss_get_mic(&minor, ctx, GSS_C_QOP_DEFAULT, &buf, &mic);
- check(major, minor, "gss_get_mic");
- send_data(fd, mic.value, mic.length);
- gss_release_buffer(&minor, &mic);
-}
-
-/* Create an IOV token for "userwrapmic", wrapping only the "wrap" part, and
- * send the header/data/padding/trailer buffers to fd. */
-static void
-send_iov_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_iov_buffer_desc iov[6];
- char *buf, *p;
-
- /* Lay out skeleton IOVs and compute header, padding, trailer lengths. */
- iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
- iov[0].buffer.value = NULL;
- iov[0].buffer.length = 0;
- iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[1].buffer.value = "user";
- iov[1].buffer.length = 4;
- iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
- iov[2].buffer.value = "wrap";
- iov[2].buffer.length = 4;
- iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[3].buffer.value = "mic";
- iov[3].buffer.length = 3;
- iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING;
- iov[4].buffer.value = NULL;
- iov[4].buffer.length = 0;
- iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- iov[5].buffer.value = NULL;
- iov[5].buffer.length = 0;
- major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
- iov, 6);
- check(major, minor, "gss_wrap_iov_length");
-
- /* Create a payload and set header/data/padding/trailer IOV pointers. */
- buf = malloc(iov[0].buffer.length + iov[2].buffer.length +
- iov[4].buffer.length + iov[5].buffer.length);
- assert(buf != NULL);
- p = buf;
- iov[0].buffer.value = p;
- p += iov[0].buffer.length;
- memcpy(p, "wrap", 4);
- iov[2].buffer.value = p;
- p += iov[2].buffer.length;
- iov[4].buffer.value = p;
- p += iov[4].buffer.length;
- iov[5].buffer.value = p;
-
- /* Wrap the payload and send it to fd in chunks. */
- major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 6);
- check(major, minor, "gss_wrap_iov");
- send_data(fd, iov[0].buffer.value, iov[0].buffer.length);
- send_data(fd, iov[2].buffer.value, iov[2].buffer.length);
- send_data(fd, iov[4].buffer.value, iov[4].buffer.length);
- send_data(fd, iov[5].buffer.value, iov[5].buffer.length);
- free(buf);
-}
-
-/* Read a wrap token from fd and verify that it says "kernelwrap". */
-static void
-read_wrap_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_buffer_desc wrapped, buf;
-
- read_data(fd, &wrapped.value, &wrapped.length);
- major = gss_unwrap(&minor, ctx, &wrapped, &buf, NULL, NULL);
- check(major, minor, "gss_unwrap");
- assert(buf.length == 10 && memcmp(buf.value, "kernelwrap", 10) == 0);
- gss_release_buffer(&minor, &buf);
- free(wrapped.value);
-}
-
-/* Read a MIC token from fd and verify that it was for "kernelmic". */
-static void
-read_mic_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_buffer_desc mic, buf;
-
- read_data(fd, &mic.value, &mic.length);
- buf.value = "kernelmic";
- buf.length = 9;
- major = gss_verify_mic(&minor, ctx, &buf, &mic, NULL);
- check(major, minor, "gss_verify_mic");
- free(mic.value);
-}
-
-/* Read an IOV token from fd and verify that it is for "kernelwrapmic" with
- * only the "wrap" part wrapped. */
-static void
-read_iov_token(gss_ctx_id_t ctx, int fd)
-{
- OM_uint32 major, minor;
- gss_iov_buffer_desc iov[6];
-
- /* Read in buffers and lay out the IOVs. */
- iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
- read_data(fd, &iov[0].buffer.value, &iov[0].buffer.length);
- iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[1].buffer.value = "kernel";
- iov[1].buffer.length = 6;
- iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
- read_data(fd, &iov[2].buffer.value, &iov[2].buffer.length);
- iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
- iov[3].buffer.value = "mic";
- iov[3].buffer.length = 3;
- iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING;
- read_data(fd, &iov[4].buffer.value, &iov[4].buffer.length);
- iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER;
- read_data(fd, &iov[5].buffer.value, &iov[5].buffer.length);
-
- /* Unwrap and check the data contents. */
- major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 6);
- check(major, minor, "gss_unwrap_iov");
- assert(iov[2].buffer.length == 4);
- assert(memcmp(iov[2].buffer.value, "wrap", 4) == 0);
-
- free(iov[0].buffer.value);
- free(iov[2].buffer.value);
- free(iov[4].buffer.value);
- free(iov[5].buffer.value);
-}
-
-/* Delete the security context ctx. */
-static void
-cleanup_context(gss_ctx_id_t ctx)
-{
- OM_uint32 major, minor;
-
- major = gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
- check(major, minor, "gss_delete_sec_context");
-}
-
-int
-main(int argc, char **argv)
-{
- gss_ctx_id_t initiator, acceptor;
- int to_child, from_child, status;
- pid_t child_pid;
-
- if (argc != 2) {
- fprintf(stderr, "Usage: %s target-princ\n", argv[0]);
- return 1;
- }
-
- establish_contexts(argv[1], &initiator, &acceptor);
- start_child(&to_child, &from_child, &child_pid);
-
- send_lucid_context(acceptor, to_child);
- read_ack(from_child);
- send_wrap_token(initiator, to_child);
- read_ack(from_child);
- send_mic_token(initiator, to_child);
- read_ack(from_child);
- send_iov_token(initiator, to_child);
- read_ack(from_child);
-
- read_wrap_token(initiator, from_child);
- send_ack(to_child);
- read_mic_token(initiator, from_child);
- send_ack(to_child);
- read_iov_token(initiator, from_child);
- send_ack(to_child);
-
- cleanup_context(initiator);
- close(to_child);
- close(from_child);
- assert(wait(&status) == child_pid);
- assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
- return 0;
-}