From b158a88fa4a175b7380507831d64c832d9bf2541 Mon Sep 17 00:00:00 2001 From: Anders Kaseorg Date: Sat, 3 May 2014 20:57:16 -0400 Subject: [PATCH 1/2] Remove Kerberos 4 configuration option Signed-off-by: Anders Kaseorg --- INSTALL | 16 ++-------------- configure.ac | 30 +----------------------------- lib/zephyr_tests.py | 2 +- lib/zephyr_tests.txt | 2 +- server/zephyrd.8.in | 6 ------ zephyr.pc.in | 2 +- 6 files changed, 6 insertions(+), 52 deletions(-) diff --git a/INSTALL b/INSTALL index 04f62fd6..b1577857 100644 --- a/INSTALL +++ b/INSTALL @@ -25,18 +25,6 @@ by adding the option "--with-krb5=KRBPREFIX" to the configure line, where KRBPREFIX/include and KRBPREFIX/lib are the directories you have the Kerberos libraries installed in. -If your site has a Kerberos 4 service, you can enable Kerberos 4 support -by adding the option "--with-krb4=KRBPREFIX" to the configure line, -where KRBPREFIX/include and KRBPREFIX/lib are the directories you -have the Kerberos libraries installed in. Note that this is -deprecated, and should only be enabled for transitions. - -If you build with both krb5 and krb4, you will get a client that only -knows how to authenticate with krb5 servers, but a server that can -understand authentication from both krb4 and krb5 clients. - -If you want/need a krb4 client, you have to build without krb5. - If you have a make which supports VPATH in a manner compatible with GNU make, you can build in a separate directory. Simply invoke the configure script from within the build directory and configure will 
@@ -52,12 +40,12 @@ to the configure line. If you have Hesiod and/or Kerberos installed such that you can't specify a single prefix for both include files and libraries, set the environment variables CPPFLAGS and LDFLAGS to include the relevant -directories, and just configure with "--with-krb4" and +directories, and just configure with "--with-krb5" and "--with-hesiod". For instance (for a csh-like shell): setenv CPPFLAGS "-I/opt/athena/include" setenv LDFLAGS "-I/opt/athena/arch/sparc/lib" - ./configure --with-hesiod --with-krb4 + ./configure --with-hesiod --with-krb5 make make install diff --git a/configure.ac b/configure.ac index dd0dc5aa..5a2b128f 100644 --- a/configure.ac +++ b/configure.ac @@ -114,34 +114,6 @@ AC_SUBST(LIBICONV) AC_CHECK_LIB(curses, tgetstr, [TLIB=-lcurses], [TLIB=-ltermcap]) AC_SUBST(TLIB) -AC_ARG_WITH(krb4, - [ --with-krb4=PREFIX Use Kerberos 4], - [krb4="$withval"], [krb4=no]) -if test "$krb4" != no; then - AC_CHECK_FUNC(gethostbyname, :, AC_CHECK_LIB(nsl, gethostbyname)) - AC_CHECK_FUNC(socket, :, AC_CHECK_LIB(socket, socket)) - AC_CHECK_LIB(gen, compile) - if test "$krb4" != yes; then - CPPFLAGS="$CPPFLAGS -I$krb4/include" - if test -d "$krb4/include/kerberosIV"; then - CPPFLAGS="$CPPFLAGS -I$krb4/include/kerberosIV" - fi - LDFLAGS="$LDFLAGS -L$krb4/lib" - fi - AC_CHECK_LIB(krb4, krb_rd_req, - [KRB4_LIBS="-lkrb4 -ldes425 -lkrb5 -lk5crypto -lcom_err"], - [AC_CHECK_LIB(des, des_quad_cksum, - [KRB4_DES_LIBS="-ldes"],,,) - AC_CHECK_LIB(krb, krb_rd_req, - [KRB4_LIBS="-lkrb $KRB4_DES_LIBS"], - [AC_MSG_ERROR(Kerberos 4 libraries not found)], - $KRB4_DES_LIBS)], - -ldes425 -lkrb5 -lk5crypto -lcom_err) - AC_DEFINE(HAVE_KRB4, 1, [Define to compile with Kerberos support.]) - LIBZEPHYR_LIBS="$LIBZEPHYR_LIBS $KRB4_LIBS" -fi -AC_SUBST(KRB4_LIBS) - AC_ARG_WITH(krb5, [ --with-krb5=PREFIX Use Kerberos 5], [krb5="$withval"], [krb5=no]) 
@@ -249,7 +221,7 @@ fi AC_SUBST(SS_LIBS) AC_SUBST(SS_OBJS) -LIBS="$KRB5_LIBS $KRB4_LIBS $LIBS" +LIBS="$KRB5_LIBS $LIBS" dnl Checks for library functions. #XXX more looking for res_send diff --git a/lib/zephyr_tests.py b/lib/zephyr_tests.py index d8a0aca2..8ef118cd 100755 --- a/lib/zephyr_tests.py +++ b/lib/zephyr_tests.py @@ -133,7 +133,7 @@ def test_z_compare_uid(self): def test_zauthtype(self): """Make sure Zauthtype is an acceptable value""" - assert self._libzephyr.Zauthtype in (0, 4, 5) + assert self._libzephyr.Zauthtype in (0, 5) def test_z_expand_realm(self): """test ZExpandRealm""" diff --git a/lib/zephyr_tests.txt b/lib/zephyr_tests.txt index 7e66dbc6..d389c081 100644 --- a/lib/zephyr_tests.txt +++ b/lib/zephyr_tests.txt @@ -25,7 +25,7 @@ actually got set up: >>> assert _z.ZGetFD() == -1 >>> Zauthtype = _z.Zauthtype - >>> assert Zauthtype in (0, 4, 5) + >>> assert Zauthtype in (0, 5) >>> realm = _z.ZGetRealm() >>> assert realm >>> if Zauthtype: assert realm != 'local-realm' diff --git a/server/zephyrd.8.in b/server/zephyrd.8.in index eef97809..a65922fd 100644 --- a/server/zephyrd.8.in +++ b/server/zephyrd.8.in @@ -94,15 +94,9 @@ Access Control Lists for subscribing .I @sysconfdir@/zephyr/acl/xmt-*.acl: Access Control Lists for transmitting .TP -.I @sysconfdir@/zephyr/srvtab: -Kerberos 4 Service keys -.TP .I @sysconfdir@/zephyr/krb5.keytab: Kerberos V Service keys .TP -.I /var/run/zephyrd.tkt4: -Current Kerberos 4 tickets for exchange with other servers -.TP .I /var/run/zephyrd.tkt: Current Kerberos 5 tickets for exchange with other servers .TP diff --git a/zephyr.pc.in b/zephyr.pc.in index 00782f4c..526c4d20 100644 --- a/zephyr.pc.in +++ b/zephyr.pc.in @@ -8,5 +8,5 @@ Description: Project Athena's notification service Version: @PACKAGE_VERSION@ Requires: Libs: -L${libdir} -l@PACKAGE_NAME@ -Libs.private: @HESIOD_LIBS@ @KRB4_LIBS@ @KRB5_LIBS@ @REGEX_LIBS@ +Libs.private: @HESIOD_LIBS@ @KRB5_LIBS@ @REGEX_LIBS@ Cflags: -I${includedir} 
From bb2d0df7efb47a1fb54ca919329c4dbdf4ea8ff8 Mon Sep 17 00:00:00 2001 From: Anders Kaseorg Date: Sat, 3 May 2014 21:48:36 -0400 Subject: [PATCH 2/2] Remove HAVE_KRB4 code Signed-off-by: Anders Kaseorg --- clients/zshutdown_notify/zshutdown_notify.c | 40 ---- h/internal.h | 8 - h/sysdep.h | 11 - lib/ZCkAuth.c | 30 --- lib/ZExpnRlm.c | 54 ----- lib/ZFmtAuth.c | 61 ------ lib/ZGetSender.c | 15 -- lib/ZInit.c | 28 --- lib/ZMkAuth.c | 55 ----- server/bdump.c | 214 +++----------------- server/client.c | 4 - server/dispatch.c | 12 +- server/global.c | 11 - server/kstuff.c | 181 +---------------- server/main.c | 41 +--- server/realm.c | 12 +- server/subscr.c | 35 +--- server/zserver.h | 31 +-- server/zsrv_conf.h | 4 - 19 files changed, 38 insertions(+), 809 deletions(-) diff --git a/clients/zshutdown_notify/zshutdown_notify.c b/clients/zshutdown_notify/zshutdown_notify.c index 2f51cc05..e548da4c 100644 --- a/clients/zshutdown_notify/zshutdown_notify.c +++ b/clients/zshutdown_notify/zshutdown_notify.c @@ -30,10 +30,6 @@ static const char rcsid_zshutdown_notify_c[] = #define N_DEF_FORMAT "From $sender:\n@bold(Shutdown message from $1 at $time)\n@center(System going down, message is:)\n\n$2\n\n@center(@bold($3))" #define N_FIELD_CNT 3 -#ifdef HAVE_KRB4 -#define SVC_NAME "rcmd" -#endif - /* * Standard warning strings appended as extra fields to * the message body. @@ -53,12 +49,6 @@ main(int argc, char msgbuff[BUFSIZ], message[Z_MAXPKTLEN], *ptr; char scratch[BUFSIZ]; char *msg[N_FIELD_CNT]; -#ifdef HAVE_KRB4 - char tkt_filename[MAXPATHLEN]; - char rlm[REALM_SZ]; - char hn2[NS_MAXDNAME]; - char *cp; -#endif if (gethostname(hostname, sizeof(hostname)) < 0) { com_err(argv[0], errno, "while finding hostname"); 
@@ -73,33 +63,6 @@ main(int argc, sprintf(scratch, warning, hostname); msg[2] = scratch; -#ifdef HAVE_KRB4 - (void) sprintf(tkt_filename, "/tmp/tkt_zshut_%d", getpid()); - krb_set_tkt_string(tkt_filename); - - cp = krb_get_phost(hostname); - if (cp) - (void) strcpy(hn2, cp); - else { - fprintf(stderr, "%s: can't figure out canonical hostname\n",argv[0]); - exit(1); - } - retval = krb_get_lrealm(rlm, 1); - if (retval) { - fprintf(stderr, "%s: can't get local realm: %s\n", - argv[0], krb_get_err_text(retval)); - exit(1); - } - retval = krb_get_svc_in_tkt(SVC_NAME, hn2, rlm, - SERVER_SERVICE, SERVER_INSTANCE, 1, - (char *)KEYFILE); - if (retval) { - fprintf(stderr, "%s: can't get tickets: %s\n", - argv[0], krb_get_err_text(retval)); - exit(1); - } -#endif - if ((retval = ZInitialize()) != ZERR_NONE) { com_err(argv[0], retval, "while initializing"); exit(1); @@ -131,9 +94,6 @@ main(int argc, notice.z_default_format = N_DEF_FORMAT; retval = ZSendList(¬ice, msg, N_FIELD_CNT, ZAUTH); -#ifdef HAVE_KRB4 - (void) dest_tkt(); -#endif if (retval != ZERR_NONE) { com_err(argv[0], retval, "while sending notice"); diff --git a/h/internal.h b/h/internal.h index b6e68048..da872e83 100644 --- a/h/internal.h +++ b/h/internal.h @@ -6,11 +6,6 @@ #include #include -#ifdef HAVE_KRB4 -#include -#include -#endif - #ifdef HAVE_KRB5 #include #endif @@ -181,9 +176,6 @@ unsigned long z_quad_cksum(const unsigned char *, uint32_t *, long, int, unsigned char *); Code_t ZFormatAuthenticNoticeV5(ZNotice_t*, char*, int, int*, krb5_keyblock *); #endif -#ifdef HAVE_KRB4 -Code_t ZFormatAuthenticNotice(ZNotice_t*, char*, int, int*, C_Block); -#endif #ifdef HAVE_KRB5_CREDS_KEYBLOCK_ENCTYPE #define Z_keydata(keyblock) ((keyblock)->contents) diff --git a/h/sysdep.h b/h/sysdep.h index 368ba5a6..b6e486cd 100644 --- a/h/sysdep.h +++ b/h/sysdep.h 
@@ -159,17 +159,6 @@ ZEPHYR_INT32 gethostid(); #include /* Kerberos compatibility. */ -#ifdef HAVE_KRB4 -# include -# include -# include -# ifndef HAVE_KRB_GET_ERR_TEXT -# define krb_get_err_text(n) krb_err_txt[n] -# endif -# ifndef HAVE_KRB_LOG -# define krb_log log -# endif -#endif #ifdef HAVE_SYS_UTSNAME_H # include diff --git a/lib/ZCkAuth.c b/lib/ZCkAuth.c index ea024a90..9b0da7ad 100644 --- a/lib/ZCkAuth.c +++ b/lib/ZCkAuth.c @@ -33,35 +33,5 @@ Code_t ZCheckAuthentication(ZNotice_t *notice, struct sockaddr_in *from) { -#if defined(HAVE_KRB4) && !defined(HAVE_KRB5) - int result; - ZChecksum_t our_checksum; - C_Block *session; - CREDENTIALS cred; - - /* If the value is already known, return it. */ - if (notice->z_checked_auth != ZAUTH_UNSET) - return (notice->z_checked_auth); - - if (!notice->z_auth) - return (ZAUTH_NO); - - if ((result = krb_get_cred(SERVER_SERVICE, SERVER_INSTANCE, - __Zephyr_realm, &cred)) != 0) - return (ZAUTH_NO); - - session = (C_Block *)cred.session; - - our_checksum = des_quad_cksum((unsigned char *)notice->z_packet, - NULL, - notice->z_default_format+ - strlen(notice->z_default_format) + 1 - - notice->z_packet, - 0, session); - - /* if mismatched checksum, then the packet was corrupted */ - return ((our_checksum == notice->z_checksum) ? ZAUTH_YES : ZAUTH_FAILED); -#else return ZCheckZcodeAuthentication(notice, from); -#endif } diff --git a/lib/ZExpnRlm.c b/lib/ZExpnRlm.c index 6f904b65..ae64f3b0 100644 --- a/lib/ZExpnRlm.c +++ b/lib/ZExpnRlm.c @@ -26,7 +26,6 @@ ZExpandRealm(char *realm) result = krb5_free_host_realm(Z_krb5_ctx, list_realms); return expand; #else -#ifndef HAVE_KRB4 struct hostent *he; he = gethostbyname(realm); 
@@ -44,58 +43,5 @@ ZExpandRealm(char *realm) *cp1 = '\0'; return(expand); -#else - int retval; - FILE *rlm_file; - char krb_host[NS_MAXDNAME + 1]; - static char krb_realm[REALM_SZ+1]; - char linebuf[BUFSIZ]; - char scratch[64]; - -/* upcase what we got */ - cp2 = realm; - cp1 = expand; - while (*cp2) { - *cp1++ = toupper(*cp2++); - } - *cp1 = '\0'; - - if ((rlm_file = fopen("/etc/krb.conf", "r")) == (FILE *) 0) { - return(expand); - } - - if (fgets(linebuf, BUFSIZ, rlm_file) == NULL) { - /* error reading */ - (void) fclose(rlm_file); - return(expand); - } - - if (sscanf(linebuf, "%s", krb_realm) < 1) { - /* error reading */ - (void) fclose(rlm_file); - return(expand); - } - - if (!strncmp(krb_realm, expand, strlen(expand))) { - (void) fclose(rlm_file); - return(krb_realm); - } - - while (1) { - /* run through the file, looking for admin host */ - if (fgets(linebuf, BUFSIZ, rlm_file) == NULL) { - (void) fclose(rlm_file); - return(expand); - } - - if (sscanf(linebuf, "%s %s admin %s", krb_realm, krb_host, scratch) - < 2) - continue; - if (!strncmp(krb_realm, expand, strlen(expand))) { - (void) fclose(rlm_file); - return(krb_realm); - } - } -#endif /* HAVE_KRB4 */ #endif } diff --git a/lib/ZFmtAuth.c b/lib/ZFmtAuth.c index f658f7c3..06c913e5 100644 --- a/lib/ZFmtAuth.c +++ b/lib/ZFmtAuth.c 
@@ -16,50 +16,6 @@ static const char rcsid_ZFormatAuthenticNotice_c[] = "$Id$"; #include -#ifdef HAVE_KRB4 -Code_t -ZFormatAuthenticNotice(ZNotice_t *notice, - char *buffer, - int buffer_len, - int *len, - C_Block session) -{ - ZNotice_t newnotice; - char *ptr; - int retval, hdrlen; - - newnotice = *notice; - newnotice.z_auth = 1; - newnotice.z_authent_len = 0; - newnotice.z_ascii_authent = ""; - - if ((retval = Z_FormatRawHeader(&newnotice, buffer, buffer_len, - &hdrlen, &ptr, NULL)) != ZERR_NONE) - return (retval); - - newnotice.z_checksum = - (ZChecksum_t)des_quad_cksum((void *)buffer, NULL, ptr - buffer, 0, (C_Block *)session); - - if ((retval = Z_FormatRawHeader(&newnotice, buffer, buffer_len, - &hdrlen, NULL, NULL)) != ZERR_NONE) - return (retval); - - ptr = buffer+hdrlen; - - if (newnotice.z_message_len+hdrlen > buffer_len) - return (ZERR_PKTLEN); - - (void) memcpy(ptr, newnotice.z_message, newnotice.z_message_len); - - *len = hdrlen+newnotice.z_message_len; - - if (*len > Z_MAXPKTLEN) - return (ZERR_PKTLEN); - - return (ZERR_NONE); -} -#endif - #ifdef HAVE_KRB5 Code_t ZFormatAuthenticNoticeV5(ZNotice_t *notice, @@ -73,30 +29,13 @@ ZFormatAuthenticNoticeV5(ZNotice_t *notice, int retval, hdrlen, hdr_adj; krb5_enctype enctype; krb5_cksumtype cksumtype; -#ifdef HAVE_KRB4 - int key_len; -#endif char *cksum_start, *cstart, *cend; int cksum_len; -#ifdef HAVE_KRB4 - key_len = Z_keylen(keyblock); -#endif retval = Z_ExtractEncCksum(keyblock, &enctype, &cksumtype); if (retval) return (ZAUTH_FAILED); -#ifdef HAVE_KRB4 - if (key_len == 8 && (enctype == (krb5_enctype)ENCTYPE_DES_CBC_CRC || - enctype == (krb5_enctype)ENCTYPE_DES_CBC_MD4 || - enctype == (krb5_enctype)ENCTYPE_DES_CBC_MD5)) { - C_Block tmp; - memcpy(&tmp, Z_keydata(keyblock), key_len); - return ZFormatAuthenticNotice(notice, buffer, buffer_len, len, - tmp); - } -#endif - newnotice = *notice; newnotice.z_auth = 1; newnotice.z_authent_len = 0; 
diff --git a/lib/ZGetSender.c b/lib/ZGetSender.c index 7f0ab237..c8afdbe3 100644 --- a/lib/ZGetSender.c +++ b/lib/ZGetSender.c @@ -29,10 +29,6 @@ ZGetSender(void) krb5_principal principal; char *prname; int result; -#else -#ifdef HAVE_KRB4 - char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; -#endif #endif /* Return it if already cached */ @@ -52,17 +48,6 @@ ZGetSender(void) } krb5_cc_close(Z_krb5_ctx, ccache); } -#else -#ifdef HAVE_KRB4 - if (krb_get_tf_fullname((char *)TKT_FILE, pname, pinst, prealm) == KSUCCESS) - { - sender = malloc(ANAME_SZ+INST_SZ+REALM_SZ+3); - if (sender) - (void) sprintf(sender, "%s%s%s@%s", pname, (pinst[0]?".":""), - pinst, prealm); - return (sender); - } -#endif #endif /* XXX a uid_t is a u_short (now), but getpwuid diff --git a/lib/ZInit.c b/lib/ZInit.c index abaa2a4f..cddeb2a6 100644 --- a/lib/ZInit.c +++ b/lib/ZInit.c @@ -18,9 +18,6 @@ static const char rcsid_ZInitialize_c[] = #include #include -#ifdef HAVE_KRB4 -#include -#endif #ifdef HAVE_KRB5 #include #endif @@ -37,8 +34,6 @@ static int z_get_host_realm_replacement(char *, char ***); #if defined(HAVE_KRB5) int Zauthtype = 5; -#elif defined(HAVE_KRB4) -int Zauthtype = 4; #else int Zauthtype = 0; #endif @@ -57,20 +52,11 @@ ZInitialize(void) ZNotice_t notice; #ifdef HAVE_KRB5 char **krealms = NULL; -#else -#ifdef HAVE_KRB4 - char *krealm = NULL; - int krbval; - char d1[ANAME_SZ], d2[INST_SZ]; -#endif #endif /* On OS X you don't need to initialize the Kerberos error tables as long as you link with -framework Kerberos */ #if !(defined(__APPLE__) && defined(__MACH__)) -#ifdef HAVE_KRB4 - initialize_krb_error_table(); -#endif #ifdef HAVE_KRB5 initialize_krb5_error_table(); #endif @@ -134,10 +120,6 @@ ZInitialize(void) #else code = z_get_host_realm_replacement(notice.z_message, &krealms); #endif -#else -#ifdef HAVE_KRB4 - krealm = krb_realmofhost(notice.z_message); -#endif #endif hostent = gethostbyname(notice.z_message); if (hostent && hostent->h_addrtype == AF_INET) 
@@ -163,18 +145,8 @@ ZInitialize(void) free(p); #endif } -#else -#ifdef HAVE_KRB4 - if (krealm) { - strcpy(__Zephyr_realm, krealm); - } else if ((krb_get_tf_fullname(TKT_FILE, d1, d2, __Zephyr_realm) - != KSUCCESS) && - ((krbval = krb_get_lrealm(__Zephyr_realm, 1)) != KSUCCESS)) { - return (krbval); - } #else strcpy(__Zephyr_realm, "local-realm"); -#endif #endif __My_addr.s_addr = INADDR_NONE; diff --git a/lib/ZMkAuth.c b/lib/ZMkAuth.c index 63605f49..b46b2f45 100644 --- a/lib/ZMkAuth.c +++ b/lib/ZMkAuth.c @@ -16,10 +16,6 @@ static const char rcsid_ZMakeAuthentication_c[] = "$Id$"; #endif -#ifdef HAVE_KRB4 -#include -#endif - #if defined(HAVE_KRB5) && !HAVE_KRB5_FREE_DATA #define krb5_free_data(ctx, dat) free((dat)->data) #endif 
@@ -38,56 +34,6 @@ ZMakeAuthentication(register ZNotice_t *notice, { #ifdef HAVE_KRB5 return ZMakeZcodeAuthentication(notice, buffer, buffer_len, len/*?XXX*/); -#else -#ifdef HAVE_KRB4 - int result; - KTEXT_ST authent; - char *cstart, *cend; - ZChecksum_t checksum; - CREDENTIALS cred; - C_Block *session; - - result = krb_mk_req(&authent, SERVER_SERVICE, - SERVER_INSTANCE, __Zephyr_realm, 0); - if (result != MK_AP_OK) - return (result+krb_err_base); - result = krb_get_cred(SERVER_SERVICE, SERVER_INSTANCE, - __Zephyr_realm, &cred); - if (result != KSUCCESS) - return (result+krb_err_base); - - session = (C_Block *)cred.session; - - notice->z_auth = 1; - notice->z_authent_len = authent.length; - notice->z_ascii_authent = (char *)malloc((unsigned)authent.length*3); - /* zero length authent is an error, so malloc(0) is not a problem */ - if (!notice->z_ascii_authent) - return (ENOMEM); - if ((result = ZMakeAscii(notice->z_ascii_authent, - authent.length*3, - authent.dat, - authent.length)) != ZERR_NONE) { - free(notice->z_ascii_authent); - return (result); - } - result = Z_FormatRawHeader(notice, buffer, buffer_len, len, &cstart, - &cend); - free(notice->z_ascii_authent); - notice->z_authent_len = 0; - if (result) - return(result); - - /* Compute a checksum over the header and message. */ - checksum = des_quad_cksum((unsigned char *)buffer, NULL, cstart - buffer, 0, session); - checksum ^= des_quad_cksum((unsigned char *)cend, NULL, buffer + *len - cend, 0, - session); - checksum ^= des_quad_cksum((unsigned char *)notice->z_message, NULL, notice->z_message_len, - 0, session); - notice->z_checksum = checksum; - ZMakeAscii32(cstart, buffer + buffer_len - cstart, checksum); - - return (ZERR_NONE); #else notice->z_checksum = 0; notice->z_auth = 1; @@ -95,7 +41,6 @@ ZMakeAuthentication(register ZNotice_t *notice, notice->z_ascii_authent = ""; return (Z_FormatRawHeader(notice, buffer, buffer_len, len, NULL, NULL)); #endif -#endif } Code_t 
diff --git a/server/bdump.c b/server/bdump.c index 344adcf4..a1368e3b 100644 --- a/server/bdump.c +++ b/server/bdump.c @@ -78,19 +78,7 @@ static long ticket5_time; #define tkt5_lifetime(val) (val) #endif -#ifdef HAVE_KRB4 -static long ticket_time; - -#define TKTLIFETIME 120 -#define tkt_lifetime(val) ((long) val * 5L * 60L) - -#endif /* HAVE_KRB4 */ - -#if defined(HAVE_KRB4) -extern C_Block serv_key; -extern Sched serv_ksched; -#endif -#if defined(HAVE_KRB5) && !defined(HAVE_KRB4) +#ifdef HAVE_KRB5 krb5_keyblock *server_key; #endif @@ -119,13 +107,13 @@ bdump_offer(struct sockaddr_in *who) { Code_t retval; char buf[512], *addr, *lyst[2]; -#if !defined(HAVE_KRB4) && !defined(HAVE_KRB5) +#ifndef HAVE_KRB5 int bdump_port = IPPORT_RESERVED - 1; -#endif /* !HAVE_KRB4 */ +#endif /* !HAVE_KRB5 */ zdbug((LOG_DEBUG, "bdump_offer")); -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 /* * when using kerberos server-server authentication, we can * use any random local address @@ -162,9 +150,9 @@ bdump_offer(struct sockaddr_in *who) return; } } -#else /* !HAVE_KRB4 */ +#else /* !HAVE_KRB5 */ /* - * when not using HAVE_KRB4, we can't use any old port, we use + * when not using HAVE_KRB5, we can't use any old port, we use * Internet reserved ports instead (rresvport) */ bdump_socket = rresvport(&bdump_port); @@ -177,7 +165,7 @@ bdump_offer(struct sockaddr_in *who) bdump_sin.sin_port = htons((unsigned short) bdump_port); bdump_sin.sin_addr = my_addr; bdump_sin.sin_family = AF_INET; -#endif /* HAVE_KRB4 */ +#endif /* HAVE_KRB5 */ listen(bdump_socket, 1); 
@@ -224,26 +212,20 @@ bdump_send(void) #ifdef _POSIX_VERSION struct sigaction action; #endif -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 char *data = NULL; int len = 0; int proto = 0; #endif -#ifdef HAVE_KRB4 - KTEXT_ST ticket; - AUTH_DAT kdata; - /* may be moved into kstuff.c */ - char instance [INST_SZ]; -#endif #ifdef HAVE_KRB5 /* may be moved into kstuff.c */ krb5_principal principal; krb5_data k5data; krb5_keytab kt; #endif -#if !defined(HAVE_KRB4) && !defined(HAVE_KRB5) +#ifndef HAVE_KRB5 unsigned short fromport; -#endif /* HAVE_KRB4 */ +#endif /* HAVE_KRB5 */ zdbug((LOG_DEBUG, "bdump_send")); @@ -257,7 +239,7 @@ bdump_send(void) sizeof(on)) < 0) syslog(LOG_WARNING, "bdump_send: setsockopt (SO_KEEPALIVE): %m"); -#if !defined(HAVE_KRB4) && !defined(HAVE_KRB5) +#ifndef HAVE_KRB5 fromport = ntohs(from.sin_port); #endif @@ -297,7 +279,7 @@ bdump_send(void) } /* Now begin the brain dump. */ -#if defined(HAVE_KRB5) || defined(HAVE_KRB4) +#ifdef HAVE_KRB5 retval = ReadKerberosData(live_socket, &len, &data, &proto); if (retval != 0) { 
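Review bot: The declarations at the top of bdump_send now sit in three back-to-back conditionals that all test the same macro: two `#ifdef HAVE_KRB5` blocks followed by `#ifndef HAVE_KRB5` around `fromport`. They read more easily as one `#ifdef HAVE_KRB5` block with an `#else /* !HAVE_KRB5 */` arm for `unsigned short fromport;` and a single `#endif /* HAVE_KRB5 */`. The same mechanical substitution leaves bdump_get_v12 (hunks at -511 and -519) with an `#ifdef HAVE_KRB5` nested directly inside an identical `#ifdef HAVE_KRB5`, where the inner pair can simply be dropped. The closing comments are also inconsistent: an `#ifndef` block ends with `#endif /* !HAVE_KRB5 */` in bdump_offer but with `#endif /* HAVE_KRB5 */` here.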
@@ -404,54 +386,14 @@ bdump_send(void) krb5_free_data_contents(Z_krb5_ctx, &k5data); break; #endif /* HAVE_KRB5 */ -#ifdef HAVE_KRB4 - case 4: - bdump_auth_proc = Z_FormatAuthHeaderWithASCIIAddress; - /* here to krb_rd_req from GetKerberosData candidate for refactoring - back into kstuff.c */ - (void) strcpy(instance, "*"); /* let Kerberos fill it in */ - - ticket.length = len; - memcpy(&ticket.dat, data, MIN(len, (int)sizeof(ticket.dat))); - retval = krb_rd_req(&ticket, SERVER_SERVICE, instance, - from.sin_addr.s_addr, &kdata, srvtab_file); - /* - retval = GetKerberosData(live_socket, from.sin_addr, &kdata, - SERVER_SERVICE, srvtab_file); - */ - if (retval != KSUCCESS) { - syslog(LOG_ERR, "bdump_send: getkdata: %s", - error_message(retval)); - cleanup(server); - return; - } - if (strcmp(kdata.pname, SERVER_SERVICE) || - strcmp(kdata.pinst, SERVER_INSTANCE) || - strcmp(kdata.prealm, ZGetRealm())) { - syslog(LOG_ERR, "bdump_send: peer not zephyr: %s.%s@%s", - kdata.pname, kdata.pinst, kdata.prealm); - cleanup(server); - return; - } - /* authenticate back */ - retval = SendKerberosData(live_socket, &ticket, SERVER_SERVICE, - SERVER_INSTANCE); - if (retval != 0) { - syslog(LOG_ERR,"bdump_send: SendKerberosData: %s", - error_message (retval)); - cleanup(server); - return; - } - break; -#endif /* HAVE_KRB4 */ } -#else /* HAVE_KRB4 || HAVE_KRB5 */ +#else /* HAVE_KRB5 */ if (fromport > IPPORT_RESERVED || fromport < IPPORT_RESERVED / 2) { syslog(LOG_ERR, "bdump_send: bad port from peer: %d", fromport); cleanup(server); return; } -#endif /* HAVE_KRB4 || HAVE_KRB5 */ +#endif /* HAVE_KRB5 */ retval = setup_file_pointers(); if (retval != 0) { syslog (LOG_WARNING, "bdump_send: can't set up file pointers: %s", @@ -511,7 +453,7 @@ bdump_get_v12 (ZNotice_t *notice, #ifdef _POSIX_VERSION struct sigaction action; #endif -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 #ifdef HAVE_KRB5 krb5_creds creds; krb5_creds *credsp; 
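Review bot: Once `case 4:` is removed, the `switch` that closes right after `#endif /* HAVE_KRB5 */` in bdump_send has `case 5:` as its only visible arm. If ReadKerberosData reports any other `proto`, control would skip the whole authentication block and continue to `setup_file_pointers()` as if the peer had been verified. The head of the switch is above this hunk, so this holds only if no `default:` exists there; if none does, add one that logs and aborts the dump. bdump_get_v12 has the same shape in the hunk at -709, where the added arm would log under `bdump_get`.

```c
	/* … unchanged: case 5 mutual authentication … */
#endif /* HAVE_KRB5 */
    default:
	/* Refuse a peer that asks for an authentication protocol this build lacks. */
	syslog(LOG_ERR, "bdump_send: unsupported auth protocol %d", proto);
	cleanup(server);
	return;
    }
```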
@@ -519,13 +461,9 @@ bdump_get_v12 (ZNotice_t *notice, krb5_data data; krb5_ap_rep_enc_part *rep; #endif -#ifdef HAVE_KRB4 - KTEXT_ST ticket; - AUTH_DAT kdata; -#endif -#else /* !HAVE_KRB4 && !HAVE_KRB5 */ +#else /* !HAVE_KRB5 */ int reserved_port = IPPORT_RESERVED - 1; -#endif /* !HAVE_KRB4 && !HAVE_KRB5 */ +#endif /* !HAVE_KRB5 */ bdumping = 1; server->dumping = 1; @@ -566,7 +504,7 @@ bdump_get_v12 (ZNotice_t *notice, server->dumping = 0; return; } -#if !defined(HAVE_KRB4) && !defined(HAVE_KRB5) +#ifndef HAVE_KRB5 if (ntohs(from.sin_port) > IPPORT_RESERVED || ntohs(from.sin_port) < IPPORT_RESERVED / 2) { syslog(LOG_ERR, "bdump_get: port not reserved: %d", @@ -575,9 +513,9 @@ bdump_get_v12 (ZNotice_t *notice, return; } live_socket = rresvport(&reserved_port); -#else /* !HAVE_KRB4 && !HAVE_KRB5 */ +#else /* !HAVE_KRB5 */ live_socket = socket(AF_INET, SOCK_STREAM, 0); -#endif /* !HAVE_KRB4 && !HAVE_KRB5 */ +#endif /* !HAVE_KRB5 */ if (live_socket < 0) { syslog(LOG_ERR, "bdump_get: socket: %m"); cleanup(server); @@ -595,7 +533,7 @@ bdump_get_v12 (ZNotice_t *notice, zdbug((LOG_DEBUG, "bdump_get: connected")); /* Now begin the brain dump. */ -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 if (get_tgt()) { syslog(LOG_ERR, "bdump_get: get_tgt failed"); cleanup(server); 
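Review bot: In the `#ifndef HAVE_KRB5` branch of bdump_get_v12 (hunk at -566), the test `ntohs(from.sin_port) > IPPORT_RESERVED` accepts a peer whose port equals IPPORT_RESERVED. That value is the first port an unprivileged process can bind, so the comparison should be `>=`: `if (ntohs(from.sin_port) >= IPPORT_RESERVED ||`. bdump_send has the same off-by-one in `if (fromport > IPPORT_RESERVED || fromport < IPPORT_RESERVED / 2)` (hunk at -404). With the Kerberos 4 path removed, this port range is the only check on the peer in a build without krb5. A short comment should say that it trusts the peer's address and the privileged-port convention rather than any key.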
@@ -709,40 +647,8 @@ bdump_get_v12 (ZNotice_t *notice, } break; #endif -#ifdef HAVE_KRB4 - case 4: - bdump_auth_proc = Z_FormatAuthHeaderWithASCIIAddress; - /* send an authenticator */ - retval = SendKerberosData(live_socket, &ticket, SERVER_SERVICE, - SERVER_INSTANCE); - if (retval != 0) { - syslog(LOG_ERR,"bdump_get: %s", error_message(retval)); - cleanup(server); - return; - } - zdbug((LOG_DEBUG, "bdump_get: SendKerberosData ok")); - - /* get his authenticator */ - retval = GetKerberosData(live_socket, from.sin_addr, &kdata, - SERVER_SERVICE, srvtab_file); - if (retval != KSUCCESS) { - syslog(LOG_ERR, "bdump_get getkdata: %s",error_message(retval)); - cleanup(server); - return; - } - - if (strcmp(kdata.pname, SERVER_SERVICE) || - strcmp(kdata.pinst, SERVER_INSTANCE) || - strcmp(kdata.prealm, ZGetRealm())) { - syslog(LOG_ERR, "bdump_get: peer not zephyr in lrealm: %s.%s@%s", - kdata.pname, kdata.pinst,kdata.prealm); - cleanup(server); - return; - } - break; -#endif /* HAVE_KRB4 */ } -#endif /* defined(HAVE_KRB4) || defined(HAVE_KRB5) */ +#endif /* defined(HAVE_KRB5) */ retval = setup_file_pointers(); if (retval != 0) { syslog(LOG_WARNING, "bdump_get: can't set up file pointers: %s", @@ -988,11 +894,10 @@ cleanup(Server *server) server->dumping = 0; } -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 int got_des = 0; -#ifndef HAVE_KRB4 unsigned int enctypes[] = {ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5, 
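Review bot: With the `#ifndef HAVE_KRB4` guard gone (hunk at -988), `enctypes[]` and `got_des` are compiled into every Kerberos 5 build, and every entry visible in this hunk is a single-DES enctype. The later get_tgt hunk passes these values to `krb5_kt_get_entry`, so the server still looks for a DES key in its keytab even though Kerberos 4 is removed. Single DES is disabled by default in many current Kerberos installations, so the dependency deserves a comment above the array, for example `/* Single-DES enctypes tried against the keytab in get_tgt(); got_des is set only when one is found. */`. Both objects could also be narrowed to `static int got_des` and `static const unsigned int enctypes[]`, provided nothing outside bdump.c refers to them, which this diff does not show. The array initializer continues past the end of this hunk.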
@@ -1000,55 +905,14 @@ unsigned int enctypes[] = {ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_RAW, #endif 0}; -#endif int get_tgt(void) { int retval = 0; -#ifndef HAVE_KRB4 int i; krb5_keytab_entry kt_ent; -#endif -#ifdef HAVE_KRB4 - /* MIT Kerberos 4 get_svc_in_tkt() requires instance to be writable and - * at least INST_SZ bytes long. */ - static char buf[INST_SZ + 1] = SERVER_INSTANCE; - - /* have they expired ? */ - if (ticket_time < NOW - tkt_lifetime(TKTLIFETIME) + (15L * 60L)) { - /* +15 for leeway */ - - zdbug((LOG_DEBUG,"get new tickets: %d %d %d", ticket_time, NOW, - NOW - tkt_lifetime(TKTLIFETIME) + 15L)); - - dest_tkt(); - - retval = krb_get_svc_in_tkt(SERVER_SERVICE, buf, (char *)ZGetRealm(), - "krbtgt", (char *)ZGetRealm(), - TKTLIFETIME, srvtab_file); - if (retval != KSUCCESS) { - syslog(LOG_ERR,"get_tgt: krb_get_svc_in_tkt: %s", - error_message(retval)); - ticket_time = 0; - return(1); - } else { - ticket_time = NOW; - } - - retval = read_service_key(SERVER_SERVICE, SERVER_INSTANCE, - (char *)ZGetRealm(), 0 /*kvno*/, - srvtab_file, (char *)serv_key); - if (retval != KSUCCESS) { - syslog(LOG_ERR, "get_tgt: read_service_key: %s", - error_message(retval)); - return 1; - } - des_key_sched(serv_key, serv_ksched.s); - got_des = 1; - } -#endif #ifdef HAVE_KRB5 /* XXX */ if (ticket5_time < NOW - tkt5_lifetime(TKT5LIFETIME) + (15L * 60L)) { @@ -1096,7 +960,6 @@ get_tgt(void) return 1; } -#ifndef HAVE_KRB4 for (i = 0; enctypes[i]; i++) { retval = krb5_kt_get_entry(Z_krb5_ctx, kt, principal, 0, enctypes[i], &kt_ent); @@ -1120,7 +983,6 @@ get_tgt(void) got_des = 1; } -#endif /* HAVE_KRB4 */ krb5_free_principal(Z_krb5_ctx, principal); krb5_kt_close(Z_krb5_ctx, kt); @@ -1145,7 +1007,7 @@ get_tgt(void) #endif return 0; } -#endif /* HAVE_KRB4 */ +#endif /* HAVE_KRB5 */ /* * The braindump offer wasn't taken, so we retract it. 
@@ -1188,13 +1050,9 @@ bdump_recv_loop(Server *server) unsigned char buf[512]; int blen; #endif -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 char *cp; -#ifndef HAVE_KRB4 unsigned char cblock[8]; -#else - C_Block cblock; -#endif #endif ZRealm *realm = NULL; @@ -1343,23 +1201,6 @@ bdump_recv_loop(Server *server) } } } -#else -#ifdef HAVE_KRB4 - memset(client->session_key, 0, sizeof(C_Block)); - if (*notice.z_class_inst) { - /* a C_Block is there */ - cp = notice.z_message + strlen(notice.z_message) + 1; - retval = ZReadAscii(cp, strlen(cp), cblock, sizeof(C_Block)); - if (retval != ZERR_NONE) { - syslog(LOG_ERR,"bdump_recv_loop: bad cblock read: %s (%s)", - error_message(retval), cp); - } else { - des_ecb_encrypt((des_cblock *)cblock, - (des_cblock *)client->session_key, - serv_ksched.s, DES_DECRYPT); - } - } -#endif /* HAVE_KRB4 */ #endif } else if (strcmp(notice.z_opcode, CLIENT_SUBSCRIBE) == 0) { /* a subscription packet */ @@ -1660,7 +1501,6 @@ setup_file_pointers (void) #ifdef HAVE_KRB5 static int des_service_decrypt(unsigned char *in, unsigned char *out) { -#ifndef HAVE_KRB4 krb5_data dout; #ifdef HAVE_KRB5_C_DECRYPT krb5_enc_data din; @@ -1694,9 +1534,5 @@ static int des_service_decrypt(unsigned char *in, unsigned char *out) { return ret; #endif -#else - des_ecb_encrypt((C_Block *)in, (C_Block *)out, serv_ksched.s, DES_DECRYPT); - return 0; /* sigh */ -#endif } #endif diff --git a/server/client.c b/server/client.c index 02e98624..ffabf10f 100644 --- a/server/client.c +++ b/server/client.c @@ -82,10 +82,6 @@ client_register(ZNotice_t *notice, memset(&client->addr, 0, sizeof(struct sockaddr_in)); #ifdef HAVE_KRB5 client->session_keyblock = NULL; -#else -#ifdef HAVE_KRB4 - memset(&client->session_key, 0, sizeof(client->session_key)); -#endif #endif client->last_send = 0; client->last_ack = NOW; diff --git a/server/dispatch.c b/server/dispatch.c index ea95d3af..73ba42d4 100644 --- a/server/dispatch.c +++ b/server/dispatch.c 
@@ -545,13 +545,10 @@ xmit(ZNotice_t *notice, #if defined(HAVE_KRB5) retval = ZFormatAuthenticNoticeV5(notice, noticepack, packlen, &packlen, client->session_keyblock); -#elif defined(HAVE_KRB4) - retval = ZFormatAuthenticNotice(notice, noticepack, packlen, - &packlen, client->session_key); -#else /* !HAVE_KRB4 */ +#else /* !HAVE_KRB5 */ notice->z_auth = 1; retval = ZFormatSmallRawNotice(notice, noticepack, &packlen); -#endif /* HAVE_KRB4 */ +#endif /* HAVE_KRB5 */ if (retval != ZERR_NONE) syslog(LOG_ERR, "xmit auth/raw format: %s", error_message(retval)); } else { @@ -1041,11 +1038,6 @@ control_dispatch(ZNotice_t *notice, nack(notice, who); return ZERR_NONE; } -#else -#ifdef HAVE_KRB4 - /* in case it's changed */ - memcpy(client->session_key, ZGetSession(), sizeof(C_Block)); -#endif #endif retval = subscr_subscribe(client, notice, server); if (retval != ZERR_NONE) { diff --git a/server/global.c b/server/global.c index 5199f7b7..67f6254b 100644 --- a/server/global.c +++ b/server/global.c @@ -36,9 +36,6 @@ char list_file[128]; #ifdef HAVE_KRB5 char keytab_file[128]; #endif -#ifdef HAVE_KRB4 -char srvtab_file[128]; -#endif char acl_dir[128]; char subs_file[128]; @@ -58,18 +55,10 @@ char *bdump_version = "1.2"; #ifdef HAVE_KRB5 int bdump_auth_proto = 5; #else /* HAVE_KRB5 */ -#ifdef HAVE_KRB4 -int bdump_auth_proto = 4; -#else /* HAVE_KRB4 */ int bdump_auth_proto = 0; -#endif /* HAVE_KRB4 */ #endif /* HAVE_KRB5 */ #ifdef HAVE_KRB5 krb5_ccache Z_krb5_ccache; krb5_keyblock *__Zephyr_keyblock; -#else -#ifdef HAVE_KRB4 -C_Block __Zephyr_session; -#endif #endif diff --git a/server/kstuff.c b/server/kstuff.c index 5e4cf870..2b828a00 100644 --- a/server/kstuff.c +++ b/server/kstuff.c 
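Review bot: The `#else /* !HAVE_KRB5 */` branch of xmit sets `notice->z_auth = 1` and calls ZFormatSmallRawNotice with no key involved on the visible lines. After this commit it is the only alternative to the Kerberos 5 path. A comment there would stop a reader from taking the flag as proof of origin, for example `/* No Kerberos support compiled in: z_auth is asserted here, not backed by a checksum. */`. xmit starts and ends outside this hunk, so whether the receiving side checks anything further cannot be seen here.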
@@ -20,112 +20,12 @@ static const char rcsid_kstuff_c[] = "$Id$"; #endif #endif -#if defined(HAVE_KRB4) && defined(HAVE_KRB5) -static Code_t ZCheckAuthentication4(ZNotice_t *notice, struct sockaddr_in *from); -#endif #ifdef HAVE_KRB5 static ZChecksum_t compute_checksum(ZNotice_t *, unsigned char *); static ZChecksum_t compute_rlm_checksum(ZNotice_t *, unsigned char *); #endif -#ifdef HAVE_KRB4 -/* - * GetKerberosData - * - * get ticket from file descriptor and decode it. - * Return KFAILURE if we barf on reading the ticket, else return - * the value of rd_ap_req() applied to the ticket. - */ -int -GetKerberosData(int fd, /* file descr. to read from */ - struct in_addr haddr, /* address of foreign host on fd */ - AUTH_DAT *kdata, /* kerberos data (returned) */ - char *service, /* service principal desired */ - char *srvtab) /* file to get keys from */ -{ - char p[20]; - KTEXT_ST ticket; /* will get Kerberos ticket from client */ - unsigned int i; - char instance[INST_SZ]; - - /* - * Get the Kerberos ticket. The first few characters, terminated - * by a blank, should give us a length; then get than many chars - * which will be the ticket proper. - */ - for (i=0; i<20; i++) { - if (read(fd, &p[i], 1) != 1) { - syslog(LOG_WARNING,"bad read tkt len"); - return(KFAILURE); - } - if (p[i] == ' ') { - p[i] = '\0'; - break; - } - } - ticket.length = atoi(p); - if ((i==20) || (ticket.length<=0) || (ticket.length>MAX_KTXT_LEN)) { - syslog(LOG_WARNING,"bad tkt len %d",ticket.length); - return(KFAILURE); - } - for (i=0; ilength); - size_to_write = strlen (p); - if ((written = write(fd, p, size_to_write)) != size_to_write) - return ((ssize_t)written < 0) ? errno : ZSRV_PKSHORT; - if ((written = write(fd, ticket->dat, ticket->length)) - != ticket->length) - return ((ssize_t)written < 0) ? 
errno : ZSRV_PKSHORT; - - return 0; -} - -#endif /* HAVE_KRB4 */ - -#if defined(HAVE_KRB5) || defined(HAVE_KRB4) +#ifdef HAVE_KRB5 Code_t ReadKerberosData(int fd, int *size, char **data, int *proto) { char p[20]; @@ -285,11 +185,6 @@ ZCheckSrvAuthentication(ZNotice_t *notice, return ZAUTH_FAILED; } -#ifdef HAVE_KRB4 - if (notice->z_ascii_authent[0] != 'Z' && realm == NULL) - return ZCheckAuthentication4(notice, from); -#endif - len = strlen(notice->z_ascii_authent)+1; authbuf = malloc(len); 
@@ -606,59 +501,6 @@ ZCheckSrvAuthentication(ZNotice_t *notice, #undef KRB5AUTHENT -#if defined(HAVE_KRB4) && defined(HAVE_KRB5) -static Code_t -ZCheckAuthentication4(ZNotice_t *notice, - struct sockaddr_in *from) -{ - int result; - char srcprincipal[ANAME_SZ+INST_SZ+REALM_SZ+4]; - KTEXT_ST authent; - AUTH_DAT dat; - ZChecksum_t checksum; - char instance[INST_SZ+1]; - - if (!notice->z_auth) - return ZAUTH_NO; - - /* Check for bogus authentication data length. */ - if (notice->z_authent_len <= 0) - return ZAUTH_FAILED; - - /* Read in the authentication data. */ - if (ZReadAscii(notice->z_ascii_authent, - strlen(notice->z_ascii_authent)+1, - (unsigned char *)authent.dat, - notice->z_authent_len) == ZERR_BADFIELD) { - return ZAUTH_FAILED; - } - authent.length = notice->z_authent_len; - - strcpy(instance, SERVER_INSTANCE); - - /* We don't have the session key cached; do it the long way. */ - result = krb_rd_req(&authent, SERVER_SERVICE, instance, - from->sin_addr.s_addr, &dat, srvtab_file); - if (result == RD_AP_OK) { - ZSetSessionDES(&dat.session); - sprintf(srcprincipal, "%s%s%s@%s", dat.pname, dat.pinst[0] ? "." : "", - dat.pinst, dat.prealm); - if (strcmp(srcprincipal, notice->z_sender)) - return ZAUTH_FAILED; - } else { - return ZAUTH_FAILED; /* didn't decode correctly */ - } - - /* Check the cryptographic checksum. */ - checksum = compute_checksum(notice, dat.session); - - if (checksum != notice->z_checksum) - return ZAUTH_FAILED; - - return ZAUTH_YES; -} -#endif - #ifdef HAVE_KRB5 static ZChecksum_t 
@@ -732,24 +574,3 @@ ZSetSession(krb5_keyblock *keyblock) { return; } #endif -#ifdef HAVE_KRB4 -void -ZSetSessionDES(C_Block *key) { -#ifdef HAVE_KRB5 - Code_t result; - if (__Zephyr_keyblock) { - krb5_free_keyblock(Z_krb5_ctx, __Zephyr_keyblock); - __Zephyr_keyblock=NULL; - } - result = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, - sizeof(C_Block), - &__Zephyr_keyblock); - if (result) /*XXX we're out of memory? */ - return; - - memcpy(Z_keydata(__Zephyr_keyblock), key, sizeof(C_Block)); -#else - memcpy(__Zephyr_session, key, sizeof(C_Block)); -#endif -} -#endif diff --git a/server/main.c b/server/main.c index 0186b177..a9c7f7bd 100644 --- a/server/main.c +++ b/server/main.c @@ -76,16 +76,13 @@ static char *programname; /* set to the basename of argv[0] */ #ifdef HAVE_KRB5 static char tkt5_file[256]; #endif -#ifdef HAVE_KRB4 -static char tkt_file[128]; -#endif static int dump_db_flag = 0; static int dump_strings_flag = 0; static int nofork; -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 static char my_realm[REALM_SZ]; #endif @@ -105,10 +102,6 @@ main(int argc, int optchar; /* option processing */ sprintf(list_file, "%s/zephyr/%s", SYSCONFDIR, SERVER_LIST_FILE); -#ifdef HAVE_KRB4 - sprintf(srvtab_file, "%s/zephyr/%s", SYSCONFDIR, ZEPHYR_SRVTAB); - strcpy(tkt_file, ZEPHYR_TKFILE); -#endif #ifdef HAVE_KRB5 sprintf(keytab_file, "%s/zephyr/%s", SYSCONFDIR, ZEPHYR_KEYTAB); strcpy(tkt5_file, ZEPHYR_TK5FILE); @@ -135,7 +128,7 @@ main(int argc, nofork = 1; break; case 'k': -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 strncpy(my_realm, optarg, REALM_SZ); #endif break; 
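Review bot: The `-k` case in main() keeps `strncpy(my_realm, optarg, REALM_SZ);` under the rewritten `#ifdef HAVE_KRB5`, and with `my_realm` declared as `char my_realm[REALM_SZ]` an argument of REALM_SZ bytes or more leaves the buffer without a terminating NUL. The initialize() hunk at `@@ -355,7 +323,7 @@` then runs `strcpy(__Zephyr_realm, my_realm)`, which would read past the array in that case. A bounded, always-terminated copy avoids this: `snprintf(my_realm, sizeof(my_realm), "%s", optarg);`, ideally rejecting an over-long realm instead of truncating it. main() continues outside the hunk and the size of `__Zephyr_realm` is not visible, so the destination bound should be checked as well.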
@@ -156,28 +149,6 @@ main(int argc, } } -#ifdef HAVE_KRB4 - /* if there is no readable srvtab and we are not standalone, there - is no possible way we can succeed, so we exit */ - - if (access(srvtab_file, R_OK) -#ifdef DEBUG - && !zalone -#endif /* DEBUG */ - ) { - fprintf(stderr, "NO ZEPHYR SRVTAB (%s) available; exiting\n", - srvtab_file); - exit(1); - } - /* Use local realm if not specified on command line. */ - if (!*my_realm) { - if (krb_get_lrealm(my_realm, 1) != KSUCCESS) { - fputs("Couldn't get local Kerberos realm; exiting.\n", stderr); - exit(1); - } - } -#endif /* HAVE_KRB4 */ - #ifndef DEBUG if (!nofork) detach(); @@ -334,9 +305,6 @@ initialize(void) server_init(); -#ifdef HAVE_KRB4 - krb_set_tkt_string(tkt_file); -#endif realm_init(); ZSetServerState(1); @@ -355,7 +323,7 @@ initialize(void) } #endif #endif -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 /* Override what Zinitialize set for ZGetRealm() */ if (*my_realm) strcpy(__Zephyr_realm, my_realm); @@ -485,9 +453,6 @@ bye(int sig) #endif hostm_shutdown(); /* tell our hosts */ kill_realm_pids(); -#ifdef HAVE_KRB4 - dest_tkt(); -#endif syslog(LOG_NOTICE, "goodbye (sig %d)", sig); exit(0); } diff --git a/server/realm.c b/server/realm.c index 494c2e4a..c4c45eed 100644 --- a/server/realm.c +++ b/server/realm.c @@ -283,7 +283,7 @@ realm_expand_realm(char *realmname) int a; /* First, look for an exact match (case insensitive) */ -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 if (!strcasecmp(ZGetRealm(), realmname)) return(ZGetRealm()); #endif @@ -293,7 +293,7 @@ realm_expand_realm(char *realmname) return(otherrealms[a]->name); /* No exact match. See if there's a partial match */ -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 if (!strncasecmp(ZGetRealm(), realmname, strlen(realmname))) return(ZGetRealm()); #endif 
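Review bot: The partial-match test in realm_expand_realm(), `strncasecmp(ZGetRealm(), realmname, strlen(realmname))`, compares zero bytes when `realmname` is empty and therefore returns the local realm for an empty name. Whether callers can pass an empty or remotely supplied string is not visible in these two hunks, so this is worth confirming rather than assuming. If an empty name should not expand, add an explicit `if (*realmname == '\0')` guard ahead of the prefix checks that takes the function's no-match path. The function starts and ends outside the hunk.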
@@ -800,10 +800,6 @@ realm_init(void) memset(&client->addr, 0, sizeof(struct sockaddr_in)); #ifdef HAVE_KRB5 client->session_keyblock = NULL; -#else -#ifdef HAVE_KRB4 - memset(&client->session_key, 0, sizeof(client->session_key)); -#endif #endif snprintf(rlmprinc, MAX_PRINCIPAL_SIZE, "%s.%s@%s", SERVER_SERVICE, SERVER_INSTANCE, rlm->name); @@ -1091,9 +1087,9 @@ realm_handoff(ZNotice_t *notice, zdbug((LOG_DEBUG, "realm_sendit to realm %s auth %d", realm->name, auth)); /* valid ticket available now, send the message */ retval = realm_sendit_auth(notice, who, auth, realm, ack_to_sender); -#else /* HAVE_KRB4 */ +#else /* HAVE_KRB5 */ realm_sendit(notice, who, auth, realm, ack_to_sender); -#endif /* HAVE_KRB4 */ +#endif /* HAVE_KRB5 */ } static void diff --git a/server/subscr.c b/server/subscr.c index b7886630..b27832b3 100644 --- a/server/subscr.c +++ b/server/subscr.c @@ -65,11 +65,6 @@ static const char rcsid_subscr_c[] = "$Id$"; * */ -#if defined(HAVE_KRB4) -C_Block serv_key; -Sched serv_ksched; -#endif - static Code_t add_subscriptions(Client *who, Destlist *subs_queue, ZNotice_t *notice, Server *server); static Destlist *extract_subscriptions(ZNotice_t *notice); @@ -599,11 +594,6 @@ subscr_send_subs(Client *client) #ifdef HAVE_KRB5 char buf[512]; unsigned char *bufp; -#else -#ifdef HAVE_KRB4 - char buf[512]; - C_Block cblock; -#endif /* HAVE_KRB4 */ #endif char buf2[512]; char *list[7 * NUM_FIELDS]; 
@@ -615,17 +605,6 @@ subscr_send_subs(Client *client) list[num++] = buf2; #ifdef HAVE_KRB5 -#ifdef HAVE_KRB4 /* XXX make this optional for server transition time */ - if (Z_enctype(client->session_keyblock) == ENCTYPE_DES_CBC_CRC) { - bufp = malloc(Z_keylen(client->session_keyblock)); - if (bufp == NULL) { - syslog(LOG_WARNING, "subscr_send_subs: cannot allocate memory for DES keyblock: %m"); - return errno; - } - des_ecb_encrypt((C_Block *)Z_keydata(client->session_keyblock), (C_Block *)bufp, serv_ksched.s, DES_ENCRYPT); - retval = ZMakeAscii(buf, sizeof(buf), bufp, Z_keylen(client->session_keyblock)); - } else { -#endif bufp = malloc(Z_keylen(client->session_keyblock) + 8); /* + enctype + length */ if (bufp == NULL) { @@ -637,24 +616,14 @@ subscr_send_subs(Client *client) memcpy(&bufp[8], Z_keydata(client->session_keyblock), Z_keylen(client->session_keyblock)); retval = ZMakeZcode(buf, sizeof(buf), bufp, Z_keylen(client->session_keyblock) + 8); -#ifdef HAVE_KRB4 - } -#endif /* HAVE_KRB4 */ -#else /* HAVE_KRB5 */ -#ifdef HAVE_KRB4 - des_ecb_encrypt((des_cblock *)client->session_key, (des_cblock *)cblock, - serv_ksched.s, DES_ENCRYPT); - - retval = ZMakeAscii(buf, sizeof(buf), cblock, sizeof(C_Block)); -#endif /* HAVE_KRB4 */ #endif /* HAVE_KRB5 */ -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 if (retval != ZERR_NONE) { } else { list[num++] = buf; } -#endif /* HAVE_KRB4 || HAVE_KRB5*/ +#endif /* HAVE_KRB5 */ retval = bdump_send_list_tcp(SERVACK, &client->addr, ZEPHYR_ADMIN_CLASS, num > 1 ? "CBLOCK" : "", ADMIN_NEWCLT, client->principal->string, "", list, num); diff --git a/server/zserver.h b/server/zserver.h index b1b4bc83..1d6000fa 100644 --- a/server/zserver.h +++ b/server/zserver.h 
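Review bot: In the second subscr_send_subs() hunk the block `if (retval != ZERR_NONE) { } else { list[num++] = buf; }` silently discards a ZMakeZcode() failure, so the dump is sent without the client's session key (the instance argument becomes `""` instead of `"CBLOCK"`) and nothing is logged. Now that the two `#ifdef HAVE_KRB5` regions are adjacent they can be merged, and the empty branch replaced with a log line such as `syslog(LOG_WARNING, "subscr_send_subs: cannot encode session key: %s", error_message(retval));`. `bufp` holds a copy of the key material and its release is not visible in these hunks, so confirm it is cleared and freed after ZMakeZcode(). The function continues outside both hunks.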
@@ -41,17 +41,6 @@ krb5_error_code Z_krb5_init_keyblock(krb5_context, krb5_enctype, size_t, krb5_keyblock **); #endif -#ifdef HAVE_KRB4 -void ZSetSessionDES(C_Block *key); - -Code_t ZFormatAuthenticNotice(ZNotice_t*, char*, int, int*, C_Block); - -#ifndef HAVE_KRB5 -extern C_Block __Zephyr_session; -#define ZGetSession() (__Zephyr_session) -#endif -#endif - /* For krb_rd_req prototype and definition. */ #ifndef KRB_INT32 #define KRB_INT32 ZEPHYR_INT32 @@ -60,13 +49,6 @@ extern C_Block __Zephyr_session; /* Current time as cached by main(); use instead of time(). */ #define NOW t_local.tv_sec -#ifdef HAVE_KRB4 -/* Kerberos shouldn't stick us with array types... */ -typedef struct { - des_key_schedule s; -} Sched; -#endif - enum _ZRealm_state { REALM_NEW, /* New realm; no servers yet */ REALM_UP, /* ZRealm is up */ @@ -151,10 +133,6 @@ struct _Client { Destlist *subs ; /* subscriptions */ #ifdef HAVE_KRB5 krb5_keyblock *session_keyblock; -#else -#ifdef HAVE_KRB4 - C_Block session_key; /* session key for this client */ -#endif /* HAVE_KRB4 */ #endif String *principal; /* krb principal of user */ int last_send; /* Counter for last sent packet. */ @@ -330,14 +308,10 @@ void hostm_shutdown(void); /* found in kstuff.c */ Code_t ZCheckSrvAuthentication(ZNotice_t *notice, struct sockaddr_in *from, char *realm); -#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +#ifdef HAVE_KRB5 Code_t ReadKerberosData(int, int *, char **, int *); void sweep_ticket_hash_table(void *); #endif -#ifdef HAVE_KRB4 -int GetKerberosData (int, struct in_addr, AUTH_DAT *, char *, char *); -Code_t SendKerberosData (int, KTEXT, char *, char *); -#endif #ifdef HAVE_KRB5 Code_t SendKrb5Data(int, krb5_data *); Code_t GetKrb5Data(int, krb5_data *); @@ -442,9 +416,6 @@ extern char list_file[]; extern char keytab_file[]; extern krb5_ccache Z_krb5_ccache; #endif -#ifdef HAVE_KRB4 -extern char srvtab_file[]; -#endif extern char acl_dir[]; extern char subs_file[]; extern const char version[]; 
diff --git a/server/zsrv_conf.h b/server/zsrv_conf.h
index 9c2f674b..98d7a599 100644
--- a/server/zsrv_conf.h
+++ b/server/zsrv_conf.h
@@ -23,10 +23,6 @@
 #define ZEPHYR_KEYTAB "krb5.keytab"
 #define ZEPHYR_TK5FILE "/var/run/zephyrd.tkt"
 #endif
-#ifdef HAVE_KRB4
-#define ZEPHYR_SRVTAB "srvtab"
-#define ZEPHYR_TKFILE "/var/run/zephyrd.tkt4"
-#endif
 #define ZEPHYR_ACL_DIR "acl/"
 #define ZEPHYR_CLASS_REGISTRY "class-registry.acl"
 #define DEFAULT_SUBS_FILE "default.subscriptions"