diff options
author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2016-07-01 15:48:55 +0200 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2016-07-01 15:48:55 +0200 |
commit | 2f19f2f66d7cc3d844e8f1eb58d65c4fa6b867d1 (patch) | |
tree | ba1bf29ee69e8ae391b0773161ff3baf58707761 /nx-X11/programs/Xserver/os | |
parent | a3a295288189d1312f5abef0e7b4cc57b948e7d3 (diff) | |
parent | 20454528656dbe98a538de7c67ce89e50841bd5f (diff) | |
download | nx-libs-2f19f2f66d7cc3d844e8f1eb58d65c4fa6b867d1.tar.gz nx-libs-2f19f2f66d7cc3d844e8f1eb58d65c4fa6b867d1.tar.bz2 nx-libs-2f19f2f66d7cc3d844e8f1eb58d65c4fa6b867d1.zip |
Merge branch 'sunweaver-pr/libXau-cleanup' into 3.6.x
Attributes GH PR #152: https://github.com/ArcticaProject/nx-libs/pull/152
Reviewed by: Vadim Troshchinskiy <vadim@qindel.com> -- Fri, 01 Jul 2016 14:55:00 +0200
Diffstat (limited to 'nx-X11/programs/Xserver/os')
-rw-r--r-- | nx-X11/programs/Xserver/os/Imakefile | 18 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/os/access.c | 31 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/os/auth.c | 12 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/os/k5auth.c | 801 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/os/osdep.h | 23 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/os/rpcauth.c | 2 |
6 files changed, 5 insertions, 882 deletions
diff --git a/nx-X11/programs/Xserver/os/Imakefile b/nx-X11/programs/Xserver/os/Imakefile index 5245b7841..00d28deb1 100644 --- a/nx-X11/programs/Xserver/os/Imakefile +++ b/nx-X11/programs/Xserver/os/Imakefile @@ -78,11 +78,6 @@ RPCOBJS = RPCSRCS = #endif -#if HasKrb5 -KRB5OBJS = k5auth.o k5encode.o -KRB5SRCS = k5auth.c k5encode.c -#endif - #if HasBSD44Sockets SOCK_DEFINES = -DBSD44SOCKETS #endif @@ -122,12 +117,12 @@ GETPEER_DEFINES = -DHAS_GETPEEREID BOOTSTRAPCFLAGS = SRCS = WaitFor.c access.c connection.c io.c $(COLOR_SRCS) \ osinit.c utils.c log.c auth.c mitauth.c secauth.c \ - $(XDMAUTHSRCS) $(RPCSRCS) $(KRB5SRCS) xdmcp.c OtherSources \ + $(XDMAUTHSRCS) $(RPCSRCS) xdmcp.c OtherSources \ transport.c $(SNPRINTF_SRCS) $(STRLCAT_SRCS) \ $(MALLOC_SRCS) xprintf.c OBJS = WaitFor.o access.o connection.o io.o $(COLOR_OBJS) \ osinit.o utils.o log.o auth.o mitauth.o secauth.o \ - $(XDMAUTHOBJS) $(RPCOBJS) $(KRB5OBJS) xdmcp.o OtherObjects \ + $(XDMAUTHOBJS) $(RPCOBJS) xdmcp.o OtherObjects \ transport.o $(SNPRINTF_OBJS) $(STRLCAT_OBJS) \ $(MALLOC_OBJS) xprintf.o @@ -146,7 +141,6 @@ BOOTSTRAPCFLAGS = DBM_DEFINES = NdbmDefines ADM_DEFINES = -DADMPATH=\"$(ADMDIR)/X\%smsgs\" XDMCP_DEFINES = ServerXdmcpDefines - KRB5_DEFINES = Krb5Defines XALLOC_DEFINES = XallocDefines ERROR_DEFINES = ServerErrorDefines #if HasPam && HasPamMisc @@ -154,11 +148,11 @@ BOOTSTRAPCFLAGS = #endif DEFINES = -DXSERV_t -DTRANS_SERVER $(CONNECTION_FLAGS) $(MEM_DEFINES) \ $(XDMAUTHDEFS) $(RPCDEFS) $(SIGNAL_DEFINES) $(OS_DEFINES) \ - $(KRB5_DEFINES) $(RGB_DEFINES) $(GETPEER_DEFINES) \ + $(RGB_DEFINES) $(GETPEER_DEFINES) \ $(RANDOM_DEFINES) $(BUGMSG) $(XTRANS_FAILDEFINES) $(NX_DEFINES) INCLUDES = -I. -I../include -I$(XINCLUDESRC) -I$(EXTINCSRC) \ -I$(SERVERSRC)/Xext -I$(SERVERSRC)/render \ - -I$(TOP)/lib/Xau Krb5Includes $(NX_INCLUDES) \ + -I$(TOP)/lib/Xau $(NX_INCLUDES) \ `pkg-config --cflags-only-I pixman-1` DEPEND_DEFINES = $(DBM_DEFINES) $(XDMCP_DEFINES) $(EXT_DEFINES) \ $(TRANS_INCLUDES) $(CONNECTION_FLAGS) $(GETPEER_DEFINES) \ @@ -204,10 +198,6 @@ oscolor.o: oscolor.c $(ICONFIGFILES) SpecialCObjectRule(oscolor,$(ICONFIGFILES),$(DBM_DEFINES)) #endif -#if HasKrb5 -LinkSourceFile(k5encode.c,$(XAUTHSRC)) -#endif - #if !HasSnprintf LinkSourceFile(snprintf.c,$(LIBSRC)/misc) #endif diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c index d2bf972fe..7f45e5ec9 100644 --- a/nx-X11/programs/Xserver/os/access.c +++ b/nx-X11/programs/Xserver/os/access.c @@ -1170,10 +1170,6 @@ ResetHosts (char *display) struct nodeent *np; struct dn_naddr dnaddr, *dnaddrp, *dnet_addr(); #endif -#ifdef K5AUTH - krb5_principal princ; - krb5_data kbuf; -#endif int family = 0; void *addr; int len; @@ -1249,13 +1245,6 @@ ResetHosts (char *display) hostname = ohostname + 4; } #endif -#ifdef K5AUTH - else if (!strncmp("krb:", lhostname, 4)) - { - family = FamilyKrb5Principal; - hostname = ohostname + 4; - } -#endif else if (!strncmp("si:", lhostname, 3)) { family = FamilyServerInterpreted; @@ -1298,16 +1287,6 @@ ResetHosts (char *display) } else #endif /* DNETCONN */ -#ifdef K5AUTH - if (family == FamilyKrb5Principal) - { - krb5_parse_name(hostname, &princ); - XauKrb5Encode(princ, &kbuf); - (void) NewHost(FamilyKrb5Principal, kbuf.data, kbuf.length, FALSE); - krb5_free_principal(princ); - } - else -#endif #ifdef SECURE_RPC if ((family == FamilyNetname) || (strchr(hostname, '@'))) { @@ -1553,11 +1532,6 @@ AddHost (ClientPtr client, len = length; LocalHostEnabled = TRUE; break; -#ifdef K5AUTH - case FamilyKrb5Principal: - len = length; - break; -#endif #ifdef SECURE_RPC case FamilyNetname: len = length; @@ -1656,11 +1630,6 @@ RemoveHost ( len = length; LocalHostEnabled = FALSE; break; -#ifdef K5AUTH - case FamilyKrb5Principal: - len = length; - break; -#endif #ifdef SECURE_RPC case FamilyNetname: len = length; diff --git a/nx-X11/programs/Xserver/os/auth.c b/nx-X11/programs/Xserver/os/auth.c index c14c1e874..587e0d5ec 100644 --- a/nx-X11/programs/Xserver/os/auth.c +++ b/nx-X11/programs/Xserver/os/auth.c @@ -54,9 +54,6 @@ from The Open Group. #include <dix-config.h> #endif -#ifdef K5AUTH -# include <krb5/krb5.h> -#endif # include <nx-X11/X.h> # include <nx-X11/Xauth.h> # include "misc.h" @@ -112,15 +109,6 @@ static struct protocol protocols[] = { #endif }, #endif -#ifdef K5AUTH -{ (unsigned short) 14, "MIT-KERBEROS-5", - K5Add, K5Check, K5Reset, - K5ToID, K5FromID, K5Remove, -#ifdef XCSECURITY - NULL -#endif -}, -#endif #ifdef XCSECURITY { (unsigned short) XSecurityAuthorizationNameLen, XSecurityAuthorizationName, diff --git a/nx-X11/programs/Xserver/os/k5auth.c b/nx-X11/programs/Xserver/os/k5auth.c deleted file mode 100644 index f2ed5369d..000000000 --- a/nx-X11/programs/Xserver/os/k5auth.c +++ /dev/null @@ -1,801 +0,0 @@ -/* $Xorg: k5auth.c,v 1.4 2001/02/09 02:05:23 xorgcvs Exp $ */ -/* - -Copyright 1993, 1994, 1998 The Open Group - -Permission to use, copy, modify, distribute, and sell this software and its -documentation for any purpose is hereby granted without fee, provided that -the above copyright notice appear in all copies and that both that -copyright notice and this permission notice appear in supporting -documentation. - -The above copyright notice and this permission notice shall be included -in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR -OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -OTHER DEALINGS IN THE SOFTWARE. - -Except as contained in this notice, the name of The Open Group shall -not be used in advertising or otherwise to promote the sale, use or -other dealings in this Software without prior written authorization -from The Open Group. - -*/ -/* $XFree86: xc/programs/Xserver/os/k5auth.c,v 3.4 2001/01/17 22:37:10 dawes Exp $ */ - -/* - * Kerberos V5 authentication scheme - * Author: Tom Yu <tlyu@MIT.EDU> - * - * Mostly snarfed wholesale from the user_user demo in the - * krb5 distribution. (At least the checking part) - */ - -#ifdef HAVE_DIX_CONFIG_H -#include <dix-config.h> -#endif - -#include <sys/types.h> -#include <sys/socket.h> -#ifdef TCPCONN -#include <netinet/in.h> -#endif -#ifdef DNETCONN -#include <netdnet/dn.h> -#endif -#include <arpa/inet.h> -#include <krb5/krb5.h> -/* 9/93: krb5.h leaks some symbols */ -#undef BITS32 -#undef xfree -#include <krb5/los-proto.h> -#include <nx-X11/X.h> -#include "os.h" -#include "osdep.h" -#include <nx-X11/Xproto.h> -#include <nx-X11/Xfuncs.h> -#include "dixstruct.h" -#include <com_err.h> -#include "Xauth.h" - -extern int (*k5_Vector[256])(); -extern int SendConnSetup(); -extern char *display; /* need this to generate rcache name */ - -static XID krb5_id = ~0L; -static krb5_principal srvname = NULL; /* service name */ -static char *ccname = NULL; -static char *ktname = NULL; /* key table name */ -static char kerror[256]; - -/* - * tgt_keyproc: - * - * extract session key from a credentials struct - */ -krb5_error_code tgt_keyproc(keyprocarg, principal, vno, key) - krb5_void * keyprocarg; - krb5_principal principal; - krb5_kvno vno; - krb5_keyblock **key; -{ - krb5_creds *creds = (krb5_creds *)keyprocarg; - - return krb5_copy_keyblock(&creds->keyblock, key); -} - -/* - * k5_cmpenc: - * - * compare "encoded" principals - */ -Bool k5_cmpenc(pname, plen, buf) - unsigned char *pname; - short plen; - krb5_data *buf; -{ - return (plen == buf->length && - memcmp(pname, buf->data, plen) == 0); -} - -/* - * K5Check: - * - * This is stage 0 of the krb5 authentication protocol. It - * goes through the current credentials cache and extracts the - * primary principal and tgt to send to the client, or as - * appropriate, extracts from a keytab. - * - * The packet sent to the client has the following format: - * - * CARD8 reqType = 2 - * CARD8 data = 0 - * CARD16 length = total length of packet (in 32 bit units) - * CARD16 plen = length of encoded principal following - * STRING8 princ = encoded principal - * STRING8 ticket = server tgt - * - * For client-server authentication, the packet is as follows: - * - * CARD8 reqType = 3 - * CARD8 data = 0 - * CARD16 length = total length - * STRING8 princ = encoded principal of server - */ -XID K5Check(data_length, data, client, reason) - unsigned short data_length; - char *data; - ClientPtr client; - char **reason; -{ - krb5_error_code retval; - CARD16 tlen; - krb5_principal sprinc, cprinc; - krb5_ccache cc; - krb5_creds *creds; - char *outbuf, *cp; - krb5_data princ; - register char n; - xReq prefix; - - if (krb5_id == ~0L) - return ~0L; - if (!ccname && !srvname) - return ~0L; - if (ccname) - { - if ((creds = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL) - return ~0L; - if (retval = krb5_cc_resolve(ccname, &cc)) - return ~0L; - bzero((char*)creds, sizeof (krb5_creds)); - if (retval = krb5_cc_get_principal(cc, &cprinc)) - { - krb5_free_creds(creds); - krb5_cc_close(cc); - return ~0L; - } - creds->client = cprinc; - if (retval = - krb5_build_principal_ext(&sprinc, - krb5_princ_realm(creds->client)->length, - krb5_princ_realm(creds->client)->data, - 6, "krbtgt", - krb5_princ_realm(creds->client)->length, - krb5_princ_realm(creds->client)->data, - 0)) - { - krb5_free_creds(creds); - krb5_cc_close(cc); - return ~0L; - } - creds->server = sprinc; - retval = krb5_get_credentials(KRB5_GC_CACHED, cc, creds); - krb5_cc_close(cc); - if (retval) - { - krb5_free_creds(creds); - return ~0L; - } - if (retval = XauKrb5Encode(cprinc, &princ)) - { - krb5_free_creds(creds); - return ~0L; - } - tlen = sz_xReq + 2 + princ.length + creds->ticket.length; - prefix.reqType = 2; /* opcode = authenticate user-to-user */ - } - else if (srvname) - { - if (retval = XauKrb5Encode(srvname, &princ)) - { - return ~0L; - } - tlen = sz_xReq + princ.length; - prefix.reqType = 3; /* opcode = authenticate client-server */ - } - prefix.data = 0; /* stage = 0 */ - prefix.length = (tlen + 3) >> 2; /* round up to nearest multiple - of 4 bytes */ - if (client->swapped) - { - swaps(&prefix.length, n); - } - if ((cp = outbuf = (char *)malloc(tlen)) == NULL) - { - if (ccname) - { - krb5_free_creds(creds); - } - free(princ.data); - return ~0L; - } - memcpy(cp, &prefix, sz_xReq); - cp += sz_xReq; - if (ccname) - { - memcpy(cp, &princ.length, 2); - if (client->swapped) - { - swaps((CARD16 *)cp, n); - } - cp += 2; - } - memcpy(cp, princ.data, princ.length); - cp += princ.length; - free(princ.data); /* we don't need that anymore */ - if (ccname) - memcpy(cp, creds->ticket.data, creds->ticket.length); - WriteToClient(client, tlen, outbuf); - free(outbuf); - client->requestVector = k5_Vector; /* hack in our dispatch vector */ - client->clientState = ClientStateAuthenticating; - if (ccname) - { - ((OsCommPtr)client->osPrivate)->authstate.srvcreds = (void *)creds; /* save tgt creds */ - ((OsCommPtr)client->osPrivate)->authstate.ktname = NULL; - ((OsCommPtr)client->osPrivate)->authstate.srvname = NULL; - } - if (srvname) - { - ((OsCommPtr)client->osPrivate)->authstate.srvcreds = NULL; - ((OsCommPtr)client->osPrivate)->authstate.ktname = (void *)ktname; - ((OsCommPtr)client->osPrivate)->authstate.srvname = (void *)srvname; - } - ((OsCommPtr)client->osPrivate)->authstate.stageno = 1; /* next stage is 1 */ - return krb5_id; -} - -/* - * k5_stage1: - * - * This gets called out of the dispatcher after K5Check frobs with the - * client->requestVector. It accepts the ap_req from the client and verifies - * it. In addition, if the client has set AP_OPTS_MUTUAL_REQUIRED, it then - * sends an ap_rep to the client to achieve mutual authentication. - * - * client stage1 packet format is as follows: - * - * CARD8 reqType = 1 - * CARD8 data = ignored - * CARD16 length = total length - * STRING8 data = the actual ap_req - * - * stage2 packet sent back to client for mutual authentication: - * - * CARD8 reqType = 2 - * CARD8 data = 2 - * CARD16 length = total length - * STRING8 data = the ap_rep - */ -int k5_stage1(client) - register ClientPtr client; -{ - long addrlen; - krb5_error_code retval, retval2; - register char n; - struct sockaddr cli_net_addr; - xReq prefix; - krb5_principal cprinc; - krb5_data buf; - krb5_creds *creds = (krb5_creds *)((OsCommPtr)client->osPrivate)->authstate.srvcreds; - krb5_keyblock *skey; - krb5_address cli_addr, **localaddrs = NULL; - krb5_tkt_authent *authdat; - krb5_ap_rep_enc_part rep; - krb5_int32 ctime, cusec; - krb5_rcache rcache = NULL; - char *cachename = NULL, *rc_type = NULL, *rc_base = "rcX", *kt = NULL; - REQUEST(xReq); - - if (((OsCommPtr)client->osPrivate)->authstate.stageno != 1) - { - if (creds) - krb5_free_creds(creds); - return(SendConnSetup(client, "expected Krb5 stage1 packet")); - } - addrlen = sizeof (cli_net_addr); - if (getpeername(((OsCommPtr)client->osPrivate)->fd, - &cli_net_addr, &addrlen) == -1) - { - if (creds) - krb5_free_creds(creds); - return(SendConnSetup(client, "Krb5 stage1: getpeername failed")); - } - if (cli_net_addr.sa_family == AF_UNSPEC -#if defined(UNIXCONN) || defined(LOCALCONN) || defined(OS2PIPECONN) - || cli_net_addr.sa_family == AF_UNIX -#endif - ) /* assume local host */ - { - krb5_os_localaddr(&localaddrs); - if (!localaddrs || !localaddrs[0]) - { - if (creds) - krb5_free_creds(creds); - return(SendConnSetup(client, "Krb5 failed to get localaddrs")); - } - cli_addr.addrtype = localaddrs[0]->addrtype; - cli_addr.length = localaddrs[0]->length; - cli_addr.contents = localaddrs[0]->contents; - } - else - { - cli_addr.addrtype = cli_net_addr.sa_family; /* the values - are compatible */ - switch (cli_net_addr.sa_family) - { -#ifdef TCPCONN - case AF_INET: - cli_addr.length = sizeof (struct in_addr); - cli_addr.contents = - (krb5_octet *)&((struct sockaddr_in *)&cli_net_addr)->sin_addr; - break; -#endif -#ifdef DNETCONN - case AF_DECnet: - cli_addr.length = sizeof (struct dn_naddr); - cli_addr.contents = - (krb5_octet *)&((struct sockaddr_dn *)&cli_net_addr)->sdn_add; - break; -#endif - default: - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - sprintf(kerror, "Krb5 stage1: unknown address family %d from getpeername", - cli_net_addr.sa_family); - return(SendConnSetup(client, kerror)); - } - } - if ((rcache = (krb5_rcache)malloc(sizeof(*rcache))) == NULL) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - return(SendConnSetup(client, "malloc bombed for krb5_rcache")); - } - if ((rc_type = krb5_rc_default_type()) == NULL) - rc_type = "dfl"; - if (retval = krb5_rc_resolve_type(&rcache, rc_type)) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - free(rcache); - strcpy(kerror, "krb5_rc_resolve_type failed: "); - strncat(kerror, error_message(retval), 231); - return(SendConnSetup(client, kerror)); - } - if ((cachename = (char *)malloc(strlen(rc_base) + strlen(display) + 1)) - == NULL) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - free(rcache); - return(SendConnSetup(client, "Krb5: malloc bombed for cachename")); - } - strcpy(cachename, rc_base); - strcat(cachename, display); - if (retval = krb5_rc_resolve(rcache, cachename)) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - free(rcache); - free(cachename); - strcpy(kerror, "krb5_rc_resolve failed: "); - strncat(kerror, error_message(retval), 236); - return(SendConnSetup(client, kerror)); - } - free(cachename); - if (krb5_rc_recover(rcache)) - { - extern krb5_deltat krb5_clockskew; - if (retval = krb5_rc_initialize(rcache, krb5_clockskew)) - { - if (localaddrs) - krb5_free_addresses(localaddrs); - if (creds) - krb5_free_creds(creds); - if (retval2 = krb5_rc_close(rcache)) - { - strcpy(kerror, "krb5_rc_close failed: "); - strncat(kerror, error_message(retval2), 238); - return(SendConnSetup(client, kerror)); - } - free(rcache); - strcpy(kerror, "krb5_rc_initialize failed: "); - strncat(kerror, error_message(retval), 233); - return(SendConnSetup(client, kerror)); - } - } - buf.length = (stuff->length << 2) - sz_xReq; - buf.data = (char *)stuff + sz_xReq; - if (creds) - { - retval = krb5_rd_req(&buf, - NULL, /* don't bother with server name */ - &cli_addr, - NULL, /* no fetchfrom */ - tgt_keyproc, - creds, /* credentials as arg to - keyproc */ - rcache, - &authdat); - krb5_free_creds(creds); - } - else if (kt = (char *)((OsCommPtr)client->osPrivate)->authstate.ktname) - { - retval = krb5_rd_req(&buf, srvname, &cli_addr, kt, NULL, NULL, - rcache, &authdat); - ((OsCommPtr)client->osPrivate)->authstate.ktname = NULL; - } - else - { - if (localaddrs) - krb5_free_addresses(localaddrs); - return(SendConnSetup(client, "Krb5: neither srvcreds nor ktname set")); - } - if (localaddrs) - krb5_free_addresses(localaddrs); - if (rcache) - { - if (retval2 = krb5_rc_close(rcache)) - { - strcpy(kerror, "krb5_rc_close failed (2): "); - strncat(kerror, error_message(retval2), 230); - return(SendConnSetup(client, kerror)); - } - free(rcache); - } - if (retval) - { - strcpy(kerror, "Krb5: Bad application request: "); - strncat(kerror, error_message(retval), 224); - return(SendConnSetup(client, kerror)); - } - cprinc = authdat->ticket->enc_part2->client; - skey = authdat->ticket->enc_part2->session; - if (XauKrb5Encode(cprinc, &buf)) - { - krb5_free_tkt_authent(authdat); - return(SendConnSetup(client, "XauKrb5Encode bombed")); - } - /* - * Now check to see if the principal we got is one that we want to let in - */ - if (ForEachHostInFamily(FamilyKrb5Principal, k5_cmpenc, (void *)&buf)) - { - free(buf.data); - /* - * The following deals with sending an ap_rep to the client to - * achieve mutual authentication. The client sends back a stage 3 - * packet if all is ok. - */ - if (authdat->ap_options | AP_OPTS_MUTUAL_REQUIRED) - { - /* - * stage 2: send ap_rep to client - */ - if (retval = krb5_us_timeofday(&ctime, &cusec)) - { - krb5_free_tkt_authent(authdat); - strcpy(kerror, "error in krb5_us_timeofday: "); - strncat(kerror, error_message(retval), 234); - return(SendConnSetup(client, kerror)); - } - rep.ctime = ctime; - rep.cusec = cusec; - rep.subkey = NULL; - rep.seq_number = 0; - if (retval = krb5_mk_rep(&rep, skey, &buf)) - { - krb5_free_tkt_authent(authdat); - strcpy(kerror, "error in krb5_mk_rep: "); - strncat(kerror, error_message(retval), 238); - return(SendConnSetup(client, kerror)); - } - prefix.reqType = 2; /* opcode = authenticate */ - prefix.data = 2; /* stage = 2 */ - prefix.length = (buf.length + sz_xReq + 3) >> 2; - if (client->swapped) - { - swaps(&prefix.length, n); - } - WriteToClient(client, sz_xReq, (char *)&prefix); - WriteToClient(client, buf.length, buf.data); - free(buf.data); - krb5_free_tkt_authent(authdat); - ((OsCommPtr)client->osPrivate)->authstate.stageno = 3; /* expect stage3 packet */ - return(Success); - } - else - { - free(buf.data); - krb5_free_tkt_authent(authdat); - return(SendConnSetup(client, NULL)); /* success! */ - } - } - else - { - char *kname; - - krb5_free_tkt_authent(authdat); - free(buf.data); - retval = krb5_unparse_name(cprinc, &kname); - if (retval == 0) - { - sprintf(kerror, "Principal \"%s\" is not authorized to connect", - kname); - if (kname) - free(kname); - return(SendConnSetup(client, kerror)); - } - else - return(SendConnSetup(client,"Principal is not authorized to connect to Server")); - } -} - -/* - * k5_stage3: - * - * Get the short ack packet from the client. This packet can conceivably - * be expanded to allow for switching on end-to-end encryption. - * - * stage3 packet format: - * - * CARD8 reqType = 3 - * CARD8 data = ignored (for now) - * CARD16 length = should be zero - */ -int k5_stage3(client) - register ClientPtr client; -{ - REQUEST(xReq); - - if (((OsCommPtr)client->osPrivate)->authstate.stageno != 3) - { - return(SendConnSetup(client, "expected Krb5 stage3 packet")); - } - else - return(SendConnSetup(client, NULL)); /* success! */ -} - -k5_bad(client) - register ClientPtr client; -{ - if (((OsCommPtr)client->osPrivate)->authstate.srvcreds) - krb5_free_creds((krb5_creds *)((OsCommPtr)client->osPrivate)->authstate.srvcreds); - sprintf(kerror, "unrecognized Krb5 auth packet %d, expecting %d", - ((xReq *)client->requestBuffer)->reqType, - ((OsCommPtr)client->osPrivate)->authstate.stageno); - return(SendConnSetup(client, kerror)); -} - -/* - * K5Add: - * - * Takes the name of a credentials cache and resolves it. Also adds the - * primary principal of the ccache to the acl. - * - * Now will also take a service name. - */ -int K5Add(data_length, data, id) - unsigned short data_length; - char *data; - XID id; -{ - krb5_principal princ; - krb5_error_code retval; - krb5_keytab_entry tmp_entry; - krb5_keytab keytab; - krb5_kvno kvno = 0; - krb5_ccache cc; - char *nbuf, *cp; - krb5_data kbuf; - int i, ktlen; - - krb5_init_ets(); /* can't think of a better place to put it */ - krb5_id = ~0L; - if (data_length < 3) - return 0; - if ((nbuf = (char *)malloc(data_length - 2)) == NULL) - return 0; - memcpy(nbuf, data + 3, data_length - 3); - nbuf[data_length - 3] = '\0'; - if (ccname) - { - free(ccname); - ccname = NULL; - } - if (srvname) - { - krb5_free_principal(srvname); - srvname = NULL; - } - if (ktname) - { - free(ktname); - ktname = NULL; - } - if (!strncmp(data, "UU:", 3)) - { - if (retval = krb5_cc_resolve(nbuf, &cc)) - { - ErrorF("K5Add: krb5_cc_resolve of \"%s\" failed: %s\n", - nbuf, error_message(retval)); - free(nbuf); - return 0; - } - if (cc && !(retval = krb5_cc_get_principal(cc, &princ))) - { - if (XauKrb5Encode(princ, &kbuf)) - { - free(nbuf); - krb5_free_principal(princ); - krb5_cc_close(cc); - return 0; - } - if (krb5_cc_close(cc)) - return 0; - AddHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data); - krb5_free_principal(princ); - free(kbuf.data); - ccname = nbuf; - krb5_id = id; - return 1; - } - else - { - ErrorF("K5Add: getting principal from cache \"%s\" failed: %s\n", - nbuf, error_message(retval)); - } - } - else if (!strncmp(data, "CS:", 3)) - { - if ((cp = strchr(nbuf, ',')) == NULL) - { - free(nbuf); - return 0; - } - *cp = '\0'; /* gross but it works :-) */ - ktlen = strlen(cp + 1); - if ((ktname = (char *)malloc(ktlen + 1)) == NULL) - { - free(nbuf); - return 0; - } - strcpy(ktname, cp + 1); - retval = krb5_sname_to_principal(NULL, /* NULL for hostname uses - local host name*/ - nbuf, KRB5_NT_SRV_HST, - &srvname); - free(nbuf); - if (retval) - { - free(ktname); - ktname = NULL; - return 0; - } - if (retval = krb5_kt_resolve(ktname, &keytab)) - { - free(ktname); - ktname = NULL; - krb5_free_principal(srvname); - srvname = NULL; - return 0; - } - retval = krb5_kt_get_entry(keytab, srvname, kvno, &tmp_entry); - krb5_kt_free_entry(&tmp_entry); - if (retval) - { - free(ktname); - ktname = NULL; - krb5_free_principal(srvname); - srvname = NULL; - return 0; - } - if (XauKrb5Encode(srvname, &kbuf)) - { - free(ktname); - ktname = NULL; - krb5_free_principal(srvname); - srvname = NULL; - return 0; - } - AddHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data); - krb5_id = id; - return 1; - } - else - { - ErrorF("K5Add: credentials cache name \"%.*s\" in auth file: unknown type\n", - data_length, data); - } - return 0; -} - -/* - * K5Reset: - * - * Reset krb5_id, also nuke the current principal from the acl. - */ -int K5Reset() -{ - krb5_principal princ; - krb5_error_code retval; - krb5_ccache cc; - krb5_data kbuf; - int i; - - if (ccname) - { - if (retval = krb5_cc_resolve(ccname, &cc)) - { - free(ccname); - ccname = NULL; - } - if (cc && !(retval = krb5_cc_get_principal(cc, &princ))) - { - if (XauKrb5Encode(princ, &kbuf)) - return 1; - RemoveHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data); - krb5_free_principal(princ); - free(kbuf.data); - if (krb5_cc_close(cc)) - return 1; - free(ccname); - ccname = NULL; - } - } - if (srvname) - { - if (XauKrb5Encode(srvname, &kbuf)) - return 1; - RemoveHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data); - krb5_free_principal(srvname); - free(kbuf.data); - srvname = NULL; - } - if (ktname) - { - free(ktname); - ktname = NULL; - } - krb5_id = ~0L; - return 0; -} - -XID K5ToID(data_length, data) - unsigned short data_length; - char *data; -{ - return krb5_id; -} - -int K5FromID(id, data_lenp, datap) - XID id; - unsigned short *data_lenp; - char **datap; -{ - return 0; -} - -int K5Remove(data_length, data) - unsigned short data_length; - char *data; -{ - return 0; -} diff --git a/nx-X11/programs/Xserver/os/osdep.h b/nx-X11/programs/Xserver/os/osdep.h index acf832e1c..633039f4a 100644 --- a/nx-X11/programs/Xserver/os/osdep.h +++ b/nx-X11/programs/Xserver/os/osdep.h @@ -145,16 +145,6 @@ typedef struct _connectionOutput { int count; } ConnectionOutput, *ConnectionOutputPtr; -#ifdef K5AUTH -typedef struct _k5_state { - int stageno; /* current stage of auth protocol */ - void *srvcreds; /* server credentials */ - void *srvname; /* server principal name */ - void *ktname; /* key table: principal-key pairs */ - void *skey; /* session key */ -} k5_state; -#endif - struct _osComm; #define AuthInitArgs void @@ -190,9 +180,6 @@ typedef struct _osComm { ConnectionInputPtr input; ConnectionOutputPtr output; XID auth_id; /* authorization id */ -#ifdef K5AUTH - k5_state authstate; /* state of setup auth conversation */ -#endif CARD32 conn_time; /* timestamp if not established, else 0 */ struct _XtransConnInfo *trans_conn; /* transport connection object */ } OsCommRec, *OsCommPtr; @@ -283,16 +270,6 @@ extern int SecureRPCRemove (AuthRemCArgs); extern int SecureRPCReset (AuthRstCArgs); #endif -/* in k5auth.c */ -#ifdef K5AUTH -extern XID K5Check (AuthCheckArgs); -extern XID K5ToID (AuthToIDArgs); -extern int K5Add (AuthAddCArgs); -extern int K5FromID (AuthFromIDArgs); -extern int K5Remove (AuthRemCArgs); -extern int K5Reset (AuthRstCArgs); -#endif - /* in secauth.c */ extern XID AuthSecurityCheck (AuthCheckArgs); diff --git a/nx-X11/programs/Xserver/os/rpcauth.c b/nx-X11/programs/Xserver/os/rpcauth.c index 94c26651b..91823553c 100644 --- a/nx-X11/programs/Xserver/os/rpcauth.c +++ b/nx-X11/programs/Xserver/os/rpcauth.c @@ -41,7 +41,7 @@ from The Open Group. #ifdef SECURE_RPC #include <nx-X11/X.h> -#include "Xauth.h" +#include <nx-X11/Xauth.h> #include "misc.h" #include "os.h" #include "dixstruct.h" |