author | nectar <nectar@FreeBSD.org> | 2002-09-16 21:04:40 +0000 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2002-09-16 21:04:40 +0000 |
commit | 8707f886593c300d83c76654e92ec76bcea9b858 (patch) | |
tree | 291ed09be4bd7c999ad1617a832aa3caae1cb274 /crypto/heimdal/appl | |
parent | a77dba08ca7d8ad2f2dcd653974ac66df78cfa49 (diff) | |
Import of Heimdal Kerberos from KTH repository circa 2002/09/16.
Diffstat (limited to 'crypto/heimdal/appl')
-rw-r--r-- | crypto/heimdal/appl/ftp/ChangeLog | 8 | ||||
-rw-r--r-- | crypto/heimdal/appl/ftp/ftp/ftp.c | 10 | ||||
-rw-r--r-- | crypto/heimdal/appl/ftp/ftp/ftp_locl.h | 8 | ||||
-rw-r--r-- | crypto/heimdal/appl/ftp/ftp/gssapi.c | 7 | ||||
-rw-r--r-- | crypto/heimdal/appl/ftp/ftp/security.c | 6 | ||||
-rw-r--r-- | crypto/heimdal/appl/kf/kf.c | 122 | ||||
-rw-r--r-- | crypto/heimdal/appl/kf/kf_locl.h | 11 | ||||
-rw-r--r-- | crypto/heimdal/appl/kf/kfd.c | 189 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/ChangeLog | 24 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/common.c | 86 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/rsh.1 | 23 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/rsh.c | 87 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/rsh_locl.h | 22 | ||||
-rw-r--r-- | crypto/heimdal/appl/rsh/rshd.c | 63 | ||||
-rw-r--r-- | crypto/heimdal/appl/su/su.c | 8 | ||||
-rw-r--r-- | crypto/heimdal/appl/telnet/ChangeLog | 8 | ||||
-rw-r--r-- | crypto/heimdal/appl/telnet/libtelnet/enc_des.c | 8 | ||||
-rw-r--r-- | crypto/heimdal/appl/telnet/libtelnet/encrypt.h | 6 | ||||
-rw-r--r-- | crypto/heimdal/appl/telnet/libtelnet/kerberos5.c | 4 |
19 files changed, 427 insertions, 273 deletions
diff --git a/crypto/heimdal/appl/ftp/ChangeLog b/crypto/heimdal/appl/ftp/ChangeLog index 3d4e6ed..92e0041 100644 --- a/crypto/heimdal/appl/ftp/ChangeLog +++ b/crypto/heimdal/appl/ftp/ChangeLog @@ -1,3 +1,11 @@ +2002-09-05 Johan Danielsson <joda@pdc.kth.se> + + * ftp/security.c (sec_vfprintf): free encoded data + + * ftp/gssapi.c (gss_decode): release buffer + + * ftp/ftp.c (active_mode): no need to allocate buffer for EPRT + 2002-08-28 Johan Danielsson <joda@pdc.kth.se> * ftp/ftp.c (command): clean up va_{start,end}ing (from NetBSD) diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.c b/crypto/heimdal/appl/ftp/ftp/ftp.c index 1ae92d7..fcf0bc4 100644 --- a/crypto/heimdal/appl/ftp/ftp/ftp.c +++ b/crypto/heimdal/appl/ftp/ftp/ftp.c @@ -32,7 +32,7 @@ */ #include "ftp_locl.h" -RCSID ("$Id: ftp.c,v 1.73 2002/08/28 16:10:39 joda Exp $"); +RCSID ("$Id: ftp.c,v 1.74 2002/09/04 22:00:12 joda Exp $"); struct sockaddr_storage hisctladdr_ss; struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss; @@ -1284,7 +1284,6 @@ noport: if (listen (data, 1) < 0) warn ("listen"); if (sendport) { - char *cmd; char addr_str[256]; int inet_af; int overbose; @@ -1305,15 +1304,14 @@ noport: errx (1, "bad address family %d", data_addr->sa_family); } - asprintf (&cmd, "EPRT |%d|%s|%d|", - inet_af, addr_str, ntohs(socket_get_port (data_addr))); overbose = verbose; if (debug == 0) verbose = -1; - result = command (cmd); - + result = command ("EPRT |%d|%s|%d|", + inet_af, addr_str, + ntohs(socket_get_port (data_addr))); verbose = overbose; if (result == ERROR) { diff --git a/crypto/heimdal/appl/ftp/ftp/ftp_locl.h b/crypto/heimdal/appl/ftp/ftp/ftp_locl.h index 4412189..4749da0 100644 --- a/crypto/heimdal/appl/ftp/ftp/ftp_locl.h +++ b/crypto/heimdal/appl/ftp/ftp/ftp_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: ftp_locl.h,v 1.36 2001/08/22 20:30:19 assar Exp $ */ +/* $Id: ftp_locl.h,v 1.37 2002/09/10 20:03:46 joda Exp $ */ #ifndef __FTP_LOCL_H__ #define __FTP_LOCL_H__ 
@@ -131,11 +131,7 @@ struct hostent *gethostbyname(const char *); #include "security.h" /* des_read_pw_string */ -#ifdef HAVE_OPENSSL -#include <openssl/des.h> -#else -#include <des.h> -#endif +#include "crypto-headers.h" #if defined(__sun__) && !defined(__svr4) int fclose(FILE*); diff --git a/crypto/heimdal/appl/ftp/ftp/gssapi.c b/crypto/heimdal/appl/ftp/ftp/gssapi.c index 3f07f16..af04c1a 100644 --- a/crypto/heimdal/appl/ftp/ftp/gssapi.c +++ b/crypto/heimdal/appl/ftp/ftp/gssapi.c @@ -39,7 +39,7 @@ #include <gssapi.h> #include <krb5_err.h> -RCSID("$Id: gssapi.c,v 1.19 2002/08/20 12:47:45 joda Exp $"); +RCSID("$Id: gssapi.c,v 1.20 2002/09/04 22:00:50 joda Exp $"); struct gss_data { gss_ctx_id_t context_hdl; @@ -81,6 +81,7 @@ gss_decode(void *app_data, void *buf, int len, int level) gss_qop_t qop_state; int conf_state; struct gss_data *d = app_data; + size_t ret_len; input.length = len; input.value = buf; @@ -93,7 +94,9 @@ gss_decode(void *app_data, void *buf, int len, int level) if(GSS_ERROR(maj_stat)) return -1; memmove(buf, output.value, output.length); - return output.length; + ret_len = output.length; + gss_release_buffer(&min_stat, &output); + return ret_len; } static int diff --git a/crypto/heimdal/appl/ftp/ftp/security.c b/crypto/heimdal/appl/ftp/ftp/security.c index a8fff1d..db67775 100644 --- a/crypto/heimdal/appl/ftp/ftp/security.c +++ b/crypto/heimdal/appl/ftp/ftp/security.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998-2001 Kungliga Tekniska Högskolan + * Copyright (c) 1998-2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -37,7 +37,7 @@ #include "ftp_locl.h" #endif -RCSID("$Id: security.c,v 1.18 2001/02/07 10:49:43 assar Exp $"); +RCSID("$Id: security.c,v 1.19 2002/09/04 22:01:28 joda Exp $"); static enum protection_level command_prot; static enum protection_level data_prot; 
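Review bot: gss_decode still copies `output.length` bytes into the caller's buffer with `memmove(buf, output.value, output.length)` without checking that they fit in the `len` bytes the caller handed in, and the newly added gss_release_buffer only runs after that copy. Unwrapped GSS output is normally shorter than its wrapped input, so this is probably unreachable with a conforming mechanism, but the bound is implicit; a guard such as `if (output.length > len) { gss_release_buffer(&min_stat, &output); return -1; }` before the memmove would make it explicit and still release the buffer on that path. The start of gss_decode lies outside this hunk.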
@@ -387,9 +387,11 @@ sec_vfprintf(FILE *f, const char *fmt, va_list ap) return -1; } if(base64_encode(enc, len, &buf) < 0){ + free(enc); printf("Out of memory base64-encoding.\n"); return -1; } + free(enc); #ifdef FTP_SERVER if(command_prot == prot_safe) fprintf(f, "631 %s\r\n", buf); diff --git a/crypto/heimdal/appl/kf/kf.c b/crypto/heimdal/appl/kf/kf.c index 3288dae..190101b 100644 --- a/crypto/heimdal/appl/kf/kf.c +++ b/crypto/heimdal/appl/kf/kf.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,13 +32,13 @@ */ #include "kf_locl.h" -RCSID("$Id: kf.c,v 1.15 2001/02/20 01:44:44 assar Exp $"); +RCSID("$Id: kf.c,v 1.17 2002/09/05 15:00:03 joda Exp $"); krb5_context context; static int help_flag; static int version_flag; static char *port_str; -const char *service = SERVICE; +const char *service = KF_SERVICE; const char *remote_name = NULL; int forwardable = 0; const char *ccache_name = NULL; @@ -107,7 +107,7 @@ client_setup(krb5_context *context, int *argc, char **argv) } if (port == 0) - port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM); + port = krb5_getportbyname (*context, KF_PORT_NAME, "tcp", KF_PORT_NUM); if(*argc - optind < 1) usage(1, args, num_args); @@ -122,22 +122,19 @@ client_setup(krb5_context *context, int *argc, char **argv) */ static int -proto (int sock, const char *hostname, const char *service) +proto (int sock, const char *hostname, const char *service, + char *message, size_t len) { krb5_auth_context auth_context; krb5_error_code status; krb5_principal server; krb5_data data; - krb5_data packet; krb5_data data_send; - u_int32_t len, net_len; krb5_ccache ccache; krb5_creds creds; krb5_kdc_flags flags; krb5_principal principal; - char ret_string[10]; - ssize_t n; status = krb5_auth_con_init (context, &auth_context); if (status) { 
@@ -166,10 +163,10 @@ proto (int sock, const char *hostname, const char *service) status = krb5_sendauth (context, &auth_context, &sock, - VERSION, + KF_VERSION_1, NULL, server, - AP_OPTS_MUTUAL_REQUIRED, + AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, NULL, NULL, NULL, @@ -181,27 +178,19 @@ proto (int sock, const char *hostname, const char *service) return 1; } - if (remote_name == NULL) { - remote_name = get_default_username (); - if (remote_name == NULL) - errx (1, "who are you?"); - } + if (ccache_name == NULL) + ccache_name = ""; - krb5_data_zero(&data_send); data_send.data = (void *)remote_name; data_send.length = strlen(remote_name) + 1; - status = krb5_write_message(context, &sock, &data_send); + status = krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_warn (context, status, "krb5_write_message"); return 1; } - - if (ccache_name == NULL) - ccache_name = ""; - data_send.data = (void *)ccache_name; data_send.length = strlen(ccache_name)+1; - status = krb5_write_message(context, &sock, &data_send); + status = krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_warn (context, status, "krb5_write_message"); return 1; @@ -223,16 +212,15 @@ proto (int sock, const char *hostname, const char *service) creds.client = principal; - status = krb5_build_principal (context, - &creds.server, - strlen(principal->realm), - principal->realm, - KRB5_TGS_NAME, - principal->realm, - NULL); + status = krb5_make_principal (context, + &creds.server, + principal->realm, + KRB5_TGS_NAME, + principal->realm, + NULL); if (status) { - krb5_warn (context, status, "krb5_build_principal"); + krb5_warn (context, status, "krb5_make_principal"); return 1; } 
@@ -254,60 +242,36 @@ proto (int sock, const char *hostname, const char *service) return 1; } - status = krb5_mk_priv (context, - auth_context, - &data, - &packet, - NULL); + status = krb5_write_priv_message(context, auth_context, &sock, &data); + if (status) { krb5_warn (context, status, "krb5_mk_priv"); return 1; } - len = packet.length; - net_len = htonl(len); - - if (krb5_net_write (context, &sock, &net_len, 4) != 4) { - krb5_warn (context, errno, "krb5_net_write"); - return 1; - } - if (krb5_net_write (context, &sock, packet.data, len) != len) { - krb5_warn (context, errno, "krb5_net_write"); - return 1; - } - krb5_data_free (&data); - n = krb5_net_read (context, &sock, &net_len, 4); - if (n == 0) { - krb5_warnx (context, "EOF in krb5_net_read"); - return 1; - } - if (n < 0) { - krb5_warn (context, errno, "krb5_net_read"); - return 1; - } - len = ntohl(net_len); - if (len >= sizeof(ret_string)) { - krb5_warnx (context, "too long string back from %s", hostname); - return 1; - } - n = krb5_net_read (context, &sock, ret_string, len); - if (n == 0) { - krb5_warnx (context, "EOF in krb5_net_read"); + status = krb5_read_priv_message(context, auth_context, &sock, &data); + if (status) { + krb5_warn (context, status, "krb5_mk_priv"); return 1; } - if (n < 0) { - krb5_warn (context, errno, "krb5_net_read"); - return 1; + if(data.length >= len) { + krb5_warnx (context, "returned string is too long, truncating"); + memcpy(message, data.data, len); + message[len - 1] = '\0'; + } else { + memcpy(message, data.data, data.length); + message[data.length] = '\0'; } - ret_string[sizeof(ret_string) - 1] = '\0'; + krb5_data_free (&data); - return(strcmp(ret_string,"ok")); + return(strcmp(message, "ok")); } static int -doit (const char *hostname, int port, const char *service) +doit (const char *hostname, int port, const char *service, + char *message, size_t len) { struct addrinfo *ai, *a; struct addrinfo hints; 
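Review bot: Both new error paths in proto name the wrong call: the krb5_warn after krb5_write_priv_message and the one after krb5_read_priv_message both say `"krb5_mk_priv"`, which this function no longer calls. Use `krb5_warn (context, status, "krb5_write_priv_message");` and `krb5_warn (context, status, "krb5_read_priv_message");` so a user can tell whether the forwarded credential failed to send or the server's reply failed to arrive. proto starts before this hunk.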
@@ -337,7 +301,7 @@ doit (const char *hostname, int port, const char *service) continue; } freeaddrinfo (ai); - return proto (s, hostname, service); + return proto (s, hostname, service, message, len); } warnx ("failed to contact %s", hostname); freeaddrinfo (ai); @@ -353,9 +317,19 @@ main(int argc, char **argv) argcc = argc; port = client_setup(&context, &argcc, argv); + if (remote_name == NULL) { + remote_name = get_default_username (); + if (remote_name == NULL) + errx (1, "who are you?"); + } + for (i = argcc;i < argc; i++) { - ret = doit (argv[i], port, service); - warnx ("%s %s", argv[i], ret ? "failed" : "ok"); + char message[128]; + ret = doit (argv[i], port, service, message, sizeof(message)); + if(ret == 0) + warnx ("%s: ok", argv[i]); + else + warnx ("%s: failed: %s", argv[i], message); } return(ret); } diff --git a/crypto/heimdal/appl/kf/kf_locl.h b/crypto/heimdal/appl/kf/kf_locl.h index 29f5941..0a6a28f 100644 --- a/crypto/heimdal/appl/kf/kf_locl.h +++ b/crypto/heimdal/appl/kf/kf_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: kf_locl.h,v 1.2 1999/12/02 17:04:55 joda Exp $ */ +/* $Id: kf_locl.h,v 1.3 2002/09/04 20:29:04 joda Exp $ */ #ifdef HAVE_CONFIG_H #include <config.h> @@ -74,7 +74,8 @@ #include <err.h> #include <krb5.h> -#define SERVICE "host" +#define KF_SERVICE "host" -#define PORT "kf" -#define PORT_NUM 2110 +#define KF_PORT_NAME "kf" +#define KF_PORT_NUM 2110 +#define KF_VERSION_1 "KFWDV0.1" diff --git a/crypto/heimdal/appl/kf/kfd.c b/crypto/heimdal/appl/kf/kfd.c index 6dc2666..7f6ea28 100644 --- a/crypto/heimdal/appl/kf/kfd.c +++ b/crypto/heimdal/appl/kf/kfd.c 
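Review bot: `message` in main is never initialised, yet `warnx ("%s: failed: %s", argv[i], message)` prints it whenever doit returns non-zero. Every early `return 1` in proto (krb5_auth_con_init, krb5_sendauth, the krb5_write_priv_message paths) and the failed-to-contact path of doit return before anything is written into the buffer, so on those failures an uninitialised stack buffer is printed, which is undefined behaviour and can leak stack contents into the output. Declare it as `char message[128] = "";` (or have doit/proto store a short reason on each failure path) so the output is always a terminated string.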
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "kf_locl.h" -RCSID("$Id: kfd.c,v 1.9 2001/02/20 01:44:44 assar Exp $"); +RCSID("$Id: kfd.c,v 1.10 2002/09/04 20:31:48 joda Exp $"); krb5_context context; char krb5_tkfile[MAXPATHLEN]; @@ -40,7 +40,7 @@ char krb5_tkfile[MAXPATHLEN]; static int help_flag; static int version_flag; static char *port_str; -char *service = SERVICE; +char *service = KF_SERVICE; int do_inetd = 0; static char *regpag_str=NULL; @@ -92,7 +92,7 @@ server_setup(krb5_context *context, int argc, char **argv) } if (port == 0) - port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM); + port = krb5_getportbyname (*context, KF_PORT_NAME, "tcp", KF_PORT_NUM); if(argv[local_argc] != NULL) usage(1, args, num_args); @@ -100,26 +100,23 @@ server_setup(krb5_context *context, int argc, char **argv) return port; } -static void -syslog_and_die (const char *m, ...) -{ - va_list args; +static int protocol_version; - va_start(args, m); - vsyslog (LOG_ERR, m, args); - va_end(args); - exit (1); -} - -static void -syslog_and_cont (const char *m, ...) +static krb5_boolean +kfd_match_version(const void *arg, const char *version) { - va_list args; - - va_start(args, m); - vsyslog (LOG_ERR, m, args); - va_end(args); - return; + if(strcmp(version, KF_VERSION_1) == 0) { + protocol_version = 1; + return TRUE; + } else if (strlen(version) == 4 && + version[0] == '0' && + version[1] == '.' && + (version[2] == '4' || version[2] == '3') && + islower(version[3])) { + protocol_version = 0; + return TRUE; + } + return FALSE; } static int 
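Review bot: `islower(version[3])` in kfd_match_version passes a plain char to a &lt;ctype.h&gt; function; when char is signed and the peer sends a byte of 0x80 or above the argument is negative, which is undefined behaviour for the ctype functions. The version string is read from the network by krb5_recvauth_match_version before the AP-REQ is verified, as far as I can tell from the later hunk, so it is attacker-chosen. Cast it: `islower((unsigned char)version[3])`. The `strlen(version) == 4` test already guarantees index 3 is inside the string.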
@@ -132,31 +129,25 @@ proto (int sock, const char *service) char *name; char ret_string[10]; char hostname[MAXHOSTNAMELEN]; - krb5_data packet; krb5_data data; krb5_data remotename; krb5_data tk_file; - - u_int32_t len, net_len; krb5_ccache ccache; char ccname[MAXPATHLEN]; struct passwd *pwd; - ssize_t n; status = krb5_auth_con_init (context, &auth_context); if (status) - syslog_and_die("krb5_auth_con_init: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, status, "krb5_auth_con_init"); status = krb5_auth_con_setaddrs_from_fd (context, auth_context, &sock); if (status) - syslog_and_die("krb5_auth_con_setaddr: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, status, "krb5_auth_con_setaddr"); if(gethostname (hostname, sizeof(hostname)) < 0) - syslog_and_die("gethostname: %s",strerror(errno)); + krb5_err(context, 1, errno, "gethostname"); status = krb5_sname_to_principal (context, hostname, 
@@ -164,88 +155,80 @@ proto (int sock, const char *service) KRB5_NT_SRV_HST, &server); if (status) - syslog_and_die("krb5_sname_to_principal: %s", - krb5_get_err_text(context, status)); - - status = krb5_recvauth (context, - &auth_context, - &sock, - VERSION, - server, - 0, - NULL, - &ticket); + krb5_err(context, 1, status, "krb5_sname_to_principal"); + + status = krb5_recvauth_match_version (context, + &auth_context, + &sock, + kfd_match_version, + NULL, + server, + 0, + NULL, + &ticket); if (status) - syslog_and_die("krb5_recvauth: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, status, "krb5_recvauth"); status = krb5_unparse_name (context, ticket->client, &name); if (status) - syslog_and_die("krb5_unparse_name: %s", - krb5_get_err_text(context, status)); - - status=krb5_read_message (context, &sock, &remotename); - if (status) { - syslog_and_die("krb5_read_message: %s", - krb5_get_err_text(context, status)); - } - status=krb5_read_message (context, &sock, &tk_file); - if (status) { - syslog_and_die("krb5_read_message: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, status, "krb5_unparse_name"); + + if(protocol_version == 0) { + data.data = "old clnt"; /* XXX old clients only had room for + 10 bytes of message, and also + didn't show it to the user */ + data.length = strlen(data.data) + 1; + krb5_write_message(context, &sock, &data); + sleep(2); /* XXX give client time to finish */ + krb5_errx(context, 1, "old client; exiting"); } + status=krb5_read_priv_message (context, auth_context, + &sock, &remotename); + if (status) + krb5_err(context, 1, status, "krb5_read_message"); + status=krb5_read_priv_message (context, auth_context, + &sock, &tk_file); + if (status) + krb5_err(context, 1, status, "krb5_read_message"); + krb5_data_zero (&data); - krb5_data_zero (&packet); - - n = krb5_net_read (context, &sock, &net_len, 4); - if (n < 0) - syslog_and_die("krb5_net_read: %s", strerror(errno)); - if (n == 0) - syslog_and_die("EOF in 
krb5_net_read"); - - len = ntohl(net_len); - krb5_data_alloc (&packet, len); - n = krb5_net_read (context, &sock, packet.data, len); - if (n < 0) - syslog_and_die("krb5_net_read: %s", strerror(errno)); - if (n == 0) - syslog_and_die("EOF in krb5_net_read"); - - status = krb5_rd_priv (context, - auth_context, - &packet, - &data, - NULL); + + if(((char*)remotename.data)[remotename.length-1] != '\0') + krb5_errx(context, 1, "unterminated received"); + if(((char*)tk_file.data)[tk_file.length-1] != '\0') + krb5_errx(context, 1, "unterminated received"); + + status = krb5_read_priv_message(context, auth_context, &sock, &data); + if (status) { - syslog_and_cont("krb5_rd_priv: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, errno, "krb5_read_priv_message"); goto out; } pwd = getpwnam ((char *)(remotename.data)); if (pwd == NULL) { status=1; - syslog_and_cont("getpwnam: %s failed",(char *)(remotename.data)); + krb5_warnx(context, "getpwnam: %s failed",(char *)(remotename.data)); goto out; } if(!krb5_kuserok (context, - ticket->client, - (char *)(remotename.data))) { + ticket->client, + (char *)(remotename.data))) { status=1; - syslog_and_cont("krb5_kuserok: permission denied"); + krb5_warnx(context, "krb5_kuserok: permission denied"); goto out; } if (setgid(pwd->pw_gid) < 0) { - syslog_and_cont ("setgid: %s", strerror(errno)); + krb5_warn(context, errno, "setgid"); goto out; } if (setuid(pwd->pw_uid) < 0) { - syslog_and_cont ("setuid: %s", strerror(errno)); + krb5_warn(context, errno, "setuid"); goto out; } 
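Review bot: The new termination checks index `remotename.length-1` and `tk_file.length-1`, so a zero-length private message (which krb5_read_priv_message can legitimately return) underflows the index and reads before the buffer, possibly through a NULL data pointer. Guard the length first: `if(remotename.length == 0 || ((char*)remotename.data)[remotename.length-1] != '\0')` and the same for tk_file. Two further points in the same hunk: `krb5_err(context, 1, errno, "krb5_read_priv_message")` reports errno instead of `status`, and the setgid/setuid failure branches `goto out` without setting `status`, so the client is still sent "ok" although no credential was stored; add `status = 1;` (as the getpwnam branch does) before each of those gotos. proto starts before this hunk and its `out:` label is in the next one.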
@@ -256,49 +239,41 @@ proto (int sock, const char *service) status = krb5_cc_resolve (context, ccname, &ccache); if (status) { - syslog_and_cont("krb5_cc_resolve: %s", - krb5_get_err_text(context, status)); + krb5_warn(context, status, "krb5_cc_resolve"); goto out; } status = krb5_cc_initialize (context, ccache, ticket->client); if (status) { - syslog_and_cont("krb5_cc_initialize: %s", - krb5_get_err_text(context, status)); + krb5_warn(context, status, "krb5_cc_initialize"); goto out; } status = krb5_rd_cred2 (context, auth_context, ccache, &data); krb5_cc_close (context, ccache); if (status) { - syslog_and_cont("krb5_rd_cred: %s", - krb5_get_err_text(context, status)); + krb5_warn(context, status, "krb5_rd_cred"); goto out; } strlcpy(krb5_tkfile,ccname,sizeof(krb5_tkfile)); - syslog_and_cont("%s forwarded ticket to %s,%s", - name, - (char *)(remotename.data),ccname); -out: + krb5_warnx(context, "%s forwarded ticket to %s,%s", + name, + (char *)(remotename.data),ccname); + out: if (status) { strcpy(ret_string, "no"); - syslog_and_cont("failed"); + krb5_warnx(context, "failed"); } else { strcpy(ret_string, "ok"); } krb5_data_free (&tk_file); krb5_data_free (&remotename); - krb5_data_free (&packet); krb5_data_free (&data); free(name); - len = strlen(ret_string) + 1; - net_len = htonl(len); - if (krb5_net_write (context, &sock, &net_len, 4) != 4) - return 1; - if (krb5_net_write (context, &sock, ret_string, len) != len) - return 1; - return status; + data.data = ret_string; + data.length = strlen(ret_string) + 1; + return krb5_write_priv_message(context, auth_context, &sock, &data); } static int 
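Review bot: `return krb5_write_priv_message(...)` discards `status`, so when the request was refused (getpwnam, krb5_kuserok or krb5_rd_cred2 failing) proto now returns 0 as long as the "no" reply was written, whereas the old code returned status. main's `if (ret == 0 && regpag_str != NULL)` branch in the next hunk appears to depend on that result, so if doit passes proto's return value through, a denied forward could be treated as success there. Keep both outcomes: `if (krb5_write_priv_message(context, auth_context, &sock, &data) != 0) return 1;` followed by `return status;`. proto starts before this hunk.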
@@ -314,10 +289,16 @@ main(int argc, char **argv) { int port; int ret; + krb5_log_facility *fac; setprogname (argv[0]); roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH); port = server_setup(&context, argc, argv); + ret = krb5_openlog(context, "kfd", &fac); + if(ret) krb5_err(context, 1, ret, "krb5_openlog"); + ret = krb5_set_warn_dest(context, fac); + if(ret) krb5_err(context, 1, ret, "krb5_set_warn_dest"); + ret = doit (port, service); closelog(); if (ret == 0 && regpag_str != NULL) diff --git a/crypto/heimdal/appl/rsh/ChangeLog b/crypto/heimdal/appl/rsh/ChangeLog index 983bccf..ddac74f 100644 --- a/crypto/heimdal/appl/rsh/ChangeLog +++ b/crypto/heimdal/appl/rsh/ChangeLog @@ -1,3 +1,27 @@ +2002-09-04 Johan Danielsson <joda@pdc.kth.se> + + * rsh.c: free some memory + +2002-09-04 Assar Westerlund <assar@kth.se> + + * common.c: krb5_crypto_block_size -> krb5_crypto_getblocksize + +2002-09-04 Johan Danielsson <joda@pdc.kth.se> + + * rsh.1: document -P + +2002-09-03 Johan Danielsson <joda@pdc.kth.se> + + * rsh.c: revert to protocol v1 if not asked for specific protocol + + * rshd.c: handle protocol version 2 + + * rsh.c: handle protocol version 2 + + * common.c: handle protocol version 2 + + * rsh_locl.h: handle protocol version 2 + 2002-02-18 Johan Danielsson <joda@pdc.kth.se> * rshd.c: don't show options that doesn't apply diff --git a/crypto/heimdal/appl/rsh/common.c b/crypto/heimdal/appl/rsh/common.c index 686e681..69b0c9b 100644 --- a/crypto/heimdal/appl/rsh/common.c +++ b/crypto/heimdal/appl/rsh/common.c 
@@ -32,14 +32,40 @@
 */
 #include "rsh_locl.h"
-RCSID("$Id: common.c,v 1.14 2002/02/18 20:01:05 joda Exp $");
+RCSID("$Id: common.c,v 1.16 2002/09/04 15:50:36 assar Exp $");
 #if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
+int key_usage = 1026;
+
+void *ivec_in[2];
+void *ivec_out[2];
+
+void
+init_ivecs(int client)
+{
+ size_t blocksize;
+
+ krb5_crypto_getblocksize(context, crypto, &blocksize);
+
+ ivec_in[0] = malloc(blocksize);
+ memset(ivec_in[0], client, blocksize);
+
+ ivec_in[1] = malloc(blocksize);
+ memset(ivec_in[1], 2 | client, blocksize);
+
+ ivec_out[0] = malloc(blocksize);
+ memset(ivec_out[0], !client, blocksize);
+
+ ivec_out[1] = malloc(blocksize);
+ memset(ivec_out[1], 2 | !client, blocksize);
+}
+#endif
+
+
 ssize_t
-do_read (int fd,
- void *buf,
- size_t sz)
+do_read (int fd, void *buf, size_t sz, void *ivec)
 {
 if (do_encrypt) {
 #ifdef KRB4
@@ -61,7 +87,11 @@ do_read (int fd,
 len = ntohl(len);
 if (len > sz)
 abort ();
- outer_len = krb5_get_wrapped_length (context, crypto, len);
+ /* ivec will be non null for protocol version 2 */
+ if(ivec != NULL)
+ outer_len = krb5_get_wrapped_length (context, crypto, len + 4);
+ else
+ outer_len = krb5_get_wrapped_length (context, crypto, len);
 edata = malloc (outer_len);
 if (edata == NULL)
 errx (1, "malloc: cannot allocate %u bytes", outer_len);
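Review bot: init_ivecs ignores the return value of krb5_crypto_getblocksize, so on failure `blocksize` is used uninitialised as the malloc size and memset length, and none of the four malloc results are checked before memset writes through them. These buffers become the chaining state for every encrypted message of a protocol-2 session, so a silent failure here leaves the ivecs undefined instead of failing loudly, while the rest of this file already aborts with errx on a failed malloc. Check the return code (it appears to be a krb5_error_code, judging by the rename recorded in the ChangeLog; please confirm) and each allocation, for example through a small helper:
```c
/* Allocate one blocksize-byte ivec filled with `fill`; aborts on failure. */
static void *
alloc_ivec(size_t blocksize, int fill)
{
    void *p = malloc(blocksize);
    if (p == NULL)
	errx (1, "malloc: cannot allocate %lu bytes", (unsigned long)blocksize);
    memset(p, fill, blocksize);
    return p;
}

void
init_ivecs(int client)
{
    size_t blocksize;
    krb5_error_code ret;

    ret = krb5_crypto_getblocksize(context, crypto, &blocksize);
    if (ret)
	krb5_err (context, 1, ret, "krb5_crypto_getblocksize");

    ivec_in[0]  = alloc_ivec(blocksize, client);
    ivec_in[1]  = alloc_ivec(blocksize, 2 | client);
    ivec_out[0] = alloc_ivec(blocksize, !client);
    ivec_out[1] = alloc_ivec(blocksize, 2 | !client);
}
```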
@@ -69,13 +99,22 @@ do_read (int fd, if (ret <= 0) return ret; - status = krb5_decrypt(context, crypto, KRB5_KU_OTHER_ENCRYPTED, - edata, outer_len, &data); + status = krb5_decrypt_ivec(context, crypto, key_usage, + edata, outer_len, &data, ivec); free (edata); if (status) - errx (1, "%s", krb5_get_err_text (context, status)); - memcpy (buf, data.data, len); + krb5_err (context, 1, status, "decrypting data"); + if(ivec != NULL) { + unsigned long l; + if(data.length < len + 4) + errx (1, "data received is too short"); + _krb5_get_int(data.data, &l, 4); + if(l != len) + errx (1, "inconsistency in received data"); + memcpy (buf, (unsigned char *)data.data+4, len); + } else + memcpy (buf, data.data, len); krb5_data_free (&data); return len; } else @@ -86,7 +125,7 @@ do_read (int fd, } ssize_t -do_write (int fd, void *buf, size_t sz) +do_write (int fd, void *buf, size_t sz, void *ivec) { if (do_encrypt) { #ifdef KRB4 @@ -98,20 +137,27 @@ do_write (int fd, void *buf, size_t sz) if(auth_method == AUTH_KRB5) { krb5_error_code status; krb5_data data; - u_int32_t len; + unsigned char len[4]; int ret; - status = krb5_encrypt(context, crypto, KRB5_KU_OTHER_ENCRYPTED, - buf, sz, &data); - - if (status) - errx (1, "%s", krb5_get_err_text(context, status)); + _krb5_put_int(len, sz, 4); + if(ivec != NULL) { + unsigned char *tmp = malloc(sz + 4); + if(tmp == NULL) + err(1, "malloc"); + _krb5_put_int(tmp, sz, 4); + memcpy(tmp + 4, buf, sz); + status = krb5_encrypt_ivec(context, crypto, key_usage, + tmp, sz + 4, &data, ivec); + free(tmp); + } else + status = krb5_encrypt_ivec(context, crypto, key_usage, + buf, sz, &data, ivec); - assert (krb5_get_wrapped_length (context, crypto, - sz) == data.length); + if (status) + krb5_err(context, 1, status, "encrypting data"); - len = htonl(sz); - ret = krb5_net_write (context, &fd, &len, 4); + ret = krb5_net_write (context, &fd, len, 4); if (ret != 4) return ret; ret = krb5_net_write (context, &fd, data.data, data.length); 
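Review bot: In do_read the protocol-version-1 branch does `memcpy (buf, data.data, len)` without looking at `data.length`, while the new version-2 branch carefully checks `data.length < len + 4` first; `len` comes from the peer's length word, and whether krb5_decrypt_ivec can ever yield fewer than len bytes depends on the enctype's padding, so the v1 branch should get the same cheap guard, `if(data.length < len) errx (1, "data received is too short");`. In do_write, `if (ret != 4) return ret;` leaks the `data` buffer allocated by krb5_encrypt_ivec; add `krb5_data_free(&data);` before that return (the second krb5_net_write, which continues past the hunk, presumably needs the same treatment). Both functions start outside this hunk.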
diff --git a/crypto/heimdal/appl/rsh/rsh.1 b/crypto/heimdal/appl/rsh/rsh.1 index 284ad6d..46652d8 100644 --- a/crypto/heimdal/appl/rsh/rsh.1 +++ b/crypto/heimdal/appl/rsh/rsh.1 @@ -1,6 +1,6 @@ -.\" $Id: rsh.1,v 1.3 2002/08/20 17:07:08 joda Exp $ +.\" $Id: rsh.1,v 1.4 2002/09/04 13:01:52 joda Exp $ .\" -.Dd July 31, 2001 +.Dd September 4, 2002 .Dt RSH 1 .Os HEIMDAL .Sh NAME @@ -13,6 +13,7 @@ remote shell .Op Fl U Pa string .Op Fl p Ar port .Op Fl l Ar username +.Op Fl P Ar N|O .Ar host [command] .Sh DESCRIPTION .Nm @@ -145,6 +146,22 @@ By default the remote username is the same as the local. The option or the .Pa username@host format allow the remote name to be specified. +.It Xo +.Fl P Ar N|O|1|2 , +.Fl -protocol= Ns Ar N|O|1|2 +.Xc +Specifies which protocol version to use with Kerberos 5. +.Ar N +and +.Ar 2 +selects protocol version 2, while +.Ar O +and +.Ar 1 +selects version 1. Version 2 is beleived to be more secure, and is the +default. Unless asked for a specific version, +.Nm +will try both. This behaviour may change in the future. .El .\".Pp .\"Without a @@ -155,7 +172,7 @@ format allow the remote name to be specified. .\"with the same arguments. .Sh EXAMPLES Care should be taken when issuing commands containing shell meta -characters. Without quoting these will be expanded on the local +characters. Without quoting, these will be expanded on the local machine. .Pp The following command: diff --git a/crypto/heimdal/appl/rsh/rsh.c b/crypto/heimdal/appl/rsh/rsh.c index 1f68e2f..6ae9646 100644 --- a/crypto/heimdal/appl/rsh/rsh.c +++ b/crypto/heimdal/appl/rsh/rsh.c @@ -32,7 +32,7 @@ */ #include "rsh_locl.h" -RCSID("$Id: rsh.c,v 1.65 2002/02/18 20:02:06 joda Exp $"); +RCSID("$Id: rsh.c,v 1.68 2002/09/04 21:40:04 joda Exp $"); enum auth_method auth_method; #if defined(KRB4) || defined(KRB5) 
@@ -67,6 +67,8 @@ static const char *user; static int do_version; static int do_help; static int do_errsock = 1; +static char *protocol_version_str; +static int protocol_version = 2; /* * @@ -80,6 +82,11 @@ loop (int s, int errsock) fd_set real_readset; int count = 1; +#ifdef KRB5 + if(auth_method == AUTH_KRB5 && protocol_version == 2) + init_ivecs(1); +#endif + if (s >= FD_SETSIZE || errsock >= FD_SETSIZE) errx (1, "fd too large"); @@ -106,7 +113,7 @@ loop (int s, int errsock) err (1, "select"); } if (FD_ISSET(s, &readset)) { - ret = do_read (s, buf, sizeof(buf)); + ret = do_read (s, buf, sizeof(buf), ivec_in[0]); if (ret < 0) err (1, "read"); else if (ret == 0) { @@ -118,7 +125,7 @@ loop (int s, int errsock) net_write (STDOUT_FILENO, buf, ret); } if (errsock != -1 && FD_ISSET(errsock, &readset)) { - ret = do_read (errsock, buf, sizeof(buf)); + ret = do_read (errsock, buf, sizeof(buf), ivec_in[1]); if (ret < 0) err (1, "read"); else if (ret == 0) { @@ -138,7 +145,7 @@ loop (int s, int errsock) FD_CLR(STDIN_FILENO, &real_readset); shutdown (s, SHUT_WR); } else - do_write (s, buf, ret); + do_write (s, buf, ret, ivec_out[0]); } } } @@ -166,7 +173,7 @@ send_krb4_auth(int s, getpid(), &msg, &cred, schedule, (struct sockaddr_in *)thisaddr, (struct sockaddr_in *)thataddr, - KCMD_VERSION); + KCMD_OLD_VERSION); if (status != KSUCCESS) { warnx("%s: %s", hostname, krb_get_err_text(status)); return 1; @@ -267,6 +274,8 @@ krb5_forward_cred (krb5_auth_context auth_context, return 0; } +static int sendauth_version_error; + static int send_krb5_auth(int s, struct sockaddr *thisaddr, @@ -282,6 +291,8 @@ send_krb5_auth(int s, int status; size_t len; krb5_auth_context auth_context = NULL; + const char *protocol_string = NULL; + krb5_flags ap_opts; status = krb5_sname_to_principal(context, hostname, 
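Review bot: loop now passes `ivec_in[0]`, `ivec_in[1]` and `ivec_out[0]` to do_read/do_write unconditionally, but rsh_locl.h declares those arrays only inside `#ifdef KRB5`, whereas do_read/do_write are real functions whenever either KRB4 or KRB5 is defined. If a KRB4-only build is still supported, loop will fail to compile there with an undeclared identifier; either move the extern declarations out of the KRB5 block or keep the ivec arguments under `#ifdef KRB5`. The version-1 and KRB4 paths also rely on the arrays being NULL only because they are zero-initialised globals, which deserves a comment next to the `init_ivecs(1)` call, e.g. `/* ivec_in/ivec_out stay NULL (no chaining) unless protocol v2 sets them up */`.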
@@ -300,25 +311,53 @@ send_krb5_auth(int s, cmd, remote_user); + ap_opts = 0; + + if(do_encrypt) + ap_opts |= AP_OPTS_MUTUAL_REQUIRED; + + switch(protocol_version) { + case 2: + ap_opts |= AP_OPTS_USE_SUBKEY; + protocol_string = KCMD_NEW_VERSION; + break; + case 1: + protocol_string = KCMD_OLD_VERSION; + key_usage = KRB5_KU_OTHER_ENCRYPTED; + break; + default: + abort(); + } + status = krb5_sendauth (context, &auth_context, &s, - KCMD_VERSION, + protocol_string, NULL, server, - do_encrypt ? AP_OPTS_MUTUAL_REQUIRED : 0, + ap_opts, &cksum_data, NULL, NULL, NULL, NULL, NULL); + + krb5_free_principal(context, server); + krb5_data_free(&cksum_data); + if (status) { - warnx("%s: %s", hostname, krb5_get_err_text(context, status)); + if(status == KRB5_SENDAUTH_REJECTED && + protocol_version == 2 && protocol_version_str == NULL) + sendauth_version_error = 1; + else + krb5_warn(context, status, "%s", hostname); return 1; } - status = krb5_auth_con_getkey (context, auth_context, &keyblock); + status = krb5_auth_con_getlocalsubkey (context, auth_context, &keyblock); + if(keyblock == NULL) + status = krb5_auth_con_getkey (context, auth_context, &keyblock); if (status) { warnx ("krb5_auth_con_getkey: %s", krb5_get_err_text(context, status)); return 1; @@ -552,7 +591,7 @@ proto (int s, int errsock, (void *)&one, sizeof(one)) < 0) warn("setsockopt stderr"); } - + return loop (s, errsock2); } @@ -777,6 +816,8 @@ struct getargs args[] = { "port" }, { "user", 'l', arg_string, &user, "Run as this user", "login" }, { "stderr", 'e', arg_negative_flag, &do_errsock, "Don't open stderr"}, + { "protocol", 'P', arg_string, &protocol_version_str, + "Protocol version", "protocol" }, { "version", 0, arg_flag, &do_version, NULL }, { "help", 0, arg_flag, &do_help, NULL } }; 
@@ -840,7 +881,24 @@ main(int argc, char **argv) print_version (NULL); return 0; } - + + if(protocol_version_str != NULL) { + if(strcasecmp(protocol_version_str, "N") == 0) + protocol_version = 2; + else if(strcasecmp(protocol_version_str, "O") == 0) + protocol_version = 1; + else { + char *end; + int v; + v = strtol(protocol_version_str, &end, 0); + if(*end != '\0' || (v != 1 && v != 2)) { + errx(1, "unknown protocol version \"%s\"", + protocol_version_str); + } + protocol_version = v; + } + } + #ifdef KRB5 status = krb5_init_context (&context); if (status) { @@ -978,9 +1036,15 @@ main(int argc, char **argv) errx (1, "getaddrinfo: %s", gai_strerror(error)); auth_method = AUTH_KRB5; + again: ret = doit (host, ai, user, local_user, cmd, cmd_len, do_errsock, send_krb5_auth); + if(ret != 0 && sendauth_version_error && + protocol_version == 2) { + protocol_version = 1; + goto again; + } freeaddrinfo(ai); } #endif @@ -1035,5 +1099,6 @@ main(int argc, char **argv) cmd, cmd_len); freeaddrinfo(ai); } + free(cmd); return ret; } diff --git a/crypto/heimdal/appl/rsh/rsh_locl.h b/crypto/heimdal/appl/rsh/rsh_locl.h index a288d12..0d54a3e 100644 --- a/crypto/heimdal/appl/rsh/rsh_locl.h +++ b/crypto/heimdal/appl/rsh/rsh_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: rsh_locl.h,v 1.27 2002/08/12 15:09:16 joda Exp $ */ +/* $Id: rsh_locl.h,v 1.28 2002/09/03 20:03:46 joda Exp $ */ #ifdef HAVE_CONFIG_H #include <config.h> @@ -99,6 +99,7 @@ #endif #ifdef KRB5 #include <krb5.h> +#include <krb5-private.h> /* for _krb5_{get,put}_int */ #endif #ifdef KRB4 #include <kafs.h> 
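Review bot: The retry at `again:` silently downgrades from protocol version 2 to version 1 whenever krb5_sendauth reported KRB5_SENDAUTH_REJECTED and no -P was given, with no message to the user (the previous hunk deliberately suppresses the warning in that case). The application-version rejection is part of the sendauth handshake before the AP-REQ is verified, so, as far as I can tell, anyone able to inject a packet into the connection can push every unpinned session onto the older protocol that rsh.1 itself describes as less secure. At minimum emit `warnx ("%s: protocol version 2 rejected, retrying with version 1", host);` before `goto again`, and consider making the fallback opt-in or documenting it in rsh.1. `sendauth_version_error` is also never reset before the retry, which is harmless today only because protocol_version is then 1.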
@@ -132,25 +133,30 @@ extern int do_encrypt; extern krb5_context context; extern krb5_keyblock *keyblock; extern krb5_crypto crypto; +extern int key_usage; +extern void *ivec_in[2]; +extern void *ivec_out[2]; +void init_ivecs(int); #endif #ifdef KRB4 extern des_key_schedule schedule; extern des_cblock iv; #endif -#define KCMD_VERSION "KCMDV0.1" +#define KCMD_OLD_VERSION "KCMDV0.1" +#define KCMD_NEW_VERSION "KCMDV0.2" #define USERNAME_SZ 16 #define COMMAND_SZ 1024 -#define RSH_BUFSIZ (16 * 1024) +#define RSH_BUFSIZ (5 * 1024) /* MIT kcmd can't handle larger buffers */ #define PATH_RSH BINDIR "/rsh" #if defined(KRB4) || defined(KRB5) -ssize_t do_read (int fd, void *buf, size_t sz); -ssize_t do_write (int fd, void *buf, size_t sz); +ssize_t do_read (int, void*, size_t, void*); +ssize_t do_write (int, void*, size_t, void*); #else -#define do_write(F, B, L) write((F), (B), (L)) -#define do_read(F, B, L) read((F), (B), (L)) +#define do_write(F, B, L, I) write((F), (B), (L)) +#define do_read(F, B, L, I) read((F), (B), (L)) #endif
diff --git a/crypto/heimdal/appl/rsh/rshd.c b/crypto/heimdal/appl/rsh/rshd.c
index fc2df7f..bec9bf4 100644
--- a/crypto/heimdal/appl/rsh/rshd.c
+++ b/crypto/heimdal/appl/rsh/rshd.c
@@ -32,7 +32,7 @@ */ #include "rsh_locl.h" -RCSID("$Id: rshd.c,v 1.46 2002/02/18 20:02:14 joda Exp $"); +RCSID("$Id: rshd.c,v 1.47 2002/09/03 20:03:26 joda Exp $"); int login_access( struct passwd *user, char *from);
@@ -199,7 +199,7 @@ recv_krb4_auth (int s, u_char *buf, version); if (status != KSUCCESS) syslog_and_die ("recvauth: %s", krb_get_err_text(status)); - if (strncmp (version, KCMD_VERSION, KRB_SENDAUTH_VLEN) != 0) + if (strncmp (version, KCMD_OLD_VERSION, KRB_SENDAUTH_VLEN) != 0) syslog_and_die ("bad version: %s", version); read_str (s, server_username, USERNAME_SZ, "remote username");
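Review bot: The new prototypes `ssize_t do_read (int, void*, size_t, void*);` and `do_write` drop the parameter names the old declarations had, so the header no longer says what the fourth argument is; `ssize_t do_read (int fd, void *buf, size_t sz, void *ivec);` would document it, the callers in rshd.c passing `ivec_in`/`ivec_out`. More importantly, `ivec_in`/`ivec_out` are declared only inside the `#ifdef KRB5` block, while the rshd.c loop hunks on the next line pass `ivec_in[0]`/`ivec_out[0]`/`ivec_out[1]` unconditionally and `do_read`/`do_write` are real functions whenever KRB4 or KRB5 is defined; as far as this header shows, a KRB4-only build would fail on an undeclared identifier there unless the arrays are declared elsewhere. A comment on the non-Kerberos macros, `/* I (ivec) is unused without Kerberos */`, would also explain why the extra argument is discarded.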
@@ -277,6 +277,24 @@ krb5_start_session (void) return; } +static int protocol_version; + +static krb5_boolean +match_kcmd_version(const void *data, const char *version) +{ + if(strcmp(version, KCMD_NEW_VERSION) == 0) { + protocol_version = 2; + return TRUE; + } + if(strcmp(version, KCMD_OLD_VERSION) == 0) { + protocol_version = 1; + key_usage = KRB5_KU_OTHER_ENCRYPTED; + return TRUE; + } + return FALSE; +} + + static int recv_krb5_auth (int s, u_char *buf, struct sockaddr *thisaddr,
@@ -311,14 +329,15 @@ recv_krb5_auth (int s, u_char *buf, syslog_and_die ("krb5_sock_to_principal: %s", krb5_get_err_text(context, status)); - status = krb5_recvauth(context, - &auth_context, - &s, - KCMD_VERSION, - server, - KRB5_RECVAUTH_IGNORE_VERSION, - NULL, - &ticket); + status = krb5_recvauth_match_version(context, + &auth_context, + &s, + match_kcmd_version, + NULL, + server, + KRB5_RECVAUTH_IGNORE_VERSION, + NULL, + &ticket); krb5_free_principal (context, server); if (status) syslog_and_die ("krb5_recvauth: %s",
@@ -328,8 +347,17 @@ recv_krb5_auth (int s, u_char *buf, read_str (s, cmd, COMMAND_SZ, "command"); read_str (s, client_username, COMMAND_SZ, "local username"); - status = krb5_auth_con_getkey (context, auth_context, &keyblock); - if (status) + if(protocol_version == 2) { + status = krb5_auth_con_getremotesubkey(context, auth_context, + &keyblock); + if(status != 0 || keyblock == NULL) + syslog_and_die("failed to get remote subkey"); + } else if(protocol_version == 1) { + status = krb5_auth_con_getkey (context, auth_context, &keyblock); + if(status != 0 || keyblock == NULL) + syslog_and_die("failed to get key"); + } + if (status != 0 || keyblock == NULL) syslog_and_die ("krb5_auth_con_getkey: %s", krb5_get_err_text(context, status));
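Review bot: match_kcmd_version is undocumented and works entirely through file-scope side effects: it records the negotiated version in the static `protocol_version` and, for the old protocol only, switches the global `key_usage` to KRB5_KU_OTHER_ENCRYPTED, leaving the compiled-in default in place for KCMDV0.2; `data` is unused. Suggest a header comment such as `/* Version callback for krb5_recvauth_match_version: accept KCMDV0.1 or KCMDV0.2, record the result in protocol_version and select the key usage for the old protocol. data is unused. */`. Whether the default key_usage matches what the version-2 client uses cannot be checked from this hunk.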
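Review bot: The retained check `if (status != 0 || keyblock == NULL) syslog_and_die ("krb5_auth_con_getkey: %s", ...)` at the end of the @@ -328 hunk is now reachable only when protocol_version is neither 1 nor 2, since both new branches already die on failure; in that case status is still the 0 returned by krb5_recvauth_match_version, so the log line would name the wrong function and print the error text for 0. Make it say what actually happened, e.g. `syslog_and_die("unknown protocol version %d", protocol_version);`, or drop it if that state is unreachable. The two new failure messages also omit `krb5_get_err_text(context, status)`, which the old message carried and which is what an operator needs when triaging rejected sessions. recv_krb5_auth continues outside the hunk.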
@@ -436,6 +464,11 @@ loop (int from0, int to0, if(from0 >= FD_SETSIZE || from1 >= FD_SETSIZE || from2 >= FD_SETSIZE) errx (1, "fd too large"); +#ifdef KRB5 + if(auth_method == AUTH_KRB5 && protocol_version == 2) + init_ivecs(0); +#endif + FD_ZERO(&real_readset); FD_SET(from0, &real_readset); FD_SET(from1, &real_readset);
@@ -454,7 +487,7 @@ loop (int from0, int to0, syslog_and_die ("select: %m"); } if (FD_ISSET(from0, &readset)) { - ret = do_read (from0, buf, sizeof(buf)); + ret = do_read (from0, buf, sizeof(buf), ivec_in[0]); if (ret < 0) syslog_and_die ("read: %m"); else if (ret == 0) {
@@ -475,7 +508,7 @@ loop (int from0, int to0, if (--count == 0) exit (0); } else - do_write (to1, buf, ret); + do_write (to1, buf, ret, ivec_out[0]); } if (FD_ISSET(from2, &readset)) { ret = read (from2, buf, sizeof(buf));
@@ -488,7 +521,7 @@ loop (int from0, int to0, if (--count == 0) exit (0); } else - do_write (to2, buf, ret); + do_write (to2, buf, ret, ivec_out[1]); } } }
diff --git a/crypto/heimdal/appl/su/su.c b/crypto/heimdal/appl/su/su.c
index 175f375..0750f4f 100644
--- a/crypto/heimdal/appl/su/su.c
+++ b/crypto/heimdal/appl/su/su.c
@@ -32,7 +32,7 @@ #include <config.h> -RCSID("$Id: su.c,v 1.24 2002/02/19 13:01:15 joda Exp $"); +RCSID("$Id: su.c,v 1.25 2002/09/10 20:03:47 joda Exp $"); #include <stdio.h> #include <stdlib.h>
@@ -50,11 +50,7 @@ RCSID("$Id: su.c,v 1.24 2002/02/19 13:01:15 joda Exp $"); #include <pwd.h> -#ifdef HAVE_OPENSSL -#include <openssl/des.h> -#else -#include <des.h> -#endif +#include "crypto-headers.h" #ifdef KRB5 #include <krb5.h> #endif
diff --git a/crypto/heimdal/appl/telnet/ChangeLog b/crypto/heimdal/appl/telnet/ChangeLog
index d8bc151..f696871 100644
--- a/crypto/heimdal/appl/telnet/ChangeLog
+++ b/crypto/heimdal/appl/telnet/ChangeLog
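Review bot: `init_ivecs(0)` is a magic literal and the prototype in rsh_locl.h, `void init_ivecs(int)`, names no parameter, so a reader cannot tell what 0 selects; name the parameter in the prototype and comment the call site. The call is guarded by `auth_method == AUTH_KRB5 && protocol_version == 2`, yet `do_read`/`do_write` receive `ivec_in[0]`, `ivec_out[0]` and `ivec_out[1]` on every path, so those functions must cope with whatever the arrays hold when init_ivecs was never run — presumably NULL, but that is outside this hunk and worth stating in a comment here. loop's body continues outside these hunks.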
@@ -1,5 +1,13 @@ +2002-09-02 Johan Danielsson <joda@pdc.kth.se> + + * libtelnet/kerberos5.c: set AP_OPTS_USE_SUBKEY + 2002-08-28 Johan Danielsson <joda@pdc.kth.se> + * telnet/commands.c: remove extra "Toggle"'s + + * telnet/commands.c: IRIX == 4 -> IRIX4 + * telnet/main.c: rename functions to what they're really called * telnet/commands.c: kill some might be uninitialized warnings
diff --git a/crypto/heimdal/appl/telnet/libtelnet/enc_des.c b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
index 6b5c989..537d22f 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
@@ -33,7 +33,7 @@ #include <config.h> -RCSID("$Id: enc_des.c,v 1.20 2001/08/29 00:45:19 assar Exp $"); +RCSID("$Id: enc_des.c,v 1.21 2002/09/10 20:03:47 joda Exp $"); #if defined(AUTHENTICATION) && defined(ENCRYPTION) && defined(DES_ENCRYPTION) #include <arpa/telnet.h>
@@ -50,11 +50,7 @@ RCSID("$Id: enc_des.c,v 1.20 2001/08/29 00:45:19 assar Exp $"); #include "encrypt.h" #include "misc-proto.h" -#ifdef HAVE_OPENSSL -#include <openssl/des.h> -#else -#include <des.h> -#endif +#include "crypto-headers.h" extern int encrypt_debug_mode;
diff --git a/crypto/heimdal/appl/telnet/libtelnet/encrypt.h b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
index 41a138b..3b04bd5 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
+++ b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
@@ -55,7 +55,7 @@ * or implied warranty. */ -/* $Id: encrypt.h,v 1.7 2001/08/22 20:30:22 assar Exp $ */ +/* $Id: encrypt.h,v 1.8 2002/09/10 20:03:47 joda Exp $ */ #ifndef __ENCRYPT__ #define __ENCRYPT__
@@ -90,11 +90,9 @@ typedef struct { #define SK_DES 1 /* Matched Kerberos v5 KEYTYPE_DES */ +#include "crypto-headers.h" #ifdef HAVE_OPENSSL -#include <openssl/des.h> #define des_new_random_key des_random_key -#else -#include <des.h> #endif #include "enc-proto.h"
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
index ef4d4ac..8a4bf69 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c
@@ -53,7 +53,7 @@ #include <config.h> -RCSID("$Id: kerberos5.c,v 1.50 2002/08/28 20:55:53 joda Exp $"); +RCSID("$Id: kerberos5.c,v 1.51 2002/09/02 15:33:20 joda Exp $"); #ifdef KRB5
@@ -206,6 +206,8 @@ kerberos5_send(char *name, Authenticator *ap) ap_opts = AP_OPTS_MUTUAL_REQUIRED; else ap_opts = 0; + + ap_opts |= AP_OPTS_USE_SUBKEY; ret = krb5_auth_con_init (context, &auth_context); if (ret) { |
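Review bot: `ap_opts |= AP_OPTS_USE_SUBKEY;` is added without a comment and, unlike rsh.c in the same import where the subkey is tied to protocol version 2 with a fallback, it is unconditional here. The hunk shows only the flag being set; whether the telnet session key is afterwards taken from the subkey (for example via krb5_auth_con_getlocalsubkey, as rsh.c does) rather than the ticket session key is outside this hunk and should be confirmed, otherwise the AP-REQ carries a subkey the session never uses. Suggest `/* always negotiate a fresh subkey rather than reusing the ticket's session key for the session */` above the line. kerberos5_send continues outside the hunk.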