Re: Problems running krb5 telnet
Jonas Oberg <jonas@coyote.org> writes:
> db1/ and libdb.* comes from the gnu libc distribution. I then also have
> gdbm installed as a complement. I don't know if what comes with the libc
> is the original Berkeley, but the files are copyright the regents of
> univ. of calif.
You need to have an ndbm.h or a dbm.h in one of the standard include
directories.
> > Well. First of all, what kind of KDC are you using? We need to think
> > a little bit more how to work around that problem.
>
> I'm using the MIT Kerberos V KDC. It was not compiled with any special
> configuration options.
I was confused because we did the work-around for that a long time ago
but it did not work any longer because we had changed too much the way
things worked.
Please try this (longer) patch instead.
/assar
Index: appl/telnet/libtelnet/kerberos5.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/appl/telnet/libtelnet/kerberos5.c,v
retrieving revision 1.35
diff -u -w -r1.35 kerberos5.c
--- appl/telnet/libtelnet/kerberos5.c 1999/04/10 23:46:06 1.35
+++ appl/telnet/libtelnet/kerberos5.c 1999/04/25 16:12:41
@@ -187,7 +187,7 @@
return(0);
}
- krb5_auth_setenctype (context, auth_context, ETYPE_DES_CBC_MD5);
+ krb5_auth_setkeytype (context, auth_context, KEYTYPE_DES);
foo[0] = ap->type;
foo[1] = ap->way;
Index: lib/krb5/auth_context.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/krb5/auth_context.c,v
retrieving revision 1.45
diff -u -w -r1.45 auth_context.c
--- lib/krb5/auth_context.c 1999/04/15 12:59:28 1.45
+++ lib/krb5/auth_context.c 1999/04/25 16:13:46
@@ -60,6 +60,8 @@
p->local_address = NULL;
p->remote_address = NULL;
+ p->keytype = KEYTYPE_NULL;
+ p->cksumtype = CKSUMTYPE_NONE;
*auth_context = p;
return 0;
}
@@ -280,17 +282,38 @@
krb5_auth_context auth_context,
krb5_cksumtype cksumtype)
{
- krb5_abortx(context, "unimplemented krb5_auth_setcksumtype called");
+ auth_context->cksumtype = cksumtype;
+ return 0;
}
krb5_error_code
krb5_auth_getcksumtype(krb5_context context,
krb5_auth_context auth_context,
krb5_cksumtype *cksumtype)
+{
+ *cksumtype = auth_context->cksumtype;
+ return 0;
+}
+
+krb5_error_code
+krb5_auth_setkeytype (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keytype keytype)
{
- krb5_abortx(context, "unimplemented krb5_auth_getcksumtype called");
+ auth_context->keytype = keytype;
+ return 0;
+}
+
+krb5_error_code
+krb5_auth_getkeytype (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keytype *keytype)
+{
+ *keytype = auth_context->keytype;
+ return 0;
}
+#if 0
krb5_error_code
krb5_auth_setenctype(krb5_context context,
krb5_auth_context auth_context,
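Review bot: `krb5_auth_setcksumtype` now stores the value and returns 0, but nothing in this patch reads `auth_context->cksumtype` back except the getter. The mk_req_ext.c hunk hard-codes `CKSUMTYPE_RSA_MD4`, so a caller that sets a checksum type gets silent success with no visible effect, where it previously got a loud abort. Either use the stored type where the checksum is created, or document the limitation on the setter, e.g. `/* stored only; not yet consulted when the authenticator checksum is built */`. Separately, the `#if 0` opened at the end of this hunk removes `krb5_auth_setenctype` and `krb5_auth_getenctype` from the build, so any caller outside this patch will no longer link.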
@@ -312,6 +335,7 @@
{
krb5_abortx(context, "unimplemented krb5_auth_getenctype called");
}
+#endif
krb5_error_code
krb5_auth_getlocalseqnumber(krb5_context context,
Index: lib/krb5/crypto.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/krb5/crypto.c,v
retrieving revision 1.10
diff -u -w -r1.10 crypto.c
--- lib/krb5/crypto.c 1999/04/10 15:10:00 1.10
+++ lib/krb5/crypto.c 1999/04/25 17:04:39
@@ -69,6 +69,7 @@
#define F_CPROOF 2 /* checksum is collision proof */
#define F_DERIVED 4 /* uses derived keys */
#define F_VARIANT 8 /* uses `variant' keys (6.4.3) */
+#define F_PSEUDO 16 /* not a real protocol type */
struct salt_type {
krb5_salttype type;
@@ -1148,26 +1149,18 @@
}
static krb5_error_code
-create_checksum(krb5_context context,
+do_checksum (krb5_context context,
+ struct checksum_type *ct,
krb5_crypto crypto,
- unsigned usage, /* not krb5_key_usage */
- krb5_cksumtype type, /* if crypto == NULL */
+ unsigned usage,
void *data,
size_t len,
Checksum *result)
{
krb5_error_code ret;
- struct checksum_type *ct;
struct key_data *dkey;
int keyed_checksum;
- if(crypto) {
- ct = crypto->et->keyed_checksum;
- if(ct == NULL)
- ct = crypto->et->cksumtype;
- } else
- ct = _find_checksum(type);
- if(ct == NULL)
- return KRB5_PROG_SUMTYPE_NOSUPP;
+
keyed_checksum = (ct->flags & F_KEYED) != 0;
if(keyed_checksum && crypto == NULL)
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
@@ -1181,6 +1174,28 @@
return 0;
}
+static krb5_error_code
+create_checksum(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage, /* not krb5_key_usage */
+ krb5_cksumtype type, /* if crypto == NULL */
+ void *data,
+ size_t len,
+ Checksum *result)
+{
+ struct checksum_type *ct;
+
+ if(crypto) {
+ ct = crypto->et->keyed_checksum;
+ if(ct == NULL)
+ ct = crypto->et->cksumtype;
+ } else
+ ct = _find_checksum(type);
+ if(ct == NULL)
+ return KRB5_PROG_SUMTYPE_NOSUPP;
+ return do_checksum (context, ct, crypto, usage, data, len, result);
+}
+
krb5_error_code
krb5_create_checksum(krb5_context context,
krb5_crypto crypto,
@@ -1208,11 +1223,6 @@
Checksum c;
struct checksum_type *ct;
- if(crypto) {
- ct = crypto->et->keyed_checksum;
- if(ct == NULL)
- ct = crypto->et->cksumtype;
- } else
ct = _find_checksum(cksum->cksumtype);
if(ct == NULL)
return KRB5_PROG_SUMTYPE_NOSUPP;
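Review bot: With the `if(crypto)` branch removed, the checksum algorithm used for verification comes only from `cksum->cksumtype`, so the sender of the message chooses it rather than the key's encryption type. Nothing in the visible lines rejects an unkeyed or non-collision-proof type when `crypto` is non-NULL; `do_checksum` only rejects the opposite case, a keyed type with no key. Unless the lines between this hunk and the next already do so, a guard after the lookup such as `if(crypto != NULL && !(ct->flags & F_CPROOF)) return KRB5_PROG_SUMTYPE_NOSUPP;` would stop a peer from selecting a weak checksum. Whether `F_KEYED` can also be required depends on the DCE interoperability goal and should be stated in a comment. The enclosing function starts and ends outside the hunk.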
@@ -1228,7 +1238,7 @@
if(ct->verify)
return (*ct->verify)(context, dkey, data, len, cksum);
- ret = create_checksum(context, crypto, usage, ct->type, data, len, &c);
+ ret = do_checksum(context, ct, crypto, usage, data, len, &c);
if(ret)
return ret;
@@ -1333,6 +1343,10 @@
des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], &ivec, encrypt);
}
+/*
+ * these should currently be in reverse preference order.
+ */
+
static struct encryption_type etypes[] = {
{
ETYPE_NULL,
@@ -1433,7 +1447,7 @@
&keytype_des,
&checksum_none,
NULL,
- 0,
+ F_PSEUDO,
DES_CBC_encrypt_null_ivec,
},
{
@@ -1444,7 +1458,7 @@
&keytype_des3_derived,
&checksum_none,
NULL,
- 0,
+ F_PSEUDO,
DES_CBC_encrypt_null_ivec,
},
};
@@ -1520,6 +1534,34 @@
}
#endif
+krb5_error_code
+krb5_keytype_to_enctypes (krb5_context context,
+ krb5_keytype keytype,
+ unsigned *len,
+ int **val)
+{
+ int i;
+ unsigned n = 0;
+ int *ret;
+
+ for (i = num_etypes - 1; i >= 0; --i) {
+ if (etypes[i].keytype->type == keytype
+ && !(etypes[i].flags & F_PSEUDO))
+ ++n;
+ }
+ ret = malloc(n * sizeof(int));
+ if (ret == NULL && n != 0)
+ return ENOMEM;
+ n = 0;
+ for (i = num_etypes - 1; i >= 0; --i) {
+ if (etypes[i].keytype->type == keytype
+ && !(etypes[i].flags & F_PSEUDO))
+ ret[n++] = etypes[i].type;
+ }
+ *len = n;
+ *val = ret;
+ return 0;
+}
krb5_error_code
krb5_enctype_valid(krb5_context context,
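Review bot: When no non-pseudo entry in `etypes` matches `keytype`, `krb5_keytype_to_enctypes` returns 0 with `*len == 0` and `*val` set to whatever `malloc(0)` returned. The caller in get_cred.c would then build a request with an empty etype list instead of failing. Returning an error before the allocation, e.g. `if (n == 0) return KRB5_PROG_KEYTYPE_NOSUPP;`, makes the unsupported case explicit. The function also needs a header comment saying that the result is in preference order (it depends on `etypes` being in reverse preference order), that the caller owns and must free `*val`, and that `*len` and `*val` are left untouched on error.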
Index: lib/krb5/get_cred.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/krb5/get_cred.c,v
retrieving revision 1.71
diff -u -w -r1.71 get_cred.c
--- lib/krb5/get_cred.c 1999/04/11 23:13:39 1.71
+++ lib/krb5/get_cred.c 1999/04/25 16:21:31
@@ -85,30 +85,9 @@
in_data.length = len;
in_data.data = buf + buf_size - len;
- {
- Ticket ticket;
- ret = decode_Ticket(creds->ticket.data, creds->ticket.length,
- &ticket, &len);
- if(ret)
- return ret;
- /*
- * If we get a ticket encrypted with DES-CBC-CRC, it's
- * probably an old DCE secd and then the usual heuristics of
- * using the best algorithm (in this case RSA-MD5 and
- * DES-CBC-MD5) will not work.
- */
- if(ticket.enc_part.etype == ETYPE_DES_CBC_CRC) {
- krb5_auth_setcksumtype(context, ac, CKSUMTYPE_RSA_MD4);
- krb5_auth_setenctype(context, ac, ETYPE_DES_CBC_CRC);
- }
- free_Ticket(&ticket);
-
-
ret = krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
&padata->padata_value,
KRB5_KU_TGS_REQ_AUTH_CKSUM);
-
- }
out:
free (buf);
if(ret)
@@ -195,14 +174,10 @@
t->pvno = 5;
t->msg_type = krb_tgs_req;
if (in_creds->session.keytype) {
- krb5_enctype foo[2];
-
- foo[0] = in_creds->session.keytype;
- foo[1] = 0;
- ret = krb5_init_etype(context,
+ ret = krb5_keytype_to_enctypes (context,
+ in_creds->session.keytype,
&t->req_body.etype.len,
- &t->req_body.etype.val,
- foo);
+ &t->req_body.etype.val);
} else {
ret = krb5_init_etype(context,
&t->req_body.etype.len,
Index: lib/krb5/krb5.h
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/krb5/krb5.h,v
retrieving revision 1.145
diff -u -w -r1.145 krb5.h
--- lib/krb5/krb5.h 1999/04/24 16:29:06 1.145
+++ lib/krb5/krb5.h 1999/04/25 16:09:49
@@ -474,6 +474,9 @@
krb5_pointer i_vector;
krb5_rcache rcache;
+
+ krb5_keytype keytype; /* ¿requested key type ? */
+ krb5_cksumtype cksumtype; /* ¡requested checksum type! */
}krb5_auth_context_data, *krb5_auth_context;
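Review bot: The comments on the two new fields are written as a question and an exclamation, and do not tell a reader what the fields mean or what the unset value is. Based on the initialisation in auth_context.c and the use in mk_req.c, I would suggest `/* key type to request for the session key; KEYTYPE_NULL = no preference */` and `/* checksum type set by krb5_auth_setcksumtype; CKSUMTYPE_NONE = unset */`. The struct definition begins outside the hunk.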
Index: lib/krb5/mk_req.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/krb5/mk_req.c,v
retrieving revision 1.13
diff -u -w -r1.13 mk_req.c
--- lib/krb5/mk_req.c 1999/02/11 21:03:43 1.13
+++ lib/krb5/mk_req.c 1999/04/25 16:34:56
@@ -82,8 +82,8 @@
if (r)
return r;
this_cred.times.endtime = 0;
- if (auth_context && *auth_context && (*auth_context)->keyblock)
- this_cred.session.keytype = (*auth_context)->keyblock->keytype;
+ if (auth_context && *auth_context && (*auth_context)->keytype)
+ this_cred.session.keytype = (*auth_context)->keytype;
r = krb5_get_credentials (context, 0, ccache, &this_cred, &cred);
if (r)
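Review bot: The new condition tests `(*auth_context)->keytype` for truthiness, which means "a key type was requested" only if `KEYTYPE_NULL` is 0, whereas auth_context.c initialises the field with the named constant. Writing `(*auth_context)->keytype != KEYTYPE_NULL` states the intent and does not depend on the enum's numeric value. It also deserves a comment that the requested type now comes only from an explicit `krb5_auth_setkeytype` call and no longer from an existing `keyblock`. The enclosing function starts and ends outside the hunk.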
Index: lib/krb5/mk_req_ext.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/krb5/mk_req_ext.c,v
retrieving revision 1.19
diff -u -w -r1.19 mk_req_ext.c
--- lib/krb5/mk_req_ext.c 1999/02/11 21:03:44 1.19
+++ lib/krb5/mk_req_ext.c 1999/04/25 14:36:23
@@ -94,6 +94,18 @@
krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
if (in_data) {
+#if 1
+ if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
+ /* this is to make DCE secd (and older MIT kdcs?) happy */
+ ret = krb5_create_checksum(context,
+ NULL,
+ CKSUMTYPE_RSA_MD4,
+ in_data->data,
+ in_data->length,
+ &c);
+ } else
+#endif
+ {
krb5_crypto crypto;
krb5_crypto_init(context, ac->keyblock, 0, &crypto);
ret = krb5_create_checksum(context,
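Review bot: The added test `ac->keyblock->keytype == ETYPE_DES_CBC_CRC` compares a key-type field with an encryption-type constant, while the rest of the patch keeps `KEYTYPE_*` and `ETYPE_*` apart. If the two enumerations share that numeric value, every DES session key takes this branch and gets an unkeyed `CKSUMTYPE_RSA_MD4` checksum (the `crypto` argument is NULL), not only tickets from a DCE secd or older KDC. If the intent is "any DES key", compare against `KEYTYPE_DES` and say so in the comment; if it is only CRC-encrypted tickets, the ticket's etype has to be checked as the removed get_cred.c code did. The `#if 1` / `#endif` pair should go before commit. The block continues into the next hunk and the function starts outside this one.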
@@ -104,6 +116,7 @@
&c);
krb5_crypto_destroy(context, crypto);
+ }
c_opt = &c;
} else {
c_opt = NULL;