-rwxr-xr-x | configure | 149 | ||||
-rw-r--r-- | configure.in | 11 | ||||
-rw-r--r-- | h/config.h.in | 3 | ||||
-rw-r--r-- | server/bdump.c | 83 | ||||
-rw-r--r-- | server/subscr.c | 2 | ||||
-rw-r--r-- | server/zserver.h | 7 |
6 files changed, 90 insertions, 165 deletions
@@ -1476,7 +1476,6 @@ Optional Packages: both] --with-tags[=TAGS] include additional configurations [automatic] --with-x use the X Window System - --with-openssl=PREFIX Use OpenSSL crypto --with-krb4=PREFIX Use Kerberos 4 --with-krb5=PREFIX Use Kerberos 5 --with-hesiod=PREFIX Use Hesiod @@ -4142,7 +4141,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 4145 "configure"' > conftest.$ac_ext + echo '#line 4144 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -6708,11 +6707,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6711: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6710: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6715: \$? = $ac_status" >&5 + echo "$as_me:6714: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -6941,11 +6940,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6944: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6943: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6948: \$? = $ac_status" >&5 + echo "$as_me:6947: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -7001,11 +7000,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7004: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7003: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7008: \$? = $ac_status" >&5 + echo "$as_me:7007: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -8331,7 +8330,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 8334 "configure"' > conftest.$ac_ext + echo '#line 8333 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9169,7 +9168,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 9172 "configure" +#line 9171 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -9267,7 +9266,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 9270 "configure" +#line 9269 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -11446,11 +11445,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11449: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11448: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:11453: \$? = $ac_status" >&5 + echo "$as_me:11452: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -11506,11 +11505,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11509: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11508: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:11513: \$? = $ac_status" >&5 + echo "$as_me:11512: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12017,7 +12016,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 12020 "configure"' > conftest.$ac_ext + echo '#line 12019 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -12855,7 +12854,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 12858 "configure" +#line 12857 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12953,7 +12952,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 12956 "configure" +#line 12955 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -13780,11 +13779,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13783: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13782: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:13787: \$? = $ac_status" >&5 + echo "$as_me:13786: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -13840,11 +13839,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13843: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13842: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:13847: \$? = $ac_status" >&5 + echo "$as_me:13846: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -15150,7 +15149,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 15153 "configure"' > conftest.$ac_ext + echo '#line 15152 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -15894,11 +15893,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15897: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15896: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15901: \$? = $ac_status" >&5 + echo "$as_me:15900: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -16127,11 +16126,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16130: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16129: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16134: \$? = $ac_status" >&5 + echo "$as_me:16133: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -16187,11 +16186,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16190: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16189: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:16194: \$? = $ac_status" >&5 + echo "$as_me:16193: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -17517,7 +17516,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 17520 "configure"' > conftest.$ac_ext + echo '#line 17519 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -18355,7 +18354,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 18358 "configure" +#line 18357 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -18453,7 +18452,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 18456 "configure" +#line 18455 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -23476,90 +23475,6 @@ fi -# Check whether --with-openssl was given. -if test "${with_openssl+set}" = set; then - withval=$with_openssl; openssl="$withval" -else - openssl=no -fi - -if test "$openssl" != no; then - { echo "$as_me:$LINENO: checking for DES_ecb_encrypt in -lcrypto" >&5 -echo $ECHO_N "checking for DES_ecb_encrypt in -lcrypto... $ECHO_C" >&6; } -if test "${ac_cv_lib_crypto_DES_ecb_encrypt+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcrypto $LIBS" -cat >conftest.$ac_ext <<_ACEOF -/* confdefs.h. */ -_ACEOF -cat confdefs.h >>conftest.$ac_ext -cat >>conftest.$ac_ext <<_ACEOF -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char DES_ecb_encrypt (); -int -main () -{ -return DES_ecb_encrypt (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 - (eval "$ac_link") 2>conftest.er1 - ac_status=$? - grep -v '^ *+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && { - test -z "$ac_c_werror_flag" || - test ! 
-s conftest.err - } && test -s conftest$ac_exeext && - $as_test_x conftest$ac_exeext; then - ac_cv_lib_crypto_DES_ecb_encrypt=yes -else - echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_cv_lib_crypto_DES_ecb_encrypt=no -fi - -rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ echo "$as_me:$LINENO: result: $ac_cv_lib_crypto_DES_ecb_encrypt" >&5 -echo "${ECHO_T}$ac_cv_lib_crypto_DES_ecb_encrypt" >&6; } -if test $ac_cv_lib_crypto_DES_ecb_encrypt = yes; then - OPENSSL_LIBS=-lcrypto - cat >>confdefs.h <<\_ACEOF -#define HAVE_OPENSSL 1 -_ACEOF - -else - { { echo "$as_me:$LINENO: error: Openssl requested but not found" >&5 -echo "$as_me: error: Openssl requested but not found" >&2;} - { (exit 1); exit 1; }; } -fi - -fi - - # Check whether --with-krb4 was given. if test "${with_krb4+set}" = set; then withval=$with_krb4; krb4="$withval" @@ -25409,7 +25324,7 @@ else echo "$as_me: error: This package requires ss." >&2;} { (exit 1); exit 1; }; } fi -LIBS="$OPENSSL_LIBS $KRB5_LIBS $KRB4_LIBS $HESIOD_LIBS $LIBS" +LIBS="$KRB5_LIBS $KRB4_LIBS $HESIOD_LIBS $LIBS" if test $ac_cv_c_compiler_gnu = yes; then { echo "$as_me:$LINENO: checking whether $CC needs -traditional" >&5 diff --git a/configure.in b/configure.in index d24a891..57b97df 100644 --- a/configure.in +++ b/configure.in @@ -84,15 +84,6 @@ AC_SUBST(TLIB) AC_SUBST(RLIB) AC_SUBST(SLIB) -AC_ARG_WITH(openssl, - [ --with-openssl=PREFIX Use OpenSSL crypto], - [openssl="$withval"], [openssl=no]) -if test "$openssl" != no; then - AC_CHECK_LIB(crypto, DES_ecb_encrypt, [OPENSSL_LIBS=-lcrypto - AC_DEFINE(HAVE_OPENSSL)], - [AC_MSG_ERROR(Openssl requested but not found)]) -fi - ATHENA_KRB4 ATHENA_KRB5 ATHENA_HESIOD 
@@ -100,7 +91,7 @@ ATHENA_REGEXP ATHENA_ARES ATHENA_UTIL_COM_ERR ATHENA_UTIL_SS -LIBS="$OPENSSL_LIBS $KRB5_LIBS $KRB4_LIBS $HESIOD_LIBS $LIBS" +LIBS="$KRB5_LIBS $KRB4_LIBS $HESIOD_LIBS $LIBS" dnl Checks for library functions. AC_PROG_GCC_TRADITIONAL diff --git a/h/config.h.in b/h/config.h.in index 688870f..40c0a3e 100644 --- a/h/config.h.in +++ b/h/config.h.in @@ -273,6 +273,3 @@ /* Define to `int' if <sys/types.h> doesn't define. */ #undef uid_t - -/* Wether we have the openssl library about */ -#undef HAVE_OPENSSL diff --git a/server/bdump.c b/server/bdump.c index 0b242d7..1b40336 100644 --- a/server/bdump.c +++ b/server/bdump.c @@ -102,6 +102,9 @@ static int setup_file_pointers(void); static void shutdown_file_pointers(void); static void cleanup(Server *server); +#if defined(HAVE_KRB4) || defined(HAVE_KRB5) +static int des_service_decrypt(char *in, char *out); +#endif #ifdef HAVE_KRB5 static long ticket5_time; #define TKT5LIFETIME 8*60*60 @@ -116,10 +119,13 @@ static long ticket_time; #endif /* HAVE_KRB4 */ -#if defined(HAVE_KRB4) || defined(HAVE_OPENSSL) +#if defined(HAVE_KRB4) extern C_Block serv_key; extern Sched serv_ksched; #endif +#if defined(HAVE_KRB5) && !defined(HAVE_KRB4) +krb5_keyblock *server_key; +#endif static Timer *bdump_timer; static int live_socket = -1; @@ -1081,7 +1087,7 @@ get_tgt(void) 0, NULL, &opt); -#if defined(HAVE_OPENSSL) && !defined(HAVE_KRB4) +#ifndef HAVE_KRB4 if (retval) { krb5_free_principal(Z_krb5_ctx, principal); krb5_kt_close(Z_krb5_ctx, kt); 
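Review bot: The prototype added in the `@@ -102,6 +102,9 @@` hunk of server/bdump.c is guarded by `#if defined(HAVE_KRB4) || defined(HAVE_KRB5)`, but the definition at the end of the file is compiled only under `#ifdef HAVE_KRB5`. A Kerberos 4-only build therefore declares a static function that is never defined, which draws a compiler warning and becomes a link failure if anything in that configuration ever calls it. Guarding the prototype with the same `#ifdef HAVE_KRB5` keeps the declaration and the definition in step.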
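Review bot: `krb5_keyblock *server_key;` in the `@@ -116,10 +119,13 @@` hunk gets external linkage even though every use visible in this commit is inside server/bdump.c; `static krb5_keyblock *server_key;` would keep the copied service key out of the global namespace. The name also differs from the existing `serv_key` (a `C_Block`) by only a few letters, so a one-line comment such as `/* krb5-only builds: service key copied from the keytab in get_tgt() */` would help readers tell the two apart.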
@@ -1095,21 +1101,19 @@ get_tgt(void) break; } if (!retval) { - retval = krb5_copy_keyblock(Z_krb5_ctx, &kt_ent.key, &serv_key); + retval = krb5_copy_keyblock(Z_krb5_ctx, &kt_ent.key, &server_key); if (retval) { krb5_free_principal(Z_krb5_ctx, principal); krb5_kt_close(Z_krb5_ctx, kt); return(1); } - des_key_sched(serv_key, serv_ksched.s); - got_des = 1; } #endif krb5_free_principal(Z_krb5_ctx, principal); krb5_kt_close(Z_krb5_ctx, kt); -#if defined(HAVE_OPENSSL) && !defined(HAVE_KRB4) +#ifndef HAVE_KRB4 if (retval) return(1); #endif @@ -1168,8 +1172,12 @@ bdump_recv_loop(Server *server) #endif #if defined(HAVE_KRB4) || defined(HAVE_KRB5) char *cp; +#ifndef HAVE_KRB4 + unsigned char cblock[8]; +#else C_Block cblock; #endif +#endif ZRealm *realm = NULL; zdbug((LOG_DEBUG, "bdump recv loop")); 
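Review bot: The `@@ -1095,21 +1101,19 @@` hunk drops `got_des = 1;` from the krb5-only path, while bdump_recv_loop still tests `got_des` before the DES branch; unless the flag is set somewhere outside this diff, that branch can no longer be taken in a build without HAVE_KRB4, and if it is set elsewhere it no longer guarantees that `server_key` is populated. Setting the flag after the successful copy, or testing `server_key != NULL` instead, would tie the guard to the key that is actually used. Separately, `krb5_copy_keyblock(..., &server_key)` overwrites the pointer on every call, so if get_tgt runs more than once the previous copy of the service key is leaked and stays in heap memory; `if (server_key) krb5_free_keyblock(Z_krb5_ctx, server_key);` before the copy avoids that. get_tgt begins and ends outside this hunk.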
@@ -1268,32 +1276,31 @@ bdump_recv_loop(Server *server) if (*notice.z_class_inst) { /* check out this session key I found */ cp = notice.z_message + strlen(notice.z_message) + 1; - switch (*cp) { -#if defined(HAVE_KRB4) || defined(HAVE_OPENSSL) - if (got_des) { - /* ****ing netascii; this is an encrypted DES keyblock - XXX this code should be conditionalized for server - transitions */ - retval = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, - sizeof(C_Block), - &client->session_keyblock); + if (*cp == '0' && got_des) { + /* ****ing netascii; this is an encrypted DES keyblock + XXX this code should be conditionalized for server + transitions */ + retval = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, + sizeof(cblock), + &client->session_keyblock); + if (retval) { + syslog(LOG_ERR, "brl failed to allocate DES keyblock: %s", + error_message(retval)); + return retval; + } + retval = ZReadAscii(cp, strlen(cp), cblock, sizeof(cblock)); + if (retval != ZERR_NONE) { + syslog(LOG_ERR,"brl bad cblk read: %s (%s)", + error_message(retval), cp); + } else { + retval = des_service_decrypt(cblock, Z_keydata(client->session_keyblock)); if (retval) { - syslog(LOG_ERR, "brl failed to allocate DES keyblock: %s", + syslog(LOG_ERR, "brl failed to decyrpt DES session key: %s", error_message(retval)); return retval; } - retval = ZReadAscii(cp, strlen(cp), cblock, sizeof(C_Block)); - if (retval != ZERR_NONE) { - syslog(LOG_ERR,"brl bad cblk read: %s (%s)", - error_message(retval), cp); - } else { - des_ecb_encrypt((C_Block *)cblock, (C_Block *)Z_keydata(client->session_keyblock), - serv_ksched.s, DES_DECRYPT); - } } - break; -#endif - case 'Z': + } else if (*cp == 'Z') { /* Zcode! Long live the new flesh! */ retval = ZReadZcode((unsigned char *)cp, buf, sizeof(buf), &blen); if (retval != ZERR_NONE) { @@ -1312,7 +1319,6 @@ bdump_recv_loop(Server *server) memcpy(Z_keydata(client->session_keyblock), &buf[8], Z_keylen(client->session_keyblock)); } - break; } } #else 
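Review bot: In the `@@ -1268,32 +1276,31 @@` hunk a failed `ZReadAscii` is only logged, so the loop carries on with `client->session_keyblock` already allocated by `Z_krb5_init_keyblock` but never filled in, whereas a failed `des_service_decrypt` returns immediately. The client record should not keep a key whose contents were never written; releasing it in the read-failure branch (for example `krb5_free_keyblock(Z_krb5_ctx, client->session_keyblock); client->session_keyblock = NULL;`, assuming the field is a `krb5_keyblock *` as its use suggests) makes both failures behave the same. That branch also writes the received key text `cp` to syslog, which is worth reconsidering even though the block is still encrypted at that point. The new message misspells "decrypt" as `decyrpt`, and `cblock` is `unsigned char[8]` in krb5-only builds but is passed as `char *in`, so the call needs a cast or an `unsigned char *` parameter to compile without warnings. bdump_recv_loop continues outside the hunk.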
@@ -1659,3 +1665,24 @@ setup_file_pointers (void) return 0; } + +#ifdef HAVE_KRB5 +static int des_service_decrypt(char *in, char *out) { +#ifndef HAVE_KRB4 + krb5_data dout; + krb5_enc_data din; + + dout.length = 8; + dout.data = out; + + din.ciphertext.length = 8; + din.ciphertext.data = in; + din.enctype = Z_enctype(server_key); + + return krb5_c_decrypt(Z_krb5_ctx, server_key, 0, 0, &din, &dout); +#else + des_ecb_encrypt((C_Block *)in, (C_Block *)out, serv_ksched.s, DES_DECRYPT); + return 0; /* sigh */ +#endif +} +#endif diff --git a/server/subscr.c b/server/subscr.c index 364208e..41384ee 100644 --- a/server/subscr.c +++ b/server/subscr.c @@ -61,7 +61,7 @@ static const char rcsid_subscr_c[] = "$Id$"; * */ -#if defined(HAVE_KRB4) || defined(HAVE_OPENSSL) +#if defined(HAVE_KRB4) C_Block serv_key; Sched serv_ksched; #endif diff --git a/server/zserver.h b/server/zserver.h index ca60844..cceb270 100644 --- a/server/zserver.h +++ b/server/zserver.h @@ -61,12 +61,7 @@ extern C_Block __Zephyr_session; /* Current time as cached by main(); use instead of time(). */ #define NOW t_local.tv_sec -#if defined(HAVE_OPENSSL) & !defined(HAVE_KRB4) -#define OPENSSL_DES_LIBDES_COMPATIBILITY -#include <openssl/des.h> -#endif - -#if defined(HAVE_KRB4) || defined(HAVE_OPENSSL) +#ifdef HAVE_KRB4 /* Kerberos shouldn't stick us with array types... */ typedef struct { des_key_schedule s; |
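Review bot: `des_service_decrypt` in the `@@ -1659,3 +1665,24 @@` hunk dereferences `server_key` through `Z_enctype(server_key)` without checking that get_tgt ever filled it in; `if (server_key == NULL) return EINVAL;` at the top of the krb5-only branch would turn that into a logged error instead of a crash. The two branches are also not the same operation: `des_ecb_encrypt(..., DES_DECRYPT)` is a raw single-block DES decryption, while `krb5_c_decrypt`, as far as I know, expects a complete ciphertext for the key's enctype (confounder and checksum included) and a key of matching type, so an 8-byte input is likely to be rejected and a peer that produced the block with raw DES-ECB may not interoperate; this is worth testing against a HAVE_KRB4 server. The hard-coded `8` lengths would read better as a named constant shared with `cblock`, and the function deserves a comment stating that `in` and `out` must each be exactly one DES block.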