aklog.c

Bug Summary

File:	aklog/aklog.c
Location:	line 1783, column 5
Description:	Value stored to 'enctype' is never read

Annotated Source Code

1	/*
2	* $Id$
3	*
4	* Copyright 1990,1991 by the Massachusetts Institute of Technology
5	* For distribution and copying rights, see the file "mit-copyright.h"
6	*/
7	/*
8	* Copyright (c) 2005, 2006
9	* The Linux Box Corporation
10	* ALL RIGHTS RESERVED
11	*
12	* Permission is granted to use, copy, create derivative works
13	* and redistribute this software and such derivative works
14	* for any purpose, so long as the name of the Linux Box
15	* Corporation is not used in any advertising or publicity
16	* pertaining to the use or distribution of this software
17	* without specific, written prior authorization. If the
18	* above copyright notice or any other identification of the
19	* Linux Box Corporation is included in any copy of any
20	* portion of this software, then the disclaimer below must
21	* also be included.
22	*
23	* This software is provided as is, without representation
24	* from the Linux Box Corporation as to its fitness for any
25	* purpose, and without warranty by the Linux Box Corporation
26	* of any kind, either express or implied, including
27	* without limitation the implied warranties of
28	* merchantability and fitness for a particular purpose. The
29	* regents of the Linux Box Corporation shall not be liable
30	* for any damages, including special, indirect, incidental, or
31	* consequential damages, with respect to any claim arising
32	* out of or in connection with the use of the software, even
33	* if it has been or is hereafter advised of the possibility of
34	* such damages.
35	*/
36
37	#include <afsconfig.h>
38	#include <afs/param.h>
39	#include <afs/stds.h>
40
41	#include <roken.h>
42
43	#include <ctype.h>
44
45	#include <afs/ktc.h>
46	#include <afs/token.h>
47
48	#include <krb5.h>
49	#if defined(HAVE_ET_COM_ERR_H)
50	#include <et/com_err.h>
51	#else
52	#include <com_err.h>
53	#endif
54
55	#ifndef HAVE_KERBEROSV_HEIM_ERR_H
56	#include <afs/com_err.h>
57	#endif
58
59	#ifdef AFS_SUN5_ENV
60	#include <sys/ioccom.h>
61	#endif
62
63	#include <afs/auth.h>
64	#include <afs/cellconfig.h>
65	#include <afs/vice.h>
66	#include <afs/venus.h>
67	#include <afs/ptserver.h>
68	#include <afs/ptuser.h>
69	#include <afs/pterror.h>
70	#include <afs/dirpath.h>
71	#include <afs/afsutil.h>
72
73	#include "aklog.h"
74	#include "linked_list.h"
75
76	#ifdef HAVE_KRB5_CREDS_KEYBLOCK
77	#define USING_MIT 1
78	#endif
79	#ifdef HAVE_KRB5_CREDS_SESSION1
80	#define USING_HEIMDAL1 1
81	#endif
82
83	#define AFSKEY"afs" "afs"
84	#define AFSINST"" ""
85
86	#ifndef AFS_TRY_FULL_PRINC1
87	#define AFS_TRY_FULL_PRINC1 1
88	#endif /* AFS_TRY_FULL_PRINC */
89
90	#define AKLOG_TRYAGAIN-1 -1
91	#define AKLOG_SUCCESS0 0
92	#define AKLOG_USAGE1 1
93	#define AKLOG_SOMETHINGSWRONG2 2
94	#define AKLOG_AFS3 3
95	#define AKLOG_KERBEROS4 4
96	#define AKLOG_TOKEN5 5
97	#define AKLOG_BADPATH6 6
98	#define AKLOG_MISC7 7
99
100	#ifndef TRUE1
101	#define TRUE1 1
102	#endif
103
104	#ifndef FALSE0
105	#define FALSE0 0
106	#endif
107
108	#ifndef MAXSYMLINKS32
109	/* RedHat 4.x doesn't seem to define this */
110	#define MAXSYMLINKS32 5
111	#endif
112
113	#define DIR'/' '/' /* Character that divides directories */
114	#define DIRSTRING"/" "/" /* String form of above */
115	#define VOLMARKER':' ':' /* Character separating cellname from mntpt */
116	#define VOLMARKERSTRING":" ":" /* String form of above */
117
118	typedef struct {
119	char cell[BUFSIZ1024];
120	char realm[REALM_SZ40];
121	} cellinfo_t;
122
123	static krb5_ccache _krb425_ccache = NULL((void *)0);
124
125	/*
126	* Why doesn't AFS provide these prototypes?
127	*/
128
129	extern int pioctl(char , afs_int32, struct ViceIoctl , afs_int32);
130
131	/*
132	* Other prototypes
133	*/
134
135	extern char afs_realm_of_cell(krb5_context, struct afsconf_cell , int);
136	static int isdir(char , unsigned char );
137	static krb5_error_code get_credv5(krb5_context context, char , char ,
138	char , krb5_creds *);
139	static int get_user_realm(krb5_context, char **);
140
141	#define TRYAGAIN(x)(x == -1 \|\| x == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN \|\| x == KRB5KRB_ERR_GENERIC ) (x == AKLOG_TRYAGAIN-1 \|\| \
142	x == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN \|\| \
143	x == KRB5KRB_ERR_GENERIC)
144
145	#if defined(HAVE_KRB5_PRINC_SIZE) \|\| defined(krb5_princ_size)
146
147	#define get_princ_str(c, p, n)krb5_principal_get_comp_string(c, p, n) krb5_princ_component(c, p, n)->data
148	#define get_princ_len(c, p, n)strlen(krb5_principal_get_comp_string(c, p, n)) krb5_princ_component(c, p, n)->length
149	#define second_comp(c, p)(krb5_principal_get_comp_string(c, p, 1) != ((void *)0)) (krb5_princ_size(c, p) > 1)
150	#define realm_data(c, p)(krb5_principal_get_realm(c, p)) krb5_princ_realm(c, p)->data
151	#define realm_len(c, p)strlen(krb5_principal_get_realm(c, p)) krb5_princ_realm(c, p)->length
152
153	#elif defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING1)
154
155	#define get_princ_str(c, p, n)krb5_principal_get_comp_string(c, p, n) krb5_principal_get_comp_string(c, p, n)
156	#define get_princ_len(c, p, n)strlen(krb5_principal_get_comp_string(c, p, n)) strlen(krb5_principal_get_comp_string(c, p, n))
157	#define second_comp(c, p)(krb5_principal_get_comp_string(c, p, 1) != ((void )0)) (krb5_principal_get_comp_string(c, p, 1) != NULL((void )0))
158	#define realm_data(c, p)(krb5_principal_get_realm(c, p)) krb5_realm_data(krb5_principal_get_realm(c, p))(krb5_principal_get_realm(c, p))
159	#define realm_len(c, p)strlen(krb5_principal_get_realm(c, p)) krb5_realm_length(krb5_principal_get_realm(c, p))strlen(krb5_principal_get_realm(c, p))
160
161	#else
162	#error "Must have either krb5_princ_size or krb5_principal_get_comp_string"
163	#endif
164
165	#if !defined(HAVE_KRB5_ENCRYPT_TKT_PART) && defined(HAVE_ENCODE_KRB5_ENC_TKT_PART) && defined(HAVE_KRB5_C_ENCRYPT1)
166	extern krb5_error_code encode_krb5_enc_tkt_part (const krb5_enc_tkt_part *rep,
167	krb5_data **code);
168
169	krb5_error_code
170	krb5_encrypt_tkt_part(krb5_context context,
171	const krb5_keyblock *key,
172	krb5_ticket *ticket)
173	{
174	krb5_data *data = 0;
175	int code;
176	size_t enclen;
177
178	if ((code = encode_krb5_enc_tkt_part(ticket->enc_part2, &data)))
179	goto Done;
180	if ((code = krb5_c_encrypt_length(context, key->enctype,
181	data->length, &enclen)))
182	goto Done;
183	ticket->enc_part.ciphertext.length = enclen;
184	if (!(ticket->enc_part.ciphertext.data = malloc(enclen))) {
185	code = ENOMEM12;
186	goto Done;
187	}
188	if ((code = krb5_c_encrypt(context, key, KRB5_KEYUSAGE_KDC_REP_TICKET,
189	0, data, &ticket->enc_part))) {
190	free(ticket->enc_part.ciphertext.data);
191	ticket->enc_part.ciphertext.data = 0;
192	}
193	Done:
194	if (data) {
195	if (data->data)
196	free(data->data);
197	free(data);
198	}
199	return code;
200	}
201	#endif
202
203	#if defined(HAVE_KRB5_CREDS_KEYBLOCK)
204
205	#define get_cred_keydata(c)c->session.keyvalue.data c->keyblock.contents
206	#define get_cred_keylen(c)c->session.keyvalue.length c->keyblock.length
207	#define get_creds_enctype(c)c->session.keytype c->keyblock.enctype
208
209	#elif defined(HAVE_KRB5_CREDS_SESSION1)
210
211	#define get_cred_keydata(c)c->session.keyvalue.data c->session.keyvalue.data
212	#define get_cred_keylen(c)c->session.keyvalue.length c->session.keyvalue.length
213	#define get_creds_enctype(c)c->session.keytype c->session.keytype
214
215	#else
216	#error "Must have either keyblock or session member of krb5_creds"
217	#endif
218
219	#ifdef AFS_DARWIN110_ENV
220	#define HAVE_NO_KRB5_524 /* MITKerberosShim logs but returns success */
221	#elif !defined(HAVE_KRB5_524_CONVERT_CREDS) && defined(HAVE_KRB524_CONVERT_CREDS_KDC1)
222	#define krb5_524_convert_credskrb524_convert_creds_kdc krb524_convert_creds_kdc
223	#elif !defined(HAVE_KRB5_524_CONVERT_CREDS) && !defined(HAVE_KRB524_CONVERT_CREDS_KDC1)
224	#define HAVE_NO_KRB5_524
225	#endif
226
227	#if USING_HEIMDAL1
228	#define deref_keyblock_enctype(kb)((kb)->keytype) \
229	((kb)->keytype)
230
231	#define deref_entry_keyblock(entry)entry->keyblock \
232	entry->keyblock
233
234	#define deref_session_key(creds)creds->session \
235	creds->session
236
237	#define deref_enc_tkt_addrs(tkt)tkt->caddr \
238	tkt->caddr
239
240	#define deref_enc_length(enc)((enc)->cipher.length) \
241	((enc)->cipher.length)
242
243	#define deref_enc_data(enc)((enc)->cipher.data) \
244	((enc)->cipher.data)
245
246	#define krb5_free_keytab_entry_contentskrb5_kt_free_entry krb5_kt_free_entry
247
248	#else
249	#define deref_keyblock_enctype(kb)((kb)->keytype) \
250	((kb)->enctype)
251
252	#define deref_entry_keyblock(entry)entry->keyblock \
253	entry->key
254
255	#define deref_session_key(creds)creds->session \
256	creds->keyblock
257
258	#define deref_enc_tkt_addrs(tkt)tkt->caddr \
259	tkt->caddrs
260
261	#define deref_enc_length(enc)((enc)->cipher.length) \
262	((enc)->ciphertext.length)
263
264	#define deref_enc_data(enc)((enc)->cipher.data) \
265	((enc)->ciphertext.data)
266
267	#endif
268
269	#define deref_entry_enctype(entry)((&entry->keyblock)->keytype) \
270	deref_keyblock_enctype(&deref_entry_keyblock(entry))((&entry->keyblock)->keytype)
271
272	/*
273	* Provide a replacement for strerror if we don't have it
274	*/
275
276	#ifndef HAVE_STRERROR1
277	extern char *sys_errlist[];
278	#define strerror(x) sys_errlist[x]
279	#endif /* HAVE_STRERROR */
280
281	static char progname = NULL((void )0); /* Name of this program */
282	static int dflag = FALSE0; /* Give debugging information */
283	static int noauth = FALSE0; /* If true, don't try to get tokens */
284	static int zsubs = FALSE0; /* Are we keeping track of zephyr subs? */
285	static int hosts = FALSE0; /* Are we keeping track of hosts? */
286	static int noprdb = FALSE0; /* Skip resolving name to id? */
287	static int linked = FALSE0; /* try for both AFS nodes */
288	static int afssetpag = FALSE0; /* setpag for AFS */
289	static int force = FALSE0; /* Bash identical tokens? */
290	static int do524 = FALSE0; /* Should we do 524 instead of rxkad2b? */
291	static char keytab = NULL((void )0); /* keytab for akimpersonate */
292	static char client = NULL((void )0); /* client principal for akimpersonate */
293	static linked_list zsublist; /* List of zephyr subscriptions */
294	static linked_list hostlist; /* List of host addresses */
295	static linked_list authedcells; /* List of cells already logged to */
296
297	/* A com_error bodge. The idea here is that this routine lets us lookup
298	* things in the system com_err, if the AFS one just tells us the error
299	* is unknown
300	*/
301
302	void
303	redirect_errors(const char who, afs_int32 code, const char fmt, va_list ap)
304	{
305	if (who) {
306	fputs(who, stderr__stderrp);
307	fputs(": ", stderr__stderrp);
308	}
309	if (code) {
310	const char *str = afs_error_message(code);
311	if (strncmp(str, "unknown", strlen("unknown")) == 0) {
312	#ifdef HAVE_KRB5_SVC_GET_MSG
313	krb5_svc_get_msg(code,&str);
314	#elif defined(HAVE_ERROR_MESSAGE)
315	str = error_message(code);
316	#else
317	; /* IRIX apparently has neither: use the string we have */
318	#endif
319	}
320	fputs(str, stderr__stderrp);
321	fputs(" ", stderr__stderrp);
322	#ifdef HAVE_KRB5_SVC_GET_MSG
323	krb5_free_string(str);
324	#endif
325	}
326	if (fmt) {
327	vfprintf(stderr__stderrp, fmt, ap);
328	}
329	putc('\n', stderr)(!__isthreaded ? __sputc('\n', __stderrp) : (putc)('\n', __stderrp ));
330	fflush(stderr__stderrp);
331	}
332
333	static void
334	afs_dprintf(char *fmt, ...) {
335	va_list ap;
336
337	va_start(ap, fmt)__builtin_va_start((ap), (fmt));
338	if (dflag)
339	vprintf(fmt, ap);
340	va_end(ap)__builtin_va_end(ap);
341	}
342
343	static char *
344	copy_cellinfo(cellinfo_t *cellinfo)
345	{
346	cellinfo_t *new_cellinfo;
347
348	if ((new_cellinfo = (cellinfo_t *)malloc(sizeof(cellinfo_t))))
349	memcpy(new_cellinfo, cellinfo, sizeof(cellinfo_t));
350
351	return ((char *)new_cellinfo);
352	}
353
354
355	static int
356	get_cellconfig(char cell, struct afsconf_cell cellconfig, char **local_cell)
357	{
358	int status = AKLOG_SUCCESS0;
359	struct afsconf_dir *configdir;
360
361	memset(cellconfig, 0, sizeof(*cellconfig));
362
363	*local_cell = malloc(MAXCELLCHARS64);
364	if (local_cell == NULL((void )0)) {
365	fprintf(stderr__stderrp, "%s: can't allocate memory for local cell name\n",
366	progname);
367	exit(AKLOG_AFS3);
368	}
369
370	if (!(configdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATHgetDirPath(AFSDIR_CLIENT_ETC_DIRPATH_ID)))) {
371	fprintf(stderr__stderrp,
372	"%s: can't get afs configuration (afsconf_Open(%s))\n",
373	progname, AFSDIR_CLIENT_ETC_DIRPATHgetDirPath(AFSDIR_CLIENT_ETC_DIRPATH_ID));
374	exit(AKLOG_AFS3);
375	}
376
377	if (afsconf_GetLocalCell(configdir, *local_cell, MAXCELLCHARS64)) {
378	fprintf(stderr__stderrp, "%s: can't determine local cell.\n", progname);
379	exit(AKLOG_AFS3);
380	}
381
382	if ((cell == NULL((void *)0)) \|\| (cell[0] == 0))
383	cell = *local_cell;
384
385	/* XXX - This function modifies 'cell' by passing it through lcstring */
386	if (afsconf_GetCellInfo(configdir, cell, NULL((void *)0), cellconfig)) {
387	fprintf(stderr__stderrp, "%s: Can't get information about cell %s.\n",
388	progname, cell);
389	status = AKLOG_AFS3;
390	}
391
392	afsconf_Close(configdir);
393
394	return(status);
395	}
396
397	static char *
398	extract_realm(krb5_context context, krb5_principal princ) {
399	int len;
400	char *realm;
401
402	len = realm_len(context, princ)strlen(krb5_principal_get_realm(context, princ));
403	if (len > REALM_SZ40-1)
404	len = REALM_SZ40-1;
405
406	realm = malloc(sizeof(char) * (len+1));
407	if (realm == NULL((void *)0))
408	return NULL((void *)0);
409
410	strncpy(realm, realm_data(context, princ)(krb5_principal_get_realm(context, princ)), len);
411	realm[len] = '\0';
412
413	return realm;
414	}
415
416	static int
417	get_realm_from_cred(krb5_context context, krb5_creds v5cred, char *realm) {
418	#if !defined(HEIMDAL) && defined(HAVE_KRB5_DECODE_TICKET)
419	krb5_error_code code;
420	krb5_ticket *ticket;
421
422	realm = NULL((void )0);
423
424	code = krb5_decode_ticket(&v5cred->ticket, &ticket);
425	if (code)
426	return code;
427
428	*realm = extract_realm(context, ticket->server);
429	if (realm == NULL((void )0))
430	code = ENOMEM12;
431
432	krb5_free_ticket(context, ticket);
433
434	return code;
435	#else
436	realm = NULL((void )0);
437	return 0;
438	#endif
439	}
440
441	/*!
442	* Get a Kerberos service ticket to use as the base of an rxkad token for
443	* a given AFS cell.
444	*
445	* @param[in] context
446	* An initialized Kerberos v5 context
447	* @param[in] realm
448	* The realm to look in for the service principal. If NULL, then the
449	* realm is determined from the cell name or the user's credentials
450	* (see below for the heuristics used)
451	* @param[in] cell
452	* The cell information for the cell to obtain a ticket for
453	* @param[out] v5cred
454	* A Kerberos credentials structure containing the ticket acquired
455	* for the cell. This is a dynamically allocated structure, which
456	* should be freed by using the appropriate Kerberos API function.
457	* @param[out] realmUsed
458	* The realm in which the cell's service principal was located. If
459	* unset, then the principal was located in the same realm as the
460	* current user. This is a malloc'd string which should be freed
461	* by the caller.
462	*
463	* @returns
464	* 0 on success, an error value upon failure
465	*
466	* @notes
467	* This code tries principals in the following, much debated,
468	* order:
469	*
470	* If the realm is specified on the command line we do
471	* - afs/cell@COMMAND-LINE-REALM
472	* - afs@COMMAND-LINE-REALM
473	*
474	* Otherwise, we do
475	* - afs/cell@REALM-FROM-USERS-PRINCIPAL
476	* - afs/cell@krb5_get_host_realm(db-server)
477	* Then, if krb5_get_host_realm(db-server) is non-empty
478	* - afs@ krb5_get_host_realm(db-server)
479	* Otherwise
480	* - afs/cell@ upper-case-domain-of-db-server
481	* - afs@ upper-case-domain-of-db-server
482	*
483	* In all cases, the 'afs@' variant is only tried where the
484	* cell and the realm match case-insensitively.
485	*/
486
487	static int
488	rxkad_get_ticket(krb5_context context, char *realm,
489	struct afsconf_cell *cell,
490	krb5_creds v5cred, char realmUsed) {
491	char realm_of_cell = NULL((void )0);
492	char realm_of_user = NULL((void )0);
493	char realm_from_princ = NULL((void )0);
494	int status;
495	int retry;
496
497	realmUsed = NULL((void )0);
498
499	if ((status = get_user_realm(context, &realm_of_user))) {
500	fprintf(stderr__stderrp, "%s: Couldn't determine realm of user:", progname);
501	afs_com_err(progname, status, " while getting realm");
502	status = AKLOG_KERBEROS4;
503	goto out;
504	}
505
506	retry = 1;
507
508	while(retry) {
509	/* Cell on command line - use that one */
510	if (realm && realm[0]) {
511	realm_of_cell = realm;
512	status = AKLOG_TRYAGAIN-1;
513	afs_dprintf("We were told to authenticate to realm %s.\n", realm);
514	} else {
515	/* Initially, try using afs/cell@USERREALM */
516	afs_dprintf("Trying to authenticate to user's realm %s.\n",
517	realm_of_user);
518	realm_of_cell = realm_of_user;
519	status = get_credv5(context, AFSKEY"afs", cell->name, realm_of_cell,
520	v5cred);
521
522	/* If that failed, try to determine the realm from the name of
523	* one of the DB servers */
524	if (TRYAGAIN(status)(status == -1 \|\| status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN \|\| status == KRB5KRB_ERR_GENERIC)) {
525	realm_of_cell = afs_realm_of_cell(context, cell, FALSE0);
526	if (!realm_of_cell) {
527	fprintf(stderr__stderrp, "%s: Couldn't figure out realm for cell "
528	"%s.\n", progname, cell->name);
529	exit(AKLOG_MISC7);
530	}
531
532	if (realm_of_cell[0])
533	afs_dprintf("We've deduced that we need to authenticate"
534	" to realm %s.\n", realm_of_cell);
535	else
536	afs_dprintf("We've deduced that we need to authenticate "
537	"using referrals.\n");
538	}
539	}
540
541	if (TRYAGAIN(status)(status == -1 \|\| status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN \|\| status == KRB5KRB_ERR_GENERIC)) {
542	/* If we've got the full-princ-first option, or we're in a
543	* different realm from the cell - use the cell name as the
544	* instance */
545	if (AFS_TRY_FULL_PRINC1 \|\|
546	strcasecmp(cell->name, realm_of_cell)!=0) {
547	status = get_credv5(context, AFSKEY"afs", cell->name,
548	realm_of_cell, v5cred);
549
550	/* If we failed & we've got an empty realm, then try
551	* calling afs_realm_for_cell again. */
552	if (TRYAGAIN(status)(status == -1 \|\| status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN \|\| status == KRB5KRB_ERR_GENERIC) && !realm_of_cell[0]) {
553	/* This time, get the realm by taking the domain
554	* component of the db server and make it upper case */
555	realm_of_cell = afs_realm_of_cell(context, cell, TRUE1);
556	if (!realm_of_cell) {
557	fprintf(stderr__stderrp,
558	"%s: Couldn't figure out realm for cell %s.\n",
559	progname, cell->name);
560	exit(AKLOG_MISC7);
561	}
562	afs_dprintf("We've deduced that we need to authenticate"
563	" to realm %s.\n", realm_of_cell);
564	}
565	status = get_credv5(context, AFSKEY"afs", cell->name,
566	realm_of_cell, v5cred);
567	}
568
569	/* If the realm and cell name match, then try without an
570	* instance, but only if realm is non-empty */
571
572	if (TRYAGAIN(status)(status == -1 \|\| status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN \|\| status == KRB5KRB_ERR_GENERIC) &&
573	strcasecmp(cell->name, realm_of_cell) == 0) {
574	status = get_credv5(context, AFSKEY"afs", NULL((void *)0), realm_of_cell,
575	v5cred);
576	if (!AFS_TRY_FULL_PRINC1 && TRYAGAIN(status)(status == -1 \|\| status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN \|\| status == KRB5KRB_ERR_GENERIC)) {
577	status = get_credv5(context, AFSKEY"afs", cell->name,
578	realm_of_cell, v5cred);
579	}
580	}
581	}
582
583	/* Try to find a service principal for this cell.
584	* Some broken MIT libraries return KRB5KRB_AP_ERR_MSG_TYPE upon
585	* the first attempt, so we try twice to be sure */
586
587	if (status == KRB5KRB_AP_ERR_MSG_TYPE && retry == 1)
588	retry++;
589	else
590	retry = 0;
591	}
592
593	if (status != 0) {
594	afs_dprintf("Kerberos error code returned by get_cred : %d\n", status);
595	fprintf(stderr__stderrp, "%s: Couldn't get %s AFS tickets:\n",
596	progname, cell->name);
597	afs_com_err(progname, status, "while getting AFS tickets");
598	#ifdef KRB5_CC_NOT_KTYPE
599	if (status == KRB5_CC_NOT_KTYPE) {
600	fprintf(stderr__stderrp, "allow_weak_enctypes may be required in the Kerberos configuration\n");
601	}
602	#endif
603	status = AKLOG_KERBEROS4;
604	goto out;
605	}
606
607	/* If we've got a valid ticket, and we still don't know the realm name
608	* try to figure it out from the contents of the ticket
609	*/
610	if (strcmp(realm_of_cell, "") == 0) {
611	status = get_realm_from_cred(context, *v5cred, &realm_from_princ);
612	if (status) {
613	fprintf(stderr__stderrp,
614	"%s: Couldn't decode ticket to determine realm for "
615	"cell %s.\n",
616	progname, cell->name);
617	} else {
618	if (realm_from_princ)
619	realm_of_cell = realm_from_princ;
620	}
621	}
622
623	/* If the realm of the user and cell differ, then we need to use the
624	* realm when we later construct the user's principal */
625	if (realm_of_cell != NULL((void *)0) && strcmp(realm_of_user, realm_of_cell) != 0)
626	*realmUsed = realm_of_user;
627
628	out:
629	if (realm_from_princ)
630	free(realm_from_princ);
631	if (realm_of_user && realmUsed == NULL((void )0))
632	free(realm_of_user);
633
634	return status;
635	}
636
637	/*!
638	* Build an rxkad token from a Kerberos ticket, using only local tools (that
639	* is, without using a 524 conversion service)
640	*
641	* @param[in] context
642	* An initialised Kerberos 5 context
643	* @param[in] v5cred
644	* A Kerberos credentials structure containing a suitable service ticket
645	* @param[out] tokenPtr
646	* An AFS token structure containing an rxkad token. This is a malloc'd
647	* structure which should be freed by the caller.
648	* @param[out[ userPtr
649	* A string containing the principal of the user to whom the token was
650	* issued. This is a malloc'd block which should be freed by the caller.
651	*
652	* @returns
653	* 0 on success, an error value upon failure
654	*/
655	static int
656	rxkad_build_native_token(krb5_context context, krb5_creds *v5cred,
657	struct ktc_tokenUnion tokenPtr, char userPtr) {
658	char username[BUFSIZ1024];
659	struct ktc_tokenUnion *token;
660	struct token_rxkad *rxkadToken;
661	#ifdef HAVE_NO_KRB5_524
662	char *p;
663	int len;
664	#else
665	int status;
666	char k4name[ANAME_SZ40];
667	char k4inst[INST_SZ40];
668	char k4realm[REALM_SZ40];
669	#endif
670
671	afs_dprintf("Using Kerberos V5 ticket natively\n");
672
673	tokenPtr = NULL((void )0);
674	userPtr = NULL((void )0);
675
676	#ifndef HAVE_NO_KRB5_524
677	status = krb5_524_conv_principal (context, v5cred->client,
678	(char *) &k4name,
679	(char *) &k4inst,
680	(char *) &k4realm);
681	if (status) {
682	afs_com_err(progname, status, "while converting principal "
683	"to Kerberos V4 format");
684	return AKLOG_KERBEROS4;
685	}
686	strcpy (username, k4name);
687	if (k4inst[0]) {
688	strcat (username, ".");
689	strcat (username, k4inst);
690	}
691	#else
692	len = min(get_princ_len(context, v5cred->client, 0),(((strlen(krb5_principal_get_comp_string(context, v5cred-> client, 0))) < ((krb5_principal_get_comp_string(context, v5cred ->client, 1) != ((void )0)) ? 64 - 2 : 64 - 1)) ? (strlen (krb5_principal_get_comp_string(context, v5cred->client, 0 ))) : ((krb5_principal_get_comp_string(context, v5cred->client , 1) != ((void )0)) ? 64 - 2 : 64 - 1))
693	second_comp(context, v5cred->client) ?(((strlen(krb5_principal_get_comp_string(context, v5cred-> client, 0))) < ((krb5_principal_get_comp_string(context, v5cred ->client, 1) != ((void )0)) ? 64 - 2 : 64 - 1)) ? (strlen (krb5_principal_get_comp_string(context, v5cred->client, 0 ))) : ((krb5_principal_get_comp_string(context, v5cred->client , 1) != ((void )0)) ? 64 - 2 : 64 - 1))
694	MAXKTCNAMELEN - 2 : MAXKTCNAMELEN - 1)(((strlen(krb5_principal_get_comp_string(context, v5cred-> client, 0))) < ((krb5_principal_get_comp_string(context, v5cred ->client, 1) != ((void )0)) ? 64 - 2 : 64 - 1)) ? (strlen (krb5_principal_get_comp_string(context, v5cred->client, 0 ))) : ((krb5_principal_get_comp_string(context, v5cred->client , 1) != ((void )0)) ? 64 - 2 : 64 - 1));
695	strncpy(username, get_princ_str(context, v5cred->client, 0)krb5_principal_get_comp_string(context, v5cred->client, 0), len);
696	username[len] = '\0';
697
698	if (second_comp(context, v5cred->client)(krb5_principal_get_comp_string(context, v5cred->client, 1 ) != ((void *)0))) {
699	strcat(username, ".");
700	p = username + strlen(username);
701	len = min(get_princ_len(context, v5cred->client, 1),(((strlen(krb5_principal_get_comp_string(context, v5cred-> client, 1))) < (64 - strlen(username) - 1)) ? (strlen(krb5_principal_get_comp_string (context, v5cred->client, 1))) : (64 - strlen(username) - 1 ))
702	MAXKTCNAMELEN - strlen(username) - 1)(((strlen(krb5_principal_get_comp_string(context, v5cred-> client, 1))) < (64 - strlen(username) - 1)) ? (strlen(krb5_principal_get_comp_string (context, v5cred->client, 1))) : (64 - strlen(username) - 1 ));
703	strncpy(p, get_princ_str(context, v5cred->client, 1)krb5_principal_get_comp_string(context, v5cred->client, 1), len);
704	p[len] = '\0';
705	}
706	#endif
707
708	token = malloc(sizeof(struct ktc_tokenUnion));
709	if (token == NULL((void *)0))
710	return ENOMEM12;
711
712	memset(token, 0, sizeof(struct ktc_tokenUnion));
713
714	token->at_type = AFSTOKEN_UNION_KAD2;
715	rxkadToken = &token->ktc_tokenUnion_u.at_kad;
716
717	rxkadToken->rk_kvno = RXKAD_TKT_TYPE_KERBEROS_V5256;
718	rxkadToken->rk_begintime = v5cred->times.starttime;;
719	rxkadToken->rk_endtime = v5cred->times.endtime;
720	memcpy(&rxkadToken->rk_key, get_cred_keydata(v5cred)v5cred->session.keyvalue.data,
721	get_cred_keylen(v5cred)v5cred->session.keyvalue.length);
722	rxkadToken->rk_ticket.rk_ticket_len = v5cred->ticket.length;
723	rxkadToken->rk_ticket.rk_ticket_val = malloc(v5cred->ticket.length);
724	if (rxkadToken->rk_ticket.rk_ticket_val == NULL((void *)0)) {
725	free(token);
726	return ENOMEM12;
727	}
728	memcpy(rxkadToken->rk_ticket.rk_ticket_val, v5cred->ticket.data,
729	rxkadToken->rk_ticket.rk_ticket_len);
730
731	*tokenPtr = token;
732	*userPtr = strdup(username);
733
734	return 0;
735	}
736
737	/*!
738	* Convert a Keberos ticket to an rxkad token, using information obtained
739	* from an external Kerberos 5->4 conversion service. If the code is built
740	* with HAVE_NO_KRB5_524 then this is a stub function which will always
741	* return success without a token.
742	*
743	* @param[in] context
744	* An initialised Kerberos 5 context
745	* @param[in] v5cred
746	* A Kerberos credentials structure containing a suitable service ticket
747	* @param[out] tokenPtr
748	* An AFS token structure containing an rxkad token. This is a malloc'd
749	* structure which should be freed by the caller.
750	* @param[out[ userPtr
751	* A string containing the principal of the user to whom the token was
752	* issued. This is a malloc'd block which should be freed by the caller.
753	*
754	* @returns
755	* 0 on success, an error value upon failure
756	*/
757
758	#ifdef HAVE_NO_KRB5_524
759	static int
760	rxkad_get_converted_token(krb5_context context, krb5_creds *v5cred,
761	struct ktc_tokenUnion tokenPtr, char userPtr) {
762	tokenPtr = NULL((void )0);
763	userPtr = NULL((void )0);
764
765	return 0;
766	}
767	#else
768	static int
769	rxkad_get_converted_token(krb5_context context, krb5_creds *v5cred,
770	struct ktc_tokenUnion tokenPtr, char userPtr) {
771	CREDENTIALS cred;
772	char username[BUFSIZ1024];
773	struct ktc_tokenUnion *token;
774	struct token_rxkad *rxkadToken;
775	int status;
776
777	tokenPtr = NULL((void )0);
778	userPtr = NULL((void )0);
779
780	afs_dprintf("Using Kerberos 524 translator service\n");
781
782	status = krb5_524_convert_credskrb524_convert_creds_kdc(context, v5cred, &cred);
783
784	if (status) {
785	afs_com_err(progname, status, "while converting tickets "
786	"to Kerberos V4 format");
787	return AKLOG_KERBEROS4;
788	}
789
790	strcpy (username, cred.pname);
791	if (cred.pinst[0]) {
792	strcat (username, ".");
793	strcat (username, cred.pinst);
794	}
795
796	token = malloc(sizeof(struct ktc_tokenUnion));
797	if (token == NULL((void *)0))
798	return ENOMEM12;
799	memset(token, 0, sizeof(struct ktc_tokenUnion));
800
801	token->at_type = AFSTOKEN_UNION_KAD2;
802
803	rxkadToken = &token->ktc_tokenUnion_u.at_kad;
804	rxkadToken->rk_kvno = cred.kvno;
805	rxkadToken->rk_begintime = cred.issue_date;
806	/*
807	* It seems silly to go through a bunch of contortions to
808	* extract the expiration time, when the v5 credentials already
809	* has the exact time! Let's use that instead.
810	*
811	* Note that this isn't a security hole, as the expiration time
812	* is also contained in the encrypted token
813	*/
814	rxkadToken->rk_endtime = v5cred->times.endtime;
815	memcpy(&rxkadToken->rk_key, cred.session, 8);
816	rxkadToken->rk_ticket.rk_ticket_len = cred.ticket_st.length;
817	rxkadToken->rk_ticket.rk_ticket_val = malloc(cred.ticket_st.length);
818	if (rxkadToken->rk_ticket.rk_ticket_val == NULL((void *)0)) {
819	free(token);
820	return ENOMEM12;
821	}
822	memcpy(rxkadToken->rk_ticket.rk_ticket_val, cred.ticket_st.dat,
823	rxkadToken->rk_ticket.rk_ticket_len);
824
825	*tokenPtr = token;
826	*userPtr = strdup(username);
827
828	return 0;
829	}
830	#endif
831
832	/*!
833	* This function gets an rxkad token for a given cell.
834	*
835	* @param[in] context
836	* An initialized Kerberos v5 context
837	* @param[in] cell
838	* The cell information for the cell which we're obtaining a token for
839	* @param[in] realm
840	* The realm to look in for the service principal. If NULL, then the
841	* realm is determined from the cell name or the user's credentials
842	* (see the documentation for rxkad_get_ticket)
843	* @param[out] token
844	* The rxkad token produced. This is a malloc'd structure which should
845	* be freed by the caller.
846	* @parma[out] authuser
847	* A string containing the principal of the user to whom the token was
848	* issued. This is a malloc'd block which should be freed by the caller.
849	* @param[out] foreign
850	* Whether the user is considered as 'foreign' to the realm of the cell.
851	*
852	* @returns
853	* 0 on success, an error value upon failuer
854	*/
855	static int
856	rxkad_get_token(krb5_context context, struct afsconf_cell cell, char realm,
857	struct ktc_tokenUnion token, char authuser, int *foreign) {
858	krb5_creds *v5cred;
859	char realmUsed = NULL((void )0);
860	char username = NULL((void )0);
861	int status;
862	size_t len;
863
864	token = NULL((void )0);
865	authuser = NULL((void )0);
866	*foreign = 0;
867
868	status = rxkad_get_ticket(context, realm, cell, &v5cred, &realmUsed);
869	if (status)
870	return status;
871
872	if (do524)
873	status = rxkad_get_converted_token(context, v5cred, token, &username);
874	else
875	status = rxkad_build_native_token(context, v5cred, token, &username);
876
877	if (status)
878	goto out;
879
880	/* We now have the username, plus the realm name, so stitch them together
881	* to give us the name that the ptserver will know the user by */
882	if (realmUsed == NULL((void *)0)) {
883	*authuser = username;
884	username = NULL((void *)0);
885	*foreign = 0;
886	} else {
887	len = strlen(username)+strlen(realmUsed)+2;
888	*authuser = malloc(len);
889	snprintf(*authuser, len, "%s@%s", username, realmUsed);
890	*foreign = 1;
891	}
892
893	out:
894	if (realmUsed)
895	free(realmUsed);
896	if (username)
897	free(username);
898
899	return status;
900	}
901
902	/*
903	* Log to a cell. If the cell has already been logged to, return without
904	* doing anything. Otherwise, log to it and mark that it has been logged
905	* to.
906	*/
907	static int
908	auth_to_cell(krb5_context context, char cell, char realm, char **linkedcell)
909	{
910	int status = AKLOG_SUCCESS0;
911	int isForeign = 0;
912	char username = NULL((void )0); /* To hold client username structure */
913	afs_int32 viceId; /* AFS uid of user */
914
915	char local_cell = NULL((void )0);
916	struct ktc_tokenUnion rxkadToken = NULL((void )0);
917	struct ktc_setTokenData *token;
918	struct ktc_setTokenData btoken = NULL((void )0);
919	struct afsconf_cell cellconf;
920
921	/* NULL or empty cell returns information on local cell */
922	if ((status = get_cellconfig(cell, &cellconf, &local_cell)))
923	return(status);
924
925	if (linkedcell != NULL((void *)0)) {
926	if (cellconf.linkedCell != NULL((void *)0)) {
927	*linkedcell = strdup(cellconf.linkedCell);
928	if (linkedcell == NULL((void )0)) {
929	status = ENOMEM12;
930	goto out;
931	}
932	} else {
933	linkedcell = NULL((void )0);
934	}
935	}
936
937	if (ll_string(&authedcells, ll_s_check, cellconf.name)) {
938	afs_dprintf("Already authenticated to %s (or tried to)\n", cellconf.name);
939	status = AKLOG_SUCCESS0;
940	goto out;
941	}
942
943	/*
944	* Record that we have attempted to log to this cell. We do this
945	* before we try rather than after so that we will not try
946	* and fail repeatedly for one cell.
947	*/
948	ll_string(&authedcells, ll_s_add, cellconf.name);
949
950	/*
951	* Record this cell in the list of zephyr subscriptions. We may
952	* want zephyr subscriptions even if authentication fails.
953	* If this is done after we attempt to get tokens, aklog -zsubs
954	* can return something different depending on whether or not we
955	* are in -noauth mode.
956	*/
957	if (ll_string(&zsublist, ll_s_add, cellconf.name) == LL_FAILURE-1) {
958	fprintf(stderr__stderrp,
959	"%s: failure adding cell %s to zephyr subscriptions list.\n",
960	progname, cellconf.name);
961	exit(AKLOG_MISC7);
962	}
963	if (ll_string(&zsublist, ll_s_add, local_cell) == LL_FAILURE-1) {
964	fprintf(stderr__stderrp,
965	"%s: failure adding cell %s to zephyr subscriptions list.\n",
966	progname, local_cell);
967	exit(AKLOG_MISC7);
968	}
969
970	if (!noauth) {
971	afs_dprintf("Authenticating to cell %s (server %s).\n", cellconf.name,
972	cellconf.hostName[0]);
973
974	token = token_buildTokenJar(cellconf.name);
975	if (token == NULL((void *)0)) {
976	status = ENOMEM12;
977	goto out;
978	}
979
980	status = rxkad_get_token(context, &cellconf, realm, &rxkadToken,
981	&username, &isForeign);
982	if (status)
983	goto out;
984
985	/* We need to keep the token structure around so that we can stick
986	* the viceId into it (once we know it) */
987	status = token_addToken(token, rxkadToken);
988	if (status) {
989	afs_dprintf("Add Token failed with %d", status);
990	goto out;
991	}
992
993	if (!force &&
994	ktc_GetTokenEx(cellconf.name, &btoken) == 0 &&
995	token_SetsEquivalent(token, btoken)) {
996
997	token_FreeSet(&btoken);
998	afs_dprintf("Identical tokens already exist; skipping.\n");
999	status = AKLOG_SUCCESS0;
1000	goto out;
1001	}
1002
1003	if (btoken)
1004	token_FreeSet(&btoken);
1005
1006	#ifdef FORCE_NOPRDB
1007	noprdb = 1;
1008	#endif
1009
1010	if (noprdb) {
1011	afs_dprintf("Not resolving name %s to id (-noprdb set)\n", username);
1012	}
1013	else {
1014	afs_dprintf("About to resolve name %s to id in cell %s.\n", username,
1015	cellconf.name);
1016
1017	if (!pr_Initialize (0, AFSDIR_CLIENT_ETC_DIRPATHgetDirPath(AFSDIR_CLIENT_ETC_DIRPATH_ID), cellconf.name))
1018	status = pr_SNameToId (username, &viceId);
1019
1020	if (status)
1021	afs_dprintf("Error %d\n", status);
1022	else
1023	afs_dprintf("Id %d\n", (int) viceId);
1024
1025
1026	/*
1027	* This code is taken from cklog -- it lets people
1028	* automatically register with the ptserver in foreign cells
1029	*/
1030
1031	#ifdef ALLOW_REGISTER1
1032	if ((status == 0) && (viceId == ANONYMOUSID32766) && isForeign) {
1033	afs_dprintf("doing first-time registration of %s at %s\n",
1034	username, cellconf.name);
1035	viceId = 0;
1036
1037	status = ktc_SetTokenEx(token);
1038	if (status) {
1039	afs_com_err(progname, status,
1040	"while obtaining tokens for cell %s",
1041	cellconf.name);
1042	status = AKLOG_TOKEN5;
1043	}
1044
1045	/*
1046	* In case you're wondering, we don't need to change the
1047	* filename here because we're still connecting to the
1048	* same cell -- we're just using a different authenticat ion
1049	* level
1050	*/
1051
1052	if ((status = pr_Initialize(1L, AFSDIR_CLIENT_ETC_DIRPATHgetDirPath(AFSDIR_CLIENT_ETC_DIRPATH_ID),
1053	cellconf.name))) {
1054	printf("Error %d\n", status);
1055	}
1056
1057	if ((status = pr_CreateUser(username, &viceId))) {
1058	fprintf(stderr__stderrp, "%s: %s so unable to create remote PTS "
1059	"user %s in cell %s (status: %d).\n", progname,
1060	afs_error_message(status), username, cellconf.name,
1061	status);
1062	viceId = ANONYMOUSID32766;
1063	} else {
1064	printf("created cross-cell entry for %s (Id %d) at %s\n",
1065	username, viceId, cellconf.name);
1066	}
1067	}
1068	#endif /* ALLOW_REGISTER */
1069
1070	if ((status == 0) && (viceId != ANONYMOUSID32766)) {
1071	rxkadToken->ktc_tokenUnion_u.at_kad.rk_viceid = viceId;
1072	token_replaceToken(token, rxkadToken);
1073	}
1074	}
1075
1076	afs_dprintf("Setting tokens. %s @ %s \n", username, cellconf.name);
1077
1078	#ifndef AFS_AIX51_ENV
1079	/* on AIX 4.1.4 with AFS 3.4a+ if a write is not done before
1080	* this routine, it will not add the token. It is not clear what
1081	* is going on here! So we will do the following operation.
1082	* On AIX 5, it causes the parent program to die, so we won't.
1083	*/
1084	write(2,"",0); /* dummy write */
1085	#endif
1086	token_setPag(token, afssetpag);
1087	status = ktc_SetTokenEx(token);
1088	if (status) {
1089	afs_com_err(progname, status, "while setting tokens for cell %s",
1090	cellconf.name);
1091	status = AKLOG_TOKEN5;
1092	}
1093	}
1094	else
1095	afs_dprintf("Noauth mode; not authenticating.\n");
1096
1097	out:
1098	if (rxkadToken) {
1099	free(rxkadToken->ktc_tokenUnion_u.at_kad.rk_ticket.rk_ticket_val);
1100	free(rxkadToken);
1101	}
1102
1103	if (local_cell)
1104	free(local_cell);
1105	if (username)
1106	free(username);
1107
1108	return(status);
1109	}
1110
1111	static int
1112	get_afs_mountpoint(char file, char mountpoint, int size)
1113	{
1114	#ifdef AFS_SUN_ENV
1115	char V ='V'; /* AFS has problem on Sun with pioctl */
1116	#endif
1117	char our_file[MAXPATHLEN1024 + 1];
1118	char *parent_dir;
1119	char *last_component;
1120	struct ViceIoctl vio;
1121	char cellname[BUFSIZ1024];
1122
1123	memset(our_file, 0, sizeof(our_file));
1124	strcpy(our_file, file);
1125
1126	if ((last_component = strrchr(our_file, DIR'/'))) {
1127	*last_component++ = 0;
1128	parent_dir = our_file;
1129	}
1130	else {
1131	last_component = our_file;
1132	parent_dir = ".";
1133	}
1134
1135	memset(cellname, 0, sizeof(cellname));
1136
1137	vio.in = last_component;
1138	vio.in_size = strlen(last_component)+1;
1139	vio.out_size = size;
1140	vio.out = mountpoint;
1141
1142	if (!pioctl(parent_dir, VIOC_AFS_STAT_MT_PT((unsigned int) ((unsigned long) ((0x80000000) \| (((sizeof(struct ViceIoctl)) & ((1 << 13) - 1)) << 16) \| ((('V' )) << 8) \| ((29))))), &vio, 0)) {
1143	if (strchr(mountpoint, VOLMARKER':') == NULL((void *)0)) {
1144	vio.in = file;
1145	vio.in_size = strlen(file) + 1;
1146	vio.out_size = sizeof(cellname);
1147	vio.out = cellname;
1148
1149	if (!pioctl(file, VIOC_FILE_CELL_NAME((unsigned int) ((unsigned long) ((0x80000000) \| (((sizeof(struct ViceIoctl)) & ((1 << 13) - 1)) << 16) \| ((('V' )) << 8) \| ((30))))), &vio, 1)) {
1150	strcat(cellname, VOLMARKERSTRING":");
1151	strcat(cellname, mountpoint + 1);
1152	memset(mountpoint + 1, 0, size - 1);
1153	strcpy(mountpoint + 1, cellname);
1154	}
1155	}
1156	return(TRUE1);
1157	}
1158	else
1159	return(FALSE0);
1160	}
1161
1162	/*
1163	* This routine each time it is called returns the next directory
1164	* down a pathname. It resolves all symbolic links. The first time
1165	* it is called, it should be called with the name of the path
1166	* to be descended. After that, it should be called with the arguemnt
1167	* NULL.
1168	*/
1169	static char *
1170	next_path(char *origpath)
1171	{
1172	static char path[MAXPATHLEN1024 + 1];
1173	static char pathtocheck[MAXPATHLEN1024 + 1];
1174
1175	int link = FALSE0; /* Is this a symbolic link? */
1176	char linkbuf[MAXPATHLEN1024 + 1];
1177	char tmpbuf[MAXPATHLEN1024 + 1];
1178
1179	static char last_comp; / last component of directory name */
1180	static char elast_comp; / End of last component */
1181	char *t;
1182	int len;
1183
1184	static int symlinkcount = 0; /* We can't exceed MAXSYMLINKS */
1185
1186	/* If we are given something for origpath, we are initializing only. */
1187	if (origpath) {
1188	memset(path, 0, sizeof(path));
1189	memset(pathtocheck, 0, sizeof(pathtocheck));
1190	strcpy(path, origpath);
1191	last_comp = path;
1192	symlinkcount = 0;
1193	return(NULL((void *)0));
1194	}
1195
1196	/* We were not given origpath; find then next path to check */
1197
1198	/* If we've gotten all the way through already, return NULL */
1199	if (last_comp == NULL((void *)0))
1200	return(NULL((void *)0));
1201
1202	do {
1203	while (*last_comp == DIR'/')
1204	strncat(pathtocheck, last_comp++, 1);
1205	len = (elast_comp = strchr(last_comp, DIR'/'))
1206	? elast_comp - last_comp : strlen(last_comp);
1207	strncat(pathtocheck, last_comp, len);
1208	memset(linkbuf, 0, sizeof(linkbuf));
1209	if ((link = (readlink(pathtocheck, linkbuf,
1210	sizeof(linkbuf)) > 0))) {
1211	if (++symlinkcount > MAXSYMLINKS32) {
1212	fprintf(stderr__stderrp, "%s: %s\n", progname, strerror(ELOOP62));
1213	exit(AKLOG_BADPATH6);
1214	}
1215	memset(tmpbuf, 0, sizeof(tmpbuf));
1216	if (elast_comp)
1217	strcpy(tmpbuf, elast_comp);
1218	if (linkbuf[0] == DIR'/') {
1219	/*
1220	* If this is a symbolic link to an absolute path,
1221	* replace what we have by the absolute path.
1222	*/
1223	memset(path, 0, strlen(path));
1224	memcpy(path, linkbuf, sizeof(linkbuf));
1225	strcat(path, tmpbuf);
1226	last_comp = path;
1227	elast_comp = NULL((void *)0);
1228	memset(pathtocheck, 0, sizeof(pathtocheck));
1229	}
1230	else {
1231	/*
1232	* If this is a symbolic link to a relative path,
1233	* replace only the last component with the link name.
1234	*/
1235	strncpy(last_comp, linkbuf, strlen(linkbuf) + 1);
1236	strcat(path, tmpbuf);
1237	elast_comp = NULL((void *)0);
1238	if ((t = strrchr(pathtocheck, DIR'/'))) {
1239	t++;
1240	memset(t, 0, strlen(t));
1241	}
1242	else
1243	memset(pathtocheck, 0, sizeof(pathtocheck));
1244	}
1245	}
1246	else
1247	last_comp = elast_comp;
1248	}
1249	while(link);
1250
1251	return(pathtocheck);
1252	}
1253
1254	static void
1255	add_hosts(char *file)
1256	{
1257	#ifdef AFS_SUN_ENV
1258	char V = 'V'; /* AFS has problem on SunOS */
1259	#endif
1260	struct ViceIoctl vio;
1261	char outbuf[BUFSIZ1024];
1262	long *phosts;
1263	int i;
1264	struct hostent *hp;
1265	struct in_addr in;
1266
1267	memset(outbuf, 0, sizeof(outbuf));
1268
1269	vio.out_size = sizeof(outbuf);
1270	vio.in_size = 0;
1271	vio.out = outbuf;
1272
1273	afs_dprintf("Getting list of hosts for %s\n", file);
1274
1275	/* Don't worry about errors. */
1276	if (!pioctl(file, VIOCWHEREIS((unsigned int) ((unsigned long) ((0x80000000) \| (((sizeof(struct ViceIoctl)) & ((1 << 13) - 1)) << 16) \| ((('V' )) << 8) \| ((14))))), &vio, 1)) {
1277	phosts = (long *) outbuf;
1278
1279	/*
1280	* Lists hosts that we care about. If ALLHOSTS is defined,
1281	* then all hosts that you ever may possible go through are
1282	* included in this list. If not, then only hosts that are
1283	* the only ones appear. That is, if a volume you must use
1284	* is replaced on only one server, that server is included.
1285	* If it is replicated on many servers, then none are included.
1286	* This is not perfect, but the result is that people don't
1287	* get subscribed to a lot of instances of FILSRV that they
1288	* probably won't need which reduces the instances of
1289	* people getting messages that don't apply to them.
1290	*/
1291	#ifndef ALLHOSTS
1292	if (phosts[1] != '\0')
1293	return;
1294	#endif
1295	for (i = 0; phosts[i]; i++) {
1296	if (hosts) {
1297	in.s_addr = phosts[i];
1298	afs_dprintf("Got host %s\n", inet_ntoa__inet_ntoa(in));
1299	ll_string(&hostlist, ll_s_add, (char *)inet_ntoa__inet_ntoa(in));
1300	}
1301	if (zsubs && (hp=gethostbyaddr((char *) &phosts[i],sizeof(long),AF_INET2))) {
1302	afs_dprintf("Got host %s\n", hp->h_name);
1303	ll_string(&zsublist, ll_s_add, hp->h_name);
1304	}
1305	}
1306	}
1307	}
1308
1309	/*
1310	* This routine descends through a path to a directory, logging to
1311	* every cell it encounters along the way.
1312	*/
1313	static int
1314	auth_to_path(krb5_context context, char *path)
1315	{
1316	int status = AKLOG_SUCCESS0;
1317	int auth_status = AKLOG_SUCCESS0;
1318
1319	char *nextpath;
1320	char pathtocheck[MAXPATHLEN1024 + 1];
1321	char mountpoint[MAXPATHLEN1024 + 1];
1322
1323	char *cell;
1324	char *endofcell;
1325
1326	u_char isdirectory;
1327
1328	/* Initialize */
1329	if (path[0] == DIR'/')
1330	strcpy(pathtocheck, path);
1331	else {
1332	if (getcwd(pathtocheck, sizeof(pathtocheck)) == NULL((void *)0)) {
1333	fprintf(stderr__stderrp, "Unable to find current working directory:\n");
1334	fprintf(stderr__stderrp, "%s\n", pathtocheck);
1335	fprintf(stderr__stderrp, "Try an absolute pathname.\n");
1336	exit(AKLOG_BADPATH6);
1337	}
1338	else {
1339	strcat(pathtocheck, DIRSTRING"/");
1340	strcat(pathtocheck, path);
1341	}
1342	}
1343	next_path(pathtocheck);
1344
1345	/* Go on to the next level down the path */
1346	while ((nextpath = next_path(NULL((void *)0)))) {
1347	strcpy(pathtocheck, nextpath);
1348	afs_dprintf("Checking directory %s\n", pathtocheck);
1349	/*
1350	* If this is an afs mountpoint, determine what cell from
1351	* the mountpoint name which is of the form
1352	* #cellname:volumename or %cellname:volumename.
1353	*/
1354	if (get_afs_mountpoint(pathtocheck, mountpoint, sizeof(mountpoint))) {
1355	/* skip over the '#' or '%' */
1356	cell = mountpoint + 1;
1357	/* Add this (cell:volumename) to the list of zsubs */
1358	if (zsubs)
1359	ll_string(&zsublist, ll_s_add, cell);
1360	if (zsubs \|\| hosts)
1361	add_hosts(pathtocheck);
1362	if ((endofcell = strchr(mountpoint, VOLMARKER':'))) {
1363	*endofcell = '\0';
1364	if ((auth_status = auth_to_cell(context, cell, NULL((void )0), NULL((void )0)))) {
1365	if (status == AKLOG_SUCCESS0)
1366	status = auth_status;
1367	else if (status != auth_status)
1368	status = AKLOG_SOMETHINGSWRONG2;
1369	}
1370	}
1371	}
1372	else {
1373	if (isdir(pathtocheck, &isdirectory) < 0) {
1374	/*
1375	* If we've logged and still can't stat, there's
1376	* a problem...
1377	*/
1378	fprintf(stderr__stderrp, "%s: stat(%s): %s\n", progname,
1379	pathtocheck, strerror(errno(* __error())));
1380	return(AKLOG_BADPATH6);
1381	}
1382	else if (! isdirectory) {
1383	/* Allow only directories */
1384	fprintf(stderr__stderrp, "%s: %s: %s\n", progname, pathtocheck,
1385	strerror(ENOTDIR20));
1386	return(AKLOG_BADPATH6);
1387	}
1388	}
1389	}
1390
1391
1392	return(status);
1393	}
1394
1395
1396	/* Print usage message and exit */
1397	static void
1398	usage(void)
1399	{
1400	fprintf(stderr__stderrp, "\nUsage: %s %s%s%s\n", progname,
1401	"[-d] [[-cell \| -c] cell [-k krb_realm]] ",
1402	"[[-p \| -path] pathname]\n",
1403	" [-zsubs] [-hosts] [-noauth] [-noprdb] [-force] [-setpag] \n"
1404	" [-linked]"
1405	#ifndef HAVE_NO_KRB5_524
1406	" [-524]"
1407	#endif
1408	"\n");
1409	fprintf(stderr__stderrp, " -d gives debugging information.\n");
1410	fprintf(stderr__stderrp, " krb_realm is the kerberos realm of a cell.\n");
1411	fprintf(stderr__stderrp, " pathname is the name of a directory to which ");
1412	fprintf(stderr__stderrp, "you wish to authenticate.\n");
1413	fprintf(stderr__stderrp, " -zsubs gives zephyr subscription information.\n");
1414	fprintf(stderr__stderrp, " -hosts gives host address information.\n");
1415	fprintf(stderr__stderrp, " -noauth does not attempt to get tokens.\n");
1416	fprintf(stderr__stderrp, " -noprdb means don't try to determine AFS ID.\n");
1417	fprintf(stderr__stderrp, " -force means replace identical tickets. \n");
1418	fprintf(stderr__stderrp, " -linked means if AFS node is linked, try both. \n");
1419	fprintf(stderr__stderrp, " -setpag set the AFS process authentication group.\n");
1420	#ifndef HAVE_NO_KRB5_524
1421	fprintf(stderr__stderrp, " -524 means use the 524 converter instead of V5 directly\n");
1422	#endif
1423	fprintf(stderr__stderrp, " No commandline arguments means ");
1424	fprintf(stderr__stderrp, "authenticate to the local cell.\n");
1425	fprintf(stderr__stderrp, "\n");
1426	exit(AKLOG_USAGE1);
1427	}
1428
1429	int
1430	main(int argc, char *argv[])
1431	{
1432	krb5_context context;
1433	int status = AKLOG_SUCCESS0;
1434	int i;
1435	int somethingswrong = FALSE0;
1436
1437	cellinfo_t cellinfo;
1438
1439	extern char progname; / Name of this program */
1440
1441	int cmode = FALSE0; /* Cellname mode */
1442	int pmode = FALSE0; /* Path name mode */
1443
1444	char realm[REALM_SZ40]; /* Kerberos realm of afs server */
1445	char cell[BUFSIZ1024]; /* Cell to which we are authenticating */
1446	char path[MAXPATHLEN1024 + 1]; /* Path length for path mode */
1447
1448	linked_list cells; /* List of cells to log to */
1449	linked_list paths; /* List of paths to log to */
1450	ll_node *cur_node;
1451	char *linkedcell;
1452
1453	memset(&cellinfo, 0, sizeof(cellinfo));
1454
1455	memset(realm, 0, sizeof(realm));
1456	memset(cell, 0, sizeof(cell));
1457	memset(path, 0, sizeof(path));
1458
1459	ll_init(&cells);
1460	ll_init(&paths);
1461
1462	ll_init(&zsublist);
1463	ll_init(&hostlist);
1464
1465	/* Store the program name here for error messages */
1466	if ((progname = strrchr(argv[0], DIR'/')))
1467	progname++;
1468	else
1469	progname = argv[0];
1470
1471	krb5_init_context(&context);
1472	initialize_KTC_error_table ();
1473	initialize_U_error_table();
1474	initialize_RXK_error_table();
1475	initialize_ACFG_error_table();
1476	initialize_PT_error_table();
1477	afs_set_com_err_hook(redirect_errors);
1478
1479	/*
1480	* Enable DES enctypes, which are currently still required for AFS.
1481	* krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
1482	* Heimdal.
1483	*/
1484	#if defined(HAVE_KRB5_ENCTYPE_ENABLE)
1485	i = krb5_enctype_valid(context, ETYPE_DES_CBC_CRC);
1486	if (i)
1487	krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
1488	#elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
1489	krb5_allow_weak_crypto(context, 1);
1490	#endif
1491
1492	/* Initialize list of cells to which we have authenticated */
1493	ll_init(&authedcells);
1494
1495	/* Parse commandline arguments and make list of what to do. */
1496	for (i = 1; i < argc; i++) {
1497	if (strcmp(argv[i], "-d") == 0)
1498	dflag++;
1499	else if (strcmp(argv[i], "-noauth") == 0)
1500	noauth++;
1501	else if (strcmp(argv[i], "-zsubs") == 0)
1502	zsubs++;
1503	else if (strcmp(argv[i], "-hosts") == 0)
1504	hosts++;
1505	else if (strcmp(argv[i], "-noprdb") == 0)
1506	noprdb++;
1507	else if (strcmp(argv[i], "-linked") == 0)
1508	linked++;
1509	else if (strcmp(argv[i], "-force") == 0)
1510	force++;
1511	#ifndef HAVE_NO_KRB5_524
1512	else if (strcmp(argv[i], "-524") == 0)
1513	do524++;
1514	#endif
1515	else if (strcmp(argv[i], "-setpag") == 0)
1516	afssetpag++;
1517	else if (((strcmp(argv[i], "-cell") == 0) \|\|
1518	(strcmp(argv[i], "-c") == 0)) && !pmode)
1519	if (++i < argc) {
1520	cmode++;
1521	strcpy(cell, argv[i]);
1522	}
1523	else
1524	usage();
1525	else if ((strcmp(argv[i], "-keytab") == 0))
1526	if (++i < argc) {
1527	keytab = argv[i];
1528	}
1529	else
1530	usage();
1531	else if ((strcmp(argv[i], "-principal") == 0))
1532	if (++i < argc) {
1533	client = argv[i];
1534	}
1535	else
1536	usage();
1537	else if (((strcmp(argv[i], "-path") == 0) \|\|
1538	(strcmp(argv[i], "-p") == 0)) && !cmode)
1539	if (++i < argc) {
1540	pmode++;
1541	strcpy(path, argv[i]);
1542	}
1543	else
1544	usage();
1545
1546	else if (argv[i][0] == '-')
1547	usage();
1548	else if (!pmode && !cmode) {
1549	if (strchr(argv[i], DIR'/') \|\| (strcmp(argv[i], ".") == 0) \|\|
1550	(strcmp(argv[i], "..") == 0)) {
1551	pmode++;
1552	strcpy(path, argv[i]);
1553	}
1554	else {
1555	cmode++;
1556	strcpy(cell, argv[i]);
1557	}
1558	}
1559	else
1560	usage();
1561
1562	if (cmode) {
1563	if (((i + 1) < argc) && (strcmp(argv[i + 1], "-k") == 0)) {
1564	i+=2;
1565	if (i < argc)
1566	strcpy(realm, argv[i]);
1567	else
1568	usage();
1569	}
1570	/* Add this cell to list of cells */
1571	strcpy(cellinfo.cell, cell);
1572	strcpy(cellinfo.realm, realm);
1573	if ((cur_node = ll_add_node(&cells, ll_tail))) {
1574	char *new_cellinfo;
1575	if ((new_cellinfo = copy_cellinfo(&cellinfo)))
1576	ll_add_data(cur_node, new_cellinfo)(((cur_node)->data)=(char*)(new_cellinfo));
1577	else {
1578	fprintf(stderr__stderrp,
1579	"%s: failure copying cellinfo.\n", progname);
1580	exit(AKLOG_MISC7);
1581	}
1582	}
1583	else {
1584	fprintf(stderr__stderrp, "%s: failure adding cell to cells list.\n",
1585	progname);
1586	exit(AKLOG_MISC7);
1587	}
1588	memset(&cellinfo, 0, sizeof(cellinfo));
1589	cmode = FALSE0;
1590	memset(cell, 0, sizeof(cell));
1591	memset(realm, 0, sizeof(realm));
1592	}
1593	else if (pmode) {
1594	/* Add this path to list of paths */
1595	if ((cur_node = ll_add_node(&paths, ll_tail))) {
1596	char *new_path;
1597	if ((new_path = strdup(path)))
1598	ll_add_data(cur_node, new_path)(((cur_node)->data)=(char*)(new_path));
1599	else {
1600	fprintf(stderr__stderrp, "%s: failure copying path name.\n",
1601	progname);
1602	exit(AKLOG_MISC7);
1603	}
1604	}
1605	else {
1606	fprintf(stderr__stderrp, "%s: failure adding path to paths list.\n",
1607	progname);
1608	exit(AKLOG_MISC7);
1609	}
1610	pmode = FALSE0;
1611	memset(path, 0, sizeof(path));
1612	}
1613	}
1614
1615	/* If nothing was given, log to the local cell. */
1616	if ((cells.nelements + paths.nelements) == 0) {
1617	struct passwd *pwd;
1618
1619	status = auth_to_cell(context, NULL((void )0), NULL((void )0), &linkedcell);
1620
1621	/* If this cell is linked to a DCE cell, and user requested -linked,
1622	* get tokens for both. This is very useful when the AFS cell is
1623	* linked to a DFS cell and this system does not also have DFS.
1624	*/
1625
1626	if (!status && linked && linkedcell != NULL((void *)0)) {
1627	afs_dprintf("Linked cell: %s\n", linkedcell);
1628	status = auth_to_cell(context, linkedcell, NULL((void )0), NULL((void )0));
1629	}
1630	if (linkedcell) {
1631	free(linkedcell);
1632	linkedcell = NULL((void *)0);
1633	}
1634
1635	/*
1636	* Local hack - if the person has a file in their home
1637	* directory called ".xlog", read that for a list of
1638	* extra cells to authenticate to
1639	*/
1640
1641	if ((pwd = getpwuid(getuid())) != NULL((void *)0)) {
1642	struct stat sbuf;
1643	FILE *f;
1644	char fcell[100], xlog_path[512];
1645
1646	strcpy(xlog_path, pwd->pw_dir);
1647	strcat(xlog_path, "/.xlog");
1648
1649	if ((stat(xlog_path, &sbuf) == 0) &&
1650	((f = fopen(xlog_path, "r")) != NULL((void *)0))) {
1651
1652	afs_dprintf("Reading %s for cells to authenticate to.\n",
1653	xlog_path);
1654
1655	while (fgets(fcell, 100, f) != NULL((void *)0)) {
1656	int auth_status;
1657
1658	fcell[strlen(fcell) - 1] = '\0';
1659
1660	afs_dprintf("Found cell %s in %s.\n", fcell, xlog_path);
1661
1662	auth_status = auth_to_cell(context, fcell, NULL((void )0), NULL((void )0));
1663	if (status == AKLOG_SUCCESS0)
1664	status = auth_status;
1665	else
1666	status = AKLOG_SOMETHINGSWRONG2;
1667	}
1668	}
1669	}
1670	}
1671	else {
1672	/* Log to all cells in the cells list first */
1673	for (cur_node = cells.first; cur_node; cur_node = cur_node->next) {
1674	memcpy((char *)&cellinfo, cur_node->data, sizeof(cellinfo));
1675	if ((status = auth_to_cell(context, cellinfo.cell, cellinfo.realm,
1676	&linkedcell)))
1677	somethingswrong++;
1678	else {
1679	if (linked && linkedcell != NULL((void *)0)) {
1680	afs_dprintf("Linked cell: %s\n", linkedcell);
1681	if ((status = auth_to_cell(context, linkedcell,
1682	cellinfo.realm, NULL((void *)0))))
1683	somethingswrong++;
1684	}
1685	if (linkedcell != NULL((void *)0)) {
1686	free(linkedcell);
1687	linkedcell = NULL((void *)0);
1688	}
1689	}
1690	}
1691
1692	/* Then, log to all paths in the paths list */
1693	for (cur_node = paths.first; cur_node; cur_node = cur_node->next) {
1694	if ((status = auth_to_path(context, cur_node->data)))
1695	somethingswrong++;
1696	}
1697
1698	/*
1699	* If only one thing was logged to, we'll return the status
1700	* of the single call. Otherwise, we'll return a generic
1701	* something failed status.
1702	*/
1703	if (somethingswrong && ((cells.nelements + paths.nelements) > 1))
1704	status = AKLOG_SOMETHINGSWRONG2;
1705	}
1706
1707	/* If we are keeping track of zephyr subscriptions, print them. */
1708	if (zsubs)
1709	for (cur_node = zsublist.first; cur_node; cur_node = cur_node->next) {
1710	printf("zsub: %s\n", cur_node->data);
1711	}
1712
1713	/* If we are keeping track of host information, print it. */
1714	if (hosts)
1715	for (cur_node = hostlist.first; cur_node; cur_node = cur_node->next) {
1716	printf("host: %s\n", cur_node->data);
1717	}
1718
1719	exit(status);
1720	}
1721
1722	static int
1723	isdir(char path, unsigned char val)
1724	{
1725	struct stat statbuf;
1726
1727	if (lstat(path, &statbuf) < 0)
1728	return (-1);
1729	else {
1730	if ((statbuf.st_mode & S_IFMT0170000) == S_IFDIR0040000)
1731	*val = TRUE1;
1732	else
1733	*val = FALSE0;
1734	return (0);
1735	}
1736	}
1737
1738	static krb5_error_code
1739	get_credv5_akimpersonate(krb5_context context,
1740	char* keytab,
1741	krb5_principal service_principal,
1742	krb5_principal client_principal,
1743	time_t starttime,
1744	time_t endtime,
1745	int *allowed_enctypes,
1746	int *paddress,
1747	krb5_creds** out_creds /* out */ )
1748	{
1749	#if defined(USING_HEIMDAL1) \|\| (defined(HAVE_ENCODE_KRB5_ENC_TKT) && defined(HAVE_ENCODE_KRB5_TICKET) && defined(HAVE_KRB5_C_ENCRYPT1))
1750	krb5_error_code code;
1751	krb5_keytab kt = 0;
1752	krb5_kt_cursor cursor[1];
1753	krb5_keytab_entry entry[1];
1754	krb5_ccache cc = 0;
1755	krb5_creds *creds = 0;
1756	krb5_enctype enctype;
1757	krb5_kvno kvno;
1758	krb5_keyblock session_key[1];
1759	#if USING_HEIMDAL1
1760	Ticket ticket_reply[1];
1761	EncTicketPart enc_tkt_reply[1];
1762	krb5_address address[30];
1763	krb5_addresses faddr[1];
1764	int temp_vno[1];
1765	time_t temp_time[2];
1766	#else
1767	krb5_ticket ticket_reply[1];
1768	krb5_enc_tkt_part enc_tkt_reply[1];
1769	krb5_address address[30], *faddr[30];
1770	krb5_data * temp;
1771	#endif
1772	int i;
1773	static int any_enctype[] = {0};
1774	*out_creds = 0;
1775	if (!(creds = malloc(sizeof *creds))) {
1776	code = ENOMEM12;
1777	goto cleanup;
1778	}
1779	if (!allowed_enctypes)
1780	allowed_enctypes = any_enctype;
1781
1782	cc = 0;
1783	enctype = 0; /* AKIMPERSONATE_IGNORE_ENCTYPE */
	Value stored to 'enctype' is never read
1784	kvno = 0; /* AKIMPERSONATE_IGNORE_VNO */
1785	memset((char)creds, 0, sizeof creds);
1786	memset((char)entry, 0, sizeof entry);
1787	memset((char)session_key, 0, sizeof session_key);
1788	memset((char)ticket_reply, 0, sizeof ticket_reply);
1789	memset((char)enc_tkt_reply, 0, sizeof enc_tkt_reply);
1790	code = krb5_kt_resolve(context, keytab, &kt);
1791	if (code) {
1792	if (keytab)
1793	afs_com_err(progname, code, "while resolving keytab %s", keytab);
1794	else
1795	afs_com_err(progname, code, "while resolving default keytab");
1796	goto cleanup;
1797	}
1798
1799	if (service_principal) {
1800	for (i = 0; (enctype = allowed_enctypes[i]) \|\| !i; ++i) {
1801	code = krb5_kt_get_entry(context,
1802	kt,
1803	service_principal,
1804	kvno,
1805	enctype,
1806	entry);
1807	if (!code) {
1808	if (allowed_enctypes[i])
1809	deref_keyblock_enctype(session_key)((session_key)->keytype) = allowed_enctypes[i];
1810	break;
1811	}
1812	}
1813	if (code) {
1814	afs_com_err(progname, code,"while scanning keytab entries");
1815	goto cleanup;
1816	}
1817	} else {
1818	krb5_keytab_entry new[1];
1819	int best = -1;
1820	memset(new, 0, sizeof *new);
1821	if ((code == krb5_kt_start_seq_get(context, kt, cursor))) {
1822	afs_com_err(progname, code, "while starting keytab scan");
1823	goto cleanup;
1824	}
1825	while (!(code = krb5_kt_next_entry(context, kt, new, cursor))) {
1826	for (i = 0;
1827	allowed_enctypes[i] && allowed_enctypes[i]
1828	!= deref_entry_enctype(new)((&new->keyblock)->keytype); ++i)
1829	;
1830	if ((!i \|\| allowed_enctypes[i]) &&
1831	(best < 0 \|\| best > i)) {
1832	krb5_free_keytab_entry_contentskrb5_kt_free_entry(context, entry);
1833	entry = new;
1834	memset(new, 0, sizeof *new);
1835	} else krb5_free_keytab_entry_contentskrb5_kt_free_entry(context, new);
1836	}
1837	if ((i = krb5_kt_end_seq_get(context, kt, cursor))) {
1838	afs_com_err(progname, i, "while ending keytab scan");
1839	code = i;
1840	goto cleanup;
1841	}
1842	if (best < 0) {
1843	afs_com_err(progname, code, "while scanning keytab");
1844	goto cleanup;
1845	}
1846	deref_keyblock_enctype(session_key)((session_key)->keytype) = deref_entry_enctype(entry)((&entry->keyblock)->keytype);
1847	}
1848
1849	/* Make Ticket */
1850
1851	#if USING_HEIMDAL1
1852	if ((code = krb5_generate_random_keyblock(context,
1853	deref_keyblock_enctype(session_key)((session_key)->keytype), session_key))) {
1854	afs_com_err(progname, code, "while making session key");
1855	goto cleanup;
1856	}
1857	enc_tkt_reply->flags.initial = 1;
1858	enc_tkt_reply->transited.tr_type = DOMAIN_X500_COMPRESS;
1859	enc_tkt_reply->cname = client_principal->name;
1860	enc_tkt_reply->crealm = client_principal->realm;
1861	enc_tkt_reply->key = *session_key;
1862	{
1863	static krb5_data empty_string;
1864	enc_tkt_reply->transited.contents = empty_string;
1865	}
1866	enc_tkt_reply->authtime = starttime;
1867	enc_tkt_reply->starttime = temp_time;
1868	*enc_tkt_reply->starttime = starttime;
1869	#if 0
1870	enc_tkt_reply->renew_till = temp_time + 1;
1871	*enc_tkt_reply->renew_till = endtime;
1872	#endif
1873	enc_tkt_reply->endtime = endtime;
1874	#else
1875	if ((code = krb5_c_make_random_key(context,
1876	deref_keyblock_enctype(session_key)((session_key)->keytype), session_key))) {
1877	afs_com_err(progname, code, "while making session key");
1878	goto cleanup;
1879	}
1880	enc_tkt_reply->magic = KV5M_ENC_TKT_PART;
1881	#define DATACAST (unsigned char *)
1882	enc_tkt_reply->flags \|= TKT_FLG_INITIAL;
1883	enc_tkt_reply->transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
1884	enc_tkt_reply->session = session_key;
1885	enc_tkt_reply->client = client_principal;
1886	{
1887	static krb5_data empty_string;
1888	enc_tkt_reply->transited.tr_contents = empty_string;
1889	}
1890	enc_tkt_reply->times.authtime = starttime;
1891	enc_tkt_reply->times.starttime = starttime; /* krb524init needs this */
1892	enc_tkt_reply->times.endtime = endtime;
1893	#endif /* USING_HEIMDAL */
1894	/* NB: We will discard address for now--ignoring caddr field
1895	in any case. MIT branch does what it always did. */
1896
1897	if (paddress && *paddress) {
1898	deref_enc_tkt_addrs(enc_tkt_reply)enc_tkt_reply->caddr = faddr;
1899	#if USING_HEIMDAL1
1900	faddr->len = 0;
1901	faddr->val = address;
1902	#endif
1903	for (i = 0; paddress[i]; ++i) {
1904	#if USING_HEIMDAL1
1905	address[i].addr_type = KRB5_ADDRESS_INET;
1906	address[i].address.data = (void*)(paddress+i);
1907	address[i].address.length = sizeof(paddress[i]);
1908	#else
1909	#if !USING_SSL
1910	address[i].magic = KV5M_ADDRESS;
1911	address[i].addrtype = ADDRTYPE_INET;
1912	#else
1913	address[i].addrtype = AF_INET2;
1914	#endif
1915	address[i].contents = (void*)(paddress+i);
1916	address[i].length = sizeof(int);
1917	faddr[i] = address+i;
1918	#endif
1919	}
1920	#if USING_HEIMDAL1
1921	faddr->len = i;
1922	#else
1923	faddr[i] = 0;
1924	#endif
1925	}
1926
1927	#if USING_HEIMDAL1
1928	ticket_reply->sname = service_principal->name;
1929	ticket_reply->realm = service_principal->realm;
1930
1931	{ /* crypto block */
1932	krb5_crypto crypto = 0;
1933	unsigned char *buf = 0;
1934	size_t buf_size, buf_len;
1935	char *what;
1936
1937	ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size,do { (buf_size) = length_EncTicketPart((enc_tkt_reply)); (buf ) = malloc((buf_size)); if((buf) == ((void )0)) { (code) = 12 ; } else { (code) = encode_EncTicketPart(((unsigned char)(buf )) + (buf_size) - 1, (buf_size), (enc_tkt_reply), (&buf_len )); if((code) != 0) { free((buf)); (buf) = ((void *)0); } } } while (0)
1938	enc_tkt_reply, &buf_len, code)do { (buf_size) = length_EncTicketPart((enc_tkt_reply)); (buf ) = malloc((buf_size)); if((buf) == ((void )0)) { (code) = 12 ; } else { (code) = encode_EncTicketPart(((unsigned char)(buf )) + (buf_size) - 1, (buf_size), (enc_tkt_reply), (&buf_len )); if((code) != 0) { free((buf)); (buf) = ((void *)0); } } } while (0);
1939	if(code) {
1940	afs_com_err(progname, code, "while encoding ticket");
1941	goto cleanup;
1942	}
1943
1944	if(buf_len != buf_size) {
1945	afs_com_err(progname, code,
1946	"%u != %u while encoding ticket (internal ASN.1 encoder error",
1947	(unsigned int)buf_len, (unsigned int)buf_size);
1948	goto cleanup;
1949	}
1950	what = "krb5_crypto_init";
1951	code = krb5_crypto_init(context,
1952	&deref_entry_keyblock(entry)entry->keyblock,
1953	deref_entry_enctype(entry)((&entry->keyblock)->keytype),
1954	&crypto);
1955	if(!code) {
1956	what = "krb5_encrypt";
1957	code = krb5_encrypt_EncryptedData(context, crypto, KRB5_KU_TICKET,
1958	buf, buf_len, entry->vno, &(ticket_reply->enc_part));
1959	}
1960	if (buf) free(buf);
1961	if (crypto) krb5_crypto_destroy(context, crypto);
1962	if(code) {
1963	afs_com_err(progname, code, "while %s", what);
1964	goto cleanup;
1965	}
1966	} /* crypto block */
1967	ticket_reply->enc_part.etype = deref_entry_enctype(entry)((&entry->keyblock)->keytype);
1968	ticket_reply->enc_part.kvno = temp_vno;
1969	*ticket_reply->enc_part.kvno = entry->vno;
1970	ticket_reply->tkt_vno = 5;
1971	#else
1972	ticket_reply->server = service_principal;
1973	ticket_reply->enc_part2 = enc_tkt_reply;
1974	if ((code = krb5_encrypt_tkt_part(context, &deref_entry_keyblock(entry)entry->keyblock, ticket_reply))) {
1975	afs_com_err(progname, code, "while making ticket");
1976	goto cleanup;
1977	}
1978	ticket_reply->enc_part.kvno = entry->vno;
1979	#endif
1980
1981	/* Construct Creds */
1982
1983	if ((code = krb5_copy_principal(context, service_principal,
1984	&creds->server))) {
1985	afs_com_err(progname, code, "while copying service principal");
1986	goto cleanup;
1987	}
1988	if ((code = krb5_copy_principal(context, client_principal,
1989	&creds->client))) {
1990	afs_com_err(progname, code, "while copying client principal");
1991	goto cleanup;
1992	}
1993	if ((code = krb5_copy_keyblock_contents(context, session_key,
1994	&deref_session_key(creds)creds->session))) {
1995	afs_com_err(progname, code, "while copying session key");
1996	goto cleanup;
1997	}
1998
1999	#if USING_HEIMDAL1
2000	creds->times.authtime = enc_tkt_reply->authtime;
2001	creds->times.starttime = *(enc_tkt_reply->starttime);
2002	creds->times.endtime = enc_tkt_reply->endtime;
2003	creds->times.renew_till = 0; /* (enc_tkt_reply->renew_till) /
2004	creds->flags.b = enc_tkt_reply->flags;
2005	#else
2006	creds->times = enc_tkt_reply->times;
2007	creds->ticket_flags = enc_tkt_reply->flags;
2008	#endif
2009	if (!deref_enc_tkt_addrs(enc_tkt_reply)enc_tkt_reply->caddr)
2010	;
2011	else if ((code = krb5_copy_addresses(context,
2012	deref_enc_tkt_addrs(enc_tkt_reply)enc_tkt_reply->caddr, &creds->addresses))) {
2013	afs_com_err(progname, code, "while copying addresses");
2014	goto cleanup;
2015	}
2016
2017	#if USING_HEIMDAL1
2018	{
2019	size_t creds_tkt_len;
2020	ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,do { (creds->ticket.length) = length_Ticket((ticket_reply) ); (creds->ticket.data) = malloc((creds->ticket.length) ); if((creds->ticket.data) == ((void )0)) { (code) = 12; } else { (code) = encode_Ticket(((unsigned char)(creds->ticket .data)) + (creds->ticket.length) - 1, (creds->ticket.length ), (ticket_reply), (&creds_tkt_len)); if((code) != 0) { free ((creds->ticket.data)); (creds->ticket.data) = ((void * )0); } } } while (0)
2021	ticket_reply, &creds_tkt_len, code)do { (creds->ticket.length) = length_Ticket((ticket_reply) ); (creds->ticket.data) = malloc((creds->ticket.length) ); if((creds->ticket.data) == ((void )0)) { (code) = 12; } else { (code) = encode_Ticket(((unsigned char)(creds->ticket .data)) + (creds->ticket.length) - 1, (creds->ticket.length ), (ticket_reply), (&creds_tkt_len)); if((code) != 0) { free ((creds->ticket.data)); (creds->ticket.data) = ((void * )0); } } } while (0);
2022	if(code) {
2023	afs_com_err(progname, code, "while encoding ticket");
2024	goto cleanup;
2025	}
2026	}
2027	#else
2028	if ((code = encode_krb5_ticket(ticket_reply, &temp))) {
2029	afs_com_err(progname, code, "while encoding ticket");
2030	goto cleanup;
2031	}
2032	creds->ticket = *temp;
2033	free(temp);
2034	#endif
2035	/* return creds */
2036	*out_creds = creds;
2037	creds = 0;
2038	cleanup:
2039	if (deref_enc_data(&ticket_reply->enc_part)((&ticket_reply->enc_part)->cipher.data))
2040	free(deref_enc_data(&ticket_reply->enc_part)((&ticket_reply->enc_part)->cipher.data));
2041	krb5_free_keytab_entry_contentskrb5_kt_free_entry(context, entry);
2042	if (client_principal)
2043	krb5_free_principal(context, client_principal);
2044	if (service_principal)
2045	krb5_free_principal(context, service_principal);
2046	if (cc)
2047	krb5_cc_close(context, cc);
2048	if (kt)
2049	krb5_kt_close(context, kt);
2050	if (creds) krb5_free_creds(context, creds);
2051	krb5_free_keyblock_contents(context, session_key);
2052	return code;
2053	#else
2054	return -1;
2055	#endif
2056	}
2057
2058
2059	static krb5_error_code
2060	get_credv5(krb5_context context, char name, char inst, char *realm,
2061	krb5_creds **creds)
2062	{
2063	krb5_creds increds;
2064	krb5_error_code r;
2065	static krb5_principal client_principal = 0;
2066
2067	afs_dprintf("Getting tickets: %s%s%s@%s\n", name,
2068	(inst && inst[0]) ? "/" : "", inst ? inst : "", realm);
2069
2070	memset(&increds, 0, sizeof(increds));
2071	/* ANL - instance may be ptr to a null string. Pass null then */
2072	if ((r = krb5_build_principal(context, &increds.server,
2073	strlen(realm), realm,
2074	name,
2075	(inst && strlen(inst)) ? inst : (void ) NULL((void )0),
2076	(void ) NULL((void )0)))) {
2077	return r;
2078	}
2079
2080
2081	if (!_krb425_ccache) {
2082	r = krb5_cc_default(context, &_krb425_ccache);
2083	if (r)
2084	return r;
2085	}
2086	if (!client_principal) {
2087	if (client) {
2088	r = krb5_parse_name(context, client, &client_principal);
2089	} else {
2090	r = krb5_cc_get_principal(context, _krb425_ccache, &client_principal);
2091	}
2092	if (r)
2093	return r;
2094	}
2095
2096	increds.client = client_principal;
2097	increds.times.endtime = 0;
2098	/* Ask for DES since that is what V4 understands */
2099	get_creds_enctype((&increds))(&increds)->session.keytype = ENCTYPE_DES_CBC_CRC;
2100
2101	if (keytab) {
2102	int allowed_enctypes[] = {
2103	ENCTYPE_DES_CBC_CRC, 0
2104	};
2105
2106	r = get_credv5_akimpersonate(context,
2107	keytab,
2108	increds.server,
2109	increds.client,
2110	300, ((~0U)>>1),
2111	allowed_enctypes,
2112	0 /* paddress */,
2113	creds /* out */);
2114	} else {
2115	r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds);
2116	}
2117	return r;
2118	}
2119
2120
2121	static int
2122	get_user_realm(krb5_context context, char **realm)
2123	{
2124	static krb5_principal client_principal = 0;
2125	krb5_error_code r = 0;
2126
2127	realm = NULL((void )0);
2128
2129	if (!_krb425_ccache) {
2130	r = krb5_cc_default(context, &_krb425_ccache);
2131	if (r)
2132	return r;
2133	}
2134	if (!client_principal) {
2135	if (client) {
2136	r = krb5_parse_name(context, client, &client_principal);
2137	} else {
2138	r = krb5_cc_get_principal(context, _krb425_ccache, &client_principal);
2139	}
2140	if (r)
2141	return r;
2142	}
2143
2144	*realm = extract_realm(context, client_principal);
2145	if (realm == NULL((void )0))
2146	return ENOMEM12;
2147
2148	return(r);
2149	}