From 9139a60c94c24e41109574e84e7cda9c2dc3fb38 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 24 Feb 2023 14:15:14 -0500
Subject: Avoid using internal APIs in sim_client

In sim_client.c, remove the calls to krb5_gen_portaddr() and krb5_gen_replay_name() as they don't do anything after commit dcb853ac32779b173f39e19c0f24b0087de85771. Remove them, and include krb5.h plus appropriate system headers rather than k5-int.h. Also use a subkey when negotiating the auth context. Kerberos application protocols should generally use subkeys to prevent cross-connection replay attacks.
---
 src/appl/simple/client/sim_client.c | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/src/appl/simple/client/sim_client.c b/src/appl/simple/client/sim_client.c
index 08f06abe5..ea1379e60 100644
--- a/src/appl/simple/client/sim_client.c
+++ b/src/appl/simple/client/sim_client.c
@@ -29,14 +29,17 @@
 * This program performs no useful function.
 */
-#include
+#include
 #include "com_err.h"
 #include
 #include
 #include
+#include
+#include
+#include
 #include
-#include
+#include
 #ifdef HAVE_UNISTD_H
 #include
 #endif
@@ -66,7 +69,6 @@ main(int argc, char *argv[])
 int flags = 0; /* flags for sendto() */
 struct servent *serv;
 struct hostent *host;
- char *cp;
 #ifdef BROKEN_STREAMS_SOCKETS
 char my_hostname[MAXHOSTNAMELEN];
 #endif
@@ -85,7 +87,7 @@ main(int argc, char *argv[])
 krb5_error_code retval;
 krb5_data packet, inbuf;
 krb5_ccache ccdef;
- krb5_address addr, *portlocal_addr;
+ krb5_address addr;
 krb5_context context;
 krb5_auth_context auth_context = NULL;
@@ -202,8 +204,9 @@ main(int argc, char *argv[])
 exit(1);
 }
- if ((retval = krb5_mk_req(context, &auth_context, 0, service, hostname,
- &inbuf, ccdef, &packet))) {
+ retval = krb5_mk_req(context, &auth_context, AP_OPTS_USE_SUBKEY, service,
+ hostname, &inbuf, ccdef, &packet);
+ if (retval) {
 com_err(progname, retval, "while preparing AP_REQ");
 exit(1);
 }
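Review bot: In the include hunk (@@ -29,14 +29,17 @@), the `#ifdef HAVE_UNISTD_H` guard kept as context now depends on a configure macro that this file may no longer receive, since the internal k5-int.h include is replaced by the public krb5.h. If that macro, and `BROKEN_STREAMS_SOCKETS` used further down in main, previously reached the file only through the internal header, the guarded include and the guarded code would be dropped silently rather than fail the build. It is worth confirming where these macros are defined after the change, and either including the build's configuration header explicitly or removing guards that can no longer be true. The header names on the changed lines are not legible in this rendering, so this is inferred from the guard lines alone.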
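Review bot: In the krb5_mk_req hunk (@@ -202,8 +204,9 @@), the reason for passing `AP_OPTS_USE_SUBKEY` is recorded only in the commit message, and this is sample code that applications tend to copy. I would add a comment above the call, e.g. `/* Request a subkey so later KRB-SAFE/KRB-PRIV messages are keyed per connection rather than by the ticket session key; this limits cross-connection replay. */`. The subkey only helps if the peer's message protection uses the key carried in the auth context after it reads the AP-REQ; the server side is not part of this diff, so that is worth confirming. main's body starts and ends outside the hunk.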
@@ -251,20 +254,6 @@ main(int argc, char *argv[])
 exit(1);
 }
- /* THIS IS UGLY */
- if ((retval = krb5_gen_portaddr(context, &addr,
- (krb5_pointer) &c_sock.sin_port,
- &portlocal_addr))) {
- com_err(progname, retval, "while generating port address");
- exit(1);
- }
-
- if ((retval = krb5_gen_replay_name(context,portlocal_addr,
- "_sim_clt",&cp))) {
- com_err(progname, retval, "while generating replay cache name");
- exit(1);
- }
-
 /* Make the safe message */
 inbuf.data = message;
 inbuf.length = strlen(message);
-- 
cgit v1.2.1