new files
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@6184 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
89
appl/kx/context.c
Normal file
89
appl/kx/context.c
Normal file
@@ -0,0 +1,89 @@
|
||||
/*
|
||||
* Copyright (c) 1995 - 1999 Kungliga Tekniska H<>gskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* This product includes software developed by the Kungliga Tekniska
|
||||
* H<>gskolan and its contributors.
|
||||
*
|
||||
* 4. Neither the name of the Institute nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "kx.h"
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
void
|
||||
context_set (kx_context *kc, char *host, char *user, int port,
|
||||
int debug_flag, int keepalive_flag, int tcp_flag)
|
||||
{
|
||||
kc->host = host;
|
||||
kc->user = user;
|
||||
kc->port = port;
|
||||
kc->debug_flag = debug_flag;
|
||||
kc->keepalive_flag = keepalive_flag;
|
||||
kc->tcp_flag = tcp_flag;
|
||||
}
|
||||
|
||||
void
|
||||
context_destroy (kx_context *kc)
|
||||
{
|
||||
(*kc->destroy)(kc);
|
||||
}
|
||||
|
||||
int
|
||||
context_authenticate (kx_context *kc, int s)
|
||||
{
|
||||
return (*kc->authenticate)(kc, s);
|
||||
}
|
||||
|
||||
int
|
||||
context_userok (kx_context *kc, char *user)
|
||||
{
|
||||
return (*kc->userok)(kc, user);
|
||||
}
|
||||
|
||||
ssize_t
|
||||
kx_read (kx_context *kc, int fd, void *buf, size_t len)
|
||||
{
|
||||
return (*kc->read)(kc, fd, buf, len);
|
||||
}
|
||||
|
||||
ssize_t
|
||||
kx_write (kx_context *kc, int fd, const void *buf, size_t len)
|
||||
{
|
||||
return (*kc->write)(kc, fd, buf, len);
|
||||
}
|
||||
|
||||
int
|
||||
copy_encrypted (kx_context *kc, int fd1, int fd2)
|
||||
{
|
||||
return (*kc->copy_encrypted)(kc, fd1, fd2);
|
||||
}
|
309
appl/kx/krb4.c
Normal file
309
appl/kx/krb4.c
Normal file
@@ -0,0 +1,309 @@
|
||||
/*
|
||||
* Copyright (c) 1995 - 1999 Kungliga Tekniska H<>gskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* This product includes software developed by the Kungliga Tekniska
|
||||
* H<>gskolan and its contributors.
|
||||
*
|
||||
* 4. Neither the name of the Institute nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "kx.h"
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
#ifdef KRB4
|
||||
|
||||
struct krb4_kx_context {
|
||||
des_cblock key;
|
||||
des_key_schedule schedule;
|
||||
AUTH_DAT auth;
|
||||
};
|
||||
|
||||
typedef struct krb4_kx_context krb4_kx_context;
|
||||
|
||||
static void
|
||||
krb4_destroy (kx_context *c)
|
||||
{
|
||||
memset (c->data, 0, sizeof(krb4_kx_context));
|
||||
free (c->data);
|
||||
}
|
||||
|
||||
static int
|
||||
krb4_authenticate (kx_context *kc, int s)
|
||||
{
|
||||
CREDENTIALS cred;
|
||||
KTEXT_ST text;
|
||||
MSG_DAT msg;
|
||||
int status;
|
||||
krb4_kx_context *c = (krb4_kx_context *)kc->data;
|
||||
char *host = kc->host;
|
||||
|
||||
status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd",
|
||||
host, krb_realmofhost (host),
|
||||
getpid(), &msg, &cred, c->schedule,
|
||||
&kc->thisaddr, &kc->thataddr, KX_VERSION);
|
||||
if (status != KSUCCESS) {
|
||||
warnx ("%s: %s\n", host, krb_get_err_text(status));
|
||||
return -1;
|
||||
}
|
||||
memcpy (c->key, cred.session, sizeof(des_cblock));
|
||||
return 0;
|
||||
}
|
||||
|
||||
static ssize_t
|
||||
krb4_read (kx_context *kc,
|
||||
int fd, void *buf, size_t len)
|
||||
{
|
||||
unsigned char tmp[4];
|
||||
ssize_t ret;
|
||||
size_t l;
|
||||
int status;
|
||||
krb4_kx_context *c = (krb4_kx_context *)kc->data;
|
||||
MSG_DAT msg;
|
||||
|
||||
ret = krb_net_read (fd, tmp, 4);
|
||||
if (ret == 0)
|
||||
return ret;
|
||||
if (ret != 4)
|
||||
return -1;
|
||||
l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
|
||||
if (l > len)
|
||||
return -1;
|
||||
if (krb_net_read (fd, buf, l) != l)
|
||||
return -1;
|
||||
status = krb_rd_priv (buf, l, c->schedule, &c->key,
|
||||
&kc->thataddr, &kc->thisaddr, &msg);
|
||||
if (status != RD_AP_OK) {
|
||||
warnx ("krb4_read: %s", krb_get_err_text(status));
|
||||
return -1;
|
||||
}
|
||||
memmove (buf, msg.app_data, msg.app_length);
|
||||
return msg.app_length;
|
||||
}
|
||||
|
||||
static ssize_t
|
||||
krb4_write(kx_context *kc,
|
||||
int fd, const void *buf, size_t len)
|
||||
{
|
||||
void *outbuf;
|
||||
krb4_kx_context *c = (krb4_kx_context *)kc->data;
|
||||
size_t outlen;
|
||||
unsigned char tmp[4];
|
||||
|
||||
outbuf = malloc (len + 30);
|
||||
if (outbuf == NULL)
|
||||
return -1;
|
||||
outlen = krb_mk_priv ((void *)buf, outbuf, len, c->schedule, &c->key,
|
||||
&kc->thisaddr, &kc->thataddr);
|
||||
if (outlen < 0) {
|
||||
free (outbuf);
|
||||
return -1;
|
||||
}
|
||||
tmp[0] = (outlen >> 24) & 0xFF;
|
||||
tmp[1] = (outlen >> 16) & 0xFF;
|
||||
tmp[2] = (outlen >> 8) & 0xFF;
|
||||
tmp[3] = (outlen >> 0) & 0xFF;
|
||||
|
||||
if (krb_net_write (fd, tmp, 4) != 4 ||
|
||||
krb_net_write (fd, outbuf, outlen) != outlen) {
|
||||
free (outbuf);
|
||||
return -1;
|
||||
}
|
||||
free (outbuf);
|
||||
return len;
|
||||
}
|
||||
|
||||
/*
|
||||
* Copy data from `fd1' to `fd2', {en,de}crypting with cfb64
|
||||
* with `mode' and state stored in `iv', `schedule', and `num'.
|
||||
* Return -1 if error, 0 if eof, else 1
|
||||
*/
|
||||
|
||||
static int
|
||||
do_enccopy (int fd1, int fd2, int mode, des_cblock *iv,
|
||||
des_key_schedule schedule, int *num)
|
||||
{
|
||||
int ret;
|
||||
u_char buf[BUFSIZ];
|
||||
|
||||
ret = read (fd1, buf, sizeof(buf));
|
||||
if (ret == 0)
|
||||
return 0;
|
||||
if (ret < 0) {
|
||||
warn ("read");
|
||||
return ret;
|
||||
}
|
||||
#ifndef NOENCRYPTION
|
||||
des_cfb64_encrypt (buf, buf, ret, schedule, iv,
|
||||
num, mode);
|
||||
#endif
|
||||
ret = krb_net_write (fd2, buf, ret);
|
||||
if (ret < 0) {
|
||||
warn ("write");
|
||||
return ret;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int
|
||||
krb4_copy_encrypted (kx_context *kc,
|
||||
int fd1, int fd2)
|
||||
{
|
||||
krb4_kx_context *c = (krb4_kx_context *)kc->data;
|
||||
des_cblock iv1, iv2;
|
||||
int num1 = 0, num2 = 0;
|
||||
|
||||
memcpy (iv1, c->key, sizeof(iv1));
|
||||
memcpy (iv2, c->key, sizeof(iv2));
|
||||
for (;;) {
|
||||
fd_set fdset;
|
||||
int ret;
|
||||
|
||||
FD_ZERO(&fdset);
|
||||
FD_SET(fd1, &fdset);
|
||||
FD_SET(fd2, &fdset);
|
||||
|
||||
ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL);
|
||||
if (ret < 0 && errno != EINTR) {
|
||||
warn ("select");
|
||||
return 1;
|
||||
}
|
||||
if (FD_ISSET(fd1, &fdset)) {
|
||||
ret = do_enccopy (fd1, fd2, DES_ENCRYPT, &iv1, c->schedule, &num1);
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
}
|
||||
if (FD_ISSET(fd2, &fdset)) {
|
||||
ret = do_enccopy (fd2, fd1, DES_DECRYPT, &iv2, c->schedule, &num2);
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static int
|
||||
krb4_userok (kx_context *kc, char *user)
|
||||
{
|
||||
krb4_kx_context *c = (krb4_kx_context *)kc->data;
|
||||
char *tmp;
|
||||
|
||||
tmp = krb_unparse_name_long (c->auth.pname,
|
||||
c->auth.pinst,
|
||||
c->auth.prealm);
|
||||
kc->user = strdup (tmp);
|
||||
if (kc->user == NULL)
|
||||
err (1, "malloc");
|
||||
|
||||
|
||||
return kuserok (&c->auth, user);
|
||||
}
|
||||
|
||||
void
|
||||
krb4_make_context (kx_context *kc)
|
||||
{
|
||||
kc->authenticate = krb4_authenticate;
|
||||
kc->userok = krb4_userok;
|
||||
kc->read = krb4_read;
|
||||
kc->write = krb4_write;
|
||||
kc->copy_encrypted = krb4_copy_encrypted;
|
||||
kc->destroy = krb4_destroy;
|
||||
kc->user = NULL;
|
||||
kc->data = malloc(sizeof(krb4_kx_context));
|
||||
|
||||
if (kc->data == NULL)
|
||||
err (1, "malloc");
|
||||
}
|
||||
|
||||
int
|
||||
recv_v4_auth (kx_context *kc, int sock, u_char *buf)
|
||||
{
|
||||
int status;
|
||||
KTEXT_ST ticket;
|
||||
char instance[INST_SZ + 1];
|
||||
char version[KRB_SENDAUTH_VLEN + 1];
|
||||
krb4_kx_context *c;
|
||||
AUTH_DAT auth;
|
||||
des_key_schedule schedule;
|
||||
|
||||
if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
|
||||
return -1;
|
||||
if (net_read (sock, buf + 4, KRB_SENDAUTH_VLEN - 4) !=
|
||||
KRB_SENDAUTH_VLEN - 4) {
|
||||
syslog (LOG_ERR, "read: %m");
|
||||
exit (1);
|
||||
}
|
||||
if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0) {
|
||||
syslog (LOG_ERR, "unrecognized auth protocol: %.8s", buf);
|
||||
exit (1);
|
||||
}
|
||||
|
||||
k_getsockinst (sock, instance, sizeof(instance));
|
||||
status = krb_recvauth (KOPT_IGNORE_PROTOCOL | KOPT_DO_MUTUAL,
|
||||
sock,
|
||||
&ticket,
|
||||
"rcmd",
|
||||
instance,
|
||||
&kc->thataddr,
|
||||
&kc->thisaddr,
|
||||
&auth,
|
||||
"",
|
||||
schedule,
|
||||
version);
|
||||
if (status != KSUCCESS) {
|
||||
syslog (LOG_ERR, "krb_recvauth: %s", krb_get_err_text(status));
|
||||
exit (1);
|
||||
}
|
||||
if (strncmp (version, KX_VERSION, KRB_SENDAUTH_VLEN) != 0) {
|
||||
/* Try to be nice to old kx's */
|
||||
if (strncmp (version, KX_OLD_VERSION, KRB_SENDAUTH_VLEN) == 0) {
|
||||
char *old_errmsg = "\001Old version of kx. Please upgrade.";
|
||||
char user[64];
|
||||
|
||||
syslog (LOG_ERR, "Old version client (%s)", version);
|
||||
|
||||
krb_net_read (sock, user, sizeof(user));
|
||||
krb_net_write (sock, old_errmsg, strlen(old_errmsg) + 1);
|
||||
} else
|
||||
syslog (LOG_ERR, "bad version: %s", version);
|
||||
}
|
||||
|
||||
krb4_make_context (kc);
|
||||
c = (krb4_kx_context *)kc->data;
|
||||
|
||||
c->auth = auth;
|
||||
memcpy (c->key, &auth.session, sizeof(des_cblock));
|
||||
memcpy (c->schedule, schedule, sizeof(schedule));
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* KRB4 */
|
367
appl/kx/krb5.c
Normal file
367
appl/kx/krb5.c
Normal file
@@ -0,0 +1,367 @@
|
||||
/*
|
||||
* Copyright (c) 1995 - 1999 Kungliga Tekniska H<>gskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* This product includes software developed by the Kungliga Tekniska
|
||||
* H<>gskolan and its contributors.
|
||||
*
|
||||
* 4. Neither the name of the Institute nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "kx.h"
|
||||
|
||||
RCSID("$Id$");
|
||||
|
||||
#ifdef KRB5
|
||||
|
||||
struct krb5_kx_context {
|
||||
krb5_context context;
|
||||
krb5_keyblock *keyblock;
|
||||
krb5_crypto crypto;
|
||||
krb5_principal client;
|
||||
};
|
||||
|
||||
typedef struct krb5_kx_context krb5_kx_context;
|
||||
|
||||
static void
|
||||
krb5_destroy (kx_context *c)
|
||||
{
|
||||
krb5_kx_context *kc = (krb5_kx_context *)c->data;
|
||||
|
||||
if (kc->keyblock)
|
||||
krb5_free_keyblock (kc->context, kc->keyblock);
|
||||
if (kc->crypto)
|
||||
krb5_crypto_destroy (kc->context, kc->crypto);
|
||||
if (kc->client)
|
||||
krb5_free_principal (kc->context, kc->client);
|
||||
if (kc->context)
|
||||
krb5_free_context (kc->context);
|
||||
free (kc->context);
|
||||
}
|
||||
|
||||
static int
|
||||
krb5_authenticate (kx_context *kc, int s)
|
||||
{
|
||||
krb5_kx_context *c = (krb5_kx_context *)kc->data;
|
||||
krb5_context context = c->context;
|
||||
krb5_auth_context auth_context = NULL;
|
||||
krb5_error_code ret;
|
||||
krb5_principal server;
|
||||
char *host = kc->host;
|
||||
|
||||
ret = krb5_sname_to_principal (context,
|
||||
host, "host", KRB5_NT_SRV_HST, &server);
|
||||
if (ret) {
|
||||
warnx ("krb5_sname_to_principal: %s: %s", host,
|
||||
krb5_get_err_text(context, ret));
|
||||
return 1;
|
||||
}
|
||||
|
||||
ret = krb5_sendauth (context,
|
||||
&auth_context,
|
||||
&s,
|
||||
KX_VERSION,
|
||||
NULL,
|
||||
server,
|
||||
AP_OPTS_MUTUAL_REQUIRED,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL);
|
||||
if (ret) {
|
||||
warnx ("krb5_sendauth: %s: %s", host,
|
||||
krb5_get_err_text(context, ret));
|
||||
return 1;
|
||||
}
|
||||
|
||||
ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock);
|
||||
if (ret) {
|
||||
warnx ("krb5_auth_con_getkey: %s: %s", host,
|
||||
krb5_get_err_text(context, ret));
|
||||
krb5_auth_con_free (context, auth_context);
|
||||
return 1;
|
||||
}
|
||||
|
||||
ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto);
|
||||
if (ret) {
|
||||
warnx ("krb5_crypto_init: %s", krb5_get_err_text (context, ret));
|
||||
krb5_auth_con_free (context, auth_context);
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static ssize_t
|
||||
krb5_read (kx_context *kc,
|
||||
int fd, void *buf, size_t len)
|
||||
{
|
||||
krb5_kx_context *c = (krb5_kx_context *)kc->data;
|
||||
krb5_context context = c->context;
|
||||
size_t data_len, outer_len;
|
||||
krb5_error_code ret;
|
||||
unsigned char tmp[4];
|
||||
krb5_data data;
|
||||
int l;
|
||||
|
||||
l = krb5_net_read (context, &fd, tmp, 4);
|
||||
if (l == 0)
|
||||
return l;
|
||||
if (l != 4)
|
||||
return -1;
|
||||
data_len = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
|
||||
outer_len = krb5_get_wrapped_length (context, c->crypto, data_len);
|
||||
if (outer_len > len)
|
||||
return -1;
|
||||
if (krb5_net_read (context, &fd, buf, outer_len) != outer_len)
|
||||
return -1;
|
||||
|
||||
ret = krb5_decrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED,
|
||||
buf, outer_len, &data);
|
||||
if (ret) {
|
||||
warnx ("krb5_decrypt: %s", krb5_get_err_text(context, ret));
|
||||
return -1;
|
||||
}
|
||||
if (data_len > data.length) {
|
||||
krb5_data_free (&data);
|
||||
return -1;
|
||||
}
|
||||
memmove (buf, data.data, data_len);
|
||||
krb5_data_free (&data);
|
||||
return data_len;
|
||||
}
|
||||
|
||||
static ssize_t
|
||||
krb5_write(kx_context *kc,
|
||||
int fd, const void *buf, size_t len)
|
||||
{
|
||||
krb5_kx_context *c = (krb5_kx_context *)kc->data;
|
||||
krb5_context context = c->context;
|
||||
krb5_data data;
|
||||
krb5_error_code ret;
|
||||
unsigned char tmp[4];
|
||||
size_t outlen;
|
||||
|
||||
ret = krb5_encrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED,
|
||||
(void *)buf, len, &data);
|
||||
if (ret){
|
||||
warnx ("krb5_write: %s", krb5_get_err_text (context, ret));
|
||||
return -1;
|
||||
}
|
||||
|
||||
outlen = data.length;
|
||||
tmp[0] = (len >> 24) & 0xFF;
|
||||
tmp[1] = (len >> 16) & 0xFF;
|
||||
tmp[2] = (len >> 8) & 0xFF;
|
||||
tmp[3] = (len >> 0) & 0xFF;
|
||||
|
||||
if (krb5_net_write (context, &fd, tmp, 4) != 4 ||
|
||||
krb5_net_write (context, &fd, data.data, outlen) != outlen) {
|
||||
krb5_data_free (&data);
|
||||
return -1;
|
||||
}
|
||||
krb5_data_free (&data);
|
||||
return len;
|
||||
}
|
||||
|
||||
static int
|
||||
copy_out (kx_context *kc, int from_fd, int to_fd)
|
||||
{
|
||||
char buf[32768];
|
||||
ssize_t len;
|
||||
|
||||
len = read (from_fd, buf, sizeof(buf));
|
||||
if (len == 0)
|
||||
return 0;
|
||||
if (len < 0) {
|
||||
warn ("read");
|
||||
return len;
|
||||
}
|
||||
return krb5_write (kc, to_fd, buf, len);
|
||||
}
|
||||
|
||||
static int
|
||||
copy_in (kx_context *kc, int from_fd, int to_fd)
|
||||
{
|
||||
krb5_kx_context *c = (krb5_kx_context *)kc->data;
|
||||
char buf[33000]; /* XXX */
|
||||
|
||||
ssize_t len;
|
||||
|
||||
len = krb5_read (kc, from_fd, buf, sizeof(buf));
|
||||
if (len == 0)
|
||||
return 0;
|
||||
if (len < 0) {
|
||||
warn ("krb5_read");
|
||||
return len;
|
||||
}
|
||||
|
||||
return krb5_net_write (c->context, &to_fd, buf, len);
|
||||
}
|
||||
|
||||
static int
|
||||
krb5_copy_encrypted (kx_context *kc, int fd1, int fd2)
|
||||
{
|
||||
for (;;) {
|
||||
fd_set fdset;
|
||||
int ret;
|
||||
|
||||
FD_ZERO(&fdset);
|
||||
FD_SET(fd1, &fdset);
|
||||
FD_SET(fd2, &fdset);
|
||||
|
||||
ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL);
|
||||
if (ret < 0 && errno != EINTR) {
|
||||
warn ("select");
|
||||
return 1;
|
||||
}
|
||||
if (FD_ISSET(fd1, &fdset)) {
|
||||
ret = copy_out (kc, fd1, fd2);
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
}
|
||||
if (FD_ISSET(fd2, &fdset)) {
|
||||
ret = copy_in (kc, fd2, fd1);
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static int
|
||||
krb5_userok (kx_context *kc, char *user)
|
||||
{
|
||||
krb5_kx_context *c = (krb5_kx_context *)kc->data;
|
||||
krb5_context context = c->context;
|
||||
krb5_error_code ret;
|
||||
|
||||
ret = krb5_unparse_name (context, c->client, &kc->user);
|
||||
if (ret)
|
||||
krb5_err (context, 1, ret, "krb5_unparse_name");
|
||||
|
||||
return !krb5_kuserok (context, c->client, user);
|
||||
}
|
||||
|
||||
void
|
||||
krb5_make_context (kx_context *kc)
|
||||
{
|
||||
krb5_kx_context *c;
|
||||
|
||||
kc->authenticate = krb5_authenticate;
|
||||
kc->userok = krb5_userok;
|
||||
kc->read = krb5_read;
|
||||
kc->write = krb5_write;
|
||||
kc->copy_encrypted = krb5_copy_encrypted;
|
||||
kc->destroy = krb5_destroy;
|
||||
kc->user = NULL;
|
||||
kc->data = malloc(sizeof(krb5_kx_context));
|
||||
|
||||
if (kc->data == NULL)
|
||||
err (1, "malloc");
|
||||
memset (kc->data, 0, sizeof(krb5_kx_context));
|
||||
c = (krb5_kx_context *)kc->data;
|
||||
krb5_init_context (&c->context);
|
||||
}
|
||||
|
||||
int
|
||||
recv_v5_auth (kx_context *kc, int sock, u_char *buf)
|
||||
{
|
||||
u_int32_t len;
|
||||
krb5_error_code ret;
|
||||
krb5_kx_context *c;
|
||||
krb5_context context;
|
||||
krb5_principal server;
|
||||
krb5_auth_context auth_context = NULL;
|
||||
krb5_ticket *ticket;
|
||||
|
||||
if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
|
||||
return 1;
|
||||
len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
|
||||
if (net_read(sock, buf, len) != len) {
|
||||
syslog (LOG_ERR, "read: %m");
|
||||
exit (1);
|
||||
}
|
||||
if (len != sizeof(KRB5_SENDAUTH_VERSION)
|
||||
|| memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0) {
|
||||
syslog (LOG_ERR, "bad sendauth version: %.8s", buf);
|
||||
exit (1);
|
||||
}
|
||||
|
||||
krb5_make_context (kc);
|
||||
c = (krb5_kx_context *)kc->data;
|
||||
context = c->context;
|
||||
|
||||
ret = krb5_sock_to_principal (context, sock, "host",
|
||||
KRB5_NT_SRV_HST, &server);
|
||||
if (ret) {
|
||||
syslog (LOG_ERR, "krb5_sock_to_principal: %s",
|
||||
krb5_get_err_text (context, ret));
|
||||
exit (1);
|
||||
}
|
||||
|
||||
ret = krb5_recvauth (context,
|
||||
&auth_context,
|
||||
&sock,
|
||||
KX_VERSION,
|
||||
server,
|
||||
KRB5_RECVAUTH_IGNORE_VERSION,
|
||||
NULL,
|
||||
&ticket);
|
||||
krb5_free_principal (context, server);
|
||||
if (ret) {
|
||||
syslog (LOG_ERR, "krb5_sock_to_principal: %s",
|
||||
krb5_get_err_text (context, ret));
|
||||
exit (1);
|
||||
}
|
||||
|
||||
ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock);
|
||||
if (ret) {
|
||||
syslog (LOG_ERR, "krb5_auth_con_getkey: %s",
|
||||
krb5_get_err_text (context, ret));
|
||||
exit (1);
|
||||
}
|
||||
|
||||
ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto);
|
||||
if (ret) {
|
||||
syslog (LOG_ERR, "krb5_crypto_init: %s",
|
||||
krb5_get_err_text (context, ret));
|
||||
exit (1);
|
||||
}
|
||||
|
||||
c->client = ticket->client;
|
||||
ticket->client = NULL;
|
||||
krb5_free_ticket (context, ticket);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* KRB5 */
|
Reference in New Issue
Block a user