handle protocol version 2

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11349 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
2002-09-03 20:03:46 +00:00
parent d9a1ec3c10
commit 76f0ff261e
4 changed files with 182 additions and 49 deletions

View File

@@ -36,10 +36,36 @@ RCSID("$Id$");
#if defined(KRB4) || defined(KRB5)
#ifdef KRB5
int key_usage = 1026;
void *ivec_in[2];
void *ivec_out[2];
void
init_ivecs(int client)
{
size_t blocksize;
krb5_crypto_block_size(context, crypto, &blocksize);
ivec_in[0] = malloc(blocksize);
memset(ivec_in[0], client, blocksize);
ivec_in[1] = malloc(blocksize);
memset(ivec_in[1], 2 | client, blocksize);
ivec_out[0] = malloc(blocksize);
memset(ivec_out[0], !client, blocksize);
ivec_out[1] = malloc(blocksize);
memset(ivec_out[1], 2 | !client, blocksize);
}
#endif
ssize_t
do_read (int fd,
void *buf,
size_t sz)
do_read (int fd, void *buf, size_t sz, void *ivec)
{
if (do_encrypt) {
#ifdef KRB4
@@ -61,7 +87,11 @@ do_read (int fd,
len = ntohl(len);
if (len > sz)
abort ();
outer_len = krb5_get_wrapped_length (context, crypto, len);
/* ivec will be non null for protocol version 2 */
if(ivec != NULL)
outer_len = krb5_get_wrapped_length (context, crypto, len + 4);
else
outer_len = krb5_get_wrapped_length (context, crypto, len);
edata = malloc (outer_len);
if (edata == NULL)
errx (1, "malloc: cannot allocate %u bytes", outer_len);
@@ -69,13 +99,22 @@ do_read (int fd,
if (ret <= 0)
return ret;
status = krb5_decrypt(context, crypto, KRB5_KU_OTHER_ENCRYPTED,
edata, outer_len, &data);
status = krb5_decrypt_ivec(context, crypto, key_usage,
edata, outer_len, &data, ivec);
free (edata);
if (status)
errx (1, "%s", krb5_get_err_text (context, status));
memcpy (buf, data.data, len);
krb5_err (context, 1, status, "decrypting data");
if(ivec != NULL) {
unsigned long l;
if(data.length < len + 4)
errx (1, "data received is too short");
_krb5_get_int(data.data, &l, 4);
if(l != len)
errx (1, "inconsistency in received data");
memcpy (buf, (unsigned char *)data.data+4, len);
} else
memcpy (buf, data.data, len);
krb5_data_free (&data);
return len;
} else
@@ -86,7 +125,7 @@ do_read (int fd,
}
ssize_t
do_write (int fd, void *buf, size_t sz)
do_write (int fd, void *buf, size_t sz, void *ivec)
{
if (do_encrypt) {
#ifdef KRB4
@@ -98,20 +137,27 @@ do_write (int fd, void *buf, size_t sz)
if(auth_method == AUTH_KRB5) {
krb5_error_code status;
krb5_data data;
u_int32_t len;
unsigned char len[4];
int ret;
status = krb5_encrypt(context, crypto, KRB5_KU_OTHER_ENCRYPTED,
buf, sz, &data);
_krb5_put_int(len, sz, 4);
if(ivec != NULL) {
unsigned char *tmp = malloc(sz + 4);
if(tmp == NULL)
err(1, "malloc");
_krb5_put_int(tmp, sz, 4);
memcpy(tmp + 4, buf, sz);
status = krb5_encrypt_ivec(context, crypto, key_usage,
tmp, sz + 4, &data, ivec);
free(tmp);
} else
status = krb5_encrypt_ivec(context, crypto, key_usage,
buf, sz, &data, ivec);
if (status)
errx (1, "%s", krb5_get_err_text(context, status));
krb5_err(context, 1, status, "encrypting data");
assert (krb5_get_wrapped_length (context, crypto,
sz) == data.length);
len = htonl(sz);
ret = krb5_net_write (context, &fd, &len, 4);
ret = krb5_net_write (context, &fd, len, 4);
if (ret != 4)
return ret;
ret = krb5_net_write (context, &fd, data.data, data.length);

View File

@@ -67,6 +67,8 @@ static const char *user;
static int do_version;
static int do_help;
static int do_errsock = 1;
static char *protocol_version_str;
static int protocol_version = 2;
/*
*
@@ -80,6 +82,11 @@ loop (int s, int errsock)
fd_set real_readset;
int count = 1;
#ifdef KRB5
if(auth_method == AUTH_KRB5 && protocol_version == 2)
init_ivecs(1);
#endif
if (s >= FD_SETSIZE || errsock >= FD_SETSIZE)
errx (1, "fd too large");
@@ -106,7 +113,7 @@ loop (int s, int errsock)
err (1, "select");
}
if (FD_ISSET(s, &readset)) {
ret = do_read (s, buf, sizeof(buf));
ret = do_read (s, buf, sizeof(buf), ivec_in[0]);
if (ret < 0)
err (1, "read");
else if (ret == 0) {
@@ -118,7 +125,7 @@ loop (int s, int errsock)
net_write (STDOUT_FILENO, buf, ret);
}
if (errsock != -1 && FD_ISSET(errsock, &readset)) {
ret = do_read (errsock, buf, sizeof(buf));
ret = do_read (errsock, buf, sizeof(buf), ivec_in[1]);
if (ret < 0)
err (1, "read");
else if (ret == 0) {
@@ -138,7 +145,7 @@ loop (int s, int errsock)
FD_CLR(STDIN_FILENO, &real_readset);
shutdown (s, SHUT_WR);
} else
do_write (s, buf, ret);
do_write (s, buf, ret, ivec_out[0]);
}
}
}
@@ -166,7 +173,7 @@ send_krb4_auth(int s,
getpid(), &msg, &cred, schedule,
(struct sockaddr_in *)thisaddr,
(struct sockaddr_in *)thataddr,
KCMD_VERSION);
KCMD_OLD_VERSION);
if (status != KSUCCESS) {
warnx("%s: %s", hostname, krb_get_err_text(status));
return 1;
@@ -282,6 +289,8 @@ send_krb5_auth(int s,
int status;
size_t len;
krb5_auth_context auth_context = NULL;
const char *protocol_string = NULL;
krb5_flags ap_opts;
status = krb5_sname_to_principal(context,
hostname,
@@ -300,13 +309,31 @@ send_krb5_auth(int s,
cmd,
remote_user);
ap_opts = 0;
if(do_encrypt)
ap_opts |= AP_OPTS_MUTUAL_REQUIRED;
switch(protocol_version) {
case 2:
ap_opts |= AP_OPTS_USE_SUBKEY;
protocol_string = KCMD_NEW_VERSION;
break;
case 1:
protocol_string = KCMD_OLD_VERSION;
key_usage = KRB5_KU_OTHER_ENCRYPTED;
break;
default:
abort();
}
status = krb5_sendauth (context,
&auth_context,
&s,
KCMD_VERSION,
protocol_string,
NULL,
server,
do_encrypt ? AP_OPTS_MUTUAL_REQUIRED : 0,
ap_opts,
&cksum_data,
NULL,
NULL,
@@ -318,7 +345,9 @@ send_krb5_auth(int s,
return 1;
}
status = krb5_auth_con_getkey (context, auth_context, &keyblock);
status = krb5_auth_con_getlocalsubkey (context, auth_context, &keyblock);
if(keyblock == NULL)
status = krb5_auth_con_getkey (context, auth_context, &keyblock);
if (status) {
warnx ("krb5_auth_con_getkey: %s", krb5_get_err_text(context, status));
return 1;
@@ -552,7 +581,7 @@ proto (int s, int errsock,
(void *)&one, sizeof(one)) < 0)
warn("setsockopt stderr");
}
return loop (s, errsock2);
}
@@ -777,6 +806,8 @@ struct getargs args[] = {
"port" },
{ "user", 'l', arg_string, &user, "Run as this user", "login" },
{ "stderr", 'e', arg_negative_flag, &do_errsock, "Don't open stderr"},
{ "protocol", 'P', arg_string, &protocol_version_str,
"Protocol version", "protocol" },
{ "version", 0, arg_flag, &do_version, NULL },
{ "help", 0, arg_flag, &do_help, NULL }
};
@@ -840,7 +871,24 @@ main(int argc, char **argv)
print_version (NULL);
return 0;
}
if(protocol_version_str != NULL) {
if(strcasecmp(protocol_version_str, "N") == 0)
protocol_version = 2;
else if(strcasecmp(protocol_version_str, "O") == 0)
protocol_version = 1;
else {
char *end;
int v;
v = strtol(protocol_version_str, &end, 0);
if(*end != '\0' || (v != 1 && v != 2)) {
errx(1, "unknown protocol version \"%s\"",
protocol_version_str);
}
protocol_version = v;
}
}
#ifdef KRB5
status = krb5_init_context (&context);
if (status) {

View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska H<>gskolan
* Copyright (c) 1997 - 2002 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -99,6 +99,7 @@
#endif
#ifdef KRB5
#include <krb5.h>
#include <krb5-private.h> /* for _krb5_{get,put}_int */
#endif
#ifdef KRB4
#include <kafs.h>
@@ -132,25 +133,30 @@ extern int do_encrypt;
extern krb5_context context;
extern krb5_keyblock *keyblock;
extern krb5_crypto crypto;
extern int key_usage;
extern void *ivec_in[2];
extern void *ivec_out[2];
void init_ivecs(int);
#endif
#ifdef KRB4
extern des_key_schedule schedule;
extern des_cblock iv;
#endif
#define KCMD_VERSION "KCMDV0.1"
#define KCMD_OLD_VERSION "KCMDV0.1"
#define KCMD_NEW_VERSION "KCMDV0.2"
#define USERNAME_SZ 16
#define COMMAND_SZ 1024
#define RSH_BUFSIZ (16 * 1024)
#define RSH_BUFSIZ (5 * 1024) /* MIT kcmd can't handle larger buffers */
#define PATH_RSH BINDIR "/rsh"
#if defined(KRB4) || defined(KRB5)
ssize_t do_read (int fd, void *buf, size_t sz);
ssize_t do_write (int fd, void *buf, size_t sz);
ssize_t do_read (int, void*, size_t, void*);
ssize_t do_write (int, void*, size_t, void*);
#else
#define do_write(F, B, L) write((F), (B), (L))
#define do_read(F, B, L) read((F), (B), (L))
#define do_write(F, B, L, I) write((F), (B), (L))
#define do_read(F, B, L, I) read((F), (B), (L))
#endif

View File

@@ -199,7 +199,7 @@ recv_krb4_auth (int s, u_char *buf,
version);
if (status != KSUCCESS)
syslog_and_die ("recvauth: %s", krb_get_err_text(status));
if (strncmp (version, KCMD_VERSION, KRB_SENDAUTH_VLEN) != 0)
if (strncmp (version, KCMD_OLD_VERSION, KRB_SENDAUTH_VLEN) != 0)
syslog_and_die ("bad version: %s", version);
read_str (s, server_username, USERNAME_SZ, "remote username");
@@ -277,6 +277,24 @@ krb5_start_session (void)
return;
}
static int protocol_version;
static krb5_boolean
match_kcmd_version(const void *data, const char *version)
{
if(strcmp(version, KCMD_NEW_VERSION) == 0) {
protocol_version = 2;
return TRUE;
}
if(strcmp(version, KCMD_OLD_VERSION) == 0) {
protocol_version = 1;
key_usage = KRB5_KU_OTHER_ENCRYPTED;
return TRUE;
}
return FALSE;
}
static int
recv_krb5_auth (int s, u_char *buf,
struct sockaddr *thisaddr,
@@ -311,14 +329,15 @@ recv_krb5_auth (int s, u_char *buf,
syslog_and_die ("krb5_sock_to_principal: %s",
krb5_get_err_text(context, status));
status = krb5_recvauth(context,
&auth_context,
&s,
KCMD_VERSION,
server,
KRB5_RECVAUTH_IGNORE_VERSION,
NULL,
&ticket);
status = krb5_recvauth_match_version(context,
&auth_context,
&s,
match_kcmd_version,
NULL,
server,
KRB5_RECVAUTH_IGNORE_VERSION,
NULL,
&ticket);
krb5_free_principal (context, server);
if (status)
syslog_and_die ("krb5_recvauth: %s",
@@ -328,8 +347,17 @@ recv_krb5_auth (int s, u_char *buf,
read_str (s, cmd, COMMAND_SZ, "command");
read_str (s, client_username, COMMAND_SZ, "local username");
status = krb5_auth_con_getkey (context, auth_context, &keyblock);
if (status)
if(protocol_version == 2) {
status = krb5_auth_con_getremotesubkey(context, auth_context,
&keyblock);
if(status != 0 || keyblock == NULL)
syslog_and_die("failed to get remote subkey");
} else if(protocol_version == 1) {
status = krb5_auth_con_getkey (context, auth_context, &keyblock);
if(status != 0 || keyblock == NULL)
syslog_and_die("failed to get key");
}
if (status != 0 || keyblock == NULL)
syslog_and_die ("krb5_auth_con_getkey: %s",
krb5_get_err_text(context, status));
@@ -436,6 +464,11 @@ loop (int from0, int to0,
if(from0 >= FD_SETSIZE || from1 >= FD_SETSIZE || from2 >= FD_SETSIZE)
errx (1, "fd too large");
#ifdef KRB5
if(auth_method == AUTH_KRB5 && protocol_version == 2)
init_ivecs(0);
#endif
FD_ZERO(&real_readset);
FD_SET(from0, &real_readset);
FD_SET(from1, &real_readset);
@@ -454,7 +487,7 @@ loop (int from0, int to0,
syslog_and_die ("select: %m");
}
if (FD_ISSET(from0, &readset)) {
ret = do_read (from0, buf, sizeof(buf));
ret = do_read (from0, buf, sizeof(buf), ivec_in[0]);
if (ret < 0)
syslog_and_die ("read: %m");
else if (ret == 0) {
@@ -475,7 +508,7 @@ loop (int from0, int to0,
if (--count == 0)
exit (0);
} else
do_write (to1, buf, ret);
do_write (to1, buf, ret, ivec_out[0]);
}
if (FD_ISSET(from2, &readset)) {
ret = read (from2, buf, sizeof(buf));
@@ -488,7 +521,7 @@ loop (int from0, int to0,
if (--count == 0)
exit (0);
} else
do_write (to2, buf, ret);
do_write (to2, buf, ret, ivec_out[1]);
}
}
}