diff options
author | nectar <nectar@FreeBSD.org> | 2002-09-16 21:04:40 +0000 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2002-09-16 21:04:40 +0000 |
commit | 8707f886593c300d83c76654e92ec76bcea9b858 (patch) | |
tree | 291ed09be4bd7c999ad1617a832aa3caae1cb274 /crypto/heimdal/appl/kf | |
parent | a77dba08ca7d8ad2f2dcd653974ac66df78cfa49 (diff) | |
download | FreeBSD-src-8707f886593c300d83c76654e92ec76bcea9b858.zip FreeBSD-src-8707f886593c300d83c76654e92ec76bcea9b858.tar.gz |
Import of Heimdal Kerberos from KTH repository circa 2002/09/16.
Diffstat (limited to 'crypto/heimdal/appl/kf')
-rw-r--r-- | crypto/heimdal/appl/kf/kf.c | 122 | ||||
-rw-r--r-- | crypto/heimdal/appl/kf/kf_locl.h | 11 | ||||
-rw-r--r-- | crypto/heimdal/appl/kf/kfd.c | 189 |
3 files changed, 139 insertions, 183 deletions
diff --git a/crypto/heimdal/appl/kf/kf.c b/crypto/heimdal/appl/kf/kf.c index 3288dae..190101b 100644 --- a/crypto/heimdal/appl/kf/kf.c +++ b/crypto/heimdal/appl/kf/kf.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000, 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,13 +32,13 @@ */ #include "kf_locl.h" -RCSID("$Id: kf.c,v 1.15 2001/02/20 01:44:44 assar Exp $"); +RCSID("$Id: kf.c,v 1.17 2002/09/05 15:00:03 joda Exp $"); krb5_context context; static int help_flag; static int version_flag; static char *port_str; -const char *service = SERVICE; +const char *service = KF_SERVICE; const char *remote_name = NULL; int forwardable = 0; const char *ccache_name = NULL; @@ -107,7 +107,7 @@ client_setup(krb5_context *context, int *argc, char **argv) } if (port == 0) - port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM); + port = krb5_getportbyname (*context, KF_PORT_NAME, "tcp", KF_PORT_NUM); if(*argc - optind < 1) usage(1, args, num_args); @@ -122,22 +122,19 @@ client_setup(krb5_context *context, int *argc, char **argv) */ static int -proto (int sock, const char *hostname, const char *service) +proto (int sock, const char *hostname, const char *service, + char *message, size_t len) { krb5_auth_context auth_context; krb5_error_code status; krb5_principal server; krb5_data data; - krb5_data packet; krb5_data data_send; - u_int32_t len, net_len; krb5_ccache ccache; krb5_creds creds; krb5_kdc_flags flags; krb5_principal principal; - char ret_string[10]; - ssize_t n; status = krb5_auth_con_init (context, &auth_context); if (status) { @@ -166,10 +163,10 @@ proto (int sock, const char *hostname, const char *service) status = krb5_sendauth (context, &auth_context, &sock, - VERSION, + KF_VERSION_1, NULL, server, - AP_OPTS_MUTUAL_REQUIRED, + AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, NULL, NULL, NULL, @@ -181,27 +178,19 @@ proto (int sock, const char *hostname, const char *service) return 1; } - if (remote_name == NULL) { - remote_name = get_default_username (); - if (remote_name == NULL) - errx (1, "who are you?"); - } + if (ccache_name == NULL) + ccache_name = ""; - krb5_data_zero(&data_send); data_send.data = (void *)remote_name; data_send.length = strlen(remote_name) + 1; - status = krb5_write_message(context, &sock, &data_send); + status = krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_warn (context, status, "krb5_write_message"); return 1; } - - if (ccache_name == NULL) - ccache_name = ""; - data_send.data = (void *)ccache_name; data_send.length = strlen(ccache_name)+1; - status = krb5_write_message(context, &sock, &data_send); + status = krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_warn (context, status, "krb5_write_message"); return 1; @@ -223,16 +212,15 @@ proto (int sock, const char *hostname, const char *service) creds.client = principal; - status = krb5_build_principal (context, - &creds.server, - strlen(principal->realm), - principal->realm, - KRB5_TGS_NAME, - principal->realm, - NULL); + status = krb5_make_principal (context, + &creds.server, + principal->realm, + KRB5_TGS_NAME, + principal->realm, + NULL); if (status) { - krb5_warn (context, status, "krb5_build_principal"); + krb5_warn (context, status, "krb5_make_principal"); return 1; } @@ -254,60 +242,36 @@ proto (int sock, const char *hostname, const char *service) return 1; } - status = krb5_mk_priv (context, - auth_context, - &data, - &packet, - NULL); + status = krb5_write_priv_message(context, auth_context, &sock, &data); + if (status) { krb5_warn (context, status, "krb5_mk_priv"); return 1; } - len = packet.length; - net_len = htonl(len); - - if (krb5_net_write (context, &sock, &net_len, 4) != 4) { - krb5_warn (context, errno, "krb5_net_write"); - return 1; - } - if (krb5_net_write (context, &sock, packet.data, len) != len) { - krb5_warn (context, errno, "krb5_net_write"); - return 1; - } - krb5_data_free (&data); - n = krb5_net_read (context, &sock, &net_len, 4); - if (n == 0) { - krb5_warnx (context, "EOF in krb5_net_read"); - return 1; - } - if (n < 0) { - krb5_warn (context, errno, "krb5_net_read"); - return 1; - } - len = ntohl(net_len); - if (len >= sizeof(ret_string)) { - krb5_warnx (context, "too long string back from %s", hostname); - return 1; - } - n = krb5_net_read (context, &sock, ret_string, len); - if (n == 0) { - krb5_warnx (context, "EOF in krb5_net_read"); + status = krb5_read_priv_message(context, auth_context, &sock, &data); + if (status) { + krb5_warn (context, status, "krb5_mk_priv"); return 1; } - if (n < 0) { - krb5_warn (context, errno, "krb5_net_read"); - return 1; + if(data.length >= len) { + krb5_warnx (context, "returned string is too long, truncating"); + memcpy(message, data.data, len); + message[len - 1] = '\0'; + } else { + memcpy(message, data.data, data.length); + message[data.length] = '\0'; } - ret_string[sizeof(ret_string) - 1] = '\0'; + krb5_data_free (&data); - return(strcmp(ret_string,"ok")); + return(strcmp(message, "ok")); } static int -doit (const char *hostname, int port, const char *service) +doit (const char *hostname, int port, const char *service, + char *message, size_t len) { struct addrinfo *ai, *a; struct addrinfo hints; @@ -337,7 +301,7 @@ doit (const char *hostname, int port, const char *service) continue; } freeaddrinfo (ai); - return proto (s, hostname, service); + return proto (s, hostname, service, message, len); } warnx ("failed to contact %s", hostname); freeaddrinfo (ai); @@ -353,9 +317,19 @@ main(int argc, char **argv) argcc = argc; port = client_setup(&context, &argcc, argv); + if (remote_name == NULL) { + remote_name = get_default_username (); + if (remote_name == NULL) + errx (1, "who are you?"); + } + for (i = argcc;i < argc; i++) { - ret = doit (argv[i], port, service); - warnx ("%s %s", argv[i], ret ? "failed" : "ok"); + char message[128]; + ret = doit (argv[i], port, service, message, sizeof(message)); + if(ret == 0) + warnx ("%s: ok", argv[i]); + else + warnx ("%s: failed: %s", argv[i], message); } return(ret); } diff --git a/crypto/heimdal/appl/kf/kf_locl.h b/crypto/heimdal/appl/kf/kf_locl.h index 29f5941..0a6a28f 100644 --- a/crypto/heimdal/appl/kf/kf_locl.h +++ b/crypto/heimdal/appl/kf/kf_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: kf_locl.h,v 1.2 1999/12/02 17:04:55 joda Exp $ */ +/* $Id: kf_locl.h,v 1.3 2002/09/04 20:29:04 joda Exp $ */ #ifdef HAVE_CONFIG_H #include <config.h> @@ -74,7 +74,8 @@ #include <err.h> #include <krb5.h> -#define SERVICE "host" +#define KF_SERVICE "host" -#define PORT "kf" -#define PORT_NUM 2110 +#define KF_PORT_NAME "kf" +#define KF_PORT_NUM 2110 +#define KF_VERSION_1 "KFWDV0.1" diff --git a/crypto/heimdal/appl/kf/kfd.c b/crypto/heimdal/appl/kf/kfd.c index 6dc2666..7f6ea28 100644 --- a/crypto/heimdal/appl/kf/kfd.c +++ b/crypto/heimdal/appl/kf/kfd.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "kf_locl.h" -RCSID("$Id: kfd.c,v 1.9 2001/02/20 01:44:44 assar Exp $"); +RCSID("$Id: kfd.c,v 1.10 2002/09/04 20:31:48 joda Exp $"); krb5_context context; char krb5_tkfile[MAXPATHLEN]; @@ -40,7 +40,7 @@ char krb5_tkfile[MAXPATHLEN]; static int help_flag; static int version_flag; static char *port_str; -char *service = SERVICE; +char *service = KF_SERVICE; int do_inetd = 0; static char *regpag_str=NULL; @@ -92,7 +92,7 @@ server_setup(krb5_context *context, int argc, char **argv) } if (port == 0) - port = krb5_getportbyname (*context, PORT, "tcp", PORT_NUM); + port = krb5_getportbyname (*context, KF_PORT_NAME, "tcp", KF_PORT_NUM); if(argv[local_argc] != NULL) usage(1, args, num_args); @@ -100,26 +100,23 @@ server_setup(krb5_context *context, int argc, char **argv) return port; } -static void -syslog_and_die (const char *m, ...) -{ - va_list args; +static int protocol_version; - va_start(args, m); - vsyslog (LOG_ERR, m, args); - va_end(args); - exit (1); -} - -static void -syslog_and_cont (const char *m, ...) +static krb5_boolean +kfd_match_version(const void *arg, const char *version) { - va_list args; - - va_start(args, m); - vsyslog (LOG_ERR, m, args); - va_end(args); - return; + if(strcmp(version, KF_VERSION_1) == 0) { + protocol_version = 1; + return TRUE; + } else if (strlen(version) == 4 && + version[0] == '0' && + version[1] == '.' && + (version[2] == '4' || version[2] == '3') && + islower(version[3])) { + protocol_version = 0; + return TRUE; + } + return FALSE; } static int @@ -132,31 +129,25 @@ proto (int sock, const char *service) char *name; char ret_string[10]; char hostname[MAXHOSTNAMELEN]; - krb5_data packet; krb5_data data; krb5_data remotename; krb5_data tk_file; - - u_int32_t len, net_len; krb5_ccache ccache; char ccname[MAXPATHLEN]; struct passwd *pwd; - ssize_t n; status = krb5_auth_con_init (context, &auth_context); if (status) - syslog_and_die("krb5_auth_con_init: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, status, "krb5_auth_con_init"); status = krb5_auth_con_setaddrs_from_fd (context, auth_context, &sock); if (status) - syslog_and_die("krb5_auth_con_setaddr: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, status, "krb5_auth_con_setaddr"); if(gethostname (hostname, sizeof(hostname)) < 0) - syslog_and_die("gethostname: %s",strerror(errno)); + krb5_err(context, 1, errno, "gethostname"); status = krb5_sname_to_principal (context, hostname, @@ -164,88 +155,80 @@ proto (int sock, const char *service) KRB5_NT_SRV_HST, &server); if (status) - syslog_and_die("krb5_sname_to_principal: %s", - krb5_get_err_text(context, status)); - - status = krb5_recvauth (context, - &auth_context, - &sock, - VERSION, - server, - 0, - NULL, - &ticket); + krb5_err(context, 1, status, "krb5_sname_to_principal"); + + status = krb5_recvauth_match_version (context, + &auth_context, + &sock, + kfd_match_version, + NULL, + server, + 0, + NULL, + &ticket); if (status) - syslog_and_die("krb5_recvauth: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, status, "krb5_recvauth"); status = krb5_unparse_name (context, ticket->client, &name); if (status) - syslog_and_die("krb5_unparse_name: %s", - krb5_get_err_text(context, status)); - - status=krb5_read_message (context, &sock, &remotename); - if (status) { - syslog_and_die("krb5_read_message: %s", - krb5_get_err_text(context, status)); - } - status=krb5_read_message (context, &sock, &tk_file); - if (status) { - syslog_and_die("krb5_read_message: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, status, "krb5_unparse_name"); + + if(protocol_version == 0) { + data.data = "old clnt"; /* XXX old clients only had room for + 10 bytes of message, and also + didn't show it to the user */ + data.length = strlen(data.data) + 1; + krb5_write_message(context, &sock, &data); + sleep(2); /* XXX give client time to finish */ + krb5_errx(context, 1, "old client; exiting"); } + status=krb5_read_priv_message (context, auth_context, + &sock, &remotename); + if (status) + krb5_err(context, 1, status, "krb5_read_message"); + status=krb5_read_priv_message (context, auth_context, + &sock, &tk_file); + if (status) + krb5_err(context, 1, status, "krb5_read_message"); + krb5_data_zero (&data); - krb5_data_zero (&packet); - - n = krb5_net_read (context, &sock, &net_len, 4); - if (n < 0) - syslog_and_die("krb5_net_read: %s", strerror(errno)); - if (n == 0) - syslog_and_die("EOF in krb5_net_read"); - - len = ntohl(net_len); - krb5_data_alloc (&packet, len); - n = krb5_net_read (context, &sock, packet.data, len); - if (n < 0) - syslog_and_die("krb5_net_read: %s", strerror(errno)); - if (n == 0) - syslog_and_die("EOF in krb5_net_read"); - - status = krb5_rd_priv (context, - auth_context, - &packet, - &data, - NULL); + + if(((char*)remotename.data)[remotename.length-1] != '\0') + krb5_errx(context, 1, "unterminated received"); + if(((char*)tk_file.data)[tk_file.length-1] != '\0') + krb5_errx(context, 1, "unterminated received"); + + status = krb5_read_priv_message(context, auth_context, &sock, &data); + if (status) { - syslog_and_cont("krb5_rd_priv: %s", - krb5_get_err_text(context, status)); + krb5_err(context, 1, errno, "krb5_read_priv_message"); goto out; } pwd = getpwnam ((char *)(remotename.data)); if (pwd == NULL) { status=1; - syslog_and_cont("getpwnam: %s failed",(char *)(remotename.data)); + krb5_warnx(context, "getpwnam: %s failed",(char *)(remotename.data)); goto out; } if(!krb5_kuserok (context, - ticket->client, - (char *)(remotename.data))) { + ticket->client, + (char *)(remotename.data))) { status=1; - syslog_and_cont("krb5_kuserok: permission denied"); + krb5_warnx(context, "krb5_kuserok: permission denied"); goto out; } if (setgid(pwd->pw_gid) < 0) { - syslog_and_cont ("setgid: %s", strerror(errno)); + krb5_warn(context, errno, "setgid"); goto out; } if (setuid(pwd->pw_uid) < 0) { - syslog_and_cont ("setuid: %s", strerror(errno)); + krb5_warn(context, errno, "setuid"); goto out; } @@ -256,49 +239,41 @@ proto (int sock, const char *service) status = krb5_cc_resolve (context, ccname, &ccache); if (status) { - syslog_and_cont("krb5_cc_resolve: %s", - krb5_get_err_text(context, status)); + krb5_warn(context, status, "krb5_cc_resolve"); goto out; } status = krb5_cc_initialize (context, ccache, ticket->client); if (status) { - syslog_and_cont("krb5_cc_initialize: %s", - krb5_get_err_text(context, status)); + krb5_warn(context, status, "krb5_cc_initialize"); goto out; } status = krb5_rd_cred2 (context, auth_context, ccache, &data); krb5_cc_close (context, ccache); if (status) { - syslog_and_cont("krb5_rd_cred: %s", - krb5_get_err_text(context, status)); + krb5_warn(context, status, "krb5_rd_cred"); goto out; } strlcpy(krb5_tkfile,ccname,sizeof(krb5_tkfile)); - syslog_and_cont("%s forwarded ticket to %s,%s", - name, - (char *)(remotename.data),ccname); -out: + krb5_warnx(context, "%s forwarded ticket to %s,%s", + name, + (char *)(remotename.data),ccname); + out: if (status) { strcpy(ret_string, "no"); - syslog_and_cont("failed"); + krb5_warnx(context, "failed"); } else { strcpy(ret_string, "ok"); } krb5_data_free (&tk_file); krb5_data_free (&remotename); - krb5_data_free (&packet); krb5_data_free (&data); free(name); - len = strlen(ret_string) + 1; - net_len = htonl(len); - if (krb5_net_write (context, &sock, &net_len, 4) != 4) - return 1; - if (krb5_net_write (context, &sock, ret_string, len) != len) - return 1; - return status; + data.data = ret_string; + data.length = strlen(ret_string) + 1; + return krb5_write_priv_message(context, auth_context, &sock, &data); } static int @@ -314,10 +289,16 @@ main(int argc, char **argv) { int port; int ret; + krb5_log_facility *fac; setprogname (argv[0]); roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH); port = server_setup(&context, argc, argv); + ret = krb5_openlog(context, "kfd", &fac); + if(ret) krb5_err(context, 1, ret, "krb5_openlog"); + ret = krb5_set_warn_dest(context, fac); + if(ret) krb5_err(context, 1, ret, "krb5_set_warn_dest"); + ret = doit (port, service); closelog(); if (ret == 0 && regpag_str != NULL) |