* int num;
*/
+#if defined(HAVE_KRB5) && 0
+int krb5_init_keyblock(krb5_context context,
+ krb5_enctype type,
+ size_t size,
+ krb5_keyblock **akey)
+{
+krb5_error_code ret;
+size_t len;
+krb5_keyblock *key;
+
+*akey=NULL;
+key=malloc(sizeof(*key));
+memset(key, 0, sizeof(*key));
+ret = krb5_enctype_keysize(context, type, &len);
+if (ret)
+return ret;
+
+if (len != size) {
+krb5_set_error_string(context, "Encryption key %d is %lu bytes "
+"long, %lu was passed in",
+type, (unsigned long)len, (unsigned long)size);
+return KRB5_PROG_ETYPE_NOSUPP;
+}
+
+ret = krb5_data_alloc(&key->keyvalue, len);
+if(ret) {
+krb5_set_error_string(context, "malloc failed: %lu",
+(unsigned long)len);
+return ret;
+}
+key->keytype = type;
+*akey=key;
+return 0;
+}
+#endif
+
+
static void close_bdump __P((void* arg));
static Code_t bdump_send_loop __P((Server *server)),
bdump_ask_for __P((char *inst)),
#ifdef HAVE_KRB5
{ /* "server" side */
krb5_auth_context actx;
+ krb5_principal principal;
+ krb5_data data;
+ krb5_ap_rep_enc_part *rep;
+ krb5_keytab kt;
+
+ if (get_tgt()) {
+ syslog(LOG_ERR, "bdump_send: get_tgt failed");
+ cleanup(server);
+ return;
+ }
+
+ retval = krb5_build_principal(Z_krb5_ctx, &principal,
+ strlen(ZGetRealm()),
+ ZGetRealm(),
+ SERVER_KRB5_SERVICE, SERVER_INSTANCE,
+ 0);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: krb5_build_principal: %s", error_message(retval));
+ cleanup(server);
+ return;
+ }
+
+ retval = krb5_auth_con_init(Z_krb5_ctx, &actx);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: krb5_auth_con_init: %s", error_message(retval));
+ cleanup(server);
+ return;
+ }
+
+ /* Get the "client" krb_ap_req */
+
+ memset((char *)&data, 0, sizeof(krb5_data));
+ retval = GetKrb5Data(live_socket, &data);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: cannot get auth response: %s",
+ error_message(retval));
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ cleanup(server);
+ return;
+ }
+
+
+ /* resolve keytab */
+ retval = krb5_kt_resolve(Z_krb5_ctx, keytab_file, &kt);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: cannot resolve keytab: %s",
+ error_message(retval));
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ krb5_kt_close(Z_krb5_ctx, kt);
+ cleanup(server);
+ return;
+ }
+
+ retval = krb5_rd_req(Z_krb5_ctx, &actx, &data, principal, kt, NULL, NULL);
+ krb5_free_principal(Z_krb5_ctx, principal);
+ krb5_kt_close(Z_krb5_ctx, kt);
+ free(data.data);
+ memset((char *)&data, 0, sizeof(krb5_data));
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: mutual authentication failed: %s",
+ error_message(retval));
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ cleanup(server);
+ return;
+ }
+
+ /* Now send back our auth packet */
+
+ memset((char *)&data, 0, sizeof(krb5_data));
+ retval = krb5_mk_rep(Z_krb5_ctx, actx, &data);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: krb5_mk_rep: %s", error_message(retval));
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ cleanup(server);
+ return;
+ }
+ retval = SendKrb5Data(live_socket, &data);
+ if (retval) {
+ syslog(LOG_ERR, "bdump_send: cannot send authenticator: %s",
+ error_message(retval));
+ krb5_free_data_contents(Z_krb5_ctx, &data);
+ krb5_auth_con_free(Z_krb5_ctx, actx);
+ cleanup(server);
+ return;
+ }
+ krb5_free_data_contents(Z_krb5_ctx, &data);
}
#else /* HAVE_KRB5 */
#ifdef HAVE_KRB4
#ifdef HAVE_KRB5
if (get_tgt()) {
+ syslog(LOG_ERR, "bdump_get: get_tgt failed");
cleanup(server);
return;
}
#ifndef NOENCRYPTION
Sched *s;
#endif
-
+
/* have they expired ? */
if (ticket_time < NOW - tkt_lifetime(TKTLIFETIME) + (15L * 60L)) {
/* +15 for leeway */
/* ****ing netascii; this is an encrypted DES keyblock
XXX this code should be conditionalized for server
transitions */
- retval = krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC,
+ retval = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC,
sizeof(C_Block),
&client->session_keyblock);
if (retval) {
syslog(LOG_ERR,"brl bad cblk read: %s (%s)",
error_message(retval), cp);
} else {
- des_ecb_encrypt(cblock, client->session_keyblock->contents,
+ des_ecb_encrypt(cblock, Z_keydata(client->session_keyblock),
serv_ksched.s, DES_DECRYPT);
}
} else if (*cp == 'Z') { /* Zcode! Long live the new flesh! */
syslog(LOG_ERR,"brl bad cblk read: %s (%s)",
error_message(retval), cp);
} else {
- retval = krb5_init_keyblock(Z_krb5_ctx,
+ retval = Z_krb5_init_keyblock(Z_krb5_ctx,
ntohl(*(krb5_enctype *)&buf[0]),
- ntohl(*(krb5_ui_4 *)&buf[4]),
+ ntohl(*(u_int32_t *)&buf[4]),
&client->session_keyblock);
if (retval) {
syslog(LOG_ERR, "brl failed to allocate keyblock: %s",
error_message(retval));
return retval;
}
- memcpy(client->session_keyblock->contents, &buf[8],
- client->session_keyblock->length);
+ memcpy(Z_keydata(client->session_keyblock), &buf[8],
+ Z_keylen(client->session_keyblock));
}
}
}
SendKrb5Data(int fd, krb5_data *data) {
char p[32];
int written, size_to_write;
- sprintf(p, "V5-%d", data->length);
+ sprintf(p, "V5-%d ", data->length);
size_to_write = strlen (p);
if (size_to_write != (written = write(fd, p, size_to_write)) ||
data->length != (written = write(fd, data->data, data->length))) {
krb5_free_keyblock(Z_krb5_ctx, keyblock);
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
- return ZAUTH_NO;
+ return ZAUTH_FAILED;
}
/* HOLDING: authctx, authenticator, cksumbuf.data */
krb5_free_keyblock(Z_krb5_ctx, keyblock);
krb5_auth_con_free(Z_krb5_ctx, authctx);
krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
- return ZAUTH_NO;
+ return ZAUTH_FAILED;
}
/* HOLDING: authctx, authenticator, cksumbuf.data */
}
#ifdef HAVE_KRB5
+krb5_error_code
+Z_krb5_init_keyblock(krb5_context context,
+ krb5_enctype type,
+ size_t size,
+ krb5_keyblock **key)
+{
+#ifdef HAVE_KRB5_CREDS_KEYBLOCK_ENCTYPE
+ return krb5_init_keyblock(context, type, size, key);
+#else
+ krb5_error_code ret;
+ krb5_keyblock *tmp, tmp_ss;
+ tmp = &tmp_ss;
+
+ *key = NULL;
+ Z_enctype(tmp) = type;
+ Z_keylen(tmp) = size;
+ Z_keydata(tmp) = malloc(size);
+ if (!Z_keydata(tmp))
+ return ENOMEM;
+ ret = krb5_copy_keyblock(context, tmp, key);
+ free(Z_keydata(tmp));
+ return ret;
+#endif
+}
+
+#if 0
+void ZLogKey(char *label, krb5_keyblock *keyblock) {
+ char *p, *buf;
+ unsigned char *k;
+ int i;
+ buf = malloc(5 *Z_keylen(keyblock)+1);
+
+ k=Z_keydata(keyblock);
+ for (i=0,p=buf; i < Z_keylen(keyblock); i++,p+=strlen(p))
+ sprintf(p, " 0x%02x", k[i]);
+ syslog(LOG_ERR, "key %s is type %d, %d bytes, %s", label, Z_enctype(keyblock), Z_keylen(keyblock), buf);
+ free(buf);
+}
+#endif
+
void
ZSetSession(krb5_keyblock *keyblock) {
#if 1
ZSetSessionDES(C_Block *key) {
#ifdef HAVE_KRB5
Code_t result;
-#ifdef HAVE_KRB5_INIT_KEYBLOCK
if (__Zephyr_keyblock) {
- krb5_free_keyblock(__Zephyr_keyblock);
+ krb5_free_keyblock(Z_krb5_ctx, __Zephyr_keyblock);
__Zephyr_keyblock=NULL;
}
- result = krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC,
- sizeof(C_Block)
+ result = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC,
+ sizeof(C_Block),
&__Zephyr_keyblock);
if (result) /*XXX we're out of memory? */
return;
memcpy(Z_keydata(__Zephyr_keyblock), key, sizeof(C_Block));
-#else
- krb5_keyblock *tmp, tmp_ss;
- tmp = &tmp_ss;
- Z_keylen(tmp)=sizeof(C_Block);
- Z_keydata(tmp)=key;
-#if HAVE_KRB5_CREDS_KEYBLOCK_ENCTYPE
- tmp->enctype = ENCTYPE_DES_CBC_CRC;
-#else
- tmp->keytype = KEYTYPE_DES;
-#endif
- if (__Zephyr_keyblock) {
- krb5_free_keyblock_contents(Z_krb5_ctx, __Zephyr_keyblock);
- result = krb5_copy_keyblock_contents(Z_krb5_ctx, tmp,
- __Zephyr_keyblock);
- } else {
- result = krb5_copy_keyblock(Z_krb5_ctx, tmp, &__Zephyr_keyblock);
- }
- if (result) /*XXX we're out of memory? */
- ;
-#endif
#else
memcpy(__Zephyr_session, key, sizeof(C_Block));
#endif
if (retval = (subscr_send_realm_subs(&otherrealms[cnt])) != ZERR_NONE)
return(retval);
}
+ return ZERR_NONE;
}
int
retval = ZMakeZcodeRealmAuthentication(&newnotice, buffer, buffer_len,
&hdrlen, realm->name);
if (retval != ZERR_NONE) {
- syslog(LOG_WARNING, "rlm_sendit_auth set addr: %s",
+ syslog(LOG_WARNING, "rlm_sendit_auth make zcksum: %s",
error_message(retval));
return (retval);
}
syslog(LOG_CRIT, "srv_fwd malloc");
abort();
}
- if (realm_which_realm(who)) {
- retval = ZNewFormatSmallRawNotice(notice, pack, &packlen);
- } else {
- retval = ZFormatSmallRawNotice(notice, pack, &packlen);
- }
+ retval = ZNewFormatSmallRawNotice(notice, pack, &packlen);
if (retval != ZERR_NONE) {
syslog(LOG_WARNING, "srv_fwd format: %s", error_message(retval));
continue;
#ifdef HAVE_KRB5
#ifdef HAVE_KRB4 /* XXX make this optional for server transition time */
- if (client->session_keyblock->enctype == ENCTYPE_DES_CBC_CRC) {
- bufp = malloc(client->session_keyblock->length);
+ if (Z_enctype(client->session_keyblock) == ENCTYPE_DES_CBC_CRC) {
+ bufp = malloc(Z_keylen(client->session_keyblock));
if (bufp == NULL) {
syslog(LOG_WARNING, "subscr_send_subs: cannot allocate memory for DES keyblock: %m");
return errno;
}
- des_ecb_encrypt(client->session_keyblock->contents, bufp, serv_ksched.s, DES_ENCRYPT);
- retval = ZMakeAscii(buf, sizeof(buf), bufp, client->session_keyblock->length);
+ des_ecb_encrypt(Z_keydata(client->session_keyblock), bufp, serv_ksched.s, DES_ENCRYPT);
+ retval = ZMakeAscii(buf, sizeof(buf), bufp, Z_keylen(client->session_keyblock));
} else {
#endif
- bufp = malloc(client->session_keyblock->length + 8); /* + enctype
+ bufp = malloc(Z_keylen(client->session_keyblock) + 8); /* + enctype
+ length */
if (bufp == NULL) {
syslog(LOG_WARNING, "subscr_send_subs: cannot allocate memory for keyblock: %m");
return errno;
}
- *(krb5_enctype *)&bufp[0] = htonl(client->session_keyblock->enctype);
- *(krb5_ui_4 *)&bufp[4] = htonl(client->session_keyblock->length);
- memcpy(&bufp[8], client->session_keyblock->contents, client->session_keyblock->length);
+ *(krb5_enctype *)&bufp[0] = htonl(Z_enctype(client->session_keyblock));
+ *(u_int32_t *)&bufp[4] = htonl(Z_keylen(client->session_keyblock));
+ memcpy(&bufp[8], Z_keydata(client->session_keyblock), Z_keylen(client->session_keyblock));
- retval = ZMakeZcode(buf, sizeof(buf), bufp, client->session_keyblock->length + 8);
+ retval = ZMakeZcode(buf, sizeof(buf), bufp, Z_keylen(client->session_keyblock) + 8);
#ifdef HAVE_KRB4
}
#endif /* HAVE_KRB4 */
lnotice = *notice;
lnotice.z_opcode = LOCATE_LOCATE;
lnotice.z_kind = ACKED;
+ lnotice.z_auth = 0;
+ lnotice.z_authent_len = 0;
+ lnotice.z_ascii_authent = "";
+ lnotice.z_checksum = 0;
+ lnotice.z_ascii_checksum = "";
if ((retval = ZFormatRawNotice(&lnotice, &pack, &packlen)) != ZERR_NONE) {
syslog(LOG_WARNING, "ulog_relay_loc format: %s",
#define ZGetSession() (__Zephyr_keyblock)
void ZSetSession(krb5_keyblock *keyblock);
Code_t ZFormatAuthenticNoticeV5 __P((ZNotice_t*, char*, int, int*, krb5_keyblock *));
+krb5_error_code Z_krb5_init_keyblock(krb5_context, krb5_enctype, size_t,
+ krb5_keyblock **);
#else
extern C_Block __Zephyr_session;
#define ZGetSession() (__Zephyr_session)