From: kcr Date: Fri, 18 Jul 2008 20:38:06 +0000 (+0000) Subject: r226@bucket (orig r222): kcr | 2007-12-24 21:03:29 -0500 X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=4d96b3cbddc3c3d0c50bf88d77d3282a293ed756;p=1ts-debian.git r226@bucket (orig r222): kcr | 2007-12-24 21:03:29 -0500 /afs/andrew.cmu.edu/usr18/cg2v/zephyr-krb5-server-20071215+.diff git-svn-id: svn://svn.1ts.org/debian/trunk/zephyr@291 cbed1d16-5ef5-0310-b6a1-d4a37b08ba1f --- diff --git a/server/bdump.c b/server/bdump.c index 7f50208..eb067ca 100644 --- a/server/bdump.c +++ b/server/bdump.c @@ -44,6 +44,43 @@ static const char rcsid_bdump_c[] = "$Id$"; * int num; */ +#if defined(HAVE_KRB5) && 0 +int krb5_init_keyblock(krb5_context context, + krb5_enctype type, + size_t size, + krb5_keyblock **akey) +{ +krb5_error_code ret; +size_t len; +krb5_keyblock *key; + +*akey=NULL; +key=malloc(sizeof(*key)); +memset(key, 0, sizeof(*key)); +ret = krb5_enctype_keysize(context, type, &len); +if (ret) +return ret; + +if (len != size) { +krb5_set_error_string(context, "Encryption key %d is %lu bytes " +"long, %lu was passed in", +type, (unsigned long)len, (unsigned long)size); +return KRB5_PROG_ETYPE_NOSUPP; +} + +ret = krb5_data_alloc(&key->keyvalue, len); +if(ret) { +krb5_set_error_string(context, "malloc failed: %lu", +(unsigned long)len); +return ret; +} +key->keytype = type; +*akey=key; +return 0; +} +#endif + + static void close_bdump __P((void* arg)); static Code_t bdump_send_loop __P((Server *server)), bdump_ask_for __P((char *inst)), @@ -281,7 +318,93 @@ bdump_send() #ifdef HAVE_KRB5 { /* "server" side */ krb5_auth_context actx; + krb5_principal principal; + krb5_data data; + krb5_ap_rep_enc_part *rep; + krb5_keytab kt; + + if (get_tgt()) { + syslog(LOG_ERR, "bdump_send: get_tgt failed"); + cleanup(server); + return; + } + + retval = krb5_build_principal(Z_krb5_ctx, &principal, + strlen(ZGetRealm()), + ZGetRealm(), + SERVER_KRB5_SERVICE, SERVER_INSTANCE, + 0); + if (retval) { + syslog(LOG_ERR, "bdump_send: krb5_build_principal: %s", error_message(retval)); + cleanup(server); + return; + } + + retval = krb5_auth_con_init(Z_krb5_ctx, &actx); + if (retval) { + syslog(LOG_ERR, "bdump_send: krb5_auth_con_init: %s", error_message(retval)); + cleanup(server); + return; + } + + /* Get the "client" krb_ap_req */ + + memset((char *)&data, 0, sizeof(krb5_data)); + retval = GetKrb5Data(live_socket, &data); + if (retval) { + syslog(LOG_ERR, "bdump_send: cannot get auth response: %s", + error_message(retval)); + krb5_auth_con_free(Z_krb5_ctx, actx); + cleanup(server); + return; + } + + + /* resolve keytab */ + retval = krb5_kt_resolve(Z_krb5_ctx, keytab_file, &kt); + if (retval) { + syslog(LOG_ERR, "bdump_send: cannot resolve keytab: %s", + error_message(retval)); + krb5_auth_con_free(Z_krb5_ctx, actx); + krb5_kt_close(Z_krb5_ctx, kt); + cleanup(server); + return; + } + + retval = krb5_rd_req(Z_krb5_ctx, &actx, &data, principal, kt, NULL, NULL); + krb5_free_principal(Z_krb5_ctx, principal); + krb5_kt_close(Z_krb5_ctx, kt); + free(data.data); + memset((char *)&data, 0, sizeof(krb5_data)); + if (retval) { + syslog(LOG_ERR, "bdump_send: mutual authentication failed: %s", + error_message(retval)); + krb5_auth_con_free(Z_krb5_ctx, actx); + cleanup(server); + return; + } + + /* Now send back our auth packet */ + + memset((char *)&data, 0, sizeof(krb5_data)); + retval = krb5_mk_rep(Z_krb5_ctx, actx, &data); + if (retval) { + syslog(LOG_ERR, "bdump_send: krb5_mk_rep: %s", error_message(retval)); + krb5_auth_con_free(Z_krb5_ctx, actx); + cleanup(server); + return; + } + retval = SendKrb5Data(live_socket, &data); + if (retval) { + syslog(LOG_ERR, "bdump_send: cannot send authenticator: %s", + error_message(retval)); + krb5_free_data_contents(Z_krb5_ctx, &data); + krb5_auth_con_free(Z_krb5_ctx, actx); + cleanup(server); + return; + } + krb5_free_data_contents(Z_krb5_ctx, &data); } #else /* HAVE_KRB5 */ #ifdef HAVE_KRB4 @@ -464,6 +587,7 @@ bdump_get_v12 (notice, auth, who, server) #ifdef HAVE_KRB5 if (get_tgt()) { + syslog(LOG_ERR, "bdump_get: get_tgt failed"); cleanup(server); return; } @@ -810,7 +934,7 @@ get_tgt() #ifndef NOENCRYPTION Sched *s; #endif - + /* have they expired ? */ if (ticket_time < NOW - tkt_lifetime(TKTLIFETIME) + (15L * 60L)) { /* +15 for leeway */ @@ -1032,7 +1156,7 @@ bdump_recv_loop(server) /* ****ing netascii; this is an encrypted DES keyblock XXX this code should be conditionalized for server transitions */ - retval = krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, + retval = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, sizeof(C_Block), &client->session_keyblock); if (retval) { @@ -1045,7 +1169,7 @@ bdump_recv_loop(server) syslog(LOG_ERR,"brl bad cblk read: %s (%s)", error_message(retval), cp); } else { - des_ecb_encrypt(cblock, client->session_keyblock->contents, + des_ecb_encrypt(cblock, Z_keydata(client->session_keyblock), serv_ksched.s, DES_DECRYPT); } } else if (*cp == 'Z') { /* Zcode! Long live the new flesh! */ @@ -1054,17 +1178,17 @@ bdump_recv_loop(server) syslog(LOG_ERR,"brl bad cblk read: %s (%s)", error_message(retval), cp); } else { - retval = krb5_init_keyblock(Z_krb5_ctx, + retval = Z_krb5_init_keyblock(Z_krb5_ctx, ntohl(*(krb5_enctype *)&buf[0]), - ntohl(*(krb5_ui_4 *)&buf[4]), + ntohl(*(u_int32_t *)&buf[4]), &client->session_keyblock); if (retval) { syslog(LOG_ERR, "brl failed to allocate keyblock: %s", error_message(retval)); return retval; } - memcpy(client->session_keyblock->contents, &buf[8], - client->session_keyblock->length); + memcpy(Z_keydata(client->session_keyblock), &buf[8], + Z_keylen(client->session_keyblock)); } } } diff --git a/server/kstuff.c b/server/kstuff.c index 6bd9ca5..700b380 100644 --- a/server/kstuff.c +++ b/server/kstuff.c @@ -165,7 +165,7 @@ Code_t SendKrb5Data(int fd, krb5_data *data) { char p[32]; int written, size_to_write; - sprintf(p, "V5-%d", data->length); + sprintf(p, "V5-%d ", data->length); size_to_write = strlen (p); if (size_to_write != (written = write(fd, p, size_to_write)) || data->length != (written = write(fd, data->data, data->length))) { @@ -409,7 +409,7 @@ ZCheckRealmAuthentication(notice, from, realm) krb5_free_keyblock(Z_krb5_ctx, keyblock); krb5_auth_con_free(Z_krb5_ctx, authctx); krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT); - return ZAUTH_NO; + return ZAUTH_FAILED; } /* HOLDING: authctx, authenticator, cksumbuf.data */ @@ -694,7 +694,7 @@ ZCheckAuthentication(notice, from) krb5_free_keyblock(Z_krb5_ctx, keyblock); krb5_auth_con_free(Z_krb5_ctx, authctx); krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT); - return ZAUTH_NO; + return ZAUTH_FAILED; } /* HOLDING: authctx, authenticator, cksumbuf.data */ @@ -847,6 +847,46 @@ static ZChecksum_t compute_rlm_checksum(notice, session_key) } #ifdef HAVE_KRB5 +krb5_error_code +Z_krb5_init_keyblock(krb5_context context, + krb5_enctype type, + size_t size, + krb5_keyblock **key) +{ +#ifdef HAVE_KRB5_CREDS_KEYBLOCK_ENCTYPE + return krb5_init_keyblock(context, type, size, key); +#else + krb5_error_code ret; + krb5_keyblock *tmp, tmp_ss; + tmp = &tmp_ss; + + *key = NULL; + Z_enctype(tmp) = type; + Z_keylen(tmp) = size; + Z_keydata(tmp) = malloc(size); + if (!Z_keydata(tmp)) + return ENOMEM; + ret = krb5_copy_keyblock(context, tmp, key); + free(Z_keydata(tmp)); + return ret; +#endif +} + +#if 0 +void ZLogKey(char *label, krb5_keyblock *keyblock) { + char *p, *buf; + unsigned char *k; + int i; + buf = malloc(5 *Z_keylen(keyblock)+1); + + k=Z_keydata(keyblock); + for (i=0,p=buf; i < Z_keylen(keyblock); i++,p+=strlen(p)) + sprintf(p, " 0x%02x", k[i]); + syslog(LOG_ERR, "key %s is type %d, %d bytes, %s", label, Z_enctype(keyblock), Z_keylen(keyblock), buf); + free(buf); +} +#endif + void ZSetSession(krb5_keyblock *keyblock) { #if 1 @@ -871,38 +911,17 @@ void ZSetSessionDES(C_Block *key) { #ifdef HAVE_KRB5 Code_t result; -#ifdef HAVE_KRB5_INIT_KEYBLOCK if (__Zephyr_keyblock) { - krb5_free_keyblock(__Zephyr_keyblock); + krb5_free_keyblock(Z_krb5_ctx, __Zephyr_keyblock); __Zephyr_keyblock=NULL; } - result = krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, - sizeof(C_Block) + result = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, + sizeof(C_Block), &__Zephyr_keyblock); if (result) /*XXX we're out of memory? */ return; memcpy(Z_keydata(__Zephyr_keyblock), key, sizeof(C_Block)); -#else - krb5_keyblock *tmp, tmp_ss; - tmp = &tmp_ss; - Z_keylen(tmp)=sizeof(C_Block); - Z_keydata(tmp)=key; -#if HAVE_KRB5_CREDS_KEYBLOCK_ENCTYPE - tmp->enctype = ENCTYPE_DES_CBC_CRC; -#else - tmp->keytype = KEYTYPE_DES; -#endif - if (__Zephyr_keyblock) { - krb5_free_keyblock_contents(Z_krb5_ctx, __Zephyr_keyblock); - result = krb5_copy_keyblock_contents(Z_krb5_ctx, tmp, - __Zephyr_keyblock); - } else { - result = krb5_copy_keyblock(Z_krb5_ctx, tmp, &__Zephyr_keyblock); - } - if (result) /*XXX we're out of memory? */ - ; -#endif #else memcpy(__Zephyr_session, key, sizeof(C_Block)); #endif diff --git a/server/realm.c b/server/realm.c index e8801a4..24c91e1 100644 --- a/server/realm.c +++ b/server/realm.c @@ -240,6 +240,7 @@ realm_send_realms() if (retval = (subscr_send_realm_subs(&otherrealms[cnt])) != ZERR_NONE) return(retval); } + return ZERR_NONE; } int @@ -1137,7 +1138,7 @@ realm_sendit_auth(notice, who, auth, realm, ack_to_sender) retval = ZMakeZcodeRealmAuthentication(&newnotice, buffer, buffer_len, &hdrlen, realm->name); if (retval != ZERR_NONE) { - syslog(LOG_WARNING, "rlm_sendit_auth set addr: %s", + syslog(LOG_WARNING, "rlm_sendit_auth make zcksum: %s", error_message(retval)); return (retval); } diff --git a/server/server.c b/server/server.c index 0a1d041..4d68d92 100644 --- a/server/server.c +++ b/server/server.c @@ -1381,11 +1381,7 @@ server_forward(notice, auth, who) syslog(LOG_CRIT, "srv_fwd malloc"); abort(); } - if (realm_which_realm(who)) { - retval = ZNewFormatSmallRawNotice(notice, pack, &packlen); - } else { - retval = ZFormatSmallRawNotice(notice, pack, &packlen); - } + retval = ZNewFormatSmallRawNotice(notice, pack, &packlen); if (retval != ZERR_NONE) { syslog(LOG_WARNING, "srv_fwd format: %s", error_message(retval)); continue; diff --git a/server/subscr.c b/server/subscr.c index 724833d..97861e7 100644 --- a/server/subscr.c +++ b/server/subscr.c @@ -861,27 +861,27 @@ subscr_send_subs(client) #ifdef HAVE_KRB5 #ifdef HAVE_KRB4 /* XXX make this optional for server transition time */ - if (client->session_keyblock->enctype == ENCTYPE_DES_CBC_CRC) { - bufp = malloc(client->session_keyblock->length); + if (Z_enctype(client->session_keyblock) == ENCTYPE_DES_CBC_CRC) { + bufp = malloc(Z_keylen(client->session_keyblock)); if (bufp == NULL) { syslog(LOG_WARNING, "subscr_send_subs: cannot allocate memory for DES keyblock: %m"); return errno; } - des_ecb_encrypt(client->session_keyblock->contents, bufp, serv_ksched.s, DES_ENCRYPT); - retval = ZMakeAscii(buf, sizeof(buf), bufp, client->session_keyblock->length); + des_ecb_encrypt(Z_keydata(client->session_keyblock), bufp, serv_ksched.s, DES_ENCRYPT); + retval = ZMakeAscii(buf, sizeof(buf), bufp, Z_keylen(client->session_keyblock)); } else { #endif - bufp = malloc(client->session_keyblock->length + 8); /* + enctype + bufp = malloc(Z_keylen(client->session_keyblock) + 8); /* + enctype + length */ if (bufp == NULL) { syslog(LOG_WARNING, "subscr_send_subs: cannot allocate memory for keyblock: %m"); return errno; } - *(krb5_enctype *)&bufp[0] = htonl(client->session_keyblock->enctype); - *(krb5_ui_4 *)&bufp[4] = htonl(client->session_keyblock->length); - memcpy(&bufp[8], client->session_keyblock->contents, client->session_keyblock->length); + *(krb5_enctype *)&bufp[0] = htonl(Z_enctype(client->session_keyblock)); + *(u_int32_t *)&bufp[4] = htonl(Z_keylen(client->session_keyblock)); + memcpy(&bufp[8], Z_keydata(client->session_keyblock), Z_keylen(client->session_keyblock)); - retval = ZMakeZcode(buf, sizeof(buf), bufp, client->session_keyblock->length + 8); + retval = ZMakeZcode(buf, sizeof(buf), bufp, Z_keylen(client->session_keyblock) + 8); #ifdef HAVE_KRB4 } #endif /* HAVE_KRB4 */ diff --git a/server/uloc.c b/server/uloc.c index 66071cf..5d996c8 100644 --- a/server/uloc.c +++ b/server/uloc.c @@ -1090,6 +1090,11 @@ ulogin_relay_locate(notice, who) lnotice = *notice; lnotice.z_opcode = LOCATE_LOCATE; lnotice.z_kind = ACKED; + lnotice.z_auth = 0; + lnotice.z_authent_len = 0; + lnotice.z_ascii_authent = ""; + lnotice.z_checksum = 0; + lnotice.z_ascii_checksum = ""; if ((retval = ZFormatRawNotice(&lnotice, &pack, &packlen)) != ZERR_NONE) { syslog(LOG_WARNING, "ulog_relay_loc format: %s", diff --git a/server/zserver.h b/server/zserver.h index 94f11b0..ba615e9 100644 --- a/server/zserver.h +++ b/server/zserver.h @@ -38,6 +38,8 @@ extern krb5_keyblock *__Zephyr_keyblock; #define ZGetSession() (__Zephyr_keyblock) void ZSetSession(krb5_keyblock *keyblock); Code_t ZFormatAuthenticNoticeV5 __P((ZNotice_t*, char*, int, int*, krb5_keyblock *)); +krb5_error_code Z_krb5_init_keyblock(krb5_context, krb5_enctype, size_t, + krb5_keyblock **); #else extern C_Block __Zephyr_session; #define ZGetSession() (__Zephyr_session)