diff --git a/eBones/include/krb.h b/eBones/include/krb.h index d7b77f7ab856..a9eba82b6f1b 100644 --- a/eBones/include/krb.h +++ b/eBones/include/krb.h @@ -1,515 +1,517 @@ /* * Copyright 1987, 1988 by the Massachusetts Institute of Technology. * For copying and distribution information, please see the file * . * * Include file for the Kerberos library. * * from: krb.h,v 4.26 89/08/08 17:55:25 jtkohl Exp $ - * $Id: krb.h,v 1.6 1995/09/13 17:23:47 markm Exp $ + * $Id: krb.h,v 1.7 1995/10/05 21:29:26 gibbs Exp $ */ /* Only one time, please */ #ifndef KRB_DEFS #define KRB_DEFS /* Need some defs from des.h */ #include #include #include /* Text describing error codes */ #define MAX_KRB_ERRORS 256 extern char *krb_err_txt[MAX_KRB_ERRORS]; /* These are not defined for at least SunOS 3.3 and Ultrix 2.2 */ #if defined(ULTRIX022) || (defined(SunOS) && SunOS < 40) #define FD_ZERO(p) ((p)->fds_bits[0] = 0) #define FD_SET(n, p) ((p)->fds_bits[0] |= (1 << (n))) #define FD_ISSET(n, p) ((p)->fds_bits[0] & (1 << (n))) #endif /* ULTRIX022 || SunOS */ /* General definitions */ #define KSUCCESS 0 #define KFAILURE 255 #ifdef NO_UIDGID_T typedef unsigned short uid_t; typedef unsigned short gid_t; #endif /* NO_UIDGID_T */ /* * Kerberos specific definitions * * KRBLOG is the log file for the kerberos master server. KRB_CONF is * the configuration file where different host machines running master * and slave servers can be found. KRB_MASTER is the name of the * machine with the master database. The admin_server runs on this * machine, and all changes to the db (as opposed to read-only * requests, which can go to slaves) must go to it. KRB_HOST is the * default machine * when looking for a kerberos slave server. Other * possibilities are * in the KRB_CONF file. KRB_REALM is the name of * the realm. */ #ifdef notdef this is server - only, does not belong here; #define KRBLOG "/etc/kerberosIV/kerberos.log" are these used anyplace '?'; #define VX_KRB_HSTFILE "/etc/krbhst" #define PC_KRB_HSTFILE "\\kerberos\\krbhst" #endif #define KRB_CONF "/etc/kerberosIV/krb.conf" #define KRB_RLM_TRANS "/etc/kerberosIV/krb.realms" #define KRB_MASTER "kerberos" #define KRB_HOST KRB_MASTER #define KRB_REALM "ATHENA.MIT.EDU" /* The maximum sizes for aname, realm, sname, and instance +1 */ #define ANAME_SZ 40 #define REALM_SZ 40 #define SNAME_SZ 40 #define INST_SZ 40 /* include space for '.' and '@' */ #define MAX_K_NAME_SZ (ANAME_SZ + INST_SZ + REALM_SZ + 2) #define KKEY_SZ 100 #define VERSION_SZ 1 #define MSG_TYPE_SZ 1 #define DATE_SZ 26 /* RTI date output */ #define MAX_HSTNM 100 #ifndef DEFAULT_TKT_LIFE /* allow compile-time override */ #define DEFAULT_TKT_LIFE 96 /* default lifetime for krb_mk_req & co., 8 hrs */ #endif /* Definition of text structure used to pass text around */ #define MAX_KTXT_LEN 1250 struct ktext { int length; /* Length of the text */ unsigned char dat[MAX_KTXT_LEN]; /* The data itself */ unsigned long mbz; /* zero to catch runaway strings */ }; typedef struct ktext *KTEXT; typedef struct ktext KTEXT_ST; /* Definitions for send_to_kdc */ #define CLIENT_KRB_TIMEOUT 4 /* time between retries */ #define CLIENT_KRB_RETRY 5 /* retry this many times */ #define CLIENT_KRB_BUFLEN 512 /* max unfragmented packet */ /* Definitions for ticket file utilities */ #define R_TKT_FIL 0 #define W_TKT_FIL 1 /* Definitions for cl_get_tgt */ #ifdef PC #define CL_GTGT_INIT_FILE "\\kerberos\\k_in_tkts" #else #define CL_GTGT_INIT_FILE "/etc/k_in_tkts" #endif PC /* Parameters for rd_ap_req */ /* Maximum alloable clock skew in seconds */ #define CLOCK_SKEW 5*60 /* Filename for readservkey */ #define KEYFILE "/etc/kerberosIV/srvtab" /* Structure definition for rd_ap_req */ struct auth_dat { unsigned char k_flags; /* Flags from ticket */ char pname[ANAME_SZ]; /* Principal's name */ char pinst[INST_SZ]; /* His Instance */ char prealm[REALM_SZ]; /* His Realm */ unsigned long checksum; /* Data checksum (opt) */ C_Block session; /* Session Key */ int life; /* Life of ticket */ unsigned long time_sec; /* Time ticket issued */ unsigned long address; /* Address in ticket */ KTEXT_ST reply; /* Auth reply (opt) */ }; typedef struct auth_dat AUTH_DAT; /* Structure definition for credentials returned by get_cred */ struct credentials { char service[ANAME_SZ]; /* Service name */ char instance[INST_SZ]; /* Instance */ char realm[REALM_SZ]; /* Auth domain */ C_Block session; /* Session key */ int lifetime; /* Lifetime */ int kvno; /* Key version number */ KTEXT_ST ticket_st; /* The ticket itself */ long issue_date; /* The issue time */ char pname[ANAME_SZ]; /* Principal's name */ char pinst[INST_SZ]; /* Principal's instance */ }; typedef struct credentials CREDENTIALS; /* Structure definition for rd_private_msg and rd_safe_msg */ struct msg_dat { unsigned char *app_data; /* pointer to appl data */ unsigned long app_length; /* length of appl data */ unsigned long hash; /* hash to lookup replay */ int swap; /* swap bytes? */ long time_sec; /* msg timestamp seconds */ unsigned char time_5ms; /* msg timestamp 5ms units */ }; typedef struct msg_dat MSG_DAT; /* Location of ticket file for save_cred and get_cred */ #ifdef PC #define TKT_FILE "\\kerberos\\ticket.ses" #else #define TKT_FILE tkt_string() #define TKT_ROOT "/tmp/tkt" #endif PC /* Error codes returned from the KDC */ #define KDC_OK 0 /* Request OK */ #define KDC_NAME_EXP 1 /* Principal expired */ #define KDC_SERVICE_EXP 2 /* Service expired */ #define KDC_AUTH_EXP 3 /* Auth expired */ #define KDC_PKT_VER 4 /* Protocol version unknown */ #define KDC_P_MKEY_VER 5 /* Wrong master key version */ #define KDC_S_MKEY_VER 6 /* Wrong master key version */ #define KDC_BYTE_ORDER 7 /* Byte order unknown */ #define KDC_PR_UNKNOWN 8 /* Principal unknown */ #define KDC_PR_N_UNIQUE 9 /* Principal not unique */ #define KDC_NULL_KEY 10 /* Principal has null key */ #define KDC_GEN_ERR 20 /* Generic error from KDC */ /* Values returned by get_credentials */ #define GC_OK 0 /* Retrieve OK */ #define RET_OK 0 /* Retrieve OK */ #define GC_TKFIL 21 /* Can't read ticket file */ #define RET_TKFIL 21 /* Can't read ticket file */ #define GC_NOTKT 22 /* Can't find ticket or TGT */ #define RET_NOTKT 22 /* Can't find ticket or TGT */ /* Values returned by mk_ap_req */ #define MK_AP_OK 0 /* Success */ #define MK_AP_TGTEXP 26 /* TGT Expired */ /* Values returned by rd_ap_req */ #define RD_AP_OK 0 /* Request authentic */ #define RD_AP_UNDEC 31 /* Can't decode authenticator */ #define RD_AP_EXP 32 /* Ticket expired */ #define RD_AP_NYV 33 /* Ticket not yet valid */ #define RD_AP_REPEAT 34 /* Repeated request */ #define RD_AP_NOT_US 35 /* The ticket isn't for us */ #define RD_AP_INCON 36 /* Request is inconsistent */ #define RD_AP_TIME 37 /* delta_t too big */ #define RD_AP_BADD 38 /* Incorrect net address */ #define RD_AP_VERSION 39 /* protocol version mismatch */ #define RD_AP_MSG_TYPE 40 /* invalid msg type */ #define RD_AP_MODIFIED 41 /* message stream modified */ #define RD_AP_ORDER 42 /* message out of order */ #define RD_AP_UNAUTHOR 43 /* unauthorized request */ /* Values returned by get_pw_tkt */ #define GT_PW_OK 0 /* Got password changing tkt */ #define GT_PW_NULL 51 /* Current PW is null */ #define GT_PW_BADPW 52 /* Incorrect current password */ #define GT_PW_PROT 53 /* Protocol Error */ #define GT_PW_KDCERR 54 /* Error returned by KDC */ #define GT_PW_NULLTKT 55 /* Null tkt returned by KDC */ /* Values returned by send_to_kdc */ #define SKDC_OK 0 /* Response received */ #define SKDC_RETRY 56 /* Retry count exceeded */ #define SKDC_CANT 57 /* Can't send request */ /* * Values returned by get_intkt * (can also return SKDC_* and KDC errors) */ #define INTK_OK 0 /* Ticket obtained */ #define INTK_W_NOTALL 61 /* Not ALL tickets returned */ #define INTK_BADPW 62 /* Incorrect password */ #define INTK_PROT 63 /* Protocol Error */ #define INTK_ERR 70 /* Other error */ /* Values returned by get_adtkt */ #define AD_OK 0 /* Ticket Obtained */ #define AD_NOTGT 71 /* Don't have tgt */ /* Error codes returned by ticket file utilities */ #define NO_TKT_FIL 76 /* No ticket file found */ #define TKT_FIL_ACC 77 /* Couldn't access tkt file */ #define TKT_FIL_LCK 78 /* Couldn't lock ticket file */ #define TKT_FIL_FMT 79 /* Bad ticket file format */ #define TKT_FIL_INI 80 /* tf_init not called first */ /* Error code returned by kparse_name */ #define KNAME_FMT 81 /* Bad Kerberos name format */ /* Error codes returned by get_local_addr and bind_local_addr */ #define GT_LADDR_NOSOCK 82 /* Can't open socket */ #define GT_LADDR_IFLIST 83 /* * Can't retrieve local interface * configuration list */ #define GT_LADDR_NVI 84 /* No valid local interface found */ #define BND_LADDR_BIND 85 /* Can't bind local address */ /* Error code returned by krb_mk_safe */ #define SAFE_PRIV_ERROR -1 /* syscall error */ /* * macros for byte swapping; also scratch space * u_quad 0-->7, 1-->6, 2-->5, 3-->4, 4-->3, 5-->2, 6-->1, 7-->0 * u_long 0-->3, 1-->2, 2-->1, 3-->0 * u_short 0-->1, 1-->0 */ #define swap_u_16(x) {\ unsigned long _krb_swap_tmp[4];\ swab(((char *) x) +0, ((char *) _krb_swap_tmp) +14 ,2); \ swab(((char *) x) +2, ((char *) _krb_swap_tmp) +12 ,2); \ swab(((char *) x) +4, ((char *) _krb_swap_tmp) +10 ,2); \ swab(((char *) x) +6, ((char *) _krb_swap_tmp) +8 ,2); \ swab(((char *) x) +8, ((char *) _krb_swap_tmp) +6 ,2); \ swab(((char *) x) +10,((char *) _krb_swap_tmp) +4 ,2); \ swab(((char *) x) +12,((char *) _krb_swap_tmp) +2 ,2); \ swab(((char *) x) +14,((char *) _krb_swap_tmp) +0 ,2); \ bcopy((char *)_krb_swap_tmp,(char *)x,16);\ } #define swap_u_12(x) {\ unsigned long _krb_swap_tmp[4];\ swab(( char *) x, ((char *) _krb_swap_tmp) +10 ,2); \ swab(((char *) x) +2, ((char *) _krb_swap_tmp) +8 ,2); \ swab(((char *) x) +4, ((char *) _krb_swap_tmp) +6 ,2); \ swab(((char *) x) +6, ((char *) _krb_swap_tmp) +4 ,2); \ swab(((char *) x) +8, ((char *) _krb_swap_tmp) +2 ,2); \ swab(((char *) x) +10,((char *) _krb_swap_tmp) +0 ,2); \ bcopy((char *)_krb_swap_tmp,(char *)x,12);\ } #define swap_C_Block(x) {\ unsigned long _krb_swap_tmp[4];\ swab(( char *) x, ((char *) _krb_swap_tmp) +6 ,2); \ swab(((char *) x) +2,((char *) _krb_swap_tmp) +4 ,2); \ swab(((char *) x) +4,((char *) _krb_swap_tmp) +2 ,2); \ swab(((char *) x) +6,((char *) _krb_swap_tmp) ,2); \ bcopy((char *)_krb_swap_tmp,(char *)x,8);\ } #define swap_u_quad(x) {\ unsigned long _krb_swap_tmp[4];\ swab(( char *) &x, ((char *) _krb_swap_tmp) +6 ,2); \ swab(((char *) &x) +2,((char *) _krb_swap_tmp) +4 ,2); \ swab(((char *) &x) +4,((char *) _krb_swap_tmp) +2 ,2); \ swab(((char *) &x) +6,((char *) _krb_swap_tmp) ,2); \ bcopy((char *)_krb_swap_tmp,(char *)&x,8);\ } #define swap_u_long(x) {\ unsigned long _krb_swap_tmp[4];\ swab((char *) &x, ((char *) _krb_swap_tmp) +2 ,2); \ swab(((char *) &x) +2,((char *) _krb_swap_tmp),2); \ x = _krb_swap_tmp[0]; \ } #define swap_u_short(x) {\ unsigned short _krb_swap_sh_tmp; \ swab((char *) &x, ( &_krb_swap_sh_tmp) ,2); \ x = (unsigned short) _krb_swap_sh_tmp; \ } /* Kerberos ticket flag field bit definitions */ #define K_FLAG_ORDER 0 /* bit 0 --> lsb */ #define K_FLAG_1 /* reserved */ #define K_FLAG_2 /* reserved */ #define K_FLAG_3 /* reserved */ #define K_FLAG_4 /* reserved */ #define K_FLAG_5 /* reserved */ #define K_FLAG_6 /* reserved */ #define K_FLAG_7 /* reserved, bit 7 --> msb */ #ifndef PC char *tkt_string(); #endif PC #ifdef OLDNAMES #define krb_mk_req mk_ap_req #define krb_rd_req rd_ap_req #define krb_kntoln an_to_ln #define krb_set_key set_serv_key #define krb_get_cred get_credentials #define krb_mk_priv mk_private_msg #define krb_rd_priv rd_private_msg #define krb_mk_safe mk_safe_msg #define krb_rd_safe rd_safe_msg #define krb_mk_err mk_appl_err_msg #define krb_rd_err rd_appl_err_msg #define krb_ck_repl check_replay #define krb_get_pw_in_tkt get_in_tkt #define krb_get_svc_in_tkt get_svc_in_tkt #define krb_get_pw_tkt get_pw_tkt #define krb_realmofhost krb_getrealm #define krb_get_phost get_phost #define krb_get_krbhst get_krbhst #define krb_get_lrealm get_krbrlm #endif OLDNAMES /* Defines for krb_sendauth and krb_recvauth */ #define KOPT_DONT_MK_REQ 0x00000001 /* don't call krb_mk_req */ #define KOPT_DO_MUTUAL 0x00000002 /* do mutual auth */ #define KOPT_DONT_CANON 0x00000004 /* * don't canonicalize inst as * a hostname */ #define KRB_SENDAUTH_VLEN 8 /* length for version strings */ #ifdef ATHENA_COMPAT #define KOPT_DO_OLDSTYLE 0x00000008 /* use the old-style protocol */ #endif ATHENA_COMPAT /* libacl */ void acl_canonicalize_principal __P((char *principal, char *buf)); int acl_check __P((char *acl, char *principal)); int acl_exact_match __P((char *acl, char *principal)); int acl_add __P((char *acl, char *principal)); int acl_delete __P((char *acl, char *principal)); int acl_initialize __P((char *acl_file, int mode)); /* libkrb - krb.3 */ int krb_mk_req __P((KTEXT authent, char *service, char *instance, char *realm, long checksum); int krb_rd_req __P((KTEXT authent, char *service, char *instance, long from_addr, AUTH_DAT *ad, char *fn)); int krb_kntoln __P((AUTH_DAT *ad, char *lname)); int krb_set_key __P((char *key, int cvt)); int krb_get_cred __P((char *service, char *instance, char *realm, CREDENTIALS *c)); long krb_mk_priv __P((u_char *in, u_char *out, u_long in_length, des_key_schedule schedule, des_cblock key, struct sockaddr_in *sender, struct sockaddr_in *receiver)); long krb_rd_priv __P((u_char *in, u_long in_length, Key_schedule schedule, des_cblock key, struct sockaddr_in *sender, struct sockaddr_in *receiver, MSG_DAT *msg_data)); long krb_mk_safe __P((u_char *in, u_char *out, u_long in_length, des_cblock *key, struct sockaddr_in *sender, struct sockaddr_in *receiver)); long krb_rd_safe __P((u_char *in, u_long length, des_cblock *key, struct sockaddr_in *sender, struct sockaddr_in *receiver, MSG_DAT *msg_data)); long krb_mk_err __P((u_char *out, long code, char *string)); int krb_rd_err __P((u_char *in, u_long in_length, long *code, MSG_DAT *m_data)); /* libkrb - krb_sendauth.3 */ int krb_sendauth __P((long options, int fd, KTEXT ticket, char *service, char *inst, char *realm, u_long checksum, MSG_DAT *msg_data, CREDENTIALS *cred, Key_schedule schedule, struct sockaddr_in *laddr, struct sockaddr_in *faddr, char *version)); int krb_recvauth __P((long options, int fd, KTEXT ticket, char *service, char *instance, struct sockaddr_in *faddr, struct sockaddr_in *laddr, AUTH_DAT *kdata, char *filename, Key_schedule schedule, char *version)); int krb_net_write __P((int fd, char *buf, int len)); int krb_net_read __P((int fd, char *buf, int len)); /* libkrb - krb_realmofhost.3 */ char *krb_realmofhost __P((char *host)); char *krb_get_phost __P((char *alias)); int krb_get_krbhst __P((char *h, char *r, int n)); int krb_get_admhst __P((char *h, char *r, int n)); int krb_get_lrealm __P((char *r, int n)); /* libkrb - krb_set_tkt_string.3 */ void krb_set_tkt_string(char *val); /* libkrb - kuserok.3 */ int kuserok __P((AUTH_DAT *authdata, char *localuser)); /* libkrb - tf_util.3 */ int tf_init __P((char *tf_name, int rw)); int tf_get_pname __P((char *p)); int tf_get_pinst __P((char *inst)); int tf_get_cred __P((CREDENTIALS *c)); void tf_close __P((void)); /* Internal routines */ +int des_set_key_krb __P((des_cblock *inkey, des_key_schedule insched)); +void des_clear_key_krb __P((void)); int des_read __P((int fd, char *buf, int len)); int des_write __P((int fd, char *buf, int len)); int krb_get_tf_realm __P((char *ticket_file, char *realm)); int krb_get_in_tkt __P((char *user, char *instance, char *realm, char *service, char *sinstance, int life, int (*key_proc)(), int (*decrypt_proc)(), char *arg)); int krb_get_pw_in_tkt __P((char *user, char *instance, char *realm, char *service, char *sinstance, int life, char *password)); int krb_get_svc_in_tkt __P((char *user, char *instance, char *realm, char *service, char *sinstance, int life, char *srvtab)); int krb_get_tf_fullname __P((char *ticket_file, char *name, char *instance, char *realm)); int save_credentials __P((char *service, char *instance, char *realm, des_cblock session, int lifetime, int kvno, KTEXT ticket, long issue_date)); int read_service_key __P((char *service, char *instance, char *realm, int kvno, char *file, char *key)); int get_ad_tkt __P((char *service, char *sinstance, char *realm, int lifetime)); int send_to_kdc __P((KTEXT pkt, KTEXT rpkt, char *realm)); int krb_bind_local_addr __P((int s)); int krb_get_local_addr __P((struct sockaddr_in *returned_addr)); int krb_create_ticket __P((KTEXT tkt, unsigned char flags, char *pname, char *pinstance, char *prealm, long paddress, char *session, short life, long time_sec, char *sname, char *sinstance, C_Block key)); int decomp_ticket __P((KTEXT tkt, unsigned char *flags, char *pname, char *pinstance, char *prealm, unsigned long *paddress, des_cblock session, int *life, unsigned long *time_sec, char *sname, char *sinstance, des_cblock key, des_key_schedule key_s)); int create_ciph __P((KTEXT c, C_Block session, char *service, char *instance, char *realm, unsigned long life, int kvno, KTEXT tkt, unsigned long kdc_time, C_Block key)); int kname_parse __P((char *np, char *ip, char *rp, char *fullname)); int tf_save_cred __P((char *service, char *instance, char *realm, des_cblock session, int lifetime, int kvno, KTEXT ticket, long issue_date)); int getst(int fd, char *s, int n)); int pkt_clen __P((KTEXT pkt)); int in_tkt __P((char *pname, char *pinst)); int dest_tkt __P((void)); char *month_sname __P((int n)); void log __P(()); /* Actually VARARGS - markm */ void kset_logfile __P((char *filename)); void set_logfile __P((char *filename)); int k_isinst __P((char *s)); int k_isrealm __P((char *s)); int k_isname __P((char *s)); int k_gethostname __P((char *name, int namelen)); int kerb_init __P((void)); void kerb_fini __P((void)); int kerb_db_set_name __P((char *name)); int kerb_db_set_lockmode __P((int mode)); int kerb_db_create __P((char *db_name)); int kerb_db_iterate __P((int (*func)(), char *arg)); int kerb_db_rename __P((char *from, char *to)); long kerb_get_db_age __P((void)); char * stime __P((long *t)); long kdb_get_master_key __P((int prompt, C_Block master_key, Key_schedule master_key_sched)); long kdb_verify_master_key __P((C_Block master_key, Key_schedule master_key_sched, FILE *out)); void kdb_encrypt_key __P((C_Block in, C_Block out, C_Block master_key, Key_schedule master_key_sched, int e_d_flag)); extern int krb_ap_req_debug; extern int krb_debug; #endif KRB_DEFS diff --git a/eBones/lib/libkrb/des_rw.c b/eBones/lib/libkrb/des_rw.c index 5b339ee3238e..e7e867a20c78 100644 --- a/eBones/lib/libkrb/des_rw.c +++ b/eBones/lib/libkrb/des_rw.c @@ -1,262 +1,263 @@ /* * Copyright (c) 1994 Geoffrey M. Rehmet, Rhodes University * All rights reserved. * * This code is derived from a specification based on software * which forms part of the 4.4BSD-Lite distribution, which was developed * by the University of California and its contributors. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the entire comment, * including the above copyright notice, this list of conditions * and the following disclaimer, verbatim, at the beginning of * the source file. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by Geoffrey M. Rehmet * 4. Neither the name of Geoffrey M. Rehmet nor that of Rhodes University * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL GEOFFREY M. REHMET OR RHODES UNIVERSITY BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: des_rw.c,v 1.6 1995/07/18 16:38:17 mark Exp $ + * $Id: des_rw.c,v 1.4 1995/09/07 21:37:50 markm Exp $ */ /* * * NB: THESE ROUTINES WILL FAIL IF NON-BLOCKING I/O IS USED. * */ /* * Routines for reading and writing DES encrypted messages onto sockets. * (These routines will fail if non-blocking I/O is used.) * * When a message is written, its length is first transmitted as an int, * in network byte order. The encrypted message is then transmitted, * to a multiple of 8 bytes. Messages shorter than 8 bytes are right * justified into a buffer of length 8 bytes, and the remainder of the * buffer is filled with random garbage (before encryption): * * DDD -------->--+--------+ * | | * +--+--+--+--+--+--+--+--+ * |x |x |x |x |x |D |D |D | * +--+--+--+--+--+--+--+--+ * | garbage | data | * | | * +-----------------------+----> des_pcbc_encrypt() --> * * (Note that the length field sent before the actual message specifies * the number of data bytes, not the length of the entire padded message. * * When data is read, if the message received is longer than the number * of bytes requested, then the remaining bytes are stored until the * following call to des_read(). If the number of bytes received is * less then the number of bytes received, then only the number of bytes * actually received is returned. * * This interface corresponds with the original des_rw.c, except for the * bugs in des_read() in the original 4.4BSD version. (One bug is * normally not visible, due to undocumented behaviour of * des_pcbc_encrypt() in the original MIT libdes.) * * XXX Todo: * 1) Give better error returns on writes * 2) Improve error checking on reads * 3) Get rid of need for extern decl. of krb_net_read() * 4) Tidy garbage generation a bit * 5) Make the above comment more readable */ #ifdef CRYPT #ifdef KERBEROS #ifndef BUFFER_LEN #define BUFFER_LEN 10240 #endif #include #include #include #include #include #include #include #include static des_cblock des_key; static des_key_schedule key_schedule; /* * Buffer for storing extra data when more data is received, then was * actually requested in des_read(). */ static u_char des_buff[BUFFER_LEN]; static u_char buffer[BUFFER_LEN]; static unsigned stored = 0; static u_char *buff_ptr = buffer; /* * Set the encryption key for des_read() and des_write(). * inkey is the initial vector for the DES encryption, while insched is * the DES key, in unwrapped form. */ int -des_set_key(inkey, insched) +des_set_key_krb(inkey, insched) des_cblock *inkey; des_key_schedule insched; { bcopy(inkey, des_key, sizeof(des_cblock)); bcopy(insched, &key_schedule, sizeof(des_key_schedule)); return 0; } /* * Clear the key schedule, and initial vector, which were previously * stored in static vars by des_set_key(). */ -void des_clear_key() +void +des_clear_key_krb() { bzero(&des_key, sizeof(des_cblock)); bzero(&key_schedule, sizeof(des_key_schedule)); } int des_read(fd, buf, len) int fd; register char * buf; int len; { int msg_length; /* length of actual message data */ int pad_length; /* length of padded message */ int nread; /* number of bytes actually read */ int nreturned = 0; if(stored >= len) { bcopy(buff_ptr, buf, len); stored -= len; buff_ptr += len; return(len); } else { if (stored) { bcopy(buff_ptr, buf, stored); nreturned = stored; len -= stored; stored = 0; buff_ptr = buffer; } else { nreturned = 0; buff_ptr = buffer; } } nread = krb_net_read(fd, (char *)&msg_length, sizeof(msg_length)); if(nread != (int)(sizeof(msg_length))) return(0); msg_length = ntohl(msg_length); pad_length = roundup(msg_length, 8); nread = krb_net_read(fd, des_buff, pad_length); if(nread != pad_length) return(0); des_pcbc_encrypt((des_cblock*) des_buff, (des_cblock*) buff_ptr, (msg_length < 8 ? 8 : msg_length), key_schedule, (des_cblock*) &des_key, DES_DECRYPT); if(msg_length < 8) buff_ptr += (8 - msg_length); stored = msg_length; if(stored >= len) { bcopy(buff_ptr, buf, len); stored -= len; buff_ptr += len; nreturned += len; } else { bcopy(buff_ptr, buf, stored); nreturned += stored; stored = 0; } return(nreturned); } /* * Write a message onto a file descriptor (generally a socket), using * DES to encrypt the message. */ int des_write(fd, buf, len) int fd; char * buf; int len; { static int seeded = 0; char garbage[8]; long rnd; int pad_len; int write_len; int i; char *data; if(len < 8) { /* * Right justify the message in 8 bytes of random garbage. */ if(!seeded) { seeded = 1; srandom((unsigned)time(NULL)); } for(i = 0 ; i < 8 ; i+= sizeof(long)) { rnd = random(); bcopy(&rnd, garbage+i, (i <= (8 - sizeof(long)))?sizeof(long):(8-i)); } bcopy(buf, garbage + 8 - len, len); data = garbage; pad_len = 8; } else { data = buf; pad_len = roundup(len, 8); } des_pcbc_encrypt((des_cblock*) data, (des_cblock*) des_buff, (len < 8)?8:len, key_schedule, (des_cblock*) &des_key, DES_ENCRYPT); write_len = htonl(len); if(write(fd, &write_len, sizeof(write_len)) != sizeof(write_len)) return(-1); if(write(fd, des_buff, pad_len) != pad_len) return(-1); return(len); } #endif /* KERBEROS */ #endif /* CRYPT */ diff --git a/eBones/libexec/registerd/registerd.c b/eBones/libexec/registerd/registerd.c index 36c7a742ac46..7c749240ae1b 100644 --- a/eBones/libexec/registerd/registerd.c +++ b/eBones/libexec/registerd/registerd.c @@ -1,355 +1,355 @@ /*- * Copyright (c) 1990, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #if 0 #ifndef lint static char copyright[] = "@(#) Copyright (c) 1990, 1993\n\ The Regents of the University of California. All rights reserved.\n"; static char sccsid[] = "@(#)registerd.c 8.1 (Berkeley) 6/1/93"; #endif /* not lint */ #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "register_proto.h" #include "pathnames.h" #define KBUFSIZ (sizeof(struct keyfile_data)) #define RCRYPT 0x00 #define CLEAR 0x01 char *progname, msgbuf[BUFSIZ]; void cleanup(void); void die(int); void send_packet(char *msg, int flag); int net_get_principal(char *pname, char *iname, C_Block *keyp); int do_append(struct sockaddr_in *sinp); void main(argc, argv) int argc; char **argv; { static Key_schedule schedule; static struct rlimit rl = { 0, 0 }; struct keyfile_data *kfile; u_char code; int kf, retval, sval; struct sockaddr_in sin; char keyfile[MAXPATHLEN], keybuf[KBUFSIZ]; progname = argv[0]; /* for the library routines */ openlog("registerd", LOG_PID, LOG_AUTH); signal(SIGHUP, SIG_IGN); signal(SIGINT, SIG_IGN); signal(SIGTSTP, SIG_IGN); signal(SIGPIPE, die); if (setrlimit(RLIMIT_CORE, &rl) < 0) { syslog(LOG_ERR, "setrlimit: %m"); exit(1); } /* figure out who we are talking to */ sval = sizeof(sin); if (getpeername(0, (struct sockaddr *) &sin, &sval) < 0) { syslog(LOG_ERR, "getpeername: %m"); exit(1); } /* get encryption key */ (void) sprintf(keyfile, "%s/%s%s", SERVER_KEYDIR, KEYFILE_BASE, inet_ntoa(sin.sin_addr)); if ((kf = open(keyfile, O_RDONLY)) < 0) { syslog(LOG_ERR, "error opening Kerberos update keyfile (%s): %m", keyfile); sprintf(msgbuf, "couldn't open session keyfile for your host"); send_packet(msgbuf, CLEAR); exit(1); } if (read(kf, keybuf, KBUFSIZ) != KBUFSIZ) { syslog(LOG_ERR, "wrong read size of Kerberos update keyfile"); sprintf(msgbuf, "couldn't read session key from your host's keyfile"); send_packet(msgbuf, CLEAR); exit(1); } sprintf(msgbuf, GOTKEY_MSG); send_packet(msgbuf, CLEAR); kfile = (struct keyfile_data *) keybuf; key_sched((C_Block *)kfile->kf_key, schedule); - des_set_key((des_cblock *)kfile->kf_key, schedule); + des_set_key_krb((des_cblock *)kfile->kf_key, schedule); /* read the command code byte */ if (des_read(0, &code, 1) == 1) { switch(code) { case APPEND_DB: retval = do_append(&sin); break; case ABORT: cleanup(); close(0); exit(0); default: retval = KFAILURE; syslog(LOG_NOTICE, "invalid command code on db update (0x%x)", code); } } else { retval = KFAILURE; syslog(LOG_ERR, "couldn't read command code on Kerberos update"); } code = (u_char) retval; if (code != KSUCCESS) { sprintf(msgbuf, "%s", krb_err_txt[code]); send_packet(msgbuf, RCRYPT); } else { sprintf(msgbuf, "Update complete."); send_packet(msgbuf, RCRYPT); } cleanup(); close(0); exit(0); } #define MAX_PRINCIPAL 10 static Principal principal_data[MAX_PRINCIPAL]; static C_Block key, master_key; static Key_schedule master_key_schedule; int do_append(sinp) struct sockaddr_in *sinp; { Principal default_princ; char input_name[ANAME_SZ]; char input_instance[INST_SZ]; int j,n, more; long mkeyversion; /* get master key from MKEYFILE */ if (kdb_get_master_key(0, master_key, master_key_schedule) != 0) { syslog(LOG_ERR, "couldn't get master key"); return(KFAILURE); } mkeyversion = kdb_verify_master_key(master_key, master_key_schedule, NULL); if (mkeyversion < 0) { syslog(LOG_ERR, "couldn't validate master key"); return(KFAILURE); } n = kerb_get_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST, &default_princ, 1, &more); if (n != 1) { syslog(LOG_ERR, "couldn't get default principal"); return(KFAILURE); } /* * get principal name, instance, and password from network. * convert password to key and store it */ if (net_get_principal(input_name, input_instance, (C_Block *)key) != 0) { return(KFAILURE); } j = kerb_get_principal( input_name, input_instance, principal_data, MAX_PRINCIPAL, &more ); if (j != 0) { /* already in database, no update */ syslog(LOG_NOTICE, "attempt to add duplicate entry for principal %s.%s", input_name, input_instance); return(KDC_PR_N_UNIQUE); } /* * set up principal's name, instance */ strcpy(principal_data[0].name, input_name); strcpy(principal_data[0].instance, input_instance); principal_data[0].old = NULL; /* and the expiration date and version #s */ principal_data[0].exp_date = default_princ.exp_date; strcpy(principal_data[0].exp_date_txt, default_princ.exp_date_txt); principal_data[0].max_life = default_princ.max_life; principal_data[0].attributes = default_princ.attributes; principal_data[0].kdc_key_ver = default_princ.kdc_key_ver; /* and the key */ kdb_encrypt_key(key, key, master_key, master_key_schedule, ENCRYPT); bcopy(key, &principal_data[0].key_low, 4); bcopy(((long *) key) + 1, &principal_data[0].key_high,4); bzero(key, sizeof(key)); principal_data[0].key_version = 1; /* 1st entry */ /* and write it to the database */ if (kerb_put_principal(&principal_data[0], 1)) { syslog(LOG_INFO, "Kerberos update failure: put_principal failed"); return(KFAILURE); } syslog(LOG_NOTICE, "Kerberos update: wrote new record for %s.%s from %s", principal_data[0].name, principal_data[0].instance, inet_ntoa(sinp->sin_addr) ); return(KSUCCESS); } void send_packet(msg,flag) char *msg; int flag; { int len = strlen(msg); msg[len++] = '\n'; msg[len] = '\0'; if (len > sizeof(msgbuf)) { syslog(LOG_ERR, "send_packet: invalid msg size"); return; } if (flag == RCRYPT) { if (des_write(0, msg, len) != len) syslog(LOG_ERR, "couldn't write reply message"); } else if (flag == CLEAR) { if (write(0, msg, len) != len) syslog(LOG_ERR, "couldn't write reply message"); } else syslog(LOG_ERR, "send_packet: invalid flag (%d)", flag); } int net_get_principal(pname, iname, keyp) char *pname, *iname; C_Block *keyp; { int cc; static char password[255]; cc = des_read(0, pname, ANAME_SZ); if (cc != ANAME_SZ) { syslog(LOG_ERR, "couldn't get principal name"); return(-1); } cc = des_read(0, iname, INST_SZ); if (cc != INST_SZ) { syslog(LOG_ERR, "couldn't get instance name"); return(-1); } cc = des_read(0, password, 255); if (cc != 255) { syslog(LOG_ERR, "couldn't get password"); bzero(password, 255); return(-1); } string_to_key(password, (des_cblock *)*keyp); bzero(password, 255); return(0); } void cleanup() { bzero(master_key, sizeof(master_key)); bzero(key, sizeof(key)); bzero(master_key_schedule, sizeof(master_key_schedule)); } void die(sig) int sig; { syslog(LOG_ERR, "remote end died (SIGPIPE)"); cleanup(); exit(1); } diff --git a/eBones/usr.bin/register/register.c b/eBones/usr.bin/register/register.c index 7050cca1284b..d38dcc456b08 100644 --- a/eBones/usr.bin/register/register.c +++ b/eBones/usr.bin/register/register.c @@ -1,316 +1,316 @@ /*- * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #if 0 #ifndef lint static char copyright[] = "@(#) Copyright (c) 1989, 1993\n\ The Regents of the University of California. All rights reserved.\n"; static char sccsid[] = "@(#)register.c 8.1 (Berkeley) 6/1/93"; #endif /* not lint */ #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "pathnames.h" #include "register_proto.h" #define SERVICE "krbupdate" /* service to add to KDC's database */ #define PROTOCOL "tcp" void die(int); void type_info(void); void setup_key(struct sockaddr_in local); void cleanup(void); int get_user_info(void); char realm[REALM_SZ]; char krbhst[MAX_HSTNM]; static char pname[ANAME_SZ]; static char iname[INST_SZ]; static char password[_PASSWORD_LEN]; void main(argc, argv) int argc; char **argv; { struct servent *se; struct hostent *host; struct sockaddr_in sin, local; int rval; int sock, llen; u_char code; static struct rlimit rl = { 0, 0 }; signal(SIGPIPE, die); if (setrlimit(RLIMIT_CORE, &rl) < 0) { perror("rlimit"); exit(1); } if ((se = getservbyname(SERVICE, PROTOCOL)) == NULL) { fprintf(stderr, "couldn't find entry for service %s\n", SERVICE); exit(1); } if ((rval = krb_get_lrealm(realm,0)) != KSUCCESS) { fprintf(stderr, "couldn't get local Kerberos realm: %s\n", krb_err_txt[rval]); exit(1); } if ((rval = krb_get_krbhst(krbhst, realm, 1)) != KSUCCESS) { fprintf(stderr, "couldn't get Kerberos host: %s\n", krb_err_txt[rval]); exit(1); } if ((host = gethostbyname(krbhst)) == NULL) { fprintf(stderr, "couldn't get host entry for host %s\n", krbhst); exit(1); } sin.sin_family = host->h_addrtype; (void)bcopy(host->h_addr, (char *) &sin.sin_addr, host->h_length); sin.sin_port = se->s_port; if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("socket"); exit(1); } if (connect(sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) { perror("connect"); (void)close(sock); exit(1); } llen = sizeof(local); if (getsockname(sock, (struct sockaddr *) &local, &llen) < 0) { perror("getsockname"); (void)close(sock); exit(1); } setup_key(local); type_info(); if (!get_user_info()) { code = ABORT; (void)des_write(sock, &code, 1); cleanup(); exit(1); } code = APPEND_DB; if (des_write(sock, &code, 1) != 1) { perror("write 1"); cleanup(); exit(1); } if (des_write(sock, pname, ANAME_SZ) != ANAME_SZ) { perror("write principal name"); cleanup(); exit(1); } if (des_write(sock, iname, INST_SZ) != INST_SZ) { perror("write instance name"); cleanup(); exit(1); } if (des_write(sock, password, 255) != 255) { perror("write password"); cleanup(); exit(1); } /* get return message */ { int cc; char msgbuf[BUFSIZ]; cc = read(sock, msgbuf, BUFSIZ); if (cc <= 0) { fprintf(stderr, "protocol error during key verification\n"); cleanup(); exit(1); } if (strncmp(msgbuf, GOTKEY_MSG, 6) != 0) { fprintf(stderr, "%s: %s", krbhst, msgbuf); cleanup(); exit(1); } cc = des_read(sock, msgbuf, BUFSIZ); if (cc <= 0) { fprintf(stderr, "protocol error during read\n"); cleanup(); exit(1); } else { printf("%s: %s", krbhst, msgbuf); } } cleanup(); close(sock); } void cleanup() { bzero(password, 255); } extern char *crypt(); extern char *getpass(); int get_user_info() { int uid = getuid(); int valid = 0, i; struct passwd *pw; char *pas, *namep; /* NB: we must run setuid-root to get at the real pw file */ if ((pw = getpwuid(uid)) == NULL) { fprintf(stderr, "Who are you?\n"); return(0); } (void)seteuid(uid); (void)strcpy(pname, pw->pw_name); /* principal name */ for (i = 1; i < 3; i++) { pas = getpass("login password:"); namep = crypt(pas, pw->pw_passwd); if (strcmp(namep, pw->pw_passwd)) { fprintf(stderr, "Password incorrect\n"); continue; } else { valid = 1; break; } } if (!valid) return(0); pas = getpass("Kerberos password (may be the same):"); while (*pas == NULL) { printf(" password not allowed\n"); pas = getpass("Kerberos password (may be the same):"); } (void)strcpy(password, pas); /* password */ pas = getpass("Retype Kerberos password:"); if (strcmp(password, pas)) { fprintf(stderr, "Password mismatch -- aborted\n"); return(0); } iname[0] = NULL; /* null instance name */ return(1); } void setup_key(local) struct sockaddr_in local; { static struct keyfile_data kdata; static Key_schedule schedule; int fd; char namebuf[MAXPATHLEN]; (void) sprintf(namebuf, "%s%s", CLIENT_KEYFILE, inet_ntoa(local.sin_addr)); fd = open(namebuf, O_RDONLY); if (fd < 0) { fprintf(stderr, "couldn't open key file %s for local host: ", namebuf); perror(""); exit(1); } if (read(fd, (char *)&kdata, sizeof(kdata)) != sizeof(kdata)) { fprintf(stderr,"size error reading key file for local host %s\n", inet_ntoa(local.sin_addr)); exit(1); } key_sched((des_cblock *)kdata.kf_key, schedule); - des_set_key((des_cblock *)kdata.kf_key, schedule); + des_set_key_krb((des_cblock *)kdata.kf_key, schedule); return; } void type_info() { printf("Kerberos user registration (realm %s)\n\n", realm); printf("Please enter your login password followed by your new Kerberos password.\n"); printf("The Kerberos password you enter now will be used in the future\n"); printf("as your Kerberos password for all machines in the %s realm.\n", realm); printf("You will only be allowed to perform this operation once, although you may run\n"); printf("the %s program from now on to change your Kerberos password.\n\n", _PATH_KPASSWD); } void die(sig) int sig; { fprintf(stderr, "\nServer no longer listening\n"); fflush(stderr); cleanup(); exit(1); }