[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_2-19-g547bb3
|
From: |
Mats Erik Andersson |
|
Subject: |
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_2-19-g547bb31 |
|
Date: |
Sat, 26 Apr 2014 17:04:49 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".
The branch, master has been updated
via 547bb31ef5a971fcd310b741a20cbe1b0959770a (commit)
from df4d445682e20b0c0b111eadc88b6c11599a0357 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=547bb31ef5a971fcd310b741a20cbe1b0959770a
commit 547bb31ef5a971fcd310b741a20cbe1b0959770a
Author: Mats Erik Andersson <address@hidden>
Date: Sat Apr 26 18:56:19 2014 +0200
libinetutils: Skeletal preparations for Heimdal.
Lay the foundation for separate authentication code to be
used by the r-commands when built with standard Kerberos5.
diff --git a/ChangeLog b/ChangeLog
index 4918c45..d0b8bd4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,25 @@
+2014-04-26 Mats Erik Andersson <address@hidden>
+
+ libinetutils: Skeletal preparations for Heimdal.
+
+ * configure.ac <krb5>: Disable rlogind and rshd.
+ (KERBEROS_VERSION): Publish it using AC_SUBST.
+
+ * libinetutils/kerberos5.c: New file, mostly copied
+ in from `shishi.c' as a guide.
+
+ * libinetutils/Makefile.am (libinetutils_a_SOURCES):
+ Remove `des_rw.c', and add `kerberos5.c'.
+
+ * libinetutils/kcmd.c: Remove support for KRB4, replacing
+ all macros KERBEROS by KRB5.
+ [KRB5]: Include <krb5.h> and "kerberos5_def.h".
+ [KRB5] (kcmd): Update declarations, and make small,
+ obvious adaptions to Kerberos5.
+ (kcmd): Refactor steps common to SHISHI and KRB5, such as
+ protocol exchange and address resolution. They differ at
+ the end, calling shishi_auth() or kerberos_auth().
+
2014-04-25 Mats Erik Andersson <address@hidden>
Begin support for Heimdal's Kerberos.
diff --git a/configure.ac b/configure.ac
index 7ad7690..3915b8e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -356,11 +356,14 @@ if test "$enable_encryption" = yes \
krb5/asn1.h krb5/crc-32.h krb5/ext-proto.h \
krb5/krb5.h krb5/los-proto.h])
CPPFLAGS=$save_CPPFLAGS
- # We have no support for krcmd() with Kerberos5.
+ # We have limited support for krcmd() with Kerberos5.
# Encryption must be sorted out as a first step.
IU_DISABLE_TARGET(rcp)
IU_DISABLE_TARGET(rlogin)
IU_DISABLE_TARGET(rsh)
+ # Likewise, we need to migrate away from KRB4 and des_*()
+ IU_DISABLE_TARGET(rlogind)
+ IU_DISABLE_TARGET(rshd)
fi
;;
*)
@@ -390,6 +393,7 @@ if test "$enable_encryption" = yes \
fi
AC_SUBST(LIBAUTH)
AC_SUBST(INCAUTH)
+AC_SUBST(KERBEROS_VERSION)
# Define CPP macros that enable auth/encrypt code
if test ".$LIBAUTH" != .; then
diff --git a/libinetutils/Makefile.am b/libinetutils/Makefile.am
index 87922f5..b256545 100644
--- a/libinetutils/Makefile.am
+++ b/libinetutils/Makefile.am
@@ -37,9 +37,9 @@ libinetutils_a_SOURCES = \
cleansess.c\
daemon.c\
defauthors.c\
- des_rw.c\
if_index.c \
kcmd.c\
+ kerberos5.c \
krcmd.c\
localhost.c\
logwtmpko.c\
diff --git a/libinetutils/kcmd.c b/libinetutils/kcmd.c
index ac8afaa..c7cc639 100644
--- a/libinetutils/kcmd.c
+++ b/libinetutils/kcmd.c
@@ -49,7 +49,7 @@
#include <config.h>
-#if defined KERBEROS || defined SHISHI
+#if defined KRB5 || defined SHISHI
# include <sys/param.h>
# include <sys/file.h>
@@ -60,17 +60,15 @@
# include <netinet/in.h>
# include <arpa/inet.h>
-# if defined KERBEROS
-# ifdef HAVE_KERBEROSIV_DES_H
-# include <kerberosIV/des.h>
+# if defined KRB5
+# ifdef HAVE_KRB5_H
+# include <krb5.h>
# endif
-# ifdef HAVE_KERBEROSIV_KRB_H
-# include <kerberosIV/krb.h>
-# endif
-# elif defined(SHISHI)
+# include "kerberos5_def.h"
+# elif defined(SHISHI) /* !KRB5 */
# include <shishi.h>
# include "shishi_def.h"
-# endif
+# endif /* SHISHI && !KRB5 */
# include <ctype.h>
# include <errno.h>
@@ -90,20 +88,21 @@
int getport (int *, int);
-# if defined KERBEROS
+# if defined KRB5
int
-kcmd (int *sock, char **ahost, unsigned short rport, char *locuser,
- char *remuser, char *cmd, int *fd2p, KTEXT ticket,
- char *service, const char *realm,
- CREDENTIALS * cred, Key_schedule schedule, MSG_DAT * msg_data,
- struct sockaddr_in *laddr, struct sockaddr_in *faddr, long authopts)
-# elif defined(SHISHI)
+kcmd (krb5_context *ctx, int *sock, char **ahost, unsigned short rport,
+ char *locuser, char **remuser, char *cmd, int *fd2p,
+ char *service, const char *realm, krb5_keyblock **key,
+ struct sockaddr_in *laddr, struct sockaddr_in *faddr,
+ long authopts)
+# elif defined(SHISHI) /* !KRB5 */
int
-kcmd (Shishi ** h, int *sock, char **ahost, unsigned short rport, char
*locuser,
- char **remuser, char *cmd, int *fd2p, char *service, const char *realm,
- Shishi_key ** key, struct sockaddr_storage *laddr,
- struct sockaddr_storage *faddr, long authopts, int af)
-# endif
+kcmd (Shishi ** h, int *sock, char **ahost, unsigned short rport,
+ char *locuser, char **remuser, char *cmd, int *fd2p,
+ char *service, const char *realm, Shishi_key ** key,
+ struct sockaddr_storage *laddr, struct sockaddr_storage *faddr,
+ long authopts, int af)
+# endif /* SHISHI && !KRB5 */
{
int s, timo = 1, pid;
# ifdef HAVE_SIGACTION
@@ -130,10 +129,6 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short
rport, char *locuser,
char *host_save, *host;
int status;
-# if defined SHISHI
- int zero = 0;
-# endif
-
pid = getpid ();
/* Extract Kerberos instance name. */
@@ -145,7 +140,11 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short
rport, char *locuser,
# if HAVE_DECL_GETADDRINFO
memset (&hints, 0, sizeof (hints));
+# ifdef KRB5
+ hints.ai_family = AF_INET;
+# else /* SHISHI && !KRB5 */
hints.ai_family = af;
+# endif
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_CANONNAME;
snprintf (portstr, sizeof (portstr), "%hu", ntohs (rport));
@@ -212,12 +211,6 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short
rport, char *locuser,
*ahost = p;
}
-# ifdef KERBEROS
- /* If realm is null, look up from table */
- if (realm == NULL || realm[0] == '\0')
- realm = krb_realmofhost (host_save);
-# endif /* KERBEROS */
-
# ifdef HAVE_SIGACTION
sigemptyset (&sigs);
sigaddset (&sigs, SIGURG);
@@ -350,7 +343,7 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned short
rport, char *locuser,
# if HAVE_DECL_GETADDRINFO
if (res)
freeaddrinfo (res);
-#endif
+# endif
lport--;
if (fd2p == 0)
@@ -411,35 +404,15 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned
short rport, char *locuser,
/* write(s, locuser, strlen(locuser)+1); */
/* set up the needed stuff for mutual auth, but only if necessary */
-# ifdef KERBEROS
- if (authopts & KOPT_DO_MUTUAL)
- {
- int sin_len;
-
- *faddr = sin;
-
- sin_len = sizeof (*laddr);
- if (getsockname (s, (struct sockaddr *) laddr, &sin_len) < 0)
- {
- perror ("kcmd(getsockname)");
- status = -1;
- goto bad2;
- }
- }
-
- if ((status = krb_sendauth (authopts, s, ticket, service, *ahost,
- realm, (unsigned long) getpid (), msg_data,
- cred, schedule,
- laddr, faddr, "KCMDV0.1")) != KSUCCESS)
- goto bad2;
-
- write (s, remuser, strlen (remuser) + 1);
-# elif defined(SHISHI)
+# ifdef KRB5
+ if (authopts & AP_OPTS_MUTUAL_REQUIRED)
+# elif defined(SHISHI) /* !KRB5 */
if (authopts & SHISHI_APOPTIONS_MUTUAL_REQUIRED)
+# endif
{
socklen_t sin_len;
- *faddr = sin;
+ memcpy (faddr, &sin, sizeof(*faddr));
sin_len = sizeof (*laddr);
if (getsockname (s, (struct sockaddr *) laddr, &sin_len) < 0)
@@ -452,25 +425,37 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned
short rport, char *locuser,
(void) service; /* Silence warning. XXX: Implicit use? */
- if ((status =
- shishi_auth (h, 0, remuser, *ahost, s, cmd, rport, key,
- realm)) != SHISHI_OK)
+# ifdef KRB5
+ status = kerberos_auth (ctx, 0, remuser, *ahost, s,
+ cmd, rport, key, realm);
+ if (status != 0)
goto bad2;
+# elif defined(SHISHI) /* !KRB5 */
+ status = shishi_auth (h, 0, remuser, *ahost, s,
+ cmd, rport, key, realm);
+ if (status != SHISHI_OK)
+ goto bad2;
+
+# endif /* SHISHI && !KRB5 */
+
write (s, *remuser, strlen (*remuser) + 1);
-# endif /* SHISHI */
write (s, cmd, strlen (cmd) + 1);
-# ifdef SHISHI
if (locuser && locuser[0])
write (s, locuser, strlen (locuser) + 1);
else
write (s, *remuser, strlen (*remuser) + 1);
- write (s, &zero, sizeof (int)); /* XXX: not protocol */
-# endif
- if ((rc = read (s, &c, 1)) != 1)
+ {
+ int zero = 0; /* No forwarding of credentials. */
+
+ write (s, &zero, sizeof (zero));
+ }
+
+ rc = read (s, &c, sizeof (c));
+ if (rc != sizeof (c))
{
if (rc == -1)
perror (*ahost);
@@ -497,11 +482,11 @@ kcmd (Shishi ** h, int *sock, char **ahost, unsigned
short rport, char *locuser,
sigsetmask (oldmask);
# endif /* !HAVE_SIGACTION */
*sock = s;
-# if defined KERBEROS
- return (KSUCCESS);
-# elif defined(SHISHI)
+# if defined KRB5
+ return (0);
+# elif defined(SHISHI) /* !KRB5 */
return (SHISHI_OK);
-# endif
+# endif /* SHISHI && !KRB5 */
bad2:
if (lport)
close (*fd2p);
@@ -569,4 +554,4 @@ getport (int *alport, int af)
}
}
-#endif /* KERBEROS || SHISHI */
+#endif /* KRB5 || SHISHI */
diff --git a/libinetutils/kerberos5.c b/libinetutils/kerberos5.c
new file mode 100644
index 0000000..41a657e
--- /dev/null
+++ b/libinetutils/kerberos5.c
@@ -0,0 +1,483 @@
+/* shishi.c -- functions to use Heimdal's and MIT's Kerberos V
+ Copyright (C) 2014 Free Software Foundation, Inc.
+
+ This file is part of GNU Inetutils.
+
+ GNU Inetutils is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or (at
+ your option) any later version.
+
+ GNU Inetutils is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see `http://www.gnu.org/licenses/'. */
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#ifdef KRB5
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include <unistd.h>
+
+# include <krb5.h>
+# include "kerberos5_def.h"
+
+/* authentication, client side */
+int
+kerberos_auth (krb5_context *ctx, int verbose, char **cname,
+ const char *sname, int sock, char *cmd,
+ unsigned short port, krb5_keyblock **key,
+ const char *realm)
+{
+ int rc;
+ char *out, *p;
+ size_t outlen;
+ int krb5len, msglen;
+ char *tmpserver;
+ char auth;
+ /* KERBEROS 5 SENDAUTH MESSAGE */
+ char krb5sendauth[] = "KRB5_SENDAUTH_V1.0";
+ /* PROTOCOL VERSION */
+ char krb5sendclient[] = "KCMDV0.2";
+
+ /* to store error msg sent by server */
+ char errormsg[101];
+ char cksumdata[101];
+
+ krb5_data cksum_data;
+ krb5_principal server;
+ krb5_auth_context auth_ctx = NULL;
+ krb5_flags authopts = AP_OPTS_USE_SUBKEY;
+
+ if (krb5_sname_to_principal (*ctx, sname, "host",
+ KRB5_NT_SRV_HST, &server))
+ return (-1);
+
+ /* If realm is null, look up from table */
+ if (realm == NULL || realm[0] == '\0')
+# ifdef KRB5_GENERAL__ /* MIT */
+ realm = (char *) krb5_princ_realm (*ctx, server);
+# else /* Heimdal */
+ realm = krb5_principal_get_realm (*ctx, server);
+# endif
+
+ /* size of KRB5 auth message */
+ krb5len = strlen (krb5sendauth) + 1;
+ msglen = htonl (krb5len);
+ write (sock, &msglen, sizeof (int));
+ /* KRB5 authentication message */
+ write (sock, krb5sendauth, krb5len);
+ /* size of client message */
+ krb5len = strlen (krb5sendclient) + 1;
+ msglen = htonl (krb5len);
+ write (sock, &msglen, sizeof (int));
+ /* KRB5 client message */
+ write (sock, krb5sendclient, krb5len);
+
+ /* get answer from server 0 = ok, 1 = error with message */
+ read (sock, &auth, 1);
+ if (auth)
+ {
+ ssize_t n;
+
+ errormsg[0] = '\0';
+ n = read (sock, errormsg, sizeof (errormsg) - 1);
+
+ if (n >= 0 && n < (ssize_t) sizeof (errormsg))
+ errormsg[n] = '\0';
+ else
+ errormsg[sizeof (errormsg) -1] = '\0';
+
+ fprintf (stderr, "Error during server authentication : %s\n", errormsg);
+ return -1;
+ }
+
+ if (verbose)
+ {
+ printf ("Client: %s\n", *cname);
+ printf ("Server: %s\n", sname);
+ }
+
+ /* Get a ticket for the server. */
+
+ tmpserver = malloc (strlen (SERVICE) + strlen (sname) + 2);
+ if (!tmpserver)
+ {
+ perror ("kerberos_auth()");
+ return -1;
+ }
+
+ p = strchr (sname, '/');
+ if (p && (p != sname))
+ strcpy (tmpserver, sname); /* Non-empty prefix. */
+ else
+ sprintf (tmpserver, "%s/%s", SERVICE, sname + (p ? 1 : 0));
+
+ /* Retrieve realm assigned to this server as per configuration,
+ * unless an explicit domain was passed in the call.
+ */
+ if (!realm)
+ {
+ if (!p)
+ p = (char *) sname;
+ else if (*p == '/')
+ ++p;
+ }
+
+ /* checksum = port: terminal name */
+
+ cksum_data.length = snprintf (cksumdata, sizeof (cksumdata) - 1,
+ "%u:%s%s", ntohs (port), cmd, *cname);
+
+ if (strncmp (cmd, "-x ", 3) == 0)
+ authopts |= AP_OPTS_MUTUAL_REQUIRED;
+
+ cksum_data.data = cksumdata;
+
+ rc = krb5_sendauth (*ctx, &auth_ctx, &sock, "KCMDV0.2",
+ NULL, server, authopts, &cksum_data,
+ NULL, NULL, NULL, NULL, NULL);
+
+ if (rc == KRB5_SENDAUTH_REJECTED)
+ {
+ fprintf (stderr, "server rejected authentication");
+ return rc;
+ }
+
+ krb5_free_principal (*ctx, server);
+# if 0
+ krb5_data_free (&cksum_data);
+# endif
+
+ rc = krb5_auth_con_getlocalsubkey (*ctx, auth_ctx, key);
+
+ /* send size of AP-REQ to the server */
+
+ msglen = outlen;
+ msglen = htonl (msglen);
+ write (sock, (char *) &msglen, sizeof (int));
+
+ /* send AP-REQ to the server */
+
+ write (sock, out, outlen);
+
+ /* read response from server - what ? */
+
+ read (sock, &rc, sizeof (rc));
+ if (rc)
+ return -1 /* SHISHI_APREP_VERIFY_FAILED */;
+
+ /* For mutual authentication, wait for server reply. */
+
+ /* We are now authenticated. */
+ if (verbose)
+ printf ("User authenticated.\n");
+
+ return 0;
+
+}
+
+/* authentication, server side */
+int
+get_auth (int infd, krb5_context *ctx, krb5_auth_context *actx,
+ krb5_keyblock **key, const char **err_msg,
+ int *protoversion, int *cksumtype,
+ char **cksum, size_t *cksumlen, char *srvname)
+{
+ char *out;
+ size_t outlen;
+ char *buf;
+ int buflen;
+ int len;
+ int rc;
+ int error;
+ /* KERBEROS 5 SENDAUTH MESSAGE */
+ char krb5sendauth[] = "KRB5_SENDAUTH_V1.0";
+ /* PROTOCOL VERSION */
+ char krb5kcmd1[] = "KCMDV0.1";
+ char krb5kcmd2[] = "KCMDV0.2";
+ char *servername, *server = NULL, *realm = NULL;
+
+ *err_msg = NULL;
+ /* Get key for the server. */
+
+# if 0
+ /*
+ * XXX: Taken straight from the version for libshishi.
+ * XXX: No adaptions yet.
+ */
+ rc = shishi_init_server (handle);
+ if (rc != SHISHI_OK)
+ return rc;
+
+ if (srvname && *srvname)
+ {
+ rc = shishi_parse_name (*handle, srvname, &server, &realm);
+ if (rc != SHISHI_OK)
+ {
+ *err_msg = shishi_strerror (rc);
+ return rc;
+ }
+ }
+
+ if (server && *server)
+ {
+ char *p;
+
+ servername = malloc (sizeof (SERVICE) + strlen (server) + 2);
+ if (!servername)
+ {
+ *err_msg = "Not enough memory";
+ return SHISHI_TOO_SMALL_BUFFER;
+ }
+
+ p = strchr (server, '/');
+ if (p && (p != server))
+ sprintf (servername, "%s", server); /* Non-empty prefix. */
+ else
+ sprintf (servername, "%s/%s", SERVICE,
+ server + (p ? 1 : 0)); /* Remove initial slash. */
+ }
+ else
+ servername = shishi_server_for_local_service (*handle, SERVICE);
+
+ if (realm && *realm)
+ shishi_realm_default_set (*handle, realm);
+
+ free (server);
+ free (realm);
+
+ /* Enable use of `~/.k5login'. */
+ if (shishi_check_version ("1.0.2")) /* Faulty in version 1.0.1. */
+ {
+ rc = shishi_cfg_authorizationtype_set (*handle, "k5login basic");
+ if (rc != SHISHI_OK)
+ {
+ *err_msg = shishi_error (*handle);
+ return rc;
+ }
+ }
+
+ key = shishi_hostkeys_for_serverrealm (*handle, servername,
+ shishi_realm_default (*handle));
+ free (servername);
+ if (!key)
+ {
+ *err_msg = shishi_error (*handle);
+ return SHISHI_INVALID_KEY;
+ }
+
+ /* Read Kerberos 5 sendauth message */
+ rc = read (infd, &len, sizeof (int));
+ if (rc != sizeof (int))
+ {
+ *err_msg = "Error reading message size";
+ return SHISHI_IO_ERROR;
+ }
+
+ buflen = ntohl (len);
+ buf = malloc (buflen);
+ if (!buf)
+ {
+ *err_msg = "Not enough memory";
+ return SHISHI_TOO_SMALL_BUFFER;
+ }
+
+ rc = read (infd, buf, buflen);
+ if (rc != buflen)
+ {
+ *err_msg = "Error reading authentication message";
+ return SHISHI_IO_ERROR;
+ }
+
+ len = strlen (krb5sendauth);
+ rc = strncmp (buf, krb5sendauth, buflen >= len ? len : buflen);
+ if (rc)
+ {
+ *err_msg = "Invalid authentication type";
+ /* Authentication type is wrong. */
+ write (infd, "\001", 1);
+ return SHISHI_VERIFY_FAILED;
+ }
+
+ free (buf);
+
+ /* Read protocol version */
+ rc = read (infd, &len, sizeof (int));
+ if (rc != sizeof (int))
+ {
+ *err_msg = "Error reading protocol message size";
+ return SHISHI_IO_ERROR;
+ }
+ buflen = ntohl (len);
+ buf = malloc (buflen);
+ if (!buf)
+ {
+ *err_msg = "Not enough memory";
+ return SHISHI_TOO_SMALL_BUFFER;
+ }
+
+ rc = read (infd, buf, buflen);
+ if (rc != buflen)
+ {
+ *err_msg = "Error reading protocol message";
+ return SHISHI_IO_ERROR;
+ }
+
+ len = strlen (krb5kcmd1);
+ rc = strncmp (buf, krb5kcmd1, buflen >= len ? len : buflen);
+ if (rc)
+ {
+ len = strlen (krb5kcmd2);
+ rc = strncmp (buf, krb5kcmd2, buflen >= len ? len : buflen);
+ if (rc)
+ {
+ *err_msg = "Protocol version not supported";
+ /* Protocol version is wrong. */
+ write (infd, "\002", 1);
+ return SHISHI_VERIFY_FAILED;
+ }
+ *protoversion = 2;
+ }
+ else
+ *protoversion = 1;
+
+ free (buf);
+
+ /* Authentication type is ok */
+
+ write (infd, "\0", 1);
+
+ /* Read Authentication request from client */
+
+ rc = read (infd, &len, sizeof (int));
+ if (rc != sizeof (int))
+ {
+ *err_msg = "Error reading authentication request size";
+ return SHISHI_IO_ERROR;
+ }
+
+ buflen = ntohl (len);
+ buf = malloc (buflen);
+ if (!buf)
+ {
+ *err_msg = "Not enough memory";
+ return SHISHI_TOO_SMALL_BUFFER;
+ }
+
+ rc = read (infd, buf, buflen);
+ if (rc != buflen)
+ {
+ *err_msg = "Error reading authentication request";
+ return SHISHI_IO_ERROR;
+ }
+
+ /* Create Authentication context */
+
+ rc = shishi_ap_nosubkey (*handle, ap);
+ if (rc != SHISHI_OK)
+ return rc;
+
+ /* Store request in context */
+
+ rc = shishi_ap_req_der_set (*ap, buf, buflen);
+ if (rc != SHISHI_OK)
+ return rc;
+
+ free (buf);
+
+ /* Process authentication request */
+
+ rc = shishi_ap_req_process (*ap, key);
+ if (rc != SHISHI_OK)
+ return rc;
+
+# ifdef ENCRYPTION
+
+ /* extract subkey if present from ap exchange for secure connection */
+ if (*protoversion == 2)
+ {
+ *enckey = NULL;
+ shishi_authenticator_get_subkey (*handle,
+ shishi_ap_authenticator (*ap), enckey);
+ }
+
+# endif
+
+ /* Get authenticator checksum */
+ rc = shishi_authenticator_cksum (*handle,
+ shishi_ap_authenticator (*ap),
+ cksumtype, cksum, cksumlen);
+ if (rc != SHISHI_OK)
+ return rc;
+
+ /* User is authenticated. */
+ error = 0;
+ write (infd, &error, sizeof (int));
+
+ /* Authenticate ourself to client, if requested. */
+
+ if (shishi_apreq_mutual_required_p (*handle, shishi_ap_req (*ap)))
+ {
+ int len;
+
+ rc = shishi_ap_rep_der (*ap, &out, &outlen);
+ if (rc != SHISHI_OK)
+ return rc;
+
+ len = outlen;
+ len = htonl (len);
+ rc = write (infd, &len, sizeof (len));
+ if (rc != sizeof (int))
+ {
+ *err_msg = "Error sending AP-REP";
+ free (out);
+ return SHISHI_IO_ERROR;
+ }
+
+ rc = write (infd, out, ntohl (len));
+ if (rc != (int) ntohl (len))
+ {
+ *err_msg = "Error sending AP-REP";
+ free (out);
+ return SHISHI_IO_ERROR;
+ }
+
+ free (out);
+
+ /* We are authenticated to client */
+ }
+
+# ifdef ENCRYPTION
+ if (*protoversion == 1)
+ {
+ Shishi_tkt *tkt;
+
+ tkt = shishi_ap_tkt (*ap);
+ if (tkt == NULL)
+ {
+ *err_msg = "Could not get tkt from AP-REQ";
+ return SHISHI_INVALID_TICKET;
+ }
+
+ rc = shishi_encticketpart_get_key (*handle,
+ shishi_tkt_encticketpart (tkt),
+ enckey);
+ if (rc != SHISHI_OK)
+ return rc;
+ }
+# endif /* ENCRYPTION */
+
+ return 0;
+# else
+ return -1;
+# endif
+}
+#endif /* KRB5 */
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 22 ++
configure.ac | 6 +-
libinetutils/Makefile.am | 2 +-
libinetutils/kcmd.c | 125 ++++++-------
libinetutils/kerberos5.c | 483 ++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 566 insertions(+), 72 deletions(-)
create mode 100644 libinetutils/kerberos5.c
hooks/post-receive
--
GNU Inetutils
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_2-19-g547bb31,
Mats Erik Andersson <=