+++ /dev/null
-/*
- * lib/krb5/krb/compat_recv.c
- *
- * Copyright 1993 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * convenience sendauth/recvauth functions, with compatibility with V4
- * recvauth.
- *
- * NOTE: linking in this function will pull in V4 kerberos routines.
- *
- * WARNING: In the V4-style arguments, the ticket and kdata arguments
- * have different types than the V4 recvauth; in V4, they were KTEXT
- * and AUTH_DAT *, respectively. Here, they are KTEXT * and AUTH_DAT **
- * and they are allocated by recvauth if and only if we end up talking
- * to a V4 sendauth.
- */
-
-#define NEED_SOCKETS
-#include "k5-int.h"
-#if !defined(_MSDOS) && !defined(_MACINTOSH)
-#include <kerberosIV/krb.h>
-#include <kerberosIV/krb4-proto.h>
-#include "com_err.h"
-#include <errno.h>
-
-#include <stdio.h>
-#include <string.h>
-
-static int krb_v4_recvauth();
-
-#define KRB_V4_SENDAUTH_VERS "AUTHV0.1" /* MUST be 8 chars long */
-#define KRB_V5_SENDAUTH_VERS "KRB5_SENDAUTH_V1.0"
-
-#define KRB5_RECVAUTH_V4 4
-#define KRB5_RECVAUTH_V5 5
-
-krb5_error_code
-krb5_compat_recvauth(context, auth_context,
- /* IN */
- fdp, appl_version, server, flags, keytab,
- v4_options, v4_service, v4_instance, v4_faddr, v4_laddr,
- v4_filename,
- /* OUT */
- ticket,
- auth_sys, v4_kdata, v4_schedule, v4_version)
- krb5_context context;
- krb5_auth_context *auth_context;
- krb5_pointer fdp;
- char *appl_version;
- krb5_principal server;
- krb5_int32 flags;
- krb5_keytab keytab;
- krb5_ticket ** ticket;
- krb5_int32 *auth_sys;
-
- /*
- * Version 4 arguments
- */
- krb5_int32 v4_options; /* bit-pattern of options */
- char *v4_service; /* service expected */
- char *v4_instance; /* inst expected (may be filled in) */
- struct sockaddr_in *v4_faddr; /* foreign address */
- struct sockaddr_in *v4_laddr; /* local address */
- AUTH_DAT **v4_kdata; /* kerberos data (returned) */
- char *v4_filename; /* name of file with service keys */
- Key_schedule v4_schedule; /* key schedule (return) */
- char *v4_version; /* version string (filled in) */
-{
- union verslen {
- krb5_int32 len;
- char vers[4];
- } vers;
- char *buf;
- int len, length;
- krb5_int32 retval;
- int fd = *( (int *) fdp);
-#ifdef KRB5_KRB4_COMPAT
- KTEXT v4_ticket; /* storage for client's ticket */
-#endif
-
- if ((retval = krb5_net_read(context, fd, vers.vers, 4)) != 4)
- return((retval < 0) ? errno : ECONNABORTED);
-
-#ifdef KRB5_KRB4_COMPAT
- if (!strncmp(vers.vers, KRB_V4_SENDAUTH_VERS, 4)) {
- /*
- * We must be talking to a V4 sendauth; read in the
- * rest of the version string and make sure.
- */
- if ((retval = krb5_net_read(context, fd, vers.vers, 4)) != 4)
- return((retval < 0) ? errno : ECONNABORTED);
-
- if (strncmp(vers.vers, KRB_V4_SENDAUTH_VERS+4, 4))
- return KRB5_SENDAUTH_BADAUTHVERS;
-
- *auth_sys = KRB5_RECVAUTH_V4;
-
- *v4_kdata = (AUTH_DAT *) malloc( sizeof(AUTH_DAT) );
- v4_ticket = (KTEXT) malloc(sizeof(KTEXT_ST));
-
- retval = krb_v4_recvauth(v4_options, fd, v4_ticket,
- v4_service, v4_instance, v4_faddr,
- v4_laddr, *v4_kdata, v4_filename,
- v4_schedule, v4_version);
- krb5_xfree(v4_ticket);
- /*
- * XXX error code translation?
- */
- switch (retval) {
- case RD_AP_OK:
- return 0;
- case RD_AP_TIME:
- return KRB5KRB_AP_ERR_SKEW;
- case RD_AP_EXP:
- return KRB5KRB_AP_ERR_TKT_EXPIRED;
- case RD_AP_NYV:
- return KRB5KRB_AP_ERR_TKT_NYV;
- case RD_AP_NOT_US:
- return KRB5KRB_AP_ERR_NOT_US;
- case RD_AP_UNDEC:
- return KRB5KRB_AP_ERR_BAD_INTEGRITY;
- case RD_AP_REPEAT:
- return KRB5KRB_AP_ERR_REPEAT;
- case RD_AP_MSG_TYPE:
- return KRB5KRB_AP_ERR_MSG_TYPE;
- case RD_AP_MODIFIED:
- return KRB5KRB_AP_ERR_MODIFIED;
- case RD_AP_ORDER:
- return KRB5KRB_AP_ERR_BADORDER;
- case RD_AP_BADD:
- return KRB5KRB_AP_ERR_BADADDR;
- default:
- return KRB5_SENDAUTH_BADRESPONSE;
- }
- }
-#endif
-
- /*
- * Assume that we're talking to a V5 recvauth; read in the
- * the version string, and make sure it matches.
- */
-
- len = (int) ntohl(vers.len);
-
- if (len < 0 || len > 255)
- return KRB5_SENDAUTH_BADAUTHVERS;
-
- buf = malloc(len);
- if (!buf)
- return ENOMEM;
-
- length = krb5_net_read(context, fd, buf, len);
- if (len != length) {
- krb5_xfree(buf);
- if (len < 0)
- return errno;
- else
- return ECONNABORTED;
- }
-
- if (strcmp(buf, KRB_V5_SENDAUTH_VERS)) {
- krb5_xfree(buf);
- return KRB5_SENDAUTH_BADAUTHVERS;
- }
- krb5_xfree(buf);
-
- *auth_sys = KRB5_RECVAUTH_V5;
-
- retval = krb5_recvauth(context, auth_context, fdp, appl_version, server,
- flags | KRB5_RECVAUTH_SKIP_VERSION,
- keytab, ticket);
-
- return retval;
-}
-
-
-#ifndef max
-#define max(a,b) (((a) > (b)) ? (a) : (b))
-#endif /* max */
-
-#ifdef KRB5_KRB4_COMPAT
-static int
-krb_v4_recvauth(options, fd, ticket, service, instance, faddr, laddr, kdata,
- filename, schedule, version)
-long options; /* bit-pattern of options */
-int fd; /* file descr. to read from */
-KTEXT ticket; /* storage for client's ticket */
-char *service; /* service expected */
-char *instance; /* inst expected (may be filled in) */
-struct sockaddr_in *faddr; /* address of foreign host on fd */
-struct sockaddr_in *laddr; /* local address */
-AUTH_DAT *kdata; /* kerberos data (returned) */
-char *filename; /* name of file with service keys */
-Key_schedule schedule; /* key schedule (return) */
-char *version; /* version string (filled in) */
-{
- int cc, old_vers = 0;
- int rem;
- krb5_int32 tkt_len, priv_len;
- krb5_ui_4 cksum;
- u_char tmp_buf[MAX_KTXT_LEN+max(KRB_SENDAUTH_VLEN+1,21)];
-
- /* read the application version string */
- if ((krb_net_read(fd, version, KRB_SENDAUTH_VLEN) !=
- KRB_SENDAUTH_VLEN))
- return(errno);
- version[KRB_SENDAUTH_VLEN] = '\0';
-
- /* get the length of the ticket */
- if (krb_net_read(fd, (char *)&tkt_len, sizeof(tkt_len)) !=
- sizeof(tkt_len))
- return(errno);
-
- /* sanity check */
- ticket->length = ntohl((unsigned long)tkt_len);
- if ((ticket->length <= 0) || (ticket->length > MAX_KTXT_LEN)) {
- if (options & KOPT_DO_MUTUAL) {
- rem = KFAILURE;
- goto mutual_fail;
- } else
- return(KFAILURE); /* XXX there may still be junk on the fd? */
- }
-
- /* read the ticket */
- if (krb_net_read(fd, (char *) ticket->dat, ticket->length)
- != ticket->length)
- return(errno);
-
- /*
- * now have the ticket. decrypt it to get the authenticated
- * data.
- */
- rem = krb_rd_req(ticket,service,instance,faddr->sin_addr.s_addr,
- kdata,filename);
-
- if (old_vers) return(rem); /* XXX can't do mutual with old client */
-
- /* if we are doing mutual auth, compose a response */
- if (options & KOPT_DO_MUTUAL) {
- if (rem != KSUCCESS)
- /* the krb_rd_req failed */
- goto mutual_fail;
-
- /* add one to the (formerly) sealed checksum, and re-seal it
- for return to the client */
- cksum = kdata->checksum + 1;
- cksum = htonl(cksum);
-#ifndef NOENCRYPTION
- key_sched(kdata->session,schedule);
-#endif /* !NOENCRYPTION */
- priv_len = krb_mk_priv((unsigned char *)&cksum,
- tmp_buf,
- (unsigned long) sizeof(cksum),
- schedule,
- kdata->session,
- laddr,
- faddr);
- if (priv_len < 0) {
- /* re-sealing failed; notify the client */
- rem = KFAILURE; /* XXX */
-mutual_fail:
- priv_len = -1;
- tkt_len = htonl((unsigned long) priv_len);
- /* a length of -1 is interpreted as an authentication
- failure by the client */
- if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len)))
- != sizeof(tkt_len))
- return(cc);
- return(rem);
- } else {
- /* re-sealing succeeded, send the private message */
- tkt_len = htonl((unsigned long)priv_len);
- if ((cc = krb_net_write(fd, (char *)&tkt_len, sizeof(tkt_len)))
- != sizeof(tkt_len))
- return(cc);
- if ((cc = krb_net_write(fd, (char *)tmp_buf, (int) priv_len))
- != (int) priv_len)
- return(cc);
- }
- }
- return(rem);
-}
-#endif
-#endif
projects / krb5.git / commitdiff