From ef711b047d0bcb61526908d2f4bca6b88d93efd5 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Thu, 16 Oct 1997 05:31:47 +0000 Subject: [PATCH] * main.c: Change KERBEROS to KRB5_KRB4_COMPAT where appropriate * secure.c: Use rather than "secure.h" so that the correct secure.h gets included (the one in the $(srcdir) of the directory we're compiling secure.c into). From danw@mit.edu. * ftp.c: Change KERBEROS to KRB5_KRB4_COMPAT where appropriate. Re-order the clauses so that that GSSAPI gets tried before KERBEROS_V4. * Makefile.in: Update LOCALINCLUDE and the link line to DTRT with krb4 compatibility. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10235 dc483132-0cff-0310-8789-dd5450dbe970 --- src/appl/gssftp/ftp/ChangeLog | 15 ++++ src/appl/gssftp/ftp/Makefile.in | 4 +- src/appl/gssftp/ftp/ftp.c | 146 ++++++++++++++++---------------- src/appl/gssftp/ftp/main.c | 10 +-- src/appl/gssftp/ftp/secure.c | 23 ++--- 5 files changed, 107 insertions(+), 91 deletions(-) diff --git a/src/appl/gssftp/ftp/ChangeLog b/src/appl/gssftp/ftp/ChangeLog index 1205eaece..64cf0d0ca 100644 --- a/src/appl/gssftp/ftp/ChangeLog +++ b/src/appl/gssftp/ftp/ChangeLog @@ -1,3 +1,18 @@ +Thu Oct 16 01:20:30 1997 Tom Yu + + * main.c: Change KERBEROS to KRB5_KRB4_COMPAT where appropriate. + + * secure.c: Use rather than "secure.h" so that the + correct secure.h gets included (the one in the $(srcdir) of the + directory we're compiling secure.c into). From danw@mit.edu. + + * ftp.c: Change KERBEROS to KRB5_KRB4_COMPAT where appropriate. + Re-order the clauses so that that GSSAPI gets tried before + KERBEROS_V4. + + * Makefile.in: Update LOCALINCLUDE and the link line to DTRT with + krb4 compatibility. + Sun Aug 17 14:23:39 1997 Ezra Peisach * Makefile.in (SRCS): Add $(srcdir) where needed. diff --git a/src/appl/gssftp/ftp/Makefile.in b/src/appl/gssftp/ftp/Makefile.in index 75b6aff70..e2927804b 100644 --- a/src/appl/gssftp/ftp/Makefile.in +++ b/src/appl/gssftp/ftp/Makefile.in 
@@ -14,13 +14,13 @@ SRCS = $(srcdir)/cmds.c $(srcdir)/cmdtab.c $(srcdir)/domacro.c \ OBJS = cmds.o cmdtab.o domacro.o ftp.o getpass.o glob.o main.o pclose.o \ radix.o ruserpass.o secure.o -LOCALINCLUDE = -I$(srcdir)/.. +LOCALINCLUDE = -I$(srcdir)/.. -I$(srcdir) @KRB4_INCLUDES@ DEFINES = -DGSSAPI -DNOCONFIDENTIAL all:: ftp ftp: $(OBJS) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o ftp $(OBJS) $(GSS_LIBS) $(KRB5_BASE_LIBS) + $(CC_LINK) -o ftp $(OBJS) $(GSS_LIBS) $(KRB4COMPAT_LIBS) clean:: $(RM) ftp diff --git a/src/appl/gssftp/ftp/ftp.c b/src/appl/gssftp/ftp/ftp.c index 0641416bc..41207c06a 100644 --- a/src/appl/gssftp/ftp/ftp.c +++ b/src/appl/gssftp/ftp/ftp.c @@ -79,14 +79,14 @@ static char sccsid[] = "@(#)ftp.c 5.38 (Berkeley) 4/22/91"; #define L_INCR 1 #endif -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT #include KTEXT_ST ticket; CREDENTIALS cred; Key_schedule schedule; MSG_DAT msg_data; -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI #include #include @@ -348,7 +348,7 @@ secure_command(cmd) * File protection level also determines whether * commands are MIC or ENC. Should be independent ... */ -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT if (strcmp(auth_type, "KERBEROS_V4") == 0) if ((length = level == PROT_P ? krb_mk_priv((unsigned char *)cmd, (unsigned char *)out, @@ -361,7 +361,7 @@ secure_command(cmd) level == PROT_P ? "priv" : "safe"); return(0); } -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI /* secure_command (based on level) */ if (strcmp(auth_type, "GSSAPI") == 0) { @@ -616,7 +616,7 @@ getreply(expecteof) code, radix_error(kerror), obuf); n = '5'; } -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT else if (strcmp(auth_type, "KERBEROS_V4") == 0) if ((kerror = safe ? krb_rd_safe((unsigned char *)ibuf, len, 
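Review bot: In the new `LOCALINCLUDE`, `-I$(srcdir)/..` is still searched before `-I$(srcdir)`, so a same-named header in the parent directory would win over the local one. The secure.c hunk in this commit changes its `secure.h` include so that it is resolved through the search path, which makes the order matter; I would write `LOCALINCLUDE = -I$(srcdir) -I$(srcdir)/.. @KRB4_INCLUDES@`. Whether a conflicting `secure.h` actually exists on that path is not visible here. Separately, the link line now uses `$(KRB4COMPAT_LIBS)` while the prerequisites of `ftp` still list `$(KRB5_BASE_DEPLIBS)`, so a rebuilt krb4 compatibility library may not trigger a relink; the prerequisite list should track the libraries that are linked.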
@@ -1536,10 +1536,10 @@ pswitch(flag) char mo[MAXPATHLEN]; char *authtype; int lvl; -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT C_Block session; Key_schedule schedule; -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ } proxstruct, tmpstruct; struct comvars *ip, *op; @@ -1608,12 +1608,12 @@ pswitch(flag) level = op->lvl; if (!level) level = 1; -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT memcpy(ip->session, cred.session, sizeof(cred.session)); memcpy(cred.session, op->session, sizeof(cred.session)); memcpy(ip->schedule, schedule, sizeof(schedule)); memcpy(schedule, op->schedule, sizeof(schedule)); -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ (void) signal(SIGINT, oldintr); if (abrtflag) { abrtflag = 0; @@ -1821,9 +1821,9 @@ gunique(local) return(new); } -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT char realm[REALM_SZ + 1]; -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI /* for testing, we don't have an ftp key yet */ 
@@ -1834,77 +1834,19 @@ do_auth() { extern int setsafe(); int oldverbose; -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT char *service, inst[INST_SZ]; u_long cksum, checksum = (u_long) getpid(); -#endif /* KERBEROS */ -#if defined(KERBEROS) || defined(GSSAPI) +#endif /* KRB5_KRB4_COMPAT */ +#if defined(KRB5_KRB4_COMPAT) || defined(GSSAPI) u_char out_buf[FTP_BUFSIZ]; int i; -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ if (auth_type) return(1); /* auth already succeeded */ /* Other auth types go here ... */ -#ifdef KERBEROS - if (command("AUTH %s", "KERBEROS_V4") == CONTINUE) { - if (verbose) - printf("%s accepted as authentication type\n", "KERBEROS_V4"); - - strcpy(inst, (char *) krb_get_phost(hostname)); - if (realm[0] == '\0') - strcpy(realm, (char *) krb_realmofhost(hostname)); - if ((kerror = krb_mk_req(&ticket, service = "ftp", - inst, realm, checksum)) - && (kerror != KDC_PR_UNKNOWN || - (kerror = krb_mk_req(&ticket, service = "rcmd", - inst, realm, checksum)))) - fprintf(stderr, "Kerberos V4 krb_mk_req failed: %s\n", - krb_get_err_text(kerror)); - else if (kerror = krb_get_cred(service, inst, realm, &cred)) - fprintf(stderr, "Kerberos V4 krb_get_cred failed: %s\n", - krb_get_err_text(kerror)); - else { - key_sched(cred.session, schedule); - reply_parse = "ADAT="; - oldverbose = verbose; - verbose = 0; - i = ticket.length; - if (kerror = radix_encode(ticket.dat, out_buf, &i, 0)) - fprintf(stderr, "Base 64 encoding failed: %s\n", - radix_error(kerror)); - else if (command("ADAT %s", out_buf) != COMPLETE) - fprintf(stderr, "Kerberos V4 authentication failed\n"); - else if (!reply_parse) - fprintf(stderr, - "No authentication data received from server\n"); - else if (kerror = radix_encode(reply_parse, out_buf, &i, 1)) - fprintf(stderr, "Base 64 decoding failed: %s\n", - radix_error(kerror)); - else if (kerror = krb_rd_safe(out_buf, i, &cred.session, - &hisctladdr, &myctladdr, &msg_data)) - fprintf(stderr, "Kerberos V4 krb_rd_safe failed: %s\n", - 
krb_get_err_text(kerror)); - else { - /* fetch the (modified) checksum */ - (void) memcpy(&cksum, msg_data.app_data, sizeof(cksum)); - if (ntohl(cksum) == checksum + 1) { - verbose = oldverbose; - if (verbose) - printf("Kerberos V4 authentication succeeded\n"); - reply_parse = NULL; - auth_type = "KERBEROS_V4"; - return(1); - } else fprintf(stderr, - "Kerberos V4 mutual authentication failed\n"); - } - verbose = oldverbose; - reply_parse = NULL; - } - } else fprintf(stderr, "%s rejected as an authentication type\n", - "KERBEROS_V4"); -#endif /* KERBEROS */ #ifdef GSSAPI if (command("AUTH %s", "GSSAPI") == CONTINUE) { OM_uint32 maj_stat, min_stat; 
@@ -2042,6 +1984,64 @@ do_auth() } } #endif /* GSSAPI */ +#ifdef KRB5_KRB4_COMPAT + if (command("AUTH %s", "KERBEROS_V4") == CONTINUE) { + if (verbose) + printf("%s accepted as authentication type\n", "KERBEROS_V4"); + + strcpy(inst, (char *) krb_get_phost(hostname)); + if (realm[0] == '\0') + strcpy(realm, (char *) krb_realmofhost(hostname)); + if ((kerror = krb_mk_req(&ticket, service = "ftp", + inst, realm, checksum)) + && (kerror != KDC_PR_UNKNOWN || + (kerror = krb_mk_req(&ticket, service = "rcmd", + inst, realm, checksum)))) + fprintf(stderr, "Kerberos V4 krb_mk_req failed: %s\n", + krb_get_err_text(kerror)); + else if (kerror = krb_get_cred(service, inst, realm, &cred)) + fprintf(stderr, "Kerberos V4 krb_get_cred failed: %s\n", + krb_get_err_text(kerror)); + else { + key_sched(cred.session, schedule); + reply_parse = "ADAT="; + oldverbose = verbose; + verbose = 0; + i = ticket.length; + if (kerror = radix_encode(ticket.dat, out_buf, &i, 0)) + fprintf(stderr, "Base 64 encoding failed: %s\n", + radix_error(kerror)); + else if (command("ADAT %s", out_buf) != COMPLETE) + fprintf(stderr, "Kerberos V4 authentication failed\n"); + else if (!reply_parse) + fprintf(stderr, + "No authentication data received from server\n"); + else if (kerror = radix_encode(reply_parse, out_buf, &i, 1)) + fprintf(stderr, "Base 64 decoding failed: %s\n", + radix_error(kerror)); + else if (kerror = krb_rd_safe(out_buf, i, &cred.session, + &hisctladdr, &myctladdr, &msg_data)) + fprintf(stderr, "Kerberos V4 krb_rd_safe failed: %s\n", + krb_get_err_text(kerror)); + else { + /* fetch the (modified) checksum */ + (void) memcpy(&cksum, msg_data.app_data, sizeof(cksum)); + if (ntohl(cksum) == checksum + 1) { + verbose = oldverbose; + if (verbose) + printf("Kerberos V4 authentication succeeded\n"); + reply_parse = NULL; + auth_type = "KERBEROS_V4"; + return(1); + } else fprintf(stderr, + "Kerberos V4 mutual authentication failed\n"); + } + verbose = oldverbose; + reply_parse = NULL; + } + } 
else fprintf(stderr, "%s rejected as an authentication type\n", + "KERBEROS_V4"); +#endif /* KRB5_KRB4_COMPAT */ /* Other auth types go here ... */ diff --git a/src/appl/gssftp/ftp/main.c b/src/appl/gssftp/ftp/main.c index 4a6d88f54..a73f4fb93 100644 --- a/src/appl/gssftp/ftp/main.c +++ b/src/appl/gssftp/ftp/main.c @@ -67,11 +67,11 @@ uid_t getuid(); sigtype intr(), lostpeer(); extern char *home; char *getlogin(); -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT #include struct servent staticsp; extern char realm[]; -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ main(argc, argv) char *argv[]; @@ -86,12 +86,12 @@ main(argc, argv) fprintf(stderr, "ftp: ftp/tcp: unknown service\n"); exit(1); } -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT /* GDM need to static sp so that the information is not lost when kerberos calls getservbyname */ memcpy(&staticsp,sp,sizeof(struct servent)); sp = &staticsp; -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ doglob = 1; interactive = 1; autologin = 1; @@ -105,7 +105,7 @@ main(argc, argv) debug++; break; -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT case 'k': if (*++cp != '\0') strncpy(realm, ++cp, REALM_SZ); diff --git a/src/appl/gssftp/ftp/secure.c b/src/appl/gssftp/ftp/secure.c index 550160b03..a379370eb 100644 --- a/src/appl/gssftp/ftp/secure.c +++ b/src/appl/gssftp/ftp/secure.c @@ -4,16 +4,16 @@ * Only one security context, thus only work on one fd at a time! */ -#include "secure.h" /* stuff which is specific to client or server */ +#include /* stuff which is specific to client or server */ -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT #include CRED_DECL extern KTEXT_ST ticket; extern MSG_DAT msg_data; extern Key_schedule schedule; -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI #include #include 
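Review bot: The relocated KERBEROS_V4 branch of do_auth keeps two unbounded copies, `strcpy(inst, (char *) krb_get_phost(hostname))` and `strcpy(realm, (char *) krb_realmofhost(hostname))`, into the fixed-size `inst[INST_SZ]` and `realm[REALM_SZ + 1]` declared in the earlier ftp.c hunks, and neither return value is checked for NULL. Since the block is being moved anyway, bound both copies, e.g. `strncpy(inst, p, sizeof(inst) - 1); inst[sizeof(inst) - 1] = '\0';` where `p` is the returned pointer after a NULL check, and do the same for `realm`. The server-supplied ADAT reply is also decoded with `radix_encode(reply_parse, out_buf, &i, 1)` into `out_buf[FTP_BUFSIZ]`; radix_encode is not shown, so confirm it cannot write past that buffer. do_auth begins before this hunk and continues after it.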
@@ -58,15 +58,16 @@ extern unsigned char *ucbuf; /* cleartext buffer */ static unsigned int nout, bufp; /* number of chars in ucbuf, * pointer into ucbuf */ -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT #define FUDGE_FACTOR 32 /* Amount of growth * from cleartext to ciphertext. * krb_mk_priv adds this # bytes. * Must be defined for each auth type. */ -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI +#undef FUDGE_FACTOR #define FUDGE_FACTOR 64 /*It appears to add 52 byts, but I'm not usre it is a constant--hartmans*/ #endif /*GSSAPI*/ @@ -74,7 +75,7 @@ static unsigned int nout, bufp; /* number of chars in ucbuf, #define FUDGE_FACTOR 0 #endif -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT /* XXX - The following must be redefined if KERBEROS_V4 is not used * but some other auth type is. They must have the same properties. */ #define looping_write krb_net_write @@ -223,13 +224,13 @@ secure_putbuf(fd, buf, nbyte) unsigned char *buf; unsigned int nbyte; { - static char *outbuf; /* output ciphertext */ + static char *outbuf; /* output ciphertext */ static unsigned int bufsize; /* size of outbuf */ ftp_int32 length; ftp_uint32 net_len; /* Other auth types go here ... */ -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT if (bufsize < nbyte + FUDGE_FACTOR) { if (outbuf? (outbuf = realloc(outbuf, (unsigned) (nbyte + FUDGE_FACTOR))): @@ -253,7 +254,7 @@ unsigned int nbyte; level == PROT_P ? "priv" : "safe"); return(ERR); } -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI if (strcmp(auth_type, "GSSAPI") == 0) { gss_buffer_desc in_buf, out_buf; @@ -330,7 +331,7 @@ int fd; return(ERR); } /* Other auth types go here ... */ -#ifdef KERBEROS +#ifdef KRB5_KRB4_COMPAT if (strcmp(auth_type, "KERBEROS_V4") == 0) { if (kerror = level == PROT_P ? krb_rd_priv(ucbuf, length, schedule, SESSION, 
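Review bot: With the added `#undef FUDGE_FACTOR`, a build that defines both KRB5_KRB4_COMPAT and GSSAPI silently uses 64 for every mechanism, and the existing comment says the GSSAPI figure is an observation (52 bytes) rather than a guaranteed bound. I would document that at the definition, e.g. `/* one value for all enabled mechanisms: must be >= the largest cleartext-to-ciphertext growth of any of them */`, or give each mechanism its own named constant. The secure_putbuf hunk at -223 sizes `outbuf` as `nbyte + FUDGE_FACTOR`, so the krb4 path is only over-allocated by this change. How the constant is used on the GSSAPI path is outside the visible hunks and is worth checking against the actual wrapped length.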
@@ -345,7 +346,7 @@ int fd; memcpy(ucbuf, msg_data.app_data, msg_data.app_length); nin = bufp = msg_data.app_length; } -#endif /* KERBEROS */ +#endif /* KRB5_KRB4_COMPAT */ #ifdef GSSAPI if (strcmp(auth_type, "GSSAPI") == 0) { gss_buffer_desc xmit_buf, msg_buf; -- 2.26.2