2 * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 struct krb5_kx_context
{
42 krb5_keyblock
*keyblock
;
44 krb5_principal client
;
45 krb5_log_facility
*log
;
49 typedef struct krb5_kx_context krb5_kx_context
;
51 #define K5DATA(kc) ((krb5_kx_context*)kc->data)
52 #define CONTEXT(kc) (K5DATA(kc)->context)
55 * Destroy the krb5 context in `c'.
59 krb5_destroy (kx_context
*kc
)
61 if (K5DATA(kc
)->keyblock
)
62 krb5_free_keyblock (CONTEXT(kc
), K5DATA(kc
)->keyblock
);
63 if (K5DATA(kc
)->crypto
)
64 krb5_crypto_destroy (CONTEXT(kc
), K5DATA(kc
)->crypto
);
65 if (K5DATA(kc
)->client
)
66 krb5_free_principal (CONTEXT(kc
), K5DATA(kc
)->client
);
68 krb5_free_context (CONTEXT(kc
));
69 memset (kc
->data
, 0, sizeof(krb5_kx_context
));
74 * Read the authentication information from `s' and return 0 if
79 krb5_authenticate (kx_context
*kc
, int s
)
81 krb5_auth_context auth_context
= NULL
;
83 krb5_principal server
;
84 const char *host
= kc
->host
;
86 ret
= krb5_sname_to_principal (CONTEXT(kc
),
87 host
, "host", KRB5_NT_SRV_HST
, &server
);
89 krb5_warn (CONTEXT(kc
), ret
, "krb5_sname_to_principal: %s", host
);
93 ret
= krb5_sendauth (CONTEXT(kc
),
99 AP_OPTS_MUTUAL_REQUIRED
| AP_OPTS_USE_SUBKEY
,
107 if(ret
!= KRB5_SENDAUTH_BADRESPONSE
)
108 krb5_warn (CONTEXT(kc
), ret
, "krb5_sendauth: %s", host
);
112 ret
= krb5_auth_con_getkey (CONTEXT(kc
), auth_context
,
113 &K5DATA(kc
)->keyblock
);
115 krb5_warn (CONTEXT(kc
), ret
, "krb5_auth_con_getkey: %s", host
);
116 krb5_auth_con_free (CONTEXT(kc
), auth_context
);
120 ret
= krb5_crypto_init (CONTEXT(kc
), K5DATA(kc
)->keyblock
,
121 0, &K5DATA(kc
)->crypto
);
123 krb5_warn (CONTEXT(kc
), ret
, "krb5_crypto_init");
124 krb5_auth_con_free (CONTEXT(kc
), auth_context
);
131 * Read an encapsulated krb5 packet from `fd' into `buf' (of size
132 * `len'). Return the number of bytes read or 0 on EOF or -1 on
137 krb5_read (kx_context
*kc
,
138 int fd
, void *buf
, size_t len
)
140 size_t data_len
, outer_len
;
142 unsigned char tmp
[4];
146 l
= krb5_net_read (CONTEXT(kc
), &fd
, tmp
, 4);
151 data_len
= (tmp
[0] << 24) | (tmp
[1] << 16) | (tmp
[2] << 8) | tmp
[3];
152 outer_len
= krb5_get_wrapped_length (CONTEXT(kc
),
153 K5DATA(kc
)->crypto
, data_len
);
156 if (krb5_net_read (CONTEXT(kc
), &fd
, buf
, outer_len
) != outer_len
)
159 ret
= krb5_decrypt (CONTEXT(kc
), K5DATA(kc
)->crypto
,
160 KRB5_KU_OTHER_ENCRYPTED
,
161 buf
, outer_len
, &data
);
163 krb5_warn (CONTEXT(kc
), ret
, "krb5_decrypt");
166 if (data_len
> data
.length
) {
167 krb5_data_free (&data
);
170 memmove (buf
, data
.data
, data_len
);
171 krb5_data_free (&data
);
176 * Write an encapsulated krb5 packet on `fd' with the data in `buf,
177 * len'. Return len or -1 on error.
181 krb5_write(kx_context
*kc
,
182 int fd
, const void *buf
, size_t len
)
186 unsigned char tmp
[4];
189 ret
= krb5_encrypt (CONTEXT(kc
), K5DATA(kc
)->crypto
,
190 KRB5_KU_OTHER_ENCRYPTED
,
193 krb5_warn (CONTEXT(kc
), ret
, "krb5_write");
197 outlen
= data
.length
;
198 tmp
[0] = (len
>> 24) & 0xFF;
199 tmp
[1] = (len
>> 16) & 0xFF;
200 tmp
[2] = (len
>> 8) & 0xFF;
201 tmp
[3] = (len
>> 0) & 0xFF;
203 if (krb5_net_write (CONTEXT(kc
), &fd
, tmp
, 4) != 4 ||
204 krb5_net_write (CONTEXT(kc
), &fd
, data
.data
, outlen
) != outlen
) {
205 krb5_data_free (&data
);
208 krb5_data_free (&data
);
213 * Copy from the unix socket `from_fd' encrypting to `to_fd'.
214 * Return 0, -1 or len.
218 copy_out (kx_context
*kc
, int from_fd
, int to_fd
)
223 len
= read (from_fd
, buf
, sizeof(buf
));
227 krb5_warn (CONTEXT(kc
), errno
, "read");
230 return krb5_write (kc
, to_fd
, buf
, len
);
234 * Copy from the socket `from_fd' decrypting to `to_fd'.
235 * Return 0, -1 or len.
239 copy_in (kx_context
*kc
, int from_fd
, int to_fd
)
241 char buf
[33000]; /* XXX */
245 len
= krb5_read (kc
, from_fd
, buf
, sizeof(buf
));
249 krb5_warn (CONTEXT(kc
), errno
, "krb5_read");
253 return krb5_net_write (CONTEXT(kc
), &to_fd
, buf
, len
);
257 * Copy data between `fd1' and `fd2', encrypting in one direction and
258 * decrypting in the other.
262 krb5_copy_encrypted (kx_context
*kc
, int fd1
, int fd2
)
268 if (fd1
>= FD_SETSIZE
|| fd2
>= FD_SETSIZE
) {
269 krb5_warnx (CONTEXT(kc
), "fd too large");
277 ret
= select (max(fd1
, fd2
)+1, &fdset
, NULL
, NULL
, NULL
);
278 if (ret
< 0 && errno
!= EINTR
) {
279 krb5_warn (CONTEXT(kc
), errno
, "select");
282 if (FD_ISSET(fd1
, &fdset
)) {
283 ret
= copy_out (kc
, fd1
, fd2
);
287 if (FD_ISSET(fd2
, &fdset
)) {
288 ret
= copy_in (kc
, fd2
, fd1
);
296 * Return 0 if the user authenticated on `kc' is allowed to login as
301 krb5_userok (kx_context
*kc
, char *user
)
306 ret
= krb5_unparse_name (CONTEXT(kc
), K5DATA(kc
)->client
, &tmp
);
308 krb5_err (CONTEXT(kc
), 1, ret
, "krb5_unparse_name");
311 return !krb5_kuserok (CONTEXT(kc
), K5DATA(kc
)->client
, user
);
315 * Create an instance of an krb5 context.
319 krb5_make_context (kx_context
*kc
)
324 kc
->authenticate
= krb5_authenticate
;
325 kc
->userok
= krb5_userok
;
326 kc
->read
= krb5_read
;
327 kc
->write
= krb5_write
;
328 kc
->copy_encrypted
= krb5_copy_encrypted
;
329 kc
->destroy
= krb5_destroy
;
331 kc
->data
= malloc(sizeof(krb5_kx_context
));
333 if (kc
->data
== NULL
) {
334 syslog (LOG_ERR
, "failed to malloc %lu bytes",
335 (unsigned long)sizeof(krb5_kx_context
));
338 memset (kc
->data
, 0, sizeof(krb5_kx_context
));
339 c
= (krb5_kx_context
*)kc
->data
;
340 ret
= krb5_init_context (&c
->context
);
342 syslog (LOG_ERR
, "failed initialise krb5 context");
348 * Receive authentication information on `sock' (first four bytes
353 recv_v5_auth (kx_context
*kc
, int sock
, u_char
*buf
)
357 krb5_principal server
;
358 krb5_auth_context auth_context
= NULL
;
361 if (memcmp (buf
, "\x00\x00\x00\x13", 4) != 0)
363 len
= (buf
[0] << 24) | (buf
[1] << 16) | (buf
[2] << 8) | (buf
[3]);
364 if (net_read(sock
, buf
, len
) != len
) {
365 syslog (LOG_ERR
, "read: %m");
368 if (len
!= sizeof(KRB5_SENDAUTH_VERSION
)
369 || memcmp (buf
, KRB5_SENDAUTH_VERSION
, len
) != 0) {
370 syslog (LOG_ERR
, "bad sendauth version: %.8s", buf
);
374 krb5_make_context (kc
);
375 krb5_openlog(CONTEXT(kc
), "kxd", &K5DATA(kc
)->log
);
376 krb5_set_warn_dest(CONTEXT(kc
), K5DATA(kc
)->log
);
378 ret
= krb5_sock_to_principal (CONTEXT(kc
), sock
, "host",
379 KRB5_NT_SRV_HST
, &server
);
381 syslog (LOG_ERR
, "krb5_sock_to_principal: %s",
382 krb5_get_err_text (CONTEXT(kc
), ret
));
386 ret
= krb5_recvauth (CONTEXT(kc
),
391 KRB5_RECVAUTH_IGNORE_VERSION
,
394 krb5_free_principal (CONTEXT(kc
), server
);
396 syslog (LOG_ERR
, "krb5_sock_to_principal: %s",
397 krb5_get_err_text (CONTEXT(kc
), ret
));
401 ret
= krb5_auth_con_getkey (CONTEXT(kc
), auth_context
, &K5DATA(kc
)->keyblock
);
403 syslog (LOG_ERR
, "krb5_auth_con_getkey: %s",
404 krb5_get_err_text (CONTEXT(kc
), ret
));
408 ret
= krb5_crypto_init (CONTEXT(kc
), K5DATA(kc
)->keyblock
, 0, &K5DATA(kc
)->crypto
);
410 syslog (LOG_ERR
, "krb5_crypto_init: %s",
411 krb5_get_err_text (CONTEXT(kc
), ret
));
415 K5DATA(kc
)->client
= ticket
->client
;
416 ticket
->client
= NULL
;
417 krb5_free_ticket (CONTEXT(kc
), ticket
);
419 krb5_auth_con_free(CONTEXT(kc
), auth_context
);