freebsd-nq/eBones/lib/librkinit/rk_krb.c
Justin T. Gibbs b00d18e592 MIT's librkinit. Part of the rkinit suite. Rkinit allows you to forward
tickets to other kerberos hosts safely in one easy step.
1995-09-15 06:09:30 +00:00

317 lines
7.4 KiB
C

/*
* $Id: rk_krb.c,v 1.1 1993/12/10 19:36:09 dglo Exp gibbs $
* $Source: /usr/src/eBones/librkinit/RCS/rk_krb.c,v $
* $Author: dglo $
*
* This file contains the kerberos parts of the rkinit library.
* See the comment at the top of rk_lib.c for a description of the naming
* conventions used within the rkinit library.
*/
#if !defined(lint) && !defined(SABER) && !defined(LOCORE) && defined(RCS_HDRS)
static char *rcsid = "$Id: rk_krb.c,v 1.1 1993/12/10 19:36:09 dglo Exp gibbs $";
#endif /* lint || SABER || LOCORE || RCS_HDRS */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <krb.h>
#include <des.h>
#include <signal.h>
#include <setjmp.h>
#ifdef POSIX
#include <termios.h>
#else
#include <sgtty.h>
#endif
#include <rkinit.h>
#include <rkinit_err.h>
#include <rkinit_private.h>
static jmp_buf env;
static void sig_restore();
static void push_signals();
static void pop_signals();
/* Information to be passed around within client get_in_tkt */
typedef struct {
KTEXT scip; /* Server KDC packet */
char *username;
char *host;
} rkinit_intkt_info;
static char errbuf[BUFSIZ];
/* The compiler complains if this is declared static. */
#ifdef __STDC__
int rki_key_proc(char *user, char *instance, char *realm, char *arg,
des_cblock *key)
#else
int rki_key_proc(user, instance, realm, arg, key)
char *user;
char *instance;
char *realm;
char *arg;
des_cblock *key;
#endif /* __STDC__ */
{
rkinit_intkt_info *rii = (rkinit_intkt_info *)arg;
char password[BUFSIZ];
int ok = 0;
#ifdef POSIX
struct termios ttyb;
#else
struct sgttyb ttyb; /* For turning off echo */
#endif
SBCLEAR(ttyb);
BCLEAR(password);
/*
* If the username does not match the aname in the ticket,
* we will print that too. Otherwise, we won't.
*/
printf("Kerberos initialization (%s)", rii->host);
if (strcmp(rii->username, user))
printf(": tickets will be owned by %s", rii->username);
printf("\nPassword for %s%s%s@%s: ", user,
(instance[0]) ? "." : "", instance, realm);
fflush(stdout);
push_signals();
if (setjmp(env)) {
ok = -1;
goto lose;
}
#ifndef POSIX
ioctl(0, TIOCGETP, &ttyb);
ttyb.sg_flags &= ~ECHO;
ioctl(0, TIOCSETP, &ttyb);
#else
(void) tcgetattr(0, &ttyb);
ttyb.c_lflag &= ~ECHO;
(void) tcsetattr(0, TCSAFLUSH, &ttyb);
#endif
bzero(password, sizeof(password));
if (read(0, password, sizeof(password)) == -1) {
perror("read");
ok = -1;
goto lose;
}
if (password[strlen(password)-1] == '\n')
password[strlen(password)-1] = 0;
/* Generate the key from the password and destroy the password */
des_string_to_key(password, key);
lose:
BCLEAR(password);
#ifndef POSIX
ttyb.sg_flags |= ECHO;
ioctl(0, TIOCSETP, &ttyb);
#else
ttyb.c_lflag |= ECHO;
(void) tcsetattr(0, TCSAFLUSH, &ttyb);
#endif
pop_signals();
printf("\n");
return(ok);
}
#ifdef __STDC__
static int rki_decrypt_tkt(char *user, char *instance, char *realm,
char *arg, int (*key_proc)(), KTEXT *cipp)
#else
static int rki_decrypt_tkt(user, instance, realm, arg, key_proc, cipp)
char *user;
char *instance;
char *realm;
char *arg;
int (*key_proc)();
KTEXT *cipp;
#endif /* __STDC__ */
{
KTEXT cip = *cipp;
C_Block key; /* Key for decrypting cipher */
Key_schedule key_s;
KTEXT scip = 0; /* cipher from rkinit server */
rkinit_intkt_info *rii = (rkinit_intkt_info *)arg;
/* generate a key */
{
register int rc;
rc = (*key_proc)(user, instance, realm, arg, key);
if (rc)
return(rc);
}
des_key_sched(&key, key_s);
/* Decrypt information from KDC */
des_pcbc_encrypt((C_Block *)cip->dat,(C_Block *)cip->dat,
(long) cip->length, key_s, &key, 0);
/* DescrYPT rkinit server's information from KDC */
scip = rii->scip;
des_pcbc_encrypt((C_Block *)scip->dat,(C_Block *)scip->dat,
(long) scip->length, key_s, &key, 0);
/* Get rid of all traces of key */
bzero((char *)key, sizeof(key));
bzero((char *)key_s, sizeof(key_s));
return(0);
}
#ifdef __STDC__
int rki_get_tickets(int version, char *host, char *r_krealm, rkinit_info *info)
#else
int rki_get_tickets(version, host, r_krealm, info)
int version;
char *host;
char *r_krealm;
rkinit_info *info;
#endif /* __STDC__ */
{
int status = RKINIT_SUCCESS;
KTEXT_ST auth;
char phost[MAXHOSTNAMELEN];
KTEXT_ST scip; /* server's KDC packet */
des_cblock key;
des_key_schedule sched;
struct sockaddr_in caddr;
struct sockaddr_in saddr;
CREDENTIALS cred;
MSG_DAT msg_data;
u_char enc_data[MAX_KTXT_LEN];
rkinit_intkt_info rii;
SBCLEAR(auth);
BCLEAR(phost);
SBCLEAR(rii);
SBCLEAR(scip);
SBCLEAR(caddr);
SBCLEAR(saddr);
SBCLEAR(cred);
SBCLEAR(msg_data);
BCLEAR(enc_data);
if ((status = rki_send_rkinit_info(version, info)) != RKINIT_SUCCESS)
return(status);
if ((status = rki_rpc_get_skdc(&scip)) != RKINIT_SUCCESS)
return(status);
rii.scip = &scip;
rii.host = host;
rii.username = info->username;
if ((status = krb_get_in_tkt(info->aname, info->inst, info->realm,
"krbtgt", info->realm, 1,
rki_key_proc, rki_decrypt_tkt, (char *)&rii))) {
strcpy(errbuf, krb_err_txt[status]);
rkinit_errmsg(errbuf);
return(RKINIT_KERBEROS);
}
/* Create an authenticator */
strcpy(phost, krb_get_phost(host));
if ((status = krb_mk_req(&auth, KEY, phost, r_krealm, 0))) {
sprintf(errbuf, "krb_mk_req: %s", krb_err_txt[status]);
rkinit_errmsg(errbuf);
return(RKINIT_KERBEROS);
}
/* Re-encrypt server KDC packet in session key */
/* Get credentials from ticket file */
if ((status = krb_get_cred(KEY, phost, r_krealm, &cred))) {
sprintf(errbuf, "krb_get_cred: %s", krb_err_txt[status]);
rkinit_errmsg(errbuf);
return(RKINIT_KERBEROS);
}
/* Exctract the session key and make the schedule */
bcopy(cred.session, key, sizeof(key));
if ((status = des_key_sched(&key, sched))) {
sprintf(errbuf, "des_key_sched: %s", krb_err_txt[status]);
rkinit_errmsg(errbuf);
return(RKINIT_DES);
}
/* Get client and server addresses */
if ((status = rki_get_csaddr(&caddr, &saddr)) != RKINIT_SUCCESS)
return(status);
/*
* scip was passed to krb_get_in_tkt, where it was decrypted.
* Now re-encrypt in the session key.
*/
msg_data.app_data = enc_data;
if ((msg_data.app_length =
krb_mk_priv(scip.dat, msg_data.app_data, scip.length, sched, key,
&caddr, &saddr)) == -1) {
sprintf(errbuf, "krb_mk_priv failed.");
rkinit_errmsg(errbuf);
return(RKINIT_KERBEROS);
}
/* Destroy tickets, which we no longer need */
dest_tkt();
if ((status = rki_rpc_send_ckdc(&msg_data)) != RKINIT_SUCCESS)
return(status);
if ((status = rki_rpc_sendauth(&auth)) != RKINIT_SUCCESS)
return(status);
if ((status = rki_rpc_get_status()))
return(status);
return(RKINIT_SUCCESS);
}
static void (*old_sigfunc[NSIG])(int);
static void push_signals()
{
register i;
for (i = 0; i < NSIG; i++)
old_sigfunc[i] = signal(i,sig_restore);
}
static void pop_signals()
{
register i;
for (i = 0; i < NSIG; i++)
signal(i,old_sigfunc[i]);
}
static void sig_restore(sig,code,scp)
int sig,code;
struct sigcontext *scp;
{
longjmp(env,1);
}