authorhin <hin@openbsd.org>2001-05-25 10:23:04 +0000
committerhin <hin@openbsd.org>2001-05-25 10:23:04 +0000
commitb7dad53aa7d06020f97cfd8522a1ec553fb6f246 (patch)
treee32c92965cb394ce833359a742d86a53534f0235
parentSimple build instructions. (diff)
KerberosV stuff taken from Heimdal.
-rw-r--r--lib/libtelnet/Makefile5
-rw-r--r--lib/libtelnet/auth-proto.h99
-rw-r--r--lib/libtelnet/auth.c850
-rw-r--r--lib/libtelnet/auth.h20
-rw-r--r--lib/libtelnet/enc-proto.h134
-rw-r--r--lib/libtelnet/enc_des.c12
-rw-r--r--lib/libtelnet/encrypt.c32
-rw-r--r--lib/libtelnet/encrypt.h55
-rw-r--r--lib/libtelnet/genget.c87
-rw-r--r--lib/libtelnet/kerberos.c157
-rw-r--r--lib/libtelnet/kerberos5.c280
-rw-r--r--lib/libtelnet/misc-proto.h36
-rw-r--r--lib/libtelnet/misc.c73
-rw-r--r--lib/libtelnet/misc.h10
14 files changed, 1006 insertions, 844 deletions
diff --git a/lib/libtelnet/Makefile b/lib/libtelnet/Makefile
index 125cb56e11b..dee29e822ff 100644
--- a/lib/libtelnet/Makefile
+++ b/lib/libtelnet/Makefile
@@ -1,5 +1,5 @@
# from: @(#)Makefile 8.2 (Berkeley) 12/15/93
-# $OpenBSD: Makefile,v 1.4 2000/09/03 18:41:14 espie Exp $
+# $OpenBSD: Makefile,v 1.5 2001/05/25 10:23:04 hin Exp $
# $NetBSD: Makefile,v 1.6 1996/02/24 01:15:15 jtk Exp $
LIB= telnet
@@ -14,10 +14,9 @@ CFLAGS+= -DKRB4 -DAUTHENTICATION -DENCRYPTION -DDES_ENCRYPTION
SRCS+= kerberos.c enc_des.c
.endif
-# XXX this has not been tested due to lack of kerberos5 to test with.
.if (${KERBEROS5:L} == "yes")
CFLAGS+= -DKRB5 -DAUTHENTICATION -DENCRYPTION -DDES_ENCRYPTION
-SRCS+= kerberos5.c enc_des.c
+SRCS+= kerberos5.c
.endif
.include <bsd.lib.mk>
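Review bot: In the KERBEROS5 block, `CFLAGS` still carries `-DENCRYPTION -DDES_ENCRYPTION` while `enc_des.c` is no longer added to `SRCS`, so a build with only KERBEROS5 enabled defines the DES code path without compiling the file that presumably implements it. Depending on what encrypt.c references under that macro (not visible here), the result is either unresolved symbols or a telnet library with no working stream encryption. Either keep `enc_des.c` for the Kerberos 5 case, guarded so that it is not listed twice when both Kerberos versions are enabled, or drop `-DDES_ENCRYPTION` from this `CFLAGS` line. The removed `# XXX this has not been tested` comment is worth replacing with a line that says which combination was actually built.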
diff --git a/lib/libtelnet/auth-proto.h b/lib/libtelnet/auth-proto.h
index 170121ad6ff..9899634ff00 100644
--- a/lib/libtelnet/auth-proto.h
+++ b/lib/libtelnet/auth-proto.h
@@ -30,9 +30,9 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * from: @(#)auth-proto.h 8.1 (Berkeley) 6/4/93
- * $OpenBSD: auth-proto.h,v 1.3 1998/03/12 04:48:43 art Exp $
- * $NetBSD: auth-proto.h,v 1.5 1996/02/24 01:15:16 jtk Exp $
+ * from: @(#)auth-proto.h 8.1 (Berkeley) 6/4/93
+ * $OpenBSD: auth-proto.h,v 1.4 2001/05/25 10:23:05 hin Exp $
+ * $NetBSD: auth-proto.h,v 1.5 1996/02/24 01:15:16 jtk Exp $
*/
/*
@@ -68,51 +68,70 @@
*/
#include <sys/cdefs.h>
+/* $KTH: auth-proto.h,v 1.10 2000/01/18 03:08:55 assar Exp $ */
#if defined(AUTHENTICATION)
-Authenticator *findauthenticator __P((int, int));
+Authenticator *findauthenticator (int, int);
-void auth_init __P((char *, int));
-int auth_cmd __P((int, char **));
-void auth_request __P((void));
-void auth_send __P((unsigned char *, int));
-void auth_send_retry __P((void));
-void auth_is __P((unsigned char *, int));
-void auth_reply __P((unsigned char *, int));
-void auth_finished __P((Authenticator *, int));
-int auth_wait __P((char *));
-void auth_disable_name __P((char *));
-void auth_gen_printsub __P((unsigned char *, int, unsigned char *, int));
+int auth_wait (char *, size_t);
+void auth_disable_name (char *);
+void auth_finished (Authenticator *, int);
+void auth_gen_printsub (unsigned char *, int, unsigned char *, int);
+void auth_init (const char *, int);
+void auth_is (unsigned char *, int);
+void auth_name (unsigned char*, int);
+void auth_reply (unsigned char *, int);
+void auth_request (void);
+void auth_send (unsigned char *, int);
+void auth_send_retry (void);
+void auth_printsub (unsigned char*, int, unsigned char*, int);
+int getauthmask (char *type, int *maskp);
+int auth_enable (char *type);
+int auth_disable (char *type);
+int auth_onoff (char *type, int on);
+int auth_togdebug (int on);
+int auth_status (void);
+int auth_sendname (unsigned char *cp, int len);
+void auth_debug (int mode);
+void auth_gen_printsub (unsigned char *data, int cnt,
+ unsigned char *buf, int buflen);
-int getauthmask __P((char *, int *));
-int auth_enable __P((char *));
-int auth_disable __P((char *));
-int auth_onoff __P((char *, int));
-int auth_togdebug __P((int));
-int auth_status __P((void));
-void auth_name __P((unsigned char *, int));
-int auth_sendname __P((unsigned char *, int));
-void auth_debug __P((int));
-void auth_printsub __P((unsigned char *, int, unsigned char *, int));
+#ifdef UNSAFE
+int unsafe_init (Authenticator *, int);
+int unsafe_send (Authenticator *);
+void unsafe_is (Authenticator *, unsigned char *, int);
+void unsafe_reply (Authenticator *, unsigned char *, int);
+int unsafe_status (Authenticator *, char *, int);
+void unsafe_printsub (unsigned char *, int, unsigned char *, int);
+#endif
+
+#ifdef SRA
+int sra_init (Authenticator *, int);
+int sra_send (Authenticator *);
+void sra_is (Authenticator *, unsigned char *, int);
+void sra_reply (Authenticator *, unsigned char *, int);
+int sra_status (Authenticator *, char *, int);
+void sra_printsub (unsigned char *, int, unsigned char *, int);
+#endif
#ifdef KRB4
-int kerberos4_init __P((Authenticator *, int));
-int kerberos4_forward __P((Authenticator *));
-int kerberos4_send_oneway __P((Authenticator *));
-int kerberos4_send_mutual __P((Authenticator *));
-void kerberos4_is __P((Authenticator *, unsigned char *, int));
-void kerberos4_reply __P((Authenticator *, unsigned char *, int));
-int kerberos4_status __P((Authenticator *, char *, int));
-void kerberos4_printsub __P((unsigned char *, int, unsigned char *, int));
+int kerberos4_init (Authenticator *, int);
+int kerberos4_send_mutual (Authenticator *);
+int kerberos4_send_oneway (Authenticator *);
+void kerberos4_is (Authenticator *, unsigned char *, int);
+void kerberos4_reply (Authenticator *, unsigned char *, int);
+int kerberos4_status (Authenticator *, char *, size_t, int);
+void kerberos4_printsub (unsigned char *, int, unsigned char *, int);
+int kerberos4_forward (Authenticator *ap, void *);
#endif
#ifdef KRB5
-int kerberos5_init __P((Authenticator *, int));
-int kerberos5_send_mutual __P((Authenticator *));
-int kerberos5_send_oneway __P((Authenticator *));
-void kerberos5_is __P((Authenticator *, unsigned char *, int));
-void kerberos5_reply __P((Authenticator *, unsigned char *, int));
-int kerberos5_status __P((Authenticator *, char *, int));
-void kerberos5_printsub __P((unsigned char *, int, unsigned char *, int));
+int kerberos5_init (Authenticator *, int);
+int kerberos5_send_mutual (Authenticator *);
+int kerberos5_send_oneway (Authenticator *);
+void kerberos5_is (Authenticator *, unsigned char *, int);
+void kerberos5_reply (Authenticator *, unsigned char *, int);
+int kerberos5_status (Authenticator *, char *, size_t, int);
+void kerberos5_printsub (unsigned char *, int, unsigned char *, int);
#endif
#endif
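Review bot: The new `unsafe_status` and `sra_status` prototypes take `(Authenticator *, char *, int)`, but this commit widens `kerberos4_status`, `kerberos5_status` and the `status` member of `Authenticator` in auth.h to `(..., char *, size_t, int)`. Both functions are stored in the `status` slot of `authenticators[]` in auth.c, and `auth_wait` calls that slot with four arguments, so a build with `UNSAFE` or `SRA` defined would call through an incompatible function pointer and the buffer size would never reach the callee. Declare them as `int unsafe_status (Authenticator *, char *, size_t, int);` and `int sra_status (Authenticator *, char *, size_t, int);`, and make their definitions (not visible here) match. `auth_gen_printsub` is also declared twice in this hunk; one of the two declarations can be dropped.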
diff --git a/lib/libtelnet/auth.c b/lib/libtelnet/auth.c
index 412fe75a406..cdeb1b3e484 100644
--- a/lib/libtelnet/auth.c
+++ b/lib/libtelnet/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.3 1998/03/12 04:48:45 art Exp $ */
+/* $OpenBSD: auth.c,v 1.4 2001/05/25 10:23:05 hin Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -34,7 +34,7 @@
*/
#ifndef lint
-/* from: static char sccsid[] = "@(#)auth.c 8.3 (Berkeley) 5/30/95" */
+/* from: static char sccsid[] = "@(#)auth.c 8.3 (Berkeley) 5/30/95" */
/* from: static char *rcsid = "$NetBSD: auth.c,v 1.5 1996/02/24 01:15:17 jtk Exp $"; */
#endif /* not lint */
@@ -70,9 +70,9 @@
* or implied warranty.
*/
+/* "$KTH: auth.c,v 1.23 2000/01/18 03:09:34 assar Exp $" */
#if defined(AUTHENTICATION)
-
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
@@ -108,7 +108,7 @@ extern rsaencpwd_printsub();
#endif
int auth_debug_mode = 0;
-static char *Name = "Noname";
+static const char *Name = "Noname";
static int Server = 0;
static Authenticator *authenticated = 0;
static int authenticating = 0;
@@ -122,75 +122,91 @@ static int auth_send_cnt = 0;
* in priority order, i.e. try the first one first.
*/
Authenticator authenticators[] = {
+#ifdef UNSAFE
+ { AUTHTYPE_UNSAFE, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+ unsafe_init,
+ unsafe_send,
+ unsafe_is,
+ unsafe_reply,
+ unsafe_status,
+ unsafe_printsub },
+#endif
+#ifdef SRA
+ { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+ sra_init,
+ sra_send,
+ sra_is,
+ sra_reply,
+ sra_status,
+ sra_printsub },
+#endif
#ifdef SPX
- { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
- spx_init,
- spx_send,
- spx_is,
- spx_reply,
- spx_status,
- spx_printsub },
- { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
- spx_init,
- spx_send,
- spx_is,
- spx_reply,
- spx_status,
- spx_printsub },
+ { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+ spx_init,
+ spx_send,
+ spx_is,
+ spx_reply,
+ spx_status,
+ spx_printsub },
+ { AUTHTYPE_SPX, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+ spx_init,
+ spx_send,
+ spx_is,
+ spx_reply,
+ spx_status,
+ spx_printsub },
#endif
#ifdef KRB5
- { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
- kerberos5_init,
- kerberos5_send_mutual,
- kerberos5_is,
- kerberos5_reply,
- kerberos5_status,
- kerberos5_printsub },
-
- { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
- kerberos5_init,
- kerberos5_send_oneway,
- kerberos5_is,
- kerberos5_reply,
- kerberos5_status,
- kerberos5_printsub },
+ { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+ kerberos5_init,
+ kerberos5_send_mutual,
+ kerberos5_is,
+ kerberos5_reply,
+ kerberos5_status,
+ kerberos5_printsub },
+ { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+ kerberos5_init,
+ kerberos5_send_oneway,
+ kerberos5_is,
+ kerberos5_reply,
+ kerberos5_status,
+ kerberos5_printsub },
#endif
#ifdef KRB4
- { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
- kerberos4_init,
- kerberos4_send_mutual,
- kerberos4_is,
- kerberos4_reply,
- kerberos4_status,
- kerberos4_printsub },
-
- { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
- kerberos4_init,
- kerberos4_send_oneway,
- kerberos4_is,
- kerberos4_reply,
- kerberos4_status,
- kerberos4_printsub },
+ { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+ kerberos4_init,
+ kerberos4_send_mutual,
+ kerberos4_is,
+ kerberos4_reply,
+ kerberos4_status,
+ kerberos4_printsub },
+ { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+ kerberos4_init,
+ kerberos4_send_oneway,
+ kerberos4_is,
+ kerberos4_reply,
+ kerberos4_status,
+ kerberos4_printsub },
#endif
#ifdef KRB4_ENCPWD
- { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
- krb4encpwd_init,
- krb4encpwd_send,
- krb4encpwd_is,
- krb4encpwd_reply,
- krb4encpwd_status,
- krb4encpwd_printsub },
+ { AUTHTYPE_KRB4_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+ krb4encpwd_init,
+ krb4encpwd_send,
+ krb4encpwd_is,
+ krb4encpwd_reply,
+ krb4encpwd_status,
+ krb4encpwd_printsub },
#endif
#ifdef RSA_ENCPWD
- { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
- rsaencpwd_init,
- rsaencpwd_send,
- rsaencpwd_is,
- rsaencpwd_reply,
- rsaencpwd_status,
- rsaencpwd_printsub },
+ { AUTHTYPE_RSA_ENCPWD, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+ rsaencpwd_init,
+ rsaencpwd_send,
+ rsaencpwd_is,
+ rsaencpwd_reply,
+ rsaencpwd_status,
+ rsaencpwd_printsub },
#endif
- { 0, },
+ { 0, },
};
static Authenticator NoAuth = { 0 };
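Review bot: The `UNSAFE` and `SRA` entries are inserted at the head of `authenticators[]`, which the comment above the table describes as priority order, so when they are compiled in they are offered before both Kerberos mechanisms. Both are `AUTH_HOW_ONE_WAY`, and judging by its name `AUTHTYPE_UNSAFE` is not meant to outrank a mutual-authentication mechanism. Consider moving the two blocks below the `KRB4` entries. If the order is intentional, say so next to them, e.g. `/* UNSAFE and SRA are deliberately tried before Kerberos when enabled: <reason> */`.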
@@ -198,193 +214,181 @@ static Authenticator NoAuth = { 0 };
static int i_support = 0;
static int i_wont_support = 0;
- Authenticator *
-findauthenticator(type, way)
- int type;
- int way;
+Authenticator *
+findauthenticator(int type, int way)
{
- Authenticator *ap = authenticators;
+ Authenticator *ap = authenticators;
- while (ap->type && (ap->type != type || ap->way != way))
- ++ap;
- return(ap->type ? ap : 0);
+ while (ap->type && (ap->type != type || ap->way != way))
+ ++ap;
+ return(ap->type ? ap : 0);
}
- void
-auth_init(name, server)
- char *name;
- int server;
+void
+auth_init(const char *name, int server)
{
- Authenticator *ap = authenticators;
-
- Server = server;
- Name = name;
-
- i_support = 0;
- authenticated = 0;
- authenticating = 0;
- while (ap->type) {
- if (!ap->init || (*ap->init)(ap, server)) {
- i_support |= typemask(ap->type);
- if (auth_debug_mode)
- printf(">>>%s: I support auth type %d %d\r\n",
- Name,
- ap->type, ap->way);
- }
- else if (auth_debug_mode)
- printf(">>>%s: Init failed: auth type %d %d\r\n",
- Name, ap->type, ap->way);
- ++ap;
+ Authenticator *ap = authenticators;
+
+ Server = server;
+ Name = name;
+
+ i_support = 0;
+ authenticated = 0;
+ authenticating = 0;
+ while (ap->type) {
+ if (!ap->init || (*ap->init)(ap, server)) {
+ i_support |= typemask(ap->type);
+ if (auth_debug_mode)
+ printf(">>>%s: I support auth type %d %d\r\n",
+ Name,
+ ap->type, ap->way);
}
+ else if (auth_debug_mode)
+ printf(">>>%s: Init failed: auth type %d %d\r\n",
+ Name, ap->type, ap->way);
+ ++ap;
+ }
}
- void
-auth_disable_name(name)
- char *name;
+void
+auth_disable_name(char *name)
{
- int x;
- for (x = 0; x < AUTHTYPE_CNT; ++x) {
- if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
- i_wont_support |= typemask(x);
- break;
- }
+ int x;
+ for (x = 0; x < AUTHTYPE_CNT; ++x) {
+ if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
+ i_wont_support |= typemask(x);
+ break;
}
+ }
}
- int
-getauthmask(type, maskp)
- char *type;
- int *maskp;
+int
+getauthmask(char *type, int *maskp)
{
- register int x;
+ int x;
- if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
- *maskp = -1;
- return(1);
- }
+ if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
+ *maskp = -1;
+ return(1);
+ }
- for (x = 1; x < AUTHTYPE_CNT; ++x) {
- if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
- *maskp = typemask(x);
- return(1);
- }
+ for (x = 1; x < AUTHTYPE_CNT; ++x) {
+ if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
+ *maskp = typemask(x);
+ return(1);
}
- return(0);
+ }
+ return(0);
}
- int
-auth_enable(type)
- char *type;
+int
+auth_enable(char *type)
{
- return(auth_onoff(type, 1));
+ return(auth_onoff(type, 1));
}
- int
-auth_disable(type)
- char *type;
+int
+auth_disable(char *type)
{
- return(auth_onoff(type, 0));
+ return(auth_onoff(type, 0));
}
- int
-auth_onoff(type, on)
- char *type;
- int on;
+int
+auth_onoff(char *type, int on)
{
- int i, mask = -1;
- Authenticator *ap;
-
- if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
- printf("auth %s 'type'\n", on ? "enable" : "disable");
- printf("Where 'type' is one of:\n");
- printf("\t%s\n", AUTHTYPE_NAME(0));
- mask = 0;
- for (ap = authenticators; ap->type; ap++) {
- if ((mask & (i = typemask(ap->type))) != 0)
- continue;
- mask |= i;
- printf("\t%s\n", AUTHTYPE_NAME(ap->type));
- }
- return(0);
- }
+ int i, mask = -1;
+ Authenticator *ap;
- if (!getauthmask(type, &mask)) {
- printf("%s: invalid authentication type\n", type);
- return(0);
+ if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
+ printf("auth %s 'type'\n", on ? "enable" : "disable");
+ printf("Where 'type' is one of:\n");
+ printf("\t%s\n", AUTHTYPE_NAME(0));
+ mask = 0;
+ for (ap = authenticators; ap->type; ap++) {
+ if ((mask & (i = typemask(ap->type))) != 0)
+ continue;
+ mask |= i;
+ printf("\t%s\n", AUTHTYPE_NAME(ap->type));
}
- if (on)
- i_wont_support &= ~mask;
- else
- i_wont_support |= mask;
- return(1);
+ return(0);
+ }
+
+ if (!getauthmask(type, &mask)) {
+ printf("%s: invalid authentication type\n", type);
+ return(0);
+ }
+ if (on)
+ i_wont_support &= ~mask;
+ else
+ i_wont_support |= mask;
+ return(1);
}
- int
-auth_togdebug(on)
- int on;
+int
+auth_togdebug(int on)
{
- if (on < 0)
- auth_debug_mode ^= 1;
- else
- auth_debug_mode = on;
- printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
- return(1);
+ if (on < 0)
+ auth_debug_mode ^= 1;
+ else
+ auth_debug_mode = on;
+ printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
+ return(1);
}
- int
-auth_status()
+int
+auth_status(void)
{
- Authenticator *ap;
- int i, mask;
-
- if (i_wont_support == -1)
- printf("Authentication disabled\n");
- else
- printf("Authentication enabled\n");
-
- mask = 0;
- for (ap = authenticators; ap->type; ap++) {
- if ((mask & (i = typemask(ap->type))) != 0)
- continue;
- mask |= i;
- printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
- (i_wont_support & typemask(ap->type)) ?
- "disabled" : "enabled");
- }
- return(1);
+ Authenticator *ap;
+ int i, mask;
+
+ if (i_wont_support == -1)
+ printf("Authentication disabled\n");
+ else
+ printf("Authentication enabled\n");
+
+ mask = 0;
+ for (ap = authenticators; ap->type; ap++) {
+ if ((mask & (i = typemask(ap->type))) != 0)
+ continue;
+ mask |= i;
+ printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
+ (i_wont_support & typemask(ap->type)) ?
+ "disabled" : "enabled");
+ }
+ return(1);
}
/*
* This routine is called by the server to start authentication
* negotiation.
*/
- void
-auth_request()
+void
+auth_request(void)
{
- static unsigned char str_request[64] = { IAC, SB,
- TELOPT_AUTHENTICATION,
- TELQUAL_SEND, };
- Authenticator *ap = authenticators;
- unsigned char *e = str_request + 4;
-
- if (!authenticating) {
- authenticating = 1;
- while (ap->type) {
- if (i_support & ~i_wont_support & typemask(ap->type)) {
- if (auth_debug_mode) {
- printf(">>>%s: Sending type %d %d\r\n",
- Name, ap->type, ap->way);
- }
- *e++ = ap->type;
- *e++ = ap->way;
- }
- ++ap;
+ static unsigned char str_request[64] = { IAC, SB,
+ TELOPT_AUTHENTICATION,
+ TELQUAL_SEND, };
+ Authenticator *ap = authenticators;
+ unsigned char *e = str_request + 4;
+
+ if (!authenticating) {
+ authenticating = 1;
+ while (ap->type) {
+ if (i_support & ~i_wont_support & typemask(ap->type)) {
+ if (auth_debug_mode) {
+ printf(">>>%s: Sending type %d %d\r\n",
+ Name, ap->type, ap->way);
}
- *e++ = IAC;
- *e++ = SE;
- net_write(str_request, e - str_request);
- printsub('>', &str_request[2], e - str_request - 2);
+ *e++ = ap->type;
+ *e++ = ap->way;
+ }
+ ++ap;
}
+ *e++ = IAC;
+ *e++ = SE;
+ telnet_net_write(str_request, e - str_request);
+ printsub('>', &str_request[2], e - str_request - 2);
+ }
}
/*
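Review bot: In `auth_request`, the loop appends `ap->type` and `ap->way` to the 64-byte static `str_request` through `*e++` with no bound check, and two more bytes (`IAC`, `SE`) follow after the loop. The table visible in this commit is short enough to fit, but nothing ties the buffer size to the number of entries, and this commit adds two more. A guard at the top of the loop body keeps that safe as the table grows: `if (e + 4 > str_request + sizeof(str_request)) break;`.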
@@ -398,282 +402,264 @@ auth_request()
* with KERBEROS instead of LOGIN (which is against what the
* protocol says)) you will have to hack this code...
*/
- void
-auth_send(data, cnt)
- unsigned char *data;
- int cnt;
+void
+auth_send(unsigned char *data, int cnt)
{
- Authenticator *ap;
- static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
- TELQUAL_IS, AUTHTYPE_NULL, 0,
- IAC, SE };
- if (Server) {
- if (auth_debug_mode) {
- printf(">>>%s: auth_send called!\r\n", Name);
- }
- return;
- }
-
+ Authenticator *ap;
+ static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
+ TELQUAL_IS, AUTHTYPE_NULL, 0,
+ IAC, SE };
+ if (Server) {
if (auth_debug_mode) {
- printf(">>>%s: auth_send got:", Name);
- printd(data, cnt); printf("\r\n");
+ printf(">>>%s: auth_send called!\r\n", Name);
}
-
+ return;
+ }
+
+ if (auth_debug_mode) {
+ printf(">>>%s: auth_send got:", Name);
+ printd(data, cnt); printf("\r\n");
+ }
+
+ /*
+ * Save the data, if it is new, so that we can continue looking
+ * at it if the authorization we try doesn't work
+ */
+ if (data < _auth_send_data ||
+ data > _auth_send_data + sizeof(_auth_send_data)) {
+ auth_send_cnt = cnt > sizeof(_auth_send_data)
+ ? sizeof(_auth_send_data)
+ : cnt;
+ memmove(_auth_send_data, data, auth_send_cnt);
+ auth_send_data = _auth_send_data;
+ } else {
/*
- * Save the data, if it is new, so that we can continue looking
- * at it if the authorization we try doesn't work
+ * This is probably a no-op, but we just make sure
*/
- if (data < _auth_send_data ||
- data > _auth_send_data + sizeof(_auth_send_data)) {
- auth_send_cnt = cnt > sizeof(_auth_send_data)
- ? sizeof(_auth_send_data)
- : cnt;
- memmove((void *)_auth_send_data, (void *)data, auth_send_cnt);
- auth_send_data = _auth_send_data;
- } else {
- /*
- * This is probably a no-op, but we just make sure
- */
- auth_send_data = data;
- auth_send_cnt = cnt;
- }
- while ((auth_send_cnt -= 2) >= 0) {
+ auth_send_data = data;
+ auth_send_cnt = cnt;
+ }
+ while ((auth_send_cnt -= 2) >= 0) {
+ if (auth_debug_mode)
+ printf(">>>%s: He supports %d\r\n",
+ Name, *auth_send_data);
+ if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
+ ap = findauthenticator(auth_send_data[0],
+ auth_send_data[1]);
+ if (ap && ap->send) {
if (auth_debug_mode)
- printf(">>>%s: He supports %d\r\n",
- Name, *auth_send_data);
- if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
- ap = findauthenticator(auth_send_data[0],
- auth_send_data[1]);
- if (ap && ap->send) {
- if (auth_debug_mode)
- printf(">>>%s: Trying %d %d\r\n",
- Name, auth_send_data[0],
- auth_send_data[1]);
- if ((*ap->send)(ap)) {
- /*
- * Okay, we found one we like
- * and did it.
- * we can go home now.
- */
- if (auth_debug_mode)
- printf(">>>%s: Using type %d\r\n",
- Name, *auth_send_data);
- auth_send_data += 2;
- return;
- }
- }
- /* else
- * just continue on and look for the
- * next one if we didn't do anything.
- */
+ printf(">>>%s: Trying %d %d\r\n",
+ Name, auth_send_data[0],
+ auth_send_data[1]);
+ if ((*ap->send)(ap)) {
+ /*
+ * Okay, we found one we like
+ * and did it.
+ * we can go home now.
+ */
+ if (auth_debug_mode)
+ printf(">>>%s: Using type %d\r\n",
+ Name, *auth_send_data);
+ auth_send_data += 2;
+ return;
}
- auth_send_data += 2;
+ }
+ /* else
+ * just continue on and look for the
+ * next one if we didn't do anything.
+ */
}
- net_write(str_none, sizeof(str_none));
- printsub('>', &str_none[2], sizeof(str_none) - 2);
- if (auth_debug_mode)
- printf(">>>%s: Sent failure message\r\n", Name);
- auth_finished(0, AUTH_REJECT);
+ auth_send_data += 2;
+ }
+ telnet_net_write(str_none, sizeof(str_none));
+ printsub('>', &str_none[2], sizeof(str_none) - 2);
+ if (auth_debug_mode)
+ printf(">>>%s: Sent failure message\r\n", Name);
+ auth_finished(0, AUTH_REJECT);
#ifdef KANNAN
- /*
- * We requested strong authentication, however no mechanisms worked.
- * Therefore, exit on client end.
- */
- printf("Unable to securely authenticate user ... exit\n");
- exit(0);
+ /*
+ * We requested strong authentication, however no mechanisms worked.
+ * Therefore, exit on client end.
+ */
+ printf("Unable to securely authenticate user ... exit\n");
+ exit(0);
#endif /* KANNAN */
}
- void
-auth_send_retry()
+void
+auth_send_retry(void)
{
- /*
- * if auth_send_cnt <= 0 then auth_send will end up rejecting
- * the authentication and informing the other side of this.
+ /*
+ * if auth_send_cnt <= 0 then auth_send will end up rejecting
+ * the authentication and informing the other side of this.
*/
- auth_send(auth_send_data, auth_send_cnt);
+ auth_send(auth_send_data, auth_send_cnt);
}
- void
-auth_is(data, cnt)
- unsigned char *data;
- int cnt;
+void
+auth_is(unsigned char *data, int cnt)
{
- Authenticator *ap;
-
- if (cnt < 2)
- return;
+ Authenticator *ap;
- if (data[0] == AUTHTYPE_NULL) {
- auth_finished(0, AUTH_REJECT);
- return;
- }
+ if (cnt < 2)
+ return;
- if ((ap = findauthenticator(data[0], data[1]))) {
- if (ap->is)
- (*ap->is)(ap, data+2, cnt-2);
- } else if (auth_debug_mode)
- printf(">>>%s: Invalid authentication in IS: %d\r\n",
- Name, *data);
+ if (data[0] == AUTHTYPE_NULL) {
+ auth_finished(0, AUTH_REJECT);
+ return;
+ }
+
+ if ((ap = findauthenticator(data[0], data[1]))) {
+ if (ap->is)
+ (*ap->is)(ap, data+2, cnt-2);
+ } else if (auth_debug_mode)
+ printf(">>>%s: Invalid authentication in IS: %d\r\n",
+ Name, *data);
}
- void
-auth_reply(data, cnt)
- unsigned char *data;
- int cnt;
+void
+auth_reply(unsigned char *data, int cnt)
{
- Authenticator *ap;
+ Authenticator *ap;
- if (cnt < 2)
- return;
+ if (cnt < 2)
+ return;
- if ((ap = findauthenticator(data[0], data[1]))) {
- if (ap->reply)
- (*ap->reply)(ap, data+2, cnt-2);
- } else if (auth_debug_mode)
- printf(">>>%s: Invalid authentication in SEND: %d\r\n",
- Name, *data);
+ if ((ap = findauthenticator(data[0], data[1]))) {
+ if (ap->reply)
+ (*ap->reply)(ap, data+2, cnt-2);
+ } else if (auth_debug_mode)
+ printf(">>>%s: Invalid authentication in SEND: %d\r\n",
+ Name, *data);
}
- void
-auth_name(data, cnt)
- unsigned char *data;
- int cnt;
+void
+auth_name(unsigned char *data, int cnt)
{
- unsigned char savename[256];
+ char savename[256];
- if (cnt < 1) {
- if (auth_debug_mode)
- printf(">>>%s: Empty name in NAME\r\n", Name);
- return;
- }
- if (cnt > sizeof(savename) - 1) {
- if (auth_debug_mode)
- printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
- Name, cnt, sizeof(savename)-1);
- return;
- }
- memmove((void *)savename, (void *)data, cnt);
- savename[cnt] = '\0'; /* Null terminate */
+ if (cnt < 1) {
if (auth_debug_mode)
- printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
- auth_encrypt_user(savename);
+ printf(">>>%s: Empty name in NAME\r\n", Name);
+ return;
+ }
+ if (cnt > sizeof(savename) - 1) {
+ if (auth_debug_mode)
+ printf(">>>%s: Name in NAME (%d) exceeds %lu length\r\n",
+ Name, cnt, (unsigned long)(sizeof(savename)-1));
+ return;
+ }
+ memmove(savename, data, cnt);
+ savename[cnt] = '\0'; /* Null terminate */
+ if (auth_debug_mode)
+ printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
+ auth_encrypt_user(savename);
}
- int
-auth_sendname(cp, len)
- unsigned char *cp;
- int len;
+int
+auth_sendname(unsigned char *cp, int len)
{
- static unsigned char str_request[256+6]
- = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
- register unsigned char *e = str_request + 4;
- register unsigned char *ee = &str_request[sizeof(str_request)-2];
-
- while (--len >= 0) {
- if ((*e++ = *cp++) == IAC)
- *e++ = IAC;
- if (e >= ee)
- return(0);
- }
- *e++ = IAC;
- *e++ = SE;
- net_write(str_request, e - str_request);
- printsub('>', &str_request[2], e - &str_request[2]);
- return(1);
+ static unsigned char str_request[256+6]
+ = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
+ unsigned char *e = str_request + 4;
+ unsigned char *ee = &str_request[sizeof(str_request)-2];
+
+ while (--len >= 0) {
+ if ((*e++ = *cp++) == IAC)
+ *e++ = IAC;
+ if (e >= ee)
+ return(0);
+ }
+ *e++ = IAC;
+ *e++ = SE;
+ telnet_net_write(str_request, e - str_request);
+ printsub('>', &str_request[2], e - &str_request[2]);
+ return(1);
}
- void
-auth_finished(ap, result)
- Authenticator *ap;
- int result;
+void
+auth_finished(Authenticator *ap, int result)
{
- if (!(authenticated = ap))
- authenticated = &NoAuth;
- validuser = result;
+ if (!(authenticated = ap))
+ authenticated = &NoAuth;
+ validuser = result;
}
- /* ARGSUSED */
- static void
-auth_intr(sig)
- int sig;
+/* ARGSUSED */
+static void
+auth_intr(int sig)
{
- auth_finished(0, AUTH_REJECT);
+ auth_finished(0, AUTH_REJECT);
}
- int
-auth_wait(name)
- char *name;
+int
+auth_wait(char *name, size_t name_sz)
{
- if (auth_debug_mode)
- printf(">>>%s: in auth_wait.\r\n", Name);
-
- if (Server && !authenticating)
- return(0);
-
- (void) signal(SIGALRM, auth_intr);
- alarm(30);
- while (!authenticated)
- if (telnet_spin())
- break;
- alarm(0);
- (void) signal(SIGALRM, SIG_DFL);
-
- /*
- * Now check to see if the user is valid or not
- */
- if (!authenticated || authenticated == &NoAuth)
- return(AUTH_REJECT);
+ if (auth_debug_mode)
+ printf(">>>%s: in auth_wait.\r\n", Name);
- if (validuser == AUTH_VALID)
- validuser = AUTH_USER;
+ if (Server && !authenticating)
+ return(0);
- if (authenticated->status)
- validuser = (*authenticated->status)(authenticated,
- name, validuser);
- return(validuser);
+ signal(SIGALRM, auth_intr);
+ alarm(30);
+ while (!authenticated)
+ if (telnet_spin())
+ break;
+ alarm(0);
+ signal(SIGALRM, SIG_DFL);
+
+ /*
+ * Now check to see if the user is valid or not
+ */
+ if (!authenticated || authenticated == &NoAuth)
+ return(AUTH_REJECT);
+
+ if (validuser == AUTH_VALID)
+ validuser = AUTH_USER;
+
+ if (authenticated->status)
+ validuser = (*authenticated->status)(authenticated,
+ name, name_sz,
+ validuser);
+ return(validuser);
}
- void
-auth_debug(mode)
- int mode;
+void
+auth_debug(int mode)
{
- auth_debug_mode = mode;
+ auth_debug_mode = mode;
}
- void
-auth_printsub(data, cnt, buf, buflen)
- unsigned char *data, *buf;
- int cnt, buflen;
+void
+auth_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
- Authenticator *ap;
+ Authenticator *ap;
- if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
- (*ap->printsub)(data, cnt, buf, buflen);
- else
- auth_gen_printsub(data, cnt, buf, buflen);
+ if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
+ (*ap->printsub)(data, cnt, buf, buflen);
+ else
+ auth_gen_printsub(data, cnt, buf, buflen);
}
- void
-auth_gen_printsub(data, cnt, buf, buflen)
- unsigned char *data, *buf;
- int cnt, buflen;
+void
+auth_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
- register unsigned char *cp;
- unsigned char tbuf[16];
-
- cnt -= 3;
- data += 3;
- buf[buflen-1] = '\0';
- buf[buflen-2] = '*';
- buflen -= 2;
- for (; cnt > 0; cnt--, data++) {
- snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
- for (cp = tbuf; *cp && buflen > 0; --buflen)
- *buf++ = *cp++;
- if (buflen <= 0)
- return;
- }
- *buf = '\0';
+ unsigned char *cp;
+ unsigned char tbuf[16];
+
+ cnt -= 3;
+ data += 3;
+ buf[buflen-1] = '\0';
+ buf[buflen-2] = '*';
+ buflen -= 2;
+ for (; cnt > 0; cnt--, data++) {
+ snprintf(tbuf, sizeof(tbuf), " %d", *data);
+ for (cp = tbuf; *cp && buflen > 0; --buflen)
+ *buf++ = *cp++;
+ if (buflen <= 0)
+ return;
+ }
+ *buf = '\0';
}
#endif
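Review bot: `auth_is` and `auth_reply` dispatch on the peer-supplied `data[0]`/`data[1]` after only a table lookup, so a mechanism that was turned off through `auth_disable`, or whose `init` failed, can still have its `is`/`reply` handler run on peer data. `auth_send` in the same hunk does filter with `(i_support & ~i_wont_support) & typemask(...)`, so the two paths disagree. Unless every handler re-checks this itself (not visible here), apply the same mask in both functions: `if ((ap = findauthenticator(data[0], data[1])) && (i_support & ~i_wont_support & typemask(ap->type))) {`. Separately, `auth_printsub` reads `data[1]` and `data[2]` without checking `cnt`, and `auth_gen_printsub` writes `buf[buflen-2]` without checking `buflen >= 2`.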
diff --git a/lib/libtelnet/auth.h b/lib/libtelnet/auth.h
index dd9fba11451..58283b13a5f 100644
--- a/lib/libtelnet/auth.h
+++ b/lib/libtelnet/auth.h
@@ -30,9 +30,9 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * from: @(#)auth.h 8.1 (Berkeley) 6/4/93
- * $OpenBSD: auth.h,v 1.3 1998/03/12 04:48:46 art Exp $
- * $NetBSD: auth.h,v 1.5 1996/02/24 01:15:18 jtk Exp $
+ * from: @(#)auth.h 8.1 (Berkeley) 6/4/93
+ * $OpenBSD: auth.h,v 1.4 2001/05/25 10:23:05 hin Exp $
+ * $NetBSD: auth.h,v 1.5 1996/02/24 01:15:18 jtk Exp $
*/
/*
@@ -67,6 +67,8 @@
* or implied warranty.
*/
+/* $KTH: auth.h,v 1.4 1998/06/09 19:24:41 joda Exp $ */
+
#ifndef __AUTH__
#define __AUTH__
@@ -79,12 +81,12 @@
typedef struct XauthP {
int type;
int way;
- int (*init) __P((struct XauthP *, int));
- int (*send) __P((struct XauthP *));
- void (*is) __P((struct XauthP *, unsigned char *, int));
- void (*reply) __P((struct XauthP *, unsigned char *, int));
- int (*status) __P((struct XauthP *, char *, int));
- void (*printsub) __P((unsigned char *, int, unsigned char *, int));
+ int (*init) (struct XauthP *, int);
+ int (*send) (struct XauthP *);
+ void (*is) (struct XauthP *, unsigned char *, int);
+ void (*reply) (struct XauthP *, unsigned char *, int);
+ int (*status) (struct XauthP *, char *, size_t, int);
+ void (*printsub) (unsigned char *, int, unsigned char *, int);
} Authenticator;
#include "auth-proto.h"
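Review bot: The new `size_t` argument of the `status` callback is undocumented; from `auth_wait` in auth.c it is the capacity of the `char *` name buffer passed just before it. A comment on the member would state the contract that implementations have to honour, for example `/* status(ap, name, name_sz, level): writes at most name_sz bytes, terminator included, into name */`, if that is the intended contract. The header now also relies on `size_t` being declared before it is included; no include that provides it is visible in this hunk.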
diff --git a/lib/libtelnet/enc-proto.h b/lib/libtelnet/enc-proto.h
index ff3ecb7e693..21aa13524ab 100644
--- a/lib/libtelnet/enc-proto.h
+++ b/lib/libtelnet/enc-proto.h
@@ -1,4 +1,3 @@
-/* $OpenBSD: enc-proto.h,v 1.1 1998/03/12 04:48:47 art Exp $ */
/*-
* Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved.
@@ -36,7 +35,7 @@
* @(#)enc-proto.h 5.2 (Berkeley) 3/22/91
*/
-/*
+ /*
* This source code is no longer held under any constraint of USA
* `cryptographic laws' since it was exported legally. The cryptographic
* functions were removed from the code and a "Bones" distribution was
@@ -68,79 +67,78 @@
* or implied warranty.
*/
-/* $KTH: enc-proto.h,v 1.8 1997/11/02 03:57:10 assar Exp $ */
+/* $KTH: enc-proto.h,v 1.10 2000/01/18 03:09:56 assar Exp $ */
#if defined(ENCRYPTION)
-Encryptions *findencryption __P((int));
-Encryptions *finddecryption __P((int));
-int EncryptAutoDec __P((int));
-int EncryptAutoEnc __P((int));
-int EncryptDebug __P((int));
-int EncryptDisable __P((char*, char*));
-int EncryptEnable __P((char*, char*));
-int EncryptStart __P((char*));
-int EncryptStartInput __P((void));
-int EncryptStartOutput __P((void));
-int EncryptStatus __P((void));
-int EncryptStop __P((char*));
-int EncryptStopInput __P((void));
-int EncryptStopOutput __P((void));
-int EncryptType __P((char*, char*));
-int EncryptVerbose __P((int));
-int net_write __P((unsigned char *, int));
-void decrypt_auto __P((int));
-void encrypt_auto __P((int));
-void encrypt_debug __P((int));
-void encrypt_dec_keyid __P((unsigned char*, int));
-void encrypt_display __P((void));
-void encrypt_enc_keyid __P((unsigned char*, int));
-void encrypt_end __P((void));
-void encrypt_gen_printsub __P((unsigned char*, int, unsigned char*, int));
-void encrypt_init __P((char*, int));
-void encrypt_is __P((unsigned char*, int));
-void encrypt_list_types __P((void));
-void encrypt_not __P((void));
-void encrypt_printsub __P((unsigned char*, int, unsigned char*, int));
-void encrypt_reply __P((unsigned char*, int));
-void encrypt_request_end __P((void));
-void encrypt_request_start __P((unsigned char*, int));
-void encrypt_send_end __P((void));
-void encrypt_send_keyid __P((int, unsigned char*, int, int));
-void encrypt_send_request_end __P((void));
-void encrypt_send_request_start __P((void));
-void encrypt_send_support __P((void));
-void encrypt_session_key __P((Session_Key*, int));
-void encrypt_start __P((unsigned char*, int));
-void encrypt_start_output __P((int));
-void encrypt_support __P((unsigned char*, int));
-void encrypt_verbose_quiet __P((int));
-void encrypt_wait __P((void));
-int encrypt_delay __P((void));
+Encryptions *findencryption (int);
+Encryptions *finddecryption(int);
+int EncryptAutoDec(int);
+int EncryptAutoEnc(int);
+int EncryptDebug(int);
+int EncryptDisable(char*, char*);
+int EncryptEnable(char*, char*);
+int EncryptStart(char*);
+int EncryptStartInput(void);
+int EncryptStartOutput(void);
+int EncryptStatus(void);
+int EncryptStop(char*);
+int EncryptStopInput(void);
+int EncryptStopOutput(void);
+int EncryptType(char*, char*);
+int EncryptVerbose(int);
+void decrypt_auto(int);
+void encrypt_auto(int);
+void encrypt_debug(int);
+void encrypt_dec_keyid(unsigned char*, int);
+void encrypt_display(void);
+void encrypt_enc_keyid(unsigned char*, int);
+void encrypt_end(void);
+void encrypt_gen_printsub(unsigned char*, int, unsigned char*, int);
+void encrypt_init(const char*, int);
+void encrypt_is(unsigned char*, int);
+void encrypt_list_types(void);
+void encrypt_not(void);
+void encrypt_printsub(unsigned char*, int, unsigned char*, int);
+void encrypt_reply(unsigned char*, int);
+void encrypt_request_end(void);
+void encrypt_request_start(unsigned char*, int);
+void encrypt_send_end(void);
+void encrypt_send_keyid(int, unsigned char*, int, int);
+void encrypt_send_request_end(void);
+void encrypt_send_request_start(void);
+void encrypt_send_support(void);
+void encrypt_session_key(Session_Key*, int);
+void encrypt_start(unsigned char*, int);
+void encrypt_start_output(int);
+void encrypt_support(unsigned char*, int);
+void encrypt_verbose_quiet(int);
+void encrypt_wait(void);
+int encrypt_delay(void);
#ifdef TELENTD
-void encrypt_wait __P((void));
+void encrypt_wait (void);
#else
-void encrypt_display __P((void));
+void encrypt_display (void);
#endif
-void cfb64_encrypt __P((unsigned char *, int));
-int cfb64_decrypt __P((int));
-void cfb64_init __P((int));
-int cfb64_start __P((int, int));
-int cfb64_is __P((unsigned char *, int));
-int cfb64_reply __P((unsigned char *, int));
-void cfb64_session __P((Session_Key *, int));
-int cfb64_keyid __P((int, unsigned char *, int *));
-void cfb64_printsub __P((unsigned char *, int, unsigned char *, int));
+void cfb64_encrypt (unsigned char *, int);
+int cfb64_decrypt (int);
+void cfb64_init (int);
+int cfb64_start (int, int);
+int cfb64_is (unsigned char *, int);
+int cfb64_reply (unsigned char *, int);
+void cfb64_session (Session_Key *, int);
+int cfb64_keyid (int, unsigned char *, int *);
+void cfb64_printsub (unsigned char *, int, unsigned char *, int);
-void ofb64_encrypt __P((unsigned char *, int));
-int ofb64_decrypt __P((int));
-void ofb64_init __P((int));
-int ofb64_start __P((int, int));
-int ofb64_is __P((unsigned char *, int));
-int ofb64_reply __P((unsigned char *, int));
-void ofb64_session __P((Session_Key *, int));
-int ofb64_keyid __P((int, unsigned char *, int *));
-void ofb64_printsub __P((unsigned char *, int, unsigned char *, int));
+void ofb64_encrypt (unsigned char *, int);
+int ofb64_decrypt (int);
+void ofb64_init (int);
+int ofb64_start (int, int);
+int ofb64_is (unsigned char *, int);
+int ofb64_reply (unsigned char *, int);
+void ofb64_session (Session_Key *, int);
+int ofb64_keyid (int, unsigned char *, int *);
+void ofb64_printsub (unsigned char *, int, unsigned char *, int);
#endif
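Review bot: The conditional block near the end of this prototype list re-declares `encrypt_wait (void)` and `encrypt_display (void)`, both of which are already declared unconditionally a few lines above it. Its guard, `#ifdef TELENTD`, looks like a misspelling of `TELNETD`, so presumably only the `#else` branch is ever compiled. The `__P(())` conversion carried the block over unchanged; it can be dropped, or the guard corrected if a server-only declaration was intended. The first prototype also keeps a stray space, `findencryption (int)`, while the rest of the upper list has none.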
diff --git a/lib/libtelnet/enc_des.c b/lib/libtelnet/enc_des.c
index 769b40c76b3..99fd4e62260 100644
--- a/lib/libtelnet/enc_des.c
+++ b/lib/libtelnet/enc_des.c
@@ -1,5 +1,4 @@
-/* $OpenBSD: enc_des.c,v 1.1 1998/03/12 04:48:48 art Exp $ */
-/* $Id: enc_des.c,v 1.1 1998/03/12 04:48:48 art Exp $ */
+/* $OpenBSD: enc_des.c,v 1.2 2001/05/25 10:23:06 hin Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -34,11 +33,14 @@
* SUCH DAMAGE.
*/
+/* $KTH: enc_des.c,v 1.16 1998/07/09 23:16:23 assar Exp $ */
+
#if defined(AUTHENTICATION) && defined(ENCRYPTION) && defined(DES_ENCRYPTION)
#include <arpa/telnet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+
#include "encrypt.h"
#include "misc-proto.h"
#include <des.h>
@@ -226,7 +228,7 @@ static int fb64_start(struct fb *fbp, int dir, int server)
*p++ = IAC;
*p++ = SE;
printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
- net_write(fbp->fb_feed, p - fbp->fb_feed);
+ telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
break;
default:
return(FAILED);
@@ -284,7 +286,7 @@ int fb64_is(unsigned char *data, int cnt, struct fb *fbp)
*p++ = IAC;
*p++ = SE;
printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
- net_write(fbp->fb_feed, p - fbp->fb_feed);
+ telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
state = fbp->state[DIR_DECRYPT-1] = IN_PROGRESS;
break;
@@ -309,7 +311,7 @@ int fb64_is(unsigned char *data, int cnt, struct fb *fbp)
*p++ = IAC;
*p++ = SE;
printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
- net_write(fbp->fb_feed, p - fbp->fb_feed);
+ telnet_net_write(fbp->fb_feed, p - fbp->fb_feed);
break;
}
diff --git a/lib/libtelnet/encrypt.c b/lib/libtelnet/encrypt.c
index 91b33beba21..8c590ebf5e1 100644
--- a/lib/libtelnet/encrypt.c
+++ b/lib/libtelnet/encrypt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: encrypt.c,v 1.4 1998/04/01 11:32:02 deraadt Exp $ */
+/* $OpenBSD: encrypt.c,v 1.5 2001/05/25 10:23:06 hin Exp $ */
/* $KTH: encrypt.c,v 1.19 1997/11/02 03:58:03 assar Exp $ */
/*-
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*/
-/*
+ /*
* This source code is no longer held under any constraint of USA
* `cryptographic laws' since it was exported legally. The cryptographic
* functions were removed from the code and a "Bones" distribution was
@@ -66,6 +66,8 @@
* or implied warranty.
*/
+/* $KTH: encrypt.c,v 1.22 2000/01/18 03:10:35 assar Exp $ */
+
#if defined(ENCRYPTION)
#define ENCRYPT_NAMES
@@ -79,12 +81,13 @@
#include "misc.h"
+
/*
* These functions pointers point to the current routines
* for encrypting and decrypting data.
*/
-void (*encrypt_output) __P((unsigned char *, int));
-int (*decrypt_input) __P((int));
+void (*encrypt_output) (unsigned char *, int);
+int (*decrypt_input) (int);
char *nclearto;
int encrypt_debug_mode = 0;
@@ -95,7 +98,7 @@ static int autoencrypt = 0;
static int autodecrypt = 0;
static int havesessionkey = 0;
static int Server = 0;
-static char *Name = "Noname";
+static const char *Name = "Noname";
#define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0)
@@ -181,7 +184,7 @@ static struct key_info {
};
void
-encrypt_init(char *name, int server)
+encrypt_init(const char *name, int server)
{
Encryptions *ep = encryptions;
@@ -442,7 +445,7 @@ encrypt_send_support(void)
*/
if (!Server && autodecrypt)
encrypt_send_request_start();
- net_write(str_send, str_suplen);
+ telnet_net_write(str_send, str_suplen);
printsub('>', &str_send[2], str_suplen - 2);
str_suplen = 0;
}
@@ -502,6 +505,11 @@ EncryptAutoDec(int on)
void
encrypt_not(void)
{
+ if (encrypt_verbose)
+ printf("[ Connection is NOT encrypted ]\r\n");
+ else
+ printf("\r\n*** Connection not encrypted! "
+ "Communication may be eavesdropped. ***\r\n");
}
/*
@@ -799,7 +807,7 @@ void encrypt_send_keyid(int dir, unsigned char *keyid, int keylen, int saveit)
}
*strp++ = IAC;
*strp++ = SE;
- net_write(str_keyid, strp - str_keyid);
+ telnet_net_write(str_keyid, strp - str_keyid);
printsub('>', &str_keyid[2], strp - str_keyid - 2);
}
@@ -858,7 +866,7 @@ encrypt_start_output(int type)
}
*p++ = IAC;
*p++ = SE;
- net_write(str_start, p - str_start);
+ telnet_net_write(str_start, p - str_start);
net_encrypt();
printsub('>', &str_start[2], p - &str_start[2]);
/*
@@ -884,7 +892,7 @@ encrypt_send_end(void)
return;
str_end[3] = ENCRYPT_END;
- net_write(str_end, sizeof(str_end));
+ telnet_net_write(str_end, sizeof(str_end));
net_encrypt();
printsub('>', &str_end[2], sizeof(str_end) - 2);
/*
@@ -912,7 +920,7 @@ encrypt_send_request_start(void)
}
*p++ = IAC;
*p++ = SE;
- net_write(str_start, p - str_start);
+ telnet_net_write(str_start, p - str_start);
printsub('>', &str_start[2], p - &str_start[2]);
if (encrypt_debug_mode)
printf(">>>%s: Request input to be encrypted\r\n", Name);
@@ -922,7 +930,7 @@ void
encrypt_send_request_end(void)
{
str_end[3] = ENCRYPT_REQEND;
- net_write(str_end, sizeof(str_end));
+ telnet_net_write(str_end, sizeof(str_end));
printsub('>', &str_end[2], sizeof(str_end) - 2);
if (encrypt_debug_mode)
diff --git a/lib/libtelnet/encrypt.h b/lib/libtelnet/encrypt.h
index 7b26aabd0fe..d079644b111 100644
--- a/lib/libtelnet/encrypt.h
+++ b/lib/libtelnet/encrypt.h
@@ -30,9 +30,9 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * from: @(#)encrypt.h 8.1 (Berkeley) 6/4/93
- * $OpenBSD: encrypt.h,v 1.3 1998/03/12 04:48:49 art Exp $
- * $NetBSD: encrypt.h,v 1.4 1996/02/24 01:15:20 jtk Exp $
+ * from: @(#)encrypt.h 8.1 (Berkeley) 6/4/93
+ * $OpenBSD: encrypt.h,v 1.4 2001/05/25 10:23:06 hin Exp $
+ * $NetBSD: encrypt.h,v 1.4 1996/02/24 01:15:20 jtk Exp $
*/
/*
@@ -44,7 +44,6 @@
* code was determined to fall under General License GTDA under ECCN 5D96G,
* and hence exportable. The cryptographic interfaces were re-added by Eric
* Young, and then KTH proceeded to maintain the code in the free world.
- *
*/
/*
@@ -67,38 +66,40 @@
* or implied warranty.
*/
-#ifndef __ENCRYPT__
-#define __ENCRYPT__
+/* $KTH: encrypt.h,v 1.4 1997/01/24 23:10:56 assar Exp $ */
-#define DIR_DECRYPT 1
-#define DIR_ENCRYPT 2
+#ifndef __ENCRYPT__
+#define __ENCRYPT__
-#define VALIDKEY(key) ( key[0] | key[1] | key[2] | key[3] | \
- key[4] | key[5] | key[6] | key[7])
+#define DIR_DECRYPT 1
+#define DIR_ENCRYPT 2
-#define SAMEKEY(k1, k2) (!memcmp(k1, k2, sizeof(des_cblock)))
+#define VALIDKEY(key) ( key[0] | key[1] | key[2] | key[3] | \
+ key[4] | key[5] | key[6] | key[7])
-typedef struct {
- short type;
- int length;
- unsigned char *data;
+#define SAMEKEY(k1, k2) (!memcmp(k1, k2, sizeof(des_cblock)))
+
+typedef struct {
+ short type;
+ int length;
+ unsigned char *data;
} Session_Key;
typedef struct {
- char *name;
- int type;
- void (*output) (unsigned char *, int);
- int (*input) (int);
- void (*init) (int);
- int (*start) (int, int);
- int (*is) (unsigned char *, int);
- int (*reply) (unsigned char *, int);
- void (*session) (Session_Key *, int);
- int (*keyid) (int, unsigned char *, int *);
- void (*printsub) (unsigned char *, int, unsigned char *, int);
+ char *name;
+ int type;
+ void (*output) (unsigned char *, int);
+ int (*input) (int);
+ void (*init) (int);
+ int (*start) (int, int);
+ int (*is) (unsigned char *, int);
+ int (*reply) (unsigned char *, int);
+ void (*session) (Session_Key *, int);
+ int (*keyid) (int, unsigned char *, int *);
+ void (*printsub) (unsigned char *, int, unsigned char *, int);
} Encryptions;
-#define SK_DES 1 /* Matched Kerberos v5 KEYTYPE_DES */
+#define SK_DES 1 /* Matched Kerberos v5 KEYTYPE_DES */
#include "enc-proto.h"
diff --git a/lib/libtelnet/genget.c b/lib/libtelnet/genget.c
index e821b9dae15..ea6c90c2a8a 100644
--- a/lib/libtelnet/genget.c
+++ b/lib/libtelnet/genget.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genget.c,v 1.4 1998/03/12 04:48:50 art Exp $ */
+/* $OpenBSD: genget.c,v 1.5 2001/05/25 10:23:06 hin Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -34,11 +34,12 @@
*/
#ifndef lint
-/* from: static char sccsid[] = "@(#)genget.c 8.2 (Berkeley) 5/30/95"; */
+/* from: static char sccsid[] = "@(#)genget.c 8.2 (Berkeley) 5/30/95"; */
/* from: static char *rcsid = "$NetBSD: genget.c,v 1.5 1996/02/24 01:15:21 jtk Exp $"; */
-static char *rcsid = "$OpenBSD: genget.c,v 1.4 1998/03/12 04:48:50 art Exp $";
+static char *rcsid = "$OpenBSD: genget.c,v 1.5 2001/05/25 10:23:06 hin Exp $";
#endif /* not lint */
+/* $KTH: genget.c,v 1.6 1997/05/04 09:01:34 assar Exp $ */
#include <ctype.h>
#include "misc-proto.h"
@@ -50,60 +51,58 @@ static char *rcsid = "$OpenBSD: genget.c,v 1.4 1998/03/12 04:48:50 art Exp $";
* the length is returned. If *s1 is a prefix of *s2,
* the length of *s1 is returned.
*/
- int
-isprefix(s1, s2)
- register char *s1, *s2;
+int
+isprefix(char *s1, char *s2)
{
- char *os1;
- register char c1, c2;
+ char *os1;
+ char c1, c2;
- if (*s1 == '\0')
- return(-1);
- os1 = s1;
- c1 = *s1;
- c2 = *s2;
- while (LOWER(c1) == LOWER(c2)) {
- if (c1 == '\0')
- break;
- c1 = *++s1;
- c2 = *++s2;
- }
- return(*s1 ? 0 : (*s2 ? (s1 - os1) : (os1 - s1)));
+ if (*s1 == '\0')
+ return(-1);
+ os1 = s1;
+ c1 = *s1;
+ c2 = *s2;
+ while (LOWER(c1) == LOWER(c2)) {
+ if (c1 == '\0')
+ break;
+ c1 = *++s1;
+ c2 = *++s2;
+ }
+ return(*s1 ? 0 : (*s2 ? (s1 - os1) : (os1 - s1)));
}
static char *ambiguous; /* special return value for command routines */
- char **
-genget(name, table, stlen)
- char *name; /* name to match */
- char **table; /* name entry in table */
- int stlen;
+char **
+genget(char *name, char **table, int stlen)
+ /* name to match */
+ /* name entry in table */
+
{
- register char **c, **found;
- register int n;
+ char **c, **found;
+ int n;
- if (name == 0)
- return 0;
+ if (name == 0)
+ return 0;
- found = 0;
- for (c = table; *c != 0; c = (char **)((char *)c + stlen)) {
- if ((n = isprefix(name, *c)) == 0)
- continue;
- if (n < 0) /* exact match */
- return(c);
- if (found)
- return(&ambiguous);
- found = c;
- }
- return(found);
+ found = 0;
+ for (c = table; *c != 0; c = (char **)((char *)c + stlen)) {
+ if ((n = isprefix(name, *c)) == 0)
+ continue;
+ if (n < 0) /* exact match */
+ return(c);
+ if (found)
+ return(&ambiguous);
+ found = c;
+ }
+ return(found);
}
/*
* Function call version of Ambiguous()
*/
- int
-Ambiguous(s)
- void *s;
+int
+Ambiguous(void *s)
{
- return((char **)s == &ambiguous);
+ return((char **)s == &ambiguous);
}
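Review bot: In `genget` the comments `/* name to match */` and `/* name entry in table */` are left on their own lines between the new ANSI signature and the opening brace, where they no longer sit beside the parameters they describe. Fold them into a header comment above the function, for example `/* name: string to match; table: first name entry; stlen: byte stride between entries */`. The stride reading follows from the loop step `c = (char **)((char *)c + stlen)`. Neither `isprefix` nor `genget` writes through its string arguments in the lines shown, so `const char *` would document that, at the cost of touching the prototypes in misc-proto.h.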
diff --git a/lib/libtelnet/kerberos.c b/lib/libtelnet/kerberos.c
index b08e1bbbfcc..9b02b793ccd 100644
--- a/lib/libtelnet/kerberos.c
+++ b/lib/libtelnet/kerberos.c
@@ -1,5 +1,4 @@
-/* $OpenBSD: kerberos.c,v 1.5 2000/09/15 07:13:44 deraadt Exp $ */
-/* $Id: kerberos.c,v 1.5 2000/09/15 07:13:44 deraadt Exp $ */
+/* $OpenBSD: kerberos.c,v 1.6 2001/05/25 10:23:07 hin Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -34,7 +33,7 @@
* SUCH DAMAGE.
*/
-/*
+ /*
* This source code is no longer held under any constraint of USA
* `cryptographic laws' since it was exported legally. The cryptographic
* functions were removed from the code and a "Bones" distribution was
@@ -66,6 +65,8 @@
* or implied warranty.
*/
+/* $KTH: kerberos.c,v 1.50 2000/11/23 02:28:06 joda Exp $" */
+
#ifdef KRB4
#include <sys/types.h>
#include <sys/socket.h>
@@ -79,6 +80,7 @@
#include <des.h>
#include <kerberosIV/krb.h>
#include <pwd.h>
+#include <syslog.h>
#include "encrypt.h"
#include "auth.h"
#include "misc.h"
@@ -105,6 +107,7 @@ static KTEXT_ST auth;
static char name[ANAME_SZ];
static AUTH_DAT adat;
static des_cblock session_key;
+static des_cblock cred_session;
static des_key_schedule sched;
static des_cblock challenge;
static int auth_done; /* XXX */
@@ -112,6 +115,42 @@ static int auth_done; /* XXX */
static int pack_cred(CREDENTIALS *cred, unsigned char *buf);
static int unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred);
+/* This is stolen from libroken; it's the only thing actually needed from
+ * libroken.
+ */
+void
+esetenv(const char *var, const char *val, int rewrite)
+{
+ if (setenv ((char *)var, (char *)val, rewrite))
+ errx (1, "failed setting environment variable %s", var);
+}
+
+static int
+check_krb4_tickets() {
+ int ret;
+ int retval = 0;
+ char *file;
+ krb_principal princ;
+
+ file = getenv("KRBTKFILE");
+ if(file == NULL)
+ file = TKT_FILE;
+
+ ret = krb_get_tf_realm(file, princ.realm);
+ switch(ret) {
+ case NO_TKT_FIL:
+ retval = 0;
+ goto done;
+ case 0:
+ retval = 1;
+ goto done;
+ default:
+ errx(1, "krb_get_tf_realm: %d", ret);
+ }
+
+ done:
+ return retval;
+}
static int
Data(Authenticator *ap, int type, const void *d, int c)
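Review bot: The `default:` branch of `check_krb4_tickets` calls `errx(1, ...)`, so any result from `krb_get_tf_realm` other than `0` or `NO_TKT_FIL` ends the whole process instead of just skipping Kerberos 4. The caller, `kerberos4_send`, already treats a return other than 1 as "do not try this method", so `default: retval = 0; break;` (with a debug message under `auth_debug_mode` if wanted) would let the remaining authentication types be tried. `errx` needs `<err.h>`, and the only include added to this file in the diff is `<syslog.h>`; confirm it is already pulled in. Smaller points: `check_krb4_tickets()` should be declared `(void)`, and `esetenv` is a non-static symbol exported from the library that casts away `const` for `setenv`, which takes `const char *` anyway.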
@@ -141,7 +180,7 @@ Data(Authenticator *ap, int type, const void *d, int c)
*p++ = SE;
if (str_data[3] == TELQUAL_IS)
printsub('>', &str_data[2], p - (&str_data[2]));
- return(net_write(str_data, p - str_data));
+ return(telnet_net_write(str_data, p - str_data));
}
int
@@ -172,7 +211,9 @@ kerberos4_send(char *name, Authenticator *ap)
CREDENTIALS cred;
int r;
- printf("[ Trying %s ... ]\r\n", name);
+ if(check_krb4_tickets() != 1)
+ return 0;
+
if (!UserNameRequested) {
if (auth_debug_mode) {
printf("Kerberos V4: no user name supplied\r\n");
@@ -182,10 +223,9 @@ kerberos4_send(char *name, Authenticator *ap)
memset(instance, 0, sizeof(instance));
- if ((realm = krb_get_phost(RemoteHostName)))
- strncpy(instance, realm, sizeof(instance));
-
- instance[sizeof(instance)-1] = '\0';
+ strlcpy (instance,
+ krb_get_phost(RemoteHostName),
+ INST_SZ);
realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
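Review bot: The result of `krb_get_phost(RemoteHostName)` is now passed straight to `strlcpy`, whereas the removed lines tested it for NULL before copying. `strlcpy` reads its source unconditionally, so if the lookup can return NULL (the old guard suggests the author thought so) this is a NULL dereference in the client. Keep the guard and tie the size to the buffer: `const char *phost = krb_get_phost(RemoteHostName);` then `if (phost != NULL) strlcpy(instance, phost, sizeof(instance));`. The preceding `memset` already leaves `instance` empty for the NULL case. `kerberos4_send` starts and ends outside this hunk.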
@@ -193,6 +233,8 @@ kerberos4_send(char *name, Authenticator *ap)
printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
return(0);
}
+ printf("[ Trying %s (%s.%s@%s) ... ]\r\n", name,
+ KRB_SERVICE_NAME, instance, realm);
r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L);
if (r) {
printf("mk_req failed: %s\r\n", krb_get_err_text(r));
@@ -221,6 +263,7 @@ kerberos4_send(char *name, Authenticator *ap)
int i;
des_key_sched(&cred.session, sched);
+ memcpy (&cred_session, &cred.session, sizeof(cred_session));
des_init_random_number_generator(&cred.session);
des_new_random_key(&session_key);
des_ecb_encrypt(&session_key, &session_key, sched, 0);
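Review bot: The added `memcpy (&cred_session, &cred.session, sizeof(cred_session));` keeps a second copy of the ticket session key in file-scope storage for the life of the process. The only reader visible in this diff is `kerberos4_forward(ap, &cred_session)` in `kerberos4_reply`, and that call is inside `#if 0`. Until forwarding is enabled, the copy only lengthens the time key material stays in memory. Either put the `memcpy` under the same condition as the forward call, or clear `cred_session` once authentication has finished. The surrounding block of `kerberos4_send` continues outside the hunk.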
@@ -274,7 +317,7 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
char realm[REALM_SZ];
char instance[INST_SZ];
int r;
- int addr_len;
+ socklen_t addr_len;
if (cnt-- < 1)
return;
@@ -303,6 +346,14 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
auth_finished(ap, AUTH_REJECT);
return;
}
+ if (addr.sin_family != AF_INET) {
+ if (auth_debug_mode)
+ printf("unknown address family: %d\r\n", addr.sin_family);
+ Data(ap, KRB_REJECT, "bad address family", -1);
+ auth_finished(ap, AUTH_REJECT);
+ return;
+ }
+
r = krb_rd_req(&auth, KRB_SERVICE_NAME,
instance, addr.sin_addr.s_addr, &adat, "");
if (r) {
@@ -320,11 +371,20 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
char ts[MAXPATHLEN];
struct passwd *pw = getpwnam(UserNameRequested);
- if (pw) {
+ if(pw){
snprintf(ts, sizeof(ts),
- "%s%u", TKT_ROOT, (unsigned)pw->pw_uid);
- /* XXX allocation failure? */
- setenv("KRBTKFILE", ts, 1);
+ "%s%u",
+ TKT_ROOT,
+ (unsigned)pw->pw_uid);
+ esetenv("KRBTKFILE", ts, 1);
+
+ if (pw->pw_uid == 0)
+ syslog(LOG_INFO|LOG_AUTH,
+ "ROOT Kerberos login from %s on %s\n",
+ krb_unparse_name_long(adat.pname,
+ adat.pinst,
+ adat.prealm),
+ RemoteHostName);
}
Data(ap, KRB_ACCEPT, NULL, 0);
} else {
@@ -342,6 +402,8 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
Data(ap, KRB_REJECT, (void *)msg, -1);
free(msg);
}
+ auth_finished(ap, AUTH_REJECT);
+ break;
}
auth_finished(ap, AUTH_USER);
break;
@@ -389,6 +451,7 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
if(cnt > sizeof(cred))
abort();
+ memcpy (session_key, adat.session, sizeof(session_key));
des_set_key(&session_key, ks);
des_pcbc_encrypt((void*)data, (void*)netcred, cnt,
ks, &session_key, DES_DECRYPT);
@@ -401,7 +464,7 @@ kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
cred.issue_date < 0 ||
cred.issue_date > time(0) + CLOCK_SKEW ||
strncmp(cred.pname, adat.pname, sizeof(cred.pname)) ||
- strncmp(cred.pinst, adat.pinst, sizeof(cred.pname))){
+ strncmp(cred.pinst, adat.pinst, sizeof(cred.pinst))){
Data(ap, KRB_FORWARD_REJECT, "Bad credentials", -1);
}else{
if((ret = tf_setup(&cred,
@@ -467,7 +530,7 @@ kerberos4_reply(Authenticator *ap, unsigned char *data, int cnt)
skey.data = session_key;
encrypt_session_key(&skey, 0);
#if 0
- kerberos4_forward(ap);
+ kerberos4_forward(ap, &cred_session);
#endif
return;
}
@@ -499,14 +562,13 @@ kerberos4_reply(Authenticator *ap, unsigned char *data, int cnt)
}
int
-kerberos4_status(Authenticator *ap, char *name, int level)
+kerberos4_status(Authenticator *ap, char *name, size_t name_sz, int level)
{
if (level < AUTH_USER)
return(level);
if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
- strncpy(name, UserNameRequested, ANAME_SZ - 1);
- name[ANAME_SZ - 1] = '\0';
+ strlcpy(name, UserNameRequested, name_sz);
return(AUTH_VALID);
} else
return(AUTH_USER);
@@ -518,7 +580,6 @@ kerberos4_status(Authenticator *ap, char *name, int level)
void
kerberos4_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
- char lbuf[32];
int i;
buf[buflen-1] = '\0'; /* make sure its NULL terminated */
@@ -526,11 +587,11 @@ kerberos4_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
switch(data[3]) {
case KRB_REJECT: /* Rejected (reason might follow) */
- strncpy((char *)buf, " REJECT ", buflen);
+ strlcpy((char *)buf, " REJECT ", buflen);
goto common;
case KRB_ACCEPT: /* Accepted (name might follow) */
- strncpy((char *)buf, " ACCEPT ", buflen);
+ strlcpy((char *)buf, " ACCEPT ", buflen);
common:
BUMP(buf, buflen);
if (cnt <= 4)
@@ -543,25 +604,23 @@ kerberos4_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
break;
case KRB_AUTH: /* Authentication data follows */
- strncpy((char *)buf, " AUTH", buflen);
+ strlcpy((char *)buf, " AUTH", buflen);
goto common2;
case KRB_CHALLENGE:
- strncpy((char *)buf, " CHALLENGE", buflen);
+ strlcpy((char *)buf, " CHALLENGE", buflen);
goto common2;
case KRB_RESPONSE:
- strncpy((char *)buf, " RESPONSE", buflen);
+ strlcpy((char *)buf, " RESPONSE", buflen);
goto common2;
default:
- snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[3]);
- strncpy((char *)buf, lbuf, buflen);
+ snprintf(buf, buflen, " %d (unknown)", data[3]);
common2:
BUMP(buf, buflen);
for (i = 4; i < cnt; i++) {
- snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
- strncpy((char *)buf, lbuf, buflen);
+ snprintf(buf, buflen, " %d", data[i]);
BUMP(buf, buflen);
}
break;
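Review bot: The two new calls `snprintf(buf, buflen, " %d (unknown)", data[3]);` and `snprintf(buf, buflen, " %d", data[i]);` pass `buf`, an `unsigned char *`, where `snprintf` expects `char *`, while the `strlcpy` calls in the same switch cast with `(char *)buf`. Write them as `snprintf((char *)buf, buflen, " %d", data[i]);` to match and to avoid a pointer-sign diagnostic. `buflen` is an `int` converted to `size_t` here, so it is worth confirming that `BUMP` (not shown) never lets it go negative inside the `for` loop. Dropping the `lbuf` staging buffer is otherwise a clean simplification.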
@@ -616,17 +675,16 @@ pack_cred(CREDENTIALS *cred, unsigned char *buf)
p += REALM_SZ;
memcpy(p, cred->session, 8);
p += 8;
- *p++ = cred->lifetime;
- *p++ = cred->kvno;
+ p += krb_put_int(cred->lifetime, p, 4, 4);
+ p += krb_put_int(cred->kvno, p, 4, 4);
p += krb_put_int(cred->ticket_st.length, p, 4, 4);
memcpy(p, cred->ticket_st.dat, cred->ticket_st.length);
p += cred->ticket_st.length;
+ p += krb_put_int(0, p, 4, 4);
p += krb_put_int(cred->issue_date, p, 4, 4);
- strncpy (cred->pname, p, ANAME_SZ);
- cred->pname[ANAME_SZ - 1] = '\0';
+ memcpy (p, cred->pname, ANAME_SZ);
p += ANAME_SZ;
- strncpy (cred->pinst, p, INST_SZ);
- cred->pinst[INST_SZ - 1] = '\0';
+ memcpy (p, cred->pinst, INST_SZ);
p += INST_SZ;
return p - buf;
}
@@ -635,6 +693,7 @@ static int
unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred)
{
unsigned char *p = buf;
+ u_int32_t tmp;
strncpy (cred->service, p, ANAME_SZ);
cred->service[ANAME_SZ - 1] = '\0';
@@ -648,23 +707,32 @@ unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred)
memcpy(cred->session, p, 8);
p += 8;
- cred->lifetime = *p++;
- cred->kvno = *p++;
+ p += krb_get_int(p, &tmp, 4, 0);
+ cred->lifetime = tmp;
+ p += krb_get_int(p, &tmp, 4, 0);
+ cred->kvno = tmp;
+
p += krb_get_int(p, &cred->ticket_st.length, 4, 0);
memcpy(cred->ticket_st.dat, p, cred->ticket_st.length);
+ p += cred->ticket_st.length;
+ p += krb_get_int(p, &tmp, 4, 0);
cred->ticket_st.mbz = 0;
p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, 0);
- p += krb_get_nir(p,
- cred->pname, sizeof(cred->pname),
- cred->pinst, sizeof(cred->pinst),
- NULL, 0);
+
+ strncpy (cred->pname, p, ANAME_SZ);
+ cred->pname[ANAME_SZ - 1] = '\0';
+ p += ANAME_SZ;
+ strncpy (cred->pinst, p, INST_SZ);
+ cred->pinst[INST_SZ - 1] = '\0';
+ p += INST_SZ;
return 0;
}
int
-kerberos4_forward(Authenticator *ap)
+kerberos4_forward(Authenticator *ap, void *v)
{
+ des_cblock *key = (des_cblock *)v;
CREDENTIALS cred;
char *realm;
des_key_schedule ks;
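Review bot: In `unpack_cred`, `cred->ticket_st.length` is taken from the received buffer and used without a bound. The existing `memcpy(cred->ticket_st.dat, p, cred->ticket_st.length)` uses it first, and the added `p += cred->ticket_st.length;` uses it again, after which four more fields are read from wherever `p` lands. Nothing in the lines shown compares it with the size of `cred->ticket_st.dat` or with the `len` argument, which is never used here. Add `if (cred->ticket_st.length > sizeof(cred->ticket_st.dat)) return -1;` before the copy, plus a comparison against the bytes remaining in `buf`. The caller must then treat a non-zero return as a rejected credential, and that caller is not visible in this hunk. The function begins in the preceding hunk; the `kerberos4_forward` signature change at the end of this one raises nothing further.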
@@ -682,10 +750,10 @@ kerberos4_forward(Authenticator *ap)
&cred);
if(ret)
return ret;
- des_set_key(&session_key, ks);
+ des_set_key(key, ks);
len = pack_cred(&cred, netcred);
des_pcbc_encrypt((void*)netcred, (void*)netcred, len,
- ks, &session_key, DES_ENCRYPT);
+ ks, key, DES_ENCRYPT);
memset(ks, 0, sizeof(ks));
Data(ap, KRB_FORWARD, netcred, len);
memset(netcred, 0, sizeof(netcred));
@@ -693,3 +761,4 @@ kerberos4_forward(Authenticator *ap)
}
#endif /* KRB4 */
+
diff --git a/lib/libtelnet/kerberos5.c b/lib/libtelnet/kerberos5.c
index 229798391f5..575a9d72571 100644
--- a/lib/libtelnet/kerberos5.c
+++ b/lib/libtelnet/kerberos5.c
@@ -1,5 +1,4 @@
-/* $OpenBSD: kerberos5.c,v 1.1 1998/03/12 04:48:52 art Exp $ */
-/* $Id: kerberos5.c,v 1.1 1998/03/12 04:48:52 art Exp $ */
+/* $OpenBSD: kerberos5.c,v 1.2 2001/05/25 10:23:07 hin Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -65,6 +64,9 @@
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
+
+/* $KTH: kerberos5.c,v 1.47 2001/01/09 18:45:33 assar Exp $ */
+
#ifdef KRB5
#include <arpa/telnet.h>
@@ -75,23 +77,22 @@
#include <netdb.h>
#include <ctype.h>
#include <pwd.h>
+#include <errno.h>
#define Authenticator k5_Authenticator
-#include <krb5.h>
+#include <kerberosV/krb5.h>
#undef Authenticator
+
#include "encrypt.h"
#include "auth.h"
#include "misc.h"
-extern int auth_debug_mode;
-
-/* where should this really reside? */
-
-#ifdef KRB5
-#define FORWARD
+#if defined(DCE)
+int dfsk5ok = 0;
+int dfspag = 0;
+int dfsfwd = 0;
#endif
-#ifdef FORWARD
int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
/* These values need to be the same as those defined in telnet/main.c. */
@@ -101,8 +102,6 @@ int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
void kerberos5_forward (Authenticator *);
-#endif /* FORWARD */
-
static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
AUTHTYPE_KERBEROS_V5, };
@@ -111,11 +110,9 @@ static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
#define KRB_ACCEPT 2 /* Accepted */
#define KRB_RESPONSE 3 /* Response for mutual auth. */
-#ifdef FORWARD
#define KRB_FORWARD 4 /* Forwarded credentials follow */
#define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
#define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
-#endif /* FORWARD */
static krb5_data auth;
static krb5_ticket *ticket;
@@ -124,6 +121,41 @@ static krb5_context context;
static krb5_auth_context auth_context;
static int
+check_krb5_tickets()
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_ccache ccache;
+ krb5_principal principal;
+ int retval = 1;
+
+ ret = krb5_init_context(&context);
+ if(ret)
+ errx(1, "krb5_init_context failt: %d", ret);
+
+ ret = krb5_cc_default(context, &ccache);
+ if(ret)
+ errx(1, "krb5_cc_default: %d", ret);
+
+ ret = krb5_cc_get_principal (context, ccache, &principal);
+ switch(ret) {
+ case ENOENT:
+ retval = 0;
+ goto done;
+ case 0:
+ retval = 1;
+ goto done;
+ default:
+ errx(1, "krb5_cc_get_principal: %d", ret);
+ break;
+ }
+
+ done:
+ krb5_free_context(context);
+ return retval;
+}
+
+static int
Data(Authenticator *ap, int type, void *d, int c)
{
unsigned char *p = str_data + 4;
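Review bot: `check_krb5_tickets` never releases the credential cache from `krb5_cc_default` or the principal from `krb5_cc_get_principal`; the `done:` label frees only the context. Add `krb5_free_principal(context, principal);` in the `case 0:` branch and `krb5_cc_close(context, ccache);` before `krb5_free_context(context);`. The local `krb5_context context` also shadows the file-scope `static krb5_context context` shown in the hunk header, which makes the function harder to read; a name such as `tmp_context` avoids that. As in the Kerberos 4 counterpart, the `default:` branch ends the process with `errx` rather than returning 0 so other authentication types can be tried. The first message has a typo, `failt`.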
@@ -151,20 +183,40 @@ Data(Authenticator *ap, int type, void *d, int c)
*p++ = SE;
if (str_data[3] == TELQUAL_IS)
printsub('>', &str_data[2], p - &str_data[2]);
- return(net_write(str_data, p - str_data));
+ return(telnet_net_write(str_data, p - str_data));
}
int
kerberos5_init(Authenticator *ap, int server)
{
- if (server)
+ krb5_error_code ret;
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ return 0;
+ if (server) {
+ krb5_keytab kt;
+ krb5_kt_cursor cursor;
+
+ ret = krb5_kt_default(context, &kt);
+ if (ret)
+ return 0;
+
+ ret = krb5_kt_start_seq_get (context, kt, &cursor);
+ if (ret) {
+ krb5_kt_close (context, kt);
+ return 0;
+ }
+ krb5_kt_end_seq_get (context, kt, &cursor);
+ krb5_kt_close (context, kt);
+
str_data[3] = TELQUAL_REPLY;
- else
+ } else
str_data[3] = TELQUAL_IS;
- krb5_init_context(&context);
return(1);
}
+extern int net;
static int
kerberos5_send(char *name, Authenticator *ap)
{
@@ -173,8 +225,10 @@ kerberos5_send(char *name, Authenticator *ap)
int ap_opts;
krb5_data cksum_data;
char foo[2];
+
+ if(check_krb5_tickets() != 1)
+ return 0;
- printf("[ Trying %s ... ]\r\n", name);
if (!UserNameRequested) {
if (auth_debug_mode) {
printf("Kerberos V5: no user name supplied\r\n");
@@ -205,19 +259,63 @@ kerberos5_send(char *name, Authenticator *ap)
return(0);
}
- krb5_auth_setenctype (context, auth_context, ETYPE_DES_CBC_MD5);
+ ret = krb5_auth_con_setaddrs_from_fd (context,
+ auth_context,
+ &net);
+ if (ret) {
+ if (auth_debug_mode) {
+ printf ("Kerberos V5:"
+ " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ }
+ return(0);
+ }
+
+ krb5_auth_setkeytype (context, auth_context, KEYTYPE_DES);
foo[0] = ap->type;
foo[1] = ap->way;
cksum_data.length = sizeof(foo);
cksum_data.data = foo;
- ret = krb5_mk_req(context, &auth_context, ap_opts,
- "host", RemoteHostName,
- &cksum_data, ccache, &auth);
+
+ {
+ krb5_principal service;
+ char sname[128];
+
+
+ ret = krb5_sname_to_principal (context,
+ RemoteHostName,
+ NULL,
+ KRB5_NT_SRV_HST,
+ &service);
+ if(ret) {
+ if (auth_debug_mode) {
+ printf ("Kerberos V5:"
+ " krb5_sname_to_principal(%s) failed (%s)\r\n",
+ RemoteHostName, krb5_get_err_text(context, ret));
+ }
+ return 0;
+ }
+ ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
+ if(ret) {
+ if (auth_debug_mode) {
+ printf ("Kerberos V5:"
+ " krb5_unparse_name_fixed failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ }
+ return 0;
+ }
+ printf("[ Trying %s (%s)... ]\r\n", name, sname);
+ ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
+ service,
+ &cksum_data, ccache, &auth);
+ krb5_free_principal (context, service);
+
+ }
if (ret) {
- if (auth_debug_mode) {
+ if (1 || auth_debug_mode) {
printf("Kerberos V5: mk_req failed (%s)\r\n",
krb5_get_err_text(context, ret));
}
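Review bot: When `krb5_unparse_name_fixed` fails, the new block returns 0 without releasing `service`, which `krb5_sname_to_principal` allocated just above. The success path does call `krb5_free_principal (context, service);`, so add the same call before that `return 0;`. The condition `if (1 || auth_debug_mode)` on the `mk_req failed` message reads like a debugging leftover. If the message is meant to be shown always, drop the `if`; otherwise restore `if (auth_debug_mode)`. `kerberos5_send` starts and ends outside this hunk, so whether `auth_context` and `ccache` are released on these early returns cannot be checked here.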
@@ -261,7 +359,6 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
krb5_keyblock *key_block;
char *name;
krb5_principal server;
- krb5_authenticator authenticator;
int zero = 0;
if (cnt-- < 1)
@@ -318,8 +415,8 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
NULL,
NULL,
&ticket);
- krb5_free_principal (context, server);
+ krb5_free_principal (context, server);
if (ret) {
char *errbuf;
@@ -332,55 +429,29 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
free (errbuf);
return;
}
-
- ret = krb5_auth_con_getkey(context, auth_context, &key_block);
- if (ret) {
- Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
- auth_finished(ap, AUTH_REJECT);
- if (auth_debug_mode)
- printf("Kerberos V5: "
- "krb5_auth_con_getkey failed (%s)\r\n",
- krb5_get_err_text(context, ret));
- return;
- }
- ret = krb5_auth_getauthenticator (context,
- auth_context,
- &authenticator);
- if (ret) {
- Data(ap, KRB_REJECT, "krb5_auth_getauthenticator failed", -1);
- auth_finished(ap, AUTH_REJECT);
- if (auth_debug_mode)
- printf("Kerberos V5: "
- "krb5_auth_getauthenticator failed (%s)\r\n",
- krb5_get_err_text(context, ret));
- return;
- }
-
- if (authenticator->cksum) {
+ {
char foo[2];
-
+
foo[0] = ap->type;
foo[1] = ap->way;
+
+ ret = krb5_verify_authenticator_checksum(context,
+ auth_context,
+ foo,
+ sizeof(foo));
- ret = krb5_verify_checksum (context,
- foo,
- sizeof(foo),
- key_block,
- authenticator->cksum);
if (ret) {
- Data(ap, KRB_REJECT, "No checksum", -1);
+ char *errbuf;
+ asprintf(&errbuf, "Bad checksum: %s",
+ krb5_get_err_text(context, ret));
+ Data(ap, KRB_REJECT, errbuf, -1);
if (auth_debug_mode)
- printf ("No checksum\r\n");
- krb5_free_authenticator (context,
- &authenticator);
-
+ printf ("%s\r\n", errbuf);
+ free(errbuf);
return;
}
}
- krb5_free_authenticator (context,
- &authenticator);
-
ret = krb5_auth_con_getremotesubkey (context,
auth_context,
&key_block);
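Review bot: `asprintf(&errbuf, ...)` in the new bad-checksum branch is used without checking its result; if the allocation fails the value of `errbuf` is indeterminate, yet it is then handed to `Data()`, `printf` and `free()`. Guard it with `if (asprintf(&errbuf, "Bad checksum: %s", krb5_get_err_text(context, ret)) == -1) errbuf = NULL;` and send `errbuf ? errbuf : "Bad checksum"` instead. This branch also returns without `auth_finished(ap, AUTH_REJECT)`, which the removed `krb5_auth_con_getkey` error path did call; the old "No checksum" branch omitted it too, so it is worth confirming whether that is intended. The body of kerberos5_is starts and ends outside the hunk.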
@@ -396,7 +467,7 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
}
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
- ret = krb5_mk_rep(context, &auth_context, &outbuf);
+ ret = krb5_mk_rep(context, auth_context, &outbuf);
if (ret) {
Data(ap, KRB_REJECT,
"krb5_mk_rep failed", -1);
@@ -421,7 +492,9 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
name ? name : "");
}
- if(key_block->keytype == KEYTYPE_DES) {
+ if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
+ key_block->keytype == ETYPE_DES_CBC_MD4 ||
+ key_block->keytype == ETYPE_DES_CBC_CRC) {
Session_Key skey;
skey.type = SK_DES;
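Review bot: The new condition compares the field `key_block->keytype` with `ETYPE_DES_CBC_*` encryption-type constants, while kerberos5_send in this same commit passes `KEYTYPE_DES` to `krb5_auth_setkeytype`, and nothing here says which namespace the field holds. A comment above the `if`, for example `/* keytype presumably carries an enctype in this Heimdal version (TODO confirm); only single-DES keys can feed the telnet DES layer */`, would keep the two from being mixed up again. What happens for any other key type is outside the hunk; if the session then continues without a session key, a debug message saying so would help.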
@@ -443,13 +516,14 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
Data(ap, KRB_REJECT, (void *)msg, -1);
free(msg);
}
+ auth_finished (ap, AUTH_REJECT);
+ krb5_free_keyblock_contents(context, key_block);
+ break;
}
auth_finished(ap, AUTH_USER);
-
krb5_free_keyblock_contents(context, key_block);
break;
-#ifdef FORWARD
case KRB_FORWARD: {
struct passwd *pwd;
char ccname[1024]; /* XXX */
@@ -483,10 +557,13 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
break;
}
- ret = krb5_rd_cred (context,
- auth_context,
- ccache,
- &inbuf);
+#if defined(DCE)
+ esetenv("KRB5CCNAME", ccname, 1);
+#endif
+ ret = krb5_rd_cred2 (context,
+ auth_context,
+ ccache,
+ &inbuf);
if(ret) {
char *errbuf;
@@ -501,14 +578,17 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
printf("Could not read forwarded credentials: %s\r\n",
errbuf);
free (errbuf);
- } else
+ } else {
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+#if defined(DCE)
+ dfsfwd = 1;
+#endif
+ }
chown (ccname + 5, pwd->pw_uid, -1);
if (auth_debug_mode)
printf("Forwarded credentials obtained\r\n");
break;
}
-#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
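Review bot: `chown (ccname + 5, pwd->pw_uid, -1);` still runs after both branches, including the one where reading the forwarded credentials failed, and its return value is ignored; the "Forwarded credentials obtained" debug line is printed in both cases as well. Since this change already braces the `else`, moving both statements into it and checking the result, `if (chown (ccname + 5, pwd->pw_uid, -1) != 0)` with a reject or a debug message, would stop the server from reporting success for a cache whose ownership was never handed over. `ccname` is built outside the hunk, so whether that path could be a symlink at this point cannot be judged from here.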
@@ -569,10 +649,8 @@ kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
encrypt_session_key(&skey, 0);
krb5_free_keyblock_contents (context, keyblock);
auth_finished(ap, AUTH_USER);
-#ifdef FORWARD
if (forward_flags & OPTS_FORWARD_CREDS)
kerberos5_forward(ap);
-#endif /* FORWARD */
break;
}
case KRB_RESPONSE:
@@ -596,7 +674,6 @@ kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
mutual_complete = 1;
}
return;
-#ifdef FORWARD
case KRB_FORWARD_ACCEPT:
printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
return;
@@ -604,7 +681,6 @@ kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
cnt, data);
return;
-#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
@@ -613,7 +689,7 @@ kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
}
int
-kerberos5_status(Authenticator *ap, char *name, int level)
+kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
{
if (level < AUTH_USER)
return(level);
@@ -623,7 +699,10 @@ kerberos5_status(Authenticator *ap, char *name, int level)
ticket->client,
UserNameRequested))
{
- strcpy(name, UserNameRequested);
+ strlcpy(name, UserNameRequested, name_sz);
+#if defined(DCE)
+ dfsk5ok = 1;
+#endif
return(AUTH_VALID);
} else
return(AUTH_USER);
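Review bot: `strlcpy(name, UserNameRequested, name_sz)` truncates silently, and the function then returns AUTH_VALID for a name that is no longer the one the preceding authorisation check approved (that call starts above the hunk). Check the result and refuse the upgrade when the name does not fit: `if (strlcpy(name, UserNameRequested, name_sz) >= name_sz) return(AUTH_USER);`. Under DCE the `dfsk5ok = 1;` assignment should come after that check.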
@@ -635,7 +714,6 @@ kerberos5_status(Authenticator *ap, char *name, int level)
void
kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
- char lbuf[32];
int i;
buf[buflen-1] = '\0'; /* make sure its NULL terminated */
@@ -643,11 +721,11 @@ kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
switch(data[3]) {
case KRB_REJECT: /* Rejected (reason might follow) */
- strncpy((char *)buf, " REJECT ", buflen);
+ strlcpy((char *)buf, " REJECT ", buflen);
goto common;
case KRB_ACCEPT: /* Accepted (name might follow) */
- strncpy((char *)buf, " ACCEPT ", buflen);
+ strlcpy((char *)buf, " ACCEPT ", buflen);
common:
BUMP(buf, buflen);
if (cnt <= 4)
@@ -661,43 +739,38 @@ kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
case KRB_AUTH: /* Authentication data follows */
- strncpy((char *)buf, " AUTH", buflen);
+ strlcpy((char *)buf, " AUTH", buflen);
goto common2;
case KRB_RESPONSE:
- strncpy((char *)buf, " RESPONSE", buflen);
+ strlcpy((char *)buf, " RESPONSE", buflen);
goto common2;
-#ifdef FORWARD
case KRB_FORWARD: /* Forwarded credentials follow */
- strncpy((char *)buf, " FORWARD", buflen);
+ strlcpy((char *)buf, " FORWARD", buflen);
goto common2;
case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
- strncpy((char *)buf, " FORWARD_ACCEPT", buflen);
+ strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
goto common2;
case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
/* (reason might follow) */
- strncpy((char *)buf, " FORWARD_REJECT", buflen);
+ strlcpy((char *)buf, " FORWARD_REJECT", buflen);
goto common2;
-#endif /* FORWARD */
default:
- snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[3]);
- strncpy((char *)buf, lbuf, buflen);
+ snprintf(buf, buflen, " %d (unknown)", data[3]);
common2:
BUMP(buf, buflen);
for (i = 4; i < cnt; i++) {
- snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
- strncpy((char *)buf, lbuf, buflen);
+ snprintf(buf, buflen, " %d", data[i]);
BUMP(buf, buflen);
}
break;
}
}
-#ifdef FORWARD
void
kerberos5_forward(Authenticator *ap)
{
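Review bot: The two new `snprintf(buf, buflen, ...)` calls pass `unsigned char *buf` where `char *` is expected, while every `strlcpy` in kerberos5_printsub casts with `(char *)buf`; write `snprintf((char *)buf, buflen, " %d", data[i]);` and the same in the `default:` case, which also avoids the pointer-sign warning. `buflen` is an `int` that is converted to `size_t` in these calls, so the loop depends on `BUMP` (defined outside the hunk) never taking it to zero or below. A comment stating that invariant, or `if (buflen <= 1) break;` at the top of the loop, would make the bound visible.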
@@ -724,6 +797,8 @@ kerberos5_forward(Authenticator *ap)
return;
}
+ memset (&creds, 0, sizeof(creds));
+
creds.client = principal;
ret = krb5_build_principal (context,
@@ -757,7 +832,7 @@ kerberos5_forward(Authenticator *ap)
&out_data);
if (ret) {
if (auth_debug_mode)
- printf ("Kerberos V5: error gettting forwarded creds: %s\r\n",
+ printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
krb5_get_err_text (context, ret));
return;
}
@@ -770,6 +845,17 @@ kerberos5_forward(Authenticator *ap)
printf("Forwarded local Kerberos V5 credentials to server\r\n");
}
}
+
+#if defined(DCE)
+/* if this was a K5 authentication try and join a PAG for the user. */
+void
+kerberos5_dfspag(void)
+{
+ if (dfsk5ok) {
+ dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
+ UserNameRequested);
+ }
+}
#endif
#endif /* KRB5 */
diff --git a/lib/libtelnet/misc-proto.h b/lib/libtelnet/misc-proto.h
index 2f67ff0b50f..9f8d5d2d47b 100644
--- a/lib/libtelnet/misc-proto.h
+++ b/lib/libtelnet/misc-proto.h
@@ -30,9 +30,9 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * from: @(#)misc-proto.h 8.1 (Berkeley) 6/4/93
- * $OpenBSD: misc-proto.h,v 1.3 1998/03/12 04:48:52 art Exp $
- * $NetBSD: misc-proto.h,v 1.5 1996/02/24 01:15:23 jtk Exp $
+ * from: @(#)misc-proto.h 8.1 (Berkeley) 6/4/93
+ * $OpenBSD: misc-proto.h,v 1.4 2001/05/25 10:23:07 hin Exp $
+ * $NetBSD: misc-proto.h,v 1.5 1996/02/24 01:15:23 jtk Exp $
*/
/*
@@ -67,27 +67,27 @@
* or implied warranty.
*/
+/* $KTH: misc-proto.h,v 1.9 2000/11/15 23:00:21 assar Exp $ */
+
#ifndef __MISC_PROTO__
#define __MISC_PROTO__
-#include <sys/cdefs.h>
-
-void auth_encrypt_init __P((char *, char *, char *, int));
-void auth_encrypt_user __P((char *));
-void auth_encrypt_connect __P((int));
-void printd __P((const unsigned char *, int));
-char **genget __P((char *, char **, int));
-int isprefix __P((char *, char *));
-int Ambiguous __P((void *));
+void auth_encrypt_init (const char *, const char *, const char *, int);
+void auth_encrypt_user(const char *name);
+void auth_encrypt_connect (int);
+void printd (const unsigned char *, int);
+char** genget (char *name, char **table, int stlen);
+int isprefix(char *s1, char *s2);
+int Ambiguous(void *s);
/*
* These functions are imported from the application
*/
-int net_write __P((unsigned char *, int));
-void net_encrypt __P((void));
-int telnet_spin __P((void));
-char *telnet_getenv __P((char *));
-char *telnet_gets __P((char *, char *, int, int));
-void printsub __P((char, unsigned char *, int));
+int telnet_net_write (unsigned char *, int);
+void net_encrypt (void);
+int telnet_spin (void);
+char *telnet_getenv (const char *);
+char *telnet_gets (char *, char *, int, int);
+void printsub(int direction, unsigned char *pointer, int length);
#endif
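Review bot: The rewritten prototypes are inconsistent about parameter names: `genget`, `isprefix` and `printsub` name theirs, while `telnet_gets (char *, char *, int, int)` and `telnet_net_write (unsigned char *, int)` do not, and those are the ones where a caller has to know which argument is the buffer and which is its length. Naming them in the header would document that; the names have to come from the definitions in the application, which are not shown here. `printsub` also changes its first parameter from `char` to `int direction`, so every definition and caller outside this library has to change with it.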
diff --git a/lib/libtelnet/misc.c b/lib/libtelnet/misc.c
index fc2d5791d54..af6e3115eed 100644
--- a/lib/libtelnet/misc.c
+++ b/lib/libtelnet/misc.c
@@ -32,11 +32,13 @@
*/
#ifndef lint
-/* from: static char sccsid[] = "@(#)misc.c 8.1 (Berkeley) 6/4/93"; */
+/* from: static char sccsid[] = "@(#)misc.c 8.1 (Berkeley) 6/4/93"; */
/* from: static char rcsid[] = "$NetBSD: misc.c,v 1.5 1996/02/24 01:15:25 jtk Exp $"; */
-static char rcsid[] = "$OpenBSD: misc.c,v 1.3 1998/03/12 04:48:54 art Exp $";
+static char rcsid[] = "$OpenBSD: misc.c,v 1.4 2001/05/25 10:23:07 hin Exp $";
#endif /* not lint */
+/* $KTH: misc.c,v 1.15 2000/01/25 23:24:58 assar Exp $ */
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -44,59 +46,50 @@ static char rcsid[] = "$OpenBSD: misc.c,v 1.3 1998/03/12 04:48:54 art Exp $";
#include "auth.h"
#include "encrypt.h"
-char *RemoteHostName;
-char *LocalHostName;
+
+const char *RemoteHostName;
+const char *LocalHostName;
char *UserNameRequested = 0;
int ConnectedCount = 0;
- void
-auth_encrypt_init(local, remote, name, server)
- char *local;
- char *remote;
- char *name;
- int server;
+void
+auth_encrypt_init(const char *local, const char *remote, const char *name,
+ int server)
{
- RemoteHostName = remote;
- LocalHostName = local;
+ RemoteHostName = remote;
+ LocalHostName = local;
#ifdef AUTHENTICATION
- auth_init(name, server);
+ auth_init(name, server);
#endif
#ifdef ENCRYPTION
- encrypt_init(name, server);
+ encrypt_init(name, server);
#endif
-
- if (UserNameRequested) {
- free(UserNameRequested);
- UserNameRequested = 0;
- }
+ if (UserNameRequested) {
+ free(UserNameRequested);
+ UserNameRequested = 0;
+ }
}
- void
-auth_encrypt_user(name)
- char *name;
+void
+auth_encrypt_user(const char *name)
{
- extern char *strdup();
-
- if (UserNameRequested)
- free(UserNameRequested);
- UserNameRequested = name ? strdup(name) : 0;
+ if (UserNameRequested)
+ free(UserNameRequested);
+ UserNameRequested = name ? strdup(name) : 0;
}
- void
-auth_encrypt_connect(cnt)
- int cnt;
+void
+auth_encrypt_connect(int cnt)
{
}
- void
-printd(data, cnt)
- const unsigned char *data;
- int cnt;
+void
+printd(const unsigned char *data, int cnt)
{
- if (cnt > 16)
- cnt = 16;
- while (cnt-- > 0) {
- printf(" %02x", *data);
- ++data;
- }
+ if (cnt > 16)
+ cnt = 16;
+ while (cnt-- > 0) {
+ printf(" %02x", *data);
+ ++data;
+ }
}
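Review bot: `auth_encrypt_user` stores the result of `strdup(name)` unchecked, so an allocation failure leaves `UserNameRequested` NULL and cannot be told apart from no user name having been requested; the failure should be reported, or at least noted in a comment. `auth_encrypt_init` keeps the `local` and `remote` pointers rather than copies, and with the new `const` qualifiers a caller may pass a string it does not keep alive. A comment such as `/* local and remote are borrowed: the caller must keep them valid for the whole session */` would state the contract. `RemoteHostName` is what kerberos5_send in this commit uses to build the service principal, so its lifetime matters.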
diff --git a/lib/libtelnet/misc.h b/lib/libtelnet/misc.h
index 569e5e8d38a..404333d34a9 100644
--- a/lib/libtelnet/misc.h
+++ b/lib/libtelnet/misc.h
@@ -30,14 +30,14 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * from: @(#)misc.h 8.1 (Berkeley) 6/4/93
- * $OpenBSD: misc.h,v 1.2 1996/03/19 23:15:56 niklas Exp $
- * $NetBSD: misc.h,v 1.4 1996/02/24 01:15:27 jtk Exp $
+ * from: @(#)misc.h 8.1 (Berkeley) 6/4/93
+ * $OpenBSD: misc.h,v 1.3 2001/05/25 10:23:07 hin Exp $
+ * $NetBSD: misc.h,v 1.4 1996/02/24 01:15:27 jtk Exp $
*/
extern char *UserNameRequested;
-extern char *LocalHostName;
-extern char *RemoteHostName;
+extern const char *LocalHostName;
+extern const char *RemoteHostName;
extern int ConnectedCount;
extern int ReservedPort;