1/* 2 * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "kx.h" 35 36RCSID("$Id$"); 37 38#ifdef KRB5 39 40struct krb5_kx_context { 41 krb5_context context; 42 krb5_keyblock *keyblock; 43 krb5_crypto crypto; 44 krb5_principal client; 45 krb5_log_facility *log; 46 47}; 48 49typedef struct krb5_kx_context krb5_kx_context; 50 51#define K5DATA(kc) ((krb5_kx_context*)kc->data) 52#define CONTEXT(kc) (K5DATA(kc)->context) 53 54/* 55 * 56 */ 57 58static void 59ksyslog(krb5_context context, krb5_error_code ret, const char *fmt, ...) 60 __attribute__((__format__(__printf__, 3, 0))); 61 62static void 63ksyslog(krb5_context context, krb5_error_code ret, const char *fmt, ...) 64{ 65 const char *msg; 66 char *str = NULL; 67 va_list va; 68 69 msg = krb5_get_error_message(context, ret); 70 71 va_start(va, fmt); 72 vasprintf(&str, fmt, va); 73 va_end(va); 74 75 syslog(LOG_ERR, "%s: %s", str, msg); 76 77 krb5_free_error_message(context, msg); 78 free(str); 79} 80 81/* 82 * Destroy the krb5 context in `c'. 83 */ 84 85static void 86krb5_destroy (kx_context *kc) 87{ 88 if (K5DATA(kc)->keyblock) 89 krb5_free_keyblock (CONTEXT(kc), K5DATA(kc)->keyblock); 90 if (K5DATA(kc)->crypto) 91 krb5_crypto_destroy (CONTEXT(kc), K5DATA(kc)->crypto); 92 if (K5DATA(kc)->client) 93 krb5_free_principal (CONTEXT(kc), K5DATA(kc)->client); 94 if (CONTEXT(kc)) 95 krb5_free_context (CONTEXT(kc)); 96 memset (kc->data, 0, sizeof(krb5_kx_context)); 97 free (kc->data); 98} 99 100/* 101 * Read the authentication information from `s' and return 0 if 102 * succesful, else -1. 103 */ 104 105static int 106krb5_authenticate (kx_context *kc, int s) 107{ 108 krb5_auth_context auth_context = NULL; 109 krb5_error_code ret; 110 krb5_principal server; 111 const char *host = kc->host; 112 113 ret = krb5_sname_to_principal (CONTEXT(kc), 114 host, "host", KRB5_NT_SRV_HST, &server); 115 if (ret) { 116 krb5_warn (CONTEXT(kc), ret, "krb5_sname_to_principal: %s", host); 117 return 1; 118 } 119 120 ret = krb5_sendauth (CONTEXT(kc), 121 &auth_context, 122 &s, 123 KX_VERSION, 124 NULL, 125 server, 126 AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, 127 NULL, 128 NULL, 129 NULL, 130 NULL, 131 NULL, 132 NULL); 133 if (ret) { 134 if(ret != KRB5_SENDAUTH_BADRESPONSE) 135 krb5_warn (CONTEXT(kc), ret, "krb5_sendauth: %s", host); 136 return 1; 137 } 138 139 ret = krb5_auth_con_getkey (CONTEXT(kc), auth_context, 140 &K5DATA(kc)->keyblock); 141 if (ret) { 142 krb5_warn (CONTEXT(kc), ret, "krb5_auth_con_getkey: %s", host); 143 krb5_auth_con_free (CONTEXT(kc), auth_context); 144 return 1; 145 } 146 147 ret = krb5_crypto_init (CONTEXT(kc), K5DATA(kc)->keyblock, 148 0, &K5DATA(kc)->crypto); 149 if (ret) { 150 krb5_warn (CONTEXT(kc), ret, "krb5_crypto_init"); 151 krb5_auth_con_free (CONTEXT(kc), auth_context); 152 return 1; 153 } 154 return 0; 155} 156 157/* 158 * Read an encapsulated krb5 packet from `fd' into `buf' (of size 159 * `len'). Return the number of bytes read or 0 on EOF or -1 on 160 * error. 161 */ 162 163static ssize_t 164krb5_read (kx_context *kc, 165 int fd, void *buf, size_t len) 166{ 167 size_t data_len, outer_len; 168 krb5_error_code ret; 169 unsigned char tmp[4]; 170 krb5_data data; 171 int l; 172 173 l = krb5_net_read (CONTEXT(kc), &fd, tmp, 4); 174 if (l == 0) 175 return l; 176 if (l != 4) 177 return -1; 178 data_len = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3]; 179 outer_len = krb5_get_wrapped_length (CONTEXT(kc), 180 K5DATA(kc)->crypto, data_len); 181 if (outer_len > len) 182 return -1; 183 if (krb5_net_read (CONTEXT(kc), &fd, buf, outer_len) != outer_len) 184 return -1; 185 186 ret = krb5_decrypt (CONTEXT(kc), K5DATA(kc)->crypto, 187 KRB5_KU_OTHER_ENCRYPTED, 188 buf, outer_len, &data); 189 if (ret) { 190 krb5_warn (CONTEXT(kc), ret, "krb5_decrypt"); 191 return -1; 192 } 193 if (data_len > data.length) { 194 krb5_data_free (&data); 195 return -1; 196 } 197 memmove (buf, data.data, data_len); 198 krb5_data_free (&data); 199 return data_len; 200} 201 202/* 203 * Write an encapsulated krb5 packet on `fd' with the data in `buf, 204 * len'. Return len or -1 on error. 205 */ 206 207static ssize_t 208krb5_write(kx_context *kc, 209 int fd, const void *buf, size_t len) 210{ 211 krb5_data data; 212 krb5_error_code ret; 213 unsigned char tmp[4]; 214 size_t outlen; 215 216 ret = krb5_encrypt (CONTEXT(kc), K5DATA(kc)->crypto, 217 KRB5_KU_OTHER_ENCRYPTED, 218 buf, len, &data); 219 if (ret){ 220 krb5_warn (CONTEXT(kc), ret, "krb5_write"); 221 return -1; 222 } 223 224 outlen = data.length; 225 tmp[0] = (len >> 24) & 0xFF; 226 tmp[1] = (len >> 16) & 0xFF; 227 tmp[2] = (len >> 8) & 0xFF; 228 tmp[3] = (len >> 0) & 0xFF; 229 230 if (krb5_net_write (CONTEXT(kc), &fd, tmp, 4) != 4 || 231 krb5_net_write (CONTEXT(kc), &fd, data.data, outlen) != outlen) { 232 krb5_data_free (&data); 233 return -1; 234 } 235 krb5_data_free (&data); 236 return len; 237} 238 239/* 240 * Copy from the unix socket `from_fd' encrypting to `to_fd'. 241 * Return 0, -1 or len. 242 */ 243 244static int 245copy_out (kx_context *kc, int from_fd, int to_fd) 246{ 247 char buf[32768]; 248 ssize_t len; 249 250 len = read (from_fd, buf, sizeof(buf)); 251 if (len == 0) 252 return 0; 253 if (len < 0) { 254 krb5_warn (CONTEXT(kc), errno, "read"); 255 return len; 256 } 257 return krb5_write (kc, to_fd, buf, len); 258} 259 260/* 261 * Copy from the socket `from_fd' decrypting to `to_fd'. 262 * Return 0, -1 or len. 263 */ 264 265static int 266copy_in (kx_context *kc, int from_fd, int to_fd) 267{ 268 char buf[33000]; /* XXX */ 269 270 ssize_t len; 271 272 len = krb5_read (kc, from_fd, buf, sizeof(buf)); 273 if (len == 0) 274 return 0; 275 if (len < 0) { 276 krb5_warn (CONTEXT(kc), errno, "krb5_read"); 277 return len; 278 } 279 280 return krb5_net_write (CONTEXT(kc), &to_fd, buf, len); 281} 282 283/* 284 * Copy data between `fd1' and `fd2', encrypting in one direction and 285 * decrypting in the other. 286 */ 287 288static int 289krb5_copy_encrypted (kx_context *kc, int fd1, int fd2) 290{ 291 for (;;) { 292 fd_set fdset; 293 int ret; 294 295 if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) { 296 krb5_warnx (CONTEXT(kc), "fd too large"); 297 return 1; 298 } 299 300 FD_ZERO(&fdset); 301 FD_SET(fd1, &fdset); 302 FD_SET(fd2, &fdset); 303 304 ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL); 305 if (ret < 0 && errno != EINTR) { 306 krb5_warn (CONTEXT(kc), errno, "select"); 307 return 1; 308 } 309 if (FD_ISSET(fd1, &fdset)) { 310 ret = copy_out (kc, fd1, fd2); 311 if (ret <= 0) 312 return ret; 313 } 314 if (FD_ISSET(fd2, &fdset)) { 315 ret = copy_in (kc, fd2, fd1); 316 if (ret <= 0) 317 return ret; 318 } 319 } 320} 321 322/* 323 * Return 0 if the user authenticated on `kc' is allowed to login as 324 * `user'. 325 */ 326 327static int 328krb5_userok (kx_context *kc, char *user) 329{ 330 krb5_error_code ret; 331 char *tmp; 332 333 ret = krb5_unparse_name (CONTEXT(kc), K5DATA(kc)->client, &tmp); 334 if (ret) 335 krb5_err (CONTEXT(kc), 1, ret, "krb5_unparse_name"); 336 kc->user = tmp; 337 338 return !krb5_kuserok (CONTEXT(kc), K5DATA(kc)->client, user); 339} 340 341/* 342 * Create an instance of an krb5 context. 343 */ 344 345void 346krb5_make_context (kx_context *kc) 347{ 348 krb5_kx_context *c; 349 krb5_error_code ret; 350 351 kc->authenticate = krb5_authenticate; 352 kc->userok = krb5_userok; 353 kc->read = krb5_read; 354 kc->write = krb5_write; 355 kc->copy_encrypted = krb5_copy_encrypted; 356 kc->destroy = krb5_destroy; 357 kc->user = NULL; 358 kc->data = malloc(sizeof(krb5_kx_context)); 359 360 if (kc->data == NULL) { 361 syslog (LOG_ERR, "failed to malloc %lu bytes", 362 (unsigned long)sizeof(krb5_kx_context)); 363 exit(1); 364 } 365 memset (kc->data, 0, sizeof(krb5_kx_context)); 366 c = (krb5_kx_context *)kc->data; 367 ret = krb5_init_context (&c->context); 368 if (ret) { 369 syslog (LOG_ERR, "failed initialise krb5 context"); 370 exit(1); 371 } 372} 373 374/* 375 * Receive authentication information on `sock' (first four bytes 376 * in `buf'). 377 */ 378 379int 380recv_v5_auth (kx_context *kc, int sock, u_char *buf) 381{ 382 uint32_t len; 383 krb5_error_code ret; 384 krb5_principal server; 385 krb5_auth_context auth_context = NULL; 386 krb5_ticket *ticket; 387 388 if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0) 389 return 1; 390 len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]); 391 if (net_read(sock, buf, len) != len) { 392 syslog (LOG_ERR, "read: %m"); 393 exit (1); 394 } 395 if (len != sizeof(KRB5_SENDAUTH_VERSION) 396 || memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0) { 397 syslog (LOG_ERR, "bad sendauth version: %.8s", buf); 398 exit (1); 399 } 400 401 krb5_make_context (kc); 402 krb5_openlog(CONTEXT(kc), "kxd", &K5DATA(kc)->log); 403 krb5_set_warn_dest(CONTEXT(kc), K5DATA(kc)->log); 404 405 ret = krb5_sock_to_principal (CONTEXT(kc), sock, "host", 406 KRB5_NT_SRV_HST, &server); 407 if (ret) { 408 ksyslog (CONTEXT(kc), ret, "krb5_sock_to_principal"); 409 exit (1); 410 } 411 412 ret = krb5_recvauth (CONTEXT(kc), 413 &auth_context, 414 &sock, 415 KX_VERSION, 416 server, 417 KRB5_RECVAUTH_IGNORE_VERSION, 418 NULL, 419 &ticket); 420 krb5_free_principal (CONTEXT(kc), server); 421 if (ret) { 422 ksyslog (CONTEXT(kc), ret, "krb5_recvauth"); 423 exit (1); 424 } 425 426 ret = krb5_auth_con_getkey (CONTEXT(kc), auth_context, &K5DATA(kc)->keyblock); 427 if (ret) { 428 ksyslog (CONTEXT(kc), ret, "krb5_auth_con_getkey"); 429 exit (1); 430 } 431 432 ret = krb5_crypto_init (CONTEXT(kc), K5DATA(kc)->keyblock, 0, &K5DATA(kc)->crypto); 433 if (ret) { 434 ksyslog (CONTEXT(kc), ret, "krb5_crypto_init"); 435 exit (1); 436 } 437 438 K5DATA(kc)->client = ticket->client; 439 ticket->client = NULL; 440 krb5_free_ticket (CONTEXT(kc), ticket); 441 442 krb5_auth_con_free(CONTEXT(kc), auth_context); 443 444 return 0; 445} 446 447#endif /* KRB5 */ 448