/afs/andrew.cmu.edu/usr18/cg2v/zephyr-krb5-server-20071215+.diff

7 files changed, 196 insertions, 49 deletions

diff --git a/server/bdump.c b/server/bdump.c
index d997672..6de5abf 100644
--- a/server/bdump.c
+++ b/server/bdump.c
@@ -44,6 +44,43 @@ static const char rcsid_bdump_c[] = "$Id$";
  *	int num;
  */
 
+#if defined(HAVE_KRB5) && 0
+int krb5_init_keyblock(krb5_context context,
+        krb5_enctype type,
+        size_t size,
+        krb5_keyblock **akey)
+{
+krb5_error_code ret;
+size_t len;
+krb5_keyblock *key;
+
+*akey=NULL;
+key=malloc(sizeof(*key));
+memset(key, 0, sizeof(*key));
+ret = krb5_enctype_keysize(context, type, &len);
+if (ret)
+return ret;
+
+if (len != size) {
+krb5_set_error_string(context, "Encryption key %d is %lu bytes "
+"long, %lu was passed in",
+type, (unsigned long)len, (unsigned long)size);
+return KRB5_PROG_ETYPE_NOSUPP;
+}
+
+ret = krb5_data_alloc(&key->keyvalue, len);
+if(ret) {
+krb5_set_error_string(context, "malloc failed: %lu",
+(unsigned long)len);
+return ret;
+}
+key->keytype = type;
+*akey=key;
+return 0;
+}
+#endif
+
+
 static void close_bdump __P((void* arg));
 static Code_t bdump_send_loop __P((Server *server)),
 bdump_ask_for __P((char *inst)),
@@ -281,7 +318,93 @@ bdump_send()
 #ifdef HAVE_KRB5
     { /* "server" side */
 	krb5_auth_context actx;
+	krb5_principal principal;
+	krb5_data data;
+	krb5_ap_rep_enc_part *rep;
+	krb5_keytab kt;
+
+	if (get_tgt()) {
+	    syslog(LOG_ERR, "bdump_send: get_tgt failed");
+	    cleanup(server);
+	    return;
+	}
+ 
+	retval = krb5_build_principal(Z_krb5_ctx, &principal, 
+				      strlen(ZGetRealm()),
+				      ZGetRealm(),
+				      SERVER_KRB5_SERVICE, SERVER_INSTANCE,
+				      0); 
+	if (retval) {
+	    syslog(LOG_ERR, "bdump_send: krb5_build_principal: %s", error_message(retval));
+	    cleanup(server);
+	    return;
+	}
 	
+
+	retval = krb5_auth_con_init(Z_krb5_ctx, &actx);
+	if (retval) {
+	    syslog(LOG_ERR, "bdump_send: krb5_auth_con_init: %s", error_message(retval));
+	    cleanup(server);
+	    return;
+	}
+
+	/* Get the "client" krb_ap_req */
+
+	memset((char *)&data, 0, sizeof(krb5_data));
+	retval = GetKrb5Data(live_socket, &data);
+	if (retval) {
+	     syslog(LOG_ERR, "bdump_send: cannot get auth response: %s",
+	            error_message(retval)); 
+	     krb5_auth_con_free(Z_krb5_ctx, actx);
+	     cleanup(server);
+	     return;
+	}
+
+
+	/* resolve keytab */
+	retval = krb5_kt_resolve(Z_krb5_ctx, keytab_file, &kt);
+	if (retval) {
+	    syslog(LOG_ERR, "bdump_send: cannot resolve keytab: %s", 
+		   error_message(retval));
+	    krb5_auth_con_free(Z_krb5_ctx, actx);
+	    krb5_kt_close(Z_krb5_ctx, kt);
+	    cleanup(server);
+	    return;
+	}
+
+	retval = krb5_rd_req(Z_krb5_ctx, &actx, &data, principal, kt, NULL, NULL);
+	krb5_free_principal(Z_krb5_ctx, principal);
+	krb5_kt_close(Z_krb5_ctx, kt);
+	free(data.data);
+	memset((char *)&data, 0, sizeof(krb5_data));
+	if (retval) {
+	     syslog(LOG_ERR, "bdump_send: mutual authentication failed: %s",
+	            error_message(retval));
+	     krb5_auth_con_free(Z_krb5_ctx, actx);
+	     cleanup(server);
+	     return;
+	}
+
+	/* Now send back our auth packet */
+
+	memset((char *)&data, 0, sizeof(krb5_data));
+	retval = krb5_mk_rep(Z_krb5_ctx, actx, &data);
+	if (retval) {
+	    syslog(LOG_ERR, "bdump_send: krb5_mk_rep: %s", error_message(retval));
+	    krb5_auth_con_free(Z_krb5_ctx, actx);
+	    cleanup(server);
+	    return;
+	}
+	retval = SendKrb5Data(live_socket, &data);
+	if (retval) {
+	     syslog(LOG_ERR, "bdump_send: cannot send authenticator: %s",
+	            error_message(retval));
+	     krb5_free_data_contents(Z_krb5_ctx, &data);
+	     krb5_auth_con_free(Z_krb5_ctx, actx);
+	     cleanup(server);
+	     return;
+	}    
+	krb5_free_data_contents(Z_krb5_ctx, &data);
     }
 #else  /* HAVE_KRB5 */  
 #ifdef HAVE_KRB4
@@ -464,6 +587,7 @@ bdump_get_v12 (notice, auth, who, server)
 
 #ifdef HAVE_KRB5
     if (get_tgt()) {
+	syslog(LOG_ERR, "bdump_get: get_tgt failed"); 
 	cleanup(server);
 	return;
     }
@@ -810,7 +934,7 @@ get_tgt()
 #ifndef NOENCRYPTION
     Sched *s;
 #endif
-	
+    
     /* have they expired ? */
     if (ticket_time < NOW - tkt_lifetime(TKTLIFETIME) + (15L * 60L)) {
 	/* +15 for leeway */
@@ -1032,7 +1156,7 @@ bdump_recv_loop(server)
 		    /* ****ing netascii; this is an encrypted DES keyblock
 		       XXX this code should be conditionalized for server
 		       transitions   */
-		    retval = krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC,
+		    retval = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC,
 						sizeof(C_Block),
 						&client->session_keyblock);
 		    if (retval) {
@@ -1045,7 +1169,7 @@ bdump_recv_loop(server)
 			syslog(LOG_ERR,"brl bad cblk read: %s (%s)",
 			       error_message(retval), cp);
 		    } else {
-			des_ecb_encrypt(cblock, client->session_keyblock->contents,
+			des_ecb_encrypt(cblock, Z_keydata(client->session_keyblock),
 					serv_ksched.s, DES_DECRYPT);
 		    }
 		} else if (*cp == 'Z') { /* Zcode! Long live the new flesh! */
@@ -1054,17 +1178,17 @@ bdump_recv_loop(server)
 			syslog(LOG_ERR,"brl bad cblk read: %s (%s)",
 			       error_message(retval), cp);
 		    } else {
-			retval = krb5_init_keyblock(Z_krb5_ctx,
+			retval = Z_krb5_init_keyblock(Z_krb5_ctx,
 						    ntohl(*(krb5_enctype *)&buf[0]),
-						    ntohl(*(krb5_ui_4 *)&buf[4]),
+						    ntohl(*(u_int32_t *)&buf[4]),
 						    &client->session_keyblock);
 			if (retval) {
 			    syslog(LOG_ERR, "brl failed to allocate keyblock: %s",
 				   error_message(retval));
 			    return retval;
 			}
-			memcpy(client->session_keyblock->contents, &buf[8],
-			       client->session_keyblock->length);
+			memcpy(Z_keydata(client->session_keyblock), &buf[8],
+			       Z_keylen(client->session_keyblock));
 		    }
 		}
 	    }
diff --git a/server/kstuff.c b/server/kstuff.c
index b4b48d7..a36afde 100644
--- a/server/kstuff.c
+++ b/server/kstuff.c
@@ -165,7 +165,7 @@ Code_t
 SendKrb5Data(int fd, krb5_data *data) {
     char p[32];
     int written, size_to_write;
-    sprintf(p, "V5-%d", data->length);
+    sprintf(p, "V5-%d ", data->length);
     size_to_write = strlen (p);
     if (size_to_write != (written = write(fd, p, size_to_write)) ||
         data->length != (written = write(fd, data->data, data->length))) {
@@ -409,7 +409,7 @@ ZCheckRealmAuthentication(notice, from, realm)
         krb5_free_keyblock(Z_krb5_ctx, keyblock);
         krb5_auth_con_free(Z_krb5_ctx, authctx);
         krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
-        return ZAUTH_NO; 
+        return ZAUTH_FAILED; 
     } 
     /* HOLDING: authctx, authenticator, cksumbuf.data */ 
  
@@ -694,7 +694,7 @@ ZCheckAuthentication(notice, from)
         krb5_free_keyblock(Z_krb5_ctx, keyblock);
         krb5_auth_con_free(Z_krb5_ctx, authctx);
         krb5_free_authenticator(Z_krb5_ctx, KRB5AUTHENT);
-        return ZAUTH_NO; 
+        return ZAUTH_FAILED; 
     } 
     /* HOLDING: authctx, authenticator, cksumbuf.data */ 
  
@@ -847,6 +847,46 @@ static ZChecksum_t compute_rlm_checksum(notice, session_key)
 }
 
 #ifdef HAVE_KRB5
+krb5_error_code 
+Z_krb5_init_keyblock(krb5_context context,
+	krb5_enctype type,
+	size_t size,
+	krb5_keyblock **key)
+{
+#ifdef HAVE_KRB5_CREDS_KEYBLOCK_ENCTYPE
+	return krb5_init_keyblock(context, type, size, key);
+#else
+	krb5_error_code ret;
+	krb5_keyblock *tmp, tmp_ss;
+	tmp = &tmp_ss;
+
+	*key = NULL;
+	Z_enctype(tmp) = type;
+	Z_keylen(tmp) = size;
+	Z_keydata(tmp) = malloc(size);
+	if (!Z_keydata(tmp))
+		return ENOMEM;
+	ret =  krb5_copy_keyblock(context, tmp, key);
+	free(Z_keydata(tmp));
+	return ret;
+#endif
+}
+
+#if 0
+void ZLogKey(char *label, krb5_keyblock *keyblock) {
+   char *p, *buf;
+   unsigned char *k;
+   int i;
+   buf = malloc(5 *Z_keylen(keyblock)+1);
+
+   k=Z_keydata(keyblock);
+   for (i=0,p=buf; i < Z_keylen(keyblock); i++,p+=strlen(p))
+       sprintf(p, " 0x%02x", k[i]);
+   syslog(LOG_ERR, "key %s is type %d, %d bytes, %s", label, Z_enctype(keyblock), Z_keylen(keyblock), buf);
+   free(buf);
+}
+#endif
+
 void
 ZSetSession(krb5_keyblock *keyblock) {
 #if 1
@@ -871,39 +911,18 @@ void
 ZSetSessionDES(C_Block *key) {
 #ifdef HAVE_KRB5
      Code_t result;
-#ifdef HAVE_KRB5_INIT_KEYBLOCK
      if (__Zephyr_keyblock) {
-          krb5_free_keyblock(__Zephyr_keyblock);
+          krb5_free_keyblock(Z_krb5_ctx, __Zephyr_keyblock);
           __Zephyr_keyblock=NULL;
      }
-     result = krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, 
-                                 sizeof(C_Block)
+     result = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, 
+                                 sizeof(C_Block),
                                  &__Zephyr_keyblock);
      if (result) /*XXX we're out of memory? */
 	return;
 
      memcpy(Z_keydata(__Zephyr_keyblock), key, sizeof(C_Block));
 #else
-     krb5_keyblock *tmp, tmp_ss;
-     tmp = &tmp_ss;
-     Z_keylen(tmp)=sizeof(C_Block);
-     Z_keydata(tmp)=key;
-#if HAVE_KRB5_CREDS_KEYBLOCK_ENCTYPE
-     tmp->enctype = ENCTYPE_DES_CBC_CRC;
-#else
-     tmp->keytype = KEYTYPE_DES;
-#endif
-    if (__Zephyr_keyblock) {
-         krb5_free_keyblock_contents(Z_krb5_ctx, __Zephyr_keyblock);
-         result = krb5_copy_keyblock_contents(Z_krb5_ctx, tmp, 
-                                              __Zephyr_keyblock);
-    } else {
-         result = krb5_copy_keyblock(Z_krb5_ctx, tmp, &__Zephyr_keyblock);
-    }
-     if (result) /*XXX we're out of memory? */
-          ;
-#endif
-#else
     memcpy(__Zephyr_session, key, sizeof(C_Block));
 #endif
 }
diff --git a/server/realm.c b/server/realm.c
index e8801a4..24c91e1 100644
--- a/server/realm.c
+++ b/server/realm.c
@@ -240,6 +240,7 @@ realm_send_realms()
 	if (retval = (subscr_send_realm_subs(&otherrealms[cnt])) != ZERR_NONE)
 	    return(retval);
     }
+    return ZERR_NONE;
 }
 
 int
@@ -1137,7 +1138,7 @@ realm_sendit_auth(notice, who, auth, realm, ack_to_sender)
     retval = ZMakeZcodeRealmAuthentication(&newnotice, buffer, buffer_len,
 					   &hdrlen, realm->name);
     if (retval != ZERR_NONE) {
-	syslog(LOG_WARNING, "rlm_sendit_auth set addr: %s", 
+	syslog(LOG_WARNING, "rlm_sendit_auth make zcksum: %s", 
 	       error_message(retval));
 	return (retval);
     }
diff --git a/server/server.c b/server/server.c
index c2c6421..ebb420f 100644
--- a/server/server.c
+++ b/server/server.c
@@ -1381,11 +1381,7 @@ server_forward(notice, auth, who)
 	    syslog(LOG_CRIT, "srv_fwd malloc");
 	    abort();
 	}
-	if (realm_which_realm(who)) {
-	  retval = ZNewFormatSmallRawNotice(notice, pack, &packlen);
-	} else {
-	  retval = ZFormatSmallRawNotice(notice, pack, &packlen);
-	}
+	retval = ZNewFormatSmallRawNotice(notice, pack, &packlen);
 	if (retval != ZERR_NONE) {
 	    syslog(LOG_WARNING, "srv_fwd format: %s", error_message(retval));
 	    continue;
diff --git a/server/subscr.c b/server/subscr.c
index 49d3211..08d692a 100644
--- a/server/subscr.c
+++ b/server/subscr.c
@@ -861,27 +861,27 @@ subscr_send_subs(client)
 
 #ifdef HAVE_KRB5
 #ifdef HAVE_KRB4 /* XXX make this optional for server transition time */
-    if (client->session_keyblock->enctype == ENCTYPE_DES_CBC_CRC) {
-	bufp = malloc(client->session_keyblock->length);
+    if (Z_enctype(client->session_keyblock) == ENCTYPE_DES_CBC_CRC) {
+	bufp = malloc(Z_keylen(client->session_keyblock));
 	if (bufp == NULL) {
 	    syslog(LOG_WARNING, "subscr_send_subs: cannot allocate memory for DES keyblock: %m");
 	    return errno;
 	}
-	des_ecb_encrypt(client->session_keyblock->contents, bufp, serv_ksched.s, DES_ENCRYPT);
-	retval = ZMakeAscii(buf, sizeof(buf), bufp, client->session_keyblock->length);
+	des_ecb_encrypt(Z_keydata(client->session_keyblock), bufp, serv_ksched.s, DES_ENCRYPT);
+	retval = ZMakeAscii(buf, sizeof(buf), bufp, Z_keylen(client->session_keyblock));
     } else {
 #endif
-	bufp = malloc(client->session_keyblock->length + 8); /* + enctype
+	bufp = malloc(Z_keylen(client->session_keyblock) + 8); /* + enctype
 								+ length */
 	if (bufp == NULL) {
 	    syslog(LOG_WARNING, "subscr_send_subs: cannot allocate memory for keyblock: %m");
 	    return errno;
 	}
-	*(krb5_enctype *)&bufp[0] = htonl(client->session_keyblock->enctype);
-	*(krb5_ui_4 *)&bufp[4] = htonl(client->session_keyblock->length);
-	memcpy(&bufp[8], client->session_keyblock->contents, client->session_keyblock->length);
+	*(krb5_enctype *)&bufp[0] = htonl(Z_enctype(client->session_keyblock));
+	*(u_int32_t *)&bufp[4] = htonl(Z_keylen(client->session_keyblock));
+	memcpy(&bufp[8], Z_keydata(client->session_keyblock), Z_keylen(client->session_keyblock));
 
-	retval = ZMakeZcode(buf, sizeof(buf), bufp, client->session_keyblock->length + 8);
+	retval = ZMakeZcode(buf, sizeof(buf), bufp, Z_keylen(client->session_keyblock) + 8);
 #ifdef HAVE_KRB4
     }
 #endif /* HAVE_KRB4 */
diff --git a/server/uloc.c b/server/uloc.c
index 66071cf..5d996c8 100644
--- a/server/uloc.c
+++ b/server/uloc.c
@@ -1090,6 +1090,11 @@ ulogin_relay_locate(notice, who)
   lnotice = *notice;
   lnotice.z_opcode = LOCATE_LOCATE;
   lnotice.z_kind = ACKED;
+  lnotice.z_auth = 0;
+  lnotice.z_authent_len = 0;
+  lnotice.z_ascii_authent = "";
+  lnotice.z_checksum = 0;
+  lnotice.z_ascii_checksum = "";
   
   if ((retval = ZFormatRawNotice(&lnotice, &pack, &packlen)) != ZERR_NONE) {
     syslog(LOG_WARNING, "ulog_relay_loc format: %s",
diff --git a/server/zserver.h b/server/zserver.h
index 981a000..07a0baa 100644
--- a/server/zserver.h
+++ b/server/zserver.h
@@ -38,6 +38,8 @@ extern krb5_keyblock *__Zephyr_keyblock;
 #define ZGetSession() (__Zephyr_keyblock)
 void ZSetSession(krb5_keyblock *keyblock);
 Code_t ZFormatAuthenticNoticeV5 __P((ZNotice_t*, char*, int, int*, krb5_keyblock *));
+krb5_error_code Z_krb5_init_keyblock(krb5_context, krb5_enctype, size_t,
+        krb5_keyblock **);
 #else
 extern C_Block __Zephyr_session;
 #define ZGetSession() (__Zephyr_session)