[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug-inetutils] Re: Telnet(d) support for new Kerberos 5 implementation
From: |
Simon Josefsson |
Subject: |
[bug-inetutils] Re: Telnet(d) support for new Kerberos 5 implementation |
Date: |
Tue, 06 Jan 2004 20:51:52 +0100 |
User-agent: |
Gnus/5.110002 (No Gnus v0.2) Emacs/21.3.50 (gnu/linux) |
Were there any objections to the last patch? To be able to work on
Shishi support in InetUtils more rapidly, we forked the InetUtils CVS
into <http://savannah.gnu.org/cgi-bin/viewcvs/shishi/inetutils/> some
months ago. I'd like to merge this back, and there hasn't been much
modifications to our repository for a while now, so this might be a
good time. Since the last patch was submitted here, Nicolas Pouvesle
has added Shishi support for rsh(d) too, as well as Shishi encryption
support for telnet(d).
Here is the current differences between our repositories. Feedback
and review appreciated -- I have barely read it myself.
During this patch, I discovered that GNU InetUtils does not support
RFC 2952 key derivation for telnet encryption (see FIXME below).
Adding that would be nice, and I need it for my AES-CCM encryption
support, so I have made some work on this on a separate branch, but it
is just a hack this far. If someone wants to implement it properly,
that would be useful.
Thanks,
Simon
diff -ur --exclude CVS inetutils/configure.ac
dopio-inetutils-shishi/configure.ac
--- inetutils/configure.ac 2003-05-25 01:36:45.000000000 +0200
+++ dopio-inetutils-shishi/configure.ac 2004-01-06 20:42:13.000000000 +0100
@@ -1,6 +1,6 @@
# Configuration for inetutils
#
-# Copyright (C) 1995, 1996, 1997, 1998, 2000, 2001, 2002 Free Software
Foundation, Inc.
+# Copyright (C) 1995, 1996, 1997, 1998, 2000, 2001, 2002, 2003 Free Software
Foundation, Inc.
#
# Written by Miles Bader <address@hidden>
#
@@ -33,7 +33,7 @@
# Include files that we link into our own include directory from headers.
# Initialize it with the things we always want to use.
INCLUDES="crypt.h arpa/telnet.h arpa/ftp.h arpa/tftp.h protocols/talkd.h
- tftpsubs.h"
+ tftpsubs.h shishi_def.h"
# Files that we link from somewhere other than headers to includes . The
# number of entries in LINK_SRCS should match that in LINK_DSTS.
@@ -63,6 +63,10 @@
AC_ARG_WITH(krb5, [ --with-krb5[[=PATH]] Compile with Kerberos V],
[KERBEROS_VERSION=5
KERBEROS_DIR=$withval])
+AC_ARG_WITH(shishi, AC_HELP_STRING([--with-shishi[[=PATH]]],
+ [Compile with Shishi (Kerberos 5)]),
+ [KERBEROS_VERSION=Shishi
+ KERBEROS_DIR=$withval])
AC_ARG_WITH(wrap, [ --with-wrap add tcp wrapper support])
AC_ARG_WITH(pam, [ --with-pam add support for PAM])
@@ -242,6 +246,7 @@
AH_TEMPLATE(KERBEROS, [Define to one if you have Kerberos])
AH_TEMPLATE(KRB4, [Define to one if you have Kerberos IV])
AH_TEMPLATE(KRB5, [Define to one if you have Kerberos V])
+ AH_TEMPLATE(SHISHI, [Define to 1 if you have Shishi])
AH_TEMPLATE(DES_ENCRYPTION, [FIXME])
if test "$KERBEROS_VERSION" = 4; then
@@ -261,7 +266,7 @@
test "$enable_encryption" = yes -a "$ac_cv_lib_des_des_key_sched" = yes \
&& AC_DEFINE(DES_ENCRYPTION)
fi
- else
+ elif test "$KERBEROS_VERSION" = 5; then
IU_CHECK_KRB5($KERBEROS_VERSION,$KERBEROS_DIR)
LIBAUTH=$KRB5_LIBS
INCAUTH=$KRB_CFLAGS
@@ -275,6 +280,22 @@
;;
esac
fi
+ else
+ if test x$KERBEROS_DIR != x; then
+ LIBAUTH=-L$KERBEROS_DIR/lib
+ INCAUTH=-I$KERBEROS_DIR/include
+ fi
+ LIBAUTH="$LIBAUTH -lshishi"
+ save_LIBS=$LIBS
+ LIBS="$LIBS $LIBAUTH"
+ save_CPPFLAGS=$CPPFLAGS
+ CPPFLAGS="$CPPFLAGS $INCAUTH"
+ AC_CHECK_HEADER(shishi.h,
+ AC_CHECK_LIB(shishi, shishi_check_version,
+ AC_DEFINE(SHISHI),
+ [INCAUTH= LIBAUTH=]))
+ LIBS=$save_LIBS
+ CPPFLAGS=$save_CPPFLAGS
fi
fi
AC_SUBST(LIBAUTH)
diff -ur --exclude CVS inetutils/.cvsignore dopio-inetutils-shishi/.cvsignore
--- inetutils/.cvsignore 2002-07-31 23:51:19.000000000 +0200
+++ dopio-inetutils-shishi/.cvsignore 2003-09-12 18:35:56.000000000 +0200
@@ -12,3 +12,5 @@
stamp-h.in
config.hin
autom4te.cache
+config.h
+stamp-*
diff -ur --exclude CVS inetutils/headers/Makefile.am
dopio-inetutils-shishi/headers/Makefile.am
--- inetutils/headers/Makefile.am 2002-04-29 23:25:20.000000000 +0200
+++ dopio-inetutils-shishi/headers/Makefile.am 2003-12-27 16:03:43.000000000
+0100
@@ -1,5 +1,5 @@
EXTRA_DIST = crypt.h err.h getopt.h obstack.h osockaddr.h paths.h poll.h \
- syslog-int.h tftpsubs.h confpaths.h.in stamp-h.in
+ syslog-int.h tftpsubs.h confpaths.h.in stamp-h.in shishi_def.h
dist-hook:
mkdir $(distdir)/arpa
Only in dopio-inetutils-shishi/headers: shishi_def.h
diff -ur --exclude CVS inetutils/libinetutils/kcmd.c
dopio-inetutils-shishi/libinetutils/kcmd.c
--- inetutils/libinetutils/kcmd.c 2000-07-06 06:21:07.000000000 +0200
+++ dopio-inetutils-shishi/libinetutils/kcmd.c 2003-09-18 14:50:07.000000000
+0200
@@ -36,7 +36,7 @@
#include <config.h>
#endif
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
#include <sys/param.h>
#include <sys/file.h>
@@ -46,9 +46,14 @@
#include <netinet/in.h>
#include <arpa/inet.h>
+#if defined(KERBEROS)
#include <kerberosIV/des.h>
#include <kerberosIV/krb.h>
#include <kerberosIV/kparse.h>
+#elif defined(SHISHI)
+#include <shishi.h>
+#include "shishi_def.h"
+#endif
#include <ctype.h>
#include <errno.h>
@@ -66,22 +71,44 @@
#define START_PORT 5120 /* arbitrary */
+#ifdef SHISHI
+#endif
+
int getport __P((int *));
+#if defined (KERBEROS)
int
kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, ticket, service, realm,
cred, schedule, msg_data, laddr, faddr, authopts)
+#elif defined(SHISHI)
+int
+kcmd(h,sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
+ key, laddr, faddr, authopts)
+ Shishi **h;
+#endif
int *sock;
char **ahost;
u_short rport;
- char *locuser, *remuser, *cmd;
+ char *locuser;
+#if defined (SHISHI)
+ char **remuser;
+#else
+ char *remuser;
+#endif
+ char *cmd;
int *fd2p;
+#if defined(KERBEROS)
KTEXT ticket;
+#endif
char *service;
char *realm;
+#if defined(KERBEROS)
CREDENTIALS *cred;
Key_schedule schedule;
MSG_DAT *msg_data;
+#elif defined(SHISHI)
+ Shishi_key **key;
+#endif
struct sockaddr_in *laddr, *faddr;
long authopts;
{
@@ -98,6 +125,9 @@
int rc;
char *host_save;
int status;
+#if defined(SHISHI)
+ int zero = 0;
+#endif
pid = getpid();
hp = gethostbyname(*ahost);
@@ -136,6 +166,7 @@
bcopy(hp->h_addr_list[0], (caddr_t)&sin.sin_addr, hp->h_length);
#endif
sin.sin_port = rport;
+
if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
break;
(void) close(s);
@@ -171,6 +202,7 @@
if (errno != ECONNREFUSED)
perror(hp->h_name);
sigsetmask(oldmask);
+
return (-1);
}
lport--;
@@ -220,6 +252,7 @@
/* (void) write(s, locuser, strlen(locuser)+1); */
/* set up the needed stuff for mutual auth, but only if necessary */
+#ifdef KERBEROS
if (authopts & KOPT_DO_MUTUAL) {
int sin_len;
*faddr = sin;
@@ -231,7 +264,7 @@
goto bad2;
}
}
-#ifdef KERBEROS
+
if ((status = krb_sendauth(authopts, s, ticket, service, *ahost,
realm, (unsigned long) getpid(), msg_data,
cred, schedule,
@@ -239,11 +272,32 @@
faddr,
"KCMDV0.1")) != KSUCCESS)
goto bad2;
-#endif /* KERBEROS */
+#elif defined(SHISHI)
+ if (authopts & SHISHI_APOPTIONS_MUTUAL_REQUIRED) {
+ int sin_len;
+ *faddr = sin;
+
+ sin_len = sizeof(struct sockaddr_in);
+ if (getsockname(s, (struct sockaddr *)laddr, &sin_len) < 0) {
+ perror("kcmd(getsockname)");
+ status = -1;
+ goto bad2;
+ }
+ }
+
+ if ((status = shishi_auth(h, 0, remuser, *ahost, s, cmd, rport, key,
realm)) != SHISHI_OK)
+ goto bad2;
- (void) write(s, remuser, strlen(remuser)+1);
+#endif /* SHISHI */
+
+ (void) write(s, *remuser, strlen(*remuser)+1);
(void) write(s, cmd, strlen(cmd)+1);
+#ifdef SHISHI
+ (void) write(s, *remuser, strlen(*remuser)+1);
+ (void) write(s, &zero, sizeof (int));
+#endif
+
if ((rc = read(s, &c, 1)) != 1) {
if (rc == -1)
perror(*ahost);
@@ -263,7 +317,11 @@
}
sigsetmask(oldmask);
*sock = s;
+#if defined(KERBEROS)
return (KSUCCESS);
+#elif defined(SHISHI)
+ return (SHISHI_OK);
+#endif
bad2:
if (lport)
(void) close(*fd2p);
diff -ur --exclude CVS inetutils/libinetutils/krcmd.c
dopio-inetutils-shishi/libinetutils/krcmd.c
--- inetutils/libinetutils/krcmd.c 2000-07-06 06:21:07.000000000 +0200
+++ dopio-inetutils-shishi/libinetutils/krcmd.c 2004-01-06 20:44:50.000000000
+0100
@@ -44,7 +44,7 @@
#include <config.h>
#endif
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
#include <sys/types.h>
#ifdef ENCRYPTION
#include <sys/socket.h>
@@ -52,16 +52,27 @@
#include <netinet/in.h>
+#ifdef KERBEROS
#include <kerberosIV/des.h>
#include <kerberosIV/krb.h>
+#elif defined(SHISHI)
+#include <shishi.h>
+#include "shishi_def.h"
+#endif
#include <stdio.h>
#define SERVICE_NAME "rcmd"
+#if defined(SHISHI)
+int kcmd __P((Shishi **,int *, char **, u_short, char *, char **, char *,
int *,
+ char *, char *, Shishi_key **, struct sockaddr_in *,
+ struct sockaddr_in *, long));
+#else
int kcmd __P((int *, char **, u_short, char *, char *, char *, int *,
KTEXT, char *, char *, CREDENTIALS *, Key_schedule, MSG_DAT *,
struct sockaddr_in *, struct sockaddr_in *, long));
+#endif
/*
* krcmd: simplified version of Athena's "kcmd"
@@ -69,6 +80,46 @@
* if fd2p is non-NULL, another socket is filled in for it
*/
+#if defined(SHISHI)
+int
+krcmd(h, ahost, rport, remuser, cmd, fd2p, realm)
+ Shishi **h;
+ char **ahost;
+ u_short rport;
+ char **remuser, *cmd;
+ int *fd2p;
+ char *realm;
+{
+ int sock = -1, err = 0;
+ long authopts = 0L;
+
+ err = kcmd(
+ h,
+ &sock,
+ ahost,
+ rport,
+ NULL, /* locuser not used */
+ remuser,
+ cmd,
+ fd2p,
+ SERVICE_NAME,
+ realm,
+ (Shishi_key **) NULL, /* key schedule not used */
+ (struct sockaddr_in *) NULL, /* local addr not used */
+ (struct sockaddr_in *) NULL, /* foreign addr not used */
+ authopts
+ );
+
+ if (err > SHISHI_OK) {
+ fprintf(stderr, "krcmd: %s\n", "error");
+ return(-1);
+ }
+ if (err < 0)
+ return(-1);
+ return(sock);
+}
+
+#elif defined(KERBEROS)
int
krcmd(ahost, rport, remuser, cmd, fd2p, realm)
char **ahost;
@@ -108,8 +159,53 @@
return(-1);
return(sock);
}
+#endif
#ifdef ENCRYPTION
+
+#if defined(SHISHI)
+int
+krcmd_mutual(h, ahost, rport, remuser, cmd, fd2p, realm, key)
+ Shishi **h;
+ char **ahost;
+ u_short rport;
+ char **remuser, *cmd;
+ int *fd2p;
+ char *realm;
+ Shishi_key **key;
+{
+ int sock = -1, err = 0;
+ struct sockaddr_in laddr, faddr;
+ long authopts = SHISHI_APOPTIONS_MUTUAL_REQUIRED;
+
+ err = kcmd(
+ h,
+ &sock,
+ ahost,
+ rport,
+ NULL, /* locuser not used */
+ remuser,
+ cmd,
+ fd2p,
+ SERVICE_NAME,
+ realm,
+ key, /* filled in */
+ &laddr, /* filled in */
+ &faddr, /* filled in */
+ authopts
+ );
+
+ if (err > SHISHI_OK) {
+ fprintf(stderr, "krcmd_mutual: %s\n", "error");
+ return(-1);
+ }
+
+ if (err < 0)
+ return (-1);
+ return(sock);
+}
+
+#elif defined(KERBEROS)
int
krcmd_mutual(ahost, rport, remuser, cmd, fd2p, realm, cred, sched)
char **ahost;
@@ -156,3 +252,4 @@
}
#endif /* CRYPT */
#endif /* KERBEROS */
+#endif /* KERBEROS */
Only in dopio-inetutils-shishi/libinetutils: krcmd.c.~1.5.~
diff -ur --exclude CVS inetutils/libinetutils/Makefile.am
dopio-inetutils-shishi/libinetutils/Makefile.am
--- inetutils/libinetutils/Makefile.am 2003-04-05 18:43:08.000000000 +0200
+++ dopio-inetutils-shishi/libinetutils/Makefile.am 2003-09-13
22:07:42.000000000 +0200
@@ -3,8 +3,9 @@
noinst_LIBRARIES = libinetutils.a
libinetutils_a_SOURCES = argcv.c cleansess.c daemon.c des_rw.c kcmd.c \
- krcmd.c localhost.c logwtmpko.c setsig.c tftpsubs.c ttymsg.c \
- xmalloc.c xstrdup.c xgetcwd.c utmp_init.c utmp_logout.c
+ krcmd.c localhost.c logwtmpko.c setsig.c shishi.c tftpsubs.c \
+ ttymsg.c xmalloc.c xstrdup.c xgetcwd.c utmp_init.c \
+ utmp_logout.c
# memcmp.c memcpy.c memmove.c memset.c
Only in dopio-inetutils-shishi/libinetutils: shishi.c
diff -ur --exclude CVS inetutils/libtelnet/auth.c
dopio-inetutils-shishi/libtelnet/auth.c
--- inetutils/libtelnet/auth.c 2002-12-06 17:10:07.000000000 +0100
+++ dopio-inetutils-shishi/libtelnet/auth.c 2003-09-12 18:28:55.000000000
+0200
@@ -126,6 +126,24 @@
spx_status,
spx_printsub },
#endif
+#ifdef SHISHI
+ { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+ krb5shishi_init,
+ krb5shishi_send,
+ krb5shishi_is,
+ krb5shishi_reply,
+ krb5shishi_status,
+ krb5shishi_printsub,
+ krb5shishi_cleanup },
+ { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
+ krb5shishi_init,
+ krb5shishi_send,
+ krb5shishi_is,
+ krb5shishi_reply,
+ krb5shishi_status,
+ krb5shishi_printsub,
+ krb5shishi_cleanup },
+#endif
#ifdef KRB5
# ifdef ENCRYPTION
{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
@@ -610,6 +628,8 @@
TN_Authenticator *ap;
int result;
{
+ if (ap && ap->cleanup)
+ (*ap->cleanup) (ap);
if (!(authenticated = ap))
authenticated = &NoAuth;
validuser = result;
diff -ur --exclude CVS inetutils/libtelnet/auth.h
dopio-inetutils-shishi/libtelnet/auth.h
--- inetutils/libtelnet/auth.h 2002-12-06 17:09:06.000000000 +0100
+++ dopio-inetutils-shishi/libtelnet/auth.h 2003-09-12 18:28:55.000000000
+0200
@@ -75,6 +75,7 @@
void (*reply) P((struct XauthP *, unsigned char *, int));
int (*status) P((struct XauthP *, char *, int));
void (*printsub) P((unsigned char *, int, unsigned char *, int));
+ void (*cleanup) P((struct XauthP *));
} TN_Authenticator;
#include "auth-proto.h"
diff -ur --exclude CVS inetutils/libtelnet/auth-proto.h
dopio-inetutils-shishi/libtelnet/auth-proto.h
--- inetutils/libtelnet/auth-proto.h 2002-12-06 17:09:06.000000000 +0100
+++ dopio-inetutils-shishi/libtelnet/auth-proto.h 2003-09-12
18:28:55.000000000 +0200
@@ -89,4 +89,14 @@
int kerberos5_status P((TN_Authenticator *, char *, int));
void kerberos5_printsub P((unsigned char *, int, unsigned char *, int));
#endif
+
+#ifdef SHISHI
+int krb5shishi_init P((TN_Authenticator *, int));
+int krb5shishi_send P((TN_Authenticator *));
+void krb5shishi_is P((TN_Authenticator *, unsigned char *, int));
+void krb5shishi_reply P((TN_Authenticator *, unsigned char *, int));
+int krb5shishi_status P((TN_Authenticator *, char *, int));
+void krb5shishi_printsub P((unsigned char *, int, unsigned char *, int));
+void krb5shishi_cleanup P((TN_Authenticator *));
+#endif
#endif
diff -ur --exclude CVS inetutils/libtelnet/enc_des.c
dopio-inetutils-shishi/libtelnet/enc_des.c
--- inetutils/libtelnet/enc_des.c 2000-07-06 06:21:08.000000000 +0200
+++ dopio-inetutils-shishi/libtelnet/enc_des.c 2003-12-13 14:15:47.000000000
+0100
@@ -37,7 +37,11 @@
#ifdef ENCRYPTION
# ifdef AUTHENTICATION
-# ifdef DES_ENCRYPTION
+# if defined (DES_ENCRYPTION) || defined (SHISHI)
+#ifdef SHISHI
+#include <shishi.h>
+extern Shishi * shishi_handle;
+#endif
#include <arpa/telnet.h>
#include <stdio.h>
#ifdef HAVE_STDLIB_H
@@ -74,7 +78,7 @@
Block str_output;
Block str_feed;
Block str_iv;
- Block str_ikey;
+ Block str_ikey;
Schedule str_sched;
int str_index;
int str_flagshift;
@@ -119,7 +123,18 @@
void fb64_stream_key P((Block, struct stinfo *));
int fb64_keyid P((int, unsigned char *, int *, struct fb *));
- void
+#ifdef SHISHI
+void shishi_des_ecb_encrypt (Shishi * h, const char key[8], const char * in,
char * out)
+{
+ char * tmp;
+
+ shishi_des (h, 0, key, NULL, NULL, in, 8, &tmp);
+ memcpy (out, tmp, 8);
+ free (tmp);
+}
+#endif
+
+void
cfb64_init(server)
int server;
{
@@ -215,9 +230,16 @@
/*
* Create a random feed and send it over.
*/
+#ifdef SHISHI
+ if (shishi_randomize (shishi_handle, 0,
+ fbp->temp_feed, 8) != SHISHI_OK)
+ return(FAILED);
+
+#else
des_new_random_key(fbp->temp_feed);
des_ecb_encrypt(fbp->temp_feed, fbp->temp_feed,
fbp->krbdes_sched, 1);
+#endif
p = fbp->fb_feed + 3;
*p++ = ENCRYPT_IS;
p++;
@@ -417,6 +439,7 @@
{
if (!key || key->type != SK_DES) {
+ /* FIXME: Support RFC 2952 approach instead of giving up here. */
if (encrypt_debug_mode)
printf("Can't set krbdes's session key (%d != %d)\r\n",
key ? key->type : -1, SK_DES);
@@ -428,10 +451,14 @@
fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
if (fbp->once == 0) {
+#ifndef SHISHI
des_set_random_generator_seed(fbp->krbdes_key);
+#endif
fbp->once = 1;
}
+#ifndef SHISHI
des_key_sched(fbp->krbdes_key, fbp->krbdes_sched);
+#endif
/*
* Now look to see if krbdes_start() was was waiting for
* the key to show up. If so, go ahead an call it now
@@ -552,7 +579,9 @@
memmove((void *)stp->str_iv, (void *)seed, sizeof(Block));
memmove((void *)stp->str_output, (void *)seed, sizeof(Block));
+#ifndef SHISHI
des_key_sched(stp->str_ikey, stp->str_sched);
+#endif
stp->str_index = sizeof(Block);
}
@@ -563,8 +592,9 @@
register struct stinfo *stp;
{
memmove((void *)stp->str_ikey, (void *)key, sizeof(Block));
+#ifndef SHISHI
des_key_sched(key, stp->str_sched);
-
+#endif
memmove((void *)stp->str_output, (void *)stp->str_iv, sizeof(Block));
stp->str_index = sizeof(Block);
@@ -604,7 +634,12 @@
while (c-- > 0) {
if (index == sizeof(Block)) {
Block b;
+#ifdef SHISHI
+ shishi_des_ecb_encrypt (shishi_handle,
fb[CFB].krbdes_key,
+ stp->str_output, b);
+#else
des_ecb_encrypt(stp->str_output, b, stp->str_sched, 1);
+#endif
memmove((void *)stp->str_feed, (void *)b,
sizeof(Block));
index = 0;
}
@@ -638,7 +673,12 @@
index = stp->str_index++;
if (index == sizeof(Block)) {
Block b;
+#ifdef SHISHI
+ shishi_des_ecb_encrypt (shishi_handle, fb[CFB].krbdes_key,
+ stp->str_output, b);
+#else
des_ecb_encrypt(stp->str_output, b, stp->str_sched, 1);
+#endif
memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
stp->str_index = 1; /* Next time will be 1 */
index = 0; /* But now use 0 */
@@ -680,7 +720,12 @@
while (c-- > 0) {
if (index == sizeof(Block)) {
Block b;
+#ifdef SHISHI
+ shishi_des_ecb_encrypt (shishi_handle,
fb[OFB].krbdes_key,
+ stp->str_feed, b);
+#else
des_ecb_encrypt(stp->str_feed, b, stp->str_sched, 1);
+#endif
memmove((void *)stp->str_feed, (void *)b,
sizeof(Block));
index = 0;
}
@@ -711,7 +756,12 @@
index = stp->str_index++;
if (index == sizeof(Block)) {
Block b;
+#ifdef SHISHI
+ shishi_des_ecb_encrypt (shishi_handle, fb[OFB].krbdes_key,
+ stp->str_feed, b);
+#else
des_ecb_encrypt(stp->str_feed, b, stp->str_sched, 1);
+#endif
memmove((void *)stp->str_feed, (void *)b, sizeof(Block));
stp->str_index = 1; /* Next time will be 1 */
index = 0; /* But now use 0 */
diff -ur --exclude CVS inetutils/libtelnet/encrypt.c
dopio-inetutils-shishi/libtelnet/encrypt.c
--- inetutils/libtelnet/encrypt.c 2000-07-06 06:21:08.000000000 +0200
+++ dopio-inetutils-shishi/libtelnet/encrypt.c 2003-09-26 17:16:56.000000000
+0200
@@ -104,7 +104,7 @@
static long remote_supports_decrypt = 0;
static Encryptions encryptions[] = {
-#ifdef DES_ENCRYPTION
+#if defined (DES_ENCRYPTION) || defined (SHISHI)
{ "DES_CFB64", ENCTYPE_DES_CFB64,
cfb64_encrypt,
cfb64_decrypt,
diff -ur --exclude CVS inetutils/libtelnet/encrypt.h
dopio-inetutils-shishi/libtelnet/encrypt.h
--- inetutils/libtelnet/encrypt.h 2000-07-06 06:21:08.000000000 +0200
+++ dopio-inetutils-shishi/libtelnet/encrypt.h 2003-12-13 13:45:43.000000000
+0100
@@ -94,6 +94,7 @@
} Encryptions;
#define SK_DES 1 /* Matched Kerberos v5 KEYTYPE_DES */
+#define SK_OTHER 2 /* Non-DES key. */
#include "enc-proto.h"
diff -ur --exclude CVS inetutils/libtelnet/Makefile.am
dopio-inetutils-shishi/libtelnet/Makefile.am
--- inetutils/libtelnet/Makefile.am 2002-04-08 16:02:39.000000000 +0200
+++ dopio-inetutils-shishi/libtelnet/Makefile.am 2003-09-12
18:28:55.000000000 +0200
@@ -4,6 +4,6 @@
noinst_LIBRARIES = libtelnet.a
-libtelnet_a_SOURCES = auth.c enc_des.c encrypt.c forward.c genget.c getent.c
kerberos.c kerberos5.c misc.c read_passwd.c
+libtelnet_a_SOURCES = auth.c enc_des.c encrypt.c forward.c genget.c getent.c
kerberos.c kerberos5.c misc.c read_passwd.c shishi.c
noinst_HEADERS = auth-proto.h auth.h enc-proto.h encrypt.h key-proto.h
misc-proto.h misc.h
Only in dopio-inetutils-shishi/libtelnet: shishi.c
diff -ur --exclude CVS inetutils/Makefile.am dopio-inetutils-shishi/Makefile.am
--- inetutils/Makefile.am 2002-12-11 14:20:22.000000000 +0100
+++ dopio-inetutils-shishi/Makefile.am 2003-10-11 15:22:10.000000000 +0200
@@ -1,6 +1,6 @@
AUTOMAKE_OPTIONS = 1.7
-EXTRA_DIST = README-alpha paths ChangeLog.0
+EXTRA_DIST = README-alpha README.shishi paths ChangeLog.0
SUBDIRS = headers libinetutils libtelnet glob \
inetd telnetd libls ftpd rshd rlogind uucpd rexecd syslogd tftpd \
diff -ur --exclude CVS inetutils/README dopio-inetutils-shishi/README
--- inetutils/README 2001-12-25 19:47:44.000000000 +0100
+++ dopio-inetutils-shishi/README 2003-09-12 18:28:55.000000000 +0200
@@ -47,6 +47,12 @@
install setuid root to work correctly they use priviledge ports
for communication.
+3) If both Kerberos 5 (MIT and Heimdal) and Shishi is specified, the
+applications that have been ported to use Shishi will use Shishi only,
+and the applications that have not been ported to use Shishi will use
+MIT or Heimdal Kerberos. If you want MIT or Heimdal instead of
+Shishi, don't specify --with-shishi.
+
Some known deficiencies:
o Many programs do not support long options, such as --version or --help.
o The authentication and encryption options have not been tested.
Only in dopio-inetutils-shishi/: README.shishi
diff -ur --exclude CVS inetutils/rlogin/rlogin.c
dopio-inetutils-shishi/rlogin/rlogin.c
--- inetutils/rlogin/rlogin.c 2003-04-05 18:58:47.000000000 +0200
+++ dopio-inetutils-shishi/rlogin/rlogin.c 2003-09-24 17:17:58.000000000
+0200
@@ -96,15 +96,35 @@
#include <varargs.h>
#endif
-#ifdef KERBEROS
-#include <kerberosIV/des.h>
-#include <kerberosIV/krb.h>
+#ifdef SHISHI
+#define REALM_SZ 1040
+#endif
+#if defined(KERBEROS) || defined(SHISHI)
+int use_kerberos = 1, doencrypt;
+# ifdef KERBEROS
+# include <kerberosIV/des.h>
+# include <kerberosIV/krb.h>
+char dest_realm_buf[REALM_SZ], *dest_realm = NULL;
CREDENTIALS cred;
Key_schedule schedule;
-int use_kerberos = 1, doencrypt;
+
+# elif defined(SHISHI)
+# include <shishi.h>
+# include "shishi_def.h"
char dest_realm_buf[REALM_SZ], *dest_realm = NULL;
+
+Shishi * handle;
+Shishi_key * key;
+shishi_ivector iv1, iv2;
+shishi_ivector * ivtab[2];
+
+int keytype;
+int keylen;
+int rc;
+int wlen;
#endif
+#endif /* KERBEROS */
/*
The TIOCPKT_* macros may not be implemented in the pty driver.
@@ -140,7 +160,7 @@
terminal. */
#define SPEED_NOTATTY (-1)
-int eight, rem;
+int eight=0, rem;
int noescape;
u_char escapechar = '~';
@@ -170,7 +190,11 @@
void lostpeer __P ((int));
void mode __P ((int));
void msg __P ((const char *));
+#ifdef SHISHI
+void oob __P ((char));
+#else
void oob __P ((int));
+#endif
int reader __P ((sigset_t *));
void sendwindow __P ((void));
void setsignal __P ((int));
@@ -182,13 +206,13 @@
void writer __P ((void));
void writeroob __P ((int));
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
void warning __P ((const char *, ...));
#endif
extern sig_t setsig __P ((int, sig_t));
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
#define OPTIONS "8EKde:k:l:xhV"
#else
#define OPTIONS "8EKde:l:hV"
@@ -202,7 +226,7 @@
{ "no-escape", no_argument, 0, 'E' },
{ "8-bit", no_argument, 0, '8' },
{ "kerberos", no_argument, 0, 'K' },
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
{ "realm", required_argument, 0, 'k' },
{ "encrypt", no_argument, 0, 'x' },
#endif
@@ -261,7 +285,7 @@
break;
case 'K':
-#ifdef KERBEROS
+#if defined (KERBEROS) || defined(SHISHI)
use_kerberos = 0;
#endif
break;
@@ -277,7 +301,7 @@
escapechar = getescape (optarg);
break;
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
case 'k':
strncpy (dest_realm_buf, optarg, sizeof dest_realm_buf);
/* Make sure it's null termintated. */
@@ -293,10 +317,12 @@
break;
#ifdef ENCRYPTION
-# ifdef KERBEROS
+# if defined(KERBEROS) || defined (SHISHI)
case 'x':
doencrypt = 1;
+# if defined(KERBEROS)
des_set_key (cred.session, schedule);
+#endif
break;
# endif
#endif
@@ -344,12 +370,10 @@
if (*host == '\0')
usage (1);
}
- if (!user)
- user = pw->pw_name;
}
sp = NULL;
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (use_kerberos)
{
sp = getservbyname ((doencrypt ? "eklogin" : "klogin"), "tcp");
@@ -361,7 +385,7 @@
}
}
#endif
-
+
/* Get the port number for the rlogin service. */
if (sp == NULL)
sp = getservbyname ("login", "tcp");
@@ -405,8 +429,8 @@
*/
setsig (SIGURG, copytochild);
setsig (SIGUSR1, writeroob);
-
-#ifdef KERBEROS
+
+#if defined (KERBEROS) || defined(SHISHI)
try_connect:
if (use_kerberos)
{
@@ -417,18 +441,80 @@
if (hp != NULL && !(host = strdup (hp->h_name)))
errx (1, "%s", strerror (ENOMEM));
+#if defined (KERBEROS)
rem = KSUCCESS;
errno = 0;
if (dest_realm == NULL)
dest_realm = krb_realmofhost (host);
+#elif defined (SHISHI)
+ rem = SHISHI_OK;
+ errno = 0;
+#endif
# ifdef ENCRYPTION
if (doencrypt)
+#if defined(SHISHI)
+ {
+ int i;
+
+ rem = krcmd_mutual (&handle, &host, sp->s_port, &user, term, 0,
+ dest_realm, &key);
+ if (rem > 0)
+ {
+ keytype = shishi_key_type (key);
+ keylen = shishi_cipher_blocksize (keytype);
+
+ ivtab[0] = &iv1;
+ ivtab[1] = &iv2;
+
+ for (i=0; i<2; i++)
+ {
+ ivtab[i]->ivlen = keylen;
+
+ switch (keytype)
+ {
+ case SHISHI_DES_CBC_CRC:
+ case SHISHI_DES_CBC_MD4:
+ case SHISHI_DES_CBC_MD5:
+ case SHISHI_DES_CBC_NONE:
+ case SHISHI_DES3_CBC_HMAC_SHA1_KD:
+ ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES;
+ ivtab[i]->iv = malloc (ivtab[i]->ivlen);
+ memset (ivtab[i]->iv, !i, ivtab[i]->ivlen);
+ ivtab[i]->ctx = shishi_crypto (handle, key,
ivtab[i]->keyusage, shishi_key_type (key),
+ ivtab[i]->iv,
ivtab[i]->ivlen);
+ break;
+ case SHISHI_ARCFOUR_HMAC:
+ case SHISHI_ARCFOUR_HMAC_EXP:
+ ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 2 + 4*i;
+ ivtab[i]->ctx = shishi_crypto (handle, key,
ivtab[i]->keyusage, shishi_key_type (key),
+ NULL, 0);
+ break;
+ default :
+ ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 2 + 4*i;
+ ivtab[i]->iv = malloc (ivtab[i]->ivlen);
+ memset (ivtab[i]->iv, 0, ivtab[i]->ivlen);
+ ivtab[i]->ctx = shishi_crypto (handle, key,
ivtab[i]->keyusage, shishi_key_type (key),
+ ivtab[i]->iv,
ivtab[i]->ivlen);
+ }
+ }
+ }
+ }
+
+ else
+#else
rem = krcmd_mutual (&host, sp->s_port, user, term, 0,
dest_realm, &cred, schedule);
else
+#endif
#endif /* CRYPT */
- rem = krcmd (&host, sp->s_port, user, term, 0, dest_realm);
+
+ rem = krcmd (
+#if defined (SHISHI)
+ &handle, &host, sp->s_port, &user, term, 0, dest_realm);
+#else
+ &host, sp->s_port, user, term, 0, dest_realm);
+#endif
if (rem < 0)
{
use_kerberos = 0;
@@ -442,16 +528,22 @@
goto try_connect;
}
}
+
else
{
# ifdef ENCRYPTION
if (doencrypt)
errx (1, "the -x flag requires Kerberos authentication.");
#endif /* CRYPT */
+ if (!user)
+ user = pw->pw_name;
+
rem = rcmd (&host, sp->s_port, pw->pw_name, user, term, 0);
}
#else
-
+ if (!user)
+ user = pw->pw_name;
+
rem = rcmd (&host, sp->s_port, pw->pw_name, user, term, 0);
#endif /* KERBEROS */
@@ -598,7 +690,7 @@
}
if (child == 0)
{
- mode (1);
+ mode (1);
if (reader (smask) == 0)
{
/* If the reader () return 0, the socket to the server returned an
@@ -635,6 +727,24 @@
on its end of the network connection. This should cause the server to
log you out on the remote system. */
msg ("closed connection.");
+
+#ifdef SHISHI
+ if (use_kerberos)
+ {
+ shishi_done (handle);
+#ifdef ENCRYPTION
+ if (doencrypt)
+ {
+ shishi_key_done (key);
+ shishi_crypto_close (iv1.ctx);
+ shishi_crypto_close (iv2.ctx);
+ free (iv1.iv);
+ free (iv2.iv);
+ }
+#endif
+ }
+#endif
+
done (0);
}
@@ -783,6 +893,10 @@
if (doencrypt)
des_write (rem, (char *)&escapechar, 1);
else
+#elif defined(SHISHI)
+ if (doencrypt)
+ writeenc (handle, rem, (char *)&escapechar, 1, &wlen, &iv2,
key, 2);
+ else
#endif
#endif
write (rem, &escapechar, 1);
@@ -798,6 +912,16 @@
break;
}
} else
+#elif defined(SHISHI)
+ if (doencrypt)
+ {
+ writeenc (handle, rem, &c, 1, &wlen, &iv2, key, 2);
+ if (wlen == 0)
+ {
+ msg ("line gone");
+ break;
+ }
+ } else
#endif
#endif
if (write (rem, &c, 1) == 0)
@@ -886,6 +1010,10 @@
if(doencrypt)
des_write (rem, obuf, sizeof obuf);
else
+#elif defined(SHISHI)
+ if(doencrypt)
+ writeenc (handle, rem, obuf, sizeof obuf, &wlen, &iv2, key, 2);
+ else
#endif
#endif
write (rem, obuf, sizeof obuf);
@@ -902,16 +1030,26 @@
int rcvcnt, rcvstate;
char rcvbuf[8 * 1024];
+#if defined(SHISHI)
+void
+oob (char mark)
+{
+ int signo;
+#else
void
oob (int signo)
{
+ char mark;
+#endif
struct termios tt;
int atmark, n, out, rcvd;
- char waste[BUFSIZ], mark;
+ char waste[BUFSIZ];
(void)signo;
out = O_RDWR;
rcvd = 0;
+
+#ifndef SHISHI
while (recv (rem, &mark, 1, MSG_OOB) < 0)
{
switch (errno)
@@ -940,6 +1078,7 @@
return;
}
}
+#endif
if (mark & TIOCPKT_WINDOW)
{
/* Let server know about window size changes */
@@ -1016,17 +1155,26 @@
setsig (SIGTTOU, SIG_IGN);
setsig (SIGURG, oob);
-
+
ppid = getppid ();
fcntl (rem, F_SETOWN, pid);
setjmp (rcvtop);
sigprocmask (SIG_SETMASK, smask, (sigset_t *) 0);
bufp = rcvbuf;
+
for (;;)
{
+#ifdef SHISHI
+ if ((rcvcnt >= 5) && (bufp[0] == '\377') && (bufp[1] == '\377'))
+ if ((bufp[2] == 'o') && (bufp[3] == 'o'))
+ {
+ oob (bufp[4]);
+ bufp += 5;
+ }
+#endif
while ((remaining = rcvcnt - (bufp - rcvbuf)) > 0)
{
- rcvstate = WRITING;
+ rcvstate = WRITING;
n = write (STDOUT_FILENO, bufp, remaining);
if (n < 0)
{
@@ -1045,6 +1193,10 @@
if (doencrypt)
rcvcnt = des_read (rem, rcvbuf, sizeof rcvbuf);
else
+#elif defined(SHISHI)
+ if (doencrypt)
+ readenc (handle, rem, rcvbuf, &rcvcnt, &iv1, key, 2);
+ else
#endif
#endif
rcvcnt = read (rem, rcvbuf, sizeof rcvbuf);
@@ -1058,9 +1210,7 @@
return -1;
}
}
-}
-
-void
+}void
mode (int f)
{
struct termios tt;
@@ -1114,7 +1264,7 @@
fprintf (stderr, "rlogin: %s\r\n", str);
}
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
/* VARARGS */
void
#if defined(HAVE_STDARG_H) && defined(__STDC__) && __STDC__
@@ -1146,7 +1296,7 @@
{
fprintf (stderr,
"Usage: rlogin [ -%s]%s[-e char] [ -l username ] address@hidden",
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
# ifdef ENCRYPTION
"8EKx", " [-k realm] "
# else
@@ -1174,7 +1324,7 @@
which is ``~'' by default");
puts ("\
-l, --user USER run as USER on the remote system");
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
puts ("\
-K, --kerberos turns off all Kerberos authentication");
puts ("\
diff -ur --exclude CVS inetutils/rlogind/rlogind.c
dopio-inetutils-shishi/rlogind/rlogind.c
--- inetutils/rlogind/rlogind.c 2003-04-05 19:03:39.000000000 +0200
+++ dopio-inetutils-shishi/rlogind/rlogind.c 2003-10-07 20:35:53.000000000
+0200
@@ -101,21 +101,28 @@
#define TTYDEF_LFLAG (ECHO | ICANON | ISIG | IEXTEN | ECHOE|ECHOKE|ECHOCTL)
#endif
+#define AUTH_KERBEROS_SHISHI 1
#define AUTH_KERBEROS_4 4
#define AUTH_KERBEROS_5 5
-#ifdef KERBEROS
-# define SECURE_MESSAGE "This rlogin session is using DES encryption for all
transmissions.\r\n"
+#if defined(KERBEROS) || defined(SHISHI)
# ifdef KRB4
+# define SECURE_MESSAGE "This rlogin session is using DES encryption for all
transmissions.\r\n"
# include <kerberosIV/des.h>
# include <kerberosIV/krb.h>
# define kerberos_error_string(c) krb_err_txt[c]
# define AUTH_KERBEROS_DEFAULT AUTH_KERBEROS_4
# elif defined(KRB5)
+# define SECURE_MESSAGE "This rlogin session is using DES encryption for all
transmissions.\r\n"
# include <krb5.h>
# include <kerberosIV/krb.h>
# define kerberos_error_string(c) error_message (c)
# define AUTH_KERBEROS_DEFAULT AUTH_KERBEROS_5
+# elif defined(SHISHI)
+# define SECURE_MESSAGE "This rlogin session is using encryption for all
transmissions.\r\n"
+# include <shishi.h>
+# include "shishi_def.h"
+# define AUTH_KERBEROS_DEFAULT AUTH_KERBEROS_SHISHI
# endif
#endif /* KERBEROS */
@@ -130,6 +137,7 @@
extern int __check_rhosts_file;
+#ifndef SHISHI
struct auth_data
{
struct sockaddr_in from;
@@ -148,6 +156,7 @@
#endif
#endif
};
+#endif
static const char *short_options = "aD::d::hk::L:lnp:orxV";
static struct option long_options[] =
@@ -171,7 +180,7 @@
int allow_root = 0;
int verify_hostname = 0;
int keepalive = 1;
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
int kerberos = 0;
#ifdef ENCRYPTION
int encrypt_io = 0;
@@ -199,7 +208,7 @@
int do_rlogin __P ((int infd, struct auth_data *ap));
int do_krb_login __P ((int infd, struct auth_data *ap, const char **msg));
void getstr __P ((int infd, char **ptr, const char *prefix));
-void protocol __P ((int f, int p));
+void protocol __P ((int f, int p, struct auth_data *ap));
int control __P ((int pty, char *cp, size_t n));
RETSIGTYPE cleanup __P ((int signo));
void fatal __P ((int f, const char *msg, int syserr));
@@ -220,26 +229,40 @@
#define MODE_INETD 0
#define MODE_DAEMON 1
-#if defined(KERBEROS) && defined(ENCRYPTION)
+#if defined(KERBEROS) && defined (ENCRYPTION)
# define ENCRYPT_IO encrypt_io
# define IF_ENCRYPT(stmt) if (encrypt_io) stmt
# define IF_NOT_ENCRYPT(stmt) if (!encrypt_io) stmt
-# define ENC_READ(c, fd, buf, size) \
+# define ENC_READ(c, fd, buf, size, ap) \
if (encrypt_io) \
c = des_read(fd, buf, size); \
else \
c = read(fd, buf, size);
-# define ENC_WRITE(c, fd, buf, size) \
+# define EN_WRITE(c, fd, buf, size, ap) \
if (encrypt_io) \
c = des_write(fd, buf, size); \
else \
c = write(fd, buf, size);
+#elif defined(SHISHI) && defined (ENCRYPTION)
+# define ENCRYPT_IO encrypt_io
+# define IF_ENCRYPT(stmt) if (encrypt_io) stmt
+# define IF_NOT_ENCRYPT(stmt) if (!encrypt_io) stmt
+# define ENC_READ(c, fd, buf, size, ap) \
+ if (encrypt_io) \
+ readenc (ap->h, fd, buf, &c, &ap->iv1, ap->enckey, ap->protocol); \
+ else \
+ c = read(fd, buf, size);
+# define ENC_WRITE(c, fd, buf, size, ap) \
+ if (encrypt_io) \
+ writeenc (ap->h, fd, buf, size, &c, &ap->iv2, ap->enckey, ap->protocol); \
+ else \
+ c = write(fd, buf, size);
#else
# define ENCRYPT_IO 0
# define IF_ENCRYPT(stmt)
# define IF_NOT_ENCRYPT(stmt) stmt
-# define ENC_READ(c, fd, buf, size) c = read (fd, buf, size)
-# define ENC_WRITE(c, fd, buf, size) c = write (fd, buf, size)
+# define ENC_READ(c, fd, buf, size, ap) c = read (fd, buf, size)
+# define ENC_WRITE(c, fd, buf, size, ap) c = write (fd, buf, size)
#endif
int
@@ -284,7 +307,7 @@
keepalive = 0;
break;
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
case 'k':
if (optarg)
{
@@ -339,7 +362,7 @@
if (!local_domain_name)
{
- char *p = localhost ();
+ char *p = (char *)localhost ();
if (!p)
{
@@ -363,6 +386,7 @@
else
exit (rlogind_mainloop (fileno (stdin), fileno (stdout)));
+
/* To pacify lint */
return 0;
}
@@ -470,6 +494,9 @@
struct hostent *hp;
char *hostname;
int authenticated = 0;
+#ifdef SHISHI
+ int len, c;
+#endif
confirmed = 0;
@@ -506,7 +533,7 @@
}
}
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (kerberos)
{
const char *err_msg;
@@ -566,9 +593,12 @@
write (fd, "", 1);
confirmed = 1; /* we sent the null! */
}
-
+#ifdef SHISHI
+ len = sizeof (SECURE_MESSAGE) - 1;
+ IF_ENCRYPT (writeenc (ap->h, fd, SECURE_MESSAGE, len, &c, &ap->iv2,
ap->enckey, ap->protocol));
+#else
IF_ENCRYPT (des_write (fd, SECURE_MESSAGE, sizeof (SECURE_MESSAGE) - 1));
-
+#endif
return authenticated;
}
@@ -728,9 +758,30 @@
ioctl (master, TIOCPKT, &true);
netf = infd; /* Needed for cleanup() */
signal (SIGCHLD, cleanup);
- protocol (infd, master);
+ protocol (infd, master, &auth_data);
signal (SIGCHLD, SIG_IGN);
cleanup (0);
+
+#ifdef SHISHI
+ if (kerberos)
+ {
+ int i;
+
+ shishi_done (auth_data.h);
+#ifdef ENCRYPTION
+ if (encrypt_io)
+ {
+ shishi_key_done (auth_data.enckey);
+ for (i = 0; i < 2; i++)
+ {
+ shishi_crypto_close (auth_data.ivtab[i]->ctx);
+ free (auth_data.ivtab[i]->iv);
+ }
+ }
+#endif
+ }
+#endif
+
return 0;
}
@@ -765,7 +816,7 @@
return rc;
}
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
int
do_krb_login (int infd, struct auth_data *ap, const char **err_msg)
{
@@ -776,14 +827,24 @@
if (kerberos == AUTH_KERBEROS_5)
rc = do_krb5_login (infd, ap, err_msg);
else
+#elif defined(SHISHI)
+ if (kerberos == AUTH_KERBEROS_SHISHI)
+ rc = do_shishi_login (infd, ap, err_msg);
+ else
+#else
+ rc = do_krb4_login (infd, ap, err_msg);
#endif
- rc = do_krb4_login (infd, ap, err_msg);
-
+
if (rc && !err_msg)
+#if defined(SHISHI)
+ *err_msg = shishi_strerror (rc);
+#else
*err_msg = kerberos_error_string (rc);
+#endif
return rc;
}
+#ifdef KRB4
int
do_krb4_login (int infd, struct auth_data *ap, const char **err_msg)
{
@@ -859,6 +920,7 @@
return 0;
}
+#endif
#ifdef KRB5
int
@@ -958,6 +1020,151 @@
}
#endif
+
+#ifdef SHISHI
+int
+do_shishi_login (int infd, struct auth_data *ad, const char **err_msg)
+{
+ int rc;
+ int error = 0;
+ int keylen, keytype;
+ struct passwd *pwd = NULL;
+ int cksumtype, cksumlen = 30;
+ char cksum[30];
+ char * compcksum;
+ size_t compcksumlen;
+ char cksumdata[100];
+ struct sockaddr_in sock;
+ size_t socklen = sizeof (struct sockaddr_in);
+
+#ifdef ENCRYPTION
+ rc = get_auth (infd, &ad->h, &ad->ap, &ad->enckey, err_msg, &ad->protocol,
+ &cksumtype, cksum, &cksumlen);
+#else
+ rc = get_auth (infd, &ad->h, &ad->ap, NULL, err_msg, &ad->protocol,
+ &cksumtype, cksum, &cksumlen);
+#endif
+ if (rc != SHISHI_OK)
+ return rc;
+
+#ifdef ENCRYPTION
+ /* init IV */
+ if (encrypt_io)
+ {
+ int i;
+ char *iv;
+
+ ad->ivtab[0] = &ad->iv1;
+ ad->ivtab[1] = &ad->iv2;
+
+ keytype = shishi_key_type (ad->enckey);
+ keylen = shishi_cipher_blocksize (keytype);
+
+ for (i=0; i<2; i++)
+ {
+ ad->ivtab[i]->ivlen = keylen;
+
+ switch (keytype)
+ {
+ case SHISHI_DES_CBC_CRC:
+ case SHISHI_DES_CBC_MD4:
+ case SHISHI_DES_CBC_MD5:
+ case SHISHI_DES_CBC_NONE:
+ case SHISHI_DES3_CBC_HMAC_SHA1_KD:
+ ad->ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES;
+ ad->ivtab[i]->iv = malloc (ad->ivtab[i]->ivlen);
+ memset (ad->ivtab[i]->iv, i, ad->ivtab[i]->ivlen);
+ ad->ivtab[i]->ctx = shishi_crypto (ad->h, ad->enckey,
ad->ivtab[i]->keyusage, shishi_key_type (ad->enckey),
+ ad->ivtab[i]->iv,
ad->ivtab[i]->ivlen);
+ break;
+ case SHISHI_ARCFOUR_HMAC:
+ case SHISHI_ARCFOUR_HMAC_EXP:
+ ad->ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 6 - 4*i;
+ ad->ivtab[i]->ctx = shishi_crypto (ad->h, ad->enckey,
ad->ivtab[i]->keyusage, shishi_key_type (ad->enckey),
+ NULL, 0);
+ break;
+ default :
+ ad->ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 6 - 4*i;
+ ad->ivtab[i]->iv = malloc (ad->ivtab[i]->ivlen);
+ memset (ad->ivtab[i]->iv, 0, ad->ivtab[i]->ivlen);
+ if (ad->protocol == 2)
+ ad->ivtab[i]->ctx = shishi_crypto (ad->h, ad->enckey,
ad->ivtab[i]->keyusage, shishi_key_type (ad->enckey),
+ ad->ivtab[i]->iv,
ad->ivtab[i]->ivlen);
+ }
+ }
+ }
+#endif
+
+ getstr (infd, &ad->lusername, NULL);
+ getstr (infd, &ad->term, "TERM=");
+ getstr (infd, &ad->rusername, NULL);
+
+ rc = read (infd, &error, sizeof (int));
+ if ((rc != sizeof (int)) && rc)
+ {
+ free (pwd);
+ return 1;
+ }
+
+ /*
+ getpwnam crash !!!!
+
+ pwd = getpwnam (ad->lusername);
+ if (pwd == NULL)
+ {
+ *err_msg = "getpwnam failed";
+ syslog (LOG_ERR, "getpwnam failed: %m");
+ return 1;
+ }
+
+ syslog (LOG_INFO | LOG_AUTH,
+ "%sKerberos V login from %s on %s\n",
+ (pwd->pw_uid == 0) ? "ROOT " : "",
+ ad->lusername, ad->hostname);
+
+ */
+
+ free (pwd);
+
+ syslog (LOG_INFO | LOG_AUTH,
+ "Kerberos V login from %s on %s\n",
+ ad->lusername, ad->hostname);
+
+ /* verify checksum */
+
+ if (getsockname (infd, (struct sockaddr *)&sock, &socklen) < 0)
+ {
+ syslog (LOG_ERR, "Can't get sock name");
+ fatal (infd, "Can't get sockname", 1);
+ }
+
+ snprintf (cksumdata, 100, "%u:%s%s", ntohs(sock.sin_port), ad->term + 5,
ad->lusername);
+ rc = shishi_checksum (ad->h, ad->enckey, 0, cksumtype, cksumdata,
+ strlen (cksumdata), &compcksum, &compcksumlen);
+ if ((rc != SHISHI_OK) || (compcksumlen != cksumlen) || (memcmp (compcksum,
cksum, cksumlen) != 0))
+ {
+ /* err_msg crash ? */
+ /* *err_msg = "checksum verify failed"; */
+ syslog (LOG_ERR, "checksum verify failed: %s", shishi_error (ad->h));
+ free (compcksum);
+ return 1;
+ }
+
+ free (compcksum);
+
+ rc = shishi_authorized_p (ad->h, shishi_ap_tkt (ad->ap), ad->lusername);
+ if (!rc)
+ {
+ syslog (LOG_ERR, "User is not authorized to log in as: %s",
ad->lusername);
+ shishi_ap_done (ad->ap);
+ return 1;
+ }
+
+ shishi_ap_done (ad->ap);
+
+ return SHISHI_OK;
+}
+#endif
#endif
#define BUFFER_SIZE 128
@@ -1018,9 +1225,12 @@
char magic[2] = {0377, 0377};
char oobdata[] = {TIOCPKT_WINDOW}; /* May be modified by protocol/control */
+#ifdef SHISHI
+char oobdata_new[] = {0377, 0377, 'o', 'o', TIOCPKT_WINDOW};
+#endif
void
-protocol (int f, int p)
+protocol (int f, int p, struct auth_data *ap)
{
char fibuf[1024], *pbp = NULL, *fbp = NULL;
int pcc = 0, fcc = 0;
@@ -1036,6 +1246,13 @@
* (our controlling tty is the master pty).
*/
signal (SIGTTOU, SIG_IGN);
+#ifdef SHISHI
+ if (kerberos && (ap->protocol == 2))
+ {
+ ENC_WRITE (n, f, oobdata_new, 5, ap);
+ }
+ else
+#endif
send (f, oobdata, 1, MSG_OOB); /* indicate new rlogin */
if (f > p)
nfd = f + 1;
@@ -1107,7 +1324,7 @@
if (FD_ISSET (f, &ibits))
{
- ENC_READ (fcc, f, fibuf, sizeof (fibuf));
+ ENC_READ (fcc, f, fibuf, sizeof (fibuf), ap);
if (fcc < 0 && errno == EWOULDBLOCK)
fcc = 0;
@@ -1115,7 +1332,7 @@
{
register char *cp;
int left;
-
+
if (fcc <= 0)
break;
fbp = fibuf;
@@ -1186,7 +1403,7 @@
if ((FD_ISSET (f, &obits)) && pcc > 0)
{
- ENC_WRITE (cc, f, pbp, pcc);
+ ENC_WRITE (cc, f, pbp, pcc, ap);
if (cc < 0 && errno == EWOULDBLOCK)
{
@@ -1304,8 +1521,8 @@
" -l, --no-rhosts Ignore .rhosts file\n"
" -L, --local-domain=NAME Set local domain name\n"
" -n, --no-keepalive Do not set SO_KEEPALIVE\n"
-#ifdef KERBEROS
-" -k, --kerberos Use kerberos IV authentication\n"
+#if defined(KERBEROS) || defined(SHISHI)
+" -k, --kerberos Use kerberos IV/V authentication\n"
#ifdef ENCRYPTION
" -x, --encrypt Use DES encryption\n"
#endif /* ENCRYPTION */
diff -ur --exclude CVS inetutils/rsh/rsh.c dopio-inetutils-shishi/rsh/rsh.c
--- inetutils/rsh/rsh.c 2003-04-05 18:58:47.000000000 +0200
+++ dopio-inetutils-shishi/rsh/rsh.c 2003-09-24 23:30:35.000000000 +0200
@@ -70,16 +70,36 @@
# include <sys/select.h>
#endif
-#ifdef KERBEROS
-#include <kerberosIV/des.h>
-#include <kerberosIV/krb.h>
+#ifdef SHISHI
+#define REALM_SZ 1040
+#endif
+#if defined(KERBEROS) || defined(SHISHI)
+int use_kerberos = 1, doencrypt;
+# ifdef KERBEROS
+# include <kerberosIV/des.h>
+# include <kerberosIV/krb.h>
+char dest_realm_buf[REALM_SZ], *dest_realm = NULL;
CREDENTIALS cred;
Key_schedule schedule;
-int use_kerberos = 1, doencrypt;
-char dest_realm_buf[REALM_SZ], *dest_realm;
extern char *krb_realmofhost();
+
+# elif defined(SHISHI)
+# include <shishi.h>
+# include "shishi_def.h"
+char dest_realm_buf[REALM_SZ], *dest_realm = NULL;
+
+Shishi * h;
+Shishi_key * enckey;
+shishi_ivector iv1, iv2, iv3, iv4;
+shishi_ivector * ivtab[4];
+
+int keytype;
+int keylen;
+int rc;
+int wlen;
#endif
+#endif /* KERBEROS */
/*
* rsh - remote shell
@@ -95,7 +115,7 @@
/* basename (argv[0]). NetBSD, linux, & gnu libc all define it. */
extern char *__progname;
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
#ifdef ENCRYPTION
#define OPTIONS "8Kdek:l:nxVh"
#else
@@ -113,7 +133,7 @@
{ "8-bit", no_argument, 0, '8' },
{ "kerberos", no_argument, 0, 'K' },
{ "no-input", no_argument, 0, 'n' },
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
{ "realm", required_argument, 0, 'k' },
{ "encrypt", no_argument, 0, 'x' },
#endif
@@ -128,7 +148,7 @@
fprintf (stream,
"Usage: %s [-nd%s]%s[-l USER] address@hidden [COMMAND [ARG...]]\n",
__progname,
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
#ifdef ENCRYPTION
"x", " [-k REALM] "
#else
@@ -160,7 +180,7 @@
which is ``~'' by default");
puts ("\
-l, --user USER run as USER on the remote system");
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
puts ("\
-K, --kerberos turns off all Kerberos authentication");
puts ("\
@@ -250,12 +270,12 @@
break;
case 'K':
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
use_kerberos = 0;
#endif
break;
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
case 'k':
strncpy (dest_realm_buf, optarg, sizeof dest_realm_buf);
dest_realm_buf [REALM_SZ - 1] = '\0';
@@ -265,7 +285,9 @@
# ifdef ENCRYPTION
case 'x':
doencrypt = 1;
+#ifdef KERBEROS
des_set_key (cred.session, schedule);
+#endif
break;
# endif
#endif
@@ -329,11 +351,9 @@
if (*host == '\0')
usage ();
}
- if (!user)
- user = pw->pw_name;
}
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
#ifdef ENCRYPTION
/* -x turns off -n */
if (doencrypt)
@@ -355,13 +375,24 @@
doencrypt ? "ekshell" : "kshell");
}
}
+#elif defined(SHISHI)
+ if (use_kerberos)
+ {
+ sp = getservbyname ("kshell", "tcp");
+ if (sp == NULL)
+ {
+ use_kerberos = 0;
+ warning ("can't get entry for %s/tcp service",
+ "kshell");
+ }
+ }
#endif
if (sp == NULL)
sp = getservbyname("shell", "tcp");
if (sp == NULL)
errx (1, "shell/tcp: unknown service");
-#ifdef KERBEROS
+#if defined (KERBEROS) || defined(SHISHI)
try_connect:
if (use_kerberos)
{
@@ -372,19 +403,86 @@
if (hp != NULL && !(host = strdup (hp->h_name)))
err (1, NULL);
+#if defined (KERBEROS)
rem = KSUCCESS;
errno = 0;
if (dest_realm == NULL)
dest_realm = krb_realmofhost (host);
+#elif defined (SHISHI)
+ rem = SHISHI_OK;
+ errno = 0;
+#endif
#ifdef ENCRYPTION
if (doencrypt)
- rem = krcmd_mutual (&host, sp->s_port, user, args,
- &rfd2, dest_realm, &cred, schedule);
+#if defined(SHISHI)
+ {
+ int i;
+ char * term;
+
+ term = (char *)xmalloc (strlen(args)+4);
+ strcpy (term, "-x ");
+ strcat (term, args);
+
+ rem = krcmd_mutual (&h, &host, sp->s_port, &user, term, &rfd2,
+ dest_realm, &enckey);
+ if (rem > 0)
+ {
+ keytype = shishi_key_type (enckey);
+ keylen = shishi_cipher_blocksize (keytype);
+
+ ivtab[0] = &iv1;
+ ivtab[1] = &iv2;
+ ivtab[2] = &iv3;
+ ivtab[3] = &iv4;
+
+ for (i=0; i<4; i++)
+ {
+ ivtab[i]->ivlen = keylen;
+
+ switch (keytype)
+ {
+ case SHISHI_DES_CBC_CRC:
+ case SHISHI_DES_CBC_MD4:
+ case SHISHI_DES_CBC_MD5:
+ case SHISHI_DES_CBC_NONE:
+ case SHISHI_DES3_CBC_HMAC_SHA1_KD:
+ ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES;
+ ivtab[i]->iv = malloc (ivtab[i]->ivlen);
+ memset (ivtab[i]->iv, 2*i + 1*(i<2) - 4*(i>=2),
ivtab[i]->ivlen);
+ ivtab[i]->ctx = shishi_crypto (h, enckey,
ivtab[i]->keyusage, shishi_key_type (enckey),
+ ivtab[i]->iv,
ivtab[i]->ivlen);
+ break;
+ case SHISHI_ARCFOUR_HMAC:
+ case SHISHI_ARCFOUR_HMAC_EXP:
+ ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 2 + 4*i;
+ ivtab[i]->ctx = shishi_crypto (h, enckey,
ivtab[i]->keyusage, shishi_key_type (enckey),
+ NULL, 0);
+ break;
+ default :
+ ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 2 + 4*i;
+ ivtab[i]->iv = malloc (ivtab[i]->ivlen);
+ memset (ivtab[i]->iv, 0, ivtab[i]->ivlen);
+ ivtab[i]->ctx = shishi_crypto (h, enckey,
ivtab[i]->keyusage, shishi_key_type (enckey),
+ ivtab[i]->iv,
ivtab[i]->ivlen);
+ }
+ }
+ }
+ free (term);
+ }
+ else
+#else
+ rem = krcmd_mutual (&host, sp->s_port, user, args, &rfd2,
+ dest_realm, &cred, schedule);
else
#endif
- rem = krcmd (&host, sp->s_port, user, args, &rfd2,
- dest_realm);
+#endif
+ rem = krcmd (
+#if defined (SHISHI)
+ &h, &host, sp->s_port, &user, args, &rfd2, dest_realm);
+#else
+ &host, sp->s_port, user, args, &rfd2, dest_realm);
+#endif
if (rem < 0)
{
use_kerberos = 0;
@@ -400,11 +498,15 @@
}
else
{
+ if (!user)
+ user = pw->pw_name;
if (doencrypt)
errx (1, "the -x flag requires Kerberos authentication");
rem = rcmd (&host, sp->s_port, pw->pw_name, user, args, &rfd2);
}
#else
+ if (!user)
+ user = pw->pw_name;
rem = rcmd (&host, sp->s_port, pw->pw_name, user, args, &rfd2);
#endif
@@ -451,7 +553,7 @@
err (1, "fork");
}
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
#ifdef ENCRYPTION
if (!doencrypt)
#endif
@@ -464,6 +566,27 @@
talk (nflag, &osigs, pid, rem);
+
+#ifdef SHISHI
+ if (use_kerberos)
+ {
+ int i;
+
+ shishi_done (h);
+#ifdef ENCRYPTION
+ if (doencrypt)
+ {
+ shishi_key_done (enckey);
+ for (i = 0; i < 4; i++)
+ {
+ shishi_crypto_close (ivtab[i]->ctx);
+ free (ivtab[i]->iv);
+ }
+ }
+#endif
+ }
+#endif
+
if (!nflag)
kill (pid, SIGKILL);
return 0;
@@ -497,11 +620,15 @@
}
if (!FD_ISSET (rem, &rembits))
goto rewrite;
-#ifdef KERBEROS
#ifdef ENCRYPTION
+#ifdef KERBEROS
if (doencrypt)
wc = des_write (rem, bp, cc);
- else
+ else
+#elif defined(SHISHI)
+ if (doencrypt)
+ writeenc (h, rem, bp, cc, &wc, &iv3, enckey, 2);
+ else
#endif
#endif
wc = write (rem, bp, cc);
@@ -550,6 +677,10 @@
cc = des_read (rfd2, buf, sizeof buf);
else
#endif
+#elif defined(SHISHI) && defined(ENCRYPTION)
+ if (doencrypt)
+ readenc (h, rfd2, buf, &cc, &iv2, enckey, 2);
+ else
#endif
cc = read (rfd2, buf, sizeof buf);
if (cc <= 0)
@@ -569,6 +700,10 @@
cc = des_read (rem, buf, sizeof buf);
else
#endif
+#elif defined(SHISHI) && defined(ENCRYPTION)
+ if (doencrypt)
+ readenc (h, rem, buf, &cc, &iv1, enckey, 2);
+ else
#endif
cc = read (rem, buf, sizeof buf);
if (cc <= 0)
@@ -586,6 +721,7 @@
sendsig (int sig)
{
char signo;
+ int n;
signo = sig;
#ifdef KERBEROS
@@ -594,11 +730,16 @@
des_write (rfd2, &signo, 1);
else
#endif
+#elif defined(SHISHI) && defined (ENCRYPTION)
+ if (doencrypt)
+ writeenc (h, rfd2, &signo, 1, &n, &iv4, enckey, 2);
+ else
#endif
+
write (rfd2, &signo, 1);
}
-#ifdef KERBEROS
+#if defined (KERBEROS) || defined(SHISHI)
/* VARARGS */
void
#if defined(HAVE_STDARG_H) && defined(__STDC__) && __STDC__
diff -ur --exclude CVS inetutils/rshd/rshd.c dopio-inetutils-shishi/rshd/rshd.c
--- inetutils/rshd/rshd.c 2002-09-09 11:31:55.000000000 +0200
+++ dopio-inetutils-shishi/rshd/rshd.c 2003-09-29 11:41:28.000000000 +0200
@@ -111,16 +111,27 @@
void usage __P ((void));
void help __P ((void));
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
+#ifdef KERBEROS
# include <kerberosIV/des.h>
# include <kerberosIV/krb.h>
+Key_schedule schedule;
+char authbuf[sizeof(AUTH_DAT)];
+char tickbuf[sizeof(KTEXT_ST)];
+#elif defined(SHISHI)
+# include <shishi.h>
+# include "shishi_def.h"
+Shishi * h;
+Shishi_ap * ap;
+Shishi_key * enckey;
+shishi_ivector iv1, iv2, iv3, iv4;
+shishi_ivector *ivtab[4];
+int protocol;
+#endif
# define VERSION_SIZE 9
# define SECURE_MESSAGE "This rsh session is using DES encryption for all
transmissions.\r\n"
# define OPTIONS "alnkvxLVh"
-char authbuf[sizeof(AUTH_DAT)];
-char tickbuf[sizeof(KTEXT_ST)];
int doencrypt, use_kerberos, vacuous;
-Key_schedule schedule;
#else
# define OPTIONS "alnLVh"
#endif
@@ -167,7 +178,7 @@
keepalive = 0; /* don't enable SO_KEEPALIVE */
break;
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
case 'k':
use_kerberos = 1;
break;
@@ -211,7 +222,7 @@
exit (1);
}
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (use_kerberos && vacuous)
{
syslog (LOG_ERR, "only one of -k and -v allowed");
@@ -293,6 +304,13 @@
fd_set wready, writeto;
fromaddr = *fromp;
+#elif defined SHISHI
+ int n;
+ int pv1[2], pv2[2];
+ fd_set wready, writeto;
+ int keytype, keylen;
+ int cksumtype, cksumlen = 30;
+ char cksum[30];
#endif
signal(SIGINT, SIG_DFL);
@@ -353,7 +371,7 @@
/* Need host byte ordered port# to compare */
fromp->sin_port = ntohs((u_short)fromp->sin_port);
/* Verify that the client's address was bound to a reserved port */
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (!use_kerberos)
#endif
if (fromp->sin_port >= IPPORT_RESERVED
@@ -406,7 +424,7 @@
syslog (LOG_ERR, "can't get stderr port: %m");
exit (1);
}
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (!use_kerberos)
#endif
if (port >= IPPORT_RESERVED || port < IPPORT_RESERVED/2)
@@ -419,6 +437,8 @@
* client's, just change the port# to the one specified
* by the clent as the secondary port.
*/
+ syslog (LOG_ERR, "2nd port not reserved %d\n", port);
+
fromp->sin_port = htons (port);
if (connect (s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
{
@@ -427,7 +447,7 @@
}
}
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (vacuous)
{
error ("rshd: remote host requires Kerberos authentication\n");
@@ -458,7 +478,7 @@
* address corresponds to the name.
*/
hostname = strdup (hp->h_name);
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (!use_kerberos)
#endif
if (check_all || local_domain (hp->h_name))
@@ -544,13 +564,134 @@
}
}
else
+#elif defined (SHISHI)
+ if (use_kerberos)
+ {
+ int rc;
+ char * err_msg = NULL;
+
+ rc = get_auth (STDIN_FILENO, &h, &ap, &enckey, &err_msg, &protocol,
+ &cksumtype, cksum, &cksumlen);
+ if (rc != SHISHI_OK)
+ {
+ error ("Kerberos authentication failure: %s\n", err_msg);
+ free (err_msg);
+ exit (1);
+ }
+ }
+ else
#endif
- remuser = getstr ("remuser");
+ remuser = getstr ("remuser");
/* Read three strings from the client. */
locuser = getstr ("locuser");
cmdbuf = getstr ("command");
+#ifdef SHISHI
+ {
+ int error;
+ int rc;
+ char * compcksum;
+ size_t compcksumlen;
+ char cksumdata[100];
+ struct sockaddr_in sock;
+ size_t socklen;
+
+#ifdef ENCRYPTION
+ if (strlen (cmdbuf) >= 3)
+ if (!strncmp (cmdbuf, "-x ", 3))
+ {
+ doencrypt = 1;
+ int i;
+
+ ivtab[0] = &iv1;
+ ivtab[1] = &iv2;
+ ivtab[2] = &iv3;
+ ivtab[3] = &iv4;
+
+ keytype = shishi_key_type (enckey);
+ keylen = shishi_cipher_blocksize (keytype);
+
+ for (i=0; i<4; i++)
+ {
+ ivtab[i]->ivlen = keylen;
+
+ switch (keytype)
+ {
+ case SHISHI_DES_CBC_CRC:
+ case SHISHI_DES_CBC_MD4:
+ case SHISHI_DES_CBC_MD5:
+ case SHISHI_DES_CBC_NONE:
+ case SHISHI_DES3_CBC_HMAC_SHA1_KD:
+ ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES;
+ ivtab[i]->iv = malloc (ivtab[i]->ivlen);
+ memset (ivtab[i]->iv, 2*i -3*(i>=2), ivtab[i]->ivlen);
+ ivtab[i]->ctx = shishi_crypto (h, enckey, ivtab[i]->keyusage,
shishi_key_type (enckey),
+ ivtab[i]->iv, ivtab[i]->ivlen);
+ break;
+ case SHISHI_ARCFOUR_HMAC:
+ case SHISHI_ARCFOUR_HMAC_EXP:
+ ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 4*(i<2) + 2 +
2*(i%2);
+ ivtab[i]->ctx = shishi_crypto (h, enckey, ivtab[i]->keyusage,
shishi_key_type (enckey),
+ NULL, 0);
+ break;
+ default :
+ ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES + 4*(i<2) + 2 +
2*(i%2);
+ ivtab[i]->iv = malloc (ivtab[i]->ivlen);
+ memset (ivtab[i]->iv, 0, ivtab[i]->ivlen);
+ if (protocol == 2)
+ ivtab[i]->ctx = shishi_crypto (h, enckey,
ivtab[i]->keyusage, shishi_key_type (enckey),
+ ivtab[i]->iv,
ivtab[i]->ivlen);
+ }
+ }
+
+ }
+#endif
+
+ remuser = getstr ("remuser");
+ rc = read (STDIN_FILENO, &error, sizeof (int));
+ if ((rc != sizeof (int)) && rc)
+ {
+ //error ("Kerberos authentication failure: %s\n", err_msg);
+ exit (1);
+ }
+
+ /* verify checksum */
+
+ /* Doesn't give socket port ?
+ if (getsockname (STDIN_FILENO, (struct sockaddr *)&sock, &socklen) < 0)
+ {
+ syslog (LOG_ERR, "Can't get sock name");
+ exit (1);
+ }
+ */
+ snprintf (cksumdata, 100, "544:%s%s", /*ntohs(sock.sin_port),*/ cmdbuf,
locuser);
+ rc = shishi_checksum (h, enckey, 0, cksumtype, cksumdata,
+ strlen (cksumdata), &compcksum, &compcksumlen);
+ if ((rc != SHISHI_OK) || (compcksumlen != cksumlen) || (memcmp (compcksum,
cksum, cksumlen) != 0))
+ {
+ /* err_msg crash ? */
+ /* *err_msg = "checksum verify failed"; */
+ syslog (LOG_ERR, "checksum verify failed: %s", shishi_error (h));
+ free (compcksum);
+ exit (1);
+ }
+
+ rc = shishi_authorized_p (h, shishi_ap_tkt (ap), locuser);
+ if (!rc)
+ {
+ syslog (LOG_ERR, "User is not authorized to log in as: %s", locuser);
+ shishi_ap_done (ap);
+ exit (1);
+ }
+
+ free (compcksum);
+
+ shishi_ap_done (ap);
+
+ }
+#endif
+
/* Look up locuser in the passerd file. The locuser has\* to be a
* valid account on this system.
*/
@@ -580,6 +721,21 @@
}
}
else
+#elif defined(SHISHI)
+ if (use_kerberos)
+ {/*
+ if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0')
+ {
+ if (kuserok (kdata, locuser) != 0)
+ {
+ syslog (LOG_INFO|LOG_AUTH, "Kerberos rsh denied to
address@hidden",
+ kdata->pname, kdata->pinst, kdata->prealm);
+ error ("Permission denied.\n");
+ exit (1);
+ }
+ }*/
+ }
+ else
#endif
if (errorstr || pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0'
&& (iruserok (fromp->sin_addr.s_addr, pwd->pw_uid == 0,
@@ -635,7 +791,7 @@
exit (1);
}
#ifdef ENCRYPTION
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (doencrypt)
{
if (pipe (pv1) < 0)
@@ -665,7 +821,7 @@
* signal.
*/
#ifdef ENCRYPTION
-#ifdef KERBEROS
+#if defined(KERBEROS)
if (doencrypt)
{
static char msg[] = SECURE_MESSAGE;
@@ -674,6 +830,13 @@
des_write (s, msg, sizeof(msg) - 1);
}
else
+#elif defined(SHISHI)
+ if (doencrypt)
+ {
+ close (pv1[1]);
+ close (pv2[1]);
+ }
+ else
#endif
#endif
{
@@ -694,7 +857,7 @@
else
nfd = s;
#ifdef ENCRYPTION
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (doencrypt)
{
FD_ZERO (&writeto);
@@ -714,10 +877,14 @@
{
ready = readfrom;
#ifdef ENCRYPTION
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (doencrypt)
{
- wready = writeto;
+#ifdef SHISHI
+ wready = readfrom;
+#else
+ wready = writeto;
+#endif
if (select (nfd, &ready, &wready, (fd_set *) 0,
(struct timeval *) 0) < 0)
break;
@@ -737,6 +904,10 @@
if (doencrypt)
ret = des_read (s, &sig, 1);
else
+#elif defined(SHISHI)
+ if (doencrypt)
+ readenc (h, s, &sig, &ret, &iv2, enckey, protocol);
+ else
#endif
#endif
ret = read (s, &sig, 1);
@@ -761,13 +932,17 @@
if (doencrypt)
des_write (s, buf, cc);
else
+#elif defined(SHISHI)
+ if (doencrypt)
+ writeenc (h, s, buf, cc, &n, &iv4, enckey, protocol);
+ else
#endif
#endif
write (s, buf, cc);
}
}
#ifdef ENCRYPTION
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (doencrypt && FD_ISSET(pv1[0], &ready))
{
errno = 0;
@@ -778,13 +953,21 @@
FD_CLR (pv1[0], &readfrom);
}
else
+#ifdef SHISHI
+ writeenc (h, STDOUT_FILENO, buf, cc, &n, &iv3, enckey,
protocol);
+#else
des_write (STDOUT_FILENO, buf, cc);
+#endif
}
if (doencrypt && FD_ISSET(pv2[0], &wready))
{
errno = 0;
+#ifdef SHISHI
+ readenc (h, STDIN_FILENO, buf, &cc, &iv1, enckey, protocol);
+#else
cc = des_read (STDIN_FILENO, buf, sizeof buf);
+#endif
if (cc <= 0)
{
shutdown (pv2[0], 1+1);
@@ -797,7 +980,7 @@
#endif
} while (FD_ISSET (s, &readfrom) ||
#ifdef ENCRYPTION
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
(doencrypt && FD_ISSET (pv1[0], &readfrom)) ||
#endif
#endif
@@ -819,7 +1002,7 @@
close(s); /* control process handles this fd */
close (pv[0]); /* close read end of pipe */
#ifdef ENCRYPTION
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
if (doencrypt)
{
close (pv1[0]); close (pv2[0]);
@@ -830,6 +1013,28 @@
}
#endif
#endif
+
+#if defined(SHISHI)
+ if (use_kerberos)
+ {
+ int i;
+
+ shishi_done (h);
+#ifdef ENCRYPTION
+ if (doencrypt)
+ {
+ shishi_key_done (enckey);
+ for (i = 0; i < 4; i++)
+ {
+ shishi_crypto_close (ivtab[i]->ctx);
+ free (ivtab[i]->iv);
+ }
+ }
+#endif
+ }
+
+#endif
+
dup2 (pv[1], STDERR_FILENO); /* stderr of shell has to go
pipe to control process */
close (pv[1]);
@@ -891,7 +1096,12 @@
syslog (LOG_INFO|LOG_AUTH, "address@hidden as %s: cmd='%.80s'",
remuser, hostname, locuser, cmdbuf);
}
- execl (pwd->pw_shell, cp, "-c", cmdbuf, 0);
+#ifdef SHISHI
+ if (doencrypt)
+ execl (pwd->pw_shell, cp, "-c", cmdbuf+3, 0);
+ else
+#endif
+ execl (pwd->pw_shell, cp, "-c", cmdbuf, 0);
perror (pwd->pw_shell);
exit (1);
}
@@ -1042,7 +1252,7 @@
-L, --log-session Set local domain name");
puts ("\
-n, --no-keepalive Do not set SO_KEEPALIVE");
-#ifdef KERBEROS
+#if defined(KERBEROS) || defined(SHISHI)
puts ("\
-k, --kerberos Use kerberos IV authentication");
#ifdef ENCRYPTION
- [bug-inetutils] Re: Telnet(d) support for new Kerberos 5 implementation,
Simon Josefsson <=