*/
#include "config.h"
-#ifdef KRB4_SECURITY
#include <des.h>
#include <krb.h>
#endif /* HAVE_ON_EXIT */
#endif /* ! HAVE_ATEXIT */
+/*
+ * This is the tcp stream buffer size
+ */
+#ifndef STREAM_BUFSIZE
+#define STREAM_BUFSIZE (32768*2)
+#endif
+
int krb_set_lifetime(int);
int kuserok(AUTH_DAT *, char *);
*/
struct krb4_handle {
security_handle_t sech; /* MUST be first */
- struct sockaddr_in peer; /* host on other side */
+ struct sockaddr_in6 peer; /* host on other side */
char hostname[MAX_HOSTNAME_LENGTH+1]; /* human form of above */
char proto_handle[32]; /* protocol handle for this req */
int sequence; /* last sequence number we received */
security_stream_t secstr; /* MUST be first */
struct krb4_handle *krb4_handle; /* pointer into above */
int fd; /* io file descriptor */
- int port; /* local port this is bound to */
+ in_port_t port; /* local port this is bound to */
int socket; /* fd for server-side accepts */
event_handle_t *ev_read; /* read event handle */
- char databuf[MAX_TAPE_BLOCK_BYTES]; /* read buffer */
+ char databuf[STREAM_BUFSIZE]; /* read buffer */
int len; /* */
void (*fn)(void *, void *, ssize_t);/* read event fn */
void *arg; /* arg for previous */
};
-/*
- * This is the tcp stream buffer size
- */
-#define STREAM_BUFSIZE (MAX_TAPE_BLOCK_BYTES * 2)
-
/*
* Interface functions
*/
krb4_stream_read_sync,
krb4_stream_read_cancel,
sec_close_connection_none,
+ NULL,
+ NULL
};
/*
*/
union mutual {
char pad[8];
- long cksum;
+ unsigned long cksum;
};
/*
static int recv_security_ok(struct krb4_handle *, pkt_t *);
static void stream_read_callback(void *);
static void stream_read_sync_callback(void *);
-static int net_write(int, const void *, size_t);
-static int net_read(int, void *, size_t, int);
+static int knet_write(int, const void *, size_t);
+static int knet_read(int, void *, size_t, int);
static int add_ticket(struct krb4_handle *, const pkt_t *, dgram_t *);
static void add_mutual_auth(struct krb4_handle *, dgram_t *);
const char *, unsigned long);
static int check_mutual_auth(struct krb4_handle *, const char *);
-static const char *pkthdr2str(const struct krb4_handle *, const pkt_t *);
-static int str2pkthdr(const char *, pkt_t *, char *, size_t, int *);
+static const char *kpkthdr2str(const struct krb4_handle *, const pkt_t *);
+static int str2kpkthdr(const char *, pkt_t *, char *, size_t, int *);
static const char *bin2astr(const unsigned char *, int);
static void astr2bin(const unsigned char *, unsigned char *, int *);
init(void)
{
char tktfile[256];
- int port;
+ in_port_t port;
static int beenhere = 0;
if (beenhere)
hostname[SIZEOF(hostname) - 1] = '\0';
if (atexit(killtickets) < 0)
- error("could not setup krb4 exit handler: %s", strerror(errno));
+ error(_("could not setup krb4 exit handler: %s"), strerror(errno));
/*
* [XXX] It could be argued that if KRBTKFILE is set outside of amanda,
* This file also needs to be removed so that no extra tickets are
* hanging around.
*/
- snprintf(tktfile, SIZEOF(tktfile), "/tmp/tkt%ld-%ld.amanda",
+ g_snprintf(tktfile, SIZEOF(tktfile), "/tmp/tkt%ld-%ld.amanda",
(long)getuid(), (long)getpid());
ticketfilename = stralloc(tktfile);
unlink(ticketfilename);
strncpy(realm, krb_realmofhost(hostname), SIZEOF(realm) - 1);
realm[SIZEOF(realm) - 1] = '\0';
- rc = krb_get_svc_in_tkt(SERVER_HOST_PRINCIPLE, SERVER_HOST_INSTANCE,
+ rc = krb_get_svc_in_tkt(SERVER_HOST_PRINCIPAL, SERVER_HOST_INSTANCE,
realm, "krbtgt", realm, TICKET_LIFETIME, SERVER_HOST_KEY_FILE);
if (rc != 0) {
- error("could not get krbtgt for %s.%s@%s from %s: %s",
- SERVER_HOST_PRINCIPLE, SERVER_HOST_INSTANCE, realm,
+ error(_("could not get krbtgt for %s.%s@%s from %s: %s"),
+ SERVER_HOST_PRINCIPAL, SERVER_HOST_INSTANCE, realm,
SERVER_HOST_KEY_FILE, krb_err_txt[rc]);
}
char handle[32];
struct servent *se;
struct hostent *he;
- int port;
+ in_port_t port;
+
+ (void)conf_fn; /* Quiet unused parameter warning */
+ (void)datap; /* Quiet unused parameter warning */
assert(hostname != NULL);
if ((he = gethostbyname(hostname)) == NULL) {
security_seterror(&kh->sech,
- "%s: could not resolve hostname", hostname);
+ _("%s: could not resolve hostname"), hostname);
(*fn)(arg, &kh->sech, S_ERROR);
return;
}
if ((se = getservbyname(KAMANDA_SERVICE_NAME, "udp")) == NULL)
- port = (int)htons(KAMANDA_SERVICE_DEFAULT);
+ port = (int)KAMANDA_SERVICE_DEFAULT;
else
- port = se->s_port;
- snprintf(handle, SIZEOF(handle), "%ld", (long)time(NULL));
+ port = ntohs(se->s_port);
+ g_snprintf(handle, SIZEOF(handle), "%ld", (long)time(NULL));
inithandle(kh, he, (int)port, handle);
(*fn)(arg, &kh->sech, S_OK);
}
int out,
void (*fn)(security_handle_t *, pkt_t *))
{
+ (void)driver; /* Quiet unused parameter warning */
+ (void)out; /* Quiet unused parameter warning */
/*
* Make sure we're initted
* Setup our peer info. We don't do anything with the sequence yet,
* so just leave it at 0.
*/
- kh->peer.sin_family = (sa_family_t)AF_INET;
- kh->peer.sin_port = (in_port_t)port;
- kh->peer.sin_addr = *(struct in_addr *)he->h_addr;
+ kh->peer.sin6_family = (sa_family_t)AF_INET6;
+ kh->peer.sin6_port = (in_port_t)port;
+ kh->peer.sin6_addr = *(struct in6_addr *)he->h_addr;
strncpy(kh->proto_handle, handle, SIZEOF(kh->proto_handle) - 1);
kh->proto_handle[SIZEOF(kh->proto_handle) - 1] = '\0';
kh->sequence = 0;
/*
* Add the header to the packet
*/
- dgram_cat(&netfd, pkthdr2str(kh, pkt));
+ dgram_cat(&netfd, kpkthdr2str(kh, pkt));
/*
* Add the security info. This depends on which kind of packet we're
* Add the body, and send it
*/
dgram_cat(&netfd, pkt->body);
- if (dgram_send_addr(kh->peer, &netfd) != 0) {
+ if (dgram_send_addr(&kh->peer, &netfd) != 0) {
security_seterror(&kh->sech,
- "send %s to %s failed: %s", pkt_type2str(pkt->type),
+ _("send %s to %s failed: %s"), pkt_type2str(pkt->type),
kh->hostname, strerror(errno));
return (-1);
}
ks->socket = stream_server(&ks->port, STREAM_BUFSIZE, STREAM_BUFSIZE, 1);
if (ks->socket < 0) {
security_seterror(&kh->sech,
- "can't create server stream: %s", strerror(errno));
+ _("can't create server stream: %s"), strerror(errno));
amfree(ks);
return (NULL);
}
ks->fd = stream_accept(ks->socket, 30, STREAM_BUFSIZE, STREAM_BUFSIZE);
if (ks->fd < 0) {
security_stream_seterror(&ks->secstr,
- "can't accept new stream connection: %s", strerror(errno));
+ _("can't accept new stream connection: %s"), strerror(errno));
return (-1);
}
return (0);
&ks->port, 0);
if (ks->fd < 0) {
security_seterror(&kh->sech,
- "can't connect stream to %s port %d: %s", kh->hostname, id,
+ _("can't connect stream to %s port %d: %s"), kh->hostname, id,
strerror(errno));
amfree(ks);
return (NULL);
* and present it to the other side.
*/
gettimeofday(&local, &tz);
- enc.tv_sec = (long)htonl((uint32_t)local.tv_sec);
- enc.tv_usec = (long)htonl((uint32_t)local.tv_usec);
+ enc.tv_sec = (long)htonl((guint32)local.tv_sec);
+ enc.tv_usec = (long)htonl((guint32)local.tv_usec);
encrypt_data(&enc, SIZEOF(enc), &kh->session_key);
- if (net_write(fd, &enc, SIZEOF(enc)) < 0) {
+ if (knet_write(fd, &enc, SIZEOF(enc)) < 0) {
security_stream_seterror(&ks->secstr,
- "krb4 stream handshake write error: %s", strerror(errno));
+ _("krb4 stream handshake write error: %s"), strerror(errno));
return (-1);
}
* and useconds by one. Reencrypt, and present to the other side.
* Timeout in 10 seconds.
*/
- if (net_read(fd, &enc, SIZEOF(enc), 60) < 0) {
+ if (knet_read(fd, &enc, SIZEOF(enc), 60) < 0) {
security_stream_seterror(&ks->secstr,
- "krb4 stream handshake read error: %s", strerror(errno));
+ _("krb4 stream handshake read error: %s"), strerror(errno));
return (-1);
}
decrypt_data(&enc, SIZEOF(enc), &kh->session_key);
/* XXX do timestamp checking here */
- enc.tv_sec = (long)htonl(ntohl((uint32_t)enc.tv_sec) + 1);
- enc.tv_usec =(long)htonl(ntohl((uint32_t)enc.tv_usec) + 1);
+ enc.tv_sec = (long)htonl(ntohl((guint32)enc.tv_sec) + 1);
+ enc.tv_usec =(long)htonl(ntohl((guint32)enc.tv_usec) + 1);
encrypt_data(&enc, SIZEOF(enc), &kh->session_key);
- if (net_write(fd, &enc, SIZEOF(enc)) < 0) {
+ if (knet_write(fd, &enc, SIZEOF(enc)) < 0) {
security_stream_seterror(&ks->secstr,
- "krb4 stream handshake write error: %s", strerror(errno));
+ _("krb4 stream handshake write error: %s"), strerror(errno));
return (-1);
}
* If they incremented it properly, then succeed.
* Timeout in 10 seconds.
*/
- if (net_read(fd, &enc, SIZEOF(enc), 60) < 0) {
+ if (knet_read(fd, &enc, SIZEOF(enc), 60) < 0) {
security_stream_seterror(&ks->secstr,
- "krb4 stream handshake read error: %s", strerror(errno));
+ _("krb4 stream handshake read error: %s"), strerror(errno));
return (-1);
}
decrypt_data(&enc, SIZEOF(enc), &kh->session_key);
- if ((ntohl((uint32_t)enc.tv_sec) == (uint32_t)(local.tv_sec + 1)) &&
- (ntohl((uint32_t)enc.tv_usec) == (uint32_t)(local.tv_usec + 1)))
+ if ((ntohl((guint32)enc.tv_sec) == (uint32_t)(local.tv_sec + 1)) &&
+ (ntohl((guint32)enc.tv_usec) == (uint32_t)(local.tv_usec + 1)))
return (0);
security_stream_seterror(&ks->secstr,
- "krb4 handshake failed: sent %ld,%ld - recv %ld,%ld",
+ _("krb4 handshake failed: sent %ld,%ld - recv %ld,%ld"),
(long)(local.tv_sec + 1), (long)(local.tv_usec + 1),
- (long)ntohl((uint32_t)enc.tv_sec),
- (long)ntohl((uint32_t)enc.tv_usec));
+ (long)ntohl((guint32)enc.tv_sec),
+ (long)ntohl((guint32)enc.tv_usec));
return (-1);
}
size_t size)
{
struct krb4_stream *ks = s;
- struct krb4_handle *kh = ks->krb4_handle;
assert(ks != NULL);
- assert(kh != NULL);
- if (net_write(ks->fd, buf, size) < 0) {
+ if (knet_write(ks->fd, buf, size) < 0) {
security_stream_seterror(&ks->secstr,
- "write error on stream %d: %s", ks->fd, strerror(errno));
+ _("write error on stream %d: %s"), ks->fd, strerror(errno));
return (-1);
}
return (0);
void * cookie)
{
char handle[32];
- struct sockaddr_in peer;
+ struct sockaddr_in6 peer;
pkt_t pkt;
int sequence;
struct krb4_handle *kh;
void (*fn)(void *, pkt_t *, security_status_t);
void *arg;
+ (void)cookie; /* Quiet unused parameter warning */
assert(cookie == NULL);
/*
dgram_zero(&netfd);
if (dgram_recv(&netfd, 0, &peer) < 0)
return;
- if (str2pkthdr(netfd.cur, &pkt, handle, SIZEOF(handle), &sequence) < 0)
+ if (str2kpkthdr(netfd.cur, &pkt, handle, SIZEOF(handle), &sequence) < 0)
return;
for (kh = handleq_first(); kh != NULL; kh = handleq_next(kh)) {
if (strcmp(kh->proto_handle, handle) == 0 &&
- memcmp(&kh->peer.sin_addr, &peer.sin_addr,
- SIZEOF(peer.sin_addr)) == 0 &&
- kh->peer.sin_port == peer.sin_port) {
+ cmp_sockaddr(&kh->peer, &peer, 0) == 0) {
kh->sequence = sequence;
/*
if (accept_fn == NULL)
return;
- he = gethostbyaddr((void *)&peer.sin_addr, SIZEOF(peer.sin_addr), AF_INET);
+ he = gethostbyaddr((void *)&peer.sin6_addr, SIZEOF(peer.sin6_addr), AF_INET6);
if (he == NULL)
return;
kh = alloc(SIZEOF(*kh));
security_handleinit(&kh->sech, &krb4_security_driver);
- inithandle(kh, he, (int)peer.sin_port, handle);
+ inithandle(kh, he, (int)peer.sin6_port, handle);
/*
* Check the security of the packet. If it is bad, then pass NULL
* Get a ticket with the user-defined service and instance,
* and using the checksum of the body of the request packet.
*/
- rc = krb_mk_req(&ticket, CLIENT_HOST_PRINCIPLE, inst, kh->realm,
+ rc = krb_mk_req(&ticket, CLIENT_HOST_PRINCIPAL, inst, kh->realm,
kh->cksum);
if (rc == NO_TKT_FIL) {
/* It's been kdestroyed. Get a new one and try again */
get_tgt();
- rc = krb_mk_req(&ticket, CLIENT_HOST_PRINCIPLE, inst, kh->realm,
+ rc = krb_mk_req(&ticket, CLIENT_HOST_PRINCIPAL, inst, kh->realm,
kh->cksum);
}
if (rc != 0) {
security_seterror(&kh->sech,
- "krb_mk_req failed: %s (%d)", error_message(rc), rc);
+ _("krb_mk_req failed: %s (%d)"), error_message(rc), rc);
return (-1);
}
/*
assert(kh->session_key[0] != '\0');
memset(&mutual, 0, SIZEOF(mutual));
- mutual.cksum = (unsigned long)htonl((uint32_t)kh->cksum + 1);
+ mutual.cksum = (unsigned long)htonl((guint32)kh->cksum + 1);
encrypt_data(&mutual, SIZEOF(mutual), &kh->session_key);
security = vstralloc("SECURITY MUTUAL-AUTH ",
* Set this preemptively before we mangle the body.
*/
security_seterror(&kh->sech,
- "bad %s SECURITY line from %s: '%s'", pkt_type2str(pkt->type),
+ _("bad %s SECURITY line from %s: '%s'"), pkt_type2str(pkt->type),
kh->hostname, pkt->body);
return (-1);
if (strcmp(tok, "TICKET") != 0) {
security_seterror(&kh->sech,
- "REQ SECURITY line parse error, expecting TICKET, got %s", tok);
+ _("REQ SECURITY line parse error, expecting TICKET, got %s"), tok);
return (-1);
}
char *user;
int rc;
+ (void)pkt; /* Quiet unused parameter warning */
+
assert(kh != NULL);
assert(pkt != NULL);
assert(ticket_str != NULL);
inst[SIZEOF(inst) - 1] = '\0';
/* get the checksum out of the ticket */
- rc = krb_rd_req(&ticket, CLIENT_HOST_PRINCIPLE, inst,
- kh->peer.sin_addr.s_addr, &auth, CLIENT_HOST_KEY_FILE);
+ rc = krb_rd_req(&ticket, CLIENT_HOST_PRINCIPAL, inst,
+ kh->peer.sin6_addr.s_addr, &auth, CLIENT_HOST_KEY_FILE);
if (rc != 0) {
security_seterror(&kh->sech,
- "krb_rd_req failed for %s: %s (%d)", kh->hostname,
+ _("krb_rd_req failed for %s: %s (%d)"), kh->hostname,
error_message(rc), rc);
return (-1);
}
/* verify and save the checksum and session key */
if (auth.checksum != cksum) {
security_seterror(&kh->sech,
- "krb4 checksum mismatch for %s (remote=%lu, local=%lu)",
+ _("krb4 checksum mismatch for %s (remote=%lu, local=%lu)"),
kh->hostname, (long)auth.checksum, cksum);
return (-1);
}
memcpy(kh->session_key, auth.session, SIZEOF(kh->session_key));
/*
- * If FORCE_USERID is set, then we need to specifically
+ * If CHECK_USERID is set, then we need to specifically
* check the userid we're forcing ourself to. Otherwise,
* just check the login we're currently setuid to.
*/
-#ifdef FORCE_USERID
+#ifdef CHECK_USERID
if ((pwd = getpwnam(CLIENT_LOGIN)) == NULL)
- error("error [getpwnam(%s) fails]", CLIENT_LOGIN);
+ error(_("error [getpwnam(%s) fails]"), CLIENT_LOGIN);
#else
if ((pwd = getpwuid(getuid())) == NULL)
- error("error [getpwuid(%d) fails]", getuid());
+ error(_("error [getpwuid(%d) fails]"), getuid());
#endif
/* save the username in case it's overwritten */
/* check the klogin file */
if (kuserok(&auth, user)) {
security_seterror(&kh->sech,
- "access as %s not allowed from %s.%s@%s", user, auth.pname,
+ _("access as %s not allowed from %s.%s@%s"), user, auth.pname,
auth.pinst, auth.prealm);
amfree(user);
return (-1);
/* unencrypt the string using the key in the ticket file */
host2key(kh->hostname, kh->inst, &kh->session_key);
decrypt_data(&mutual, (size_t)len, &kh->session_key);
- mutual.cksum = (unsigned long)ntohl((uint32_t)mutual.cksum);
+ mutual.cksum = (unsigned long)ntohl((guint32)mutual.cksum);
/* the data must be the same as our request cksum + 1 */
if (mutual.cksum != (kh->cksum + 1)) {
security_seterror(&kh->sech,
- "krb4 checksum mismatch from %s (remote=%lu, local=%lu)",
+ _("krb4 checksum mismatch from %s (remote=%lu, local=%lu)"),
kh->hostname, mutual.cksum, kh->cksum + 1);
return (-1);
}
* Convert a pkt_t into a header string for our packet
*/
static const char *
-pkthdr2str(
+kpkthdr2str(
const struct krb4_handle * kh,
const pkt_t * pkt)
{
assert(kh != NULL);
assert(pkt != NULL);
- snprintf(retbuf, SIZEOF(retbuf), "Amanda %d.%d %s HANDLE %s SEQ %d\n",
+ g_snprintf(retbuf, SIZEOF(retbuf), "Amanda %d.%d %s HANDLE %s SEQ %d\n",
VERSION_MAJOR, VERSION_MINOR, pkt_type2str(pkt->type),
kh->proto_handle, kh->sequence);
* Returns negative on parse error.
*/
static int
-str2pkthdr(
+str2kpkthdr(
const char *origstr,
pkt_t * pkt,
char * handle,
parse_error:
#if 0 /* XXX we have no way of passing this back up */
security_seterror(&kh->sech,
- "parse error in packet header : '%s'", origstr);
+ _("parse error in packet header : '%s'"), origstr);
#endif
amfree(str);
return (-1);
#if CLIENT_HOST_INSTANCE != HOSTNAME_INSTANCE
inst = CLIENT_HOST_INSTANCE
#endif
- krb_get_cred(CLIENT_HOST_PRINCIPLE, (char *)inst, realm, &cred);
+ krb_get_cred(CLIENT_HOST_PRINCIPAL, (char *)inst, realm, &cred);
memcpy(key, cred.session, SIZEOF(des_cblock));
}
* like write(), but always writes out the entire buffer.
*/
static int
-net_write(
+knet_write(
int fd,
const void *vbuf,
size_t size)
* Like read(), but waits until the entire buffer has been filled.
*/
static int
-net_read(
+knet_read(
int fd,
void * vbuf,
size_t size,
char *buf = vbuf; /* ptr arith */
ssize_t n;
int neof = 0;
- fd_set readfds;
+ SELECT_ARG_TYPE readfds;
struct timeval tv;
while (size > 0) {
{
int i;
- dbprintf(("%s:", str));
+ dbprintf("%s:", str);
for(i=0;i<len;i++) {
- if(i%25 == 0) dbprintf(("\n"));
- dbprintf((" %02X", buf[i]));
+ if(i%25 == 0)
+ dbprintf("\n");
+ dbprintf(" %02X", buf[i]);
}
- dbprintf(("\n"));
+ dbprintf("\n");
}
static void
const char *str,
KTEXT tktp)
{
- dbprintf(("%s: length %d chk %lX\n", str, tktp->length, tktp->mbz));
- print_hex("ticket data", tktp->dat, tktp->length);
+ dbprintf(_("%s: length %d chk %lX\n"), str, tktp->length, tktp->mbz);
+ print_hex(_("ticket data"), tktp->dat, tktp->length);
fflush(stdout);
}
print_auth(
AUTH_DAT *authp)
{
- printf("\nAuth Data:\n");
- printf(" Principal \"%s\" Instance \"%s\" Realm \"%s\"\n",
+ g_printf("\nAuth Data:\n");
+ g_printf(" Principal \"%s\" Instance \"%s\" Realm \"%s\"\n",
authp->pname, authp->pinst, authp->prealm);
- printf(" cksum %d life %d keylen %ld\n", authp->checksum,
+ g_printf(" cksum %d life %d keylen %ld\n", authp->checksum,
authp->life, SIZEOF(authp->session));
print_hex("session key", authp->session, SIZEOF(authp->session));
fflush(stdout);
print_credentials(
CREDENTIALS *credp)
{
- printf("\nCredentials:\n");
- printf(" service \"%s\" instance \"%s\" realm \"%s\" life %d kvno %d\n",
+ g_printf("\nCredentials:\n");
+ g_printf(" service \"%s\" instance \"%s\" realm \"%s\" life %d kvno %d\n",
credp->service, credp->instance, credp->realm, credp->lifetime,
credp->kvno);
print_hex("session key", credp->session, SIZEOF(credp->session));
fflush(stdout);
}
#endif
-
-#else
-
-void krb4_security_dummy(void);
-
-void
-krb4_security_dummy(void)
-{
-}
-
-#endif /* KRB4_SECURITY */