/*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Copyright (c) 1983 Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that the above copyright notice and this paragraph are
* duplicated in all such forms and that any documentation,
* advertising materials, and other materials related to such
* distribution and use acknowledge that the software was developed
* by the University of California, Berkeley. The name of the
* University may not be used to endorse or promote products derived
* from this software without specific prior written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
/* derived from @(#)rcmd.c 5.17 (Berkeley) 6/27/88 */
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
#include <string.h>
#include <pwd.h>
#include <fcntl.h>
#include <signal.h>
#include <netdb.h>
#include <locale.h>
#include <syslog.h>
#include <errno.h>
#include <com_err.h>
#include <k5-int.h>
#include <kcmd.h>
/*
* For compatibility with earlier versions of Solaris and other OS
* (kerborized rsh uses 4KB of RSH_BUFSIZE)- 256 to make sure
* there is room
*/
static int deswrite_compat(int, char *, int, int);
static int nstored = 0;
/* XXX Overloaded: use_ivecs!=0 -> new protocol, inband signalling, etc. */
/* ARGSUSED */
int
{
int s = -1;
char c;
int rc;
char *cksumbuf;
int bsize = 0;
char *kcmd_version;
" memory for checksum buffer.\n"));
return (-1);
}
return (-1);
}
return (-1);
}
if (hp == 0) {
return (-1);
}
return (-1);
}
/* If no service is given set to the default service */
return (-1);
}
(void) sigemptyset(&urgmask);
if (status) {
gettext("kcmd: "
"krb5_sname_to_principal failed: %s\n"),
status = -1;
goto bad;
}
(void) krb5_xfree(
}
if (s < 0) {
status = -1;
goto bad;
}
/*
* Kerberos only supports IPv4 addresses for now.
*/
} else {
status = -1;
goto bad;
}
status = -1;
goto bad;
}
if (fd2p == 0) {
} else {
int s2;
int s3;
if (s2 < 0) {
status = -1;
goto bad;
}
status = -1;
goto bad;
}
status = -1;
goto bad;
}
status = -1;
goto bad;
}
if (s3 < 0) {
status = -1;
goto bad;
}
gettext("socket: protocol "
"failure in circuit setup.\n"));
status = -1;
goto bad2;
}
} else {
gettext("Kerberos does not support "
"address type %d\n"),
SOCK_FAMILY(from));
status = -1;
goto bad2;
}
}
goto bad2;
if (status) {
goto bad2;
}
/* Get ticket from credentials cache or kdc */
/* Reset internal flags; these should not be sent. */
authopts &= (~OPTS_FORWARD_CREDS);
authopts &= (~OPTS_FORWARDABLE_CREDS);
goto bad2;
goto bad2;
/* Only need local address for mk_cred() to send to krlogind */
goto bad2;
if (protonum == KCMD_PROTOCOL_COMPAT_HACK) {
&is_des);
if (status)
goto bad2;
}
switch (protonum) {
case KCMD_NEW_PROTOCOL:
kcmd_version = "KCMDV0.2";
break;
case KCMD_OLD_PROTOCOL:
kcmd_version = "KCMDV0.1";
break;
default:
status = -1;
goto bad2;
}
/*
* Call the Kerberos library routine to obtain an authenticator,
* pass it over the socket to the server, and obtain mutual
* authentication.
*/
if (status) {
" to server: %s\n"),
if (error) {
" code %d (%s)\n"),
gettext("Error text"
" sent from server: %s\n"),
}
if (error) {
error = 0;
}
goto bad2;
}
if (rep_ret && server_seqno) {
}
if (locuser)
else
&outbuf)) {
gettext("kcmd: Error getting"
" forwarded creds\n"));
goto bad2;
}
/* Send forwarded credentials */
&outbuf))
goto bad2;
} else { /* Dummy write to signal no forwarding */
(krb5_pointer)&s, &outbuf))
goto bad2;
}
if (rc == -1) {
} else {
"with remote host\n"));
}
status = -1;
goto bad2;
}
if (c != 0) {
if (c == '\n')
break;
}
status = -1;
goto bad2;
}
*sock = s;
/* pass back credentials if wanted */
/*
* Initialize *authconp to auth_context, so
* that the clients can make use of it
*/
*authconp = auth_context;
return (0);
bad2:
bad:
if (s > 0)
(void) close(s);
if (get_cred)
if (ret_cred)
if (host_save)
return (status);
}
/*
* Strsave was a routine in the version 4 krb library: we put it here
* for compatablilty with version 5 krb library, since kcmd.o is linked
* into all programs.
*/
char *
{
char *ret;
exit(1);
}
return (ret);
}
/*
* This routine is to initialize the desinbuf, desoutbuf and the session key
* structures to carry out desread()'s and deswrite()'s successfully
*/
void
{
int i;
kcmd_context = ctxt;
if (enc > 0) {
} else {
return;
}
enc_keyusage_i[0] = KCMD_KEYUSAGE;
enc_keyusage_o[0] = KCMD_KEYUSAGE;
if (protonum == KCMD_OLD_PROTOCOL) {
return;
}
/*
* For the DES-based enctypes and the 3DES enctype we
* want to use a non-zero IV because that's what we did.
* In the future we use different keyusage for each
* channel and direction and a fresh cipher state.
*/
case ENCTYPE_DES_CBC_CRC:
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_DES3_CBC_SHA1:
&blocksize);
if (statuscode) {
/* XXX what do I do? */
abort();
}
== NULL) {
/* XXX what do I do? */
abort();
}
/* is there a better way to initialize this? */
break;
default:
if (amclient) {
enc_keyusage_i[0] = 1028;
enc_keyusage_o[0] = 1032;
} else { /* amclient */
enc_keyusage_i[0] = 1032;
enc_keyusage_o[0] = 1028;
}
for (i = 0; i < 2; i++) {
skey, enc_keyusage_i[i],
&encivec_i[i]);
if (ret)
goto fail;
skey, enc_keyusage_o[i],
&encivec_o[i]);
if (ret)
goto fail;
}
break;
}
return;
fail:
abort();
}
int
{
int nreturned = 0;
int cc;
if (!encrypt_flag)
/*
* If there is stored data from a previous read,
* put it into the output buffer and return it now.
*/
return (len);
} else if (nstored) {
nstored = 0;
}
return (cc);
/* XXX can't read enough, pipe must have closed */
return (0);
}
&ret))
else
/*
* preposterous length; assume out-of-sync; only recourse
* is to close connection, so return 0
*/
return (0);
}
!= net_len) {
/* pipe must have closed, return 0 */
gettext("Read error: length received %d "
"!= expected %d.\n"),
return (0);
}
/*
* Decrypt information
*/
/*
* data is decrypted into the "storage" buffer, which
* had better be large enough!
*/
if (cc) {
"from network\n"));
return (0);
}
int rd_len2;
/* cleartext length trashed? */
return (-1);
}
store_ptr += 4;
}
/*
* Copy only as much data as the input buffer will allow.
* The rest is kept in the 'storage' pointer for the next
* read.
*/
} else {
nstored = 0;
}
return (nreturned);
}
int
{
int bytes_written;
int r;
int outlen;
char *p;
if (!encrypt_flag)
bytes_written = 0;
while (len > 0) {
p = buf + bytes_written;
if (len > KCMD8_BUFSIZ)
else
if (r == -1)
return (r);
bytes_written += r;
len -= r;
}
return (bytes_written);
}
static int
{
int cc;
abort();
} else {
}
goto err;
} else {
}
return (-1);
}
/*
* Encrypt information
*/
if (cc) {
err:
return (-1);
}
"out all data.\n"));
return (-1);
} else {
return (len);
}
}