static int
unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred)
{
unsigned char *p = buf;
p += krb_get_nir(p, cred->service, cred->instance, cred->realm);
memcpy(cred->session, p, 8);
p += 8;
cred->lifetime = *p++;
cred->kvno = *p++;
p += krb_get_int(p, &cred->ticket_st.length, 4, 0);
memcpy(cred->ticket_st.dat, p, cred->ticket_st.length);
cred->ticket_st.mbz = 0;
p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, 0);
p += krb_get_nir(p, cred->pname, cred->pinst, NULL);
return 0;
}
static int
krb4_auth(void *app_data, char *host)
{
int ret;
char *p;
int len;
KTEXT_ST adat;
MSG_DAT msg_data;
int checksum;
uint32_t cs;
struct krb4_data *d = app_data;
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
struct sockaddr_in *localaddr = (struct sockaddr_in *)LOCAL_ADDR;
/* struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR;*/
#endif
checksum = getpid();
ret = mk_auth(d, &adat, "ftp", host, checksum);
if(ret == KDC_PR_UNKNOWN)
ret = mk_auth(d, &adat, "rcmd", host, checksum);
if(ret){
printf("%s\n", krb_get_err_text(ret));
return AUTH_CONTINUE;
}
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
if (krb_get_config_bool("nat_in_use")) {
struct in_addr natAddr;
if (krb_get_our_ip_for_realm(krb_realmofhost(host),
&natAddr) != KSUCCESS
&& krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
ftp_err(_("Can't get address for realm %s\n"),
krb_realmofhost(host));
else {
if (natAddr.s_addr != localaddr->sin_addr.s_addr) {
ftp_err(_("Using NAT IP address (%s) for kerberos 4\n"),
inet_ntoa(natAddr));
localaddr->sin_addr = natAddr;
}
}
}
#endif
if(base64_encode(adat.dat, adat.length, &p) < 0) {
ftp_err(_("Out of memory base64-encoding\n"));
return AUTH_CONTINUE;
}
ret = ftp_cmd("ADAT %s", p);
free(p);
if(ftp->code != ctComplete){
ftp_err(_("Server didn't accept auth data\n"));
return AUTH_ERROR;
}
p = strstr(ftp->reply, "ADAT=");
if(!p){
ftp_err(_("Remote host didn't send adat reply\n"));
return AUTH_ERROR;
}
p += 5;
len = base64_decode(p, adat.dat);
if(len < 0){
ftp_err(_("Failed to decode base64 from server\n"));
return AUTH_ERROR;
}
adat.length = len;
ret = krb_rd_safe(adat.dat, adat.length, &d->key,
(struct sockaddr_in *)hisctladdr,
(struct sockaddr_in *)myctladdr, &msg_data);
if(ret){
ftp_err(_("Error reading reply from server: %s\n"),
krb_get_err_text(ret));
return AUTH_ERROR;
}
krb_get_int(msg_data.app_data, &cs, 4, 0);
if(cs - checksum != 1){
ftp_err(_("Bad checksum returned from server\n"));
return AUTH_ERROR;
}
return AUTH_OK;
}
static int
krb4_auth(void *app_data, struct connectdata *conn)
{
int ret;
char *p;
unsigned char *ptr;
size_t len;
KTEXT_ST adat;
MSG_DAT msg_data;
int checksum;
u_int32_t cs;
struct krb4_data *d = app_data;
char *host = conn->host.name;
ssize_t nread;
int l = sizeof(conn->local_addr);
struct SessionHandle *data = conn->data;
CURLcode result;
if(getsockname(conn->sock[FIRSTSOCKET],
(struct sockaddr *)LOCAL_ADDR, &l) < 0)
perror("getsockname()");
checksum = getpid();
ret = mk_auth(d, &adat, "ftp", host, checksum);
if(ret == KDC_PR_UNKNOWN)
ret = mk_auth(d, &adat, "rcmd", host, checksum);
if(ret) {
infof(data, "%s\n", krb_get_err_text(ret));
return AUTH_CONTINUE;
}
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
if(krb_get_config_bool("nat_in_use")) {
struct sockaddr_in *localaddr = (struct sockaddr_in *)LOCAL_ADDR;
struct in_addr natAddr;
if(krb_get_our_ip_for_realm(krb_realmofhost(host),
&natAddr) != KSUCCESS
&& krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
infof(data, "Can't get address for realm %s\n",
krb_realmofhost(host));
else {
if(natAddr.s_addr != localaddr->sin_addr.s_addr) {
char addr_buf[128];
if(Curl_inet_ntop(AF_INET, natAddr, addr_buf, sizeof(addr_buf)))
infof(data, "Using NAT IP address (%s) for kerberos 4\n", addr_buf);
localaddr->sin_addr = natAddr;
}
}
}
#endif
if(Curl_base64_encode(conn->data, (char *)adat.dat, adat.length, &p) < 1) {
Curl_failf(data, "Out of memory base64-encoding");
return AUTH_CONTINUE;
}
result = Curl_ftpsendf(conn, "ADAT %s", p);
free(p);
if(result)
return -2;
if(Curl_GetFTPResponse(&nread, conn, NULL))
return -1;
if(data->state.buffer[0] != '2'){
Curl_failf(data, "Server didn't accept auth data");
return AUTH_ERROR;
}
p = strstr(data->state.buffer, "ADAT=");
if(!p) {
Curl_failf(data, "Remote host didn't send adat reply");
return AUTH_ERROR;
}
p += 5;
len = Curl_base64_decode(p, &ptr);
if(len > sizeof(adat.dat)-1) {
free(ptr);
len=0;
}
if(!len || !ptr) {
Curl_failf(data, "Failed to decode base64 from server");
return AUTH_ERROR;
}
memcpy((char *)adat.dat, ptr, len);
free(ptr);
adat.length = len;
ret = krb_rd_safe(adat.dat, adat.length, &d->key,
(struct sockaddr_in *)hisctladdr,
(struct sockaddr_in *)myctladdr, &msg_data);
if(ret) {
Curl_failf(data, "Error reading reply from server: %s",
krb_get_err_text(ret));
return AUTH_ERROR;
}
krb_get_int(msg_data.app_data, &cs, 4, 0);
if(cs - checksum != 1) {
Curl_failf(data, "Bad checksum returned from server");
return AUTH_ERROR;
}
return AUTH_OK;
}
static int
krb4_auth(void *app_data, char *host)
{
int ret;
char *p;
int len;
KTEXT_ST adat;
MSG_DAT msg_data;
int checksum;
uint32_t cs;
struct krb4_data *d = app_data;
struct sockaddr_in *localaddr = (struct sockaddr_in *)LOCAL_ADDR;
struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR;
checksum = getpid();
ret = mk_auth(d, &adat, "ftp", host, checksum);
if(ret == KDC_PR_UNKNOWN)
ret = mk_auth(d, &adat, "rcmd", host, checksum);
if(ret){
printf("%s\n", krb_get_err_text(ret));
return AUTH_CONTINUE;
}
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
if (krb_get_config_bool("nat_in_use")) {
struct in_addr natAddr;
if (krb_get_our_ip_for_realm(krb_realmofhost(host),
&natAddr) != KSUCCESS
&& krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
printf("Can't get address for realm %s\n",
krb_realmofhost(host));
else {
if (natAddr.s_addr != localaddr->sin_addr.s_addr) {
printf("Using NAT IP address (%s) for kerberos 4\n",
inet_ntoa(natAddr));
localaddr->sin_addr = natAddr;
/*
* This not the best place to do this, but it
* is here we know that (probably) NAT is in
* use!
*/
passivemode = 1;
printf("Setting: Passive mode on.\n");
}
}
}
#endif
printf("Local address is %s\n", inet_ntoa(localaddr->sin_addr));
printf("Remote address is %s\n", inet_ntoa(remoteaddr->sin_addr));
if(base64_encode(adat.dat, adat.length, &p) < 0) {
printf("Out of memory base64-encoding.\n");
return AUTH_CONTINUE;
}
ret = command("ADAT %s", p);
free(p);
if(ret != COMPLETE){
printf("Server didn't accept auth data.\n");
return AUTH_ERROR;
}
p = strstr(reply_string, "ADAT=");
if(!p){
printf("Remote host didn't send adat reply.\n");
return AUTH_ERROR;
}
p += 5;
len = base64_decode(p, adat.dat);
if(len < 0){
printf("Failed to decode base64 from server.\n");
return AUTH_ERROR;
}
adat.length = len;
ret = krb_rd_safe(adat.dat, adat.length, &d->key,
(struct sockaddr_in *)hisctladdr,
(struct sockaddr_in *)myctladdr, &msg_data);
if(ret){
printf("Error reading reply from server: %s.\n",
krb_get_err_text(ret));
return AUTH_ERROR;
}
krb_get_int(msg_data.app_data, &cs, 4, 0);
if(cs - checksum != 1){
printf("Bad checksum returned from server.\n");
return AUTH_ERROR;
}
return AUTH_OK;
}
int32_t
krb_rd_safe(void *in, u_int32_t in_length, des_cblock *key,
struct sockaddr_in *sender, struct sockaddr_in *receiver,
MSG_DAT *m_data)
{
unsigned char *p = (unsigned char*)in, *start;
unsigned char pvno, type;
int little_endian;
struct timeval tv;
u_int32_t src_addr;
int delta_t;
pvno = *p++;
if(pvno != KRB_PROT_VERSION)
return RD_AP_VERSION;
type = *p++;
little_endian = type & 1;
type &= ~1;
if(type != AUTH_MSG_SAFE)
return RD_AP_MSG_TYPE;
start = p;
p += krb_get_int(p, &m_data->app_length, 4, little_endian);
if(m_data->app_length + 31 > in_length)
return RD_AP_MODIFIED;
m_data->app_data = p;
p += m_data->app_length;
m_data->time_5ms = *p++;
p += krb_get_address(p, &src_addr);
if (!krb_equiv(src_addr, sender->sin_addr.s_addr))
return RD_AP_BADD;
p += krb_get_int(p, (u_int32_t *)&m_data->time_sec, 4, little_endian);
m_data->time_sec = lsb_time(m_data->time_sec, sender, receiver);
gettimeofday(&tv, NULL);
delta_t = abs((int)((long) tv.tv_sec - m_data->time_sec));
if (delta_t > CLOCK_SKEW) return RD_AP_TIME;
/*
* caller must check timestamps for proper order and replays, since
* server might have multiple clients each with its own timestamps
* and we don't assume tightly synchronized clocks.
*/
{
unsigned char new_checksum[16];
unsigned char old_checksum[16];
fixup_quad_cksum(start, p - start, key,
new_checksum, old_checksum, little_endian);
if((dqc_type == DES_QUAD_GUESS || dqc_type == DES_QUAD_NEW) &&
memcmp(new_checksum, p, 16) == 0)
dqc_type = DES_QUAD_NEW;
else if((dqc_type == DES_QUAD_GUESS || dqc_type == DES_QUAD_OLD) &&
memcmp(old_checksum, p, 16) == 0)
dqc_type = DES_QUAD_OLD;
else
return RD_AP_MODIFIED;
}
return KSUCCESS;
}
int32_t
krb_rd_priv(void *in, u_int32_t in_length,
struct des_ks_struct *schedule, des_cblock *key,
struct sockaddr_in *sender, struct sockaddr_in *receiver,
MSG_DAT *m_data)
{
unsigned char *p = (unsigned char*)in;
int little_endian;
u_int32_t clen;
struct timeval tv;
u_int32_t src_addr;
int delta_t;
unsigned char pvno, type;
pvno = *p++;
if(pvno != KRB_PROT_VERSION)
return RD_AP_VERSION;
type = *p++;
little_endian = type & 1;
type &= ~1;
p += krb_get_int(p, &clen, 4, little_endian);
if(clen + 2 > in_length)
return RD_AP_MODIFIED;
des_pcbc_encrypt((des_cblock*)p, (des_cblock*)p, clen,
schedule, key, DES_DECRYPT);
p += krb_get_int(p, &m_data->app_length, 4, little_endian);
if(m_data->app_length + 17 > in_length)
return RD_AP_MODIFIED;
m_data->app_data = p;
p += m_data->app_length;
m_data->time_5ms = *p++;
p += krb_get_address(p, &src_addr);
if (!krb_equiv(src_addr, sender->sin_addr.s_addr))
return RD_AP_BADD;
p += krb_get_int(p, (u_int32_t *)&m_data->time_sec, 4, little_endian);
m_data->time_sec = lsb_time(m_data->time_sec, sender, receiver);
gettimeofday(&tv, NULL);
/* check the time integrity of the msg */
delta_t = abs((int)((long) tv.tv_sec - m_data->time_sec));
if (delta_t > CLOCK_SKEW)
return RD_AP_TIME;
if (krb_debug)
krb_warning("delta_t = %d\n", (int) delta_t);
/*
* caller must check timestamps for proper order and
* replays, since server might have multiple clients
* each with its own timestamps and we don't assume
* tightly synchronized clocks.
*/
return KSUCCESS;
}
