int
kerberos4_forward(Authenticator *ap)
{
CREDENTIALS cred;
char *realm;
des_key_schedule ks;
int len;
unsigned char netcred[sizeof(CREDENTIALS)];
int ret;
realm = krb_realmofhost(RemoteHostName);
if(realm == NULL)
return -1;
memset(&cred, 0, sizeof(cred));
ret = krb_get_cred(KRB_TICKET_GRANTING_TICKET,
realm,
realm,
&cred);
if(ret)
return ret;
des_set_key(&session_key, ks);
len = pack_cred(&cred, netcred);
des_pcbc_encrypt((void*)netcred, (void*)netcred, len,
ks, &session_key, DES_ENCRYPT);
memset(ks, 0, sizeof(ks));
Data(ap, KRB_FORWARD, netcred, len);
memset(netcred, 0, sizeof(netcred));
return 0;
}
static char *afs_realm_of_cell(struct afsconf_cell *cellconfig)
{
char krbhst[MAX_HSTNM];
static char krbrlm[REALM_SZ+1];
if (!cellconfig)
return 0;
strcpy(krbrlm, (char *) krb_realmofhost(cellconfig->hostName[0]));
if (krb_get_admhst(krbhst, krbrlm, 1) != KSUCCESS)
{
char *s = krbrlm;
char *t = cellconfig->name;
int c;
while (c = *t++)
{
if (islower(c))
c = toupper(c);
*s++ = c;
}
*s++ = 0;
}
return krbrlm;
}
static char *
get_realm(struct kafs_data *data, const char *host)
{
char *r = krb_realmofhost(host);
if(r != NULL)
return strdup(r);
else
return NULL;
}
static int
mk_auth(struct krb4_data *d, KTEXT adat,
char *service, char *host, int checksum)
{
int ret;
CREDENTIALS cred;
char sname[SNAME_SZ], inst[INST_SZ], realm[REALM_SZ];
strlcpy(sname, service, sizeof(sname));
strlcpy(inst, krb_get_phost(host), sizeof(inst));
strlcpy(realm, krb_realmofhost(host), sizeof(realm));
ret = krb_mk_req(adat, sname, inst, realm, checksum);
if(ret)
return ret;
strlcpy(sname, service, sizeof(sname));
strlcpy(inst, krb_get_phost(host), sizeof(inst));
strlcpy(realm, krb_realmofhost(host), sizeof(realm));
ret = krb_get_cred(sname, inst, realm, &cred);
memmove(&d->key, &cred.session, sizeof(des_cblock));
des_key_sched(&d->key, d->schedule);
memset(&cred, 0, sizeof(cred));
return ret;
}
int mr_auth(char *prog)
{
#ifdef HAVE_KRB4
int status;
mr_params params, reply;
char *args[2];
int argl[2];
char realm[REALM_SZ], host[BUFSIZ], *p;
KTEXT_ST auth;
CHECK_CONNECTED;
if ((status = mr_host(host, sizeof(host) - 1)))
return status;
strcpy(realm, krb_realmofhost(host));
for (p = host; *p && *p != '.'; p++)
{
if (isupper(*p))
*p = tolower(*p);
}
*p = '\0';
status = krb_mk_req(&auth, MOIRA_SNAME, host, realm, 0);
if (status != KSUCCESS)
{
status += ERROR_TABLE_BASE_krb;
return status;
}
params.u.mr_procno = MR_AUTH;
params.mr_argc = 2;
params.mr_argv = args;
params.mr_argl = argl;
params.mr_argv[0] = (char *)auth.dat;
params.mr_argl[0] = auth.length;
params.mr_argv[1] = prog;
params.mr_argl[1] = strlen(prog) + 1;
if ((status = mr_do_call(¶ms, &reply)) == MR_SUCCESS)
status = reply.u.mr_status;
mr_destroy_reply(reply);
return status;
#else
return MR_NO_KRB4;
#endif
}
/*
*
* K4_auth_send - gets authentication bits we need to send to KDC.
*
* Result is left in auth
*
* Returns: 0 on failure, 1 on success
*/
static int
k4_auth_send(kstream ks)
{
int r; /* Return value */
char instance[INST_SZ];
char *realm;
char buf[256];
memset(instance, 0, sizeof(instance));
if (realm = krb_get_phost(szHostName))
lstrcpy(instance, realm);
realm = krb_realmofhost(szHostName);
if (!realm) {
strcpy(buf, "Can't find realm for host \"");
strncat(buf, szHostName, sizeof(buf) - 1 - strlen(buf));
strncat(buf, "\"", sizeof(buf) - 1 - strlen(buf));
auth_abort(ks, buf, 0);
return KFAILURE;
}
r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0);
if (r == 0)
r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred);
if (r) {
strcpy(buf, "Can't get \"");
strncat(buf, KRB_SERVICE_NAME, sizeof(buf) - 1 - strlen(buf));
if (instance[0] != 0) {
strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
lstrcat(buf, instance);
}
strncat(buf, "@", sizeof(buf) - 1 - strlen(buf));
lstrcat(buf, realm);
strncat(buf, "\" ticket", sizeof(buf) - 1 - strlen(buf));
auth_abort(ks, buf, r);
return r;
}
if (!szUserName[0]) /* Copy if not there */
strcpy(szUserName, cred.pname);
return(1);
}
/*
* Function: socket_connection
*
* Purpose: Opens the network connection with the mail host, without
* doing any sort of I/O with it or anything.
*
* Arguments:
* host The host to which to connect.
* flags Option flags.
*
* Return value: A file descriptor indicating the connection, or -1
* indicating failure, in which case an error has been copied
* into pop_error.
*/
static int
socket_connection (char *host, int flags)
{
struct addrinfo *res, *it;
struct addrinfo hints;
int ret;
struct servent *servent;
struct sockaddr_in addr;
char found_port = 0;
const char *service;
int sock;
char *realhost;
#ifdef KERBEROS
#ifdef KERBEROS5
krb5_error_code rem;
krb5_context kcontext = 0;
krb5_auth_context auth_context = 0;
krb5_ccache ccdef;
krb5_principal client, server;
krb5_error *err_ret;
register char *cp;
#else
KTEXT ticket;
MSG_DAT msg_data;
CREDENTIALS cred;
Key_schedule schedule;
int rem;
#endif /* KERBEROS5 */
#endif /* KERBEROS */
int try_count = 0;
int connect_ok;
#ifdef WINDOWSNT
{
WSADATA winsockData;
if (WSAStartup (0x101, &winsockData) == 0)
have_winsock = 1;
}
#endif
memset (&addr, 0, sizeof (addr));
addr.sin_family = AF_INET;
/** "kpop" service is never used: look for 20060515 to see why **/
#ifdef KERBEROS
service = (flags & POP_NO_KERBEROS) ? POP_SERVICE : KPOP_SERVICE;
#else
service = POP_SERVICE;
#endif
#ifdef HESIOD
if (! (flags & POP_NO_HESIOD))
{
servent = hes_getservbyname (service, "tcp");
if (servent)
{
addr.sin_port = servent->s_port;
found_port = 1;
}
}
#endif
if (! found_port)
{
servent = getservbyname (service, "tcp");
if (servent)
{
addr.sin_port = servent->s_port;
}
else
{
/** "kpop" service is never used: look for 20060515 to see why **/
#ifdef KERBEROS
addr.sin_port = htons ((flags & POP_NO_KERBEROS) ?
POP_PORT : KPOP_PORT);
#else
addr.sin_port = htons (POP_PORT);
#endif
}
}
#define POP_SOCKET_ERROR "Could not create socket for POP connection: "
sock = socket (PF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
snprintf (pop_error, ERROR_MAX, "%s%s",
POP_SOCKET_ERROR, strerror (errno));
return (-1);
}
memset (&hints, 0, sizeof (hints));
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_CANONNAME;
hints.ai_family = AF_INET;
do
{
ret = getaddrinfo (host, service, &hints, &res);
try_count++;
if (ret != 0 && (ret != EAI_AGAIN || try_count == 5))
{
strcpy (pop_error, "Could not determine POP server's address");
return (-1);
}
} while (ret != 0);
for (it = res; it; it = it->ai_next)
if (it->ai_addrlen == sizeof addr)
{
struct sockaddr_in *in_a = (struct sockaddr_in *) it->ai_addr;
addr.sin_addr = in_a->sin_addr;
if (! connect (sock, (struct sockaddr *) &addr, sizeof addr))
break;
}
connect_ok = it != NULL;
if (connect_ok)
{
realhost = alloca (strlen (it->ai_canonname) + 1);
strcpy (realhost, it->ai_canonname);
}
freeaddrinfo (res);
#define CONNECT_ERROR "Could not connect to POP server: "
if (! connect_ok)
{
CLOSESOCKET (sock);
snprintf (pop_error, ERROR_MAX, "%s%s", CONNECT_ERROR, strerror (errno));
return (-1);
}
#ifdef KERBEROS
#define KRB_ERROR "Kerberos error connecting to POP server: "
if (! (flags & POP_NO_KERBEROS))
{
#ifdef KERBEROS5
rem = krb5_init_context (&kcontext);
if (rem)
{
krb5error:
if (auth_context)
krb5_auth_con_free (kcontext, auth_context);
if (kcontext)
krb5_free_context (kcontext);
snprintf (pop_error, ERROR_MAX, "%s%s",
KRB_ERROR, error_message (rem));
CLOSESOCKET (sock);
return (-1);
}
rem = krb5_auth_con_init (kcontext, &auth_context);
if (rem)
goto krb5error;
rem = krb5_cc_default (kcontext, &ccdef);
if (rem)
goto krb5error;
rem = krb5_cc_get_principal (kcontext, ccdef, &client);
if (rem)
goto krb5error;
for (cp = realhost; *cp; cp++)
*cp = c_tolower (*cp);
rem = krb5_sname_to_principal (kcontext, realhost,
POP_SERVICE, FALSE, &server);
if (rem)
goto krb5error;
rem = krb5_sendauth (kcontext, &auth_context,
(krb5_pointer) &sock, (char *) "KPOPV1.0",
client, server,
AP_OPTS_MUTUAL_REQUIRED,
0, /* no checksum */
0, /* no creds, use ccache instead */
ccdef,
&err_ret,
0, /* don't need subsession key */
0); /* don't need reply */
krb5_free_principal (kcontext, server);
if (rem)
{
int pop_error_len = snprintf (pop_error, ERROR_MAX, "%s%s",
KRB_ERROR, error_message (rem));
#if defined HAVE_KRB5_ERROR_TEXT
if (err_ret && err_ret->text.length)
{
int errlen = err_ret->text.length;
snprintf (pop_error + pop_error_len, ERROR_MAX - pop_error_len,
" [server says '%.*s']", errlen, err_ret->text.data);
}
#elif defined HAVE_KRB5_ERROR_E_TEXT
if (err_ret && err_ret->e_text && **err_ret->e_text)
snprintf (pop_error + pop_error_len, ERROR_MAX - pop_error_len,
" [server says '%s']", *err_ret->e_text);
#endif
if (err_ret)
krb5_free_error (kcontext, err_ret);
krb5_auth_con_free (kcontext, auth_context);
krb5_free_context (kcontext);
CLOSESOCKET (sock);
return (-1);
}
#else /* ! KERBEROS5 */
ticket = (KTEXT) malloc (sizeof (KTEXT_ST));
rem = krb_sendauth (0L, sock, ticket, "pop", realhost,
(char *) krb_realmofhost (realhost),
(unsigned long) 0, &msg_data, &cred, schedule,
(struct sockaddr_in *) 0,
(struct sockaddr_in *) 0,
"KPOPV0.1");
free ((char *) ticket);
if (rem != KSUCCESS)
{
snprintf (pop_error, ERROR_MAX, "%s%s", KRB_ERROR, krb_err_txt[rem]);
CLOSESOCKET (sock);
return (-1);
}
#endif /* KERBEROS5 */
}
#endif /* KERBEROS */
return (sock);
} /* socket_connection */
/* This function has not been changed to deal with NO_SOCKET_TO_FD
(i.e., systems on which sockets cannot be converted to file
descriptors). The first person to try building a kerberos client
on such a system (OS/2, Windows 95, and maybe others) will have to
take care of this. */
void
start_kerberos4_server (cvsroot_t *root, struct buffer **to_server_p,
struct buffer **from_server_p)
{
int s;
int port;
struct hostent *hp;
struct sockaddr_in sin;
char *hname;
s = socket (AF_INET, SOCK_STREAM, 0);
if (s < 0)
error (1, 0, "cannot create socket: %s", SOCK_STRERROR (SOCK_ERRNO));
port = get_cvs_port_number (root);
hp = init_sockaddr (&sin, root->hostname, port);
hname = xstrdup (hp->h_name);
TRACE (TRACE_FUNCTION, "Connecting to %s(%s):%d",
root->hostname,
inet_ntoa (sin.sin_addr),
port);
if (connect (s, (struct sockaddr *) &sin, sizeof sin) < 0)
error (1, 0, "connect to %s(%s):%d failed: %s",
root->hostname,
inet_ntoa (sin.sin_addr),
port, SOCK_STRERROR (SOCK_ERRNO));
{
const char *realm;
struct sockaddr_in laddr;
int laddrlen;
KTEXT_ST ticket;
MSG_DAT msg_data;
CREDENTIALS cred;
int status;
realm = krb_realmofhost (hname);
laddrlen = sizeof (laddr);
if (getsockname (s, (struct sockaddr *) &laddr, &laddrlen) < 0)
error (1, 0, "getsockname failed: %s", SOCK_STRERROR (SOCK_ERRNO));
/* We don't care about the checksum, and pass it as zero. */
status = krb_sendauth (KOPT_DO_MUTUAL, s, &ticket, "rcmd",
hname, realm, (unsigned long) 0, &msg_data,
&cred, sched, &laddr, &sin, "KCVSV1.0");
if (status != KSUCCESS)
error (1, 0, "kerberos authentication failed: %s",
krb_get_err_text (status));
memcpy (kblock, cred.session, sizeof (C_Block));
}
close_on_exec (s);
free (hname);
/* Give caller the values it wants. */
make_bufs_from_fds (s, s, 0, root, to_server_p, from_server_p, 1);
}
static int
krb4_auth(void *app_data, char *host)
{
int ret;
char *p;
int len;
KTEXT_ST adat;
MSG_DAT msg_data;
int checksum;
uint32_t cs;
struct krb4_data *d = app_data;
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
struct sockaddr_in *localaddr = (struct sockaddr_in *)LOCAL_ADDR;
/* struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR;*/
#endif
checksum = getpid();
ret = mk_auth(d, &adat, "ftp", host, checksum);
if(ret == KDC_PR_UNKNOWN)
ret = mk_auth(d, &adat, "rcmd", host, checksum);
if(ret){
printf("%s\n", krb_get_err_text(ret));
return AUTH_CONTINUE;
}
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
if (krb_get_config_bool("nat_in_use")) {
struct in_addr natAddr;
if (krb_get_our_ip_for_realm(krb_realmofhost(host),
&natAddr) != KSUCCESS
&& krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
ftp_err(_("Can't get address for realm %s\n"),
krb_realmofhost(host));
else {
if (natAddr.s_addr != localaddr->sin_addr.s_addr) {
ftp_err(_("Using NAT IP address (%s) for kerberos 4\n"),
inet_ntoa(natAddr));
localaddr->sin_addr = natAddr;
}
}
}
#endif
if(base64_encode(adat.dat, adat.length, &p) < 0) {
ftp_err(_("Out of memory base64-encoding\n"));
return AUTH_CONTINUE;
}
ret = ftp_cmd("ADAT %s", p);
free(p);
if(ftp->code != ctComplete){
ftp_err(_("Server didn't accept auth data\n"));
return AUTH_ERROR;
}
p = strstr(ftp->reply, "ADAT=");
if(!p){
ftp_err(_("Remote host didn't send adat reply\n"));
return AUTH_ERROR;
}
p += 5;
len = base64_decode(p, adat.dat);
if(len < 0){
ftp_err(_("Failed to decode base64 from server\n"));
return AUTH_ERROR;
}
adat.length = len;
ret = krb_rd_safe(adat.dat, adat.length, &d->key,
(struct sockaddr_in *)hisctladdr,
(struct sockaddr_in *)myctladdr, &msg_data);
if(ret){
ftp_err(_("Error reading reply from server: %s\n"),
krb_get_err_text(ret));
return AUTH_ERROR;
}
krb_get_int(msg_data.app_data, &cs, 4, 0);
if(cs - checksum != 1){
ftp_err(_("Bad checksum returned from server\n"));
return AUTH_ERROR;
}
return AUTH_OK;
}
void
kauth(int argc, char **argv)
{
int ret;
char buf[1024];
des_cblock key;
des_key_schedule schedule;
KTEXT_ST tkt, tktcopy;
char *name;
char *p;
int overbose;
char passwd[100];
int tmp;
int save;
if(argc > 2){
printf("usage: %s [principal]\n", argv[0]);
code = -1;
return;
}
if(argc == 2)
name = argv[1];
else
name = username;
overbose = verbose;
verbose = 0;
save = set_command_prot(prot_private);
ret = command("SITE KAUTH %s", name);
if(ret != CONTINUE){
verbose = overbose;
set_command_prot(save);
code = -1;
return;
}
verbose = overbose;
p = strstr(reply_string, "T=");
if(!p){
printf("Bad reply from server.\n");
set_command_prot(save);
code = -1;
return;
}
p += 2;
tmp = base64_decode(p, &tkt.dat);
if(tmp < 0){
printf("Failed to decode base64 in reply.\n");
set_command_prot(save);
code = -1;
return;
}
tkt.length = tmp;
tktcopy.length = tkt.length;
p = strstr(reply_string, "P=");
if(!p){
printf("Bad reply from server.\n");
verbose = overbose;
set_command_prot(save);
code = -1;
return;
}
name = p + 2;
for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
*p = 0;
snprintf(buf, sizeof(buf), "Password for %s:", name);
if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0))
*passwd = '\0';
des_string_to_key (passwd, &key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
if (strcmp ((char*)tktcopy.dat + 8,
KRB_TICKET_GRANTING_TICKET) != 0) {
afs_string_to_key (passwd, krb_realmofhost(hostname), &key);
des_key_sched (&key, schedule);
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
}
memset(key, 0, sizeof(key));
memset(schedule, 0, sizeof(schedule));
memset(passwd, 0, sizeof(passwd));
if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) {
printf("Out of memory base64-encoding.\n");
set_command_prot(save);
code = -1;
return;
}
memset (tktcopy.dat, 0, tktcopy.length);
ret = command("SITE KAUTH %s %s", name, p);
free(p);
set_command_prot(save);
if(ret != COMPLETE){
code = -1;
return;
}
code = 0;
}
static int
krb4_auth(void *app_data, struct connectdata *conn)
{
int ret;
char *p;
unsigned char *ptr;
size_t len;
KTEXT_ST adat;
MSG_DAT msg_data;
int checksum;
u_int32_t cs;
struct krb4_data *d = app_data;
char *host = conn->host.name;
ssize_t nread;
int l = sizeof(conn->local_addr);
struct SessionHandle *data = conn->data;
CURLcode result;
if(getsockname(conn->sock[FIRSTSOCKET],
(struct sockaddr *)LOCAL_ADDR, &l) < 0)
perror("getsockname()");
checksum = getpid();
ret = mk_auth(d, &adat, "ftp", host, checksum);
if(ret == KDC_PR_UNKNOWN)
ret = mk_auth(d, &adat, "rcmd", host, checksum);
if(ret) {
infof(data, "%s\n", krb_get_err_text(ret));
return AUTH_CONTINUE;
}
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
if(krb_get_config_bool("nat_in_use")) {
struct sockaddr_in *localaddr = (struct sockaddr_in *)LOCAL_ADDR;
struct in_addr natAddr;
if(krb_get_our_ip_for_realm(krb_realmofhost(host),
&natAddr) != KSUCCESS
&& krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
infof(data, "Can't get address for realm %s\n",
krb_realmofhost(host));
else {
if(natAddr.s_addr != localaddr->sin_addr.s_addr) {
char addr_buf[128];
if(Curl_inet_ntop(AF_INET, natAddr, addr_buf, sizeof(addr_buf)))
infof(data, "Using NAT IP address (%s) for kerberos 4\n", addr_buf);
localaddr->sin_addr = natAddr;
}
}
}
#endif
if(Curl_base64_encode(conn->data, (char *)adat.dat, adat.length, &p) < 1) {
Curl_failf(data, "Out of memory base64-encoding");
return AUTH_CONTINUE;
}
result = Curl_ftpsendf(conn, "ADAT %s", p);
free(p);
if(result)
return -2;
if(Curl_GetFTPResponse(&nread, conn, NULL))
return -1;
if(data->state.buffer[0] != '2'){
Curl_failf(data, "Server didn't accept auth data");
return AUTH_ERROR;
}
p = strstr(data->state.buffer, "ADAT=");
if(!p) {
Curl_failf(data, "Remote host didn't send adat reply");
return AUTH_ERROR;
}
p += 5;
len = Curl_base64_decode(p, &ptr);
if(len > sizeof(adat.dat)-1) {
free(ptr);
len=0;
}
if(!len || !ptr) {
Curl_failf(data, "Failed to decode base64 from server");
return AUTH_ERROR;
}
memcpy((char *)adat.dat, ptr, len);
free(ptr);
adat.length = len;
ret = krb_rd_safe(adat.dat, adat.length, &d->key,
(struct sockaddr_in *)hisctladdr,
(struct sockaddr_in *)myctladdr, &msg_data);
if(ret) {
Curl_failf(data, "Error reading reply from server: %s",
krb_get_err_text(ret));
return AUTH_ERROR;
}
krb_get_int(msg_data.app_data, &cs, 4, 0);
if(cs - checksum != 1) {
Curl_failf(data, "Bad checksum returned from server");
return AUTH_ERROR;
}
return AUTH_OK;
}
static int
kerberos4_send(char *name, Authenticator *ap)
{
KTEXT_ST auth;
char instance[INST_SZ];
char *realm;
CREDENTIALS cred;
int r;
printf("[ Trying %s ... ]\r\n", name);
if (!UserNameRequested) {
if (auth_debug_mode) {
printf("Kerberos V4: no user name supplied\r\n");
}
return(0);
}
memset(instance, 0, sizeof(instance));
if ((realm = krb_get_phost(RemoteHostName)))
strncpy(instance, realm, sizeof(instance));
instance[sizeof(instance)-1] = '\0';
realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
if (!realm) {
printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
return(0);
}
r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L);
if (r) {
printf("mk_req failed: %s\r\n", krb_get_err_text(r));
return(0);
}
r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred);
if (r) {
printf("get_cred failed: %s\r\n", krb_get_err_text(r));
return(0);
}
if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
if (auth_debug_mode)
printf("Not enough room for user name\r\n");
return(0);
}
if (auth_debug_mode)
printf("Sent %d bytes of authentication data\r\n", auth.length);
if (!Data(ap, KRB_AUTH, (void *)auth.dat, auth.length)) {
if (auth_debug_mode)
printf("Not enough room for authentication data\r\n");
return(0);
}
#ifdef ENCRYPTION
/* create challenge */
if ((ap->way & AUTH_HOW_MASK)==AUTH_HOW_MUTUAL) {
int i;
des_key_sched(&cred.session, sched);
des_init_random_number_generator(&cred.session);
des_new_random_key(&session_key);
des_ecb_encrypt(&session_key, &session_key, sched, 0);
des_ecb_encrypt(&session_key, &challenge, sched, 0);
/*
old code
Some CERT Advisory thinks this is a bad thing...
des_init_random_number_generator(&cred.session);
des_new_random_key(&challenge);
des_ecb_encrypt(&challenge, &session_key, sched, 1);
*/
/*
* Increment the challenge by 1, and encrypt it for
* later comparison.
*/
for (i = 7; i >= 0; --i)
if(++challenge[i] != 0) /* No carry! */
break;
des_ecb_encrypt(&challenge, &challenge, sched, 1);
}
#endif
if (auth_debug_mode) {
printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
printd(auth.dat, auth.length);
printf("\r\n");
printf("Sent Kerberos V4 credentials to server\r\n");
}
return(1);
}
int
main(int argc, char *argv[])
{
struct passwd *pw;
struct servent *sp;
struct sgttyb ttyb;
long omask;
int argoff, ch, dflag, Dflag, one, uid;
char *host, *localname, *p, *user, term[1024];
#ifdef KERBEROS
char *k;
#endif
struct sockaddr_storage ss;
int sslen;
argoff = dflag = Dflag = 0;
one = 1;
host = localname = user = NULL;
if ((p = strrchr(argv[0], '/')))
++p;
else
p = argv[0];
if (strcmp(p, "rlogin"))
host = p;
/* handle "rlogin host flags" */
if (!host && argc > 2 && argv[1][0] != '-') {
host = argv[1];
argoff = 1;
}
#ifdef KERBEROS
#define OPTIONS "468DEKLde:i:k:l:x"
#else
#define OPTIONS "468DEKLde:i:l:"
#endif
while ((ch = getopt(argc - argoff, argv + argoff, OPTIONS)) != -1)
switch(ch) {
case '4':
family = PF_INET;
break;
case '6':
family = PF_INET6;
break;
case '8':
eight = 1;
break;
case 'D':
Dflag = 1;
break;
case 'E':
noescape = 1;
break;
case 'K':
#ifdef KERBEROS
use_kerberos = 0;
#endif
break;
case 'L':
litout = 1;
break;
case 'd':
dflag = 1;
break;
case 'e':
noescape = 0;
escapechar = getescape(optarg);
break;
case 'i':
if (getuid() != 0)
errx(1, "-i user: permission denied");
localname = optarg;
break;
#ifdef KERBEROS
case 'k':
dest_realm = dst_realm_buf;
(void)strncpy(dest_realm, optarg, REALM_SZ);
break;
#endif
case 'l':
user = optarg;
break;
#ifdef CRYPT
#ifdef KERBEROS
case 'x':
doencrypt = 1;
break;
#endif
#endif
case '?':
default:
usage();
}
optind += argoff;
/* if haven't gotten a host yet, do so */
if (!host && !(host = argv[optind++]))
usage();
if (argv[optind])
usage();
if (!(pw = getpwuid(uid = getuid())))
errx(1, "unknown user id");
if (!user)
user = pw->pw_name;
if (!localname)
localname = pw->pw_name;
sp = NULL;
#ifdef KERBEROS
k = auth_getval("auth_list");
if (k && !strstr(k, "kerberos"))
use_kerberos = 0;
if (use_kerberos) {
sp = getservbyname((doencrypt ? "eklogin" : "klogin"), "tcp");
if (sp == NULL) {
use_kerberos = 0;
warn("can't get entry for %s/tcp service",
doencrypt ? "eklogin" : "klogin");
}
}
#endif
if (sp == NULL)
sp = getservbyname("login", "tcp");
if (sp == NULL)
errx(1, "login/tcp: unknown service");
#define MAX_TERM_LENGTH (sizeof(term) - 1 - MAX_SPEED_LENGTH - 1)
(void)strncpy(term, (p = getenv("TERM")) ? p : "network",
MAX_TERM_LENGTH);
term[MAX_TERM_LENGTH] = '\0';
if (ioctl(0, TIOCGETP, &ttyb) == 0) {
(void)strcat(term, "/");
(void)strcat(term, speeds[(int)ttyb.sg_ospeed]);
}
(void)get_window_size(0, &winsize);
(void)signal(SIGPIPE, lostpeer);
/* will use SIGUSR1 for window size hack, so hold it off */
omask = sigblock(sigmask(SIGURG) | sigmask(SIGUSR1));
/*
* We set SIGURG and SIGUSR1 below so that an
* incoming signal will be held pending rather than being
* discarded. Note that these routines will be ready to get
* a signal by the time that they are unblocked below.
*/
(void)signal(SIGURG, copytochild);
(void)signal(SIGUSR1, writeroob);
#ifdef KERBEROS
if (use_kerberos) {
setuid(getuid());
rem = KSUCCESS;
errno = 0;
if (dest_realm == NULL)
dest_realm = krb_realmofhost(host);
#ifdef CRYPT
if (doencrypt) {
rem = krcmd_mutual(&host, sp->s_port, user, term, 0,
dest_realm, &cred, schedule);
des_set_key(&cred.session, schedule);
} else
#endif /* CRYPT */
rem = krcmd(&host, sp->s_port, user, term, 0,
dest_realm);
if (rem < 0) {
int i;
char **newargv;
sp = getservbyname("login", "tcp");
if (sp == NULL)
errx(1, "unknown service login/tcp");
if (errno == ECONNREFUSED)
warn("remote host doesn't support Kerberos");
if (errno == ENOENT)
warn("can't provide Kerberos auth data");
newargv = malloc((argc + 2) * sizeof(*newargv));
if (newargv == NULL)
err(1, "malloc");
newargv[0] = argv[0];
newargv[1] = "-K";
for(i = 1; i < argc; ++i)
newargv[i + 1] = argv[i];
newargv[argc + 1] = NULL;
execv(_PATH_RLOGIN, newargv);
}
} else {
#ifdef CRYPT
if (doencrypt)
errx(1, "the -x flag requires Kerberos authentication");
#endif /* CRYPT */
rem = rcmd_af(&host, sp->s_port, localname, user, term, 0,
family);
}
#else
rem = rcmd_af(&host, sp->s_port, localname, user, term, 0, family);
#endif /* KERBEROS */
if (rem < 0)
exit(1);
if (dflag &&
setsockopt(rem, SOL_SOCKET, SO_DEBUG, &one, sizeof(one)) < 0)
warn("setsockopt");
if (Dflag &&
setsockopt(rem, IPPROTO_TCP, TCP_NODELAY, &one, sizeof(one)) < 0)
warn("setsockopt NODELAY (ignored)");
sslen = sizeof(ss);
one = IPTOS_LOWDELAY;
if (getsockname(rem, (struct sockaddr *)&ss, &sslen) == 0 &&
ss.ss_family == AF_INET) {
if (setsockopt(rem, IPPROTO_IP, IP_TOS, (char *)&one,
sizeof(int)) < 0)
warn("setsockopt TOS (ignored)");
} else
if (ss.ss_family == AF_INET)
warn("setsockopt getsockname failed");
(void)setuid(uid);
doit(omask);
/*NOTREACHED*/
}
static int
krb4_auth(void *app_data, char *host)
{
int ret;
char *p;
int len;
KTEXT_ST adat;
MSG_DAT msg_data;
int checksum;
uint32_t cs;
struct krb4_data *d = app_data;
struct sockaddr_in *localaddr = (struct sockaddr_in *)LOCAL_ADDR;
struct sockaddr_in *remoteaddr = (struct sockaddr_in *)REMOTE_ADDR;
checksum = getpid();
ret = mk_auth(d, &adat, "ftp", host, checksum);
if(ret == KDC_PR_UNKNOWN)
ret = mk_auth(d, &adat, "rcmd", host, checksum);
if(ret){
printf("%s\n", krb_get_err_text(ret));
return AUTH_CONTINUE;
}
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
if (krb_get_config_bool("nat_in_use")) {
struct in_addr natAddr;
if (krb_get_our_ip_for_realm(krb_realmofhost(host),
&natAddr) != KSUCCESS
&& krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
printf("Can't get address for realm %s\n",
krb_realmofhost(host));
else {
if (natAddr.s_addr != localaddr->sin_addr.s_addr) {
printf("Using NAT IP address (%s) for kerberos 4\n",
inet_ntoa(natAddr));
localaddr->sin_addr = natAddr;
/*
* This not the best place to do this, but it
* is here we know that (probably) NAT is in
* use!
*/
passivemode = 1;
printf("Setting: Passive mode on.\n");
}
}
}
#endif
printf("Local address is %s\n", inet_ntoa(localaddr->sin_addr));
printf("Remote address is %s\n", inet_ntoa(remoteaddr->sin_addr));
if(base64_encode(adat.dat, adat.length, &p) < 0) {
printf("Out of memory base64-encoding.\n");
return AUTH_CONTINUE;
}
ret = command("ADAT %s", p);
free(p);
if(ret != COMPLETE){
printf("Server didn't accept auth data.\n");
return AUTH_ERROR;
}
p = strstr(reply_string, "ADAT=");
if(!p){
printf("Remote host didn't send adat reply.\n");
return AUTH_ERROR;
}
p += 5;
len = base64_decode(p, adat.dat);
if(len < 0){
printf("Failed to decode base64 from server.\n");
return AUTH_ERROR;
}
adat.length = len;
ret = krb_rd_safe(adat.dat, adat.length, &d->key,
(struct sockaddr_in *)hisctladdr,
(struct sockaddr_in *)myctladdr, &msg_data);
if(ret){
printf("Error reading reply from server: %s.\n",
krb_get_err_text(ret));
return AUTH_ERROR;
}
krb_get_int(msg_data.app_data, &cs, 4, 0);
if(cs - checksum != 1){
printf("Bad checksum returned from server.\n");
return AUTH_ERROR;
}
return AUTH_OK;
}
static int
try_krb4_authentication(void)
{
KTEXT_ST auth; /* Kerberos data */
char *reply;
char inst[INST_SZ];
char *realm;
CREDENTIALS cred;
int r, type;
socklen_t slen;
Key_schedule schedule;
u_long checksum, cksum;
MSG_DAT msg_data;
struct sockaddr_in local, foreign;
struct stat st;
/* Don't do anything if we don't have any tickets. */
if (stat(tkt_string(), &st) < 0)
return 0;
strlcpy(inst, (char *)krb_get_phost(get_canonical_hostname(1)),
INST_SZ);
realm = (char *)krb_realmofhost(get_canonical_hostname(1));
if (!realm) {
debug("Kerberos v4: no realm for %s", get_canonical_hostname(1));
return 0;
}
/* This can really be anything. */
checksum = (u_long)getpid();
r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum);
if (r != KSUCCESS) {
debug("Kerberos v4 krb_mk_req failed: %s", krb_err_txt[r]);
return 0;
}
/* Get session key to decrypt the server's reply with. */
r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred);
if (r != KSUCCESS) {
debug("get_cred failed: %s", krb_err_txt[r]);
return 0;
}
des_key_sched((des_cblock *) cred.session, schedule);
/* Send authentication info to server. */
packet_start(SSH_CMSG_AUTH_KERBEROS);
packet_put_string((char *) auth.dat, auth.length);
packet_send();
packet_write_wait();
/* Zero the buffer. */
(void) memset(auth.dat, 0, MAX_KTXT_LEN);
slen = sizeof(local);
memset(&local, 0, sizeof(local));
if (getsockname(packet_get_connection_in(),
(struct sockaddr *)&local, &slen) < 0)
debug("getsockname failed: %s", strerror(errno));
slen = sizeof(foreign);
memset(&foreign, 0, sizeof(foreign));
if (getpeername(packet_get_connection_in(),
(struct sockaddr *)&foreign, &slen) < 0) {
debug("getpeername failed: %s", strerror(errno));
cleanup_exit(255);
}
/* Get server reply. */
type = packet_read();
switch (type) {
case SSH_SMSG_FAILURE:
/* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
debug("Kerberos v4 authentication failed.");
return 0;
break;
case SSH_SMSG_AUTH_KERBEROS_RESPONSE:
/* SSH_SMSG_AUTH_KERBEROS_SUCCESS */
debug("Kerberos v4 authentication accepted.");
/* Get server's response. */
reply = packet_get_string((u_int *) &auth.length);
if (auth.length >= MAX_KTXT_LEN)
fatal("Kerberos v4: Malformed response from server");
memcpy(auth.dat, reply, auth.length);
free(reply);
packet_check_eom();
/*
* If his response isn't properly encrypted with the session
* key, and the decrypted checksum fails to match, he's
* bogus. Bail out.
*/
r = krb_rd_priv(auth.dat, auth.length, (void *)schedule,
&cred.session, &foreign, &local, &msg_data);
if (r != KSUCCESS) {
debug("Kerberos v4 krb_rd_priv failed: %s",
krb_err_txt[r]);
packet_disconnect("Kerberos v4 challenge failed!");
}
/* Fetch the (incremented) checksum that we supplied in the request. */
memcpy((char *)&cksum, (char *)msg_data.app_data,
sizeof(cksum));
cksum = ntohl(cksum);
/* If it matches, we're golden. */
if (cksum == checksum + 1) {
debug("Kerberos v4 challenge successful.");
return 1;
} else
packet_disconnect("Kerberos v4 challenge failed!");
break;
default:
packet_disconnect("Protocol error on Kerberos v4 response: %d", type);
}
return 0;
}
int
main (int argc, char **argv)
{
int index;
struct passwd *pw;
struct servent *sp;
sigset_t sigs, osigs;
int asrsh, rem;
pid_t pid = 0;
uid_t uid;
char *args, *host;
set_program_name (argv[0]);
asrsh = 0;
host = user = NULL;
/* If called as something other than "rsh", use it as the host name */
{
char *p = strrchr (argv[0], '/');
if (p)
++p;
else
p = argv[0];
if (strcmp (p, "rsh"))
host = p;
else
asrsh = 1;
}
/* Parse command line */
iu_argp_init ("rsh", default_program_authors);
argp_parse (&argp, argc, argv, ARGP_IN_ORDER, &index, NULL);
if (index < argc)
host = argv[index++];
/* To few args. */
if (!host)
error (EXIT_FAILURE, 0, "host not specified");
/* If no further arguments, must have been called as rlogin. */
if (!argv[index])
{
if (asrsh)
*argv = (char *) "rlogin";
seteuid (getuid ());
setuid (getuid ());
execv (PATH_RLOGIN, argv);
error (EXIT_FAILURE, errno, "cannot execute %s", PATH_RLOGIN);
}
argc -= index;
argv += index;
/* We must be setuid root. */
if (geteuid ())
error (EXIT_FAILURE, 0, "must be setuid root.\n");
if (!(pw = getpwuid (uid = getuid ())))
error (EXIT_FAILURE, 0, "unknown user id");
/* Accept user1@host format, though "-l user2" overrides user1 */
{
char *p = strchr (host, '@');
if (p)
{
*p = '\0';
if (!user && p > host)
user = host;
host = p + 1;
if (*host == '\0')
error (EXIT_FAILURE, 0, "empty host name");
}
}
#if defined KERBEROS || defined SHISHI
# ifdef ENCRYPTION
/* -x turns off -n */
if (doencrypt)
null_input_option = 0;
# endif
#endif
args = copyargs (argv);
sp = NULL;
#ifdef KERBEROS
if (use_kerberos)
{
sp = getservbyname ((doencrypt ? "ekshell" : "kshell"), "tcp");
if (sp == NULL)
{
use_kerberos = 0;
warning ("can't get entry for %s/tcp service",
doencrypt ? "ekshell" : "kshell");
}
}
#elif defined(SHISHI)
if (use_kerberos)
{
sp = getservbyname ("kshell", "tcp");
if (sp == NULL)
{
use_kerberos = 0;
warning ("can't get entry for %s/tcp service", "kshell");
}
}
#endif
if (sp == NULL)
sp = getservbyname ("shell", "tcp");
if (sp == NULL)
error (EXIT_FAILURE, 0, "shell/tcp: unknown service");
#if defined KERBEROS || defined SHISHI
try_connect:
if (use_kerberos)
{
struct hostent *hp;
/* fully qualify hostname (needed for krb_realmofhost) */
hp = gethostbyname (host);
if (hp != NULL && !(host = strdup (hp->h_name)))
error (EXIT_FAILURE, errno, "strdup");
# if defined KERBEROS
rem = KSUCCESS;
errno = 0;
if (dest_realm == NULL)
dest_realm = krb_realmofhost (host);
# elif defined (SHISHI)
rem = SHISHI_OK;
errno = 0;
# endif
# ifdef ENCRYPTION
if (doencrypt)
# if defined SHISHI
{
int i;
char *term;
term = xmalloc (strlen (args) + 4);
strcpy (term, "-x ");
strcat (term, args);
rem = krcmd_mutual (&h, &host, sp->s_port, &user, term, &rfd2,
dest_realm, &enckey);
if (rem > 0)
{
keytype = shishi_key_type (enckey);
keylen = shishi_cipher_blocksize (keytype);
ivtab[0] = &iv1;
ivtab[1] = &iv2;
ivtab[2] = &iv3;
ivtab[3] = &iv4;
for (i = 0; i < 4; i++)
{
ivtab[i]->ivlen = keylen;
switch (keytype)
{
case SHISHI_DES_CBC_CRC:
case SHISHI_DES_CBC_MD4:
case SHISHI_DES_CBC_MD5:
case SHISHI_DES_CBC_NONE:
case SHISHI_DES3_CBC_HMAC_SHA1_KD:
ivtab[i]->keyusage = SHISHI_KEYUSAGE_KCMD_DES;
ivtab[i]->iv = malloc (ivtab[i]->ivlen);
memset (ivtab[i]->iv,
2 * i + 1 * (i < 2) - 4 * (i >= 2),
ivtab[i]->ivlen);
ivtab[i]->ctx =
shishi_crypto (h, enckey, ivtab[i]->keyusage,
shishi_key_type (enckey), ivtab[i]->iv,
ivtab[i]->ivlen);
break;
case SHISHI_ARCFOUR_HMAC:
case SHISHI_ARCFOUR_HMAC_EXP:
ivtab[i]->keyusage =
SHISHI_KEYUSAGE_KCMD_DES + 2 + 4 * i;
ivtab[i]->ctx =
shishi_crypto (h, enckey, ivtab[i]->keyusage,
shishi_key_type (enckey), NULL, 0);
break;
default:
ivtab[i]->keyusage =
SHISHI_KEYUSAGE_KCMD_DES + 2 + 4 * i;
ivtab[i]->iv = malloc (ivtab[i]->ivlen);
memset (ivtab[i]->iv, 0, ivtab[i]->ivlen);
ivtab[i]->ctx =
shishi_crypto (h, enckey, ivtab[i]->keyusage,
shishi_key_type (enckey), ivtab[i]->iv,
ivtab[i]->ivlen);
}
}
}
free (term);
}
else
# else
rem = krcmd_mutual (&host, sp->s_port, user, args, &rfd2,
dest_realm, &cred, schedule);
else
# endif
# endif
rem = krcmd (
# if defined SHISHI
&h, &host, sp->s_port, &user, args, &rfd2, dest_realm);
# else
&host, sp->s_port, user, args, &rfd2, dest_realm);
# endif
if (rem < 0)
{
use_kerberos = 0;
sp = getservbyname ("shell", "tcp");
if (sp == NULL)
error (EXIT_FAILURE, 0, "shell/tcp: unknown service");
if (errno == ECONNREFUSED)
warning ("remote host doesn't support Kerberos");
if (errno == ENOENT)
warning ("can't provide Kerberos auth data");
goto try_connect;
}
}
CURLcode Curl_krb_kauth(struct connectdata *conn)
{
des_cblock key;
des_key_schedule schedule;
KTEXT_ST tkt, tktcopy;
char *name;
char *p;
char passwd[100];
size_t tmp;
ssize_t nread;
int save;
CURLcode result;
unsigned char *ptr;
save = Curl_set_command_prot(conn, prot_private);
result = Curl_ftpsendf(conn, "SITE KAUTH %s", conn->user);
if(result)
return result;
result = Curl_GetFTPResponse(&nread, conn, NULL);
if(result)
return result;
if(conn->data->state.buffer[0] != '3'){
Curl_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
p = strstr(conn->data->state.buffer, "T=");
if(!p) {
Curl_failf(conn->data, "Bad reply from server");
Curl_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
p += 2;
tmp = Curl_base64_decode(p, &ptr);
if(tmp >= sizeof(tkt.dat)) {
free(ptr);
tmp=0;
}
if(!tmp || !ptr) {
Curl_failf(conn->data, "Failed to decode base64 in reply");
Curl_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
memcpy((char *)tkt.dat, ptr, tmp);
free(ptr);
tkt.length = tmp;
tktcopy.length = tkt.length;
p = strstr(conn->data->state.buffer, "P=");
if(!p) {
Curl_failf(conn->data, "Bad reply from server");
Curl_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
name = p + 2;
for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
*p = 0;
des_string_to_key (conn->passwd, &key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((void *)tkt.dat, (void *)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
if(strcmp ((char*)tktcopy.dat + 8,
KRB_TICKET_GRANTING_TICKET) != 0) {
afs_string_to_key(passwd,
krb_realmofhost(conn->host.name),
&key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((void *)tkt.dat, (void *)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
}
memset(key, 0, sizeof(key));
memset(schedule, 0, sizeof(schedule));
memset(passwd, 0, sizeof(passwd));
if(Curl_base64_encode(conn->data, (char *)tktcopy.dat, tktcopy.length, &p)
< 1) {
failf(conn->data, "Out of memory base64-encoding.");
Curl_set_command_prot(conn, save);
return CURLE_OUT_OF_MEMORY;
}
memset (tktcopy.dat, 0, tktcopy.length);
result = Curl_ftpsendf(conn, "SITE KAUTH %s %s", name, p);
free(p);
if(result)
return result;
result = Curl_GetFTPResponse(&nread, conn, NULL);
if(result)
return result;
Curl_set_command_prot(conn, save);
return CURLE_OK;
}
Code_t ZInitialize()
{
struct servent *hmserv;
struct hostent *hostent;
char addr[4], hostname[MAXHOSTNAMELEN];
struct in_addr servaddr;
struct sockaddr_in sin;
int s;
socklen_t sinsize = sizeof(sin);
Code_t code;
ZNotice_t notice;
#ifdef ZEPHYR_USES_KERBEROS
char *krealm = NULL;
int krbval;
char d1[ANAME_SZ], d2[INST_SZ];
/* initialize_krb_error_table(); */
#endif
initialize_zeph_error_table();
(void) memset((char *)&__HM_addr, 0, sizeof(__HM_addr));
__HM_addr.sin_family = AF_INET;
/* Set up local loopback address for HostManager */
addr[0] = 127;
addr[1] = 0;
addr[2] = 0;
addr[3] = 1;
hmserv = (struct servent *)getservbyname(HM_SVCNAME, "udp");
__HM_addr.sin_port = (hmserv) ? hmserv->s_port : HM_SVC_FALLBACK;
(void) memcpy((char *)&__HM_addr.sin_addr, addr, 4);
__HM_set = 0;
/* Initialize the input queue */
__Q_Tail = NULL;
__Q_Head = NULL;
/* if the application is a server, there might not be a zhm. The
code will fall back to something which might not be "right",
but this is is ok, since none of the servers call krb_rd_req. */
servaddr.s_addr = INADDR_NONE;
if (! __Zephyr_server) {
if ((code = ZOpenPort(NULL)) != ZERR_NONE)
return(code);
if ((code = ZhmStat(NULL, ¬ice)) != ZERR_NONE)
return(code);
ZClosePort();
/* the first field, which is NUL-terminated, is the server name.
If this code ever support a multiplexing zhm, this will have to
be made smarter, and probably per-message */
#ifdef ZEPHYR_USES_KERBEROS
krealm = krb_realmofhost(notice.z_message);
#endif
hostent = gethostbyname(notice.z_message);
if (hostent && hostent->h_addrtype == AF_INET)
memcpy(&servaddr, hostent->h_addr, sizeof(servaddr));
ZFreeNotice(¬ice);
}
#ifdef ZEPHYR_USES_KERBEROS
if (krealm) {
g_strlcpy(__Zephyr_realm, krealm, REALM_SZ);
} else if ((krb_get_tf_fullname(TKT_FILE, d1, d2, __Zephyr_realm)
!= KSUCCESS) &&
((krbval = krb_get_lrealm(__Zephyr_realm, 1)) != KSUCCESS)) {
return (krbval);
}
#else
g_strlcpy(__Zephyr_realm, "local-realm", REALM_SZ);
#endif
__My_addr.s_addr = INADDR_NONE;
if (servaddr.s_addr != INADDR_NONE) {
/* Try to get the local interface address by connecting a UDP
* socket to the server address and getting the local address.
* Some broken operating systems (e.g. Solaris 2.0-2.5) yield
* INADDR_ANY (zero), so we have to check for that. */
s = socket(AF_INET, SOCK_DGRAM, 0);
if (s != -1) {
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
memcpy(&sin.sin_addr, &servaddr, sizeof(servaddr));
sin.sin_port = HM_SRV_SVC_FALLBACK;
if (connect(s, (struct sockaddr *) &sin, sizeof(sin)) == 0
&& getsockname(s, (struct sockaddr *) &sin, &sinsize) == 0
&& sin.sin_addr.s_addr != 0)
memcpy(&__My_addr, &sin.sin_addr, sizeof(__My_addr));
close(s);
}
}
if (__My_addr.s_addr == INADDR_NONE) {
/* We couldn't figure out the local interface address by the
* above method. Try by resolving the local hostname. (This
* is a pretty broken thing to do, and unfortunately what we
* always do on server machines.) */
if (gethostname(hostname, sizeof(hostname)) == 0) {
hostent = gethostbyname(hostname);
if (hostent && hostent->h_addrtype == AF_INET)
memcpy(&__My_addr, hostent->h_addr, sizeof(__My_addr));
}
}
/* If the above methods failed, zero out __My_addr so things will
* sort of kind of work. */
if (__My_addr.s_addr == INADDR_NONE)
__My_addr.s_addr = 0;
/* Get the sender so we can cache it */
(void) ZGetSender();
return (ZERR_NONE);
}
