static int
passwd_cb(char *buf, int size, int rwflag, void *filename)
{
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
UI *ui;
const char *prompt;
ui = UI_new();
if (ui == NULL)
goto err;
prompt = UI_construct_prompt(ui, "passphrase", filename);
UI_add_input_string(ui, prompt, 0, buf, 0, size - 1);
UI_process(ui);
UI_free(ui);
return strlen(buf);
err:
LM_ERR("passwd_cb failed\n");
if (ui)
UI_free(ui);
return 0;
#else
if( des_read_pw_string(buf, size-1, "Enter Private Key password:"******"passwd_cb failed\n");
return 0;
}
return strlen( buf );
#endif
}
/* For historical reasons, the standard function for reading passwords is
* in the DES library -- if someone ever wants to disable DES,
* this function will fail */
int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
{
#ifndef NO_DES
if ((prompt == NULL) && (prompt_string[0] != '\0'))
prompt=prompt_string;
return(des_read_pw_string(buf,len,prompt,verify));
#else
return -1;
#endif
}
int
sc_init_open_login(
CK_SESSION_HANDLE_PTR PsessionHandle,
CK_SLOT_ID_PTR pslot,
char * ppin,
CK_USER_TYPE userType)
{
CK_RV status;
char * pin;
char rpin[256];
/* could also add CKF_EXCLUSIVE_SESSION */
int flags =
CKF_RW_SESSION | CKF_SERIAL_SESSION ;
status = (*(pFunctionList->C_OpenSession))(*pslot,
flags, 0, NULL, PsessionHandle);
if (status != CKR_OK) {
SCerr(SCERR_F_SCINIT,SCERR_R_OPENSESSION);
ERR_add_error_data(1,sc_ERR_code(status));
return SCERR_R_OPENSESSION;
}
if (ppin) /* did user provide the pin? */ {
pin = ppin;
}
else {
pin = rpin;
memset(rpin,0,sizeof(rpin));
#ifdef WIN32
read_passphrase_win32_prompt(
(userType == CKU_USER) ?
"Smart Card User PIN:" : "Smart Card SO PIN:",0);
read_passphrase_win32(rpin,sizeof(rpin),0);
#else
des_read_pw_string(rpin,sizeof(rpin),
(userType == CKU_USER) ?
"Smart Card User PIN:" : "Smart Card SO PIN:",0);
#endif
/*DEE should test this too */
}
status = (*(pFunctionList->C_Login))(*PsessionHandle, userType,
(CK_CHAR_PTR)pin, strlen(pin));
memset(rpin,0,sizeof(rpin));
if (status != CKR_OK) {
SCerr(SCERR_F_SCINIT,SCERR_R_LOGIN);
ERR_add_error_data(1,sc_ERR_code(status));
return SCERR_R_LOGIN;
}
return 0;
}
char *
prompt_password(const char * prompt) {
int rc =
// Read password from terminal. Disable terminal echo.
des_read_pw_string (
Myproxy_pw, // buffer
sizeof ( Myproxy_pw ) - 1, // length
prompt, // prompt
true // verify
);
if (rc) {
return NULL;
}
return Myproxy_pw;
}
int
main(int argc, char **argv)
{
struct afsconf_dir *tdir;
afs_int32 code;
if (argc == 1) {
printf("bos_util: usage is 'bos_util <opcode> options, e.g.\n");
printf(" bos_util add <kvno>\n");
printf(" bos_util adddes <kvno>\n");
#ifdef KERBEROS
printf(" bos_util srvtab2keyfile <kvno> <keyfile> <princ>\n");
#endif
printf(" bos_util delete <kvno>\n");
printf(" bos_util list\n");
exit(1);
}
tdir = afsconf_Open(AFSDIR_SERVER_ETC_DIR);
if (!tdir) {
printf("bos_util: can't initialize conf dir '%s'\n",
AFSDIR_SERVER_ETC_DIR);
exit(1);
}
if (strcmp(argv[1], "add") == 0) {
struct ktc_encryptionKey tkey;
int kvno;
char buf[BUFSIZ], ver[BUFSIZ];
char *tcell = NULL;
if (argc != 3) {
printf("bos_util add: usage is 'bos_util add <kvno>\n");
exit(1);
}
kvno = atoi(argv[2]);
memset(&tkey, 0, sizeof(struct ktc_encryptionKey));
/* prompt for key */
code = des_read_pw_string(buf, sizeof(buf), "input key: ", 0);
if (code || strlen(buf) == 0) {
printf("Bad key: \n");
exit(1);
}
code = des_read_pw_string(ver, sizeof(ver), "Retype input key: ", 0);
if (code || strlen(ver) == 0) {
printf("Bad key: \n");
exit(1);
}
if (strcmp(ver, buf) != 0) {
printf("\nInput key mismatch\n");
exit(1);
}
ka_StringToKey(buf, tcell, &tkey);
code = afsconf_AddKey(tdir, kvno, ktc_to_charptr(&tkey), 0);
if (code) {
printf("bos_util: failed to set key, code %d.\n", code);
exit(1);
}
} else if (strcmp(argv[1], "adddes") == 0) {
struct ktc_encryptionKey tkey;
int kvno;
afs_int32 code;
char buf[BUFSIZ], ver[BUFSIZ];
if (argc != 3) {
printf("bos_util adddes: usage is 'bos_util adddes <kvno>\n");
exit(1);
}
kvno = atoi(argv[2]);
memset(&tkey, 0, sizeof(struct ktc_encryptionKey));
/* prompt for key */
code = des_read_pw_string(buf, sizeof(buf), "input key: ", 0);
if (code || strlen(buf) == 0) {
printf("Bad key: \n");
exit(1);
}
code = des_read_pw_string(ver, sizeof(ver), "Retype input key: ", 0);
if (code || strlen(ver) == 0) {
printf("Bad key: \n");
exit(1);
}
if (strcmp(ver, buf) != 0) {
printf("\nInput key mismatch\n");
exit(1);
}
des_string_to_key(buf, ktc_to_cblockptr(&tkey));
code = afsconf_AddKey(tdir, kvno, ktc_to_charptr(&tkey), 0);
if (code) {
printf("bos_util: failed to set key, code %d.\n", code);
exit(1);
}
}
#ifdef KERBEROS
else if (strcmp(argv[1], "srvtab2keyfile") == 0) {
char tkey[8], name[255], inst[255], realm[255];
int kvno;
if (argc != 5) {
printf
("bos_util add: usage is 'bos_util srvtab2keyfile <kvno> <keyfile> <princ>\n");
exit(1);
}
kvno = atoi(argv[2]);
bzero(tkey, sizeof(tkey));
code = kname_parse(name, inst, realm, argv[4]);
if (code != 0) {
printf("Invalid kerberos name\n");
exit(1);
}
code = read_service_key(name, inst, realm, kvno, argv[3], tkey);
if (code != 0) {
printf("Can't find key in %s\n", argv[3]);
exit(1);
}
code = afsconf_AddKey(tdir, kvno, tkey, 0);
if (code) {
printf("bos_util: failed to set key, code %d.\n", code);
exit(1);
}
}
#endif
else if (strcmp(argv[1], "delete") == 0) {
long kvno;
if (argc != 3) {
printf("bos_util delete: usage is 'bos_util delete <kvno>\n");
exit(1);
}
kvno = atoi(argv[2]);
code = afsconf_DeleteKey(tdir, kvno);
if (code) {
printf("bos_util: failed to delete key %ld, (code %d)\n", kvno,
code);
exit(1);
}
} else if (strcmp(argv[1], "list") == 0) {
struct afsconf_keys tkeys;
int i;
unsigned char tbuffer[9];
code = afsconf_GetKeys(tdir, &tkeys);
if (code) {
printf("bos_util: failed to get keys, code %d\n", code);
exit(1);
}
for (i = 0; i < tkeys.nkeys; i++) {
if (tkeys.key[i].kvno != -1) {
int count;
unsigned char x[8];
memcpy(tbuffer, tkeys.key[i].key, 8);
tbuffer[8] = 0;
printf("kvno %4d: key is '%s' '", tkeys.key[i].kvno, tbuffer);
strcpy((char *)x, (char *)tbuffer);
for (count = 0; count < 8; count++)
printf("\\%03o", x[count]);
printf("'\n");
}
}
printf("All done.\n");
} else {
printf
("bos_util: unknown operation '%s', type 'bos_util' for assistance\n",
argv[1]);
exit(1);
}
exit(0);
}
/*ARGSUSED */
static int
passwd_to_key(
char *user,
char *instance,
char *realm,
char *passwd,
C_Block key
)
{
#ifdef NOENCRYPTION
if (!passwd)
placebo_read_password(key, "Password: "******"Password: "******"Trying next_string_to_key[%d]\n",in_tkt_decrypt_again);
} else
--in_tkt_decrypt_again;
/*
* If the principal is known to be in the local realm, don't even bother
* to attempt decryptions with alternative string to key algorithms (i.e.
* we presumably aren't schizophrenic with respect to our own string to
* key function). This is simply an optimization to avoid extra useless
* work when a bad password has been supplied in the common case.
*/
/* THIS IS WRONG!!!!!
* if (strcmp(realm, KRB_REALM) == 0)
* in_tkt_decrypt_again = 0;
*/
/*
* If there are no more string to key algorithms to try, zero the password
* string now so that krb_get_in_tkt() doesn't have to call us back since
* it can't distinguish this case from one when the password function
* doesn't support iteration at all.
*/
if (in_tkt_decrypt_again == 0) {
bzero(key_string, sizeof (key_string));
have_key_string = 0;
}
#else /* OLDSTRTOKEY */
// back to the original MIT code
if (passwd)
string_to_key(passwd, key);
else {
des_read_password(key, "Password: ", 0);
}
#endif /* OLDSTRTOKEY */
#endif /* !NOENCRYPTION */
return (0);
}
void
kauth(int argc, char **argv)
{
int ret;
char buf[1024];
des_cblock key;
des_key_schedule schedule;
KTEXT_ST tkt, tktcopy;
char *name;
char *p;
int overbose;
char passwd[100];
int tmp;
int save;
if(argc > 2){
printf("usage: %s [principal]\n", argv[0]);
code = -1;
return;
}
if(argc == 2)
name = argv[1];
else
name = username;
overbose = verbose;
verbose = 0;
save = set_command_prot(prot_private);
ret = command("SITE KAUTH %s", name);
if(ret != CONTINUE){
verbose = overbose;
set_command_prot(save);
code = -1;
return;
}
verbose = overbose;
p = strstr(reply_string, "T=");
if(!p){
printf("Bad reply from server.\n");
set_command_prot(save);
code = -1;
return;
}
p += 2;
tmp = base64_decode(p, &tkt.dat);
if(tmp < 0){
printf("Failed to decode base64 in reply.\n");
set_command_prot(save);
code = -1;
return;
}
tkt.length = tmp;
tktcopy.length = tkt.length;
p = strstr(reply_string, "P=");
if(!p){
printf("Bad reply from server.\n");
verbose = overbose;
set_command_prot(save);
code = -1;
return;
}
name = p + 2;
for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
*p = 0;
snprintf(buf, sizeof(buf), "Password for %s:", name);
if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0))
*passwd = '\0';
des_string_to_key (passwd, &key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
if (strcmp ((char*)tktcopy.dat + 8,
KRB_TICKET_GRANTING_TICKET) != 0) {
afs_string_to_key (passwd, krb_realmofhost(hostname), &key);
des_key_sched (&key, schedule);
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
}
memset(key, 0, sizeof(key));
memset(schedule, 0, sizeof(schedule));
memset(passwd, 0, sizeof(passwd));
if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) {
printf("Out of memory base64-encoding.\n");
set_command_prot(save);
code = -1;
return;
}
memset (tktcopy.dat, 0, tktcopy.length);
ret = command("SITE KAUTH %s %s", name, p);
free(p);
set_command_prot(save);
if(ret != COMPLETE){
code = -1;
return;
}
code = 0;
}
