moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00
Code Issues Releases Wiki Activity

FTP: remove krb4 support

Browse Source 
We've announced this pending removal for a long time and we've
repeatedly asked if anyone would care or if anyone objects. Nobody has
objected. It has probably not even been working for a good while since
nobody has tested/used this code recently.

The stuff in krb4.h that was generic enough to be used by other sources
is now present in security.h
This commit is contained in:
Daniel Stenberg 2013-08-23 16:16:42 +02:00
parent 817ceb09e0
commit bb55293313
13 changed files with 41 additions and 623 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
RELEASE-NOTES
View File

@ -7,16 +7,12 @@ Curl and libcurl 7.32.1
Known libcurl bindings: 42 Known libcurl bindings: 42
Contributors: 1057 Contributors: 1057
***
krb4 support is up for removal. If you care about it at all, speak up
on the curl-library list asap!
***
This release includes the following changes: This release includes the following changes:
o test code for testing the event based API [3] o test code for testing the event based API [3]
o CURLM_ADDED_ALREADY: new error code o CURLM_ADDED_ALREADY: new error code
o test TFTP server: support "writedelay" within <servercmd> o test TFTP server: support "writedelay" within <servercmd>
o krb4 support has been removed
This release includes the following bugfixes: This release includes the following bugfixes:

100
configure.ac
View File

@ -150,7 +150,6 @@ dnl initialize all the info variables
curl_ssl_msg="no (--with-{ssl,gnutls,nss,polarssl,cyassl,axtls,winssl,darwinssl} )" curl_ssl_msg="no (--with-{ssl,gnutls,nss,polarssl,cyassl,axtls,winssl,darwinssl} )"
curl_ssh_msg="no (--with-libssh2)" curl_ssh_msg="no (--with-libssh2)"
curl_zlib_msg="no (--with-zlib)" curl_zlib_msg="no (--with-zlib)"
curl_krb4_msg="no (--with-krb4*)"
curl_gss_msg="no (--with-gssapi)" curl_gss_msg="no (--with-gssapi)"
curl_spnego_msg="no (--with-spnego)" curl_spnego_msg="no (--with-spnego)"
curl_tls_srp_msg="no (--enable-tls-srp)" curl_tls_srp_msg="no (--enable-tls-srp)"
@ -1134,101 +1133,6 @@ no)
;; ;;
esac esac
dnl **********************************************************************
dnl Check for the presence of Kerberos4 libraries and headers
dnl **********************************************************************
AC_ARG_WITH(krb4-includes,
AC_HELP_STRING([--with-krb4-includes=DIR],
[Specify location of kerberos4 headers]),[
CPPFLAGS="$CPPFLAGS -I$withval"
KRB4INC="$withval"
want_krb4=yes
])
AC_ARG_WITH(krb4-libs,
AC_HELP_STRING([--with-krb4-libs=DIR],[Specify location of kerberos4 libs]),[
LDFLAGS="$LDFLAGS -L$withval"
KRB4LIB="$withval"
want_krb4=yes
])
OPT_KRB4=off
AC_ARG_WITH(krb4,dnl
AC_HELP_STRING([--with-krb4=DIR],[where to look for Kerberos4]),[
OPT_KRB4="$withval"
if test X"$OPT_KRB4" != Xno; then
want_krb4="yes"
if test X"$OPT_KRB4" != Xyes; then
LDFLAGS="$LDFLAGS -L$OPT_KRB4/lib$libsuff"
KRB4LIB="$OPT_KRB4/lib$libsuff"
CPPFLAGS="$CPPFLAGS -I$OPT_KRB4/include"
KRB4INC="$OPT_KRB4/include"
fi
fi
])
AC_MSG_CHECKING([if Kerberos4 support is requested])
if test "$want_krb4" = yes
then
if test "$ipv6" = "yes"; then
echo krb4 is not compatible with IPv6
exit 1
fi
AC_MSG_RESULT(yes)
dnl Check for & handle argument to --with-krb4
AC_MSG_CHECKING(where to look for Kerberos4)
if test X"$OPT_KRB4" = Xyes
then
AC_MSG_RESULT([defaults])
else
AC_MSG_RESULT([libs in $KRB4LIB, headers in $KRB4INC])
fi
dnl Check for DES library
AC_CHECK_LIB(des, des_pcbc_encrypt,
[
AC_CHECK_HEADERS(des.h)
dnl resolv lib?
AC_CHECK_FUNC(res_search, , [AC_CHECK_LIB(resolv, res_search)])
dnl Check for the Kerberos4 library
AC_CHECK_LIB(krb, krb_net_read,
[
dnl Check for header files
AC_CHECK_HEADERS(krb.h)
dnl we found the required libraries, add to LIBS
LIBS="-lkrb -lcom_err -ldes $LIBS"
dnl Check for function krb_get_our_ip_for_realm
dnl this is needed for NAT networks
AC_CHECK_FUNCS(krb_get_our_ip_for_realm)
dnl add define KRB4
AC_DEFINE(HAVE_KRB4, 1,
[if you have the Kerberos4 libraries (including -ldes)])
dnl substitute it too!
KRB4_ENABLED=1
AC_SUBST(KRB4_ENABLED)
curl_krb4_msg="enabled"
dnl the krb4 stuff needs a strlcpy()
AC_CHECK_FUNCS(strlcpy)
])
])
else
AC_MSG_RESULT(no)
fi
dnl ********************************************************************** dnl **********************************************************************
dnl Check for FBopenssl(SPNEGO) libraries dnl Check for FBopenssl(SPNEGO) libraries
dnl ********************************************************************** dnl **********************************************************************
@ -3365,9 +3269,6 @@ if test "x$USE_SSLEAY" = "x1"; then
elif test -n "$SSL_ENABLED"; then elif test -n "$SSL_ENABLED"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES SSL" SUPPORT_FEATURES="$SUPPORT_FEATURES SSL"
fi fi
if test "@KRB4_ENABLED@" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES KRB4"
fi
if test "x$IPV6_ENABLED" = "x1"; then if test "x$IPV6_ENABLED" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES IPv6" SUPPORT_FEATURES="$SUPPORT_FEATURES IPv6"
fi fi
@ -3542,7 +3443,6 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
SSL support: ${curl_ssl_msg} SSL support: ${curl_ssl_msg}
SSH support: ${curl_ssh_msg} SSH support: ${curl_ssh_msg}
zlib support: ${curl_zlib_msg} zlib support: ${curl_zlib_msg}
krb4 support: ${curl_krb4_msg}
GSSAPI support: ${curl_gss_msg} GSSAPI support: ${curl_gss_msg}
SPNEGO support: ${curl_spnego_msg} SPNEGO support: ${curl_spnego_msg}
TLS-SRP support: ${curl_tls_srp_msg} TLS-SRP support: ${curl_tls_srp_msg}

4
lib/Makefile.inc
View File

@ -10,7 +10,7 @@
CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
cookie.c http.c sendf.c ftp.c url.c dict.c if2ip.c speedcheck.c \ cookie.c http.c sendf.c ftp.c url.c dict.c if2ip.c speedcheck.c \
ldap.c ssluse.c version.c getenv.c escape.c mprintf.c telnet.c \ ldap.c ssluse.c version.c getenv.c escape.c mprintf.c telnet.c \
netrc.c getinfo.c transfer.c strequal.c easy.c security.c krb4.c \ netrc.c getinfo.c transfer.c strequal.c easy.c security.c \
curl_fnmatch.c fileinfo.c ftplistparser.c wildcard.c krb5.c \ curl_fnmatch.c fileinfo.c ftplistparser.c wildcard.c krb5.c \
memdebug.c http_chunks.c strtok.c connect.c llist.c hash.c multi.c \ memdebug.c http_chunks.c strtok.c connect.c llist.c hash.c multi.c \
content_encoding.c share.c http_digest.c md4.c md5.c \ content_encoding.c share.c http_digest.c md4.c md5.c \
@ -31,7 +31,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \
progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h \ progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h \
if2ip.h speedcheck.h urldata.h curl_ldap.h ssluse.h escape.h telnet.h \ if2ip.h speedcheck.h urldata.h curl_ldap.h ssluse.h escape.h telnet.h \
getinfo.h strequal.h krb4.h memdebug.h http_chunks.h \ getinfo.h strequal.h security.h memdebug.h http_chunks.h \
curl_fnmatch.h wildcard.h fileinfo.h ftplistparser.h strtok.h \ curl_fnmatch.h wildcard.h fileinfo.h ftplistparser.h strtok.h \
connect.h llist.h hash.h content_encoding.h share.h curl_md4.h \ connect.h llist.h hash.h content_encoding.h share.h curl_md4.h \
curl_md5.h http_digest.h http_negotiate.h inet_pton.h amigaos.h \ curl_md5.h http_digest.h http_negotiate.h inet_pton.h amigaos.h \

33
lib/ftp.c
View File

@ -59,11 +59,7 @@
#include "ftp.h" #include "ftp.h"
#include "fileinfo.h" #include "fileinfo.h"
#include "ftplistparser.h" #include "ftplistparser.h"
#include "security.h"
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI)
#include "krb4.h"
#endif
#include "strtoofft.h" #include "strtoofft.h"
#include "strequal.h" #include "strequal.h"
#include "sslgen.h" #include "sslgen.h"
@ -615,7 +611,7 @@ static CURLcode ftp_readresp(curl_socket_t sockfd,
{ {
struct connectdata *conn = pp->conn; struct connectdata *conn = pp->conn;
struct SessionHandle *data = conn->data; struct SessionHandle *data = conn->data;
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
char * const buf = data->state.buffer; char * const buf = data->state.buffer;
#endif #endif
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
@ -623,7 +619,7 @@ static CURLcode ftp_readresp(curl_socket_t sockfd,
result = Curl_pp_readresp(sockfd, pp, &code, size); result = Curl_pp_readresp(sockfd, pp, &code, size);
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #if defined(HAVE_GSSAPI)
/* handle the security-oriented responses 6xx ***/ /* handle the security-oriented responses 6xx ***/
/* FIXME: some errorchecking perhaps... ***/ /* FIXME: some errorchecking perhaps... ***/
switch(code) { switch(code) {
@ -2578,19 +2574,6 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
{ {
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
#ifdef HAVE_KRB4
if(conn->data->set.krb) {
/* We may need to issue a KAUTH here to have access to the files
* do it if user supplied a password
*/
if(conn->passwd && *conn->passwd) {
/* BLOCKING */
result = Curl_krb_kauth(conn);
if(result)
return result;
}
}
#endif
if(conn->ssl[FIRSTSOCKET].use) { if(conn->ssl[FIRSTSOCKET].use) {
/* PBSZ = PROTECTION BUFFER SIZE. /* PBSZ = PROTECTION BUFFER SIZE.
@ -2720,7 +2703,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
} }
/* We have received a 220 response fine, now we proceed. */ /* We have received a 220 response fine, now we proceed. */
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
if(data->set.krb) { if(data->set.krb) {
/* If not anonymous login, try a secure login. Note that this /* If not anonymous login, try a secure login. Note that this
procedure is still BLOCKING. */ procedure is still BLOCKING. */
@ -4076,7 +4059,7 @@ CURLcode Curl_ftpsendf(struct connectdata *conn,
size_t write_len; size_t write_len;
char *sptr=s; char *sptr=s;
CURLcode res = CURLE_OK; CURLcode res = CURLE_OK;
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
enum protection_level data_sec = conn->data_prot; enum protection_level data_sec = conn->data_prot;
#endif #endif
@ -4096,12 +4079,12 @@ CURLcode Curl_ftpsendf(struct connectdata *conn,
return(res); return(res);
for(;;) { for(;;) {
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
conn->data_prot = PROT_CMD; conn->data_prot = PROT_CMD;
#endif #endif
res = Curl_write(conn, conn->sock[FIRSTSOCKET], sptr, write_len, res = Curl_write(conn, conn->sock[FIRSTSOCKET], sptr, write_len,
&bytes_written); &bytes_written);
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
DEBUGASSERT(data_sec > PROT_NONE && data_sec < PROT_LAST); DEBUGASSERT(data_sec > PROT_NONE && data_sec < PROT_LAST);
conn->data_prot = data_sec; conn->data_prot = data_sec;
#endif #endif
@ -4203,7 +4186,7 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
Curl_pp_disconnect(pp); Curl_pp_disconnect(pp);
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
Curl_sec_end(conn); Curl_sec_end(conn);
#endif #endif

440
lib/krb4.c
View File

@ -1,440 +0,0 @@
/* This source code was modified by Martin Hedenfalk <mhe@stacken.kth.se> for
* use in Curl. Martin's latest changes were done 2000-09-18.
*
* It has since been patched away like a madman by Daniel Stenberg to make it
* better applied to curl conditions, and to make it not use globals, pollute
* name space and more.
*
* Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* Copyright (c) 2004 - 2011 Daniel Stenberg
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#include "curl_setup.h"
#ifndef CURL_DISABLE_FTP
#ifdef HAVE_KRB4
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
#include <krb.h>
#include <des.h>
#include "urldata.h"
#include "curl_base64.h"
#include "ftp.h"
#include "sendf.h"
#include "krb4.h"
#include "inet_ntop.h"
#include "curl_memory.h"
/* The last #include file should be: */
#include "memdebug.h"
#define LOCAL_ADDR (&conn->local_addr)
#define REMOTE_ADDR conn->ip_addr->ai_addr
#define myctladdr LOCAL_ADDR
#define hisctladdr REMOTE_ADDR
struct krb4_data {
des_cblock key;
des_key_schedule schedule;
char name[ANAME_SZ];
char instance[INST_SZ];
char realm[REALM_SZ];
};
#ifndef HAVE_STRLCPY
/* if it ever goes non-static, make it Curl_ prefixed! */
static size_t
strlcpy (char *dst, const char *src, size_t dst_sz)
{
size_t n;
char *p;
for(p = dst, n = 0;
n + 1 < dst_sz && *src != '\0';
++p, ++src, ++n)
*p = *src;
*p = '\0';
if(*src == '\0')
return n;
else
return n + strlen (src);
}
#else
size_t strlcpy (char *dst, const char *src, size_t dst_sz);
#endif
static int
krb4_check_prot(void *app_data, int level)
{
app_data = NULL; /* prevent compiler warning */
if(level == PROT_CONFIDENTIAL)
return -1;
return 0;
}
static int
krb4_decode(void *app_data, void *buf, int len, int level,
struct connectdata *conn)
{
MSG_DAT m;
int e;
struct krb4_data *d = app_data;
if(level == PROT_SAFE)
e = krb_rd_safe(buf, len, &d->key,
(struct sockaddr_in *)REMOTE_ADDR,
(struct sockaddr_in *)LOCAL_ADDR, &m);
else
e = krb_rd_priv(buf, len, d->schedule, &d->key,
(struct sockaddr_in *)REMOTE_ADDR,
(struct sockaddr_in *)LOCAL_ADDR, &m);
if(e) {
struct SessionHandle *data = conn->data;
infof(data, "krb4_decode: %s\n", krb_get_err_text(e));
return -1;
}
memmove(buf, m.app_data, m.app_length);
return m.app_length;
}
static int
krb4_overhead(void *app_data, int level, int len)
{
/* no arguments are used, just init them to prevent compiler warnings */
app_data = NULL;
level = 0;
len = 0;
return 31;
}
static int
krb4_encode(void *app_data, const void *from, int length, int level, void **to,
struct connectdata *conn)
{
struct krb4_data *d = app_data;
*to = malloc(length + 31);
if(!*to)
return -1;
if(level == PROT_SAFE)
/* NOTE that the void* cast is safe, krb_mk_safe/priv don't modify the
* input buffer
*/
return krb_mk_safe((void*)from, *to, length, &d->key,
(struct sockaddr_in *)LOCAL_ADDR,
(struct sockaddr_in *)REMOTE_ADDR);
else if(level == PROT_PRIVATE)
return krb_mk_priv((void*)from, *to, length, d->schedule, &d->key,
(struct sockaddr_in *)LOCAL_ADDR,
(struct sockaddr_in *)REMOTE_ADDR);
else
return -1;
}
static int
mk_auth(struct krb4_data *d, KTEXT adat,
const char *service, char *host, int checksum)
{
int ret;
CREDENTIALS cred;
char sname[SNAME_SZ], inst[INST_SZ], realm[REALM_SZ];
strlcpy(sname, service, sizeof(sname));
strlcpy(inst, krb_get_phost(host), sizeof(inst));
strlcpy(realm, krb_realmofhost(host), sizeof(realm));
ret = krb_mk_req(adat, sname, inst, realm, checksum);
if(ret)
return ret;
strlcpy(sname, service, sizeof(sname));
strlcpy(inst, krb_get_phost(host), sizeof(inst));
strlcpy(realm, krb_realmofhost(host), sizeof(realm));
ret = krb_get_cred(sname, inst, realm, &cred);
memmove(&d->key, &cred.session, sizeof(des_cblock));
des_key_sched(&d->key, d->schedule);
memset(&cred, 0, sizeof(cred));
return ret;
}
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
int krb_get_our_ip_for_realm(char *, struct in_addr *);
#endif
static int
krb4_auth(void *app_data, struct connectdata *conn)
{
int ret;
char *p;
unsigned char *ptr;
size_t len = 0;
KTEXT_ST adat;
MSG_DAT msg_data;
int checksum;
u_int32_t cs;
struct krb4_data *d = app_data;
char *host = conn->host.name;
ssize_t nread;
int l = sizeof(conn->local_addr);
struct SessionHandle *data = conn->data;
CURLcode result;
size_t base64_sz = 0;
if(getsockname(conn->sock[FIRSTSOCKET],
(struct sockaddr *)LOCAL_ADDR, &l) < 0)
perror("getsockname()");
checksum = getpid();
ret = mk_auth(d, &adat, "ftp", host, checksum);
if(ret == KDC_PR_UNKNOWN)
ret = mk_auth(d, &adat, "rcmd", host, checksum);
if(ret) {
infof(data, "%s\n", krb_get_err_text(ret));
return AUTH_CONTINUE;
}
#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
if(krb_get_config_bool("nat_in_use")) {
struct sockaddr_in *localaddr = (struct sockaddr_in *)LOCAL_ADDR;
struct in_addr natAddr;
if(krb_get_our_ip_for_realm(krb_realmofhost(host),
&natAddr) != KSUCCESS
&& krb_get_our_ip_for_realm(NULL, &natAddr) != KSUCCESS)
infof(data, "Can't get address for realm %s\n",
krb_realmofhost(host));
else {
if(natAddr.s_addr != localaddr->sin_addr.s_addr) {
char addr_buf[128];
if(Curl_inet_ntop(AF_INET, natAddr, addr_buf, sizeof(addr_buf)))
infof(data, "Using NAT IP address (%s) for kerberos 4\n", addr_buf);
localaddr->sin_addr = natAddr;
}
}
}
#endif
result = Curl_base64_encode(conn->data, (char *)adat.dat, adat.length,
&p, &base64_sz);
if(result) {
Curl_failf(data, "base64-encoding: %s", curl_easy_strerror(result));
return AUTH_CONTINUE;
}
result = Curl_ftpsendf(conn, "ADAT %s", p);
free(p);
if(result)
return -2;
if(Curl_GetFTPResponse(&nread, conn, NULL))
return -1;
if(data->state.buffer[0] != '2') {
Curl_failf(data, "Server didn't accept auth data");
return AUTH_ERROR;
}
p = strstr(data->state.buffer, "ADAT=");
if(!p) {
Curl_failf(data, "Remote host didn't send adat reply");
return AUTH_ERROR;
}
p += 5;
result = Curl_base64_decode(p, &ptr, &len);
if(result) {
Curl_failf(data, "base64-decoding: %s", curl_easy_strerror(result));
return AUTH_ERROR;
}
if(len > sizeof(adat.dat)-1) {
free(ptr);
ptr = NULL;
len = 0;
}
if(!len || !ptr) {
Curl_failf(data, "Failed to decode base64 from server");
return AUTH_ERROR;
}
memcpy((char *)adat.dat, ptr, len);
free(ptr);
adat.length = len;
ret = krb_rd_safe(adat.dat, adat.length, &d->key,
(struct sockaddr_in *)hisctladdr,
(struct sockaddr_in *)myctladdr, &msg_data);
if(ret) {
Curl_failf(data, "Error reading reply from server: %s",
krb_get_err_text(ret));
return AUTH_ERROR;
}
krb_get_int(msg_data.app_data, &cs, 4, 0);
if(cs - checksum != 1) {
Curl_failf(data, "Bad checksum returned from server");
return AUTH_ERROR;
}
return AUTH_OK;
}
struct Curl_sec_client_mech Curl_krb4_client_mech = {
"KERBEROS_V4",
sizeof(struct krb4_data),
NULL, /* init */
krb4_auth,
NULL, /* end */
krb4_check_prot,
krb4_overhead,
krb4_encode,
krb4_decode
};
static enum protection_level
krb4_set_command_prot(struct connectdata *conn, enum protection_level level)
{
enum protection_level old = conn->command_prot;
DEBUGASSERT(level > PROT_NONE && level < PROT_LAST);
conn->command_prot = level;
return old;
}
CURLcode Curl_krb_kauth(struct connectdata *conn)
{
des_cblock key;
des_key_schedule schedule;
KTEXT_ST tkt, tktcopy;
char *name;
char *p;
char passwd[100];
size_t tmp = 0;
ssize_t nread;
enum protection_level save;
CURLcode result;
unsigned char *ptr;
size_t base64_sz = 0;
save = krb4_set_command_prot(conn, PROT_PRIVATE);
result = Curl_ftpsendf(conn, "SITE KAUTH %s", conn->user);
if(result)
return result;
result = Curl_GetFTPResponse(&nread, conn, NULL);
if(result)
return result;
if(conn->data->state.buffer[0] != '3') {
krb4_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
p = strstr(conn->data->state.buffer, "T=");
if(!p) {
Curl_failf(conn->data, "Bad reply from server");
krb4_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
p += 2;
result = Curl_base64_decode(p, &ptr, &tmp);
if(result) {
Curl_failf(conn->data, "base64-decoding: %s", curl_easy_strerror(result));
return result;
}
if(tmp >= sizeof(tkt.dat)) {
free(ptr);
ptr = NULL;
tmp = 0;
}
if(!tmp || !ptr) {
Curl_failf(conn->data, "Failed to decode base64 in reply");
krb4_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
memcpy((char *)tkt.dat, ptr, tmp);
free(ptr);
tkt.length = tmp;
tktcopy.length = tkt.length;
p = strstr(conn->data->state.buffer, "P=");
if(!p) {
Curl_failf(conn->data, "Bad reply from server");
krb4_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
name = p + 2;
for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
*p = 0;
des_string_to_key (conn->passwd, &key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((void *)tkt.dat, (void *)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
if(strcmp ((char*)tktcopy.dat + 8,
KRB_TICKET_GRANTING_TICKET) != 0) {
afs_string_to_key(passwd,
krb_realmofhost(conn->host.name),
&key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((void *)tkt.dat, (void *)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
}
memset(key, 0, sizeof(key));
memset(schedule, 0, sizeof(schedule));
memset(passwd, 0, sizeof(passwd));
result = Curl_base64_encode(conn->data, (char *)tktcopy.dat, tktcopy.length,
&p, &base64_sz);
if(result) {
Curl_failf(conn->data, "base64-encoding: %s", curl_easy_strerror(result));
krb4_set_command_prot(conn, save);
return result;
}
memset (tktcopy.dat, 0, tktcopy.length);
result = Curl_ftpsendf(conn, "SITE KAUTH %s %s", name, p);
free(p);
if(result)
return result;
result = Curl_GetFTPResponse(&nread, conn, NULL);
if(result)
return result;
krb4_set_command_prot(conn, save);
return CURLE_OK;
}
#endif /* HAVE_KRB4 */
#endif /* CURL_DISABLE_FTP */

2
lib/krb5.c
View File

@ -51,7 +51,7 @@
#include "ftp.h" #include "ftp.h"
#include "curl_gssapi.h" #include "curl_gssapi.h"
#include "sendf.h" #include "sendf.h"
#include "krb4.h" #include "security.h"
#include "curl_memory.h" #include "curl_memory.h"
#include "warnless.h" #include "warnless.h"

15
lib/pingpong.c
View File

@ -165,7 +165,7 @@ CURLcode Curl_pp_vsendf(struct pingpong *pp,
struct connectdata *conn = pp->conn; struct connectdata *conn = pp->conn;
struct SessionHandle *data = conn->data; struct SessionHandle *data = conn->data;
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
enum protection_level data_sec = conn->data_prot; enum protection_level data_sec = conn->data_prot;
#endif #endif
@ -194,12 +194,12 @@ CURLcode Curl_pp_vsendf(struct pingpong *pp,
return error; return error;
} }
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
conn->data_prot = PROT_CMD; conn->data_prot = PROT_CMD;
#endif #endif
error = Curl_write(conn, conn->sock[FIRSTSOCKET], s, write_len, error = Curl_write(conn, conn->sock[FIRSTSOCKET], s, write_len,
&bytes_written); &bytes_written);
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
DEBUGASSERT(data_sec > PROT_NONE && data_sec < PROT_LAST); DEBUGASSERT(data_sec > PROT_NONE && data_sec < PROT_LAST);
conn->data_prot = data_sec; conn->data_prot = data_sec;
#endif #endif
@ -302,14 +302,14 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
} }
else { else {
int res; int res;
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
enum protection_level prot = conn->data_prot; enum protection_level prot = conn->data_prot;
conn->data_prot = PROT_CLEAR; conn->data_prot = PROT_CLEAR;
#endif #endif
DEBUGASSERT((ptr+BUFSIZE-pp->nread_resp) <= (buf+BUFSIZE+1)); DEBUGASSERT((ptr+BUFSIZE-pp->nread_resp) <= (buf+BUFSIZE+1));
res = Curl_read(conn, sockfd, ptr, BUFSIZE-pp->nread_resp, res = Curl_read(conn, sockfd, ptr, BUFSIZE-pp->nread_resp,
&gotbytes); &gotbytes);
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
DEBUGASSERT(prot > PROT_NONE && prot < PROT_LAST); DEBUGASSERT(prot > PROT_NONE && prot < PROT_LAST);
conn->data_prot = prot; conn->data_prot = prot;
#endif #endif
@ -352,7 +352,7 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
the line isn't really terminated until the LF comes */ the line isn't really terminated until the LF comes */
/* output debug output if that is requested */ /* output debug output if that is requested */
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
if(!conn->sec_complete) if(!conn->sec_complete)
#endif #endif
if(data->set.verbose) if(data->set.verbose)
@ -371,8 +371,7 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
if(pp->endofresp(conn, pp->linestart_resp, perline, code)) { if(pp->endofresp(conn, pp->linestart_resp, perline, code)) {
/* This is the end of the last line, copy the last line to the /* This is the end of the last line, copy the last line to the
start of the buffer and zero terminate, for old times sake (and start of the buffer and zero terminate, for old times sake */
krb4)! */
char *meow; char *meow;
int n; int n;
for(meow=pp->linestart_resp, n=0; meow<ptr; meow++, n++) for(meow=pp->linestart_resp, n=0; meow<ptr; meow++, n++)

17
lib/security.c
View File

@ -7,7 +7,7 @@
* rewrite to work around the paragraph 2 in the BSD licenses as explained * rewrite to work around the paragraph 2 in the BSD licenses as explained
* below. * below.
* *
* Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan * Copyright (c) 1998, 1999, 2013 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden). * (Royal Institute of Technology, Stockholm, Sweden).
* *
* Copyright (C) 2001 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 2001 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
@ -44,7 +44,7 @@
#include "curl_setup.h" #include "curl_setup.h"
#ifndef CURL_DISABLE_FTP #ifndef CURL_DISABLE_FTP
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
#ifdef HAVE_NETDB_H #ifdef HAVE_NETDB_H
#include <netdb.h> #include <netdb.h>
@ -57,7 +57,7 @@
#include "urldata.h" #include "urldata.h"
#include "curl_base64.h" #include "curl_base64.h"
#include "curl_memory.h" #include "curl_memory.h"
#include "krb4.h" #include "security.h"
#include "ftp.h" #include "ftp.h"
#include "sendf.h" #include "sendf.h"
#include "rawstr.h" #include "rawstr.h"
@ -110,11 +110,8 @@ static char level_to_char(int level) {
} }
static const struct Curl_sec_client_mech * const mechs[] = { static const struct Curl_sec_client_mech * const mechs[] = {
#if defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
&Curl_krb5_client_mech, &Curl_krb5_client_mech,
#endif
#if defined(HAVE_KRB4)
&Curl_krb4_client_mech,
#endif #endif
NULL NULL
}; };
@ -199,7 +196,7 @@ socket_write(struct connectdata *conn, curl_socket_t fd, const void *to,
static CURLcode read_data(struct connectdata *conn, static CURLcode read_data(struct connectdata *conn,
curl_socket_t fd, curl_socket_t fd,
struct krb4buffer *buf) struct krb5buffer *buf)
{ {
int len; int len;
void* tmp; void* tmp;
@ -225,7 +222,7 @@ static CURLcode read_data(struct connectdata *conn,
} }
static size_t static size_t
buffer_read(struct krb4buffer *buf, void *data, size_t len) buffer_read(struct krb5buffer *buf, void *data, size_t len)
{ {
if(buf->size - buf->index < len) if(buf->size - buf->index < len)
len = buf->size - buf->index; len = buf->size - buf->index;
@ -599,6 +596,6 @@ Curl_sec_end(struct connectdata *conn)
conn->mech = NULL; conn->mech = NULL;
} }
#endif /* HAVE_KRB4 || HAVE_GSSAPI */ #endif /* HAVE_GSSAPI */
#endif /* CURL_DISABLE_FTP */ #endif /* CURL_DISABLE_FTP */

20
lib/krb4.h → lib/security.h
View File

@ -1,5 +1,5 @@
#ifndef HEADER_CURL_KRB4_H #ifndef HEADER_CURL_SECURITY_H
#define HEADER_CURL_KRB4_H #define HEADER_CURL_SECURITY_H
/*************************************************************************** /***************************************************************************
* _ _ ____ _ * _ _ ____ _
* Project ___| | | | _ \| | * Project ___| | | | _ \| |
@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -34,24 +34,18 @@ struct Curl_sec_client_mech {
int (*decode)(void *, void*, int, int, struct connectdata *); int (*decode)(void *, void*, int, int, struct connectdata *);
}; };
#define AUTH_OK 0 #define AUTH_OK 0
#define AUTH_CONTINUE 1 #define AUTH_CONTINUE 1
#define AUTH_ERROR 2 #define AUTH_ERROR 2
#ifdef HAVE_KRB4
extern struct Curl_sec_client_mech Curl_krb4_client_mech;
#endif
#ifdef HAVE_GSSAPI
extern struct Curl_sec_client_mech Curl_krb5_client_mech;
#endif
CURLcode Curl_krb_kauth(struct connectdata *conn);
int Curl_sec_read_msg (struct connectdata *conn, char *, int Curl_sec_read_msg (struct connectdata *conn, char *,
enum protection_level); enum protection_level);
void Curl_sec_end (struct connectdata *); void Curl_sec_end (struct connectdata *);
CURLcode Curl_sec_login (struct connectdata *); CURLcode Curl_sec_login (struct connectdata *);
int Curl_sec_request_prot (struct connectdata *conn, const char *level); int Curl_sec_request_prot (struct connectdata *conn, const char *level);
#endif /* HEADER_CURL_KRB4_H */ #ifdef HAVE_GSSAPI
extern struct Curl_sec_client_mech Curl_krb5_client_mech;
#endif
#endif /* HEADER_CURL_SECURITY_H */

10
lib/sendf.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -35,14 +35,6 @@
#define _MPRINTF_REPLACE /* use the internal *printf() functions */ #define _MPRINTF_REPLACE /* use the internal *printf() functions */
#include <curl/mprintf.h> #include <curl/mprintf.h>
/* the krb4 functions only exists for FTP and if krb4 or gssapi is defined */
#if !defined(CURL_DISABLE_FTP) && (defined(HAVE_KRB4) || defined(HAVE_GSSAPI))
#include "krb4.h"
#else
#define Curl_sec_send(a,b,c,d) -1
#define Curl_sec_read(a,b,c,d) -1
#endif
#include "curl_memory.h" #include "curl_memory.h"
#include "strerror.h" #include "strerror.h"

2
lib/url.c
View File

@ -3607,7 +3607,7 @@ static struct connectdata *allocate_conn(struct SessionHandle *data)
if(!conn->send_pipe || !conn->recv_pipe) if(!conn->send_pipe || !conn->recv_pipe)
goto error; goto error;
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
conn->data_prot = PROT_CLEAR; conn->data_prot = PROT_CLEAR;
#endif #endif

10
lib/urldata.h
View File

@ -222,9 +222,9 @@
#define CURLMIN(x,y) ((x)<(y)?(x):(y)) #define CURLMIN(x,y) ((x)<(y)?(x):(y))
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
/* Types needed for krb4/5-ftp connections */ /* Types needed for krb5-ftp connections */
struct krb4buffer { struct krb5buffer {
void *data; void *data;
size_t size; size_t size;
size_t index; size_t index;
@ -934,12 +934,12 @@ struct connectdata {
} allocptr; } allocptr;
int sec_complete; /* if kerberos is enabled for this connection */ int sec_complete; /* if kerberos is enabled for this connection */
#if defined(HAVE_KRB4) || defined(HAVE_GSSAPI) #ifdef HAVE_GSSAPI
enum protection_level command_prot; enum protection_level command_prot;
enum protection_level data_prot; enum protection_level data_prot;
enum protection_level request_data_prot; enum protection_level request_data_prot;
size_t buffer_size; size_t buffer_size;
struct krb4buffer in_buffer; struct krb5buffer in_buffer;
void *app_data; void *app_data;
const struct Curl_sec_client_mech *mech; const struct Curl_sec_client_mech *mech;
struct sockaddr_in local_addr; struct sockaddr_in local_addr;

5
lib/version.c
View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -235,9 +235,6 @@ static curl_version_info_data version_info = {
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
| CURL_VERSION_IPV6 | CURL_VERSION_IPV6
#endif #endif
#ifdef HAVE_KRB4
| CURL_VERSION_KERBEROS4
#endif
#ifdef USE_SSL #ifdef USE_SSL
| CURL_VERSION_SSL | CURL_VERSION_SSL
#endif #endif