Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bring back files that this update removed.

Browse Source
This commit is contained in:
christos 2005-04-23 16:55:03 +00:00
parent ab388e3703
commit 0df7655544
8 changed files with 1083 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

361
crypto/dist/ssh/auth-krb4.c vendored Normal file
View File

@ -0,0 +1,361 @@
/* $NetBSD: auth-krb4.c,v 1.17 2005/04/23 16:55:03 christos Exp $ */
/*
* Copyright (c) 1999 Dug Song. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: auth-krb4.c,v 1.29 2003/02/21 10:34:48 mpech Exp $");
__RCSID("$NetBSD: auth-krb4.c,v 1.17 2005/04/23 16:55:03 christos Exp $");
#include "ssh.h"
#include "ssh1.h"
#include "packet.h"
#include "xmalloc.h"
#include "log.h"
#include "servconf.h"
#include "uidswap.h"
#include "auth.h"
#ifdef AFS
#include "radix.h"
#endif
#ifdef KRB4
extern ServerOptions options;
static int
krb4_init(void *context)
{
Authctxt *authctxt = (Authctxt *)context;
const char *tkt_root = TKT_ROOT;
struct stat st;
int fd;
if (!authctxt->krb4_ticket_file) {
/* Set unique ticket string manually since we're still root. */
authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
#ifdef AFS
if (lstat("/ticket", &st) != -1)
tkt_root = "/ticket/";
#endif /* AFS */
snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
tkt_root, authctxt->pw->pw_uid, (long)getpid());
krb_set_tkt_string(authctxt->krb4_ticket_file);
}
/* Try to create our ticket file. */
if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
close(fd);
return (1);
}
/* Ticket file exists - make sure user owns it (just passed ticket). */
if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
st.st_uid == authctxt->pw->pw_uid)
return (1);
}
/* Failure - cancel cleanup function, leaving ticket for inspection. */
logit("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
xfree(authctxt->krb4_ticket_file);
authctxt->krb4_ticket_file = NULL;
return (0);
}
/*
* try krb4 authentication,
* return 1 on success, 0 on failure, -1 if krb4 is not available
*/
int
auth_krb4_password(Authctxt *authctxt, const char *password)
{
AUTH_DAT adata;
KTEXT_ST tkt;
struct hostent *hp;
struct passwd *pw;
char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
u_int32_t faddr;
int r;
if ((pw = authctxt->pw) == NULL)
return (0);
/*
* Try Kerberos password authentication only for non-root
* users and only if Kerberos is installed.
*/
if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
/* Set up our ticket file. */
if (!krb4_init(authctxt)) {
logit("Couldn't initialize Kerberos ticket file for %s!",
pw->pw_name);
goto failure;
}
/* Try to get TGT using our password. */
r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
"krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
if (r != INTK_OK) {
debug("Kerberos v4 password authentication for %s "
"failed: %s", pw->pw_name, krb_err_txt[r]);
goto failure;
}
/* Successful authentication. */
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
/*
* Now that we have a TGT, try to get a local
* "rcmd" ticket to ensure that we are not talking
* to a bogus Kerberos server.
*/
gethostname(localhost, sizeof(localhost));
strlcpy(phost, (char *)krb_get_phost(localhost),
sizeof(phost));
r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
if (r == KSUCCESS) {
if ((hp = gethostbyname(localhost)) == NULL) {
logit("Couldn't get local host address!");
goto failure;
}
memmove((void *)&faddr, (void *)hp->h_addr,
sizeof(faddr));
/* Verify our "rcmd" ticket. */
r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
faddr, &adata, "");
if (r == RD_AP_UNDEC) {
/*
* Probably didn't have a srvtab on
* localhost. Disallow login.
*/
logit("Kerberos v4 TGT for %s unverifiable, "
"no srvtab installed? krb_rd_req: %s",
pw->pw_name, krb_err_txt[r]);
goto failure;
} else if (r != KSUCCESS) {
logit("Kerberos v4 %s ticket unverifiable: %s",
KRB4_SERVICE_NAME, krb_err_txt[r]);
goto failure;
}
} else if (r == KDC_PR_UNKNOWN) {
/*
* Disallow login if no rcmd service exists, and
* log the error.
*/
logit("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
"not registered, or srvtab is wrong?", pw->pw_name,
krb_err_txt[r], KRB4_SERVICE_NAME, phost);
goto failure;
} else {
/*
* TGT is bad, forget it. Possibly spoofed!
*/
debug("WARNING: Kerberos v4 TGT possibly spoofed "
"for %s: %s", pw->pw_name, krb_err_txt[r]);
goto failure;
}
/* Authentication succeeded. */
return (1);
} else
/* Logging in as root or no local Kerberos realm. */
debug("Unable to authenticate to Kerberos.");
failure:
krb4_cleanup_proc(authctxt);
if (!options.kerberos_or_local_passwd)
return (0);
/* Fall back to ordinary passwd authentication. */
return (-1);
}
void
krb4_cleanup_proc(void *context)
{
Authctxt *authctxt = (Authctxt *)context;
debug("krb4_cleanup_proc called");
if (authctxt->krb4_ticket_file) {
(void) dest_tkt();
xfree(authctxt->krb4_ticket_file);
authctxt->krb4_ticket_file = NULL;
}
}
int
auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply)
{
AUTH_DAT adat = {0};
Key_schedule schedule;
struct sockaddr_in local, foreign;
char instance[INST_SZ];
socklen_t slen;
u_int cksum;
int r, s;
s = packet_get_connection_in();
slen = sizeof(local);
memset(&local, 0, sizeof(local));
if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
debug("getsockname failed: %.100s", strerror(errno));
slen = sizeof(foreign);
memset(&foreign, 0, sizeof(foreign));
if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
debug("getpeername failed: %.100s", strerror(errno));
cleanup_exit(255);
}
instance[0] = '*';
instance[1] = 0;
/* Get the encrypted request, challenge, and session key. */
if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
0, &adat, ""))) {
debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
return (0);
}
des_key_sched((des_cblock *) adat.session, schedule);
*client = xmalloc(MAX_K_NAME_SZ);
(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
*adat.pinst ? "." : "", adat.pinst, adat.prealm);
/* Check ~/.klogin authorization now. */
if (kuserok(&adat, authctxt->user) != KSUCCESS) {
logit("Kerberos v4 .klogin authorization failed for %s to "
"account %s", *client, authctxt->user);
xfree(*client);
*client = NULL;
return (0);
}
/* Increment the checksum, and return it encrypted with the
session key. */
cksum = adat.checksum + 1;
cksum = htonl(cksum);
/* If we can't successfully encrypt the checksum, we send back an
empty message, admitting our failure. */
if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
schedule, &adat.session, &local, &foreign)) < 0) {
debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
reply->dat[0] = 0;
reply->length = 0;
} else
reply->length = r;
/* Clear session key. */
memset(&adat.session, 0, sizeof(adat.session));
return (1);
}
#endif /* KRB4 */
#ifdef AFS
int
auth_krb4_tgt(Authctxt *authctxt, const char *string)
{
CREDENTIALS creds;
struct passwd *pw;
if ((pw = authctxt->pw) == NULL)
goto failure;
temporarily_use_uid(pw);
if (!radix_to_creds(string, &creds)) {
logit("Protocol error decoding Kerberos v4 TGT");
goto failure;
}
if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
strlcpy(creds.service, "krbtgt", sizeof creds.service);
if (strcmp(creds.service, "krbtgt")) {
logit("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
creds.realm, pw->pw_name);
goto failure;
}
if (!krb4_init(authctxt))
goto failure;
if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
goto failure;
if (save_credentials(creds.service, creds.instance, creds.realm,
creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
creds.issue_date) != KSUCCESS) {
debug("Kerberos v4 TGT refused: couldn't save credentials");
goto failure;
}
/* Successful authentication, passed all checks. */
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
memset(&creds, 0, sizeof(creds));
restore_uid();
return (1);
failure:
krb4_cleanup_proc(authctxt);
memset(&creds, 0, sizeof(creds));
restore_uid();
return (0);
}
int
auth_afs_token(Authctxt *authctxt, const char *token_string)
{
CREDENTIALS creds;
struct passwd *pw;
uid_t uid;
if ((pw = authctxt->pw) == NULL)
return (0);
if (!radix_to_creds(token_string, &creds)) {
logit("Protocol error decoding AFS token");
return (0);
}
if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
strlcpy(creds.service, "afs", sizeof creds.service);
if (strncmp(creds.pname, "AFS ID ", 7) == 0)
uid = atoi(creds.pname + 7);
else
uid = pw->pw_uid;
if (kafs_settoken(creds.realm, uid, &creds)) {
logit("AFS token (%s@%s) rejected for %s",
creds.pname, creds.realm, pw->pw_name);
memset(&creds, 0, sizeof(creds));
return (0);
}
debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
memset(&creds, 0, sizeof(creds));
return (1);
}
#endif /* AFS */

70
crypto/dist/ssh/auth2-krb5.c vendored Normal file
View File

@ -0,0 +1,70 @@
/* $NetBSD: auth2-krb5.c,v 1.7 2005/04/23 16:55:03 christos Exp $ */
/*
* Copyright (c) 2003 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: auth2-krb5.c,v 1.2 2003/05/15 14:09:21 markus Exp $");
__RCSID("$NetBSD: auth2-krb5.c,v 1.7 2005/04/23 16:55:03 christos Exp $");
#include <krb5.h>
#include "ssh2.h"
#include "xmalloc.h"
#include "packet.h"
#include "log.h"
#include "auth.h"
#include "monitor_wrap.h"
#include "servconf.h"
/* import */
extern ServerOptions options;
static int
userauth_kerberos(Authctxt *authctxt)
{
krb5_data tkt, reply;
u_int dlen;
char *client = NULL;
int authenticated = 0;
tkt.data = packet_get_string(&dlen);
tkt.length = dlen;
packet_check_eom();
if (PRIVSEP(auth_krb5(authctxt, &tkt, &client, &reply))) {
authenticated = 1;
if (reply.length)
xfree(reply.data);
}
if (client)
xfree(client);
xfree(tkt.data);
return (authenticated);
}
Authmethod method_kerberos = {
"kerberos-2@ssh.com",
userauth_kerberos,
&options.kerberos_authentication
};

165
crypto/dist/ssh/moduli.5 vendored Normal file
View File

@ -0,0 +1,165 @@
.\" $NetBSD: moduli.5,v 1.13 2005/04/23 16:55:03 christos Exp $
.\" $OpenBSD: moduli.5,v 1.7 2003/03/06 20:48:35 jmc Exp $
.\"
.\" Copyright 1997, 2000 William Allen Simpson <wsimpson@greendragon.com>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software designed by William Allen Simpson.
.\" 4. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Manual page, using -mandoc macros
.\"
.Dd February 7, 2005
.Dt MODULI 5
.Os
.Sh NAME
.Nm moduli
.Nd system moduli file
.Sh DESCRIPTION
The
.Pa /etc/moduli
file contains the system-wide Diffie-Hellman prime moduli for
.Xr sshd 8 .
.Pp
Each line in this file contains the following fields:
Time, Type, Tests, Tries, Size, Generator, Modulus.
The fields are separated by white space (tab or blank).
.Pp
.Fa Time : yyyymmddhhmmss .
Specifies the system time that the line was appended to the file.
The value 00000000000000 means unknown (historic).
.\"The file is sorted in ascending order.
.Pp
.Fa Type : decimal .
Specifies the internal structure of the prime modulus.
.Pp
.Bl -tag -width indent -offset indent -compact
.It 0 :
unknown;
often learned from peer during protocol operation,
and saved for later analysis.
.It 1 :
unstructured;
a common large number.
.It 2 :
safe (p = 2q + 1);
meets basic structural requirements.
.It 3 :
Schnorr.
.It 4 :
Sophie-Germaine (q = (p-1)/2);
usually generated in the process of testing safe or strong primes.
.It 5 :
strong;
useful for RSA public key generation.
.El
.Pp
.Fa Tests : decimal (bit field) .
Specifies the methods used in checking for primality.
Usually, more than one test is used.
.Pp
.Bl -tag -width indent -offset indent -compact
.It 0 :
not tested;
often learned from peer during protocol operation,
and saved for later analysis.
.It 1 :
composite;
failed one or more tests.
In this case, the highest bit specifies the test that failed.
.It 2 :
sieve;
checked for division by a range of smaller primes.
.It 4 :
Miller-Rabin.
.It 8 :
Jacobi.
.It 16 :
Elliptic Curve.
.El
.Pp
.Fa Tries : decimal .
Depends on the value of the highest valid Test bit,
where the method specified is:
.Pp
.Bl -tag -width indent -offset indent -compact
.It 0 :
not tested
(always zero).
.It 1 :
composite
(irrelevant).
.It 2 :
sieve;
number of primes sieved.
Commonly on the order of 32,000,000.
.It 4 :
Miller-Rabin;
number of M-R iterations.
Commonly on the order of 32 to 64.
.It 8 :
Jacobi;
unknown
(always zero).
.It 16 :
Elliptic Curve;
unused
(always zero).
.El
.Pp
.Fa Size : decimal .
Specifies the number of the most significant bit (0 to M).
.Pp
.Fa Generator : hex string .
Specifies the best generator for a Diffie-Hellman exchange.
0 = unknown or variable,
2, 3, 5, etc.
.Pp
.Fa Modulus : hex string .
The prime modulus.
.Pp
The file should be searched for moduli that meet the appropriate
Time, Size and Generator criteria.
When more than one meet the criteria,
the selection should be weighted toward newer moduli,
without completely disqualifying older moduli.
.Pp
Note that
.Xr sshd 8
uses only the Size criteria and then selects a modulus at random
if more than one meet the Size criteria.
.Sh FILES
.Bl -tag -width /etc/moduli -compact
.It Pa /etc/moduli
.El
.Sh SEE ALSO
.Xr sshd 8
.Sh HISTORY
The
.Nm
file appeared in
.Ox 2.8
and
.Nx 1.6 .

160
crypto/dist/ssh/radix.c vendored Normal file
View File

@ -0,0 +1,160 @@
/* $NetBSD: radix.c,v 1.17 2005/04/23 16:55:03 christos Exp $ */
/*
* Copyright (c) 1999 Dug Song. All rights reserved.
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#include "uuencode.h"
RCSID("$OpenBSD: radix.c,v 1.22 2002/09/09 14:54:15 markus Exp $");
__RCSID("$NetBSD: radix.c,v 1.17 2005/04/23 16:55:03 christos Exp $");
#ifdef AFS
#include <krb.h>
#include <radix.h>
#include "bufaux.h"
int
creds_to_radix(CREDENTIALS *creds, u_char *buf, size_t buflen)
{
Buffer b;
int ret;
buffer_init(&b);
buffer_put_char(&b, 1); /* version */
buffer_append(&b, creds->service, strlen(creds->service));
buffer_put_char(&b, '\0');
buffer_append(&b, creds->instance, strlen(creds->instance));
buffer_put_char(&b, '\0');
buffer_append(&b, creds->realm, strlen(creds->realm));
buffer_put_char(&b, '\0');
buffer_append(&b, creds->pname, strlen(creds->pname));
buffer_put_char(&b, '\0');
buffer_append(&b, creds->pinst, strlen(creds->pinst));
buffer_put_char(&b, '\0');
/* Null string to repeat the realm. */
buffer_put_char(&b, '\0');
buffer_put_int(&b, creds->issue_date);
buffer_put_int(&b, krb_life_to_time(creds->issue_date,
creds->lifetime));
buffer_append(&b, creds->session, sizeof(creds->session));
buffer_put_short(&b, creds->kvno);
/* 32 bit size + data */
buffer_put_string(&b, creds->ticket_st.dat, creds->ticket_st.length);
ret = uuencode(buffer_ptr(&b), buffer_len(&b), (char *)buf, buflen);
buffer_free(&b);
return ret;
}
#define GETSTRING(b, t, tlen) \
do { \
int i, found = 0; \
for (i = 0; i < tlen; i++) { \
if (buffer_len(b) == 0) \
goto done; \
t[i] = buffer_get_char(b); \
if (t[i] == '\0') { \
found = 1; \
break; \
} \
} \
if (!found) \
goto done; \
} while(0)
int
radix_to_creds(const char *buf, CREDENTIALS *creds)
{
Buffer b;
u_char *space;
char c, version, *p;
u_int endTime, len;
int blen, ret;
ret = 0;
blen = strlen(buf);
/* sanity check for size */
if (blen > 8192)
return 0;
buffer_init(&b);
space = buffer_append_space(&b, blen);
/* check version and length! */
len = uudecode(buf, space, blen);
if (len < 1)
goto done;
version = buffer_get_char(&b);
GETSTRING(&b, creds->service, sizeof creds->service);
GETSTRING(&b, creds->instance, sizeof creds->instance);
GETSTRING(&b, creds->realm, sizeof creds->realm);
GETSTRING(&b, creds->pname, sizeof creds->pname);
GETSTRING(&b, creds->pinst, sizeof creds->pinst);
if (buffer_len(&b) == 0)
goto done;
/* Ignore possibly different realm. */
while (buffer_len(&b) > 0 && (c = buffer_get_char(&b)) != '\0')
;
if (buffer_len(&b) == 0)
goto done;
creds->issue_date = buffer_get_int(&b);
endTime = buffer_get_int(&b);
creds->lifetime = krb_time_to_life(creds->issue_date, endTime);
len = buffer_len(&b);
if (len < sizeof(creds->session))
goto done;
memcpy(&creds->session, buffer_ptr(&b), sizeof(creds->session));
buffer_consume(&b, sizeof(creds->session));
creds->kvno = buffer_get_short(&b);
p = buffer_get_string(&b, &len);
if (len < 0 || len > sizeof(creds->ticket_st.dat))
goto done;
memcpy(&creds->ticket_st.dat, p, len);
creds->ticket_st.length = len;
ret = 1;
done:
buffer_free(&b);
return ret;
}
#endif /* AFS */

29
crypto/dist/ssh/radix.h vendored Normal file
View File

@ -0,0 +1,29 @@
/* $NetBSD: radix.h,v 1.9 2005/04/23 16:55:03 christos Exp $ */
/* $OpenBSD: radix.h,v 1.4 2001/06/26 17:27:24 markus Exp $ */
/*
* Copyright (c) 1999 Dug Song. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
int creds_to_radix(CREDENTIALS *, u_char *, size_t);
int radix_to_creds(const char *, CREDENTIALS *);

118
crypto/dist/ssh/readpassphrase.3 vendored Normal file
View File

@ -0,0 +1,118 @@
.\" $NetBSD: readpassphrase.3,v 1.6 2005/04/23 16:55:03 christos Exp $
.\" $OpenBSD: readpassphrase.3,v 1.3 2001/08/06 10:42:25 mpech Exp $
.\"
.\" Copyright (c) 2000 Todd C. Miller <Todd.Miller@courtesan.com>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd November 20, 2000
.Dt READPASSPHRASE 3
.Os
.Sh NAME
.Nm readpassphrase
.Nd get a passphrase from the user
.Sh SYNOPSIS
.In readpassphrase.h
.Ft char *
.Fn readpassphrase "const char *prompt" "char *buf" "size_t bufsiz" "int flags"
.Sh DESCRIPTION
The
.Fn readpassphrase
function displays a prompt to, and reads in a passphrase from,
.Pa /dev/tty .
If this file is inaccessible
and the
.Dv RPP_REQUIRE_TTY
flag is not set,
.Fn readpassphrase
displays the prompt on the standard error output and reads from the standard
input.
In this case it is generally not possible to turn off echo.
.Pp
Up to
.Fa bufsiz
- 1 characters (one is for the NUL) are read into the provided buffer
.Fa buf .
Any additional
characters and the terminating newline (or return) character are discarded.
.Pp
.Fn readpassphrase
takes the following optional
.Fa flags :
.Pp
.Bd -literal -offset indent -compact
RPP_ECHO_OFF turn off echo (default behavior)
RPP_ECHO_ON leave echo on
RPP_REQUIRE_TTY fail if there is no tty
RPP_FORCELOWER force input to lower case
RPP_FORCEUPPER force input to upper case
RPP_SEVENBIT strip the high bit from input
.Ed
.Pp
The calling process should zero the passphrase as soon as possible to
avoid leaving the cleartext passphrase visible in the process's address
space.
.Sh RETURN VALUES
On success,
.Fn readpassphrase
returns a pointer to the null-terminated passphrase.
If the
.Dv RPP_REQUIRE_TTY
flag is set and
.Pa /dev/tty
is inaccessible,
.Fn readpassphrase
returns a null pointer.
.Sh FILES
.Bl -tag -width /dev/tty -compact
.It Pa /dev/tty
.El
.Sh EXAMPLES
The following code fragment will read a passphrase from
.Pa /dev/tty
into the buffer
.Fa passbuf .
.Bd -literal -offset indent
char passbuf[1024];
\&...
if (readpassphrase("Response: ", passbuf, sizeof(passbuf),
RPP_REQUIRE_TTY) == NULL)
errx(1, "unable to read passphrase");
if (compare(transform(passbuf), epass) != 0)
errx(1, "bad passphrase");
\&...
memset(passbuf, 0, sizeof(passbuf));
.Ed
.Sh SEE ALSO
.Xr getpass 3
.Sh HISTORY
The
.Fn readpassphrase
function first appeared in
.Ox 2.9 .

133
crypto/dist/ssh/readpassphrase.c vendored Normal file
View File

@ -0,0 +1,133 @@
/* $NetBSD: readpassphrase.c,v 1.6 2005/04/23 16:55:03 christos Exp $ */
/*
* Copyright (c) 2000 Todd C. Miller <Todd.Miller@courtesan.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
* THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.7 2001/08/07 19:34:11 millert Exp $";
#endif /* LIBC_SCCS and not lint */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <paths.h>
#include <pwd.h>
#include <signal.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#include <readpassphrase.h>
char *
readpassphrase(prompt, buf, bufsiz, flags)
const char *prompt;
char *buf;
size_t bufsiz;
int flags;
{
struct termios term, oterm;
char ch, *p, *end;
int input, output;
sigset_t oset, nset;
/* I suppose we could alloc on demand in this case (XXX). */
if (bufsiz == 0) {
errno = EINVAL;
return(NULL);
}
/*
* Read and write to /dev/tty if available. If not, read from
* stdin and write to stderr unless a tty is required.
*/
if ((input = output = open(_PATH_TTY, O_RDWR)) == -1) {
if (flags & RPP_REQUIRE_TTY) {
errno = ENOTTY;
return(NULL);
}
input = STDIN_FILENO;
output = STDERR_FILENO;
}
/*
* We block SIGINT and SIGTSTP so the terminal is not left
* in an inconsistent state (ie: no echo). It would probably
* be better to simply catch these though.
*/
sigemptyset(&nset);
sigaddset(&nset, SIGINT);
sigaddset(&nset, SIGTSTP);
(void)sigprocmask(SIG_BLOCK, &nset, &oset);
/* Turn off echo if possible. */
if (tcgetattr(input, &oterm) == 0) {
memcpy(&term, &oterm, sizeof(term));
if (!(flags & RPP_ECHO_ON) && (term.c_lflag & ECHO))
term.c_lflag &= ~ECHO;
if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
term.c_cc[VSTATUS] = _POSIX_VDISABLE;
(void)tcsetattr(input, TCSAFLUSH|TCSASOFT, &term);
} else {
memset(&term, 0, sizeof(term));
memset(&oterm, 0, sizeof(oterm));
}
(void)write(output, prompt, strlen(prompt));
end = buf + bufsiz - 1;
for (p = buf; read(input, &ch, 1) == 1 && ch != '\n' && ch != '\r';) {
if (p < end) {
if ((flags & RPP_SEVENBIT))
ch &= 0x7f;
if (isalpha((unsigned char)ch)) {
if ((flags & RPP_FORCELOWER))
ch = tolower((unsigned char)ch);
if ((flags & RPP_FORCEUPPER))
ch = toupper((unsigned char)ch);
}
*p++ = ch;
}
}
*p = '\0';
if (!(term.c_lflag & ECHO))
(void)write(output, "\n", 1);
/* Restore old terminal settings and signal mask. */
if (memcmp(&term, &oterm, sizeof(term)) != 0)
(void)tcsetattr(input, TCSAFLUSH|TCSASOFT, &oterm);
(void)sigprocmask(SIG_SETMASK, &oset, NULL);
if (input != STDIN_FILENO)
(void)close(input);
return(buf);
}
char *
getpass(prompt)
const char *prompt;
{
static char buf[_PASSWORD_LEN + 1];
return(readpassphrase(prompt, buf, sizeof(buf), RPP_ECHO_OFF));
}

47
crypto/dist/ssh/readpassphrase.h vendored Normal file
View File

@ -0,0 +1,47 @@
/* $NetBSD: readpassphrase.h,v 1.5 2005/04/23 16:55:03 christos Exp $ */
/* $OpenBSD: readpassphrase.h,v 1.1 2000/11/21 00:48:38 millert Exp $ */
/*
* Copyright (c) 2000 Todd C. Miller <Todd.Miller@courtesan.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
* THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _READPASSPHRASE_H_
#define _READPASSPHRASE_H_
#define RPP_ECHO_OFF 0x00 /* Turn off echo (default). */
#define RPP_ECHO_ON 0x01 /* Leave echo on. */
#define RPP_REQUIRE_TTY 0x02 /* Fail if there is no tty. */
#define RPP_FORCELOWER 0x04 /* Force input to lower case. */
#define RPP_FORCEUPPER 0x08 /* Force input to upper case. */
#define RPP_SEVENBIT 0x10 /* Strip the high bit from input. */
#include <sys/cdefs.h>
__BEGIN_DECLS
char * readpassphrase __P((const char *, char *, size_t, int));
__END_DECLS
#endif /* !_READPASSPHRASE_H_ */