diff options
-rw-r--r-- | clients/tde/src/app/remotemdi.h | 2 | ||||
-rw-r--r-- | lib/libtdekrb/src/Makefile.am | 8 | ||||
-rw-r--r-- | lib/libtdekrb/src/tdekrbclientsocket.cpp (renamed from lib/libtdekrb/src/tdekrbsocket.cpp) | 24 | ||||
-rw-r--r-- | lib/libtdekrb/src/tdekrbclientsocket.h (renamed from lib/libtdekrb/src/tdekrbsocket.h) | 6 | ||||
-rw-r--r-- | lib/libtdekrb/src/tdekrbserversocket.cpp | 434 | ||||
-rw-r--r-- | lib/libtdekrb/src/tdekrbserversocket.h | 68 | ||||
-rw-r--r-- | servers/auth_server_lin/src/Makefile.am | 2 | ||||
-rw-r--r-- | servers/auth_server_lin/src/auth_conn.cpp | 276 | ||||
-rw-r--r-- | servers/auth_server_lin/src/auth_conn.h | 25 |
9 files changed, 543 insertions, 302 deletions
diff --git a/clients/tde/src/app/remotemdi.h b/clients/tde/src/app/remotemdi.h index 2e1c939..5ccc80d 100644 --- a/clients/tde/src/app/remotemdi.h +++ b/clients/tde/src/app/remotemdi.h @@ -11,7 +11,7 @@ #include <tqvaluelist.h> #include <kmdimainfrm.h> -#include "tdekrbsocket.h" +#include "tdekrbclientsocket.h" class KMdiChildView; class KListBox; diff --git a/lib/libtdekrb/src/Makefile.am b/lib/libtdekrb/src/Makefile.am index 110019d..b0b10cf 100644 --- a/lib/libtdekrb/src/Makefile.am +++ b/lib/libtdekrb/src/Makefile.am @@ -4,10 +4,8 @@ METASOURCES = AUTO # Create a shared library file lib_LTLIBRARIES = libtdekrbsocket.la -include_HEADERS = tdekrbsocket.h +include_HEADERS = tdekrbclientsocket.h tdekrbserversocket.h -libtdekrbsocket_la_SOURCES = tdekrbsocket.cpp +libtdekrbsocket_la_SOURCES = tdekrbclientsocket.cpp tdekrbserversocket.cpp libtdekrbsocket_la_LIBADD = -lkio $(LIB_TDEUI) -lsasl2 -libtdekrbsocket_la_LDFLAGS = -avoid-version -module -no-undefined \ - $(all_libraries) - +libtdekrbsocket_la_LDFLAGS = -avoid-version -module -no-undefined $(all_libraries)
\ No newline at end of file diff --git a/lib/libtdekrb/src/tdekrbsocket.cpp b/lib/libtdekrb/src/tdekrbclientsocket.cpp index 19b666a..c9db10a 100644 --- a/lib/libtdekrb/src/tdekrbsocket.cpp +++ b/lib/libtdekrb/src/tdekrbclientsocket.cpp @@ -27,7 +27,7 @@ #include <saslplug.h> #include <saslutil.h> -#include "tdekrbsocket.h" +#include "tdekrbclientsocket.h" #define NET_SEC_BUF_SIZE (2048) @@ -58,7 +58,7 @@ static int logSASLMessages(void *context __attribute__((unused)), int priority, } printf("[SASL %s] %s\n\r", label, message); - + return SASL_OK; } @@ -116,12 +116,28 @@ void TDEKerberosClientSocket::setServerFQDN(TQString name) { } Q_LONG TDEKerberosClientSocket::readBlock(char *data, Q_ULONG maxlen) { - Q_LONG ret = TQSocket::readBlock(data, maxlen); + Q_LONG ret; + + if (m_kerberosRequested) { + ret = receiveEncryptedData(data, maxlen); + } + else { + ret = TQSocket::readBlock(data, maxlen); + } + return ret; } Q_LONG TDEKerberosClientSocket::writeBlock(const char *data, Q_ULONG len) { - Q_LONG ret = TQSocket::writeBlock(data, len); + Q_LONG ret; + + if (m_kerberosRequested) { + ret = transmitEncryptedData(socket(), data, len); + } + else { + ret = TQSocket::writeBlock(data, len); + } + return ret; } diff --git a/lib/libtdekrb/src/tdekrbsocket.h b/lib/libtdekrb/src/tdekrbclientsocket.h index 5f5f036..b010bc5 100644 --- a/lib/libtdekrb/src/tdekrbsocket.h +++ b/lib/libtdekrb/src/tdekrbclientsocket.h @@ -18,8 +18,8 @@ * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * ***************************************************************************/ -#ifndef TDEKRBSOCKET_H -#define TDEKRBSOCKET_H +#ifndef TDEKRBCLIENTSOCKET_H +#define TDEKRBCLIENTSOCKET_H #include <tqsocket.h> @@ -65,4 +65,4 @@ class TDEKerberosClientSocket : public TQSocket unsigned int m_negotiatedMaxBufferSize; }; -#endif // TDEKRBSOCKET_H
\ No newline at end of file +#endif // TDEKRBCLIENTSOCKET_H
\ No newline at end of file diff --git a/lib/libtdekrb/src/tdekrbserversocket.cpp b/lib/libtdekrb/src/tdekrbserversocket.cpp new file mode 100644 index 0000000..0704aeb --- /dev/null +++ b/lib/libtdekrb/src/tdekrbserversocket.cpp @@ -0,0 +1,434 @@ +/*************************************************************************** + * Copyright (C) 2012 by Timothy Pearson * + * kb9vqf@pearsoncomputing.net * + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + * This program is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * + * GNU General Public License for more details. * + * * + * You should have received a copy of the GNU General Public License * + * along with this program; if not, write to the * + * Free Software Foundation, Inc., * + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ***************************************************************************/ + +#include <stdlib.h> +#include <unistd.h> + +#include <tqapplication.h> + +#include <sasl.h> +#include <saslplug.h> +#include <saslutil.h> + +#include "tdekrbserversocket.h" + +#define NET_SEC_BUF_SIZE (2048) + +class SASLDataPrivate +{ + public: + sasl_callback_t m_callbacks[N_CALLBACKS]; + sasl_conn_t *m_krbConnection; +}; + +static int logSASLMessages(void *context __attribute__((unused)), int priority, const char *message) { + const char *label; + + if (!message) { + return SASL_BADPARAM; + } + + switch (priority) { + case SASL_LOG_ERR: + label = "Error"; + break; + case SASL_LOG_NOTE: + label = "Info"; + break; + default: + label = "Other"; + break; + } + + printf("[SASL %s] %s\n\r", label, message); + + return SASL_OK; +} + +TDEKerberosServerSocket::TDEKerberosServerSocket(TQObject *parent, const char *name) : TQSocket(parent, name), m_kerberosRequested(false), m_negotiatedMaxBufferSize(NET_SEC_BUF_SIZE) { + saslData = new SASLDataPrivate; + saslData->m_krbConnection = NULL; +} + +TDEKerberosServerSocket::~TDEKerberosServerSocket() { + delete saslData; +} + +bool TDEKerberosServerSocket::open(int mode) { + bool ret = TQSocket::open(mode); + if (m_kerberosRequested) { + initializeKerberosInterface(); + } + return ret; +} + +void TDEKerberosServerSocket::close() { + TQSocket::close(); +} + +int TDEKerberosServerSocket::setUsingKerberos(bool krbactive) { + int ret = 0; + + if (m_serviceName == "") { + printf("[ERROR] No service name set!\n\r"); fflush(stdout); + return -1; + } + + if (krbactive) { + m_kerberosRequested = true; + if ((!saslData->m_krbConnection) && (state() == TQSocket::Connected)) { + ret = initializeKerberosInterface(); + } + } + else { + m_kerberosRequested = false; + if (saslData->m_krbConnection) { + freeKerberosConnection(); + } + } + + return ret; +} + +void TDEKerberosServerSocket::setServiceName(TQString name) { + m_serviceName = name; +} + +void TDEKerberosServerSocket::setServerFQDN(TQString name) { + m_serverFQDN = name; +} + +Q_LONG TDEKerberosServerSocket::readBlock(char *data, Q_ULONG maxlen) { + Q_LONG ret; + + if (m_kerberosRequested) { + ret = receiveEncryptedData(data, maxlen); + } + else { + ret = TQSocket::readBlock(data, maxlen); + } + + return ret; +} + +Q_LONG TDEKerberosServerSocket::writeBlock(const char *data, Q_ULONG len) { + Q_LONG ret; + + if (m_kerberosRequested) { + ret = transmitEncryptedData(socket(), data, len); + } + else { + ret = TQSocket::writeBlock(data, len); + } + + return ret; +} + +Q_LONG TDEKerberosServerSocket::readLine(char *data, Q_ULONG maxlen) { + Q_LONG ret; + + if (m_kerberosRequested) { + ret = getSASLDataFromNetwork(data, maxlen); + } + else { + ret = TQSocket::readLine(data, maxlen); + } + + return ret; +} + +TQString TDEKerberosServerSocket::readLine() { + TQString ret; + char *buf; + + if (m_kerberosRequested) { + buf = (char*)malloc(m_negotiatedMaxBufferSize); + receiveEncryptedData(buf, m_negotiatedMaxBufferSize); + ret = TQString(buf); + free(buf); + } + else { + ret = TQSocket::readLine(); + } + + return ret; +} + +void TDEKerberosServerSocket::writeLine(TQString str) { + if (m_kerberosRequested) { + transmitEncryptedData(socket(), str.ascii(), str.length()); + } + else { + TQSocket::writeBlock(str.ascii(), str.length()); + } +} + +void TDEKerberosServerSocket::freeKerberosConnection(void) { + if (saslData->m_krbConnection) { + sasl_dispose(&saslData->m_krbConnection); + } + saslData->m_krbConnection = 0; +} + +void TDEKerberosServerSocket::sendSASLDataToNetwork(const char *buffer, unsigned length, int netfd) { + char *buf; + unsigned len, alloclen; + int result; + + alloclen = ((length / 3) + 1) * 4 + 1; + buf = (char*)malloc(alloclen); + if (!buf) { + printf("[ERROR] Unable to malloc()!\n\r"); + return; + } + + result = sasl_encode64(buffer, length, buf, alloclen, &len); + if (result != SASL_OK) { + printf("[ERROR] Encoding data in base64 returned %s (%d)\n\r", sasl_errstring(result, NULL, NULL), result); + return; + } + + len = strlen(buf); + buf[len] = '\n'; + buf[len+1] = 0; + write(netfd, buf, len+1); + + free(buf); +} + +unsigned int TDEKerberosServerSocket::getSASLDataFromNetwork(char *buf, int trunclen) { + unsigned int len; + int result; + + TQByteArray ba(2048); + + len = 0; + while (1) { + tqApp->processEvents(); + if (state() != TQSocket::Connected) { + return -1; + } + if (TQSocket::readBlock(ba.data()+len, 1) > 0) { + if (ba.data()[len] == '\n') { + ba.data()[len] = 0; + break; + } + if (ba.data()[len] != '\r') { + len++; + } + } + if (len >= (ba.size()-1)) { + ba.resize(ba.size()+2048); + break; + } + } + + len = strlen(ba.data()); + result = sasl_decode64(ba.data(), strlen(ba.data()), buf, trunclen, &len); + if (result != SASL_OK) { + printf("[ERROR] Decoding data from base64 returned %s (%d)\n\r", sasl_errstring(result, NULL, NULL), result); + return -1; + } + buf[len] = '\0'; + + return len; +} + +int TDEKerberosServerSocket::transmitEncryptedData(int fd, const char* readbuf, int cc) { + int result = 0; + unsigned int len; + const char *data; + + result=sasl_encode(saslData->m_krbConnection, readbuf, cc, &data, &len); + if (result != SASL_OK) { + printf("[ERROR] Encrypting data returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result); + return -1; + } + sendSASLDataToNetwork(data, len, fd); + + return 0; +} + +int TDEKerberosServerSocket::receiveEncryptedData(char *buf, int trunclen) { + unsigned int recv_len; + const char *recv_data; + int result; + int len; + + len = getSASLDataFromNetwork(buf, trunclen); + if (len >= 0) { + result=sasl_decode(saslData->m_krbConnection, buf, len, &recv_data, &recv_len); + if (result != SASL_OK) { + printf("[ERROR] Decrypting data returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result); + return -1; + } + strncpy(buf, recv_data, trunclen); + } + + return 0; +} + +int TDEKerberosServerSocket::initializeKerberosInterface() { + if (state() != TQSocket::Connected) { + saslData->m_krbConnection = false; + return -1; + } + + sasl_callback_t *callback; + char buf[NET_SEC_BUF_SIZE]; + int result = 0; + int serverlast = 0; + sasl_security_properties_t secprops; + const char *ext_authid = NULL; + unsigned int len; + int count; + const char *data; + char user_authorized = 0; + sasl_ssf_t *ssf; + + // FIXME + // Populate these fields! + char *iplocal = NULL; + char *ipremote = NULL; + char *localdomain = NULL; + char *userdomain = NULL; + + callback = saslData->m_callbacks; + + // log + callback->id = SASL_CB_LOG; + callback->proc = (sasl_callback_ft)&logSASLMessages; + callback->context = NULL; + ++callback; + + // end of callback list + callback->id = SASL_CB_LIST_END; + callback->proc = NULL; + callback->context = NULL; + ++callback; + + // Initialize default data structures + memset(&secprops, 0L, sizeof(secprops)); + secprops.maxbufsize = NET_SEC_BUF_SIZE; + secprops.max_ssf = UINT_MAX; + + result = sasl_server_init(saslData->m_callbacks, m_serviceName.ascii()); + if (result != SASL_OK) { + printf("[ERROR] Initializing libsasl returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result); + return -1; + } + + result = sasl_server_new(m_serviceName.ascii(), localdomain, userdomain, iplocal, ipremote, NULL, serverlast, &saslData->m_krbConnection); + if (result != SASL_OK) { + printf("[ERROR] Allocating sasl connection state returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result); + return -1; + } + + result = sasl_setprop(saslData->m_krbConnection, SASL_SEC_PROPS, &secprops); + + if (result != SASL_OK) { + printf("[ERROR] Setting security properties returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result); + freeKerberosConnection(); + return -1; + } + + puts("[DEBUG] Generating client mechanism list..."); + result = sasl_listmech(saslData->m_krbConnection, ext_authid, NULL, " ", NULL, &data, &len, &count); + if (result != SASL_OK) { + printf("[ERROR] Generating client mechanism list returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result); + freeKerberosConnection(); + return -1; + } + + printf("[DEBUG] Sending list of %d mechanism(s)\n\r", count); + sendSASLDataToNetwork(data, len, socket()); + + printf("[DEBUG] Waiting for client mechanism...\n\r"); + len = getSASLDataFromNetwork(buf, NET_SEC_BUF_SIZE); + if (strlen(buf) < len) { + printf("[DEBUG] Initial response received (%d < %d) [%s]\n\r", strlen(buf), len, buf); + // An initial response is present + data = buf + strlen(buf) + 1; + len = len - (unsigned) strlen(buf) - 1; + } + else { + data = NULL; + len = 0; + } + result = sasl_server_start(saslData->m_krbConnection, buf, data, len, &data, &len); + if (result != SASL_OK && result != SASL_CONTINUE) { + printf("[ERROR] Starting SASL negotiation returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result); + freeKerberosConnection(); + return -1; + } + + while (result == SASL_CONTINUE) { + if (data) { + printf("[DEBUG] Sending response...\n\r"); + sendSASLDataToNetwork(data, len, socket()); + } + else { + printf("[ERROR] No data to send!\n\r"); + freeKerberosConnection(); + return -1; + } + printf("[DEBUG] Waiting for client reply...\n\r"); + len = getSASLDataFromNetwork(buf, NET_SEC_BUF_SIZE); + data = NULL; + result = sasl_server_step(saslData->m_krbConnection, buf, len, &data, &len); + if (result != SASL_OK && result != SASL_CONTINUE) { + printf("[ERROR] Performing SASL negotiation returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result); + freeKerberosConnection(); + return -1; + } + } + printf("[DEBUG] Negotiation complete\n\r"); + + if(serverlast && data) { + printf("[DEBUG] Additional information needed to be sent\n\r"); + sendSASLDataToNetwork(data, len, socket()); + } + + result = sasl_getprop(saslData->m_krbConnection, SASL_USERNAME, (const void **)&data); + if (result != SASL_OK) { + printf("[WARNING] Unable to determine authenticated username!\n\r"); + } + else { + printf("[DEBUG] Authenticated username: %s\n\r", data ? data : "(NULL)"); + } + + result = sasl_getprop(saslData->m_krbConnection, SASL_DEFUSERREALM, (const void **)&data); + if (result != SASL_OK) { + printf("[WARNING] Unable to determine authenticated realm!\n\r"); + } + else { + printf("[DEBUG] Authenticated realm: %s\n\r", data ? data : "(NULL)"); + } + + result = sasl_getprop(saslData->m_krbConnection, SASL_SSF, (const void **)&ssf); + if (result != SASL_OK) { + printf("[WARNING] Unable to determine SSF!\n\r"); + } + else { + printf("[DEBUG] Authenticated SSF: %d\n", *ssf); + } + + return 0; +}
\ No newline at end of file diff --git a/lib/libtdekrb/src/tdekrbserversocket.h b/lib/libtdekrb/src/tdekrbserversocket.h new file mode 100644 index 0000000..16d6483 --- /dev/null +++ b/lib/libtdekrb/src/tdekrbserversocket.h @@ -0,0 +1,68 @@ +/*************************************************************************** + * Copyright (C) 2012 by Timothy Pearson * + * kb9vqf@pearsoncomputing.net * + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + * This program is distributed in the hope that it will be useful, * + * but WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * + * GNU General Public License for more details. * + * * + * You should have received a copy of the GNU General Public License * + * along with this program; if not, write to the * + * Free Software Foundation, Inc., * + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + ***************************************************************************/ + +#ifndef TDEKRBSERVERSOCKET_H +#define TDEKRBSERVERSOCKET_H + +#include <tqsocket.h> + +#define N_CALLBACKS 3 + +class SASLDataPrivate; + +class TDEKerberosServerSocket : public TQSocket +{ + Q_OBJECT + + public: + TDEKerberosServerSocket(TQObject *parent=0, const char *name=0); + virtual ~TDEKerberosServerSocket(); + + bool open(int mode); + void close(); + Q_LONG readBlock(char *data, Q_ULONG maxlen); + Q_LONG writeBlock(const char *data, Q_ULONG len); + Q_LONG readLine(char *data, Q_ULONG maxlen); + TQString readLine(); + void writeLine(TQString); + + int setUsingKerberos(bool krbactive); + void setServiceName(TQString name); + void setServerFQDN(TQString name); + + private: + int initializeKerberosInterface(); + void freeKerberosConnection(); + void sendSASLDataToNetwork(const char *buffer, unsigned length, int netfd); + unsigned int getSASLDataFromNetwork(char *buf, int trunclen); + int transmitEncryptedData(int fd, const char* readbuf, int cc); + int receiveEncryptedData(char *buf, int trunclen); + + private: + bool m_kerberosRequested; + TQString m_serviceName; + TQString m_serverFQDN; + + private: + SASLDataPrivate *saslData; + unsigned int m_negotiatedMaxBufferSize; +}; + +#endif // TDEKRBSERVERSOCKET_H
\ No newline at end of file diff --git a/servers/auth_server_lin/src/Makefile.am b/servers/auth_server_lin/src/Makefile.am index 169c4c7..e7250a4 100644 --- a/servers/auth_server_lin/src/Makefile.am +++ b/servers/auth_server_lin/src/Makefile.am @@ -5,6 +5,6 @@ bin_PROGRAMS = remotefpga_authserver remotefpga_authserver_SOURCES = main.cpp auth_conn.cpp remotefpga_authserver_METASOURCES = AUTO -remotefpga_authserver_LDFLAGS = $(all_libraries) $(KDE_RPATH) $(LIB_QT) -lDCOP $(LIB_TDECORE) $(LIB_TDEUI) -ltdefx $(LIB_KIO) -lktexteditor -lsasl2 +remotefpga_authserver_LDFLAGS = $(all_libraries) $(KDE_RPATH) $(LIB_QT) -lDCOP $(LIB_TDECORE) $(LIB_TDEUI) -ltdefx $(LIB_KIO) -lktexteditor -ltdekrbsocket KDE_OPTIONS = nofinal diff --git a/servers/auth_server_lin/src/auth_conn.cpp b/servers/auth_server_lin/src/auth_conn.cpp index acf8e83..41a09f9 100644 --- a/servers/auth_server_lin/src/auth_conn.cpp +++ b/servers/auth_server_lin/src/auth_conn.cpp @@ -30,15 +30,9 @@ instance of this class. */ AuthSocket::AuthSocket(int sock, TQObject *parent, const char *name) : - TQSocket( parent, name ) { + TDEKerberosServerSocket( parent, name ) { - iplocal = NULL; - ipremote = NULL; - searchpath = NULL; - service = "remotefpga"; - localdomain = NULL; - userdomain = NULL; - conn = NULL; + setServiceName("remotefpga"); line = 0; connect(this, SIGNAL(connectionClosed()), SLOT(deleteLater())); @@ -60,270 +54,22 @@ void AuthSocket::connectionClosedHandler() { } int AuthSocket::initiateKerberosHandshake() { - return authenticate_connection_with_kerberos(socket()); -} - -#define NET_SEC_BUF_SIZE (2048) + bool user_authorized = false; -static int sasl_my_log(void *context __attribute__((unused)), int priority, const char *message) { - const char *label; - - if (!message) { - return SASL_BADPARAM; - } - - switch (priority) { - case SASL_LOG_ERR: - label = "Error"; - break; - case SASL_LOG_NOTE: - label = "Info"; - break; - default: - label = "Other"; - break; - } + if (setUsingKerberos(true) == 0) { + // RAJA FIXME + if (user_authorized == 1) { + // Send list of available servers... + writeBlock("OK�", strlen("OK�")); + } - printf("[SASL %s] %s\n\r", label, message); + writeBlock("TESTING", strlen("TESTING")); - return SASL_OK; -} - -sasl_callback_t callbacks[] = { - {SASL_CB_LOG, (sasl_callback_ft)&sasl_my_log, NULL}, - {SASL_CB_LIST_END, NULL, NULL} -}; - -void AuthSocket::free_conn(void) { - if (conn) { - sasl_dispose(&conn); - } -} - -void AuthSocket::send_sasl_data_to_network(const char *buffer, unsigned length, int netfd) -{ - char *buf; - unsigned len, alloclen; - int result; - - alloclen = ((length / 3) + 1) * 4 + 1; - buf = (char*)malloc(alloclen); - if (!buf) { - printf("[ERROR] Unable to malloc()!\n\r"); - return; - } - - result = sasl_encode64(buffer, length, buf, alloclen, &len); - if (result != SASL_OK) { - printf("[ERROR] Encoding data in base64 returned %s (%d)\n\r", sasl_errdetail(conn), result); - return; - } - - len = strlen(buf); - buf[len] = '\n'; - buf[len+1] = 0; - write(netfd, buf, len+1); - - free(buf); -} - -unsigned int AuthSocket::get_sasl_data_from_network(char *buf) { - unsigned int len; - int result; - - len = 0; - while (1) { - tqApp->processEvents(); - if (state() != TQSocket::Connected) { - return -1; - } - if (readBlock(buf+len, 1) > 0) { - if (buf[len] == '\n') { - buf[len] = 0; - break; - } - if (buf[len] != '\r') { - len++; - } - } - if (len >= NET_SEC_BUF_SIZE) { - break; - } - } - - len = strlen(buf); - result = sasl_decode64(buf, (unsigned) strlen(buf), buf, NET_SEC_BUF_SIZE, &len); - if (result != SASL_OK) { - printf("[ERROR] Decoding data from base64 returned %s (%d)\n\r", sasl_errdetail(conn), result); - return -1; - } - buf[len] = '\0'; - - return len; -} - -int AuthSocket::write_data_to_client(int fd, const char* readbuf, int cc) { - int result = 0; - unsigned int len; - const char *data; - - result=sasl_encode(conn, readbuf, cc, &data, &len); - if (result != SASL_OK) { - printf("[ERROR] Encrypting data returned %s (%d)\n\r", sasl_errdetail(conn), result); - return -1; - } - send_sasl_data_to_network(data, len, fd); - - return 0; -} - -int AuthSocket::receive_data_from_client(char *buf, int netfd) { - unsigned int recv_len; - const char *recv_data; - int result; - int len; - - len = get_sasl_data_from_network(buf); - if (len >= 0) { - result=sasl_decode(conn, buf, len, &recv_data, &recv_len); - if (result != SASL_OK) { - printf("[ERROR] Decrypting data returned %s (%d)\n\r", sasl_errdetail(conn), result); - return -1; - } - strncpy(buf, recv_data, NET_SEC_BUF_SIZE); - } - - return 0; - } - -int AuthSocket::authenticate_connection_with_kerberos(int netfd) { - char buf[NET_SEC_BUF_SIZE]; - int result = 0; - int serverlast = 0; - sasl_security_properties_t secprops; - const char *ext_authid = NULL; - unsigned int len; - int count; - const char *data; - char user_authorized = 0; - sasl_ssf_t *ssf; - - // FIXME - // Initialize default data structures - memset(&secprops, 0L, sizeof(secprops)); - secprops.maxbufsize = NET_SEC_BUF_SIZE; - secprops.max_ssf = UINT_MAX; - - result = sasl_server_init(callbacks, "remotefpga"); - if (result != SASL_OK) { - printf("[ERROR] Initializing libsasl returned %s (%d)\n\r", sasl_errdetail(conn), result); - return -1; - } - - result = sasl_server_new(service, localdomain, userdomain, iplocal, ipremote, NULL, serverlast, &conn); - if (result != SASL_OK) { - printf("[ERROR] Allocating sasl connection state returned %s (%d)\n\r", sasl_errdetail(conn), result); - return -1; - } - - result = sasl_setprop(conn, SASL_SEC_PROPS, &secprops); - - if (result != SASL_OK) { - printf("[ERROR] Setting security properties returned %s (%d)\n\r", sasl_errdetail(conn), result); - free_conn(); - return -1; - } - - puts("[DEBUG] Generating client mechanism list..."); - result = sasl_listmech(conn, ext_authid, NULL, " ", NULL, &data, &len, &count); - if (result != SASL_OK) { - printf("[ERROR] Generating client mechanism list returned %s (%d)\n\r", sasl_errdetail(conn), result); - free_conn(); - return -1; - } - - printf("[DEBUG] Sending list of %d mechanism(s)\n\r", count); - send_sasl_data_to_network(data, len, netfd); - - printf("[DEBUG] Waiting for client mechanism...\n\r"); - len = get_sasl_data_from_network(buf); - if (strlen(buf) < len) { - printf("[DEBUG] Initial response received (%d < %d) [%s]\n\r", strlen(buf), len, buf); - // An initial response is present - data = buf + strlen(buf) + 1; - len = len - (unsigned) strlen(buf) - 1; + return 0; } else { - data = NULL; - len = 0; - } - result = sasl_server_start(conn, buf, data, len, &data, &len); - if (result != SASL_OK && result != SASL_CONTINUE) { - printf("[ERROR] Starting SASL negotiation returned %s (%d)\n\r", sasl_errdetail(conn), result); - free_conn(); return -1; } - - while (result == SASL_CONTINUE) { - if (data) { - printf("[DEBUG] Sending response...\n\r"); - send_sasl_data_to_network(data, len, netfd); - } - else { - printf("[ERROR] No data to send!\n\r"); - free_conn(); - return -1; - } - printf("[DEBUG] Waiting for client reply...\n\r"); - len = get_sasl_data_from_network(buf); - data = NULL; - result = sasl_server_step(conn, buf, len, &data, &len); - if (result != SASL_OK && result != SASL_CONTINUE) { - printf("[ERROR] Performing SASL negotiation returned %s (%d)\n\r", sasl_errdetail(conn), result); - free_conn(); - return -1; - } - } - printf("[DEBUG] Negotiation complete\n\r"); - - if(serverlast && data) { - printf("[DEBUG] Additional information needed to be sent\n\r"); - send_sasl_data_to_network(data, len, netfd); - } - - result = sasl_getprop(conn, SASL_USERNAME, (const void **)&data); - if (result != SASL_OK) { - printf("[WARNING] Unable to determine authenticated username!\n\r"); - } - else { - printf("[DEBUG] Authenticated username: %s\n\r", data ? data : "(NULL)"); - } - - result = sasl_getprop(conn, SASL_DEFUSERREALM, (const void **)&data); - if (result != SASL_OK) { - printf("[WARNING] Unable to determine authenticated realm!\n\r"); - } - else { - printf("[DEBUG] Authenticated realm: %s\n\r", data ? data : "(NULL)"); - } - - result = sasl_getprop(conn, SASL_SSF, (const void **)&ssf); - if (result != SASL_OK) { - printf("[WARNING] Unable to determine SSF!\n\r"); - } - else { - printf("[DEBUG] Authenticated SSF: %d\n", *ssf); - } - - // RAJA FIXME - if (user_authorized == 1) { - // Send list of available servers... - write_data_to_client(netfd, "OK�", strlen("OK�")); - } - - write_data_to_client(netfd, "TESTING", strlen("TESTING")); - - return 0; } /* diff --git a/servers/auth_server_lin/src/auth_conn.h b/servers/auth_server_lin/src/auth_conn.h index 9b4e28e..7c9d000 100644 --- a/servers/auth_server_lin/src/auth_conn.h +++ b/servers/auth_server_lin/src/auth_conn.h @@ -29,11 +29,9 @@ #include <tqpushbutton.h> #include <tqtextstream.h> -#include <sasl.h> -#include <saslplug.h> -#include <saslutil.h> +#include <tdekrbserversocket.h> -class AuthSocket : public TQSocket +class AuthSocket : public TDEKerberosServerSocket { Q_OBJECT @@ -45,27 +43,8 @@ class AuthSocket : public TQSocket void close(); int initiateKerberosHandshake(); - private: - void free_conn(void); - void send_sasl_data_to_network(const char *buffer, unsigned length, int netfd); - unsigned int get_sasl_data_from_network(char *buf); - int write_data_to_client(int fd, const char* readbuf, int cc); - int receive_data_from_client(char *buf, int netfd); - int authenticate_connection_with_kerberos(int netfd); - - sasl_callback_t callbacks[]; - private slots: void connectionClosedHandler(); - - private: - char *iplocal; - char *ipremote; - char *searchpath; - const char *service; - char *localdomain; - char *userdomain; - sasl_conn_t *conn; private: int line; |