summaryrefslogtreecommitdiffstats
path: root/clients/tde/src/lib/tdekrbsocket.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'clients/tde/src/lib/tdekrbsocket.cpp')
-rw-r--r--clients/tde/src/lib/tdekrbsocket.cpp404
1 files changed, 404 insertions, 0 deletions
diff --git a/clients/tde/src/lib/tdekrbsocket.cpp b/clients/tde/src/lib/tdekrbsocket.cpp
new file mode 100644
index 0000000..30f28d2
--- /dev/null
+++ b/clients/tde/src/lib/tdekrbsocket.cpp
@@ -0,0 +1,404 @@
+/***************************************************************************
+ * Copyright (C) 2012 by Timothy Pearson *
+ * kb9vqf@pearsoncomputing.net *
+ * *
+ * This program is free software; you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation; either version 2 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * This program is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with this program; if not, write to the *
+ * Free Software Foundation, Inc., *
+ * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
+ ***************************************************************************/
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <tqapplication.h>
+
+#include <sasl.h>
+#include <saslplug.h>
+#include <saslutil.h>
+
+#include "tdekrbsocket.h"
+
+#define NET_SEC_BUF_SIZE (2048)
+
+class SASLDataPrivate
+{
+ public:
+ sasl_callback_t m_callbacks[N_CALLBACKS];
+ sasl_conn_t *m_krbConnection;
+};
+
+static int logSASLMessages(void *context __attribute__((unused)), int priority, const char *message) {
+ const char *label;
+
+ if (!message) {
+ return SASL_BADPARAM;
+ }
+
+ switch (priority) {
+ case SASL_LOG_ERR:
+ label = "Error";
+ break;
+ case SASL_LOG_NOTE:
+ label = "Info";
+ break;
+ default:
+ label = "Other";
+ break;
+ }
+
+ printf("[SASL %s] %s\n\r", label, message);
+
+ return SASL_OK;
+}
+
+TDEKerberosClientSocket::TDEKerberosClientSocket(TQObject *parent, const char *name) : TQSocket(parent, name), m_kerberosRequested(false) {
+ saslData = new SASLDataPrivate;
+ saslData->m_krbConnection = NULL;
+}
+
+TDEKerberosClientSocket::~TDEKerberosClientSocket() {
+ delete saslData;
+}
+
+bool TDEKerberosClientSocket::open(int mode) {
+ bool ret = TQSocket::open(mode);
+ if (m_kerberosRequested) {
+ initializeKerberosInterface();
+ }
+ return ret;
+}
+
+void TDEKerberosClientSocket::close() {
+ TQSocket::close();
+}
+
+int TDEKerberosClientSocket::setUsingKerberos(bool krbactive) {
+ int ret = 0;
+
+ if (m_serviceName == "") {
+ printf("[ERROR] No service name set!\n\r"); fflush(stdout);
+ return -1;
+ }
+
+ if (krbactive) {
+ m_kerberosRequested = true;
+ if ((!saslData->m_krbConnection) && (state() == TQSocket::Connected)) {
+ ret = initializeKerberosInterface();
+ }
+ }
+ else {
+ m_kerberosRequested = false;
+ if (saslData->m_krbConnection) {
+ freeKerberosConnection();
+ }
+ }
+
+ return ret;
+}
+
+void TDEKerberosClientSocket::setServiceName(TQString name) {
+ m_serviceName = name;
+}
+
+void TDEKerberosClientSocket::setServerFQDN(TQString name) {
+ m_serverFQDN = name;
+}
+
+Q_LONG TDEKerberosClientSocket::readBlock(char *data, Q_ULONG maxlen) {
+ Q_LONG ret = TQSocket::readBlock(data, maxlen);
+ return ret;
+}
+
+Q_LONG TDEKerberosClientSocket::writeBlock(const char *data, Q_ULONG len) {
+ Q_LONG ret = TQSocket::writeBlock(data, len);
+ return ret;
+}
+
+Q_LONG TDEKerberosClientSocket::readLine(char *data, Q_ULONG maxlen) {
+ Q_LONG ret;
+
+ if (m_kerberosRequested) {
+ ret = getSASLDataFromNetwork(data, maxlen);
+ }
+ else {
+ ret = TQSocket::readLine(data, maxlen);
+ }
+
+ return ret;
+}
+
+TQString TDEKerberosClientSocket::readLine() {
+ TQString ret;
+ char buf[NET_SEC_BUF_SIZE];
+
+ if (m_kerberosRequested) {
+ receiveEncryptedData(buf, NET_SEC_BUF_SIZE);
+ ret = TQString(buf);
+ }
+ else {
+ ret = TQSocket::readLine();
+ }
+
+ return ret;
+}
+
+void TDEKerberosClientSocket::writeLine(TQString str) {
+ if (m_kerberosRequested) {
+ transmitEncryptedData(socket(), str.ascii(), str.length());
+ }
+ else {
+ TQSocket::writeBlock(str.ascii(), str.length());
+ }
+}
+
+void TDEKerberosClientSocket::freeKerberosConnection(void) {
+ if (saslData->m_krbConnection) {
+ sasl_dispose(&saslData->m_krbConnection);
+ }
+ saslData->m_krbConnection = 0;
+}
+
+void TDEKerberosClientSocket::sendSASLDataToNetwork(const char *buffer, unsigned length, int netfd) {
+ char *buf;
+ unsigned len, alloclen;
+ int result;
+ char txbuf[NET_SEC_BUF_SIZE];
+
+ alloclen = ((length / 3) + 1) * 4 + 1;
+ buf = (char*)malloc(alloclen);
+ if (!buf) {
+ printf("[ERROR] Unable to malloc()!\n\r");
+ return;
+ }
+
+ result = sasl_encode64(buffer, length, buf, alloclen, &len);
+ if (result != SASL_OK) {
+ printf("[ERROR] Encoding data in base64 returned %s (%d)\n\r", sasl_errstring(result, NULL, NULL), result);
+ return;
+ }
+
+ sprintf(txbuf, "%s\n", buf);
+ write(netfd, txbuf, strlen(txbuf));
+
+ free(buf);
+}
+
+unsigned int TDEKerberosClientSocket::getSASLDataFromNetwork(char *buf, int trunclen) {
+ unsigned int len;
+ int result;
+
+ len = 0;
+ while (1) {
+ tqApp->processEvents();
+ if (state() != TQSocket::Connected) {
+ return -1;
+ }
+ if (TQSocket::readBlock(buf+len, 1) > 0) {
+ if (buf[len] == '\n') {
+ buf[len] = 0;
+ break;
+ }
+ if (buf[len] != '\r') {
+ len++;
+ }
+ }
+ if (len >= trunclen) {
+ break;
+ }
+ }
+
+ len = strlen(buf);
+ result = sasl_decode64(buf, (unsigned) strlen(buf), buf, trunclen, &len);
+ if (result != SASL_OK) {
+ printf("[ERROR] Decoding data from base64 returned %s (%d)\n\r", sasl_errstring(result, NULL, NULL), result);
+ return -1;
+ }
+ buf[len] = '\0';
+
+ return len;
+}
+
+int TDEKerberosClientSocket::transmitEncryptedData(int fd, const char* readbuf, int cc) {
+ int result = 0;
+ unsigned int len;
+ const char *data;
+
+ result=sasl_encode(saslData->m_krbConnection, readbuf, cc, &data, &len);
+ if (result != SASL_OK) {
+ printf("[ERROR] Encrypting data returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result);
+ return -1;
+ }
+ sendSASLDataToNetwork(data, len, fd);
+
+ return 0;
+}
+
+int TDEKerberosClientSocket::receiveEncryptedData(char *buf, int trunclen) {
+ unsigned int recv_len;
+ const char *recv_data;
+ int result;
+ int len;
+
+ len = getSASLDataFromNetwork(buf, trunclen);
+ if (len >= 0) {
+ result=sasl_decode(saslData->m_krbConnection, buf, len, &recv_data, &recv_len);
+ if (result != SASL_OK) {
+ printf("[ERROR] Decrypting data returned %s (%d)\n\r", sasl_errdetail(saslData->m_krbConnection), result);
+ return -1;
+ }
+ strncpy(buf, recv_data, trunclen);
+ }
+
+ return 0;
+}
+
+int TDEKerberosClientSocket::initializeKerberosInterface() {
+ if (state() != TQSocket::Connected) {
+ saslData->m_krbConnection = false;
+ return -1;
+ }
+
+ sasl_callback_t *callback;
+ char buf[NET_SEC_BUF_SIZE];
+ int result = 0;
+ int serverlast = 0;
+ sasl_security_properties_t secprops;
+ const char *chosenmech;
+ unsigned int len;
+ const char *data;
+ char user_authorized = 0;
+ sasl_ssf_t *ssf;
+ char *iplocal = NULL;
+ char *ipremote = NULL;
+ const char *service = m_serviceName.ascii();
+ const char *fqdn = m_serverFQDN.ascii();
+
+ callback = saslData->m_callbacks;
+
+ // log
+ callback->id = SASL_CB_LOG;
+ callback->proc = (sasl_callback_ft)&logSASLMessages;
+ callback->context = NULL;
+ ++callback;
+
+ // end of callback list
+ callback->id = SASL_CB_LIST_END;
+ callback->proc = NULL;
+ callback->context = NULL;
+ ++callback;
+
+ // Initialize default data structures
+ memset(&secprops, 0L, sizeof(secprops));
+ secprops.maxbufsize = NET_SEC_BUF_SIZE;
+ secprops.max_ssf = UINT_MAX;
+
+ result = sasl_client_init(saslData->m_callbacks);
+ if (result != SASL_OK) {
+ printf("[ERROR] Initializing libsasl returned %s (%d)\n\r", sasl_errstring(result, NULL, NULL), result);
+ return -1;
+ }
+
+ result = sasl_client_new(service, fqdn, iplocal, ipremote, NULL, serverlast, &saslData->m_krbConnection);
+ if (result != SASL_OK) {
+ printf("[ERROR] Allocating sasl connection state returned %s (%d)\n\r", sasl_errstring(result, NULL, NULL), result);
+ return -1;
+ }
+
+ result = sasl_setprop(saslData->m_krbConnection, SASL_SEC_PROPS, &secprops);
+ if (result != SASL_OK) {
+ printf("[ERROR] Setting security properties returned %s (%d)\n\r", sasl_errstring(result, NULL, NULL), result);
+ freeKerberosConnection();
+ return -1;
+ }
+
+ printf("[DEBUG] Waiting for mechanism list from server...\n\r");
+ len = getSASLDataFromNetwork(buf, NET_SEC_BUF_SIZE);
+
+ printf("Choosing best mechanism from: %s\n", buf);
+
+ result = sasl_client_start(saslData->m_krbConnection, buf, NULL, &data, &len, &chosenmech);
+ if (result != SASL_OK && result != SASL_CONTINUE) {
+ printf("[ERROR] Starting SASL negotiation returned %s (%d)\n\r", sasl_errstring(result, NULL, NULL), result);
+ freeKerberosConnection();
+ return -1;
+ }
+
+ printf("[DEBUG] Using mechanism %s\n\r", chosenmech);
+ strcpy(buf, chosenmech);
+ if (data) {
+ if (NET_SEC_BUF_SIZE - strlen(buf) - 1 < len) {
+ printf("[ERROR] Insufficient buffer space to construct initial response!\n\r");
+ freeKerberosConnection();
+ return -1;
+ }
+ printf("[DEBUG] Preparing initial response...\n\r");
+ memcpy(buf + strlen(buf) + 1, data, len);
+ len += (unsigned) strlen(buf) + 1;
+ data = NULL;
+ }
+ else {
+ len = (unsigned) strlen(buf);
+ }
+
+ printf("[DEBUG] Sending initial response...\n\r");
+ sendSASLDataToNetwork(buf, len, socket());
+
+ while (result == SASL_CONTINUE) {
+ printf("[DEBUG] Waiting for server reply...\n\r");
+ len = getSASLDataFromNetwork(buf, NET_SEC_BUF_SIZE);
+ if (state() != TQSocket::Connected) {
+ return -1;
+ }
+ result = sasl_client_step(saslData->m_krbConnection, buf, len, NULL, &data, &len);
+ if (result != SASL_OK && result != SASL_CONTINUE) {
+ printf("[ERROR] Performing SASL negotiation returned %s (%d)\n\r", sasl_errstring(result, NULL, NULL), result);
+ freeKerberosConnection();
+ return -1;
+ }
+ if (data && len) {
+ printf("[DEBUG] Sending response...\n\r");
+ sendSASLDataToNetwork(data, len, socket());
+ }
+ else if (result != SASL_OK || !serverlast) {
+ sendSASLDataToNetwork("", 0, socket());
+ }
+ }
+ printf("[DEBUG] Negotiation complete!\n\r");
+
+ result = sasl_getprop(saslData->m_krbConnection, SASL_USERNAME, (const void **)&data);
+ if (result != SASL_OK) {
+ printf("[WARNING] Unable to determine authenticated username!\n\r");
+ }
+ else {
+ printf("[DEBUG] Authenticated username: %s\n\r", data ? data : "(NULL)");
+ }
+
+ result = sasl_getprop(saslData->m_krbConnection, SASL_DEFUSERREALM, (const void **)&data);
+ if (result != SASL_OK) {
+ printf("[WARNING] Unable to determine authenticated realm!\n\r");
+ }
+ else {
+ printf("[DEBUG] Authenticated realm: %s\n\r", data ? data : "(NULL)");
+ }
+
+ result = sasl_getprop(saslData->m_krbConnection, SASL_SSF, (const void **)&ssf);
+ if (result != SASL_OK) {
+ printf("[WARNING] Unable to determine SSF!\n\r");
+ }
+ else {
+ printf("[DEBUG] Authenticated SSF: %d\n", *ssf);
+ }
+
+ return 0;
+} \ No newline at end of file
generated by cgit v1.2.1 (git 2.18.0) at 2024-12-29 19:38:12 +0000