search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / heimdal / appl / telnet / libtelnet / kerberos5.c
blob3717a200cc28d79bca7ec67d2a9c3b3d8241dff9
1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
36 *
37 * Export of this software from the United States of America may
38 * require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
41 *
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
52 */
53
54 #include <config.h>
55
56 __RCSID("$Heimdal: kerberos5.c 22071 2007-11-14 20:04:50Z lha $"
57 "$NetBSD$");
58
59 #ifdef KRB5
60
61 #include <arpa/telnet.h>
62 #include <stdio.h>
63 #include <stdlib.h>
64 #include <string.h>
65 #include <unistd.h>
66 #include <netdb.h>
67 #include <ctype.h>
68 #include <pwd.h>
69 #define Authenticator k5_Authenticator
70 #include <krb5.h>
71 #undef Authenticator
72 #include <roken.h>
73 #ifdef SOCKS
74 #include <socks.h>
75 #endif
76
77
78 #include "encrypt.h"
79 #include "auth.h"
80 #include "misc.h"
81
82 #if defined(DCE)
83 int dfsk5ok = 0;
84 int dfspag = 0;
85 int dfsfwd = 0;
86 #endif
87
88 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
89
90 int forward(int);
91 int forwardable(int);
92
93 /* These values need to be the same as those defined in telnet/main.c. */
94 /* Either define them in both places, or put in some common header file. */
95 #define OPTS_FORWARD_CREDS 0x00000002
96 #define OPTS_FORWARDABLE_CREDS 0x00000001
97
98
99 void kerberos5_forward (Authenticator *);
100
101 static unsigned char str_data[4] = { IAC, SB, TELOPT_AUTHENTICATION, 0 };
102
103 #define KRB_AUTH 0 /* Authentication data follows */
104 #define KRB_REJECT 1 /* Rejected (reason might follow) */
105 #define KRB_ACCEPT 2 /* Accepted */
106 #define KRB_RESPONSE 3 /* Response for mutual auth. */
107
108 #define KRB_FORWARD 4 /* Forwarded credentials follow */
109 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
110 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
111
112 static krb5_data auth;
113 static krb5_ticket *ticket;
114
115 static krb5_context context;
116 static krb5_auth_context auth_context;
117
118 static int
119 Data(Authenticator *ap, int type, const void *d, int c)
120 {
121 const unsigned char *cp, *cd = d;
122 unsigned char *p0, *p;
123 size_t len = sizeof(str_data) + 3 + 2;
124 int ret;
125
126 if (c == -1)
127 c = strlen((const char*)cd);
128
129 for (cp = cd; cp - cd < c; cp++, len++)
130 if (*cp == IAC)
131 len++;
132
133 p0 = malloc(len);
134 if (p0 == NULL)
135 return 0;
136
137 memcpy(p0, str_data, sizeof(str_data));
138 p = p0 + sizeof(str_data);
139
140 if (auth_debug_mode) {
141 printf("%s:%d: [%d] (%d)",
142 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
143 str_data[3],
144 type, c);
145 printd(d, c);
146 printf("\r\n");
147 }
148 *p++ = ap->type;
149 *p++ = ap->way;
150 *p++ = type;
151 while (c-- > 0) {
152 if ((*p++ = *cd++) == IAC)
153 *p++ = IAC;
154 }
155 *p++ = IAC;
156 *p++ = SE;
157 if (str_data[3] == TELQUAL_IS)
158 printsub('>', &p0[2], len - 2);
159 ret = telnet_net_write(p0, len);
160 free(p0);
161 return ret;
162 }
163
164 int
165 kerberos5_init(Authenticator *ap, int server)
166 {
167 krb5_error_code ret;
168
169 ret = krb5_init_context(&context);
170 if (ret)
171 return 0;
172 if (server) {
173 krb5_keytab kt;
174 krb5_kt_cursor cursor;
175
176 ret = krb5_kt_default(context, &kt);
177 if (ret)
178 return 0;
179
180 ret = krb5_kt_start_seq_get (context, kt, &cursor);
181 if (ret) {
182 krb5_kt_close (context, kt);
183 return 0;
184 }
185 krb5_kt_end_seq_get (context, kt, &cursor);
186 krb5_kt_close (context, kt);
187
188 str_data[3] = TELQUAL_REPLY;
189 } else
190 str_data[3] = TELQUAL_IS;
191 return(1);
192 }
193
194 extern int net;
195 static int
196 kerberos5_send(char *name, Authenticator *ap)
197 {
198 krb5_error_code ret;
199 krb5_ccache ccache;
200 int ap_opts;
201 krb5_data cksum_data;
202 char ap_msg[2];
203
204 if (!UserNameRequested) {
205 if (auth_debug_mode) {
206 printf("Kerberos V5: no user name supplied\r\n");
207 }
208 return(0);
209 }
210
211 ret = krb5_cc_default(context, &ccache);
212 if (ret) {
213 if (auth_debug_mode) {
214 printf("Kerberos V5: could not get default ccache: %s\r\n",
215 krb5_get_err_text (context, ret));
216 }
217 return 0;
218 }
219
220 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
221 ap_opts = AP_OPTS_MUTUAL_REQUIRED;
222 else
223 ap_opts = 0;
224
225 ap_opts |= AP_OPTS_USE_SUBKEY;
226
227 ret = krb5_auth_con_init (context, &auth_context);
228 if (ret) {
229 if (auth_debug_mode) {
230 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
231 krb5_get_err_text(context, ret));
232 }
233 return(0);
234 }
235
236 ret = krb5_auth_con_setaddrs_from_fd (context,
237 auth_context,
238 &net);
239 if (ret) {
240 if (auth_debug_mode) {
241 printf ("Kerberos V5:"
242 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
243 krb5_get_err_text(context, ret));
244 }
245 return(0);
246 }
247
248 krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
249
250 ap_msg[0] = ap->type;
251 ap_msg[1] = ap->way;
252
253 cksum_data.length = sizeof(ap_msg);
254 cksum_data.data = ap_msg;
255
256
257 {
258 krb5_principal service;
259 char sname[128];
260
261
262 ret = krb5_sname_to_principal (context,
263 RemoteHostName,
264 NULL,
265 KRB5_NT_SRV_HST,
266 &service);
267 if(ret) {
268 if (auth_debug_mode) {
269 printf ("Kerberos V5:"
270 " krb5_sname_to_principal(%s) failed (%s)\r\n",
271 RemoteHostName, krb5_get_err_text(context, ret));
272 }
273 return 0;
274 }
275 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
276 if(ret) {
277 if (auth_debug_mode) {
278 printf ("Kerberos V5:"
279 " krb5_unparse_name_fixed failed (%s)\r\n",
280 krb5_get_err_text(context, ret));
281 }
282 return 0;
283 }
284 printf("[ Trying %s (%s)... ]\r\n", name, sname);
285 ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
286 service,
287 &cksum_data, ccache, &auth);
288 krb5_free_principal (context, service);
289
290 }
291 if (ret) {
292 if (1 || auth_debug_mode) {
293 printf("Kerberos V5: mk_req failed (%s)\r\n",
294 krb5_get_err_text(context, ret));
295 }
296 return(0);
297 }
298
299 if (!auth_sendname((unsigned char *)UserNameRequested,
300 strlen(UserNameRequested))) {
301 if (auth_debug_mode)
302 printf("Not enough room for user name\r\n");
303 return(0);
304 }
305 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
306 if (auth_debug_mode)
307 printf("Not enough room for authentication data\r\n");
308 return(0);
309 }
310 if (auth_debug_mode) {
311 printf("Sent Kerberos V5 credentials to server\r\n");
312 }
313 return(1);
314 }
315
316 int
317 kerberos5_send_mutual(Authenticator *ap)
318 {
319 return kerberos5_send("mutual KERBEROS5", ap);
320 }
321
322 int
323 kerberos5_send_oneway(Authenticator *ap)
324 {
325 return kerberos5_send("KERBEROS5", ap);
326 }
327
328 static void log_message(const char *fmt, ...)
329 {
330 va_list ap;
331 va_start(ap, fmt);
332 if (auth_debug_mode) {
333 va_start(ap, fmt);
334 vfprintf(stdout, fmt, ap);
335 va_end(ap);
336 fprintf(stdout, "\r\n");
337 }
338 va_start(ap, fmt);
339 vsyslog(LOG_NOTICE, fmt, ap);
340 va_end(ap);
341 }
342
343 void
344 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
345 {
346 krb5_error_code ret;
347 krb5_data outbuf;
348 krb5_keyblock *key_block;
349 char *name;
350 krb5_principal server;
351 int zero = 0;
352
353 if (cnt-- < 1)
354 return;
355 switch (*data++) {
356 case KRB_AUTH:
357 auth.data = (char *)data;
358 auth.length = cnt;
359
360 auth_context = NULL;
361
362 ret = krb5_auth_con_init (context, &auth_context);
363 if (ret) {
364 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
365 auth_finished(ap, AUTH_REJECT);
366 log_message("Kerberos V5: krb5_auth_con_init failed (%s)",
367 krb5_get_err_text(context, ret));
368 return;
369 }
370
371 ret = krb5_auth_con_setaddrs_from_fd (context,
372 auth_context,
373 &zero);
374 if (ret) {
375 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
376 auth_finished(ap, AUTH_REJECT);
377 log_message("Kerberos V5: "
378 "krb5_auth_con_setaddrs_from_fd failed (%s)",
379 krb5_get_err_text(context, ret));
380 return;
381 }
382
383 ret = krb5_sock_to_principal (context,
384 0,
385 "host",
386 KRB5_NT_SRV_HST,
387 &server);
388 if (ret) {
389 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
390 auth_finished(ap, AUTH_REJECT);
391 log_message("Kerberos V5: "
392 "krb5_sock_to_principal failed (%s)",
393 krb5_get_err_text(context, ret));
394 return;
395 }
396
397 ret = krb5_rd_req(context,
398 &auth_context,
399 &auth,
400 server,
401 NULL,
402 NULL,
403 &ticket);
404
405 krb5_free_principal (context, server);
406 if (ret) {
407 const char *errbuf2 = "Read req failed";
408 char *errbuf;
409 int ret2;
410
411 ret2 = asprintf(&errbuf,
412 "Read req failed: %s",
413 krb5_get_err_text(context, ret));
414 if (ret2 != -1)
415 errbuf2 = errbuf;
416 Data(ap, KRB_REJECT, errbuf2, -1);
417 log_message("%s", errbuf2);
418 if (ret2 != -1)
419 free (errbuf);
420 return;
421 }
422
423 {
424 char ap_msg[2];
425
426 ap_msg[0] = ap->type;
427 ap_msg[1] = ap->way;
428
429 ret = krb5_verify_authenticator_checksum(context,
430 auth_context,
431 ap_msg,
432 sizeof(ap_msg));
433
434 if (ret) {
435 const char *errbuf2 = "Bad checksum";
436 char *errbuf;
437 int ret2;
438
439 ret2 = asprintf(&errbuf, "Bad checksum: %s",
440 krb5_get_err_text(context, ret));
441 if (ret2 != -1)
442 errbuf2 = errbuf;
443 Data(ap, KRB_REJECT, errbuf2, -1);
444 log_message("%s", errbuf2);
445 if (ret2 != -1)
446 free(errbuf);
447 return;
448 }
449 }
450 ret = krb5_auth_con_getremotesubkey (context,
451 auth_context,
452 &key_block);
453
454 if (ret) {
455 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
456 auth_finished(ap, AUTH_REJECT);
457 log_message("Kerberos V5: "
458 "krb5_auth_con_getremotesubkey failed (%s)",
459 krb5_get_err_text(context, ret));
460 return;
461 }
462
463 if (key_block == NULL) {
464 ret = krb5_auth_con_getkey(context,
465 auth_context,
466 &key_block);
467 }
468 if (ret) {
469 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
470 auth_finished(ap, AUTH_REJECT);
471 log_message("Kerberos V5: "
472 "krb5_auth_con_getkey failed (%s)",
473 krb5_get_err_text(context, ret));
474 return;
475 }
476 if (key_block == NULL) {
477 Data(ap, KRB_REJECT, "no subkey received", -1);
478 auth_finished(ap, AUTH_REJECT);
479 log_message("Kerberos V5: "
480 "krb5_auth_con_getremotesubkey returned NULL key");
481 return;
482 }
483
484 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
485 ret = krb5_mk_rep(context, auth_context, &outbuf);
486 if (ret) {
487 Data(ap, KRB_REJECT,
488 "krb5_mk_rep failed", -1);
489 auth_finished(ap, AUTH_REJECT);
490 log_message("Kerberos V5: "
491 "krb5_mk_rep failed (%s)",
492 krb5_get_err_text(context, ret));
493 return;
494 }
495 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
496 }
497 if (krb5_unparse_name(context, ticket->client, &name))
498 name = 0;
499
500 if(UserNameRequested && krb5_kuserok(context,
501 ticket->client,
502 UserNameRequested)) {
503 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
504 log_message("%s accepted as user %s from %s",
505 name ? name : "<unknown>",
506 UserNameRequested ? UserNameRequested : "<unknown>",
507 RemoteHostName ? RemoteHostName : "<unknown>");
508
509 if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
510 key_block->keytype == ETYPE_DES_CBC_MD4 ||
511 key_block->keytype == ETYPE_DES_CBC_CRC) {
512 Session_Key skey;
513
514 skey.type = SK_DES;
515 skey.length = 8;
516 skey.data = key_block->keyvalue.data;
517 encrypt_session_key(&skey, 0);
518 }
519
520 } else {
521 const char *msg2 = "user is not authorized to login";
522 char *msg;
523
524 ret = asprintf (&msg, "user `%s' is not authorized to "
525 "login as `%s'",
526 name ? name : "<unknown>",
527 UserNameRequested ? UserNameRequested : "<nobody>");
528 if (ret != -1)
529 msg2 = msg;
530 Data(ap, KRB_REJECT, (void *)msg2, -1);
531 if (ret != -1)
532 free(msg);
533 auth_finished (ap, AUTH_REJECT);
534 krb5_free_keyblock_contents(context, key_block);
535 break;
536 }
537 auth_finished(ap, AUTH_USER);
538 krb5_free_keyblock_contents(context, key_block);
539
540 break;
541 case KRB_FORWARD: {
542 struct passwd *pwd;
543 char ccname[1024]; /* XXX */
544 krb5_data inbuf;
545 krb5_ccache ccache;
546 inbuf.data = (char *)data;
547 inbuf.length = cnt;
548
549 pwd = getpwnam (UserNameRequested);
550 if (pwd == NULL)
551 break;
552
553 snprintf (ccname, sizeof(ccname),
554 "FILE:/tmp/krb5cc_%lu", (unsigned long)pwd->pw_uid);
555
556 ret = krb5_cc_resolve (context, ccname, &ccache);
557 if (ret) {
558 log_message("Kerberos V5: could not get ccache: %s",
559 krb5_get_err_text(context, ret));
560 break;
561 }
562
563 ret = krb5_cc_initialize (context,
564 ccache,
565 ticket->client);
566 if (ret) {
567 log_message("Kerberos V5: could not init ccache: %s",
568 krb5_get_err_text(context, ret));
569 break;
570 }
571
572 #if defined(DCE)
573 esetenv("KRB5CCNAME", ccname, 1);
574 #endif
575 ret = krb5_rd_cred2 (context,
576 auth_context,
577 ccache,
578 &inbuf);
579 if(ret) {
580 const char *errbuf2 = "Read forwarded creds failed";
581 char *errbuf;
582 int ret2;
583
584 ret2 = asprintf (&errbuf,
585 "Read forwarded creds failed: %s",
586 krb5_get_err_text (context, ret));
587 if (ret2 != -1)
588 errbuf2 = errbuf;
589 Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
590 log_message("Could not read forwarded credentials: %s", errbuf);
591
592 if (ret2 != -1)
593 free (errbuf);
594 } else {
595 Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
596 #if defined(DCE)
597 dfsfwd = 1;
598 #endif
599 }
600 chown (ccname + 5, pwd->pw_uid, -1);
601 log_message("Forwarded credentials obtained");
602 break;
603 }
604 default:
605 log_message("Unknown Kerberos option %d", data[-1]);
606 Data(ap, KRB_REJECT, 0, 0);
607 break;
608 }
609 }
610
611 void
612 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
613 {
614 static int mutual_complete = 0;
615
616 if (cnt-- < 1)
617 return;
618 switch (*data++) {
619 case KRB_REJECT:
620 if (cnt > 0) {
621 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
622 cnt, data);
623 } else
624 printf("[ Kerberos V5 refuses authentication ]\r\n");
625 auth_send_retry();
626 return;
627 case KRB_ACCEPT: {
628 krb5_error_code ret;
629 Session_Key skey;
630 krb5_keyblock *keyblock;
631
632 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
633 !mutual_complete) {
634 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
635 auth_send_retry();
636 return;
637 }
638 if (cnt)
639 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
640 else
641 printf("[ Kerberos V5 accepts you ]\r\n");
642
643 ret = krb5_auth_con_getlocalsubkey (context,
644 auth_context,
645 &keyblock);
646 if (ret)
647 ret = krb5_auth_con_getkey (context,
648 auth_context,
649 &keyblock);
650 if(ret) {
651 printf("[ krb5_auth_con_getkey: %s ]\r\n",
652 krb5_get_err_text(context, ret));
653 auth_send_retry();
654 return;
655 }
656
657 skey.type = SK_DES;
658 skey.length = 8;
659 skey.data = keyblock->keyvalue.data;
660 encrypt_session_key(&skey, 0);
661 krb5_free_keyblock_contents (context, keyblock);
662 auth_finished(ap, AUTH_USER);
663 if (forward_flags & OPTS_FORWARD_CREDS)
664 kerberos5_forward(ap);
665 break;
666 }
667 case KRB_RESPONSE:
668 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
669 /* the rest of the reply should contain a krb_ap_rep */
670 krb5_ap_rep_enc_part *reply;
671 krb5_data inbuf;
672 krb5_error_code ret;
673
674 inbuf.length = cnt;
675 inbuf.data = (char *)data;
676
677 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
678 if (ret) {
679 printf("[ Mutual authentication failed: %s ]\r\n",
680 krb5_get_err_text (context, ret));
681 auth_send_retry();
682 return;
683 }
684 krb5_free_ap_rep_enc_part(context, reply);
685 mutual_complete = 1;
686 }
687 return;
688 case KRB_FORWARD_ACCEPT:
689 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
690 return;
691 case KRB_FORWARD_REJECT:
692 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
693 cnt, data);
694 return;
695 default:
696 if (auth_debug_mode)
697 printf("Unknown Kerberos option %d\r\n", data[-1]);
698 return;
699 }
700 }
701
702 int
703 kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
704 {
705 if (level < AUTH_USER)
706 return(level);
707
708 if (UserNameRequested &&
709 krb5_kuserok(context,
710 ticket->client,
711 UserNameRequested))
712 {
713 strlcpy(name, UserNameRequested, name_sz);
714 #if defined(DCE)
715 dfsk5ok = 1;
716 #endif
717 return(AUTH_VALID);
718 } else
719 return(AUTH_USER);
720 }
721
722 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
723 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
724
725 void
726 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
727 {
728 int i;
729
730 buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
731 buflen -= 1;
732
733 switch(data[3]) {
734 case KRB_REJECT: /* Rejected (reason might follow) */
735 strlcpy((char *)buf, " REJECT ", buflen);
736 goto common;
737
738 case KRB_ACCEPT: /* Accepted (name might follow) */
739 strlcpy((char *)buf, " ACCEPT ", buflen);
740 common:
741 BUMP(buf, buflen);
742 if (cnt <= 4)
743 break;
744 ADDC(buf, buflen, '"');
745 for (i = 4; i < cnt; i++)
746 ADDC(buf, buflen, data[i]);
747 ADDC(buf, buflen, '"');
748 ADDC(buf, buflen, '\0');
749 break;
750
751
752 case KRB_AUTH: /* Authentication data follows */
753 strlcpy((char *)buf, " AUTH", buflen);
754 goto common2;
755
756 case KRB_RESPONSE:
757 strlcpy((char *)buf, " RESPONSE", buflen);
758 goto common2;
759
760 case KRB_FORWARD: /* Forwarded credentials follow */
761 strlcpy((char *)buf, " FORWARD", buflen);
762 goto common2;
763
764 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
765 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
766 goto common2;
767
768 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
769 /* (reason might follow) */
770 strlcpy((char *)buf, " FORWARD_REJECT", buflen);
771 goto common2;
772
773 default:
774 snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
775 common2:
776 BUMP(buf, buflen);
777 for (i = 4; i < cnt; i++) {
778 snprintf((char*)buf, buflen, " %d", data[i]);
779 BUMP(buf, buflen);
780 }
781 break;
782 }
783 }
784
785 void
786 kerberos5_forward(Authenticator *ap)
787 {
788 krb5_error_code ret;
789 krb5_ccache ccache;
790 krb5_creds creds;
791 KDCOptions flags;
792 krb5_data out_data;
793 krb5_principal principal;
794
795 ret = krb5_cc_default (context, &ccache);
796 if (ret) {
797 if (auth_debug_mode)
798 printf ("KerberosV5: could not get default ccache: %s\r\n",
799 krb5_get_err_text (context, ret));
800 return;
801 }
802
803 ret = krb5_cc_get_principal (context, ccache, &principal);
804 if (ret) {
805 if (auth_debug_mode)
806 printf ("KerberosV5: could not get principal: %s\r\n",
807 krb5_get_err_text (context, ret));
808 return;
809 }
810
811 memset (&creds, 0, sizeof(creds));
812
813 creds.client = principal;
814
815 ret = krb5_build_principal (context,
816 &creds.server,
817 strlen(principal->realm),
818 principal->realm,
819 "krbtgt",
820 principal->realm,
821 NULL);
822
823 if (ret) {
824 if (auth_debug_mode)
825 printf ("KerberosV5: could not get principal: %s\r\n",
826 krb5_get_err_text (context, ret));
827 return;
828 }
829
830 creds.times.endtime = 0;
831
832 memset(&flags, 0, sizeof(flags));
833 flags.forwarded = 1;
834 if (forward_flags & OPTS_FORWARDABLE_CREDS)
835 flags.forwardable = 1;
836
837 ret = krb5_get_forwarded_creds (context,
838 auth_context,
839 ccache,
840 KDCOptions2int(flags),
841 RemoteHostName,
842 &creds,
843 &out_data);
844 if (ret) {
845 if (auth_debug_mode)
846 printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
847 krb5_get_err_text (context, ret));
848 return;
849 }
850
851 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
852 if (auth_debug_mode)
853 printf("Not enough room for authentication data\r\n");
854 } else {
855 if (auth_debug_mode)
856 printf("Forwarded local Kerberos V5 credentials to server\r\n");
857 }
858 }
859
860 #if defined(DCE)
861 /* if this was a K5 authentication try and join a PAG for the user. */
862 void
863 kerberos5_dfspag(void)
864 {
865 if (dfsk5ok) {
866 dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
867 UserNameRequested);
868 }
869 }
870 #endif
871
872 int
873 kerberos5_set_forward(int on)
874 {
875 if(on == 0)
876 forward_flags &= ~OPTS_FORWARD_CREDS;
877 if(on == 1)
878 forward_flags |= OPTS_FORWARD_CREDS;
879 if(on == -1)
880 forward_flags ^= OPTS_FORWARD_CREDS;
881 return 0;
882 }
883
884 int
885 kerberos5_set_forwardable(int on)
886 {
887 if(on == 0)
888 forward_flags &= ~OPTS_FORWARDABLE_CREDS;
889 if(on == 1)
890 forward_flags |= OPTS_FORWARDABLE_CREDS;
891 if(on == -1)
892 forward_flags ^= OPTS_FORWARDABLE_CREDS;
893 return 0;
894 }
895
896 #endif /* KRB5 */
NetBSD on the FriendlyARM MINI2440