oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Some changes.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@1232 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
1997-02-13 19:55:10 +00:00
parent b5b1fe5ccf
commit 4fc459d71d
1 changed files with 339 additions and 478 deletions
Download Patch File Download Diff File Expand all files Collapse all files

289
appl/telnet/libtelnet/kerberos5.c
View File

@@ -1,11 +1,3 @@
#if !defined(lint) && !defined(SABER)
static
#ifdef __STDC__
const
#endif
char rcsid_kerberos5_c[] = "$Id$";
#endif /* lint */
/*- /*-
* Copyright (c) 1991, 1993 * Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved. * The Regents of the University of California. All rights reserved.
@@ -64,17 +56,29 @@ char rcsid_kerberos5_c[] = "$Id$";
#include <socks.h> #include <socks.h>
#endif #endif
static const char *error_message(long foo)
{
abort();
}
RCSID("$Id$"); RCSID("$Id$");
#ifdef KRB5 #ifdef KRB5
#include <arpa/telnet.h> #include <arpa/telnet.h>
#include <stdio.h> #include <stdio.h>
#include <krb5/krb5.h> #define Authenticator k5_Authenticator
#include <krb5.h>
#undef Authenticator
#include <des.h>
#if 0
#include <krb5/asn1.h> #include <krb5/asn1.h>
#include <krb5/crc-32.h> #include <krb5/crc-32.h>
#include <krb5/los-proto.h> #include <krb5/los-proto.h>
#include <krb5/ext-proto.h> #include <krb5/ext-proto.h>
#endif
#if 0
#include <com_err.h> #include <com_err.h>
#endif
#include <netdb.h> #include <netdb.h>
#include <ctype.h> #include <ctype.h>
@@ -117,23 +121,23 @@ static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
static krb5_data auth; static krb5_data auth;
/* telnetd gets session key from here */ /* telnetd gets session key from here */
static krb5_tkt_authent *authdat = NULL; static /*krb5_tkt_authent*/ void *authdat = NULL;
/* telnet matches the AP_REQ and AP_REP with this */ /* telnet matches the AP_REQ and AP_REP with this */
#if 0
static krb5_authenticator authenticator; static krb5_authenticator authenticator;
#endif
static k5_Authenticator authenticator;
static krb5_context context;
static krb5_auth_context *auth_context;
/* some compilers can't hack void *, so we use the Kerberos krb5_pointer, /* some compilers can't hack void *, so we use the Kerberos krb5_pointer,
which is either void * or char *, depending on the compiler. */ which is either void * or char *, depending on the compiler. */
#define Voidptr krb5_pointer
des_cblock session_key; des_cblock session_key;
static int static int
Data(ap, type, d, c) Data(Authenticator *ap, int type, void *d, int c)
Authenticator *ap;
int type;
Voidptr d;
int c;
{ {
unsigned char *p = str_data + 4; unsigned char *p = str_data + 4;
unsigned char *cd = (unsigned char *)d; unsigned char *cd = (unsigned char *)d;
@@ -164,40 +168,23 @@ Data(ap, type, d, c)
} }
int int
kerberos5_init(ap, server) kerberos5_init(Authenticator *ap, int server)
Authenticator *ap;
int server;
{ {
if (server) if (server)
str_data[3] = TELQUAL_REPLY; str_data[3] = TELQUAL_REPLY;
else else
str_data[3] = TELQUAL_IS; str_data[3] = TELQUAL_IS;
krb5_init_ets(); krb5_init_context(&context);
return(1); return(1);
} }
int int
kerberos5_send(ap) kerberos5_send(Authenticator *ap)
Authenticator *ap;
{ {
char **realms;
char *name;
char *p1, *p2;
krb5_checksum ksum;
krb5_octet sum[CRC32_CKSUM_LENGTH];
krb5_principal server;
krb5_error_code r; krb5_error_code r;
krb5_ccache ccache; krb5_ccache ccache;
krb5_creds creds; /* telnet gets session key from here */
extern krb5_flags krb5_kdc_default_options;
int ap_opts; int ap_opts;
ksum.checksum_type = CKSUMTYPE_CRC32;
ksum.contents = sum;
ksum.length = sizeof(sum);
memset((Voidptr )sum, 0, sizeof(sum));
if (!UserNameRequested) { if (!UserNameRequested) {
if (auth_debug_mode) { if (auth_debug_mode) {
printf("Kerberos V5: no user name supplied\r\n"); printf("Kerberos V5: no user name supplied\r\n");
@@ -205,92 +192,28 @@ kerberos5_send(ap)
return(0); return(0);
} }
if (r = krb5_cc_default(&ccache)) { if (r = krb5_cc_default(context, &ccache)) {
if (auth_debug_mode) { if (auth_debug_mode) {
printf("Kerberos V5: could not get default ccache\r\n"); printf("Kerberos V5: could not get default ccache\r\n");
} }
return(0); return(0);
} }
if ((name = malloc(strlen(RemoteHostName)+1)) == NULL) {
if (auth_debug_mode)
printf("Out of memory for hostname in Kerberos V5\r\n");
return(0);
}
if (r = krb5_get_host_realm(RemoteHostName, &realms)) {
if (auth_debug_mode)
printf("Kerberos V5: no realm for %s\r\n", RemoteHostName);
free(name);
return(0);
}
p1 = RemoteHostName;
p2 = name;
while (*p2 = *p1++) {
if (isupper(*p2))
*p2 |= 040;
++p2;
}
if (r = krb5_build_principal_ext(&server,
strlen(realms[0]), realms[0],
4, "host",
p2 - name, name,
0)) {
if (auth_debug_mode) {
printf("Kerberos V5: failure setting up principal (%s)\r\n",
error_message(r));
}
free(name);
krb5_free_host_realm(realms);
return(0);
}
memset(&creds, 0, sizeof(creds));
creds.server = server;
if (r = krb5_cc_get_principal(ccache, &creds.client)) {
if (auth_debug_mode) {
printf("Kerberos V5: failure on principal (%s)\r\n",
error_message(r));
}
free(name);
krb5_free_principal(server);
krb5_free_host_realm(realms);
return(0);
}
if (r = krb5_get_credentials(krb5_kdc_default_options, ccache, &creds)) {
if (auth_debug_mode) {
printf("Kerberos V5: failure on credentials(%d)\r\n",r);
}
free(name);
krb5_free_host_realm(realms);
krb5_free_principal(server);
return(0);
}
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
ap_opts = AP_OPTS_MUTUAL_REQUIRED; ap_opts = AP_OPTS_MUTUAL_REQUIRED;
else else
ap_opts = 0; ap_opts = 0;
r = krb5_mk_req_extended(ap_opts, &ksum, krb5_kdc_default_options, 0, auth_context = NULL;
0,
ccache, &creds, &authenticator, &auth); r = krb5_mk_req(context, &auth_context, ap_opts,
/* don't let the key get freed if we clean up the authenticator */ "host", RemoteHostName,
authenticator.subkey = 0; NULL, ccache, &auth);
free(name);
krb5_free_host_realm(realms);
krb5_free_principal(server);
if (r) { if (r) {
if (auth_debug_mode) { if (auth_debug_mode) {
printf("Kerberos V5: mk_req failed (%s)\r\n", printf("Kerberos V5: mk_req failed (%s)\r\n",
error_message(r)); krb5_get_err_text(r));
} }
return(0); return(0);
} }
@@ -312,21 +235,13 @@ kerberos5_send(ap)
} }
void void
kerberos5_is(ap, data, cnt) kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
Authenticator *ap;
unsigned char *data;
int cnt;
{ {
int r; int r;
struct hostent *hp;
char *p1, *p2;
static char *realm = NULL;
krb5_principal server;
krb5_ap_rep_enc_part reply;
krb5_data outbuf; krb5_data outbuf;
char *name; krb5_ticket *ticket;
char *getenv();
krb5_data inbuf; krb5_keyblock *key_block;
if (cnt-- < 1) if (cnt-- < 1)
return; return;
@@ -335,51 +250,11 @@ kerberos5_is(ap, data, cnt)
auth.data = (char *)data; auth.data = (char *)data;
auth.length = cnt; auth.length = cnt;
if (!(hp = gethostbyname(LocalHostName))) { auth_context = NULL;
if (auth_debug_mode)
printf("Cannot resolve local host name\r\n");
Data(ap, KRB_REJECT, "Unknown local hostname.", -1);
auth_finished(ap, AUTH_REJECT);
return;
}
if (!realm && (krb5_get_default_realm(&realm))) { r = krb5_rd_req(context, &auth_context, &auth,
if (auth_debug_mode) NULL, NULL, NULL, &ticket);
printf("Could not get default realm\r\n");
Data(ap, KRB_REJECT, "Could not get default realm.", -1);
auth_finished(ap, AUTH_REJECT);
return;
}
if ((name = malloc(strlen(hp->h_name)+1)) == NULL) {
if (auth_debug_mode)
printf("Out of memory for hostname in Kerberos V5\r\n");
Data(ap, KRB_REJECT, "Out of memory.", -1);
auth_finished(ap, AUTH_REJECT);
return;
}
p1 = hp->h_name;
p2 = name;
while (*p2 = *p1++) {
if (isupper(*p2))
*p2 |= 040;
++p2;
}
if (authdat)
krb5_free_tkt_authent(authdat);
r = krb5_build_principal_ext(&server,
strlen(realm), realm,
4, "host",
p2 - name, name,
0);
if (!r) {
r = krb5_rd_req_simple(&auth, server, 0, &authdat);
krb5_free_principal(server);
}
if (r) { if (r) {
char errbuf[128]; char errbuf[128];
@@ -392,47 +267,40 @@ kerberos5_is(ap, data, cnt)
printf("%s\r\n", errbuf); printf("%s\r\n", errbuf);
return; return;
} }
free(name); #if 0
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
/* do ap_rep stuff here */ r = krb5_mk_rep(context, auth_context, &outbuf);
reply.ctime = authdat->authenticator->ctime; if(r){
reply.cusec = authdat->authenticator->cusec;
reply.subkey = 0; /* use the one he gave us, so don't
need to return one here */
reply.seq_number = 0; /* we don't do seq #'s. */
if (r = krb5_mk_rep(&reply,
authdat->authenticator->subkey ?
authdat->authenticator->subkey :
authdat->ticket->enc_part2->session,
&outbuf)) {
goto errout;
} }
Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
} }
if (krb5_unparse_name(authdat->ticket->enc_part2 ->client, if (krb5_unparse_name(context, ticket->enc_part2->client, &name))
&name))
name = 0; name = 0;
#endif
#if 0
Data(ap, KRB_ACCEPT, name, name ? -1 : 0); Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) { if (auth_debug_mode) {
printf("Kerberos5 identifies him as ``%s''\r\n", printf("Kerberos5 identifies him as ``%s''\r\n",
name ? name : ""); name ? name : "");
} }
#endif
auth_finished(ap, AUTH_USER); auth_finished(ap, AUTH_USER);
free(name); #if 0
if (authdat->authenticator->subkey && r = krb5_auth_con_getkey(context, auth_context, &key_block);
authdat->authenticator->subkey->keytype == KEYTYPE_DES) { if(r){
memmove((Voidptr )session_key, }
(Voidptr )authdat->authenticator->subkey->contents, #endif
sizeof(des_cblock));
} else if (authdat->ticket->enc_part2->session->keytype == if(key_block->keytype == KEYTYPE_DES){
KEYTYPE_DES) { memcpy(&session_key, key_block->contents.data,
memmove((Voidptr )session_key, sizeof(session_key));
(Voidptr )authdat->ticket->enc_part2->session->contents, }
sizeof(des_cblock));
} else #if 0
break; krb5_free_keyblock(context, key_block);
#endif
break; break;
#ifdef FORWARD #ifdef FORWARD
@@ -464,10 +332,7 @@ kerberos5_is(ap, data, cnt)
} }
void void
kerberos5_reply(ap, data, cnt) kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
Authenticator *ap;
unsigned char *data;
int cnt;
{ {
Session_Key skey; Session_Key skey;
static int mutual_complete = 0; static int mutual_complete = 0;
@@ -503,31 +368,31 @@ kerberos5_reply(ap, data, cnt)
case KRB_RESPONSE: case KRB_RESPONSE:
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
/* the rest of the reply should contain a krb_ap_rep */ /* the rest of the reply should contain a krb_ap_rep */
krb5_ap_rep_enc_part *reply; #if 0
/*krb5_ap_rep_enc_part*/ void *reply;
#endif
EncAPRepPart *reply;
krb5_data inbuf; krb5_data inbuf;
krb5_error_code r; krb5_error_code r;
krb5_keyblock tmpkey;
inbuf.length = cnt; inbuf.length = cnt;
inbuf.data = (char *)data; inbuf.data = (char *)data;
tmpkey.keytype = KEYTYPE_DES; if (r = krb5_rd_rep(context, auth_context, &inbuf, &reply)) {
tmpkey.contents = session_key;
tmpkey.length = sizeof(des_cblock);
if (r = krb5_rd_rep(&inbuf, &tmpkey, &reply)) {
printf("[ Mutual authentication failed: %s ]\r\n", printf("[ Mutual authentication failed: %s ]\r\n",
error_message(r)); error_message(r));
auth_send_retry(); auth_send_retry();
return; return;
} }
#if 0
if (reply->ctime != authenticator.ctime || if (reply->ctime != authenticator.ctime ||
reply->cusec != authenticator.cusec) { reply->cusec != authenticator.cusec) {
printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\r\n"); printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\r\n");
auth_send_retry(); auth_send_retry();
return; return;
} }
krb5_free_ap_rep_enc_part(reply); #endif
krb5_free_ap_rep_enc_part(context, reply);
mutual_complete = 1; mutual_complete = 1;
} }
return; return;
@@ -548,30 +413,27 @@ kerberos5_reply(ap, data, cnt)
} }
int int
kerberos5_status(ap, name, level) kerberos5_status(Authenticator *ap, char *name, int level)
Authenticator *ap;
char *name;
int level;
{ {
if (level < AUTH_USER) if (level < AUTH_USER)
return(level); return(level);
#if 0
if (UserNameRequested && if (UserNameRequested &&
krb5_kuserok(authdat->ticket->enc_part2->client, UserNameRequested)) krb5_kuserok(context, authdat->ticket->enc_part2->client, UserNameRequested))
{ {
strcpy(name, UserNameRequested); strcpy(name, UserNameRequested);
return(AUTH_VALID); return(AUTH_VALID);
} else } else
return(AUTH_USER); return(AUTH_USER);
#endif
} }
#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
void void
kerberos5_printsub(data, cnt, buf, buflen) kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
unsigned char *data, *buf;
int cnt, buflen;
{ {
char lbuf[32]; char lbuf[32];
int i; int i;
@@ -637,8 +499,7 @@ kerberos5_printsub(data, cnt, buf, buflen)
#ifdef FORWARD #ifdef FORWARD
void void
kerberos5_forward(ap) kerberos5_forward(Authenticator *ap)
Authenticator *ap;
{ {
struct hostent *hp; struct hostent *hp;
krb5_creds *local_creds; krb5_creds *local_creds;
@@ -655,7 +516,7 @@ kerberos5_forward(ap)
return; return;
} }
if (r = krb5_sname_to_principal(RemoteHostName, "host", 1, if (r = krb5_sname_to_principal(context, RemoteHostName, "host", 1,
&local_creds->server)) { &local_creds->server)) {
if (auth_debug_mode) if (auth_debug_mode)
printf("Kerberos V5: could not build server name - %s\r\n", printf("Kerberos V5: could not build server name - %s\r\n",