oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Some changes.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@1232 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
1997-02-13 19:55:10 +00:00
parent b5b1fe5ccf
commit 4fc459d71d
1 changed files with 339 additions and 478 deletions
Download Patch File Download Diff File Expand all files Collapse all files

817
appl/telnet/libtelnet/kerberos5.c
View File

@@ -1,11 +1,3 @@
#if !defined(lint) && !defined(SABER)
static
#ifdef __STDC__
const
#endif
char rcsid_kerberos5_c[] = "$Id$";
#endif /* lint */
/*- /*-
* Copyright (c) 1991, 1993 * Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved. * The Regents of the University of California. All rights reserved.
@@ -64,17 +56,29 @@ char rcsid_kerberos5_c[] = "$Id$";
#include <socks.h> #include <socks.h>
#endif #endif
static const char *error_message(long foo)
{
abort();
}
RCSID("$Id$"); RCSID("$Id$");
#ifdef KRB5 #ifdef KRB5
#include <arpa/telnet.h> #include <arpa/telnet.h>
#include <stdio.h> #include <stdio.h>
#include <krb5/krb5.h> #define Authenticator k5_Authenticator
#include <krb5.h>
#undef Authenticator
#include <des.h>
#if 0
#include <krb5/asn1.h> #include <krb5/asn1.h>
#include <krb5/crc-32.h> #include <krb5/crc-32.h>
#include <krb5/los-proto.h> #include <krb5/los-proto.h>
#include <krb5/ext-proto.h> #include <krb5/ext-proto.h>
#endif
#if 0
#include <com_err.h> #include <com_err.h>
#endif
#include <netdb.h> #include <netdb.h>
#include <ctype.h> #include <ctype.h>
@@ -116,529 +120,386 @@ static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
#endif /* FORWARD */ #endif /* FORWARD */
static krb5_data auth; static krb5_data auth;
/* telnetd gets session key from here */ /* telnetd gets session key from here */
static krb5_tkt_authent *authdat = NULL; static /*krb5_tkt_authent*/ void *authdat = NULL;
/* telnet matches the AP_REQ and AP_REP with this */ /* telnet matches the AP_REQ and AP_REP with this */
#if 0
static krb5_authenticator authenticator; static krb5_authenticator authenticator;
#endif
static k5_Authenticator authenticator;
static krb5_context context;
static krb5_auth_context *auth_context;
/* some compilers can't hack void *, so we use the Kerberos krb5_pointer, /* some compilers can't hack void *, so we use the Kerberos krb5_pointer,
which is either void * or char *, depending on the compiler. */ which is either void * or char *, depending on the compiler. */
#define Voidptr krb5_pointer
des_cblock session_key; des_cblock session_key;
static int static int
Data(ap, type, d, c) Data(Authenticator *ap, int type, void *d, int c)
Authenticator *ap;
int type;
Voidptr d;
int c;
{ {
unsigned char *p = str_data + 4; unsigned char *p = str_data + 4;
unsigned char *cd = (unsigned char *)d; unsigned char *cd = (unsigned char *)d;
if (c == -1) if (c == -1)
c = strlen(cd); c = strlen(cd);
if (auth_debug_mode) {
printf("%s:%d: [%d] (%d)",
str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
str_data[3],
type, c);
printd(d, c);
printf("\r\n");
}
*p++ = ap->type;
*p++ = ap->way;
*p++ = type;
while (c-- > 0) {
if ((*p++ = *cd++) == IAC)
*p++ = IAC;
}
*p++ = IAC;
*p++ = SE;
if (str_data[3] == TELQUAL_IS)
printsub('>', &str_data[2], p - &str_data[2]);
return(net_write(str_data, p - str_data));
}
int
kerberos5_init(Authenticator *ap, int server)
{
if (server)
str_data[3] = TELQUAL_REPLY;
else
str_data[3] = TELQUAL_IS;
krb5_init_context(&context);
return(1);
}
int
kerberos5_send(Authenticator *ap)
{
krb5_error_code r;
krb5_ccache ccache;
int ap_opts;
if (!UserNameRequested) {
if (auth_debug_mode) { if (auth_debug_mode) {
printf("%s:%d: [%d] (%d)", printf("Kerberos V5: no user name supplied\r\n");
str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
str_data[3],
type, c);
printd(d, c);
printf("\r\n");
} }
*p++ = ap->type; return(0);
*p++ = ap->way; }
*p++ = type;
while (c-- > 0) { if (r = krb5_cc_default(context, &ccache)) {
if ((*p++ = *cd++) == IAC) if (auth_debug_mode) {
*p++ = IAC; printf("Kerberos V5: could not get default ccache\r\n");
} }
*p++ = IAC; return(0);
*p++ = SE; }
if (str_data[3] == TELQUAL_IS)
printsub('>', &str_data[2], p - &str_data[2]); if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
return(net_write(str_data, p - str_data)); ap_opts = AP_OPTS_MUTUAL_REQUIRED;
else
ap_opts = 0;
auth_context = NULL;
r = krb5_mk_req(context, &auth_context, ap_opts,
"host", RemoteHostName,
NULL, ccache, &auth);
if (r) {
if (auth_debug_mode) {
printf("Kerberos V5: mk_req failed (%s)\r\n",
krb5_get_err_text(r));
}
return(0);
}
if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
if (auth_debug_mode)
printf("Not enough room for user name\r\n");
return(0);
}
if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
if (auth_debug_mode)
printf("Not enough room for authentication data\r\n");
return(0);
}
if (auth_debug_mode) {
printf("Sent Kerberos V5 credentials to server\r\n");
}
return(1);
} }
int void
kerberos5_init(ap, server) kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
Authenticator *ap;
int server;
{ {
if (server) int r;
str_data[3] = TELQUAL_REPLY; krb5_data outbuf;
else krb5_ticket *ticket;
str_data[3] = TELQUAL_IS;
krb5_init_ets(); krb5_keyblock *key_block;
return(1);
}
int if (cnt-- < 1)
kerberos5_send(ap) return;
Authenticator *ap; switch (*data++) {
{ case KRB_AUTH:
char **realms; auth.data = (char *)data;
char *name; auth.length = cnt;
char *p1, *p2;
krb5_checksum ksum;
krb5_octet sum[CRC32_CKSUM_LENGTH];
krb5_principal server;
krb5_error_code r;
krb5_ccache ccache;
krb5_creds creds; /* telnet gets session key from here */
extern krb5_flags krb5_kdc_default_options;
int ap_opts;
auth_context = NULL;
ksum.checksum_type = CKSUMTYPE_CRC32; r = krb5_rd_req(context, &auth_context, &auth,
ksum.contents = sum; NULL, NULL, NULL, &ticket);
ksum.length = sizeof(sum);
memset((Voidptr )sum, 0, sizeof(sum));
if (!UserNameRequested) {
if (auth_debug_mode) {
printf("Kerberos V5: no user name supplied\r\n");
}
return(0);
}
if (r = krb5_cc_default(&ccache)) {
if (auth_debug_mode) {
printf("Kerberos V5: could not get default ccache\r\n");
}
return(0);
}
if ((name = malloc(strlen(RemoteHostName)+1)) == NULL) {
if (auth_debug_mode)
printf("Out of memory for hostname in Kerberos V5\r\n");
return(0);
}
if (r = krb5_get_host_realm(RemoteHostName, &realms)) {
if (auth_debug_mode)
printf("Kerberos V5: no realm for %s\r\n", RemoteHostName);
free(name);
return(0);
}
p1 = RemoteHostName;
p2 = name;
while (*p2 = *p1++) {
if (isupper(*p2))
*p2 |= 040;
++p2;
}
if (r = krb5_build_principal_ext(&server,
strlen(realms[0]), realms[0],
4, "host",
p2 - name, name,
0)) {
if (auth_debug_mode) {
printf("Kerberos V5: failure setting up principal (%s)\r\n",
error_message(r));
}
free(name);
krb5_free_host_realm(realms);
return(0);
}
memset(&creds, 0, sizeof(creds));
creds.server = server;
if (r = krb5_cc_get_principal(ccache, &creds.client)) {
if (auth_debug_mode) {
printf("Kerberos V5: failure on principal (%s)\r\n",
error_message(r));
}
free(name);
krb5_free_principal(server);
krb5_free_host_realm(realms);
return(0);
}
if (r = krb5_get_credentials(krb5_kdc_default_options, ccache, &creds)) {
if (auth_debug_mode) {
printf("Kerberos V5: failure on credentials(%d)\r\n",r);
}
free(name);
krb5_free_host_realm(realms);
krb5_free_principal(server);
return(0);
}
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
ap_opts = AP_OPTS_MUTUAL_REQUIRED;
else
ap_opts = 0;
r = krb5_mk_req_extended(ap_opts, &ksum, krb5_kdc_default_options, 0,
0,
ccache, &creds, &authenticator, &auth);
/* don't let the key get freed if we clean up the authenticator */
authenticator.subkey = 0;
free(name);
krb5_free_host_realm(realms);
krb5_free_principal(server);
if (r) { if (r) {
if (auth_debug_mode) { char errbuf[128];
printf("Kerberos V5: mk_req failed (%s)\r\n",
error_message(r));
}
return(0);
}
if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) { errout:
if (auth_debug_mode) authdat = 0;
printf("Not enough room for user name\r\n"); strcpy(errbuf, "Read req failed: ");
return(0); strcat(errbuf, error_message(r));
Data(ap, KRB_REJECT, errbuf, -1);
if (auth_debug_mode)
printf("%s\r\n", errbuf);
return;
} }
if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { #if 0
if (auth_debug_mode) if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
printf("Not enough room for authentication data\r\n"); r = krb5_mk_rep(context, auth_context, &outbuf);
return(0); if(r){
}
Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
} }
if (krb5_unparse_name(context, ticket->enc_part2->client, &name))
name = 0;
#endif
#if 0
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) { if (auth_debug_mode) {
printf("Sent Kerberos V5 credentials to server\r\n"); printf("Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
} }
return(1); #endif
} auth_finished(ap, AUTH_USER);
void #if 0
kerberos5_is(ap, data, cnt) r = krb5_auth_con_getkey(context, auth_context, &key_block);
Authenticator *ap; if(r){
unsigned char *data; }
int cnt; #endif
{
int r; if(key_block->keytype == KEYTYPE_DES){
struct hostent *hp; memcpy(&session_key, key_block->contents.data,
char *p1, *p2; sizeof(session_key));
static char *realm = NULL; }
krb5_principal server;
krb5_ap_rep_enc_part reply;
krb5_data outbuf;
char *name;
char *getenv();
krb5_data inbuf;
if (cnt-- < 1) #if 0
return; krb5_free_keyblock(context, key_block);
switch (*data++) { #endif
case KRB_AUTH:
auth.data = (char *)data; break;
auth.length = cnt;
if (!(hp = gethostbyname(LocalHostName))) {
if (auth_debug_mode)
printf("Cannot resolve local host name\r\n");
Data(ap, KRB_REJECT, "Unknown local hostname.", -1);
auth_finished(ap, AUTH_REJECT);
return;
}
if (!realm && (krb5_get_default_realm(&realm))) {
if (auth_debug_mode)
printf("Could not get default realm\r\n");
Data(ap, KRB_REJECT, "Could not get default realm.", -1);
auth_finished(ap, AUTH_REJECT);
return;
}
if ((name = malloc(strlen(hp->h_name)+1)) == NULL) {
if (auth_debug_mode)
printf("Out of memory for hostname in Kerberos V5\r\n");
Data(ap, KRB_REJECT, "Out of memory.", -1);
auth_finished(ap, AUTH_REJECT);
return;
}
p1 = hp->h_name;
p2 = name;
while (*p2 = *p1++) {
if (isupper(*p2))
*p2 |= 040;
++p2;
}
if (authdat)
krb5_free_tkt_authent(authdat);
r = krb5_build_principal_ext(&server,
strlen(realm), realm,
4, "host",
p2 - name, name,
0);
if (!r) {
r = krb5_rd_req_simple(&auth, server, 0, &authdat);
krb5_free_principal(server);
}
if (r) {
char errbuf[128];
errout:
authdat = 0;
strcpy(errbuf, "Read req failed: ");
strcat(errbuf, error_message(r));
Data(ap, KRB_REJECT, errbuf, -1);
if (auth_debug_mode)
printf("%s\r\n", errbuf);
return;
}
free(name);
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
/* do ap_rep stuff here */
reply.ctime = authdat->authenticator->ctime;
reply.cusec = authdat->authenticator->cusec;
reply.subkey = 0; /* use the one he gave us, so don't
need to return one here */
reply.seq_number = 0; /* we don't do seq #'s. */
if (r = krb5_mk_rep(&reply,
authdat->authenticator->subkey ?
authdat->authenticator->subkey :
authdat->ticket->enc_part2->session,
&outbuf)) {
goto errout;
}
Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
}
if (krb5_unparse_name(authdat->ticket->enc_part2 ->client,
&name))
name = 0;
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
printf("Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
auth_finished(ap, AUTH_USER);
free(name);
if (authdat->authenticator->subkey &&
authdat->authenticator->subkey->keytype == KEYTYPE_DES) {
memmove((Voidptr )session_key,
(Voidptr )authdat->authenticator->subkey->contents,
sizeof(des_cblock));
} else if (authdat->ticket->enc_part2->session->keytype ==
KEYTYPE_DES) {
memmove((Voidptr )session_key,
(Voidptr )authdat->ticket->enc_part2->session->contents,
sizeof(des_cblock));
} else
break;
break;
#ifdef FORWARD #ifdef FORWARD
case KRB_FORWARD: case KRB_FORWARD:
inbuf.data = (char *)data; inbuf.data = (char *)data;
inbuf.length = cnt; inbuf.length = cnt;
if (r = rd_and_store_for_creds(&inbuf, authdat->ticket, if (r = rd_and_store_for_creds(&inbuf, authdat->ticket,
UserNameRequested)) { UserNameRequested)) {
char errbuf[128]; char errbuf[128];
strcpy(errbuf, "Read forwarded creds failed: "); strcpy(errbuf, "Read forwarded creds failed: ");
strcat(errbuf, error_message(r)); strcat(errbuf, error_message(r));
Data(ap, KRB_FORWARD_REJECT, errbuf, -1); Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode) if (auth_debug_mode)
printf("Could not read forwarded credentials\r\n"); printf("Could not read forwarded credentials\r\n");
}
else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
if (auth_debug_mode)
printf("Forwarded credentials obtained\r\n");
break;
#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
} }
else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
if (auth_debug_mode)
printf("Forwarded credentials obtained\r\n");
break;
#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
}
} }
void void
kerberos5_reply(ap, data, cnt) kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
Authenticator *ap;
unsigned char *data;
int cnt;
{ {
Session_Key skey; Session_Key skey;
static int mutual_complete = 0; static int mutual_complete = 0;
if (cnt-- < 1) if (cnt-- < 1)
return; return;
switch (*data++) { switch (*data++) {
case KRB_REJECT: case KRB_REJECT:
if (cnt > 0) { if (cnt > 0) {
printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
cnt, data); cnt, data);
} else } else
printf("[ Kerberos V5 refuses authentication ]\r\n"); printf("[ Kerberos V5 refuses authentication ]\r\n");
auth_send_retry();
return;
case KRB_ACCEPT:
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
!mutual_complete) {
printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
auth_send_retry();
return;
}
if (cnt)
printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
else
printf("[ Kerberos V5 accepts you ]\r\n");
auth_finished(ap, AUTH_USER);
#ifdef FORWARD
if (forward_flags & OPTS_FORWARD_CREDS)
kerberos5_forward(ap);
#endif /* FORWARD */
break;
case KRB_RESPONSE:
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
/* the rest of the reply should contain a krb_ap_rep */
#if 0
/*krb5_ap_rep_enc_part*/ void *reply;
#endif
EncAPRepPart *reply;
krb5_data inbuf;
krb5_error_code r;
inbuf.length = cnt;
inbuf.data = (char *)data;
if (r = krb5_rd_rep(context, auth_context, &inbuf, &reply)) {
printf("[ Mutual authentication failed: %s ]\r\n",
error_message(r));
auth_send_retry(); auth_send_retry();
return; return;
case KRB_ACCEPT: }
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && #if 0
!mutual_complete) { if (reply->ctime != authenticator.ctime ||
printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n"); reply->cusec != authenticator.cusec) {
auth_send_retry(); printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\r\n");
return; auth_send_retry();
}
if (cnt)
printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
else
printf("[ Kerberos V5 accepts you ]\r\n");
auth_finished(ap, AUTH_USER);
#ifdef FORWARD
if (forward_flags & OPTS_FORWARD_CREDS)
kerberos5_forward(ap);
#endif /* FORWARD */
break;
case KRB_RESPONSE:
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
/* the rest of the reply should contain a krb_ap_rep */
krb5_ap_rep_enc_part *reply;
krb5_data inbuf;
krb5_error_code r;
krb5_keyblock tmpkey;
inbuf.length = cnt;
inbuf.data = (char *)data;
tmpkey.keytype = KEYTYPE_DES;
tmpkey.contents = session_key;
tmpkey.length = sizeof(des_cblock);
if (r = krb5_rd_rep(&inbuf, &tmpkey, &reply)) {
printf("[ Mutual authentication failed: %s ]\r\n",
error_message(r));
auth_send_retry();
return;
}
if (reply->ctime != authenticator.ctime ||
reply->cusec != authenticator.cusec) {
printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\r\n");
auth_send_retry();
return;
}
krb5_free_ap_rep_enc_part(reply);
mutual_complete = 1;
}
return;
#ifdef FORWARD
case KRB_FORWARD_ACCEPT:
printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
return;
case KRB_FORWARD_REJECT:
printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
cnt, data);
return;
#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
return; return;
}
#endif
krb5_free_ap_rep_enc_part(context, reply);
mutual_complete = 1;
} }
return;
#ifdef FORWARD
case KRB_FORWARD_ACCEPT:
printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
return;
case KRB_FORWARD_REJECT:
printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
cnt, data);
return;
#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
return;
}
} }
int int
kerberos5_status(ap, name, level) kerberos5_status(Authenticator *ap, char *name, int level)
Authenticator *ap;
char *name;
int level;
{ {
if (level < AUTH_USER) if (level < AUTH_USER)
return(level); return(level);
if (UserNameRequested && #if 0
krb5_kuserok(authdat->ticket->enc_part2->client, UserNameRequested)) if (UserNameRequested &&
krb5_kuserok(context, authdat->ticket->enc_part2->client, UserNameRequested))
{ {
strcpy(name, UserNameRequested); strcpy(name, UserNameRequested);
return(AUTH_VALID); return(AUTH_VALID);
} else } else
return(AUTH_USER); return(AUTH_USER);
#endif
} }
#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
void void
kerberos5_printsub(data, cnt, buf, buflen) kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
unsigned char *data, *buf;
int cnt, buflen;
{ {
char lbuf[32]; char lbuf[32];
int i; int i;
buf[buflen-1] = '\0'; /* make sure its NULL terminated */ buf[buflen-1] = '\0'; /* make sure its NULL terminated */
buflen -= 1; buflen -= 1;
switch(data[3]) { switch(data[3]) {
case KRB_REJECT: /* Rejected (reason might follow) */ case KRB_REJECT: /* Rejected (reason might follow) */
strncpy((char *)buf, " REJECT ", buflen); strncpy((char *)buf, " REJECT ", buflen);
goto common; goto common;
case KRB_ACCEPT: /* Accepted (name might follow) */ case KRB_ACCEPT: /* Accepted (name might follow) */
strncpy((char *)buf, " ACCEPT ", buflen); strncpy((char *)buf, " ACCEPT ", buflen);
common: common:
BUMP(buf, buflen); BUMP(buf, buflen);
if (cnt <= 4) if (cnt <= 4)
break; break;
ADDC(buf, buflen, '"'); ADDC(buf, buflen, '"');
for (i = 4; i < cnt; i++) for (i = 4; i < cnt; i++)
ADDC(buf, buflen, data[i]); ADDC(buf, buflen, data[i]);
ADDC(buf, buflen, '"'); ADDC(buf, buflen, '"');
ADDC(buf, buflen, '\0'); ADDC(buf, buflen, '\0');
break; break;
case KRB_AUTH: /* Authentication data follows */ case KRB_AUTH: /* Authentication data follows */
strncpy((char *)buf, " AUTH", buflen); strncpy((char *)buf, " AUTH", buflen);
goto common2; goto common2;
case KRB_RESPONSE: case KRB_RESPONSE:
strncpy((char *)buf, " RESPONSE", buflen); strncpy((char *)buf, " RESPONSE", buflen);
goto common2; goto common2;
#ifdef FORWARD #ifdef FORWARD
case KRB_FORWARD: /* Forwarded credentials follow */ case KRB_FORWARD: /* Forwarded credentials follow */
strncpy((char *)buf, " FORWARD", buflen); strncpy((char *)buf, " FORWARD", buflen);
goto common2; goto common2;
case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */ case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
strncpy((char *)buf, " FORWARD_ACCEPT", buflen); strncpy((char *)buf, " FORWARD_ACCEPT", buflen);
goto common2; goto common2;
case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */ case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
/* (reason might follow) */ /* (reason might follow) */
strncpy((char *)buf, " FORWARD_REJECT", buflen); strncpy((char *)buf, " FORWARD_REJECT", buflen);
goto common2; goto common2;
#endif /* FORWARD */ #endif /* FORWARD */
default: default:
sprintf(lbuf, " %d (unknown)", data[3]); sprintf(lbuf, " %d (unknown)", data[3]);
strncpy((char *)buf, lbuf, buflen); strncpy((char *)buf, lbuf, buflen);
common2: common2:
BUMP(buf, buflen); BUMP(buf, buflen);
for (i = 4; i < cnt; i++) { for (i = 4; i < cnt; i++) {
sprintf(lbuf, " %d", data[i]); sprintf(lbuf, " %d", data[i]);
strncpy((char *)buf, lbuf, buflen); strncpy((char *)buf, lbuf, buflen);
BUMP(buf, buflen); BUMP(buf, buflen);
}
break;
} }
break;
}
} }
#ifdef FORWARD #ifdef FORWARD
void void
kerberos5_forward(ap) kerberos5_forward(Authenticator *ap)
Authenticator *ap;
{ {
struct hostent *hp; struct hostent *hp;
krb5_creds *local_creds; krb5_creds *local_creds;
@@ -651,31 +512,31 @@ kerberos5_forward(ap)
if (!(local_creds = (krb5_creds *) if (!(local_creds = (krb5_creds *)
calloc(1, sizeof(*local_creds)))) { calloc(1, sizeof(*local_creds)))) {
if (auth_debug_mode) if (auth_debug_mode)
printf("Kerberos V5: could not allocate memory for credentials\r\n"); printf("Kerberos V5: could not allocate memory for credentials\r\n");
return; return;
} }
if (r = krb5_sname_to_principal(RemoteHostName, "host", 1, if (r = krb5_sname_to_principal(context, RemoteHostName, "host", 1,
&local_creds->server)) { &local_creds->server)) {
if (auth_debug_mode) if (auth_debug_mode)
printf("Kerberos V5: could not build server name - %s\r\n", printf("Kerberos V5: could not build server name - %s\r\n",
error_message(r)); error_message(r));
krb5_free_creds(local_creds); krb5_free_creds(local_creds);
return; return;
} }
if (r = krb5_cc_default(&ccache)) { if (r = krb5_cc_default(&ccache)) {
if (auth_debug_mode) if (auth_debug_mode)
printf("Kerberos V5: could not get default ccache - %s\r\n", printf("Kerberos V5: could not get default ccache - %s\r\n",
error_message(r)); error_message(r));
krb5_free_creds(local_creds); krb5_free_creds(local_creds);
return; return;
} }
if (r = krb5_cc_get_principal(ccache, &local_creds->client)) { if (r = krb5_cc_get_principal(ccache, &local_creds->client)) {
if (auth_debug_mode) if (auth_debug_mode)
printf("Kerberos V5: could not get default principal - %s\r\n", printf("Kerberos V5: could not get default principal - %s\r\n",
error_message(r)); error_message(r));
krb5_free_creds(local_creds); krb5_free_creds(local_creds);
return; return;
} }
@@ -683,8 +544,8 @@ kerberos5_forward(ap)
/* Get ticket from credentials cache */ /* Get ticket from credentials cache */
if (r = krb5_get_credentials(KRB5_GC_CACHED, ccache, local_creds)) { if (r = krb5_get_credentials(KRB5_GC_CACHED, ccache, local_creds)) {
if (auth_debug_mode) if (auth_debug_mode)
printf("Kerberos V5: could not obtain credentials - %s\r\n", printf("Kerberos V5: could not obtain credentials - %s\r\n",
error_message(r)); error_message(r));
krb5_free_creds(local_creds); krb5_free_creds(local_creds);
return; return;
} }
@@ -697,8 +558,8 @@ kerberos5_forward(ap)
forward_flags & OPTS_FORWARDABLE_CREDS, forward_flags & OPTS_FORWARDABLE_CREDS,
&forw_creds)) { &forw_creds)) {
if (auth_debug_mode) if (auth_debug_mode)
printf("Kerberos V5: error getting forwarded creds - %s\r\n", printf("Kerberos V5: error getting forwarded creds - %s\r\n",
error_message(r)); error_message(r));
krb5_free_creds(local_creds); krb5_free_creds(local_creds);
return; return;
} }
@@ -706,11 +567,11 @@ kerberos5_forward(ap)
/* Send forwarded credentials */ /* Send forwarded credentials */
if (!Data(ap, KRB_FORWARD, forw_creds.data, forw_creds.length)) { if (!Data(ap, KRB_FORWARD, forw_creds.data, forw_creds.length)) {
if (auth_debug_mode) if (auth_debug_mode)
printf("Not enough room for authentication data\r\n"); printf("Not enough room for authentication data\r\n");
} }
else { else {
if (auth_debug_mode) if (auth_debug_mode)
printf("Forwarded local Kerberos V5 credentials to server\r\n"); printf("Forwarded local Kerberos V5 credentials to server\r\n");
} }
krb5_free_creds(local_creds); krb5_free_creds(local_creds);