oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

remove lots of old junk. clean-up. better error checking and

Browse Source 
reporting.  tell the user permission denied much earlier.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@3645 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
1997-10-20 03:47:29 +00:00
parent 71edba320d
commit 538f872b84
1 changed files with 214 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

379
appl/telnet/libtelnet/kerberos5.c
View File

@@ -69,14 +69,11 @@ RCSID("$Id$");
#include <socks.h> #include <socks.h>
#endif #endif
/* kerberos 5 include files (ext-proto.h) will get an appropriate stdlib.h
and string.h/strings.h */
#include "encrypt.h" #include "encrypt.h"
#include "auth.h" #include "auth.h"
#include "misc.h" #include "misc.h"
extern auth_debug_mode; extern int auth_debug_mode;
/* where should this really reside? */ /* where should this really reside? */
@@ -98,8 +95,6 @@ void kerberos5_forward (Authenticator *);
static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
AUTHTYPE_KERBEROS_V5, }; AUTHTYPE_KERBEROS_V5, };
/*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
TELQUAL_NAME, };*/
#define KRB_AUTH 0 /* Authentication data follows */ #define KRB_AUTH 0 /* Authentication data follows */
#define KRB_REJECT 1 /* Rejected (reason might follow) */ #define KRB_REJECT 1 /* Rejected (reason might follow) */
@@ -122,11 +117,6 @@ static krb5_ticket *ticket;
static krb5_context context; static krb5_context context;
static krb5_auth_context auth_context; static krb5_auth_context auth_context;
/* some compilers can't hack void *, so we use the Kerberos krb5_pointer,
which is either void * or char *, depending on the compiler. */
des_cblock session_key;
static int static int
Data(Authenticator *ap, int type, void *d, int c) Data(Authenticator *ap, int type, void *d, int c)
{ {
@@ -172,7 +162,7 @@ kerberos5_init(Authenticator *ap, int server)
static int static int
kerberos5_send(char *name, Authenticator *ap) kerberos5_send(char *name, Authenticator *ap)
{ {
krb5_error_code r; krb5_error_code ret;
krb5_ccache ccache; krb5_ccache ccache;
int ap_opts; int ap_opts;
krb5_data cksum_data; krb5_data cksum_data;
@@ -186,11 +176,13 @@ kerberos5_send(char *name, Authenticator *ap)
return(0); return(0);
} }
if (r = krb5_cc_default(context, &ccache)) { ret = krb5_cc_default(context, &ccache);
if (ret) {
if (auth_debug_mode) { if (auth_debug_mode) {
printf("Kerberos V5: could not get default ccache\r\n"); printf("Kerberos V5: could not get default ccache: %s\r\n",
krb5_get_err_text (context, ret));
} }
return(0); return 0;
} }
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
@@ -205,14 +197,14 @@ kerberos5_send(char *name, Authenticator *ap)
cksum_data.length = sizeof(foo); cksum_data.length = sizeof(foo);
cksum_data.data = foo; cksum_data.data = foo;
r = krb5_mk_req(context, &auth_context, ap_opts, ret = krb5_mk_req(context, &auth_context, ap_opts,
"host", RemoteHostName, "host", RemoteHostName,
&cksum_data, ccache, &auth); &cksum_data, ccache, &auth);
if (r) { if (ret) {
if (auth_debug_mode) { if (auth_debug_mode) {
printf("Kerberos V5: mk_req failed (%s)\r\n", printf("Kerberos V5: mk_req failed (%s)\r\n",
krb5_get_err_text(context, r)); krb5_get_err_text(context, ret));
} }
return(0); return(0);
} }
@@ -248,11 +240,12 @@ kerberos5_send_oneway(Authenticator *ap)
void void
kerberos5_is(Authenticator *ap, unsigned char *data, int cnt) kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
{ {
int r; krb5_error_code ret;
krb5_data outbuf; krb5_data outbuf;
krb5_keyblock *key_block; krb5_keyblock *key_block;
char *name; char *name;
krb5_principal server; krb5_principal server;
krb5_authenticator authenticator;
if (cnt-- < 1) if (cnt-- < 1)
return; return;
@@ -263,43 +256,60 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
auth_context = NULL; auth_context = NULL;
r = krb5_auth_con_init (context, &auth_context); ret = krb5_auth_con_init (context, &auth_context);
if (r) if (ret) {
abort (); Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
ret = krb5_auth_con_setaddrs_from_fd (context,
auth_context,
0);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
r = krb5_auth_con_setaddrs_from_fd (context, ret = krb5_sock_to_principal (context,
auth_context, 0,
0); "host",
if (r) KRB5_NT_SRV_HST,
abort (); &server);
if (ret) {
Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_sock_to_principal failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
r = krb5_sock_to_principal (context, ret = krb5_rd_req(context,
0, &auth_context,
"host", &auth,
KRB5_NT_SRV_HST, server,
&server); NULL,
if (r) NULL,
abort (); &ticket);
r = krb5_rd_req(context,
&auth_context,
&auth,
server,
NULL,
NULL,
&ticket);
krb5_free_principal (context, server); krb5_free_principal (context, server);
if (r) { if (ret) {
char *errbuf; char *errbuf;
errout:
authdat = 0; authdat = 0;
asprintf(&errbuf, asprintf(&errbuf,
"Read req failed: %s", "Read req failed: %s",
krb5_get_err_text(context, r)); krb5_get_err_text(context, ret));
Data(ap, KRB_REJECT, errbuf, -1); Data(ap, KRB_REJECT, errbuf, -1);
if (auth_debug_mode) if (auth_debug_mode)
printf("%s\r\n", errbuf); printf("%s\r\n", errbuf);
@@ -307,77 +317,119 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
return; return;
} }
r = krb5_auth_con_getkey(context, auth_context, &key_block); ret = krb5_auth_con_getkey(context, auth_context, &key_block);
if(r){ if (ret) {
abort (); Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_con_getkey failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
} }
{ ret = krb5_auth_getauthenticator (context,
krb5_authenticator authenticator; auth_context,
&authenticator);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_getauthenticator failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_getauthenticator failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
r = krb5_auth_getauthenticator (context, if (authenticator->cksum) {
auth_context, char foo[2];
&authenticator);
if (r)
abort ();
if (authenticator->cksum) {
char foo[2];
foo[0] = ap->type; foo[0] = ap->type;
foo[1] = ap->way; foo[1] = ap->way;
r = krb5_verify_checksum (context, ret = krb5_verify_checksum (context,
foo, foo,
sizeof(foo), sizeof(foo),
key_block, key_block,
authenticator->cksum); authenticator->cksum);
if (r) { if (ret) {
Data(ap, KRB_REJECT, "No checksum", -1); Data(ap, KRB_REJECT, "No checksum", -1);
if (auth_debug_mode) if (auth_debug_mode)
printf ("No checksum\r\n"); printf ("No checksum\r\n");
krb5_free_authenticator (context, krb5_free_authenticator (context,
&authenticator); &authenticator);
return; return;
}
} }
krb5_free_authenticator (context, }
&authenticator); krb5_free_authenticator (context,
&authenticator);
ret = krb5_auth_con_getremotesubkey (context,
auth_context,
&key_block);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_con_getremotesubkey failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
} }
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
r = krb5_mk_rep(context, &auth_context, &outbuf); ret = krb5_mk_rep(context, &auth_context, &outbuf);
if(r){ if (ret) {
abort (); Data(ap, KRB_REJECT,
"krb5_mk_rep failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_mk_rep failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
} }
Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
} }
if (krb5_unparse_name(context, ticket->client, &name)) if (krb5_unparse_name(context, ticket->client, &name))
name = 0; name = 0;
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) { if(UserNameRequested && krb5_kuserok(context,
printf("Kerberos5 identifies him as ``%s''\r\n", ticket->client,
name ? name : ""); UserNameRequested)) {
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
printf("Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
if(key_block->keytype == KEYTYPE_DES) {
Session_Key skey;
skey.type = SK_DES;
skey.length = 8;
skey.data = key_block->keyvalue.data;
encrypt_session_key(&skey, 0);
}
} else {
char *msg;
asprintf (&msg, "user `%s' is not authorized to "
"login as `%s'",
name ? name : "<unknown>",
UserNameRequested ? UserNameRequested : "<nobody>");
if (msg == NULL)
Data(ap, KRB_REJECT, NULL, 0);
else {
Data(ap, KRB_REJECT, (void *)msg, -1);
free(msg);
}
} }
auth_finished(ap, AUTH_USER); auth_finished(ap, AUTH_USER);
r = krb5_auth_con_getremotesubkey (context,
auth_context,
&key_block);
if(key_block->keytype == KEYTYPE_DES){
Session_Key skey;
skey.type = SK_DES;
skey.length = 8;
skey.data = key_block->keyvalue.data;
encrypt_session_key(&skey, 0);
#if 0
memcpy(&session_key, key_block->contents.data,
sizeof(session_key));
#endif
}
krb5_free_keyblock(context, key_block); krb5_free_keyblock(context, key_block);
break; break;
@@ -397,34 +449,38 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
snprintf (ccname, sizeof(ccname), snprintf (ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%u", pwd->pw_uid); "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
r = krb5_cc_resolve (context, ccname, &ccache); ret = krb5_cc_resolve (context, ccname, &ccache);
if (r) { if (ret) {
if (auth_debug_mode) if (auth_debug_mode)
printf ("Kerberos V5: could not get ccache\r\n"); printf ("Kerberos V5: could not get ccache: %s\r\n",
krb5_get_err_text(context, ret));
break; break;
} }
r = krb5_cc_initialize (context, ret = krb5_cc_initialize (context,
ccache, ccache,
ticket->client); ticket->client);
if (r) { if (ret) {
if (auth_debug_mode) if (auth_debug_mode)
printf ("Kerberos V5: could not init ccache\r\n"); printf ("Kerberos V5: could not init ccache: %s\r\n",
krb5_get_err_text(context, ret));
break; break;
} }
ret = krb5_rd_cred (context,
r = krb5_rd_cred (context, auth_context,
auth_context, ccache,
ccache, &inbuf);
&inbuf); if(ret) {
if(r) {
char *errbuf; char *errbuf;
asprintf (&errbuf, asprintf (&errbuf,
"Read forwarded creds failed: %s", "Read forwarded creds failed: %s",
krb5_get_err_text (context, r)); krb5_get_err_text (context, ret));
Data(ap, KRB_FORWARD_REJECT, errbuf, -1); if(errbuf == NULL)
Data(ap, KRB_FORWARD_REJECT, NULL, 0);
else
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode) if (auth_debug_mode)
printf("Could not read forwarded credentials: %s\r\n", printf("Could not read forwarded credentials: %s\r\n",
errbuf); errbuf);
@@ -448,7 +504,6 @@ kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
void void
kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt) kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
{ {
Session_Key skey;
static int mutual_complete = 0; static int mutual_complete = 0;
if (cnt-- < 1) if (cnt-- < 1)
@@ -462,7 +517,11 @@ kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
printf("[ Kerberos V5 refuses authentication ]\r\n"); printf("[ Kerberos V5 refuses authentication ]\r\n");
auth_send_retry(); auth_send_retry();
return; return;
case KRB_ACCEPT: case KRB_ACCEPT: {
krb5_error_code ret;
Session_Key skey;
krb5_keyblock *keyblock;
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
!mutual_complete) { !mutual_complete) {
printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n"); printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
@@ -473,62 +532,52 @@ kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data); printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
else else
printf("[ Kerberos V5 accepts you ]\r\n"); printf("[ Kerberos V5 accepts you ]\r\n");
ret = krb5_auth_con_getlocalsubkey (context,
auth_context,
&keyblock);
if (ret)
ret = krb5_auth_con_getkey (context,
auth_context,
&keyblock);
if(ret) {
printf("[ krb5_auth_con_getkey: %s ]\r\n",
krb5_get_err_text(context, ret));
auth_send_retry();
return;
}
skey.type = SK_DES;
skey.length = 8;
skey.data = keyblock->keyvalue.data;
encrypt_session_key(&skey, 0);
krb5_free_keyblock (context, keyblock);
auth_finished(ap, AUTH_USER); auth_finished(ap, AUTH_USER);
#ifdef FORWARD #ifdef FORWARD
if (forward_flags & OPTS_FORWARD_CREDS) if (forward_flags & OPTS_FORWARD_CREDS)
kerberos5_forward(ap); kerberos5_forward(ap);
#endif /* FORWARD */ #endif /* FORWARD */
break; break;
}
case KRB_RESPONSE: case KRB_RESPONSE:
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
/* the rest of the reply should contain a krb_ap_rep */ /* the rest of the reply should contain a krb_ap_rep */
#if 0 krb5_ap_rep_enc_part *reply;
/*krb5_ap_rep_enc_part*/ void *reply; krb5_data inbuf;
#endif krb5_error_code ret;
EncAPRepPart *reply;
krb5_data inbuf;
krb5_error_code r;
inbuf.length = cnt; inbuf.length = cnt;
inbuf.data = (char *)data; inbuf.data = (char *)data;
if (r = krb5_rd_rep(context, auth_context, &inbuf, &reply)) { ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
printf("[ Mutual authentication failed: %s ]\r\n", if (ret) {
krb5_get_err_text (context, r)); printf("[ Mutual authentication failed: %s ]\r\n",
auth_send_retry(); krb5_get_err_text (context, ret));
return; auth_send_retry();
} return;
#if 0 }
if (reply->ctime != authenticator.ctime || krb5_free_ap_rep_enc_part(context, reply);
reply->cusec != authenticator.cusec) { mutual_complete = 1;
printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\r\n");
auth_send_retry();
return;
}
#endif
krb5_free_ap_rep_enc_part(context, reply);
{
Session_Key skey;
krb5_keyblock *keyblock;
r = krb5_auth_con_getlocalsubkey (context,
auth_context,
&keyblock);
if (r)
r = krb5_auth_con_getkey (context,
auth_context,
&keyblock);
if (r) {
abort ();
}
skey.type = SK_DES;
skey.length = 8;
skey.data = keyblock->keyvalue.data;
encrypt_session_key(&skey, 0);
krb5_free_keyblock (context, keyblock);
}
mutual_complete = 1;
} }
return; return;
#ifdef FORWARD #ifdef FORWARD