kerberos5.c revision 1.2
1 1.1 cgd /*- 2 1.1 cgd * Copyright (c) 1991 The Regents of the University of California. 3 1.1 cgd * All rights reserved. 4 1.1 cgd * 5 1.1 cgd * Redistribution and use in source and binary forms, with or without 6 1.1 cgd * modification, are permitted provided that the following conditions 7 1.1 cgd * are met: 8 1.1 cgd * 1. Redistributions of source code must retain the above copyright 9 1.1 cgd * notice, this list of conditions and the following disclaimer. 10 1.1 cgd * 2. Redistributions in binary form must reproduce the above copyright 11 1.1 cgd * notice, this list of conditions and the following disclaimer in the 12 1.1 cgd * documentation and/or other materials provided with the distribution. 13 1.1 cgd * 3. All advertising materials mentioning features or use of this software 14 1.1 cgd * must display the following acknowledgement: 15 1.1 cgd * This product includes software developed by the University of 16 1.1 cgd * California, Berkeley and its contributors. 17 1.1 cgd * 4. Neither the name of the University nor the names of its contributors 18 1.1 cgd * may be used to endorse or promote products derived from this software 19 1.1 cgd * without specific prior written permission. 20 1.1 cgd * 21 1.1 cgd * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 1.1 cgd * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 1.1 cgd * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 1.1 cgd * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 1.1 cgd * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 1.1 cgd * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 1.1 cgd * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 1.1 cgd * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 1.1 cgd * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 1.1 cgd * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 1.1 cgd * SUCH DAMAGE. 32 1.1 cgd */ 33 1.1 cgd 34 1.1 cgd #ifndef lint 35 1.2 mycroft /*static char sccsid[] = "from: @(#)kerberos5.c 5.2 (Berkeley) 3/22/91";*/ 36 1.2 mycroft static char rcsid[] = "$Id: kerberos5.c,v 1.2 1993/08/01 18:32:34 mycroft Exp $"; 37 1.1 cgd #endif /* not lint */ 38 1.1 cgd 39 1.1 cgd /* 40 1.1 cgd * Copyright (C) 1990 by the Massachusetts Institute of Technology 41 1.1 cgd * 42 1.1 cgd * Export of this software from the United States of America is assumed 43 1.1 cgd * to require a specific license from the United States Government. 44 1.1 cgd * It is the responsibility of any person or organization contemplating 45 1.1 cgd * export to obtain such a license before exporting. 46 1.1 cgd * 47 1.1 cgd * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 48 1.1 cgd * distribute this software and its documentation for any purpose and 49 1.1 cgd * without fee is hereby granted, provided that the above copyright 50 1.1 cgd * notice appear in all copies and that both that copyright notice and 51 1.1 cgd * this permission notice appear in supporting documentation, and that 52 1.1 cgd * the name of M.I.T. not be used in advertising or publicity pertaining 53 1.1 cgd * to distribution of the software without specific, written prior 54 1.1 cgd * permission. M.I.T. makes no representations about the suitability of 55 1.1 cgd * this software for any purpose. It is provided "as is" without express 56 1.1 cgd * or implied warranty. 57 1.1 cgd */ 58 1.1 cgd 59 1.1 cgd 60 1.1 cgd #ifdef KRB5 61 1.1 cgd #include <arpa/telnet.h> 62 1.1 cgd #include <stdio.h> 63 1.1 cgd #include <krb5/krb5.h> 64 1.1 cgd #include <krb5/crc-32.h> 65 1.1 cgd #include <krb5/libos-proto.h> 66 1.1 cgd #include <netdb.h> 67 1.1 cgd #include <ctype.h> 68 1.1 cgd 69 1.1 cgd #ifdef __STDC__ 70 1.1 cgd #include <stdlib.h> 71 1.1 cgd #endif 72 1.1 cgd #ifdef NO_STRING_H 73 1.1 cgd #include <strings.h> 74 1.1 cgd #else 75 1.1 cgd #include <string.h> 76 1.1 cgd #endif 77 1.1 cgd 78 1.1 cgd #include "encrypt.h" 79 1.1 cgd #include "auth.h" 80 1.1 cgd #include "misc.h" 81 1.1 cgd 82 1.1 cgd extern auth_debug_mode; 83 1.1 cgd 84 1.1 cgd char *malloc(); 85 1.1 cgd 86 1.1 cgd static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, 87 1.1 cgd AUTHTYPE_KERBEROS_V5, }; 88 1.1 cgd static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 89 1.1 cgd TELQUAL_NAME, }; 90 1.1 cgd 91 1.1 cgd #define KRB_AUTH 0 /* Authentication data follows */ 92 1.1 cgd #define KRB_REJECT 1 /* Rejected (reason might follow) */ 93 1.1 cgd #define KRB_ACCEPT 2 /* Accepted */ 94 1.1 cgd #define KRB_CHALLANGE 3 /* Challange for mutual auth. */ 95 1.1 cgd #define KRB_RESPONSE 4 /* Response for mutual auth. */ 96 1.1 cgd 97 1.1 cgd static krb5_data auth; 98 1.1 cgd /* telnetd gets session key from here */ 99 1.1 cgd static krb5_tkt_authent *authdat = NULL; 100 1.1 cgd 101 1.1 cgd #if defined(ENCRYPT) 102 1.1 cgd Block session_key; 103 1.1 cgd #endif 104 1.1 cgd static Schedule sched; 105 1.1 cgd static Block challange; 106 1.1 cgd 107 1.1 cgd static int 108 1.1 cgd Data(ap, type, d, c) 109 1.1 cgd Authenticator *ap; 110 1.1 cgd int type; 111 1.1 cgd void *d; 112 1.1 cgd int c; 113 1.1 cgd { 114 1.1 cgd unsigned char *p = str_data + 4; 115 1.1 cgd unsigned char *cd = (unsigned char *)d; 116 1.1 cgd 117 1.1 cgd if (c == -1) 118 1.1 cgd c = strlen((char *)cd); 119 1.1 cgd 120 1.1 cgd if (auth_debug_mode) { 121 1.1 cgd printf("%s:%d: [%d] (%d)", 122 1.1 cgd str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", 123 1.1 cgd str_data[3], 124 1.1 cgd type, c); 125 1.1 cgd printd(d, c); 126 1.1 cgd printf("\r\n"); 127 1.1 cgd } 128 1.1 cgd *p++ = ap->type; 129 1.1 cgd *p++ = ap->way; 130 1.1 cgd *p++ = type; 131 1.1 cgd while (c-- > 0) { 132 1.1 cgd if ((*p++ = *cd++) == IAC) 133 1.1 cgd *p++ = IAC; 134 1.1 cgd } 135 1.1 cgd *p++ = IAC; 136 1.1 cgd *p++ = SE; 137 1.1 cgd if (str_data[3] == TELQUAL_IS) 138 1.1 cgd printsub('>', &str_data[2], p - &str_data[2]); 139 1.1 cgd return(net_write(str_data, p - str_data)); 140 1.1 cgd } 141 1.1 cgd 142 1.1 cgd int 143 1.1 cgd kerberos5_init(ap, server) 144 1.1 cgd Authenticator *ap; 145 1.1 cgd int server; 146 1.1 cgd { 147 1.1 cgd if (server) 148 1.1 cgd str_data[3] = TELQUAL_REPLY; 149 1.1 cgd else 150 1.1 cgd str_data[3] = TELQUAL_IS; 151 1.1 cgd krb5_init_ets(); 152 1.1 cgd return(1); 153 1.1 cgd } 154 1.1 cgd 155 1.1 cgd int 156 1.1 cgd kerberos5_send(ap) 157 1.1 cgd Authenticator *ap; 158 1.1 cgd { 159 1.1 cgd char **realms; 160 1.1 cgd char *name; 161 1.1 cgd char *p1, *p2; 162 1.1 cgd krb5_checksum ksum; 163 1.1 cgd krb5_octet sum[CRC32_CKSUM_LENGTH]; 164 1.1 cgd krb5_data *server[4]; 165 1.1 cgd krb5_data srvdata[3]; 166 1.1 cgd krb5_error_code r; 167 1.1 cgd krb5_ccache ccache; 168 1.1 cgd krb5_creds creds; /* telnet gets session key from here */ 169 1.1 cgd extern krb5_flags krb5_kdc_default_options; 170 1.1 cgd 171 1.1 cgd ksum.checksum_type = CKSUMTYPE_CRC32; 172 1.1 cgd ksum.contents = sum; 173 1.1 cgd ksum.length = sizeof(sum); 174 1.1 cgd bzero((void *)sum, sizeof(sum)); 175 1.1 cgd 176 1.1 cgd if (!UserNameRequested) { 177 1.1 cgd if (auth_debug_mode) { 178 1.1 cgd printf("Kerberos V5: no user name supplied\r\n"); 179 1.1 cgd } 180 1.1 cgd return(0); 181 1.1 cgd } 182 1.1 cgd 183 1.1 cgd if (r = krb5_cc_default(&ccache)) { 184 1.1 cgd if (auth_debug_mode) { 185 1.1 cgd printf("Kerberos V5: could not get default ccache\r\n"); 186 1.1 cgd } 187 1.1 cgd return(0); 188 1.1 cgd } 189 1.1 cgd 190 1.1 cgd if ((name = malloc(strlen(RemoteHostName)+1)) == NULL) { 191 1.1 cgd if (auth_debug_mode) 192 1.1 cgd printf("Out of memory for hostname in Kerberos V5\r\n"); 193 1.1 cgd return(0); 194 1.1 cgd } 195 1.1 cgd 196 1.1 cgd if (r = krb5_get_host_realm(RemoteHostName, &realms)) { 197 1.1 cgd if (auth_debug_mode) 198 1.1 cgd printf("Kerberos V5: no realm for %s\r\n", RemoteHostName); 199 1.1 cgd free(name); 200 1.1 cgd return(0); 201 1.1 cgd } 202 1.1 cgd 203 1.1 cgd p1 = RemoteHostName; 204 1.1 cgd p2 = name; 205 1.1 cgd 206 1.1 cgd while (*p2 = *p1++) { 207 1.1 cgd if (isupper(*p2)) 208 1.1 cgd *p2 |= 040; 209 1.1 cgd ++p2; 210 1.1 cgd } 211 1.1 cgd 212 1.1 cgd srvdata[0].data = realms[0]; 213 1.1 cgd srvdata[0].length = strlen(realms[0]); 214 1.1 cgd srvdata[1].data = "rcmd"; 215 1.1 cgd srvdata[1].length = 4; 216 1.1 cgd srvdata[2].data = name; 217 1.1 cgd srvdata[2].length = p2 - name; 218 1.1 cgd 219 1.1 cgd server[0] = &srvdata[0]; 220 1.1 cgd server[1] = &srvdata[1]; 221 1.1 cgd server[2] = &srvdata[2]; 222 1.1 cgd server[3] = 0; 223 1.1 cgd 224 1.1 cgd bzero((char *)&creds, sizeof(creds)); 225 1.1 cgd creds.server = (krb5_principal)server; 226 1.1 cgd 227 1.1 cgd if (r = krb5_cc_get_principal(ccache, &creds.client)) { 228 1.1 cgd if (auth_debug_mode) { 229 1.1 cgd printf("Keberos V5: failure on principal (%d)\r\n", 230 1.1 cgd error_message(r)); 231 1.1 cgd } 232 1.1 cgd free(name); 233 1.1 cgd krb5_free_host_realm(realms); 234 1.1 cgd return(0); 235 1.1 cgd } 236 1.1 cgd 237 1.1 cgd if (r = krb5_get_credentials(krb5_kdc_default_options, ccache, &creds)) { 238 1.1 cgd if (auth_debug_mode) { 239 1.1 cgd printf("Keberos V5: failure on credentials(%d)\r\n",r); 240 1.1 cgd } 241 1.1 cgd free(name); 242 1.1 cgd krb5_free_host_realm(realms); 243 1.1 cgd return(0); 244 1.1 cgd } 245 1.1 cgd 246 1.1 cgd r = krb5_mk_req_extended(0, &ksum, &creds.times, 247 1.1 cgd krb5_kdc_default_options, 248 1.1 cgd ccache, &creds, 0, &auth); 249 1.1 cgd 250 1.1 cgd free(name); 251 1.1 cgd krb5_free_host_realm(realms); 252 1.1 cgd if (r) { 253 1.1 cgd if (auth_debug_mode) { 254 1.1 cgd printf("Keberos V5: mk_req failed\r\n"); 255 1.1 cgd } 256 1.1 cgd return(0); 257 1.1 cgd } 258 1.1 cgd 259 1.1 cgd if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) { 260 1.1 cgd if (auth_debug_mode) 261 1.1 cgd printf("Not enough room for user name\r\n"); 262 1.1 cgd return(0); 263 1.1 cgd } 264 1.1 cgd if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { 265 1.1 cgd if (auth_debug_mode) 266 1.1 cgd printf("Not enough room for authentication data\r\n"); 267 1.1 cgd return(0); 268 1.1 cgd } 269 1.1 cgd /* 270 1.1 cgd * If we are doing mutual authentication, get set up to send 271 1.1 cgd * the challange, and verify it when the response comes back. 272 1.1 cgd */ 273 1.1 cgd if (((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) 274 1.1 cgd && (creds.keyblock.keytype == KEYTYPE_DES)) { 275 1.1 cgd register int i; 276 1.1 cgd 277 1.1 cgd des_key_sched(creds.keyblock.contents, sched); 278 1.1 cgd des_set_random_generator_seed(creds.keyblock.contents); 279 1.1 cgd des_new_random_key(challange); 280 1.1 cgd des_ecb_encrypt(challange, session_key, sched, 1); 281 1.1 cgd /* 282 1.1 cgd * Increment the challange by 1, and encrypt it for 283 1.1 cgd * later comparison. 284 1.1 cgd */ 285 1.1 cgd for (i = 7; i >= 0; --i) { 286 1.1 cgd register int x; 287 1.1 cgd x = (unsigned int)challange[i] + 1; 288 1.1 cgd challange[i] = x; /* ignore overflow */ 289 1.1 cgd if (x < 256) /* if no overflow, all done */ 290 1.1 cgd break; 291 1.1 cgd } 292 1.1 cgd des_ecb_encrypt(challange, challange, sched, 1); 293 1.1 cgd } 294 1.1 cgd 295 1.1 cgd if (auth_debug_mode) { 296 1.1 cgd printf("Sent Kerberos V5 credentials to server\r\n"); 297 1.1 cgd } 298 1.1 cgd return(1); 299 1.1 cgd } 300 1.1 cgd 301 1.1 cgd void 302 1.1 cgd kerberos5_is(ap, data, cnt) 303 1.1 cgd Authenticator *ap; 304 1.1 cgd unsigned char *data; 305 1.1 cgd int cnt; 306 1.1 cgd { 307 1.1 cgd int r; 308 1.1 cgd struct hostent *hp; 309 1.1 cgd char *p1, *p2; 310 1.1 cgd static char *realm = NULL; 311 1.1 cgd krb5_data *server[4]; 312 1.1 cgd krb5_data srvdata[3]; 313 1.1 cgd Session_Key skey; 314 1.1 cgd char *name; 315 1.1 cgd char *getenv(); 316 1.1 cgd 317 1.1 cgd if (cnt-- < 1) 318 1.1 cgd return; 319 1.1 cgd switch (*data++) { 320 1.1 cgd case KRB_AUTH: 321 1.1 cgd auth.data = (char *)data; 322 1.1 cgd auth.length = cnt; 323 1.1 cgd 324 1.1 cgd if (!(hp = gethostbyname(LocalHostName))) { 325 1.1 cgd if (auth_debug_mode) 326 1.1 cgd printf("Cannot resolve local host name\r\n"); 327 1.1 cgd Data(ap, KRB_REJECT, "Unknown local hostname.", -1); 328 1.1 cgd auth_finished(ap, AUTH_REJECT); 329 1.1 cgd return; 330 1.1 cgd } 331 1.1 cgd 332 1.1 cgd if (!realm && (krb5_get_default_realm(&realm))) { 333 1.1 cgd if (auth_debug_mode) 334 1.1 cgd printf("Could not get defualt realm\r\n"); 335 1.1 cgd Data(ap, KRB_REJECT, "Could not get default realm.", -1); 336 1.1 cgd auth_finished(ap, AUTH_REJECT); 337 1.1 cgd return; 338 1.1 cgd } 339 1.1 cgd 340 1.1 cgd if ((name = malloc(strlen(hp->h_name)+1)) == NULL) { 341 1.1 cgd if (auth_debug_mode) 342 1.1 cgd printf("Out of memory for hostname in Kerberos V5\r\n"); 343 1.1 cgd Data(ap, KRB_REJECT, "Out of memory.", -1); 344 1.1 cgd auth_finished(ap, AUTH_REJECT); 345 1.1 cgd return; 346 1.1 cgd } 347 1.1 cgd 348 1.1 cgd p1 = hp->h_name; 349 1.1 cgd p2 = name; 350 1.1 cgd 351 1.1 cgd while (*p2 = *p1++) { 352 1.1 cgd if (isupper(*p2)) 353 1.1 cgd *p2 |= 040; 354 1.1 cgd ++p2; 355 1.1 cgd } 356 1.1 cgd 357 1.1 cgd srvdata[0].data = realm; 358 1.1 cgd srvdata[0].length = strlen(realm); 359 1.1 cgd srvdata[1].data = "rcmd"; 360 1.1 cgd srvdata[1].length = 4; 361 1.1 cgd srvdata[2].data = name; 362 1.1 cgd srvdata[2].length = p2 - name; 363 1.1 cgd 364 1.1 cgd server[0] = &srvdata[0]; 365 1.1 cgd server[1] = &srvdata[1]; 366 1.1 cgd server[2] = &srvdata[2]; 367 1.1 cgd server[3] = 0; 368 1.1 cgd 369 1.1 cgd if (authdat) 370 1.1 cgd krb5_free_tkt_authent(authdat); 371 1.1 cgd if (r = krb5_rd_req_simple(&auth, server, 0, &authdat)) { 372 1.1 cgd char errbuf[128]; 373 1.1 cgd 374 1.1 cgd authdat = 0; 375 1.1 cgd (void) strcpy(errbuf, "Read req failed: "); 376 1.1 cgd (void) strcat(errbuf, error_message(r)); 377 1.1 cgd Data(ap, KRB_REJECT, errbuf, -1); 378 1.1 cgd if (auth_debug_mode) 379 1.1 cgd printf("%s\r\n", errbuf); 380 1.1 cgd return; 381 1.1 cgd } 382 1.1 cgd free(name); 383 1.1 cgd if (krb5_unparse_name(authdat->ticket->enc_part2 ->client, 384 1.1 cgd &name)) 385 1.1 cgd name = 0; 386 1.1 cgd Data(ap, KRB_ACCEPT, name, name ? -1 : 0); 387 1.1 cgd if (auth_debug_mode) { 388 1.1 cgd printf("Kerberos5 accepting him as ``%s''\r\n", 389 1.1 cgd name ? name : ""); 390 1.1 cgd } 391 1.1 cgd auth_finished(ap, AUTH_USER); 392 1.1 cgd if (authdat->ticket->enc_part2->session->keytype != KEYTYPE_DES) 393 1.1 cgd break; 394 1.1 cgd bcopy((void *)authdat->ticket->enc_part2->session->contents, 395 1.1 cgd (void *)session_key, sizeof(Block)); 396 1.1 cgd break; 397 1.1 cgd 398 1.1 cgd case KRB_CHALLANGE: 399 1.1 cgd if (!VALIDKEY(session_key)) { 400 1.1 cgd /* 401 1.1 cgd * We don't have a valid session key, so just 402 1.1 cgd * send back a response with an empty session 403 1.1 cgd * key. 404 1.1 cgd */ 405 1.1 cgd Data(ap, KRB_RESPONSE, (void *)0, 0); 406 1.1 cgd break; 407 1.1 cgd } 408 1.1 cgd 409 1.1 cgd des_key_sched(session_key, sched); 410 1.1 cgd bcopy((void *)data, (void *)datablock, sizeof(Block)); 411 1.1 cgd /* 412 1.1 cgd * Take the received encrypted challange, and encrypt 413 1.1 cgd * it again to get a unique session_key for the 414 1.1 cgd * ENCRYPT option. 415 1.1 cgd */ 416 1.1 cgd des_ecb_encrypt(datablock, session_key, sched, 1); 417 1.1 cgd skey.type = SK_DES; 418 1.1 cgd skey.length = 8; 419 1.1 cgd skey.data = session_key; 420 1.1 cgd encrypt_session_key(&skey, 1); 421 1.1 cgd /* 422 1.1 cgd * Now decrypt the received encrypted challange, 423 1.1 cgd * increment by one, re-encrypt it and send it back. 424 1.1 cgd */ 425 1.1 cgd des_ecb_encrypt(datablock, challange, sched, 0); 426 1.1 cgd for (r = 7; r >= 0; r++) { 427 1.1 cgd register int t; 428 1.1 cgd t = (unsigned int)challange[r] + 1; 429 1.1 cgd challange[r] = t; /* ignore overflow */ 430 1.1 cgd if (t < 256) /* if no overflow, all done */ 431 1.1 cgd break; 432 1.1 cgd } 433 1.1 cgd des_ecb_encrypt(challange, challange, sched, 1); 434 1.1 cgd Data(ap, KRB_RESPONSE, (void *)challange, sizeof(challange)); 435 1.1 cgd break; 436 1.1 cgd 437 1.1 cgd default: 438 1.1 cgd if (auth_debug_mode) 439 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 440 1.1 cgd Data(ap, KRB_REJECT, 0, 0); 441 1.1 cgd break; 442 1.1 cgd } 443 1.1 cgd } 444 1.1 cgd 445 1.1 cgd void 446 1.1 cgd kerberos5_reply(ap, data, cnt) 447 1.1 cgd Authenticator *ap; 448 1.1 cgd unsigned char *data; 449 1.1 cgd int cnt; 450 1.1 cgd { 451 1.1 cgd Session_Key skey; 452 1.1 cgd 453 1.1 cgd if (cnt-- < 1) 454 1.1 cgd return; 455 1.1 cgd switch (*data++) { 456 1.1 cgd case KRB_REJECT: 457 1.1 cgd if (cnt > 0) { 458 1.1 cgd printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", 459 1.1 cgd cnt, data); 460 1.1 cgd } else 461 1.1 cgd printf("[ Kerberos V5 refuses authentication ]\r\n"); 462 1.1 cgd auth_send_retry(); 463 1.1 cgd return; 464 1.1 cgd case KRB_ACCEPT: 465 1.1 cgd printf("[ Kerberos V5 accepts you ]\n", cnt, data); 466 1.1 cgd if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 467 1.1 cgd /* 468 1.1 cgd * Send over the encrypted challange. 469 1.1 cgd */ 470 1.1 cgd Data(ap, KRB_CHALLANGE, (void *)session_key, 471 1.1 cgd sizeof(session_key)); 472 1.1 cgd #if defined(ENCRYPT) 473 1.1 cgd des_ecb_encrypt(session_key, session_key, sched, 1); 474 1.1 cgd skey.type = SK_DES; 475 1.1 cgd skey.length = 8; 476 1.1 cgd skey.data = session_key; 477 1.1 cgd encrypt_session_key(&skey, 0); 478 1.1 cgd #endif 479 1.1 cgd return; 480 1.1 cgd } 481 1.1 cgd auth_finished(ap, AUTH_USER); 482 1.1 cgd return; 483 1.1 cgd case KRB_RESPONSE: 484 1.1 cgd /* 485 1.1 cgd * Verify that the response to the challange is correct. 486 1.1 cgd */ 487 1.1 cgd if ((cnt != sizeof(Block)) || 488 1.1 cgd (0 != memcmp((void *)data, (void *)challange, 489 1.1 cgd sizeof(challange)))) 490 1.1 cgd { 491 1.1 cgd printf("[ Kerberos V5 challange failed!!! ]\r\n"); 492 1.1 cgd auth_send_retry(); 493 1.1 cgd return; 494 1.1 cgd } 495 1.1 cgd printf("[ Kerberos V5 challange successful ]\r\n"); 496 1.1 cgd auth_finished(ap, AUTH_USER); 497 1.1 cgd break; 498 1.1 cgd default: 499 1.1 cgd if (auth_debug_mode) 500 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 501 1.1 cgd return; 502 1.1 cgd } 503 1.1 cgd } 504 1.1 cgd 505 1.1 cgd int 506 1.1 cgd kerberos5_status(ap, name, level) 507 1.1 cgd Authenticator *ap; 508 1.1 cgd char *name; 509 1.1 cgd int level; 510 1.1 cgd { 511 1.1 cgd if (level < AUTH_USER) 512 1.1 cgd return(level); 513 1.1 cgd 514 1.1 cgd if (UserNameRequested && 515 1.1 cgd krb5_kuserok(authdat->ticket->enc_part2->client, UserNameRequested)) 516 1.1 cgd { 517 1.1 cgd strcpy(name, UserNameRequested); 518 1.1 cgd return(AUTH_VALID); 519 1.1 cgd } else 520 1.1 cgd return(AUTH_USER); 521 1.1 cgd } 522 1.1 cgd 523 1.1 cgd #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} 524 1.1 cgd #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len));} 525 1.1 cgd 526 1.1 cgd void 527 1.1 cgd kerberos5_printsub(data, cnt, buf, buflen) 528 1.1 cgd unsigned char *data, *buf; 529 1.1 cgd int cnt, buflen; 530 1.1 cgd { 531 1.1 cgd char lbuf[32]; 532 1.1 cgd register int i; 533 1.1 cgd 534 1.1 cgd buf[buflen-1] = '\0'; /* make sure its NULL terminated */ 535 1.1 cgd buflen -= 1; 536 1.1 cgd 537 1.1 cgd switch(data[3]) { 538 1.1 cgd case KRB_REJECT: /* Rejected (reason might follow) */ 539 1.1 cgd strncpy((char *)buf, " REJECT ", buflen); 540 1.1 cgd goto common; 541 1.1 cgd 542 1.1 cgd case KRB_ACCEPT: /* Accepted (name might follow) */ 543 1.1 cgd strncpy((char *)buf, " ACCEPT ", buflen); 544 1.1 cgd common: 545 1.1 cgd BUMP(buf, buflen); 546 1.1 cgd if (cnt <= 4) 547 1.1 cgd break; 548 1.1 cgd ADDC(buf, buflen, '"'); 549 1.1 cgd for (i = 4; i < cnt; i++) 550 1.1 cgd ADDC(buf, buflen, data[i]); 551 1.1 cgd ADDC(buf, buflen, '"'); 552 1.1 cgd ADDC(buf, buflen, '\0'); 553 1.1 cgd break; 554 1.1 cgd 555 1.1 cgd case KRB_AUTH: /* Authentication data follows */ 556 1.1 cgd strncpy((char *)buf, " AUTH", buflen); 557 1.1 cgd goto common2; 558 1.1 cgd 559 1.1 cgd case KRB_CHALLANGE: 560 1.1 cgd strncpy((char *)buf, " CHALLANGE", buflen); 561 1.1 cgd goto common2; 562 1.1 cgd 563 1.1 cgd case KRB_RESPONSE: 564 1.1 cgd strncpy((char *)buf, " RESPONSE", buflen); 565 1.1 cgd goto common2; 566 1.1 cgd 567 1.1 cgd default: 568 1.1 cgd sprintf(lbuf, " %d (unknown)", data[3]); 569 1.1 cgd strncpy((char *)buf, lbuf, buflen); 570 1.1 cgd common2: 571 1.1 cgd BUMP(buf, buflen); 572 1.1 cgd for (i = 4; i < cnt; i++) { 573 1.1 cgd sprintf(lbuf, " %d", data[i]); 574 1.1 cgd strncpy((char *)buf, lbuf, buflen); 575 1.1 cgd BUMP(buf, buflen); 576 1.1 cgd } 577 1.1 cgd break; 578 1.1 cgd } 579 1.1 cgd } 580 1.1 cgd #endif 581
Indexes created Thu Oct 02 14:10:14 GMT 2025