通讯/手机编程

开发平台：

Windows_Unix

ckuath.c：源码内容

/*
* Function: Callback to decrypt a block of characters
*
* Parameters:
* out - return as pointer to converted buffer.
*
* in - the buffer to convert
*
* Returns: number of characters converted.
*/
int
#ifdef CK_ANSIC
auth_decrypt(struct kstream_data_block *out,
struct kstream_data_block *in)
#else
auth_decrypt(out,in)
struct kstream_data_block *out; struct kstream_data_block *in;
#endif
{
out->ptr = in->ptr;
out->length = in->length;
return(out->length);
}
void
auth_finished(result) int result; {
extern char uidbuf[];
extern int sstelnet;
validUser = result;
switch (result) {
case AUTH_REJECT: /* Rejected */
if (sstelnet)
uidbuf[0] = '';
authentication_version = AUTHTYPE_NULL;
break;
case AUTH_UNKNOWN: /* We don't know who he is, but he's okay */
if (sstelnet)
strcpy(uidbuf,"(unknown)");
break;
case AUTH_OTHER: /* We know him, but not his name */
if (sstelnet)
strcpy(uidbuf,"(other)");
break;
case AUTH_USER: /* We know he name */
case AUTH_VALID: /* We know him, and he needs no password */
if (sstelnet)
strcpy(uidbuf,szUserNameRequested);
break;
}
}
#ifdef KRB4
#ifdef NT
void
ck_krb4_debug(int x)
{
set_krb_debug(x);
set_krb_ap_req_debug(x);
}
#endif /* NT */
int
ck_krb4_autoget_TGT(char * realm)
{
extern struct krb_op_data krb_op;
extern struct krb4_init_data krb4_init;
char passwd[PWD_SZ];
char prompt[256];
char * saverealm=NULL;
int rc = -1;
extern char * k4prprompt;
extern char * k4pwprompt;
ini_kerb(); /* Place defaults in above structs */
passwd[0] = '';
if ( krb4_init.principal == NULL ||
krb4_init.principal[0] == '') {
readtext(k4prprompt && k4prprompt[0] ?
k4prprompt :
"Kerberos 4 Principal: ",
passwd,PWD_SZ-1);
if ( passwd[0] )
makestr(&krb4_init.principal,passwd);
else
return(0);
}
/* Save realm in init structure so it can be restored */
if ( realm ) {
saverealm = krb4_init.realm;
krb4_init.realm = realm;
}
if ( passwd[0] || !(pwbuf[0] && pwflg) ) {
sprintf(prompt,k4pwprompt && k4pwprompt[0] ? k4pwprompt :
"%s@%s's Kerberos 4 Password: ",
krb4_init.principal,krb4_init.realm);
readpass(prompt,passwd,PWD_SZ-1);
} else {
ckstrncpy(passwd,pwbuf,sizeof(passwd));
#ifdef OS2
if ( pwcrypt )
ck_encrypt((char *)passwd);
#endif /* OS2 */
}
if ( passwd[0] ) {
makestr(&krb4_init.password,passwd);
rc = ck_krb4_initTGT(&krb_op, &krb4_init);
free(krb4_init.password);
krb4_init.password = NULL;
}
krb4_init.password = NULL;
memset(passwd,0,PWD_SZ);
/* restore realm to init structure if needed */
if ( saverealm )
krb4_init.realm = saverealm;
return(rc == 0);
}
char *
ck_krb4_realmofhost(char *host)
{
return (char *)krb_realmofhost(host);
}
/*
*
* K4_auth_send - gets authentication bits we need to send to KDC.
*
* Result is left in auth
*
* Returns: 0 on failure, 1 on success
*/
static int
#ifdef CK_ANSIC
k4_auth_send(void)
#else
k4_auth_send()
#endif
{
int r=0; /* Return value */
char instance[INST_SZ+1]="";
char *realm=NULL;
char tgt[4*REALM_SZ+1];
memset(instance, 0, sizeof(instance));
debug(F110,"k4_auth_send","krb_get_phost",0);
if (realm = (char *)krb_get_phost(szHostName)) {
ckstrncpy(instance, realm, INST_SZ);
}
debug(F110,"k4_auth_send","krb_get_realmofhost",0);
realm = (char *)krb_realmofhost(szHostName);
if (!realm) {
strcpy(strTmp, "Can't find realm for host "");
strcat(strTmp, szHostName);
strcat(strTmp, """);
printf("?Kerberos 4 error: %srn",strTmp);
krb4_errno = r;
makestr(&krb4_errmsg,strTmp);
return(0);
}
sprintf(tgt,"krbtgt.%s@%s",realm,realm);
r = ck_krb4_tkt_isvalid(tgt);
if ( r <= 0 && krb4_autoget )
ck_krb4_autoget_TGT(realm);
debug(F110,"k4_auth_send","krb_mk_req",0);
r = krb_mk_req(&k4_auth, krb4_d_srv ? krb4_d_srv : KRB4_SERVICE_NAME,
instance, realm, 0);
if (r == 0) {
debug(F110,"k4_auth_send","krb_get_cred",0);
r = krb_get_cred(krb4_d_srv ? krb4_d_srv : KRB4_SERVICE_NAME,
instance, realm, (CREDENTIALS *)&cred);
if (r)
debug(F111,"k4_auth_send","krb_get_cred() failed",r);
}
else
debug(F111,"k4_auth_send","krb_mk_req() failed",r);
if (r) {
strcpy(strTmp, "Can't get "");
strcat(strTmp, krb4_d_srv ? krb4_d_srv : KRB4_SERVICE_NAME);
if (instance[0] != 0) {
strcat(strTmp, ".");
strcat(strTmp, instance);
}
strcat(strTmp, "@");
strcat(strTmp, realm);
strcat(strTmp, "" ticketrn ");
strcat(strTmp, (char *)krb_get_err_text_entry(r));
debug(F111,"k4_auth_send",(char *)krb_get_err_text_entry(r),r);
printf("?Kerberos 4 error: %srn",strTmp);
krb4_errno = r;
makestr(&krb4_errmsg,krb_get_err_text_entry(krb4_errno));
return(0);
}
#ifdef OS2
if ( !szUserName[0] || !stricmp(szUserName,cred.pname) ) {
ckstrncpy(szUserName, cred.pname, UIDBUFLEN);
}
#endif /* OS2 */
krb4_errno = r;
makestr(&krb4_errmsg,krb_get_err_text_entry(krb4_errno));
debug(F110,"k4_auth_send",krb4_errmsg,0);
return(1);
}
/*
* Function: K4 parse authentication reply command
*
* Parameters:
* parsedat - the sub-command data.
*
* end_sub - index of the character in the 'parsedat' array which
* is the last byte in a sub-negotiation
*
* Returns: Kerberos error code.
*/
static int
#ifdef CK_ANSIC
k4_auth_reply(unsigned char *parsedat, int end_sub)
#else
k4_auth_reply(parsedat,end_sub) unsigned char *parsedat; int end_sub;
#endif
{
#ifdef CK_ENCRYPTION
Session_Key skey;
#ifdef MIT_CURRENT
krb5_data kdata;
krb5_enc_data encdata;
krb5_error_code code;
#endif /* MIT_CURRENT */
#endif
time_t t;
int x;
int i;
if (end_sub < 4 || parsedat[2] != AUTHTYPE_KERBEROS_V4) {
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
if (parsedat[4] == KRB_REJECT) {
strTmp[0] = 0;
for (i = 5; i <= end_sub; i++) {
if (parsedat[i] == IAC)
break;
strTmp[i-5] = parsedat[i];
strTmp[i-4] = 0;
}
if (!strTmp[0])
strcpy(strTmp, "Authentication rejected by remote machine!");
printf("Kerberos V4 authentication failed!rn%srn",strTmp);
krb4_errno = 0;
makestr(&krb4_errmsg,strTmp);
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
if (parsedat[4] == KRB_ACCEPT) {
int net_len;
if ((parsedat[3] & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY) {
sprintf(strTmp,"Kerberos V4 accepts you as %s",szUserName);
printf("%srn",strTmp);
accept_complete = 1;
krb4_errno = 0;
makestr(&krb4_errmsg,strTmp);
auth_finished(AUTH_USER);
return AUTH_SUCCESS;
}
if ((parsedat[3] & AUTH_HOW_MASK) != AUTH_HOW_MUTUAL) {
printf("Kerberos V4 authentication failed!rn");
sprintf(strTmp,
"Kerberos V4 accepted you, but didn't provide mutual authentication");
printf("%srn",strTmp);
krb4_errno = 0;
makestr(&krb4_errmsg,strTmp);
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
#ifndef REMOVE_FOR_EXPORT
#ifdef CK_ENCRYPTION
SendK4AuthSB(KRB4_CHALLENGE,k4_session_key,sizeof(k4_session_key));
/* We have sent the decrypted session key to the host as a challenge */
/* now encrypt it to restore it to its original valid DES key value */
#ifdef MIT_CURRENT
kdata.data = k4_session_key;
kdata.length = 8;
encdata.ciphertext.data = k4_session_key;
encdata.ciphertext.length = 8;
encdata.enctype = ENCTYPE_UNKNOWN;
if (code = krb5_c_encrypt(k5_context, &k4_krbkey,
0, 0, &kdata, &encdata)) {
com_err("k4_auth_reply", code,
"while encrypting session_key");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
#else /* MIT_CURRENT */
#ifdef NT
des_ecb_encrypt(k4_session_key, k4_session_key, k4_sched, 1);
#else /* NT */
des_ecb_encrypt(&k4_session_key, &k4_session_key, k4_sched, 1);
#endif /* NT */
hexdump(
"k4_auth_reply des_ecb_encrypt(k4_session_key,k4_session_key,1)",
k4_session_key,
8
);
#endif /* MIT_CURRENT */
/* And then use it to configure the encryption state machine. */
skey.type = SK_DES;
skey.length = 8;
skey.data = k4_session_key;
encrypt_session_key(&skey, AUTH_CLIENT_TO_SERVER);
#endif /* ENCRYPTION */
#endif /* REMOVE_FOR_EXPORT */
accept_complete = 1;
sprintf(strTmp,"Kerberos V4 accepts you as %s",szUserName);
printf("%srn",strTmp);
krb4_errno = 0;
makestr(&krb4_errmsg,strTmp);
auth_finished(AUTH_USER);
return AUTH_SUCCESS;
}
if (parsedat[4] == KRB4_RESPONSE) {
if (end_sub < 12) {
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
hexdump("KRB4_RESPONSE &parsedat[5]",&parsedat[5],8);
#ifdef CK_ENCRYPTION
hexdump("KRB4_RESPONSE k4_challenge",k4_challenge,8);
/* The datablock returned from the host should match the value */
/* we stored in k4_challenge. */
if (memcmp(&parsedat[5], k4_challenge, sizeof(k4_challenge)) != 0) {
printf("Kerberos V4 authentication failed!rn%srn",
"Remote machine is being impersonated!");
krb4_errno = 0;
makestr(&krb4_errmsg,"Remote machine is being impersonated!");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
#else /* ENCRYPTION */
makestr(&krb4_errmsg,"Kermit built without support for encryption.");
return AUTH_FAILURE;
#endif /* ENCRYPTION */
mutual_complete = 1;
sprintf(strTmp,"Remote machine has been mutually authenticated");
printf("%srn",strTmp);
krb4_errno = 0;
makestr(&krb4_errmsg,strTmp);
auth_finished(AUTH_USER);
return AUTH_SUCCESS;
}
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
/*
* Function: K4 parse authentication IS command
*
* Parameters:
* parsedat - the sub-command data.
*
* end_sub - index of the character in the 'parsedat' array which
* is the last byte in a sub-negotiation
*
* Returns: Kerberos error code.
*/
static int
#ifdef CK_ANSIC
k4_auth_is(unsigned char *parsedat, int end_sub)
#else
k4_auth_is(parsedat,end_sub) unsigned char *parsedat; int end_sub;
#endif
{
#ifdef CK_ENCRYPTION
Session_Key skey;
#ifdef MIT_CURRENT
Block datablock, tmpkey;
krb5_data kdata;
krb5_enc_data encdata;
krb5_error_code code;
#else /* MIT_CURRENT */
Block datablock;
#endif /* MIT_CURRENT */
#endif /* ENCRYPTION */
char realm[REALM_SZ+1];
char instance[INST_SZ];
int r = 0;
char * data = &parsedat[5];
int cnt = end_sub - 5;
extern char myipaddr[];
struct hostent *host;
struct in_addr inaddr;
int i;
if (end_sub < 4 || parsedat[2] != AUTHTYPE_KERBEROS_V4) {
debug(F110,"k4_auth_is","Not kerberos v4",0);
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
switch (parsedat[4]) {
case KRB_AUTH:
debug(F110,"k4_auth_is","KRB_AUTH",0);
if (krb_get_lrealm(realm, 1) != KSUCCESS) {
SendK4AuthSB(KRB_REJECT, (void *)"No local V4 Realm.", -1);
printf("rn? Kerberos 4 - No Local Realmrn");
debug(F110,"k4_auth_is","No local realm",0);
krb4_errno = 0;
makestr(&krb4_errmsg,"No local realm");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
debug(F110,"k4_auth_is",realm,0);
k4_auth.length = cnt;
memcpy((void *)k4_auth.dat, (void *)data, k4_auth.length);
#ifdef COMMENT
debug(F101,"kerberos4_cksum","",
kerberos4_cksum(k4_auth.dat, k4_auth.length));
#endif /* COMMENT */
hexdump("k4_auth.dat",k4_auth.dat, k4_auth.length);
/* Get Instance */
inaddr.s_addr = inet_addr(myipaddr);
host = gethostbyaddr((unsigned char *)&inaddr,4,PF_INET);
if ( host ) {
ckstrncpy(instance,host->h_name,INST_SZ);
for ( i=0;i<INST_SZ;i++ ) {
if ( instance[i] == '.' )
instance[i] = '';
else
instance[i] = tolower(instance[i]);
}
} else {
instance[0] = '*';
instance[1] = 0;
}
if (r = krb_rd_req(&k4_auth,
krb4_d_srv ? krb4_d_srv : KRB4_SERVICE_NAME,
instance, 0, &k4_adat, k4_keyfile)) {
hexdump("k4_adat", &k4_adat, sizeof(AUTH_DAT));
krb_kntoln(&k4_adat, k4_name);
sprintf(strTmp,"Kerberos failed him as %s", k4_name);
printf("%srn",strTmp);
krb4_errno = r;
makestr(&krb4_errmsg,strTmp);
SendK4AuthSB(KRB_REJECT, (void *)krb_get_err_text_entry(r), -1);
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
#ifdef CK_ENCRYPTION
memcpy((void *)k4_session_key, (void *)k4_adat.session, sizeof(Block));
hexdump("k4_auth_is k4_session_key",k4_session_key,sizeof(Block));
#endif /* ENCRYPTION */
krb_kntoln(&k4_adat, k4_name);
ckstrncpy(szUserNameAuthenticated,k4_name,128);
if (szUserNameRequested && !kuserok(&k4_adat, k4_name)) {
SendK4AuthSB(KRB_ACCEPT, (void *)0, 0);
if ( !strcmp(k4_name,szUserNameRequested) )
auth_finished(AUTH_VALID);
else
auth_finished(AUTH_USER);
accept_complete = 1;
}
else {
SendK4AuthSB(KRB_REJECT,
(void *)"user is not authorized", -1);
auth_finished(AUTH_REJECT);
krb4_errno = r;
makestr(&krb4_errmsg,"user is not authorized");
return(AUTH_FAILURE);
}
break;
case KRB4_CHALLENGE:
debug(F110,"k4_auth_is","KRB_CHALLENGE",0);
#ifndef CK_ENCRYPTION
SendK4AuthSB(KRB4_RESPONSE, (void *)0, 0);
#else /* ENCRYPTION */
if (!VALIDKEY(k4_session_key)) {
/*
* We don't have a valid session key, so just
* send back a response with an empty session
* key.
*/
SendK4AuthSB(KRB4_RESPONSE, (void *)0, 0);
mutual_complete = 1;
break;
}
/*
* Initialize the random number generator since it's
* used later on by the encryption routine.
*/
#ifdef MIT_CURRENT
kdata.data = k4_session_key;
kdata.length = 8;
if (code = krb5_c_random_seed(k5_context, &kdata)) {
com_err("k4_auth_is", code,
"while seeding random number generator");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
memcpy((void *)datablock, (void *)data, sizeof(Block));
/*
* Take the received encrypted challenge, and encrypt
* it again to get a unique session_key for the
* ENCRYPT option.
*/
k4_krbkey.enctype = ENCTYPE_DES_CBC_RAW;
k4_krbkey.length = 8;
k4_krbkey.contents = k4_session_key;
kdata.data = datablock;
kdata.length = 8;
encdata.ciphertext.data = tmpkey;
encdata.ciphertext.length = 8;
encdata.enctype = ENCTYPE_UNKNOWN;
if (code = krb5_c_encrypt(k5_context, &k4_krbkey, 0, 0,
&kdata, &encdata)) {
com_err("k4_auth_is", code, "while encrypting random key");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
skey.type = SK_DES;
skey.length = 8;
skey.data = tmpkey;
encrypt_session_key(&skey, AUTH_SERVER_TO_CLIENT);
/*
* Now decrypt the received encrypted challenge,
* increment by one, re-encrypt it and send it back.
*/
encdata.ciphertext.data = datablock;
encdata.ciphertext.length = 8;
encdata.enctype = ENCTYPE_UNKNOWN;
kdata.data = k4_challenge;
kdata.length = 8;
if (code = krb5_c_decrypt(k5_context, &k4_krbkey, 0, 0,
&encdata, &kdata)) {
com_err("k4_auth_is", code, "while decrypting challenge");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
#else /* MIT_CURRENT */
des_set_random_generator_seed(k4_session_key);
r = des_key_sched(k4_session_key, k4_sched);
if ( r == -1 ) {
printf("?Invalid DES key specified in credentialsrn");
debug(F110,"auth_is CHALLENGE",
"invalid DES Key specified in credentials",0);
} else if ( r == -2 ) {
printf("?Weak DES key specified in credentialsrn");
debug(F110,"auth_is CHALLENGE",
"weak DES Key specified in credentials",0);
} else if ( r != 0 ) {
printf("?DES Key Schedule not set by credentialsrn");
debug(F110,"auth_is CHALLENGE",
"DES Key Schedule not set by credentials",0);
}
hexdump("auth_is schedule",k4_sched,8*16);
memcpy((void *)datablock, (void *)data, sizeof(Block));
hexdump("auth_is challege",datablock,sizeof(Block));
/*
* Take the received encrypted challenge, and encrypt
* it again to get a unique k4_session_key for the
* ENCRYPT option.
*/
#ifdef NT
des_ecb_encrypt(datablock, k4_session_key, k4_sched, 1);
#else /* NT */
des_ecb_encrypt(&datablock, &k4_session_key, k4_sched, 1);
#endif /* NT */
hexdump("auth_is des_ecb_encrypt(datablock,k4_session_key,1)",
k4_session_key,8);
skey.type = SK_DES;
skey.length = 8;
skey.data = k4_session_key;
encrypt_session_key(&skey, AUTH_SERVER_TO_CLIENT);
/*
* Now decrypt the received encrypted challenge,
* increment by one, re-encrypt it and send it back.
*/
#ifdef NT
des_ecb_encrypt(datablock, k4_challenge, k4_sched, 0);
#else /* NT */
des_ecb_encrypt(&datablock, &k4_challenge, k4_sched, 0);
#endif /* NT */
hexdump("auth_is des_ecb_encrypt(datablock,k4_challenge,0)",
k4_session_key,8);
#endif /* MIT_CURRENT */
for (r = 7; r >= 0; r--) {
register int t;
t = (unsigned int)k4_challenge[r] + 1;
k4_challenge[r] = t; /* ignore overflow */
if (t < 256) /* if no overflow, all done */
break;
}
hexdump("auth_is k4_challenge+1",k4_challenge,8);
#ifdef MIT_CURRENT
kdata.data = k4_challenge;
kdata.length = 8;
encdata.ciphertext.data = k4_challenge;
encdata.ciphertext.length = 8;
encdata.enctype = ENCTYPE_UNKNOWN;
if (code = krb5_c_encrypt(k5_context, &k4_krbkey, 0, 0,
&kdata, &encdata)) {
com_err("k4_auth_is", code, "while decrypting challenge");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
#else /* MIT_CURRENT */
#ifdef NT
des_ecb_encrypt(k4_challenge, k4_challenge, k4_sched, 1);
#else /* NT */
des_ecb_encrypt(&k4_challenge, &k4_challenge, k4_sched, 1);
#endif /* NT */
hexdump("auth_is des_ecb_encrypt(k4_challenge_key,k4_challenge,1)",
k4_challenge,8);
#endif /* MIT_CURRENT */
SendK4AuthSB(KRB4_RESPONSE,(void *)k4_challenge,sizeof(k4_challenge));
#endif /* ENCRYPTION */
mutual_complete = 1;
break;
default:
if (1)
printf("Unknown Kerberos option %drn", data[-1]);
SendK4AuthSB(KRB_REJECT, 0, 0);
return(AUTH_FAILURE);
}
krb4_errno = r;
makestr(&krb4_errmsg,krb_get_err_text_entry(krb4_errno));
return(AUTH_SUCCESS);
}
#endif /* KRB4 */
#ifdef KRB5
int
ck_krb5_autoget_TGT(char * realm)
{
extern struct krb_op_data krb_op;
extern struct krb5_init_data krb5_init;
char passwd[PWD_SZ];
char prompt[64];
char * saverealm=NULL;
int rc = -1;
extern char * k5prprompt;
extern char * k5pwprompt;
ini_kerb(); /* Place defaults in above structs */
passwd[0] = '';
if ( krb5_init.principal == NULL ||
krb5_init.principal[0] == '') {
readtext(k5prprompt && k5prprompt[0] ? k5prprompt :
"Kerberos 5 Principal: ",passwd,PWD_SZ-1);
if ( passwd[0] )
makestr(&krb5_init.principal,passwd);
else
return(0);
}
/* Save realm in init structure so it can be restored */
if ( realm ) {
saverealm = krb5_init.realm;
krb5_init.realm = realm;
}
if ( passwd[0] || !(pwbuf[0] && pwflg) ) {
sprintf(prompt,k5pwprompt && k5pwprompt[0] ? k5pwprompt :
"%s@%s's Kerberos 5 Password: ",
krb5_init.principal,krb5_init.realm);
readpass(prompt,passwd,PWD_SZ-1);
} else {
ckstrncpy(passwd,pwbuf,sizeof(passwd));
#ifdef OS2
if ( pwcrypt )
ck_encrypt((char *)passwd);
#endif /* OS2 */
}
if ( passwd[0] ) {
makestr(&krb5_init.password,passwd);
rc = ck_krb5_initTGT(&krb_op, &krb5_init);
free(krb5_init.password);
krb5_init.password = NULL;
if ( krb5_d_getk4 && krb4_autoget ) {
extern struct krb4_init_data krb4_init;
char * savek4realm=NULL;
makestr(&krb4_init.principal,krb5_init.principal);
makestr(&krb4_init.password,passwd);
if ( realm ) {
savek4realm = krb4_init.realm;
krb4_init.realm = realm;
}
rc = ck_krb4_initTGT(&krb_op, &krb4_init);
if ( savek4realm )
krb4_init.realm = savek4realm;
free(krb4_init.password);
krb4_init.password = NULL;
}
memset(passwd,0,PWD_SZ);
}
/* restore realm to init structure if needed */
if ( saverealm )
krb5_init.realm = saverealm;
return(rc == 0);
}
static krb5_error_code
#ifdef CK_ANSIC
k5_get_ccache( krb5_context k5_context, krb5_ccache * p_ccache,
char * cc_name )
#else /* CK_ANSIC */
k5_get_ccache(k5_context, p_ccache, cc_name)
krb5_context k5_context;
krb5_ccache * p_ccache;
char * cc_name;
#endif /* CK_ANSIC */
{
krb5_error_code r=0;
char cc_tmp[CKMAXPATH+1];
const char * def_name = NULL;
if ( cc_name ) {
if ( strncmp("FILE:",cc_name,5) &&
strncmp("MEMORY:",cc_name,7) &&
strncmp("API:",cc_name,4) &&
strncmp("STDIO:",cc_name,6))
sprintf(cc_tmp,"FILE:%s",cc_name);
else {
ckstrncpy(cc_tmp,cc_name,CKMAXPATH);
}
r = krb5_cc_resolve (k5_context, cc_tmp, p_ccache);
if (r != 0) {
com_err("k5_get_ccache resolving ccache",r,
cc_tmp);
}
} else if ( krb5_d_cc ) {
if ( strncmp("FILE:",krb5_d_cc,5) &&
strncmp("MEMORY:",krb5_d_cc,7) &&
strncmp("API:",krb5_d_cc,4) &&
strncmp("STDIO:",krb5_d_cc,6))
sprintf(cc_tmp,"FILE:%s",krb5_d_cc);
else {
ckstrncpy(cc_tmp,krb5_d_cc,CKMAXPATH);
}
r = krb5_cc_resolve (k5_context, cc_tmp, p_ccache);
if (r != 0) {
com_err("k5_get_ccache resolving ccache",r,
krb5_d_cc);
}
} else {
if ((r = krb5_cc_default(k5_context, p_ccache))) {
com_err("k5_get_ccache",r,"while getting default ccache");
}
}
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(r);
}
char *
ck_krb5_realmofhost(char *host)
{
char ** realmlist=NULL;
krb5_context private_context=NULL;
static char * realm = NULL;
if ( !host )
return NULL;
if ( realm ) {
free(realm);
realm = NULL;
}
/* create private_context */
krb5_init_context(&private_context);
krb5_get_host_realm(private_context,host,&realmlist);
if (realmlist && realmlist[0]) {
makestr(&realm,realmlist[0]);
krb5_free_host_realm(private_context,realmlist);
realmlist = NULL;
}
if ( private_context ) {
krb5_free_context(private_context);
private_context = NULL;
}
return(realm);
}
/*
*
* K5_auth_send - gets authentication bits we need to send to KDC.
*
* Code lifted from telnet sample code in the appl directory.
*
* Result is left in k5_auth
*
* Returns: 0 on failure, 1 on success
*
*/
static int
#ifdef CK_ANSIC
k5_auth_send(int how, int encrypt, int forward)
#else
k5_auth_send(how,encrypt) int how; int encrypt; int forward;
#endif
{
krb5_error_code r=0;
krb5_ccache ccache=NULL;
krb5_creds creds;
krb5_creds * new_creds=NULL;
krb5_flags ap_opts;
char type_check[2];
krb5_data check_data;
int len=0;
#ifdef CK_ENCRYPTION
krb5_keyblock *newkey = 0;
#endif
char * realm = NULL;
char tgt[256];
realm = ck_krb5_realmofhost(szHostName);
if (!realm) {
strcpy(strTmp, "Can't find realm for host "");
strcat(strTmp, szHostName);
strcat(strTmp, """);
printf("?Kerberos 5 error: %srn",strTmp);
krb5_errno = 5;
makestr(&krb5_errmsg,strTmp);
return(0);
}
sprintf(tgt,"krbtgt/%s@%s",realm,realm);
debug(F110,"k5_auth_send TGT",tgt,0);
if (!((ck_krb5_tkt_isvalid(NULL,tgt) > 0) ||
(ck_krb5_is_tgt_valid() > 0)) &&
krb5_autoget )
ck_krb5_autoget_TGT(realm);
r = k5_get_ccache(k5_context,&ccache,NULL);
if ( r ) {
com_err(NULL, r, "while authorizing (0).");
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(0);
}
memset((char *)&creds, 0, sizeof(creds));
if (r = krb5_sname_to_principal(k5_context, szHostName,
krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME,
KRB5_NT_SRV_HST, &creds.server)) {
com_err(NULL, r, "while authorizing (1).");
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(0);
}
if (r = krb5_cc_get_principal(k5_context, ccache, &creds.client)) {
com_err(NULL, r, "while authorizing (2).");
krb5_free_cred_contents(k5_context, &creds);
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(0);
}
if (szUserName[0] == '') { /* Get user name now */
len = krb5_princ_component(k5_context, creds.client, 0)->length;
memcpy(szUserName,
krb5_princ_component(k5_context, creds.client, 0)->data,
len);
szUserName[len] = '';
} else {
char * name = NULL;
len = krb5_princ_component(k5_context, creds.client, 0)->length;
if ( len == strlen(szUserName) ) {
name = krb5_princ_component(k5_context, creds.client, 0)->data;
#ifdef OS2
if ( !strnicmp(szUserName,name,len) ) {
memcpy(szUserName,name,len);
szUserName[len] = '';
}
#endif /* OS2 */
}
}
creds.keyblock.enctype=ENCTYPE_DES_CBC_CRC;
if (r = krb5_get_credentials(k5_context, 0,
ccache, &creds, &new_creds)) {
com_err(NULL, r, "while authorizing (3).");
krb5_free_cred_contents(k5_context, &creds);
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(0);
}
if (auth_context) {
krb5_auth_con_free(k5_context, auth_context);
auth_context = 0;
}
if ((r = krb5_auth_con_init(k5_context, &auth_context))) {
com_err(NULL, r, "while initializing auth context");
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(0);
}
krb5_auth_con_setflags(k5_context, auth_context,
KRB5_AUTH_CONTEXT_RET_TIME);
type_check[0] = AUTHTYPE_KERBEROS_V5;
type_check[1] = AUTH_CLIENT_TO_SERVER |
(how ? AUTH_HOW_MUTUAL : AUTH_HOW_ONE_WAY) |
(encrypt ? AUTH_ENCRYPT_USING_TELOPT : AUTH_ENCRYPT_OFF) |
(forward ? INI_CRED_FWD_ON : INI_CRED_FWD_OFF);
check_data.magic = KV5M_DATA;
check_data.length = 2;
check_data.data = (char *)&type_check;
ap_opts = 0;
if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
ap_opts = AP_OPTS_MUTUAL_REQUIRED;
#ifdef CK_ENCRYPTION
ap_opts |= AP_OPTS_USE_SUBKEY;
#endif
r = krb5_mk_req_extended(k5_context, &auth_context, ap_opts,
&check_data, new_creds, &k5_auth);
#ifdef CK_ENCRYPTION
krb5_auth_con_getlocalsubkey(k5_context, auth_context, &newkey);
if (k5_session_key) {
krb5_free_keyblock(k5_context, k5_session_key);
k5_session_key = 0;
}
if (newkey) {
/*
* keep the key in our private storage, but don't use it
* yet---see kerberos5_reply() below
*/
if ((newkey->enctype != ENCTYPE_DES_CBC_CRC) &&
(newkey-> enctype != ENCTYPE_DES_CBC_MD5))
{
if ((new_creds->keyblock.enctype == ENCTYPE_DES_CBC_CRC) ||
(new_creds->keyblock.enctype == ENCTYPE_DES_CBC_MD5))
/* use the session key in credentials instead */
krb5_copy_keyblock(k5_context,
&new_creds->keyblock, &k5_session_key);
else
; /* What goes here? XXX */
} else {
krb5_copy_keyblock(k5_context, newkey, &k5_session_key);
}
krb5_free_keyblock(k5_context, newkey);
}
#endif /* ENCRYPTION */
krb5_free_cred_contents(k5_context, &creds);
krb5_free_creds(k5_context, new_creds);
krb5_cc_close(k5_context,ccache);
if (r) {
com_err(NULL, r, "while authorizing (4).");
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(0);
}
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(1);
}
/*
*
* K5_auth_reply -- checks the reply for mutual authentication.
*
* Code lifted from telnet sample code in the appl directory.
*
*/
static int
#ifdef CK_ANSIC
k5_auth_reply(int how, unsigned char *data, int cnt)
#else
k5_auth_reply(how,data,cnt) int how; unsigned char *data; int cnt;
#endif
{
#ifdef CK_ENCRYPTION
Session_Key skey;
#endif
data += 4; /* Point to status byte */
switch (*data++) {
case KRB_REJECT:
cnt -=5;
if (cnt > 0) {
char *s;
sprintf(strTmp,"Kerberos V5 refuses authentication becausern");
s = strTmp + strlen(strTmp);
memcpy(s, data, cnt);
s[cnt] = 0;
} else
sprintf(strTmp, "Kerberos V5 refuses authentication");
krb5_errno = 0;
makestr(&krb5_errmsg,strTmp);
printf("Kerberos authentication failed!rn%srn",strTmp);
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
case KRB_ACCEPT:
if (!mutual_complete) {
if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && !mutual_complete) {
sprintf(strTmp,
"Kerberos V5 accepted you, but didn't provide"
" mutual authentication");
printf("Kerberos authentication failed!rn%srn",strTmp);
krb5_errno = 0;
makestr(&krb5_errmsg,strTmp);
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
#ifdef CK_ENCRYPTION
if (k5_session_key) {
skey.type = SK_DES;
skey.length = 8;
skey.data = k5_session_key->contents;
encrypt_session_key(&skey, AUTH_CLIENT_TO_SERVER);
}
#endif
}
cnt -= 5;
if ( cnt > 0 ) {
char *s;
sprintf(strTmp,"Kerberos V5 accepts you as ");
s = strTmp + strlen(strTmp);
memcpy(s,data,cnt);
s[cnt] = 0;
}
accept_complete = 1;
printf("%srn",strTmp);
#ifdef FORWARD
if (forward_flag && (auth_how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
kerberos5_forward();
#endif
krb5_errno = 0;
makestr(&krb5_errmsg,strTmp);
auth_finished(AUTH_USER);
return AUTH_SUCCESS;
case KRB5_RESPONSE:
if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
/* the rest of the reply should contain a krb_ap_rep */
krb5_ap_rep_enc_part *reply;
krb5_data inbuf;
krb5_error_code r;
inbuf.length = cnt;
inbuf.data = (char *)data;
if (r = krb5_rd_rep(k5_context, auth_context, &inbuf, &reply)) {
com_err(NULL, r, "while authorizing. (5)");
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
krb5_free_ap_rep_enc_part(k5_context, reply);
#ifdef CK_ENCRYPTION
if (encrypt_flag && k5_session_key) {
skey.type = SK_DES;
skey.length = 8;
skey.data = k5_session_key->contents;
encrypt_session_key(&skey, AUTH_CLIENT_TO_SERVER);
}
#endif /* ENCRYPTION */
mutual_complete = 1;
}
sprintf(strTmp,"Remote machine has been mutually authenticated");
krb5_errno = 0;
makestr(&krb5_errmsg,strTmp);
printf("%srn",strTmp);
auth_finished(AUTH_USER);
return AUTH_SUCCESS;
#ifdef FORWARD
case KRB5_FORWARD_ACCEPT:
forwarded_tickets = 1;
sprintf(strTmp,"Remote machine has accepted forwarded credentials");
krb5_errno = 0;
makestr(&krb5_errmsg,strTmp);
printf("%srn",strTmp);
return AUTH_SUCCESS;
case KRB5_FORWARD_REJECT:
forwarded_tickets = 0;
if (cnt > 0) {
char *s;
sprintf(strTmp,
"Kerberos V5 refuses forwarded credentials because ");
s = strTmp + strlen(strTmp);
memcpy(s, data, cnt);
s[cnt] = 0;
} else
sprintf(strTmp, "Kerberos V5 refuses forwarded credentials");
printf("%srn",strTmp);
krb5_errno = 0;
makestr(&krb5_errmsg,strTmp);
return AUTH_SUCCESS;
#endif /* FORWARD */
default:
krb5_errno = 0;
makestr(&krb5_errmsg,"Unknown reply type");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE; /* Unknown reply type */
}
}
#ifdef FORWARD
/* Decode, decrypt and store the forwarded creds in the local ccache. */
/* Needed for KRB5_FORWARD */
static krb5_error_code
rd_and_store_for_creds(context, auth_context, inbuf)
krb5_context context;
krb5_auth_context auth_context;
krb5_data *inbuf;
{
krb5_creds ** creds;
krb5_error_code retval;
krb5_ccache ccache=NULL;
if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)))
return(retval);
retval = k5_get_ccache(context,&ccache,NULL);
if ( retval )
goto cleanup;
if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client)))
goto cleanup;
if ((retval = krb5_cc_store_cred(context, ccache, creds[0])))
goto cleanup;
if ((retval = krb5_cc_close(context, ccache)))
goto cleanup;
cleanup:
krb5_free_tgt_creds(context, creds);
krb5_errno = retval;
makestr(&krb5_errmsg,error_message(krb5_errno));
return retval;
}
#endif /* FORWARD */
/*
*
* K5_auth_is.
*
*/
static int
#ifdef CK_ANSIC
k5_auth_is(int how, unsigned char *data, int cnt)
#else
k5_auth_is(how,data,cnt) int how; unsigned char *data; int cnt;
#endif
{
int r = 0;
krb5_principal server;
krb5_keyblock *newkey = NULL;
krb5_keytab keytabid = 0;
krb5_data outbuf;
#ifdef CK_ENCRYPTION
Session_Key skey;
#endif
char errbuf[128]="";
char *name;
char *getenv();
krb5_data inbuf;
krb5_authenticator *authenticator;
char princ[256]="";
int len;
data += 4; /* Point to status byte */
cnt -= 4;
hexdump("k5_auth_is data",data,cnt);
if (cnt-- < 1) {
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
switch (*data++) {
case KRB_AUTH:
k5_auth.data = (char *)data;
k5_auth.length = cnt;
debug(F110,"k5_auth_is","KRB_AUTH",0);
debug(F111,"k5_auth_is","auth_context",auth_context);
if (!r && !auth_context) {
r = krb5_auth_con_init(k5_context, &auth_context);
debug(F111,"k5_auth_is","krb5_auth_con_init",r);
}
if (!r) {
krb5_rcache rcache = NULL;
r = krb5_auth_con_getrcache(k5_context, auth_context,
&rcache);
debug(F111,"k5_auth_is","krb5_auth_con_getrcache",r);
if (!r && !rcache) {
r = krb5_sname_to_principal(k5_context, 0,
#ifdef COMMENT
0, /* changed in KRB5-CURRENT */
#else /* COMMENT */
krb5_d_srv ? krb5_d_srv :
KRB5_SERVICE_NAME,
#endif /* COMMENT */
KRB5_NT_SRV_HST, &server);
debug(F111,"k5_auth_is","krb5_sname_to_principal",r);
if (!r) {
r = krb5_get_server_rcache(k5_context,
krb5_princ_component(k5_context, server, 0),
&rcache);
debug(F111,"k5_auth_is","krb5_get_server_rcache",r);
krb5_free_principal(k5_context, server);
}
}
if (!r) {
r = krb5_auth_con_setrcache(k5_context,
auth_context, rcache);
debug(F111,"k5_auth_is","krb5_auth_con_setrcache",r);
}
}
if (!r && telnet_srvtab) {
r = krb5_kt_resolve(k5_context,
telnet_srvtab, &keytabid);
debug(F111,"k5_auth_is","krb5_kt_resolve",r);
}
if (!r) {
r = krb5_rd_req(k5_context, &auth_context, &k5_auth,
NULL, keytabid, NULL, &k5_ticket);
debug(F111,"k5_auth_is","krb5_rd_req",r);
}
if (r) {
(void) strcpy(errbuf, "krb5_rd_req failed: ");
(void) strcat(errbuf, error_message(r));
goto errout;
}
len = krb5_princ_component(k5_context,k5_ticket->server,0)->length;
if (len < 256)
{
memcpy(princ,krb5_princ_component(k5_context,
k5_ticket->server,0)->data,len);
princ[len] = '';
}
if ( strcmp((krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME), princ) )
{
debug(F110,"k5_auth_is incorrect service name",princ,0);
(void) sprintf( errbuf, "incorrect service name: %s != %s",
(krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME),
princ);
goto errout;
}
r = krb5_auth_con_getauthenticator(k5_context,
auth_context,
&authenticator);
debug(F111,"k5_auth_is","krb5_auth_con_getauthenticator",r);
if (r) {
(void) strcpy(errbuf,
"krb5_auth_con_getauthenticator failed: ");
(void) strcat(errbuf, error_message(r));
goto errout;
}
if (authenticator->checksum) {
char type_check[2];
krb5_checksum *cksum = authenticator->checksum;
krb5_keyblock *key;
type_check[0] = AUTHTYPE_KERBEROS_V5;
type_check[1] = how; /* not broken into parts */
r = krb5_auth_con_getkey(k5_context, auth_context,
&key);
debug(F111,"k5_auth_is","krb5_auth_con_getkey",r);
if (r) {
(void) strcpy(errbuf, "krb5_auth_con_getkey failed: ");
(void) strcat(errbuf, error_message(r));
goto errout;
}
r = krb5_verify_checksum(k5_context,
cksum->checksum_type, cksum,
&type_check, 2, key->contents,
key->length);
debug(F111,"k5_auth_is","krb5_verify_checksum",r);
if (r) {
(void) strcpy(errbuf,
"checksum verification failed: ");
(void) strcat(errbuf, error_message(r));
goto errout;
}
krb5_free_keyblock(k5_context, key);
} else {
if ((how & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_USING_TELOPT) {
(void) strcpy(errbuf,
"authenticator is missing required checksum");
goto errout;
}
}
krb5_free_authenticator(k5_context, authenticator);
if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
/* do ap_rep stuff here */
if ((r = krb5_mk_rep(k5_context, auth_context,
&outbuf))) {
debug(F111,"k5_auth_is","krb5_mk_rep",r);
(void) strcpy(errbuf, "Make reply failed: ");
(void) strcat(errbuf, error_message(r));
goto errout;
}
debug(F111,"k5_auth_is","krb5_mk_rep",r);
SendK5AuthSB(KRB5_RESPONSE, outbuf.data, outbuf.length);
mutual_complete = 1;
}
if (krb5_unparse_name(k5_context,
k5_ticket->enc_part2 ->client,
&name))
name = 0;
SendK5AuthSB(KRB_ACCEPT, name, name ? -1 : 0);
accept_complete = 1;
sprintf(strTmp,"Kerberos5 identifies him as ``%s''",
name ? name : "");
printf("%srn",strTmp);
ckstrncpy(szUserNameAuthenticated,name,128);
if (szUserNameRequested[0] &&
krb5_kuserok(k5_context, k5_ticket->enc_part2->client,
szUserNameRequested))
auth_finished(AUTH_VALID);
else
auth_finished(AUTH_USER);
if (name)
free(name);
krb5_auth_con_getremotesubkey(k5_context, auth_context,
&newkey);
if (k5_session_key) {
krb5_free_keyblock(k5_context, k5_session_key);
k5_session_key = 0;
}
if (newkey) {
krb5_copy_keyblock(k5_context, newkey, &k5_session_key);
krb5_free_keyblock(k5_context, newkey);
} else {
krb5_copy_keyblock(k5_context,
k5_ticket->enc_part2->session,
&k5_session_key);
}
#ifdef CK_ENCRYPTION
skey.type = k5_session_key->length == 8 ? SK_DES : SK_GENERIC;
skey.length = k5_session_key->length;
skey.data = k5_session_key->contents;
encrypt_session_key(&skey, AUTH_SERVER_TO_CLIENT);
#endif
debug(F100,"k5_auth_is AUTH_SUCCESS","",0);
krb5_errno = r;
if ( krb5_errno )
makestr(&krb5_errmsg,error_message(krb5_errno));
else
makestr(&krb5_errmsg,strTmp);
return AUTH_SUCCESS;
#ifdef FORWARD
case KRB5_FORWARD:
if ( !forward_flag ) {
SendK5AuthSB(KRB5_FORWARD_REJECT,
"forwarded credentials are being refused.",
-1);
return(AUTH_SUCCESS);
}
inbuf.length = cnt;
inbuf.data = (char *)data;
if ((r = krb5_auth_con_genaddrs(k5_context,auth_context,g_kstream->fd,
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)) ||
(r = rd_and_store_for_creds(k5_context, auth_context,
&inbuf, k5_ticket, szUserNameRequested))) {
(void) strcpy(errbuf, "Read forwarded creds failed: ");
(void) strcat(errbuf, error_message(r));
SendK5AuthSB(KRB5_FORWARD_REJECT, errbuf, -1);
printf("Could not read forwarded credentialsrn");
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
}
else {
SendK5AuthSB(KRB5_FORWARD_ACCEPT, 0, 0);
sprintf(strTmp,"Forwarded credentials obtained");
printf("%srn",strTmp);
krb5_errno = r;
makestr(&krb5_errmsg,strTmp);
}
/* A failure to accept forwarded credentials is not an */
/* authentication failure. */
return AUTH_SUCCESS;
#endif /* FORWARD */
default:
printf("Unknown Kerberos option %drn", data[-1]);
SendK5AuthSB(KRB_REJECT, 0, 0);
break;
}
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
errout:
SendK5AuthSB(KRB_REJECT, errbuf, -1);
krb5_errno = r;
makestr(&krb5_errmsg,errbuf);
printf("%srn", errbuf);
if (auth_context) {
krb5_auth_con_free(k5_context, auth_context);
auth_context = 0;
}
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
#ifdef FORWARD
VOID
#ifdef CK_ANSIC
kerberos5_forward(void)
#else
kerberos5_forward()
#endif
{
krb5_error_code r;
krb5_ccache ccache=NULL;
krb5_principal client = 0;
krb5_principal server = 0;
krb5_data forw_creds;
forw_creds.data = 0;
r = k5_get_ccache(k5_context,&ccache,NULL);
if ( r ) {
com_err(NULL, r, "Kerberos V5: could not get default ccache");
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
return;
}
if ((r = krb5_cc_get_principal(k5_context, ccache, &client))) {
com_err(NULL, r, "Kerberos V5: could not get default principal");
goto cleanup;
}
if ((r = krb5_sname_to_principal(k5_context, szHostName,
krb5_d_srv ? krb5_d_srv : KRB5_SERVICE_NAME,
KRB5_NT_SRV_HST, &server))) {
com_err(NULL, r, "Kerberos V5: could not make server principal");
goto cleanup;
}
if ((r = krb5_auth_con_genaddrs(k5_context, auth_context, g_kstream->fd,
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR))) {
com_err(NULL, r, "Kerberos V5: could not gen local full address");
goto cleanup;
}
if (r = krb5_fwd_tgt_creds(k5_context, auth_context, 0, client, server,
ccache, forwardable_flag, &forw_creds)) {
com_err(NULL, r, "Kerberos V5: error getting forwardable credentials");
goto cleanup;
}
/* Send forwarded credentials */
if (!SendK5AuthSB(KRB5_FORWARD, forw_creds.data, forw_creds.length)) {
printf("Kerberos V5 forwarding error!rn%srn",
"Not enough room for authentication data");
}
cleanup:
if (client)
krb5_free_principal(k5_context, client);
if (server)
krb5_free_principal(k5_context, server);
#if 0 /* XXX */
if (forw_creds.data)
free(forw_creds.data);
#endif
krb5_cc_close(k5_context, ccache);
krb5_errno = r;
makestr(&krb5_errmsg,error_message(krb5_errno));
}
#endif /* FORWARD */
#else /* KRB5 */
int
ck_krb5_autoget_TGT(char * dummy)
{
return(0);
}
#ifdef CK_KERBEROS
int
#ifdef CK_ANSIC
ck_krb5_initTGT( struct krb_op_data * op, struct krb5_init_data * init )
#else
ck_krb5_initTGT(op,init)
krb_op_data * op; struct krb5_init_data * init;
#endif /* CK_ANSIC*/
{
return(-1);
}
int
#ifdef CK_ANSIC
ck_krb5_destroy(struct krb_op_data * op)
#else
ck_krb5_destroy(op) struct krb_op_data * op;
#endif
{
return(-1);
}
int
#ifdef CK_ANSIC
ck_krb5_list_creds(struct krb_op_data * op, struct krb5_list_cred_data * lc)
#else
ck_krb5_list_creds(op,lc)
struct krb_op_data * op; struct krb5_list_cred_data * lc;
#endif
{
return(-1);
}
#else /* CK_KERBEROS */
int
#ifdef CK_ANSIC
ck_krb5_initTGT(void * op, void * init )
#else
ck_krb5_initTGT(op,init)
void * op; void * init;
#endif /* CK_ANSIC*/
{
return(-1);
}
int
#ifdef CK_ANSIC
ck_krb5_destroy(void * op)
#else
ck_krb5_destroy(op) void * op;
#endif
{
return(-1);
}
int
#ifdef CK_ANSIC
ck_krb5_list_creds(void * op, void * lc)
#else
ck_krb5_list_creds(op,lc)
void * op; void * lc;
#endif
{
return(-1);
}
#endif /* CK_KERBEROS */
#endif /* KRB5 */
#ifdef CK_SRP
/*
*
* The use of this software for revenue-generating purposes may require a
* license from the owners of the underlying intellectual property.
* Specifically, the SRP-3 protocol may not be used for revenue-generating
* purposes without a license.
*
* Within that constraint, permission to use, copy, modify, and distribute
* this software and its documentation for any purpose is hereby granted
* without fee, provided that the above copyright notices and this permission
* notice appear in all copies of the software and related documentation.
*
* THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
* EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
* WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
*
* IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
* INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
* RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
* THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
* OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
static void
srp_encode_length(data, num)
unsigned char * data;
int num;
{
*data = (num >> 8) & 0xff;
*++data = num & 0xff;
}
static int
srp_decode_length(data)
unsigned char * data;
{
return (((int) *data & 0xff) << 8) | (*(data + 1) & 0xff);
}
static int
#ifdef CK_ANSIC
srp_reply(int how, unsigned char *data, int cnt)
#else
srp_reply(how,data,cnt) int how; unsigned char *data; int cnt;
#endif
{
struct t_num n;
struct t_num g;
struct t_num s;
struct t_num B;
struct t_num * A;
char hexbuf[MAXHEXPARAMLEN];
char type_check[2];
int pflag;
#ifdef CK_ENCRYPTION
Session_Key skey;
#endif /* ENCRYPTION */
char * str=NULL;
data += 4; /* Point to status byte */
cnt -= 4;
if(cnt-- < 1) {
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
switch(*data++) {
case SRP_REJECT:
if (cnt > 0) {
sprintf(strTmp,
"SRP refuses authentication for '%s' (%.*s)rn",
szUserName, cnt, data);
str = strTmp + strlen(strTmp);
memcpy(str,data,cnt);
str[cnt] = 0;
} else
sprintf(strTmp,"SRP refuses authentication for '%s'rn",
szUserName);
printf("SRP authentication failed!rn%srn",strTmp);
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
case SRP_ACCEPT:
if(tc == NULL || cnt < RESPONSE_LEN || !srp_waitresp) {
printf("SRP Protocol errorrn");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
srp_waitresp = 0;
if(t_clientverify(tc, data) == 0) {
printf("SRP accepts you as %srn",szUserName);
#ifdef CK_ENCRYPTION
skey.type = SK_GENERIC;
skey.length = SESSION_KEY_LEN;
skey.data = tc->session_key;
encrypt_session_key(&skey, AUTH_CLIENT_TO_SERVER);
#endif /* ENCRYPTION */
accept_complete = 1;
auth_finished(AUTH_VALID);
return AUTH_SUCCESS;
}
else {
printf("SRP server authentication failed!rn");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
break;
case SRP_PARAMS:
if(!szUserName) {
printf("No username availablern");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
n.len = srp_decode_length(data);
data += 2;
cnt -= 2;
if(n.len > cnt) {
printf("n too longrn");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
n.data = data;
data += n.len;
cnt -= n.len;
g.len = srp_decode_length(data);
data += 2;
cnt -= 2;
if(g.len > cnt) {
printf("g too longrn");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
g.data = data;
data += g.len;
cnt -= g.len;
s.len = srp_decode_length(data);
data += 2;
cnt -= 2;
if(s.len > cnt) {
printf("salt too longrn");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
s.data = data;
data += s.len;
cnt -= s.len;
tc = t_clientopen(szUserName, &n, &g, &s);
A = t_clientgenexp(tc);
SendSRPAuthSB(SRP_EXP, A->data, A->len);
if ( pwbuf[0] && pwflg ) {
printf("SRP using %d-bit modulus for '%s'rn",
8 * n.len,
szUserName
);
ckstrncpy(srp_passwd,pwbuf,sizeof(srp_passwd));
#ifdef OS2
if ( pwcrypt )
ck_encrypt((char *)srp_passwd);
#endif /* OS2 */
} else {
extern char * srppwprompt;
char prompt[128];
sprintf(prompt,"SRP using %d-bit modulusrn%s's password: ",
8 * n.len,szUserName);
readpass(srppwprompt && srppwprompt[0] ? srppwprompt :
prompt,srp_passwd,sizeof(srp_passwd)-1);
}
t_clientpasswd(tc, srp_passwd);
memset(srp_passwd, 0, sizeof(srp_passwd));
return AUTH_SUCCESS;
case SRP_CHALLENGE:
if(tc == NULL) {
printf("Protocol errorrn");
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
#ifndef PRE_SRP_1_4_5
if ( (how & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_USING_TELOPT ) {
type_check[0] = AUTHTYPE_SRP;
type_check[1] = how;
t_clientaddexdata(tc,type_check,2);
}
#endif /* PRE_SRP_1_4_5 */
B.data = data;
B.len = cnt;
t_clientgetkey(tc, &B);
SendSRPAuthSB(SRP_RESPONSE, t_clientresponse(tc), RESPONSE_LEN);
srp_waitresp = 1;
return AUTH_SUCCESS;
default:
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
return AUTH_FAILURE;
}
static int
#ifdef CK_ANSIC
srp_is(int how, unsigned char *data, int cnt)
#else
srp_is(how,data,cnt) int how; unsigned char *data; int cnt;
#endif
{
char pbuf[2 * MAXPARAMLEN + 5];
char * ptr;
struct t_num A;
char hexbuf[MAXHEXPARAMLEN];
struct passwd * pass;
#ifdef CK_ENCRYPTION
Session_Key skey;
#endif
struct t_pw * tpw = NULL;
struct t_conf * tconf = NULL;
char type_check[2];
if ((cnt -= 4) < 1) {
auth_finished(AUTH_REJECT);
return AUTH_FAILURE;
}
data += 4;
cnt -= 1;
switch(*data++) {
case SRP_AUTH:
/* Send parameters back to client */
if(ts != NULL) {
t_serverclose(ts);
ts = NULL;
}
if(!szUserNameRequested[0]) {
if (1)
printf("No username availablern");
SendSRPAuthSB(SRP_REJECT, (void *) "No username supplied", -1);
auth_finished(AUTH_REJECT);
return(AUTH_FAILURE);
}
#ifdef IKSD
#ifdef CK_LOGIN
if (inserver && ckxanon &&
!strcmp(szUserNameRequested,"anonymous")) {
SendSRPAuthSB(SRP_REJECT, (void *)
"anonymous login cannot be performed with Secure Remote Password",
-1);
auth_finished(AUTH_REJECT);
return(AUTH_FAILURE);
}
#endif /* CK_LOGIN */
#endif /* IKSD */
#ifdef PRE_SRP_1_4_4
if(tpw == NULL) {
if((tpw = t_openpw(NULL)) == NULL) {
if (1)
printf("Unable to open password filern");
SendSRPAuthSB(SRP_REJECT, (void *) "No password file", -1);
return(AUTH_FAILURE);
}
}
if(tconf == NULL) {
if((tconf = t_openconf(NULL)) == NULL) {
if (1)
printf("Unable to open configuration filern");
SendSRPAuthSB(SRP_REJECT, (void *)"No configuration file", -1);
return(AUTH_FAILURE);
}
}
ts = t_serveropenfromfiles(szUserNameRequested, tpw, tconf);
t_closepw(tpw);
tpw = NULL;
t_closeconf(tconf);
tconf = NULL;
#else /* PRE_SRP_1_4_4 */
/* On Windows and OS/2 there is no well defined place for the */
/* ETC directory. So we look for either an SRP_ETC or ETC */
/* environment variable in that order. If we find one we */
/* attempt to open the files manually. */
/* We will reuse the pbuf[] for the file names. */
ptr = getenv("SRP_ETC");
if ( !ptr )
ptr = getenv("ETC");
if ( ptr ) {
int len = strlen(ptr);
int i;
strcpy(pbuf,ptr);
for ( i=0;i<len;i++ ) {
if ( pbuf[i] == '\' )
pbuf[i] = '/';
}
if ( pbuf[len-1] != '/' )
strcat(pbuf,"/tpasswd");
else
strcat(pbuf,"tpasswd");
tpw = t_openpwbyname(pbuf);
strcat(pbuf,".conf");
tconf = t_openconfbyname(pbuf);
}
if ( tpw && tconf )
ts = t_serveropenfromfiles(szUserNameRequested, tpw, tconf);
else
ts = t_serveropen(szUserNameRequested);
if ( tpw ) {
t_closepw(tpw);
tpw = NULL;
}
if ( tconf ) {
t_closeconf(tconf);
tconf = NULL;
}
#endif /* PRE_SRP_1_4_4 */
if(ts == NULL) {
if (1)
printf("User %s not foundrn", szUserNameRequested);
SendSRPAuthSB(SRP_REJECT, (void *) "Password not set", -1);
return(AUTH_FAILURE);
}
ptr = pbuf;
srp_encode_length(ptr, ts->n.len);
ptr += 2;
memcpy(ptr, ts->n.data, ts->n.len);
ptr += ts->n.len;
srp_encode_length(ptr, ts->g.len);
ptr += 2;
memcpy(ptr, ts->g.data, ts->g.len);
ptr += ts->g.len;
srp_encode_length(ptr, ts->s.len);
ptr += 2;
memcpy(ptr, ts->s.data, ts->s.len);
ptr += ts->s.len;
SendSRPAuthSB(SRP_PARAMS, pbuf, ptr - pbuf);
B = t_servergenexp(ts);
ckstrncpy(szUserNameAuthenticated,szUserNameRequested,128);
return AUTH_SUCCESS;
case SRP_EXP:
/* Client is sending A to us, compute challenge & expected response. */
if (ts == NULL || B == NULL) {
if (1)
printf("Protocol error: SRP_EXP unexpectedrn");
SendSRPAuthSB(SRP_REJECT,
(void *) "Protocol error: unexpected EXP",
-1
);
return(AUTH_FAILURE);
}
/* Wait until now to send B, since it contains the key to "u" */
SendSRPAuthSB(SRP_CHALLENGE, B->data, B->len);
B = NULL;
#ifndef PRE_SRP_1_4_5
if ( (how & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_USING_TELOPT ) {
type_check[0] = AUTHTYPE_SRP;
type_check[1] = how;
t_serveraddexdata(ts,type_check,2);
}
#endif /* PRE_SRP_1_4_5 */
A.data = data;
A.len = cnt;
ptr = t_servergetkey(ts, &A);
if(ptr == NULL) {
if (1)
printf("Security alert: Trivial session key attemptedrn");
SendSRPAuthSB(SRP_REJECT,
(void *) "Trivial session key detected",
-1
);
return(AUTH_FAILURE);
}
srp_waitresp = 1;
return AUTH_SUCCESS;
case SRP_RESPONSE:
/* Got the response; see if it's correct */
if(ts == NULL || !srp_waitresp) {
if (1)
printf("Protocol error: SRP_RESPONSE unexpectedrn");
SendSRPAuthSB(SRP_REJECT,
(void *) "Protocol error: unexpected RESPONSE",
-1
);
return(AUTH_FAILURE);
}
srp_waitresp = 0; /* we got a response */
if (cnt < RESPONSE_LEN) {
if (1)
printf("Protocol error: malformed responsern");
SendSRPAuthSB(SRP_REJECT,
(void *) "Protocol error: malformed response",
-1
);
return(AUTH_FAILURE);
}
if (t_serververify(ts, data) == 0) {
SendSRPAuthSB(SRP_ACCEPT, t_serverresponse(ts), RESPONSE_LEN);
accept_complete = 1;
#ifdef CK_ENCRYPTION
hexdump("SRP_RESPONSE ts",ts,sizeof(ts));
hexdump("SRP_RESPONSE session_key",
ts->session_key,
SESSION_KEY_LEN
);
skey.type = SK_GENERIC;
skey.length = SESSION_KEY_LEN;
skey.data = ts->session_key;
encrypt_session_key(&skey, AUTH_SERVER_TO_CLIENT);
#endif
auth_finished(AUTH_VALID);
}
else {
SendSRPAuthSB(SRP_REJECT, (void *) "Login incorrect", -1);
auth_finished(AUTH_REJECT);
return(AUTH_FAILURE);
}
return AUTH_SUCCESS;
default:
if (1)
printf("Unknown SRP option %drn", data[-1]);
SendSRPAuthSB(SRP_REJECT, (void *) "Unknown option received", -1);
return(AUTH_FAILURE);
}
}
#endif /* SRP */
#ifdef KRB5
#ifdef KINIT
/*
* clients/kinit/kinit.c
*
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*
* Initialize a credentials cache.
*/
#define KRB5_DEFAULT_OPTIONS 0
#define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
static krb5_data tgtname = {
0,
KRB5_TGS_NAME_SIZE,
KRB5_TGS_NAME
};
/* Internal prototypes */
static krb5_error_code krb5_validate_tgt
KRB5_PROTOTYPE((krb5_context, krb5_ccache,
krb5_principal, krb5_data *));
static krb5_error_code krb5_renew_tgt
KRB5_PROTOTYPE((krb5_context, krb5_ccache,
krb5_principal, krb5_data *));
static krb5_error_code krb5_tgt_gen
KRB5_PROTOTYPE((krb5_context, krb5_ccache,
krb5_principal, krb5_data *, int opt));
/*
* Try no preauthentication first; then try the encrypted timestamp
*/
static krb5_preauthtype * preauth = NULL;
static krb5_preauthtype preauth_list[2] = { 0, -1 };
#define NO_KEYTAB
int
#ifdef CK_ANSIC
ck_krb5_initTGT( struct krb_op_data * op, struct krb5_init_data * init )
#else
ck_krb5_initTGT(op,init)
krb_op_data * op; struct krb5_init_data * init;
#endif /* CK_ANSIC*/
{
krb5_context kcontext;
krb5_ccache ccache = NULL;
krb5_deltat lifetime = KRB5_DEFAULT_LIFE; /* -l option */
krb5_timestamp starttime = 0;
krb5_deltat rlife = 0;
int options = KRB5_DEFAULT_OPTIONS;
int option;
int errflg = 0;
krb5_error_code code;
krb5_principal me=NULL;
krb5_principal server=NULL;
krb5_creds my_creds;
krb5_timestamp now;
krb5_address **addrs = (krb5_address **)0;
int addr_count=0;
int i,j;
#ifndef NO_KEYTAB
int use_keytab = 0; /* -k option */
krb5_keytab keytab = NULL;
#endif /* NO_KEYTAB */
struct passwd *pw = 0;
int pwsize;
char *client_name=NULL, realm[256]="", numstr[40]="";
if ( !ck_krb5_is_installed() )
return(-1);
#ifdef COMMENT
printf("Kerberos V initializationrn");
#endif /* COMMENT */
code = krb5_init_context(&kcontext);
if (code) {
com_err("krb5_kinit",code,"while init_context");
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
if ((code = krb5_timeofday(kcontext, &now))) {
com_err("krb5_kinit",code,"while getting time of day");
goto exit_k5_init;
}
if ( init->renewable ) {
options |= KDC_OPT_RENEWABLE;
sprintf(numstr,"%dm",init->renewable);
code = krb5_string_to_deltat(numstr, &rlife);
if (code != 0 || rlife == 0) {
printf("Bad renewable time value %srn", numstr);
errflg++;
}
}
if ( init->renew ) {
/* renew the ticket */
options |= KDC_OPT_RENEW;
}
if ( init->validate ) {
/* validate the ticket */
options |= KDC_OPT_VALIDATE;
}
if ( init->proxiable ) {
options |= KDC_OPT_PROXIABLE;
}
if ( init->forwardable ) {
options |= KDC_OPT_FORWARDABLE;
}
#ifndef NO_KEYTAB
if ( ) {
use_keytab = 1;
}
if ( ) {
if (keytab == NULL && keytab_name != NULL) {
code = krb5_kt_resolve(kcontext, keytab_name, &keytab);
if (code != 0) {
debug(F111,"krb5_init resolving keytab",
keytab_name,code);
errflg++;
}
}
}
#endif
if ( init->lifetime ) {
sprintf(numstr,"%dm",init->lifetime);
code = krb5_string_to_deltat(numstr, &lifetime);
if (code != 0 || lifetime == 0) {
printf("Bad lifetime value %srn", numstr);
errflg++;
}
}
if ( init->postdate ) {
/* Convert cmdate() to a time_t value */
struct tm * time_tm;
struct tm * cmdate2tm(char *,int);
time_tm = cmdate2tm(init->postdate,0);
if ( time_tm )
starttime = (krb5_timestamp) mktime(time_tm);
if (code != 0 || starttime == 0 || starttime == -1) {
krb5_deltat ktmp;
code = krb5_string_to_deltat(init->postdate, &ktmp);
if (code == 0 && ktmp != 0) {
starttime = now + ktmp;
options |= KDC_OPT_POSTDATED;
} else {
printf("Bad postdate start time value %srn",
init->postdate);
errflg++;
}
} else {
options |= KDC_OPT_POSTDATED;
}
}
code = k5_get_ccache(kcontext,&ccache,op->cache);
if (code != 0) {
com_err("krb5_kinit",code,"while getting default ccache");
goto exit_k5_init;
}
if (init->principal == NULL) { /* No principal name specified */
#ifndef NO_KEYTAB
if (use_keytab) {
/* Use the default host/service name */
code = krb5_sname_to_principal(kcontext, NULL, NULL,
KRB5_NT_SRV_HST, &me);
if (code) {
com_err("krb5_kinit",
code,
"when creating default server principal name");
goto exit_k5_init;
}
} else
#endif
{
/* Get default principal from cache if one exists */
code = krb5_cc_get_principal(kcontext, ccache, &me);
if (code) {
#ifdef HAVE_PWD_H
/* Else search passwd file for client */
pw = getpwuid((int) getuid());
if (pw) {
if ((code = krb5_parse_name(kcontext,pw->pw_name,
&me))) {
krb5_errno = code;
com_err("krb5_kinit",code,"when parsing name",
pw->pw_name);
goto exit_k5_init;
}
} else {
printf(
"Unable to identify user from password filern");
goto exit_k5_init;
}
#else /* HAVE_PWD_H */
printf("Unable to identify userrn");
goto exit_k5_init;
#endif /* HAVE_PWD_H */
}
}
} /* Use specified name */
else {
char princ_realm[256];
if ( (strlen(init->principal) +
(init->instance ? strlen(init->instance)+1 : 0) +
strlen(init->realm ? init->realm : krb5_d_realm)
+ 2) > 255 )
goto exit_k5_init;
strcpy(princ_realm,init->principal);
if (init->instance) {
strcat(princ_realm,"/");
strcat(princ_realm,init->instance);
}
strcat(princ_realm,"@");
if ( init->realm )
strcat(princ_realm,init->realm);
else
strcat(princ_realm,krb5_d_realm);
if ((code = krb5_parse_name (kcontext, princ_realm, &me))) {
com_err("krb5_kinit",code,"when parsing name",
princ_realm);
goto exit_k5_init;
}
}
if ( init->realm == NULL ) {
/* Save the realm */
memcpy(realm,krb5_princ_realm(kcontext, me)->data,
krb5_princ_realm(kcontext, me)->length);
realm[krb5_princ_realm(kcontext, me)->length]='';
} else {
strcpy(realm,init->realm);
}
if ((code = krb5_unparse_name(kcontext, me, &client_name))) {
com_err("krb5_kinit",code,"when unparsing name");
goto exit_k5_init;
}
memset((char *)&my_creds, 0, sizeof(my_creds));
my_creds.client = me;
if (init->service == NULL) {
if ((code =
krb5_build_principal_ext(kcontext,
&server,
strlen(realm),realm,
tgtname.length, tgtname.data,
strlen(realm),realm,
0))) {
com_err("krb5_kinit",code,"while building server name");
goto exit_k5_init;
}
} else {
if (code = krb5_parse_name(kcontext, init->service, &server)) {
com_err("krb5_kinit",code,"while parsing service name",
init->service);
goto exit_k5_init;
}
}
my_creds.server = server;
if (options & KDC_OPT_POSTDATED) {
my_creds.times.starttime = starttime;
my_creds.times.endtime = starttime + lifetime;
} else {
my_creds.times.starttime = 0; /* start timer when request
gets to KDC */
my_creds.times.endtime = now + lifetime;
}
if (options & KDC_OPT_RENEWABLE) {
my_creds.times.renew_till = now + rlife;
} else
my_creds.times.renew_till = 0;
if (options & KDC_OPT_VALIDATE) {
/* don't use get_in_tkt, just use mk_req... */
krb5_data outbuf;
code = krb5_validate_tgt(kcontext, ccache, server, &outbuf);
if (code) {
com_err("krb5_kinit",code,"validating tgt");
goto exit_k5_init;
}
/* should be done... */
goto exit_k5_init;
}
if (options & KDC_OPT_RENEW) {
/* don't use get_in_tkt, just use mk_req... */
krb5_data outbuf;
code = krb5_renew_tgt(kcontext, ccache, server, &outbuf);
if (code) {
com_err("krb5_kinit",code,"while renewing tgt");
goto exit_k5_init;
}
/* should be done... */
goto exit_k5_init;
}
if ( init->addrs ) {
/* construct an array of krb5_address structs to pass to get_in_tkt */
/* include both the local ip addresses as well as any other that */
/* are specified. */
unsigned long ipaddr;
for ( addr_count=0;addr_count<KRB5_NUM_OF_ADDRS;addr_count++ )
if ( init->addrs[addr_count] == NULL )
break;
if (addr_count > 0) {
krb5_address ** local_addrs=NULL;
krb5_os_localaddr(kcontext, &local_addrs);
i = 0;
while ( local_addrs[i] )
i++;
addr_count += i;
addrs = (krb5_address **)
malloc((addr_count+1) * sizeof(krb5_address));
if ( !addrs ) {
krb5_free_addresses(kcontext, local_addrs);
goto exit_k5_init;
}
memset(addrs, 0, sizeof(krb5_address *) * (addr_count+1));
i = 0;
while ( local_addrs[i] ) {
addrs[i] = (krb5_address *)malloc(sizeof(krb5_address));
if (addrs[i] == NULL) {
krb5_free_addresses(kcontext, local_addrs);
goto exit_k5_init;
}
addrs[i]->magic = local_addrs[i]->magic;
addrs[i]->addrtype = local_addrs[i]->addrtype;
addrs[i]->length = local_addrs[i]->length;
addrs[i]->contents = (unsigned char *)malloc(addrs[i]->length);
if (!addrs[i]->contents) {
krb5_free_addresses(kcontext, local_addrs);
goto exit_k5_init;
}
memcpy(addrs[i]->contents,local_addrs[i]->contents,
local_addrs[i]->length);
i++;
}
krb5_free_addresses(kcontext, local_addrs);
for ( j=0;i<addr_count;i++,j++ ) {
addrs[i] = (krb5_address *)malloc(sizeof(krb5_address));
if (addrs[i] == NULL)
goto exit_k5_init;
addrs[i]->magic = KV5M_ADDRESS;
addrs[i]->addrtype = AF_INET;
addrs[i]->length = 4;
addrs[i]->contents = (unsigned char *)malloc(addrs[i]->length);
if (!addrs[i]->contents)
goto exit_k5_init;
ipaddr = inet_addr(init->addrs[j]);
memcpy(addrs[i]->contents,&ipaddr,4);
}
}
}
#ifndef NO_KEYTAB
if (!use_keytab)
#endif
{
pwsize = strlen(init->password);
if (pwsize == 0) {
printf("A password must be specified for %s.rn",client_name);
memset(init->password, 0, pwsize);
goto exit_k5_init;
}
code = krb5_get_in_tkt_with_password(kcontext, options, addrs,
NULL, preauth, init->password,
0, &my_creds, 0);
memset(init->password, 0, pwsize);
#ifndef NO_KEYTAB
} else {
code = krb5_get_in_tkt_with_keytab(kcontext, options, addrs,
NULL, preauth, keytab, 0,
&my_creds, 0);
#endif
}
if (code) {
switch (code) {
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
printf("Password incorrectrn");
goto exit_k5_init;
case KRB5KRB_AP_ERR_V4_REPLY:
if (init->getk4) {
printf("Kerberos 5 Tickets not support by server. ");
printf("A version 4 Ticket will be requested.rn");
}
goto exit_k5_init;
default:
goto exit_k5_init;
}
}
code = krb5_cc_initialize (kcontext, ccache, me);
if (code != 0) {
com_err("krb5_kinit",code,"when initializing cache",
op->cache);
goto exit_k5_init;
}
code = krb5_cc_store_cred(kcontext, ccache, &my_creds);
if (code) {
com_err("krb5_kinit",code,"while storing credentials");
goto exit_k5_init;
}
exit_k5_init:
/* Free krb5_address structures if we created them */
if ( addrs ) {
for ( i=0;i<addr_count;i++ ) {
if ( addrs[i] ) {
if ( addrs[i]->contents )
free(addrs[i]->contents);
free(addrs[i]);
}
}
}
/* my_creds is pointing at server */
krb5_free_principal(kcontext, server);
krb5_cc_close(kcontext,ccache);
krb5_free_context(kcontext);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
if ( init->getk4 && code == KRB5KRB_AP_ERR_V4_REPLY )
return(0);
printf("Result from realm %s: %srn",realm,
code?error_message(code):"OK");
return(code?-1:0);
}
#define VALIDATE 0
#define RENEW 1
/* stripped down version of krb5_mk_req */
static krb5_error_code
#ifdef CK_ANSIC
krb5_validate_tgt( krb5_context context,
krb5_ccache ccache,
krb5_principal server, /* tgtname */
krb5_data *outbuf )
#else
krb5_validate_tgt(context, ccache, server, outbuf)
krb5_context context;
krb5_ccache ccache;
krb5_principal server; /* tgtname */
krb5_data *outbuf;
#endif
{
return krb5_tgt_gen(context, ccache, server, outbuf, VALIDATE);
}
/* stripped down version of krb5_mk_req */
static krb5_error_code
#ifdef CK_ANSIC
krb5_renew_tgt(krb5_context context,
krb5_ccache ccache,
krb5_principal server, /* tgtname */
krb5_data *outbuf)
#else
krb5_renew_tgt(context, ccache, server, outbuf)
krb5_context context;
krb5_ccache ccache;
krb5_principal server; /* tgtname */
krb5_data *outbuf;
#endif
{
return krb5_tgt_gen(context, ccache, server, outbuf, RENEW);
}
/* stripped down version of krb5_mk_req */
static krb5_error_code
#ifdef CK_ANSIC
krb5_tgt_gen(krb5_context context,
krb5_ccache ccache,
krb5_principal server, /* tgtname */
krb5_data *outbuf,
int opt)
#else
krb5_tgt_gen(context, ccache, server, outbuf, opt)
krb5_context context;
krb5_ccache ccache;
krb5_principal server; /* tgtname */
krb5_data *outbuf;
int opt;
#endif
{
krb5_error_code retval;
krb5_creds * credsp;
krb5_creds creds;
/* obtain ticket & session key */
memset((char *)&creds, 0, sizeof(creds));
if ((retval = krb5_copy_principal(context, server, &creds.server)))
goto cleanup;
if ((retval = krb5_cc_get_principal(context, ccache, &creds.client)))
goto cleanup_creds;
if (opt == VALIDATE) {
if ((retval = krb5_get_credentials_validate(context, 0,
ccache, &creds, &credsp)))
goto cleanup_creds;
} else {
if ((retval = krb5_get_credentials_renew(context, 0,
ccache, &creds, &credsp)))
goto cleanup_creds;
}
/* we don't actually need to do the mk_req, just get the creds. */
cleanup_creds:
krb5_free_cred_contents(context, &creds);
cleanup:
return retval;
}
#endif /* KINIT */
#ifdef KDESTROY
int
#ifdef CK_ANSIC
ck_krb5_destroy(struct krb_op_data * op)
#else
ck_krb5_destroy(op) struct krb_op_data * op;
#endif
{
krb5_context kcontext;
krb5_error_code retval;
int c;
krb5_ccache ccache = NULL;
char *cache_name = NULL;
int code;
int errflg=0;
int quiet = 0;
if ( !ck_krb5_is_installed() )
return(-1);
code = krb5_init_context(&kcontext);
if (code) {
debug(F101,"ck_krb5_destroy while initializing krb5","",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
code = k5_get_ccache(kcontext,&ccache,op->cache);
if (code != 0) {
debug(F101,"ck_krb5_destroy while getting ccache",
"",code);
krb5_free_context(kcontext);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
code = krb5_cc_destroy (kcontext, ccache);
if (code != 0) {
debug(F101,"ck_krb5_destroy while destroying cache","",code);
if ( code == KRB5_FCC_NOFILE )
printf("No ticket cache to destroy.rn");
else
printf("Ticket cache NOT destroyed!rn");
krb5_cc_close(kcontext,ccache);
krb5_free_context(kcontext);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
printf("Tickets destroyed.rn");
/* Do not call krb5_cc_close() because cache has been destroyed */
krb5_free_context(kcontext);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return (0);
}
#endif /* KDESTROY */
#ifdef KLIST
static int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
static int show_etype = 0, show_addr = 0;
static char *defname;
static char *progname;
static krb5_int32 now;
static int timestamp_width;
static char * etype_string KRB5_PROTOTYPE((krb5_enctype ));
static void show_credential KRB5_PROTOTYPE((krb5_context,
krb5_creds *));
static int do_ccache KRB5_PROTOTYPE((krb5_context,char *));
static int do_keytab KRB5_PROTOTYPE((krb5_context,char *));
static void printtime KRB5_PROTOTYPE((time_t));
static void fillit KRB5_PROTOTYPE((int, int));
#define DEFAULT 0
#define CCACHE 1
#define KEYTAB 2
int
#ifdef CK_ANSIC
ck_krb5_list_creds(struct krb_op_data * op, struct krb5_list_cred_data * lc)
#else
ck_krb5_list_creds(op,lc)
struct krb_op_data * op; struct krb5_list_cred_data * lc;
#endif
{
krb5_context kcontext;
krb5_error_code retval;
int code;
char *name = op->cache;
int mode;
if ( !ck_krb5_is_installed() )
return(-1);
code = krb5_init_context(&kcontext);
if (code) {
debug(F101,"ck_krb5_list_creds while initializing krb5","",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
name = op->cache;
mode = DEFAULT;
show_flags = 0;
show_time = 0;
status_only = 0;
show_keys = 0;
show_etype = 0;
show_addr = 0;
show_flags = lc->flags;
show_etype = lc->encryption;
show_addr = lc->addr;
show_time = 1;
show_keys = 1;
mode = CCACHE;
if ((code = krb5_timeofday(kcontext, &now))) {
if (!status_only)
debug(F101,"ck_krb5_list_creds while getting time of day.",
"",code);
krb5_free_context(kcontext);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
else {
char tmp[BUFSIZ];
if (!krb5_timestamp_to_sfstring(now, tmp, 20, (char *) NULL) ||
!krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp), (char *) NULL))
timestamp_width = (int) strlen(tmp);
else
timestamp_width = 15;
}
if (mode == DEFAULT || mode == CCACHE)
retval = do_ccache(kcontext,name);
else
retval = do_keytab(kcontext,name);
krb5_free_context(kcontext);
return(retval);
}
static int
#ifdef CK_ANSIC
do_keytab(krb5_context kcontext, char * name)
#else
do_keytab(kcontext,name) krb5_context kcontext; char * name;
#endif
{
krb5_keytab kt;
krb5_keytab_entry entry;
krb5_kt_cursor cursor;
char buf[BUFSIZ]; /* hopefully large enough for any type */
char *pname;
int code = 0;
if (name == NULL) {
if ((code = krb5_kt_default(kcontext, &kt))) {
debug(F101,"ck_krb5_list_creds while getting default keytab",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
} else {
if ((code = krb5_kt_resolve(kcontext, name, &kt))) {
debug(F111,"ck_krb5_list_creds while resolving keytab",
name,code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
}
if ((code = krb5_kt_get_name(kcontext, kt, buf, BUFSIZ))) {
debug(F101,"ck_krb5_list_creds while getting keytab name",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
printf("Keytab name: %srn", buf);
if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor))) {
debug(F101,"ck_krb5_list_creds while starting keytab scan",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
if (show_time) {
printf("KVNO Timestamp");
fillit(timestamp_width - sizeof("Timestamp") + 2, (int) ' ');
printf("Principalrn");
printf("---- ");
fillit(timestamp_width, (int) '-');
printf(" ");
fillit(78 - timestamp_width - sizeof("KVNO"), (int) '-');
printf("rn");
} else {
printf("KVNO Principalrn");
printf(
"---- --------------------------------------------------------------------
------rn");
}
while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) {
if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) {
debug(F101,"ck_krb5_list_creds while unparsing principal name",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
printf("%4d ", entry.vno);
if (show_time) {
printtime(entry.timestamp);
printf(" ");
}
printf("%s", pname);
if (show_etype)
printf(" (%s) " , etype_string(entry.key.enctype));
if (show_keys) {
printf(" (0x");
{
int i;
for (i = 0; i < entry.key.length; i++)
printf("%02x", entry.key.contents[i]);
}
printf(")");
}
printf("rn");
krb5_free_unparsed_name(kcontext,pname);
}
if (code && code != KRB5_KT_END) {
debug(F101,"ck_krb5_list_creds while scanning keytab",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
if ((code = krb5_kt_end_seq_get(kcontext, kt, &cursor))) {
debug(F101,"ck_krb5_list_creds while ending keytab scan",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(0);
}
static int
#ifdef CK_ANSIC
do_ccache(krb5_context kcontext, char * cc_name)
#else
do_ccache(kcontext,name) krb5_context kcontext; char * cc_name;
#endif
{
krb5_ccache cache = NULL;
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ=NULL;
krb5_flags flags=0;
krb5_error_code code = 0;
int exit_status = 0;
if (status_only)
/* exit_status is set back to 0 if a valid tgt is found */
exit_status = 1;
code = k5_get_ccache(kcontext,&cache,cc_name);
if (code != 0) {
debug(F111,"do_ccache while getting ccache",
error_message(code),code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
return(-1);
}
flags = 0; /* turns off OPENCLOSE mode */
if ((code = krb5_cc_set_flags(kcontext, cache, flags))) {
if (code == ENOENT) {
debug(F111,"ck_krb5_list_creds (ticket cache)",
krb5_cc_get_name(kcontext, cache),code);
} else {
debug(F111,
"ck_krb5_list_creds while setting cache flags (ticket cache)",
krb5_cc_get_name(kcontext, cache),code);
}
printf("No ticket File.rn");
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
krb5_cc_close(kcontext,cache);
return(-1);
}
if ((code = krb5_cc_get_principal(kcontext, cache, &princ))) {
debug(F101,"ck_krb5_list_creds while retrieving principal name",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
krb5_cc_close(kcontext,cache);
return(-1);
}
if ((code = krb5_unparse_name(kcontext, princ, &defname))) {
debug(F101,"ck_krb5_list_creds while unparsing principal name",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
krb5_cc_close(kcontext,cache);
return(-1);
}
if (!status_only) {
printf("Ticket cache: %s:%srnDefault principal: %srnrn",
krb5_cc_get_type(kcontext, cache),
krb5_cc_get_name(kcontext, cache), defname);
printf("Valid starting");
fillit(timestamp_width - sizeof("Valid starting") + 3,
(int) ' ');
printf("Expires");
fillit(timestamp_width - sizeof("Expires") + 3,
(int) ' ');
printf("Service principalrn");
}
if ((code = krb5_cc_start_seq_get(kcontext, cache, &cur))) {
debug(F101,"ck_krb5_list_creds while starting to retrieve tickets",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
krb5_cc_close(kcontext,cache);
return(-1);
}
while (!(code = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) {
if (status_only) {
if (exit_status && creds.server->length == 2 &&
strcmp(creds.server->realm.data, princ->realm.data) == 0 &&
strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 &&
strcmp((char *)creds.server->data[1].data,
princ->realm.data) == 0 &&
creds.times.endtime > now)
exit_status = 0;
} else {
show_credential(kcontext, &creds);
}
krb5_free_cred_contents(kcontext, &creds);
}
printf("rn");
if (code == KRB5_CC_END || code == KRB5_CC_NOTFOUND) {
if ((code = krb5_cc_end_seq_get(kcontext, cache, &cur))) {
debug(F101,"ck_krb5_list_creds while finishing ticket retrieval",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
krb5_cc_close(kcontext,cache);
return(-1);
}
flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */
if ((code = krb5_cc_set_flags(kcontext, cache, flags))) {
debug(F101,"ck_krb5_list_creds while closing ccache",
"",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
krb5_cc_close(kcontext,cache);
return(-1);
}
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
krb5_cc_close(kcontext,cache);
return(exit_status);
} else {
debug(F101,"ck_krb5_list_creds while retrieving a ticket","",code);
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
krb5_cc_close(kcontext,cache);
return(-1);
}
krb5_errno = code;
makestr(&krb5_errmsg,error_message(krb5_errno));
krb5_cc_close(kcontext,cache);
return(0);
}
static char *
#ifdef CK_ANSIC
etype_string(krb5_enctype enctype)
#else
etype_string(enctype) krb5_enctype enctype;
#endif
{
static char buf[12];
switch (enctype) {
case ENCTYPE_NULL:
return "NULL";
case ENCTYPE_DES_CBC_CRC:
return "DES-CBC-CRC";
case ENCTYPE_DES_CBC_MD4:
return "DES-CBC-MD4";
case ENCTYPE_DES_CBC_MD5:
return "DES-CBC-MD5";
case ENCTYPE_DES3_CBC_SHA:
return "DES3-CBC-SHA";
case ENCTYPE_DES_CBC_RAW:
return "DES-CBC-RAW";
case ENCTYPE_DES3_CBC_RAW:
return "DES3-CBC-RAW";
case ENCTYPE_DES3_HMAC_SHA1:
return "DES3-HMAC-SHA1";
case ENCTYPE_DES_HMAC_SHA1:
return "DES-HMAC-SHA1";
case ENCTYPE_UNKNOWN:
return "UNKNOWN";
case ENCTYPE_LOCAL_DES3_HMAC_SHA1:
return "LOCAL-DES3-HMAC-SHA1";
default:
sprintf(buf, "etype %d", enctype);
return buf;
break;
}
}
static char *
#ifdef CK_ANSIC
flags_string(register krb5_creds *cred)
#else
flags_string(cred) register krb5_creds *cred;
#endif
{
static char buf[32];
int i = 0;
if (cred->ticket_flags & TKT_FLG_FORWARDABLE)
buf[i++] = 'F';
if (cred->ticket_flags & TKT_FLG_FORWARDED)
buf[i++] = 'f';
if (cred->ticket_flags & TKT_FLG_PROXIABLE)
buf[i++] = 'P';
if (cred->ticket_flags & TKT_FLG_PROXY)
buf[i++] = 'p';
if (cred->ticket_flags & TKT_FLG_MAY_POSTDATE)
buf[i++] = 'D';
if (cred->ticket_flags & TKT_FLG_POSTDATED)
buf[i++] = 'd';
if (cred->ticket_flags & TKT_FLG_INVALID)
buf[i++] = 'i';
if (cred->ticket_flags & TKT_FLG_RENEWABLE)
buf[i++] = 'R';
if (cred->ticket_flags & TKT_FLG_INITIAL)
buf[i++] = 'I';
if (cred->ticket_flags & TKT_FLG_HW_AUTH)
buf[i++] = 'H';
if (cred->ticket_flags & TKT_FLG_PRE_AUTH)
buf[i++] = 'A';
buf[i] = '';
return(buf);
}
static char *