
📄 kerberos5.c

📁 早期freebsd实现
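			return;
		}
		/*
		 * The listing begins part-way through a function whose opening
		 * lines are not shown here.  The code of that function is kept as
		 * published; only line breaks and review comments were added.
		 */
		if ((name = malloc(strlen(hp->h_name)+1)) == NULL) {
			if (auth_debug_mode)
				printf("Out of memory for hostname in Kerberos V5\r\n");
			Data(ap, KRB_REJECT, "Out of memory.", -1);
			auth_finished(ap, AUTH_REJECT);
			return;
		}
		/* Copy the host name into name, folding upper case to lower case. */
		p1 = hp->h_name;
		p2 = name;
		while (*p2 = *p1++) {
			if (isupper(*p2))
				*p2 |= 040;
			++p2;
		}
		if (authdat)
			krb5_free_tkt_authent(authdat);
		r = krb5_build_principal_ext(&server,
					     strlen(realm), realm,
					     4, "host",
					     p2 - name, name,
					     0);
		if (!r) {
			r = krb5_rd_req_simple(&auth, server, 0, &authdat);
			krb5_free_principal(server);
		}
		if (r) {
			char errbuf[128];
			/*
			 * NOTE(review): errbuf is a fixed 128 bytes and the
			 * strcpy/strcat pair below puts no bound on the length of
			 * error_message(r); a bounded formatter would be safer.
			 * When this path is entered directly from the failed
			 * krb5_rd_req_simple() call, name has not been freed.
			 */
		    errout:
			authdat = 0;
			(void) strcpy(errbuf, "Read req failed: ");
			(void) strcat(errbuf, error_message(r));
			Data(ap, KRB_REJECT, errbuf, -1);
			if (auth_debug_mode)
				printf("%s\r\n", errbuf);
			return;
		}
		free(name);
		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
			/* do ap_rep stuff here */
			reply.ctime = authdat->authenticator->ctime;
			reply.cusec = authdat->authenticator->cusec;
			reply.subkey = 0;	/* use the one he gave us, so don't
						   need to return one here */
			reply.seq_number = 0; /* we don't do seq #'s. */
			if (r = krb5_mk_rep(&reply,
					authdat->authenticator->subkey ?
					authdat->authenticator->subkey :
					authdat->ticket->enc_part2->session,
					&outbuf)) {
				goto errout;
			}
			Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
		}
		if (krb5_unparse_name(authdat->ticket->enc_part2 ->client,
				      &name))
			name = 0;
		Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
		if (auth_debug_mode) {
			printf("Kerberos5 identifies him as ``%s''\r\n",
							name ? name : "");
		}
		auth_finished(ap, AUTH_USER);

		free(name);
		/*
		 * Only a DES key is copied into session_key: the authenticator
		 * subkey if it is DES, else the ticket session key if that is DES;
		 * any other key type leaves the case without setting up encryption.
		 */
		if (authdat->authenticator->subkey &&
		    authdat->authenticator->subkey->keytype == KEYTYPE_DES) {
			bcopy((Voidptr )authdat->authenticator->subkey->contents,
			      (Voidptr )session_key, sizeof(Block));
		} else if (authdat->ticket->enc_part2->session->keytype ==
			   KEYTYPE_DES) {
			bcopy((Voidptr )authdat->ticket->enc_part2->session->contents,
			      (Voidptr )session_key, sizeof(Block));
		} else
			break;

#ifdef ENCRYPTION
		skey.type = SK_DES;
		skey.length = 8;
		skey.data = session_key;
		encrypt_session_key(&skey, 1);
#endif	/* ENCRYPTION */
		break;
#ifdef	FORWARD
	case KRB_FORWARD:
		/*
		 * NOTE(review): authdat is dereferenced here without a NULL check
		 * in the lines shown, and the errout path above sets it to 0 --
		 * confirm that a KRB_FORWARD message cannot reach this case before
		 * a successful authentication.
		 */
		inbuf.data = (char *)data;
		inbuf.length = cnt;
		if (r = rd_and_store_for_creds(&inbuf, authdat->ticket,
					       UserNameRequested)) {
			char errbuf[128];

			/* NOTE(review): same unbounded strcpy/strcat as above. */
			(void) strcpy(errbuf, "Read forwarded creds failed: ");
			(void) strcat(errbuf, error_message(r));
			Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
			if (auth_debug_mode)
				printf("Could not read forwarded credentials\r\n");
		}
		else
			Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
		/*
		 * NOTE(review): only the Data() call above belongs to the else.
		 * The debug message below is printed after the failure branch as
		 * well, which the published indentation hides.
		 */
		if (auth_debug_mode)
			printf("Forwarded credentials obtained\r\n");
		break;
#endif	/* FORWARD */
	default:
		if (auth_debug_mode)
			printf("Unknown Kerberos option %d\r\n", data[-1]);
		Data(ap, KRB_REJECT, 0, 0);
		break;
	}
}

/*
 * kerberos5_reply -- handle one Kerberos V5 authentication reply message.
 *
 * ap    authenticator descriptor; ap->way is tested for AUTH_HOW_MUTUAL
 * data  message bytes; data[0] selects the case, the rest is the payload
 * cnt   number of bytes in data
 *
 * KRB_REJECT prints the reason and asks for a retry.  KRB_ACCEPT finishes
 * authentication, but when mutual authentication was requested it is
 * refused unless a KRB_RESPONSE was verified first.  KRB_RESPONSE decodes
 * the reply with krb5_rd_rep() under the DES session key and compares its
 * ctime/cusec with the authenticator that was sent.
 *
 * NOTE(review): payload text is printed with %.*s exactly as received; the
 * bytes are not filtered for control characters before reaching the
 * terminal.  Only single-DES keys are handled, which is a historical
 * choice and not adequate by current standards.
 */
	void
kerberos5_reply(ap, data, cnt)
	Authenticator *ap;
	unsigned char *data;
	int cnt;
{
	Session_Key skey;
	/*
	 * Set once a KRB_RESPONSE has been verified.  It is static and never
	 * cleared in this function -- NOTE(review): confirm that a later retry
	 * in the same process cannot rely on a stale value.
	 */
	static int mutual_complete = 0;

	/* Need at least the one-byte message type. */
	if (cnt-- < 1)
		return;
	switch (*data++) {
	case KRB_REJECT:
		if (cnt > 0) {
			printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
				cnt, data);
		} else
			printf("[ Kerberos V5 refuses authentication ]\r\n");
		auth_send_retry();
		return;
	case KRB_ACCEPT:
		/* An accept without the verified reply is not trusted. */
		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
		    !mutual_complete) {
			printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\n");
			auth_send_retry();
			return;
		}
		if (cnt)
			printf("[ Kerberos V5 accepts you as ``%.*s'' ]\n", cnt, data);
		else
			printf("[ Kerberos V5 accepts you ]\n");
		auth_finished(ap, AUTH_USER);
#ifdef	FORWARD
		if (forward_flags & OPTS_FORWARD_CREDS)
			kerberos5_forward(ap);
#endif	/* FORWARD */
		break;
	case KRB_RESPONSE:
		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
			/* the rest of the reply should contain a krb_ap_rep */
			krb5_ap_rep_enc_part *reply;
			krb5_data inbuf;
			krb5_error_code r;
			krb5_keyblock tmpkey;

			inbuf.length = cnt;
			inbuf.data = (char *)data;

			tmpkey.keytype = KEYTYPE_DES;
			tmpkey.contents = session_key;
			tmpkey.length = sizeof(Block);

			r = krb5_rd_rep(&inbuf, &tmpkey, &reply);
			if (r) {
				printf("[ Mutual authentication failed: %s ]\n",
				       error_message(r));
				auth_send_retry();
				return;
			}
			if (reply->ctime != authenticator.ctime ||
			    reply->cusec != authenticator.cusec) {
				printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\n");
				/* The decoded reply was leaked on this path before. */
				krb5_free_ap_rep_enc_part(reply);
				auth_send_retry();
				return;
			}
			krb5_free_ap_rep_enc_part(reply);
#ifdef	ENCRYPTION
			skey.type = SK_DES;
			skey.length = 8;
			skey.data = session_key;
			encrypt_session_key(&skey, 0);
#endif	/* ENCRYPTION */
			mutual_complete = 1;
		}
		return;
#ifdef	FORWARD
	case KRB_FORWARD_ACCEPT:
		printf("[ Kerberos V5 accepted forwarded credentials ]\n");
		return;
	case KRB_FORWARD_REJECT:
		printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
				cnt, data);
		return;
#endif	/* FORWARD */
	default:
		/* data was advanced past the type byte, so data[-1] is that byte. */
		if (auth_debug_mode)
			printf("Unknown Kerberos option %d\r\n", data[-1]);
		return;
	}
}

/*
 * kerberos5_status -- report the authentication level for this session.
 *
 * ap     authenticator descriptor (not used in this function)
 * name   output buffer that receives UserNameRequested on AUTH_VALID
 * level  level reached so far; values below AUTH_USER are returned as is
 *
 * Returns AUTH_VALID when a user name was requested and krb5_kuserok()
 * accepts the ticket's client principal for it, otherwise AUTH_USER.
 */
	int
kerberos5_status(ap, name, level)
	Authenticator *ap;
	char *name;
	int level;
{
	if (level < AUTH_USER)
		return(level);

	/*
	 * authdat is set to 0 on the error path of the request handler, so it
	 * is checked before being dereferenced; without ticket data the name
	 * cannot be validated and the weaker AUTH_USER is returned.
	 */
	if (UserNameRequested && authdat &&
	    krb5_kuserok(authdat->ticket->enc_part2->client, UserNameRequested))
	{
		/*
		 * NOTE(review): unbounded copy.  The interface carries no size
		 * for name, so the caller's buffer must be large enough for
		 * UserNameRequested -- verify against the caller.
		 */
		strcpy(name, UserNameRequested);
		return(AUTH_VALID);
	}
	return(AUTH_USER);
}

/* Advance buf to its terminating NUL, reducing len by the distance moved. */
#define	BUMP(buf, len)		do { while (*(buf)) { ++(buf); --(len); } } while (0)
/* Append c to buf only while room remains. */
#define	ADDC(buf, len, c)	do { if ((len) > 0) { *(buf)++ = (c); --(len); } } while (0)

/*
 * kerberos5_printsub -- render a Kerberos V5 suboption as text.
 *
 * data    suboption bytes; data[3] is the Kerberos message type and the
 *         payload starts at data[4]
 * cnt     number of bytes in data
 * buf     output buffer, always left NUL-terminated when buflen > 0
 * buflen  size of buf in bytes
 *
 * REJECT and ACCEPT print the payload as a double-quoted string; every
 * other type prints the payload bytes as decimal numbers.
 */
	void
kerberos5_printsub(data, cnt, buf, buflen)
	unsigned char *data, *buf;
	int cnt, buflen;
{
	char lbuf[32];
	int i;

	/* Without this guard buf[buflen-1] would be written before buf. */
	if (buflen <= 0)
		return;

	buf[buflen-1] = '\0';		/* make sure its NULL terminated */
	buflen -= 1;

	/* data[3] is read below; a shorter suboption has no type byte. */
	if (cnt < 4) {
		buf[0] = '\0';
		return;
	}

	switch(data[3]) {
	case KRB_REJECT:		/* Rejected (reason might follow) */
		strncpy((char *)buf, " REJECT ", buflen);
		goto common;

	case KRB_ACCEPT:		/* Accepted (name might follow) */
		strncpy((char *)buf, " ACCEPT ", buflen);
	common:
		BUMP(buf, buflen);
		if (cnt <= 4)
			break;
		ADDC(buf, buflen, '"');
		for (i = 4; i < cnt; i++)
			ADDC(buf, buflen, data[i]);
		ADDC(buf, buflen, '"');
		ADDC(buf, buflen, '\0');
		break;

	case KRB_AUTH:			/* Authentication data follows */
		strncpy((char *)buf, " AUTH", buflen);
		goto common2;

	case KRB_RESPONSE:
		strncpy((char *)buf, " RESPONSE", buflen);
		goto common2;

#ifdef	FORWARD
	case KRB_FORWARD:		/* Forwarded credentials follow */
		strncpy((char *)buf, " FORWARD", buflen);
		goto common2;

	case KRB_FORWARD_ACCEPT:	/* Forwarded credentials accepted */
		strncpy((char *)buf, " FORWARD_ACCEPT", buflen);
		goto common2;

	case KRB_FORWARD_REJECT:	/* Forwarded credentials rejected */
					/* (reason might follow) */
		strncpy((char *)buf, " FORWARD_REJECT", buflen);
		goto common2;
#endif	/* FORWARD */

	default:
		sprintf(lbuf, " %d (unknown)", data[3]);
		strncpy((char *)buf, lbuf, buflen);
	common2:
		/*
		 * strncpy may leave no NUL inside the remaining space; BUMP then
		 * stops on the terminator stored in the last byte at entry.
		 */
		BUMP(buf, buflen);
		for (i = 4; i < cnt; i++) {
			sprintf(lbuf, " %d", data[i]);
			strncpy((char *)buf, lbuf, buflen);
			BUMP(buf, buflen);
		}
		break;
	}
}

#ifdef	FORWARD
/*
 * kerberos5_forward -- send the local Kerberos V5 credentials to the peer.
 *
 * ap  authenticator descriptor passed through to Data()
 *
 * Builds the "host" principal for RemoteHostName, takes the client
 * principal from the default credentials cache, obtains cached
 * credentials, turns them into forwardable form with get_for_creds() and
 * sends them as a KRB_FORWARD message.  Failures are reported only when
 * auth_debug_mode is set, and the function then returns without sending.
 *
 * NOTE(review): the credentials cache handle and forw_creds.data are not
 * released anywhere in this function -- confirm who owns them.
 */
	void
kerberos5_forward(ap)
	Authenticator *ap;
{
	krb5_creds *local_creds;
	krb5_error_code r;
	krb5_data forw_creds;
	extern krb5_cksumtype krb5_kdc_req_sumtype;
	krb5_ccache ccache;

	local_creds = calloc(1, sizeof(*local_creds));
	if (!local_creds) {
		if (auth_debug_mode)
			printf("Kerberos V5: could not allocate memory for credentials\r\n");
		return;
	}

	r = krb5_sname_to_principal(RemoteHostName, "host", 1,
				    &local_creds->server);
	if (r) {
		if (auth_debug_mode)
			printf("Kerberos V5: could not build server name - %s\r\n",
			       error_message(r));
		krb5_free_creds(local_creds);
		return;
	}

	r = krb5_cc_default(&ccache);
	if (r) {
		if (auth_debug_mode)
			printf("Kerberos V5: could not get default ccache - %s\r\n",
			       error_message(r));
		krb5_free_creds(local_creds);
		return;
	}

	r = krb5_cc_get_principal(ccache, &local_creds->client);
	if (r) {
		if (auth_debug_mode)
			printf("Kerberos V5: could not get default principal - %s\r\n",
			       error_message(r));
		krb5_free_creds(local_creds);
		return;
	}

	/* Get ticket from credentials cache */
	r = krb5_get_credentials(KRB5_GC_CACHED, ccache, local_creds);
	if (r) {
		if (auth_debug_mode)
			printf("Kerberos V5: could not obtain credentials - %s\r\n",
			       error_message(r));
		krb5_free_creds(local_creds);
		return;
	}

	r = get_for_creds(ETYPE_DES_CBC_CRC,
			  krb5_kdc_req_sumtype,
			  RemoteHostName,
			  local_creds->client,
			  &local_creds->keyblock,
			  forward_flags & OPTS_FORWARDABLE_CREDS,
			  &forw_creds);
	if (r) {
		if (auth_debug_mode)
			printf("Kerberos V5: error getting forwarded creds - %s\r\n",
			       error_message(r));
		krb5_free_creds(local_creds);
		return;
	}

	/* Send forwarded credentials */
	if (!Data(ap, KRB_FORWARD, forw_creds.data, forw_creds.length)) {
		if (auth_debug_mode)
			printf("Not enough room for authentication data\r\n");
	}
	else {
		if (auth_debug_mode)
			printf("Forwarded local Kerberos V5 credentials to server\r\n");
	}

	krb5_free_creds(local_creds);
}
#endif	/* FORWARD */

#endif /* KRB5 */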
