if (krb5_rc_recover(rcache)) { extern krb5_deltat krb5_clockskew; if (retval = krb5_rc_initialize(rcache, krb5_clockskew)) { if (localaddrs) krb5_free_addresses(localaddrs); if (creds) krb5_free_creds(creds); if (retval2 = krb5_rc_close(rcache)) { strcpy(kerror, "krb5_rc_close failed: "); strncat(kerror, error_message(retval2), 238); return(SendConnSetup(client, kerror)); } free(rcache); strcpy(kerror, "krb5_rc_initialize failed: "); strncat(kerror, error_message(retval), 233); return(SendConnSetup(client, kerror)); } } buf.length = (stuff->length << 2) - sz_xReq; buf.data = (char *)stuff + sz_xReq; if (creds) { retval = krb5_rd_req(&buf, NULL, /* don't bother with server name */ &cli_addr, NULL, /* no fetchfrom */ tgt_keyproc, creds, /* credentials as arg to keyproc */ rcache, &authdat); krb5_free_creds(creds); } else if (kt = (char *)((OsCommPtr)client->osPrivate)->authstate.ktname) { retval = krb5_rd_req(&buf, srvname, &cli_addr, kt, NULL, NULL, rcache, &authdat); ((OsCommPtr)client->osPrivate)->authstate.ktname = NULL; } else { if (localaddrs) krb5_free_addresses(localaddrs); return(SendConnSetup(client, "Krb5: neither srvcreds nor ktname set")); } if (localaddrs) krb5_free_addresses(localaddrs); if (rcache) { if (retval2 = krb5_rc_close(rcache)) { strcpy(kerror, "krb5_rc_close failed (2): "); strncat(kerror, error_message(retval2), 230); return(SendConnSetup(client, kerror)); } free(rcache); } if (retval) { strcpy(kerror, "Krb5: Bad application request: "); strncat(kerror, error_message(retval), 224); return(SendConnSetup(client, kerror)); } cprinc = authdat->ticket->enc_part2->client; skey = authdat->ticket->enc_part2->session; if (XauKrb5Encode(cprinc, &buf)) { krb5_free_tkt_authent(authdat); return(SendConnSetup(client, "XauKrb5Encode bombed")); } /* * Now check to see if the principal we got is one that we want to let in */ if (ForEachHostInFamily(FamilyKrb5Principal, k5_cmpenc, (pointer)&buf)) { free(buf.data); /* * The following deals with sending an 
ap_rep to the client to * achieve mutual authentication. The client sends back a stage 3 * packet if all is ok. */ if (authdat->ap_options | AP_OPTS_MUTUAL_REQUIRED) { /* * stage 2: send ap_rep to client */ if (retval = krb5_us_timeofday(&ctime, &cusec)) { krb5_free_tkt_authent(authdat); strcpy(kerror, "error in krb5_us_timeofday: "); strncat(kerror, error_message(retval), 234); return(SendConnSetup(client, kerror)); } rep.ctime = ctime; rep.cusec = cusec; rep.subkey = NULL; rep.seq_number = 0; if (retval = krb5_mk_rep(&rep, skey, &buf)) { krb5_free_tkt_authent(authdat); strcpy(kerror, "error in krb5_mk_rep: "); strncat(kerror, error_message(retval), 238); return(SendConnSetup(client, kerror)); } prefix.reqType = 2; /* opcode = authenticate */ prefix.data = 2; /* stage = 2 */ prefix.length = (buf.length + sz_xReq + 3) >> 2; if (client->swapped) { swaps(&prefix.length, n); } WriteToClient(client, sz_xReq, (char *)&prefix); WriteToClient(client, buf.length, buf.data); free(buf.data); krb5_free_tkt_authent(authdat); ((OsCommPtr)client->osPrivate)->authstate.stageno = 3; /* expect stage3 packet */ return(Success); } else { free(buf.data); krb5_free_tkt_authent(authdat); return(SendConnSetup(client, NULL)); /* success! */ } } else { char *kname; krb5_free_tkt_authent(authdat); free(buf.data); retval = krb5_unparse_name(cprinc, &kname); if (retval == 0) { sprintf(kerror, "Principal \"%s\" is not authorized to connect", kname); if (kname) free(kname); return(SendConnSetup(client, kerror)); } else return(SendConnSetup(client,"Principal is not authorized to connect to Server")); }}/* * k5_stage3: * * Get the short ack packet from the client. This packet can conceivably * be expanded to allow for switching on end-to-end encryption. 
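*/

/*
 * k5_stage3:
 *
 * Get the short ack packet from the client.  This packet can conceivably
 * be expanded to allow for switching on end-to-end encryption.
 *
 * stage3 packet format:
 *
 *	CARD8	reqType	= 3
 *	CARD8	data	= ignored (for now)
 *	CARD16	length	= should be zero
 *
 * Returns the result of SendConnSetup(): the connection is accepted only
 * if stage 2 left this connection expecting a stage 3 packet.  The packet
 * body is not inspected (data and length are documented as ignored), so
 * nothing in it is relied upon.
 */
int k5_stage3(client)
    register ClientPtr client;
{
    OsCommPtr oc = (OsCommPtr)client->osPrivate;
    REQUEST(xReq);

    if (oc->authstate.stageno != 3)
	return(SendConnSetup(client, "expected Krb5 stage3 packet"));
    return(SendConnSetup(client, NULL));	/* success! */
}

/*
 * k5_bad:
 *
 * Called for an auth packet whose opcode does not match the stage this
 * connection is expecting.  Releases the server credentials cached on the
 * connection (if any) and rejects the client.  The cached pointer is
 * cleared after it is freed so that a second unexpected packet on the same
 * connection cannot free the credentials twice.
 */
int k5_bad(client)
    register ClientPtr client;
{
    OsCommPtr oc = (OsCommPtr)client->osPrivate;

    if (oc->authstate.srvcreds) {
	krb5_free_creds((krb5_creds *)oc->authstate.srvcreds);
	oc->authstate.srvcreds = NULL;
    }
    /* Both %d arguments are small integers, so kerror cannot overflow. */
    sprintf(kerror, "unrecognized Krb5 auth packet %d, expecting %d",
	    ((xReq *)client->requestBuffer)->reqType,
	    oc->authstate.stageno);
    return(SendConnSetup(client, kerror));
}

/*
 * k5add_ccache: "UU:" form of K5Add.
 *
 * Resolve the credentials cache named by nbuf, add its primary principal
 * to the acl and take ownership of nbuf as ccname.  Returns 1 on success
 * and 0 on failure; on failure nbuf is freed and nothing is registered.
 */
static int
k5add_ccache(nbuf, id)
    char *nbuf;
    XID id;
{
    krb5_ccache cc = NULL;
    krb5_principal princ;
    krb5_error_code retval;
    krb5_data kbuf;

    if (retval = krb5_cc_resolve(nbuf, &cc)) {
	ErrorF("K5Add: krb5_cc_resolve of \"%s\" failed: %s\n",
	       nbuf, error_message(retval));
	free(nbuf);
	return 0;
    }
    if (!cc || (retval = krb5_cc_get_principal(cc, &princ))) {
	ErrorF("K5Add: getting principal from cache \"%s\" failed: %s\n",
	       nbuf, error_message(retval));
	if (cc)
	    krb5_cc_close(cc);
	free(nbuf);
	return 0;
    }
    if (XauKrb5Encode(princ, &kbuf)) {
	krb5_free_principal(princ);
	krb5_cc_close(cc);
	free(nbuf);
	return 0;
    }
    krb5_free_principal(princ);
    /* A cache that cannot be closed is still treated as a failure to
     * register, but no longer leaks the encoded principal or nbuf. */
    if (krb5_cc_close(cc)) {
	free(kbuf.data);
	free(nbuf);
	return 0;
    }
    AddHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data);
    free(kbuf.data);		/* AddHost keeps its own copy */
    ccname = nbuf;
    krb5_id = id;
    return 1;
}

/*
 * k5add_service: "CS:" form of K5Add.
 *
 * nbuf is "<service>,<keytab>".  Build the host-based service principal
 * for the local host, verify that the keytab holds a key for it, and add
 * the principal to the acl.  nbuf is always freed here.  On success srvname
 * and ktname are set and 1 is returned; on failure both are left NULL and
 * 0 is returned.
 */
static int
k5add_service(nbuf, id)
    char *nbuf;
    XID id;
{
    krb5_keytab keytab;
    krb5_keytab_entry tmp_entry;
    krb5_error_code retval;
    krb5_data kbuf;
    char *cp;

    if ((cp = strchr(nbuf, ',')) == NULL) {
	free(nbuf);
	return 0;
    }
    *cp++ = '\0';		/* split service name from keytab name in place */
    if ((ktname = (char *)malloc(strlen(cp) + 1)) == NULL) {
	free(nbuf);
	return 0;
    }
    strcpy(ktname, cp);

    /* NULL hostname: use the local host name. */
    retval = krb5_sname_to_principal(NULL, nbuf, KRB5_NT_SRV_HST, &srvname);
    free(nbuf);
    if (retval)
	goto fail;

    if (krb5_kt_resolve(ktname, &keytab))
	goto fail;
    /* kvno 0 as in the original (presumably "any version"); only the
     * success of the lookup matters, the entry itself is discarded. */
    retval = krb5_kt_get_entry(keytab, srvname, 0, &tmp_entry);
    if (retval == 0)
	krb5_kt_free_entry(&tmp_entry);	/* only valid after a successful lookup */
    krb5_kt_close(keytab);
    if (retval)
	goto fail;

    if (XauKrb5Encode(srvname, &kbuf))
	goto fail;
    AddHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data);
    free(kbuf.data);		/* AddHost keeps its own copy */
    krb5_id = id;
    return 1;

fail:
    free(ktname);
    ktname = NULL;
    if (srvname) {
	krb5_free_principal(srvname);
	srvname = NULL;
    }
    return 0;
}

/*
 * K5Add:
 *
 * Takes the name of a credentials cache and resolves it.  Also adds the
 * primary principal of the ccache to the acl.
 *
 * Now will also take a service name.
 *
 * data is the auth-file payload, data_length bytes long and not NUL
 * terminated; it is never read past data_length.  Two forms are
 * understood, selected by a 3-byte prefix:
 *
 *	"UU:" <ccache name>
 *	"CS:" <service name> "," <keytab name>
 *
 * Any ccache/service/keytab registered by an earlier call is forgotten
 * first (its acl entry is not removed here; K5Reset does that).  Returns 1
 * and binds krb5_id to id on success, 0 otherwise, in which case krb5_id
 * is ~0L and ccname, srvname and ktname are NULL.
 */
int K5Add(data_length, data, id)
    unsigned short data_length;
    char *data;
    XID id;
{
    char *nbuf;

    krb5_init_ets();		/* can't think of a better place to put it */
    krb5_id = ~0L;
    if (data_length < 3)
	return 0;
    /* Copy everything after the 3-byte prefix into a NUL-terminated
     * string: data_length - 3 bytes plus the terminator. */
    if ((nbuf = (char *)malloc(data_length - 2)) == NULL)
	return 0;
    memcpy(nbuf, data + 3, data_length - 3);
    nbuf[data_length - 3] = '\0';

    if (ccname) {
	free(ccname);
	ccname = NULL;
    }
    if (srvname) {
	krb5_free_principal(srvname);
	srvname = NULL;
    }
    if (ktname) {
	free(ktname);
	ktname = NULL;
    }

    if (!strncmp(data, "UU:", 3))
	return k5add_ccache(nbuf, id);
    if (!strncmp(data, "CS:", 3))
	return k5add_service(nbuf, id);

    ErrorF("K5Add: credentials cache name \"%.*s\" in auth file: unknown type\n",
	   data_length, data);
    free(nbuf);
    return 0;
}

/*
 * K5Reset:
 *
 * Reset krb5_id, also nuke the current principal from the acl.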
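*/

/*
 * K5Reset:
 *
 * Undoes K5Add: removes the ccache principal (if any) and the service
 * principal (if any) from the acl, forgets the keytab name and sets
 * krb5_id back to ~0L.  Returns 0 on success, 1 if a principal could not
 * be encoded or the credentials cache could not be closed.
 */
int K5Reset()
{
    krb5_principal princ;
    krb5_error_code retval;
    krb5_ccache cc = NULL;	/* must be NULL if the resolve below fails */
    krb5_data kbuf;

    if (ccname) {
	if (retval = krb5_cc_resolve(ccname, &cc)) {
	    /* The cache is gone: forget it rather than dereference cc. */
	    cc = NULL;
	    free(ccname);
	    ccname = NULL;
	}
	if (cc && !(retval = krb5_cc_get_principal(cc, &princ))) {
	    if (XauKrb5Encode(princ, &kbuf)) {
		krb5_free_principal(princ);
		krb5_cc_close(cc);
		return 1;
	    }
	    RemoveHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data);
	    krb5_free_principal(princ);
	    free(kbuf.data);
	    if (krb5_cc_close(cc))
		return 1;
	    free(ccname);
	    ccname = NULL;
	} else if (cc) {
	    /* Principal unreadable: release the cache handle, keep ccname
	     * so a later reset can try again (as before). */
	    krb5_cc_close(cc);
	}
    }
    if (srvname) {
	if (XauKrb5Encode(srvname, &kbuf))
	    return 1;
	RemoveHost(NULL, FamilyKrb5Principal, kbuf.length, kbuf.data);
	krb5_free_principal(srvname);
	free(kbuf.data);
	srvname = NULL;
    }
    if (ktname) {
	free(ktname);
	ktname = NULL;
    }
    krb5_id = ~0L;
    return 0;
}

/*
 * K5ToID:
 *
 * Return the XID that K5Add bound to the current Krb5 auth entry (~0L if
 * none).  The data arguments are not consulted.
 */
XID K5ToID(data_length, data)
    unsigned short data_length;
    char *data;
{
    return krb5_id;
}

/*
 * K5FromID:
 *
 * Not implemented: always returns 0 and leaves *data_lenp and *datap
 * untouched.
 */
int K5FromID(id, data_lenp, datap)
    XID id;
    unsigned short *data_lenp;
    char **datap;
{
    return 0;
}

/*
 * K5Remove:
 *
 * Not implemented: always returns 0.  Acl entries are dropped by K5Reset.
 */
int K5Remove(data_length, data)
    unsigned short data_length;
    char *data;
{
    return 0;
}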