xref: /freebsd/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*-
2  * Copyright (c) 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 /*
35  * Copyright (C) 1990 by the Massachusetts Institute of Technology
36  *
37  * Export of this software from the United States of America may
38  * require a specific license from the United States Government.
39  * It is the responsibility of any person or organization contemplating
40  * export to obtain such a license before exporting.
41  *
42  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43  * distribute this software and its documentation for any purpose and
44  * without fee is hereby granted, provided that the above copyright
45  * notice appear in all copies and that both that copyright notice and
46  * this permission notice appear in supporting documentation, and that
47  * the name of M.I.T. not be used in advertising or publicity pertaining
48  * to distribution of the software without specific, written prior
49  * permission.  M.I.T. makes no representations about the suitability of
50  * this software for any purpose.  It is provided "as is" without express
51  * or implied warranty.
52  */
53 
54 #include <config.h>
55 
56 RCSID("$Id: kerberos5.c,v 1.53.2.1 2004/06/21 08:21:07 lha Exp $");
57 
58 #ifdef	KRB5
59 
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <unistd.h>
65 #include <netdb.h>
66 #include <ctype.h>
67 #include <pwd.h>
68 #define Authenticator k5_Authenticator
69 #include <krb5.h>
70 #undef Authenticator
71 #include <roken.h>
72 #ifdef SOCKS
73 #include <socks.h>
74 #endif
75 
76 
77 #include "encrypt.h"
78 #include "auth.h"
79 #include "misc.h"
80 
81 #if defined(DCE)
82 int dfsk5ok = 0;
83 int dfspag = 0;
84 int dfsfwd = 0;
85 #endif
86 
87 int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */
88 
89 int forward(int);
90 int forwardable(int);
91 
92 /* These values need to be the same as those defined in telnet/main.c. */
93 /* Either define them in both places, or put in some common header file. */
94 #define OPTS_FORWARD_CREDS	0x00000002
95 #define OPTS_FORWARDABLE_CREDS	0x00000001
96 
97 
98 void kerberos5_forward (Authenticator *);
99 
100 static unsigned char str_data[4] = { IAC, SB, TELOPT_AUTHENTICATION, 0 };
101 
102 #define	KRB_AUTH		0	/* Authentication data follows */
103 #define	KRB_REJECT		1	/* Rejected (reason might follow) */
104 #define	KRB_ACCEPT		2	/* Accepted */
105 #define	KRB_RESPONSE		3	/* Response for mutual auth. */
106 
107 #define KRB_FORWARD     	4       /* Forwarded credentials follow */
108 #define KRB_FORWARD_ACCEPT     	5       /* Forwarded credentials accepted */
109 #define KRB_FORWARD_REJECT     	6       /* Forwarded credentials rejected */
110 
111 static	krb5_data auth;
112 static  krb5_ticket *ticket;
113 
114 static krb5_context context;
115 static krb5_auth_context auth_context;
116 
117 static int
118 Data(Authenticator *ap, int type, void *d, int c)
119 {
120     unsigned char *cd = (unsigned char *)d;
121     unsigned char *p0, *p;
122     size_t len = sizeof(str_data) + 3 + 2;
123     int ret;
124 
125     if (c == -1)
126 	c = strlen((char*)cd);
127 
128     for (p = cd; p - cd < c; p++, len++)
129 	if (*p == IAC)
130 	    len++;
131 
132     p0 = malloc(len);
133     if (p0 == NULL)
134 	return 0;
135 
136     memcpy(p0, str_data, sizeof(str_data));
137     p = p0 + sizeof(str_data);
138 
139     if (auth_debug_mode) {
140 	printf("%s:%d: [%d] (%d)",
141 	       str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
142 	       str_data[3],
143 	       type, c);
144 	printd(d, c);
145 	printf("\r\n");
146     }
147     *p++ = ap->type;
148     *p++ = ap->way;
149     *p++ = type;
150     while (c-- > 0) {
151 	if ((*p++ = *cd++) == IAC)
152 	    *p++ = IAC;
153     }
154     *p++ = IAC;
155     *p++ = SE;
156     if (str_data[3] == TELQUAL_IS)
157 	printsub('>', &p0[2], len - 2);
158     ret = telnet_net_write(p0, len);
159     free(p0);
160     return ret;
161 }
162 
163 int
164 kerberos5_init(Authenticator *ap, int server)
165 {
166     krb5_error_code ret;
167 
168     ret = krb5_init_context(&context);
169     if (ret)
170 	return 0;
171     if (server) {
172 	krb5_keytab kt;
173 	krb5_kt_cursor cursor;
174 
175 	ret = krb5_kt_default(context, &kt);
176 	if (ret)
177 	    return 0;
178 
179 	ret = krb5_kt_start_seq_get (context, kt, &cursor);
180 	if (ret) {
181 	    krb5_kt_close (context, kt);
182 	    return 0;
183 	}
184 	krb5_kt_end_seq_get (context, kt, &cursor);
185 	krb5_kt_close (context, kt);
186 
187 	str_data[3] = TELQUAL_REPLY;
188     } else
189 	str_data[3] = TELQUAL_IS;
190     return(1);
191 }
192 
193 extern int net;
194 static int
195 kerberos5_send(char *name, Authenticator *ap)
196 {
197     krb5_error_code ret;
198     krb5_ccache ccache;
199     int ap_opts;
200     krb5_data cksum_data;
201     char foo[2];
202 
203     if (!UserNameRequested) {
204 	if (auth_debug_mode) {
205 	    printf("Kerberos V5: no user name supplied\r\n");
206 	}
207 	return(0);
208     }
209 
210     ret = krb5_cc_default(context, &ccache);
211     if (ret) {
212 	if (auth_debug_mode) {
213 	    printf("Kerberos V5: could not get default ccache: %s\r\n",
214 		   krb5_get_err_text (context, ret));
215 	}
216 	return 0;
217     }
218 
219     if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
220 	ap_opts = AP_OPTS_MUTUAL_REQUIRED;
221     else
222 	ap_opts = 0;
223 
224     ap_opts |= AP_OPTS_USE_SUBKEY;
225 
226     ret = krb5_auth_con_init (context, &auth_context);
227     if (ret) {
228 	if (auth_debug_mode) {
229 	    printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
230 		   krb5_get_err_text(context, ret));
231 	}
232 	return(0);
233     }
234 
235     ret = krb5_auth_con_setaddrs_from_fd (context,
236 					  auth_context,
237 					  &net);
238     if (ret) {
239 	if (auth_debug_mode) {
240 	    printf ("Kerberos V5:"
241 		    " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
242 		    krb5_get_err_text(context, ret));
243 	}
244 	return(0);
245     }
246 
247     krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
248 
249     foo[0] = ap->type;
250     foo[1] = ap->way;
251 
252     cksum_data.length = sizeof(foo);
253     cksum_data.data   = foo;
254 
255 
256     {
257 	krb5_principal service;
258 	char sname[128];
259 
260 
261 	ret = krb5_sname_to_principal (context,
262 				       RemoteHostName,
263 				       NULL,
264 				       KRB5_NT_SRV_HST,
265 				       &service);
266 	if(ret) {
267 	    if (auth_debug_mode) {
268 		printf ("Kerberos V5:"
269 			" krb5_sname_to_principal(%s) failed (%s)\r\n",
270 			RemoteHostName, krb5_get_err_text(context, ret));
271 	    }
272 	    return 0;
273 	}
274 	ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
275 	if(ret) {
276 	    if (auth_debug_mode) {
277 		printf ("Kerberos V5:"
278 			" krb5_unparse_name_fixed failed (%s)\r\n",
279 			krb5_get_err_text(context, ret));
280 	    }
281 	    return 0;
282 	}
283 	printf("[ Trying %s (%s)... ]\r\n", name, sname);
284 	ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
285 				service,
286 				&cksum_data, ccache, &auth);
287 	krb5_free_principal (context, service);
288 
289     }
290     if (ret) {
291 	if (1 || auth_debug_mode) {
292 	    printf("Kerberos V5: mk_req failed (%s)\r\n",
293 		   krb5_get_err_text(context, ret));
294 	}
295 	return(0);
296     }
297 
298     if (!auth_sendname((unsigned char *)UserNameRequested,
299 		       strlen(UserNameRequested))) {
300 	if (auth_debug_mode)
301 	    printf("Not enough room for user name\r\n");
302 	return(0);
303     }
304     if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
305 	if (auth_debug_mode)
306 	    printf("Not enough room for authentication data\r\n");
307 	return(0);
308     }
309     if (auth_debug_mode) {
310 	printf("Sent Kerberos V5 credentials to server\r\n");
311     }
312     return(1);
313 }
314 
315 int
316 kerberos5_send_mutual(Authenticator *ap)
317 {
318     return kerberos5_send("mutual KERBEROS5", ap);
319 }
320 
321 int
322 kerberos5_send_oneway(Authenticator *ap)
323 {
324     return kerberos5_send("KERBEROS5", ap);
325 }
326 
327 void
328 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
329 {
330     krb5_error_code ret;
331     krb5_data outbuf;
332     krb5_keyblock *key_block;
333     char *name;
334     krb5_principal server;
335     int zero = 0;
336 
337     if (cnt-- < 1)
338 	return;
339     switch (*data++) {
340     case KRB_AUTH:
341 	auth.data = (char *)data;
342 	auth.length = cnt;
343 
344 	auth_context = NULL;
345 
346 	ret = krb5_auth_con_init (context, &auth_context);
347 	if (ret) {
348 	    Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
349 	    auth_finished(ap, AUTH_REJECT);
350 	    if (auth_debug_mode)
351 		printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
352 		       krb5_get_err_text(context, ret));
353 	    return;
354 	}
355 
356 	ret = krb5_auth_con_setaddrs_from_fd (context,
357 					      auth_context,
358 					      &zero);
359 	if (ret) {
360 	    Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
361 	    auth_finished(ap, AUTH_REJECT);
362 	    if (auth_debug_mode)
363 		printf("Kerberos V5: "
364 		       "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
365 		       krb5_get_err_text(context, ret));
366 	    return;
367 	}
368 
369 	ret = krb5_sock_to_principal (context,
370 				      0,
371 				      "host",
372 				      KRB5_NT_SRV_HST,
373 				      &server);
374 	if (ret) {
375 	    Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
376 	    auth_finished(ap, AUTH_REJECT);
377 	    if (auth_debug_mode)
378 		printf("Kerberos V5: "
379 		       "krb5_sock_to_principal failed (%s)\r\n",
380 		       krb5_get_err_text(context, ret));
381 	    return;
382 	}
383 
384 	ret = krb5_rd_req(context,
385 			  &auth_context,
386 			  &auth,
387 			  server,
388 			  NULL,
389 			  NULL,
390 			  &ticket);
391 
392 	krb5_free_principal (context, server);
393 	if (ret) {
394 	    char *errbuf;
395 
396 	    asprintf(&errbuf,
397 		     "Read req failed: %s",
398 		     krb5_get_err_text(context, ret));
399 	    Data(ap, KRB_REJECT, errbuf, -1);
400 	    if (auth_debug_mode)
401 		printf("%s\r\n", errbuf);
402 	    free (errbuf);
403 	    return;
404 	}
405 
406 	{
407 	    char foo[2];
408 
409 	    foo[0] = ap->type;
410 	    foo[1] = ap->way;
411 
412 	    ret = krb5_verify_authenticator_checksum(context,
413 						     auth_context,
414 						     foo,
415 						     sizeof(foo));
416 
417 	    if (ret) {
418 		char *errbuf;
419 		asprintf(&errbuf, "Bad checksum: %s",
420 			 krb5_get_err_text(context, ret));
421 		Data(ap, KRB_REJECT, errbuf, -1);
422 		if (auth_debug_mode)
423 		    printf ("%s\r\n", errbuf);
424 		free(errbuf);
425 		return;
426 	    }
427 	}
428 	ret = krb5_auth_con_getremotesubkey (context,
429 					     auth_context,
430 					     &key_block);
431 
432 	if (ret) {
433 	    Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
434 	    auth_finished(ap, AUTH_REJECT);
435 	    if (auth_debug_mode)
436 		printf("Kerberos V5: "
437 		       "krb5_auth_con_getremotesubkey failed (%s)\r\n",
438 		       krb5_get_err_text(context, ret));
439 	    return;
440 	}
441 
442 	if (key_block == NULL) {
443 	    ret = krb5_auth_con_getkey(context,
444 				       auth_context,
445 				       &key_block);
446 	}
447 	if (ret) {
448 	    Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
449 	    auth_finished(ap, AUTH_REJECT);
450 	    if (auth_debug_mode)
451 		printf("Kerberos V5: "
452 		       "krb5_auth_con_getkey failed (%s)\r\n",
453 		       krb5_get_err_text(context, ret));
454 	    return;
455 	}
456 	if (key_block == NULL) {
457 	    Data(ap, KRB_REJECT, "no subkey received", -1);
458 	    auth_finished(ap, AUTH_REJECT);
459 	    if (auth_debug_mode)
460 		printf("Kerberos V5: "
461 		       "krb5_auth_con_getremotesubkey returned NULL key\r\n");
462 	    return;
463 	}
464 
465 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
466 	    ret = krb5_mk_rep(context, auth_context, &outbuf);
467 	    if (ret) {
468 		Data(ap, KRB_REJECT,
469 		     "krb5_mk_rep failed", -1);
470 		auth_finished(ap, AUTH_REJECT);
471 		if (auth_debug_mode)
472 		    printf("Kerberos V5: "
473 			   "krb5_mk_rep failed (%s)\r\n",
474 			   krb5_get_err_text(context, ret));
475 		return;
476 	    }
477 	    Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
478 	}
479 	if (krb5_unparse_name(context, ticket->client, &name))
480 	    name = 0;
481 
482 	if(UserNameRequested && krb5_kuserok(context,
483 					     ticket->client,
484 					     UserNameRequested)) {
485 	    Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
486 	    if (auth_debug_mode) {
487 		printf("Kerberos5 identifies him as ``%s''\r\n",
488 		       name ? name : "");
489 	    }
490 
491 	    if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
492 	       key_block->keytype == ETYPE_DES_CBC_MD4 ||
493 	       key_block->keytype == ETYPE_DES_CBC_CRC) {
494 		Session_Key skey;
495 
496 		skey.type = SK_DES;
497 		skey.length = 8;
498 		skey.data = key_block->keyvalue.data;
499 		encrypt_session_key(&skey, 0);
500 	    }
501 
502 	} else {
503 	    char *msg;
504 
505 	    asprintf (&msg, "user `%s' is not authorized to "
506 		      "login as `%s'",
507 		      name ? name : "<unknown>",
508 		      UserNameRequested ? UserNameRequested : "<nobody>");
509 	    if (msg == NULL)
510 		Data(ap, KRB_REJECT, NULL, 0);
511 	    else {
512 		Data(ap, KRB_REJECT, (void *)msg, -1);
513 		free(msg);
514 	    }
515 	    auth_finished (ap, AUTH_REJECT);
516 	    krb5_free_keyblock_contents(context, key_block);
517 	    break;
518 	}
519 	auth_finished(ap, AUTH_USER);
520 	krb5_free_keyblock_contents(context, key_block);
521 
522 	break;
523     case KRB_FORWARD: {
524 	struct passwd *pwd;
525 	char ccname[1024];	/* XXX */
526 	krb5_data inbuf;
527 	krb5_ccache ccache;
528 	inbuf.data = (char *)data;
529 	inbuf.length = cnt;
530 
531 	pwd = getpwnam (UserNameRequested);
532 	if (pwd == NULL)
533 	    break;
534 
535 	snprintf (ccname, sizeof(ccname),
536 		  "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
537 
538 	ret = krb5_cc_resolve (context, ccname, &ccache);
539 	if (ret) {
540 	    if (auth_debug_mode)
541 		printf ("Kerberos V5: could not get ccache: %s\r\n",
542 			krb5_get_err_text(context, ret));
543 	    break;
544 	}
545 
546 	ret = krb5_cc_initialize (context,
547 				  ccache,
548 				  ticket->client);
549 	if (ret) {
550 	    if (auth_debug_mode)
551 		printf ("Kerberos V5: could not init ccache: %s\r\n",
552 			krb5_get_err_text(context, ret));
553 	    break;
554 	}
555 
556 #if defined(DCE)
557 	esetenv("KRB5CCNAME", ccname, 1);
558 #endif
559 	ret = krb5_rd_cred2 (context,
560 			     auth_context,
561 			     ccache,
562 			     &inbuf);
563 	if(ret) {
564 	    char *errbuf;
565 
566 	    asprintf (&errbuf,
567 		      "Read forwarded creds failed: %s",
568 		      krb5_get_err_text (context, ret));
569 	    if(errbuf == NULL)
570 		Data(ap, KRB_FORWARD_REJECT, NULL, 0);
571 	    else
572 		Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
573 	    if (auth_debug_mode)
574 		printf("Could not read forwarded credentials: %s\r\n",
575 		       errbuf);
576 	    free (errbuf);
577 	} else {
578 	    Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
579 #if defined(DCE)
580 	    dfsfwd = 1;
581 #endif
582 	}
583 	chown (ccname + 5, pwd->pw_uid, -1);
584 	if (auth_debug_mode)
585 	    printf("Forwarded credentials obtained\r\n");
586 	break;
587     }
588     default:
589 	if (auth_debug_mode)
590 	    printf("Unknown Kerberos option %d\r\n", data[-1]);
591 	Data(ap, KRB_REJECT, 0, 0);
592 	break;
593     }
594 }
595 
596 void
597 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
598 {
599     static int mutual_complete = 0;
600 
601     if (cnt-- < 1)
602 	return;
603     switch (*data++) {
604     case KRB_REJECT:
605 	if (cnt > 0) {
606 	    printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
607 		   cnt, data);
608 	} else
609 	    printf("[ Kerberos V5 refuses authentication ]\r\n");
610 	auth_send_retry();
611 	return;
612     case KRB_ACCEPT: {
613 	krb5_error_code ret;
614 	Session_Key skey;
615 	krb5_keyblock *keyblock;
616 
617 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
618 	    !mutual_complete) {
619 	    printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
620 	    auth_send_retry();
621 	    return;
622 	}
623 	if (cnt)
624 	    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
625 	else
626 	    printf("[ Kerberos V5 accepts you ]\r\n");
627 
628 	ret = krb5_auth_con_getlocalsubkey (context,
629 					    auth_context,
630 					    &keyblock);
631 	if (ret)
632 	    ret = krb5_auth_con_getkey (context,
633 					auth_context,
634 					&keyblock);
635 	if(ret) {
636 	    printf("[ krb5_auth_con_getkey: %s ]\r\n",
637 		   krb5_get_err_text(context, ret));
638 	    auth_send_retry();
639 	    return;
640 	}
641 
642 	skey.type = SK_DES;
643 	skey.length = 8;
644 	skey.data = keyblock->keyvalue.data;
645 	encrypt_session_key(&skey, 0);
646 	krb5_free_keyblock_contents (context, keyblock);
647 	auth_finished(ap, AUTH_USER);
648 	if (forward_flags & OPTS_FORWARD_CREDS)
649 	    kerberos5_forward(ap);
650 	break;
651     }
652     case KRB_RESPONSE:
653 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
654 	    /* the rest of the reply should contain a krb_ap_rep */
655 	  krb5_ap_rep_enc_part *reply;
656 	  krb5_data inbuf;
657 	  krb5_error_code ret;
658 
659 	  inbuf.length = cnt;
660 	  inbuf.data = (char *)data;
661 
662 	  ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
663 	  if (ret) {
664 	      printf("[ Mutual authentication failed: %s ]\r\n",
665 		     krb5_get_err_text (context, ret));
666 	      auth_send_retry();
667 	      return;
668 	  }
669 	  krb5_free_ap_rep_enc_part(context, reply);
670 	  mutual_complete = 1;
671 	}
672 	return;
673     case KRB_FORWARD_ACCEPT:
674 	printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
675 	return;
676     case KRB_FORWARD_REJECT:
677 	printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
678 	       cnt, data);
679 	return;
680     default:
681 	if (auth_debug_mode)
682 	    printf("Unknown Kerberos option %d\r\n", data[-1]);
683 	return;
684     }
685 }
686 
687 int
688 kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
689 {
690     if (level < AUTH_USER)
691 	return(level);
692 
693     if (UserNameRequested &&
694 	krb5_kuserok(context,
695 		     ticket->client,
696 		     UserNameRequested))
697 	{
698 	    strlcpy(name, UserNameRequested, name_sz);
699 #if defined(DCE)
700 	    dfsk5ok = 1;
701 #endif
702 	    return(AUTH_VALID);
703 	} else
704 	    return(AUTH_USER);
705 }
706 
707 #define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
708 #define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
709 
710 void
711 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
712 {
713     int i;
714 
715     buf[buflen-1] = '\0';		/* make sure its NULL terminated */
716     buflen -= 1;
717 
718     switch(data[3]) {
719     case KRB_REJECT:		/* Rejected (reason might follow) */
720 	strlcpy((char *)buf, " REJECT ", buflen);
721 	goto common;
722 
723     case KRB_ACCEPT:		/* Accepted (name might follow) */
724 	strlcpy((char *)buf, " ACCEPT ", buflen);
725     common:
726 	BUMP(buf, buflen);
727 	if (cnt <= 4)
728 	    break;
729 	ADDC(buf, buflen, '"');
730 	for (i = 4; i < cnt; i++)
731 	    ADDC(buf, buflen, data[i]);
732 	ADDC(buf, buflen, '"');
733 	ADDC(buf, buflen, '\0');
734 	break;
735 
736 
737     case KRB_AUTH:			/* Authentication data follows */
738 	strlcpy((char *)buf, " AUTH", buflen);
739 	goto common2;
740 
741     case KRB_RESPONSE:
742 	strlcpy((char *)buf, " RESPONSE", buflen);
743 	goto common2;
744 
745     case KRB_FORWARD:		/* Forwarded credentials follow */
746 	strlcpy((char *)buf, " FORWARD", buflen);
747 	goto common2;
748 
749     case KRB_FORWARD_ACCEPT:	/* Forwarded credentials accepted */
750 	strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
751 	goto common2;
752 
753     case KRB_FORWARD_REJECT:	/* Forwarded credentials rejected */
754 	/* (reason might follow) */
755 	strlcpy((char *)buf, " FORWARD_REJECT", buflen);
756 	goto common2;
757 
758     default:
759 	snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
760     common2:
761 	BUMP(buf, buflen);
762 	for (i = 4; i < cnt; i++) {
763 	    snprintf((char*)buf, buflen, " %d", data[i]);
764 	    BUMP(buf, buflen);
765 	}
766 	break;
767     }
768 }
769 
770 void
771 kerberos5_forward(Authenticator *ap)
772 {
773     krb5_error_code ret;
774     krb5_ccache     ccache;
775     krb5_creds      creds;
776     krb5_kdc_flags  flags;
777     krb5_data       out_data;
778     krb5_principal  principal;
779 
780     ret = krb5_cc_default (context, &ccache);
781     if (ret) {
782 	if (auth_debug_mode)
783 	    printf ("KerberosV5: could not get default ccache: %s\r\n",
784 		    krb5_get_err_text (context, ret));
785 	return;
786     }
787 
788     ret = krb5_cc_get_principal (context, ccache, &principal);
789     if (ret) {
790 	if (auth_debug_mode)
791 	    printf ("KerberosV5: could not get principal: %s\r\n",
792 		    krb5_get_err_text (context, ret));
793 	return;
794     }
795 
796     memset (&creds, 0, sizeof(creds));
797 
798     creds.client = principal;
799 
800     ret = krb5_build_principal (context,
801 				&creds.server,
802 				strlen(principal->realm),
803 				principal->realm,
804 				"krbtgt",
805 				principal->realm,
806 				NULL);
807 
808     if (ret) {
809 	if (auth_debug_mode)
810 	    printf ("KerberosV5: could not get principal: %s\r\n",
811 		    krb5_get_err_text (context, ret));
812 	return;
813     }
814 
815     creds.times.endtime = 0;
816 
817     flags.i = 0;
818     flags.b.forwarded = 1;
819     if (forward_flags & OPTS_FORWARDABLE_CREDS)
820 	flags.b.forwardable = 1;
821 
822     ret = krb5_get_forwarded_creds (context,
823 				    auth_context,
824 				    ccache,
825 				    flags.i,
826 				    RemoteHostName,
827 				    &creds,
828 				    &out_data);
829     if (ret) {
830 	if (auth_debug_mode)
831 	    printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
832 		    krb5_get_err_text (context, ret));
833 	return;
834     }
835 
836     if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
837 	if (auth_debug_mode)
838 	    printf("Not enough room for authentication data\r\n");
839     } else {
840 	if (auth_debug_mode)
841 	    printf("Forwarded local Kerberos V5 credentials to server\r\n");
842     }
843 }
844 
845 #if defined(DCE)
846 /* if this was a K5 authentication try and join a PAG for the user. */
847 void
848 kerberos5_dfspag(void)
849 {
850     if (dfsk5ok) {
851 	dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
852 			      UserNameRequested);
853     }
854 }
855 #endif
856 
857 int
858 kerberos5_set_forward(int on)
859 {
860     if(on == 0)
861 	forward_flags &= ~OPTS_FORWARD_CREDS;
862     if(on == 1)
863 	forward_flags |= OPTS_FORWARD_CREDS;
864     if(on == -1)
865 	forward_flags ^= OPTS_FORWARD_CREDS;
866     return 0;
867 }
868 
869 int
870 kerberos5_set_forwardable(int on)
871 {
872     if(on == 0)
873 	forward_flags &= ~OPTS_FORWARDABLE_CREDS;
874     if(on == 1)
875 	forward_flags |= OPTS_FORWARDABLE_CREDS;
876     if(on == -1)
877 	forward_flags ^= OPTS_FORWARDABLE_CREDS;
878     return 0;
879 }
880 
881 #endif /* KRB5 */
882