xref: /freebsd/crypto/heimdal/appl/telnet/libtelnet/kerberos5.c (revision e6bfd18d21b225af6a0ed67ceeaf1293b7b9eba5)
1 /*-
2  * Copyright (c) 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 /*
35  * Copyright (C) 1990 by the Massachusetts Institute of Technology
36  *
37  * Export of this software from the United States of America may
38  * require a specific license from the United States Government.
39  * It is the responsibility of any person or organization contemplating
40  * export to obtain such a license before exporting.
41  *
42  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43  * distribute this software and its documentation for any purpose and
44  * without fee is hereby granted, provided that the above copyright
45  * notice appear in all copies and that both that copyright notice and
46  * this permission notice appear in supporting documentation, and that
47  * the name of M.I.T. not be used in advertising or publicity pertaining
48  * to distribution of the software without specific, written prior
49  * permission.  M.I.T. makes no representations about the suitability of
50  * this software for any purpose.  It is provided "as is" without express
51  * or implied warranty.
52  */
53 
54 #include <config.h>
55 
56 RCSID("$Id$");
57 
58 #ifdef	KRB5
59 
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <unistd.h>
65 #include <netdb.h>
66 #include <ctype.h>
67 #include <pwd.h>
68 #define Authenticator k5_Authenticator
69 #include <krb5.h>
70 #undef Authenticator
71 #include <roken.h>
72 #ifdef SOCKS
73 #include <socks.h>
74 #endif
75 
76 
77 #include "encrypt.h"
78 #include "auth.h"
79 #include "misc.h"
80 
81 #if defined(DCE)
82 int dfsk5ok = 0;
83 int dfspag = 0;
84 int dfsfwd = 0;
85 #endif
86 
87 int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */
88 
89 int forward(int);
90 int forwardable(int);
91 
92 /* These values need to be the same as those defined in telnet/main.c. */
93 /* Either define them in both places, or put in some common header file. */
94 #define OPTS_FORWARD_CREDS	0x00000002
95 #define OPTS_FORWARDABLE_CREDS	0x00000001
96 
97 
98 void kerberos5_forward (Authenticator *);
99 
100 static unsigned char str_data[4] = { IAC, SB, TELOPT_AUTHENTICATION, 0 };
101 
102 #define	KRB_AUTH		0	/* Authentication data follows */
103 #define	KRB_REJECT		1	/* Rejected (reason might follow) */
104 #define	KRB_ACCEPT		2	/* Accepted */
105 #define	KRB_RESPONSE		3	/* Response for mutual auth. */
106 
107 #define KRB_FORWARD     	4       /* Forwarded credentials follow */
108 #define KRB_FORWARD_ACCEPT     	5       /* Forwarded credentials accepted */
109 #define KRB_FORWARD_REJECT     	6       /* Forwarded credentials rejected */
110 
111 static	krb5_data auth;
112 static  krb5_ticket *ticket;
113 
114 static krb5_context context;
115 static krb5_auth_context auth_context;
116 
117 static int
118 Data(Authenticator *ap, int type, const void *d, int c)
119 {
120     const unsigned char *cp, *cd = d;
121     unsigned char *p0, *p;
122     size_t len = sizeof(str_data) + 3 + 2;
123     int ret;
124 
125     if (c == -1)
126 	c = strlen((const char*)cd);
127 
128     for (cp = cd; cp - cd < c; cp++, len++)
129 	if (*cp == IAC)
130 	    len++;
131 
132     p0 = malloc(len);
133     if (p0 == NULL)
134 	return 0;
135 
136     memcpy(p0, str_data, sizeof(str_data));
137     p = p0 + sizeof(str_data);
138 
139     if (auth_debug_mode) {
140 	printf("%s:%d: [%d] (%d)",
141 	       str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
142 	       str_data[3],
143 	       type, c);
144 	printd(d, c);
145 	printf("\r\n");
146     }
147     *p++ = ap->type;
148     *p++ = ap->way;
149     *p++ = type;
150     while (c-- > 0) {
151 	if ((*p++ = *cd++) == IAC)
152 	    *p++ = IAC;
153     }
154     *p++ = IAC;
155     *p++ = SE;
156     if (str_data[3] == TELQUAL_IS)
157 	printsub('>', &p0[2], len - 2);
158     ret = telnet_net_write(p0, len);
159     free(p0);
160     return ret;
161 }
162 
163 int
164 kerberos5_init(Authenticator *ap, int server)
165 {
166     krb5_error_code ret;
167 
168     ret = krb5_init_context(&context);
169     if (ret)
170 	return 0;
171     if (server) {
172 	krb5_keytab kt;
173 	krb5_kt_cursor cursor;
174 
175 	ret = krb5_kt_default(context, &kt);
176 	if (ret)
177 	    return 0;
178 
179 	ret = krb5_kt_start_seq_get (context, kt, &cursor);
180 	if (ret) {
181 	    krb5_kt_close (context, kt);
182 	    return 0;
183 	}
184 	krb5_kt_end_seq_get (context, kt, &cursor);
185 	krb5_kt_close (context, kt);
186 
187 	str_data[3] = TELQUAL_REPLY;
188     } else
189 	str_data[3] = TELQUAL_IS;
190     return(1);
191 }
192 
193 extern int net;
194 static int
195 kerberos5_send(char *name, Authenticator *ap)
196 {
197     krb5_error_code ret;
198     krb5_ccache ccache;
199     int ap_opts;
200     krb5_data cksum_data;
201     char ap_msg[2];
202 
203     if (!UserNameRequested) {
204 	if (auth_debug_mode) {
205 	    printf("Kerberos V5: no user name supplied\r\n");
206 	}
207 	return(0);
208     }
209 
210     ret = krb5_cc_default(context, &ccache);
211     if (ret) {
212 	if (auth_debug_mode) {
213 	    printf("Kerberos V5: could not get default ccache: %s\r\n",
214 		   krb5_get_err_text (context, ret));
215 	}
216 	return 0;
217     }
218 
219     if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
220 	ap_opts = AP_OPTS_MUTUAL_REQUIRED;
221     else
222 	ap_opts = 0;
223 
224     ap_opts |= AP_OPTS_USE_SUBKEY;
225 
226     ret = krb5_auth_con_init (context, &auth_context);
227     if (ret) {
228 	if (auth_debug_mode) {
229 	    printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
230 		   krb5_get_err_text(context, ret));
231 	}
232 	return(0);
233     }
234 
235     ret = krb5_auth_con_setaddrs_from_fd (context,
236 					  auth_context,
237 					  &net);
238     if (ret) {
239 	if (auth_debug_mode) {
240 	    printf ("Kerberos V5:"
241 		    " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
242 		    krb5_get_err_text(context, ret));
243 	}
244 	return(0);
245     }
246 
247     krb5_auth_con_setkeytype (context, auth_context, KRB5_ENCTYPE_DES_CBC_CRC);
248 
249     ap_msg[0] = ap->type;
250     ap_msg[1] = ap->way;
251 
252     cksum_data.length = sizeof(ap_msg);
253     cksum_data.data   = ap_msg;
254 
255 
256     {
257 	krb5_principal service;
258 	char sname[128];
259 
260 
261 	ret = krb5_sname_to_principal (context,
262 				       RemoteHostName,
263 				       NULL,
264 				       KRB5_NT_SRV_HST,
265 				       &service);
266 	if(ret) {
267 	    if (auth_debug_mode) {
268 		printf ("Kerberos V5:"
269 			" krb5_sname_to_principal(%s) failed (%s)\r\n",
270 			RemoteHostName, krb5_get_err_text(context, ret));
271 	    }
272 	    return 0;
273 	}
274 	ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
275 	if(ret) {
276 	    if (auth_debug_mode) {
277 		printf ("Kerberos V5:"
278 			" krb5_unparse_name_fixed failed (%s)\r\n",
279 			krb5_get_err_text(context, ret));
280 	    }
281 	    return 0;
282 	}
283 	printf("[ Trying %s (%s)... ]\r\n", name, sname);
284 	ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
285 				service,
286 				&cksum_data, ccache, &auth);
287 	krb5_free_principal (context, service);
288 
289     }
290     if (ret) {
291 	if (1 || auth_debug_mode) {
292 	    printf("Kerberos V5: mk_req failed (%s)\r\n",
293 		   krb5_get_err_text(context, ret));
294 	}
295 	return(0);
296     }
297 
298     if (!auth_sendname((unsigned char *)UserNameRequested,
299 		       strlen(UserNameRequested))) {
300 	if (auth_debug_mode)
301 	    printf("Not enough room for user name\r\n");
302 	return(0);
303     }
304     if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
305 	if (auth_debug_mode)
306 	    printf("Not enough room for authentication data\r\n");
307 	return(0);
308     }
309     if (auth_debug_mode) {
310 	printf("Sent Kerberos V5 credentials to server\r\n");
311     }
312     return(1);
313 }
314 
315 int
316 kerberos5_send_mutual(Authenticator *ap)
317 {
318     return kerberos5_send("mutual KERBEROS5", ap);
319 }
320 
321 int
322 kerberos5_send_oneway(Authenticator *ap)
323 {
324     return kerberos5_send("KERBEROS5", ap);
325 }
326 
327 static void log_message(const char *fmt, ...)
328 {
329     va_list ap;
330     va_start(ap, fmt);
331     if (auth_debug_mode) {
332 	va_start(ap, fmt);
333 	vfprintf(stdout, fmt, ap);
334 	va_end(ap);
335 	fprintf(stdout, "\r\n");
336     }
337     va_start(ap, fmt);
338     vsyslog(LOG_NOTICE, fmt, ap);
339     va_end(ap);
340 }
341 
342 void
343 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
344 {
345     krb5_error_code ret;
346     krb5_data outbuf;
347     krb5_keyblock *key_block;
348     char *name;
349     krb5_principal server;
350     int zero = 0;
351 
352     if (cnt-- < 1)
353 	return;
354     switch (*data++) {
355     case KRB_AUTH:
356 	auth.data = (char *)data;
357 	auth.length = cnt;
358 
359 	auth_context = NULL;
360 
361 	ret = krb5_auth_con_init (context, &auth_context);
362 	if (ret) {
363 	    Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
364 	    auth_finished(ap, AUTH_REJECT);
365 	    log_message("Kerberos V5: krb5_auth_con_init failed (%s)",
366 			krb5_get_err_text(context, ret));
367 	    return;
368 	}
369 
370 	ret = krb5_auth_con_setaddrs_from_fd (context,
371 					      auth_context,
372 					      &zero);
373 	if (ret) {
374 	    Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
375 	    auth_finished(ap, AUTH_REJECT);
376 	    log_message("Kerberos V5: "
377 			"krb5_auth_con_setaddrs_from_fd failed (%s)",
378 			krb5_get_err_text(context, ret));
379 	    return;
380 	}
381 
382 	ret = krb5_sock_to_principal (context,
383 				      0,
384 				      "host",
385 				      KRB5_NT_SRV_HST,
386 				      &server);
387 	if (ret) {
388 	    Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
389 	    auth_finished(ap, AUTH_REJECT);
390 	    log_message("Kerberos V5: "
391 			"krb5_sock_to_principal failed (%s)",
392 			krb5_get_err_text(context, ret));
393 	    return;
394 	}
395 
396 	ret = krb5_rd_req(context,
397 			  &auth_context,
398 			  &auth,
399 			  server,
400 			  NULL,
401 			  NULL,
402 			  &ticket);
403 
404 	krb5_free_principal (context, server);
405 	if (ret) {
406 	    const char *errbuf2 = "Read req failed";
407 	    char *errbuf;
408 	    int ret2;
409 
410 	    ret2 = asprintf(&errbuf,
411 			    "Read req failed: %s",
412 			    krb5_get_err_text(context, ret));
413 	    if (ret2 != -1)
414 		errbuf2 = errbuf;
415 	    Data(ap, KRB_REJECT, errbuf2, -1);
416 	    log_message("%s", errbuf2);
417 	    if (ret2 != -1)
418 		free (errbuf);
419 	    return;
420 	}
421 
422 	{
423 	    char ap_msg[2];
424 
425 	    ap_msg[0] = ap->type;
426 	    ap_msg[1] = ap->way;
427 
428 	    ret = krb5_verify_authenticator_checksum(context,
429 						     auth_context,
430 						     ap_msg,
431 						     sizeof(ap_msg));
432 
433 	    if (ret) {
434 		const char *errbuf2 = "Bad checksum";
435 		char *errbuf;
436 		int ret2;
437 
438 		ret2 = asprintf(&errbuf, "Bad checksum: %s",
439 				krb5_get_err_text(context, ret));
440 		if (ret2 != -1)
441 		    errbuf2 = errbuf;
442 		Data(ap, KRB_REJECT, errbuf2, -1);
443 		log_message("%s", errbuf2);
444 		if (ret2 != -1)
445 		    free(errbuf);
446 		return;
447 	    }
448 	}
449 	ret = krb5_auth_con_getremotesubkey (context,
450 					     auth_context,
451 					     &key_block);
452 
453 	if (ret) {
454 	    Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
455 	    auth_finished(ap, AUTH_REJECT);
456 	    log_message("Kerberos V5: "
457 			"krb5_auth_con_getremotesubkey failed (%s)",
458 			krb5_get_err_text(context, ret));
459 	    return;
460 	}
461 
462 	if (key_block == NULL) {
463 	    ret = krb5_auth_con_getkey(context,
464 				       auth_context,
465 				       &key_block);
466 	}
467 	if (ret) {
468 	    Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
469 	    auth_finished(ap, AUTH_REJECT);
470 	    log_message("Kerberos V5: "
471 			"krb5_auth_con_getkey failed (%s)",
472 			krb5_get_err_text(context, ret));
473 	    return;
474 	}
475 	if (key_block == NULL) {
476 	    Data(ap, KRB_REJECT, "no subkey received", -1);
477 	    auth_finished(ap, AUTH_REJECT);
478 	    log_message("Kerberos V5: "
479 			"krb5_auth_con_getremotesubkey returned NULL key");
480 	    return;
481 	}
482 
483 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
484 	    ret = krb5_mk_rep(context, auth_context, &outbuf);
485 	    if (ret) {
486 		Data(ap, KRB_REJECT,
487 		     "krb5_mk_rep failed", -1);
488 		auth_finished(ap, AUTH_REJECT);
489 		log_message("Kerberos V5: "
490 			    "krb5_mk_rep failed (%s)",
491 			    krb5_get_err_text(context, ret));
492 		krb5_free_keyblock(context, key_block);
493 		return;
494 	    }
495 	    Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
496 	}
497 	if (krb5_unparse_name(context, ticket->client, &name))
498 	    name = 0;
499 
500 	if(UserNameRequested && krb5_kuserok(context,
501 					     ticket->client,
502 					     UserNameRequested)) {
503 	    Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
504 	    log_message("%s accepted as user %s from %s",
505 			name ? name : "<unknown>",
506 			UserNameRequested ? UserNameRequested : "<unknown>",
507 			RemoteHostName ? RemoteHostName : "<unknown>");
508 
509 	    if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
510 	       key_block->keytype == ETYPE_DES_CBC_MD4 ||
511 	       key_block->keytype == ETYPE_DES_CBC_CRC) {
512 		Session_Key skey;
513 
514 		skey.type = SK_DES;
515 		skey.length = 8;
516 		skey.data = key_block->keyvalue.data;
517 		encrypt_session_key(&skey, 0);
518 	    }
519 
520 	} else {
521 	    const char *msg2 = "user is not authorized to login";
522 	    char *msg;
523 
524 	    ret = asprintf (&msg, "user `%s' is not authorized to "
525 			    "login as `%s'",
526 			    name ? name : "<unknown>",
527 			    UserNameRequested ? UserNameRequested : "<nobody>");
528 	    if (ret != -1)
529 		msg2 = msg;
530 	    Data(ap, KRB_REJECT, (void *)msg2, -1);
531 	    if (ret != -1)
532 		free(msg);
533 	    auth_finished (ap, AUTH_REJECT);
534 	    krb5_free_keyblock(context, key_block);
535 	    break;
536 	}
537 	auth_finished(ap, AUTH_USER);
538 	krb5_free_keyblock(context, key_block);
539 
540 	break;
541     case KRB_FORWARD: {
542 	struct passwd *pwd;
543 	char ccname[1024];	/* XXX */
544 	krb5_data inbuf;
545 	krb5_ccache ccache;
546 	inbuf.data = (char *)data;
547 	inbuf.length = cnt;
548 
549 	pwd = getpwnam (UserNameRequested);
550 	if (pwd == NULL)
551 	    break;
552 
553 	snprintf (ccname, sizeof(ccname),
554 		  "FILE:/tmp/krb5cc_%lu", (unsigned long)pwd->pw_uid);
555 
556 	ret = krb5_cc_resolve (context, ccname, &ccache);
557 	if (ret) {
558 	    log_message("Kerberos V5: could not get ccache: %s",
559 			krb5_get_err_text(context, ret));
560 	    break;
561 	}
562 
563 	ret = krb5_cc_initialize (context,
564 				  ccache,
565 				  ticket->client);
566 	if (ret) {
567 	    log_message("Kerberos V5: could not init ccache: %s",
568 			krb5_get_err_text(context, ret));
569 	    break;
570 	}
571 
572 #if defined(DCE)
573 	esetenv("KRB5CCNAME", ccname, 1);
574 #endif
575 	ret = krb5_rd_cred2 (context,
576 			     auth_context,
577 			     ccache,
578 			     &inbuf);
579 	if(ret) {
580 	    const char *errbuf2 = "Read forwarded creds failed";
581 	    char *errbuf;
582 	    int ret2;
583 
584 	    ret2 = asprintf (&errbuf,
585 			     "Read forwarded creds failed: %s",
586 			     krb5_get_err_text (context, ret));
587 	    if (ret2 != -1)
588 		errbuf2 = errbuf;
589 	    Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
590 	    log_message("Could not read forwarded credentials: %s", errbuf);
591 
592 	    if (ret2 != -1)
593 		free (errbuf);
594 	} else {
595 	    Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
596 #if defined(DCE)
597 	    dfsfwd = 1;
598 #endif
599 	}
600 	chown (ccname + 5, pwd->pw_uid, -1);
601 	log_message("Forwarded credentials obtained");
602 	break;
603     }
604     default:
605 	log_message("Unknown Kerberos option %d", data[-1]);
606 	Data(ap, KRB_REJECT, 0, 0);
607 	break;
608     }
609 }
610 
611 void
612 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
613 {
614     static int mutual_complete = 0;
615 
616     if (cnt-- < 1)
617 	return;
618     switch (*data++) {
619     case KRB_REJECT:
620 	if (cnt > 0) {
621 	    printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
622 		   cnt, data);
623 	} else
624 	    printf("[ Kerberos V5 refuses authentication ]\r\n");
625 	auth_send_retry();
626 	return;
627     case KRB_ACCEPT: {
628 	krb5_error_code ret;
629 	Session_Key skey;
630 	krb5_keyblock *keyblock;
631 
632 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
633 	    !mutual_complete) {
634 	    printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
635 	    auth_send_retry();
636 	    return;
637 	}
638 	if (cnt)
639 	    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
640 	else
641 	    printf("[ Kerberos V5 accepts you ]\r\n");
642 
643 	ret = krb5_auth_con_getlocalsubkey (context,
644 					    auth_context,
645 					    &keyblock);
646 	if (ret)
647 	    ret = krb5_auth_con_getkey (context,
648 					auth_context,
649 					&keyblock);
650 	if(ret) {
651 	    printf("[ krb5_auth_con_getkey: %s ]\r\n",
652 		   krb5_get_err_text(context, ret));
653 	    auth_send_retry();
654 	    return;
655 	}
656 
657 	skey.type = SK_DES;
658 	skey.length = 8;
659 	skey.data = keyblock->keyvalue.data;
660 	encrypt_session_key(&skey, 0);
661 	krb5_free_keyblock (context, keyblock);
662 	auth_finished(ap, AUTH_USER);
663 	if (forward_flags & OPTS_FORWARD_CREDS)
664 	    kerberos5_forward(ap);
665 	break;
666     }
667     case KRB_RESPONSE:
668 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
669 	    /* the rest of the reply should contain a krb_ap_rep */
670 	  krb5_ap_rep_enc_part *reply;
671 	  krb5_data inbuf;
672 	  krb5_error_code ret;
673 
674 	  inbuf.length = cnt;
675 	  inbuf.data = (char *)data;
676 
677 	  ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
678 	  if (ret) {
679 	      printf("[ Mutual authentication failed: %s ]\r\n",
680 		     krb5_get_err_text (context, ret));
681 	      auth_send_retry();
682 	      return;
683 	  }
684 	  krb5_free_ap_rep_enc_part(context, reply);
685 	  mutual_complete = 1;
686 	}
687 	return;
688     case KRB_FORWARD_ACCEPT:
689 	printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
690 	return;
691     case KRB_FORWARD_REJECT:
692 	printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
693 	       cnt, data);
694 	return;
695     default:
696 	if (auth_debug_mode)
697 	    printf("Unknown Kerberos option %d\r\n", data[-1]);
698 	return;
699     }
700 }
701 
702 int
703 kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
704 {
705     if (level < AUTH_USER)
706 	return(level);
707 
708     if (UserNameRequested &&
709 	krb5_kuserok(context,
710 		     ticket->client,
711 		     UserNameRequested))
712 	{
713 	    strlcpy(name, UserNameRequested, name_sz);
714 #if defined(DCE)
715 	    dfsk5ok = 1;
716 #endif
717 	    return(AUTH_VALID);
718 	} else
719 	    return(AUTH_USER);
720 }
721 
722 #define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
723 #define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
724 
725 void
726 kerberos5_printsub(unsigned char *data, size_t cnt,
727 		   unsigned char *buf, size_t buflen)
728 {
729     int i;
730 
731     buf[buflen-1] = '\0';		/* make sure it's NULL terminated */
732     buflen -= 1;
733 
734     switch(data[3]) {
735     case KRB_REJECT:		/* Rejected (reason might follow) */
736 	strlcpy((char *)buf, " REJECT ", buflen);
737 	goto common;
738 
739     case KRB_ACCEPT:		/* Accepted (name might follow) */
740 	strlcpy((char *)buf, " ACCEPT ", buflen);
741     common:
742 	BUMP(buf, buflen);
743 	if (cnt <= 4)
744 	    break;
745 	ADDC(buf, buflen, '"');
746 	for (i = 4; i < cnt; i++)
747 	    ADDC(buf, buflen, data[i]);
748 	ADDC(buf, buflen, '"');
749 	ADDC(buf, buflen, '\0');
750 	break;
751 
752 
753     case KRB_AUTH:			/* Authentication data follows */
754 	strlcpy((char *)buf, " AUTH", buflen);
755 	goto common2;
756 
757     case KRB_RESPONSE:
758 	strlcpy((char *)buf, " RESPONSE", buflen);
759 	goto common2;
760 
761     case KRB_FORWARD:		/* Forwarded credentials follow */
762 	strlcpy((char *)buf, " FORWARD", buflen);
763 	goto common2;
764 
765     case KRB_FORWARD_ACCEPT:	/* Forwarded credentials accepted */
766 	strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
767 	goto common2;
768 
769     case KRB_FORWARD_REJECT:	/* Forwarded credentials rejected */
770 	/* (reason might follow) */
771 	strlcpy((char *)buf, " FORWARD_REJECT", buflen);
772 	goto common2;
773 
774     default:
775 	snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
776     common2:
777 	BUMP(buf, buflen);
778 	for (i = 4; i < cnt; i++) {
779 	    snprintf((char*)buf, buflen, " %d", data[i]);
780 	    BUMP(buf, buflen);
781 	}
782 	break;
783     }
784 }
785 
786 void
787 kerberos5_forward(Authenticator *ap)
788 {
789     krb5_error_code ret;
790     krb5_ccache     ccache;
791     krb5_creds      creds;
792     KDCOptions	    flags;
793     krb5_data       out_data;
794     krb5_principal  principal;
795 
796     ret = krb5_cc_default (context, &ccache);
797     if (ret) {
798 	if (auth_debug_mode)
799 	    printf ("KerberosV5: could not get default ccache: %s\r\n",
800 		    krb5_get_err_text (context, ret));
801 	return;
802     }
803 
804     ret = krb5_cc_get_principal (context, ccache, &principal);
805     if (ret) {
806 	if (auth_debug_mode)
807 	    printf ("KerberosV5: could not get principal: %s\r\n",
808 		    krb5_get_err_text (context, ret));
809 	return;
810     }
811 
812     memset (&creds, 0, sizeof(creds));
813 
814     creds.client = principal;
815 
816     ret = krb5_make_principal(context,
817 			      &creds.server,
818 			      principal->realm,
819 			      "krbtgt",
820 			      principal->realm,
821 			      NULL);
822 
823     if (ret) {
824 	if (auth_debug_mode)
825 	    printf ("KerberosV5: could not get principal: %s\r\n",
826 		    krb5_get_err_text (context, ret));
827 	return;
828     }
829 
830     creds.times.endtime = 0;
831 
832     memset(&flags, 0, sizeof(flags));
833     flags.forwarded = 1;
834     if (forward_flags & OPTS_FORWARDABLE_CREDS)
835 	flags.forwardable = 1;
836 
837     ret = krb5_get_forwarded_creds (context,
838 				    auth_context,
839 				    ccache,
840 				    KDCOptions2int(flags),
841 				    RemoteHostName,
842 				    &creds,
843 				    &out_data);
844     if (ret) {
845 	if (auth_debug_mode)
846 	    printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
847 		    krb5_get_err_text (context, ret));
848 	return;
849     }
850 
851     if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
852 	if (auth_debug_mode)
853 	    printf("Not enough room for authentication data\r\n");
854     } else {
855 	if (auth_debug_mode)
856 	    printf("Forwarded local Kerberos V5 credentials to server\r\n");
857     }
858 }
859 
860 #if defined(DCE)
861 /* if this was a K5 authentication try and join a PAG for the user. */
862 void
863 kerberos5_dfspag(void)
864 {
865     if (dfsk5ok) {
866 	dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
867 			      UserNameRequested);
868     }
869 }
870 #endif
871 
872 int
873 kerberos5_set_forward(int on)
874 {
875     if(on == 0)
876 	forward_flags &= ~OPTS_FORWARD_CREDS;
877     if(on == 1)
878 	forward_flags |= OPTS_FORWARD_CREDS;
879     if(on == -1)
880 	forward_flags ^= OPTS_FORWARD_CREDS;
881     return 0;
882 }
883 
884 int
885 kerberos5_set_forwardable(int on)
886 {
887     if(on == 0)
888 	forward_flags &= ~OPTS_FORWARDABLE_CREDS;
889     if(on == 1)
890 	forward_flags |= OPTS_FORWARDABLE_CREDS;
891     if(on == -1)
892 	forward_flags ^= OPTS_FORWARDABLE_CREDS;
893     return 0;
894 }
895 
896 #endif /* KRB5 */
897