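/*
 * k5_auth_reply -- checks the reply for mutual authentication.
 *
 * Code lifted from telnet sample code in the appl directory.
 *
 * ks   - the telnet stream; only passed on to kerberos5_forward().
 * how  - the AUTH_HOW_* value negotiated for this session.  With
 *        AUTH_HOW_MUTUAL the server must prove itself with a KRB_RESPONSE
 *        before a KRB_ACCEPT is trusted.
 * data - the AUTHENTICATION REPLY suboption; the status byte is data[4].
 * cnt  - length of the payload that follows the status byte.
 *        NOTE(review): nothing here checks that the suboption really holds
 *        the five bytes skipped below -- confirm the caller guarantees it.
 *
 * Returns KSUCCESS when the reply leaves the exchange in a good state and
 * KFAILURE otherwise (after showing the server's reason, if it sent one).
 */
static int
k5_auth_reply(kstream ks, int how, unsigned char *data, int cnt)
{
#ifdef ENCRYPTION
    Session_Key skey;
#endif
    /* Set once a KRB_RESPONSE (AP-REP) has been verified.  Until then a
     * KRB_ACCEPT is refused when mutual authentication was negotiated. */
    static int mutual_complete = 0;

    data += 4;                                  /* Point to status byte */

    switch (*data++) {
    case KRB_REJECT:
        if (cnt > 0) {
            char *s;

            wsprintf(strTmp, "Kerberos V5 refuses authentication because\n\t");
            s = strTmp + strlen(strTmp);
            /* NOTE(review): the server-supplied reason is copied bounded
             * only by cnt, not by the room left in strTmp (its size is not
             * visible here) -- confirm strTmp can hold the largest reply the
             * peer may send, or clamp cnt to the remaining space. */
            strncpy(s, (const char *)data, cnt);
            s[cnt] = 0;
        } else {
            wsprintf(strTmp, "Kerberos V5 refuses authentication");
        }
        MessageBox(HWND_DESKTOP, strTmp, "", MB_OK | MB_ICONEXCLAMATION);
        return KFAILURE;

    case KRB_ACCEPT:
        if (!mutual_complete) {
            /* An accept that arrives before the server proved itself is a
             * failure when mutual authentication was negotiated. */
            if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
                wsprintf(strTmp, "Kerberos V5 accepted you, but didn't provide"
                         " mutual authentication");
                MessageBox(HWND_DESKTOP, strTmp, "", MB_OK | MB_ICONEXCLAMATION);
                return KFAILURE;
            }
#ifdef ENCRYPTION
            if (session_key) {
                /* NOTE(review): the session key is handed over as single DES;
                 * only the first 8 bytes of contents are used -- confirm the
                 * negotiated enctype matches. */
                skey.type = SK_DES;
                skey.length = 8;
                skey.data = session_key->contents;
                encrypt_session_key(&skey, 0);
            }
#endif
        }
#ifdef FORWARD
        if (forward_flag)
            kerberos5_forward(ks);
#endif
        return KSUCCESS;

    case KRB_RESPONSE:
        if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
            /* the rest of the reply should contain a krb_ap_rep */
            krb5_ap_rep_enc_part *reply;
            krb5_data inbuf;
            krb5_error_code r;

            inbuf.length = cnt;
            inbuf.data = (char *)data;
            if ((r = krb5_rd_rep(k5_context, auth_context, &inbuf, &reply))) {
                com_err(NULL, r, "while authorizing.");
                return KFAILURE;
            }
            krb5_free_ap_rep_enc_part(k5_context, reply);
#ifdef ENCRYPTION
            if (encrypt_flag && session_key) {
                /* Same single-DES assumption as in the KRB_ACCEPT case. */
                skey.type = SK_DES;
                skey.length = 8;
                skey.data = session_key->contents;
                encrypt_session_key(&skey, 0);
            }
#endif
            /* Only a verified AP-REP proves the server's identity. */
            mutual_complete = 1;
        }
        return KSUCCESS;

#ifdef FORWARD
    case KRB_FORWARD_ACCEPT:
        forwarded_tickets = 1;
        return KSUCCESS;

    case KRB_FORWARD_REJECT:
        forwarded_tickets = 0;
        if (cnt > 0) {
            char *s;

            wsprintf(strTmp, "Kerberos V5 refuses forwarded credentials because\n\t");
            s = strTmp + strlen(strTmp);
            /* Same unbounded-by-buffer copy as in the KRB_REJECT case. */
            strncpy(s, (const char *)data, cnt);
            s[cnt] = 0;
        } else {
            wsprintf(strTmp, "Kerberos V5 refuses forwarded credentials");
        }
        MessageBox(HWND_DESKTOP, strTmp, "", MB_OK | MB_ICONEXCLAMATION);
        return KFAILURE;
#endif /* FORWARD */

    default:
        return KFAILURE;                        /* Unknown reply type */
    }
}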
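/*
 * Handle an AUTHENTICATION REPLY suboption from the server.
 *
 * ap   - the authenticator in use; ap->way carries the AUTH_HOW_* flags.
 *        With AUTH_HOW_MUTUAL the server must answer with a KRB_RESPONSE
 *        before a KRB_ACCEPT is trusted.
 * data - suboption payload; data[0] is the reply type, the remainder is
 *        the type-specific body.
 * cnt  - number of bytes in data; a reply shorter than one byte is ignored.
 *
 * Side effects: reports the outcome on the terminal; on KRB_ACCEPT hands
 * the session key to the encryption layer and marks the user authenticated.
 */
void
kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
{
    /* Set once the server's KRB_RESPONSE (AP-REP) has been verified. */
    static int mutual_complete = 0;

    if (cnt-- < 1)
        return;

    switch (*data++) {
    case KRB_REJECT:
        /* NOTE(review): the reason text is server-supplied and written to
         * the terminal as-is (bounded by cnt, not otherwise filtered). */
        if (cnt > 0) {
            printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
                   cnt, data);
        } else
            printf("[ Kerberos V5 refuses authentication ]\r\n");
        auth_send_retry();
        return;

    case KRB_ACCEPT: {
        krb5_error_code ret;
        Session_Key skey;
        krb5_keyblock *keyblock = NULL;

        /* An accept before the server proved itself is refused when
         * mutual authentication was negotiated. */
        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && !mutual_complete) {
            printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
            auth_send_retry();
            return;
        }
        if (cnt)
            printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
        else
            printf("[ Kerberos V5 accepts you ]\r\n");

        /* Prefer the local subkey and fall back to the ticket session key.
         * Both getters can succeed while yielding no key (NULL keyblock), so
         * the fallback and the failure check test the pointer as well. */
        ret = krb5_auth_con_getlocalsubkey(context, auth_context, &keyblock);
        if (ret || keyblock == NULL)
            ret = krb5_auth_con_getkey(context, auth_context, &keyblock);
        if (ret) {
            printf("[ krb5_auth_con_getkey: %s ]\r\n",
                   krb5_get_err_text(context, ret));
            auth_send_retry();
            return;
        }
        if (keyblock == NULL) {
            printf("[ Kerberos V5 provided no session key ]\r\n");
            auth_send_retry();
            return;
        }
        /* NOTE(review): the key is handed over as single DES; only the first
         * 8 bytes of keyvalue are used -- confirm the negotiated enctype. */
        skey.type = SK_DES;
        skey.length = 8;
        skey.data = keyblock->keyvalue.data;
        encrypt_session_key(&skey, 0);
        /* The getters return a library-allocated keyblock: release the
         * struct together with its contents, not just the contents. */
        krb5_free_keyblock(context, keyblock);
        auth_finished(ap, AUTH_USER);
#ifdef FORWARD
        if (forward_flags & OPTS_FORWARD_CREDS)
            kerberos5_forward(ap);
#endif /* FORWARD */
        break;
    }

    case KRB_RESPONSE:
        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
            /* the rest of the reply should contain a krb_ap_rep */
            krb5_ap_rep_enc_part *reply;
            krb5_data inbuf;
            krb5_error_code ret;

            inbuf.length = cnt;
            inbuf.data = (char *)data;
            ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
            if (ret) {
                printf("[ Mutual authentication failed: %s ]\r\n",
                       krb5_get_err_text(context, ret));
                auth_send_retry();
                return;
            }
            krb5_free_ap_rep_enc_part(context, reply);
            /* Only a verified AP-REP proves the server's identity. */
            mutual_complete = 1;
        }
        return;

#ifdef FORWARD
    case KRB_FORWARD_ACCEPT:
        printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
        return;

    case KRB_FORWARD_REJECT:
        printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
               cnt, data);
        return;
#endif /* FORWARD */

    default:
        /* data[-1] is the reply type byte consumed above. */
        if (auth_debug_mode)
            printf("Unknown Kerberos option %d\r\n", data[-1]);
        return;
    }
}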
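/*
 * Handle an AUTHENTICATION REPLY suboption from the server.
 *
 * ap   - the authenticator in use; ap->way carries the AUTH_HOW_* flags.
 *        With AUTH_HOW_MUTUAL the server must answer with a KRB_RESPONSE
 *        before a KRB_ACCEPT is trusted.
 * data - suboption payload; data[0] is the reply type, the remainder is
 *        the type-specific body.
 * cnt  - number of bytes in data; a reply shorter than one byte is ignored.
 *
 * Side effects: reports the outcome on the terminal; on KRB_ACCEPT hands
 * the session key to the encryption layer (ENCRYPTION builds only) and
 * marks the user authenticated.
 */
void
kerberos5_reply (TN_Authenticator * ap, unsigned char *data, int cnt)
{
# ifdef ENCRYPTION
  Session_Key skey;
# endif
  /* Set once the server's KRB_RESPONSE (AP-REP) has been verified. */
  static int mutual_complete = 0;

  if (cnt-- < 1)
    return;

  switch (*data++)
    {
    case KRB_REJECT:
      /* The reason text is server-supplied and printed as-is, bounded by
         cnt only.  */
      if (cnt > 0)
        printf ("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
                cnt, data);
      else
        printf ("[ Kerberos V5 refuses authentication ]\r\n");
      auth_send_retry ();
      return;

    case KRB_ACCEPT:
      if (!mutual_complete)
        {
          /* An accept before the server proved itself is refused when
             mutual authentication was negotiated.  */
          if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
            {
              printf ("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
              auth_send_retry ();
              break;
            }
# ifdef ENCRYPTION
          /* skey only exists in ENCRYPTION builds, so the call that takes
             its address must be guarded the same way.  */
          telnet_encrypt_key (&skey);
# endif
        }
      /* Tell the user whether the server itself was authenticated.  */
      if (cnt)
        printf ("[ Kerberos V5 accepts you as ``%.*s''%s ]\r\n", cnt, data,
                mutual_complete ? " (server authenticated)"
                                : " (server NOT authenticated)");
      else
        printf ("[ Kerberos V5 accepts you ]\r\n");
      auth_finished (ap, AUTH_USER);
# ifdef FORWARD
      if (forward_flags & OPTS_FORWARD_CREDS)
        kerberos5_forward (ap);
# endif
      break;

    case KRB_RESPONSE:
      if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
        {
          /* The rest of the reply should contain a krb_ap_rep.  */
          krb5_ap_rep_enc_part *reply;
          krb5_data inbuf;
          krb5_error_code r;

          inbuf.length = cnt;
          inbuf.data = (char *) data;
          if ((r = krb5_rd_rep (telnet_context, auth_context, &inbuf, &reply)))
            {
              printf ("[ Mutual authentication failed: %s ]\r\n",
                      error_message (r));
              auth_send_retry ();
              break;
            }
          krb5_free_ap_rep_enc_part (telnet_context, reply);
# ifdef ENCRYPTION
          telnet_encrypt_key (&skey);
# endif
          /* Only a verified AP-REP proves the server's identity.  */
          mutual_complete = 1;
        }
      break;

# ifdef FORWARD
    case KRB_FORWARD_ACCEPT:
      printf ("[ Kerberos V5 accepted forwarded credentials ]\r\n");
      break;

    case KRB_FORWARD_REJECT:
      printf ("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
              cnt, data);
      break;
# endif /* FORWARD */

    default:
      /* data[-1] is the reply type byte consumed above.  */
      DEBUG (("Unknown Kerberos option %d\r\n", data[-1]));
    }
}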