Exemple #1
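/* Size of the local buffer used for refusal dialogs, terminator included. */
enum { K5_REFUSAL_MSG_MAX = 256 };

/*
 * k5_show_refusal -- show `text`, optionally followed by the peer's reason,
 * in a warning message box.
 *
 * text    NUL-terminated message prefix (a literal at every call site).
 * reason  bytes taken from the peer's reply; not assumed NUL-terminated.
 * cnt     number of reason bytes the caller believes are available;
 *         values <= 0 mean "no reason text".
 *
 * The reason comes from the network, so its length is clamped to the room
 * left in a local buffer of known size.  Over-long reasons are truncated
 * rather than written past the end of the buffer.
 */
static void
k5_show_refusal(const char *text, const unsigned char *reason, int cnt)
{
  char msg[K5_REFUSAL_MSG_MAX];
  size_t used;
  size_t room;

  strncpy(msg, text, sizeof msg - 1);
  msg[sizeof msg - 1] = 0;
  used = strlen(msg);
  room = sizeof msg - 1 - used;

  if (cnt > 0 && room > 0) {
    size_t n = (size_t)cnt < room ? (size_t)cnt : room;

    /* strncpy stops at an embedded NUL, exactly as the displayed text does */
    strncpy(msg + used, (const char *)reason, n);
    msg[used + n] = 0;
  }

  MessageBox(HWND_DESKTOP, msg, "", MB_OK | MB_ICONEXCLAMATION);
}

/*
 *
 * K5_auth_reply -- checks the reply for mutual authentication.
 *
 * Code lifted from telnet sample code in the appl directory.
 *
 * ks    stream handle; only used to forward credentials (FORWARD builds).
 * how   authentication flags; AUTH_HOW_MASK selects the mutual-auth bit.
 * data  reply buffer; the status byte is read at offset 4.
 * cnt   byte count supplied by the caller.
 *
 * Returns KSUCCESS or KFAILURE.
 *
 * The refusal dialogs are built in a local bounded buffer instead of by
 * appending cnt peer-supplied bytes to strTmp, whose capacity is not
 * visible from this function.
 *
 * NOTE(review): cnt is not checked before data[4] is read, and it is not
 * reduced for the five bytes consumed before the payload.  If the caller
 * passes a count measured from the start of `data`, the reason text and
 * the krb5_rd_rep() input are five bytes too long -- confirm against the
 * caller.
 *
 * NOTE(review): mutual_complete is static and never cleared here, so a
 * second authentication in the same process would start with the flag
 * left by the first -- confirm whether that can happen.
 *
 */
static int
k5_auth_reply(kstream ks, int how, unsigned char *data, int cnt)
{
#ifdef ENCRYPTION
  Session_Key skey;
#endif
  static int mutual_complete = 0;

  data += 4;                                  /* Point to status byte */

  switch (*data++) {
  case KRB_REJECT:
    if (cnt > 0)
      k5_show_refusal("Kerberos V5 refuses authentication because\n\t",
		      data, cnt);
    else
      k5_show_refusal("Kerberos V5 refuses authentication", data, 0);

    return KFAILURE;

  case KRB_ACCEPT:
    if (!mutual_complete) {
      /*
       * Mutual authentication was requested but no verified KRB_RESPONSE
       * has been seen: an ACCEPT alone does not prove the server's
       * identity, so fail.
       */
      if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
	wsprintf(strTmp,
		 "Kerberos V5 accepted you, but didn't provide"
		 " mutual authentication");
	MessageBox(HWND_DESKTOP, strTmp, "", MB_OK | MB_ICONEXCLAMATION);
	return KFAILURE;
      }
#ifdef ENCRYPTION
      /* One-way authentication: install the session key now. */
      if (session_key) {
	skey.type = SK_DES;
	skey.length = 8;
	skey.data = session_key->contents;
	encrypt_session_key(&skey, 0);
      }
#endif
    }

#ifdef FORWARD
    if (forward_flag)
      kerberos5_forward(ks);
#endif

    return KSUCCESS;

  case KRB_RESPONSE:
    if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
      /* the rest of the reply should contain a krb_ap_rep */
      krb5_ap_rep_enc_part *reply;
      krb5_data inbuf;
      krb5_error_code r;

      inbuf.length = cnt;
      inbuf.data = (char *)data;

      /* The server is only treated as authenticated if this succeeds. */
      r = krb5_rd_rep(k5_context, auth_context, &inbuf, &reply);
      if (r) {
	com_err(NULL, r, "while authorizing.");
	return KFAILURE;
      }
      krb5_free_ap_rep_enc_part(k5_context, reply);

#ifdef ENCRYPTION
      if (encrypt_flag && session_key) {
	skey.type = SK_DES;
	skey.length = 8;
	skey.data = session_key->contents;
	encrypt_session_key(&skey, 0);
      }
#endif
      mutual_complete = 1;
    }
    return KSUCCESS;

#ifdef FORWARD
  case KRB_FORWARD_ACCEPT:
    forwarded_tickets = 1;
    return KSUCCESS;

  case KRB_FORWARD_REJECT:
    forwarded_tickets = 0;
    if (cnt > 0)
      k5_show_refusal("Kerberos V5 refuses forwarded credentials because\n\t",
		      data, cnt);
    else
      k5_show_refusal("Kerberos V5 refuses forwarded credentials", data, 0);

    return KFAILURE;
#endif	/* FORWARD */

  default:
    return KFAILURE;                        /* Unknown reply type */
  }
}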
Exemple #2
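/*
 * kerberos5_reply -- handle one Kerberos V5 reply received during telnet
 * authentication.
 *
 * ap    authenticator state; ap->way carries the requested AUTH_HOW_* flags.
 * data  reply bytes; data[0] is the reply type, the rest is its payload.
 * cnt   number of bytes available at data.
 *
 * Outcomes are reported by printing a status line and calling
 * auth_send_retry() or auth_finished(); nothing is returned.
 *
 * Payload bytes come from the peer and are printed with "%.*s" bounded by
 * cnt.  No filtering of control characters is visible here.
 *
 * NOTE(review): mutual_complete is static and never cleared in this
 * function, so a later authentication in the same process would inherit
 * it -- confirm whether that can happen.
 */
void
kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
{
    static int mutual_complete = 0;

    /* Need at least the reply-type byte; afterwards cnt is the payload size. */
    if (cnt-- < 1)
	return;
    switch (*data++) {
    case KRB_REJECT:
	if (cnt > 0) {
	    printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
		   cnt, data);
	} else
	    printf("[ Kerberos V5 refuses authentication ]\r\n");
	auth_send_retry();
	return;
    case KRB_ACCEPT: {
	krb5_error_code ret;
	Session_Key skey;
	krb5_keyblock *keyblock = NULL;

	/*
	 * With mutual authentication requested, an ACCEPT is honoured only
	 * after a KRB_RESPONSE has been verified by krb5_rd_rep().
	 */
	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
	    !mutual_complete) {
	    printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
	    auth_send_retry();
	    return;
	}
	if (cnt)
	    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
	else
	    printf("[ Kerberos V5 accepts you ]\r\n");

	/*
	 * Prefer the local subkey, else the session key.  Also fall back
	 * when the call succeeds without handing back a key, so the
	 * dereference below never sees NULL.
	 */
	ret = krb5_auth_con_getlocalsubkey (context,
					    auth_context,
					    &keyblock);
	if (ret || keyblock == NULL) {
	    keyblock = NULL;
	    ret = krb5_auth_con_getkey (context,
					auth_context,
					&keyblock);
	}
	if(ret) {
	    printf("[ krb5_auth_con_getkey: %s ]\r\n",
		   krb5_get_err_text(context, ret));
	    auth_send_retry();
	    return;
	}
	/* skey.length is fixed at 8 below; refuse a missing or shorter key. */
	if (keyblock == NULL || keyblock->keyvalue.data == NULL ||
	    keyblock->keyvalue.length < 8) {
	    printf("[ Kerberos V5: no usable session key ]\r\n");
	    if (keyblock != NULL)
		krb5_free_keyblock (context, keyblock);
	    auth_send_retry();
	    return;
	}

	skey.type = SK_DES;
	skey.length = 8;
	skey.data = keyblock->keyvalue.data;
	encrypt_session_key(&skey, 0);
	/*
	 * The key block was handed back through a krb5_keyblock **, so
	 * release the container together with its contents.  Freeing only
	 * the contents would leave the struct allocated.
	 */
	krb5_free_keyblock (context, keyblock);
	auth_finished(ap, AUTH_USER);
#ifdef	FORWARD
	if (forward_flags & OPTS_FORWARD_CREDS)
	    kerberos5_forward(ap);
#endif	/* FORWARD */
	break;
    }
    case KRB_RESPONSE:
	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
	    /* the rest of the reply should contain a krb_ap_rep */
	    krb5_ap_rep_enc_part *reply;
	    krb5_data inbuf;
	    krb5_error_code ret;

	    inbuf.length = cnt;
	    inbuf.data = (char *)data;

	    /* mutual_complete is set only after the AP-REP verifies. */
	    ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
	    if (ret) {
		printf("[ Mutual authentication failed: %s ]\r\n",
		       krb5_get_err_text (context, ret));
		auth_send_retry();
		return;
	    }
	    krb5_free_ap_rep_enc_part(context, reply);
	    mutual_complete = 1;
	}
	return;
#ifdef	FORWARD
    case KRB_FORWARD_ACCEPT:
	printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
	return;
    case KRB_FORWARD_REJECT:
	printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
	       cnt, data);
	return;
#endif	/* FORWARD */
    default:
	if (auth_debug_mode)
	    printf("Unknown Kerberos option %d\r\n", data[-1]);
	return;
    }
}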
Exemple #3
/*
 * kerberos5_reply -- process one Kerberos V5 reply received during telnet
 * authentication.
 *
 * ap    authenticator state; ap->way holds the requested AUTH_HOW_* flags.
 * data  reply bytes; the first byte selects the reply type.
 * cnt   number of bytes available at data.
 *
 * Results are reported with a printed status line plus auth_send_retry()
 * or auth_finished(); the function returns nothing.
 *
 * Payload bytes come from the peer and are printed with "%.*s" bounded by
 * cnt.  No filtering of control characters is visible here.
 *
 * NOTE(review): mutual_complete is static and never reset in this
 * function -- confirm that one process cannot run a second authentication
 * that would inherit the flag.
 */
void
kerberos5_reply (TN_Authenticator * ap, unsigned char *data, int cnt)
{
# ifdef ENCRYPTION
  Session_Key skey;
# endif
  static int mutual_complete = 0;
  unsigned char reply_type;

  /* An empty reply carries no type byte: nothing to do. */
  if (cnt < 1)
    return;

  /* Consume the type byte; from here on cnt is the payload length. */
  reply_type = *data;
  data++;
  cnt--;

  switch (reply_type)
    {
    case KRB_REJECT:
      if (cnt <= 0)
	printf ("[ Kerberos V5 refuses authentication ]\r\n");
      else
	printf ("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
		cnt, data);
      auth_send_retry ();
      return;

    case KRB_ACCEPT:
      if (mutual_complete == 0)
	{
	  /*
	   * Mutual authentication was requested, but no KRB_RESPONSE has
	   * been verified yet: do not accept on the server's word alone.
	   */
	  if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
	    {
	      printf
		("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
	      auth_send_retry ();
	      return;
	    }
	  /* One-way authentication: the key is set up at accept time. */
	  telnet_encrypt_key (&skey);
	}

      if (cnt != 0)
	{
	  /* Tell the user whether the server's identity was verified. */
	  const char *server_state;

	  if (mutual_complete)
	    server_state = " (server authenticated)";
	  else
	    server_state = " (server NOT authenticated)";
	  printf ("[ Kerberos V5 accepts you as ``%.*s''%s ]\r\n", cnt, data,
		  server_state);
	}
      else
	{
	  printf ("[ Kerberos V5 accepts you ]\r\n");
	}
      auth_finished (ap, AUTH_USER);
# ifdef  FORWARD
      if (forward_flags & OPTS_FORWARD_CREDS)
	kerberos5_forward (ap);
# endif
      return;

    case KRB_RESPONSE:
      {
	krb5_ap_rep_enc_part *ap_rep;
	krb5_data wire;
	krb5_error_code rc;

	/* A response is only examined when mutual auth was requested. */
	if ((ap->way & AUTH_HOW_MASK) != AUTH_HOW_MUTUAL)
	  return;

	wire.length = cnt;
	wire.data = (char *) data;

	rc = krb5_rd_rep (telnet_context, auth_context, &wire, &ap_rep);
	if (rc != 0)
	  {
	    printf ("[ Mutual authentication failed: %s ]\r\n",
		    error_message (rc));
	    auth_send_retry ();
	    return;
	  }

	/* The flag is raised only after krb5_rd_rep has succeeded. */
	krb5_free_ap_rep_enc_part (telnet_context, ap_rep);
	telnet_encrypt_key (&skey);
	mutual_complete = 1;
	return;
      }

# ifdef  FORWARD
    case KRB_FORWARD_ACCEPT:
      printf ("[ Kerberos V5 accepted forwarded credentials ]\r\n");
      return;

    case KRB_FORWARD_REJECT:
      printf
	("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
	 cnt, data);
      return;
# endif	/* FORWARD */

    default:
      DEBUG (("Unknown Kerberos option %d\r\n", reply_type));
    }
}