1 /*-
2 * Copyright (c) 1991 The Regents of the University of California.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #ifndef lint
35 static char sccsid[] = "@(#)kerberos5.c 5.2 (Berkeley) 3/22/91";
36 #endif /* not lint */
37
38 /*
39 * Copyright (C) 1990 by the Massachusetts Institute of Technology
40 *
41 * Export of this software from the United States of America is assumed
42 * to require a specific license from the United States Government.
43 * It is the responsibility of any person or organization contemplating
44 * export to obtain such a license before exporting.
45 *
46 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
47 * distribute this software and its documentation for any purpose and
48 * without fee is hereby granted, provided that the above copyright
49 * notice appear in all copies and that both that copyright notice and
50 * this permission notice appear in supporting documentation, and that
51 * the name of M.I.T. not be used in advertising or publicity pertaining
52 * to distribution of the software without specific, written prior
53 * permission. M.I.T. makes no representations about the suitability of
54 * this software for any purpose. It is provided "as is" without express
55 * or implied warranty.
56 */
57
58
59 #ifdef KRB5
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <krb5/krb5.h>
63 #include <krb5/crc-32.h>
64 #include <krb5/libos-proto.h>
65 #include <netdb.h>
66 #include <ctype.h>
67
68 #ifdef __STDC__
69 #include <stdlib.h>
70 #endif
71 #ifdef NO_STRING_H
72 #include <strings.h>
73 #else
74 #include <string.h>
75 #endif
76
77 #include "encrypt.h"
78 #include "auth.h"
79 #include "misc.h"
80
81 extern auth_debug_mode;
82
83 char *malloc();
84
85 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
86 AUTHTYPE_KERBEROS_V5, };
87 static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
88 TELQUAL_NAME, };
89
90 #define KRB_AUTH 0 /* Authentication data follows */
91 #define KRB_REJECT 1 /* Rejected (reason might follow) */
92 #define KRB_ACCEPT 2 /* Accepted */
93 #define KRB_CHALLANGE 3 /* Challange for mutual auth. */
94 #define KRB_RESPONSE 4 /* Response for mutual auth. */
95
96 static krb5_data auth;
97 /* telnetd gets session key from here */
98 static krb5_tkt_authent *authdat = NULL;
99
100 #if defined(ENCRYPT)
101 Block session_key;
102 #endif
103 static Schedule sched;
104 static Block challange;
105
106 static int
Data(ap,type,d,c)107 Data(ap, type, d, c)
108 Authenticator *ap;
109 int type;
110 void *d;
111 int c;
112 {
113 unsigned char *p = str_data + 4;
114 unsigned char *cd = (unsigned char *)d;
115
116 if (c == -1)
117 c = strlen((char *)cd);
118
119 if (auth_debug_mode) {
120 printf("%s:%d: [%d] (%d)",
121 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
122 str_data[3],
123 type, c);
124 printd(d, c);
125 printf("\r\n");
126 }
127 *p++ = ap->type;
128 *p++ = ap->way;
129 *p++ = type;
130 while (c-- > 0) {
131 if ((*p++ = *cd++) == IAC)
132 *p++ = IAC;
133 }
134 *p++ = IAC;
135 *p++ = SE;
136 if (str_data[3] == TELQUAL_IS)
137 printsub('>', &str_data[2], p - &str_data[2]);
138 return(net_write(str_data, p - str_data));
139 }
140
141 int
kerberos5_init(ap,server)142 kerberos5_init(ap, server)
143 Authenticator *ap;
144 int server;
145 {
146 if (server)
147 str_data[3] = TELQUAL_REPLY;
148 else
149 str_data[3] = TELQUAL_IS;
150 krb5_init_ets();
151 return(1);
152 }
153
154 int
kerberos5_send(ap)155 kerberos5_send(ap)
156 Authenticator *ap;
157 {
158 char **realms;
159 char *name;
160 char *p1, *p2;
161 krb5_checksum ksum;
162 krb5_octet sum[CRC32_CKSUM_LENGTH];
163 krb5_data *server[4];
164 krb5_data srvdata[3];
165 krb5_error_code r;
166 krb5_ccache ccache;
167 krb5_creds creds; /* telnet gets session key from here */
168 extern krb5_flags krb5_kdc_default_options;
169
170 ksum.checksum_type = CKSUMTYPE_CRC32;
171 ksum.contents = sum;
172 ksum.length = sizeof(sum);
173 bzero((void *)sum, sizeof(sum));
174
175 if (!UserNameRequested) {
176 if (auth_debug_mode) {
177 printf("Kerberos V5: no user name supplied\r\n");
178 }
179 return(0);
180 }
181
182 if (r = krb5_cc_default(&ccache)) {
183 if (auth_debug_mode) {
184 printf("Kerberos V5: could not get default ccache\r\n");
185 }
186 return(0);
187 }
188
189 if ((name = malloc(strlen(RemoteHostName)+1)) == NULL) {
190 if (auth_debug_mode)
191 printf("Out of memory for hostname in Kerberos V5\r\n");
192 return(0);
193 }
194
195 if (r = krb5_get_host_realm(RemoteHostName, &realms)) {
196 if (auth_debug_mode)
197 printf("Kerberos V5: no realm for %s\r\n", RemoteHostName);
198 free(name);
199 return(0);
200 }
201
202 p1 = RemoteHostName;
203 p2 = name;
204
205 while (*p2 = *p1++) {
206 if (isupper(*p2))
207 *p2 |= 040;
208 ++p2;
209 }
210
211 srvdata[0].data = realms[0];
212 srvdata[0].length = strlen(realms[0]);
213 srvdata[1].data = "rcmd";
214 srvdata[1].length = 4;
215 srvdata[2].data = name;
216 srvdata[2].length = p2 - name;
217
218 server[0] = &srvdata[0];
219 server[1] = &srvdata[1];
220 server[2] = &srvdata[2];
221 server[3] = 0;
222
223 bzero((char *)&creds, sizeof(creds));
224 creds.server = (krb5_principal)server;
225
226 if (r = krb5_cc_get_principal(ccache, &creds.client)) {
227 if (auth_debug_mode) {
228 printf("Keberos V5: failure on principal (%d)\r\n",
229 error_message(r));
230 }
231 free(name);
232 krb5_free_host_realm(realms);
233 return(0);
234 }
235
236 if (r = krb5_get_credentials(krb5_kdc_default_options, ccache, &creds)) {
237 if (auth_debug_mode) {
238 printf("Keberos V5: failure on credentials(%d)\r\n",r);
239 }
240 free(name);
241 krb5_free_host_realm(realms);
242 return(0);
243 }
244
245 r = krb5_mk_req_extended(0, &ksum, &creds.times,
246 krb5_kdc_default_options,
247 ccache, &creds, 0, &auth);
248
249 free(name);
250 krb5_free_host_realm(realms);
251 if (r) {
252 if (auth_debug_mode) {
253 printf("Keberos V5: mk_req failed\r\n");
254 }
255 return(0);
256 }
257
258 if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
259 if (auth_debug_mode)
260 printf("Not enough room for user name\r\n");
261 return(0);
262 }
263 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
264 if (auth_debug_mode)
265 printf("Not enough room for authentication data\r\n");
266 return(0);
267 }
268 /*
269 * If we are doing mutual authentication, get set up to send
270 * the challange, and verify it when the response comes back.
271 */
272 if (((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
273 && (creds.keyblock.keytype == KEYTYPE_DES)) {
274 register int i;
275
276 des_key_sched(creds.keyblock.contents, sched);
277 des_set_random_generator_seed(creds.keyblock.contents);
278 des_new_random_key(challange);
279 des_ecb_encrypt(challange, session_key, sched, 1);
280 /*
281 * Increment the challange by 1, and encrypt it for
282 * later comparison.
283 */
284 for (i = 7; i >= 0; --i) {
285 register int x;
286 x = (unsigned int)challange[i] + 1;
287 challange[i] = x; /* ignore overflow */
288 if (x < 256) /* if no overflow, all done */
289 break;
290 }
291 des_ecb_encrypt(challange, challange, sched, 1);
292 }
293
294 if (auth_debug_mode) {
295 printf("Sent Kerberos V5 credentials to server\r\n");
296 }
297 return(1);
298 }
299
300 void
kerberos5_is(ap,data,cnt)301 kerberos5_is(ap, data, cnt)
302 Authenticator *ap;
303 unsigned char *data;
304 int cnt;
305 {
306 int r;
307 struct hostent *hp;
308 char *p1, *p2;
309 static char *realm = NULL;
310 krb5_data *server[4];
311 krb5_data srvdata[3];
312 Session_Key skey;
313 char *name;
314 char *getenv();
315
316 if (cnt-- < 1)
317 return;
318 switch (*data++) {
319 case KRB_AUTH:
320 auth.data = (char *)data;
321 auth.length = cnt;
322
323 if (!(hp = gethostbyname(LocalHostName))) {
324 if (auth_debug_mode)
325 printf("Cannot resolve local host name\r\n");
326 Data(ap, KRB_REJECT, "Unknown local hostname.", -1);
327 auth_finished(ap, AUTH_REJECT);
328 return;
329 }
330
331 if (!realm && (krb5_get_default_realm(&realm))) {
332 if (auth_debug_mode)
333 printf("Could not get defualt realm\r\n");
334 Data(ap, KRB_REJECT, "Could not get default realm.", -1);
335 auth_finished(ap, AUTH_REJECT);
336 return;
337 }
338
339 if ((name = malloc(strlen(hp->h_name)+1)) == NULL) {
340 if (auth_debug_mode)
341 printf("Out of memory for hostname in Kerberos V5\r\n");
342 Data(ap, KRB_REJECT, "Out of memory.", -1);
343 auth_finished(ap, AUTH_REJECT);
344 return;
345 }
346
347 p1 = hp->h_name;
348 p2 = name;
349
350 while (*p2 = *p1++) {
351 if (isupper(*p2))
352 *p2 |= 040;
353 ++p2;
354 }
355
356 srvdata[0].data = realm;
357 srvdata[0].length = strlen(realm);
358 srvdata[1].data = "rcmd";
359 srvdata[1].length = 4;
360 srvdata[2].data = name;
361 srvdata[2].length = p2 - name;
362
363 server[0] = &srvdata[0];
364 server[1] = &srvdata[1];
365 server[2] = &srvdata[2];
366 server[3] = 0;
367
368 if (authdat)
369 krb5_free_tkt_authent(authdat);
370 if (r = krb5_rd_req_simple(&auth, server, 0, &authdat)) {
371 char errbuf[128];
372
373 authdat = 0;
374 (void) strcpy(errbuf, "Read req failed: ");
375 (void) strcat(errbuf, error_message(r));
376 Data(ap, KRB_REJECT, errbuf, -1);
377 if (auth_debug_mode)
378 printf("%s\r\n", errbuf);
379 return;
380 }
381 free(name);
382 if (krb5_unparse_name(authdat->ticket->enc_part2 ->client,
383 &name))
384 name = 0;
385 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
386 if (auth_debug_mode) {
387 printf("Kerberos5 accepting him as ``%s''\r\n",
388 name ? name : "");
389 }
390 auth_finished(ap, AUTH_USER);
391 if (authdat->ticket->enc_part2->session->keytype != KEYTYPE_DES)
392 break;
393 bcopy((void *)authdat->ticket->enc_part2->session->contents,
394 (void *)session_key, sizeof(Block));
395 break;
396
397 case KRB_CHALLANGE:
398 if (!VALIDKEY(session_key)) {
399 /*
400 * We don't have a valid session key, so just
401 * send back a response with an empty session
402 * key.
403 */
404 Data(ap, KRB_RESPONSE, (void *)0, 0);
405 break;
406 }
407
408 des_key_sched(session_key, sched);
409 bcopy((void *)data, (void *)datablock, sizeof(Block));
410 /*
411 * Take the received encrypted challange, and encrypt
412 * it again to get a unique session_key for the
413 * ENCRYPT option.
414 */
415 des_ecb_encrypt(datablock, session_key, sched, 1);
416 skey.type = SK_DES;
417 skey.length = 8;
418 skey.data = session_key;
419 encrypt_session_key(&skey, 1);
420 /*
421 * Now decrypt the received encrypted challange,
422 * increment by one, re-encrypt it and send it back.
423 */
424 des_ecb_encrypt(datablock, challange, sched, 0);
425 for (r = 7; r >= 0; r++) {
426 register int t;
427 t = (unsigned int)challange[r] + 1;
428 challange[r] = t; /* ignore overflow */
429 if (t < 256) /* if no overflow, all done */
430 break;
431 }
432 des_ecb_encrypt(challange, challange, sched, 1);
433 Data(ap, KRB_RESPONSE, (void *)challange, sizeof(challange));
434 break;
435
436 default:
437 if (auth_debug_mode)
438 printf("Unknown Kerberos option %d\r\n", data[-1]);
439 Data(ap, KRB_REJECT, 0, 0);
440 break;
441 }
442 }
443
444 void
kerberos5_reply(ap,data,cnt)445 kerberos5_reply(ap, data, cnt)
446 Authenticator *ap;
447 unsigned char *data;
448 int cnt;
449 {
450 Session_Key skey;
451
452 if (cnt-- < 1)
453 return;
454 switch (*data++) {
455 case KRB_REJECT:
456 if (cnt > 0) {
457 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
458 cnt, data);
459 } else
460 printf("[ Kerberos V5 refuses authentication ]\r\n");
461 auth_send_retry();
462 return;
463 case KRB_ACCEPT:
464 printf("[ Kerberos V5 accepts you ]\n", cnt, data);
465 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
466 /*
467 * Send over the encrypted challange.
468 */
469 Data(ap, KRB_CHALLANGE, (void *)session_key,
470 sizeof(session_key));
471 #if defined(ENCRYPT)
472 des_ecb_encrypt(session_key, session_key, sched, 1);
473 skey.type = SK_DES;
474 skey.length = 8;
475 skey.data = session_key;
476 encrypt_session_key(&skey, 0);
477 #endif
478 return;
479 }
480 auth_finished(ap, AUTH_USER);
481 return;
482 case KRB_RESPONSE:
483 /*
484 * Verify that the response to the challange is correct.
485 */
486 if ((cnt != sizeof(Block)) ||
487 (0 != memcmp((void *)data, (void *)challange,
488 sizeof(challange))))
489 {
490 printf("[ Kerberos V5 challange failed!!! ]\r\n");
491 auth_send_retry();
492 return;
493 }
494 printf("[ Kerberos V5 challange successful ]\r\n");
495 auth_finished(ap, AUTH_USER);
496 break;
497 default:
498 if (auth_debug_mode)
499 printf("Unknown Kerberos option %d\r\n", data[-1]);
500 return;
501 }
502 }
503
504 int
kerberos5_status(ap,name,level)505 kerberos5_status(ap, name, level)
506 Authenticator *ap;
507 char *name;
508 int level;
509 {
510 if (level < AUTH_USER)
511 return(level);
512
513 if (UserNameRequested &&
514 krb5_kuserok(authdat->ticket->enc_part2->client, UserNameRequested))
515 {
516 strcpy(name, UserNameRequested);
517 return(AUTH_VALID);
518 } else
519 return(AUTH_USER);
520 }
521
522 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
523 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len));}
524
525 void
kerberos5_printsub(data,cnt,buf,buflen)526 kerberos5_printsub(data, cnt, buf, buflen)
527 unsigned char *data, *buf;
528 int cnt, buflen;
529 {
530 char lbuf[32];
531 register int i;
532
533 buf[buflen-1] = '\0'; /* make sure its NULL terminated */
534 buflen -= 1;
535
536 switch(data[3]) {
537 case KRB_REJECT: /* Rejected (reason might follow) */
538 strncpy((char *)buf, " REJECT ", buflen);
539 goto common;
540
541 case KRB_ACCEPT: /* Accepted (name might follow) */
542 strncpy((char *)buf, " ACCEPT ", buflen);
543 common:
544 BUMP(buf, buflen);
545 if (cnt <= 4)
546 break;
547 ADDC(buf, buflen, '"');
548 for (i = 4; i < cnt; i++)
549 ADDC(buf, buflen, data[i]);
550 ADDC(buf, buflen, '"');
551 ADDC(buf, buflen, '\0');
552 break;
553
554 case KRB_AUTH: /* Authentication data follows */
555 strncpy((char *)buf, " AUTH", buflen);
556 goto common2;
557
558 case KRB_CHALLANGE:
559 strncpy((char *)buf, " CHALLANGE", buflen);
560 goto common2;
561
562 case KRB_RESPONSE:
563 strncpy((char *)buf, " RESPONSE", buflen);
564 goto common2;
565
566 default:
567 sprintf(lbuf, " %d (unknown)", data[3]);
568 strncpy((char *)buf, lbuf, buflen);
569 common2:
570 BUMP(buf, buflen);
571 for (i = 4; i < cnt; i++) {
572 sprintf(lbuf, " %d", data[i]);
573 strncpy((char *)buf, lbuf, buflen);
574 BUMP(buf, buflen);
575 }
576 break;
577 }
578 }
579 #endif
580