krb5_error_code KRB5_LIB_FUNCTION
krb5_rd_req_with_keyblock(krb5_context context,
krb5_auth_context *auth_context,
const krb5_data *inbuf,
krb5_const_principal server,
krb5_keyblock *keyblock,
krb5_flags *ap_req_options,
krb5_ticket **ticket)
{
krb5_error_code ret;
krb5_ap_req ap_req;
if (*auth_context == NULL) {
ret = krb5_auth_con_init(context, auth_context);
if (ret)
return ret;
}
ret = krb5_decode_ap_req(context, inbuf, &ap_req);
if(ret)
return ret;
ret = krb5_verify_ap_req(context,
auth_context,
&ap_req,
server,
keyblock,
0,
ap_req_options,
ticket);
free_AP_REQ(&ap_req);
return ret;
}
static krb5_error_code armor_ap_request
(struct kdc_request_state *state, krb5_fast_armor *armor)
{
krb5_error_code retval = 0;
krb5_auth_context authcontext = NULL;
krb5_ticket *ticket = NULL;
krb5_keyblock *subkey = NULL;
kdc_realm_t *kdc_active_realm = state->realm_data;
assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST);
krb5_clear_error_message(kdc_context);
retval = krb5_auth_con_init(kdc_context, &authcontext);
if (retval == 0)
retval = krb5_auth_con_setflags(kdc_context,
authcontext, 0); /*disable replay cache*/
retval = krb5_rd_req(kdc_context, &authcontext,
&armor->armor_value, NULL /*server*/,
kdc_active_realm->realm_keytab, NULL, &ticket);
if (retval != 0) {
const char * errmsg = krb5_get_error_message(kdc_context, retval);
krb5_set_error_message(kdc_context, retval,
_("%s while handling ap-request armor"),
errmsg);
krb5_free_error_message(kdc_context, errmsg);
}
if (retval == 0) {
if (!krb5_principal_compare_any_realm(kdc_context,
tgs_server,
ticket->server)) {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
_("ap-request armor for something other "
"than the local TGS"));
retval = KRB5KDC_ERR_SERVER_NOMATCH;
}
}
if (retval == 0) {
retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey);
if (retval != 0 || subkey == NULL) {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
_("ap-request armor without subkey"));
retval = KRB5KDC_ERR_POLICY;
}
}
if (retval == 0)
retval = krb5_c_fx_cf2_simple(kdc_context,
subkey, "subkeyarmor",
ticket->enc_part2->session, "ticketarmor",
&state->armor_key);
if (ticket)
krb5_free_ticket(kdc_context, ticket);
if (subkey)
krb5_free_keyblock(kdc_context, subkey);
if (authcontext)
krb5_auth_con_free(kdc_context, authcontext);
return retval;
}
//----------------------------------------------------------------------
// Initialze some general structures for kerberos
//----------------------------------------------------------------------
int Condor_Auth_Kerberos :: init_kerberos_context()
{
krb5_error_code code = 0;
krb5_address ** localAddr = NULL;
krb5_address ** remoteAddr = NULL;
// kerberos context_
if (krb_context_ == NULL) {
if ((code = krb5_init_context(&krb_context_))) {
goto error;
}
}
if ((code = krb5_auth_con_init(krb_context_, &auth_context_))) {
goto error;
}
if ((code = krb5_auth_con_setflags(krb_context_,
auth_context_,
KRB5_AUTH_CONTEXT_DO_SEQUENCE))) {
goto error;
}
if ((code = krb5_auth_con_genaddrs(krb_context_,
auth_context_,
mySock_->get_file_desc(),
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR|
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR
))) {
goto error;
}
if ((code = krb5_auth_con_getaddrs(krb_context_,
auth_context_,
localAddr,
remoteAddr))) {
goto error;
}
// stash location
defaultStash_ = param(STR_CONDOR_CACHE_DIR);
if (defaultStash_ == NULL) {
defaultStash_ = strdup(STR_DEFAULT_CONDOR_SPOOL);
}
return TRUE;
error:
dprintf( D_ALWAYS, "Unable to initialize kerberos: %s\n",
error_message(code) );
return FALSE;
}
static void
kerberos_authenticate(krb5_context context, krb5_auth_context *auth_context,
int fd, krb5_principal me, krb5_creds **new_creds)
{
krb5_error_code retval;
krb5_error *error = NULL;
krb5_ap_rep_enc_part *rep_result;
retval = krb5_auth_con_init(context, auth_context);
if (retval)
exit(1);
krb5_auth_con_setflags(context, *auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
retval = krb5_auth_con_setaddrs(context, *auth_context, sender_addr,
receiver_addr);
if (retval) {
com_err(progname, retval, _("in krb5_auth_con_setaddrs"));
exit(1);
}
retval = krb5_sendauth(context, auth_context, &fd, kprop_version,
me, creds.server, AP_OPTS_MUTUAL_REQUIRED, NULL,
&creds, NULL, &error, &rep_result, new_creds);
if (retval) {
com_err(progname, retval, _("while authenticating to server"));
if (error != NULL) {
if (error->error == KRB_ERR_GENERIC) {
if (error->text.data) {
fprintf(stderr, _("Generic remote error: %s\n"),
error->text.data);
}
} else if (error->error) {
com_err(progname,
(krb5_error_code)error->error + ERROR_TABLE_BASE_krb5,
_("signalled from server"));
if (error->text.data) {
fprintf(stderr, _("Error text from server: %s\n"),
error->text.data);
}
}
krb5_free_error(context, error);
}
exit(1);
}
krb5_free_ap_rep_enc_part(context, rep_result);
}
static int krb5_build_auth_context(rlm_krb5_t *inst,
krb5_context context,
krb5_auth_context *auth_context)
{
int ret;
krb5_int32 flags;
ret = krb5_auth_con_init(context, auth_context);
if (ret)
return ret;
ret = krb5_auth_con_getflags(context, *auth_context, &flags);
if (ret)
return ret;
if (!inst->cache && (flags & KRB5_AUTH_CONTEXT_DO_TIME)) {
ret = krb5_auth_con_setflags(context, *auth_context, flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
if (ret)
return ret;
}
return 0;
}
static int
proto (int sock, const char *hostname, const char *svc,
char *message, size_t len)
{
krb5_auth_context auth_context;
krb5_error_code status;
krb5_principal server;
krb5_data data;
krb5_data data_send;
krb5_ccache ccache;
krb5_creds creds;
krb5_kdc_flags flags;
krb5_principal principal;
status = krb5_auth_con_init (context, &auth_context);
if (status) {
krb5_warn (context, status, "krb5_auth_con_init");
return 1;
}
status = krb5_auth_con_setaddrs_from_fd (context,
auth_context,
&sock);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn (context, status, "krb5_auth_con_setaddr");
return 1;
}
status = krb5_sname_to_principal (context,
hostname,
svc,
KRB5_NT_SRV_HST,
&server);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn (context, status, "krb5_sname_to_principal");
return 1;
}
status = krb5_sendauth (context,
&auth_context,
&sock,
KF_VERSION_1,
NULL,
server,
AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn(context, status, "krb5_sendauth");
return 1;
}
if (ccache_name == NULL)
ccache_name = "";
data_send.data = (void *)remote_name;
data_send.length = strlen(remote_name) + 1;
status = krb5_write_priv_message(context, auth_context, &sock, &data_send);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn (context, status, "krb5_write_message");
return 1;
}
data_send.data = (void *)ccache_name;
data_send.length = strlen(ccache_name)+1;
status = krb5_write_priv_message(context, auth_context, &sock, &data_send);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn (context, status, "krb5_write_message");
return 1;
}
memset (&creds, 0, sizeof(creds));
status = krb5_cc_default (context, &ccache);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn (context, status, "krb5_cc_default");
return 1;
}
status = krb5_cc_get_principal (context, ccache, &principal);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn (context, status, "krb5_cc_get_principal");
return 1;
}
creds.client = principal;
status = krb5_make_principal (context,
&creds.server,
principal->realm,
KRB5_TGS_NAME,
principal->realm,
NULL);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn (context, status, "krb5_make_principal");
return 1;
}
creds.times.endtime = 0;
flags.i = 0;
flags.b.forwarded = 1;
flags.b.forwardable = forwardable;
status = krb5_get_forwarded_creds (context,
auth_context,
ccache,
flags.i,
hostname,
&creds,
&data);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn (context, status, "krb5_get_forwarded_creds");
return 1;
}
status = krb5_write_priv_message(context, auth_context, &sock, &data);
if (status) {
krb5_auth_con_free(context, auth_context);
krb5_warn (context, status, "krb5_mk_priv");
return 1;
}
krb5_data_free (&data);
status = krb5_read_priv_message(context, auth_context, &sock, &data);
krb5_auth_con_free(context, auth_context);
if (status) {
krb5_warn (context, status, "krb5_mk_priv");
return 1;
}
if(data.length >= len) {
krb5_warnx (context, "returned string is too long, truncating");
memcpy(message, data.data, len);
message[len - 1] = '\0';
} else {
memcpy(message, data.data, data.length);
message[data.length] = '\0';
}
krb5_data_free (&data);
return(strcmp(message, "ok"));
}
/**
* @brief
* Get a kerberos credential set up to send to a remote host.
*
* @param[in] remote - server name
* @param[in] pjob - pointer to job structure
* @param[out] data - kerberos credential
* @param[out] dsize - kerberos credential data length
*
* @return int
* @retval 0 - success
* @retval -1 - error
*/
static int
get_kerb_cred(char *remote, job *pjob, char **data, size_t *dsize)
{
int ret = -1;
#ifdef PBS_CRED_DCE_KRB5
krb5_error_code err;
int got_auth = 0;
char server_name[512];
char namebuf[MAXPATHLEN+1];
krb5_context ktext = 0;
krb5_auth_context kauth = 0;
krb5_ccache kache = 0;
krb5_principal client = 0;
krb5_principal server = 0;
krb5_data forw_creds;
krb5_data packet;
extern char *path_jobs;
DBPRT(("%s: entered %s\n", id, remote))
memset(&forw_creds, 0, sizeof(forw_creds));
memset(&packet, 0, sizeof(packet));
if ((err = krb5_init_context(&ktext)) != 0) {
sprintf(log_buffer,
"krb5_init_context(%s)", error_message(err));
log_err(-1, __func__, log_buffer);
return ret;
}
if ((err = krb5_auth_con_init(ktext, &kauth)) != 0) {
sprintf(log_buffer,
"krb5_auth_con_init(%s)", error_message(err));
log_err(-1, __func__, log_buffer);
return ret;
}
got_auth = 1;
krb5_auth_con_setflags(ktext, kauth, KRB5_AUTH_CONTEXT_RET_TIME);
(void)strcpy(namebuf, path_jobs);
if (*pjob->ji_qs.ji_fileprefix != '\0')
(void)strcat(namebuf, pjob->ji_qs.ji_fileprefix);
else
(void)strcat(namebuf, pjob->ji_qs.ji_jobid);
(void)strcat(namebuf, JOB_CRED_SUFFIX);
if ((err = krb5_cc_resolve(ktext, namebuf, &kache)) != 0) {
sprintf(log_buffer,
"krb5_cc_resolve(%s)", error_message(err));
log_err(-1, __func__, log_buffer);
goto done;
}
if ((err = krb5_cc_get_principal(ktext, kache, &client)) != 0) {
sprintf(log_buffer,
"krb5_cc_get_principal(%s)", error_message(err));
log_err(-1, __func__, log_buffer);
goto done;
}
snprintf(server_name, sizeof(server_name), "host/%s@", remote);
strncat(server_name, client->realm.data, client->realm.length);
krb5_parse_name(ktext, server_name, &server);
server->type = KRB5_NT_SRV_HST;
if ((err = fwd_tgt_creds(ktext, kauth,
client, server, kache, &forw_creds)) != 0) {
sprintf(log_buffer, "no usable cred(%s)", error_message(err));
log_err(-1, __func__, log_buffer);
goto done;
}
*dsize = forw_creds.length;
*data = forw_creds.data;
ret = 0;
done:
if (forw_creds.data && *data != forw_creds.data)
free(forw_creds.data);
if (client)
krb5_free_principal(ktext, client);
if (server)
krb5_free_principal(ktext, server);
if (got_auth)
krb5_auth_con_free(ktext, kauth);
krb5_free_context(ktext);
#endif /* PBS_CRED_DCE_KRB5 */
return ret;
}
void
kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
{
krb5_error_code ret;
krb5_data outbuf;
krb5_keyblock *key_block;
char *name;
krb5_principal server;
krb5_authenticator authenticator;
int zero = 0;
if (cnt-- < 1)
return;
switch (*data++) {
case KRB_AUTH:
auth.data = (char *)data;
auth.length = cnt;
auth_context = NULL;
ret = krb5_auth_con_init (context, &auth_context);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
ret = krb5_auth_con_setaddrs_from_fd (context,
auth_context,
&zero);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
ret = krb5_sock_to_principal (context,
0,
"host",
KRB5_NT_SRV_HST,
&server);
if (ret) {
Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_sock_to_principal failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
ret = krb5_rd_req(context,
&auth_context,
&auth,
server,
NULL,
NULL,
&ticket);
krb5_free_principal (context, server);
if (ret) {
char *errbuf;
asprintf(&errbuf,
"Read req failed: %s",
krb5_get_err_text(context, ret));
Data(ap, KRB_REJECT, errbuf, -1);
if (auth_debug_mode)
printf("%s\r\n", errbuf);
free (errbuf);
return;
}
ret = krb5_auth_con_getkey(context, auth_context, &key_block);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_con_getkey failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
ret = krb5_auth_getauthenticator (context,
auth_context,
&authenticator);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_getauthenticator failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_getauthenticator failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
if (authenticator->cksum) {
char foo[2];
foo[0] = ap->type;
foo[1] = ap->way;
ret = krb5_verify_checksum (context,
foo,
sizeof(foo),
key_block,
authenticator->cksum);
if (ret) {
Data(ap, KRB_REJECT, "No checksum", -1);
if (auth_debug_mode)
printf ("No checksum\r\n");
krb5_free_authenticator (context,
&authenticator);
return;
}
}
krb5_free_authenticator (context,
&authenticator);
ret = krb5_auth_con_getremotesubkey (context,
auth_context,
&key_block);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_con_getremotesubkey failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
ret = krb5_mk_rep(context, &auth_context, &outbuf);
if (ret) {
Data(ap, KRB_REJECT,
"krb5_mk_rep failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_mk_rep failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
}
if (krb5_unparse_name(context, ticket->client, &name))
name = 0;
if(UserNameRequested && krb5_kuserok(context,
ticket->client,
UserNameRequested)) {
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
printf("Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
if(key_block->keytype == KEYTYPE_DES) {
Session_Key skey;
skey.type = SK_DES;
skey.length = 8;
skey.data = key_block->keyvalue.data;
encrypt_session_key(&skey, 0);
}
} else {
char *msg;
asprintf (&msg, "user `%s' is not authorized to "
"login as `%s'",
name ? name : "<unknown>",
UserNameRequested ? UserNameRequested : "<nobody>");
if (msg == NULL)
Data(ap, KRB_REJECT, NULL, 0);
else {
Data(ap, KRB_REJECT, (void *)msg, -1);
free(msg);
}
}
auth_finished(ap, AUTH_USER);
krb5_free_keyblock_contents(context, key_block);
break;
#ifdef FORWARD
case KRB_FORWARD: {
struct passwd *pwd;
char ccname[1024]; /* XXX */
krb5_data inbuf;
krb5_ccache ccache;
inbuf.data = (char *)data;
inbuf.length = cnt;
pwd = getpwnam (UserNameRequested);
if (pwd == NULL)
break;
snprintf (ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%u", pwd->pw_uid);
ret = krb5_cc_resolve (context, ccname, &ccache);
if (ret) {
if (auth_debug_mode)
printf ("Kerberos V5: could not get ccache: %s\r\n",
krb5_get_err_text(context, ret));
break;
}
ret = krb5_cc_initialize (context,
ccache,
ticket->client);
if (ret) {
if (auth_debug_mode)
printf ("Kerberos V5: could not init ccache: %s\r\n",
krb5_get_err_text(context, ret));
break;
}
ret = krb5_rd_cred (context,
auth_context,
ccache,
&inbuf);
if(ret) {
char *errbuf;
asprintf (&errbuf,
"Read forwarded creds failed: %s",
krb5_get_err_text (context, ret));
if(errbuf == NULL)
Data(ap, KRB_FORWARD_REJECT, NULL, 0);
else
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode)
printf("Could not read forwarded credentials: %s\r\n",
errbuf);
free (errbuf);
} else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
chown (ccname + 5, pwd->pw_uid, -1);
if (auth_debug_mode)
printf("Forwarded credentials obtained\r\n");
break;
}
#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
}
}
OM_uint32
_gsskrb5_create_ctx(
OM_uint32 * minor_status,
gss_ctx_id_t * context_handle,
const gss_channel_bindings_t input_chan_bindings,
enum gss_ctx_id_t_state state)
{
krb5_error_code kret;
gsskrb5_ctx ctx;
*context_handle = NULL;
ctx = malloc(sizeof(*ctx));
if (ctx == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ctx->auth_context = NULL;
ctx->source = NULL;
ctx->target = NULL;
ctx->state = state;
ctx->flags = 0;
ctx->more_flags = 0;
ctx->service_keyblock = NULL;
ctx->ticket = NULL;
krb5_data_zero(&ctx->fwd_data);
ctx->lifetime = GSS_C_INDEFINITE;
ctx->order = NULL;
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (_gsskrb5_context, &ctx->auth_context);
if (kret) {
*minor_status = kret;
_gsskrb5_set_error_string ();
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
kret = set_addresses(ctx->auth_context, input_chan_bindings);
if (kret) {
*minor_status = kret;
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
krb5_auth_con_free(_gsskrb5_context, ctx->auth_context);
return GSS_S_BAD_BINDINGS;
}
/*
* We need a sequence number
*/
krb5_auth_con_addflags(_gsskrb5_context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE |
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
NULL);
*context_handle = (gss_ctx_id_t)ctx;
return GSS_S_COMPLETE;
}
int
main(int argc, char **argv)
{
const char *hostname;
krb5_context context;
krb5_auth_context ac;
krb5_error_code ret;
krb5_creds cred;
krb5_ccache id;
krb5_data data;
int optidx = 0;
setprogname (argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc < 1)
usage(1);
hostname = argv[0];
memset(&cred, 0, sizeof(cred));
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
ret = krb5_cc_default(context, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_default failed: %d", ret);
ret = krb5_auth_con_init(context, &ac);
if (ret)
krb5_err(context, 1, ret, "krb5_auth_con_init failed: %d", ret);
krb5_auth_con_addflags(context, ac,
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, NULL);
ret = krb5_cc_get_principal(context, id, &cred.client);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
ret = krb5_make_principal(context,
&cred.server,
krb5_principal_get_realm(context, cred.client),
KRB5_TGS_NAME,
krb5_principal_get_realm(context, cred.client),
NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_make_principal(server)");
ret = krb5_get_forwarded_creds (context,
ac,
id,
KDC_OPT_FORWARDABLE,
hostname,
&cred,
&data);
if (ret)
krb5_err (context, 1, ret, "krb5_get_forwarded_creds");
krb5_data_free(&data);
krb5_free_context(context);
return 0;
}
static int
proto (int sock, const char *hostname, const char *service)
{
struct sockaddr_in remote, local;
socklen_t addrlen;
krb5_address remote_addr, local_addr;
krb5_context context;
krb5_ccache ccache;
krb5_auth_context auth_context;
krb5_error_code status;
krb5_principal client;
krb5_data data;
krb5_data packet;
krb5_creds mcred, cred;
krb5_ticket *ticket;
addrlen = sizeof(local);
if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
|| addrlen != sizeof(local))
err (1, "getsockname(%s)", hostname);
addrlen = sizeof(remote);
if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
|| addrlen != sizeof(remote))
err (1, "getpeername(%s)", hostname);
status = krb5_init_context(&context);
if (status)
errx(1, "krb5_init_context failed: %d", status);
status = krb5_cc_default (context, &ccache);
if (status)
krb5_err(context, 1, status, "krb5_cc_default");
status = krb5_auth_con_init (context, &auth_context);
if (status)
krb5_err(context, 1, status, "krb5_auth_con_init");
local_addr.addr_type = AF_INET;
local_addr.address.length = sizeof(local.sin_addr);
local_addr.address.data = &local.sin_addr;
remote_addr.addr_type = AF_INET;
remote_addr.address.length = sizeof(remote.sin_addr);
remote_addr.address.data = &remote.sin_addr;
status = krb5_auth_con_setaddrs (context,
auth_context,
&local_addr,
&remote_addr);
if (status)
krb5_err(context, 1, status, "krb5_auth_con_setaddr");
krb5_cc_clear_mcred(&mcred);
status = krb5_cc_get_principal(context, ccache, &client);
if(status)
krb5_err(context, 1, status, "krb5_cc_get_principal");
status = krb5_make_principal(context, &mcred.server,
krb5_principal_get_realm(context, client),
"krbtgt",
krb5_principal_get_realm(context, client),
NULL);
if(status)
krb5_err(context, 1, status, "krb5_make_principal");
mcred.client = client;
status = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
if(status)
krb5_err(context, 1, status, "krb5_cc_retrieve_cred");
{
char *client_name;
krb5_data data;
status = krb5_unparse_name(context, cred.client, &client_name);
if(status)
krb5_err(context, 1, status, "krb5_unparse_name");
data.data = client_name;
data.length = strlen(client_name) + 1;
status = krb5_write_message(context, &sock, &data);
if(status)
krb5_err(context, 1, status, "krb5_write_message");
free(client_name);
}
status = krb5_write_message(context, &sock, &cred.ticket);
if(status)
krb5_err(context, 1, status, "krb5_write_message");
status = krb5_auth_con_setuserkey(context, auth_context, &cred.session);
if(status)
krb5_err(context, 1, status, "krb5_auth_con_setuserkey");
status = krb5_recvauth(context, &auth_context, &sock,
VERSION, client, 0, NULL, &ticket);
if (status)
krb5_err(context, 1, status, "krb5_recvauth");
if (ticket->ticket.authorization_data) {
AuthorizationData *authz;
int i;
printf("Authorization data:\n");
authz = ticket->ticket.authorization_data;
for (i = 0; i < authz->len; i++) {
printf("\ttype %d, length %lu\n",
authz->val[i].ad_type,
(unsigned long)authz->val[i].ad_data.length);
}
}
data.data = "hej";
data.length = 3;
krb5_data_zero (&packet);
status = krb5_mk_safe (context,
auth_context,
&data,
&packet,
NULL);
if (status)
krb5_err(context, 1, status, "krb5_mk_safe");
status = krb5_write_message(context, &sock, &packet);
if(status)
krb5_err(context, 1, status, "krb5_write_message");
data.data = "hemligt";
data.length = 7;
krb5_data_free (&packet);
status = krb5_mk_priv (context,
auth_context,
&data,
&packet,
NULL);
if (status)
krb5_err(context, 1, status, "krb5_mk_priv");
status = krb5_write_message(context, &sock, &packet);
if(status)
krb5_err(context, 1, status, "krb5_write_message");
return 0;
}
OM_uint32 GSSAPI_CALLCONV
_gsskrb5_import_sec_context (
OM_uint32 * minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t * context_handle
)
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_context context;
krb5_error_code kret;
krb5_storage *sp;
krb5_auth_context ac;
krb5_address local, remote;
krb5_address *localp, *remotep;
krb5_data data;
gss_buffer_desc buffer;
krb5_keyblock keyblock;
int32_t flags, tmp;
gsskrb5_ctx ctx;
gss_name_t name;
GSSAPI_KRB5_INIT (&context);
*context_handle = GSS_C_NO_CONTEXT;
localp = remotep = NULL;
sp = krb5_storage_from_mem (interprocess_token->value,
interprocess_token->length);
if (sp == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
ctx = calloc(1, sizeof(*ctx));
if (ctx == NULL) {
*minor_status = ENOMEM;
krb5_storage_free (sp);
return GSS_S_FAILURE;
}
HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
kret = krb5_auth_con_init (context,
&ctx->auth_context);
if (kret) {
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
/* flags */
*minor_status = 0;
if (krb5_ret_int32 (sp, &flags) != 0)
goto failure;
/* retrieve the auth context */
ac = ctx->auth_context;
if (krb5_ret_int32 (sp, &tmp) != 0)
goto failure;
ac->flags = tmp;
if (flags & SC_LOCAL_ADDRESS) {
if (krb5_ret_address (sp, localp = &local) != 0)
goto failure;
}
if (flags & SC_REMOTE_ADDRESS) {
if (krb5_ret_address (sp, remotep = &remote) != 0)
goto failure;
}
krb5_auth_con_setaddrs (context, ac, localp, remotep);
if (localp)
krb5_free_address (context, localp);
if (remotep)
krb5_free_address (context, remotep);
localp = remotep = NULL;
if (krb5_ret_int16 (sp, &ac->local_port) != 0)
goto failure;
if (krb5_ret_int16 (sp, &ac->remote_port) != 0)
goto failure;
if (flags & SC_KEYBLOCK) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setkey (context, ac, &keyblock);
krb5_free_keyblock_contents (context, &keyblock);
}
if (flags & SC_LOCAL_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setlocalsubkey (context, ac, &keyblock);
krb5_free_keyblock_contents (context, &keyblock);
}
if (flags & SC_REMOTE_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setremotesubkey (context, ac, &keyblock);
krb5_free_keyblock_contents (context, &keyblock);
}
if (krb5_ret_uint32 (sp, &ac->local_seqnumber))
goto failure;
if (krb5_ret_uint32 (sp, &ac->remote_seqnumber))
goto failure;
if (krb5_ret_int32 (sp, &tmp) != 0)
goto failure;
ac->keytype = tmp;
if (krb5_ret_int32 (sp, &tmp) != 0)
goto failure;
ac->cksumtype = tmp;
/* names */
if (krb5_ret_data (sp, &data))
goto failure;
buffer.value = data.data;
buffer.length = data.length;
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&name);
if (ret) {
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
&name);
if (ret) {
krb5_data_free (&data);
goto failure;
}
}
ctx->source = (krb5_principal)name;
krb5_data_free (&data);
if (krb5_ret_data (sp, &data) != 0)
goto failure;
buffer.value = data.data;
buffer.length = data.length;
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&name);
if (ret) {
ret = _gsskrb5_import_name (minor_status, &buffer, GSS_C_NO_OID,
&name);
if (ret) {
krb5_data_free (&data);
goto failure;
}
}
ctx->target = (krb5_principal)name;
krb5_data_free (&data);
if (krb5_ret_int32 (sp, &tmp))
goto failure;
ctx->flags = tmp;
if (krb5_ret_int32 (sp, &tmp))
goto failure;
ctx->more_flags = tmp;
if (krb5_ret_int32 (sp, &tmp))
goto failure;
ctx->endtime = tmp;
ret = _gssapi_msg_order_import(minor_status, sp, &ctx->gk5c.order);
if (ret)
goto failure;
krb5_storage_free (sp);
_gsskrb5i_is_cfx(context, ctx, (ctx->more_flags & LOCAL) == 0);
*context_handle = (gss_ctx_id_t)ctx;
return GSS_S_COMPLETE;
failure:
krb5_auth_con_free (context,
ctx->auth_context);
if (ctx->source != NULL)
krb5_free_principal(context, ctx->source);
if (ctx->target != NULL)
krb5_free_principal(context, ctx->target);
if (localp)
krb5_free_address (context, localp);
if (remotep)
krb5_free_address (context, remotep);
if(ctx->gk5c.order)
_gssapi_msg_order_destroy(&ctx->gk5c.order);
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
krb5_storage_free (sp);
free (ctx);
*context_handle = GSS_C_NO_CONTEXT;
return ret;
}
static int
proto (int sock, const char *hostname, const char *service)
{
krb5_auth_context auth_context;
krb5_error_code status;
krb5_principal server;
krb5_data data;
krb5_data packet;
u_int32_t len, net_len;
status = krb5_auth_con_init (context, &auth_context);
if (status)
krb5_err (context, 1, status, "krb5_auth_con_init");
status = krb5_auth_con_setaddrs_from_fd (context,
auth_context,
&sock);
if (status)
krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");
status = krb5_sname_to_principal (context,
hostname,
service,
KRB5_NT_SRV_HST,
&server);
if (status)
krb5_err (context, 1, status, "krb5_sname_to_principal");
status = krb5_sendauth (context,
&auth_context,
&sock,
VERSION,
NULL,
server,
AP_OPTS_MUTUAL_REQUIRED,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL);
if (status)
krb5_err (context, 1, status, "krb5_sendauth");
data.data = "hej";
data.length = 3;
krb5_data_zero (&packet);
status = krb5_mk_safe (context,
auth_context,
&data,
&packet,
NULL);
if (status)
krb5_err (context, 1, status, "krb5_mk_safe");
len = packet.length;
net_len = htonl(len);
if (krb5_net_write (context, &sock, &net_len, 4) != 4)
err (1, "krb5_net_write");
if (krb5_net_write (context, &sock, packet.data, len) != len)
err (1, "krb5_net_write");
data.data = "hemligt";
data.length = 7;
krb5_data_free (&packet);
status = krb5_mk_priv (context,
auth_context,
&data,
&packet,
NULL);
if (status)
krb5_err (context, 1, status, "krb5_mk_priv");
len = packet.length;
net_len = htonl(len);
if (krb5_net_write (context, &sock, &net_len, 4) != 4)
err (1, "krb5_net_write");
if (krb5_net_write (context, &sock, packet.data, len) != len)
err (1, "krb5_net_write");
return 0;
}
static int
proto (int sock, const char *service)
{
krb5_auth_context auth_context;
krb5_error_code status;
krb5_principal server;
krb5_ticket *ticket;
char *name;
char hostname[MAXHOSTNAMELEN];
krb5_data packet;
krb5_data data;
u_int32_t len, net_len;
ssize_t n;
status = krb5_auth_con_init (context, &auth_context);
if (status)
krb5_err (context, 1, status, "krb5_auth_con_init");
status = krb5_auth_con_setaddrs_from_fd (context,
auth_context,
&sock);
if (status)
krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");
if(gethostname (hostname, sizeof(hostname)) < 0)
krb5_err (context, 1, errno, "gethostname");
status = krb5_sname_to_principal (context,
hostname,
service,
KRB5_NT_SRV_HST,
&server);
if (status)
krb5_err (context, 1, status, "krb5_sname_to_principal");
status = krb5_recvauth (context,
&auth_context,
&sock,
VERSION,
server,
0,
NULL,
&ticket);
if (status)
krb5_err (context, 1, status, "krb5_recvauth");
status = krb5_unparse_name (context,
ticket->client,
&name);
if (status)
krb5_err (context, 1, status, "krb5_unparse_name");
fprintf (stderr, "User is `%s'\n", name);
free (name);
krb5_data_zero (&data);
krb5_data_zero (&packet);
n = krb5_net_read (context, &sock, &net_len, 4);
if (n == 0)
krb5_errx (context, 1, "EOF in krb5_net_read");
if (n < 0)
krb5_err (context, 1, errno, "krb5_net_read");
len = ntohl(net_len);
krb5_data_alloc (&packet, len);
n = krb5_net_read (context, &sock, packet.data, len);
if (n == 0)
krb5_errx (context, 1, "EOF in krb5_net_read");
if (n < 0)
krb5_err (context, 1, errno, "krb5_net_read");
status = krb5_rd_safe (context,
auth_context,
&packet,
&data,
NULL);
if (status)
krb5_err (context, 1, status, "krb5_rd_safe");
fprintf (stderr, "safe packet: %.*s\n", (int)data.length,
(char *)data.data);
n = krb5_net_read (context, &sock, &net_len, 4);
if (n == 0)
krb5_errx (context, 1, "EOF in krb5_net_read");
if (n < 0)
krb5_err (context, 1, errno, "krb5_net_read");
len = ntohl(net_len);
krb5_data_alloc (&packet, len);
n = krb5_net_read (context, &sock, packet.data, len);
if (n == 0)
krb5_errx (context, 1, "EOF in krb5_net_read");
if (n < 0)
krb5_err (context, 1, errno, "krb5_net_read");
status = krb5_rd_priv (context,
auth_context,
&packet,
&data,
NULL);
if (status)
krb5_err (context, 1, status, "krb5_rd_priv");
fprintf (stderr, "priv packet: %.*s\n", (int)data.length,
(char *)data.data);
return 0;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_rd_req_ctx(krb5_context context,
krb5_auth_context *auth_context,
const krb5_data *inbuf,
krb5_const_principal server,
krb5_rd_req_in_ctx inctx,
krb5_rd_req_out_ctx *outctx)
{
krb5_error_code ret;
krb5_ap_req ap_req;
krb5_principal service = NULL;
krb5_rd_req_out_ctx o = NULL;
ret = _krb5_rd_req_out_ctx_alloc(context, &o);
if (ret)
goto out;
if (*auth_context == NULL) {
ret = krb5_auth_con_init(context, auth_context);
if (ret)
goto out;
}
ret = krb5_decode_ap_req(context, inbuf, &ap_req);
if(ret)
goto out;
if(server == NULL){
ret = _krb5_principalname2krb5_principal(context,
&service,
ap_req.ticket.sname,
ap_req.ticket.realm);
if (ret)
goto out;
server = service;
}
if (ap_req.ap_options.use_session_key &&
(*auth_context)->keyblock == NULL) {
krb5_set_error_string(context, "krb5_rd_req: user to user auth "
"without session key given");
ret = KRB5KRB_AP_ERR_NOKEY;
goto out;
}
if((*auth_context)->keyblock){
ret = krb5_copy_keyblock(context,
(*auth_context)->keyblock,
&o->keyblock);
if (ret)
goto out;
} else if(inctx->keyblock){
ret = krb5_copy_keyblock(context,
inctx->keyblock,
&o->keyblock);
if (ret)
goto out;
} else {
krb5_keytab keytab = NULL;
if (inctx && inctx->keytab)
keytab = inctx->keytab;
ret = get_key_from_keytab(context,
auth_context,
&ap_req,
server,
keytab,
&o->keyblock);
if(ret)
goto out;
}
ret = krb5_verify_ap_req2(context,
auth_context,
&ap_req,
server,
o->keyblock,
0,
&o->ap_req_options,
&o->ticket,
KRB5_KU_AP_REQ_AUTH);
if (ret)
goto out;
/* If there is a PAC, verify its server signature */
if (inctx->check_pac) {
krb5_pac pac;
krb5_data data;
ret = krb5_ticket_get_authorization_data_type(context,
o->ticket,
KRB5_AUTHDATA_WIN2K_PAC,
&data);
if (ret == 0) {
ret = krb5_pac_parse(context, data.data, data.length, &pac);
krb5_data_free(&data);
if (ret)
goto out;
ret = krb5_pac_verify(context,
pac,
o->ticket->ticket.authtime,
o->ticket->client,
o->keyblock,
NULL);
krb5_pac_free(context, pac);
if (ret)
goto out;
}
ret = 0;
}
out:
if (ret || outctx == NULL) {
krb5_rd_req_out_ctx_free(context, o);
} else
*outctx = o;
free_AP_REQ(&ap_req);
if(service)
krb5_free_principal(context, service);
return ret;
}
krb5_error_code
_krb5_mk_req_internal(krb5_context context,
krb5_auth_context *auth_context,
const krb5_flags ap_req_options,
krb5_data *in_data,
krb5_creds *in_creds,
krb5_data *outbuf,
krb5_key_usage checksum_usage,
krb5_key_usage encrypt_usage)
{
krb5_error_code ret;
krb5_data authenticator;
Checksum c;
Checksum *c_opt;
krb5_auth_context ac;
if(auth_context) {
if(*auth_context == NULL)
ret = krb5_auth_con_init(context, auth_context);
else
ret = 0;
ac = *auth_context;
} else
ret = krb5_auth_con_init(context, &ac);
if(ret)
return ret;
if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
ret = krb5_auth_con_generatelocalsubkey(context,
ac,
&in_creds->session);
if(ret)
goto out;
}
krb5_free_keyblock(context, ac->keyblock);
ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
if (ret)
goto out;
/* it's unclear what type of checksum we can use. try the best one, except:
* a) if it's configured differently for the current realm, or
* b) if the session key is des-cbc-crc
*/
if (in_data) {
if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
/* this is to make DCE secd (and older MIT kdcs?) happy */
ret = krb5_create_checksum(context,
NULL,
0,
CKSUMTYPE_RSA_MD4,
in_data->data,
in_data->length,
&c);
} else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
/* this is to make MS kdc happy */
ret = krb5_create_checksum(context,
NULL,
0,
CKSUMTYPE_RSA_MD5,
in_data->data,
in_data->length,
&c);
} else {
krb5_crypto crypto;
ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
if (ret)
goto out;
ret = krb5_create_checksum(context,
crypto,
checksum_usage,
0,
in_data->data,
in_data->length,
&c);
krb5_crypto_destroy(context, crypto);
}
c_opt = &c;
} else {
c_opt = NULL;
}
if (ret)
goto out;
ret = _krb5_build_authenticator(context,
ac,
ac->keyblock->keytype,
in_creds,
c_opt,
&authenticator,
encrypt_usage);
if (c_opt)
free_Checksum (c_opt);
if (ret)
goto out;
ret = krb5_build_ap_req (context, ac->keyblock->keytype,
in_creds, ap_req_options, authenticator, outbuf);
out:
if(auth_context == NULL)
krb5_auth_con_free(context, ac);
return ret;
}
int mr_krb5_auth(char *prog)
{
mr_params params, reply;
char host[BUFSIZ], *p;
char *args[2];
int argl[2];
krb5_ccache ccache = NULL;
krb5_data auth;
krb5_error_code problem = 0;
CHECK_CONNECTED;
memset(&auth, 0, sizeof(auth));
if ((problem = mr_host(host, sizeof(host) - 1)))
return problem;
if (!context)
{
problem = krb5_init_context(&context);
if (problem)
goto out;
}
problem = krb5_auth_con_init(context, &auth_con);
if (problem)
goto out;
problem = krb5_cc_default(context, &ccache);
if (problem)
goto out;
problem = krb5_mk_req(context, &auth_con, 0, MOIRA_SNAME, host, NULL,
ccache, &auth);
if (problem)
goto out;
params.u.mr_procno = MR_KRB5_AUTH;
params.mr_argc = 2;
params.mr_argv = args;
params.mr_argl = argl;
params.mr_argv[0] = (char *)auth.data;
params.mr_argl[0] = auth.length;
params.mr_argv[1] = prog;
params.mr_argl[1] = strlen(prog) + 1;
if ((problem = mr_do_call(¶ms, &reply)) == MR_SUCCESS)
problem = reply.u.mr_status;
mr_destroy_reply(reply);
out:
if (ccache)
krb5_cc_close(context, ccache);
krb5_free_data_contents(context, &auth);
if (auth_con)
krb5_auth_con_free(context, auth_con);
auth_con = NULL;
return problem;
}
NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
const char *realm,
time_t time_offset,
const DATA_BLOB *ticket,
char **principal,
struct PAC_DATA **pac_data,
DATA_BLOB *ap_rep,
DATA_BLOB *session_key,
bool use_replay_cache)
{
NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
NTSTATUS pac_ret;
DATA_BLOB auth_data;
krb5_context context = NULL;
krb5_auth_context auth_context = NULL;
krb5_data packet;
krb5_ticket *tkt = NULL;
krb5_rcache rcache = NULL;
krb5_keyblock *keyblock = NULL;
time_t authtime;
krb5_error_code ret = 0;
int flags = 0;
krb5_principal host_princ = NULL;
krb5_const_principal client_principal = NULL;
char *host_princ_s = NULL;
bool auth_ok = False;
bool got_auth_data = False;
struct named_mutex *mutex = NULL;
ZERO_STRUCT(packet);
ZERO_STRUCT(auth_data);
*principal = NULL;
*pac_data = NULL;
*ap_rep = data_blob_null;
*session_key = data_blob_null;
initialize_krb5_error_table();
ret = krb5_init_context(&context);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_init_context failed (%s)\n", error_message(ret)));
return NT_STATUS_LOGON_FAILURE;
}
if (time_offset != 0) {
krb5_set_real_time(context, time(NULL) + time_offset, 0);
}
ret = krb5_set_default_realm(context, realm);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
goto out;
}
/* This whole process is far more complex than I would
like. We have to go through all this to allow us to store
the secret internally, instead of using /etc/krb5.keytab */
ret = krb5_auth_con_init(context, &auth_context);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_auth_con_init failed (%s)\n", error_message(ret)));
goto out;
}
krb5_auth_con_getflags( context, auth_context, &flags );
if ( !use_replay_cache ) {
/* Disable default use of a replay cache */
flags &= ~KRB5_AUTH_CONTEXT_DO_TIME;
krb5_auth_con_setflags( context, auth_context, flags );
}
if (asprintf(&host_princ_s, "%s$", global_myname()) == -1) {
goto out;
}
strlower_m(host_princ_s);
ret = smb_krb5_parse_name(context, host_princ_s, &host_princ);
if (ret) {
DEBUG(1,("ads_verify_ticket: smb_krb5_parse_name(%s) failed (%s)\n",
host_princ_s, error_message(ret)));
goto out;
}
if ( use_replay_cache ) {
/* Lock a mutex surrounding the replay as there is no
locking in the MIT krb5 code surrounding the replay
cache... */
mutex = grab_named_mutex(talloc_tos(), "replay cache mutex",
10);
if (mutex == NULL) {
DEBUG(1,("ads_verify_ticket: unable to protect "
"replay cache with mutex.\n"));
ret = KRB5_CC_IO;
goto out;
}
/* JRA. We must set the rcache here. This will prevent
replay attacks. */
ret = krb5_get_server_rcache(context,
krb5_princ_component(context, host_princ, 0),
&rcache);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache "
"failed (%s)\n", error_message(ret)));
goto out;
}
ret = krb5_auth_con_setrcache(context, auth_context, rcache);
if (ret) {
DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache "
"failed (%s)\n", error_message(ret)));
goto out;
}
}
/* Try secrets.tdb first and fallback to the krb5.keytab if
necessary */
auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
ticket, &tkt, &keyblock, &ret);
if (!auth_ok &&
(ret == KRB5KRB_AP_ERR_TKT_NYV ||
ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
ret == KRB5KRB_AP_ERR_SKEW)) {
goto auth_failed;
}
if (!auth_ok && lp_use_kerberos_keytab()) {
auth_ok = ads_keytab_verify_ticket(context, auth_context,
ticket, &tkt, &keyblock, &ret);
}
if ( use_replay_cache ) {
TALLOC_FREE(mutex);
#if 0
/* Heimdal leaks here, if we fix the leak, MIT crashes */
if (rcache) {
krb5_rc_close(context, rcache);
}
#endif
}
auth_failed:
if (!auth_ok) {
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
error_message(ret)));
/* Try map the error return in case it's something like
* a clock skew error.
*/
sret = krb5_to_nt_status(ret);
if (NT_STATUS_IS_OK(sret) || NT_STATUS_EQUAL(sret,NT_STATUS_UNSUCCESSFUL)) {
sret = NT_STATUS_LOGON_FAILURE;
}
DEBUG(10,("ads_verify_ticket: returning error %s\n",
nt_errstr(sret) ));
goto out;
}
authtime = get_authtime_from_tkt(tkt);
client_principal = get_principal_from_tkt(tkt);
ret = krb5_mk_rep(context, auth_context, &packet);
if (ret) {
DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
error_message(ret)));
goto out;
}
*ap_rep = data_blob(packet.data, packet.length);
if (packet.data) {
kerberos_free_data_contents(context, &packet);
ZERO_STRUCT(packet);
}
get_krb5_smb_session_key(context, auth_context, session_key, True);
dump_data_pw("SMB session key (from ticket)\n", session_key->data, session_key->length);
#if 0
file_save("/tmp/ticket.dat", ticket->data, ticket->length);
#endif
/* continue when no PAC is retrieved or we couldn't decode the PAC
(like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, or
Kerberos tickets encrypted using a DES key) - Guenther */
got_auth_data = get_auth_data_from_tkt(mem_ctx, &auth_data, tkt);
if (!got_auth_data) {
DEBUG(3,("ads_verify_ticket: did not retrieve auth data. continuing without PAC\n"));
}
if (got_auth_data) {
pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
if (!NT_STATUS_IS_OK(pac_ret)) {
DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
*pac_data = NULL;
}
data_blob_free(&auth_data);
}
#if 0
#if defined(HAVE_KRB5_TKT_ENC_PART2)
/* MIT */
if (tkt->enc_part2) {
file_save("/tmp/authdata.dat",
tkt->enc_part2->authorization_data[0]->contents,
tkt->enc_part2->authorization_data[0]->length);
}
#else
/* Heimdal */
if (tkt->ticket.authorization_data) {
file_save("/tmp/authdata.dat",
tkt->ticket.authorization_data->val->ad_data.data,
tkt->ticket.authorization_data->val->ad_data.length);
}
#endif
#endif
if ((ret = smb_krb5_unparse_name(context, client_principal, principal))) {
DEBUG(3,("ads_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
error_message(ret)));
sret = NT_STATUS_LOGON_FAILURE;
goto out;
}
sret = NT_STATUS_OK;
out:
TALLOC_FREE(mutex);
if (!NT_STATUS_IS_OK(sret)) {
data_blob_free(&auth_data);
}
if (!NT_STATUS_IS_OK(sret)) {
data_blob_free(ap_rep);
}
if (host_princ) {
krb5_free_principal(context, host_princ);
}
if (keyblock) {
krb5_free_keyblock(context, keyblock);
}
if (tkt != NULL) {
krb5_free_ticket(context, tkt);
}
SAFE_FREE(host_princ_s);
if (auth_context) {
krb5_auth_con_free(context, auth_context);
}
if (context) {
krb5_free_context(context);
}
return sret;
}
static krb5_error_code
change_password_loop (krb5_context context,
krb5_creds *creds,
krb5_principal targprinc,
char *newpw,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string,
struct kpwd_proc *proc)
{
krb5_error_code ret;
krb5_auth_context auth_context = NULL;
krb5_krbhst_handle handle = NULL;
krb5_krbhst_info *hi;
int sock;
int i;
int done = 0;
krb5_realm realm = creds->client->realm;
ret = krb5_auth_con_init (context, &auth_context);
if (ret)
return ret;
krb5_auth_con_setflags (context, auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
ret = krb5_krbhst_init (context, realm, KRB5_KRBHST_CHANGEPW, &handle);
if (ret)
goto out;
while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) {
struct addrinfo *ai, *a;
int is_stream;
switch (hi->proto) {
case KRB5_KRBHST_UDP:
if ((proc->flags & SUPPORT_UDP) == 0)
continue;
is_stream = 0;
break;
case KRB5_KRBHST_TCP:
if ((proc->flags & SUPPORT_TCP) == 0)
continue;
is_stream = 1;
break;
default:
continue;
}
ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
if (ret)
continue;
for (a = ai; !done && a != NULL; a = a->ai_next) {
int replied = 0;
sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
if (sock < 0)
continue;
ret = connect(sock, a->ai_addr, a->ai_addrlen);
if (ret < 0) {
close (sock);
goto out;
}
ret = krb5_auth_con_genaddrs (context, auth_context, sock,
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR);
if (ret) {
close (sock);
goto out;
}
for (i = 0; !done && i < 5; ++i) {
fd_set fdset;
struct timeval tv;
if (!replied) {
replied = 0;
ret = (*proc->send_req) (context,
&auth_context,
creds,
targprinc,
is_stream,
sock,
newpw,
hi->hostname);
if (ret) {
close(sock);
goto out;
}
}
if (sock >= FD_SETSIZE) {
krb5_set_error_string(context, "fd %d too large", sock);
ret = ERANGE;
close (sock);
goto out;
}
FD_ZERO(&fdset);
FD_SET(sock, &fdset);
tv.tv_usec = 0;
tv.tv_sec = 1 + (1 << i);
ret = select (sock + 1, &fdset, NULL, NULL, &tv);
if (ret < 0 && errno != EINTR) {
close(sock);
goto out;
}
if (ret == 1) {
ret = (*proc->process_rep) (context,
auth_context,
is_stream,
sock,
result_code,
result_code_string,
result_string,
hi->hostname);
if (ret == 0)
done = 1;
else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL)
replied = 1;
} else {
ret = KRB5_KDC_UNREACH;
}
}
close (sock);
}
}
out:
krb5_krbhst_free (context, handle);
krb5_auth_con_free (context, auth_context);
if (done)
return 0;
else {
if (ret == KRB5_KDC_UNREACH) {
krb5_set_error_string(context,
"unable to reach any changepw server "
" in realm %s", realm);
*result_code = KRB5_KPASSWD_HARDERROR;
}
return ret;
}
}
int auks_cred_init(auks_cred_t * credential, char *data, size_t length)
{
int fstatus = AUKS_ERROR ;
char *tmp_string = NULL;
size_t tmp_size = 0;
/* kerberos related variables */
krb5_error_code err_code;
krb5_context context;
krb5_auth_context auth_context;
krb5_data kdata;
krb5_creds **creds;
krb5_replay_data krdata;
char username[AUKS_PRINCIPAL_MAX_LENGTH + 1];
struct passwd user_pwent;
struct passwd *p_pwent;
size_t pwnam_buffer_length = sysconf(_SC_GETPW_R_SIZE_MAX);
char pwnam_buffer[pwnam_buffer_length];
credential->info.principal[0] = '\0';
credential->info.uid = AUKS_CRED_INVALID_UID;
credential->info.starttime = AUKS_CRED_INVALID_TIME;
credential->info.endtime = AUKS_CRED_INVALID_TIME;
credential->info.renew_till = AUKS_CRED_INVALID_TIME;
credential->info.addressless = 1;
credential->data[1] = '\0';
credential->length = 0;
credential->max_length = AUKS_CRED_DATA_MAX_LENGTH;
credential->status = AUKS_SUCCESS;
/* check input buffer length versus auks credential internal buffer */
/* max length */
if ((unsigned int) length > (unsigned int) credential->max_length) {
auks_error("input buffer is bigger than auks credential internal "
"buffer (%u versus %u)",length, credential->max_length);
fstatus = AUKS_ERROR_CRED_INIT_BUFFER_TOO_LARGE ;
goto exit;
}
/* extract informations from buffer */
if (data == NULL) {
auks_error("input buffer is NULL");
fstatus = AUKS_ERROR_CRED_INIT_BUFFER_IS_NULL ;
goto exit;
}
fstatus = AUKS_ERROR ;
/* initialize kerberos context */
err_code = krb5_init_context(&context);
if (err_code) {
auks_error("unable to initialize kerberos context : %s",
error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_CTX_INIT ;
goto exit;
}
auks_log("kerberos context successfully initialized");
/* initialize a nullified kerberos authentication context
in order to decode credential from buffer */
err_code =
krb5_auth_con_init(context,&auth_context);
if (err_code) {
auks_error("unable to initialize connection "
"authentication context : %s",
error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_AUTH_CTX_INIT ;
goto ctx_exit;
}
/* clear kerberos authentication context flags */
krb5_auth_con_setflags(context,auth_context,0);
/* set a kerberos data structure with input buffer */
kdata.data = data ;
kdata.length = (unsigned int) length ;
/* build kerberos credential structure using this data structure */
err_code = krb5_rd_cred(context,auth_context,&kdata, &creds,&krdata);
if (err_code) {
auks_error("unable to deserialize input buffer credential : %s",
error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_RD_BUFFER ;
goto auth_ctx_exit;
}
auks_log("input buffer credential successfully unserialized");
err_code = krb5_unparse_name_ext(context,(*creds)->client,&tmp_string,
(unsigned int *) &tmp_size);
if (err_code) {
auks_error("unable to unparse principal : %s",
error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_RD_PRINC ;
goto creds_exit;
} else if (tmp_size > AUKS_PRINCIPAL_MAX_LENGTH) {
auks_error("unable to unparse principal : %s",
"principal is too long (more than %d characters)",
AUKS_PRINCIPAL_MAX_LENGTH);
free(tmp_string);
fstatus = AUKS_ERROR_CRED_INIT_KRB_PRINC_TOO_LONG ;
goto creds_exit;
}
auks_log("principal successfully unparse");
memcpy(credential->info.principal,tmp_string,tmp_size);
credential->info.principal[tmp_size] = '\0';
/* associated username from principal */
err_code = krb5_aname_to_localname(context,(*creds)->client,
AUKS_PRINCIPAL_MAX_LENGTH,username);
if (err_code) {
auks_error("unable to get username from principal %s : %s",
credential->info.principal,error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_PRINC_TO_UNAME ;
goto string_exit;
}
/* associated uid from username */
fstatus = getpwnam_r(username,&user_pwent,pwnam_buffer,
pwnam_buffer_length,&p_pwent) ;
if (fstatus) {
auks_log("unable to get %s pwnam entry : %s",username,
strerror(fstatus)) ;
fstatus = AUKS_ERROR_CRED_INIT_GETPWNAM ;
goto string_exit;
}
/* uid information */
credential->info.uid = user_pwent.pw_uid;
credential->info.starttime = (time_t) (*creds)->times.starttime ;
credential->info.endtime = (time_t) (*creds)->times.endtime ;
credential->info.renew_till = (time_t) (*creds)->times.renew_till ;
/* addresslessness */
if (((*creds)->addresses) != NULL)
credential->info.addressless = 0;
/* duplicate input buffer */
credential->length = (unsigned int) length;
memcpy(credential->data,data,(unsigned int) length);
fstatus = AUKS_SUCCESS;
string_exit:
free(tmp_string);
creds_exit:
krb5_free_creds(context,*creds);
free(creds);
auth_ctx_exit:
krb5_auth_con_free(context,auth_context);
ctx_exit:
krb5_free_context(context);
exit:
/* if valid buffer, store it */
if (fstatus != 0) {
/* bad credential buffer in input, clean this auks credential */
auks_cred_free_contents(credential);
}
return fstatus;
}
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
krb5_flags ap_req_options, krb5_data *in_data,
krb5_creds *in_creds, krb5_data *outbuf)
{
krb5_error_code retval;
krb5_checksum checksum;
krb5_checksum *checksump = 0;
krb5_auth_context new_auth_context;
krb5_enctype *desired_etypes = NULL;
krb5_ap_req request;
krb5_data *scratch = 0;
krb5_data *toutbuf;
request.ap_options = ap_req_options & AP_OPTS_WIRE_MASK;
request.authenticator.ciphertext.data = NULL;
request.ticket = 0;
if (!in_creds->ticket.length)
return(KRB5_NO_TKT_SUPPLIED);
if ((ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) &&
!(ap_req_options & AP_OPTS_MUTUAL_REQUIRED))
return(EINVAL);
/* we need a native ticket */
if ((retval = decode_krb5_ticket(&(in_creds)->ticket, &request.ticket)))
return(retval);
/* verify that the ticket is not expired */
if ((retval = krb5int_validate_times(context, &in_creds->times)) != 0)
goto cleanup;
/* generate auth_context if needed */
if (*auth_context == NULL) {
if ((retval = krb5_auth_con_init(context, &new_auth_context)))
goto cleanup;
*auth_context = new_auth_context;
}
if ((*auth_context)->key != NULL) {
krb5_k_free_key(context, (*auth_context)->key);
(*auth_context)->key = NULL;
}
/* set auth context keyblock */
if ((retval = krb5_k_create_key(context, &in_creds->keyblock,
&((*auth_context)->key))))
goto cleanup;
/* generate seq number if needed */
if ((((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
|| ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
&& ((*auth_context)->local_seq_number == 0)) {
if ((retval = krb5_generate_seq_number(context, &in_creds->keyblock,
&(*auth_context)->local_seq_number)))
goto cleanup;
}
/* generate subkey if needed */
if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
retval = k5_generate_and_save_subkey(context, *auth_context,
&in_creds->keyblock,
in_creds->keyblock.enctype);
if (retval)
goto cleanup;
}
if (!in_data && (*auth_context)->checksum_func) {
retval = (*auth_context)->checksum_func( context,
*auth_context,
(*auth_context)->checksum_func_data,
&in_data);
if (retval)
goto cleanup;
}
if (in_data) {
if ((*auth_context)->req_cksumtype == 0x8003) {
/* XXX Special hack for GSSAPI */
checksum.checksum_type = 0x8003;
checksum.length = in_data->length;
checksum.contents = (krb5_octet *) in_data->data;
} else {
krb5_enctype enctype = krb5_k_key_enctype(context,
(*auth_context)->key);
krb5_cksumtype cksumtype = ap_req_cksum(context, *auth_context,
enctype);
if ((retval = krb5_k_make_checksum(context,
cksumtype,
(*auth_context)->key,
KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
in_data, &checksum)))
goto cleanup_cksum;
}
checksump = &checksum;
}
/* Generate authenticator */
if (((*auth_context)->authentp = (krb5_authenticator *)malloc(sizeof(
krb5_authenticator))) == NULL) {
retval = ENOMEM;
goto cleanup_cksum;
}
if (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) {
if ((*auth_context)->permitted_etypes == NULL) {
retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes);
if (retval)
goto cleanup_cksum;
} else
desired_etypes = (*auth_context)->permitted_etypes;
}
TRACE_MK_REQ(context, in_creds, (*auth_context)->local_seq_number,
(*auth_context)->send_subkey, &in_creds->keyblock);
if ((retval = generate_authenticator(context,
(*auth_context)->authentp,
in_creds->client, checksump,
(*auth_context)->send_subkey,
(*auth_context)->local_seq_number,
in_creds->authdata,
(*auth_context)->ad_context,
desired_etypes,
in_creds->keyblock.enctype)))
goto cleanup_cksum;
/* encode the authenticator */
if ((retval = encode_krb5_authenticator((*auth_context)->authentp,
&scratch)))
goto cleanup_cksum;
/* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_creds->keyblock,
KRB5_KEYUSAGE_AP_REQ_AUTH,
scratch, &request.authenticator)))
goto cleanup_cksum;
if ((retval = encode_krb5_ap_req(&request, &toutbuf)))
goto cleanup_cksum;
*outbuf = *toutbuf;
free(toutbuf);
cleanup_cksum:
/* Null out these fields, to prevent pointer sharing problems;
* they were supplied by the caller
*/
if ((*auth_context)->authentp != NULL) {
(*auth_context)->authentp->client = NULL;
(*auth_context)->authentp->checksum = NULL;
}
if (checksump && checksump->checksum_type != 0x8003)
free(checksump->contents);
cleanup:
if (desired_etypes &&
desired_etypes != (*auth_context)->permitted_etypes)
free(desired_etypes);
if (request.ticket)
krb5_free_ticket(context, request.ticket);
if (request.authenticator.ciphertext.data) {
(void) memset(request.authenticator.ciphertext.data, 0,
request.authenticator.ciphertext.length);
free(request.authenticator.ciphertext.data);
}
if (scratch) {
memset(scratch->data, 0, scratch->length);
free(scratch->data);
free(scratch);
}
return retval;
}
OM_uint32
gss_import_sec_context (
OM_uint32 * minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t * context_handle
)
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_error_code kret;
krb5_storage *sp;
krb5_auth_context ac;
krb5_address local, remote;
krb5_address *localp, *remotep;
krb5_data data;
gss_buffer_desc buffer;
krb5_keyblock keyblock;
int32_t tmp;
int32_t flags;
OM_uint32 minor;
int is_cfx = 0;
GSSAPI_KRB5_INIT ();
localp = remotep = NULL;
sp = krb5_storage_from_mem (interprocess_token->value,
interprocess_token->length);
if (sp == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
*context_handle = malloc(sizeof(**context_handle));
if (*context_handle == NULL) {
*minor_status = ENOMEM;
krb5_storage_free (sp);
return GSS_S_FAILURE;
}
memset (*context_handle, 0, sizeof(**context_handle));
HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex);
kret = krb5_auth_con_init (gssapi_krb5_context,
&(*context_handle)->auth_context);
if (kret) {
gssapi_krb5_set_error_string ();
*minor_status = kret;
ret = GSS_S_FAILURE;
goto failure;
}
/* flags */
*minor_status = 0;
if (krb5_ret_int32 (sp, &flags) != 0)
goto failure;
/* retrieve the auth context */
ac = (*context_handle)->auth_context;
krb5_ret_int32 (sp, &ac->flags);
if (flags & SC_LOCAL_ADDRESS) {
if (krb5_ret_address (sp, localp = &local) != 0)
goto failure;
}
if (flags & SC_REMOTE_ADDRESS) {
if (krb5_ret_address (sp, remotep = &remote) != 0)
goto failure;
}
krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep);
if (localp)
krb5_free_address (gssapi_krb5_context, localp);
if (remotep)
krb5_free_address (gssapi_krb5_context, remotep);
localp = remotep = NULL;
if (krb5_ret_int16 (sp, &ac->local_port) != 0)
goto failure;
if (krb5_ret_int16 (sp, &ac->remote_port) != 0)
goto failure;
if (flags & SC_KEYBLOCK) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock);
krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
}
if (flags & SC_LOCAL_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock);
krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
}
if (flags & SC_REMOTE_SUBKEY) {
if (krb5_ret_keyblock (sp, &keyblock) != 0)
goto failure;
krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock);
krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock);
}
if (krb5_ret_int32 (sp, &ac->local_seqnumber))
goto failure;
if (krb5_ret_int32 (sp, &ac->remote_seqnumber))
goto failure;
if (krb5_ret_int32 (sp, &tmp) != 0)
goto failure;
ac->keytype = tmp;
if (krb5_ret_int32 (sp, &tmp) != 0)
goto failure;
ac->cksumtype = tmp;
/* names */
if (krb5_ret_data (sp, &data))
goto failure;
buffer.value = data.data;
buffer.length = data.length;
ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&(*context_handle)->source);
if (ret) {
ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
&(*context_handle)->source);
if (ret) {
krb5_data_free (&data);
goto failure;
}
}
krb5_data_free (&data);
if (krb5_ret_data (sp, &data) != 0)
goto failure;
buffer.value = data.data;
buffer.length = data.length;
ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME,
&(*context_handle)->target);
if (ret) {
ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID,
&(*context_handle)->target);
if (ret) {
krb5_data_free (&data);
goto failure;
}
}
krb5_data_free (&data);
if (krb5_ret_int32 (sp, &tmp))
goto failure;
(*context_handle)->flags = tmp;
if (krb5_ret_int32 (sp, &tmp))
goto failure;
(*context_handle)->more_flags = tmp;
if (krb5_ret_int32 (sp, &tmp) == 0)
(*context_handle)->lifetime = tmp;
else
(*context_handle)->lifetime = GSS_C_INDEFINITE;
gsskrb5_is_cfx(*context_handle, &is_cfx);
ret = _gssapi_msg_order_create(minor_status,
&(*context_handle)->order,
_gssapi_msg_order_f((*context_handle)->flags),
0, 0, is_cfx);
if (ret)
goto failure;
krb5_storage_free (sp);
return GSS_S_COMPLETE;
failure:
krb5_auth_con_free (gssapi_krb5_context,
(*context_handle)->auth_context);
if ((*context_handle)->source != NULL)
gss_release_name(&minor, &(*context_handle)->source);
if ((*context_handle)->target != NULL)
gss_release_name(&minor, &(*context_handle)->target);
if (localp)
krb5_free_address (gssapi_krb5_context, localp);
if (remotep)
krb5_free_address (gssapi_krb5_context, remotep);
if((*context_handle)->order)
_gssapi_msg_order_destroy(&(*context_handle)->order);
HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex);
krb5_storage_free (sp);
free (*context_handle);
*context_handle = GSS_C_NO_CONTEXT;
return ret;
}
int
do_krb5_login (int infd, struct auth_data *ap, const char **err_msg)
{
krb5_auth_context auth_ctx = NULL;
krb5_error_code status;
krb5_data inbuf;
krb5_data version;
krb5_authenticator *authenticator;
krb5_rcache rcache;
krb5_keyblock *key;
krb5_ticket *ticket;
struct sockaddr_in laddr;
int len;
struct passwd *pwd;
char *name;
if (status = krb5_init_context (&ap->context))
{
syslog (LOG_ERR, "Error initializing krb5: %s", error_message (status));
return status;
}
if ((status = krb5_auth_con_init (ap->context, &auth_ctx))
|| (status = krb5_auth_con_genaddrs (ap->context, auth_ctx, infd,
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR))
|| (status = krb5_auth_con_getrcache (ap->context, auth_ctx, &rcache)))
return status;
if (!rcache)
{
krb5_principal server;
status = krb5_sname_to_principal (ap->context, 0, 0, KRB5_NT_SRV_HST,
&server);
if (status)
return status;
status = krb5_get_server_rcache (ap->context,
krb5_princ_component (ap->context,
server, 0),
&rcache);
krb5_free_principal (ap->context, server);
if (status)
return status;
status = krb5_auth_con_setrcache (ap->context, auth_ctx, rcache);
if (status)
return status;
}
len = sizeof (laddr);
if (getsockname (infd, (struct sockaddr *) &laddr, &len))
return errno;
status = krb5_recvauth (ap->context, &auth_ctx, &infd, NULL, 0,
0, ap->keytab, &ticket);
if (status)
return status;
if ((status = krb5_auth_con_getauthenticator (ap->context, auth_ctx,
&authenticator)))
return status;
getstr (infd, &ap->lusername, NULL);
getstr (infd, &ap->term, "TERM=");
pwd = getpwnam (ap->lusername);
if (pwd == NULL)
{
*err_msg = "getpwnam failed";
syslog (LOG_ERR, "getpwnam failed: %m");
return 1;
}
getstr (infd, &ap->rusername, NULL);
if ((status = krb5_copy_principal (ap->context,
ticket->enc_part2->client, &ap->client)))
return status;
/*OK:: */
if (ap->client && !krb5_kuserok (ap->context, ap->client, ap->lusername))
return 1;
krb5_unparse_name (ap->context, ap->client, &name);
syslog (LOG_INFO | LOG_AUTH,
"%sKerberos V login from %s on %s\n",
(pwd->pw_uid == 0) ? "ROOT " : "", name, ap->hostname);
free (name);
return 0;
}
static int
proto (int sock, const char *service)
{
struct sockaddr_in remote, local;
socklen_t addrlen;
krb5_address remote_addr, local_addr;
krb5_ccache ccache;
krb5_auth_context auth_context;
krb5_error_code status;
krb5_data packet;
krb5_data data;
krb5_data client_name;
krb5_creds in_creds, *out_creds;
addrlen = sizeof(local);
if (getsockname (sock, (struct sockaddr *)&local, &addrlen) < 0
|| addrlen != sizeof(local))
err (1, "getsockname)");
addrlen = sizeof(remote);
if (getpeername (sock, (struct sockaddr *)&remote, &addrlen) < 0
|| addrlen != sizeof(remote))
err (1, "getpeername");
status = krb5_auth_con_init (context, &auth_context);
if (status)
errx (1, "krb5_auth_con_init: %s",
krb5_get_err_text(context, status));
local_addr.addr_type = AF_INET;
local_addr.address.length = sizeof(local.sin_addr);
local_addr.address.data = &local.sin_addr;
remote_addr.addr_type = AF_INET;
remote_addr.address.length = sizeof(remote.sin_addr);
remote_addr.address.data = &remote.sin_addr;
status = krb5_auth_con_setaddrs (context,
auth_context,
&local_addr,
&remote_addr);
if (status)
errx (1, "krb5_auth_con_setaddr: %s",
krb5_get_err_text(context, status));
status = krb5_read_message(context, &sock, &client_name);
if(status)
krb5_err(context, 1, status, "krb5_read_message");
memset(&in_creds, 0, sizeof(in_creds));
status = krb5_cc_default(context, &ccache);
if(status)
krb5_err(context, 1, status, "krb5_cc_default");
status = krb5_cc_get_principal(context, ccache, &in_creds.client);
if(status)
krb5_err(context, 1, status, "krb5_cc_get_principal");
status = krb5_read_message(context, &sock, &in_creds.second_ticket);
if(status)
krb5_err(context, 1, status, "krb5_read_message");
status = krb5_parse_name(context, client_name.data, &in_creds.server);
if(status)
krb5_err(context, 1, status, "krb5_parse_name");
status = krb5_get_credentials(context, KRB5_GC_USER_USER, ccache,
&in_creds, &out_creds);
if(status)
krb5_err(context, 1, status, "krb5_get_credentials");
status = krb5_cc_default(context, &ccache);
if(status)
krb5_err(context, 1, status, "krb5_cc_default");
status = krb5_sendauth(context,
&auth_context,
&sock,
VERSION,
in_creds.client,
in_creds.server,
AP_OPTS_USE_SESSION_KEY,
NULL,
out_creds,
ccache,
NULL,
NULL,
NULL);
if (status)
krb5_err(context, 1, status, "krb5_sendauth");
{
char *str;
krb5_unparse_name(context, in_creds.server, &str);
printf ("User is `%s'\n", str);
free(str);
krb5_unparse_name(context, in_creds.client, &str);
printf ("Server is `%s'\n", str);
free(str);
}
krb5_data_zero (&data);
krb5_data_zero (&packet);
status = krb5_read_message(context, &sock, &packet);
if(status)
krb5_err(context, 1, status, "krb5_read_message");
status = krb5_rd_safe (context,
auth_context,
&packet,
&data,
NULL);
if (status)
errx (1, "krb5_rd_safe: %s",
krb5_get_err_text(context, status));
printf ("safe packet: %.*s\n", (int)data.length,
(char *)data.data);
status = krb5_read_message(context, &sock, &packet);
if(status)
krb5_err(context, 1, status, "krb5_read_message");
status = krb5_rd_priv (context,
auth_context,
&packet,
&data,
NULL);
if (status)
errx (1, "krb5_rd_priv: %s",
krb5_get_err_text(context, status));
printf ("priv packet: %.*s\n", (int)data.length,
(char *)data.data);
return 0;
}
krb5_error_code
_krb5_init_tgs_req(krb5_context context,
krb5_ccache ccache,
krb5_addresses *addresses,
krb5_kdc_flags flags,
krb5_const_principal impersonate_principal,
Ticket *second_ticket,
krb5_creds *in_creds,
krb5_creds *krbtgt,
unsigned nonce,
METHOD_DATA *padata,
krb5_keyblock **subkey,
TGS_REQ *t)
{
krb5_auth_context ac = NULL;
krb5_error_code ret = 0;
/* inherit the forwardable/proxyable flags from the krbtgt */
flags.b.forwardable = krbtgt->flags.b.forwardable;
flags.b.proxiable = krbtgt->flags.b.proxiable;
if (ccache->ops->tgt_req) {
KERB_TGS_REQ_OUT out;
KERB_TGS_REQ_IN in;
memset(&in, 0, sizeof(in));
memset(&out, 0, sizeof(out));
ret = ccache->ops->tgt_req(context, ccache, &in, &out);
if (ret)
return ret;
free_KERB_TGS_REQ_OUT(&out);
return 0;
}
memset(t, 0, sizeof(*t));
if (impersonate_principal) {
krb5_crypto crypto;
PA_S4U2Self self;
krb5_data data;
void *buf;
size_t size, len;
self.name = impersonate_principal->name;
self.realm = impersonate_principal->realm;
self.auth = rk_UNCONST("Kerberos");
ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
if (ret)
goto fail;
ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto);
if (ret) {
krb5_data_free(&data);
goto fail;
}
ret = krb5_create_checksum(context,
crypto,
KRB5_KU_OTHER_CKSUM,
0,
data.data,
data.length,
&self.cksum);
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
if (ret)
goto fail;
ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret);
free_Checksum(&self.cksum);
if (ret)
goto fail;
if (len != size)
krb5_abortx(context, "internal asn1 error");
ret = krb5_padata_add(context, padata, KRB5_PADATA_FOR_USER, buf, len);
if (ret)
goto fail;
}
t->pvno = 5;
t->msg_type = krb_tgs_req;
if (in_creds->session.keytype) {
ALLOC_SEQ(&t->req_body.etype, 1);
if(t->req_body.etype.val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
t->req_body.etype.val[0] = in_creds->session.keytype;
} else {
ret = _krb5_init_etype(context,
KRB5_PDU_TGS_REQUEST,
&t->req_body.etype.len,
&t->req_body.etype.val,
NULL);
}
if (ret)
goto fail;
t->req_body.addresses = addresses;
t->req_body.kdc_options = flags.b;
ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
if (ret)
goto fail;
ALLOC(t->req_body.sname, 1);
if (t->req_body.sname == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
/* some versions of some code might require that the client be
present in TGS-REQs, but this is clearly against the spec */
ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
if (ret)
goto fail;
/* req_body.till should be NULL if there is no endtime specified,
but old MIT code (like DCE secd) doesn't like that */
ALLOC(t->req_body.till, 1);
if(t->req_body.till == NULL){
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*t->req_body.till = in_creds->times.endtime;
t->req_body.nonce = nonce;
if(second_ticket){
ALLOC(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
ALLOC_SEQ(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets->val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val);
if (ret)
goto fail;
}
ALLOC(t->padata, 1);
if (t->padata == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
ALLOC_SEQ(t->padata, 1 + padata->len);
if (t->padata->val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
{
size_t i;
for (i = 0; i < padata->len; i++) {
ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
if (ret) {
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
}
}
ret = krb5_auth_con_init(context, &ac);
if(ret)
goto fail;
ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
if (ret)
goto fail;
ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
ac->local_subkey);
if (ret)
goto fail;
ret = make_pa_tgs_req(context,
ac,
&t->req_body,
&t->padata->val[0],
ccache,
krbtgt);
if(ret)
goto fail;
ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
if (ret)
goto fail;
fail:
if (ac)
krb5_auth_con_free(context, ac);
if (ret) {
t->req_body.addresses = NULL;
free_TGS_REQ (t);
}
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_req_ctx(krb5_context context,
krb5_auth_context *auth_context,
const krb5_data *inbuf,
krb5_const_principal server,
krb5_rd_req_in_ctx inctx,
krb5_rd_req_out_ctx *outctx)
{
krb5_error_code ret;
krb5_ap_req ap_req;
krb5_rd_req_out_ctx o = NULL;
krb5_keytab id = NULL, keytab = NULL;
krb5_principal service = NULL;
*outctx = NULL;
o = calloc(1, sizeof(*o));
if (o == NULL) {
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
if (*auth_context == NULL) {
ret = krb5_auth_con_init(context, auth_context);
if (ret)
goto out;
}
ret = krb5_decode_ap_req(context, inbuf, &ap_req);
if(ret)
goto out;
/* Save that principal that was in the request */
ret = _krb5_principalname2krb5_principal(context,
&o->server,
ap_req.ticket.sname,
ap_req.ticket.realm);
if (ret)
goto out;
if (ap_req.ap_options.use_session_key &&
(*auth_context)->keyblock == NULL) {
ret = KRB5KRB_AP_ERR_NOKEY;
krb5_set_error_message(context, ret,
N_("krb5_rd_req: user to user auth "
"without session key given", ""));
goto out;
}
if (inctx && inctx->keytab)
id = inctx->keytab;
if((*auth_context)->keyblock){
ret = krb5_copy_keyblock(context,
(*auth_context)->keyblock,
&o->keyblock);
if (ret)
goto out;
} else if(inctx && inctx->keyblock){
ret = krb5_copy_keyblock(context,
inctx->keyblock,
&o->keyblock);
if (ret)
goto out;
} else {
if(id == NULL) {
krb5_kt_default(context, &keytab);
id = keytab;
}
if (id == NULL)
goto out;
if (server == NULL) {
ret = _krb5_principalname2krb5_principal(context,
&service,
ap_req.ticket.sname,
ap_req.ticket.realm);
if (ret)
goto out;
server = service;
}
ret = get_key_from_keytab(context,
&ap_req,
server,
id,
&o->keyblock);
if (ret) {
/* If caller specified a server, fail. */
if (service == NULL && (context->flags & KRB5_CTX_F_RD_REQ_IGNORE) == 0)
goto out;
/* Otherwise, fall back to iterating over the keytab. This
* have serious performace issues for larger keytab.
*/
o->keyblock = NULL;
}
}
if (o->keyblock) {
/*
* We got an exact keymatch, use that.
*/
ret = krb5_verify_ap_req2(context,
auth_context,
&ap_req,
server,
o->keyblock,
0,
&o->ap_req_options,
&o->ticket,
KRB5_KU_AP_REQ_AUTH);
if (ret)
goto out;
} else {
/*
* Interate over keytab to find a key that can decrypt the request.
*/
krb5_keytab_entry entry;
krb5_kt_cursor cursor;
int done = 0, kvno = 0;
memset(&cursor, 0, sizeof(cursor));
if (ap_req.ticket.enc_part.kvno)
kvno = *ap_req.ticket.enc_part.kvno;
ret = krb5_kt_start_seq_get(context, id, &cursor);
if (ret)
goto out;
done = 0;
while (!done) {
krb5_principal p;
ret = krb5_kt_next_entry(context, id, &entry, &cursor);
if (ret) {
_krb5_kt_principal_not_found(context, ret, id, o->server,
ap_req.ticket.enc_part.etype,
kvno);
krb5_kt_end_seq_get(context, id, &cursor);
goto out;
}
if (entry.keyblock.keytype != ap_req.ticket.enc_part.etype) {
krb5_kt_free_entry (context, &entry);
continue;
}
ret = krb5_verify_ap_req2(context,
auth_context,
&ap_req,
server,
&entry.keyblock,
0,
&o->ap_req_options,
&o->ticket,
KRB5_KU_AP_REQ_AUTH);
if (ret) {
krb5_kt_free_entry(context, &entry);
continue;
}
/*
* Found a match, save the keyblock for PAC processing,
* and update the service principal in the ticket to match
* whatever is in the keytab.
*/
ret = krb5_copy_keyblock(context,
&entry.keyblock,
&o->keyblock);
if (ret) {
krb5_kt_free_entry(context, &entry);
krb5_kt_end_seq_get(context, id, &cursor);
goto out;
}
ret = krb5_copy_principal(context, entry.principal, &p);
if (ret) {
krb5_kt_free_entry(context, &entry);
krb5_kt_end_seq_get(context, id, &cursor);
goto out;
}
krb5_free_principal(context, o->ticket->server);
o->ticket->server = p;
krb5_kt_free_entry(context, &entry);
done = 1;
}
krb5_kt_end_seq_get(context, id, &cursor);
}
/* If there is a PAC, verify its server signature */
if (inctx == NULL || inctx->check_pac) {
krb5_pac pac;
krb5_data data;
ret = krb5_ticket_get_authorization_data_type(context,
o->ticket,
KRB5_AUTHDATA_WIN2K_PAC,
&data);
if (ret == 0) {
ret = krb5_pac_parse(context, data.data, data.length, &pac);
krb5_data_free(&data);
if (ret)
goto out;
ret = krb5_pac_verify(context,
pac,
o->ticket->ticket.authtime,
o->ticket->client,
o->keyblock,
NULL);
krb5_pac_free(context, pac);
if (ret == 0)
o->flags |= KRB5_RD_REQ_OUT_PAC_VALID;
ret = 0;
} else
ret = 0;
}
out:
if (ret || outctx == NULL) {
krb5_rd_req_out_ctx_free(context, o);
} else
*outctx = o;
free_AP_REQ(&ap_req);
if (service)
krb5_free_principal(context, service);
if (keytab)
krb5_kt_close(context, keytab);
return ret;
}
/*
* Function: socket_connection
*
* Purpose: Opens the network connection with the mail host, without
* doing any sort of I/O with it or anything.
*
* Arguments:
* host The host to which to connect.
* flags Option flags.
*
* Return value: A file descriptor indicating the connection, or -1
* indicating failure, in which case an error has been copied
* into pop_error.
*/
static int
socket_connection (char *host, int flags)
{
struct addrinfo *res, *it;
struct addrinfo hints;
int ret;
struct servent *servent;
struct sockaddr_in addr;
char found_port = 0;
const char *service;
int sock;
char *realhost;
#ifdef KERBEROS
#ifdef KERBEROS5
krb5_error_code rem;
krb5_context kcontext = 0;
krb5_auth_context auth_context = 0;
krb5_ccache ccdef;
krb5_principal client, server;
krb5_error *err_ret;
register char *cp;
#else
KTEXT ticket;
MSG_DAT msg_data;
CREDENTIALS cred;
Key_schedule schedule;
int rem;
#endif /* KERBEROS5 */
#endif /* KERBEROS */
int try_count = 0;
int connect_ok;
#ifdef WINDOWSNT
{
WSADATA winsockData;
if (WSAStartup (0x101, &winsockData) == 0)
have_winsock = 1;
}
#endif
memset (&addr, 0, sizeof (addr));
addr.sin_family = AF_INET;
/** "kpop" service is never used: look for 20060515 to see why **/
#ifdef KERBEROS
service = (flags & POP_NO_KERBEROS) ? POP_SERVICE : KPOP_SERVICE;
#else
service = POP_SERVICE;
#endif
#ifdef HESIOD
if (! (flags & POP_NO_HESIOD))
{
servent = hes_getservbyname (service, "tcp");
if (servent)
{
addr.sin_port = servent->s_port;
found_port = 1;
}
}
#endif
if (! found_port)
{
servent = getservbyname (service, "tcp");
if (servent)
{
addr.sin_port = servent->s_port;
}
else
{
/** "kpop" service is never used: look for 20060515 to see why **/
#ifdef KERBEROS
addr.sin_port = htons ((flags & POP_NO_KERBEROS) ?
POP_PORT : KPOP_PORT);
#else
addr.sin_port = htons (POP_PORT);
#endif
}
}
#define POP_SOCKET_ERROR "Could not create socket for POP connection: "
sock = socket (PF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
snprintf (pop_error, ERROR_MAX, "%s%s",
POP_SOCKET_ERROR, strerror (errno));
return (-1);
}
memset (&hints, 0, sizeof (hints));
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_CANONNAME;
hints.ai_family = AF_INET;
do
{
ret = getaddrinfo (host, service, &hints, &res);
try_count++;
if (ret != 0 && (ret != EAI_AGAIN || try_count == 5))
{
strcpy (pop_error, "Could not determine POP server's address");
return (-1);
}
} while (ret != 0);
for (it = res; it; it = it->ai_next)
if (it->ai_addrlen == sizeof addr)
{
struct sockaddr_in *in_a = (struct sockaddr_in *) it->ai_addr;
addr.sin_addr = in_a->sin_addr;
if (! connect (sock, (struct sockaddr *) &addr, sizeof addr))
break;
}
connect_ok = it != NULL;
if (connect_ok)
{
realhost = alloca (strlen (it->ai_canonname) + 1);
strcpy (realhost, it->ai_canonname);
}
freeaddrinfo (res);
#define CONNECT_ERROR "Could not connect to POP server: "
if (! connect_ok)
{
CLOSESOCKET (sock);
snprintf (pop_error, ERROR_MAX, "%s%s", CONNECT_ERROR, strerror (errno));
return (-1);
}
#ifdef KERBEROS
#define KRB_ERROR "Kerberos error connecting to POP server: "
if (! (flags & POP_NO_KERBEROS))
{
#ifdef KERBEROS5
rem = krb5_init_context (&kcontext);
if (rem)
{
krb5error:
if (auth_context)
krb5_auth_con_free (kcontext, auth_context);
if (kcontext)
krb5_free_context (kcontext);
snprintf (pop_error, ERROR_MAX, "%s%s",
KRB_ERROR, error_message (rem));
CLOSESOCKET (sock);
return (-1);
}
rem = krb5_auth_con_init (kcontext, &auth_context);
if (rem)
goto krb5error;
rem = krb5_cc_default (kcontext, &ccdef);
if (rem)
goto krb5error;
rem = krb5_cc_get_principal (kcontext, ccdef, &client);
if (rem)
goto krb5error;
for (cp = realhost; *cp; cp++)
*cp = c_tolower (*cp);
rem = krb5_sname_to_principal (kcontext, realhost,
POP_SERVICE, FALSE, &server);
if (rem)
goto krb5error;
rem = krb5_sendauth (kcontext, &auth_context,
(krb5_pointer) &sock, (char *) "KPOPV1.0",
client, server,
AP_OPTS_MUTUAL_REQUIRED,
0, /* no checksum */
0, /* no creds, use ccache instead */
ccdef,
&err_ret,
0, /* don't need subsession key */
0); /* don't need reply */
krb5_free_principal (kcontext, server);
if (rem)
{
int pop_error_len = snprintf (pop_error, ERROR_MAX, "%s%s",
KRB_ERROR, error_message (rem));
#if defined HAVE_KRB5_ERROR_TEXT
if (err_ret && err_ret->text.length)
{
int errlen = err_ret->text.length;
snprintf (pop_error + pop_error_len, ERROR_MAX - pop_error_len,
" [server says '%.*s']", errlen, err_ret->text.data);
}
#elif defined HAVE_KRB5_ERROR_E_TEXT
if (err_ret && err_ret->e_text && **err_ret->e_text)
snprintf (pop_error + pop_error_len, ERROR_MAX - pop_error_len,
" [server says '%s']", *err_ret->e_text);
#endif
if (err_ret)
krb5_free_error (kcontext, err_ret);
krb5_auth_con_free (kcontext, auth_context);
krb5_free_context (kcontext);
CLOSESOCKET (sock);
return (-1);
}
#else /* ! KERBEROS5 */
ticket = (KTEXT) malloc (sizeof (KTEXT_ST));
rem = krb_sendauth (0L, sock, ticket, "pop", realhost,
(char *) krb_realmofhost (realhost),
(unsigned long) 0, &msg_data, &cred, schedule,
(struct sockaddr_in *) 0,
(struct sockaddr_in *) 0,
"KPOPV0.1");
free ((char *) ticket);
if (rem != KSUCCESS)
{
snprintf (pop_error, ERROR_MAX, "%s%s", KRB_ERROR, krb_err_txt[rem]);
CLOSESOCKET (sock);
return (-1);
}
#endif /* KERBEROS5 */
}
#endif /* KERBEROS */
return (sock);
} /* socket_connection */
static int
kerberos5_send(char *name, Authenticator *ap)
{
krb5_error_code ret;
krb5_ccache ccache;
int ap_opts;
krb5_data cksum_data;
char foo[2];
printf("[ Trying %s ... ]\r\n", name);
if (!UserNameRequested) {
if (auth_debug_mode) {
printf("Kerberos V5: no user name supplied\r\n");
}
return(0);
}
ret = krb5_cc_default(context, &ccache);
if (ret) {
if (auth_debug_mode) {
printf("Kerberos V5: could not get default ccache: %s\r\n",
krb5_get_err_text (context, ret));
}
return 0;
}
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
ap_opts = AP_OPTS_MUTUAL_REQUIRED;
else
ap_opts = 0;
ret = krb5_auth_con_init (context, &auth_context);
if (ret) {
if (auth_debug_mode) {
printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
krb5_get_err_text(context, ret));
}
return(0);
}
krb5_auth_setenctype (context, auth_context, ETYPE_DES_CBC_MD5);
foo[0] = ap->type;
foo[1] = ap->way;
cksum_data.length = sizeof(foo);
cksum_data.data = foo;
ret = krb5_mk_req(context, &auth_context, ap_opts,
"host", RemoteHostName,
&cksum_data, ccache, &auth);
if (ret) {
if (auth_debug_mode) {
printf("Kerberos V5: mk_req failed (%s)\r\n",
krb5_get_err_text(context, ret));
}
return(0);
}
if (!auth_sendname((unsigned char *)UserNameRequested,
strlen(UserNameRequested))) {
if (auth_debug_mode)
printf("Not enough room for user name\r\n");
return(0);
}
if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
if (auth_debug_mode)
printf("Not enough room for authentication data\r\n");
return(0);
}
if (auth_debug_mode) {
printf("Sent Kerberos V5 credentials to server\r\n");
}
return(1);
}
static krb5_error_code
init_tgs_req (krb5_context context,
krb5_ccache ccache,
krb5_addresses *addresses,
krb5_kdc_flags flags,
Ticket *second_ticket,
krb5_creds *in_creds,
krb5_creds *krbtgt,
unsigned nonce,
const METHOD_DATA *padata,
krb5_keyblock **subkey,
TGS_REQ *t)
{
krb5_auth_context ac = NULL;
krb5_error_code ret = 0;
memset(t, 0, sizeof(*t));
t->pvno = 5;
t->msg_type = krb_tgs_req;
if (in_creds->session.keytype) {
ALLOC_SEQ(&t->req_body.etype, 1);
if(t->req_body.etype.val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
t->req_body.etype.val[0] = in_creds->session.keytype;
} else {
ret = krb5_init_etype(context,
&t->req_body.etype.len,
&t->req_body.etype.val,
NULL);
}
if (ret)
goto fail;
t->req_body.addresses = addresses;
t->req_body.kdc_options = flags.b;
ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
if (ret)
goto fail;
ALLOC(t->req_body.sname, 1);
if (t->req_body.sname == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
/* some versions of some code might require that the client be
present in TGS-REQs, but this is clearly against the spec */
ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
if (ret)
goto fail;
/* req_body.till should be NULL if there is no endtime specified,
but old MIT code (like DCE secd) doesn't like that */
ALLOC(t->req_body.till, 1);
if(t->req_body.till == NULL){
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*t->req_body.till = in_creds->times.endtime;
t->req_body.nonce = nonce;
if(second_ticket){
ALLOC(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
ALLOC_SEQ(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets->val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val);
if (ret)
goto fail;
}
ALLOC(t->padata, 1);
if (t->padata == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
ALLOC_SEQ(t->padata, 1 + padata->len);
if (t->padata->val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
{
int i;
for (i = 0; i < padata->len; i++) {
ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
if (ret) {
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
}
}
ret = krb5_auth_con_init(context, &ac);
if(ret)
goto fail;
ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
if (ret)
goto fail;
ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
ac->local_subkey);
if (ret)
goto fail;
ret = make_pa_tgs_req(context,
ac,
&t->req_body,
&t->padata->val[0],
krbtgt);
if(ret)
goto fail;
ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
if (ret)
goto fail;
fail:
if (ac)
krb5_auth_con_free(context, ac);
if (ret) {
t->req_body.addresses = NULL;
free_TGS_REQ (t);
}
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_ap_req2(krb5_context context,
krb5_auth_context *auth_context,
krb5_ap_req *ap_req,
krb5_const_principal server,
krb5_keyblock *keyblock,
krb5_flags flags,
krb5_flags *ap_req_options,
krb5_ticket **ticket,
krb5_key_usage usage)
{
krb5_ticket *t;
krb5_auth_context ac;
krb5_error_code ret;
EtypeList etypes;
memset(&etypes, 0, sizeof(etypes));
if(ticket)
*ticket = NULL;
if (auth_context && *auth_context) {
ac = *auth_context;
} else {
ret = krb5_auth_con_init(context, &ac);
if (ret)
return ret;
}
t = calloc(1, sizeof(*t));
if (t == NULL) {
ret = ENOMEM;
krb5_clear_error_message(context);
goto out;
}
if (ap_req->ap_options.use_session_key && ac->keyblock){
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
ac->keyblock,
&t->ticket,
flags);
krb5_free_keyblock(context, ac->keyblock);
ac->keyblock = NULL;
}else
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
keyblock,
&t->ticket,
flags);
if(ret)
goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->server,
ap_req->ticket.sname,
ap_req->ticket.realm);
if (ret) goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->client,
t->ticket.cname,
t->ticket.crealm);
if (ret) goto out;
ret = decrypt_authenticator(context,
&t->ticket.key,
&ap_req->authenticator,
ac->authenticator,
usage);
if (ret)
goto out;
{
krb5_principal p1, p2;
krb5_boolean res;
_krb5_principalname2krb5_principal(context,
&p1,
ac->authenticator->cname,
ac->authenticator->crealm);
_krb5_principalname2krb5_principal(context,
&p2,
t->ticket.cname,
t->ticket.crealm);
res = krb5_principal_compare(context, p1, p2);
krb5_free_principal(context, p1);
krb5_free_principal(context, p2);
if (!res) {
ret = KRB5KRB_AP_ERR_BADMATCH;
krb5_clear_error_message(context);
goto out;
}
}
/* check addresses */
if (t->ticket.caddr
&& ac->remote_address
&& !krb5_address_search(context,
ac->remote_address,
t->ticket.caddr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
krb5_clear_error_message(context);
goto out;
}
/* check timestamp in authenticator */
{
krb5_timestamp now;
krb5_timeofday(context, &now);
if (krb5_time_abs(ac->authenticator->ctime, now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_clear_error_message(context);
goto out;
}
}
if (ac->authenticator->seq_number)
krb5_auth_con_setremoteseqnumber(context, ac,
*ac->authenticator->seq_number);
/* XXX - Xor sequence numbers */
if (ac->authenticator->subkey) {
ret = krb5_auth_con_setremotesubkey(context, ac,
ac->authenticator->subkey);
if (ret)
goto out;
}
ret = find_etypelist(context, ac, &etypes);
if (ret)
goto out;
ac->keytype = (krb5_keytype)ETYPE_NULL;
if (etypes.val) {
size_t i;
for (i = 0; i < etypes.len; i++) {
if (krb5_enctype_valid(context, etypes.val[i]) == 0) {
ac->keytype = etypes.val[i];
break;
}
}
}
/* save key */
ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
if (ret) goto out;
if (ap_req_options) {
*ap_req_options = 0;
if (ac->keytype != ETYPE_NULL)
*ap_req_options |= AP_OPTS_USE_SUBKEY;
if (ap_req->ap_options.use_session_key)
*ap_req_options |= AP_OPTS_USE_SESSION_KEY;
if (ap_req->ap_options.mutual_required)
*ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
}
if(ticket)
*ticket = t;
else
krb5_free_ticket(context, t);
if (auth_context) {
if (*auth_context == NULL)
*auth_context = ac;
} else
krb5_auth_con_free(context, ac);
free_EtypeList(&etypes);
return 0;
out:
free_EtypeList(&etypes);
if (t)
krb5_free_ticket(context, t);
if (auth_context == NULL || *auth_context == NULL)
krb5_auth_con_free(context, ac);
return ret;
}
