static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) { krb5_ccache ccache; krb5_error_code problem; krb5_principal princ; OM_uint32 maj_status, min_status; const char *errmsg; if (client->creds == NULL) { debug("No credentials stored"); return; } if (ssh_gssapi_krb5_init() == 0) return; if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix, NULL, &ccache)) != 0) { errmsg = krb5_get_error_message(krb_context, problem); logit("krb5_cc_new_unique(): %.100s", errmsg); krb5_free_error_message(krb_context, errmsg); return; } if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { errmsg = krb5_get_error_message(krb_context, problem); logit("krb5_parse_name(): %.100s", errmsg); krb5_free_error_message(krb_context, errmsg); krb5_cc_destroy(krb_context, ccache); return; } if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { errmsg = krb5_get_error_message(krb_context, problem); logit("krb5_cc_initialize(): %.100s", errmsg); krb5_free_error_message(krb_context, errmsg); krb5_free_principal(krb_context, princ); krb5_cc_destroy(krb_context, ccache); return; } krb5_free_principal(krb_context, princ); if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, ccache))) { logit("gss_krb5_copy_ccache() failed"); krb5_cc_destroy(krb_context, ccache); return; } client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); client->store.envvar = "KRB5CCNAME"; client->store.envval = xstrdup(client->store.filename); krb5_cc_close(krb_context, ccache); return; }
/** * \brief Establishing Kerberos connection, verifies clients credentials * \param[in] vContextc *C The context of verse server * \param[out] char **u_name user name of client * \return returns 1 if Kerberos authentication was OK 0 if something went wrong */ int vs_kerberos_auth(struct vContext *C, char **u_name){ struct VS_CTX *vs_ctx = CTX_server_ctx(C); struct IO_CTX *io_ctx = CTX_io_ctx(C); struct VStreamConn *stream_conn = CTX_current_stream_conn(C); int flags = 0; int len = MAX_PACKET_SIZE; unsigned char buffer[MAX_PACKET_SIZE]; char *client_principal; krb5_data packet; krb5_error_code krb5err; int flag; /* Make sure socket is blocking */ flag = fcntl(stream_conn->io_ctx.sockfd, F_GETFL, 0); if ((fcntl(stream_conn->io_ctx.sockfd, F_SETFL, flag & ~O_NONBLOCK)) == -1) { if (is_log_level(VRS_PRINT_ERROR)) v_print_log(VRS_PRINT_ERROR, "fcntl(): %s\n", strerror(errno)); return 0; } /* Get KRB_AP_REQ message */ if ((len = recvfrom(stream_conn->io_ctx.sockfd, (char *) buffer, MAX_PACKET_SIZE, flags, NULL, NULL)) < 0) { v_print_log(VRS_PRINT_ERROR, "recvfrom failed.\n"); return 0; } packet.length = len; packet.data = (krb5_pointer) buffer; io_ctx->krb5_auth_ctx = vs_ctx->tcp_io_ctx.krb5_auth_ctx; io_ctx->krb5_ctx = vs_ctx->tcp_io_ctx.krb5_ctx; io_ctx->krb5_ticket = vs_ctx->tcp_io_ctx.krb5_ticket; io_ctx->krb5_keytab = vs_ctx->tcp_io_ctx.krb5_keytab; /* Check authentication info */ if ((krb5err = krb5_rd_req(io_ctx->krb5_ctx, (krb5_auth_context *) &io_ctx->krb5_auth_ctx, &packet, io_ctx->krb5_principal, io_ctx->krb5_keytab, NULL, (krb5_ticket **) &io_ctx->krb5_ticket))) { v_print_log(VRS_PRINT_ERROR, "krb5_rd_req %d: %s\n", (int) krb5err, krb5_get_error_message(io_ctx->krb5_ctx, krb5err)); return 0; } /* Get user name */ if ((krb5err = krb5_unparse_name(io_ctx->krb5_ctx, io_ctx->krb5_ticket->enc_part2->client, &client_principal))) { v_print_log(VRS_PRINT_ERROR, "krb5_unparse_name %d: %s\n", (int) krb5err, krb5_get_error_message(io_ctx->krb5_ctx, krb5err)); return 0; } v_print_log(VRS_PRINT_DEBUG_MSG, "Got authentication info from %s\n", client_principal); *u_name = client_principal; return 1; }
static int do_v5 (const char *host, int port, const char *user, const char *filename, const char *header_str, int leavep, int verbose, int forkp) { krb5_error_code ret; krb5_auth_context auth_context = NULL; krb5_principal server; const char *estr; int s; s = do_connect (host, port, 1); if (s < 0) return 1; ret = krb5_sname_to_principal (context, host, "pop", KRB5_NT_SRV_HST, &server); if (ret) { estr = krb5_get_error_message(context, ret); warnx ("krb5_sname_to_principal: %s", estr); krb5_free_error_message(context, estr); return 1; } ret = krb5_sendauth (context, &auth_context, &s, "KPOPV1.0", NULL, server, 0, NULL, NULL, NULL, NULL, NULL, NULL); krb5_free_principal (context, server); if (ret) { estr = krb5_get_error_message(context, ret); warnx ("krb5_sendauth: %s", estr); krb5_free_error_message(context, estr); return 1; } return doit (s, host, user, filename, header_str, leavep, verbose, forkp); }
krb5_error_code krb5int_fast_as_armor (krb5_context context, struct krb5int_fast_request_state *state, krb5_gic_opt_ext *opte, krb5_kdc_req *request) { krb5_error_code retval = 0; krb5_ccache ccache = NULL; krb5_clear_error_message(context); if (opte->opt_private->fast_ccache_name) { retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name, &ccache); if (retval==0) retval = fast_armor_ap_request(context, state, ccache, krb5_princ_realm(context, request->server)); if (retval != 0) { const char * errmsg; errmsg = krb5_get_error_message(context, retval); if (errmsg) { krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg); krb5_free_error_message(context, errmsg); } } } if (ccache) krb5_cc_close(context, ccache); return retval; }
static void on_bind_readable(verto_ctx *vctx, verto_ev *ev) { const char *errstr = "error"; LDAPMessage *results; struct otpd_queue_item *item = NULL; int i, rslt; (void)vctx; rslt = ldap_result(verto_get_private(ev), LDAP_RES_ANY, 0, NULL, &results); if (rslt != LDAP_RES_BIND) { if (rslt <= 0) results = NULL; ldap_msgfree(results); otpd_log_err(EIO, "IO error received on bind socket"); verto_break(ctx.vctx); ctx.exitstatus = 1; return; } item = otpd_queue_pop_msgid(&ctx.bind.responses, ldap_msgid(results)); if (item == NULL) { ldap_msgfree(results); return; } item->msgid = -1; rslt = ldap_parse_result(verto_get_private(ev), results, &i, NULL, NULL, NULL, NULL, 0); if (rslt != LDAP_SUCCESS) { errstr = ldap_err2string(rslt); goto error; } rslt = i; if (rslt != LDAP_SUCCESS) { errstr = ldap_err2string(rslt); goto error; } item->sent = 0; i = krad_packet_new_response(ctx.kctx, SECRET, krad_code_name2num("Access-Accept"), NULL, item->req, &item->rsp); if (i != 0) { errstr = krb5_get_error_message(ctx.kctx, i); goto error; } error: if (item != NULL) otpd_log_req(item->req, "bind end: %s", item->rsp != NULL ? "success" : errstr); ldap_msgfree(results); otpd_queue_push(&ctx.stdio.responses, item); verto_set_flags(ctx.stdio.writer, VERTO_EV_FLAG_PERSIST | VERTO_EV_FLAG_IO_ERROR | VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_IO_WRITE); }
/* * krcmd: simplified version of Athena's "kcmd" * returns a socket attached to the destination, -1 or krb error on error * if fd2p is non-NULL, another socket is filled in for it */ # if defined SHISHI # ifdef HAVE_GETPWUID_R static int pwbuflen; static char *pwbuf = NULL; /* Reused after first allocation. */ static struct passwd pwstor, *pwd; # endif /* HAVE_GETPWUID_R */ int krcmd (Shishi ** h, char **ahost, unsigned short rport, char **remuser, char *cmd, int *fd2p, const char *realm, int af) { int sock = -1, err = 0; long authopts = 0L; # ifdef HAVE_GETPWUID_R if (!pwbuf) { pwbuflen = sysconf (_SC_GETPW_R_SIZE_MAX); if (pwbuflen <= 0) pwbuflen = 1024; /* Guessing only. */ pwbuf = malloc (pwbuflen); } if (pwbuf) (void) getpwuid_r (getuid (), &pwstor, pwbuf, pwbuflen, &pwd); # endif /* HAVE_GETPWUID_R */ err = kcmd (h, &sock, ahost, rport, # ifdef HAVE_GETPWUID_R pwd ? pwd->pw_name : *remuser, /* locuser */ # else /* !HAVE_GETPWUID_R */ NULL, /* locuser not used */ # endif remuser, cmd, fd2p, SERVICE_NAME, realm, NULL, /* key schedule not used */ NULL, /* local addr not used */ NULL, /* foreign addr not used */ authopts, af); if (err > SHISHI_OK) { fprintf (stderr, "krcmd: error %d, %s\n", err, shishi_strerror (err)); return (-1); } if (err < 0) return (-1); return (sock); } # elif defined(KRB5) /* !SHISHI */ int krcmd (krb5_context *ctx, char **ahost, unsigned short rport, char **remuser, char *cmd, int *fd2p, const char *realm) { int sock = -1; krb5_error_code err = 0; long authopts = 0L; err = kcmd (ctx, &sock, ahost, rport, NULL, /* locuser not used */ remuser, cmd, fd2p, SERVICE_NAME, realm, (krb5_keyblock **) NULL, /* key not used */ (struct sockaddr_in *) NULL, /* local addr not used */ (struct sockaddr_in *) NULL, /* foreign addr not used */ authopts); if (err > 0) { const char *text = krb5_get_error_message (*ctx, err); fprintf (stderr, "krcmd: %s\n", text); krb5_free_error_message (*ctx, text); return (-1); } if (err < 0) return (-1); return (sock); }
static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) { krb5_principal princ; int retval; const char *errmsg; if (ssh_gssapi_krb5_init() == 0) return 0; if ((retval = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { errmsg = krb5_get_error_message(krb_context, retval); logit("krb5_parse_name(): %.100s", errmsg); krb5_free_error_message(krb_context, errmsg); return 0; } if (krb5_kuserok(krb_context, princ, name)) { retval = 1; logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", name, (char *)client->displayname.value); } else retval = 0; krb5_free_principal(krb_context, princ); return retval; }
krb5_error_code handle_authdata (krb5_context context, unsigned int flags, krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, krb5_keyblock *client_key, krb5_keyblock *server_key, krb5_keyblock *krbtgt_key, krb5_data *req_pkt, krb5_kdc_req *request, krb5_const_principal for_user_princ, krb5_enc_tkt_part *enc_tkt_request, krb5_enc_tkt_part *enc_tkt_reply) { krb5_error_code code = 0; int i; for (i = 0; i < n_authdata_systems; i++) { const krb5_authdata_systems *asys = &authdata_systems[i]; if (isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS) && !isflagset(asys->flags, AUTHDATA_FLAG_ANONYMOUS)) continue; switch (asys->type) { case AUTHDATA_SYSTEM_V0: /* V0 was only in AS-REQ code path */ if (request->msg_type != KRB5_AS_REQ) continue; code = (*asys->handle_authdata.v0)(context, client, req_pkt, request, enc_tkt_reply); break; case AUTHDATA_SYSTEM_V2: code = (*asys->handle_authdata.v2)(context, flags, client, server, krbtgt, client_key, server_key, krbtgt_key, req_pkt, request, for_user_princ, enc_tkt_request, enc_tkt_reply); break; default: code = 0; break; } if (code != 0) { const char *emsg; emsg = krb5_get_error_message (context, code); krb5_klog_syslog(LOG_INFO, _("authdata (%s) handling failure: %s"), asys->name, emsg); krb5_free_error_message (context, emsg); if (asys->flags & AUTHDATA_FLAG_CRITICAL) break; } } return code; }
static int match_rfc_san(krb5_context context, krb5_kdc_configuration *config, hx509_context hx509ctx, hx509_cert client_cert, krb5_const_principal match) { hx509_octet_string_list list; int ret, found = 0; size_t i; memset(&list, 0 , sizeof(list)); ret = hx509_cert_find_subjectAltName_otherName(hx509ctx, client_cert, &asn1_oid_id_pkinit_san, &list); if (ret) goto out; for (i = 0; !found && i < list.len; i++) { krb5_principal_data principal; KRB5PrincipalName kn; size_t size; ret = decode_KRB5PrincipalName(list.val[i].data, list.val[i].length, &kn, &size); if (ret) { const char *msg = krb5_get_error_message(context, ret); kdc_log(context, config, 0, "Decoding kerberos name in certificate failed: %s", msg); krb5_free_error_message(context, msg); break; } if (size != list.val[i].length) { kdc_log(context, config, 0, "Decoding kerberos name have extra bits on the end"); return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; } memset(&principal, 0, sizeof (principal)); principal.name = kn.principalName; principal.realm = kn.realm; if (krb5_principal_compare(context, &principal, match) == TRUE) found = 1; free_KRB5PrincipalName(&kn); } out: hx509_free_octet_string_list(&list); if (ret) return ret; if (!found) return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; return 0; }
void redirect_errors(const char *who, afs_int32 code, const char *fmt, va_list ap) { krb5_context context; if (who) { fputs(who, stderr); fputs(": ", stderr); } if (code) { int freestr = 0; char *str = (char *)afs_error_message(code); if (strncmp(str, "unknown", strlen(str)) == 0) { if (!krb5_init_context(&context)) { str = krb5_get_error_message(NULL, code); freestr = 1; } } fputs(str, stderr); fputs(" ", stderr); if (freestr) { krb5_free_error_message(context, str); krb5_free_context(context); } } if (fmt) { vfprintf(stderr, fmt, ap); } putc('\n', stderr); fflush(stderr); }
krb5_error_code kcm_ccache_resolve_client(krb5_context context, kcm_client *client, kcm_operation opcode, const char *name, kcm_ccache *ccache) { krb5_error_code ret; const char *estr; ret = kcm_ccache_resolve(context, name, ccache); if (ret) { estr = krb5_get_error_message(context, ret); kcm_log(1, "Failed to resolve cache %s: %s", name, estr); krb5_free_error_message(context, estr); return ret; } ret = kcm_access(context, client, opcode, *ccache); if (ret) { ret = KRB5_FCC_NOFILE; /* don't disclose */ kcm_release_ccache(context, *ccache); } return ret; }
krb5_error_code kcm_ccache_destroy_client(krb5_context context, kcm_client *client, const char *name) { krb5_error_code ret; kcm_ccache ccache; const char *estr; ret = kcm_ccache_resolve(context, name, &ccache); if (ret) { estr = krb5_get_error_message(context, ret); kcm_log(1, "Failed to resolve cache %s: %s", name, estr); krb5_free_error_message(context, estr); return ret; } ret = kcm_access(context, client, KCM_OP_DESTROY, ccache); kcm_cleanup_events(context, ccache); kcm_release_ccache(context, ccache); if (ret) return ret; return kcm_ccache_destroy(context, name); }
/** * Prints the error message associated with a failed krb5 call */ void curl_krb5_print_error_message(krb5_context krb_context, int error_code, struct SessionHandle *data) { const char *errormsg = krb5_get_error_message(krb_context, error_code); infof(data, "KRB5_ERROR: %s \n" , errormsg); infof(data, "KRB5_ERROR_CODE: %d", error_code); //for debugging certain scenarios infof(data, "\n Freeing all krb5 related data structures \n"); krb5_free_error_message(krb_context, errormsg); }
krb5_error_code handle_authdata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply) { krb5_error_code retval = 0; krb5_authdata_systems *authdata_sys; int i; const char *emsg; krb5_klog_syslog (LOG_DEBUG, "handling authdata"); for (authdata_sys = authdata_systems, i = 0; authdata_sys != NULL && i < n_authdata_systems; i++) { if (authdata_sys[i].handle_authdata && authdata_sys[i].type != -1) { retval = authdata_sys[i].handle_authdata(context, client, req_pkt, request, enc_tkt_reply); if (retval) { emsg = krb5_get_error_message (context, retval); krb5_klog_syslog (LOG_INFO, "authdata (%s) handling failure: %s", authdata_sys[i].name, emsg); krb5_free_error_message (context, emsg); } else { krb5_klog_syslog (LOG_DEBUG, ".. .. ok"); } } } return 0; }
static void forward_cb(krb5_error_code retval, const krad_packet *request, const krad_packet *response, void *data) { krad_code code, acpt; struct otpd_queue_item *item = data; (void)request; acpt = krad_code_name2num("Access-Accept"); code = krad_packet_get_code(response); if (retval == 0 && code == acpt) { item->sent = 0; retval = krad_packet_new_response(ctx.kctx, SECRET, acpt, NULL, item->req, &item->rsp); } otpd_log_req(item->req, "forward end: %s", retval == 0 ? krad_code_num2name(code) : krb5_get_error_message(ctx.kctx, retval)); otpd_queue_push(&ctx.stdio.responses, item); verto_set_flags(ctx.stdio.writer, VERTO_EV_FLAG_PERSIST | VERTO_EV_FLAG_IO_ERROR | VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_IO_WRITE); }
const char *KRB5_CALLCONV sss_krb5_get_error_message(krb5_context ctx, krb5_error_code ec) { #ifdef HAVE_KRB5_GET_ERROR_MESSAGE return krb5_get_error_message(ctx, ec); #else int ret; char *s = NULL; int size = sizeof("Kerberos error [XXXXXXXXXXXX]"); s = malloc(sizeof(char) * (size)); if (s == NULL) { return NULL; } ret = snprintf(s, size, "Kerberos error [%12d]", ec); if (ret < 0 || ret >= size) { free(s); return NULL; } return s; #endif }
/* * krcmd: simplified version of Athena's "kcmd" * returns a socket attached to the destination, -1 or krb error on error * if fd2p is non-NULL, another socket is filled in for it */ # if defined SHISHI # ifdef HAVE_GETPWUID_R static int pwbuflen; static char *pwbuf = NULL; /* Reused after first allocation. */ static struct passwd pwstor, *pwd; # endif /* HAVE_GETPWUID_R */ int krcmd (Shishi ** h, char **ahost, unsigned short rport, char **remuser, char *cmd, int *fd2p, const char *realm, int af) { int sock = -1, err = 0; long authopts = 0L; # ifdef HAVE_GETPWUID_R if (!pwbuf) { pwbuflen = sysconf (_SC_GETPW_R_SIZE_MAX); if (pwbuflen <= 0) pwbuflen = 1024; /* Guessing only. */ pwbuf = malloc (pwbuflen); } if (pwbuf) (void) getpwuid_r (getuid (), &pwstor, pwbuf, pwbuflen, &pwd); # endif /* HAVE_GETPWUID_R */ err = kcmd (h, &sock, ahost, rport, # ifdef HAVE_GETPWUID_R pwd ? pwd->pw_name : *remuser, /* locuser */ # else /* !HAVE_GETPWUID_R */ NULL, /* locuser not used */ # endif remuser, cmd, fd2p, SERVICE_NAME, realm, NULL, /* key schedule not used */ NULL, /* local addr not used */ NULL, /* foreign addr not used */ authopts, af); if (err > SHISHI_OK) { fprintf (stderr, "krcmd: error %d, %s\n", err, shishi_strerror (err)); return (-1); } if (err < 0) return (-1); return (sock); } # elif defined(KRB5) /* !SHISHI */ int krcmd (krb5_context *ctx, char **ahost, unsigned short rport, char **remuser, char *cmd, int *fd2p, const char *realm) { int sock = -1; krb5_error_code err = 0; long authopts = 0L; err = kcmd (ctx, &sock, ahost, rport, NULL, /* locuser not used */ remuser, cmd, fd2p, SERVICE_NAME, realm, (krb5_keyblock **) NULL, /* key not used */ (struct sockaddr_in *) NULL, /* local addr not used */ (struct sockaddr_in *) NULL, /* foreign addr not used */ authopts); if (err > 0) { const char *text = krb5_get_error_message (*ctx, err); fprintf (stderr, "krcmd: %s\n", text); krb5_free_error_message (*ctx, text); return (-1); } if (err < 0) return (-1); return (sock); } # endif /* KRB5 && !SHISHI */ # ifdef ENCRYPTION # if defined SHISHI int krcmd_mutual (Shishi ** h, char **ahost, unsigned short rport, char **remuser, char *cmd, int *fd2p, const char *realm, Shishi_key ** key, int af) { int sock = -1, err = 0; struct sockaddr_storage laddr, faddr; long authopts = SHISHI_APOPTIONS_MUTUAL_REQUIRED; # ifdef HAVE_GETPWUID_R if (!pwbuf) { pwbuflen = sysconf (_SC_GETPW_R_SIZE_MAX); if (pwbuflen <= 0) pwbuflen = 1024; /* Guessing only. */ pwbuf = malloc (pwbuflen); } if (pwbuf) (void) getpwuid_r (getuid (), &pwstor, pwbuf, pwbuflen, &pwd); # endif /* HAVE_GETPWUID_R */ err = kcmd (h, &sock, ahost, rport, # ifdef HAVE_GETPWUID_R pwd ? pwd->pw_name : *remuser, /* locuser */ # else /* !HAVE_GETPWUID_R */ NULL, /* locuser not used */ # endif remuser, cmd, fd2p, SERVICE_NAME, realm, key, /* filled in */ &laddr, /* filled in */ &faddr, /* filled in */ authopts, af); if (err > SHISHI_OK) { fprintf (stderr, "krcmd_mutual: error %d, %s\n", err, shishi_strerror (err)); return (-1); } if (err < 0) return (-1); return (sock); } # elif defined(KRB5) /* !SHISHI */ int krcmd_mutual (krb5_context *ctx, char **ahost, unsigned short rport, char **remuser, char *cmd, int *fd2p, const char *realm, krb5_keyblock **key) { int sock; krb5_error_code err = 0; struct sockaddr_in laddr, faddr; long authopts = AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY; err = kcmd (ctx, &sock, ahost, rport, NULL, /* locuser not used */ remuser, cmd, fd2p, SERVICE_NAME, realm, key, /* filled in */ &laddr, /* filled in */ &faddr, /* filled in */ authopts); if (err > 0) { const char *text = krb5_get_error_message (*ctx, err); fprintf (stderr, "krcmd_mutual: %s\n", text); krb5_free_error_message (*ctx, text); return (-1); } if (err < 0) return (-1); return (sock); }
static void log_krb5_errmsg( krb5_context ctx, const char* func, krb5_error_code rc ) { const char* errmsg = krb5_get_error_message(ctx, rc); Log(LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, "slapd-kinit: %s: %s\n", func, errmsg ); krb5_free_error_message(ctx, errmsg); return; }
QString v5::getKrb5ErrorMessage(krb5_context kcontext, krb5_error_code code) { const char *message = krb5_get_error_message(kcontext, code); QString msg(message); krb5_free_error_message(kcontext, message); return msg; }
OM_uint32 GSSAPI_CALLCONV _gsskrb5_display_status (OM_uint32 *minor_status, OM_uint32 status_value, int status_type, const gss_OID mech_type, OM_uint32 *message_context, gss_buffer_t status_string) { krb5_context context; char *buf = NULL; int e = 0; GSSAPI_KRB5_INIT (&context); status_string->length = 0; status_string->value = NULL; if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 && gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) { *minor_status = 0; return GSS_C_GSS_CODE; } if (status_type == GSS_C_GSS_CODE) { if (GSS_SUPPLEMENTARY_INFO(status_value)) e = asprintf(&buf, "%s", supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value))); else e = asprintf (&buf, "%s %s", calling_error(GSS_CALLING_ERROR(status_value)), routine_error(GSS_ROUTINE_ERROR(status_value))); } else if (status_type == GSS_C_MECH_CODE) { const char *buf2 = krb5_get_error_message(context, status_value); if (buf2) { buf = strdup(buf2); krb5_free_error_message(context, buf2); } else { e = asprintf(&buf, "unknown mech error-code %u", (unsigned)status_value); } } else { *minor_status = EINVAL; return GSS_S_BAD_STATUS; } if (e < 0 || buf == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; } *message_context = 0; *minor_status = 0; status_string->length = strlen(buf); status_string->value = buf; return GSS_S_COMPLETE; }
krb5_error_code krb5int_fast_as_armor(krb5_context context, struct krb5int_fast_request_state *state, krb5_gic_opt_ext *opte, krb5_kdc_req *request) { krb5_error_code retval = 0; krb5_ccache ccache = NULL; krb5_principal target_principal = NULL; krb5_data *target_realm; krb5_clear_error_message(context); target_realm = krb5_princ_realm(context, request->server); if (opte->opt_private->fast_ccache_name) { TRACE_FAST_ARMOR_CCACHE(context, opte->opt_private->fast_ccache_name); state->fast_state_flags |= KRB5INT_FAST_ARMOR_AVAIL; retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name, &ccache); if (retval == 0) { retval = krb5int_tgtname(context, target_realm, target_realm, &target_principal); } if (retval == 0) { krb5_data config_data; config_data.data = NULL; retval = krb5_cc_get_config(context, ccache, target_principal, KRB5_CONF_FAST_AVAIL, &config_data); if ((retval == 0) && config_data.data) { TRACE_FAST_CCACHE_CONFIG(context); state->fast_state_flags |= KRB5INT_FAST_DO_FAST; } krb5_free_data_contents(context, &config_data); retval = 0; } if (opte->opt_private->fast_flags & KRB5_FAST_REQUIRED) { TRACE_FAST_REQUIRED(context); state->fast_state_flags |= KRB5INT_FAST_DO_FAST; } if (retval == 0 && (state->fast_state_flags & KRB5INT_FAST_DO_FAST)) { retval = fast_armor_ap_request(context, state, ccache, target_principal); } if (retval != 0) { const char * errmsg; errmsg = krb5_get_error_message(context, retval); if (errmsg) { krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg); krb5_free_error_message(context, errmsg); } } } if (ccache) krb5_cc_close(context, ccache); if (target_principal) krb5_free_principal(context, target_principal); return retval; }
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_mk_error_ext(krb5_context context, krb5_error_code error_code, const char *e_text, const krb5_data *e_data, const krb5_principal server, const PrincipalName *client_name, const Realm *client_realm, time_t *client_time, int *client_usec, krb5_data *reply) { const char *e_text2 = NULL; KRB_ERROR msg; krb5_timestamp sec; int32_t usec; size_t len = 0; krb5_error_code ret = 0; krb5_us_timeofday (context, &sec, &usec); memset(&msg, 0, sizeof(msg)); msg.pvno = 5; msg.msg_type = krb_error; msg.stime = sec; msg.susec = usec; msg.ctime = client_time; msg.cusec = client_usec; /* Make sure we only send `protocol' error codes */ if(error_code < KRB5KDC_ERR_NONE || error_code >= KRB5_ERR_RCSID) { if(e_text == NULL) e_text = e_text2 = krb5_get_error_message(context, error_code); error_code = KRB5KRB_ERR_GENERIC; } msg.error_code = error_code - KRB5KDC_ERR_NONE; if (e_text) msg.e_text = rk_UNCONST(&e_text); if (e_data) msg.e_data = rk_UNCONST(e_data); if(server){ msg.realm = server->realm; msg.sname = server->name; }else{ static char unspec[] = "<unspecified realm>"; msg.realm = unspec; } msg.crealm = rk_UNCONST(client_realm); msg.cname = rk_UNCONST(client_name); ASN1_MALLOC_ENCODE(KRB_ERROR, reply->data, reply->length, &msg, &len, ret); if (e_text2) krb5_free_error_message(context, e_text2); if (ret) return ret; if(reply->length != len) krb5_abortx(context, "internal error in ASN.1 encoder"); return 0; }
static void exim_heimdal_error_debug(const char *label, krb5_context context, krb5_error_code err) { const char *kerrsc; kerrsc = krb5_get_error_message(context, err); debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error"); krb5_free_error_message(context, kerrsc); }
static isc_result_t check_credentials(krb5_context context, krb5_ccache ccache, krb5_principal service) { char *realm = NULL; krb5_creds creds; krb5_creds mcreds; krb5_error_code krberr; krb5_timestamp now; isc_result_t result = ISC_R_FAILURE; memset(&mcreds, 0, sizeof(mcreds)); memset(&creds, 0, sizeof(creds)); krberr = krb5_get_default_realm(context, &realm); CHECK_KRB5(context, krberr, "Failed to retrieve default realm"); krberr = krb5_build_principal(context, &mcreds.server, strlen(realm), realm, "krbtgt", realm, NULL); CHECK_KRB5(context, krberr, "Failed to build 'krbtgt/REALM' principal"); mcreds.client = service; krberr = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds); if (krberr) { const char * errmsg = krb5_get_error_message(context, krberr); log_error("Credentials are not present in cache (%s)\n", errmsg); krb5_free_error_message(context, errmsg); result = ISC_R_FAILURE; goto cleanup; } CHECK_KRB5(context, krberr, "Credentials are not present in cache "); krberr = krb5_timeofday(context, &now); CHECK_KRB5(context, krberr, "Failed to get time of day"); if (now > (creds.times.endtime + KRB_MIN_TIME)) { log_error("Credentials cache expired"); result = ISC_R_FAILURE; goto cleanup; } else { char buf[255]; char fill = ' '; krb5_timestamp_to_sfstring(creds.times.endtime, buf, 16, &fill); log_info("Credentials valid til %s\n", buf); } result = ISC_R_SUCCESS; cleanup: krb5_free_cred_contents(context, &creds); if (mcreds.server) krb5_free_principal(context, mcreds.server); if (realm) krb5_free_default_realm(context, realm); return result; }
static krb5_error_code decrypt_fast_reply (krb5_context context, struct krb5int_fast_request_state *state, krb5_pa_data **in_padata, krb5_fast_response **response) { krb5_error_code retval = 0; krb5_data scratch; krb5_enc_data *encrypted_response = NULL; krb5_pa_data *fx_reply = NULL; krb5_fast_response *local_resp = NULL; assert(state != NULL); assert(state->armor_key); fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST); if (fx_reply == NULL) retval = KRB5_ERR_FAST_REQUIRED; if (retval == 0) { scratch.data = (char *) fx_reply->contents; scratch.length = fx_reply->length; retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response); } scratch.data = NULL; if (retval == 0) { scratch.data = malloc(encrypted_response->ciphertext.length); if (scratch.data == NULL) retval = ENOMEM; scratch.length = encrypted_response->ciphertext.length; } if (retval == 0) retval = krb5_c_decrypt(context, state->armor_key, KRB5_KEYUSAGE_FAST_REP, NULL, encrypted_response, &scratch); if (retval != 0) { const char * errmsg; errmsg = krb5_get_error_message(context, retval); krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg); krb5_free_error_message(context, errmsg); } if (retval == 0) retval = decode_krb5_fast_response(&scratch, &local_resp); if (retval == 0) { if (local_resp->nonce != state->nonce) { retval = KRB5_KDCREP_MODIFIED; krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified"); } } if (retval == 0) { *response = local_resp; local_resp = NULL; } if (scratch.data) free(scratch.data); if (encrypted_response) krb5_free_enc_data(context, encrypted_response); if (local_resp) krb5_free_fast_response(context, local_resp); return retval; }
static void k5support_log_err(krb5_context context, krb5_error_code code, char const *msg) { const char *k5_msg = krb5_get_error_message(context, code); syslog(LOG_DEBUG, "auth_krb5: %s: %s (%d)\n", msg, k5_msg, code); krb5_free_error_message(context, k5_msg); }
static void print_krb5_error(krb5_context context, krb5_error_code code, const char *msg) { const char *error_message; error_message = krb5_get_error_message(context, code); printf(msg, error_message); krb5_free_error_message(context, error_message); }
static krb5_error_code armor_ap_request (struct kdc_request_state *state, krb5_fast_armor *armor) { krb5_error_code retval = 0; krb5_auth_context authcontext = NULL; krb5_ticket *ticket = NULL; krb5_keyblock *subkey = NULL; kdc_realm_t *kdc_active_realm = state->realm_data; assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST); krb5_clear_error_message(kdc_context); retval = krb5_auth_con_init(kdc_context, &authcontext); if (retval == 0) retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/ retval = krb5_rd_req(kdc_context, &authcontext, &armor->armor_value, NULL /*server*/, kdc_active_realm->realm_keytab, NULL, &ticket); if (retval != 0) { const char * errmsg = krb5_get_error_message(kdc_context, retval); krb5_set_error_message(kdc_context, retval, _("%s while handling ap-request armor"), errmsg); krb5_free_error_message(kdc_context, errmsg); } if (retval == 0) { if (!krb5_principal_compare_any_realm(kdc_context, tgs_server, ticket->server)) { krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH, _("ap-request armor for something other " "than the local TGS")); retval = KRB5KDC_ERR_SERVER_NOMATCH; } } if (retval == 0) { retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey); if (retval != 0 || subkey == NULL) { krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, _("ap-request armor without subkey")); retval = KRB5KDC_ERR_POLICY; } } if (retval == 0) retval = krb5_c_fx_cf2_simple(kdc_context, subkey, "subkeyarmor", ticket->enc_part2->session, "ticketarmor", &state->armor_key); if (ticket) krb5_free_ticket(kdc_context, ticket); if (subkey) krb5_free_keyblock(kdc_context, subkey); if (authcontext) krb5_auth_con_free(kdc_context, authcontext); return retval; }
static void extended_com_err_fn (const char *myprog, errcode_t code, const char *fmt, va_list args) { const char *emsg; emsg = krb5_get_error_message (errctx, code); fprintf (stderr, "%s: %s ", myprog, emsg); krb5_free_error_message (errctx, emsg); vfprintf (stderr, fmt, args); fprintf (stderr, "\n"); }
static void check(krb5_error_code code, int lineno) { const char *errmsg; if (code) { errmsg = krb5_get_error_message(ctx, code); fprintf(stderr, "Unexpected error at line %d: %s\n", lineno, errmsg); krb5_free_error_message(ctx, errmsg); exit(1); } }