KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_cred2 (krb5_context context,
krb5_auth_context auth_context,
krb5_ccache ccache,
krb5_data *in_data)
{
krb5_error_code ret;
krb5_creds **creds;
int i;
ret = krb5_rd_cred(context, auth_context, in_data, &creds, NULL);
if(ret)
return ret;
/* Store the creds in the ccache */
for(i = 0; creds && creds[i]; i++) {
krb5_cc_store_cred(context, ccache, creds[i]);
krb5_free_creds(context, creds[i]);
}
free(creds);
return 0;
}
void
kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
{
krb5_error_code ret;
krb5_data outbuf;
krb5_keyblock *key_block;
char *name;
krb5_principal server;
krb5_authenticator authenticator;
int zero = 0;
if (cnt-- < 1)
return;
switch (*data++) {
case KRB_AUTH:
auth.data = (char *)data;
auth.length = cnt;
auth_context = NULL;
ret = krb5_auth_con_init (context, &auth_context);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
ret = krb5_auth_con_setaddrs_from_fd (context,
auth_context,
&zero);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
ret = krb5_sock_to_principal (context,
0,
"host",
KRB5_NT_SRV_HST,
&server);
if (ret) {
Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_sock_to_principal failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
ret = krb5_rd_req(context,
&auth_context,
&auth,
server,
NULL,
NULL,
&ticket);
krb5_free_principal (context, server);
if (ret) {
char *errbuf;
asprintf(&errbuf,
"Read req failed: %s",
krb5_get_err_text(context, ret));
Data(ap, KRB_REJECT, errbuf, -1);
if (auth_debug_mode)
printf("%s\r\n", errbuf);
free (errbuf);
return;
}
ret = krb5_auth_con_getkey(context, auth_context, &key_block);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_con_getkey failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
ret = krb5_auth_getauthenticator (context,
auth_context,
&authenticator);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_getauthenticator failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_getauthenticator failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
if (authenticator->cksum) {
char foo[2];
foo[0] = ap->type;
foo[1] = ap->way;
ret = krb5_verify_checksum (context,
foo,
sizeof(foo),
key_block,
authenticator->cksum);
if (ret) {
Data(ap, KRB_REJECT, "No checksum", -1);
if (auth_debug_mode)
printf ("No checksum\r\n");
krb5_free_authenticator (context,
&authenticator);
return;
}
}
krb5_free_authenticator (context,
&authenticator);
ret = krb5_auth_con_getremotesubkey (context,
auth_context,
&key_block);
if (ret) {
Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_auth_con_getremotesubkey failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
ret = krb5_mk_rep(context, &auth_context, &outbuf);
if (ret) {
Data(ap, KRB_REJECT,
"krb5_mk_rep failed", -1);
auth_finished(ap, AUTH_REJECT);
if (auth_debug_mode)
printf("Kerberos V5: "
"krb5_mk_rep failed (%s)\r\n",
krb5_get_err_text(context, ret));
return;
}
Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
}
if (krb5_unparse_name(context, ticket->client, &name))
name = 0;
if(UserNameRequested && krb5_kuserok(context,
ticket->client,
UserNameRequested)) {
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
printf("Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
if(key_block->keytype == KEYTYPE_DES) {
Session_Key skey;
skey.type = SK_DES;
skey.length = 8;
skey.data = key_block->keyvalue.data;
encrypt_session_key(&skey, 0);
}
} else {
char *msg;
asprintf (&msg, "user `%s' is not authorized to "
"login as `%s'",
name ? name : "<unknown>",
UserNameRequested ? UserNameRequested : "<nobody>");
if (msg == NULL)
Data(ap, KRB_REJECT, NULL, 0);
else {
Data(ap, KRB_REJECT, (void *)msg, -1);
free(msg);
}
}
auth_finished(ap, AUTH_USER);
krb5_free_keyblock_contents(context, key_block);
break;
#ifdef FORWARD
case KRB_FORWARD: {
struct passwd *pwd;
char ccname[1024]; /* XXX */
krb5_data inbuf;
krb5_ccache ccache;
inbuf.data = (char *)data;
inbuf.length = cnt;
pwd = getpwnam (UserNameRequested);
if (pwd == NULL)
break;
snprintf (ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%u", pwd->pw_uid);
ret = krb5_cc_resolve (context, ccname, &ccache);
if (ret) {
if (auth_debug_mode)
printf ("Kerberos V5: could not get ccache: %s\r\n",
krb5_get_err_text(context, ret));
break;
}
ret = krb5_cc_initialize (context,
ccache,
ticket->client);
if (ret) {
if (auth_debug_mode)
printf ("Kerberos V5: could not init ccache: %s\r\n",
krb5_get_err_text(context, ret));
break;
}
ret = krb5_rd_cred (context,
auth_context,
ccache,
&inbuf);
if(ret) {
char *errbuf;
asprintf (&errbuf,
"Read forwarded creds failed: %s",
krb5_get_err_text (context, ret));
if(errbuf == NULL)
Data(ap, KRB_FORWARD_REJECT, NULL, 0);
else
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode)
printf("Could not read forwarded credentials: %s\r\n",
errbuf);
free (errbuf);
} else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
chown (ccname + 5, pwd->pw_uid, -1);
if (auth_debug_mode)
printf("Forwarded credentials obtained\r\n");
break;
}
#endif /* FORWARD */
default:
if (auth_debug_mode)
printf("Unknown Kerberos option %d\r\n", data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
}
}
int auks_cred_init(auks_cred_t * credential, char *data, size_t length)
{
int fstatus = AUKS_ERROR ;
char *tmp_string = NULL;
size_t tmp_size = 0;
/* kerberos related variables */
krb5_error_code err_code;
krb5_context context;
krb5_auth_context auth_context;
krb5_data kdata;
krb5_creds **creds;
krb5_replay_data krdata;
char username[AUKS_PRINCIPAL_MAX_LENGTH + 1];
struct passwd user_pwent;
struct passwd *p_pwent;
size_t pwnam_buffer_length = sysconf(_SC_GETPW_R_SIZE_MAX);
char pwnam_buffer[pwnam_buffer_length];
credential->info.principal[0] = '\0';
credential->info.uid = AUKS_CRED_INVALID_UID;
credential->info.starttime = AUKS_CRED_INVALID_TIME;
credential->info.endtime = AUKS_CRED_INVALID_TIME;
credential->info.renew_till = AUKS_CRED_INVALID_TIME;
credential->info.addressless = 1;
credential->data[1] = '\0';
credential->length = 0;
credential->max_length = AUKS_CRED_DATA_MAX_LENGTH;
credential->status = AUKS_SUCCESS;
/* check input buffer length versus auks credential internal buffer */
/* max length */
if ((unsigned int) length > (unsigned int) credential->max_length) {
auks_error("input buffer is bigger than auks credential internal "
"buffer (%u versus %u)",length, credential->max_length);
fstatus = AUKS_ERROR_CRED_INIT_BUFFER_TOO_LARGE ;
goto exit;
}
/* extract informations from buffer */
if (data == NULL) {
auks_error("input buffer is NULL");
fstatus = AUKS_ERROR_CRED_INIT_BUFFER_IS_NULL ;
goto exit;
}
fstatus = AUKS_ERROR ;
/* initialize kerberos context */
err_code = krb5_init_context(&context);
if (err_code) {
auks_error("unable to initialize kerberos context : %s",
error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_CTX_INIT ;
goto exit;
}
auks_log("kerberos context successfully initialized");
/* initialize a nullified kerberos authentication context
in order to decode credential from buffer */
err_code =
krb5_auth_con_init(context,&auth_context);
if (err_code) {
auks_error("unable to initialize connection "
"authentication context : %s",
error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_AUTH_CTX_INIT ;
goto ctx_exit;
}
/* clear kerberos authentication context flags */
krb5_auth_con_setflags(context,auth_context,0);
/* set a kerberos data structure with input buffer */
kdata.data = data ;
kdata.length = (unsigned int) length ;
/* build kerberos credential structure using this data structure */
err_code = krb5_rd_cred(context,auth_context,&kdata, &creds,&krdata);
if (err_code) {
auks_error("unable to deserialize input buffer credential : %s",
error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_RD_BUFFER ;
goto auth_ctx_exit;
}
auks_log("input buffer credential successfully unserialized");
err_code = krb5_unparse_name_ext(context,(*creds)->client,&tmp_string,
(unsigned int *) &tmp_size);
if (err_code) {
auks_error("unable to unparse principal : %s",
error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_RD_PRINC ;
goto creds_exit;
} else if (tmp_size > AUKS_PRINCIPAL_MAX_LENGTH) {
auks_error("unable to unparse principal : %s",
"principal is too long (more than %d characters)",
AUKS_PRINCIPAL_MAX_LENGTH);
free(tmp_string);
fstatus = AUKS_ERROR_CRED_INIT_KRB_PRINC_TOO_LONG ;
goto creds_exit;
}
auks_log("principal successfully unparse");
memcpy(credential->info.principal,tmp_string,tmp_size);
credential->info.principal[tmp_size] = '\0';
/* associated username from principal */
err_code = krb5_aname_to_localname(context,(*creds)->client,
AUKS_PRINCIPAL_MAX_LENGTH,username);
if (err_code) {
auks_error("unable to get username from principal %s : %s",
credential->info.principal,error_message(err_code));
fstatus = AUKS_ERROR_CRED_INIT_KRB_PRINC_TO_UNAME ;
goto string_exit;
}
/* associated uid from username */
fstatus = getpwnam_r(username,&user_pwent,pwnam_buffer,
pwnam_buffer_length,&p_pwent) ;
if (fstatus) {
auks_log("unable to get %s pwnam entry : %s",username,
strerror(fstatus)) ;
fstatus = AUKS_ERROR_CRED_INIT_GETPWNAM ;
goto string_exit;
}
/* uid information */
credential->info.uid = user_pwent.pw_uid;
credential->info.starttime = (time_t) (*creds)->times.starttime ;
credential->info.endtime = (time_t) (*creds)->times.endtime ;
credential->info.renew_till = (time_t) (*creds)->times.renew_till ;
/* addresslessness */
if (((*creds)->addresses) != NULL)
credential->info.addressless = 0;
/* duplicate input buffer */
credential->length = (unsigned int) length;
memcpy(credential->data,data,(unsigned int) length);
fstatus = AUKS_SUCCESS;
string_exit:
free(tmp_string);
creds_exit:
krb5_free_creds(context,*creds);
free(creds);
auth_ctx_exit:
krb5_auth_con_free(context,auth_context);
ctx_exit:
krb5_free_context(context);
exit:
/* if valid buffer, store it */
if (fstatus != 0) {
/* bad credential buffer in input, clean this auks credential */
auks_cred_free_contents(credential);
}
return fstatus;
}
static krb5_error_code
recvauth(int f,
krb5_context krb_context,
unsigned int *valid_checksum,
krb5_ticket **ticket,
int *auth_type,
krb5_principal *client,
int encr_flag,
krb5_keytab keytab)
{
krb5_error_code status = 0;
krb5_auth_context auth_context = NULL;
krb5_rcache rcache;
krb5_authenticator *authenticator;
krb5_data inbuf;
krb5_data auth_version;
*valid_checksum = 0;
if ((status = krb5_auth_con_init(krb_context, &auth_context)))
return (status);
/* Only need remote address for rd_cred() to verify client */
if ((status = krb5_auth_con_genaddrs(krb_context, auth_context, f,
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)))
return (status);
status = krb5_auth_con_getrcache(krb_context, auth_context, &rcache);
if (status)
return (status);
if (!rcache) {
krb5_principal server;
status = krb5_sname_to_principal(krb_context, 0, 0,
KRB5_NT_SRV_HST, &server);
if (status)
return (status);
status = krb5_get_server_rcache(krb_context,
krb5_princ_component(krb_context, server, 0),
&rcache);
krb5_free_principal(krb_context, server);
if (status)
return (status);
status = krb5_auth_con_setrcache(krb_context, auth_context,
rcache);
if (status)
return (status);
}
if ((status = krb5_compat_recvauth(krb_context,
&auth_context,
&f,
NULL, /* Specify daemon principal */
0, /* no flags */
keytab, /* NULL to use v5srvtab */
ticket, /* return ticket */
auth_type, /* authentication system */
&auth_version))) {
if (*auth_type == KRB5_RECVAUTH_V5) {
/*
* clean up before exiting
*/
getstr(f, rusername, sizeof (rusername), "remuser");
getstr(f, lusername, sizeof (lusername), "locuser");
getstr(f, term, sizeof (term), "Terminal type");
}
return (status);
}
getstr(f, lusername, sizeof (lusername), "locuser");
getstr(f, term, sizeof (term), "Terminal type");
kcmd_protocol = KCMD_UNKNOWN_PROTOCOL;
if (auth_version.length != 9 || auth_version.data == NULL) {
syslog(LOG_ERR, "Bad application protocol version length in "
"KRB5 exchange, exiting");
fatal(f, "Bad application version length, exiting.");
}
/*
* Determine which Kerberos CMD protocol was used.
*/
if (strncmp(auth_version.data, "KCMDV0.1", 9) == 0) {
kcmd_protocol = KCMD_OLD_PROTOCOL;
} else if (strncmp(auth_version.data, "KCMDV0.2", 9) == 0) {
kcmd_protocol = KCMD_NEW_PROTOCOL;
} else {
syslog(LOG_ERR, "Unrecognized KCMD protocol (%s), exiting",
(char *)auth_version.data);
fatal(f, "Unrecognized KCMD protocol, exiting");
}
if ((*auth_type == KRB5_RECVAUTH_V5) && chksum_flag &&
kcmd_protocol == KCMD_OLD_PROTOCOL) {
if ((status = krb5_auth_con_getauthenticator(krb_context,
auth_context,
&authenticator)))
return (status);
if (authenticator->checksum) {
struct sockaddr_storage adr;
int adr_length = sizeof (adr);
int buflen;
krb5_data input;
krb5_keyblock key;
char *chksumbuf;
/*
* Define the lenght of the chksum buffer.
* chksum string = "[portnum]:termstr:username"
* The extra 32 is to hold a integer string for
* the portnumber.
*/
buflen = strlen(term) + strlen(lusername) + 32;
chksumbuf = (char *)malloc(buflen);
if (chksumbuf == 0) {
krb5_free_authenticator(krb_context,
authenticator);
fatal(f, "Out of memory error");
}
if (getsockname(f, (struct sockaddr *)&adr,
&adr_length) != 0) {
krb5_free_authenticator(krb_context,
authenticator);
fatal(f, "getsockname error");
}
(void) snprintf(chksumbuf, buflen,
"%u:%s%s",
ntohs(SOCK_PORT(adr)),
term, lusername);
input.data = chksumbuf;
input.length = strlen(chksumbuf);
key.contents = (*ticket)->enc_part2->session->contents;
key.length = (*ticket)->enc_part2->session->length;
status = krb5_c_verify_checksum(krb_context,
&key, 0,
&input,
authenticator->checksum,
valid_checksum);
if (status == 0 && *valid_checksum == 0)
status = KRB5KRB_AP_ERR_BAD_INTEGRITY;
if (chksumbuf)
krb5_xfree(chksumbuf);
if (status) {
krb5_free_authenticator(krb_context,
authenticator);
return (status);
}
}
krb5_free_authenticator(krb_context, authenticator);
}
if ((status = krb5_copy_principal(krb_context,
(*ticket)->enc_part2->client,
client)))
return (status);
/* Get the Unix username of the remote user */
getstr(f, rusername, sizeof (rusername), "remuser");
/* Get the Kerberos principal name string of the remote user */
if ((status = krb5_unparse_name(krb_context, *client, &krusername)))
return (status);
#ifdef DEBUG
syslog(LOG_DEBUG | LOG_AUTH, "rlogind: got krb5 credentials for %s",
(krusername != NULL ? krusername : "******"));
#endif
if (encr_flag) {
status = krb5_auth_con_getremotesubkey(krb_context,
auth_context,
&session_key);
if (status) {
syslog(LOG_ERR, "Error getting KRB5 session "
"subkey, exiting");
fatal(f, "Error getting KRB5 session subkey, exiting");
}
/*
* The "new" protocol requires that a subkey be sent.
*/
if (session_key == NULL &&
kcmd_protocol == KCMD_NEW_PROTOCOL) {
syslog(LOG_ERR, "No KRB5 session subkey sent, exiting");
fatal(f, "No KRB5 session subkey sent, exiting");
}
/*
* The "old" protocol does not permit an authenticator subkey.
* The key is taken from the ticket instead (see below).
*/
if (session_key != NULL &&
kcmd_protocol == KCMD_OLD_PROTOCOL) {
syslog(LOG_ERR, "KRB5 session subkey not permitted "
"with old KCMD protocol, exiting");
fatal(f, "KRB5 session subkey not permitted "
"with old KCMD protocol, exiting");
}
/*
* If no key at this point, use the session key from
* the ticket.
*/
if (session_key == NULL) {
/*
* Save the session key so we can configure the crypto
* module later.
*/
status = krb5_copy_keyblock(krb_context,
(*ticket)->enc_part2->session,
&session_key);
if (status) {
syslog(LOG_ERR, "krb5_copy_keyblock failed");
fatal(f, "krb5_copy_keyblock failed");
}
}
/*
* If session key still cannot be found, we must
* exit because encryption is required here
* when encr_flag (-x) is set.
*/
if (session_key == NULL) {
syslog(LOG_ERR, "Could not find an encryption key,"
"exiting");
fatal(f, "Encryption required but key not found, "
"exiting");
}
}
/*
* Use krb5_read_message to read the principal stuff.
*/
if ((status = krb5_read_message(krb_context, (krb5_pointer)&f,
&inbuf)))
fatal(f, "Error reading krb5 message");
if (inbuf.length) { /* Forwarding being done, read creds */
krb5_creds **creds = NULL;
if (status = krb5_rd_cred(krb_context, auth_context, &inbuf,
&creds, NULL)) {
if (rcache)
(void) krb5_rc_close(krb_context, rcache);
krb5_free_creds(krb_context, *creds);
fatal(f, "Can't get forwarded credentials");
}
/* Store the forwarded creds in the ccache */
if (status = store_forw_creds(krb_context,
creds, *ticket, lusername,
&ccache)) {
if (rcache)
(void) krb5_rc_close(krb_context, rcache);
krb5_free_creds(krb_context, *creds);
fatal(f, "Can't store forwarded credentials");
}
krb5_free_creds(krb_context, *creds);
}
if (rcache)
(void) krb5_rc_close(krb_context, rcache);
return (status);
}
int
auks_krb5_cred_deladdr_buffer(char *in_buf,size_t in_buf_len,
char** pout_buf,size_t *pout_buf_len)
{
int fstatus = AUKS_ERROR ;
/* kerberos related variables */
krb5_error_code err_code;
krb5_context context;
krb5_auth_context auth_context;
krb5_creds **creds;
krb5_data data;
krb5_replay_data krdata;
krb5_data *p_outbuf;
krb5_creds fwd_cred;
krb5_creds *p_cred_out = NULL;
krb5_address **addresses;
char* buffer;
size_t length;
/* initialize kerberos context */
err_code = krb5_init_context(&context);
if (err_code) {
auks_error("unable to initialize kerberos context : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_CTX ;
goto exit;
}
auks_log("kerberos context successfully initialized");
/* initialize a nullified kerberos authentication context in order */
/* to decode credential from buffer */
err_code = krb5_auth_con_init(context, &auth_context);
if (err_code) {
auks_error("unable to initialize kerberos authentication"
" context : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_AUTH_CTX ;
goto ctx_exit;
}
auks_log("kerberos authentication context successfully initialized");
/* clear kerberos authentication context flags */
krb5_auth_con_setflags(context, auth_context, 0);
/* build a kerberos data structure with input buffer */
data.data = in_buf;
data.length = in_buf_len;
/* build kerberos credential structure using this data structure */
err_code = krb5_rd_cred(context, auth_context, &data,&creds,&krdata);
if (err_code) {
auks_error("unable to deserialize credential data : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_RD_CRED ;
goto auth_ctx_exit;
}
auks_log("credential data successfully deserialized");
memset(&fwd_cred, 0,sizeof(fwd_cred));
/* copy client principal in futur credential */
err_code = krb5_copy_principal(context,(*creds)->client,
&fwd_cred.client);
if (err_code) {
auks_error("unable to put client principal into "
"request cred : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_CP_PRINC ;
goto cred_exit;
}
auks_log("client principal successfully put into request cred");
/* copy krbtgt/... principal in futur credential as required */
/* server principal for TGS */
err_code = krb5_copy_principal(context,(*creds)->server,
&fwd_cred.server);
if (err_code) {
auks_error("unable to put server principal into "
"request cred : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_CP_PRINC ;
goto cred_exit;
}
auks_log("server principal successfully put into request cred");
/* get addressless forwarded ticket */
err_code = krb5_get_cred_via_tkt(context,(*creds),
( KDC_OPT_CANONICALIZE |
KDC_OPT_FORWARDED |
( (*creds)->ticket_flags &
KDC_TKT_COMMON_MASK ) ),
addresses=NULL,
&fwd_cred,&p_cred_out);
if (err_code) {
auks_error("unable to get addressless forwarded cred from auks"
" cred buffer : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_GET_FWD_CRED ;
goto cred_exit;
}
auks_log("addressless forwarded cred successfully"
" got using auks cred buffer");
/* extract credential data */
err_code = krb5_mk_1cred(context,auth_context,p_cred_out,
&p_outbuf,&krdata);
if (err_code) {
auks_error("unable to dump credential into working buffer : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_MK_CRED ;
goto fwd_exit;
}
auks_log("credential successfully dumped into buffer");
/* allocate output buffer */
length = p_outbuf->length;
buffer = (char *) malloc(length * sizeof(char));
if (buffer == NULL) {
auks_error("unable to allocate memory for credential data "
"storage");
fstatus = AUKS_ERROR_KRB5_CRED_MALLOC ;
goto mk_exit;
}
/* copy credential data into output buffer */
memcpy(buffer,p_outbuf->data,length);
*pout_buf = buffer;
*pout_buf_len = length;
auks_log("credential successfully stored in output buffer");
fstatus = AUKS_SUCCESS ;
auks_log("in length : %u | out length : %u",
in_buf_len,
p_outbuf->length);
mk_exit:
krb5_free_data(context,p_outbuf);
fwd_exit:
krb5_free_creds(context,p_cred_out);
cred_exit:
krb5_free_cred_contents(context,&fwd_cred);
krb5_free_creds(context, *creds);
free(creds);
auth_ctx_exit:
krb5_auth_con_free(context, auth_context);
ctx_exit:
krb5_free_context(context);
exit:
return fstatus;
}
int
auks_krb5_cred_get_fwd(char *ccachefilename, char *serverName,
char **p_buffer,
size_t * p_buffer_length)
{
int fstatus = AUKS_ERROR ;
/* kerberos related variables */
krb5_error_code err_code;
krb5_context context;
krb5_ccache ccache;
krb5_principal principal;
krb5_creds **out_creds_array = NULL;
krb5_auth_context auth_context;
krb5_flags authopts;
krb5_data outbuf;
krb5_data *p_outbuf;
krb5_replay_data krdata;
authopts = AP_OPTS_MUTUAL_REQUIRED;
authopts &= (~OPTS_FORWARD_CREDS);
authopts &= (~OPTS_FORWARDABLE_CREDS);
if ( serverName == NULL ) {
auks_error("no host specified");
fstatus = AUKS_ERROR_KRB5_CRED_NO_HOST_SPECIFIED ;
goto exit;
}
/* initialize kerberos context */
err_code = krb5_init_context(&context);
if (err_code) {
auks_error("unable to initialize kerberos context : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_CTX ;
goto exit;
}
auks_log("kerberos context successfully initialized");
/* initialize kerberos credential cache structure */
if (ccachefilename == NULL)
err_code = krb5_cc_default(context, &ccache);
else
err_code = krb5_cc_resolve(context,ccachefilename,&ccache);
if (err_code) {
auks_error("unable to resolve credential cache : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_OPEN_CC ;
goto ctx_exit ;
}
auks_log("credential cache successfully resolved");
/* get principal using credential cache */
err_code = krb5_cc_get_principal(context,ccache,&principal);
if (err_code) {
auks_error("unable to get principal from credential cache : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_GET_PRINC ;
goto cc_exit ;
}
auks_log("principal successfully extracted from credential cache");
/* initialize kerberos authentication context */
err_code = krb5_auth_con_init(context,&auth_context);
if (err_code) {
auks_error("unable to initialize kerberos authentication "
"context : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_AUTH_CTX ;
goto princ_exit;
}
auks_log("kerberos authentication context successfully initialized");
/* do replay detection using timestamps */
krb5_auth_con_setflags(context,auth_context,KRB5_AUTH_CONTEXT_RET_TIME);
/* get forwarded credential for server */
err_code = krb5_fwd_tgt_creds(context,auth_context,serverName,
principal,NULL,NULL,authopts,&outbuf);
if (err_code) {
auks_error("unable to get serialized and crypted forwarded "
"credential for %s from KDC : %s",
serverName,error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_GET_FWD_CRED ;
goto auth_ctx_exit;
}
auks_log("serialized and crypted forwarded credential for %s "
"successfully got from KDC",serverName);
/* desactive replay detection */
krb5_auth_con_setflags(context,auth_context,0);
/* decrypt (using session key stored in auth context) and */
/* unserialized forwarded credential in a kerberos credential */
/* structure */
err_code = krb5_rd_cred(context,auth_context,&outbuf,&out_creds_array,
&krdata);
if (err_code) {
auks_error("unable to unserialize and decrypt forwarded "
"credential for %s : %s",serverName,
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_RD_CRED ;
goto fwd_exit;
}
auks_log("unserialization and decryption of forwarded "
"credential for %s succesfully done",serverName);
/* Reinitialize kerberos authentication context in order to */
/* write credential to output buffer */
krb5_auth_con_free(context,auth_context);
err_code = krb5_auth_con_init(context,&auth_context);
if (err_code) {
auks_error("unable to reinitialize kerberos connection "
"authentication context : %s",error_message
(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_AUTH_CTX ;
goto rd_cred_exit;
}
auks_log("kerberos connection authentication context "
"reinitialization successfully done");
/* no flags */
krb5_auth_con_setflags(context,auth_context,0);
/* serialize forwarded credential (no encryption because auth */
/* context session key is nullified) */
err_code = krb5_mk_1cred(context,auth_context,*out_creds_array,
&p_outbuf,&krdata);
if (err_code) {
auks_error("unable to serialize forwarded credential for "
"%s : %s",serverName,error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_MK_CRED ;
goto rd_cred_exit;
}
auks_log("forwarded credential for %s successfully serialized",
serverName);
/* allocate output buffer and store serialized credential */
(*p_buffer) = (char *) malloc(p_outbuf->length * sizeof(char));
if ((*p_buffer) == NULL) {
auks_error("unable to allocate serialized credential output "
"buffer for %s",serverName);
*p_buffer_length = 0 ;
fstatus = AUKS_ERROR_KRB5_CRED_MALLOC ;
} else {
/* copy data */
memcpy(*p_buffer,p_outbuf->data,p_outbuf->length);
*p_buffer_length = p_outbuf->length;
auks_log("forwarded credential successfully stored "
"in output buffer");
fstatus = AUKS_SUCCESS ;
}
krb5_free_data(context,p_outbuf);
rd_cred_exit:
krb5_free_creds(context,*out_creds_array);
free(out_creds_array);
fwd_exit:
krb5_free_data_contents(context, &outbuf);
auth_ctx_exit:
krb5_auth_con_free(context,auth_context);
princ_exit:
krb5_free_principal(context, principal);
cc_exit:
krb5_cc_close(context, ccache);
ctx_exit:
krb5_free_context(context);
exit:
return fstatus;
}
int
auks_krb5_cred_store(char *cachefilename, char *buffer,
size_t buffer_length)
{
int fstatus = AUKS_ERROR ;
/* kerberos related variables */
krb5_error_code err_code;
krb5_context context;
krb5_auth_context auth_context;
krb5_ccache ccache;
krb5_creds **creds;
krb5_data data;
krb5_replay_data krdata;
/* initialize kerberos context */
err_code = krb5_init_context(&context);
if (err_code) {
auks_error("unable to initialize kerberos context : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_CTX ;
goto exit;
}
auks_log("kerberos context successfully initialized");
/* initialize a nullified kerberos authentication context in order */
/* to decode credential from buffer */
err_code = krb5_auth_con_init(context, &auth_context);
if (err_code) {
auks_error("unable to initialize kerberos authentication"
" context : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_AUTH_CTX ;
goto ctx_exit;
}
auks_log("kerberos authentication context successfully initialized");
/* clear kerberos authentication context flags */
krb5_auth_con_setflags(context, auth_context, 0);
/* build a kerberos data structure with input buffer */
data.data = buffer;
data.length = buffer_length;
/* build kerberos credential structure using this data structure */
err_code = krb5_rd_cred(context, auth_context, &data,&creds,&krdata);
if (err_code) {
auks_error("unable to deserialize credential data : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_RD_CRED ;
goto auth_ctx_exit;
}
auks_log("credential data successfully deserialized");
/* resolve kerberos credential cache */
if (cachefilename == NULL)
err_code = krb5_cc_default(context,&ccache);
else
err_code = krb5_cc_resolve(context,cachefilename,&ccache);
if (err_code) {
auks_error("unable to resolve credential cache : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_OPEN_CC ;
goto cred_exit;
}
auks_log("credential cache successfully resolved");
/* initialize kerberos credential structure */
err_code = krb5_cc_initialize(context,ccache,(*creds)->client);
if (err_code) {
auks_error("unable to initialize credential cache : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_CC ;
goto cc_exit;
}
auks_log("credential cache successfully initialized",cachefilename);
/* store credential in credential cache */
err_code = krb5_cc_store_cred(context,ccache,*creds);
if (err_code) {
auks_error("unable to store credential in credential "
"cache : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_STORE_CRED ;
} else {
auks_log("credential successfully stored in credential cache");
fstatus = AUKS_SUCCESS ;
}
cc_exit:
krb5_cc_close(context, ccache);
cred_exit:
krb5_free_creds(context, *creds);
free(creds);
auth_ctx_exit:
krb5_auth_con_free(context, auth_context);
ctx_exit:
krb5_free_context(context);
exit:
return fstatus;
}
int
auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
{
krb5_error_code problem;
krb5_ccache ccache = NULL;
char *pname;
krb5_creds **creds;
if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
return (0);
temporarily_use_uid(authctxt->pw);
#ifdef HEIMDAL
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
#else
{
char ccname[40];
int tmpfd;
snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
log("mkstemp(): %.100s", strerror(errno));
problem = errno;
goto fail;
}
if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
log("fchmod(): %.100s", strerror(errno));
close(tmpfd);
problem = errno;
goto fail;
}
close(tmpfd);
problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
}
#endif
if (problem)
goto fail;
problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
authctxt->krb5_user);
if (problem)
goto fail;
#ifdef HEIMDAL
problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
ccache, tgt);
if (problem)
goto fail;
#else
problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
tgt, &creds, NULL);
if (problem)
goto fail;
problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
if (problem)
goto fail;
#endif
authctxt->krb5_fwd_ccache = ccache;
ccache = NULL;
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
&pname);
if (problem)
goto fail;
debug("Kerberos v5 TGT accepted (%s)", pname);
restore_uid();
return (1);
fail:
if (problem)
debug("Kerberos v5 TGT passing failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));
if (ccache)
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
restore_uid();
return (0);
}
