OM_uint32 GSSAPI_CALLCONV _gsskrb5_delete_sec_context(OM_uint32 * minor_status, gss_ctx_id_t * context_handle, gss_buffer_t output_token) { krb5_context context; gsskrb5_ctx ctx; GSSAPI_KRB5_INIT (&context); *minor_status = 0; if (output_token) { output_token->length = 0; output_token->value = NULL; } if (*context_handle == GSS_C_NO_CONTEXT) return GSS_S_COMPLETE; ctx = (gsskrb5_ctx) *context_handle; *context_handle = GSS_C_NO_CONTEXT; HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); krb5_auth_con_free (context, ctx->auth_context); krb5_auth_con_free (context, ctx->deleg_auth_context); if (ctx->kcred) krb5_free_creds(context, ctx->kcred); if(ctx->source) krb5_free_principal (context, ctx->source); if(ctx->target) krb5_free_principal (context, ctx->target); if (ctx->ticket) krb5_free_ticket (context, ctx->ticket); if(ctx->order) _gssapi_msg_order_destroy(&ctx->order); if (ctx->service_keyblock) krb5_free_keyblock (context, ctx->service_keyblock); krb5_data_free(&ctx->fwd_data); if (ctx->crypto) krb5_crypto_destroy(context, ctx->crypto); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); memset(ctx, 0, sizeof(*ctx)); free (ctx); return GSS_S_COMPLETE; }
static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state) { if (!gensec_krb5_state->smb_krb5_context) { /* We can't clean anything else up unless we started up this far */ return 0; } if (gensec_krb5_state->enc_ticket.length) { kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->enc_ticket); } if (gensec_krb5_state->ticket) { krb5_free_ticket(gensec_krb5_state->smb_krb5_context->krb5_context, gensec_krb5_state->ticket); } /* ccache freed in a child destructor */ krb5_free_keyblock(gensec_krb5_state->smb_krb5_context->krb5_context, gensec_krb5_state->keyblock); if (gensec_krb5_state->auth_context) { krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context, gensec_krb5_state->auth_context); } return 0; }
Condor_Auth_Kerberos :: ~Condor_Auth_Kerberos() { if (krb_context_) { if (auth_context_) { krb5_auth_con_free(krb_context_, auth_context_); } if (krb_principal_) { krb5_free_principal(krb_context_, krb_principal_); } if (sessionKey_) { krb5_free_keyblock(krb_context_, sessionKey_); } if (server_) { krb5_free_principal(krb_context_, server_); } krb5_free_context(krb_context_); } if (defaultStash_) { free(defaultStash_); defaultStash_ = NULL; } if (ccname_) { free(ccname_); ccname_ = NULL; } }
static void ksm_decrement_ref_count(long msgid) { struct ksm_cache_entry *entry, *entry1; int bucket; bucket = msgid % HASHSIZE; if (ksm_hash_table[bucket] && ksm_hash_table[bucket]->msgid == msgid) { entry = ksm_hash_table[bucket]; /* * If the reference count is zero, then free it */ if (--entry->refcount <= 0) { DEBUGMSGTL(("ksm", "Freeing entry for msgid %ld\n", msgid)); krb5_auth_con_free(kcontext, entry->auth_context); free(entry->secName); ksm_hash_table[bucket] = entry->next; free(entry); } return; } else if (ksm_hash_table[bucket]) for (entry1 = ksm_hash_table[bucket], entry = entry1->next; entry != NULL; entry1 = entry, entry = entry->next) if (entry->msgid == msgid) { if (--entry->refcount <= 0) { DEBUGMSGTL(("ksm", "Freeing entry for msgid %ld\n", msgid)); krb5_auth_con_free(kcontext, entry->auth_context); free(entry->secName); entry1->next = entry->next; free(entry); } return; } DEBUGMSGTL(("ksm", "KSM: Unable to decrement cache entry for msgid %ld.\n", msgid)); }
static krb5_error_code fast_armor_ap_request(krb5_context context, struct krb5int_fast_request_state *state, krb5_ccache ccache, krb5_principal target_principal) { krb5_error_code retval = 0; krb5_creds creds, *out_creds = NULL; krb5_auth_context authcontext = NULL; krb5_data encoded_authenticator; krb5_fast_armor *armor = NULL; krb5_keyblock *subkey = NULL, *armor_key = NULL; encoded_authenticator.data = NULL; memset(&creds, 0, sizeof(creds)); creds.server = target_principal; retval = krb5_cc_get_principal(context, ccache, &creds.client); if (retval == 0) retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds); if (retval == 0) { TRACE_FAST_ARMOR_CCACHE_KEY(context, &out_creds->keyblock); retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/, out_creds, &encoded_authenticator); } if (retval == 0) retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey); if (retval == 0) retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor", &out_creds->keyblock, "ticketarmor", &armor_key); if (retval == 0) { TRACE_FAST_ARMOR_KEY(context, armor_key); armor = calloc(1, sizeof(krb5_fast_armor)); if (armor == NULL) retval = ENOMEM; } if (retval == 0) { armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST; armor->armor_value = encoded_authenticator; encoded_authenticator.data = NULL; encoded_authenticator.length = 0; state->armor = armor; armor = NULL; state->armor_key = armor_key; armor_key = NULL; } krb5_free_keyblock(context, armor_key); krb5_free_keyblock(context, subkey); if (out_creds) krb5_free_creds(context, out_creds); /* target_principal is owned by caller. */ creds.server = NULL; krb5_free_cred_contents(context, &creds); if (encoded_authenticator.data) krb5_free_data_contents(context, &encoded_authenticator); krb5_auth_con_free(context, authcontext); return retval; }
static krb5_error_code armor_ap_request (struct kdc_request_state *state, krb5_fast_armor *armor) { krb5_error_code retval = 0; krb5_auth_context authcontext = NULL; krb5_ticket *ticket = NULL; krb5_keyblock *subkey = NULL; kdc_realm_t *kdc_active_realm = state->realm_data; assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST); krb5_clear_error_message(kdc_context); retval = krb5_auth_con_init(kdc_context, &authcontext); if (retval == 0) retval = krb5_auth_con_setflags(kdc_context, authcontext, 0); /*disable replay cache*/ retval = krb5_rd_req(kdc_context, &authcontext, &armor->armor_value, NULL /*server*/, kdc_active_realm->realm_keytab, NULL, &ticket); if (retval != 0) { const char * errmsg = krb5_get_error_message(kdc_context, retval); krb5_set_error_message(kdc_context, retval, _("%s while handling ap-request armor"), errmsg); krb5_free_error_message(kdc_context, errmsg); } if (retval == 0) { if (!krb5_principal_compare_any_realm(kdc_context, tgs_server, ticket->server)) { krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH, _("ap-request armor for something other " "than the local TGS")); retval = KRB5KDC_ERR_SERVER_NOMATCH; } } if (retval == 0) { retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey); if (retval != 0 || subkey == NULL) { krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY, _("ap-request armor without subkey")); retval = KRB5KDC_ERR_POLICY; } } if (retval == 0) retval = krb5_c_fx_cf2_simple(kdc_context, subkey, "subkeyarmor", ticket->enc_part2->session, "ticketarmor", &state->armor_key); if (ticket) krb5_free_ticket(kdc_context, ticket); if (subkey) krb5_free_keyblock(kdc_context, subkey); if (authcontext) krb5_auth_con_free(kdc_context, authcontext); return retval; }
static void ksm_free_state_ref(void *ptr) { struct ksm_secStateRef *ref = (struct ksm_secStateRef *) ptr; DEBUGMSGTL(("ksm", "KSM: Freeing state reference\n")); krb5_auth_con_free(kcontext, ref->auth_context); free(ref); }
kadm5_ret_t kadm5_c_destroy(void *server_handle) { kadm5_client_context *context = server_handle; free(context->realm); free(context->admin_server); close(context->sock); if (context->client_name) free(context->client_name); if (context->service_name) free(context->service_name); if (context->ac != NULL) krb5_auth_con_free(context->context, context->ac); if(context->my_context) krb5_free_context(context->context); return 0; }
static void remove_slave (krb5_context context, slave *s, slave **root) { slave **p; if (s->fd >= 0) close (s->fd); if (s->name) free (s->name); if (s->ac) krb5_auth_con_free (context, s->ac); for (p = root; *p; p = &(*p)->next) if (*p == s) { *p = s->next; break; } free (s); }
static void remove_slave (krb5_context context, slave *s, slave **root) { slave **p; if (!rk_IS_BAD_SOCKET(s->fd)) rk_closesocket (s->fd); if (s->name) free (s->name); if (s->ac) krb5_auth_con_free (context, s->ac); for (p = root; *p; p = &(*p)->next) if (*p == s) { *p = s->next; break; } free (s); }
void kerberos5_is (TN_Authenticator * ap, unsigned char *data, int cnt) { int r = 0; char errbuf[512]; if (cnt-- < 1) return; errbuf[0] = 0; switch (*data++) { case KRB_AUTH: r = kerberos5_is_auth (ap, data, cnt, errbuf, sizeof errbuf); break; case KRB_FORWARD: r = kerberos5_is_forward (ap, data, cnt, errbuf, sizeof errbuf); break; default: DEBUG (("Unknown Kerberos option %d\r\n", data[-1])); Data (ap, KRB_REJECT, 0, 0); break; } if (r) { if (!errbuf[0]) snprintf (errbuf, sizeof errbuf, "kerberos_is: %s", error_message (r)); Data (ap, KRB_REJECT, errbuf, -1); DEBUG (("%s\r\n", errbuf)); syslog (LOG_ERR, "%s", errbuf); if (auth_context) { krb5_auth_con_free (telnet_context, auth_context); auth_context = 0; } } }
void krb5_cleanup_proc(Authctxt *authctxt) { debug("krb5_cleanup_proc called"); if (authctxt->krb5_fwd_ccache) { krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); authctxt->krb5_fwd_ccache = NULL; } if (authctxt->krb5_user) { krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); authctxt->krb5_user = NULL; } if (authctxt->krb5_auth_ctx) { krb5_auth_con_free(authctxt->krb5_ctx, authctxt->krb5_auth_ctx); authctxt->krb5_auth_ctx = NULL; } if (authctxt->krb5_ctx) { krb5_free_context(authctxt->krb5_ctx); authctxt->krb5_ctx = NULL; } }
krb5_error_code _krb5_init_tgs_req(krb5_context context, krb5_ccache ccache, krb5_addresses *addresses, krb5_kdc_flags flags, krb5_const_principal impersonate_principal, Ticket *second_ticket, krb5_creds *in_creds, krb5_creds *krbtgt, unsigned nonce, METHOD_DATA *padata, krb5_keyblock **subkey, TGS_REQ *t) { krb5_auth_context ac = NULL; krb5_error_code ret = 0; /* inherit the forwardable/proxyable flags from the krbtgt */ flags.b.forwardable = krbtgt->flags.b.forwardable; flags.b.proxiable = krbtgt->flags.b.proxiable; if (ccache->ops->tgt_req) { KERB_TGS_REQ_OUT out; KERB_TGS_REQ_IN in; memset(&in, 0, sizeof(in)); memset(&out, 0, sizeof(out)); ret = ccache->ops->tgt_req(context, ccache, &in, &out); if (ret) return ret; free_KERB_TGS_REQ_OUT(&out); return 0; } memset(t, 0, sizeof(*t)); if (impersonate_principal) { krb5_crypto crypto; PA_S4U2Self self; krb5_data data; void *buf; size_t size, len; self.name = impersonate_principal->name; self.realm = impersonate_principal->realm; self.auth = rk_UNCONST("Kerberos"); ret = _krb5_s4u2self_to_checksumdata(context, &self, &data); if (ret) goto fail; ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto); if (ret) { krb5_data_free(&data); goto fail; } ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0, data.data, data.length, &self.cksum); krb5_crypto_destroy(context, crypto); krb5_data_free(&data); if (ret) goto fail; ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret); free_Checksum(&self.cksum); if (ret) goto fail; if (len != size) krb5_abortx(context, "internal asn1 error"); ret = krb5_padata_add(context, padata, KRB5_PADATA_FOR_USER, buf, len); if (ret) goto fail; } t->pvno = 5; t->msg_type = krb_tgs_req; if (in_creds->session.keytype) { ALLOC_SEQ(&t->req_body.etype, 1); if(t->req_body.etype.val == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } t->req_body.etype.val[0] = in_creds->session.keytype; } else { ret = _krb5_init_etype(context, KRB5_PDU_TGS_REQUEST, &t->req_body.etype.len, &t->req_body.etype.val, NULL); } if (ret) goto fail; t->req_body.addresses = addresses; t->req_body.kdc_options = flags.b; ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm); if (ret) goto fail; ALLOC(t->req_body.sname, 1); if (t->req_body.sname == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } /* some versions of some code might require that the client be present in TGS-REQs, but this is clearly against the spec */ ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname); if (ret) goto fail; /* req_body.till should be NULL if there is no endtime specified, but old MIT code (like DCE secd) doesn't like that */ ALLOC(t->req_body.till, 1); if(t->req_body.till == NULL){ ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } *t->req_body.till = in_creds->times.endtime; t->req_body.nonce = nonce; if(second_ticket){ ALLOC(t->req_body.additional_tickets, 1); if (t->req_body.additional_tickets == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } ALLOC_SEQ(t->req_body.additional_tickets, 1); if (t->req_body.additional_tickets->val == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val); if (ret) goto fail; } ALLOC(t->padata, 1); if (t->padata == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } ALLOC_SEQ(t->padata, 1 + padata->len); if (t->padata->val == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } { size_t i; for (i = 0; i < padata->len; i++) { ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]); if (ret) { krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } } } ret = krb5_auth_con_init(context, &ac); if(ret) goto fail; ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session); if (ret) goto fail; ret = set_auth_data (context, &t->req_body, &in_creds->authdata, ac->local_subkey); if (ret) goto fail; ret = make_pa_tgs_req(context, ac, &t->req_body, &t->padata->val[0], ccache, krbtgt); if(ret) goto fail; ret = krb5_auth_con_getlocalsubkey(context, ac, subkey); if (ret) goto fail; fail: if (ac) krb5_auth_con_free(context, ac); if (ret) { t->req_body.addresses = NULL; free_TGS_REQ (t); } return ret; }
int main(int argc, char **argv) { krb5_error_code ret; krb5_context context; krb5_auth_context auth_context; void *kadm_handle; kadm5_server_context *server_context; kadm5_config_params conf; int master_fd; krb5_ccache ccache; krb5_principal server; char **files; int optidx = 0; time_t reconnect_min; time_t backoff; time_t reconnect_max; time_t reconnect; time_t before = 0; const char *master; setprogname(argv[0]); if(getarg(args, num_args, argc, argv, &optidx)) usage(1); if(help_flag) usage(0); if(version_flag) { print_version(NULL); exit(0); } ret = krb5_init_context(&context); if (ret) errx (1, "krb5_init_context failed: %d", ret); setup_signal(); if (config_file == NULL) { asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)); if (config_file == NULL) errx(1, "out of memory"); } ret = krb5_prepend_config_files_default(config_file, &files); if (ret) krb5_err(context, 1, ret, "getting configuration files"); ret = krb5_set_config_files(context, files); krb5_free_config_files(files); if (ret) krb5_err(context, 1, ret, "reading configuration files"); argc -= optidx; argv += optidx; if (argc != 1) usage(1); master = argv[0]; #ifdef SUPPORT_DETACH if (detach_from_console) daemon(0, 0); #endif pidfile (NULL); krb5_openlog (context, "ipropd-slave", &log_facility); krb5_set_warn_dest(context, log_facility); ret = krb5_kt_register(context, &hdb_kt_ops); if(ret) krb5_err(context, 1, ret, "krb5_kt_register"); time_before_lost = parse_time (server_time_lost, "s"); if (time_before_lost < 0) krb5_errx (context, 1, "couldn't parse time: %s", server_time_lost); memset(&conf, 0, sizeof(conf)); if(realm) { conf.mask |= KADM5_CONFIG_REALM; conf.realm = realm; } ret = kadm5_init_with_password_ctx (context, KADM5_ADMIN_SERVICE, NULL, KADM5_ADMIN_SERVICE, &conf, 0, 0, &kadm_handle); if (ret) krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); server_context = (kadm5_server_context *)kadm_handle; ret = kadm5_log_init (server_context); if (ret) krb5_err (context, 1, ret, "kadm5_log_init"); get_creds(context, keytab_str, &ccache, master); ret = krb5_sname_to_principal (context, master, IPROP_NAME, KRB5_NT_SRV_HST, &server); if (ret) krb5_err (context, 1, ret, "krb5_sname_to_principal"); auth_context = NULL; master_fd = -1; krb5_appdefault_time(context, config_name, NULL, "reconnect-min", 10, &reconnect_min); krb5_appdefault_time(context, config_name, NULL, "reconnect-max", 300, &reconnect_max); krb5_appdefault_time(context, config_name, NULL, "reconnect-backoff", 10, &backoff); reconnect = reconnect_min; while (!exit_flag) { time_t now, elapsed; int connected = FALSE; now = time(NULL); elapsed = now - before; if (elapsed < reconnect) { time_t left = reconnect - elapsed; krb5_warnx(context, "sleeping %d seconds before " "retrying to connect", (int)left); sleep(left); } before = now; master_fd = connect_to_master (context, master, port_str); if (master_fd < 0) goto retry; reconnect = reconnect_min; if (auth_context) { krb5_auth_con_free(context, auth_context); auth_context = NULL; krb5_cc_destroy(context, ccache); get_creds(context, keytab_str, &ccache, master); } ret = krb5_sendauth (context, &auth_context, &master_fd, IPROP_VERSION, NULL, server, AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, ccache, NULL, NULL, NULL); if (ret) { krb5_warn (context, ret, "krb5_sendauth"); goto retry; } krb5_warnx(context, "ipropd-slave started at version: %ld", (long)server_context->log_context.version); ret = ihave (context, auth_context, master_fd, server_context->log_context.version); if (ret) goto retry; connected = TRUE; while (connected && !exit_flag) { krb5_data out; krb5_storage *sp; int32_t tmp; fd_set readset; struct timeval to; #ifndef NO_LIMIT_FD_SETSIZE if (master_fd >= FD_SETSIZE) krb5_errx (context, 1, "fd too large"); #endif FD_ZERO(&readset); FD_SET(master_fd, &readset); to.tv_sec = time_before_lost; to.tv_usec = 0; ret = select (master_fd + 1, &readset, NULL, NULL, &to); if (ret < 0) { if (errno == EINTR) continue; else krb5_err (context, 1, errno, "select"); } if (ret == 0) krb5_errx (context, 1, "server didn't send a message " "in %d seconds", time_before_lost); ret = krb5_read_priv_message(context, auth_context, &master_fd, &out); if (ret) { krb5_warn (context, ret, "krb5_read_priv_message"); connected = FALSE; continue; } sp = krb5_storage_from_mem (out.data, out.length); krb5_ret_int32 (sp, &tmp); switch (tmp) { case FOR_YOU : receive (context, sp, server_context); ret = ihave (context, auth_context, master_fd, server_context->log_context.version); if (ret) connected = FALSE; break; case TELL_YOU_EVERYTHING : ret = receive_everything (context, master_fd, server_context, auth_context); if (ret) connected = FALSE; break; case ARE_YOU_THERE : send_im_here (context, master_fd, auth_context); break; case NOW_YOU_HAVE : case I_HAVE : case ONE_PRINC : case I_AM_HERE : default : krb5_warnx (context, "Ignoring command %d", tmp); break; } krb5_storage_free (sp); krb5_data_free (&out); } retry: if (connected == FALSE) krb5_warnx (context, "disconnected for server"); if (exit_flag) krb5_warnx (context, "got an exit signal"); if (master_fd >= 0) close(master_fd); reconnect += backoff; if (reconnect > reconnect_max) reconnect = reconnect_max; } if (0); #ifndef NO_SIGXCPU else if(exit_flag == SIGXCPU) krb5_warnx(context, "%s CPU time limit exceeded", getprogname()); #endif else if(exit_flag == SIGINT || exit_flag == SIGTERM) krb5_warnx(context, "%s terminated", getprogname()); else krb5_warnx(context, "%s unexpected exit reason: %ld", getprogname(), (long)exit_flag); return 0; }
int do_krb5_comm(krb5_context context, krb5_keytab keytab, krb5_principal server, char *cmddir) { struct sockaddr_in c_saddr, s_saddr; socklen_t namelen; int sock = 0; int len; char buff[BUFFSIZE]; char *cname = NULL; krb5_error_code retval; krb5_data kdata, message; krb5_auth_context auth_context = NULL; krb5_ticket *ticket; krb5_address ckaddr, skaddr; krb5_rcache rcache; krb5_data rcache_name; long srand, rrand; int fd[2]; char rcname_piece[RC_PIECE_MAXLEN]; namelen = sizeof(c_saddr); if (getpeername(sock, (struct sockaddr *)&c_saddr, &namelen) < 0) { syslog(LOG_ERR, "getpeername: %m"); return 1; } namelen = sizeof(s_saddr); if (getsockname(sock, (struct sockaddr *)&s_saddr, &namelen) < 0) { syslog(LOG_ERR, "getsockname: %m"); return 1; } /* INIT MSG = random number */ srand = random(); /* Send it */ if (send(sock, &srand, sizeof(srand), 0) < 0) { syslog(LOG_ERR, "%m while sending init message"); return 1; } if (recv(sock, &rrand, sizeof(rrand), 0) < 0) { syslog(LOG_ERR, "%m while receiving init reply"); return 1; } /* Reply should contain the same message (number) */ if (srand != rrand) { syslog(LOG_ERR, "Bad init reply"); return 1; } /* Do authentication */ if (retval = krb5_recvauth(context, &auth_context, (krb5_pointer)&sock, AFSADM_VERSION, server, 0, keytab, &ticket)) { syslog(LOG_ERR, "recvauth failed: %s", error_message(retval)); exit(1); } /* Get client name */ if (retval = krb5_unparse_name(context, ticket->enc_part2->client, &cname)) { syslog(LOG_ERR, "unparse failed: %s", error_message(retval)); return 1; } if (ticket) krb5_free_ticket(context, ticket); if (debug) syslog(LOG_DEBUG, "Principal %s", cname); /*******************************************************************/ ckaddr.addrtype = ADDRTYPE_IPPORT; ckaddr.length = sizeof(c_saddr.sin_port); ckaddr.contents = (krb5_octet *)&c_saddr.sin_port; skaddr.addrtype = ADDRTYPE_IPPORT; skaddr.length = sizeof(s_saddr.sin_port); skaddr.contents = (krb5_octet *)&s_saddr.sin_port; if ((retval = krb5_auth_con_setports(context, auth_context, &skaddr, &ckaddr))) { syslog(LOG_ERR, "%s while setting ports", error_message(retval)); return 1; } /* Set foreign_addr for rd_priv() */ ckaddr.addrtype = ADDRTYPE_INET; ckaddr.length = sizeof(c_saddr.sin_addr); ckaddr.contents = (krb5_octet *)&c_saddr.sin_addr; /* Set local_addr */ skaddr.addrtype = ADDRTYPE_INET; skaddr.length = sizeof(s_saddr.sin_addr); skaddr.contents = (krb5_octet *)&s_saddr.sin_addr; if ((retval = krb5_auth_con_setaddrs(context, auth_context, &skaddr, &ckaddr))) { syslog(LOG_ERR, "%s while setting addrs", error_message(retval)); return 1; } /* Receive a request */ if ((len = recv(sock, (char *)buff, sizeof(buff), 0)) < 0) { syslog(LOG_ERR, "%m while receiving datagram"); return 1; } kdata.length = len; kdata.data = buff; if (debug) syslog(LOG_DEBUG, "Received %d bytes", len); /* Decrypt it */ if ((retval = krb5_rd_priv(context, auth_context, &kdata, &message, NULL))) { syslog(LOG_ERR, "%s while verifying PRIV message", error_message(retval)); return 1; } if (message.length > 0) { #ifdef __osf__ sprintf(rcname_piece, "afsadmd_%d", getpid()); #else snprintf(rcname_piece, RC_PIECE_MAXLEN, "afsadmd_%d", getpid()); #endif rcache_name.data = rcname_piece; rcache_name.length = strlen(rcache_name.data); if ((retval = krb5_get_server_rcache(context, &rcache_name, &rcache))) { syslog(LOG_ERR, "%s while getting server rcache", error_message(retval)); return 1; } /* set auth_context rcache */ if (retval = krb5_auth_con_setrcache(context, auth_context, rcache)) { syslog(LOG_ERR, "%s while setting rcache", error_message(retval)); return 1; } /********************************************************************* * Call the desired command, read stdout/stderr, send it *********************************************************************/ /* create fork */ if (pipe(fd) == -1) printf("Failed create fork with pipe().\n"); if (fork() == 0) { close(fd[0]); close(1); close(2); dup2(fd[1], 1); dup2(fd[1], 2); /* Call required command */ do_command(context, keytab, server, cname, message.data, cmddir ); krb5_xfree(message.data); exit(0); } else { /* Read stdout/stderr from pipe, store it to the buffer, encrypt it a send to the client */ krb5_data message, kdata; char buff[PIPEBUFF]; int n = 0; int len = 0; int sent = 0; int counter = 0; int end = 0; short netlen; time_t starttime, oldtime, newtime; FILE *pipedes; close(fd[1]); pipedes = fdopen(fd[0], "r"); starttime = oldtime = time(NULL); for (n = 0; end == 0; ) { /* Read line from pipe */ if (fgets(buff + n, PIPEBUFF - n, pipedes) == NULL) end++; else n = strlen(buff); /* Get time */ newtime = time(NULL); /* Send buffer when * a) buffer is full * b) buffer contains data and * 1) end-of-file encountered (end flag) * 2) buffer sent before 1s */ if ((n == PIPEBUFF) || (((newtime > oldtime) || end ) && (n != 0))) { /* Prepare data for sending */ message.data = buff; message.length = n; kdata.data = NULL; /* Make the encrypted message */ if ((retval = krb5_mk_priv(context, auth_context, &message, &kdata, NULL))) { syslog(LOG_ERR, "%s while making KRB_PRIV message", error_message(retval)); return 1; } /* Convert byte order */ netlen = htons((short)kdata.length); /* Send len of encrypted data */ if ((len = send(sock, (char *)&netlen, sizeof(netlen), 0)) != sizeof(netlen)) { krb5_xfree(kdata.data); syslog(LOG_ERR, "%m while sending len of PRIV message"); return 1; } /* Send it */ if ((len = send(sock, (char *)kdata.data, kdata.length, 0)) != kdata.length) { syslog(LOG_ERR, "%m while sending PRIV message"); krb5_xfree(kdata.data); return 1; } /* Statistics */ sent += len; counter++; /* Timestanmp */ oldtime = newtime; n = 0; krb5_xfree(kdata.data); } } newtime = time(NULL); if (debug) syslog(LOG_DEBUG, "Sent %d bytes in %ds [%d fragment(s)]", sent, (int)(newtime - starttime), counter); } } //FIXME: There is no way to close or destroy rcache declared in krb5 headers //krb5_rc_destroy(context, rcache); /* set auth_context rcache */ if (retval = krb5_auth_con_setrcache(context, auth_context, rcache)) { syslog(LOG_ERR, "%s while setting rcache to NULL", error_message(retval)); return 1; } free(cname); krb5_auth_con_free(context, auth_context); return 0; }
static krb5_error_code change_password_loop (krb5_context context, krb5_creds *creds, krb5_principal targprinc, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string, struct kpwd_proc *proc) { krb5_error_code ret; krb5_auth_context auth_context = NULL; krb5_krbhst_handle handle = NULL; krb5_krbhst_info *hi; int sock; int i; int done = 0; krb5_realm realm = creds->client->realm; ret = krb5_auth_con_init (context, &auth_context); if (ret) return ret; krb5_auth_con_setflags (context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE); ret = krb5_krbhst_init (context, realm, KRB5_KRBHST_CHANGEPW, &handle); if (ret) goto out; while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) { struct addrinfo *ai, *a; int is_stream; switch (hi->proto) { case KRB5_KRBHST_UDP: if ((proc->flags & SUPPORT_UDP) == 0) continue; is_stream = 0; break; case KRB5_KRBHST_TCP: if ((proc->flags & SUPPORT_TCP) == 0) continue; is_stream = 1; break; default: continue; } ret = krb5_krbhst_get_addrinfo(context, hi, &ai); if (ret) continue; for (a = ai; !done && a != NULL; a = a->ai_next) { int replied = 0; sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol); if (sock < 0) continue; ret = connect(sock, a->ai_addr, a->ai_addrlen); if (ret < 0) { close (sock); goto out; } ret = krb5_auth_con_genaddrs (context, auth_context, sock, KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR); if (ret) { close (sock); goto out; } for (i = 0; !done && i < 5; ++i) { fd_set fdset; struct timeval tv; if (!replied) { replied = 0; ret = (*proc->send_req) (context, &auth_context, creds, targprinc, is_stream, sock, newpw, hi->hostname); if (ret) { close(sock); goto out; } } if (sock >= FD_SETSIZE) { krb5_set_error_string(context, "fd %d too large", sock); ret = ERANGE; close (sock); goto out; } FD_ZERO(&fdset); FD_SET(sock, &fdset); tv.tv_usec = 0; tv.tv_sec = 1 + (1 << i); ret = select (sock + 1, &fdset, NULL, NULL, &tv); if (ret < 0 && errno != EINTR) { close(sock); goto out; } if (ret == 1) { ret = (*proc->process_rep) (context, auth_context, is_stream, sock, result_code, result_code_string, result_string, hi->hostname); if (ret == 0) done = 1; else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL) replied = 1; } else { ret = KRB5_KDC_UNREACH; } } close (sock); } } out: krb5_krbhst_free (context, handle); krb5_auth_con_free (context, auth_context); if (done) return 0; else { if (ret == KRB5_KDC_UNREACH) { krb5_set_error_string(context, "unable to reach any changepw server " " in realm %s", realm); *result_code = KRB5_KPASSWD_HARDERROR; } return ret; } }
int auks_cred_init(auks_cred_t * credential, char *data, size_t length) { int fstatus = AUKS_ERROR ; char *tmp_string = NULL; size_t tmp_size = 0; /* kerberos related variables */ krb5_error_code err_code; krb5_context context; krb5_auth_context auth_context; krb5_data kdata; krb5_creds **creds; krb5_replay_data krdata; char username[AUKS_PRINCIPAL_MAX_LENGTH + 1]; struct passwd user_pwent; struct passwd *p_pwent; size_t pwnam_buffer_length = sysconf(_SC_GETPW_R_SIZE_MAX); char pwnam_buffer[pwnam_buffer_length]; credential->info.principal[0] = '\0'; credential->info.uid = AUKS_CRED_INVALID_UID; credential->info.starttime = AUKS_CRED_INVALID_TIME; credential->info.endtime = AUKS_CRED_INVALID_TIME; credential->info.renew_till = AUKS_CRED_INVALID_TIME; credential->info.addressless = 1; credential->data[1] = '\0'; credential->length = 0; credential->max_length = AUKS_CRED_DATA_MAX_LENGTH; credential->status = AUKS_SUCCESS; /* check input buffer length versus auks credential internal buffer */ /* max length */ if ((unsigned int) length > (unsigned int) credential->max_length) { auks_error("input buffer is bigger than auks credential internal " "buffer (%u versus %u)",length, credential->max_length); fstatus = AUKS_ERROR_CRED_INIT_BUFFER_TOO_LARGE ; goto exit; } /* extract informations from buffer */ if (data == NULL) { auks_error("input buffer is NULL"); fstatus = AUKS_ERROR_CRED_INIT_BUFFER_IS_NULL ; goto exit; } fstatus = AUKS_ERROR ; /* initialize kerberos context */ err_code = krb5_init_context(&context); if (err_code) { auks_error("unable to initialize kerberos context : %s", error_message(err_code)); fstatus = AUKS_ERROR_CRED_INIT_KRB_CTX_INIT ; goto exit; } auks_log("kerberos context successfully initialized"); /* initialize a nullified kerberos authentication context in order to decode credential from buffer */ err_code = krb5_auth_con_init(context,&auth_context); if (err_code) { auks_error("unable to initialize connection " "authentication context : %s", error_message(err_code)); fstatus = AUKS_ERROR_CRED_INIT_KRB_AUTH_CTX_INIT ; goto ctx_exit; } /* clear kerberos authentication context flags */ krb5_auth_con_setflags(context,auth_context,0); /* set a kerberos data structure with input buffer */ kdata.data = data ; kdata.length = (unsigned int) length ; /* build kerberos credential structure using this data structure */ err_code = krb5_rd_cred(context,auth_context,&kdata, &creds,&krdata); if (err_code) { auks_error("unable to deserialize input buffer credential : %s", error_message(err_code)); fstatus = AUKS_ERROR_CRED_INIT_KRB_RD_BUFFER ; goto auth_ctx_exit; } auks_log("input buffer credential successfully unserialized"); err_code = krb5_unparse_name_ext(context,(*creds)->client,&tmp_string, (unsigned int *) &tmp_size); if (err_code) { auks_error("unable to unparse principal : %s", error_message(err_code)); fstatus = AUKS_ERROR_CRED_INIT_KRB_RD_PRINC ; goto creds_exit; } else if (tmp_size > AUKS_PRINCIPAL_MAX_LENGTH) { auks_error("unable to unparse principal : %s", "principal is too long (more than %d characters)", AUKS_PRINCIPAL_MAX_LENGTH); free(tmp_string); fstatus = AUKS_ERROR_CRED_INIT_KRB_PRINC_TOO_LONG ; goto creds_exit; } auks_log("principal successfully unparse"); memcpy(credential->info.principal,tmp_string,tmp_size); credential->info.principal[tmp_size] = '\0'; /* associated username from principal */ err_code = krb5_aname_to_localname(context,(*creds)->client, AUKS_PRINCIPAL_MAX_LENGTH,username); if (err_code) { auks_error("unable to get username from principal %s : %s", credential->info.principal,error_message(err_code)); fstatus = AUKS_ERROR_CRED_INIT_KRB_PRINC_TO_UNAME ; goto string_exit; } /* associated uid from username */ fstatus = getpwnam_r(username,&user_pwent,pwnam_buffer, pwnam_buffer_length,&p_pwent) ; if (fstatus) { auks_log("unable to get %s pwnam entry : %s",username, strerror(fstatus)) ; fstatus = AUKS_ERROR_CRED_INIT_GETPWNAM ; goto string_exit; } /* uid information */ credential->info.uid = user_pwent.pw_uid; credential->info.starttime = (time_t) (*creds)->times.starttime ; credential->info.endtime = (time_t) (*creds)->times.endtime ; credential->info.renew_till = (time_t) (*creds)->times.renew_till ; /* addresslessness */ if (((*creds)->addresses) != NULL) credential->info.addressless = 0; /* duplicate input buffer */ credential->length = (unsigned int) length; memcpy(credential->data,data,(unsigned int) length); fstatus = AUKS_SUCCESS; string_exit: free(tmp_string); creds_exit: krb5_free_creds(context,*creds); free(creds); auth_ctx_exit: krb5_auth_con_free(context,auth_context); ctx_exit: krb5_free_context(context); exit: /* if valid buffer, store it */ if (fstatus != 0) { /* bad credential buffer in input, clean this auks credential */ auks_cred_free_contents(credential); } return fstatus; }
static int proto (int sock, const char *hostname, const char *svc, char *message, size_t len) { krb5_auth_context auth_context; krb5_error_code status; krb5_principal server; krb5_data data; krb5_data data_send; krb5_ccache ccache; krb5_creds creds; krb5_kdc_flags flags; krb5_principal principal; status = krb5_auth_con_init (context, &auth_context); if (status) { krb5_warn (context, status, "krb5_auth_con_init"); return 1; } status = krb5_auth_con_setaddrs_from_fd (context, auth_context, &sock); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_auth_con_setaddr"); return 1; } status = krb5_sname_to_principal (context, hostname, svc, KRB5_NT_SRV_HST, &server); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_sname_to_principal"); return 1; } status = krb5_sendauth (context, &auth_context, &sock, KF_VERSION_1, NULL, server, AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, NULL, NULL, NULL, NULL, NULL, NULL); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn(context, status, "krb5_sendauth"); return 1; } if (ccache_name == NULL) ccache_name = ""; data_send.data = (void *)remote_name; data_send.length = strlen(remote_name) + 1; status = krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_write_message"); return 1; } data_send.data = (void *)ccache_name; data_send.length = strlen(ccache_name)+1; status = krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_write_message"); return 1; } memset (&creds, 0, sizeof(creds)); status = krb5_cc_default (context, &ccache); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_cc_default"); return 1; } status = krb5_cc_get_principal (context, ccache, &principal); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_cc_get_principal"); return 1; } creds.client = principal; status = krb5_make_principal (context, &creds.server, principal->realm, KRB5_TGS_NAME, principal->realm, NULL); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_make_principal"); return 1; } creds.times.endtime = 0; flags.i = 0; flags.b.forwarded = 1; flags.b.forwardable = forwardable; status = krb5_get_forwarded_creds (context, auth_context, ccache, flags.i, hostname, &creds, &data); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_get_forwarded_creds"); return 1; } status = krb5_write_priv_message(context, auth_context, &sock, &data); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_mk_priv"); return 1; } krb5_data_free (&data); status = krb5_read_priv_message(context, auth_context, &sock, &data); krb5_auth_con_free(context, auth_context); if (status) { krb5_warn (context, status, "krb5_mk_priv"); return 1; } if(data.length >= len) { krb5_warnx (context, "returned string is too long, truncating"); memcpy(message, data.data, len); message[len - 1] = '\0'; } else { memcpy(message, data.data, data.length); message[data.length] = '\0'; } krb5_data_free (&data); return(strcmp(message, "ok")); }
OM_uint32 gss_import_sec_context ( OM_uint32 * minor_status, const gss_buffer_t interprocess_token, gss_ctx_id_t * context_handle ) { OM_uint32 ret = GSS_S_FAILURE; krb5_error_code kret; krb5_storage *sp; krb5_auth_context ac; krb5_address local, remote; krb5_address *localp, *remotep; krb5_data data; gss_buffer_desc buffer; krb5_keyblock keyblock; int32_t tmp; int32_t flags; OM_uint32 minor; int is_cfx = 0; GSSAPI_KRB5_INIT (); localp = remotep = NULL; sp = krb5_storage_from_mem (interprocess_token->value, interprocess_token->length); if (sp == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; } *context_handle = malloc(sizeof(**context_handle)); if (*context_handle == NULL) { *minor_status = ENOMEM; krb5_storage_free (sp); return GSS_S_FAILURE; } memset (*context_handle, 0, sizeof(**context_handle)); HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex); kret = krb5_auth_con_init (gssapi_krb5_context, &(*context_handle)->auth_context); if (kret) { gssapi_krb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } /* flags */ *minor_status = 0; if (krb5_ret_int32 (sp, &flags) != 0) goto failure; /* retrieve the auth context */ ac = (*context_handle)->auth_context; krb5_ret_int32 (sp, &ac->flags); if (flags & SC_LOCAL_ADDRESS) { if (krb5_ret_address (sp, localp = &local) != 0) goto failure; } if (flags & SC_REMOTE_ADDRESS) { if (krb5_ret_address (sp, remotep = &remote) != 0) goto failure; } krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep); if (localp) krb5_free_address (gssapi_krb5_context, localp); if (remotep) krb5_free_address (gssapi_krb5_context, remotep); localp = remotep = NULL; if (krb5_ret_int16 (sp, &ac->local_port) != 0) goto failure; if (krb5_ret_int16 (sp, &ac->remote_port) != 0) goto failure; if (flags & SC_KEYBLOCK) { if (krb5_ret_keyblock (sp, &keyblock) != 0) goto failure; krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock); krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); } if (flags & SC_LOCAL_SUBKEY) { if (krb5_ret_keyblock (sp, &keyblock) != 0) goto failure; krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock); krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); } if (flags & SC_REMOTE_SUBKEY) { if (krb5_ret_keyblock (sp, &keyblock) != 0) goto failure; krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock); krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); } if (krb5_ret_int32 (sp, &ac->local_seqnumber)) goto failure; if (krb5_ret_int32 (sp, &ac->remote_seqnumber)) goto failure; if (krb5_ret_int32 (sp, &tmp) != 0) goto failure; ac->keytype = tmp; if (krb5_ret_int32 (sp, &tmp) != 0) goto failure; ac->cksumtype = tmp; /* names */ if (krb5_ret_data (sp, &data)) goto failure; buffer.value = data.data; buffer.length = data.length; ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, &(*context_handle)->source); if (ret) { ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, &(*context_handle)->source); if (ret) { krb5_data_free (&data); goto failure; } } krb5_data_free (&data); if (krb5_ret_data (sp, &data) != 0) goto failure; buffer.value = data.data; buffer.length = data.length; ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, &(*context_handle)->target); if (ret) { ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, &(*context_handle)->target); if (ret) { krb5_data_free (&data); goto failure; } } krb5_data_free (&data); if (krb5_ret_int32 (sp, &tmp)) goto failure; (*context_handle)->flags = tmp; if (krb5_ret_int32 (sp, &tmp)) goto failure; (*context_handle)->more_flags = tmp; if (krb5_ret_int32 (sp, &tmp) == 0) (*context_handle)->lifetime = tmp; else (*context_handle)->lifetime = GSS_C_INDEFINITE; gsskrb5_is_cfx(*context_handle, &is_cfx); ret = _gssapi_msg_order_create(minor_status, &(*context_handle)->order, _gssapi_msg_order_f((*context_handle)->flags), 0, 0, is_cfx); if (ret) goto failure; krb5_storage_free (sp); return GSS_S_COMPLETE; failure: krb5_auth_con_free (gssapi_krb5_context, (*context_handle)->auth_context); if ((*context_handle)->source != NULL) gss_release_name(&minor, &(*context_handle)->source); if ((*context_handle)->target != NULL) gss_release_name(&minor, &(*context_handle)->target); if (localp) krb5_free_address (gssapi_krb5_context, localp); if (remotep) krb5_free_address (gssapi_krb5_context, remotep); if((*context_handle)->order) _gssapi_msg_order_destroy(&(*context_handle)->order); HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); krb5_storage_free (sp); free (*context_handle); *context_handle = GSS_C_NO_CONTEXT; return ret; }
/* * krb5_auth_context_internalize() - Internalize the krb5_auth_context. */ static krb5_error_code krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_auth_context auth_context; krb5_int32 ibuf; krb5_octet *bp; size_t remain; krb5_int32 ivlen; krb5_int32 tag; bp = *buffer; remain = *lenremain; kret = EINVAL; /* Read our magic number */ if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) ibuf = 0; if (ibuf == KV5M_AUTH_CONTEXT) { kret = ENOMEM; /* Get memory for the auth_context */ if ((remain >= (5*sizeof(krb5_int32))) && (auth_context = (krb5_auth_context) calloc(1, sizeof(struct _krb5_auth_context)))) { /* Get auth_context_flags */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); auth_context->auth_context_flags = ibuf; /* Get remote_seq_number */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); auth_context->remote_seq_number = ibuf; /* Get local_seq_number */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); auth_context->local_seq_number = ibuf; /* Get req_cksumtype */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); auth_context->req_cksumtype = (krb5_cksumtype) ibuf; /* Get safe_cksumtype */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); auth_context->safe_cksumtype = (krb5_cksumtype) ibuf; /* Get length of i_vector */ (void) krb5_ser_unpack_int32(&ivlen, &bp, &remain); if (ivlen) { if ((auth_context->i_vector = (krb5_pointer) malloc((size_t)ivlen))) kret = krb5_ser_unpack_bytes(auth_context->i_vector, (size_t) ivlen, &bp, &remain); else kret = ENOMEM; } else kret = 0; /* Peek at next token */ tag = 0; if (!kret) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); /* This is the remote_addr */ if (!kret && (tag == TOKEN_RADDR)) { if (!(kret = krb5_internalize_opaque(kcontext, KV5M_ADDRESS, (krb5_pointer *) &auth_context-> remote_addr, &bp, &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } /* This is the remote_port */ if (!kret && (tag == TOKEN_RPORT)) { if (!(kret = krb5_internalize_opaque(kcontext, KV5M_ADDRESS, (krb5_pointer *) &auth_context-> remote_port, &bp, &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } /* This is the local_addr */ if (!kret && (tag == TOKEN_LADDR)) { if (!(kret = krb5_internalize_opaque(kcontext, KV5M_ADDRESS, (krb5_pointer *) &auth_context-> local_addr, &bp, &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } /* This is the local_port */ if (!kret && (tag == TOKEN_LPORT)) { if (!(kret = krb5_internalize_opaque(kcontext, KV5M_ADDRESS, (krb5_pointer *) &auth_context-> local_port, &bp, &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } /* This is the keyblock */ if (!kret && (tag == TOKEN_KEYBLOCK)) { if (!(kret = krb5_internalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer *) &auth_context->keyblock, &bp, &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } /* This is the send_subkey */ if (!kret && (tag == TOKEN_LSKBLOCK)) { if (!(kret = krb5_internalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer *) &auth_context-> send_subkey, &bp, &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } /* This is the recv_subkey */ if (!kret) { if (tag == TOKEN_RSKBLOCK) { kret = krb5_internalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer *) &auth_context-> recv_subkey, &bp, &remain); } else { /* * We read the next tag, but it's not of any use here, so * we effectively 'unget' it here. */ bp -= sizeof(krb5_int32); remain += sizeof(krb5_int32); } } /* Now find the authentp */ if (!kret) { if ((kret = krb5_internalize_opaque(kcontext, KV5M_AUTHENTICATOR, (krb5_pointer *) &auth_context->authentp, &bp, &remain))) { if (kret == EINVAL) kret = 0; } } /* Finally, find the trailer */ if (!kret) { kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); if (!kret && (ibuf != KV5M_AUTH_CONTEXT)) kret = EINVAL; } if (!kret) { *buffer = bp; *lenremain = remain; auth_context->magic = KV5M_AUTH_CONTEXT; *argp = (krb5_pointer) auth_context; } else krb5_auth_con_free(kcontext, auth_context); } } return(kret); }
krb5_error_code KRB5_CALLCONV krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_principal server_arg, krb5_keytab keytab_arg, krb5_ccache *ccache_arg, krb5_verify_init_creds_opt *options) { krb5_error_code ret; krb5_principal server; krb5_keytab keytab; krb5_ccache ccache; krb5_keytab_entry kte; krb5_creds in_creds, *out_creds; krb5_auth_context authcon; krb5_data ap_req; /* KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN */ server = NULL; keytab = NULL; ccache = NULL; out_creds = NULL; authcon = NULL; ap_req.data = NULL; if (keytab_arg) { keytab = keytab_arg; } else { if ((ret = krb5_kt_default(context, &keytab))) goto cleanup; } if (server_arg) { ret = krb5_copy_principal(context, server_arg, &server); if (ret) goto cleanup; } else { /* Use a principal name from the keytab. */ ret = k5_kt_get_principal(context, keytab, &server); if (ret) { /* There's no keytab, or it's empty, or we can't read it. * Allow this unless configuration demands verification. */ if (!nofail(context, options, creds)) ret = 0; goto cleanup; } } /* first, check if the server is in the keytab. If not, there's no reason to continue. rd_req does all this, but there's no way to know that a given error is caused by a missing keytab or key, and not by some other problem. */ if (krb5_is_referral_realm(&server->realm)) { krb5_free_data_contents(context, &server->realm); ret = krb5_get_default_realm(context, &server->realm.data); if (ret) goto cleanup; server->realm.length = strlen(server->realm.data); } if ((ret = krb5_kt_get_entry(context, keytab, server, 0, 0, &kte))) { /* this means there is no keying material. This is ok, as long as it is not prohibited by the configuration */ if (!nofail(context, options, creds)) ret = 0; goto cleanup; } krb5_kt_free_entry(context, &kte); /* If the creds are for the server principal, we're set, just do a mk_req. * Otherwise, do a get_credentials first. */ if (krb5_principal_compare(context, server, creds->server)) { /* make an ap_req */ if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds, &ap_req))) goto cleanup; } else { /* this is unclean, but it's the easiest way without ripping the library into very small pieces. store the client's initial cred in a memory ccache, then call the library. Later, we'll copy everything except the initial cred into the ccache we return to the user. A clean implementation would involve library internals with a coherent idea of "in" and "out". */ /* insert the initial cred into the ccache */ if ((ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) { ccache = NULL; goto cleanup; } if ((ret = krb5_cc_initialize(context, ccache, creds->client))) goto cleanup; if ((ret = krb5_cc_store_cred(context, ccache, creds))) goto cleanup; /* set up for get_creds */ memset(&in_creds, 0, sizeof(in_creds)); in_creds.client = creds->client; in_creds.server = server; if ((ret = krb5_timeofday(context, &in_creds.times.endtime))) goto cleanup; in_creds.times.endtime += 5*60; if ((ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds))) goto cleanup; /* make an ap_req */ if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds, &ap_req))) goto cleanup; } /* wipe the auth context for mk_req */ if (authcon) { krb5_auth_con_free(context, authcon); authcon = NULL; } /* verify the ap_req */ if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, NULL, NULL))) goto cleanup; /* if we get this far, then the verification succeeded. We can still fail if the library stuff here fails, but that's it */ if (ccache_arg && ccache) { if (*ccache_arg == NULL) { krb5_ccache retcc; retcc = NULL; if ((ret = krb5_cc_resolve(context, "MEMORY:rd_req2", &retcc)) || (ret = krb5_cc_initialize(context, retcc, creds->client)) || (ret = copy_creds_except(context, ccache, retcc, creds->server))) { if (retcc) krb5_cc_destroy(context, retcc); } else { *ccache_arg = retcc; } } else { ret = copy_creds_except(context, ccache, *ccache_arg, server); } } /* if any of the above paths returned an errors, then ret is set accordingly. * Either that, or it's zero, which is fine, too */ cleanup: if ( server) krb5_free_principal(context, server); if (!keytab_arg && keytab) krb5_kt_close(context, keytab); if (ccache) krb5_cc_destroy(context, ccache); if (out_creds) krb5_free_creds(context, out_creds); if (authcon) krb5_auth_con_free(context, authcon); if (ap_req.data) free(ap_req.data); return(ret); }
/* * pg_krb5_recvauth -- server routine to receive authentication information * from the client * * We still need to compare the username obtained from the client's setup * packet to the authenticated name, as described in pg_krb4_recvauth. This * is a bit more problematic in v5, as described above in pg_an_to_ln. * * We have our own keytab file because postgres is unlikely to run as root, * and so cannot read the default keytab. */ static int pg_krb5_recvauth(Port *port) { krb5_error_code retval; int ret; krb5_auth_context auth_context = NULL; krb5_ticket *ticket; char *kusername; ret = pg_krb5_init(); if (ret != STATUS_OK) return ret; retval = krb5_recvauth(pg_krb5_context, &auth_context, (krb5_pointer) & port->sock, PG_KRB_SRVNAM, pg_krb5_server, 0, pg_krb5_keytab, &ticket); if (retval) { ereport(LOG, (errmsg("Kerberos recvauth returned error %d", retval))); com_err("postgres", retval, "from krb5_recvauth"); return STATUS_ERROR; } /* * The "client" structure comes out of the ticket and is therefore * authenticated. Use it to check the username obtained from the * postmaster startup packet. * * I have no idea why this is considered necessary. */ #if defined(HAVE_KRB5_TICKET_ENC_PART2) retval = krb5_unparse_name(pg_krb5_context, ticket->enc_part2->client, &kusername); #elif defined(HAVE_KRB5_TICKET_CLIENT) retval = krb5_unparse_name(pg_krb5_context, ticket->client, &kusername); #else #error "bogus configuration" #endif if (retval) { ereport(LOG, (errmsg("Kerberos unparse_name returned error %d", retval))); com_err("postgres", retval, "while unparsing client name"); krb5_free_ticket(pg_krb5_context, ticket); krb5_auth_con_free(pg_krb5_context, auth_context); return STATUS_ERROR; } kusername = pg_an_to_ln(kusername); if (strncmp(port->user_name, kusername, SM_DATABASE_USER)) { ereport(LOG, (errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")", port->user_name, kusername))); ret = STATUS_ERROR; } else ret = STATUS_OK; krb5_free_ticket(pg_krb5_context, ticket); krb5_auth_con_free(pg_krb5_context, auth_context); free(kusername); return ret; }
static void test_ap(krb5_context context, krb5_principal target, krb5_principal server, krb5_keytab keytab, krb5_ccache ccache, const krb5_flags client_flags) { krb5_error_code ret; krb5_auth_context client_ac = NULL, server_ac = NULL; krb5_data data; krb5_flags server_flags; krb5_ticket *ticket = NULL; int32_t server_seq, client_seq; ret = krb5_mk_req_exact(context, &client_ac, client_flags, target, NULL, ccache, &data); if (ret) krb5_err(context, 1, ret, "krb5_mk_req_exact"); ret = krb5_rd_req(context, &server_ac, &data, server, keytab, &server_flags, &ticket); if (ret) krb5_err(context, 1, ret, "krb5_rd_req"); if (server_flags & AP_OPTS_MUTUAL_REQUIRED) { krb5_ap_rep_enc_part *repl; krb5_data_free(&data); if ((client_flags & AP_OPTS_MUTUAL_REQUIRED) == 0) krb5_errx(context, 1, "client flag missing mutual req"); ret = krb5_mk_rep (context, server_ac, &data); if (ret) krb5_err(context, 1, ret, "krb5_mk_rep"); ret = krb5_rd_rep (context, client_ac, &data, &repl); if (ret) krb5_err(context, 1, ret, "krb5_rd_rep"); krb5_free_ap_rep_enc_part (context, repl); } else { if (client_flags & AP_OPTS_MUTUAL_REQUIRED) krb5_errx(context, 1, "server flag missing mutual req"); } krb5_auth_con_getremoteseqnumber(context, server_ac, &server_seq); krb5_auth_con_getremoteseqnumber(context, client_ac, &client_seq); if (server_seq != client_seq) krb5_errx(context, 1, "seq num differ"); krb5_auth_con_getlocalseqnumber(context, server_ac, &server_seq); krb5_auth_con_getlocalseqnumber(context, client_ac, &client_seq); if (server_seq != client_seq) krb5_errx(context, 1, "seq num differ"); krb5_data_free(&data); krb5_auth_con_free(context, client_ac); krb5_auth_con_free(context, server_ac); if (verify_pac) { krb5_pac pac; ret = krb5_ticket_get_authorization_data_type(context, ticket, KRB5_AUTHDATA_WIN2K_PAC, &data); if (ret) krb5_err(context, 1, ret, "get pac"); ret = krb5_pac_parse(context, data.data, data.length, &pac); if (ret) krb5_err(context, 1, ret, "pac parse"); krb5_pac_free(context, pac); } krb5_free_ticket(context, ticket); }
/** * @brief * Get a kerberos credential set up to send to a remote host. * * @param[in] remote - server name * @param[in] pjob - pointer to job structure * @param[out] data - kerberos credential * @param[out] dsize - kerberos credential data length * * @return int * @retval 0 - success * @retval -1 - error */ static int get_kerb_cred(char *remote, job *pjob, char **data, size_t *dsize) { int ret = -1; #ifdef PBS_CRED_DCE_KRB5 krb5_error_code err; int got_auth = 0; char server_name[512]; char namebuf[MAXPATHLEN+1]; krb5_context ktext = 0; krb5_auth_context kauth = 0; krb5_ccache kache = 0; krb5_principal client = 0; krb5_principal server = 0; krb5_data forw_creds; krb5_data packet; extern char *path_jobs; DBPRT(("%s: entered %s\n", id, remote)) memset(&forw_creds, 0, sizeof(forw_creds)); memset(&packet, 0, sizeof(packet)); if ((err = krb5_init_context(&ktext)) != 0) { sprintf(log_buffer, "krb5_init_context(%s)", error_message(err)); log_err(-1, __func__, log_buffer); return ret; } if ((err = krb5_auth_con_init(ktext, &kauth)) != 0) { sprintf(log_buffer, "krb5_auth_con_init(%s)", error_message(err)); log_err(-1, __func__, log_buffer); return ret; } got_auth = 1; krb5_auth_con_setflags(ktext, kauth, KRB5_AUTH_CONTEXT_RET_TIME); (void)strcpy(namebuf, path_jobs); if (*pjob->ji_qs.ji_fileprefix != '\0') (void)strcat(namebuf, pjob->ji_qs.ji_fileprefix); else (void)strcat(namebuf, pjob->ji_qs.ji_jobid); (void)strcat(namebuf, JOB_CRED_SUFFIX); if ((err = krb5_cc_resolve(ktext, namebuf, &kache)) != 0) { sprintf(log_buffer, "krb5_cc_resolve(%s)", error_message(err)); log_err(-1, __func__, log_buffer); goto done; } if ((err = krb5_cc_get_principal(ktext, kache, &client)) != 0) { sprintf(log_buffer, "krb5_cc_get_principal(%s)", error_message(err)); log_err(-1, __func__, log_buffer); goto done; } snprintf(server_name, sizeof(server_name), "host/%s@", remote); strncat(server_name, client->realm.data, client->realm.length); krb5_parse_name(ktext, server_name, &server); server->type = KRB5_NT_SRV_HST; if ((err = fwd_tgt_creds(ktext, kauth, client, server, kache, &forw_creds)) != 0) { sprintf(log_buffer, "no usable cred(%s)", error_message(err)); log_err(-1, __func__, log_buffer); goto done; } *dsize = forw_creds.length; *data = forw_creds.data; ret = 0; done: if (forw_creds.data && *data != forw_creds.data) free(forw_creds.data); if (client) krb5_free_principal(ktext, client); if (server) krb5_free_principal(ktext, server); if (got_auth) krb5_auth_con_free(ktext, kauth); krb5_free_context(ktext); #endif /* PBS_CRED_DCE_KRB5 */ return ret; }
/* * Function: socket_connection * * Purpose: Opens the network connection with the mail host, without * doing any sort of I/O with it or anything. * * Arguments: * host The host to which to connect. * flags Option flags. * * Return value: A file descriptor indicating the connection, or -1 * indicating failure, in which case an error has been copied * into pop_error. */ static int socket_connection (char *host, int flags) { struct addrinfo *res, *it; struct addrinfo hints; int ret; struct servent *servent; struct sockaddr_in addr; char found_port = 0; const char *service; int sock; char *realhost; #ifdef KERBEROS #ifdef KERBEROS5 krb5_error_code rem; krb5_context kcontext = 0; krb5_auth_context auth_context = 0; krb5_ccache ccdef; krb5_principal client, server; krb5_error *err_ret; register char *cp; #else KTEXT ticket; MSG_DAT msg_data; CREDENTIALS cred; Key_schedule schedule; int rem; #endif /* KERBEROS5 */ #endif /* KERBEROS */ int try_count = 0; int connect_ok; #ifdef WINDOWSNT { WSADATA winsockData; if (WSAStartup (0x101, &winsockData) == 0) have_winsock = 1; } #endif memset (&addr, 0, sizeof (addr)); addr.sin_family = AF_INET; /** "kpop" service is never used: look for 20060515 to see why **/ #ifdef KERBEROS service = (flags & POP_NO_KERBEROS) ? POP_SERVICE : KPOP_SERVICE; #else service = POP_SERVICE; #endif #ifdef HESIOD if (! (flags & POP_NO_HESIOD)) { servent = hes_getservbyname (service, "tcp"); if (servent) { addr.sin_port = servent->s_port; found_port = 1; } } #endif if (! found_port) { servent = getservbyname (service, "tcp"); if (servent) { addr.sin_port = servent->s_port; } else { /** "kpop" service is never used: look for 20060515 to see why **/ #ifdef KERBEROS addr.sin_port = htons ((flags & POP_NO_KERBEROS) ? POP_PORT : KPOP_PORT); #else addr.sin_port = htons (POP_PORT); #endif } } #define POP_SOCKET_ERROR "Could not create socket for POP connection: " sock = socket (PF_INET, SOCK_STREAM, 0); if (sock < 0) { snprintf (pop_error, ERROR_MAX, "%s%s", POP_SOCKET_ERROR, strerror (errno)); return (-1); } memset (&hints, 0, sizeof (hints)); hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_CANONNAME; hints.ai_family = AF_INET; do { ret = getaddrinfo (host, service, &hints, &res); try_count++; if (ret != 0 && (ret != EAI_AGAIN || try_count == 5)) { strcpy (pop_error, "Could not determine POP server's address"); return (-1); } } while (ret != 0); for (it = res; it; it = it->ai_next) if (it->ai_addrlen == sizeof addr) { struct sockaddr_in *in_a = (struct sockaddr_in *) it->ai_addr; addr.sin_addr = in_a->sin_addr; if (! connect (sock, (struct sockaddr *) &addr, sizeof addr)) break; } connect_ok = it != NULL; if (connect_ok) { realhost = alloca (strlen (it->ai_canonname) + 1); strcpy (realhost, it->ai_canonname); } freeaddrinfo (res); #define CONNECT_ERROR "Could not connect to POP server: " if (! connect_ok) { CLOSESOCKET (sock); snprintf (pop_error, ERROR_MAX, "%s%s", CONNECT_ERROR, strerror (errno)); return (-1); } #ifdef KERBEROS #define KRB_ERROR "Kerberos error connecting to POP server: " if (! (flags & POP_NO_KERBEROS)) { #ifdef KERBEROS5 rem = krb5_init_context (&kcontext); if (rem) { krb5error: if (auth_context) krb5_auth_con_free (kcontext, auth_context); if (kcontext) krb5_free_context (kcontext); snprintf (pop_error, ERROR_MAX, "%s%s", KRB_ERROR, error_message (rem)); CLOSESOCKET (sock); return (-1); } rem = krb5_auth_con_init (kcontext, &auth_context); if (rem) goto krb5error; rem = krb5_cc_default (kcontext, &ccdef); if (rem) goto krb5error; rem = krb5_cc_get_principal (kcontext, ccdef, &client); if (rem) goto krb5error; for (cp = realhost; *cp; cp++) *cp = c_tolower (*cp); rem = krb5_sname_to_principal (kcontext, realhost, POP_SERVICE, FALSE, &server); if (rem) goto krb5error; rem = krb5_sendauth (kcontext, &auth_context, (krb5_pointer) &sock, (char *) "KPOPV1.0", client, server, AP_OPTS_MUTUAL_REQUIRED, 0, /* no checksum */ 0, /* no creds, use ccache instead */ ccdef, &err_ret, 0, /* don't need subsession key */ 0); /* don't need reply */ krb5_free_principal (kcontext, server); if (rem) { int pop_error_len = snprintf (pop_error, ERROR_MAX, "%s%s", KRB_ERROR, error_message (rem)); #if defined HAVE_KRB5_ERROR_TEXT if (err_ret && err_ret->text.length) { int errlen = err_ret->text.length; snprintf (pop_error + pop_error_len, ERROR_MAX - pop_error_len, " [server says '%.*s']", errlen, err_ret->text.data); } #elif defined HAVE_KRB5_ERROR_E_TEXT if (err_ret && err_ret->e_text && **err_ret->e_text) snprintf (pop_error + pop_error_len, ERROR_MAX - pop_error_len, " [server says '%s']", *err_ret->e_text); #endif if (err_ret) krb5_free_error (kcontext, err_ret); krb5_auth_con_free (kcontext, auth_context); krb5_free_context (kcontext); CLOSESOCKET (sock); return (-1); } #else /* ! KERBEROS5 */ ticket = (KTEXT) malloc (sizeof (KTEXT_ST)); rem = krb_sendauth (0L, sock, ticket, "pop", realhost, (char *) krb_realmofhost (realhost), (unsigned long) 0, &msg_data, &cred, schedule, (struct sockaddr_in *) 0, (struct sockaddr_in *) 0, "KPOPV0.1"); free ((char *) ticket); if (rem != KSUCCESS) { snprintf (pop_error, ERROR_MAX, "%s%s", KRB_ERROR, krb_err_txt[rem]); CLOSESOCKET (sock); return (-1); } #endif /* KERBEROS5 */ } #endif /* KERBEROS */ return (sock); } /* socket_connection */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_keytab ap_req_keytab, krb5_ccache *ccache, krb5_verify_init_creds_opt *options) { krb5_error_code ret; krb5_data req; krb5_ccache local_ccache = NULL; krb5_creds *new_creds = NULL; krb5_auth_context auth_context = NULL; krb5_principal server = NULL; krb5_keytab keytab = NULL; krb5_data_zero (&req); if (ap_req_server == NULL) { char local_hostname[MAXHOSTNAMELEN]; if (gethostname (local_hostname, sizeof(local_hostname)) < 0) { ret = errno; krb5_set_error_message (context, ret, "gethostname: %s", strerror(ret)); return ret; } ret = krb5_sname_to_principal (context, local_hostname, "host", KRB5_NT_SRV_HST, &server); if (ret) goto cleanup; } else server = ap_req_server; if (ap_req_keytab == NULL) { ret = krb5_kt_default (context, &keytab); if (ret) goto cleanup; } else keytab = ap_req_keytab; if (ccache && *ccache) local_ccache = *ccache; else { ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &local_ccache); if (ret) goto cleanup; ret = krb5_cc_initialize (context, local_ccache, creds->client); if (ret) goto cleanup; ret = krb5_cc_store_cred (context, local_ccache, creds); if (ret) goto cleanup; } if (!krb5_principal_compare (context, server, creds->server)) { krb5_creds match_cred; memset (&match_cred, 0, sizeof(match_cred)); match_cred.client = creds->client; match_cred.server = server; ret = krb5_get_credentials (context, 0, local_ccache, &match_cred, &new_creds); if (ret) { if (fail_verify_is_ok (context, options)) ret = 0; goto cleanup; } creds = new_creds; } ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req); krb5_auth_con_free (context, auth_context); auth_context = NULL; if (ret) goto cleanup; ret = krb5_rd_req (context, &auth_context, &req, server, keytab, 0, NULL); if (ret == KRB5_KT_NOTFOUND && fail_verify_is_ok (context, options)) ret = 0; cleanup: if (auth_context) krb5_auth_con_free (context, auth_context); krb5_data_free (&req); if (new_creds != NULL) krb5_free_creds (context, new_creds); if (ap_req_server == NULL && server) krb5_free_principal (context, server); if (ap_req_keytab == NULL && keytab) krb5_kt_close (context, keytab); if (local_ccache != NULL && (ccache == NULL || (ret != 0 && *ccache == NULL))) krb5_cc_destroy (context, local_ccache); if (ret == 0 && ccache != NULL && *ccache == NULL) *ccache = local_ccache; return ret; }
static krb5_error_code tgs_parse_request(krb5_context context, krb5_kdc_configuration *config, KDC_REQ_BODY *b, const PA_DATA *tgs_req, hdb_entry_ex **krbtgt, krb5_enctype *krbtgt_etype, krb5_ticket **ticket, const char **e_text, const char *from, const struct sockaddr *from_addr, time_t **csec, int **cusec, AuthorizationData **auth_data) { krb5_ap_req ap_req; krb5_error_code ret; krb5_principal princ; krb5_auth_context ac = NULL; krb5_flags ap_req_options; krb5_flags verify_ap_req_flags; krb5_crypto crypto; Key *tkey; *auth_data = NULL; *csec = NULL; *cusec = NULL; memset(&ap_req, 0, sizeof(ap_req)); ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); if(ret){ kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", krb5_get_err_text(context, ret)); goto out; } if(!get_krbtgt_realm(&ap_req.ticket.sname)){ /* XXX check for ticket.sname == req.sname */ kdc_log(context, config, 0, "PA-DATA is not a ticket-granting ticket"); ret = KRB5KDC_ERR_POLICY; /* ? */ goto out; } _krb5_principalname2krb5_principal(context, &princ, ap_req.ticket.sname, ap_req.ticket.realm); ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt); if(ret) { char *p; ret = krb5_unparse_name(context, princ, &p); if (ret != 0) p = "<unparse_name failed>"; krb5_free_principal(context, princ); kdc_log(context, config, 0, "Ticket-granting ticket not found in database: %s: %s", p, krb5_get_err_text(context, ret)); if (ret == 0) free(p); ret = KRB5KRB_AP_ERR_NOT_US; goto out; } if(ap_req.ticket.enc_part.kvno && *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){ char *p; ret = krb5_unparse_name (context, princ, &p); krb5_free_principal(context, princ); if (ret != 0) p = "<unparse_name failed>"; kdc_log(context, config, 0, "Ticket kvno = %d, DB kvno = %d (%s)", *ap_req.ticket.enc_part.kvno, (*krbtgt)->entry.kvno, p); if (ret == 0) free (p); ret = KRB5KRB_AP_ERR_BADKEYVER; goto out; } *krbtgt_etype = ap_req.ticket.enc_part.etype; ret = hdb_enctype2key(context, &(*krbtgt)->entry, ap_req.ticket.enc_part.etype, &tkey); if(ret){ char *str, *p; krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); krb5_unparse_name(context, princ, &p); kdc_log(context, config, 0, "No server key with enctype %s found for %s", str, p); free(str); free(p); ret = KRB5KRB_AP_ERR_BADKEYVER; goto out; } if (b->kdc_options.validate) verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID; else verify_ap_req_flags = 0; ret = krb5_verify_ap_req2(context, &ac, &ap_req, princ, &tkey->key, verify_ap_req_flags, &ap_req_options, ticket, KRB5_KU_TGS_REQ_AUTH); krb5_free_principal(context, princ); if(ret) { kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", krb5_get_err_text(context, ret)); goto out; } { krb5_authenticator auth; ret = krb5_auth_con_getauthenticator(context, ac, &auth); if (ret == 0) { *csec = malloc(sizeof(**csec)); if (*csec == NULL) { krb5_free_authenticator(context, &auth); kdc_log(context, config, 0, "malloc failed"); goto out; } **csec = auth->ctime; *cusec = malloc(sizeof(**cusec)); if (*cusec == NULL) { krb5_free_authenticator(context, &auth); kdc_log(context, config, 0, "malloc failed"); goto out; } **cusec = auth->cusec; krb5_free_authenticator(context, &auth); } } ret = tgs_check_authenticator(context, config, ac, b, e_text, &(*ticket)->ticket.key); if (ret) { krb5_auth_con_free(context, ac); goto out; } if (b->enc_authorization_data) { krb5_keyblock *subkey; krb5_data ad; ret = krb5_auth_con_getremotesubkey(context, ac, &subkey); if(ret){ krb5_auth_con_free(context, ac); kdc_log(context, config, 0, "Failed to get remote subkey: %s", krb5_get_err_text(context, ret)); goto out; } if(subkey == NULL){ ret = krb5_auth_con_getkey(context, ac, &subkey); if(ret) { krb5_auth_con_free(context, ac); kdc_log(context, config, 0, "Failed to get session key: %s", krb5_get_err_text(context, ret)); goto out; } } if(subkey == NULL){ krb5_auth_con_free(context, ac); kdc_log(context, config, 0, "Failed to get key for enc-authorization-data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; } ret = krb5_crypto_init(context, subkey, 0, &crypto); if (ret) { krb5_auth_con_free(context, ac); kdc_log(context, config, 0, "krb5_crypto_init failed: %s", krb5_get_err_text(context, ret)); goto out; } ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, b->enc_authorization_data, &ad); krb5_crypto_destroy(context, crypto); if(ret){ krb5_auth_con_free(context, ac); kdc_log(context, config, 0, "Failed to decrypt enc-authorization-data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; } krb5_free_keyblock(context, subkey); ALLOC(*auth_data); if (*auth_data == NULL) { krb5_auth_con_free(context, ac); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; } ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL); if(ret){ krb5_auth_con_free(context, ac); free(*auth_data); *auth_data = NULL; kdc_log(context, config, 0, "Failed to decode authorization data"); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ goto out; } } krb5_auth_con_free(context, ac); out: free_AP_REQ(&ap_req); return ret; }
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_verify_ap_req2(krb5_context context, krb5_auth_context *auth_context, krb5_ap_req *ap_req, krb5_const_principal server, krb5_keyblock *keyblock, krb5_flags flags, krb5_flags *ap_req_options, krb5_ticket **ticket, krb5_key_usage usage) { krb5_ticket *t; krb5_auth_context ac; krb5_error_code ret; EtypeList etypes; memset(&etypes, 0, sizeof(etypes)); if(ticket) *ticket = NULL; if (auth_context && *auth_context) { ac = *auth_context; } else { ret = krb5_auth_con_init(context, &ac); if (ret) return ret; } t = calloc(1, sizeof(*t)); if (t == NULL) { ret = ENOMEM; krb5_clear_error_message(context); goto out; } if (ap_req->ap_options.use_session_key && ac->keyblock){ ret = krb5_decrypt_ticket(context, &ap_req->ticket, ac->keyblock, &t->ticket, flags); krb5_free_keyblock(context, ac->keyblock); ac->keyblock = NULL; }else ret = krb5_decrypt_ticket(context, &ap_req->ticket, keyblock, &t->ticket, flags); if(ret) goto out; ret = _krb5_principalname2krb5_principal(context, &t->server, ap_req->ticket.sname, ap_req->ticket.realm); if (ret) goto out; ret = _krb5_principalname2krb5_principal(context, &t->client, t->ticket.cname, t->ticket.crealm); if (ret) goto out; ret = decrypt_authenticator(context, &t->ticket.key, &ap_req->authenticator, ac->authenticator, usage); if (ret) goto out; { krb5_principal p1, p2; krb5_boolean res; _krb5_principalname2krb5_principal(context, &p1, ac->authenticator->cname, ac->authenticator->crealm); _krb5_principalname2krb5_principal(context, &p2, t->ticket.cname, t->ticket.crealm); res = krb5_principal_compare(context, p1, p2); krb5_free_principal(context, p1); krb5_free_principal(context, p2); if (!res) { ret = KRB5KRB_AP_ERR_BADMATCH; krb5_clear_error_message(context); goto out; } } /* check addresses */ if (t->ticket.caddr && ac->remote_address && !krb5_address_search(context, ac->remote_address, t->ticket.caddr)) { ret = KRB5KRB_AP_ERR_BADADDR; krb5_clear_error_message(context); goto out; } /* check timestamp in authenticator */ { krb5_timestamp now; krb5_timeofday(context, &now); if (krb5_time_abs(ac->authenticator->ctime, now) > context->max_skew) { ret = KRB5KRB_AP_ERR_SKEW; krb5_clear_error_message(context); goto out; } } if (ac->authenticator->seq_number) krb5_auth_con_setremoteseqnumber(context, ac, *ac->authenticator->seq_number); /* XXX - Xor sequence numbers */ if (ac->authenticator->subkey) { ret = krb5_auth_con_setremotesubkey(context, ac, ac->authenticator->subkey); if (ret) goto out; } ret = find_etypelist(context, ac, &etypes); if (ret) goto out; ac->keytype = (krb5_keytype)ETYPE_NULL; if (etypes.val) { size_t i; for (i = 0; i < etypes.len; i++) { if (krb5_enctype_valid(context, etypes.val[i]) == 0) { ac->keytype = etypes.val[i]; break; } } } /* save key */ ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock); if (ret) goto out; if (ap_req_options) { *ap_req_options = 0; if (ac->keytype != ETYPE_NULL) *ap_req_options |= AP_OPTS_USE_SUBKEY; if (ap_req->ap_options.use_session_key) *ap_req_options |= AP_OPTS_USE_SESSION_KEY; if (ap_req->ap_options.mutual_required) *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; } if(ticket) *ticket = t; else krb5_free_ticket(context, t); if (auth_context) { if (*auth_context == NULL) *auth_context = ac; } else krb5_auth_con_free(context, ac); free_EtypeList(&etypes); return 0; out: free_EtypeList(&etypes); if (t) krb5_free_ticket(context, t); if (auth_context == NULL || *auth_context == NULL) krb5_auth_con_free(context, ac); return ret; }
static krb5_error_code init_tgs_req (krb5_context context, krb5_ccache ccache, krb5_addresses *addresses, krb5_kdc_flags flags, Ticket *second_ticket, krb5_creds *in_creds, krb5_creds *krbtgt, unsigned nonce, const METHOD_DATA *padata, krb5_keyblock **subkey, TGS_REQ *t) { krb5_auth_context ac = NULL; krb5_error_code ret = 0; memset(t, 0, sizeof(*t)); t->pvno = 5; t->msg_type = krb_tgs_req; if (in_creds->session.keytype) { ALLOC_SEQ(&t->req_body.etype, 1); if(t->req_body.etype.val == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } t->req_body.etype.val[0] = in_creds->session.keytype; } else { ret = krb5_init_etype(context, &t->req_body.etype.len, &t->req_body.etype.val, NULL); } if (ret) goto fail; t->req_body.addresses = addresses; t->req_body.kdc_options = flags.b; ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm); if (ret) goto fail; ALLOC(t->req_body.sname, 1); if (t->req_body.sname == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } /* some versions of some code might require that the client be present in TGS-REQs, but this is clearly against the spec */ ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname); if (ret) goto fail; /* req_body.till should be NULL if there is no endtime specified, but old MIT code (like DCE secd) doesn't like that */ ALLOC(t->req_body.till, 1); if(t->req_body.till == NULL){ ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } *t->req_body.till = in_creds->times.endtime; t->req_body.nonce = nonce; if(second_ticket){ ALLOC(t->req_body.additional_tickets, 1); if (t->req_body.additional_tickets == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } ALLOC_SEQ(t->req_body.additional_tickets, 1); if (t->req_body.additional_tickets->val == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val); if (ret) goto fail; } ALLOC(t->padata, 1); if (t->padata == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } ALLOC_SEQ(t->padata, 1 + padata->len); if (t->padata->val == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } { int i; for (i = 0; i < padata->len; i++) { ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]); if (ret) { krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto fail; } } } ret = krb5_auth_con_init(context, &ac); if(ret) goto fail; ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session); if (ret) goto fail; ret = set_auth_data (context, &t->req_body, &in_creds->authdata, ac->local_subkey); if (ret) goto fail; ret = make_pa_tgs_req(context, ac, &t->req_body, &t->padata->val[0], krbtgt); if(ret) goto fail; ret = krb5_auth_con_getlocalsubkey(context, ac, subkey); if (ret) goto fail; fail: if (ac) krb5_auth_con_free(context, ac); if (ret) { t->req_body.addresses = NULL; free_TGS_REQ (t); } return ret; }
OM_uint32 _gsskrb5_create_ctx( OM_uint32 * minor_status, gss_ctx_id_t * context_handle, const gss_channel_bindings_t input_chan_bindings, enum gss_ctx_id_t_state state) { krb5_error_code kret; gsskrb5_ctx ctx; *context_handle = NULL; ctx = malloc(sizeof(*ctx)); if (ctx == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; } ctx->auth_context = NULL; ctx->source = NULL; ctx->target = NULL; ctx->state = state; ctx->flags = 0; ctx->more_flags = 0; ctx->service_keyblock = NULL; ctx->ticket = NULL; krb5_data_zero(&ctx->fwd_data); ctx->lifetime = GSS_C_INDEFINITE; ctx->order = NULL; HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex); kret = krb5_auth_con_init (_gsskrb5_context, &ctx->auth_context); if (kret) { *minor_status = kret; _gsskrb5_set_error_string (); HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); return GSS_S_FAILURE; } kret = set_addresses(ctx->auth_context, input_chan_bindings); if (kret) { *minor_status = kret; HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); krb5_auth_con_free(_gsskrb5_context, ctx->auth_context); return GSS_S_BAD_BINDINGS; } /* * We need a sequence number */ krb5_auth_con_addflags(_gsskrb5_context, ctx->auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED, NULL); *context_handle = (gss_ctx_id_t)ctx; return GSS_S_COMPLETE; }