static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
const char *errmsg;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
NULL, &ccache)) != 0) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_new_unique(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_initialize(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
client->store.envvar = "KRB5CCNAME";
client->store.envval = xstrdup(client->store.filename);
krb5_cc_close(krb_context, ccache);
return;
}
/**
* \brief Establishing Kerberos connection, verifies clients credentials
* \param[in] vContextc *C The context of verse server
* \param[out] char **u_name user name of client
* \return returns 1 if Kerberos authentication was OK 0 if something went wrong
*/
int vs_kerberos_auth(struct vContext *C, char **u_name){
struct VS_CTX *vs_ctx = CTX_server_ctx(C);
struct IO_CTX *io_ctx = CTX_io_ctx(C);
struct VStreamConn *stream_conn = CTX_current_stream_conn(C);
int flags = 0;
int len = MAX_PACKET_SIZE;
unsigned char buffer[MAX_PACKET_SIZE];
char *client_principal;
krb5_data packet;
krb5_error_code krb5err;
int flag;
/* Make sure socket is blocking */
flag = fcntl(stream_conn->io_ctx.sockfd, F_GETFL, 0);
if ((fcntl(stream_conn->io_ctx.sockfd, F_SETFL, flag & ~O_NONBLOCK))
== -1) {
if (is_log_level(VRS_PRINT_ERROR))
v_print_log(VRS_PRINT_ERROR, "fcntl(): %s\n", strerror(errno));
return 0;
}
/* Get KRB_AP_REQ message */
if ((len = recvfrom(stream_conn->io_ctx.sockfd, (char *) buffer,
MAX_PACKET_SIZE, flags,
NULL, NULL)) < 0) {
v_print_log(VRS_PRINT_ERROR, "recvfrom failed.\n");
return 0;
}
packet.length = len;
packet.data = (krb5_pointer) buffer;
io_ctx->krb5_auth_ctx = vs_ctx->tcp_io_ctx.krb5_auth_ctx;
io_ctx->krb5_ctx = vs_ctx->tcp_io_ctx.krb5_ctx;
io_ctx->krb5_ticket = vs_ctx->tcp_io_ctx.krb5_ticket;
io_ctx->krb5_keytab = vs_ctx->tcp_io_ctx.krb5_keytab;
/* Check authentication info */
if ((krb5err = krb5_rd_req(io_ctx->krb5_ctx,
(krb5_auth_context *) &io_ctx->krb5_auth_ctx, &packet,
io_ctx->krb5_principal, io_ctx->krb5_keytab,
NULL, (krb5_ticket **) &io_ctx->krb5_ticket))) {
v_print_log(VRS_PRINT_ERROR, "krb5_rd_req %d: %s\n", (int) krb5err,
krb5_get_error_message(io_ctx->krb5_ctx, krb5err));
return 0;
}
/* Get user name */
if ((krb5err = krb5_unparse_name(io_ctx->krb5_ctx,
io_ctx->krb5_ticket->enc_part2->client, &client_principal))) {
v_print_log(VRS_PRINT_ERROR, "krb5_unparse_name %d: %s\n",
(int) krb5err,
krb5_get_error_message(io_ctx->krb5_ctx, krb5err));
return 0;
}
v_print_log(VRS_PRINT_DEBUG_MSG, "Got authentication info from %s\n", client_principal);
*u_name = client_principal;
return 1;
}
static int
do_v5 (const char *host,
int port,
const char *user,
const char *filename,
const char *header_str,
int leavep,
int verbose,
int forkp)
{
krb5_error_code ret;
krb5_auth_context auth_context = NULL;
krb5_principal server;
const char *estr;
int s;
s = do_connect (host, port, 1);
if (s < 0)
return 1;
ret = krb5_sname_to_principal (context,
host,
"pop",
KRB5_NT_SRV_HST,
&server);
if (ret) {
estr = krb5_get_error_message(context, ret);
warnx ("krb5_sname_to_principal: %s", estr);
krb5_free_error_message(context, estr);
return 1;
}
ret = krb5_sendauth (context,
&auth_context,
&s,
"KPOPV1.0",
NULL,
server,
0,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL);
krb5_free_principal (context, server);
if (ret) {
estr = krb5_get_error_message(context, ret);
warnx ("krb5_sendauth: %s", estr);
krb5_free_error_message(context, estr);
return 1;
}
return doit (s, host, user, filename, header_str, leavep, verbose, forkp);
}
krb5_error_code krb5int_fast_as_armor
(krb5_context context, struct krb5int_fast_request_state *state,
krb5_gic_opt_ext *opte,
krb5_kdc_req *request)
{
krb5_error_code retval = 0;
krb5_ccache ccache = NULL;
krb5_clear_error_message(context);
if (opte->opt_private->fast_ccache_name) {
retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
&ccache);
if (retval==0)
retval = fast_armor_ap_request(context, state, ccache,
krb5_princ_realm(context, request->server));
if (retval != 0) {
const char * errmsg;
errmsg = krb5_get_error_message(context, retval);
if (errmsg) {
krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg);
krb5_free_error_message(context, errmsg);
}
}
}
if (ccache)
krb5_cc_close(context, ccache);
return retval;
}
static void on_bind_readable(verto_ctx *vctx, verto_ev *ev)
{
const char *errstr = "error";
LDAPMessage *results;
struct otpd_queue_item *item = NULL;
int i, rslt;
(void)vctx;
rslt = ldap_result(verto_get_private(ev), LDAP_RES_ANY, 0, NULL, &results);
if (rslt != LDAP_RES_BIND) {
if (rslt <= 0)
results = NULL;
ldap_msgfree(results);
otpd_log_err(EIO, "IO error received on bind socket");
verto_break(ctx.vctx);
ctx.exitstatus = 1;
return;
}
item = otpd_queue_pop_msgid(&ctx.bind.responses, ldap_msgid(results));
if (item == NULL) {
ldap_msgfree(results);
return;
}
item->msgid = -1;
rslt = ldap_parse_result(verto_get_private(ev), results, &i,
NULL, NULL, NULL, NULL, 0);
if (rslt != LDAP_SUCCESS) {
errstr = ldap_err2string(rslt);
goto error;
}
rslt = i;
if (rslt != LDAP_SUCCESS) {
errstr = ldap_err2string(rslt);
goto error;
}
item->sent = 0;
i = krad_packet_new_response(ctx.kctx, SECRET,
krad_code_name2num("Access-Accept"),
NULL, item->req, &item->rsp);
if (i != 0) {
errstr = krb5_get_error_message(ctx.kctx, i);
goto error;
}
error:
if (item != NULL)
otpd_log_req(item->req, "bind end: %s",
item->rsp != NULL ? "success" : errstr);
ldap_msgfree(results);
otpd_queue_push(&ctx.stdio.responses, item);
verto_set_flags(ctx.stdio.writer, VERTO_EV_FLAG_PERSIST |
VERTO_EV_FLAG_IO_ERROR |
VERTO_EV_FLAG_IO_READ |
VERTO_EV_FLAG_IO_WRITE);
}
/*
* krcmd: simplified version of Athena's "kcmd"
* returns a socket attached to the destination, -1 or krb error on error
* if fd2p is non-NULL, another socket is filled in for it
*/
# if defined SHISHI
# ifdef HAVE_GETPWUID_R
static int pwbuflen;
static char *pwbuf = NULL; /* Reused after first allocation. */
static struct passwd pwstor, *pwd;
# endif /* HAVE_GETPWUID_R */
int
krcmd (Shishi ** h, char **ahost, unsigned short rport, char **remuser,
char *cmd, int *fd2p, const char *realm, int af)
{
int sock = -1, err = 0;
long authopts = 0L;
# ifdef HAVE_GETPWUID_R
if (!pwbuf)
{
pwbuflen = sysconf (_SC_GETPW_R_SIZE_MAX);
if (pwbuflen <= 0)
pwbuflen = 1024; /* Guessing only. */
pwbuf = malloc (pwbuflen);
}
if (pwbuf)
(void) getpwuid_r (getuid (), &pwstor, pwbuf, pwbuflen, &pwd);
# endif /* HAVE_GETPWUID_R */
err = kcmd (h, &sock, ahost, rport,
# ifdef HAVE_GETPWUID_R
pwd ? pwd->pw_name : *remuser, /* locuser */
# else /* !HAVE_GETPWUID_R */
NULL, /* locuser not used */
# endif
remuser, cmd, fd2p,
SERVICE_NAME, realm,
NULL, /* key schedule not used */
NULL, /* local addr not used */
NULL, /* foreign addr not used */
authopts, af);
if (err > SHISHI_OK)
{
fprintf (stderr, "krcmd: error %d, %s\n", err, shishi_strerror (err));
return (-1);
}
if (err < 0)
return (-1);
return (sock);
}
# elif defined(KRB5) /* !SHISHI */
int
krcmd (krb5_context *ctx, char **ahost, unsigned short rport,
char **remuser, char *cmd, int *fd2p, const char *realm)
{
int sock = -1;
krb5_error_code err = 0;
long authopts = 0L;
err = kcmd (ctx, &sock, ahost, rport,
NULL, /* locuser not used */
remuser, cmd, fd2p,
SERVICE_NAME, realm,
(krb5_keyblock **) NULL, /* key not used */
(struct sockaddr_in *) NULL, /* local addr not used */
(struct sockaddr_in *) NULL, /* foreign addr not used */
authopts);
if (err > 0)
{
const char *text = krb5_get_error_message (*ctx, err);
fprintf (stderr, "krcmd: %s\n", text);
krb5_free_error_message (*ctx, text);
return (-1);
}
if (err < 0)
return (-1);
return (sock);
}
static int
ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
{
krb5_principal princ;
int retval;
const char *errmsg;
if (ssh_gssapi_krb5_init() == 0)
return 0;
if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
&princ))) {
errmsg = krb5_get_error_message(krb_context, retval);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return 0;
}
if (krb5_kuserok(krb_context, princ, name)) {
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value);
} else
retval = 0;
krb5_free_principal(krb_context, princ);
return retval;
}
krb5_error_code
handle_authdata (krb5_context context,
unsigned int flags,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply)
{
krb5_error_code code = 0;
int i;
for (i = 0; i < n_authdata_systems; i++) {
const krb5_authdata_systems *asys = &authdata_systems[i];
if (isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS) &&
!isflagset(asys->flags, AUTHDATA_FLAG_ANONYMOUS))
continue;
switch (asys->type) {
case AUTHDATA_SYSTEM_V0:
/* V0 was only in AS-REQ code path */
if (request->msg_type != KRB5_AS_REQ)
continue;
code = (*asys->handle_authdata.v0)(context, client, req_pkt,
request, enc_tkt_reply);
break;
case AUTHDATA_SYSTEM_V2:
code = (*asys->handle_authdata.v2)(context, flags,
client, server, krbtgt,
client_key, server_key, krbtgt_key,
req_pkt, request, for_user_princ,
enc_tkt_request,
enc_tkt_reply);
break;
default:
code = 0;
break;
}
if (code != 0) {
const char *emsg;
emsg = krb5_get_error_message (context, code);
krb5_klog_syslog(LOG_INFO, _("authdata (%s) handling failure: %s"),
asys->name, emsg);
krb5_free_error_message (context, emsg);
if (asys->flags & AUTHDATA_FLAG_CRITICAL)
break;
}
}
return code;
}
static int
match_rfc_san(krb5_context context,
krb5_kdc_configuration *config,
hx509_context hx509ctx,
hx509_cert client_cert,
krb5_const_principal match)
{
hx509_octet_string_list list;
int ret, found = 0;
size_t i;
memset(&list, 0 , sizeof(list));
ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
client_cert,
&asn1_oid_id_pkinit_san,
&list);
if (ret)
goto out;
for (i = 0; !found && i < list.len; i++) {
krb5_principal_data principal;
KRB5PrincipalName kn;
size_t size;
ret = decode_KRB5PrincipalName(list.val[i].data,
list.val[i].length,
&kn, &size);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
"Decoding kerberos name in certificate failed: %s", msg);
krb5_free_error_message(context, msg);
break;
}
if (size != list.val[i].length) {
kdc_log(context, config, 0,
"Decoding kerberos name have extra bits on the end");
return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
}
memset(&principal, 0, sizeof (principal));
principal.name = kn.principalName;
principal.realm = kn.realm;
if (krb5_principal_compare(context, &principal, match) == TRUE)
found = 1;
free_KRB5PrincipalName(&kn);
}
out:
hx509_free_octet_string_list(&list);
if (ret)
return ret;
if (!found)
return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
return 0;
}
void
redirect_errors(const char *who, afs_int32 code, const char *fmt, va_list ap)
{
krb5_context context;
if (who) {
fputs(who, stderr);
fputs(": ", stderr);
}
if (code) {
int freestr = 0;
char *str = (char *)afs_error_message(code);
if (strncmp(str, "unknown", strlen(str)) == 0) {
if (!krb5_init_context(&context))
{
str = krb5_get_error_message(NULL, code);
freestr = 1;
}
}
fputs(str, stderr);
fputs(" ", stderr);
if (freestr) {
krb5_free_error_message(context, str);
krb5_free_context(context);
}
}
if (fmt) {
vfprintf(stderr, fmt, ap);
}
putc('\n', stderr);
fflush(stderr);
}
krb5_error_code
kcm_ccache_resolve_client(krb5_context context,
kcm_client *client,
kcm_operation opcode,
const char *name,
kcm_ccache *ccache)
{
krb5_error_code ret;
const char *estr;
ret = kcm_ccache_resolve(context, name, ccache);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(1, "Failed to resolve cache %s: %s", name, estr);
krb5_free_error_message(context, estr);
return ret;
}
ret = kcm_access(context, client, opcode, *ccache);
if (ret) {
ret = KRB5_FCC_NOFILE; /* don't disclose */
kcm_release_ccache(context, *ccache);
}
return ret;
}
krb5_error_code
kcm_ccache_destroy_client(krb5_context context,
kcm_client *client,
const char *name)
{
krb5_error_code ret;
kcm_ccache ccache;
const char *estr;
ret = kcm_ccache_resolve(context, name, &ccache);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(1, "Failed to resolve cache %s: %s", name, estr);
krb5_free_error_message(context, estr);
return ret;
}
ret = kcm_access(context, client, KCM_OP_DESTROY, ccache);
kcm_cleanup_events(context, ccache);
kcm_release_ccache(context, ccache);
if (ret)
return ret;
return kcm_ccache_destroy(context, name);
}
/**
* Prints the error message associated with a failed krb5 call
*/
void curl_krb5_print_error_message(krb5_context krb_context, int error_code, struct SessionHandle *data) {
const char *errormsg = krb5_get_error_message(krb_context, error_code);
infof(data, "KRB5_ERROR: %s \n" , errormsg);
infof(data, "KRB5_ERROR_CODE: %d", error_code); //for debugging certain scenarios
infof(data, "\n Freeing all krb5 related data structures \n");
krb5_free_error_message(krb_context, errormsg);
}
krb5_error_code
handle_authdata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply)
{
krb5_error_code retval = 0;
krb5_authdata_systems *authdata_sys;
int i;
const char *emsg;
krb5_klog_syslog (LOG_DEBUG, "handling authdata");
for (authdata_sys = authdata_systems, i = 0; authdata_sys != NULL && i < n_authdata_systems; i++) {
if (authdata_sys[i].handle_authdata && authdata_sys[i].type != -1) {
retval = authdata_sys[i].handle_authdata(context, client, req_pkt, request,
enc_tkt_reply);
if (retval) {
emsg = krb5_get_error_message (context, retval);
krb5_klog_syslog (LOG_INFO, "authdata (%s) handling failure: %s",
authdata_sys[i].name, emsg);
krb5_free_error_message (context, emsg);
} else {
krb5_klog_syslog (LOG_DEBUG, ".. .. ok");
}
}
}
return 0;
}
static void forward_cb(krb5_error_code retval, const krad_packet *request,
const krad_packet *response, void *data)
{
krad_code code, acpt;
struct otpd_queue_item *item = data;
(void)request;
acpt = krad_code_name2num("Access-Accept");
code = krad_packet_get_code(response);
if (retval == 0 && code == acpt) {
item->sent = 0;
retval = krad_packet_new_response(ctx.kctx, SECRET, acpt,
NULL, item->req, &item->rsp);
}
otpd_log_req(item->req, "forward end: %s",
retval == 0
? krad_code_num2name(code)
: krb5_get_error_message(ctx.kctx, retval));
otpd_queue_push(&ctx.stdio.responses, item);
verto_set_flags(ctx.stdio.writer, VERTO_EV_FLAG_PERSIST |
VERTO_EV_FLAG_IO_ERROR |
VERTO_EV_FLAG_IO_READ |
VERTO_EV_FLAG_IO_WRITE);
}
const char *KRB5_CALLCONV sss_krb5_get_error_message(krb5_context ctx,
krb5_error_code ec)
{
#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
return krb5_get_error_message(ctx, ec);
#else
int ret;
char *s = NULL;
int size = sizeof("Kerberos error [XXXXXXXXXXXX]");
s = malloc(sizeof(char) * (size));
if (s == NULL) {
return NULL;
}
ret = snprintf(s, size, "Kerberos error [%12d]", ec);
if (ret < 0 || ret >= size) {
free(s);
return NULL;
}
return s;
#endif
}
/*
* krcmd: simplified version of Athena's "kcmd"
* returns a socket attached to the destination, -1 or krb error on error
* if fd2p is non-NULL, another socket is filled in for it
*/
# if defined SHISHI
# ifdef HAVE_GETPWUID_R
static int pwbuflen;
static char *pwbuf = NULL; /* Reused after first allocation. */
static struct passwd pwstor, *pwd;
# endif /* HAVE_GETPWUID_R */
int
krcmd (Shishi ** h, char **ahost, unsigned short rport, char **remuser,
char *cmd, int *fd2p, const char *realm, int af)
{
int sock = -1, err = 0;
long authopts = 0L;
# ifdef HAVE_GETPWUID_R
if (!pwbuf)
{
pwbuflen = sysconf (_SC_GETPW_R_SIZE_MAX);
if (pwbuflen <= 0)
pwbuflen = 1024; /* Guessing only. */
pwbuf = malloc (pwbuflen);
}
if (pwbuf)
(void) getpwuid_r (getuid (), &pwstor, pwbuf, pwbuflen, &pwd);
# endif /* HAVE_GETPWUID_R */
err = kcmd (h, &sock, ahost, rport,
# ifdef HAVE_GETPWUID_R
pwd ? pwd->pw_name : *remuser, /* locuser */
# else /* !HAVE_GETPWUID_R */
NULL, /* locuser not used */
# endif
remuser, cmd, fd2p,
SERVICE_NAME, realm,
NULL, /* key schedule not used */
NULL, /* local addr not used */
NULL, /* foreign addr not used */
authopts, af);
if (err > SHISHI_OK)
{
fprintf (stderr, "krcmd: error %d, %s\n", err, shishi_strerror (err));
return (-1);
}
if (err < 0)
return (-1);
return (sock);
}
# elif defined(KRB5) /* !SHISHI */
int
krcmd (krb5_context *ctx, char **ahost, unsigned short rport,
char **remuser, char *cmd, int *fd2p, const char *realm)
{
int sock = -1;
krb5_error_code err = 0;
long authopts = 0L;
err = kcmd (ctx, &sock, ahost, rport,
NULL, /* locuser not used */
remuser, cmd, fd2p,
SERVICE_NAME, realm,
(krb5_keyblock **) NULL, /* key not used */
(struct sockaddr_in *) NULL, /* local addr not used */
(struct sockaddr_in *) NULL, /* foreign addr not used */
authopts);
if (err > 0)
{
const char *text = krb5_get_error_message (*ctx, err);
fprintf (stderr, "krcmd: %s\n", text);
krb5_free_error_message (*ctx, text);
return (-1);
}
if (err < 0)
return (-1);
return (sock);
}
# endif /* KRB5 && !SHISHI */
# ifdef ENCRYPTION
# if defined SHISHI
int
krcmd_mutual (Shishi ** h, char **ahost, unsigned short rport, char **remuser,
char *cmd, int *fd2p, const char *realm, Shishi_key ** key, int af)
{
int sock = -1, err = 0;
struct sockaddr_storage laddr, faddr;
long authopts = SHISHI_APOPTIONS_MUTUAL_REQUIRED;
# ifdef HAVE_GETPWUID_R
if (!pwbuf)
{
pwbuflen = sysconf (_SC_GETPW_R_SIZE_MAX);
if (pwbuflen <= 0)
pwbuflen = 1024; /* Guessing only. */
pwbuf = malloc (pwbuflen);
}
if (pwbuf)
(void) getpwuid_r (getuid (), &pwstor, pwbuf, pwbuflen, &pwd);
# endif /* HAVE_GETPWUID_R */
err = kcmd (h, &sock, ahost, rport,
# ifdef HAVE_GETPWUID_R
pwd ? pwd->pw_name : *remuser, /* locuser */
# else /* !HAVE_GETPWUID_R */
NULL, /* locuser not used */
# endif
remuser, cmd, fd2p,
SERVICE_NAME, realm,
key, /* filled in */
&laddr, /* filled in */
&faddr, /* filled in */
authopts, af);
if (err > SHISHI_OK)
{
fprintf (stderr, "krcmd_mutual: error %d, %s\n",
err, shishi_strerror (err));
return (-1);
}
if (err < 0)
return (-1);
return (sock);
}
# elif defined(KRB5) /* !SHISHI */
int
krcmd_mutual (krb5_context *ctx, char **ahost, unsigned short rport,
char **remuser, char *cmd, int *fd2p, const char *realm,
krb5_keyblock **key)
{
int sock;
krb5_error_code err = 0;
struct sockaddr_in laddr, faddr;
long authopts = AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY;
err = kcmd (ctx, &sock, ahost, rport,
NULL, /* locuser not used */
remuser, cmd, fd2p,
SERVICE_NAME, realm,
key, /* filled in */
&laddr, /* filled in */
&faddr, /* filled in */
authopts);
if (err > 0)
{
const char *text = krb5_get_error_message (*ctx, err);
fprintf (stderr, "krcmd_mutual: %s\n", text);
krb5_free_error_message (*ctx, text);
return (-1);
}
if (err < 0)
return (-1);
return (sock);
}
static void
log_krb5_errmsg( krb5_context ctx, const char* func, krb5_error_code rc )
{
const char* errmsg = krb5_get_error_message(ctx, rc);
Log(LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, "slapd-kinit: %s: %s\n", func, errmsg );
krb5_free_error_message(ctx, errmsg);
return;
}
QString
v5::getKrb5ErrorMessage(krb5_context kcontext, krb5_error_code code)
{
const char *message = krb5_get_error_message(kcontext, code);
QString msg(message);
krb5_free_error_message(kcontext, message);
return msg;
}
OM_uint32 GSSAPI_CALLCONV _gsskrb5_display_status
(OM_uint32 *minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
OM_uint32 *message_context,
gss_buffer_t status_string)
{
krb5_context context;
char *buf = NULL;
int e = 0;
GSSAPI_KRB5_INIT (&context);
status_string->length = 0;
status_string->value = NULL;
if (gss_oid_equal(mech_type, GSS_C_NO_OID) == 0 &&
gss_oid_equal(mech_type, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_C_GSS_CODE;
}
if (status_type == GSS_C_GSS_CODE) {
if (GSS_SUPPLEMENTARY_INFO(status_value))
e = asprintf(&buf, "%s",
supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
else
e = asprintf (&buf, "%s %s",
calling_error(GSS_CALLING_ERROR(status_value)),
routine_error(GSS_ROUTINE_ERROR(status_value)));
} else if (status_type == GSS_C_MECH_CODE) {
const char *buf2 = krb5_get_error_message(context, status_value);
if (buf2) {
buf = strdup(buf2);
krb5_free_error_message(context, buf2);
} else {
e = asprintf(&buf, "unknown mech error-code %u",
(unsigned)status_value);
}
} else {
*minor_status = EINVAL;
return GSS_S_BAD_STATUS;
}
if (e < 0 || buf == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
*message_context = 0;
*minor_status = 0;
status_string->length = strlen(buf);
status_string->value = buf;
return GSS_S_COMPLETE;
}
krb5_error_code
krb5int_fast_as_armor(krb5_context context,
struct krb5int_fast_request_state *state,
krb5_gic_opt_ext *opte,
krb5_kdc_req *request)
{
krb5_error_code retval = 0;
krb5_ccache ccache = NULL;
krb5_principal target_principal = NULL;
krb5_data *target_realm;
krb5_clear_error_message(context);
target_realm = krb5_princ_realm(context, request->server);
if (opte->opt_private->fast_ccache_name) {
TRACE_FAST_ARMOR_CCACHE(context, opte->opt_private->fast_ccache_name);
state->fast_state_flags |= KRB5INT_FAST_ARMOR_AVAIL;
retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
&ccache);
if (retval == 0) {
retval = krb5int_tgtname(context, target_realm, target_realm,
&target_principal);
}
if (retval == 0) {
krb5_data config_data;
config_data.data = NULL;
retval = krb5_cc_get_config(context, ccache, target_principal,
KRB5_CONF_FAST_AVAIL, &config_data);
if ((retval == 0) && config_data.data) {
TRACE_FAST_CCACHE_CONFIG(context);
state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
}
krb5_free_data_contents(context, &config_data);
retval = 0;
}
if (opte->opt_private->fast_flags & KRB5_FAST_REQUIRED) {
TRACE_FAST_REQUIRED(context);
state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
}
if (retval == 0 && (state->fast_state_flags & KRB5INT_FAST_DO_FAST)) {
retval = fast_armor_ap_request(context, state, ccache,
target_principal);
}
if (retval != 0) {
const char * errmsg;
errmsg = krb5_get_error_message(context, retval);
if (errmsg) {
krb5_set_error_message(context, retval,
"%s constructing AP-REQ armor", errmsg);
krb5_free_error_message(context, errmsg);
}
}
}
if (ccache)
krb5_cc_close(context, ccache);
if (target_principal)
krb5_free_principal(context, target_principal);
return retval;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_error_ext(krb5_context context,
krb5_error_code error_code,
const char *e_text,
const krb5_data *e_data,
const krb5_principal server,
const PrincipalName *client_name,
const Realm *client_realm,
time_t *client_time,
int *client_usec,
krb5_data *reply)
{
const char *e_text2 = NULL;
KRB_ERROR msg;
krb5_timestamp sec;
int32_t usec;
size_t len = 0;
krb5_error_code ret = 0;
krb5_us_timeofday (context, &sec, &usec);
memset(&msg, 0, sizeof(msg));
msg.pvno = 5;
msg.msg_type = krb_error;
msg.stime = sec;
msg.susec = usec;
msg.ctime = client_time;
msg.cusec = client_usec;
/* Make sure we only send `protocol' error codes */
if(error_code < KRB5KDC_ERR_NONE || error_code >= KRB5_ERR_RCSID) {
if(e_text == NULL)
e_text = e_text2 = krb5_get_error_message(context, error_code);
error_code = KRB5KRB_ERR_GENERIC;
}
msg.error_code = error_code - KRB5KDC_ERR_NONE;
if (e_text)
msg.e_text = rk_UNCONST(&e_text);
if (e_data)
msg.e_data = rk_UNCONST(e_data);
if(server){
msg.realm = server->realm;
msg.sname = server->name;
}else{
static char unspec[] = "<unspecified realm>";
msg.realm = unspec;
}
msg.crealm = rk_UNCONST(client_realm);
msg.cname = rk_UNCONST(client_name);
ASN1_MALLOC_ENCODE(KRB_ERROR, reply->data, reply->length, &msg, &len, ret);
if (e_text2)
krb5_free_error_message(context, e_text2);
if (ret)
return ret;
if(reply->length != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
return 0;
}
static void
exim_heimdal_error_debug(const char *label,
krb5_context context, krb5_error_code err)
{
const char *kerrsc;
kerrsc = krb5_get_error_message(context, err);
debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
krb5_free_error_message(context, kerrsc);
}
static isc_result_t
check_credentials(krb5_context context, krb5_ccache ccache, krb5_principal service)
{
char *realm = NULL;
krb5_creds creds;
krb5_creds mcreds;
krb5_error_code krberr;
krb5_timestamp now;
isc_result_t result = ISC_R_FAILURE;
memset(&mcreds, 0, sizeof(mcreds));
memset(&creds, 0, sizeof(creds));
krberr = krb5_get_default_realm(context, &realm);
CHECK_KRB5(context, krberr, "Failed to retrieve default realm");
krberr = krb5_build_principal(context, &mcreds.server,
strlen(realm), realm,
"krbtgt", realm, NULL);
CHECK_KRB5(context, krberr, "Failed to build 'krbtgt/REALM' principal");
mcreds.client = service;
krberr = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds);
if (krberr) {
const char * errmsg = krb5_get_error_message(context, krberr);
log_error("Credentials are not present in cache (%s)\n", errmsg);
krb5_free_error_message(context, errmsg);
result = ISC_R_FAILURE;
goto cleanup;
}
CHECK_KRB5(context, krberr, "Credentials are not present in cache ");
krberr = krb5_timeofday(context, &now);
CHECK_KRB5(context, krberr, "Failed to get time of day");
if (now > (creds.times.endtime + KRB_MIN_TIME)) {
log_error("Credentials cache expired");
result = ISC_R_FAILURE;
goto cleanup;
} else {
char buf[255];
char fill = ' ';
krb5_timestamp_to_sfstring(creds.times.endtime, buf, 16, &fill);
log_info("Credentials valid til %s\n", buf);
}
result = ISC_R_SUCCESS;
cleanup:
krb5_free_cred_contents(context, &creds);
if (mcreds.server) krb5_free_principal(context, mcreds.server);
if (realm) krb5_free_default_realm(context, realm);
return result;
}
static krb5_error_code decrypt_fast_reply
(krb5_context context, struct krb5int_fast_request_state *state,
krb5_pa_data **in_padata,
krb5_fast_response **response)
{
krb5_error_code retval = 0;
krb5_data scratch;
krb5_enc_data *encrypted_response = NULL;
krb5_pa_data *fx_reply = NULL;
krb5_fast_response *local_resp = NULL;
assert(state != NULL);
assert(state->armor_key);
fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST);
if (fx_reply == NULL)
retval = KRB5_ERR_FAST_REQUIRED;
if (retval == 0) {
scratch.data = (char *) fx_reply->contents;
scratch.length = fx_reply->length;
retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response);
}
scratch.data = NULL;
if (retval == 0) {
scratch.data = malloc(encrypted_response->ciphertext.length);
if (scratch.data == NULL)
retval = ENOMEM;
scratch.length = encrypted_response->ciphertext.length;
}
if (retval == 0)
retval = krb5_c_decrypt(context, state->armor_key,
KRB5_KEYUSAGE_FAST_REP, NULL,
encrypted_response, &scratch);
if (retval != 0) {
const char * errmsg;
errmsg = krb5_get_error_message(context, retval);
krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg);
krb5_free_error_message(context, errmsg);
}
if (retval == 0)
retval = decode_krb5_fast_response(&scratch, &local_resp);
if (retval == 0) {
if (local_resp->nonce != state->nonce) {
retval = KRB5_KDCREP_MODIFIED;
krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified");
}
}
if (retval == 0) {
*response = local_resp;
local_resp = NULL;
}
if (scratch.data)
free(scratch.data);
if (encrypted_response)
krb5_free_enc_data(context, encrypted_response);
if (local_resp)
krb5_free_fast_response(context, local_resp);
return retval;
}
static void k5support_log_err(krb5_context context,
krb5_error_code code,
char const *msg)
{
const char *k5_msg = krb5_get_error_message(context, code);
syslog(LOG_DEBUG, "auth_krb5: %s: %s (%d)\n", msg, k5_msg, code);
krb5_free_error_message(context, k5_msg);
}
static void
print_krb5_error(krb5_context context, krb5_error_code code, const char *msg)
{
const char *error_message;
error_message = krb5_get_error_message(context, code);
printf(msg, error_message);
krb5_free_error_message(context, error_message);
}
static krb5_error_code armor_ap_request
(struct kdc_request_state *state, krb5_fast_armor *armor)
{
krb5_error_code retval = 0;
krb5_auth_context authcontext = NULL;
krb5_ticket *ticket = NULL;
krb5_keyblock *subkey = NULL;
kdc_realm_t *kdc_active_realm = state->realm_data;
assert(armor->armor_type == KRB5_FAST_ARMOR_AP_REQUEST);
krb5_clear_error_message(kdc_context);
retval = krb5_auth_con_init(kdc_context, &authcontext);
if (retval == 0)
retval = krb5_auth_con_setflags(kdc_context,
authcontext, 0); /*disable replay cache*/
retval = krb5_rd_req(kdc_context, &authcontext,
&armor->armor_value, NULL /*server*/,
kdc_active_realm->realm_keytab, NULL, &ticket);
if (retval != 0) {
const char * errmsg = krb5_get_error_message(kdc_context, retval);
krb5_set_error_message(kdc_context, retval,
_("%s while handling ap-request armor"),
errmsg);
krb5_free_error_message(kdc_context, errmsg);
}
if (retval == 0) {
if (!krb5_principal_compare_any_realm(kdc_context,
tgs_server,
ticket->server)) {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_SERVER_NOMATCH,
_("ap-request armor for something other "
"than the local TGS"));
retval = KRB5KDC_ERR_SERVER_NOMATCH;
}
}
if (retval == 0) {
retval = krb5_auth_con_getrecvsubkey(kdc_context, authcontext, &subkey);
if (retval != 0 || subkey == NULL) {
krb5_set_error_message(kdc_context, KRB5KDC_ERR_POLICY,
_("ap-request armor without subkey"));
retval = KRB5KDC_ERR_POLICY;
}
}
if (retval == 0)
retval = krb5_c_fx_cf2_simple(kdc_context,
subkey, "subkeyarmor",
ticket->enc_part2->session, "ticketarmor",
&state->armor_key);
if (ticket)
krb5_free_ticket(kdc_context, ticket);
if (subkey)
krb5_free_keyblock(kdc_context, subkey);
if (authcontext)
krb5_auth_con_free(kdc_context, authcontext);
return retval;
}
static void extended_com_err_fn (const char *myprog, errcode_t code,
const char *fmt, va_list args)
{
const char *emsg;
emsg = krb5_get_error_message (errctx, code);
fprintf (stderr, "%s: %s ", myprog, emsg);
krb5_free_error_message (errctx, emsg);
vfprintf (stderr, fmt, args);
fprintf (stderr, "\n");
}
static void
check(krb5_error_code code, int lineno)
{
const char *errmsg;
if (code) {
errmsg = krb5_get_error_message(ctx, code);
fprintf(stderr, "Unexpected error at line %d: %s\n", lineno, errmsg);
krb5_free_error_message(ctx, errmsg);
exit(1);
}
}
