krb5_error_code
_kdc_pk_rd_padata(krb5_context context,
krb5_kdc_configuration *config,
const KDC_REQ *req,
const PA_DATA *pa,
pk_client_params **ret_params)
{
pk_client_params *client_params;
krb5_error_code ret;
heim_oid eContentType = { 0, NULL }, contentInfoOid = { 0, NULL };
krb5_data eContent = { 0, NULL };
krb5_data signed_content = { 0, NULL };
const char *type = "unknown type";
int have_data = 0;
*ret_params = NULL;
if (!config->enable_pkinit) {
kdc_log(context, config, 0, "PK-INIT request but PK-INIT not enabled");
krb5_clear_error_message(context);
return 0;
}
hx509_verify_set_time(kdc_identity->verify_ctx, kdc_time);
client_params = calloc(1, sizeof(*client_params));
if (client_params == NULL) {
krb5_clear_error_message(context);
ret = ENOMEM;
goto out;
}
if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) {
PA_PK_AS_REQ_Win2k r;
type = "PK-INIT-Win2k";
ret = decode_PA_PK_AS_REQ_Win2k(pa->padata_value.data,
pa->padata_value.length,
&r,
NULL);
if (ret) {
krb5_set_error_message(context, ret, "Can't decode "
"PK-AS-REQ-Win2k: %d", ret);
goto out;
}
ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack,
&contentInfoOid,
&signed_content,
&have_data);
free_PA_PK_AS_REQ_Win2k(&r);
if (ret) {
krb5_set_error_message(context, ret,
"Can't decode PK-AS-REQ: %d", ret);
goto out;
}
} else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
PA_PK_AS_REQ r;
type = "PK-INIT-IETF";
ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
pa->padata_value.length,
&r,
NULL);
if (ret) {
krb5_set_error_message(context, ret, "Can't decode PK-AS-REQ: %d", ret);
goto out;
}
/* XXX look at r.kdcPkId */
if (r.trustedCertifiers) {
ExternalPrincipalIdentifiers *edi = r.trustedCertifiers;
unsigned int i;
ret = hx509_certs_init(kdc_identity->hx509ctx,
"MEMORY:client-anchors",
0, NULL,
&client_params->client_anchors);
if (ret) {
krb5_set_error_message(context, ret, "Can't allocate client anchors: %d", ret);
goto out;
}
for (i = 0; i < edi->len; i++) {
IssuerAndSerialNumber iasn;
hx509_query *q;
hx509_cert cert;
size_t size;
if (edi->val[i].issuerAndSerialNumber == NULL)
continue;
ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
if (ret) {
krb5_set_error_message(context, ret,
"Failed to allocate hx509_query");
goto out;
}
ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data,
edi->val[i].issuerAndSerialNumber->length,
&iasn,
&size);
if (ret) {
hx509_query_free(kdc_identity->hx509ctx, q);
continue;
}
ret = hx509_query_match_issuer_serial(q, &iasn.issuer, &iasn.serialNumber);
free_IssuerAndSerialNumber(&iasn);
if (ret)
continue;
ret = hx509_certs_find(kdc_identity->hx509ctx,
kdc_identity->certs,
q,
&cert);
hx509_query_free(kdc_identity->hx509ctx, q);
if (ret)
continue;
hx509_certs_add(kdc_identity->hx509ctx,
client_params->client_anchors, cert);
hx509_cert_free(cert);
}
}
ret = hx509_cms_unwrap_ContentInfo(&r.signedAuthPack,
&contentInfoOid,
&signed_content,
&have_data);
free_PA_PK_AS_REQ(&r);
if (ret) {
krb5_set_error_message(context, ret,
"Can't unwrap ContentInfo: %d", ret);
goto out;
}
} else {
krb5_clear_error_message(context);
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
goto out;
}
ret = der_heim_oid_cmp(&contentInfoOid, oid_id_pkcs7_signedData());
if (ret != 0) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"PK-AS-REQ-Win2k invalid content type oid");
goto out;
}
if (!have_data) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"PK-AS-REQ-Win2k no signed auth pack");
goto out;
}
{
hx509_certs signer_certs;
ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
kdc_identity->verify_ctx,
signed_content.data,
signed_content.length,
NULL,
kdc_identity->certpool,
&eContentType,
&eContent,
&signer_certs);
if (ret) {
char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret);
krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
s, ret);
free(s);
goto out;
}
ret = hx509_get_one_cert(kdc_identity->hx509ctx, signer_certs,
&client_params->cert);
hx509_certs_free(&signer_certs);
if (ret)
goto out;
}
/* Signature is correct, now verify the signed message */
if (der_heim_oid_cmp(&eContentType, oid_id_pkcs7_data()) != 0 &&
der_heim_oid_cmp(&eContentType, oid_id_pkauthdata()) != 0)
{
ret = KRB5_BADMSGTYPE;
krb5_set_error_message(context, ret, "got wrong oid for pkauthdata");
goto out;
}
if (pa->padata_type == KRB5_PADATA_PK_AS_REQ_WIN) {
AuthPack_Win2k ap;
ret = decode_AuthPack_Win2k(eContent.data,
eContent.length,
&ap,
NULL);
if (ret) {
krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret);
goto out;
}
ret = pk_check_pkauthenticator_win2k(context,
&ap.pkAuthenticator,
req);
if (ret) {
free_AuthPack_Win2k(&ap);
goto out;
}
client_params->type = PKINIT_WIN2K;
client_params->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "DH not supported for windows");
goto out;
}
free_AuthPack_Win2k(&ap);
} else if (pa->padata_type == KRB5_PADATA_PK_AS_REQ) {
AuthPack ap;
ret = decode_AuthPack(eContent.data,
eContent.length,
&ap,
NULL);
if (ret) {
krb5_set_error_message(context, ret, "can't decode AuthPack: %d", ret);
free_AuthPack(&ap);
goto out;
}
ret = pk_check_pkauthenticator(context,
&ap.pkAuthenticator,
req);
if (ret) {
free_AuthPack(&ap);
goto out;
}
client_params->type = PKINIT_27;
client_params->nonce = ap.pkAuthenticator.nonce;
if (ap.clientPublicValue) {
ret = get_dh_param(context, config,
ap.clientPublicValue, client_params);
if (ret) {
free_AuthPack(&ap);
goto out;
}
}
if (ap.supportedCMSTypes) {
ret = hx509_peer_info_alloc(kdc_identity->hx509ctx,
&client_params->peer);
if (ret) {
free_AuthPack(&ap);
goto out;
}
ret = hx509_peer_info_set_cms_algs(kdc_identity->hx509ctx,
client_params->peer,
ap.supportedCMSTypes->val,
ap.supportedCMSTypes->len);
if (ret) {
free_AuthPack(&ap);
goto out;
}
}
free_AuthPack(&ap);
} else
krb5_abortx(context, "internal pkinit error");
kdc_log(context, config, 0, "PK-INIT request of type %s", type);
out:
if (ret)
krb5_warn(context, ret, "PKINIT");
if (signed_content.data)
free(signed_content.data);
krb5_data_free(&eContent);
der_free_oid(&eContentType);
der_free_oid(&contentInfoOid);
if (ret)
_kdc_pk_free_client_param(context, client_params);
else
*ret_params = client_params;
return ret;
}
kadm5_ret_t
kadm5_get_policy(void *server_handle, kadm5_policy_t name,
kadm5_policy_ent_t entry)
{
osa_policy_ent_t t;
kadm5_ret_t ret;
kadm5_server_handle_t handle = server_handle;
memset(entry, 0, sizeof(*entry));
CHECK_HANDLE(server_handle);
krb5_clear_error_message(handle->context);
if (name == (kadm5_policy_t) NULL)
return EINVAL;
if(strlen(name) == 0)
return KADM5_BAD_POLICY;
ret = krb5_db_get_policy(handle->context, name, &t);
if (ret == KRB5_KDB_NOENTRY)
return KADM5_UNK_POLICY;
else if (ret)
return ret;
if ((entry->policy = strdup(t->name)) == NULL) {
ret = ENOMEM;
goto cleanup;
}
entry->pw_min_life = t->pw_min_life;
entry->pw_max_life = t->pw_max_life;
entry->pw_min_length = t->pw_min_length;
entry->pw_min_classes = t->pw_min_classes;
entry->pw_history_num = t->pw_history_num;
if (handle->api_version >= KADM5_API_VERSION_3) {
entry->pw_max_fail = t->pw_max_fail;
entry->pw_failcnt_interval = t->pw_failcnt_interval;
entry->pw_lockout_duration = t->pw_lockout_duration;
}
if (handle->api_version >= KADM5_API_VERSION_4) {
entry->attributes = t->attributes;
entry->max_life = t->max_life;
entry->max_renewable_life = t->max_renewable_life;
if (t->allowed_keysalts) {
entry->allowed_keysalts = strdup(t->allowed_keysalts);
if (!entry->allowed_keysalts) {
ret = ENOMEM;
goto cleanup;
}
}
ret = copy_tl_data(t->n_tl_data, t->tl_data, &entry->tl_data);
if (ret)
goto cleanup;
entry->n_tl_data = t->n_tl_data;
}
ret = 0;
cleanup:
if (ret)
kadm5_free_policy_ent(handle, entry);
krb5_db_free_policy(handle->context, t);
return ret;
}
static krb5_error_code
get_dh_param(krb5_context context,
krb5_kdc_configuration *config,
SubjectPublicKeyInfo *dh_key_info,
pk_client_params *client_params)
{
DomainParameters dhparam;
DH *dh = NULL;
krb5_error_code ret;
memset(&dhparam, 0, sizeof(dhparam));
if ((dh_key_info->subjectPublicKey.length % 8) != 0) {
ret = KRB5_BADMSGTYPE;
krb5_set_error_message(context, ret,
"PKINIT: subjectPublicKey not aligned "
"to 8 bit boundary");
goto out;
}
if (dh_key_info->algorithm.parameters == NULL) {
krb5_set_error_message(context, KRB5_BADMSGTYPE,
"PKINIT missing algorithm parameter "
"in clientPublicValue");
return KRB5_BADMSGTYPE;
}
ret = decode_DomainParameters(dh_key_info->algorithm.parameters->data,
dh_key_info->algorithm.parameters->length,
&dhparam,
NULL);
if (ret) {
krb5_set_error_message(context, ret, "Can't decode algorithm "
"parameters in clientPublicValue");
goto out;
}
ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits,
&dhparam.p, &dhparam.g, dhparam.q, moduli,
&client_params->dh_group_name);
if (ret) {
/* XXX send back proposal of better group */
goto out;
}
dh = DH_new();
if (dh == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "Cannot create DH structure");
goto out;
}
ret = KRB5_BADMSGTYPE;
dh->p = integer_to_BN(context, "DH prime", &dhparam.p);
if (dh->p == NULL)
goto out;
dh->g = integer_to_BN(context, "DH base", &dhparam.g);
if (dh->g == NULL)
goto out;
if (dhparam.q) {
dh->q = integer_to_BN(context, "DH p-1 factor", dhparam.q);
if (dh->q == NULL)
goto out;
}
{
heim_integer glue;
size_t size;
ret = decode_DHPublicKey(dh_key_info->subjectPublicKey.data,
dh_key_info->subjectPublicKey.length / 8,
&glue,
&size);
if (ret) {
krb5_clear_error_message(context);
return ret;
}
client_params->u.dh.public_key = integer_to_BN(context,
"subjectPublicKey",
&glue);
der_free_heim_integer(&glue);
if (client_params->u.dh.public_key == NULL) {
ret = KRB5_BADMSGTYPE;
goto out;
}
}
client_params->u.dh.key = dh;
dh = NULL;
ret = 0;
out:
if (dh)
DH_free(dh);
free_DomainParameters(&dhparam);
return ret;
}
int
_krb5_extract_ticket(krb5_context context,
krb5_kdc_rep *rep,
krb5_creds *creds,
krb5_keyblock *key,
krb5_const_pointer keyseed,
krb5_key_usage key_usage,
krb5_addresses *addrs,
unsigned nonce,
unsigned flags,
krb5_decrypt_proc decrypt_proc,
krb5_const_pointer decryptarg)
{
krb5_error_code ret;
krb5_principal tmp_principal;
size_t len = 0;
time_t tmp_time;
krb5_timestamp sec_now;
/* decrypt */
if (decrypt_proc == NULL)
decrypt_proc = decrypt_tkt;
ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
if (ret)
goto out;
/* save session key */
creds->session.keyvalue.length = 0;
creds->session.keyvalue.data = NULL;
creds->session.keytype = rep->enc_part.key.keytype;
ret = krb5_data_copy (&creds->session.keyvalue,
rep->enc_part.key.keyvalue.data,
rep->enc_part.key.keyvalue.length);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
/* compare client and save */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->kdc_rep.cname,
rep->kdc_rep.crealm);
if (ret)
goto out;
/* check client referral and save principal */
/* anonymous here ? */
if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
ret = check_client_referral(context, rep,
creds->client,
tmp_principal,
&creds->session);
if (ret) {
krb5_free_principal (context, tmp_principal);
goto out;
}
}
krb5_free_principal (context, creds->client);
creds->client = tmp_principal;
/* check server referral and save principal */
ret = _krb5_principalname2krb5_principal (context,
&tmp_principal,
rep->kdc_rep.ticket.sname,
rep->kdc_rep.ticket.realm);
if (ret)
goto out;
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
ret = check_server_referral(context,
rep,
flags,
creds->server,
tmp_principal,
&creds->session);
if (ret) {
krb5_free_principal (context, tmp_principal);
goto out;
}
}
krb5_free_principal(context, creds->server);
creds->server = tmp_principal;
/* verify names */
if(flags & EXTRACT_TICKET_MATCH_REALM){
const char *srealm = krb5_principal_get_realm(context, creds->server);
const char *crealm = krb5_principal_get_realm(context, creds->client);
if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
strcmp(rep->enc_part.srealm, crealm) != 0)
{
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_clear_error_message(context);
goto out;
}
}
/* compare nonces */
if (nonce != (unsigned)rep->enc_part.nonce) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
}
/* set kdc-offset */
krb5_timeofday (context, &sec_now);
if (rep->enc_part.flags.initial
&& (flags & EXTRACT_TICKET_TIMESYNC)
&& context->kdc_sec_offset == 0
&& krb5_config_get_bool (context, NULL,
"libdefaults",
"kdc_timesync",
NULL)) {
context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
krb5_timeofday (context, &sec_now);
}
/* check all times */
if (rep->enc_part.starttime) {
tmp_time = *rep->enc_part.starttime;
} else
tmp_time = rep->enc_part.authtime;
if (creds->times.starttime == 0
&& abs(tmp_time - sec_now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_set_error_message (context, ret,
N_("time skew (%d) larger than max (%d)", ""),
abs(tmp_time - sec_now),
(int)context->max_skew);
goto out;
}
if (creds->times.starttime != 0
&& tmp_time != creds->times.starttime) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_MODIFIED;
goto out;
}
creds->times.starttime = tmp_time;
if (rep->enc_part.renew_till) {
tmp_time = *rep->enc_part.renew_till;
} else
tmp_time = 0;
if (creds->times.renew_till != 0
&& tmp_time > creds->times.renew_till) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_MODIFIED;
goto out;
}
creds->times.renew_till = tmp_time;
creds->times.authtime = rep->enc_part.authtime;
if (creds->times.endtime != 0
&& rep->enc_part.endtime > creds->times.endtime) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_MODIFIED;
goto out;
}
creds->times.endtime = rep->enc_part.endtime;
if(rep->enc_part.caddr)
krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
else if(addrs)
krb5_copy_addresses (context, addrs, &creds->addresses);
else {
creds->addresses.len = 0;
creds->addresses.val = NULL;
}
creds->flags.b = rep->enc_part.flags;
creds->authdata.len = 0;
creds->authdata.val = NULL;
/* extract ticket */
ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
&rep->kdc_rep.ticket, &len, ret);
if(ret)
goto out;
if (creds->ticket.length != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
creds->second_ticket.length = 0;
creds->second_ticket.data = NULL;
out:
memset (rep->enc_part.key.keyvalue.data, 0,
rep->enc_part.key.keyvalue.length);
return ret;
}
/*
* delete a principal from the directory.
*/
krb5_error_code
krb5_ldap_delete_principal(krb5_context context,
krb5_const_principal searchfor)
{
char *user=NULL, *DN=NULL, *strval[10] = {NULL};
LDAPMod **mods=NULL;
LDAP *ld=NULL;
int j=0, ptype=0, pcount=0, attrsetmask=0;
krb5_error_code st=0;
krb5_boolean singleentry=FALSE;
KEY *secretkey=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_db_entry *entry = NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
SETUP_CONTEXT();
/* get the principal info */
if ((st=krb5_ldap_get_principal(context, searchfor, 0, &entry)))
goto cleanup;
if (((st=krb5_get_princ_type(context, entry, &(ptype))) != 0) ||
((st=krb5_get_attributes_mask(context, entry, &(attrsetmask))) != 0) ||
((st=krb5_get_princ_count(context, entry, &(pcount))) != 0) ||
((st=krb5_get_userdn(context, entry, &(DN))) != 0))
goto cleanup;
if (DN == NULL) {
st = EINVAL;
krb5_set_error_message(context, st, "DN information missing");
goto cleanup;
}
GET_HANDLE();
if (ptype == KDB_STANDALONE_PRINCIPAL_OBJECT) {
st = ldap_delete_ext_s(ld, DN, NULL, NULL);
if (st != LDAP_SUCCESS) {
st = set_ldap_error (context, st, OP_DEL);
goto cleanup;
}
} else {
if (((st=krb5_unparse_name(context, searchfor, &user)) != 0)
|| ((st=krb5_ldap_unparse_principal_name(user)) != 0))
goto cleanup;
memset(strval, 0, sizeof(strval));
strval[0] = user;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_DELETE,
strval)) != 0)
goto cleanup;
singleentry = (pcount == 1) ? TRUE: FALSE;
if (singleentry == FALSE) {
if (secretkey != NULL) {
if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey", LDAP_MOD_DELETE | LDAP_MOD_BVALUES,
secretkey->keys)) != 0)
goto cleanup;
}
} else {
/*
* If the Kerberos user principal to be deleted happens to be the last one associated
* with the directory user object, then it is time to delete the other kerberos
* specific attributes like krbmaxticketlife, i.e, unkerberize the directory user.
* From the attrsetmask value, identify the attributes set on the directory user
* object and delete them.
* NOTE: krbsecretkey attribute has per principal entries. There can be chances that the
* other principals' keys are exisiting/left-over. So delete all the values.
*/
while (attrsetmask) {
if (attrsetmask & 1) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, attributes_set[j], LDAP_MOD_DELETE,
NULL)) != 0)
goto cleanup;
}
attrsetmask >>= 1;
++j;
}
/* the same should be done with the objectclass attributes */
{
char *attrvalues[] = {"krbticketpolicyaux", "krbprincipalaux", NULL};
/* char *attrvalues[] = {"krbpwdpolicyrefaux", "krbticketpolicyaux", "krbprincipalaux", NULL}; */
int p, q, r=0, amask=0;
if ((st=checkattributevalue(ld, DN, "objectclass", attrvalues, &amask)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
for (p=1, q=0; p<=4; p<<=1, ++q)
if (p & amask)
strval[r++] = attrvalues[q];
strval[r] = NULL;
if (r > 0) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_DELETE,
strval)) != 0)
goto cleanup;
}
}
}
st=ldap_modify_ext_s(ld, DN, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
st = set_ldap_error(context, st, OP_MOD);
goto cleanup;
}
}
cleanup:
if (user)
free (user);
if (DN)
free (DN);
if (secretkey != NULL) {
int i=0;
while (i < secretkey->nkey) {
free (secretkey->keys[i]->bv_val);
free (secretkey->keys[i]);
++i;
}
free (secretkey->keys);
free (secretkey);
}
krb5_ldap_free_principal(context, entry);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_ap_req2(krb5_context context,
krb5_auth_context *auth_context,
krb5_ap_req *ap_req,
krb5_const_principal server,
krb5_keyblock *keyblock,
krb5_flags flags,
krb5_flags *ap_req_options,
krb5_ticket **ticket,
krb5_key_usage usage)
{
krb5_ticket *t;
krb5_auth_context ac;
krb5_error_code ret;
EtypeList etypes;
memset(&etypes, 0, sizeof(etypes));
if (ticket)
*ticket = NULL;
if (auth_context && *auth_context) {
ac = *auth_context;
} else {
ret = krb5_auth_con_init (context, &ac);
if (ret)
return ret;
}
t = calloc(1, sizeof(*t));
if (t == NULL) {
ret = krb5_enomem(context);
goto out;
}
if (ap_req->ap_options.use_session_key && ac->keyblock){
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
ac->keyblock,
&t->ticket,
flags);
krb5_free_keyblock(context, ac->keyblock);
ac->keyblock = NULL;
}else
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
keyblock,
&t->ticket,
flags);
if(ret)
goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->server,
ap_req->ticket.sname,
ap_req->ticket.realm);
if (ret) goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->client,
t->ticket.cname,
t->ticket.crealm);
if (ret) goto out;
ret = decrypt_authenticator (context,
&t->ticket.key,
&ap_req->authenticator,
ac->authenticator,
usage);
if (ret)
goto out;
{
krb5_principal p1, p2;
krb5_boolean res;
_krb5_principalname2krb5_principal(context,
&p1,
ac->authenticator->cname,
ac->authenticator->crealm);
_krb5_principalname2krb5_principal(context,
&p2,
t->ticket.cname,
t->ticket.crealm);
res = krb5_principal_compare (context, p1, p2);
krb5_free_principal (context, p1);
krb5_free_principal (context, p2);
if (!res) {
ret = KRB5KRB_AP_ERR_BADMATCH;
krb5_clear_error_message (context);
goto out;
}
}
/* check addresses */
if (t->ticket.caddr
&& ac->remote_address
&& !krb5_address_search (context,
ac->remote_address,
t->ticket.caddr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
krb5_clear_error_message (context);
goto out;
}
/* check timestamp in authenticator */
{
krb5_timestamp now;
krb5_timeofday (context, &now);
if (labs(ac->authenticator->ctime - now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_clear_error_message (context);
goto out;
}
}
if (ac->authenticator->seq_number)
krb5_auth_con_setremoteseqnumber(context, ac,
*ac->authenticator->seq_number);
/* XXX - Xor sequence numbers */
if (ac->authenticator->subkey) {
ret = krb5_auth_con_setremotesubkey(context, ac,
ac->authenticator->subkey);
if (ret)
goto out;
}
ret = find_etypelist(context, ac, &etypes);
if (ret)
goto out;
ac->keytype = ETYPE_NULL;
if (etypes.val) {
size_t i;
for (i = 0; i < etypes.len; i++) {
if (krb5_enctype_valid(context, etypes.val[i]) == 0) {
ac->keytype = etypes.val[i];
break;
}
}
}
/* save key */
ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
if (ret) goto out;
if (ap_req_options) {
*ap_req_options = 0;
if (ac->keytype != (krb5_enctype)ETYPE_NULL)
*ap_req_options |= AP_OPTS_USE_SUBKEY;
if (ap_req->ap_options.use_session_key)
*ap_req_options |= AP_OPTS_USE_SESSION_KEY;
if (ap_req->ap_options.mutual_required)
*ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
}
if(ticket)
*ticket = t;
else
krb5_free_ticket (context, t);
if (auth_context) {
if (*auth_context == NULL)
*auth_context = ac;
} else
krb5_auth_con_free (context, ac);
free_EtypeList(&etypes);
return 0;
out:
free_EtypeList(&etypes);
if (t)
krb5_free_ticket (context, t);
if (auth_context == NULL || *auth_context == NULL)
krb5_auth_con_free (context, ac);
return ret;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache cache;
krb5_creds *out;
int optidx = 0;
int32_t nametype = KRB5_NT_UNKNOWN;
krb5_get_creds_opt opt;
krb5_principal server = NULL;
krb5_principal impersonate;
setprogname(argv[0]);
ret = krb5_init_context(&context);
if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if (version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (debug_flag) {
ret = krb5_set_debug_dest(context, getprogname(), "STDERR");
if (ret)
krb5_warn(context, ret, "krb5_set_debug_dest");
}
if (cache_str) {
ret = krb5_cc_resolve(context, cache_str, &cache);
if (ret)
krb5_err(context, 1, ret, "%s", cache_str);
} else {
ret = krb5_cc_default (context, &cache);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
}
ret = krb5_get_creds_opt_alloc(context, &opt);
if (ret)
krb5_err(context, 1, ret, "krb5_get_creds_opt_alloc");
if (etype_str) {
krb5_enctype enctype;
ret = krb5_string_to_enctype(context, etype_str, &enctype);
if (ret)
krb5_errx(context, 1, N_("unrecognized enctype: %s", ""),
etype_str);
krb5_get_creds_opt_set_enctype(context, opt, enctype);
}
if (impersonate_str) {
ret = krb5_parse_name(context, impersonate_str, &impersonate);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name %s", impersonate_str);
krb5_get_creds_opt_set_impersonate(context, opt, impersonate);
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
krb5_free_principal(context, impersonate);
}
if (out_cache_str)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
if (forwardable_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_FORWARDABLE);
if (!transit_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_TRANSIT_CHECK);
if (canonicalize_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_CANONICALIZE);
if (!store_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
if (cached_only_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_CACHED);
if (delegation_cred_str) {
krb5_ccache id;
krb5_creds c, mc;
Ticket ticket;
krb5_cc_clear_mcred(&mc);
ret = krb5_cc_get_principal(context, cache, &mc.server);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
ret = krb5_cc_resolve(context, delegation_cred_str, &id);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_retrieve_cred(context, id, 0, &mc, &c);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_retrieve_cred");
ret = decode_Ticket(c.ticket.data, c.ticket.length, &ticket, NULL);
if (ret) {
krb5_clear_error_message(context);
krb5_err(context, 1, ret, "decode_Ticket");
}
krb5_free_cred_contents(context, &c);
ret = krb5_get_creds_opt_set_ticket(context, opt, &ticket);
if(ret)
krb5_err(context, 1, ret, "krb5_get_creds_opt_set_ticket");
free_Ticket(&ticket);
krb5_cc_close(context, id);
krb5_free_principal(context, mc.server);
krb5_get_creds_opt_add_options(context, opt,
KRB5_GC_CONSTRAINED_DELEGATION);
}
if (nametype_str != NULL) {
ret = krb5_parse_nametype(context, nametype_str, &nametype);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_nametype");
}
if (nametype == KRB5_NT_SRV_HST ||
nametype == KRB5_NT_SRV_HST_NEEDS_CANON)
is_hostbased_flag = 1;
if (is_hostbased_flag) {
const char *sname = NULL;
const char *hname = NULL;
if (nametype_str != NULL &&
nametype != KRB5_NT_SRV_HST &&
nametype != KRB5_NT_SRV_HST_NEEDS_CANON)
krb5_errx(context, 1, "--hostbased not compatible with "
"non-hostbased --name-type");
if (is_canonical_flag)
nametype = KRB5_NT_SRV_HST;
else
nametype = KRB5_NT_SRV_HST_NEEDS_CANON;
/*
* Host-based service names can have more than one component.
*
* RFC5179 did not, but should have, assign a Kerberos name-type
* corresponding to GSS_C_NT_DOMAINBASED. But it's basically a
* host-based service name type with one additional component.
*
* So that's how we're treating host-based service names here:
* two or more components.
*/
if (argc == 0) {
usage(1);
} else if (argc == 1) {
krb5_principal server2;
/*
* In this case the one argument is a principal name, not the
* service name.
*
* We parse the argument as a principal name, extract the service
* and hostname components, use krb5_sname_to_principal(), then
* extract the service and hostname components from that.
*/
ret = krb5_parse_name(context, argv[0], &server);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name %s", argv[0]);
sname = krb5_principal_get_comp_string(context, server, 0);
/*
* If a single-component principal name is given, then we'll
* default the hostname, as krb5_principal_get_comp_string()
* returns NULL in this case.
*/
hname = krb5_principal_get_comp_string(context, server, 1);
ret = krb5_sname_to_principal(context, hname, sname,
KRB5_NT_SRV_HST, &server2);
sname = krb5_principal_get_comp_string(context, server2, 0);
hname = krb5_principal_get_comp_string(context, server2, 1);
/*
* Modify the original with the new sname/hname. This way we
* retain any additional principal name components from the given
* principal name.
*
* The name-type is set further below.
*/
ret = krb5_principal_set_comp_string(context, server, 0, sname);
if (ret)
krb5_err(context, 1, ret, "krb5_principal_set_comp_string %s", argv[0]);
ret = krb5_principal_set_comp_string(context, server, 1, hname);
if (ret)
krb5_err(context, 1, ret, "krb5_principal_set_comp_string %s", argv[0]);
krb5_free_principal(context, server2);
} else {
size_t i;
/*
* In this case the arguments are principal name components.
*
* The service and hostname components can be defaulted by passing
* empty strings.
*/
sname = argv[0];
if (*sname == '\0')
sname = NULL;
hname = argv[1];
if (hname == NULL || *hname == '\0')
hname = NULL;
ret = krb5_sname_to_principal(context, hname, sname,
KRB5_NT_SRV_HST, &server);
if (ret)
krb5_err(context, 1, ret, "krb5_sname_to_principal");
for (i = 2; i < argc; i++) {
ret = krb5_principal_set_comp_string(context, server, i, argv[i]);
if (ret)
krb5_err(context, 1, ret, "krb5_principal_set_comp_string");
}
}
} else if (argc == 1) {
ret = krb5_parse_name(context, argv[0], &server);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name %s", argv[0]);
} else {
usage(1);
}
if (nametype != KRB5_NT_UNKNOWN)
server->name.name_type = (NAME_TYPE)nametype;
ret = krb5_get_creds(context, opt, cache, server, &out);
if (ret)
krb5_err(context, 1, ret, "krb5_get_creds");
if (out_cache_str) {
krb5_ccache id;
ret = krb5_cc_resolve(context, out_cache_str, &id);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_initialize(context, id, out->client);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_store_cred(context, id, out);
if(ret)
krb5_err(context, 1, ret, "krb5_cc_store_cred");
krb5_cc_close(context, id);
}
krb5_free_creds(context, out);
krb5_free_principal(context, server);
krb5_get_creds_opt_free(context, opt);
krb5_cc_close (context, cache);
krb5_free_context (context);
return 0;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_rd_rep(krb5_context context,
krb5_auth_context auth_context,
const krb5_data *inbuf,
krb5_ap_rep_enc_part **repl)
{
krb5_error_code ret;
AP_REP ap_rep;
size_t len;
krb5_data data;
krb5_crypto crypto;
krb5_data_zero (&data);
ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len);
if (ret)
return ret;
if (ap_rep.pvno != 5) {
ret = KRB5KRB_AP_ERR_BADVERSION;
krb5_clear_error_message (context);
goto out;
}
if (ap_rep.msg_type != krb_ap_rep) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
krb5_clear_error_message (context);
goto out;
}
ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret)
goto out;
ret = krb5_decrypt_EncryptedData (context,
crypto,
KRB5_KU_AP_REQ_ENC_PART,
&ap_rep.enc_part,
&data);
krb5_crypto_destroy(context, crypto);
if (ret)
goto out;
*repl = malloc(sizeof(**repl));
if (*repl == NULL) {
ret = krb5_enomem(context);
goto out;
}
ret = decode_EncAPRepPart(data.data, data.length, *repl, &len);
if (ret) {
krb5_set_error_message(context, ret, N_("Failed to decode EncAPRepPart", ""));
return ret;
}
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
if ((*repl)->ctime != auth_context->authenticator->ctime ||
(*repl)->cusec != auth_context->authenticator->cusec)
{
krb5_free_ap_rep_enc_part(context, *repl);
*repl = NULL;
ret = KRB5KRB_AP_ERR_MUT_FAIL;
krb5_clear_error_message (context);
goto out;
}
}
if ((*repl)->seq_number)
krb5_auth_con_setremoteseqnumber(context, auth_context,
*((*repl)->seq_number));
if ((*repl)->subkey)
krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey);
out:
krb5_data_free (&data);
free_AP_REP (&ap_rep);
return ret;
}
/*
* Parse the IAKERB token in input_token and process the KDC
* response.
*
* Emit the next KDC request, if any, in output_token.
*/
static krb5_error_code
iakerb_initiator_step(iakerb_ctx_id_t ctx,
krb5_gss_cred_id_t cred,
krb5_gss_name_t name,
OM_uint32 time_req,
const gss_buffer_t input_token,
gss_buffer_t output_token)
{
krb5_error_code code = 0;
krb5_data in = empty_data(), out = empty_data(), realm = empty_data();
krb5_data *cookie = NULL;
OM_uint32 tmp;
unsigned int flags = 0;
krb5_ticket_times times;
output_token->length = 0;
output_token->value = NULL;
if (input_token != GSS_C_NO_BUFFER) {
code = iakerb_parse_token(ctx, 0, input_token, NULL, &cookie, &in);
if (code != 0)
goto cleanup;
code = iakerb_save_token(ctx, input_token);
if (code != 0)
goto cleanup;
}
switch (ctx->state) {
case IAKERB_AS_REQ:
if (ctx->icc == NULL) {
code = iakerb_init_creds_ctx(ctx, cred, time_req);
if (code != 0)
goto cleanup;
}
code = krb5_init_creds_step(ctx->k5c, ctx->icc, &in, &out, &realm,
&flags);
if (code != 0) {
if (cred->have_tgt) {
/* We were trying to refresh; keep going with current creds. */
ctx->state = IAKERB_TGS_REQ;
krb5_clear_error_message(ctx->k5c);
} else {
goto cleanup;
}
} else if (!(flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE)) {
krb5_init_creds_get_times(ctx->k5c, ctx->icc, ×);
kg_cred_set_initial_refresh(ctx->k5c, cred, ×);
cred->expire = times.endtime;
krb5_init_creds_free(ctx->k5c, ctx->icc);
ctx->icc = NULL;
ctx->state = IAKERB_TGS_REQ;
} else
break;
in = empty_data();
/* Done with AS request; fall through to TGS request. */
case IAKERB_TGS_REQ:
if (ctx->tcc == NULL) {
code = iakerb_tkt_creds_ctx(ctx, cred, name, time_req);
if (code != 0)
goto cleanup;
}
code = krb5_tkt_creds_step(ctx->k5c, ctx->tcc, &in, &out, &realm,
&flags);
if (code != 0)
goto cleanup;
if (!(flags & KRB5_TKT_CREDS_STEP_FLAG_CONTINUE)) {
krb5_tkt_creds_get_times(ctx->k5c, ctx->tcc, ×);
cred->expire = times.endtime;
krb5_tkt_creds_free(ctx->k5c, ctx->tcc);
ctx->tcc = NULL;
ctx->state = IAKERB_AP_REQ;
} else
break;
/* Done with TGS request; fall through to AP request. */
case IAKERB_AP_REQ:
break;
}
if (out.length != 0) {
assert(ctx->state != IAKERB_AP_REQ);
code = iakerb_make_token(ctx, &realm, cookie, &out,
(input_token == GSS_C_NO_BUFFER),
output_token);
if (code != 0)
goto cleanup;
/* Save the token for generating a future checksum */
code = iakerb_save_token(ctx, output_token);
if (code != 0)
goto cleanup;
ctx->count++;
}
cleanup:
if (code != 0)
gss_release_buffer(&tmp, output_token);
krb5_free_data(ctx->k5c, cookie);
krb5_free_data_contents(ctx->k5c, &out);
krb5_free_data_contents(ctx->k5c, &realm);
return code;
}
static krb5_error_code
init_ccapi(krb5_context context)
{
const char *lib = NULL;
HEIMDAL_MUTEX_lock(&acc_mutex);
if (init_func) {
HEIMDAL_MUTEX_unlock(&acc_mutex);
if (context)
krb5_clear_error_message(context);
return 0;
}
if (context)
lib = krb5_config_get_string(context, NULL,
"libdefaults", "ccapi_library",
NULL);
if (lib == NULL) {
#ifdef __APPLE__
lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
#elif defined(KRB5_USE_PATH_TOKENS) && defined(_WIN32)
lib = "%{LIBDIR}/libkrb5_cc.dll";
#else
lib = "/usr/lib/libkrb5_cc.so";
#endif
}
#ifdef HAVE_DLOPEN
#ifndef RTLD_LAZY
#define RTLD_LAZY 0
#endif
#ifndef RTLD_LOCAL
#define RTLD_LOCAL 0
#endif
#ifdef KRB5_USE_PATH_TOKENS
{
char * explib = NULL;
if (_krb5_expand_path_tokens(context, lib, &explib) == 0) {
cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL);
free(explib);
}
}
#else
cc_handle = dlopen(lib, RTLD_LAZY|RTLD_LOCAL);
#endif
if (cc_handle == NULL) {
HEIMDAL_MUTEX_unlock(&acc_mutex);
if (context)
krb5_set_error_message(context, KRB5_CC_NOSUPP,
N_("Failed to load API cache module %s", "file"),
lib);
return KRB5_CC_NOSUPP;
}
init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize");
set_target_uid = (void (KRB5_CALLCONV *)(uid_t))
dlsym(cc_handle, "krb5_ipc_client_set_target_uid");
clear_target = (void (KRB5_CALLCONV *)(void))
dlsym(cc_handle, "krb5_ipc_client_clear_target");
HEIMDAL_MUTEX_unlock(&acc_mutex);
if (init_func == NULL) {
if (context)
krb5_set_error_message(context, KRB5_CC_NOSUPP,
N_("Failed to find cc_initialize"
"in %s: %s", "file, error"), lib, dlerror());
dlclose(cc_handle);
return KRB5_CC_NOSUPP;
}
return 0;
#else
HEIMDAL_MUTEX_unlock(&acc_mutex);
if (context)
krb5_set_error_message(context, KRB5_CC_NOSUPP,
N_("no support for shared object", ""));
return KRB5_CC_NOSUPP;
#endif
}
/**
* Perform the server side of the sendauth protocol like krb5_recvauth(), but support
* a user-specified callback, \a match_appl_version, to perform the match of the application
* version \a match_data.
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_recvauth_match_version(krb5_context context,
krb5_auth_context *auth_context,
krb5_pointer p_fd,
krb5_boolean (*match_appl_version)(const void *,
const char*),
const void *match_data,
krb5_principal server,
int32_t flags,
krb5_keytab keytab,
krb5_ticket **ticket)
{
krb5_error_code ret;
const char *version = KRB5_SENDAUTH_VERSION;
char her_version[sizeof(KRB5_SENDAUTH_VERSION)];
char *her_appl_version;
uint32_t len;
u_char repl;
krb5_data data;
krb5_flags ap_options;
ssize_t n;
/*
* If there are no addresses in auth_context, get them from `fd'.
*/
if (*auth_context == NULL) {
ret = krb5_auth_con_init (context, auth_context);
if (ret)
return ret;
}
ret = krb5_auth_con_setaddrs_from_fd (context,
*auth_context,
p_fd);
if (ret)
return ret;
/*
* Expect SENDAUTH protocol version.
*/
if(!(flags & KRB5_RECVAUTH_IGNORE_VERSION)) {
n = krb5_net_read (context, p_fd, &len, 4);
if (n < 0) {
ret = errno;
krb5_set_error_message(context, ret, "read: %s", strerror(ret));
return ret;
}
if (n == 0) {
krb5_set_error_message(context, KRB5_SENDAUTH_BADAUTHVERS,
N_("Failed to receive sendauth data", ""));
return KRB5_SENDAUTH_BADAUTHVERS;
}
len = ntohl(len);
if (len != sizeof(her_version)
|| krb5_net_read (context, p_fd, her_version, len) != len
|| strncmp (version, her_version, len)) {
repl = 1;
krb5_net_write (context, p_fd, &repl, 1);
krb5_clear_error_message (context);
return KRB5_SENDAUTH_BADAUTHVERS;
}
}
/*
* Expect application protocol version.
*/
n = krb5_net_read (context, p_fd, &len, 4);
if (n < 0) {
ret = errno;
krb5_set_error_message(context, ret, "read: %s", strerror(ret));
return ret;
}
if (n == 0) {
krb5_clear_error_message (context);
return KRB5_SENDAUTH_BADAPPLVERS;
}
len = ntohl(len);
her_appl_version = malloc (len);
if (her_appl_version == NULL) {
repl = 2;
krb5_net_write (context, p_fd, &repl, 1);
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
if (krb5_net_read (context, p_fd, her_appl_version, len) != len
|| !(*match_appl_version)(match_data, her_appl_version)) {
repl = 2;
krb5_net_write (context, p_fd, &repl, 1);
krb5_set_error_message(context, KRB5_SENDAUTH_BADAPPLVERS,
N_("wrong sendauth application version (%s)", ""),
her_appl_version);
free (her_appl_version);
return KRB5_SENDAUTH_BADAPPLVERS;
}
free (her_appl_version);
/*
* Send OK.
*/
repl = 0;
if (krb5_net_write (context, p_fd, &repl, 1) != 1) {
ret = errno;
krb5_set_error_message(context, ret, "write: %s", strerror(ret));
return ret;
}
/*
* Until here, the fields in the message were in cleartext and unauthenticated.
* From now on, Kerberos kicks in.
*/
/*
* Expect AP_REQ.
*/
krb5_data_zero (&data);
ret = krb5_read_message (context, p_fd, &data);
if (ret)
return ret;
ret = krb5_rd_req (context,
auth_context,
&data,
server,
keytab,
&ap_options,
ticket);
krb5_data_free (&data);
if (ret) {
krb5_data error_data;
krb5_error_code ret2;
ret2 = krb5_mk_error (context,
ret,
NULL,
NULL,
NULL,
server,
NULL,
NULL,
&error_data);
if (ret2 == 0) {
krb5_write_message (context, p_fd, &error_data);
krb5_data_free (&error_data);
}
return ret;
}
/*
* Send OK.
*/
len = 0;
if (krb5_net_write (context, p_fd, &len, 4) != 4) {
ret = errno;
krb5_set_error_message(context, ret, "write: %s", strerror(ret));
krb5_free_ticket(context, *ticket);
*ticket = NULL;
return ret;
}
/*
* If client requires mutual authentication, send AP_REP.
*/
if (ap_options & AP_OPTS_MUTUAL_REQUIRED) {
ret = krb5_mk_rep (context, *auth_context, &data);
if (ret) {
krb5_free_ticket(context, *ticket);
*ticket = NULL;
return ret;
}
ret = krb5_write_message (context, p_fd, &data);
if (ret) {
krb5_free_ticket(context, *ticket);
*ticket = NULL;
return ret;
}
krb5_data_free (&data);
}
return 0;
}
static krb5_error_code
make_ccred_from_cred(krb5_context context,
const krb5_creds *incred,
cc_credentials_v5_t *cred)
{
krb5_error_code ret;
size_t i;
memset(cred, 0, sizeof(*cred));
ret = krb5_unparse_name(context, incred->client, &cred->client);
if (ret)
goto fail;
ret = krb5_unparse_name(context, incred->server, &cred->server);
if (ret)
goto fail;
cred->keyblock.type = incred->session.keytype;
cred->keyblock.length = incred->session.keyvalue.length;
cred->keyblock.data = incred->session.keyvalue.data;
cred->authtime = incred->times.authtime;
cred->starttime = incred->times.starttime;
cred->endtime = incred->times.endtime;
cred->renew_till = incred->times.renew_till;
cred->ticket.length = incred->ticket.length;
cred->ticket.data = incred->ticket.data;
cred->second_ticket.length = incred->second_ticket.length;
cred->second_ticket.data = incred->second_ticket.data;
/* XXX this one should also be filled in */
cred->authdata = NULL;
cred->addresses = calloc(incred->addresses.len + 1,
sizeof(cred->addresses[0]));
if (cred->addresses == NULL) {
ret = ENOMEM;
goto fail;
}
for (i = 0; i < incred->addresses.len; i++) {
cc_data *addr;
addr = malloc(sizeof(*addr));
if (addr == NULL) {
ret = ENOMEM;
goto fail;
}
addr->type = incred->addresses.val[i].addr_type;
addr->length = incred->addresses.val[i].address.length;
addr->data = malloc(addr->length);
if (addr->data == NULL) {
free(addr);
ret = ENOMEM;
goto fail;
}
memcpy(addr->data, incred->addresses.val[i].address.data,
addr->length);
cred->addresses[i] = addr;
}
cred->addresses[i] = NULL;
cred->ticket_flags = 0;
if (incred->flags.b.forwardable)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDABLE;
if (incred->flags.b.forwarded)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDED;
if (incred->flags.b.proxiable)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXIABLE;
if (incred->flags.b.proxy)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXY;
if (incred->flags.b.may_postdate)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_MAY_POSTDATE;
if (incred->flags.b.postdated)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_POSTDATED;
if (incred->flags.b.invalid)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INVALID;
if (incred->flags.b.renewable)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_RENEWABLE;
if (incred->flags.b.initial)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INITIAL;
if (incred->flags.b.pre_authent)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PRE_AUTH;
if (incred->flags.b.hw_authent)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_HW_AUTH;
if (incred->flags.b.transited_policy_checked)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED;
if (incred->flags.b.ok_as_delegate)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE;
if (incred->flags.b.anonymous)
cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_ANONYMOUS;
return 0;
fail:
free_ccred(cred);
krb5_clear_error_message(context);
return ret;
}
krb5_error_code
_kdc_pk_mk_pa_reply(krb5_context context,
krb5_kdc_configuration *config,
pk_client_params *client_params,
const hdb_entry_ex *client,
const KDC_REQ *req,
const krb5_data *req_buffer,
krb5_keyblock **reply_key,
METHOD_DATA *md)
{
krb5_error_code ret;
void *buf;
size_t len, size;
krb5_enctype enctype;
int pa_type;
hx509_cert kdc_cert = NULL;
int i;
if (!config->enable_pkinit) {
krb5_clear_error_message(context);
return 0;
}
if (req->req_body.etype.len > 0) {
for (i = 0; i < req->req_body.etype.len; i++)
if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)
break;
if (req->req_body.etype.len <= i) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"No valid enctype available from client");
goto out;
}
enctype = req->req_body.etype.val[i];
} else
enctype = ETYPE_DES3_CBC_SHA1;
if (client_params->type == PKINIT_27) {
PA_PK_AS_REP rep;
const char *type, *other = "";
memset(&rep, 0, sizeof(rep));
pa_type = KRB5_PADATA_PK_AS_REP;
if (client_params->dh == NULL) {
ContentInfo info;
type = "enckey";
rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
config,
client_params,
req,
req_buffer,
&client_params->reply_key,
&info);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
rep.u.encKeyPack.length, &info, &size,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
} else {
ContentInfo info;
type = "dh";
if (client_params->dh_group_name)
other = client_params->dh_group_name;
rep.element = choice_PA_PK_AS_REP_dhInfo;
ret = generate_dh_keyblock(context, client_params, enctype,
&client_params->reply_key);
if (ret)
return ret;
ret = pk_mk_pa_reply_dh(context, client_params->dh,
client_params,
&client_params->reply_key,
&info,
&kdc_cert);
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data,
rep.u.dhInfo.dhSignedData.length, &info, &size,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
}
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP(&rep);
if (ret) {
krb5_set_error_message(context, ret, "encode PA-PK-AS-REP failed %d",
ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
} else if (client_params->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k rep;
ContentInfo info;
if (client_params->dh) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "Windows PK-INIT doesn't support DH");
goto out;
}
memset(&rep, 0, sizeof(rep));
pa_type = KRB5_PADATA_PK_AS_REP_19;
rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key);
if (ret) {
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
config,
client_params,
req,
req_buffer,
&client_params->reply_key,
&info);
if (ret) {
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
rep.u.encKeyPack.length, &info, &size,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP_Win2k(&rep);
if (ret) {
krb5_set_error_message(context, ret,
"encode PA-PK-AS-REP-Win2k failed %d", ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
} else
krb5_abortx(context, "PK-INIT internal error");
ret = krb5_padata_add(context, md, pa_type, buf, len);
if (ret) {
krb5_set_error_message(context, ret, "failed adding PA-PK-AS-REP %d", ret);
free(buf);
goto out;
}
if (config->pkinit_kdc_ocsp_file) {
if (ocsp.expire == 0 && ocsp.next_update > kdc_time) {
struct stat sb;
int fd;
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
ocsp.next_update = kdc_time + 60 * 5;
fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
if (fd < 0) {
kdc_log(context, config, 0,
"PK-INIT failed to open ocsp data file %d", errno);
goto out_ocsp;
}
ret = fstat(fd, &sb);
if (ret) {
ret = errno;
close(fd);
kdc_log(context, config, 0,
"PK-INIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
ret = krb5_data_alloc(&ocsp.data, sb.st_size);
if (ret) {
close(fd);
kdc_log(context, config, 0,
"PK-INIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
ocsp.data.length = sb.st_size;
ret = read(fd, ocsp.data.data, sb.st_size);
close(fd);
if (ret != sb.st_size) {
kdc_log(context, config, 0,
"PK-INIT failed to read ocsp data %d", errno);
goto out_ocsp;
}
ret = hx509_ocsp_verify(kdc_identity->hx509ctx,
kdc_time,
kdc_cert,
0,
ocsp.data.data, ocsp.data.length,
&ocsp.expire);
if (ret) {
kdc_log(context, config, 0,
"PK-INIT failed to verify ocsp data %d", ret);
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
} else if (ocsp.expire > 180) {
ocsp.expire -= 180; /* refetch the ocsp before it expire */
ocsp.next_update = ocsp.expire;
} else {
ocsp.next_update = kdc_time;
}
out_ocsp:
ret = 0;
}
if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
ret = krb5_padata_add(context, md,
KRB5_PADATA_PA_PK_OCSP_RESPONSE,
ocsp.data.data, ocsp.data.length);
if (ret) {
krb5_set_error_message(context, ret,
"Failed adding OCSP response %d", ret);
goto out;
}
}
}
out:
if (kdc_cert)
hx509_cert_free(kdc_cert);
if (ret == 0)
*reply_key = &client_params->reply_key;
return ret;
}
static krb5_error_code
pk_mk_pa_reply_enckey(krb5_context context,
krb5_kdc_configuration *config,
pk_client_params *client_params,
const KDC_REQ *req,
const krb5_data *req_buffer,
krb5_keyblock *reply_key,
ContentInfo *content_info)
{
const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL;
krb5_error_code ret;
krb5_data buf, signed_data;
size_t size;
int do_win2k = 0;
krb5_data_zero(&buf);
krb5_data_zero(&signed_data);
/*
* If the message client is a win2k-type but it send pa data
* 09-binding it expects a IETF (checksum) reply so there can be
* no replay attacks.
*/
switch (client_params->type) {
case PKINIT_WIN2K: {
int i = 0;
if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL
&& config->pkinit_require_binding == 0)
{
do_win2k = 1;
}
sdAlg = oid_id_pkcs7_data();
evAlg = oid_id_pkcs7_data();
envelopedAlg = oid_id_rsadsi_des_ede3_cbc();
break;
}
case PKINIT_27:
sdAlg = oid_id_pkrkeydata();
evAlg = oid_id_pkcs7_signedData();
break;
default:
krb5_abortx(context, "internal pkinit error");
}
if (do_win2k) {
ReplyKeyPack_Win2k kp;
memset(&kp, 0, sizeof(kp));
ret = copy_EncryptionKey(reply_key, &kp.replyKey);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
kp.nonce = client_params->nonce;
ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k,
buf.data, buf.length,
&kp, &size,ret);
free_ReplyKeyPack_Win2k(&kp);
} else {
krb5_crypto ascrypto;
ReplyKeyPack kp;
memset(&kp, 0, sizeof(kp));
ret = copy_EncryptionKey(reply_key, &kp.replyKey);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
ret = krb5_create_checksum(context, ascrypto, 6, 0,
req_buffer->data, req_buffer->length,
&kp.asChecksum);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
ret = krb5_crypto_destroy(context, ascrypto);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
free_ReplyKeyPack(&kp);
}
if (ret) {
krb5_set_error_message(context, ret, "ASN.1 encoding of ReplyKeyPack "
"failed (%d)", ret);
goto out;
}
if (buf.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
{
hx509_query *q;
hx509_cert cert;
ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
if (ret)
goto out;
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
ret = hx509_certs_find(kdc_identity->hx509ctx,
kdc_identity->certs,
q,
&cert);
hx509_query_free(kdc_identity->hx509ctx, q);
if (ret)
goto out;
ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
0,
sdAlg,
buf.data,
buf.length,
NULL,
cert,
client_params->peer,
client_params->client_anchors,
kdc_identity->certpool,
&signed_data);
hx509_cert_free(cert);
}
krb5_data_free(&buf);
if (ret)
goto out;
if (client_params->type == PKINIT_WIN2K) {
ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(),
&signed_data,
&buf);
if (ret)
goto out;
krb5_data_free(&signed_data);
signed_data = buf;
}
ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
0,
client_params->cert,
signed_data.data, signed_data.length,
envelopedAlg,
evAlg, &buf);
if (ret)
goto out;
ret = _krb5_pk_mk_ContentInfo(context,
&buf,
oid_id_pkcs7_envelopedData(),
content_info);
out:
krb5_data_free(&buf);
krb5_data_free(&signed_data);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto (krb5_context context,
const krb5_data *send_data,
krb5_krbhst_handle handle,
krb5_data *receive)
{
krb5_error_code ret;
krb5_socket_t fd;
size_t i;
krb5_data_zero(receive);
for (i = 0; i < context->max_retries; ++i) {
krb5_krbhst_info *hi;
while (krb5_krbhst_next(context, handle, &hi) == 0) {
struct addrinfo *ai, *a;
_krb5_debug(context, 2,
"trying to communicate with host %s in realm %s",
hi->hostname, _krb5_krbhst_get_realm(handle));
if (context->send_to_kdc) {
struct send_to_kdc *s = context->send_to_kdc;
ret = (*s->func)(context, s->data, hi,
context->kdc_timeout, send_data, receive);
if (ret == 0 && receive->length != 0)
goto out;
continue;
}
ret = send_via_plugin(context, hi, context->kdc_timeout,
send_data, receive);
if (ret == 0 && receive->length != 0)
goto out;
else if (ret != KRB5_PLUGIN_NO_HANDLE)
continue;
if(hi->proto == KRB5_KRBHST_HTTP && context->http_proxy) {
if (send_via_proxy (context, hi, send_data, receive) == 0) {
ret = 0;
goto out;
}
continue;
}
ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
if (ret)
continue;
for (a = ai; a != NULL; a = a->ai_next) {
fd = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
if (rk_IS_BAD_SOCKET(fd))
continue;
rk_cloexec(fd);
if (timed_connect (fd, a, context->kdc_timeout) < 0) {
rk_closesocket (fd);
continue;
}
switch (hi->proto) {
case KRB5_KRBHST_HTTP :
ret = send_and_recv_http(fd, context->kdc_timeout,
"", send_data, receive);
break;
case KRB5_KRBHST_TCP :
ret = send_and_recv_tcp (fd, context->kdc_timeout,
send_data, receive);
break;
case KRB5_KRBHST_UDP :
ret = send_and_recv_udp (fd, context->kdc_timeout,
send_data, receive);
break;
}
rk_closesocket (fd);
if(ret == 0 && receive->length != 0)
goto out;
}
}
krb5_krbhst_reset(context, handle);
}
krb5_clear_error_message (context);
ret = KRB5_KDC_UNREACH;
out:
_krb5_debug(context, 2,
"result of trying to talk to realm %s = %d",
_krb5_krbhst_get_realm(handle), ret);
return ret;
}
static krb5_error_code
fkt_start_seq_get_int(krb5_context context,
krb5_keytab id,
int flags,
int exclusive,
krb5_kt_cursor *c)
{
int8_t pvno, tag;
krb5_error_code ret;
struct fkt_data *d = id->data;
c->fd = open (d->filename, flags);
if (c->fd < 0) {
ret = errno;
krb5_set_error_message(context, ret,
N_("keytab %s open failed: %s", ""),
d->filename, strerror(ret));
return ret;
}
rk_cloexec(c->fd);
ret = _krb5_xlock(context, c->fd, exclusive, d->filename);
if (ret) {
close(c->fd);
return ret;
}
c->sp = krb5_storage_from_fd(c->fd);
if (c->sp == NULL) {
_krb5_xunlock(context, c->fd);
close(c->fd);
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
krb5_storage_set_eof_code(c->sp, KRB5_KT_END);
ret = krb5_ret_int8(c->sp, &pvno);
if(ret) {
krb5_storage_free(c->sp);
_krb5_xunlock(context, c->fd);
close(c->fd);
krb5_clear_error_message(context);
return ret;
}
if(pvno != 5) {
krb5_storage_free(c->sp);
_krb5_xunlock(context, c->fd);
close(c->fd);
krb5_clear_error_message (context);
return KRB5_KEYTAB_BADVNO;
}
ret = krb5_ret_int8(c->sp, &tag);
if (ret) {
krb5_storage_free(c->sp);
_krb5_xunlock(context, c->fd);
close(c->fd);
krb5_clear_error_message(context);
return ret;
}
id->version = tag;
storage_set_flags(context, c->sp, id->version);
return 0;
}
krb5_error_code
kdc_find_fast(krb5_kdc_req **requestptr,
krb5_data *checksummed_data,
krb5_keyblock *tgs_subkey,
krb5_keyblock *tgs_session,
struct kdc_request_state *state,
krb5_data **inner_body_out)
{
krb5_error_code retval = 0;
krb5_pa_data *fast_padata, *cookie_padata = NULL;
krb5_data scratch, *inner_body = NULL;
krb5_fast_req * fast_req = NULL;
krb5_kdc_req *request = *requestptr;
krb5_fast_armored_req *fast_armored_req = NULL;
krb5_checksum *cksum;
krb5_boolean cksum_valid;
krb5_keyblock empty_keyblock;
kdc_realm_t *kdc_active_realm = state->realm_data;
if (inner_body_out != NULL)
*inner_body_out = NULL;
scratch.data = NULL;
krb5_clear_error_message(kdc_context);
memset(&empty_keyblock, 0, sizeof(krb5_keyblock));
fast_padata = krb5int_find_pa_data(kdc_context,
request->padata, KRB5_PADATA_FX_FAST);
if (fast_padata != NULL){
scratch.length = fast_padata->length;
scratch.data = (char *) fast_padata->contents;
retval = decode_krb5_pa_fx_fast_request(&scratch, &fast_armored_req);
if (retval == 0 &&fast_armored_req->armor) {
switch (fast_armored_req->armor->armor_type) {
case KRB5_FAST_ARMOR_AP_REQUEST:
if (tgs_subkey) {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(kdc_context, retval,
_("Ap-request armor not permitted "
"with TGS"));
break;
}
retval = armor_ap_request(state, fast_armored_req->armor);
break;
default:
krb5_set_error_message(kdc_context, KRB5KDC_ERR_PREAUTH_FAILED,
_("Unknown FAST armor type %d"),
fast_armored_req->armor->armor_type);
retval = KRB5KDC_ERR_PREAUTH_FAILED;
}
}
if (retval == 0 && !state->armor_key) {
if (tgs_subkey)
retval = krb5_c_fx_cf2_simple(kdc_context,
tgs_subkey, "subkeyarmor",
tgs_session, "ticketarmor",
&state->armor_key);
else {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(kdc_context, retval,
_("No armor key but FAST armored "
"request present"));
}
}
if (retval == 0) {
krb5_data plaintext;
plaintext.length = fast_armored_req->enc_part.ciphertext.length;
plaintext.data = malloc(plaintext.length);
if (plaintext.data == NULL)
retval = ENOMEM;
retval = krb5_c_decrypt(kdc_context,
state->armor_key,
KRB5_KEYUSAGE_FAST_ENC, NULL,
&fast_armored_req->enc_part,
&plaintext);
if (retval == 0)
retval = decode_krb5_fast_req(&plaintext, &fast_req);
if (retval == 0 && inner_body_out != NULL) {
retval = fetch_asn1_field((unsigned char *)plaintext.data,
1, 2, &scratch);
if (retval == 0) {
retval = krb5_copy_data(kdc_context, &scratch,
&inner_body);
}
}
if (plaintext.data)
free(plaintext.data);
}
cksum = &fast_armored_req->req_checksum;
if (retval == 0)
retval = krb5_c_verify_checksum(kdc_context, state->armor_key,
KRB5_KEYUSAGE_FAST_REQ_CHKSUM,
checksummed_data, cksum,
&cksum_valid);
if (retval == 0 && !cksum_valid) {
retval = KRB5KRB_AP_ERR_MODIFIED;
krb5_set_error_message(kdc_context, retval,
_("FAST req_checksum invalid; request "
"modified"));
}
if (retval == 0) {
if (!krb5_c_is_keyed_cksum(cksum->checksum_type)) {
retval = KRB5KDC_ERR_POLICY;
krb5_set_error_message(kdc_context, retval,
_("Unkeyed checksum used in fast_req"));
}
}
if (retval == 0) {
if ((fast_req->fast_options & UNSUPPORTED_CRITICAL_FAST_OPTIONS) != 0)
retval = KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION;
}
if (retval == 0)
cookie_padata = krb5int_find_pa_data(kdc_context,
fast_req->req_body->padata,
KRB5_PADATA_FX_COOKIE);
if (retval == 0) {
state->fast_options = fast_req->fast_options;
krb5_free_kdc_req( kdc_context, request);
*requestptr = fast_req->req_body;
fast_req->req_body = NULL;
}
}
else {
cookie_padata = krb5int_find_pa_data(kdc_context,
request->padata,
KRB5_PADATA_FX_COOKIE);
}
if (retval == 0 && cookie_padata != NULL) {
krb5_pa_data *new_padata = malloc(sizeof (krb5_pa_data));
if (new_padata == NULL) {
retval = ENOMEM;
} else {
new_padata->pa_type = KRB5_PADATA_FX_COOKIE;
new_padata->length = cookie_padata->length;
new_padata->contents = malloc(new_padata->length);
if (new_padata->contents == NULL) {
retval = ENOMEM;
free(new_padata);
} else {
memcpy(new_padata->contents, cookie_padata->contents,
new_padata->length);
state->cookie = new_padata;
}
}
}
if (retval == 0 && inner_body_out != NULL) {
*inner_body_out = inner_body;
inner_body = NULL;
}
krb5_free_data(kdc_context, inner_body);
if (fast_req)
krb5_free_fast_req( kdc_context, fast_req);
if (fast_armored_req)
krb5_free_fast_armored_req(kdc_context, fast_armored_req);
return retval;
}
krb5_error_code
krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry,
char **db_args)
{
int l=0, kerberos_principal_object_type=0;
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
char *user=NULL, *subtree=NULL, *principal_dn=NULL;
char **values=NULL, *strval[10]= {NULL}, errbuf[1024];
struct berval **bersecretkey=NULL;
LDAPMod **mods=NULL;
krb5_boolean create_standalone_prinicipal=FALSE;
krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE;
char *standalone_principal_dn=NULL;
krb5_tl_data *tl_data=NULL;
krb5_key_data **keys=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
osa_princ_ent_rec princ_ent;
xargs_t xargs = {0};
char *polname = NULL;
OPERATION optype;
krb5_boolean found_entry = FALSE;
/* Clear the global error string */
krb5_clear_error_message(context);
SETUP_CONTEXT();
if (ldap_context->lrparams == NULL || ldap_context->krbcontainer == NULL)
return EINVAL;
/* get ldap handle */
GET_HANDLE();
if (is_principal_in_realm(ldap_context, entry->princ) != 0) {
st = EINVAL;
krb5_set_error_message(context, st, _("Principal does not belong to "
"the default realm"));
goto cleanup;
}
/* get the principal information to act on */
if (entry->princ) {
if (((st=krb5_unparse_name(context, entry->princ, &user)) != 0) ||
((st=krb5_ldap_unparse_principal_name(user)) != 0))
goto cleanup;
}
/* Identity the type of operation, it can be
* add principal or modify principal.
* hack if the entry->mask has KRB_PRINCIPAL flag set
* then it is a add operation
*/
if (entry->mask & KADM5_PRINCIPAL)
optype = ADD_PRINCIPAL;
else
optype = MODIFY_PRINCIPAL;
if (((st=krb5_get_princ_type(context, entry, &kerberos_principal_object_type)) != 0) ||
((st=krb5_get_userdn(context, entry, &principal_dn)) != 0))
goto cleanup;
if ((st=process_db_args(context, db_args, &xargs, optype)) != 0)
goto cleanup;
if (entry->mask & KADM5_LOAD) {
int tree = 0, ntrees = 0, princlen = 0, numlentries = 0;
char **subtreelist = NULL, *filter = NULL;
/* A load operation is special, will do a mix-in (add krbprinc
* attrs to a non-krb object entry) if an object exists with a
* matching krbprincipalname attribute so try to find existing
* object and set principal_dn. This assumes that the
* krbprincipalname attribute is unique (only one object entry has
* a particular krbprincipalname attribute).
*/
if (user == NULL) {
/* must have principal name for search */
st = EINVAL;
krb5_set_error_message(context, st,
_("operation can not continue, principal "
"name not found"));
goto cleanup;
}
princlen = strlen(FILTER) + strlen(user) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
st = ENOMEM;
goto cleanup;
}
snprintf(filter, princlen, FILTER"%s))", user);
/* get the current subtree list */
if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
goto cleanup;
found_entry = FALSE;
/* search for entry with matching krbprincipalname attribute */
for (tree = 0; found_entry == FALSE && tree < ntrees; ++tree) {
result = NULL;
if (principal_dn == NULL) {
LDAP_SEARCH_1(subtreelist[tree], ldap_context->lrparams->search_scope, filter, principal_attributes, IGNORE_STATUS);
} else {
/* just look for entry with principal_dn */
LDAP_SEARCH_1(principal_dn, LDAP_SCOPE_BASE, filter, principal_attributes, IGNORE_STATUS);
}
if (st == LDAP_SUCCESS) {
numlentries = ldap_count_entries(ld, result);
if (numlentries > 1) {
ldap_msgfree(result);
free(filter);
st = EINVAL;
krb5_set_error_message(context, st,
_("operation can not continue, "
"more than one entry with "
"principal name \"%s\" found"),
user);
goto cleanup;
} else if (numlentries == 1) {
found_entry = TRUE;
if (principal_dn == NULL) {
ent = ldap_first_entry(ld, result);
if (ent != NULL) {
/* setting principal_dn will cause that entry to be modified further down */
if ((principal_dn = ldap_get_dn(ld, ent)) == NULL) {
ldap_get_option (ld, LDAP_OPT_RESULT_CODE, &st);
st = set_ldap_error (context, st, 0);
ldap_msgfree(result);
free(filter);
goto cleanup;
}
}
}
}
if (result)
ldap_msgfree(result);
} else if (st != LDAP_NO_SUCH_OBJECT) {
/* could not perform search, return with failure */
st = set_ldap_error (context, st, 0);
free(filter);
goto cleanup;
}
/*
* If it isn't found then assume a standalone princ entry is to
* be created.
*/
} /* end for (tree = 0; principal_dn == ... */
free(filter);
if (found_entry == FALSE && principal_dn != NULL) {
/*
* if principal_dn is null then there is code further down to
* deal with setting standalone_principal_dn. Also note that
* this will set create_standalone_prinicipal true for
* non-mix-in entries which is okay if loading from a dump.
*/
create_standalone_prinicipal = TRUE;
standalone_principal_dn = strdup(principal_dn);
CHECK_NULL(standalone_principal_dn);
}
} /* end if (entry->mask & KADM5_LOAD */
/* time to generate the DN information with the help of
* containerdn, principalcontainerreference or
* realmcontainerdn information
*/
if (principal_dn == NULL && xargs.dn == NULL) { /* creation of standalone principal */
/* get the subtree information */
if (entry->princ->length == 2 && entry->princ->data[0].length == strlen("krbtgt") &&
strncmp(entry->princ->data[0].data, "krbtgt", entry->princ->data[0].length) == 0) {
/* if the principal is a inter-realm principal, always created in the realm container */
subtree = strdup(ldap_context->lrparams->realmdn);
} else if (xargs.containerdn) {
if ((st=checkattributevalue(ld, xargs.containerdn, NULL, NULL, NULL)) != 0) {
if (st == KRB5_KDB_NOENTRY || st == KRB5_KDB_CONSTRAINT_VIOLATION) {
int ost = st;
st = EINVAL;
snprintf(errbuf, sizeof(errbuf), _("'%s' not found: "),
xargs.containerdn);
prepend_err_str(context, errbuf, st, ost);
}
goto cleanup;
}
subtree = strdup(xargs.containerdn);
} else if (ldap_context->lrparams->containerref && strlen(ldap_context->lrparams->containerref) != 0) {
/*
* Here the subtree should be changed with
* principalcontainerreference attribute value
*/
subtree = strdup(ldap_context->lrparams->containerref);
} else {
subtree = strdup(ldap_context->lrparams->realmdn);
}
CHECK_NULL(subtree);
if (asprintf(&standalone_principal_dn, "krbprincipalname=%s,%s",
user, subtree) < 0)
standalone_principal_dn = NULL;
CHECK_NULL(standalone_principal_dn);
/*
* free subtree when you are done using the subtree
* set the boolean create_standalone_prinicipal to TRUE
*/
create_standalone_prinicipal = TRUE;
free(subtree);
subtree = NULL;
}
/*
* If the DN information is presented by the user, time to
* validate the input to ensure that the DN falls under
* any of the subtrees
*/
if (xargs.dn_from_kbd == TRUE) {
/* make sure the DN falls in the subtree */
int tre=0, dnlen=0, subtreelen=0, ntrees=0;
char **subtreelist=NULL;
char *dn=NULL;
krb5_boolean outofsubtree=TRUE;
if (xargs.dn != NULL) {
dn = xargs.dn;
} else if (xargs.linkdn != NULL) {
dn = xargs.linkdn;
} else if (standalone_principal_dn != NULL) {
/*
* Even though the standalone_principal_dn is constructed
* within this function, there is the containerdn input
* from the user that can become part of the it.
*/
dn = standalone_principal_dn;
}
/* get the current subtree list */
if ((st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees)) != 0)
goto cleanup;
for (tre=0; tre<ntrees; ++tre) {
if (subtreelist[tre] == NULL || strlen(subtreelist[tre]) == 0) {
outofsubtree = FALSE;
break;
} else {
dnlen = strlen (dn);
subtreelen = strlen(subtreelist[tre]);
if ((dnlen >= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) {
outofsubtree = FALSE;
break;
}
}
}
for (tre=0; tre < ntrees; ++tre) {
free(subtreelist[tre]);
}
if (outofsubtree == TRUE) {
st = EINVAL;
krb5_set_error_message(context, st,
_("DN is out of the realm subtree"));
goto cleanup;
}
/*
* dn value will be set either by dn, linkdn or the standalone_principal_dn
* In the first 2 cases, the dn should be existing and in the last case we
* are supposed to create the ldap object. so the below should not be
* executed for the last case.
*/
if (standalone_principal_dn == NULL) {
/*
* If the ldap object is missing, this results in an error.
*/
/*
* Search for krbprincipalname attribute here.
* This is to find if a kerberos identity is already present
* on the ldap object, in which case adding a kerberos identity
* on the ldap object should result in an error.
*/
char *attributes[]= {"krbticketpolicyreference", "krbprincipalname", NULL};
LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS);
if (st == LDAP_SUCCESS) {
ent = ldap_first_entry(ld, result);
if (ent != NULL) {
if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) {
ldap_value_free(values);
}
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
krb_identity_exists = TRUE;
ldap_value_free(values);
}
}
ldap_msgfree(result);
} else {
st = set_ldap_error(context, st, OP_SEARCH);
goto cleanup;
}
}
}
/*
* If xargs.dn is set then the request is to add a
* kerberos principal on a ldap object, but if
* there is one already on the ldap object this
* should result in an error.
*/
if (xargs.dn != NULL && krb_identity_exists == TRUE) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("ldap object is already kerberized"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (xargs.linkdn != NULL) {
/*
* link information can be changed using modprinc.
* However, link information can be changed only on the
* standalone kerberos principal objects. A standalone
* kerberos principal object is of type krbprincipal
* structural objectclass.
*
* NOTE: kerberos principals on an ldap object can't be
* linked to other ldap objects.
*/
if (optype == MODIFY_PRINCIPAL &&
kerberos_principal_object_type != KDB_STANDALONE_PRINCIPAL_OBJECT) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("link information can not be set/updated as the "
"kerberos principal belongs to an ldap object"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
/*
* Check the link information. If there is already a link
* existing then this operation is not allowed.
*/
{
char **linkdns=NULL;
int j=0;
if ((st=krb5_get_linkdn(context, entry, &linkdns)) != 0) {
snprintf(errbuf, sizeof(errbuf),
_("Failed getting object references"));
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (linkdns != NULL) {
st = EINVAL;
snprintf(errbuf, sizeof(errbuf),
_("kerberos principal is already linked to a ldap "
"object"));
krb5_set_error_message(context, st, "%s", errbuf);
for (j=0; linkdns[j] != NULL; ++j)
free (linkdns[j]);
free (linkdns);
goto cleanup;
}
}
establish_links = TRUE;
}
if (entry->mask & KADM5_LAST_SUCCESS) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->last_success)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastSuccessfulAuth", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_LAST_FAILED) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->last_failed)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastFailedAuth", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free(strval[0]);
}
if (entry->mask & KADM5_FAIL_AUTH_COUNT) {
krb5_kvno fail_auth_count;
fail_auth_count = entry->fail_auth_count;
if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
fail_auth_count++;
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_REPLACE,
fail_auth_count);
if (st != 0)
goto cleanup;
} else if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT) {
int attr_mask = 0;
krb5_boolean has_fail_count;
/* Check if the krbLoginFailedCount attribute exists. (Through
* krb5 1.8.1, it wasn't set in new entries.) */
st = krb5_get_attributes_mask(context, entry, &attr_mask);
if (st != 0)
goto cleanup;
has_fail_count = ((attr_mask & KDB_FAIL_AUTH_COUNT_ATTR) != 0);
/*
* If the client library and server supports RFC 4525,
* then use it to increment by one the value of the
* krbLoginFailedCount attribute. Otherwise, assert the
* (provided) old value by deleting it before adding.
*/
#ifdef LDAP_MOD_INCREMENT
if (ldap_server_handle->server_info->modify_increment &&
has_fail_count) {
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_INCREMENT, 1);
if (st != 0)
goto cleanup;
} else {
#endif /* LDAP_MOD_INCREMENT */
if (has_fail_count) {
st = krb5_add_int_mem_ldap_mod(&mods,
"krbLoginFailedCount",
LDAP_MOD_DELETE,
entry->fail_auth_count);
if (st != 0)
goto cleanup;
}
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_ADD,
entry->fail_auth_count + 1);
if (st != 0)
goto cleanup;
#ifdef LDAP_MOD_INCREMENT
}
#endif
} else if (optype == ADD_PRINCIPAL) {
/* Initialize krbLoginFailedCount in new entries to help avoid a
* race during the first failed login. */
st = krb5_add_int_mem_ldap_mod(&mods, "krbLoginFailedCount",
LDAP_MOD_ADD, 0);
}
if (entry->mask & KADM5_MAX_LIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxticketlife", LDAP_MOD_REPLACE, entry->max_life)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_MAX_RLIFE) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbmaxrenewableage", LDAP_MOD_REPLACE,
entry->max_renewable_life)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_ATTRIBUTES) {
if ((st=krb5_add_int_mem_ldap_mod(&mods, "krbticketflags", LDAP_MOD_REPLACE,
entry->attributes)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_PRINCIPAL) {
memset(strval, 0, sizeof(strval));
strval[0] = user;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalname", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_PRINC_EXPIRE_TIME) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbprincipalexpiration", LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_PW_EXPIRATION) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpasswordexpiration",
LDAP_MOD_REPLACE,
strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
if (entry->mask & KADM5_POLICY) {
memset(&princ_ent, 0, sizeof(princ_ent));
for (tl_data=entry->tl_data; tl_data; tl_data=tl_data->tl_data_next) {
if (tl_data->tl_data_type == KRB5_TL_KADM_DATA) {
/* FIX ME: I guess the princ_ent should be freed after this call */
if ((st = krb5_lookup_tl_kadm_data(tl_data, &princ_ent)) != 0) {
goto cleanup;
}
}
}
if (princ_ent.aux_attributes & KADM5_POLICY) {
memset(strval, 0, sizeof(strval));
if ((st = krb5_ldap_name_to_policydn (context, princ_ent.policy, &polname)) != 0)
goto cleanup;
strval[0] = polname;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
} else {
st = EINVAL;
krb5_set_error_message(context, st, "Password policy value null");
goto cleanup;
}
} else if (entry->mask & KADM5_LOAD && found_entry == TRUE) {
/*
* a load is special in that existing entries must have attrs that
* removed.
*/
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_REPLACE, NULL)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_POLICY_CLR) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbpwdpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
goto cleanup;
}
if (entry->mask & KADM5_KEY_DATA || entry->mask & KADM5_KVNO) {
krb5_kvno mkvno;
if ((st=krb5_dbe_lookup_mkvno(context, entry, &mkvno)) != 0)
goto cleanup;
bersecretkey = krb5_encode_krbsecretkey (entry->key_data,
entry->n_key_data, mkvno);
if ((st=krb5_add_ber_mem_ldap_mod(&mods, "krbprincipalkey",
LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, bersecretkey)) != 0)
goto cleanup;
if (!(entry->mask & KADM5_PRINCIPAL)) {
memset(strval, 0, sizeof(strval));
if ((strval[0]=getstringtime(entry->pw_expiration)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods,
"krbpasswordexpiration",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
/* Update last password change whenever a new key is set */
{
krb5_timestamp last_pw_changed;
if ((st=krb5_dbe_lookup_last_pwd_change(context, entry,
&last_pw_changed)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
if ((strval[0] = getstringtime(last_pw_changed)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastPwdChange",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
} /* Modify Key data ends here */
/* Set tl_data */
if (entry->tl_data != NULL) {
int count = 0;
struct berval **ber_tl_data = NULL;
krb5_tl_data *ptr;
krb5_timestamp unlock_time;
for (ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO
|| ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL
|| ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK)
continue;
count++;
}
if (count != 0) {
int j;
ber_tl_data = (struct berval **) calloc (count + 1,
sizeof (struct berval*));
if (ber_tl_data == NULL) {
st = ENOMEM;
goto cleanup;
}
for (j = 0, ptr = entry->tl_data; ptr != NULL; ptr = ptr->tl_data_next) {
/* Ignore tl_data that are stored in separate directory
* attributes */
if (ptr->tl_data_type == KRB5_TL_LAST_PWD_CHANGE
#ifdef SECURID
|| ptr->tl_data_type == KRB5_TL_DB_ARGS
#endif
|| ptr->tl_data_type == KRB5_TL_KADM_DATA
|| ptr->tl_data_type == KDB_TL_USER_INFO
|| ptr->tl_data_type == KRB5_TL_CONSTRAINED_DELEGATION_ACL
|| ptr->tl_data_type == KRB5_TL_LAST_ADMIN_UNLOCK)
continue;
if ((st = tl_data2berval (ptr, &ber_tl_data[j])) != 0)
break;
j++;
}
if (st == 0) {
ber_tl_data[count] = NULL;
st=krb5_add_ber_mem_ldap_mod(&mods, "krbExtraData",
LDAP_MOD_REPLACE |
LDAP_MOD_BVALUES, ber_tl_data);
}
for (j = 0; ber_tl_data[j] != NULL; j++) {
free(ber_tl_data[j]->bv_val);
free(ber_tl_data[j]);
}
free(ber_tl_data);
if (st != 0)
goto cleanup;
}
if ((st=krb5_dbe_lookup_last_admin_unlock(context, entry,
&unlock_time)) != 0)
goto cleanup;
if (unlock_time != 0) {
/* Update last admin unlock */
memset(strval, 0, sizeof(strval));
if ((strval[0] = getstringtime(unlock_time)) == NULL)
goto cleanup;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbLastAdminUnlock",
LDAP_MOD_REPLACE, strval)) != 0) {
free (strval[0]);
goto cleanup;
}
free (strval[0]);
}
}
/* Directory specific attribute */
if (xargs.tktpolicydn != NULL) {
int tmask=0;
if (strlen(xargs.tktpolicydn) != 0) {
st = checkattributevalue(ld, xargs.tktpolicydn, "objectclass", policyclass, &tmask);
CHECK_CLASS_VALIDITY(st, tmask, _("ticket policy object value: "));
strval[0] = xargs.tktpolicydn;
strval[1] = NULL;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
} else {
/* if xargs.tktpolicydn is a empty string, then delete
* already existing krbticketpolicyreference attr */
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbticketpolicyreference", LDAP_MOD_DELETE, NULL)) != 0)
goto cleanup;
}
}
if (establish_links == TRUE) {
memset(strval, 0, sizeof(strval));
strval[0] = xargs.linkdn;
if ((st=krb5_add_str_mem_ldap_mod(&mods, "krbObjectReferences", LDAP_MOD_REPLACE, strval)) != 0)
goto cleanup;
}
/*
* in case mods is NULL then return
* not sure but can happen in a modprinc
* so no need to return an error
* addprinc will at least have the principal name
* and the keys passed in
*/
if (mods == NULL)
goto cleanup;
if (create_standalone_prinicipal == TRUE) {
memset(strval, 0, sizeof(strval));
strval[0] = "krbprincipal";
strval[1] = "krbprincipalaux";
strval[2] = "krbTicketPolicyAux";
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
if (st == LDAP_ALREADY_EXISTS && entry->mask & KADM5_LOAD) {
/* a load operation must replace an existing entry */
st = ldap_delete_ext_s(ld, standalone_principal_dn, NULL, NULL);
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf),
_("Principal delete failed (trying to replace "
"entry): %s"), ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
} else {
st = ldap_add_ext_s(ld, standalone_principal_dn, mods, NULL, NULL);
}
}
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf), _("Principal add failed: %s"),
ldap_err2string(st));
st = translate_ldap_error (st, OP_ADD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
} else {
/*
* Here existing ldap object is modified and can be related
* to any attribute, so always ensure that the ldap
* object is extended with all the kerberos related
* objectclasses so that there are no constraint
* violations.
*/
{
char *attrvalues[] = {"krbprincipalaux", "krbTicketPolicyAux", NULL};
int p, q, r=0, amask=0;
if ((st=checkattributevalue(ld, (xargs.dn) ? xargs.dn : principal_dn,
"objectclass", attrvalues, &amask)) != 0)
goto cleanup;
memset(strval, 0, sizeof(strval));
for (p=1, q=0; p<=2; p<<=1, ++q) {
if ((p & amask) == 0)
strval[r++] = attrvalues[q];
}
if (r != 0) {
if ((st=krb5_add_str_mem_ldap_mod(&mods, "objectclass", LDAP_MOD_ADD, strval)) != 0)
goto cleanup;
}
}
if (xargs.dn != NULL)
st=ldap_modify_ext_s(ld, xargs.dn, mods, NULL, NULL);
else
st = ldap_modify_ext_s(ld, principal_dn, mods, NULL, NULL);
if (st != LDAP_SUCCESS) {
snprintf(errbuf, sizeof(errbuf), _("User modification failed: %s"),
ldap_err2string(st));
st = translate_ldap_error (st, OP_MOD);
krb5_set_error_message(context, st, "%s", errbuf);
goto cleanup;
}
if (entry->mask & KADM5_FAIL_AUTH_COUNT_INCREMENT)
entry->fail_auth_count++;
}
cleanup:
if (user)
free(user);
free_xargs(xargs);
if (standalone_principal_dn)
free(standalone_principal_dn);
if (principal_dn)
free (principal_dn);
if (polname != NULL)
free(polname);
if (subtree)
free (subtree);
if (bersecretkey) {
for (l=0; bersecretkey[l]; ++l) {
if (bersecretkey[l]->bv_val)
free (bersecretkey[l]->bv_val);
free (bersecretkey[l]);
}
free (bersecretkey);
}
if (keys)
free (keys);
ldap_mods_free(mods, 1);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return(st);
}
static krb5_error_code
entry2string_int (krb5_context context, krb5_storage *sp, hdb_entry *ent)
{
char *p;
size_t i;
krb5_error_code ret;
/* --- principal */
ret = krb5_unparse_name(context, ent->principal, &p);
if(ret)
return ret;
append_string(context, sp, "%s ", p);
free(p);
/* --- kvno */
append_string(context, sp, "%d", ent->kvno);
/* --- keys */
for(i = 0; i < ent->keys.len; i++){
/* --- mkvno, keytype */
if(ent->keys.val[i].mkvno)
append_string(context, sp, ":%d:%d:",
*ent->keys.val[i].mkvno,
ent->keys.val[i].key.keytype);
else
append_string(context, sp, "::%d:",
ent->keys.val[i].key.keytype);
/* --- keydata */
append_hex(context, sp, &ent->keys.val[i].key.keyvalue);
append_string(context, sp, ":");
/* --- salt */
if(ent->keys.val[i].salt){
append_string(context, sp, "%u/", ent->keys.val[i].salt->type);
append_hex(context, sp, &ent->keys.val[i].salt->salt);
}else
append_string(context, sp, "-");
}
append_string(context, sp, " ");
/* --- created by */
append_event(context, sp, &ent->created_by);
/* --- modified by */
append_event(context, sp, ent->modified_by);
/* --- valid start */
if(ent->valid_start)
append_string(context, sp, "%s ", time2str(*ent->valid_start));
else
append_string(context, sp, "- ");
/* --- valid end */
if(ent->valid_end)
append_string(context, sp, "%s ", time2str(*ent->valid_end));
else
append_string(context, sp, "- ");
/* --- password ends */
if(ent->pw_end)
append_string(context, sp, "%s ", time2str(*ent->pw_end));
else
append_string(context, sp, "- ");
/* --- max life */
if(ent->max_life)
append_string(context, sp, "%d ", *ent->max_life);
else
append_string(context, sp, "- ");
/* --- max renewable life */
if(ent->max_renew)
append_string(context, sp, "%d ", *ent->max_renew);
else
append_string(context, sp, "- ");
/* --- flags */
append_string(context, sp, "%d ", HDBFlags2int(ent->flags));
/* --- generation number */
if(ent->generation) {
append_string(context, sp, "%s:%d:%d ", time2str(ent->generation->time),
ent->generation->usec,
ent->generation->gen);
} else
append_string(context, sp, "- ");
/* --- extensions */
if(ent->extensions && ent->extensions->len > 0) {
for(i = 0; i < ent->extensions->len; i++) {
void *d;
size_t size, sz = 0;
ASN1_MALLOC_ENCODE(HDB_extension, d, size,
&ent->extensions->val[i], &sz, ret);
if (ret) {
krb5_clear_error_message(context);
return ret;
}
if(size != sz)
krb5_abortx(context, "internal asn.1 encoder error");
if (hex_encode(d, size, &p) < 0) {
free(d);
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
free(d);
append_string(context, sp, "%s%s", p,
ent->extensions->len - 1 != i ? ":" : "");
free(p);
}
} else
append_string(context, sp, "-");
return 0;
}
krb5_error_code
krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
unsigned int flags, krb5_db_entry **entry_ptr)
{
char *user=NULL, *filter=NULL, *filtuser=NULL;
unsigned int tree=0, ntrees=1, princlen=0;
krb5_error_code tempst=0, st=0;
char **values=NULL, **subtree=NULL, *cname=NULL;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
krb5_ldap_context *ldap_context=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
krb5_principal cprinc=NULL;
krb5_boolean found=FALSE;
krb5_db_entry *entry = NULL;
*entry_ptr = NULL;
/* Clear the global error string */
krb5_clear_error_message(context);
if (searchfor == NULL)
return EINVAL;
dal_handle = context->dal_handle;
ldap_context = (krb5_ldap_context *) dal_handle->db_context;
CHECK_LDAP_HANDLE(ldap_context);
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
krb5_set_error_message(context, st,
_("Principal does not belong to realm"));
goto cleanup;
}
if ((st=krb5_unparse_name(context, searchfor, &user)) != 0)
goto cleanup;
if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
goto cleanup;
filtuser = ldap_filter_correct(user);
if (filtuser == NULL) {
st = ENOMEM;
goto cleanup;
}
princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1; /* 2 for closing brackets */
if ((filter = malloc(princlen)) == NULL) {
st = ENOMEM;
goto cleanup;
}
snprintf(filter, princlen, FILTER"%s))", filtuser);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
goto cleanup;
GET_HANDLE();
for (tree=0; tree < ntrees && !found; ++tree) {
LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
for (ent=ldap_first_entry(ld, result); ent != NULL && !found; ent=ldap_next_entry(ld, ent)) {
/* get the associated directory user information */
if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) {
int i;
/* a wild-card in a principal name can return a list of kerberos principals.
* Make sure that the correct principal is returned.
* NOTE: a principalname k* in ldap server will return all the principals starting with a k
*/
for (i=0; values[i] != NULL; ++i) {
if (strcmp(values[i], user) == 0) {
found = TRUE;
break;
}
}
ldap_value_free(values);
if (!found) /* no matching principal found */
continue;
}
if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
if (values[0] && strcmp(values[0], user) != 0) {
/* We matched an alias, not the canonical name. */
if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
st = krb5_ldap_parse_principal_name(values[0], &cname);
if (st != 0)
goto cleanup;
st = krb5_parse_name(context, cname, &cprinc);
if (st != 0)
goto cleanup;
} else /* No canonicalization, so don't return aliases. */
found = FALSE;
}
ldap_value_free(values);
if (!found)
continue;
}
entry = k5alloc(sizeof(*entry), &st);
if (entry == NULL)
goto cleanup;
if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent,
cprinc ? cprinc : searchfor,
entry)) != 0)
goto cleanup;
}
ldap_msgfree(result);
result = NULL;
} /* for (tree=0 ... */
if (found) {
*entry_ptr = entry;
entry = NULL;
} else
st = KRB5_KDB_NOENTRY;
cleanup:
ldap_msgfree(result);
krb5_ldap_free_principal(context, entry);
if (filter)
free (filter);
if (subtree) {
for (; ntrees; --ntrees)
if (subtree[ntrees-1])
free (subtree[ntrees-1]);
free (subtree);
}
if (ldap_server_handle)
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
if (user)
free(user);
if (filtuser)
free(filtuser);
if (cname)
free(cname);
if (cprinc)
krb5_free_principal(context, cprinc);
return st;
}
static int
find_type_in_ad(krb5_context context,
int type,
krb5_data *data,
krb5_boolean *found,
krb5_boolean failp,
krb5_keyblock *sessionkey,
const AuthorizationData *ad,
int level)
{
krb5_error_code ret = 0;
size_t i;
if (level > 9) {
ret = ENOENT; /* XXX */
krb5_set_error_message(context, ret,
N_("Authorization data nested deeper "
"then %d levels, stop searching", ""),
level);
goto out;
}
/*
* Only copy out the element the first time we get to it, we need
* to run over the whole authorization data fields to check if
* there are any container clases we need to care about.
*/
for (i = 0; i < ad->len; i++) {
if (!*found && ad->val[i].ad_type == type) {
ret = der_copy_octet_string(&ad->val[i].ad_data, data);
if (ret) {
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out;
}
*found = TRUE;
continue;
}
switch (ad->val[i].ad_type) {
case KRB5_AUTHDATA_IF_RELEVANT: {
AuthorizationData child;
ret = decode_AuthorizationData(ad->val[i].ad_data.data,
ad->val[i].ad_data.length,
&child,
NULL);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed to decode "
"IF_RELEVANT with %d", ""),
(int)ret);
goto out;
}
ret = find_type_in_ad(context, type, data, found, FALSE,
sessionkey, &child, level + 1);
free_AuthorizationData(&child);
if (ret)
goto out;
break;
}
#if 0 /* XXX test */
case KRB5_AUTHDATA_KDC_ISSUED: {
AD_KDCIssued child;
ret = decode_AD_KDCIssued(ad->val[i].ad_data.data,
ad->val[i].ad_data.length,
&child,
NULL);
if (ret) {
krb5_set_error_message(context, ret,
N_("Failed to decode "
"AD_KDCIssued with %d", ""),
ret);
goto out;
}
if (failp) {
krb5_boolean valid;
krb5_data buf;
size_t len;
ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length,
&child.elements, &len, ret);
if (ret) {
free_AD_KDCIssued(&child);
krb5_clear_error_message(context);
goto out;
}
if(buf.length != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
ret = krb5_c_verify_checksum(context, sessionkey, 19, &buf,
&child.ad_checksum, &valid);
krb5_data_free(&buf);
if (ret) {
free_AD_KDCIssued(&child);
goto out;
}
if (!valid) {
krb5_clear_error_message(context);
ret = ENOENT;
free_AD_KDCIssued(&child);
goto out;
}
}
ret = find_type_in_ad(context, type, data, found, failp, sessionkey,
&child.elements, level + 1);
free_AD_KDCIssued(&child);
if (ret)
goto out;
break;
}
#endif
case KRB5_AUTHDATA_AND_OR:
if (!failp)
break;
ret = ENOENT; /* XXX */
krb5_set_error_message(context, ret,
N_("Authorization data contains "
"AND-OR element that is unknown to the "
"application", ""));
goto out;
default:
if (!failp)
break;
ret = ENOENT; /* XXX */
krb5_set_error_message(context, ret,
N_("Authorization data contains "
"unknown type (%d) ", ""),
ad->val[i].ad_type);
goto out;
}
}
out:
if (ret) {
if (*found) {
krb5_data_free(data);
*found = 0;
}
}
return ret;
}
static krb5_error_code
get_cred_kdc(krb5_context context,
krb5_ccache id,
krb5_kdc_flags flags,
krb5_addresses *addresses,
krb5_creds *in_creds,
krb5_creds *krbtgt,
krb5_principal impersonate_principal,
Ticket *second_ticket,
krb5_creds *out_creds)
{
TGS_REQ req;
krb5_data enc;
krb5_data resp;
krb5_kdc_rep rep;
KRB_ERROR error;
krb5_error_code ret;
unsigned nonce;
krb5_keyblock *subkey = NULL;
size_t len = 0;
Ticket second_ticket_data;
METHOD_DATA padata;
krb5_data_zero(&resp);
krb5_data_zero(&enc);
padata.val = NULL;
padata.len = 0;
krb5_generate_random_block(&nonce, sizeof(nonce));
nonce &= 0xffffffff;
if(flags.b.enc_tkt_in_skey && second_ticket == NULL){
ret = decode_Ticket(in_creds->second_ticket.data,
in_creds->second_ticket.length,
&second_ticket_data, &len);
if(ret)
return ret;
second_ticket = &second_ticket_data;
}
if (impersonate_principal) {
krb5_crypto crypto;
PA_S4U2Self self;
krb5_data data;
void *buf;
size_t size = 0;
self.name = impersonate_principal->name;
self.realm = impersonate_principal->realm;
self.auth = estrdup("Kerberos");
ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
if (ret) {
free(self.auth);
goto out;
}
ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto);
if (ret) {
free(self.auth);
krb5_data_free(&data);
goto out;
}
ret = krb5_create_checksum(context,
crypto,
KRB5_KU_OTHER_CKSUM,
0,
data.data,
data.length,
&self.cksum);
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
if (ret) {
free(self.auth);
goto out;
}
ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret);
free(self.auth);
free_Checksum(&self.cksum);
if (ret)
goto out;
if (len != size)
krb5_abortx(context, "internal asn1 error");
ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len);
if (ret)
goto out;
}
ret = init_tgs_req (context,
id,
addresses,
flags,
second_ticket,
in_creds,
krbtgt,
nonce,
&padata,
&subkey,
&req);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(TGS_REQ, enc.data, enc.length, &req, &len, ret);
if (ret)
goto out;
if(enc.length != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
/* don't free addresses */
req.req_body.addresses = NULL;
free_TGS_REQ(&req);
/*
* Send and receive
*/
{
krb5_sendto_ctx stctx;
ret = krb5_sendto_ctx_alloc(context, &stctx);
if (ret)
return ret;
krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
ret = krb5_sendto_context (context, stctx, &enc,
krbtgt->server->name.name_string.val[1],
&resp);
krb5_sendto_ctx_free(context, stctx);
}
if(ret)
goto out;
memset(&rep, 0, sizeof(rep));
if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0) {
unsigned eflags = 0;
ret = krb5_copy_principal(context,
in_creds->client,
&out_creds->client);
if(ret)
goto out2;
ret = krb5_copy_principal(context,
in_creds->server,
&out_creds->server);
if(ret)
goto out2;
/* this should go someplace else */
out_creds->times.endtime = in_creds->times.endtime;
/* XXX should do better testing */
if (flags.b.constrained_delegation || impersonate_principal)
eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
ret = _krb5_extract_ticket(context,
&rep,
out_creds,
&krbtgt->session,
NULL,
0,
&krbtgt->addresses,
nonce,
eflags,
NULL,
decrypt_tkt_with_subkey,
subkey);
out2:
krb5_free_kdc_rep(context, &rep);
} else if(krb5_rd_error(context, &resp, &error) == 0) {
ret = krb5_error_from_rd_error(context, &error, in_creds);
krb5_free_error_contents(context, &error);
} else if(resp.length > 0 && ((char*)resp.data)[0] == 4) {
ret = KRB5KRB_AP_ERR_V4_REPLY;
krb5_clear_error_message(context);
} else {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
krb5_clear_error_message(context);
}
out:
if (second_ticket == &second_ticket_data)
free_Ticket(&second_ticket_data);
free_METHOD_DATA(&padata);
krb5_data_free(&resp);
krb5_data_free(&enc);
if(subkey)
krb5_free_keyblock(context, subkey);
return ret;
}
krb5_error_code
krb5_ldap_iterate(krb5_context context, char *match_expr,
krb5_error_code (*func)(krb5_pointer, krb5_db_entry *),
krb5_pointer func_arg)
{
krb5_db_entry entry;
krb5_principal principal;
char **subtree=NULL, *princ_name=NULL, *realm=NULL, **values=NULL, *filter=NULL;
unsigned int tree=0, ntree=1, i=0;
krb5_error_code st=0, tempst=0;
LDAP *ld=NULL;
LDAPMessage *result=NULL, *ent=NULL;
kdb5_dal_handle *dal_handle=NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_ldap_server_handle *ldap_server_handle=NULL;
char *default_match_expr = "*";
/* Clear the global error string */
krb5_clear_error_message(context);
memset(&entry, 0, sizeof(krb5_db_entry));
SETUP_CONTEXT();
realm = ldap_context->lrparams->realm_name;
if (realm == NULL) {
realm = context->default_realm;
if (realm == NULL) {
st = EINVAL;
krb5_set_error_message(context, st, "Default realm not set");
goto cleanup;
}
}
/*
* If no match_expr then iterate through all krb princs like the db2 plugin
*/
if (match_expr == NULL)
match_expr = default_match_expr;
if (asprintf(&filter, FILTER"%s))", match_expr) < 0)
filter = NULL;
CHECK_NULL(filter);
if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntree)) != 0)
goto cleanup;
GET_HANDLE();
for (tree=0; tree < ntree; ++tree) {
LDAP_SEARCH(subtree[tree], ldap_context->lrparams->search_scope, filter, principal_attributes);
for (ent=ldap_first_entry(ld, result); ent != NULL; ent=ldap_next_entry(ld, ent)) {
values=ldap_get_values(ld, ent, "krbcanonicalname");
if (values == NULL)
values=ldap_get_values(ld, ent, "krbprincipalname");
if (values != NULL) {
for (i=0; values[i] != NULL; ++i) {
if (krb5_ldap_parse_principal_name(values[i], &princ_name) != 0)
continue;
if (krb5_parse_name(context, princ_name, &principal) != 0)
continue;
if (is_principal_in_realm(ldap_context, principal) == 0) {
if ((st = populate_krb5_db_entry(context, ldap_context, ld, ent, principal,
&entry)) != 0)
goto cleanup;
(*func)(func_arg, &entry);
krb5_dbe_free_contents(context, &entry);
(void) krb5_free_principal(context, principal);
free(princ_name);
break;
}
(void) krb5_free_principal(context, principal);
free(princ_name);
}
ldap_value_free(values);
}
} /* end of for (ent= ... */
ldap_msgfree(result);
} /* end of for (tree= ... */
cleanup:
if (filter)
free (filter);
for (;ntree; --ntree)
if (subtree[ntree-1])
free (subtree[ntree-1]);
krb5_ldap_put_handle_to_pool(ldap_context, ldap_server_handle);
return st;
}
static int
do_ext_keytab(krb5_principal principal, void *data)
{
krb5_error_code ret;
kadm5_principal_ent_rec princ;
struct ext_keytab_data *e = data;
krb5_keytab_entry *keys = NULL;
krb5_keyblock *k = NULL;
int i, n_k;
ret = kadm5_get_principal(kadm_handle, principal, &princ,
KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA);
if(ret)
return ret;
if (princ.n_key_data) {
keys = malloc(sizeof(*keys) * princ.n_key_data);
if (keys == NULL) {
kadm5_free_principal_ent(kadm_handle, &princ);
krb5_clear_error_message(context);
return ENOMEM;
}
for (i = 0; i < princ.n_key_data; i++) {
krb5_key_data *kd = &princ.key_data[i];
keys[i].principal = princ.principal;
keys[i].vno = kd->key_data_kvno;
keys[i].keyblock.keytype = kd->key_data_type[0];
keys[i].keyblock.keyvalue.length = kd->key_data_length[0];
keys[i].keyblock.keyvalue.data = kd->key_data_contents[0];
keys[i].timestamp = time(NULL);
}
n_k = princ.n_key_data;
} else {
ret = kadm5_randkey_principal(kadm_handle, principal, &k, &n_k);
if (ret) {
kadm5_free_principal_ent(kadm_handle, &princ);
return ret;
}
keys = malloc(sizeof(*keys) * n_k);
if (keys == NULL) {
kadm5_free_principal_ent(kadm_handle, &princ);
krb5_clear_error_message(context);
return ENOMEM;
}
for (i = 0; i < n_k; i++) {
keys[i].principal = principal;
keys[i].vno = princ.kvno + 1; /* XXX get entry again */
keys[i].keyblock = k[i];
keys[i].timestamp = time(NULL);
}
}
for(i = 0; i < n_k; i++) {
ret = krb5_kt_add_entry(context, e->keytab, &keys[i]);
if(ret)
krb5_warn(context, ret, "krb5_kt_add_entry(%d)", i);
}
if (k) {
memset(k, 0, n_k * sizeof(*k));
free(k);
}
if (keys)
free(keys);
kadm5_free_principal_ent(kadm_handle, &princ);
return 0;
}
kadm5_ret_t
kadm5_modify_policy(void *server_handle, kadm5_policy_ent_t entry, long mask)
{
kadm5_server_handle_t handle = server_handle;
krb5_tl_data *tl;
osa_policy_ent_t p;
int ret;
size_t len;
CHECK_HANDLE(server_handle);
krb5_clear_error_message(handle->context);
if((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL))
return EINVAL;
if(strlen(entry->policy) == 0)
return KADM5_BAD_POLICY;
if((mask & KADM5_POLICY))
return KADM5_BAD_MASK;
if ((mask & KADM5_POLICY_ALLOWED_KEYSALTS) &&
entry->allowed_keysalts != NULL) {
ret = validate_allowed_keysalts(entry->allowed_keysalts);
if (ret)
return ret;
}
if ((mask & KADM5_POLICY_TL_DATA)) {
tl = entry->tl_data;
while (tl != NULL) {
if (tl->tl_data_type < 256)
return KADM5_BAD_TL_TYPE;
tl = tl->tl_data_next;
}
}
ret = krb5_db_get_policy(handle->context, entry->policy, &p);
if (ret == KRB5_KDB_NOENTRY)
return KADM5_UNK_POLICY;
else if (ret)
return ret;
if ((mask & KADM5_PW_MAX_LIFE))
p->pw_max_life = entry->pw_max_life;
if ((mask & KADM5_PW_MIN_LIFE)) {
if(entry->pw_min_life > p->pw_max_life && p->pw_max_life != 0) {
krb5_db_free_policy(handle->context, p);
return KADM5_BAD_MIN_PASS_LIFE;
}
p->pw_min_life = entry->pw_min_life;
}
if ((mask & KADM5_PW_MIN_LENGTH)) {
if(entry->pw_min_length < MIN_PW_LENGTH) {
krb5_db_free_policy(handle->context, p);
return KADM5_BAD_LENGTH;
}
p->pw_min_length = entry->pw_min_length;
}
if ((mask & KADM5_PW_MIN_CLASSES)) {
if(entry->pw_min_classes > MAX_PW_CLASSES ||
entry->pw_min_classes < MIN_PW_CLASSES) {
krb5_db_free_policy(handle->context, p);
return KADM5_BAD_CLASS;
}
p->pw_min_classes = entry->pw_min_classes;
}
if ((mask & KADM5_PW_HISTORY_NUM)) {
if(entry->pw_history_num < MIN_PW_HISTORY) {
krb5_db_free_policy(handle->context, p);
return KADM5_BAD_HISTORY;
}
p->pw_history_num = entry->pw_history_num;
}
if (handle->api_version >= KADM5_API_VERSION_3) {
if ((mask & KADM5_PW_MAX_FAILURE))
p->pw_max_fail = entry->pw_max_fail;
if ((mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
p->pw_failcnt_interval = entry->pw_failcnt_interval;
if ((mask & KADM5_PW_LOCKOUT_DURATION))
p->pw_lockout_duration = entry->pw_lockout_duration;
}
if (handle->api_version >= KADM5_API_VERSION_4) {
if ((mask & KADM5_POLICY_ATTRIBUTES))
p->attributes = entry->attributes;
if ((mask & KADM5_POLICY_MAX_LIFE))
p->max_life = entry->max_life;
if ((mask & KADM5_POLICY_MAX_RLIFE))
p->max_renewable_life = entry->max_renewable_life;
if ((mask & KADM5_POLICY_ALLOWED_KEYSALTS)) {
krb5_db_free(handle->context, p->allowed_keysalts);
p->allowed_keysalts = NULL;
if (entry->allowed_keysalts != NULL) {
len = strlen(entry->allowed_keysalts) + 1;
p->allowed_keysalts = krb5_db_alloc(handle->context, NULL,
len);
if (p->allowed_keysalts == NULL) {
ret = ENOMEM;
goto cleanup;
}
memcpy(p->allowed_keysalts, entry->allowed_keysalts, len);
}
}
if ((mask & KADM5_POLICY_TL_DATA)) {
for (tl = entry->tl_data; tl != NULL; tl = tl->tl_data_next) {
ret = krb5_db_update_tl_data(handle->context, &p->n_tl_data,
&p->tl_data, tl);
if (ret)
goto cleanup;
}
}
}
ret = krb5_db_put_policy(handle->context, p);
cleanup:
krb5_db_free_policy(handle->context, p);
return ret;
}
kadm5_ret_t
kadm5_s_get_principal(void *server_handle,
krb5_principal princ,
kadm5_principal_ent_t out,
uint32_t mask)
{
kadm5_server_context *context = server_handle;
kadm5_ret_t ret;
hdb_entry_ex ent;
memset(&ent, 0, sizeof(ent));
ret = context->db->hdb_open(context->context, context->db, O_RDONLY, 0);
if(ret)
return ret;
ret = context->db->hdb_fetch_kvno(context->context, context->db, princ,
HDB_F_DECRYPT|HDB_F_GET_ANY|HDB_F_ADMIN_DATA, 0, &ent);
context->db->hdb_close(context->context, context->db);
if(ret)
return _kadm5_error_code(ret);
memset(out, 0, sizeof(*out));
if(mask & KADM5_PRINCIPAL)
ret = krb5_copy_principal(context->context, ent.entry.principal,
&out->principal);
if(ret)
goto out;
if(mask & KADM5_PRINC_EXPIRE_TIME && ent.entry.valid_end)
out->princ_expire_time = *ent.entry.valid_end;
if(mask & KADM5_PW_EXPIRATION && ent.entry.pw_end)
out->pw_expiration = *ent.entry.pw_end;
if(mask & KADM5_LAST_PWD_CHANGE)
hdb_entry_get_pw_change_time(&ent.entry, &out->last_pwd_change);
if(mask & KADM5_ATTRIBUTES){
out->attributes |= ent.entry.flags.postdate ? 0 : KRB5_KDB_DISALLOW_POSTDATED;
out->attributes |= ent.entry.flags.forwardable ? 0 : KRB5_KDB_DISALLOW_FORWARDABLE;
out->attributes |= ent.entry.flags.initial ? KRB5_KDB_DISALLOW_TGT_BASED : 0;
out->attributes |= ent.entry.flags.renewable ? 0 : KRB5_KDB_DISALLOW_RENEWABLE;
out->attributes |= ent.entry.flags.proxiable ? 0 : KRB5_KDB_DISALLOW_PROXIABLE;
out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0;
out->attributes |= ent.entry.flags.trusted_for_delegation ? KRB5_KDB_TRUSTED_FOR_DELEGATION : 0;
out->attributes |= ent.entry.flags.allow_kerberos4 ? KRB5_KDB_ALLOW_KERBEROS4 : 0;
out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0;
}
if(mask & KADM5_MAX_LIFE) {
if(ent.entry.max_life)
out->max_life = *ent.entry.max_life;
else
out->max_life = INT_MAX;
}
if(mask & KADM5_MOD_TIME) {
if(ent.entry.modified_by)
out->mod_date = ent.entry.modified_by->time;
else
out->mod_date = ent.entry.created_by.time;
}
if(mask & KADM5_MOD_NAME) {
if(ent.entry.modified_by) {
if (ent.entry.modified_by->principal != NULL)
ret = krb5_copy_principal(context->context,
ent.entry.modified_by->principal,
&out->mod_name);
} else if(ent.entry.created_by.principal != NULL)
ret = krb5_copy_principal(context->context,
ent.entry.created_by.principal,
&out->mod_name);
else
out->mod_name = NULL;
}
if(ret)
goto out;
if(mask & KADM5_KVNO)
out->kvno = ent.entry.kvno;
if(mask & KADM5_MKVNO) {
size_t n;
out->mkvno = 0; /* XXX */
for(n = 0; n < ent.entry.keys.len; n++)
if(ent.entry.keys.val[n].mkvno) {
out->mkvno = *ent.entry.keys.val[n].mkvno; /* XXX this isn't right */
break;
}
}
#if 0 /* XXX implement */
if(mask & KADM5_AUX_ATTRIBUTES)
;
if(mask & KADM5_LAST_SUCCESS)
;
if(mask & KADM5_LAST_FAILED)
;
if(mask & KADM5_FAIL_AUTH_COUNT)
;
#endif
if(mask & KADM5_POLICY)
out->policy = NULL;
if(mask & KADM5_MAX_RLIFE) {
if(ent.entry.max_renew)
out->max_renewable_life = *ent.entry.max_renew;
else
out->max_renewable_life = INT_MAX;
}
if(mask & KADM5_KEY_DATA){
size_t i;
Key *key;
krb5_key_data *kd;
krb5_salt salt;
krb5_data *sp;
krb5_get_pw_salt(context->context, ent.entry.principal, &salt);
out->key_data = malloc(ent.entry.keys.len * sizeof(*out->key_data));
if (out->key_data == NULL && ent.entry.keys.len != 0) {
ret = ENOMEM;
goto out;
}
for(i = 0; i < ent.entry.keys.len; i++){
key = &ent.entry.keys.val[i];
kd = &out->key_data[i];
kd->key_data_ver = 2;
kd->key_data_kvno = ent.entry.kvno;
kd->key_data_type[0] = key->key.keytype;
if(key->salt)
kd->key_data_type[1] = key->salt->type;
else
kd->key_data_type[1] = KRB5_PADATA_PW_SALT;
/* setup key */
kd->key_data_length[0] = key->key.keyvalue.length;
kd->key_data_contents[0] = malloc(kd->key_data_length[0]);
if(kd->key_data_contents[0] == NULL && kd->key_data_length[0] != 0){
ret = ENOMEM;
break;
}
memcpy(kd->key_data_contents[0], key->key.keyvalue.data,
kd->key_data_length[0]);
/* setup salt */
if(key->salt)
sp = &key->salt->salt;
else
sp = &salt.saltvalue;
kd->key_data_length[1] = sp->length;
kd->key_data_contents[1] = malloc(kd->key_data_length[1]);
if(kd->key_data_length[1] != 0
&& kd->key_data_contents[1] == NULL) {
memset(kd->key_data_contents[0], 0, kd->key_data_length[0]);
ret = ENOMEM;
break;
}
memcpy(kd->key_data_contents[1], sp->data, kd->key_data_length[1]);
out->n_key_data = i + 1;
}
krb5_free_salt(context->context, salt);
}
if(ret){
kadm5_free_principal_ent(context, out);
goto out;
}
if(mask & KADM5_TL_DATA) {
time_t last_pw_expire;
const HDB_Ext_PKINIT_acl *acl;
const HDB_Ext_Aliases *aliases;
ret = hdb_entry_get_pw_change_time(&ent.entry, &last_pw_expire);
if (ret == 0 && last_pw_expire) {
unsigned char buf[4];
_krb5_put_int(buf, last_pw_expire, sizeof(buf));
ret = add_tl_data(out, KRB5_TL_LAST_PWD_CHANGE, buf, sizeof(buf));
}
if(ret){
kadm5_free_principal_ent(context, out);
goto out;
}
/*
* If the client was allowed to get key data, let it have the
* password too.
*/
if(mask & KADM5_KEY_DATA) {
heim_utf8_string pw;
ret = hdb_entry_get_password(context->context,
context->db, &ent.entry, &pw);
if (ret == 0) {
ret = add_tl_data(out, KRB5_TL_PASSWORD, pw, strlen(pw) + 1);
free(pw);
}
krb5_clear_error_message(context->context);
}
ret = hdb_entry_get_pkinit_acl(&ent.entry, &acl);
if (ret == 0 && acl) {
krb5_data buf;
size_t len;
ASN1_MALLOC_ENCODE(HDB_Ext_PKINIT_acl, buf.data, buf.length,
acl, &len, ret);
if (ret) {
kadm5_free_principal_ent(context, out);
goto out;
}
if (len != buf.length)
krb5_abortx(context->context,
"internal ASN.1 encoder error");
ret = add_tl_data(out, KRB5_TL_PKINIT_ACL, buf.data, buf.length);
free(buf.data);
if (ret) {
kadm5_free_principal_ent(context, out);
goto out;
}
}
if(ret){
kadm5_free_principal_ent(context, out);
goto out;
}
ret = hdb_entry_get_aliases(&ent.entry, &aliases);
if (ret == 0 && aliases) {
krb5_data buf;
size_t len;
ASN1_MALLOC_ENCODE(HDB_Ext_Aliases, buf.data, buf.length,
aliases, &len, ret);
if (ret) {
kadm5_free_principal_ent(context, out);
goto out;
}
if (len != buf.length)
krb5_abortx(context->context,
"internal ASN.1 encoder error");
ret = add_tl_data(out, KRB5_TL_ALIASES, buf.data, buf.length);
free(buf.data);
if (ret) {
kadm5_free_principal_ent(context, out);
goto out;
}
}
if(ret){
kadm5_free_principal_ent(context, out);
goto out;
}
}
out:
hdb_free_entry(context->context, &ent);
return _kadm5_error_code(ret);
}
kadm5_ret_t
kadm5_create_policy(void *server_handle, kadm5_policy_ent_t entry, long mask)
{
kadm5_server_handle_t handle = server_handle;
osa_policy_ent_rec pent;
int ret;
char *p;
CHECK_HANDLE(server_handle);
krb5_clear_error_message(handle->context);
if ((entry == (kadm5_policy_ent_t) NULL) || (entry->policy == NULL))
return EINVAL;
if(strlen(entry->policy) == 0)
return KADM5_BAD_POLICY;
if (!(mask & KADM5_POLICY))
return KADM5_BAD_MASK;
if ((mask & KADM5_POLICY_ALLOWED_KEYSALTS) &&
entry->allowed_keysalts != NULL) {
ret = validate_allowed_keysalts(entry->allowed_keysalts);
if (ret)
return ret;
}
memset(&pent, 0, sizeof(pent));
pent.name = entry->policy;
p = entry->policy;
while(*p != '\0') {
if(*p < ' ' || *p > '~')
return KADM5_BAD_POLICY;
else
p++;
}
if (!(mask & KADM5_PW_MAX_LIFE))
pent.pw_max_life = 0;
else
pent.pw_max_life = entry->pw_max_life;
if (!(mask & KADM5_PW_MIN_LIFE))
pent.pw_min_life = 0;
else {
if((mask & KADM5_PW_MAX_LIFE)) {
if(entry->pw_min_life > entry->pw_max_life && entry->pw_max_life != 0)
return KADM5_BAD_MIN_PASS_LIFE;
}
pent.pw_min_life = entry->pw_min_life;
}
if (!(mask & KADM5_PW_MIN_LENGTH))
pent.pw_min_length = MIN_PW_LENGTH;
else {
if(entry->pw_min_length < MIN_PW_LENGTH)
return KADM5_BAD_LENGTH;
pent.pw_min_length = entry->pw_min_length;
}
if (!(mask & KADM5_PW_MIN_CLASSES))
pent.pw_min_classes = MIN_PW_CLASSES;
else {
if(entry->pw_min_classes > MAX_PW_CLASSES || entry->pw_min_classes < MIN_PW_CLASSES)
return KADM5_BAD_CLASS;
pent.pw_min_classes = entry->pw_min_classes;
}
if (!(mask & KADM5_PW_HISTORY_NUM))
pent.pw_history_num = MIN_PW_HISTORY;
else {
if(entry->pw_history_num < MIN_PW_HISTORY)
return KADM5_BAD_HISTORY;
else
pent.pw_history_num = entry->pw_history_num;
}
if (handle->api_version >= KADM5_API_VERSION_4) {
if (!(mask & KADM5_POLICY_ATTRIBUTES))
pent.attributes = 0;
else
pent.attributes = entry->attributes;
if (!(mask & KADM5_POLICY_MAX_LIFE))
pent.max_life = 0;
else
pent.max_life = entry->max_life;
if (!(mask & KADM5_POLICY_MAX_RLIFE))
pent.max_renewable_life = 0;
else
pent.max_renewable_life = entry->max_renewable_life;
if (!(mask & KADM5_POLICY_ALLOWED_KEYSALTS))
pent.allowed_keysalts = 0;
else
pent.allowed_keysalts = entry->allowed_keysalts;
if (!(mask & KADM5_POLICY_TL_DATA)) {
pent.n_tl_data = 0;
pent.tl_data = NULL;
} else {
pent.n_tl_data = entry->n_tl_data;
pent.tl_data = entry->tl_data;
}
}
if (handle->api_version >= KADM5_API_VERSION_3) {
if (!(mask & KADM5_PW_MAX_FAILURE))
pent.pw_max_fail = 0;
else
pent.pw_max_fail = entry->pw_max_fail;
if (!(mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
pent.pw_failcnt_interval = 0;
else
pent.pw_failcnt_interval = entry->pw_failcnt_interval;
if (!(mask & KADM5_PW_LOCKOUT_DURATION))
pent.pw_lockout_duration = 0;
else
pent.pw_lockout_duration = entry->pw_lockout_duration;
}
if ((ret = krb5_db_create_policy(handle->context, &pent)))
return ret;
else
return KADM5_OK;
}
int
hdb_entry_get_password(krb5_context context, HDB *db,
const hdb_entry *entry, char **p)
{
HDB_extension *ext;
char *str;
int ret;
ext = hdb_find_extension(entry, choice_HDB_extension_data_password);
if (ext) {
heim_utf8_string str;
heim_octet_string pw;
if (db->hdb_master_key_set && ext->data.u.password.mkvno) {
hdb_master_key key;
key = _hdb_find_master_key(ext->data.u.password.mkvno,
db->hdb_master_key);
if (key == NULL) {
krb5_set_error_message(context, HDB_ERR_NO_MKEY,
"master key %d missing",
*ext->data.u.password.mkvno);
return HDB_ERR_NO_MKEY;
}
ret = _hdb_mkey_decrypt(context, key, HDB_KU_MKEY,
ext->data.u.password.password.data,
ext->data.u.password.password.length,
&pw);
} else {
ret = der_copy_octet_string(&ext->data.u.password.password, &pw);
}
if (ret) {
krb5_clear_error_message(context);
return ret;
}
str = pw.data;
if (str[pw.length - 1] != '\0') {
krb5_set_error_message(context, EINVAL, "password malformated");
return EINVAL;
}
*p = strdup(str);
der_free_octet_string(&pw);
if (*p == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
return 0;
}
ret = krb5_unparse_name(context, entry->principal, &str);
if (ret == 0) {
krb5_set_error_message(context, ENOENT, "no password attributefor %s", str);
free(str);
} else
krb5_clear_error_message(context);
return ENOENT;
}
/*
* This function will create a krbcontainer and realm on the LDAP Server, with
* the specified attributes.
*/
krb5_error_code
krb5_ldap_create (krb5_context context, char *conf_section, char **db_args)
{
krb5_error_code status = 0;
char **t_ptr = db_args;
krb5_ldap_realm_params *rparams = NULL;
kdb5_dal_handle *dal_handle = NULL;
krb5_ldap_context *ldap_context=NULL;
krb5_boolean realm_obj_created = FALSE;
krb5_boolean krbcontainer_obj_created = FALSE;
krb5_ldap_krbcontainer_params kparams = {0};
int srv_cnt = 0;
int mask = 0;
#ifdef HAVE_EDIRECTORY
int i = 0, rightsmask = 0;
#endif
/* Clear the global error string */
krb5_clear_error_message(context);
ldap_context = malloc(sizeof(krb5_ldap_context));
if (ldap_context == NULL) {
status = ENOMEM;
goto cleanup;
}
memset(ldap_context, 0, sizeof(*ldap_context));
ldap_context->kcontext = context;
/* populate ldap_context with ldap specific options */
while (t_ptr && *t_ptr) {
char *opt = NULL, *val = NULL;
if ((status = krb5_ldap_get_db_opt(*t_ptr, &opt, &val)) != 0) {
goto cleanup;
}
if (opt && !strcmp(opt, "binddn")) {
if (ldap_context->bind_dn) {
free (opt);
free (val);
status = EINVAL;
krb5_set_error_message (context, status, gettext("'binddn' missing"));
goto cleanup;
}
if (val == NULL) {
status = EINVAL;
krb5_set_error_message (context, status, gettext("'binddn' value missing"));
free(opt);
goto cleanup;
}
ldap_context->bind_dn = strdup(val);
if (ldap_context->bind_dn == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto cleanup;
}
} else if (opt && !strcmp(opt, "nconns")) {
if (ldap_context->max_server_conns) {
free (opt);
free (val);
status = EINVAL;
krb5_set_error_message (context, status, gettext("'nconns' missing"));
goto cleanup;
}
if (val == NULL) {
status = EINVAL;
krb5_set_error_message (context, status, gettext("'nconns' value missing"));
free(opt);
goto cleanup;
}
ldap_context->max_server_conns = atoi(val) ? atoi(val) : DEFAULT_CONNS_PER_SERVER;
} else if (opt && !strcmp(opt, "bindpwd")) {
if (ldap_context->bind_pwd) {
free (opt);
free (val);
status = EINVAL;
krb5_set_error_message (context, status, gettext("'bindpwd' missing"));
goto cleanup;
}
if (val == NULL) {
status = EINVAL;
krb5_set_error_message (context, status, gettext("'bindpwd' value missing"));
free(opt);
goto cleanup;
}
ldap_context->bind_pwd = strdup(val);
if (ldap_context->bind_pwd == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto cleanup;
}
} else if (opt && !strcmp(opt, "host")) {
if (val == NULL) {
status = EINVAL;
krb5_set_error_message (context, status, gettext("'host' value missing"));
free(opt);
goto cleanup;
}
if (ldap_context->server_info_list == NULL)
ldap_context->server_info_list =
(krb5_ldap_server_info **) calloc(SERV_COUNT+1, sizeof(krb5_ldap_server_info *));
if (ldap_context->server_info_list == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto cleanup;
}
ldap_context->server_info_list[srv_cnt] =
(krb5_ldap_server_info *) calloc(1, sizeof(krb5_ldap_server_info));
if (ldap_context->server_info_list[srv_cnt] == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto cleanup;
}
ldap_context->server_info_list[srv_cnt]->server_status = NOTSET;
ldap_context->server_info_list[srv_cnt]->server_name = strdup(val);
if (ldap_context->server_info_list[srv_cnt]->server_name == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto cleanup;
}
srv_cnt++;
#ifdef HAVE_EDIRECTORY
} else if (opt && !strcmp(opt, "cert")) {
if (val == NULL) {
status = EINVAL;
krb5_set_error_message (context, status, gettext("'cert' value missing"));
free(opt);
goto cleanup;
}
if (ldap_context->root_certificate_file == NULL) {
ldap_context->root_certificate_file = strdup(val);
if (ldap_context->root_certificate_file == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto cleanup;
}
} else {
void *tmp=NULL;
char *oldstr = NULL;
unsigned int len=0;
oldstr = strdup(ldap_context->root_certificate_file);
if (oldstr == NULL) {
free (opt);
free (val);
status = ENOMEM;
goto cleanup;
}
tmp = ldap_context->root_certificate_file;
len = strlen(ldap_context->root_certificate_file) + 2 + strlen(val);
ldap_context->root_certificate_file = realloc(ldap_context->root_certificate_file,
len);
if (ldap_context->root_certificate_file == NULL) {
free (tmp);
free (opt);
free (val);
status = ENOMEM;
goto cleanup;
}
memset(ldap_context->root_certificate_file, 0, len);
sprintf(ldap_context->root_certificate_file,"%s %s", oldstr, val);
free (oldstr);
}
#endif
} else {
/* ignore hash argument. Might have been passed from create */
status = EINVAL;
if (opt && !strcmp(opt, "temporary")) {
/*
* temporary is passed in when kdb5_util load without -update is done.
* This is unsupported by the LDAP plugin.
*/
krb5_set_error_message (context, status,
gettext("creation of LDAP entries aborted, plugin requires -update argument"));
} else {
krb5_set_error_message (context, status, gettext("unknown option \'%s\'"),
opt?opt:val);
}
free(opt);
free(val);
goto cleanup;
}
free(opt);
free(val);
t_ptr++;
}
dal_handle = (kdb5_dal_handle *) context->db_context;
dal_handle->db_context = (kdb5_dal_handle *) ldap_context;
status = krb5_ldap_read_server_params(context, conf_section, KRB5_KDB_SRV_TYPE_ADMIN);
if (status) {
dal_handle->db_context = NULL;
prepend_err_str (context, gettext("Error reading LDAP server params: "), status, status);
goto cleanup;
}
status = krb5_ldap_db_init(context, ldap_context);
if (status) {
goto cleanup;
}
/* read the kerberos container */
if ((status = krb5_ldap_read_krbcontainer_params(context,
&(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
/* Read the kerberos container location from configuration file */
if (ldap_context->conf_section) {
if ((status = profile_get_string(context->profile,
KDB_MODULE_SECTION, ldap_context->conf_section,
"ldap_kerberos_container_dn", NULL,
&kparams.DN)) != 0) {
goto cleanup;
}
}
if (kparams.DN == NULL) {
if ((status = profile_get_string(context->profile,
KDB_MODULE_DEF_SECTION,
"ldap_kerberos_container_dn", NULL,
NULL, &kparams.DN)) != 0) {
goto cleanup;
}
}
/* create the kerberos container */
status = krb5_ldap_create_krbcontainer(context,
((kparams.DN != NULL) ? &kparams : NULL));
if (status)
goto cleanup;
krbcontainer_obj_created = TRUE;
status = krb5_ldap_read_krbcontainer_params(context,
&(ldap_context->krbcontainer));
if (status) {
krb5_set_error_message(context, status, gettext("while reading kerberos container information"));
goto cleanup;
}
} else if (status) {
krb5_set_error_message(context, status, gettext("while reading kerberos container information"));
goto cleanup;
}
rparams = (krb5_ldap_realm_params *) malloc(sizeof(krb5_ldap_realm_params));
if (rparams == NULL) {
status = ENOMEM;
goto cleanup;
}
memset(rparams, 0, sizeof(*rparams));
rparams->realm_name = strdup(context->default_realm);
if (rparams->realm_name == NULL) {
status = ENOMEM;
goto cleanup;
}
if ((status = krb5_ldap_create_realm(context, rparams, mask))) {
krb5_set_error_message(context, status, gettext("while creating realm object entry"));
goto cleanup;
}
/* We just created the Realm container. Here starts our transaction tracking */
realm_obj_created = TRUE;
/* verify realm object */
if ((status = krb5_ldap_read_realm_params(context,
rparams->realm_name,
&(ldap_context->lrparams),
&mask))) {
krb5_set_error_message(context, status, gettext("while reading realm object entry"));
goto cleanup;
}
#ifdef HAVE_EDIRECTORY
if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
(mask & LDAP_REALM_PASSWDSERVERS)) {
rightsmask =0;
rightsmask |= LDAP_REALM_RIGHTS;
rightsmask |= LDAP_SUBTREE_RIGHTS;
if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
for (i=0; (rparams->kdcservers[i] != NULL); i++) {
if ((status=krb5_ldap_add_service_rights(context,
LDAP_KDC_SERVICE, rparams->kdcservers[i],
rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
goto cleanup;
}
}
}
rightsmask = 0;
rightsmask |= LDAP_REALM_RIGHTS;
rightsmask |= LDAP_SUBTREE_RIGHTS;
if ((rparams != NULL) && (rparams->adminservers != NULL)) {
for (i=0; (rparams->adminservers[i] != NULL); i++) {
if ((status=krb5_ldap_add_service_rights(context,
LDAP_ADMIN_SERVICE, rparams->adminservers[i],
rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
goto cleanup;
}
}
}
rightsmask = 0;
rightsmask |= LDAP_REALM_RIGHTS;
rightsmask |= LDAP_SUBTREE_RIGHTS;
if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
for (i=0; (rparams->passwdservers[i] != NULL); i++) {
if ((status=krb5_ldap_add_service_rights(context,
LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
goto cleanup;
}
}
}
}
#endif
cleanup:
/* If the krbcontainer/realm creation is not complete, do the roll-back here */
if ((krbcontainer_obj_created) && (!realm_obj_created)) {
int rc;
rc = krb5_ldap_delete_krbcontainer(context,
((kparams.DN != NULL) ? &kparams : NULL));
krb5_set_error_message(context, rc,
gettext("could not complete roll-back, error deleting Kerberos Container"));
}
/* should call krb5_ldap_free_krbcontainer_params() but can't */
if (kparams.DN != NULL)
krb5_xfree(kparams.DN);
if (rparams)
krb5_ldap_free_realm_params(rparams);
return(status);
}
OM_uint32
_gss_ntlm_have_cred(OM_uint32 *minor,
const ntlm_name target_name,
ntlm_cred *rcred)
{
krb5_context context;
krb5_error_code ret;
krb5_storage *request, *response;
krb5_data response_data;
OM_uint32 major;
ntlm_name cred;
kcmuuid_t uuid;
ssize_t sret;
ret = krb5_init_context(&context);
if (ret) {
*minor = ret;
return GSS_S_FAILURE;
}
ret = krb5_kcm_storage_request(context, KCM_OP_HAVE_NTLM_CRED, &request);
if (ret)
goto out;
ret = krb5_store_stringz(request, target_name->user);
if (ret)
goto out;
ret = krb5_store_stringz(request, target_name->domain);
if (ret)
goto out;
ret = krb5_kcm_call(context, request, &response, &response_data);
krb5_storage_free(request);
if (ret)
goto out;
sret = krb5_storage_read(response, uuid, sizeof(uuid));
krb5_storage_free(response);
krb5_data_free(&response_data);
if (sret != sizeof(uuid)) {
krb5_clear_error_message(context);
return KRB5_CC_IO;
}
major = _gss_ntlm_duplicate_name(minor, (gss_name_t)target_name,
(gss_name_t *)&cred);
if (major)
return major;
cred->flags |= NTLM_UUID;
memcpy(cred->uuid, uuid, sizeof(cred->uuid));
*rcred = (ntlm_cred)cred;
out:
krb5_free_context(context);
if (ret) {
*minor = ret;
major = GSS_S_FAILURE;
}
return major;
}