DWORD
LwTranslateKrb5Error(
krb5_context ctx,
krb5_error_code krbError,
PCSTR pszFunction,
PCSTR pszFile,
DWORD dwLine
)
{
DWORD dwError = LW_ERROR_SUCCESS;
PCSTR pszKrb5Error = NULL;
unsigned int i = 0;
if (ctx)
{
pszKrb5Error = krb5_get_error_message(ctx, krbError);
}
if (pszKrb5Error)
{
LW_RTL_LOG_WARNING("[%s %s:%d] KRB5 Error code: %d (Message: %s)",
pszFunction,
pszFile,
dwLine,
krbError,
pszKrb5Error);
}
else
{
LW_RTL_LOG_WARNING("[%s %s:%d] KRB5 Error code: %d",
pszFunction,
pszFile,
dwLine,
krbError);
}
switch (krbError)
{
case ENOENT:
dwError = LW_ERROR_KRB5_NO_KEYS_FOUND;
break;
default:
for (i = 0; krb5err_lwerr_map[i].pszKrb5errStr; i++)
{
if (krb5err_lwerr_map[i].krb5err == krbError)
{
dwError = krb5err_lwerr_map[i].lwerr;
break;
}
}
if (!dwError)
{
dwError = LW_ERROR_KRB5_CALL_FAILED;
}
break;
}
if (pszKrb5Error)
{
krb5_free_error_message(ctx, pszKrb5Error);
}
return dwError;
}
VOID
ScheduleWorkItem(
PLW_WORK_THREADS pThreads,
PLW_WORK_ITEM pItem,
LW_SCHEDULE_FLAGS Flags
)
{
size_t i = 0;
if (pThreads == NULL)
{
pThreads = pItem->pThreads;
}
LOCK_THREADS(pThreads);
assert(pThreads->ulStarted > 0);
/* Enqueue work item */
if (Flags & LW_SCHEDULE_HIGH_PRIORITY)
{
RingEnqueueFront(&pThreads->WorkItems, &pItem->Ring);
}
else
{
RingEnqueue(&pThreads->WorkItems, &pItem->Ring);
}
pThreads->ulQueued++;
/*
* If there are more pending work items than there
* are available threads, and not all threads are started,
* try to start another one to handle the additional load
*/
if (pThreads->ulAvailable < pThreads->ulQueued &&
pThreads->ulStarted < pThreads->ulWorkThreadCount)
{
for (i = 0; i < pThreads->ulWorkThreadCount; i++)
{
if (!pThreads->pWorkThreads[i].bStarted)
{
if (StartWorkThread(pThreads, &pThreads->pWorkThreads[i]) != STATUS_SUCCESS)
{
LW_RTL_LOG_WARNING("Could not start work item thread");
/* Signal an existing thread instead */
pthread_cond_signal(&pThreads->Event);
}
break;
}
}
}
else if (pThreads->ulAvailable)
{
/* Signal an existing thread */
pthread_cond_signal(&pThreads->Event);
}
UNLOCK_THREADS(pThreads);
}
DWORD
LwKrb5InitializeUserLoginCredentials(
IN PCSTR pszUserPrincipalName,
IN PCSTR pszPassword,
IN uid_t uid,
IN gid_t gid,
IN LW_KRB5_LOGIN_FLAGS Flags,
IN PCSTR pszServicePrincipal,
IN PCSTR pszServiceRealm,
IN PCSTR pszServicePassword,
OUT PVOID* ppNdrPacInfo,
OUT size_t* pNdrPacInfoSize,
OUT PDWORD pdwGoodUntilTime
)
{
DWORD dwError = 0;
krb5_error_code ret = 0;
krb5_context ctx = NULL;
krb5_ccache cc = NULL;
// Free with krb5_free_cred_contents
krb5_creds credsRequest = {0};
krb5_creds *pTgsCreds = NULL;
krb5_ticket *pTgsTicket = NULL;
krb5_ticket *pDecryptedTgs = NULL;
krb5_auth_context authContext = NULL;
krb5_data apReqPacket = {0};
krb5_keyblock serviceKey = {0};
krb5_data salt = {0};
// Do not free
krb5_data machinePassword = {0};
krb5_flags flags = 0;
krb5_int32 authcon_flags = 0;
BOOLEAN bInLock = FALSE;
PCSTR pszTempCacheName = NULL;
PSTR pszTempCachePath = NULL;
PVOID pNdrPacInfo = NULL;
size_t ndrPacInfoSize = 0;
DWORD dwGoodUntilTime = 0;
ret = krb5_init_context(&ctx);
BAIL_ON_KRB_ERROR(ctx, ret);
/* Generates a new filed based credentials cache in /tmp. The file will
* be owned by root and only accessible by root.
*/
ret = krb5_cc_new_unique(
ctx,
"FILE",
"hint",
&cc);
BAIL_ON_KRB_ERROR(ctx, ret);
if (Flags & LW_KRB5_LOGIN_FLAG_SMART_CARD)
{
dwError = LwKrb5GetTgtWithSmartCard(
pszUserPrincipalName,
pszPassword,
krb5_cc_get_name(ctx, cc),
&dwGoodUntilTime);
}
else
{
dwError = LwKrb5GetTgt(
pszUserPrincipalName,
pszPassword,
krb5_cc_get_name(ctx, cc),
&dwGoodUntilTime);
}
BAIL_ON_LW_ERROR(dwError);
ret = krb5_parse_name(ctx, pszServicePrincipal, &credsRequest.server);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_cc_get_principal(ctx, cc, &credsRequest.client);
BAIL_ON_KRB_ERROR(ctx, ret);
/* Get a TGS for our service using the tgt in the cache */
ret = krb5_get_credentials(
ctx,
0, /*no options (not user to user encryption,
and not only cached) */
cc,
&credsRequest,
&pTgsCreds);
// Don't trust pTgsCreds on an unsuccessful return
// This may be non-zero due to the krb5 libs following referrals
// but has been freed in the krb5 libs themselves and any useful
// tickets have already been cached.
if (ret != 0) {
pTgsCreds = NULL;
}
BAIL_ON_KRB_ERROR(ctx, ret);
//No need to store the tgs in the cc. Kerberos does that automatically
/* Generate an ap_req message, but don't send it anywhere. Just decode it
* immediately. This is the only way to get kerberos to decrypt the tgs
* using public APIs */
ret = krb5_mk_req_extended(
ctx,
&authContext,
0, /* no options necessary */
NULL, /* since this isn't a real ap_req, we don't have any
supplemental data to send with it. */
pTgsCreds,
&apReqPacket);
BAIL_ON_KRB_ERROR(ctx, ret);
/* Decode (but not decrypt) the tgs ticket so that we can figure out
* which encryption type was used in it. */
ret = krb5_decode_ticket(&pTgsCreds->ticket, &pTgsTicket);
/* The TGS ticket is encrypted with the machine password and salted with
* the service principal. pszServicePrincipal could probably be used
* directly, but it's safer to unparse pTgsCreds->server, because the KDC
* sent that to us.
*/
salt.magic = KV5M_DATA;
ret = krb5_unparse_name(
ctx,
pTgsCreds->server,
&salt.data);
BAIL_ON_KRB_ERROR(ctx, ret);
salt.length = strlen(salt.data);
machinePassword.magic = KV5M_DATA;
machinePassword.data = (PSTR)pszServicePassword,
machinePassword.length = strlen(pszServicePassword),
/* Generate a key to decrypt the TGS */
ret = krb5_c_string_to_key(
ctx,
pTgsTicket->enc_part.enctype,
&machinePassword,
&salt,
&serviceKey);
BAIL_ON_KRB_ERROR(ctx, ret);
/* Typically krb5_rd_req would decode the AP_REQ using the keytab, but
* we don't want to depend on the keytab. As a side effect of kerberos'
* user to user authentication support, if a key is explictly set on the
* auth context, that key will be used to decrypt the TGS instead of the
* keytab.
*
* By manually generating the key and setting it, we don't require
* a keytab.
*/
if (authContext != NULL)
{
ret = krb5_auth_con_free(ctx, authContext);
BAIL_ON_KRB_ERROR(ctx, ret);
}
ret = krb5_auth_con_init(ctx, &authContext);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_auth_con_setuseruserkey(
ctx,
authContext,
&serviceKey);
BAIL_ON_KRB_ERROR(ctx, ret);
/* Disable replay detection which is unnecessary and
* can fail when authenticating large numbers of users.
*/
krb5_auth_con_getflags(ctx,
authContext,
&authcon_flags);
krb5_auth_con_setflags(ctx,
authContext,
authcon_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
if (pszServiceRealm)
{
ret = krb5_set_default_realm(ctx, pszServiceRealm);
BAIL_ON_KRB_ERROR(ctx, ret);
}
/* This decrypts the TGS. As a side effect it ensures that the KDC that
* the user's TGT came from is in the same realm that the machine was
* joined to (this prevents users from spoofing the KDC).
*/
ret = krb5_rd_req(
ctx,
&authContext,
&apReqPacket,
pTgsCreds->server,
NULL, /* we're not using the keytab */
&flags,
&pDecryptedTgs);
BAIL_ON_KRB_ERROR(ctx, ret);
dwError = LwKrb5FindPac(
ctx,
pDecryptedTgs,
&serviceKey,
&pNdrPacInfo,
&ndrPacInfoSize);
BAIL_ON_LW_ERROR(dwError);
if (Flags & LW_KRB5_LOGIN_FLAG_UPDATE_CACHE)
{
/* 1. Copy old credentials from the existing user creds cache to
* the temporary cache.
* 2. Delete the existing creds cache.
* 3. Move the temporary cache file into the final path.
*/
dwError = pthread_mutex_lock(&gLwKrb5State.UserCacheMutex);
BAIL_ON_LW_ERROR(dwError);
bInLock = TRUE;
dwError = LwKrb5CopyFromUserCache(
ctx,
cc,
uid
);
BAIL_ON_LW_ERROR(dwError);
pszTempCacheName = krb5_cc_get_name(ctx, cc);
if (!strncasecmp(pszTempCacheName, "FILE:", sizeof("FILE:")-1)) {
pszTempCacheName += sizeof("FILE:") - 1;
}
dwError = LwAllocateString(pszTempCacheName, &pszTempCachePath);
BAIL_ON_LW_ERROR(dwError);
krb5_cc_close(ctx, cc);
// Just to make sure no one accesses this now invalid pointer
cc = NULL;
dwError = LwKrb5MoveCCacheToUserPath(
ctx,
pszTempCachePath,
uid,
gid);
if (dwError != LW_ERROR_SUCCESS)
{
/* Let the user login, even if we couldn't create the ccache for
* them. Possible causes are:
* 1. /tmp is readonly
* 2. Another user maliciously setup a weird file (such as a
* directory) where the ccache would go.
* 3. Someone created a ccache in the small window after we delete
* the old one and before we move in the new one.
*/
LW_RTL_LOG_WARNING("Unable to set up credentials cache with tgt for uid %ld", (long)uid);
dwError = LwRemoveFile(pszTempCachePath);
BAIL_ON_LW_ERROR(dwError);
}
}
error:
if (dwError)
{
LW_SAFE_FREE_MEMORY(pNdrPacInfo);
ndrPacInfoSize = 0;
dwGoodUntilTime = 0;
}
if (ctx)
{
// This function skips fields which are NULL
krb5_free_cred_contents(ctx, &credsRequest);
if (pTgsCreds != NULL)
{
krb5_free_creds(ctx, pTgsCreds);
}
if (pTgsTicket != NULL)
{
krb5_free_ticket(ctx, pTgsTicket);
}
if (pDecryptedTgs != NULL)
{
krb5_free_ticket(ctx, pDecryptedTgs);
}
if (authContext != NULL)
{
krb5_auth_con_free(ctx, authContext);
}
krb5_free_data_contents(ctx, &apReqPacket);
krb5_free_data_contents(ctx, &salt);
krb5_free_keyblock_contents(ctx, &serviceKey);
if (cc != NULL)
{
krb5_cc_destroy(ctx, cc);
}
krb5_free_context(ctx);
}
if (bInLock)
{
pthread_mutex_unlock(&gLwKrb5State.UserCacheMutex);
}
LW_SAFE_FREE_STRING(pszTempCachePath);
*ppNdrPacInfo = pNdrPacInfo;
*pNdrPacInfoSize = ndrPacInfoSize;
*pdwGoodUntilTime = dwGoodUntilTime;
return dwError;
}
