/* Decode error_packet as a KRB-ERROR message and retrieve its e-data into
* *edata_out. */
static krb5_error_code
get_error_edata(krb5_context context, const krb5_data *error_packet,
krb5_data **edata_out)
{
krb5_error_code ret;
krb5_error *krberror = NULL;
*edata_out = NULL;
ret = krb5_rd_error(context, error_packet, &krberror);
if (ret)
return ret;
if (krberror->e_data.data == NULL) {
/* Return a krb5 error code based on the error number. */
ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code)krberror->error;
goto cleanup;
}
ret = krb5_copy_data(context, &krberror->e_data, edata_out);
cleanup:
krb5_free_error(context, krberror);
return ret;
}
void smb_krb5_free_error(krb5_context context, krb5_error *krberror)
{
#ifdef HAVE_KRB5_FREE_ERROR_CONTENTS /* Heimdal */
krb5_free_error_contents(context, krberror);
#else /* MIT */
krb5_free_error(context, krberror);
#endif
}
static void
kerberos_authenticate(krb5_context context, krb5_auth_context *auth_context,
int fd, krb5_principal me, krb5_creds **new_creds)
{
krb5_error_code retval;
krb5_error *error = NULL;
krb5_ap_rep_enc_part *rep_result;
retval = krb5_auth_con_init(context, auth_context);
if (retval)
exit(1);
krb5_auth_con_setflags(context, *auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
retval = krb5_auth_con_setaddrs(context, *auth_context, sender_addr,
receiver_addr);
if (retval) {
com_err(progname, retval, _("in krb5_auth_con_setaddrs"));
exit(1);
}
retval = krb5_sendauth(context, auth_context, &fd, kprop_version,
me, creds.server, AP_OPTS_MUTUAL_REQUIRED, NULL,
&creds, NULL, &error, &rep_result, new_creds);
if (retval) {
com_err(progname, retval, _("while authenticating to server"));
if (error != NULL) {
if (error->error == KRB_ERR_GENERIC) {
if (error->text.data) {
fprintf(stderr, _("Generic remote error: %s\n"),
error->text.data);
}
} else if (error->error) {
com_err(progname,
(krb5_error_code)error->error + ERROR_TABLE_BASE_krb5,
_("signalled from server"));
if (error->text.data) {
fprintf(stderr, _("Error text from server: %s\n"),
error->text.data);
}
}
krb5_free_error(context, error);
}
exit(1);
}
krb5_free_ap_rep_enc_part(context, rep_result);
}
static int
check_for_svc_unavailable (krb5_context context,
const krb5_data *reply,
void *msg_handler_data)
{
krb5_error_code *retval = (krb5_error_code *)msg_handler_data;
*retval = 0;
if (krb5_is_krb_error(reply)) {
krb5_error *err_reply;
if (decode_krb5_error(reply, &err_reply) == 0) {
*retval = err_reply->error;
krb5_free_error(context, err_reply);
/* Returning 0 means continue to next KDC */
return (*retval != KDC_ERR_SVC_UNAVAILABLE);
}
}
return 1;
}
/*
* If state contains an armor key and *err_replyptr contains a FAST error,
* decode it and set *err_replyptr to the inner error and *out_padata to the
* padata in the FAST response. Otherwise, leave *err_replyptr alone and set
* *out_padata to the error e_data decoded as pa-data or typed-data, or to NULL
* if it doesn't decode as either. In either case, set *retry to indicate
* whether the client should try to make a follow-up request.
*/
krb5_error_code
krb5int_fast_process_error(krb5_context context,
struct krb5int_fast_request_state *state,
krb5_error **err_replyptr,
krb5_pa_data ***out_padata,
krb5_boolean *retry)
{
krb5_error_code retval = 0;
krb5_error *err_reply = *err_replyptr;
krb5_pa_data *fx_error_pa;
krb5_pa_data **result = NULL;
krb5_data scratch = empty_data();
krb5_error *fx_error = NULL;
krb5_fast_response *fast_response = NULL;
if (out_padata)
*out_padata = NULL;
if (retry)
*retry = 0;
if (state->armor_key) {
retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
if (retval == 0)
retval = decrypt_fast_reply(context, state, result,
&fast_response);
if (retval) {
/*
* This can happen if the KDC does not understand FAST. We don't
* expect that, but treating it as the fatal error indicated by the
* KDC seems reasonable.
*/
if (retry != NULL)
*retry = 0;
krb5_free_pa_data(context, result);
return 0;
}
if (retval == 0) {
fx_error_pa = krb5int_find_pa_data(context, fast_response->padata,
KRB5_PADATA_FX_ERROR);
if (fx_error_pa == NULL) {
k5_setmsg(context, KRB5KDC_ERR_PREAUTH_FAILED,
_("Expecting FX_ERROR pa-data inside FAST "
"container"));
retval = KRB5KDC_ERR_PREAUTH_FAILED;
}
}
if (retval == 0) {
scratch = make_data(fx_error_pa->contents, fx_error_pa->length);
retval = decode_krb5_error(&scratch, &fx_error);
}
if (retval == 0) {
krb5_free_error(context, err_reply);
*err_replyptr = fx_error;
fx_error = NULL;
if (out_padata) {
*out_padata = fast_response->padata;
fast_response->padata = NULL;
}
/*
* If there is more than the fx_error padata, then we want
* to retry the error if a cookie is present
*/
if (retry != NULL) {
*retry = (*out_padata)[1] != NULL;
if (krb5int_find_pa_data(context, *out_padata,
KRB5_PADATA_FX_COOKIE) == NULL)
*retry = 0;
}
}
} else { /*not FAST*/
/* Possibly retry if there's any e_data to process. */
if (retry)
*retry = (err_reply->e_data.length > 0);
/* Try to decode e_data as pa-data or typed-data for out_padata. */
if (out_padata) {
retval = decode_krb5_padata_sequence(&err_reply->e_data,
out_padata);
if (retval != 0) {
(void)decode_krb5_typed_data(&err_reply->e_data, out_padata);
retval = 0;
}
}
}
krb5_free_pa_data(context, result);
krb5_free_fast_response(context, fast_response);
if (fx_error)
krb5_free_error(context, fx_error);
return retval;
}
/*
* Function: socket_connection
*
* Purpose: Opens the network connection with the mail host, without
* doing any sort of I/O with it or anything.
*
* Arguments:
* host The host to which to connect.
* flags Option flags.
*
* Return value: A file descriptor indicating the connection, or -1
* indicating failure, in which case an error has been copied
* into pop_error.
*/
static int
socket_connection (char *host, int flags)
{
struct addrinfo *res, *it;
struct addrinfo hints;
int ret;
struct servent *servent;
struct sockaddr_in addr;
char found_port = 0;
const char *service;
int sock;
char *realhost;
#ifdef KERBEROS
#ifdef KERBEROS5
krb5_error_code rem;
krb5_context kcontext = 0;
krb5_auth_context auth_context = 0;
krb5_ccache ccdef;
krb5_principal client, server;
krb5_error *err_ret;
register char *cp;
#else
KTEXT ticket;
MSG_DAT msg_data;
CREDENTIALS cred;
Key_schedule schedule;
int rem;
#endif /* KERBEROS5 */
#endif /* KERBEROS */
int try_count = 0;
int connect_ok;
#ifdef WINDOWSNT
{
WSADATA winsockData;
if (WSAStartup (0x101, &winsockData) == 0)
have_winsock = 1;
}
#endif
memset (&addr, 0, sizeof (addr));
addr.sin_family = AF_INET;
/** "kpop" service is never used: look for 20060515 to see why **/
#ifdef KERBEROS
service = (flags & POP_NO_KERBEROS) ? POP_SERVICE : KPOP_SERVICE;
#else
service = POP_SERVICE;
#endif
#ifdef HESIOD
if (! (flags & POP_NO_HESIOD))
{
servent = hes_getservbyname (service, "tcp");
if (servent)
{
addr.sin_port = servent->s_port;
found_port = 1;
}
}
#endif
if (! found_port)
{
servent = getservbyname (service, "tcp");
if (servent)
{
addr.sin_port = servent->s_port;
}
else
{
/** "kpop" service is never used: look for 20060515 to see why **/
#ifdef KERBEROS
addr.sin_port = htons ((flags & POP_NO_KERBEROS) ?
POP_PORT : KPOP_PORT);
#else
addr.sin_port = htons (POP_PORT);
#endif
}
}
#define POP_SOCKET_ERROR "Could not create socket for POP connection: "
sock = socket (PF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
snprintf (pop_error, ERROR_MAX, "%s%s",
POP_SOCKET_ERROR, strerror (errno));
return (-1);
}
memset (&hints, 0, sizeof (hints));
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_CANONNAME;
hints.ai_family = AF_INET;
do
{
ret = getaddrinfo (host, service, &hints, &res);
try_count++;
if (ret != 0 && (ret != EAI_AGAIN || try_count == 5))
{
strcpy (pop_error, "Could not determine POP server's address");
return (-1);
}
} while (ret != 0);
for (it = res; it; it = it->ai_next)
if (it->ai_addrlen == sizeof addr)
{
struct sockaddr_in *in_a = (struct sockaddr_in *) it->ai_addr;
addr.sin_addr = in_a->sin_addr;
if (! connect (sock, (struct sockaddr *) &addr, sizeof addr))
break;
}
connect_ok = it != NULL;
if (connect_ok)
{
realhost = alloca (strlen (it->ai_canonname) + 1);
strcpy (realhost, it->ai_canonname);
}
freeaddrinfo (res);
#define CONNECT_ERROR "Could not connect to POP server: "
if (! connect_ok)
{
CLOSESOCKET (sock);
snprintf (pop_error, ERROR_MAX, "%s%s", CONNECT_ERROR, strerror (errno));
return (-1);
}
#ifdef KERBEROS
#define KRB_ERROR "Kerberos error connecting to POP server: "
if (! (flags & POP_NO_KERBEROS))
{
#ifdef KERBEROS5
rem = krb5_init_context (&kcontext);
if (rem)
{
krb5error:
if (auth_context)
krb5_auth_con_free (kcontext, auth_context);
if (kcontext)
krb5_free_context (kcontext);
snprintf (pop_error, ERROR_MAX, "%s%s",
KRB_ERROR, error_message (rem));
CLOSESOCKET (sock);
return (-1);
}
rem = krb5_auth_con_init (kcontext, &auth_context);
if (rem)
goto krb5error;
rem = krb5_cc_default (kcontext, &ccdef);
if (rem)
goto krb5error;
rem = krb5_cc_get_principal (kcontext, ccdef, &client);
if (rem)
goto krb5error;
for (cp = realhost; *cp; cp++)
*cp = c_tolower (*cp);
rem = krb5_sname_to_principal (kcontext, realhost,
POP_SERVICE, FALSE, &server);
if (rem)
goto krb5error;
rem = krb5_sendauth (kcontext, &auth_context,
(krb5_pointer) &sock, (char *) "KPOPV1.0",
client, server,
AP_OPTS_MUTUAL_REQUIRED,
0, /* no checksum */
0, /* no creds, use ccache instead */
ccdef,
&err_ret,
0, /* don't need subsession key */
0); /* don't need reply */
krb5_free_principal (kcontext, server);
if (rem)
{
int pop_error_len = snprintf (pop_error, ERROR_MAX, "%s%s",
KRB_ERROR, error_message (rem));
#if defined HAVE_KRB5_ERROR_TEXT
if (err_ret && err_ret->text.length)
{
int errlen = err_ret->text.length;
snprintf (pop_error + pop_error_len, ERROR_MAX - pop_error_len,
" [server says '%.*s']", errlen, err_ret->text.data);
}
#elif defined HAVE_KRB5_ERROR_E_TEXT
if (err_ret && err_ret->e_text && **err_ret->e_text)
snprintf (pop_error + pop_error_len, ERROR_MAX - pop_error_len,
" [server says '%s']", *err_ret->e_text);
#endif
if (err_ret)
krb5_free_error (kcontext, err_ret);
krb5_auth_con_free (kcontext, auth_context);
krb5_free_context (kcontext);
CLOSESOCKET (sock);
return (-1);
}
#else /* ! KERBEROS5 */
ticket = (KTEXT) malloc (sizeof (KTEXT_ST));
rem = krb_sendauth (0L, sock, ticket, "pop", realhost,
(char *) krb_realmofhost (realhost),
(unsigned long) 0, &msg_data, &cred, schedule,
(struct sockaddr_in *) 0,
(struct sockaddr_in *) 0,
"KPOPV0.1");
free ((char *) ticket);
if (rem != KSUCCESS)
{
snprintf (pop_error, ERROR_MAX, "%s%s", KRB_ERROR, krb_err_txt[rem]);
CLOSESOCKET (sock);
return (-1);
}
#endif /* KERBEROS5 */
}
#endif /* KERBEROS */
return (sock);
} /* socket_connection */
/*
* FAST separates two concepts: the set of padata we're using to
* decide what pre-auth mechanisms to use and the set of padata we're
* making available to mechanisms in order for them to respond to an
* error. The plugin interface in March 2009 does not permit
* separating these concepts for the plugins. This function makes
* both available for future revisions to the plugin interface. It
* also re-encodes the padata from the current error as a encoded
* typed-data and puts that in the e_data field. That will allow
* existing plugins with the old interface to find the error data.
* The output parameter out_padata contains the padata from the error
* whenever padata is available (all the time with fast).
*/
krb5_error_code
krb5int_fast_process_error(krb5_context context,
struct krb5int_fast_request_state *state,
krb5_error **err_replyptr,
krb5_pa_data ***out_padata,
krb5_boolean *retry)
{
krb5_error_code retval = 0;
krb5_error *err_reply = *err_replyptr;
*out_padata = NULL;
*retry = 0;
if (state->armor_key) {
krb5_pa_data *fx_error_pa;
krb5_pa_data **result = NULL;
krb5_data scratch, *encoded_td = NULL;
krb5_error *fx_error = NULL;
krb5_fast_response *fast_response = NULL;
retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
if (retval == 0)
retval = decrypt_fast_reply(context, state, result,
&fast_response);
if (retval) {
/*
* This can happen if the KDC does not understand FAST. We don't
* expect that, but treating it as the fatal error indicated by the
* KDC seems reasonable.
*/
*retry = 0;
krb5_free_pa_data(context, result);
return 0;
}
krb5_free_pa_data(context, result);
result = NULL;
if (retval == 0) {
fx_error_pa = krb5int_find_pa_data(context, fast_response->padata,
KRB5_PADATA_FX_ERROR);
if (fx_error_pa == NULL) {
krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
"Expecting FX_ERROR pa-data inside "
"FAST container");
retval = KRB5KDC_ERR_PREAUTH_FAILED;
}
}
if (retval == 0) {
scratch.data = (char *) fx_error_pa->contents;
scratch.length = fx_error_pa->length;
retval = decode_krb5_error(&scratch, &fx_error);
}
/*
* krb5_pa_data and krb5_typed_data are safe to cast between:
* they have the same type fields in the same order.
* (krb5_preauthtype is a krb5_int32). If krb5_typed_data is
* ever changed then this will need to be a copy not a cast.
*/
if (retval == 0)
retval = encode_krb5_typed_data((const krb5_typed_data **)
fast_response->padata,
&encoded_td);
if (retval == 0) {
fx_error->e_data = *encoded_td;
free(encoded_td); /*contents owned by fx_error*/
encoded_td = NULL;
krb5_free_error(context, err_reply);
*err_replyptr = fx_error;
fx_error = NULL;
*out_padata = fast_response->padata;
fast_response->padata = NULL;
/*
* If there is more than the fx_error padata, then we want
* to retry the error if a cookie is present
*/
*retry = (*out_padata)[1] != NULL;
if (krb5int_find_pa_data(context, *out_padata,
KRB5_PADATA_FX_COOKIE) == NULL)
*retry = 0;
}
if (fx_error)
krb5_free_error(context, fx_error);
krb5_free_fast_response(context, fast_response);
} else { /*not FAST*/
*retry = (err_reply->e_data.length > 0);
if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||
err_reply->error == KDC_ERR_PREAUTH_FAILED) &&
err_reply->e_data.length) {
krb5_pa_data **result = NULL;
retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
if (retval == 0) {
*out_padata = result;
return 0;
}
krb5_free_pa_data(context, result);
krb5_set_error_message(context, retval,
"Error decoding padata in error reply");
return retval;
}
}
return retval;
}
/*
* Solaris Kerberos
* Same as krb5_send_tgs plus an extra arg to return the FQDN
* of the KDC sent the request.
*/
krb5_error_code
krb5_send_tgs2(krb5_context context, krb5_flags kdcoptions,
const krb5_ticket_times *timestruct, const krb5_enctype *ktypes,
krb5_const_principal sname, krb5_address *const *addrs,
krb5_authdata *const *authorization_data,
krb5_pa_data *const *padata, const krb5_data *second_ticket,
krb5_creds *in_cred, krb5_response *rep, char **hostname_used)
{
krb5_error_code retval;
krb5_kdc_req tgsreq;
krb5_data *scratch, scratch2;
krb5_ticket *sec_ticket = 0;
krb5_ticket *sec_ticket_arr[2];
krb5_timestamp time_now;
krb5_pa_data **combined_padata;
krb5_pa_data ap_req_padata;
int tcp_only = 0, use_master;
/*
* in_creds MUST be a valid credential NOT just a partially filled in
* place holder for us to get credentials for the caller.
*/
if (!in_cred->ticket.length)
return(KRB5_NO_TKT_SUPPLIED);
memset((char *)&tgsreq, 0, sizeof(tgsreq));
tgsreq.kdc_options = kdcoptions;
tgsreq.server = (krb5_principal) sname;
tgsreq.from = timestruct->starttime;
tgsreq.till = timestruct->endtime ? timestruct->endtime :
in_cred->times.endtime;
tgsreq.rtime = timestruct->renew_till;
if ((retval = krb5_timeofday(context, &time_now)))
return(retval);
/* XXX we know they are the same size... */
rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now;
rep->request_time = time_now;
tgsreq.addresses = (krb5_address **) addrs;
if (authorization_data) {
/* need to encrypt it in the request */
if ((retval = encode_krb5_authdata(authorization_data,
&scratch)))
return(retval);
if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY,
scratch,
&tgsreq.authorization_data))) {
krb5_xfree(tgsreq.authorization_data.ciphertext.data);
krb5_free_data(context, scratch);
return retval;
}
krb5_free_data(context, scratch);
}
/* Get the encryption types list */
if (ktypes) {
/* Check passed ktypes and make sure they're valid. */
for (tgsreq.nktypes = 0; ktypes[tgsreq.nktypes]; tgsreq.nktypes++) {
if (!krb5_c_valid_enctype(ktypes[tgsreq.nktypes]))
return KRB5_PROG_ETYPE_NOSUPP;
}
tgsreq.ktype = (krb5_enctype *)ktypes;
} else {
/* Get the default ktypes */
/* Solaris Kerberos */
if ((retval = krb5_get_tgs_ktypes(context, sname, &(tgsreq.ktype))))
goto send_tgs_error_2;
for(tgsreq.nktypes = 0; tgsreq.ktype[tgsreq.nktypes]; tgsreq.nktypes++);
}
if (second_ticket) {
if ((retval = decode_krb5_ticket(second_ticket, &sec_ticket)))
goto send_tgs_error_1;
sec_ticket_arr[0] = sec_ticket;
sec_ticket_arr[1] = 0;
tgsreq.second_ticket = sec_ticket_arr;
} else
tgsreq.second_ticket = 0;
/* encode the body; then checksum it */
if ((retval = encode_krb5_kdc_req_body(&tgsreq, &scratch)))
goto send_tgs_error_2;
/*
* Get an ap_req.
*/
if ((retval = krb5_send_tgs_basic(context, scratch, in_cred, &scratch2))) {
krb5_free_data(context, scratch);
goto send_tgs_error_2;
}
krb5_free_data(context, scratch);
ap_req_padata.pa_type = KRB5_PADATA_AP_REQ;
ap_req_padata.length = scratch2.length;
ap_req_padata.contents = (krb5_octet *)scratch2.data;
/* combine in any other supplied padata */
if (padata) {
krb5_pa_data * const * counter;
register unsigned int i = 0;
for (counter = padata; *counter; counter++, i++);
combined_padata = malloc((i+2) * sizeof(*combined_padata));
if (!combined_padata) {
krb5_xfree(ap_req_padata.contents);
retval = ENOMEM;
goto send_tgs_error_2;
}
combined_padata[0] = &ap_req_padata;
for (i = 1, counter = padata; *counter; counter++, i++)
combined_padata[i] = (krb5_pa_data *) *counter;
combined_padata[i] = 0;
} else {
combined_padata = (krb5_pa_data **)malloc(2*sizeof(*combined_padata));
if (!combined_padata) {
krb5_xfree(ap_req_padata.contents);
retval = ENOMEM;
goto send_tgs_error_2;
}
combined_padata[0] = &ap_req_padata;
combined_padata[1] = 0;
}
tgsreq.padata = combined_padata;
/* the TGS_REQ is assembled in tgsreq, so encode it */
if ((retval = encode_krb5_tgs_req(&tgsreq, &scratch))) {
krb5_xfree(ap_req_padata.contents);
krb5_xfree(combined_padata);
goto send_tgs_error_2;
}
krb5_xfree(ap_req_padata.contents);
krb5_xfree(combined_padata);
/* now send request & get response from KDC */
send_again:
use_master = 0;
retval = krb5_sendto_kdc2(context, scratch,
krb5_princ_realm(context, sname),
&rep->response, &use_master, tcp_only,
hostname_used);
if (retval == 0) {
if (krb5_is_krb_error(&rep->response)) {
if (!tcp_only) {
krb5_error *err_reply;
retval = decode_krb5_error(&rep->response, &err_reply);
/* Solaris Kerberos */
if (retval == 0) {
if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
tcp_only = 1;
krb5_free_error(context, err_reply);
free(rep->response.data);
rep->response.data = 0;
goto send_again;
}
krb5_free_error(context, err_reply);
}
}
} else if (krb5_is_tgs_rep(&rep->response))
rep->message_type = KRB5_TGS_REP;
else /* XXX: assume it's an error */
rep->message_type = KRB5_ERROR;
}
krb5_free_data(context, scratch);
send_tgs_error_2:;
if (sec_ticket)
krb5_free_ticket(context, sec_ticket);
send_tgs_error_1:;
if (ktypes == NULL)
krb5_xfree(tgsreq.ktype);
if (tgsreq.authorization_data.ciphertext.data) {
memset(tgsreq.authorization_data.ciphertext.data, 0,
tgsreq.authorization_data.ciphertext.length);
krb5_xfree(tgsreq.authorization_data.ciphertext.data);
}
return retval;
}
krb5_error_code
krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5_data *packet,
int *result_code, krb5_data *result_data )
{
char *ptr;
unsigned int message_length, version_number;
krb5_data ap_rep;
krb5_ap_rep_enc_part *ap_rep_enc;
krb5_error_code ret;
krb5_data cipherresult;
krb5_data clearresult;
krb5_keyblock *tmpkey;
/*
** validate the packet length -
*/
if (packet->length < 4)
return(KRB5KRB_AP_ERR_MODIFIED);
ptr = packet->data;
/*
** see if it is an error
*/
if (krb5_is_krb_error(packet)) {
krb5_error *krberror;
if ((ret = krb5_rd_error(context, packet, &krberror)))
return(ret);
if (krberror->e_data.data == NULL) {
ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
krb5_free_error(context, krberror);
return (ret);
}
clearresult = krberror->e_data;
krberror->e_data.data = NULL; /*So we can free it later*/
krberror->e_data.length = 0;
krb5_free_error(context, krberror);
} else { /* Not an error*/
/*
** validate the message length -
** length is big endian
*/
message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
ptr += 2;
/*
** make sure the message length and packet length agree -
*/
if (message_length != packet->length)
return(KRB5KRB_AP_ERR_MODIFIED);
/*
** get the version number -
*/
version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
ptr += 2;
/*
** make sure we support the version returned -
*/
/*
** set password version is 0xff80, change password version is 1
*/
if (version_number != 1 && version_number != 0xff80)
return(KRB5KDC_ERR_BAD_PVNO);
/*
** now fill in ap_rep with the reply -
*/
/*
** get the reply length -
*/
ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
ptr += 2;
/*
** validate ap_rep length agrees with the packet length -
*/
if (ptr + ap_rep.length >= packet->data + packet->length)
return(KRB5KRB_AP_ERR_MODIFIED);
/*
** if data was returned, set the ap_rep ptr -
*/
if( ap_rep.length ) {
ap_rep.data = ptr;
ptr += ap_rep.length;
/*
* Save send_subkey to later smash recv_subkey.
*/
ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
if (ret)
return ret;
ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
if (ret) {
krb5_free_keyblock(context, tmpkey);
return(ret);
}
krb5_free_ap_rep_enc_part(context, ap_rep_enc);
/*
** now decrypt the result -
*/
cipherresult.data = ptr;
cipherresult.length = (packet->data + packet->length) - ptr;
/*
* Smash recv_subkey to be send_subkey, per spec.
*/
ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
krb5_free_keyblock(context, tmpkey);
if (ret)
return ret;
ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
NULL);
if (ret)
return(ret);
} /*We got an ap_rep*/
else
return (KRB5KRB_AP_ERR_MODIFIED);
} /*Response instead of error*/
/*
** validate the cleartext length
*/
if (clearresult.length < 2) {
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
/*
** now decode the result -
*/
ptr = clearresult.data;
*result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
ptr += 2;
/*
** result code 5 is access denied
*/
if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5))
{
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
/*
** all success replies should be authenticated/encrypted
*/
if( (ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS) )
{
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
if (result_data) {
result_data->length = (clearresult.data + clearresult.length) - ptr;
if (result_data->length)
{
result_data->data = (char *) malloc(result_data->length);
if (result_data->data)
memcpy(result_data->data, ptr, result_data->length);
}
else
result_data->data = NULL;
}
ret = 0;
cleanup:
krb5_free_data_contents(context, &clearresult);
return(ret);
}
krb5_error_code
krb5_get_cred_via_tkt_ext(krb5_context context, krb5_creds *tkt,
krb5_flags kdcoptions, krb5_address *const *address,
krb5_pa_data **in_padata, krb5_creds *in_cred,
k5_pacb_fn pacb_fn, void *pacb_data,
krb5_pa_data ***out_padata,
krb5_pa_data ***out_enc_padata,
krb5_creds **out_cred, krb5_keyblock **out_subkey)
{
krb5_error_code retval;
krb5_data request_data;
krb5_data response_data;
krb5_timestamp timestamp;
krb5_int32 nonce;
krb5_keyblock *subkey = NULL;
int tcp_only = 0, use_master = 0;
struct krb5int_fast_request_state *fast_state = NULL;
request_data.data = NULL;
request_data.length = 0;
response_data.data = NULL;
response_data.length = 0;
retval = krb5int_fast_make_state(context, &fast_state);
if (retval)
goto cleanup;
TRACE_GET_CRED_VIA_TKT_EXT(context, in_cred->server, tkt->server,
kdcoptions);
retval = k5_make_tgs_req(context, fast_state, tkt, kdcoptions, address,
in_padata, in_cred, pacb_fn, pacb_data,
&request_data, ×tamp, &nonce, &subkey);
if (retval != 0)
goto cleanup;
send_again:
use_master = 0;
retval = krb5_sendto_kdc(context, &request_data, &in_cred->server->realm,
&response_data, &use_master, tcp_only);
if (retval == 0) {
if (krb5_is_krb_error(&response_data)) {
if (!tcp_only) {
krb5_error *err_reply;
retval = decode_krb5_error(&response_data, &err_reply);
if (retval != 0)
goto cleanup;
retval = krb5int_fast_process_error(context, fast_state,
&err_reply, NULL, NULL);
if (retval)
goto cleanup;
if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
tcp_only = 1;
krb5_free_error(context, err_reply);
krb5_free_data_contents(context, &response_data);
goto send_again;
}
krb5_free_error(context, err_reply);
}
}
} else
goto cleanup;
retval = krb5int_process_tgs_reply(context, fast_state, &response_data,
tkt, kdcoptions, address,
in_padata, in_cred,
timestamp, nonce, subkey,
out_padata,
out_enc_padata, out_cred);
if (retval != 0)
goto cleanup;
cleanup:
krb5int_fast_free_state(context, fast_state);
TRACE_GET_CRED_VIA_TKT_EXT_RETURN(context, retval);
krb5_free_data_contents(context, &request_data);
krb5_free_data_contents(context, &response_data);
if (subkey != NULL) {
if (retval == 0 && out_subkey != NULL)
*out_subkey = subkey;
else
krb5_free_keyblock(context, subkey);
}
return retval;
}
krb5_error_code
krb5int_process_tgs_reply(krb5_context context,
struct krb5int_fast_request_state *fast_state,
krb5_data *response_data,
krb5_creds *tkt,
krb5_flags kdcoptions,
krb5_address *const *address,
krb5_pa_data **in_padata,
krb5_creds *in_cred,
krb5_timestamp timestamp,
krb5_int32 nonce,
krb5_keyblock *subkey,
krb5_pa_data ***out_padata,
krb5_pa_data ***out_enc_padata,
krb5_creds **out_cred)
{
krb5_error_code retval;
krb5_kdc_rep *dec_rep = NULL;
krb5_error *err_reply = NULL;
krb5_boolean s4u2self;
s4u2self = krb5int_find_pa_data(context, in_padata,
KRB5_PADATA_S4U_X509_USER) ||
krb5int_find_pa_data(context, in_padata,
KRB5_PADATA_FOR_USER);
if (krb5_is_krb_error(response_data)) {
retval = decode_krb5_error(response_data, &err_reply);
if (retval != 0)
goto cleanup;
retval = krb5int_fast_process_error(context, fast_state,
&err_reply, NULL, NULL);
if (retval)
goto cleanup;
retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5;
if (err_reply->text.length > 0) {
switch (err_reply->error) {
case KRB_ERR_GENERIC:
k5_setmsg(context, retval,
_("KDC returned error string: %.*s"),
err_reply->text.length, err_reply->text.data);
break;
case KDC_ERR_S_PRINCIPAL_UNKNOWN:
{
char *s_name;
if (err_reply->server &&
krb5_unparse_name(context, err_reply->server, &s_name) == 0) {
k5_setmsg(context, retval,
_("Server %s not found in Kerberos database"),
s_name);
krb5_free_unparsed_name(context, s_name);
} else
/* In case there's a stale S_PRINCIPAL_UNKNOWN
report already noted. */
krb5_clear_error_message(context);
}
break;
}
}
krb5_free_error(context, err_reply);
goto cleanup;
} else if (!krb5_is_tgs_rep(response_data)) {
retval = KRB5KRB_AP_ERR_MSG_TYPE;
goto cleanup;
}
/* Unfortunately, Heimdal at least up through 1.2 encrypts using
the session key not the subsession key. So we try both. */
retval = krb5int_decode_tgs_rep(context, fast_state, response_data, subkey,
KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY,
&dec_rep);
if (retval) {
TRACE_TGS_REPLY_DECODE_SESSION(context, &tkt->keyblock);
if ((krb5int_decode_tgs_rep(context, fast_state, response_data,
&tkt->keyblock,
KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
retval = 0;
else
goto cleanup;
}
if (dec_rep->msg_type != KRB5_TGS_REP) {
retval = KRB5KRB_AP_ERR_MSG_TYPE;
goto cleanup;
}
/*
* Don't trust the ok-as-delegate flag from foreign KDCs unless the
* cross-realm TGT also had the ok-as-delegate flag set.
*/
if (!tgt_is_local_realm(tkt)
&& !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE;
/* make sure the response hasn't been tampered with..... */
retval = 0;
if (s4u2self && !IS_TGS_PRINC(dec_rep->ticket->server)) {
/* Final hop, check whether KDC supports S4U2Self */
if (krb5_principal_compare(context, dec_rep->client, in_cred->server))
retval = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
} else if ((kdcoptions & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
/* XXX for constrained delegation this check must be performed by caller
* as we don't have access to the key to decrypt the evidence ticket.
*/
if (!krb5_principal_compare(context, dec_rep->client, tkt->client))
retval = KRB5_KDCREP_MODIFIED;
}
if (retval == 0)
retval = check_reply_server(context, kdcoptions, in_cred, dec_rep);
if (dec_rep->enc_part2->nonce != nonce)
retval = KRB5_KDCREP_MODIFIED;
if ((kdcoptions & KDC_OPT_POSTDATED) &&
(in_cred->times.starttime != 0) &&
(in_cred->times.starttime != dec_rep->enc_part2->times.starttime))
retval = KRB5_KDCREP_MODIFIED;
if ((in_cred->times.endtime != 0) &&
(dec_rep->enc_part2->times.endtime > in_cred->times.endtime))
retval = KRB5_KDCREP_MODIFIED;
if ((kdcoptions & KDC_OPT_RENEWABLE) &&
(in_cred->times.renew_till != 0) &&
(dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till))
retval = KRB5_KDCREP_MODIFIED;
if ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
(dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
(in_cred->times.endtime != 0) &&
(dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
retval = KRB5_KDCREP_MODIFIED;
if (retval != 0)
goto cleanup;
if (!in_cred->times.starttime &&
!in_clock_skew(dec_rep->enc_part2->times.starttime,
timestamp)) {
retval = KRB5_KDCREP_SKEW;
goto cleanup;
}
if (out_padata != NULL) {
*out_padata = dec_rep->padata;
dec_rep->padata = NULL;
}
if (out_enc_padata != NULL) {
*out_enc_padata = dec_rep->enc_part2->enc_padata;
dec_rep->enc_part2->enc_padata = NULL;
}
retval = kdcrep2creds(context, dec_rep, address,
&in_cred->second_ticket, out_cred);
if (retval != 0)
goto cleanup;
cleanup:
if (dec_rep != NULL) {
memset(dec_rep->enc_part2->session->contents, 0,
dec_rep->enc_part2->session->length);
krb5_free_kdc_rep(context, dec_rep);
}
return retval;
}
krb5_error_code
krb5_get_cred_via_tkt_ext(krb5_context context, krb5_creds *tkt,
krb5_flags kdcoptions, krb5_address *const *address,
krb5_pa_data **in_padata,
krb5_creds *in_cred,
krb5_error_code (*pacb_fct)(krb5_context,
krb5_keyblock *,
krb5_kdc_req *,
void *),
void *pacb_data,
krb5_pa_data ***out_padata,
krb5_pa_data ***out_enc_padata,
krb5_creds **out_cred,
krb5_keyblock **out_subkey)
{
krb5_error_code retval;
krb5_data request_data;
krb5_data response_data;
krb5_timestamp timestamp;
krb5_int32 nonce;
krb5_keyblock *subkey = NULL;
int tcp_only = 0, use_master = 0;
request_data.data = NULL;
request_data.length = 0;
response_data.data = NULL;
response_data.length = 0;
#ifdef DEBUG_REFERRALS
printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off");
krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt requested ticket", in_cred->server);
krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt TGT in use", tkt->server);
#endif
retval = krb5int_make_tgs_request(context, tkt, kdcoptions,
address, in_padata, in_cred,
pacb_fct, pacb_data,
&request_data, ×tamp, &nonce,
&subkey);
if (retval != 0)
goto cleanup;
send_again:
use_master = 0;
retval = krb5_sendto_kdc(context, &request_data,
krb5_princ_realm(context, in_cred->server),
&response_data, &use_master, tcp_only);
if (retval == 0) {
if (krb5_is_krb_error(&response_data)) {
if (!tcp_only) {
krb5_error *err_reply;
retval = decode_krb5_error(&response_data, &err_reply);
if (retval != 0)
goto cleanup;
if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
tcp_only = 1;
krb5_free_error(context, err_reply);
krb5_free_data_contents(context, &response_data);
goto send_again;
}
krb5_free_error(context, err_reply);
}
}
} else
goto cleanup;
retval = krb5int_process_tgs_reply(context, &response_data,
tkt, kdcoptions, address,
in_padata, in_cred,
timestamp, nonce, subkey,
out_padata,
out_enc_padata, out_cred);
if (retval != 0)
goto cleanup;
cleanup:
#ifdef DEBUG_REFERRALS
printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error");
#endif
krb5_free_data_contents(context, &request_data);
krb5_free_data_contents(context, &response_data);
if (subkey != NULL) {
if (retval == 0 && out_subkey != NULL)
*out_subkey = subkey;
else
krb5_free_keyblock(context, subkey);
}
return retval;
}
krb5_error_code
krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
{
char *ptr;
int plen, vno;
krb5_data ap_rep;
krb5_ap_rep_enc_part *ap_rep_enc;
krb5_error_code ret;
krb5_data cipherresult;
krb5_data clearresult;
krb5_error *krberror;
krb5_replay_data replay;
krb5_keyblock *tmp;
if (packet->length < 4)
/* either this, or the server is printing bad messages,
or the caller passed in garbage */
return(KRB5KRB_AP_ERR_MODIFIED);
ptr = packet->data;
/* verify length */
plen = (*ptr++ & 0xff);
plen = (plen<<8) | (*ptr++ & 0xff);
if (plen != packet->length)
{
/*
* MS KDCs *may* send back a KRB_ERROR. Although
* not 100% correct via RFC3244, it's something
* we can workaround here.
*/
if (krb5_is_krb_error(packet)) {
if ((ret = krb5_rd_error(context, packet, &krberror)))
return(ret);
if (krberror->e_data.data == NULL) {
ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
krb5_free_error(context, krberror);
return (ret);
}
}
else
{
return(KRB5KRB_AP_ERR_MODIFIED);
}
}
/* verify version number */
vno = (*ptr++ & 0xff);
vno = (vno<<8) | (*ptr++ & 0xff);
if (vno != 1)
return(KRB5KDC_ERR_BAD_PVNO);
/* read, check ap-rep length */
ap_rep.length = (*ptr++ & 0xff);
ap_rep.length = (ap_rep.length<<8) | (*ptr++ & 0xff);
if (ptr + ap_rep.length >= packet->data + packet->length)
return(KRB5KRB_AP_ERR_MODIFIED);
if (ap_rep.length) {
/* verify ap_rep */
ap_rep.data = ptr;
ptr += ap_rep.length;
/*
* Save send_subkey to later smash recv_subkey.
*/
ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
if (ret)
return ret;
ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
if (ret) {
krb5_free_keyblock(context, tmp);
return(ret);
}
krb5_free_ap_rep_enc_part(context, ap_rep_enc);
/* extract and decrypt the result */
cipherresult.data = ptr;
cipherresult.length = (packet->data + packet->length) - ptr;
/*
* Smash recv_subkey to be send_subkey, per spec.
*/
ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
krb5_free_keyblock(context, tmp);
if (ret)
return ret;
ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
&replay);
if (ret)
return(ret);
} else {
cipherresult.data = ptr;
cipherresult.length = (packet->data + packet->length) - ptr;
if ((ret = krb5_rd_error(context, &cipherresult, &krberror)))
return(ret);
clearresult = krberror->e_data;
}
if (clearresult.length < 2) {
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
ptr = clearresult.data;
*result_code = (*ptr++ & 0xff);
*result_code = (*result_code<<8) | (*ptr++ & 0xff);
if ((*result_code < KRB5_KPASSWD_SUCCESS) ||
(*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) {
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
/* all success replies should be authenticated/encrypted */
if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) {
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
result_data->length = (clearresult.data + clearresult.length) - ptr;
if (result_data->length) {
result_data->data = (char *) malloc(result_data->length);
if (result_data->data == NULL) {
ret = ENOMEM;
goto cleanup;
}
memcpy(result_data->data, ptr, result_data->length);
} else {
result_data->data = NULL;
}
ret = 0;
cleanup:
if (ap_rep.length) {
krb5_xfree(clearresult.data);
} else {
krb5_free_error(context, krberror);
}
return(ret);
}
/*
* Now we send over the database. We use the following protocol:
* Send over a KRB_SAFE message with the size. Then we send over the
* database in blocks of KPROP_BLKSIZE, encrypted using KRB_PRIV.
* Then we expect to see a KRB_SAFE message with the size sent back.
*
* At any point in the protocol, we may send a KRB_ERROR message; this
* will abort the entire operation.
*/
static void
xmit_database(krb5_context context, krb5_auth_context auth_context,
krb5_creds *my_creds, int fd, int database_fd,
int in_database_size)
{
krb5_int32 n;
krb5_data inbuf, outbuf;
char buf[KPROP_BUFSIZ];
krb5_error_code retval;
krb5_error *error;
krb5_ui_4 database_size = in_database_size, send_size, sent_size;
/* Send over the size. */
send_size = htonl(database_size);
inbuf.data = (char *)&send_size;
inbuf.length = sizeof(send_size); /* must be 4, really */
/* KPROP_CKSUMTYPE */
retval = krb5_mk_safe(context, auth_context, &inbuf, &outbuf, NULL);
if (retval) {
com_err(progname, retval, _("while encoding database size"));
send_error(context, my_creds, fd, _("while encoding database size"),
retval);
exit(1);
}
retval = krb5_write_message(context, &fd, &outbuf);
if (retval) {
krb5_free_data_contents(context, &outbuf);
com_err(progname, retval, _("while sending database size"));
exit(1);
}
krb5_free_data_contents(context, &outbuf);
/* Initialize the initial vector. */
retval = krb5_auth_con_initivector(context, auth_context);
if (retval) {
send_error(context, my_creds, fd,
"failed while initializing i_vector", retval);
com_err(progname, retval, _("while allocating i_vector"));
exit(1);
}
/* Send over the file, block by block. */
inbuf.data = buf;
sent_size = 0;
while ((n = read(database_fd, buf, sizeof(buf)))) {
inbuf.length = n;
retval = krb5_mk_priv(context, auth_context, &inbuf, &outbuf, NULL);
if (retval) {
snprintf(buf, sizeof(buf),
"while encoding database block starting at %d",
sent_size);
com_err(progname, retval, "%s", buf);
send_error(context, my_creds, fd, buf, retval);
exit(1);
}
retval = krb5_write_message(context, &fd, &outbuf);
if (retval) {
krb5_free_data_contents(context, &outbuf);
com_err(progname, retval,
_("while sending database block starting at %d"),
sent_size);
exit(1);
}
krb5_free_data_contents(context, &outbuf);
sent_size += n;
if (debug)
printf("%d bytes sent.\n", sent_size);
}
if (sent_size != database_size) {
com_err(progname, 0, _("Premature EOF found for database file!"));
send_error(context, my_creds, fd,
"Premature EOF found for database file!",
KRB5KRB_ERR_GENERIC);
exit(1);
}
/*
* OK, we've sent the database; now let's wait for a success
* indication from the remote end.
*/
retval = krb5_read_message(context, &fd, &inbuf);
if (retval) {
com_err(progname, retval, _("while reading response from server"));
exit(1);
}
/*
* If we got an error response back from the server, display
* the error message
*/
if (krb5_is_krb_error(&inbuf)) {
retval = krb5_rd_error(context, &inbuf, &error);
if (retval) {
com_err(progname, retval,
_("while decoding error response from server"));
exit(1);
}
if (error->error == KRB_ERR_GENERIC) {
if (error->text.data) {
fprintf(stderr, _("Generic remote error: %s\n"),
error->text.data);
}
} else if (error->error) {
com_err(progname,
(krb5_error_code)error->error + ERROR_TABLE_BASE_krb5,
_("signalled from server"));
if (error->text.data) {
fprintf(stderr, _("Error text from server: %s\n"),
error->text.data);
}
}
krb5_free_error(context, error);
exit(1);
}
retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL);
if (retval) {
com_err(progname, retval,
"while decoding final size packet from server");
exit(1);
}
memcpy(&send_size, outbuf.data, sizeof(send_size));
send_size = ntohl(send_size);
if (send_size != database_size) {
com_err(progname, 0, _("Kpropd sent database size %d, expecting %d"),
send_size, database_size);
exit(1);
}
free(outbuf.data);
}
/*
* Parse the IAKERB token in input_token and send the contained KDC
* request to the KDC for the realm.
*
* Wrap the KDC reply in output_token.
*/
static krb5_error_code
iakerb_acceptor_step(iakerb_ctx_id_t ctx,
int initialContextToken,
const gss_buffer_t input_token,
gss_buffer_t output_token)
{
krb5_error_code code;
krb5_data request = empty_data(), reply = empty_data();
krb5_data realm = empty_data();
OM_uint32 tmp;
int tcp_only, use_master;
krb5_ui_4 kdc_code;
output_token->length = 0;
output_token->value = NULL;
if (ctx->count >= IAKERB_MAX_HOPS) {
code = KRB5_KDC_UNREACH;
goto cleanup;
}
code = iakerb_parse_token(ctx, initialContextToken, input_token, &realm,
NULL, &request);
if (code != 0)
goto cleanup;
if (realm.length == 0 || request.length == 0) {
code = KRB5_BAD_MSIZE;
goto cleanup;
}
code = iakerb_save_token(ctx, input_token);
if (code != 0)
goto cleanup;
for (tcp_only = 0; tcp_only <= 1; tcp_only++) {
use_master = 0;
code = krb5_sendto_kdc(ctx->k5c, &request, &realm,
&reply, &use_master, tcp_only);
if (code == 0 && krb5_is_krb_error(&reply)) {
krb5_error *error;
code = decode_krb5_error(&reply, &error);
if (code != 0)
goto cleanup;
kdc_code = error->error;
krb5_free_error(ctx->k5c, error);
if (kdc_code == KRB_ERR_RESPONSE_TOO_BIG) {
krb5_free_data_contents(ctx->k5c, &reply);
reply = empty_data();
continue;
}
}
break;
}
if (code == KRB5_KDC_UNREACH || code == KRB5_REALM_UNKNOWN) {
krb5_error error;
memset(&error, 0, sizeof(error));
if (code == KRB5_KDC_UNREACH)
error.error = KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE;
else if (code == KRB5_REALM_UNKNOWN)
error.error = KRB_AP_ERR_IAKERB_KDC_NOT_FOUND;
code = krb5_mk_error(ctx->k5c, &error, &reply);
if (code != 0)
goto cleanup;
} else if (code != 0)
goto cleanup;
code = iakerb_make_token(ctx, &realm, NULL, &reply, 0, output_token);
if (code != 0)
goto cleanup;
code = iakerb_save_token(ctx, output_token);
if (code != 0)
goto cleanup;
ctx->count++;
cleanup:
if (code != 0)
gss_release_buffer(&tmp, output_token);
/* request is a pointer into input_token, no need to free */
krb5_free_data_contents(ctx->k5c, &realm);
krb5_free_data_contents(ctx->k5c, &reply);
return code;
}
/*
* pg_krb5_sendauth -- client routine to send authentication information to
* the server
*/
static int
pg_krb5_sendauth(PGconn *conn)
{
krb5_error_code retval;
int ret;
krb5_principal server;
krb5_auth_context auth_context = NULL;
krb5_error *err_ret = NULL;
struct krb5_info info;
info.pg_krb5_initialised = 0;
if (!(conn->pghost && conn->pghost[0] != '\0'))
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("host name must be specified\n"));
return STATUS_ERROR;
}
ret = pg_krb5_init(&conn->errorMessage, &info);
if (ret != STATUS_OK)
return ret;
retval = krb5_sname_to_principal(info.pg_krb5_context, conn->pghost,
conn->krbsrvname,
KRB5_NT_SRV_HST, &server);
if (retval)
{
printfPQExpBuffer(&conn->errorMessage,
"pg_krb5_sendauth: krb5_sname_to_principal: %s\n",
error_message(retval));
pg_krb5_destroy(&info);
return STATUS_ERROR;
}
/*
* libpq uses a non-blocking socket. But kerberos needs a blocking socket,
* and we have to block somehow to do mutual authentication anyway. So we
* temporarily make it blocking.
*/
if (!pg_set_block(conn->sock))
{
char sebuf[256];
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf)));
krb5_free_principal(info.pg_krb5_context, server);
pg_krb5_destroy(&info);
return STATUS_ERROR;
}
retval = krb5_sendauth(info.pg_krb5_context, &auth_context,
(krb5_pointer) & conn->sock, (char *) conn->krbsrvname,
info.pg_krb5_client, server,
AP_OPTS_MUTUAL_REQUIRED,
NULL, 0, /* no creds, use ccache instead */
info.pg_krb5_ccache, &err_ret, NULL, NULL);
if (retval)
{
if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
{
#if defined(HAVE_KRB5_ERROR_TEXT_DATA)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
(int) err_ret->text.length, err_ret->text.data);
#elif defined(HAVE_KRB5_ERROR_E_DATA)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
(int) err_ret->e_data->length,
(const char *) err_ret->e_data->data);
#else
#error "bogus configuration"
#endif
}
else
{
printfPQExpBuffer(&conn->errorMessage,
"krb5_sendauth: %s\n", error_message(retval));
}
if (err_ret)
krb5_free_error(info.pg_krb5_context, err_ret);
ret = STATUS_ERROR;
}
krb5_free_principal(info.pg_krb5_context, server);
if (!pg_set_noblock(conn->sock))
{
char sebuf[256];
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not restore non-blocking mode on socket: %s\n"),
pqStrerror(errno, sebuf, sizeof(sebuf)));
ret = STATUS_ERROR;
}
pg_krb5_destroy(&info);
return ret;
}
/*
* pg_krb5_sendauth -- client routine to send authentication information to
* the server
*/
static int
pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
{
krb5_error_code retval;
int ret;
krb5_principal server;
krb5_auth_context auth_context = NULL;
krb5_error *err_ret = NULL;
if (!hostname)
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb5_sendauth: hostname must be specified for Kerberos authentication\n");
return STATUS_ERROR;
}
ret = pg_krb5_init(PQerrormsg);
if (ret != STATUS_OK)
return ret;
retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
KRB5_NT_SRV_HST, &server);
if (retval)
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb5_sendauth: krb5_sname_to_principal: %s\n",
error_message(retval));
return STATUS_ERROR;
}
/*
* libpq uses a non-blocking socket. But kerberos needs a blocking
* socket, and we have to block somehow to do mutual authentication
* anyway. So we temporarily make it blocking.
*/
if (!pg_set_block(sock))
{
char sebuf[256];
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf)));
krb5_free_principal(pg_krb5_context, server);
return STATUS_ERROR;
}
retval = krb5_sendauth(pg_krb5_context, &auth_context,
(krb5_pointer) & sock, PG_KRB_SRVNAM,
pg_krb5_client, server,
AP_OPTS_MUTUAL_REQUIRED,
NULL, 0, /* no creds, use ccache instead */
pg_krb5_ccache, &err_ret, NULL, NULL);
if (retval)
{
if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
{
#if defined(HAVE_KRB5_ERROR_TEXT_DATA)
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
(int) err_ret->text.length, err_ret->text.data);
#elif defined(HAVE_KRB5_ERROR_E_DATA)
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
(int) err_ret->e_data->length,
(const char *) err_ret->e_data->data);
#else
#error "bogus configuration"
#endif
}
else
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"krb5_sendauth: %s\n", error_message(retval));
}
if (err_ret)
krb5_free_error(pg_krb5_context, err_ret);
ret = STATUS_ERROR;
}
krb5_free_principal(pg_krb5_context, server);
if (!pg_set_noblock(sock))
{
char sebuf[256];
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("could not restore non-blocking mode on socket: %s\n"),
pqStrerror(errno, sebuf, sizeof(sebuf)));
ret = STATUS_ERROR;
}
return ret;
}
