/* * Request: * NameZ * Cursor * * Response: * Creds */ static krb5_error_code kcm_get_next (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, krb5_creds *creds) { krb5_error_code ret; krb5_kcmcache *k = KCMCACHE(id); krb5_storage *request, *response; krb5_data response_data; ret = kcm_storage_request(context, KCM_OP_GET_NEXT, &request); if (ret) return ret; ret = krb5_store_stringz(request, k->name); if (ret) { krb5_storage_free(request); return ret; } ret = krb5_store_int32(request, KCMCURSOR(*cursor)); if (ret) { krb5_storage_free(request); return ret; } ret = kcm_call(context, k, request, &response, &response_data); if (ret) { krb5_storage_free(request); return ret; } ret = krb5_ret_creds(response, creds); if (ret) ret = KRB5_CC_IO; krb5_storage_free(request); krb5_storage_free(response); krb5_data_free(&response_data); return ret; }
static OM_uint32 inquire_sec_context_authz_data (OM_uint32 *minor_status, const gsskrb5_ctx context_handle, krb5_context context, unsigned ad_type, gss_buffer_set_t *data_set) { krb5_data data; gss_buffer_desc ad_data; OM_uint32 ret; *minor_status = 0; *data_set = GSS_C_NO_BUFFER_SET; HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex); if (context_handle->ticket == NULL) { HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); *minor_status = EINVAL; _gsskrb5_set_status(EINVAL, "No ticket to obtain authz data from"); return GSS_S_NO_CONTEXT; } ret = krb5_ticket_get_authorization_data_type(context, context_handle->ticket, ad_type, &data); HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex); if (ret) { *minor_status = ret; return GSS_S_FAILURE; } ad_data.value = data.data; ad_data.length = data.length; ret = gss_add_buffer_set_member(minor_status, &ad_data, data_set); krb5_data_free(&data); return ret; }
static int krb_enc_mit(krb5_context context, krb5_enctype enctype, krb5_keyblock *key, unsigned usage, krb5_data *cipher, krb5_data *clear) { #ifndef HEIMDAL_SMALLER krb5_error_code ret; krb5_enc_data e; krb5_data decrypt; size_t len; e.kvno = 0; e.enctype = enctype; e.ciphertext = *cipher; ret = krb5_c_decrypt(context, *key, usage, NULL, &e, &decrypt); if (ret) return ret; if (decrypt.length != clear->length || memcmp(decrypt.data, clear->data, decrypt.length) != 0) { krb5_warnx(context, "clear text not same"); return EINVAL; } krb5_data_free(&decrypt); ret = krb5_c_encrypt_length(context, enctype, clear->length, &len); if (ret) return ret; if (len != cipher->length) { krb5_warnx(context, "c_encrypt_length wrong %lu != %lu", (unsigned long)len, (unsigned long)cipher->length); return EINVAL; } #endif /* HEIMDAL_SMALLER */ return 0; }
static krb5_error_code decrypt_tkt (krb5_context context, krb5_keyblock *key, krb5_key_usage usage, krb5_const_pointer decrypt_arg, krb5_kdc_rep *dec_rep) { krb5_error_code ret; krb5_data data; size_t size; krb5_crypto crypto; ret = krb5_crypto_init(context, key, 0, &crypto); if (ret) return ret; ret = krb5_decrypt_EncryptedData (context, crypto, usage, &dec_rep->kdc_rep.enc_part, &data); krb5_crypto_destroy(context, crypto); if (ret) return ret; ret = krb5_decode_EncASRepPart(context, data.data, data.length, &dec_rep->enc_part, &size); if (ret) ret = krb5_decode_EncTGSRepPart(context, data.data, data.length, &dec_rep->enc_part, &size); krb5_data_free (&data); if (ret) return ret; return 0; }
static krb5_error_code pac_verify(void *ctx, krb5_context context, const krb5_principal client_principal, struct hdb_entry_ex *client, struct hdb_entry_ex *server, krb5_pac *pac) { krb5_error_code ret; krb5_data data; krb5_warnx(context, "pac_verify"); ret = krb5_pac_get_buffer(context, *pac, 1, &data); if (ret) return ret; krb5_data_free(&data); return 0; }
static void free_init_creds_ctx(krb5_context context, krb5_init_creds_context ctx) { if (ctx->etypes) free(ctx->etypes); if (ctx->pre_auth_types) free (ctx->pre_auth_types); if (ctx->in_tkt_service) free(ctx->in_tkt_service); if (ctx->keytab_data) free(ctx->keytab_data); krb5_data_free(&ctx->req_buffer); krb5_free_cred_contents(context, &ctx->cred); free_METHOD_DATA(&ctx->md); free_AS_REP(&ctx->as_rep); free_EncKDCRepPart(&ctx->enc_part); free_KRB_ERROR(&ctx->error); free_AS_REQ(&ctx->as_req); memset(ctx, 0, sizeof(*ctx)); }
static void test_mic(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2) { krb5_data msg, mic; int32_t val; msg.data = "foo"; msg.length = 3; krb5_data_zero(&mic); val = get_mic(c1, hc1, &msg, &mic); if (val) errx(1, "get_mic failed to host: %s", c1->moniker); val = verify_mic(c2, hc2, &msg, &mic); if (val) errx(1, "verify_mic failed to host: %s", c2->moniker); krb5_data_free(&mic); }
kadm5_ret_t kadm5_log_replay_rename (kadm5_server_context *context, u_int32_t ver, u_int32_t len, krb5_storage *sp) { krb5_error_code ret; krb5_principal source; hdb_entry source_ent, target_ent; krb5_data value; off_t off; size_t princ_len, data_len; off = krb5_storage_seek(sp, 0, SEEK_CUR); krb5_ret_principal (sp, &source); princ_len = krb5_storage_seek(sp, 0, SEEK_CUR) - off; data_len = len - princ_len; ret = krb5_data_alloc (&value, data_len); if (ret) { krb5_free_principal (context->context, source); return ret; } krb5_storage_read (sp, value.data, data_len); ret = hdb_value2entry (context->context, &value, &target_ent); krb5_data_free(&value); if (ret) { krb5_free_principal (context->context, source); return ret; } ret = context->db->hdb_store (context->context, context->db, 0, &target_ent); hdb_free_entry (context->context, &target_ent); if (ret) { krb5_free_principal (context->context, source); return ret; } source_ent.principal = source; ret = context->db->hdb_remove (context->context, context->db, &source_ent); krb5_free_principal (context->context, source); return ret; }
kadm5_ret_t _kadm5_client_recv(kadm5_client_context *context, krb5_data *reply) { krb5_error_code ret; krb5_data data; krb5_storage *sock; sock = krb5_storage_from_fd(context->sock); if(sock == NULL) return ENOMEM; ret = krb5_ret_data(sock, &data); krb5_storage_free(sock); if(ret == KRB5_CC_END) return KADM5_RPC_ERROR; else if(ret) return ret; ret = krb5_rd_priv(context->context, context->ac, &data, reply, NULL); krb5_data_free(&data); return ret; }
static krb5_error_code KRB5_CALLCONV acc_close(krb5_context context, krb5_ccache id) { krb5_acc *a = ACACHE(id); if (a->ccache) { (*a->ccache->func->release)(a->ccache); a->ccache = NULL; } if (a->cache_name) { free(a->cache_name); a->cache_name = NULL; } if (a->context) { (*a->context->func->release)(a->context); a->context = NULL; } krb5_data_free(&id->data); return 0; }
/* * Request: * * Response: * NameZ */ static krb5_error_code kcm_gen_new(krb5_context context, krb5_ccache *id) { krb5_kcmcache *k; krb5_error_code ret; krb5_storage *request, *response; krb5_data response_data; ret = kcm_alloc(context, NULL, id); if (ret) return ret; k = KCMCACHE(*id); ret = krb5_kcm_storage_request(context, KCM_OP_GEN_NEW, &request); if (ret) { kcm_free(context, id); return ret; } ret = krb5_kcm_call(context, request, &response, &response_data); if (ret) { krb5_storage_free(request); kcm_free(context, id); return ret; } ret = krb5_ret_stringz(response, &k->name); if (ret) ret = KRB5_CC_IO; krb5_storage_free(request); krb5_storage_free(response); krb5_data_free(&response_data); if (ret) kcm_free(context, id); return ret; }
krb5_error_code KRB5_LIB_FUNCTION krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx) { krb5_sendto_ctx stctx = NULL; krb5_krbhst_info *hostinfo = NULL; krb5_error_code ret; krb5_data in, out; unsigned int flags = 0; krb5_data_zero(&in); krb5_data_zero(&out); ret = krb5_sendto_ctx_alloc(context, &stctx); if (ret) goto out; krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL); while (1) { flags = 0; ret = krb5_init_creds_step(context, ctx, &in, &out, hostinfo, &flags); krb5_data_free(&in); if (ret) goto out; if ((flags & 1) == 0) break; ret = krb5_sendto_context (context, stctx, &out, ctx->cred.client->realm, &in); if (ret) goto out; } out: if (stctx) krb5_sendto_ctx_free(context, stctx); return ret; }
static OM_uint32 _gss_ntlm_destroy_kcm_cred(gss_cred_id_t *cred_handle) { krb5_storage *request, *response; krb5_data response_data; krb5_context context; krb5_error_code ret; ntlm_cred cred; cred = (ntlm_cred)*cred_handle; ret = krb5_init_context(&context); if (ret) return ret; ret = krb5_kcm_storage_request(context, KCM_OP_DEL_NTLM_CRED, &request); if (ret) goto out; ret = krb5_store_stringz(request, cred->username); if (ret) goto out; ret = krb5_store_stringz(request, cred->domain); if (ret) goto out; ret = krb5_kcm_call(context, request, &response, &response_data); if (ret) goto out; krb5_storage_free(request); krb5_storage_free(response); krb5_data_free(&response_data); out: krb5_free_context(context); return ret; }
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_read_message (krb5_context context, krb5_pointer p_fd, krb5_data *data) { krb5_error_code ret; krb5_ssize_t sret; uint32_t len; uint8_t buf[4]; krb5_data_zero(data); sret = krb5_net_read (context, p_fd, buf, 4); if(sret == -1) { ret = errno; krb5_clear_error_message (context); return ret; } if(sret < 4) { krb5_clear_error_message(context); return HEIM_ERR_EOF; } len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]; if (len > UINT_MAX / 16) { krb5_set_error_message(context, ERANGE, N_("packet to large", "")); return ERANGE; } ret = krb5_data_alloc (data, len); if (ret) { krb5_clear_error_message(context); return ret; } if (krb5_net_read (context, p_fd, data->data, len) != (ssize_t)len) { ret = errno; krb5_data_free (data); krb5_clear_error_message (context); return ret; } return 0; }
static int HandleOP(Wrap) { OM_uint32 maj_stat, min_stat; int32_t hContext, flags, seqno; krb5_data token; gss_ctx_id_t ctx; gss_buffer_desc input_token, output_token; int conf_state; ret32(c, hContext); ret32(c, flags); ret32(c, seqno); retdata(c, token); ctx = find_handle(c->handles, hContext, handle_context); if (ctx == NULL) errx(1, "wrap: reference to unknown context"); input_token.length = token.length; input_token.value = token.data; maj_stat = gss_wrap(&min_stat, ctx, flags, 0, &input_token, &conf_state, &output_token); if (maj_stat != GSS_S_COMPLETE) errx(1, "gss_wrap failed"); krb5_data_free(&token); token.data = output_token.value; token.length = output_token.length; put32(c, 0); /* XXX fix gsm_error */ putdata(c, token); gss_release_buffer(&min_stat, &output_token); return 0; }
static krb5_error_code kcm_send_request(krb5_context context, krb5_kcmcache *k, krb5_storage *request, krb5_data *response_data) { krb5_error_code ret; krb5_data request_data; int i; response_data->data = NULL; response_data->length = 0; ret = krb5_storage_to_data(request, &request_data); if (ret) { krb5_clear_error_string(context); return KRB5_CC_NOMEM; } ret = KRB5_CC_IO; for (i = 0; i < context->max_retries; i++) { ret = try_door(context, k, &request_data, response_data); if (ret == 0 && response_data->length != 0) break; ret = try_unix_socket(context, k, &request_data, response_data); if (ret == 0 && response_data->length != 0) break; } krb5_data_free(&request_data); if (ret) { krb5_clear_error_string(context); ret = KRB5_CC_IO; } return ret; }
static void build_request(KTEXT req, const char *name, const char *inst, const char *realm, u_int32_t checksum) { struct timeval tv; krb5_storage *sp; krb5_data data; sp = krb5_storage_emem(); krb5_store_stringz(sp, name); krb5_store_stringz(sp, inst); krb5_store_stringz(sp, realm); krb5_store_int32(sp, checksum); gettimeofday(&tv, NULL); krb5_store_int8(sp, tv.tv_usec / 5000); krb5_store_int32(sp, tv.tv_sec); krb5_storage_to_data(sp, &data); krb5_storage_free(sp); memcpy(req->dat, data.data, data.length); req->length = (data.length + 7) & ~7; krb5_data_free(&data); }
kadm5_ret_t kadm5_log_replay_create (kadm5_server_context *context, u_int32_t ver, u_int32_t len, krb5_storage *sp) { krb5_error_code ret; krb5_data data; hdb_entry ent; ret = krb5_data_alloc (&data, len); if (ret) return ret; krb5_storage_read (sp, data.data, len); ret = hdb_value2entry (context->context, &data, &ent); krb5_data_free(&data); if (ret) return ret; ret = context->db->hdb_store(context->context, context->db, 0, &ent); hdb_free_entry (context->context, &ent); return ret; }
static OM_uint32 change_hold(OM_uint32 *minor_status, gsskrb5_cred cred, krb5_error_code (*func)(krb5_context, krb5_ccache)) { krb5_error_code ret; krb5_context context; krb5_data data; *minor_status = 0; krb5_data_zero(&data); GSSAPI_KRB5_INIT (&context); if (cred == NULL) return GSS_S_COMPLETE; if (cred->usage != GSS_C_INITIATE && cred->usage != GSS_C_BOTH) { *minor_status = GSS_KRB5_S_G_BAD_USAGE; return GSS_S_FAILURE; } /* XXX only refcount nah-created credentials */ ret = krb5_cc_get_config(context, cred->ccache, NULL, "nah-created", &data); if (ret) { *minor_status = ret; return GSS_S_FAILURE; } krb5_data_free(&data); ret = func(context, cred->ccache); if (ret) { *minor_status = ret; return GSS_S_FAILURE; } return GSS_S_COMPLETE; }
static void print_and_decode_tkt (krb5_context context, krb5_data *ticket, krb5_principal server, krb5_enctype enctype) { krb5_error_code ret; krb5_crypto crypto; krb5_data dec_data; size_t len; EncTicketPart decr_part; krb5_keyblock key; Ticket tkt; ret = decode_Ticket (ticket->data, ticket->length, &tkt, &len); if (ret) krb5_err (context, 1, ret, "decode_Ticket"); ret = krb5_string_to_key (context, enctype, "foo", server, &key); if (ret) krb5_err (context, 1, ret, "krb5_string_to_key"); ret = krb5_crypto_init(context, &key, 0, &crypto); if (ret) krb5_err (context, 1, ret, "krb5_crypto_init"); ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET, &tkt.enc_part, &dec_data); krb5_crypto_destroy (context, crypto); if (ret) krb5_err (context, 1, ret, "krb5_decrypt_EncryptedData"); ret = decode_EncTicketPart (dec_data.data, dec_data.length, &decr_part, &len); krb5_data_free (&dec_data); if (ret) krb5_err (context, 1, ret, "krb5_decode_EncTicketPart"); free_EncTicketPart(&decr_part); }
static NTSTATUS kdc_proxy_unavailable_error(struct kdc_server *kdc, TALLOC_CTX *mem_ctx, DATA_BLOB *out) { int kret; krb5_data k5_error_blob; kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context, KRB5KDC_ERR_SVC_UNAVAILABLE, NULL, NULL, NULL, NULL, NULL, NULL, &k5_error_blob); if (kret != 0) { DEBUG(2,(__location__ ": Unable to form krb5 error reply\n")); return NT_STATUS_INTERNAL_ERROR; } *out = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length); krb5_data_free(&k5_error_blob); if (!out->data) { return NT_STATUS_NO_MEMORY; } return NT_STATUS_OK; }
static krb5_error_code write_storage(krb5_context context, krb5_storage *sp, int fd) { krb5_error_code ret; krb5_data data; ssize_t sret; ret = krb5_storage_to_data(sp, &data); if (ret) { krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); return ret; } sret = write(fd, data.data, data.length); ret = (sret != data.length); krb5_data_free(&data); if (ret) { ret = errno; krb5_set_error_message(context, ret, N_("Failed to write FILE credential data", "")); return ret; } return 0; }
static krb5_error_code HMAC_MD5_any_checksum(krb5_context context, const krb5_keyblock *key, const void *data, size_t len, unsigned usage, Checksum *result) { struct _krb5_key_data local_key; struct krb5_crypto_iov iov; krb5_error_code ret; memset(&local_key, 0, sizeof(local_key)); ret = krb5_copy_keyblock(context, key, &local_key.key); if (ret) return ret; ret = krb5_data_alloc (&result->checksum, 16); if (ret) { krb5_free_keyblock(context, local_key.key); return ret; } result->cksumtype = CKSUMTYPE_HMAC_MD5; iov.data.data = (void *)data; iov.data.length = len; iov.flags = KRB5_CRYPTO_TYPE_DATA; ret = _krb5_HMAC_MD5_checksum(context, NULL, &local_key, usage, &iov, 1, result); if (ret) krb5_data_free(&result->checksum); krb5_free_keyblock(context, local_key.key); return ret; }
krb5_error_code v5_prop(krb5_context context, HDB *db, hdb_entry_ex *entry, void *appdata) { krb5_error_code ret; struct prop_data *pd = appdata; krb5_data data; if(encrypt_flag) { ret = hdb_seal_keys_mkey(context, &entry->entry, mkey5); if (ret) { krb5_warn(context, ret, "hdb_seal_keys_mkey"); return ret; } } if(decrypt_flag) { ret = hdb_unseal_keys_mkey(context, &entry->entry, mkey5); if (ret) { krb5_warn(context, ret, "hdb_unseal_keys_mkey"); return ret; } } ret = hdb_entry2value(context, &entry->entry, &data); if(ret) { krb5_warn(context, ret, "hdb_entry2value"); return ret; } if(to_stdout) ret = krb5_write_message(context, &pd->sock, &data); else ret = krb5_write_priv_message(context, pd->auth_context, &pd->sock, &data); krb5_data_free(&data); return ret; }
static krb5_error_code resolve_by_uuid_oid(krb5_context context, const krb5_cc_ops *ops, krb5_ccache id, krb5_uuid uuid) { krb5_storage *request, *response; krb5_data response_data; krb5_error_code ret; char *name; ssize_t sret; ret = krb5_kcm_storage_request(context, KCM_OP_GET_CACHE_BY_UUID, &request); if (ret) return ret; sret = krb5_storage_write(request, uuid, sizeof(krb5_uuid)); if (sret != sizeof(krb5_uuid)) { krb5_storage_free(request); krb5_clear_error_message(context); return ENOMEM; } ret = krb5_kcm_call(context, request, &response, &response_data); krb5_storage_free(request); if (ret) return ret; ret = krb5_ret_stringz(response, &name); krb5_storage_free(response); krb5_data_free(&response_data); if (ret) return ret; ret = kcm_alloc(context, name, &id); krb5_xfree(name); return ret; }
/* * Request: * NameZ * * Response: * Principal */ static krb5_error_code kcm_get_principal(krb5_context context, krb5_ccache id, krb5_principal *principal) { krb5_error_code ret; krb5_kcmcache *k = KCMCACHE(id); krb5_storage *request, *response; krb5_data response_data; ret = krb5_kcm_storage_request(context, KCM_OP_GET_PRINCIPAL, &request); if (ret) return ret; ret = krb5_store_stringz(request, k->name); if (ret) { krb5_storage_free(request); return ret; } ret = krb5_kcm_call(context, request, &response, &response_data); if (ret) { krb5_storage_free(request); return ret; } ret = krb5_ret_principal(response, principal); if (ret) ret = KRB5_CC_IO; krb5_storage_free(request); krb5_storage_free(response); krb5_data_free(&response_data); return ret; }
static void send_im_here (krb5_context context, int fd, krb5_auth_context auth_context) { krb5_storage *sp; krb5_data data; int ret; ret = krb5_data_alloc (&data, 4); if (ret) krb5_err (context, 1, ret, "send_im_here"); sp = krb5_storage_from_data (&data); if (sp == NULL) krb5_errx (context, 1, "krb5_storage_from_data"); krb5_store_int32(sp, I_AM_HERE); krb5_storage_free(sp); ret = krb5_write_priv_message(context, auth_context, &fd, &data); krb5_data_free(&data); if (ret) krb5_err (context, 1, ret, "krb5_write_priv_message"); }
static krb5_error_code decrypt_authenticator (krb5_context context, EncryptionKey *key, EncryptedData *enc_part, Authenticator *authenticator, krb5_key_usage usage) { krb5_error_code ret; krb5_data plain; size_t len; krb5_crypto crypto; ret = krb5_crypto_init(context, key, 0, &crypto); if (ret) return ret; ret = krb5_decrypt_EncryptedData (context, crypto, usage /* KRB5_KU_AP_REQ_AUTH */, enc_part, &plain); /* for backwards compatibility, also try the old usage */ if (ret && usage == KRB5_KU_TGS_REQ_AUTH) ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_AP_REQ_AUTH, enc_part, &plain); krb5_crypto_destroy(context, crypto); if (ret) return ret; ret = decode_Authenticator(plain.data, plain.length, authenticator, &len); krb5_data_free (&plain); return ret; }
static krb5_error_code get_cred_kdc(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, krb5_addresses *addresses, krb5_creds *in_creds, krb5_creds *krbtgt, krb5_principal impersonate_principal, Ticket *second_ticket, krb5_creds *out_creds) { TGS_REQ req; krb5_data enc; krb5_data resp; krb5_kdc_rep rep; KRB_ERROR error; krb5_error_code ret; unsigned nonce; krb5_keyblock *subkey = NULL; size_t len; Ticket second_ticket_data; METHOD_DATA padata; krb5_data_zero(&resp); krb5_data_zero(&enc); padata.val = NULL; padata.len = 0; krb5_generate_random_block(&nonce, sizeof(nonce)); nonce &= 0xffffffff; if(flags.b.enc_tkt_in_skey && second_ticket == NULL){ ret = decode_Ticket(in_creds->second_ticket.data, in_creds->second_ticket.length, &second_ticket_data, &len); if(ret) return ret; second_ticket = &second_ticket_data; } if (impersonate_principal) { krb5_crypto crypto; PA_S4U2Self self; krb5_data data; void *buf; size_t size; self.name = impersonate_principal->name; self.realm = impersonate_principal->realm; self.auth = estrdup("Kerberos"); ret = _krb5_s4u2self_to_checksumdata(context, &self, &data); if (ret) { free(self.auth); goto out; } ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto); if (ret) { free(self.auth); krb5_data_free(&data); goto out; } ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0, data.data, data.length, &self.cksum); krb5_crypto_destroy(context, crypto); krb5_data_free(&data); if (ret) { free(self.auth); goto out; } ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret); free(self.auth); free_Checksum(&self.cksum); if (ret) goto out; if (len != size) krb5_abortx(context, "internal asn1 error"); ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len); if (ret) goto out; } ret = init_tgs_req (context, id, addresses, flags, second_ticket, in_creds, krbtgt, nonce, &padata, &subkey, &req); if (ret) goto out; ASN1_MALLOC_ENCODE(TGS_REQ, enc.data, enc.length, &req, &len, ret); if (ret) goto out; if(enc.length != len) krb5_abortx(context, "internal error in ASN.1 encoder"); /* don't free addresses */ req.req_body.addresses = NULL; free_TGS_REQ(&req); /* * Send and receive */ { krb5_sendto_ctx stctx; ret = krb5_sendto_ctx_alloc(context, &stctx); if (ret) return ret; krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL); ret = krb5_sendto_context (context, stctx, &enc, krbtgt->server->name.name_string.val[1], &resp); krb5_sendto_ctx_free(context, stctx); } if(ret) goto out; memset(&rep, 0, sizeof(rep)); if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0) { unsigned eflags = 0; ret = krb5_copy_principal(context, in_creds->client, &out_creds->client); if(ret) goto out2; ret = krb5_copy_principal(context, in_creds->server, &out_creds->server); if(ret) goto out2; /* this should go someplace else */ out_creds->times.endtime = in_creds->times.endtime; /* XXX should do better testing */ if (flags.b.constrained_delegation || impersonate_principal) eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH; ret = _krb5_extract_ticket(context, &rep, out_creds, &krbtgt->session, NULL, 0, &krbtgt->addresses, nonce, eflags, decrypt_tkt_with_subkey, subkey); out2: krb5_free_kdc_rep(context, &rep); } else if(krb5_rd_error(context, &resp, &error) == 0) { ret = krb5_error_from_rd_error(context, &error, in_creds); krb5_free_error_contents(context, &error); } else if(resp.length > 0 && ((char*)resp.data)[0] == 4) { ret = KRB5KRB_AP_ERR_V4_REPLY; krb5_clear_error_message(context); } else { ret = KRB5KRB_AP_ERR_MSG_TYPE; krb5_clear_error_message(context); } out: if (second_ticket == &second_ticket_data) free_Ticket(&second_ticket_data); free_METHOD_DATA(&padata); krb5_data_free(&resp); krb5_data_free(&enc); if(subkey) krb5_free_keyblock(context, subkey); return ret; }
OM_uint32 gss_import_sec_context ( OM_uint32 * minor_status, const gss_buffer_t interprocess_token, gss_ctx_id_t * context_handle ) { OM_uint32 ret = GSS_S_FAILURE; krb5_error_code kret; krb5_storage *sp; krb5_auth_context ac; krb5_address local, remote; krb5_address *localp, *remotep; krb5_data data; gss_buffer_desc buffer; krb5_keyblock keyblock; int32_t tmp; int32_t flags; OM_uint32 minor; int is_cfx = 0; GSSAPI_KRB5_INIT (); localp = remotep = NULL; sp = krb5_storage_from_mem (interprocess_token->value, interprocess_token->length); if (sp == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; } *context_handle = malloc(sizeof(**context_handle)); if (*context_handle == NULL) { *minor_status = ENOMEM; krb5_storage_free (sp); return GSS_S_FAILURE; } memset (*context_handle, 0, sizeof(**context_handle)); HEIMDAL_MUTEX_init(&(*context_handle)->ctx_id_mutex); kret = krb5_auth_con_init (gssapi_krb5_context, &(*context_handle)->auth_context); if (kret) { gssapi_krb5_set_error_string (); *minor_status = kret; ret = GSS_S_FAILURE; goto failure; } /* flags */ *minor_status = 0; if (krb5_ret_int32 (sp, &flags) != 0) goto failure; /* retrieve the auth context */ ac = (*context_handle)->auth_context; krb5_ret_int32 (sp, &ac->flags); if (flags & SC_LOCAL_ADDRESS) { if (krb5_ret_address (sp, localp = &local) != 0) goto failure; } if (flags & SC_REMOTE_ADDRESS) { if (krb5_ret_address (sp, remotep = &remote) != 0) goto failure; } krb5_auth_con_setaddrs (gssapi_krb5_context, ac, localp, remotep); if (localp) krb5_free_address (gssapi_krb5_context, localp); if (remotep) krb5_free_address (gssapi_krb5_context, remotep); localp = remotep = NULL; if (krb5_ret_int16 (sp, &ac->local_port) != 0) goto failure; if (krb5_ret_int16 (sp, &ac->remote_port) != 0) goto failure; if (flags & SC_KEYBLOCK) { if (krb5_ret_keyblock (sp, &keyblock) != 0) goto failure; krb5_auth_con_setkey (gssapi_krb5_context, ac, &keyblock); krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); } if (flags & SC_LOCAL_SUBKEY) { if (krb5_ret_keyblock (sp, &keyblock) != 0) goto failure; krb5_auth_con_setlocalsubkey (gssapi_krb5_context, ac, &keyblock); krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); } if (flags & SC_REMOTE_SUBKEY) { if (krb5_ret_keyblock (sp, &keyblock) != 0) goto failure; krb5_auth_con_setremotesubkey (gssapi_krb5_context, ac, &keyblock); krb5_free_keyblock_contents (gssapi_krb5_context, &keyblock); } if (krb5_ret_int32 (sp, &ac->local_seqnumber)) goto failure; if (krb5_ret_int32 (sp, &ac->remote_seqnumber)) goto failure; if (krb5_ret_int32 (sp, &tmp) != 0) goto failure; ac->keytype = tmp; if (krb5_ret_int32 (sp, &tmp) != 0) goto failure; ac->cksumtype = tmp; /* names */ if (krb5_ret_data (sp, &data)) goto failure; buffer.value = data.data; buffer.length = data.length; ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, &(*context_handle)->source); if (ret) { ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, &(*context_handle)->source); if (ret) { krb5_data_free (&data); goto failure; } } krb5_data_free (&data); if (krb5_ret_data (sp, &data) != 0) goto failure; buffer.value = data.data; buffer.length = data.length; ret = gss_import_name (minor_status, &buffer, GSS_C_NT_EXPORT_NAME, &(*context_handle)->target); if (ret) { ret = gss_import_name (minor_status, &buffer, GSS_C_NO_OID, &(*context_handle)->target); if (ret) { krb5_data_free (&data); goto failure; } } krb5_data_free (&data); if (krb5_ret_int32 (sp, &tmp)) goto failure; (*context_handle)->flags = tmp; if (krb5_ret_int32 (sp, &tmp)) goto failure; (*context_handle)->more_flags = tmp; if (krb5_ret_int32 (sp, &tmp) == 0) (*context_handle)->lifetime = tmp; else (*context_handle)->lifetime = GSS_C_INDEFINITE; gsskrb5_is_cfx(*context_handle, &is_cfx); ret = _gssapi_msg_order_create(minor_status, &(*context_handle)->order, _gssapi_msg_order_f((*context_handle)->flags), 0, 0, is_cfx); if (ret) goto failure; krb5_storage_free (sp); return GSS_S_COMPLETE; failure: krb5_auth_con_free (gssapi_krb5_context, (*context_handle)->auth_context); if ((*context_handle)->source != NULL) gss_release_name(&minor, &(*context_handle)->source); if ((*context_handle)->target != NULL) gss_release_name(&minor, &(*context_handle)->target); if (localp) krb5_free_address (gssapi_krb5_context, localp); if (remotep) krb5_free_address (gssapi_krb5_context, remotep); if((*context_handle)->order) _gssapi_msg_order_destroy(&(*context_handle)->order); HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); krb5_storage_free (sp); free (*context_handle); *context_handle = GSS_C_NO_CONTEXT; return ret; }