[winpr,sspi] properly log all kerberos calls
To ease debugging, log each failure of a Kerberos-related function along with its location and function name.
This commit is contained in:
parent
4c17dfb71d
commit
5298580bbd
|
@ -119,11 +119,34 @@ static const WinPrAsn1_OID kerberos_OID = { 9, (void*)"\x2a\x86\x48\x86\xf7\x12\
|
||||||
static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
|
static const WinPrAsn1_OID kerberos_u2u_OID = { 10,
|
||||||
(void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
|
(void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03" };
|
||||||
|
|
||||||
static void kerberos_log_msg(krb5_context ctx, krb5_error_code code)
|
#define krb_log_exec(fkt, ctx, ...) \
|
||||||
|
kerberos_log_msg(ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
|
||||||
|
#define krb_log_exec_ptr(fkt, ctx, ...) \
|
||||||
|
kerberos_log_msg(*ctx, fkt(ctx, ##__VA_ARGS__), #fkt, __FILE__, __func__, __LINE__)
|
||||||
|
static krb5_error_code kerberos_log_msg(krb5_context ctx, krb5_error_code code, const char* what,
|
||||||
|
const char* file, const char* fkt, size_t line)
|
||||||
{
|
{
|
||||||
const char* msg = krb5_get_error_message(ctx, code);
|
switch (code)
|
||||||
WLog_ERR(TAG, msg);
|
{
|
||||||
krb5_free_error_message(ctx, msg);
|
case 0:
|
||||||
|
case KRB5_KT_END:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
{
|
||||||
|
const DWORD level = WLOG_ERROR;
|
||||||
|
|
||||||
|
wLog* log = WLog_Get(TAG);
|
||||||
|
if (WLog_IsLevelActive(log, level))
|
||||||
|
{
|
||||||
|
const char* msg = krb5_get_error_message(ctx, code);
|
||||||
|
WLog_PrintMessage(log, WLOG_MESSAGE_TEXT, level, line, file, fkt, "%s (%s [%d])",
|
||||||
|
what, msg, code);
|
||||||
|
krb5_free_error_message(ctx, msg);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return code;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
|
static void kerberos_ContextFree(KRB_CONTEXT* ctx, BOOL allocated)
|
||||||
|
@ -184,7 +207,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||||
#ifdef WITH_KRB5
|
#ifdef WITH_KRB5
|
||||||
SEC_WINPR_KERBEROS_SETTINGS* krb_settings = NULL;
|
SEC_WINPR_KERBEROS_SETTINGS* krb_settings = NULL;
|
||||||
KRB_CREDENTIALS* credentials = NULL;
|
KRB_CREDENTIALS* credentials = NULL;
|
||||||
krb5_error_code rv = 0;
|
|
||||||
krb5_context ctx = NULL;
|
krb5_context ctx = NULL;
|
||||||
krb5_ccache ccache = NULL;
|
krb5_ccache ccache = NULL;
|
||||||
krb5_keytab keytab = NULL;
|
krb5_keytab keytab = NULL;
|
||||||
|
@ -213,7 +235,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||||
pszPrincipal = username;
|
pszPrincipal = username;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((rv = krb5_init_context(&ctx)))
|
if (krb_log_exec_ptr(krb5_init_context, &ctx))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (domain)
|
if (domain)
|
||||||
|
@ -224,7 +246,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||||
|
|
||||||
CharUpperA(udomain);
|
CharUpperA(udomain);
|
||||||
/* Will use domain if realm is not specified in username */
|
/* Will use domain if realm is not specified in username */
|
||||||
rv = krb5_set_default_realm(ctx, udomain);
|
krb5_error_code rv = krb_log_exec(krb5_set_default_realm, ctx, udomain);
|
||||||
free(udomain);
|
free(udomain);
|
||||||
|
|
||||||
if (rv)
|
if (rv)
|
||||||
|
@ -242,7 +264,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||||
if (p)
|
if (p)
|
||||||
CharUpperA(p);
|
CharUpperA(p);
|
||||||
|
|
||||||
rv = krb5_parse_name(ctx, cpszPrincipal, &principal);
|
krb5_error_code rv = krb_log_exec(krb5_parse_name, ctx, cpszPrincipal, &principal);
|
||||||
free(cpszPrincipal);
|
free(cpszPrincipal);
|
||||||
|
|
||||||
if (rv)
|
if (rv)
|
||||||
|
@ -251,7 +273,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||||
|
|
||||||
if (krb_settings && krb_settings->cache)
|
if (krb_settings && krb_settings->cache)
|
||||||
{
|
{
|
||||||
if ((rv = krb5_cc_set_default_name(ctx, krb_settings->cache)))
|
if ((krb_log_exec(krb5_cc_set_default_name, ctx, krb_settings->cache)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
@ -264,16 +286,16 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||||
{
|
{
|
||||||
if (own_ccache)
|
if (own_ccache)
|
||||||
{
|
{
|
||||||
if ((rv = krb5_cc_new_unique(ctx, default_ccache_type, 0, &ccache)))
|
if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if ((rv = krb5_cc_resolve(ctx, krb_settings->cache, &ccache)))
|
if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((rv = krb5_cc_initialize(ctx, ccache, principal)))
|
if (krb_log_exec(krb5_cc_initialize, ctx, ccache, principal))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
@ -282,9 +304,9 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||||
else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
|
else if (fCredentialUse & SECPKG_CRED_OUTBOUND)
|
||||||
{
|
{
|
||||||
/* Use the default cache with it's default principal */
|
/* Use the default cache with it's default principal */
|
||||||
if ((rv = krb5_cc_default(ctx, &ccache)))
|
if (krb_log_exec(krb5_cc_default, ctx, &ccache))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
if ((rv = krb5_cc_get_principal(ctx, ccache, &principal)))
|
if (krb_log_exec(krb5_cc_get_principal, ctx, ccache, &principal))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
own_ccache = FALSE;
|
own_ccache = FALSE;
|
||||||
}
|
}
|
||||||
|
@ -292,33 +314,33 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||||
{
|
{
|
||||||
if (own_ccache)
|
if (own_ccache)
|
||||||
{
|
{
|
||||||
if ((rv = krb5_cc_new_unique(ctx, default_ccache_type, 0, &ccache)))
|
if (krb_log_exec(krb5_cc_new_unique, ctx, default_ccache_type, 0, &ccache))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if ((rv = krb5_cc_resolve(ctx, krb_settings->cache, &ccache)))
|
if (krb_log_exec(krb5_cc_resolve, ctx, krb_settings->cache, &ccache))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (krb_settings && krb_settings->keytab)
|
if (krb_settings && krb_settings->keytab)
|
||||||
{
|
{
|
||||||
if ((rv = krb5_kt_resolve(ctx, krb_settings->keytab, &keytab)))
|
if (krb_log_exec(krb5_kt_resolve, ctx, krb_settings->keytab, &keytab))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if (fCredentialUse & SECPKG_CRED_INBOUND)
|
if (fCredentialUse & SECPKG_CRED_INBOUND)
|
||||||
if ((rv = krb5_kt_default(ctx, &keytab)))
|
if (krb_log_exec(krb5_kt_default, ctx, &keytab))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Get initial credentials if required */
|
/* Get initial credentials if required */
|
||||||
if (fCredentialUse & SECPKG_CRED_OUTBOUND)
|
if (fCredentialUse & SECPKG_CRED_OUTBOUND)
|
||||||
{
|
{
|
||||||
if ((rv = krb5glue_get_init_creds(ctx, principal, ccache, krb5_prompter, password,
|
if (krb_log_exec(krb5glue_get_init_creds, ctx, principal, ccache, krb5_prompter, password,
|
||||||
krb_settings)))
|
krb_settings))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -331,9 +353,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
|
|
||||||
if (rv)
|
|
||||||
kerberos_log_msg(ctx, rv);
|
|
||||||
|
|
||||||
free(domain);
|
free(domain);
|
||||||
free(username);
|
free(username);
|
||||||
free(password);
|
free(password);
|
||||||
|
@ -715,7 +734,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||||
KRB_CREDENTIALS* credentials;
|
KRB_CREDENTIALS* credentials;
|
||||||
KRB_CONTEXT* context;
|
KRB_CONTEXT* context;
|
||||||
KRB_CONTEXT new_context = { 0 };
|
KRB_CONTEXT new_context = { 0 };
|
||||||
krb5_error_code rv = KRB5KDC_ERR_NONE;
|
|
||||||
PSecBuffer input_buffer = NULL;
|
PSecBuffer input_buffer = NULL;
|
||||||
PSecBuffer output_buffer = NULL;
|
PSecBuffer output_buffer = NULL;
|
||||||
PSecBuffer bindings_buffer = NULL;
|
PSecBuffer bindings_buffer = NULL;
|
||||||
|
@ -764,7 +782,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||||
{
|
{
|
||||||
context = &new_context;
|
context = &new_context;
|
||||||
|
|
||||||
if ((rv = krb5_init_context(&context->ctx)))
|
if (krb_log_exec_ptr(krb5_init_context, &context->ctx))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
|
|
||||||
if (fContextReq & ISC_REQ_USE_SESSION_KEY)
|
if (fContextReq & ISC_REQ_USE_SESSION_KEY)
|
||||||
|
@ -836,26 +854,27 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||||
case KERBEROS_STATE_AP_REQ:
|
case KERBEROS_STATE_AP_REQ:
|
||||||
|
|
||||||
/* Set auth_context options */
|
/* Set auth_context options */
|
||||||
if ((rv = krb5_auth_con_init(context->ctx, &context->auth_ctx)))
|
if (krb_log_exec(krb5_auth_con_init, context->ctx, &context->auth_ctx))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
if ((rv = krb5_auth_con_setflags(context->ctx, context->auth_ctx,
|
if (krb_log_exec(krb5_auth_con_setflags, context->ctx, context->auth_ctx,
|
||||||
KRB5_AUTH_CONTEXT_DO_SEQUENCE |
|
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
|
||||||
KRB5_AUTH_CONTEXT_USE_SUBKEY)))
|
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
if ((rv = krb5glue_auth_con_set_cksumtype(context->ctx, context->auth_ctx,
|
if (krb_log_exec(krb5glue_auth_con_set_cksumtype, context->ctx, context->auth_ctx,
|
||||||
GSS_CHECKSUM_TYPE)))
|
GSS_CHECKSUM_TYPE))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
/* Get a service ticket */
|
/* Get a service ticket */
|
||||||
if ((rv = krb5_sname_to_principal(context->ctx, host, sname, KRB5_NT_SRV_HST,
|
if (krb_log_exec(krb5_sname_to_principal, context->ctx, host, sname, KRB5_NT_SRV_HST,
|
||||||
&in_creds.server)))
|
&in_creds.server))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if ((rv = krb5_cc_get_principal(context->ctx, credentials->ccache, &in_creds.client)))
|
if (krb_log_exec(krb5_cc_get_principal, context->ctx, credentials->ccache,
|
||||||
|
&in_creds.client))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if ((rv = krb5_get_credentials(context->ctx, context->u2u ? KRB5_GC_USER_USER : 0,
|
if (krb_log_exec(krb5_get_credentials, context->ctx,
|
||||||
credentials->ccache, &in_creds, &creds)))
|
context->u2u ? KRB5_GC_USER_USER : 0, credentials->ccache, &in_creds,
|
||||||
|
&creds))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
/* Write the checksum (delegation not implemented) */
|
/* Write the checksum (delegation not implemented) */
|
||||||
|
@ -896,8 +915,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Make the AP_REQ message */
|
/* Make the AP_REQ message */
|
||||||
if ((rv = krb5_mk_req_extended(context->ctx, &context->auth_ctx, ap_flags, &cksum,
|
if (krb_log_exec(krb5_mk_req_extended, context->ctx, &context->auth_ctx, ap_flags,
|
||||||
creds, &output_token)))
|
&cksum, creds, &output_token))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (!sspi_gss_wrap_token(output_buffer,
|
if (!sspi_gss_wrap_token(output_buffer,
|
||||||
|
@ -907,12 +926,15 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||||
|
|
||||||
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
|
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
|
||||||
{
|
{
|
||||||
krb5_auth_con_getlocalseqnumber(context->ctx, context->auth_ctx,
|
if (krb_log_exec(krb5_auth_con_getlocalseqnumber, context->ctx, context->auth_ctx,
|
||||||
(INT32*)&context->local_seq);
|
(INT32*)&context->local_seq))
|
||||||
|
goto cleanup;
|
||||||
context->remote_seq ^= context->local_seq;
|
context->remote_seq ^= context->local_seq;
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5glue_update_keyset(context->ctx, context->auth_ctx, FALSE, &context->keyset);
|
if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, FALSE,
|
||||||
|
&context->keyset))
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
context->state = KERBEROS_STATE_AP_REP;
|
context->state = KERBEROS_STATE_AP_REP;
|
||||||
|
|
||||||
|
@ -927,23 +949,29 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
|
||||||
|
|
||||||
if (tok_id == TOK_ID_AP_REP)
|
if (tok_id == TOK_ID_AP_REP)
|
||||||
{
|
{
|
||||||
if ((rv = krb5_rd_rep(context->ctx, context->auth_ctx, &input_token, &reply)))
|
if (krb_log_exec(krb5_rd_rep, context->ctx, context->auth_ctx, &input_token,
|
||||||
|
&reply))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
krb5_free_ap_rep_enc_part(context->ctx, reply);
|
krb5_free_ap_rep_enc_part(context->ctx, reply);
|
||||||
}
|
}
|
||||||
else if (tok_id == TOK_ID_ERROR)
|
else if (tok_id == TOK_ID_ERROR)
|
||||||
{
|
{
|
||||||
rv = krb5glue_log_error(context->ctx, &input_token, TAG);
|
krb5glue_log_error(context->ctx, &input_token, TAG);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
goto bad_token;
|
goto bad_token;
|
||||||
|
|
||||||
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
|
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
|
||||||
krb5_auth_con_getremoteseqnumber(context->ctx, context->auth_ctx,
|
{
|
||||||
(INT32*)&context->remote_seq);
|
if (krb_log_exec(krb5_auth_con_getremoteseqnumber, context->ctx, context->auth_ctx,
|
||||||
|
(INT32*)&context->remote_seq))
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
krb5glue_update_keyset(context->ctx, context->auth_ctx, FALSE, &context->keyset);
|
if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, FALSE,
|
||||||
|
&context->keyset))
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
context->state = KERBEROS_STATE_FINAL;
|
context->state = KERBEROS_STATE_FINAL;
|
||||||
|
|
||||||
|
@ -984,8 +1012,6 @@ cleanup:
|
||||||
in_creds.second_ticket = edata;
|
in_creds.second_ticket = edata;
|
||||||
krb5_free_cred_contents(context->ctx, &in_creds);
|
krb5_free_cred_contents(context->ctx, &in_creds);
|
||||||
}
|
}
|
||||||
if (rv)
|
|
||||||
kerberos_log_msg(context->ctx, rv);
|
|
||||||
|
|
||||||
krb5_free_creds(context->ctx, creds);
|
krb5_free_creds(context->ctx, creds);
|
||||||
if (output_token.data)
|
if (output_token.data)
|
||||||
|
@ -1047,7 +1073,6 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||||
krb5_data input_token = { 0 };
|
krb5_data input_token = { 0 };
|
||||||
krb5_data output_token = { 0 };
|
krb5_data output_token = { 0 };
|
||||||
SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
|
SECURITY_STATUS status = SEC_E_INTERNAL_ERROR;
|
||||||
krb5_error_code rv = 0;
|
|
||||||
krb5_flags ap_flags = 0;
|
krb5_flags ap_flags = 0;
|
||||||
krb5glue_authenticator authenticator;
|
krb5glue_authenticator authenticator;
|
||||||
char* target = NULL;
|
char* target = NULL;
|
||||||
|
@ -1080,7 +1105,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||||
{
|
{
|
||||||
context = &new_context;
|
context = &new_context;
|
||||||
|
|
||||||
if ((rv = krb5_init_context(&context->ctx)))
|
if (krb_log_exec_ptr(krb5_init_context, &context->ctx))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
|
|
||||||
if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
|
if (sspi_gss_oid_compare(&oid, &kerberos_u2u_OID))
|
||||||
|
@ -1114,59 +1139,73 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||||
realm++;
|
realm++;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((rv = krb5_parse_name_flags(context->ctx, sname ? sname : "",
|
if (krb_log_exec(krb5_parse_name_flags, context->ctx, sname ? sname : "",
|
||||||
KRB5_PRINCIPAL_PARSE_NO_REALM, &principal)))
|
KRB5_PRINCIPAL_PARSE_NO_REALM, &principal))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (realm)
|
if (realm)
|
||||||
if ((rv = krb5glue_set_principal_realm(context->ctx, principal, realm)))
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
if ((rv = krb5_kt_start_seq_get(context->ctx, credentials->keytab, &cur)))
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
while ((rv = krb5_kt_next_entry(context->ctx, credentials->keytab, &entry, &cur)) == 0)
|
|
||||||
{
|
{
|
||||||
if ((!sname ||
|
if (krb_log_exec(krb5glue_set_principal_realm, context->ctx, principal, realm))
|
||||||
krb5_principal_compare_any_realm(context->ctx, principal, entry.principal)) &&
|
goto cleanup;
|
||||||
(!realm || krb5_realm_compare(context->ctx, principal, entry.principal)))
|
|
||||||
break;
|
|
||||||
krb5glue_free_keytab_entry_contents(context->ctx, &entry);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5_kt_end_seq_get(context->ctx, credentials->keytab, &cur);
|
if (krb_log_exec(krb5_kt_start_seq_get, context->ctx, credentials->keytab, &cur))
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
do
|
||||||
|
{
|
||||||
|
krb5_error_code rv =
|
||||||
|
krb_log_exec(krb5_kt_next_entry, context->ctx, credentials->keytab, &entry, &cur);
|
||||||
|
if (rv == KRB5_KT_END)
|
||||||
|
break;
|
||||||
|
if (rv != 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
if ((!sname || krb_log_exec(krb5_principal_compare_any_realm, context->ctx, principal,
|
||||||
|
entry.principal)) &&
|
||||||
|
(!realm ||
|
||||||
|
krb_log_exec(krb5_realm_compare, context->ctx, principal, entry.principal)))
|
||||||
|
break;
|
||||||
|
if (krb_log_exec(krb5glue_free_keytab_entry_contents, context->ctx, &entry))
|
||||||
|
goto cleanup;
|
||||||
|
} while (1);
|
||||||
|
|
||||||
|
if (krb_log_exec(krb5_kt_end_seq_get, context->ctx, credentials->keytab, &cur))
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
if (!entry.principal)
|
if (!entry.principal)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
/* Get the TGT */
|
/* Get the TGT */
|
||||||
if ((rv = krb5_get_init_creds_keytab(context->ctx, &creds, entry.principal,
|
if (krb_log_exec(krb5_get_init_creds_keytab, context->ctx, &creds, entry.principal,
|
||||||
credentials->keytab, 0, NULL, NULL)))
|
credentials->keytab, 0, NULL, NULL))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
|
if (!kerberos_mk_tgt_token(output_buffer, KRB_TGT_REP, NULL, NULL, &creds.ticket))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if ((rv = krb5_auth_con_init(context->ctx, &context->auth_ctx)))
|
if (krb_log_exec(krb5_auth_con_init, context->ctx, &context->auth_ctx))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if ((rv = krb5glue_auth_con_setuseruserkey(context->ctx, context->auth_ctx,
|
if (krb_log_exec(krb5glue_auth_con_setuseruserkey, context->ctx, context->auth_ctx,
|
||||||
&krb5glue_creds_getkey(creds))))
|
&krb5glue_creds_getkey(creds)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
context->state = KERBEROS_STATE_AP_REQ;
|
context->state = KERBEROS_STATE_AP_REQ;
|
||||||
}
|
}
|
||||||
else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
|
else if (context->state == KERBEROS_STATE_AP_REQ && tok_id == TOK_ID_AP_REQ)
|
||||||
{
|
{
|
||||||
if ((rv = krb5_rd_req(context->ctx, &context->auth_ctx, &input_token, NULL,
|
if (krb_log_exec(krb5_rd_req, context->ctx, &context->auth_ctx, &input_token, NULL,
|
||||||
credentials->keytab, &ap_flags, NULL)))
|
credentials->keytab, &ap_flags, NULL))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
krb5_auth_con_setflags(context->ctx, context->auth_ctx,
|
if (krb_log_exec(krb5_auth_con_setflags, context->ctx, context->auth_ctx,
|
||||||
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY);
|
KRB5_AUTH_CONTEXT_DO_SEQUENCE | KRB5_AUTH_CONTEXT_USE_SUBKEY))
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
/* Retrieve and validate the checksum */
|
/* Retrieve and validate the checksum */
|
||||||
if ((rv = krb5_auth_con_getauthenticator(context->ctx, context->auth_ctx, &authenticator)))
|
if (krb_log_exec(krb5_auth_con_getauthenticator, context->ctx, context->auth_ctx,
|
||||||
|
&authenticator))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
|
if (!krb5glue_authenticator_validate_chksum(authenticator, GSS_CHECKSUM_TYPE,
|
||||||
&context->flags))
|
&context->flags))
|
||||||
|
@ -1176,7 +1215,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||||
{
|
{
|
||||||
if (!output_buffer)
|
if (!output_buffer)
|
||||||
goto bad_token;
|
goto bad_token;
|
||||||
if ((rv = krb5_mk_rep(context->ctx, context->auth_ctx, &output_token)))
|
if (krb_log_exec(krb5_mk_rep, context->ctx, context->auth_ctx, &output_token))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
if (!sspi_gss_wrap_token(output_buffer,
|
if (!sspi_gss_wrap_token(output_buffer,
|
||||||
context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
|
context->u2u ? &kerberos_u2u_OID : &kerberos_OID,
|
||||||
|
@ -1194,13 +1233,17 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||||
|
|
||||||
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
|
if (context->flags & SSPI_GSS_C_SEQUENCE_FLAG)
|
||||||
{
|
{
|
||||||
krb5_auth_con_getlocalseqnumber(context->ctx, context->auth_ctx,
|
if (krb_log_exec(krb5_auth_con_getlocalseqnumber, context->ctx, context->auth_ctx,
|
||||||
(INT32*)&context->local_seq);
|
(INT32*)&context->local_seq))
|
||||||
krb5_auth_con_getremoteseqnumber(context->ctx, context->auth_ctx,
|
goto cleanup;
|
||||||
(INT32*)&context->remote_seq);
|
if (krb_log_exec(krb5_auth_con_getremoteseqnumber, context->ctx, context->auth_ctx,
|
||||||
|
(INT32*)&context->remote_seq))
|
||||||
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
krb5glue_update_keyset(context->ctx, context->auth_ctx, TRUE, &context->keyset);
|
if (krb_log_exec(krb5glue_update_keyset, context->ctx, context->auth_ctx, TRUE,
|
||||||
|
&context->keyset))
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
context->state = KERBEROS_STATE_FINAL;
|
context->state = KERBEROS_STATE_FINAL;
|
||||||
}
|
}
|
||||||
|
@ -1233,9 +1276,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_AcceptSecurityContext(
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
|
|
||||||
if (rv)
|
free(target);
|
||||||
kerberos_log_msg(context->ctx, rv);
|
|
||||||
|
|
||||||
if (output_token.data)
|
if (output_token.data)
|
||||||
krb5glue_free_data_contents(context->ctx, &output_token);
|
krb5glue_free_data_contents(context->ctx, &output_token);
|
||||||
if (entry.principal)
|
if (entry.principal)
|
||||||
|
@ -1312,16 +1353,28 @@ static SECURITY_STATUS SEC_ENTRY kerberos_QueryContextAttributesA(PCtxtHandle ph
|
||||||
|
|
||||||
if (context->flags & SSPI_GSS_C_CONF_FLAG)
|
if (context->flags & SSPI_GSS_C_CONF_FLAG)
|
||||||
{
|
{
|
||||||
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_HEADER, &header);
|
krb5_error_code rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key,
|
||||||
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_PADDING, &pad);
|
KRB5_CRYPTO_TYPE_HEADER, &header);
|
||||||
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_TRAILER, &trailer);
|
if (rv)
|
||||||
|
return rv;
|
||||||
|
rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_PADDING,
|
||||||
|
&pad);
|
||||||
|
if (rv)
|
||||||
|
return rv;
|
||||||
|
rv = krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_TRAILER,
|
||||||
|
&trailer);
|
||||||
|
if (rv)
|
||||||
|
return rv;
|
||||||
/* GSS header (= 16 bytes) + encrypted header = 32 bytes */
|
/* GSS header (= 16 bytes) + encrypted header = 32 bytes */
|
||||||
ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
|
ContextSizes->cbSecurityTrailer = header + pad + trailer + 32;
|
||||||
}
|
}
|
||||||
if (context->flags & SSPI_GSS_C_INTEG_FLAG)
|
if (context->flags & SSPI_GSS_C_INTEG_FLAG)
|
||||||
{
|
{
|
||||||
krb5glue_crypto_length(context->ctx, key, KRB5_CRYPTO_TYPE_CHECKSUM,
|
krb5_error_code rv =
|
||||||
&ContextSizes->cbMaxSignature);
|
krb_log_exec(krb5glue_crypto_length, context->ctx, key, KRB5_CRYPTO_TYPE_CHECKSUM,
|
||||||
|
&ContextSizes->cbMaxSignature);
|
||||||
|
if (rv)
|
||||||
|
return rv;
|
||||||
ContextSizes->cbMaxSignature += 16;
|
ContextSizes->cbMaxSignature += 16;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1473,7 +1526,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext,
|
||||||
encrypt_iov[2].data.length = 16;
|
encrypt_iov[2].data.length = 16;
|
||||||
|
|
||||||
/* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */
|
/* Get the lengths of the header, trailer, and padding and ensure sig_buffer is large enough */
|
||||||
if (krb5glue_crypto_length_iov(context->ctx, key, encrypt_iov, ARRAYSIZE(encrypt_iov)))
|
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, encrypt_iov,
|
||||||
|
ARRAYSIZE(encrypt_iov)))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
if (sig_buffer->cbBuffer <
|
if (sig_buffer->cbBuffer <
|
||||||
encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
|
encrypt_iov[0].data.length + encrypt_iov[3].data.length + encrypt_iov[4].data.length + 32)
|
||||||
|
@ -1500,7 +1554,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_EncryptMessage(PCtxtHandle phContext,
|
||||||
/* Set the correct RRC */
|
/* Set the correct RRC */
|
||||||
Data_Write_UINT16_BE(header + 6, 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length);
|
Data_Write_UINT16_BE(header + 6, 16 + encrypt_iov[3].data.length + encrypt_iov[4].data.length);
|
||||||
|
|
||||||
if (krb5glue_encrypt_iov(context->ctx, key, usage, encrypt_iov, ARRAYSIZE(encrypt_iov)))
|
if (krb_log_exec(krb5glue_encrypt_iov, context->ctx, key, usage, encrypt_iov,
|
||||||
|
ARRAYSIZE(encrypt_iov)))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
|
|
||||||
return SEC_E_OK;
|
return SEC_E_OK;
|
||||||
|
@ -1576,7 +1631,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
|
||||||
/* Fill in the lengths of the iov array */
|
/* Fill in the lengths of the iov array */
|
||||||
iov[1].data.length = data_buffer->cbBuffer;
|
iov[1].data.length = data_buffer->cbBuffer;
|
||||||
iov[2].data.length = 16;
|
iov[2].data.length = 16;
|
||||||
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov)))
|
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
|
|
||||||
/* We don't expect a trailer buffer; everything must be in sig_buffer */
|
/* We don't expect a trailer buffer; everything must be in sig_buffer */
|
||||||
|
@ -1592,7 +1647,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_DecryptMessage(PCtxtHandle phContext,
|
||||||
iov[3].data.data = iov[2].data.data + iov[2].data.length;
|
iov[3].data.data = iov[2].data.data + iov[2].data.length;
|
||||||
iov[4].data.data = iov[3].data.data + iov[3].data.length;
|
iov[4].data.data = iov[3].data.data + iov[3].data.length;
|
||||||
|
|
||||||
if (krb5glue_decrypt_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov)))
|
if (krb_log_exec(krb5glue_decrypt_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov)))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
|
|
||||||
/* Validate the encrypted header */
|
/* Validate the encrypted header */
|
||||||
|
@ -1647,7 +1702,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, U
|
||||||
/* Fill in the lengths of the iov array */
|
/* Fill in the lengths of the iov array */
|
||||||
iov[0].data.length = data_buffer->cbBuffer;
|
iov[0].data.length = data_buffer->cbBuffer;
|
||||||
iov[1].data.length = 16;
|
iov[1].data.length = 16;
|
||||||
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov)))
|
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
|
|
||||||
/* Ensure the buffer is big enough */
|
/* Ensure the buffer is big enough */
|
||||||
|
@ -1666,7 +1721,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_MakeSignature(PCtxtHandle phContext, U
|
||||||
iov[1].data.data = header;
|
iov[1].data.data = header;
|
||||||
iov[2].data.data = header + 16;
|
iov[2].data.data = header + 16;
|
||||||
|
|
||||||
if (krb5glue_make_checksum_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov)))
|
if (krb_log_exec(krb5glue_make_checksum_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov)))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
|
|
||||||
sig_buffer->cbBuffer = iov[2].data.length + 16;
|
sig_buffer->cbBuffer = iov[2].data.length + 16;
|
||||||
|
@ -1736,7 +1791,7 @@ static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
|
||||||
/* Fill in the iov array lengths */
|
/* Fill in the iov array lengths */
|
||||||
iov[0].data.length = data_buffer->cbBuffer;
|
iov[0].data.length = data_buffer->cbBuffer;
|
||||||
iov[1].data.length = 16;
|
iov[1].data.length = 16;
|
||||||
if (krb5glue_crypto_length_iov(context->ctx, key, iov, ARRAYSIZE(iov)))
|
if (krb_log_exec(krb5glue_crypto_length_iov, context->ctx, key, iov, ARRAYSIZE(iov)))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
|
|
||||||
if (sig_buffer->cbBuffer != iov[2].data.length + 16)
|
if (sig_buffer->cbBuffer != iov[2].data.length + 16)
|
||||||
|
@ -1747,7 +1802,8 @@ static SECURITY_STATUS SEC_ENTRY kerberos_VerifySignature(PCtxtHandle phContext,
|
||||||
iov[1].data.data = header;
|
iov[1].data.data = header;
|
||||||
iov[2].data.data = header + 16;
|
iov[2].data.data = header + 16;
|
||||||
|
|
||||||
if (krb5glue_verify_checksum_iov(context->ctx, key, usage, iov, ARRAYSIZE(iov), &is_valid))
|
if (krb_log_exec(krb5glue_verify_checksum_iov, context->ctx, key, usage, iov, ARRAYSIZE(iov),
|
||||||
|
&is_valid))
|
||||||
return SEC_E_INTERNAL_ERROR;
|
return SEC_E_INTERNAL_ERROR;
|
||||||
|
|
||||||
if (!is_valid)
|
if (!is_valid)
|
||||||
|
|
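Review bot: `krb5_principal_compare_any_realm` and `krb5_realm_compare` return `krb5_boolean`, not `krb5_error_code`, so routing them through `krb_log_exec` in the keytab loop of kerberos_AcceptSecurityContext sends a TRUE result into the `default:` branch of `kerberos_log_msg` and emits a spurious error line (from `krb5_get_error_message(ctx, 1)`) exactly when a matching entry is found; call them directly as the previous code did, `if ((!sname || krb5_principal_compare_any_realm(context->ctx, principal, entry.principal)) && (!realm || krb5_realm_compare(context->ctx, principal, entry.principal))) break;`. The same loop now jumps to `cleanup` when `krb5_kt_next_entry` or `krb5glue_free_keytab_entry_contents` fails, which skips the `krb5_kt_end_seq_get` call the old `while` loop always reached, so the keytab cursor is left open on that path. In kerberos_QueryContextAttributesA the new `if (rv) return rv;` lines hand a raw `krb5_error_code` back through a `SECURITY_STATUS` return; every other wrapper in this file maps krb5 failures to `return SEC_E_INTERNAL_ERROR;` and this one should too. `krb_log_exec_ptr` reads `*ctx` in the same argument list that calls `fkt(ctx, ...)`, and C leaves those two argument evaluations indeterminately sequenced, so the context handed to `kerberos_log_msg` may be the pre-init value; passing the pointer and dereferencing it inside a small helper after `fkt` has returned avoids depending on the compiler's choice. The enclosing functions start and end outside the visible hunks.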