Removed GSS_API error code hacks

This commit is contained in:
akallabeth 2021-04-16 15:47:53 +02:00 committed by akallabeth
parent 959923c633
commit bfbe6b62b5
1 changed files with 5 additions and 108 deletions

View File

@ -58,101 +58,6 @@
#define BUFFER_SIZE 16384 #define BUFFER_SIZE 16384
#ifdef WITH_GSSAPI
#include <krb5.h>
#include <winpr/library.h>
static UINT32 transport_krb5_check_account(rdpTransport* transport, char* username, char* domain,
char* passwd)
{
krb5_error_code ret;
krb5_context context = NULL;
krb5_principal principal = NULL;
char address[256];
krb5_ccache ccache;
krb5_init_creds_context ctx = NULL;
_snprintf(address, sizeof(address), "%s@%s", username, domain);
/* Create a krb5 library context */
if ((ret = krb5_init_context(&context)) != 0)
WLog_Print(transport->log, WLOG_ERROR, "krb5_init_context failed with error %d", (int)ret);
else if ((ret = krb5_parse_name_flags(context, address, 0, &principal)) != 0)
WLog_Print(transport->log, WLOG_ERROR, "krb5_parse_name_flags failed with error %d",
(int)ret);
/* Find a credential cache with a specified client principal */
else if ((ret = krb5_cc_cache_match(context, principal, &ccache)) != 0)
{
if ((ret = krb5_cc_default(context, &ccache)) != 0)
WLog_Print(transport->log, WLOG_ERROR,
"krb5 failed to resolve credentials cache with error %d", (int)ret);
}
if (ret != KRB5KDC_ERR_NONE)
goto out;
/* Create a context for acquiring initial credentials */
else if ((ret = krb5_init_creds_init(context, principal, NULL, NULL, 0, NULL, &ctx)) != 0)
{
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_init returned error %d", (int)ret);
goto out;
}
/* Set a password for acquiring initial credentials */
else if ((ret = krb5_init_creds_set_password(context, ctx, passwd)) != 0)
{
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_set_password returned error %d",
ret);
goto out;
}
/* Acquire credentials using an initial credential context */
ret = krb5_init_creds_get(context, ctx);
out:
switch (ret)
{
case KRB5KDC_ERR_NONE:
break;
case KRB5_KDC_UNREACH:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get: KDC unreachable");
ret = FREERDP_ERROR_CONNECT_KDC_UNREACHABLE;
break;
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5_GET_IN_TKT_LOOP:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get: Password incorrect");
ret = FREERDP_ERROR_AUTHENTICATION_FAILED;
break;
case KRB5KDC_ERR_KEY_EXP:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get: Password has expired");
ret = FREERDP_ERROR_CONNECT_PASSWORD_EXPIRED;
break;
case KRB5KDC_ERR_CLIENT_REVOKED:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get: Password revoked");
ret = FREERDP_ERROR_CONNECT_CLIENT_REVOKED;
break;
case KRB5KDC_ERR_POLICY:
ret = FREERDP_ERROR_INSUFFICIENT_PRIVILEGES;
break;
default:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get");
ret = FREERDP_ERROR_CONNECT_TRANSPORT_FAILED;
break;
}
if (ctx)
krb5_init_creds_free(context, ctx);
krb5_free_context(context);
return ret;
}
#endif /* WITH_GSSAPI */
static void transport_ssl_cb(SSL* ssl, int where, int ret) static void transport_ssl_cb(SSL* ssl, int where, int ret)
{ {
if (where & SSL_CB_ALERT) if (where & SSL_CB_ALERT)
@ -176,21 +81,13 @@ static void transport_ssl_cb(SSL* ssl, int where, int ret)
{ {
if (transport->NlaMode) if (transport->NlaMode)
{ {
UINT32 kret = 0; if (!freerdp_get_last_error(transport->context))
#ifdef WITH_GSSAPI
if ((strlen(transport->settings->Domain) != 0) &&
(strncmp(transport->settings->Domain, ".", 1) != 0))
{ {
kret = transport_krb5_check_account( UINT32 kret = nla_get_error(transport->nla);
transport, transport->settings->Username, transport->settings->Domain, if (kret == 0)
transport->settings->Password); kret = FREERDP_ERROR_CONNECT_PASSWORD_CERTAINLY_EXPIRED;
freerdp_set_last_error_log(transport->context, kret);
} }
else
#endif /* WITH_GSSAPI */
kret = FREERDP_ERROR_CONNECT_PASSWORD_CERTAINLY_EXPIRED;
freerdp_set_last_error_if_not(transport->context, kret);
} }
break; break;