/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
*/
#include <libintl.h>
#include "k5-int.h"
#include "krb5.h"
#include "kerberos_dtrace.h"
/*
* Lookup functions for various Kerberos types - errors, encryption types,
* message types etc. Lookup functions generally take an integer and return a
* string (pointer to static memory). They cannot fail returning only NULL if
* the value cannot be found. Types and their string representations were
* mainly taken from RFC4120 and the mech_krb5 source.
*/
static const char *
switch (type) {
case 10: return ("KRB_AS_REQ(10)");
case 11: return ("KRB_AS_REP(11)");
case 12: return ("KRB_TGS_REQ(12)");
case 13: return ("KRB_TGS_REP(13)");
case 14: return ("KRB_AP_REQ(14)");
case 15: return ("KRB_AP_REP(15)");
case 16: return ("KRB_RESERVED(16)");
case 17: return ("KRB_RESERVED(17)");
case 20: return ("KRB_SAFE(20)");
case 21: return ("KRB_PRIV(21)");
case 22: return ("KRB_CRED(22)");
case 30: return ("KRB_ERROR(30)");
default: return (NULL);
}
}
static const char *
switch (type) {
case 0: return ("KDC_ERR_NONE(0)");
case 1: return ("KDC_ERR_NAME_EXP(1)");
case 2: return ("KDC_ERR_SERVICE_EXP(2)");
case 3: return ("KDC_ERR_BAD_PVNO(3)");
case 4: return ("KDC_ERR_C_OLD_MAST_KVNO(4)");
case 5: return ("KDC_ERR_S_OLD_MAST_KVNO(5)");
case 6: return ("KDC_ERR_C_PRINCIPAL_UNKNOWN(6)");
case 7: return ("KDC_ERR_S_PRINCIPAL_UNKNOWN(7)");
case 8: return ("KDC_ERR_PRINCIPAL_NOT_UNIQUE(8)");
case 9: return ("KDC_ERR_NULL_KEY(9)");
case 10: return ("KDC_ERR_CANNOT_POSTDATE(10)");
case 11: return ("KDC_ERR_NEVER_VALID(11)");
case 12: return ("KDC_ERR_POLICY(12)");
case 13: return ("KDC_ERR_BADOPTION(13)");
case 14: return ("KDC_ERR_ENCTYPE_NOSUPP(14)");
case 15: return ("KDC_ERR_SUMTYPE_NOSUPP(15)");
case 16: return ("KDC_ERR_PADATA_TYPE_NOSUPP(16)");
case 17: return ("KDC_ERR_TRTYPE_NOSUPP(17)");
case 18: return ("KDC_ERR_CLIENT_REVOKED(18)");
case 19: return ("KDC_ERR_SERVICE_REVOKED(19)");
case 20: return ("KDC_ERR_TGT_REVOKED(20)");
case 21: return ("KDC_ERR_CLIENT_NOTYET(21)");
case 22: return ("KDC_ERR_SERVICE_NOTYET(22)");
case 23: return ("KDC_ERR_KEY_EXP(23)");
case 24: return ("KDC_ERR_PREAUTH_FAILED(24)");
case 25: return ("KDC_ERR_PREAUTH_REQUIRED(25)");
case 26: return ("KDC_ERR_SERVER_NOMATCH(26)");
case 27: return ("KDC_ERR_MUST_USE_USER2USER(27)");
case 28: return ("KDC_ERR_PATH_NOT_ACCEPTED(28)");
case 29: return ("KDC_ERR_SVC_UNAVAILABLE(29)");
case 31: return ("KRB_AP_ERR_BAD_INTEGRITY(31)");
case 32: return ("KRB_AP_ERR_TKT_EXPIRED(32)");
case 33: return ("KRB_AP_ERR_TKT_NYV(33)");
case 34: return ("KRB_AP_ERR_REPEAT(34)");
case 35: return ("KRB_AP_ERR_NOT_US(35)");
case 36: return ("KRB_AP_ERR_BADMATCH(36)");
case 37: return ("KRB_AP_ERR_SKEW(37)");
case 38: return ("KRB_AP_ERR_BADADDR(38)");
case 39: return ("KRB_AP_ERR_BADVERSION(39)");
case 40: return ("KRB_AP_ERR_MSG_TYPE(40)");
case 41: return ("KRB_AP_ERR_MODIFIED(41)");
case 42: return ("KRB_AP_ERR_BADORDER(42)");
case 44: return ("KRB_AP_ERR_BADKEYVER(44)");
case 45: return ("KRB_AP_ERR_NOKEY(45)");
case 46: return ("KRB_AP_ERR_MUT_FAIL(46)");
case 47: return ("KRB_AP_ERR_BADDIRECTION(47)");
case 48: return ("KRB_AP_ERR_METHOD(48)");
case 49: return ("KRB_AP_ERR_BADSEQ(49)");
case 50: return ("KRB_AP_ERR_INAPP_CKSUM(50)");
case 51: return ("KRB_AP_PATH_NOT_ACCEPTED(51)");
case 52: return ("KRB_ERR_RESPONSE_TOO_BIG(52)");
case 60: return ("KRB_ERR_GENERIC(60)");
case 61: return ("KRB_ERR_FIELD_TOOLONG(61)");
case 62: return ("KDC_ERR_CLIENT_NOT_TRUSTED(62)");
case 63: return ("KDC_ERR_KDC_NOT_TRUSTED(63)");
case 64: return ("KDC_ERR_INVALID_SIG(64)");
case 65: return ("KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED(65)");
case 66: return ("KDC_ERR_CERTIFICATE_MISMATCH(66)");
case 67: return ("KRB_AP_ERR_NO_TGT(67)");
case 68: return ("KDC_ERR_WRONG_REALM(68)");
case 69: return ("KRB_AP_ERR_USER_TO_USER_REQUIRED(69)");
case 70: return ("KDC_ERR_CANT_VERIFY_CERTIFICATE(70)");
case 71: return ("KDC_ERR_INVALID_CERTIFICATE(71)");
case 72: return ("KDC_ERR_REVOKED_CERTIFICATE(72)");
case 73: return ("KDC_ERR_REVOCATION_STATUS_UNKNOWN(73)");
case 74: return ("KDC_ERR_REVOCATION_STATUS_UNAVAILABLE(74)");
case 75: return ("KDC_ERR_CLIENT_NAME_MISMATCH(75)");
case 76: return ("KDC_ERR_KDC_NAME_MISMATCH(76)");
case 77: return ("KDC_ERR_INCONSISTENT_KEY_PURPOSE(77)");
case 78: return ("KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED(78)");
case 79: return ("KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED(79)");
case 80: return (
"KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED(80)");
case 81: return (
"KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED(81)");
default: return (NULL);
}
}
static const char *
switch (type) {
case 0: return ("NONE(0)");
case 1: return ("AP_REQ(1)");
case 2: return ("ENC_TIMESTAMP(2)");
case 3: return ("PW_SALT(3)");
case 4: return ("ENC_ENCKEY(4)");
case 5: return ("ENC_UNIX_TIME(5)");
case 6: return ("ENC_SANDIA_SECURID(6)");
case 7: return ("SESAME(7)");
case 8: return ("OSF_DCE(8)");
case 9: return ("CYBERSAFE_SECUREID(9)");
case 10: return ("AFS3_SALT(10)");
case 11: return ("ETYPE_INFO(11)");
case 12: return ("SAM_CHALLENGE(12)");
case 13: return ("SAM_RESPONSE(13)");
case 14: return ("PK_AS_REQ_OLD(14)");
case 15: return ("PK_AS_REP_OLD(15)");
case 16: return ("PK_AS_REQ(16)");
case 17: return ("PK_AS_REP(17)");
case 19: return ("PK_ETYPE_INFO2(19)");
case 25: return ("REFERRAL(25)");
case 30: return ("SAM_CHALLENGE_2(30)");
case 31: return ("SAM_RESPONSE_2(31)");
case 128: return ("PAC_REQUEST(128)");
case 129: return ("FOR_USER(129)");
case 130: return ("S4U_X509_USER(130)");
case 133: return ("FX_COOKIE(133)");
case 136: return ("FX_FAST(136)");
case 137: return ("FX_ERROR(137)");
case 138: return ("ENCRYPTED_CHALLENGE(138)");
case 147: return ("PKINIT_KX(147)");
case 149: return ("REQ_ENC_PA_REP(149)");
default: return (NULL);
}
}
static const char *
switch (type) {
case 0x18 : return ("arcfour-hmac-md5-exp(0x18)");
case 0x17 : return ("arcfour-hmac-md5(0x17)");
case 0x12 : return ("aes256-cts-hmac-sha1-96(0x12)");
case 0x11 : return ("aes128-cts-hmac-sha1-96(0x11)");
case 0x10 : return ("des3-cbc-sha1(0x10)");
case 0x8 : return ("des-hmac-sha1(0x8)");
case 0x6 : return ("des3-cbc-raw(0x6)");
case 0x5 : return ("des3-cbc-sha(0x5)");
case 0x4 : return ("des-cbc-raw(0x4)");
case 0x3 : return ("des-cbc-md5(0x3)");
case 0x2 : return ("des-cbc-md4(0x2)");
case 0x1 : return ("des-cbc-crc(0x1)");
case 0x0 : return ("null(0x0)");
default: return (NULL);
}
}
static const char *
switch (type) {
case -138 : return ("hmac-md5-arcfour(-138)");
case 0x8003 : return ("gssapi(0x8003)");
case 0x10 : return ("hmac-sha1-96-aes256(0x10)");
case 0xf : return ("hmac-sha1-96-aes128(0xf)");
case 0xc : return ("hmac-sha1-des3(0xc)");
case 0x9 : return ("sha(0x9)");
case 0x8 : return ("md5-des(0x8)");
case 0x7 : return ("md5(0x7)");
case 0x4 : return ("des-cbc(0x4)");
case 0x3 : return ("md4-des(0x3)");
case 0x2 : return ("md4(0x2)");
case 0x1 : return ("crc32(0x1)");
default: return (NULL);
}
}
static const char *
switch (type) {
case 0 : return ("NONE(0)");
case 1 : return ("AD-IF-RELEVANT(1)");
case 4 : return ("AD-KDCIssued(4)");
case 5 : return ("AD-AND-OR(5)");
case 8 : return ("AD-MANDATORY-FOR-KDC(8)");
case 9 : return ("AD_INITIAL_VERIFIED_CAS(9)");
case 64: return ("AD_OSF_DCE(64)");
case 65: return ("AD_SESAME(65");
case 71: return ("AD_FX_ARMOR(71)");
case 128: return ("AD_WIN2K_PAC(128)");
case 129: return ("AD_ETYPE_NEGOTIATION(129)");
case 512: return ("AD_SIGNTICKET(512)");
default: return (NULL);
}
}
static const char *
switch (type) {
case 0 : return ("NONE(0)");
case 1 : return ("ALL_LAST_TGT(1)");
case -1 : return ("ONE_LAST_TGT(-1)");
case 2 : return ("ALL_LAST_INITIAL(2)");
case -2 : return ("ONE_LAST_INITIAL(-2)");
case 3 : return ("ALL_LAST_TGT_ISSUED(3)");
case -3 : return ("ONE_LAST_TGT_ISSUED(-3)");
case 4 : return ("ALL_LAST_RENEWAL(4)");
case -4 : return ("ONE_LAST_RENEWAL(-4)");
case 5 : return ("ALL_LAST_REQ(5)");
case -5 : return ("ONE_LAST_REQ(-5)");
case 6 : return ("ALL_PW_EXPTIME(6)");
case -6 : return ("ONE_PW_EXPTIME(-6)");
case 7 : return ("ALL_ACCT_EXPTIME(7)");
case -7 : return ("ONE_ACCT_EXPTIME(-7)");
default: return (NULL);
}
}
static const char *
switch (type) {
case 0 : return ("(0)");
case 1 : return ("DOMAIN-X500-COMPRESS(1)");
default: return (NULL);
}
}
static const char *
switch (flag) {
case 0x00000000 : return ("");
case 0x40000000 : return ("forwardable(1)");
case 0x20000000 : return ("forwarded(2)");
case 0x10000000 : return ("proxiable(3)");
case 0x08000000 : return ("proxy(4)");
case 0x04000000 : return ("may-postdate(5)");
case 0x02000000 : return ("postdated(6)");
case 0x01000000 : return ("invalid(7)");
case 0x00800000 : return ("renewable(8)");
case 0x00400000 : return ("initial(9)");
case 0x00200000 : return ("pre-authent(10)");
case 0x00100000 : return ("hw-authent(11)");
case 0x00080000 : return ("transited-policy-checked(12)");
case 0x00040000 : return ("ok-as-delegate(13)");
case 0x00010000 : return ("canonicalize(15)");
case 0x00000020 : return ("disable-transited-check(26)");
case 0x00000010 : return ("renewable-ok(27)");
case 0x00000008 : return ("enc-tkt-in-skey(28)");
case 0x00000002 : return ("renew(30)");
case 0x00000001 : return ("validate(31)");
default: return (NULL);
}
}
/*
* *_to_str functions are similar to the *_lookup functions however the returned
* string must be freed. NULL may be returned due to a memory allocation
* failure. The *to_str functions return a useful string when a *_lookup
* function would return NULL.
*/
/*
* A generic wrapper around *_lookup functions which returns a useful string
* when a type cannot be found.
* e.g. "<unknown(999)>"
* Takes a pointer to a lookup function which returns a string on sucess or NULL
* if the type cannot be found.
* Returned value must be freed.
*/
static char *
else
return (ret);
}
/*
* Given a NULL terminated array ("arr") build up a string by calling "to_str"
* for each element of the array. The returned string (like all *_to_str
* functions) should be freed.
* Returns NULL on memory allocation failure or empty array.
*/
static char *
unsigned int i;
if (t != NULL) {
str = t;
} else {
char *tmp;
}
free(t);
t = NULL;
}
}
}
}
return (str);
}
/*
* Kerberos flags are encoded in a single 32bit integer with each bit
* representing a flag. Each possible flag is tested for by applying a mask
* which is bit-shifted for each iteration.
* Returns a string representation of Kerberos flags which should be freed. Can
* return NULL on memory allocation error.
*/
static char *
const char *t = NULL;
/* Print out "flags" in hex with leading zeros */
for (i = 0; i < sizeof (unsigned int) * 8; i++) {
/*
* k5_flag_lookup() returns "" when passed a zero
* indicating that there is no flag set at that bit.
* Continue on to the next flag.
*/
if (t != NULL && t[0] == '\0')
continue;
if (t != NULL)
else
/*
* Free the old string and make the memory pointed to by
* tmp the new string.
*/
}
}
}
return (str);
}
/*
* Encryption types are stored in an array along with its size (unlike many
* other arrays seen in krb5 which are generally NULL terminated). Given an
* array of encryption types ("enctypes") and a count ("n") return a string
* representation.
* The returned string should be freed. Returns NULL on memory allocation
* failure or empty array
*/
static char *
unsigned int i;
for (i = 0; i < n; i++) {
if (t != NULL) {
str = t;
} else {
char *tmp;
}
free(t);
t = NULL;
}
}
}
return (str);
}
/*
* Convert a krb5_data structure to string.
* Returned string should be freed. Returns NULL on memory allocation failure or
* NULL input.
*/
static char *
}
}
return (str);
}
/*
* Returns a string representation of a krb5_pa_data type. Currently only
* returns type of krb5_pa_data. e.g. "ENC_TIMESTAMP(2)".
* Takes a void pointer "p" as this function is can be passed to
* k5_array_to_str().
* Returned string should be freed. Returns NULL on memory allocation failure or
* NULL input.
*/
static char *
k5_padata_to_str(const void *p) {
return (str);
}
/*
* Returns a string representation of a krb5_authdata type. Currently only
* returns type of krb5_authdata. e.g. "AD-IF-RELEVANT(1)".
* Takes a void pointer "p" as this function is can be passed to
* k5_array_to_str().
* Returned string should be freed. Returns NULL on memory allocation failure or
* NULL input.
*/
static char *
k5_authdata_to_str(const void *a) {
return (str);
}
/*
* Returns a string representation of a krb5_last_req type. Returns type and
* timestamp. e.g. "ALL_LAST_TGT(1):1283180754".
* Takes a void pointer "p" as this function is can be passed to
* k5_array_to_str().
* Returned string should be freed. Returns NULL on memory allocation failure or
* NULL input.
*/
static char *
k5_last_req_to_str(const void *l) {
char *tmp;
}
}
return (str);
}
/*
* Returns a string representation of a krb5_transited type. For
* KRB5_DOMAIN_X500_COMPRESS a string representation of the transited realms
* will be returned. e.g. "DOMAIN-X500-COMPRESS(1):ACME.COM,MIT."
* Takes a void pointer "p" as this function can be passed to
* k5_array_to_str().
* Returned string should be freed. Returns NULL on memory allocation failure or
* NULL input.
*/
static char *
k5_transited_to_str(const void *t) {
} else {
}
}
return (str);
}
/*
* Returns a string representation of a krb5_address type. IPv6 and IPv4
* addresses are supported. e.g. "10.10.10.10"
* Takes a void pointer "p" as this function can be passed to
* k5_array_to_str().
* Returned string should be freed. Returns NULL on memory allocation failure or
* NULL input.
*/
static char *
k5_address_to_str(const void *a) {
case ADDRTYPE_INET:
break;
case ADDRTYPE_INET6:
break;
default:
"unknown address type"),
}
}
return (str);
}
/*
* Count the number of elements in a NULL terminated array.
*/
static int
unsigned int i = 0;
i++;
return (i);
}
/*
* The following functions consist of "build" and "free" functions for each
* argument passed from the Kerberos mech to DTrace.
* These functions support the build-fire-free macros in kerberos_dtrace.h. The
* k5_*info arguments are flat structures closely mimicking their *info DTrace
* counter-parts. They are generally made up of strings and integers.
*/
ki->message_type =
}
}
}
return (ki);
}
void
}
}
/*
* When preauth is required we can treat e_data as a
* list of supported pre-authentication types.
*/
(const void **)pa);
}
}
}
}
return (ke);
}
void
}
}
(const void **)req->unenc_authdata);
(const void **)req->second_ticket);
}
}
return (kr);
}
void
}
}
const krb5_enc_kdc_rep_part *encp) {
}
kr->enc_key_type =
}
&kr->enc_server);
}
}
return (kr);
}
void
}
}
kt->enc_key_length =
kt->enc_key_value =
}
&kt->enc_client);
(const void **)encp->authorization_data);
}
}
}
return (kt);
}
void
}
}
}
}
}
}
return (ka);
}
void
}
}
}
}
return (ka);
}
void
}
}
ka->cksum_type =
}
}
(const void **)auth->authorization_data);
}
}
return (ka);
}
void
}
}
ks->cksum_type =
}
}
}
return (ks);
}
void
}
}
kp->enc_s_address =
kp->enc_r_address =
}
}
}
return (kp);
}
void
}
}
kc->enc_s_address =
kc->enc_r_address =
}
}
}
return (kc);
}
void
}
}
struct sockaddr_storage s;
int t;
} else
s.ss_family);
}
}
}
len = sizeof (t);
switch (t) {
case SOCK_STREAM:
break;
case SOCK_DGRAM:
break;
default:
t);
}
}
}
return (kc);
}
void
}
}
/*
* Some probes should fire in multiple places. In order to ensure that each
* probe is only listed once by DTrace these probes are put into their own
* functions.
*/
}
}
const unsigned int length) {
}
const unsigned int length) {
}