/*
Authors:
Sumit Bose <sbose@redhat.com>
Copyright (C) 2009-2010 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <ctype.h>
#include <stdio.h>
#include <errno.h>
#include <talloc.h>
#include <profile.h>
#include "config.h"
#include "util/sss_iobuf.h"
#include "util/sss_krb5.h"
static char *
const char *pattern,
const char *hostname)
{
char *primary;
char *dot;
char *c;
char *shortname;
if (dot) {
*dot = '\0';
}
for (c=shortname; *c != '\0'; ++c) {
*c = toupper(*c);
}
/* The samAccountName is recommended to be less than 20 characters.
* This is only for users and groups. For machine accounts,
* the real limit is caused by NetBIOS protocol.
* NetBIOS names are limited to 16 (15 + $)
* https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name
*/
return primary;
}
}
const char *hostname,
const char *desired_realm,
const char *keytab_name,
char **_principal,
char **_primary,
char **_realm)
{
int i = 0;
char *principal_string;
const char *realm_name;
int realm_len;
/**
* The %s conversion is passed as-is, the %S conversion is translated to
* "short host name"
*
* Priority of lookup:
* - our.hostname@REALM or host/our.hostname@REALM depending on the input
* - SHORT.HOSTNAME$@REALM (AD domain)
* - host/our.hostname@REALM
* - foobar$@REALM (AD domain)
* - pick the first principal in the keytab
*/
"host/*", NULL};
"trying to select the most appropriate principal from keytab\n");
if (!tmp_ctx) {
return ENOMEM;
}
if (kerr) {
goto done;
}
if (keytab_name != NULL) {
} else {
}
if (kerr) {
"Failed to read keytab [%s]: %s\n",
goto done;
}
if (!desired_realm) {
desired_realm = "*";
}
if (!hostname) {
hostname = "*";
}
do {
if (primary_patterns[i]) {
primary_patterns[i],
hostname);
goto done;
}
} else {
}
if (realm_patterns[i]) {
goto done;
}
} else {
}
&client_princ);
if (kerr == 0) {
break;
}
if (client_princ != NULL) {
client_princ = NULL;
}
i++;
if (kerr == 0) {
if (_principal) {
if (kerr) {
goto done;
}
if (!*_principal) {
goto done;
}
}
if (_primary) {
if (kerr) {
goto done;
}
if (!*_primary) {
goto done;
}
}
if (_realm) {
&realm_len);
if (realm_len == 0) {
goto done;
}
if (!*_realm) {
goto done;
}
}
} else {
}
done:
}
if (client_princ != NULL) {
client_princ = NULL;
}
return ret;
}
/**
* We only have primary and instances stored separately, we need to
* join them to one string and compare that string.
*
* @param ctx Kerberos context
* @param principal principal we want to match
* @param pattern_primary primary part of the principal we want to
* perform matching against. It is possible to use * wildcard
* at the beginning or at the end of the string. If NULL, it
* will act as "*"
* @param pattern_realm realm part of the principal we want to perform
* the matching against. If NULL, it will act as "*"
*/
const char *pattern_primary,
const char *pattern_realm)
{
int primary_str_len = 0;
int tmp_len;
int len_diff;
const char *realm_name;
int realm_len;
bool ret = false;
if (realm_len == 0) {
return false;
}
if (!tmp_ctx) {
return false;
}
if (pattern_primary) {
mode = MODE_PREFIX;
} else if (pattern_primary[0] == '*') {
mode = MODE_POSTFIX;
}
&primary);
if ((mode == MODE_NORMAL &&
(mode == MODE_PREFIX &&
(mode == MODE_POSTFIX &&
goto done;
}
}
"Principal matched to the sample (%s@%s).\n", pattern_primary,
ret = true;
}
done:
return ret;
}
const char *pattern_primary,
const char *pattern_realm,
{
bool principal_found = false;
if (kerr != 0) {
return kerr;
}
if (principal_found) {
break;
}
if (kerr != 0) {
}
}
/* Close the keytab here. Even though we're using cursors, the file
* handle is stored in the krb5_keytab structure, and it gets
* overwritten by other keytab calls, creating a leak. */
if (kerr != 0) {
goto done;
}
if (!principal_found) {
"No principal matching %s@%s found in keytab.\n",
goto done;
}
/* check if we got any errors from krb5_kt_next_entry */
goto done;
}
if (kerr != 0) {
goto done;
}
kerr = 0;
done:
if (kerr_d != 0) {
}
return kerr;
}
{
#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
#else
int ret;
char *s = NULL;
int size = sizeof("Kerberos error [XXXXXXXXXXXX]");
if (s == NULL) {
return NULL;
}
free(s);
return NULL;
}
return s;
#endif
}
{
#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
#else
free(s);
#endif
return;
}
{
#else
return ENOMEM;
}
return 0;
#endif
}
{
#else
#endif
return;
}
{
#ifdef HAVE_KRB5_FREE_UNPARSED_NAME
#else
}
#endif
}
void *data)
{
#else
"krb5_get_init_creds_opt_set_expire_callback not available.\n");
return 0;
#endif
}
{
*use_fast = false;
*use_fast = true;
} else {
"please use never, try, or demand.\n", str);
return EINVAL;
}
return EOK;
#else
"Please remove option krb5_use_fast.\n");
return EINVAL;
#endif
}
const char *fast_ccache_name)
{
#else
"krb5_get_init_creds_opt_set_fast_ccache_name not available.\n");
return 0;
#endif
}
{
#else
"krb5_get_init_creds_opt_set_fast_flags not available.\n");
return 0;
#endif
}
#ifndef HAVE_KRB5_UNPARSE_NAME_FLAGS
#ifndef REALM_SEP
#endif
#ifndef COMPONENT_SEP
#endif
static int
{
int j;
char *q = dest;
if (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) {
}
switch (*cp) {
case REALM_SEP:
if (no_realm) {
*q++ = *cp;
break;
}
case COMPONENT_SEP:
case '\\':
*q++ = '\\';
*q++ = *cp;
break;
case '\t':
*q++ = '\\';
*q++ = 't';
break;
case '\n':
*q++ = '\\';
*q++ = 'n';
break;
case '\b':
*q++ = '\\';
*q++ = 'b';
break;
case '\0':
*q++ = '\\';
*q++ = '0';
break;
default:
*q++ = *cp;
}
}
return q - dest;
}
static int
{
int j;
if ((flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) == 0) {
*cp == COMPONENT_SEP ||
size++;
}
return size;
}
#endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
{
#ifdef HAVE_KRB5_PARSE_NAME_FLAGS
#else
if (flags != 0) {
"this plattform, names are parsed " \
"without flags. Some features like " \
"enterprise principals might not work " \
"as expected.\n");
}
#endif
}
{
#ifdef HAVE_KRB5_UNPARSE_NAME_FLAGS
#else
char *cp, *q;
int i;
int length;
unsigned int totalsize = 0;
char *default_realm = NULL;
krb5_error_code ret = 0;
return KRB5_PARSE_MALFORMED;
if (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) {
/* omit realm if local realm */
if (ret != 0)
goto cleanup;
}
if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
flags);
totalsize++;
}
for (i = 0; i < (int) nelem; i++) {
totalsize++;
}
if (nelem == 0)
totalsize++;
if (!*name) {
goto cleanup;
}
q = *name;
for (i = 0; i < (int) nelem; i++) {
q += sss_krb5_copy_component_quoting(q,
i),
flags);
*q++ = COMPONENT_SEP;
}
if (i > 0)
q--;
if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
*q++ = REALM_SEP;
}
*q++ = '\0';
return ret;
#endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
}
int canonicalize)
{
/* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal
* defining krb5_get_init_creds_opt_set_canonicalize() with a different set of
* arguments. We should use a better configure check in the future.
*/
#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES)
#else
#endif
}
{
} else {
*len = 0;
}
}
#else
{
if (data) {
} else {
*len = 0;
}
}
#endif
{
}
#else
{
}
#endif
#ifdef HAVE_KRB5_SET_TRACE_CALLBACK
#ifndef HAVE_KRB5_TRACE_INFO
/* krb5-1.10 had struct krb5_trace_info, 1.11 has type named krb5_trace_info */
#endif /* HAVE_KRB5_TRACE_INFO */
static void
{
/* Null info means destroy the callback data. */
return;
}
}
{
}
#else /* HAVE_KRB5_SET_TRACE_CALLBACK */
{
return 0;
}
#endif /* HAVE_KRB5_SET_TRACE_CALLBACK */
krb5_authdata *const *ticket_authdata,
krb5_authdata *const *ap_req_authdata,
krb5_authdata ***results)
{
#ifdef HAVE_KRB5_FIND_AUTHDATA
#else
return ENOTSUP;
#endif
}
{
#ifdef HAVE_PAC_RESPONDER
int ret;
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
goto done;
}
goto done;
}
if (kerr != 0) {
goto done;
}
&entry);
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
"sss_pac_make_request will most certainly fail.\n");
}
kerr = 0;
done:
if (kerr != 0) {
}
}
}
return kerr;
#else
return ENOTSUP;
#endif
}
const char *location)
{
#ifdef HAVE_KRB5_CC_COLLECTION
"Location: [%s]\n", location);
if (kerr != 0) {
return NULL;
}
if (kerr != 0) {
return NULL;
}
if (kerr != 0) {
goto done;
}
"tmp_ccname: [%s]\n", tmp_ccname);
if (ret_ccname == NULL) {
}
done:
if (kerr != 0) {
}
}
return ret_ccname;
#else
return NULL;
#endif /* HAVE_KRB5_CC_COLLECTION */
}
{
#ifdef HAVE_KRB5_KT_HAVE_CONTENT
#else
if (kerr != 0) {
"krb5_kt_start_seq_get failed, assuming no entries.\n");
return KRB5_KT_NOTFOUND;
}
if (kerr != 0) {
"krb5_kt_next_entry failed, assuming no entries.\n");
return KRB5_KT_NOTFOUND;
}
if (kerr_end != 0) {
"krb5_kt_end_seq_get failed, ignored.\n");
}
if (kerr != 0) {
"krb5_free_keytab_entry_contents failed, ignored.\n");
}
return 0;
#endif
}
{
bool res = false;
size_t c;
return false;
}
if (kerr != 0) {
return false;
}
if (kerr != 0) {
goto done;
}
goto done;
} else if (kerr != 0) {
goto done;
}
KDC_PROXY_INDICATOR_LEN) == 0) {
"Found KDC Proxy indicator [%s] in [%s].\n",
KDC_PROXY_INDICATOR, list[c]);
res = true;
break;
}
}
done:
return res;
}
{
return ret;
}
return EOK;
}
{
}
{
return ret;
}
return ENOMEM;
}
return ret;
}
return EOK;
}
{
return ret;
}
return EOK;
}
{
return ret;
}
return ret;
}
}
return EOK;
}
/* FIXME - it would be nice if Kerberos exported these APIs.. */
{
return EINVAL;
}
return ENOMEM;
}
goto fail;
}
goto fail;
}
/* Sanity check to avoid large allocations */
goto fail;
}
if (ncomps != 0) {
goto fail;
}
}
goto fail;
}
goto fail;
}
}
return 0;
fail:
return ret;
}
{
return EINVAL;
}
return ret;
}
return ret;
}
return ret;
}
return ret;
}
}
return EOK;
}
{
const char *msg;
if (kerr != 0) {
/* It is safe to call (sss_)krb5_get_error_message() with NULL as first
* argument. */
"Failed to init Kerberos context [%s]\n", msg);
}
return kerr;
}