1 /*
2 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
3 */
4 /*
5 * Copyright 2000, 2004 by the Massachusetts Institute of Technology.
6 * All Rights Reserved.
7 *
8 * Export of this software from the United States of America may
9 * require a specific license from the United States Government.
10 * It is the responsibility of any person or organization contemplating
11 * export to obtain such a license before exporting.
12 *
13 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
14 * distribute this software and its documentation for any purpose and
15 * without fee is hereby granted, provided that the above copyright
16 * notice appear in all copies and that both that copyright notice and
17 * this permission notice appear in supporting documentation, and that
18 * the name of M.I.T. not be used in advertising or publicity pertaining
19 * to distribution of the software without specific, written prior
20 * permission. Furthermore if you modify this software you must label
21 * your software as modified software and not distribute it in such a
22 * fashion that it might be confused with the original M.I.T. software.
121 * auth_context contains a pointer to the session key, and the
122 * "recv_subkey" field might contain a session subkey. Either of
123 * these (the "recv_subkey" if it isn't NULL, otherwise the
124 * "keyblock") might have been used to encrypt the encrypted part of
125 * the KRB_CRED message that contains the forwarded credentials. (The
126 * Java Crypto and Security Implementation from the DSTC in Australia
127 * always uses the session key. But apparently it never negotiates a
128 * subkey, so this code works fine against a JCSI client.) Up to the
129 * present, though, GSSAPI clients linked against the MIT code (which
130 * is almost all GSSAPI clients) don't encrypt the KRB_CRED message at
131 * all -- at this level. So if the first call to krb5_rd_cred fails,
132 * we should call it a second time with another auth context freshly
133 * created by krb5_auth_con_init. All of its keyblock fields will be
134 * NULL, so krb5_rd_cred will assume that the KRB_CRED message is
135 * unencrypted. (The MIT code doesn't actually send the KRB_CRED
136 * message in the clear -- the "authenticator" whose "checksum" ends up
137 * containing the KRB_CRED message does get encrypted.)
138 */
139 /* Solaris Kerberos */
140 if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))) {
141 krb5_enctype enctype = ENCTYPE_NULL;
142 /*
143 * If the client is using non-DES enctypes it really ought to
144 * send encrypted KRB-CREDs...
145 */
146 if (auth_context->keyblock != NULL)
147 enctype = auth_context->keyblock->enctype;
148 switch (enctype) {
149 case ENCTYPE_DES_CBC_MD5:
150 case ENCTYPE_DES_CBC_CRC:
151 case ENCTYPE_DES3_CBC_SHA1:
152 break;
153 default:
154 KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error "
155 "krb5_rd_cred() retval = %d\n", retval);
156 goto cleanup;
157 /* NOTREACHED */
158 break;
159 }
160
161 /* Try to krb5_rd_cred() likely unencrypted KRB-CRED */
162 if ((retval = krb5_auth_con_init(context, &new_auth_ctx)))
163 goto cleanup;
164 krb5_auth_con_setflags(context, new_auth_ctx, 0);
165 if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf,
166 &creds, NULL))) {
167 /* Solaris Kerberos */
168 KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error "
169 "krb5_rd_cred() retval = %d\n", retval);
170 goto cleanup;
171 }
172 }
173
174 if ((retval = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
175 ccache = NULL;
176 goto cleanup;
177 }
178
179 if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client))) {
180 /* Solaris Kerberos */
181 KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error "
182 "krb5_cc_initialize() retval = %d\n", retval);
183 goto cleanup;
184 }
185
186 if ((retval = krb5_cc_store_cred(context, ccache, creds[0]))) {
187 /* Solaris Kerberos */
188 KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error "
189 "krb5_cc_store_cred() retval = %d\n", retval);
1 /*
2 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
3 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
4 */
5 /*
6 * Copyright 2000, 2004 by the Massachusetts Institute of Technology.
7 * All Rights Reserved.
8 *
9 * Export of this software from the United States of America may
10 * require a specific license from the United States Government.
11 * It is the responsibility of any person or organization contemplating
12 * export to obtain such a license before exporting.
13 *
14 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
15 * distribute this software and its documentation for any purpose and
16 * without fee is hereby granted, provided that the above copyright
17 * notice appear in all copies and that both that copyright notice and
18 * this permission notice appear in supporting documentation, and that
19 * the name of M.I.T. not be used in advertising or publicity pertaining
20 * to distribution of the software without specific, written prior
21 * permission. Furthermore if you modify this software you must label
22 * your software as modified software and not distribute it in such a
23 * fashion that it might be confused with the original M.I.T. software.
122 * auth_context contains a pointer to the session key, and the
123 * "recv_subkey" field might contain a session subkey. Either of
124 * these (the "recv_subkey" if it isn't NULL, otherwise the
125 * "keyblock") might have been used to encrypt the encrypted part of
126 * the KRB_CRED message that contains the forwarded credentials. (The
127 * Java Crypto and Security Implementation from the DSTC in Australia
128 * always uses the session key. But apparently it never negotiates a
129 * subkey, so this code works fine against a JCSI client.) Up to the
130 * present, though, GSSAPI clients linked against the MIT code (which
131 * is almost all GSSAPI clients) don't encrypt the KRB_CRED message at
132 * all -- at this level. So if the first call to krb5_rd_cred fails,
133 * we should call it a second time with another auth context freshly
134 * created by krb5_auth_con_init. All of its keyblock fields will be
135 * NULL, so krb5_rd_cred will assume that the KRB_CRED message is
136 * unencrypted. (The MIT code doesn't actually send the KRB_CRED
137 * message in the clear -- the "authenticator" whose "checksum" ends up
138 * containing the KRB_CRED message does get encrypted.)
139 */
140 /* Solaris Kerberos */
141 if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))) {
142 krb5_error_code retval2 = retval;
143
144 /* Try to krb5_rd_cred() likely unencrypted KRB-CRED */
145 if ((retval = krb5_auth_con_init(context, &new_auth_ctx)))
146 goto cleanup;
147 krb5_auth_con_setflags(context, new_auth_ctx, 0);
148 if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf,
149 &creds, NULL))) {
150 /* Solaris Kerberos */
151 KRB5_LOG1(KRB5_ERR, "rd_and_store_for_creds() error "
152 "krb5_rd_cred() retval = %d original = %d\n",
153 retval, retval2);
154 goto cleanup;
155 }
156 }
157
158 if ((retval = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
159 ccache = NULL;
160 goto cleanup;
161 }
162
163 if ((retval = krb5_cc_initialize(context, ccache, creds[0]->client))) {
164 /* Solaris Kerberos */
165 KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error "
166 "krb5_cc_initialize() retval = %d\n", retval);
167 goto cleanup;
168 }
169
170 if ((retval = krb5_cc_store_cred(context, ccache, creds[0]))) {
171 /* Solaris Kerberos */
172 KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error "
173 "krb5_cc_store_cred() retval = %d\n", retval);