Skip to content

One way trust patch #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kuchytgj wants to merge 6 commits into
base: master
Choose a base branch
from
Open

One way trust patch #1

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
219d8c5
Patches to iterate through WebKDC keytab in webauth_krb5_init_via_pas…
kuchytgj Mar 23, 2015
9132be4
Merge pull request #2 from rra/help-fix
jonrober Apr 28, 2015
35f6c0a
Patches to iterate through WebKDC keytab in webauth_krb5_init_via_pas…
kuchytgj Mar 23, 2015
d4dc848
Remove realm check, add more logging, and fix memory leaks
kuchytgj Oct 8, 2015
7a2d804
Merge branch 'oneway-realm' of https://github.com/kuchytgj/webauth in…
kuchytgj Oct 20, 2015
ce34719
Improve logging upon failed verification
kuchytgj Dec 15, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 105 additions & 9 deletions lib/krb5.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -587,15 +587,13 @@ webauth_krb5_init_via_password(struct webauth_context *ctx,
/* Verify the credentials if possible. */
if (get_principal == NULL && keytab != NULL) {
krb5_principal princ = NULL;
krb5_keytab kt = NULL;
char *name;

s = open_keytab(ctx, kc, keytab, server_principal, &princ, &kt);
if (s != WA_ERR_NONE) {
krb5_free_cred_contents(kc->ctx, &creds);
return s;
}
code = krb5_verify_init_creds(kc->ctx, &creds, princ, kt, NULL, NULL);
/* Iterate over open_keytab in verify_creds_iterate_keytab to find the
* first princ that will verify our creds. This enables one-way cross-
* realm trusts.
*/
code = verify_creds_iterate_keytab(ctx, kc, &princ, keytab, server_principal, creds);
if (code != 0)
error_set(ctx, kc, code, "credential verification failed for %s",
username);
Expand All @@ -607,9 +605,8 @@ webauth_krb5_init_via_password(struct webauth_context *ctx,
} else {
error_set(ctx, kc, code, "cannot unparse server principal");
}
krb5_free_principal(kc->ctx, princ);
}
krb5_kt_close(kc->ctx, kt);
krb5_free_principal(kc->ctx, princ);
if (code != 0) {
krb5_free_cred_contents(kc->ctx, &creds);
return WA_ERR_KRB5;
Expand All @@ -624,6 +621,105 @@ webauth_krb5_init_via_password(struct webauth_context *ctx,
return WA_ERR_NONE;
}

/*
* Attempt to verify creds against all principals in the supplied keytab.
* Though we only attempt to verify credentials that match the realm of the
* principal in *princ so we don't needlessly try to verify creds.
*/

int
verify_creds_iterate_keytab(struct webauth_context *ctx, struct webauth_krb5 *kc,
krb5_principal *princ, const char *keytab,
const char *server_principal, krb5_creds creds)
{
krb5_error_code code;
krb5_error_code last_verify_code;
krb5_keytab kt;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
bool cursor_valid = false;

code = krb5_kt_resolve(kc->ctx, keytab, &kt);
if (code != 0)
return error_set(ctx, kc, code, "cannot open keytab %s", keytab);

code = krb5_kt_start_seq_get(kc->ctx, kt, &cursor);
if (code != 0)
return error_set(ctx, kc, code, "cannot start sequential get on keytab %s", keytab);

cursor_valid = true;
/*
* If server_principal is given attempt to verify with that first.
* If verification fails or if server_principal is NULL, step through
* the keytab and attempt to verify with each principal if realms match
*/
if (server_principal != NULL) {
code = krb5_parse_name(kc->ctx, server_principal, princ);
Copy link
Contributor

@rra rra May 3, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

princ is leaked here.

if (code != 0) {
error_set(ctx, kc, code, "cannot parse principal %s", server_principal);
goto fail;
}
code = krb5_verify_init_creds(kc->ctx, &creds, *princ, kt, NULL, NULL);
}

if (server_principal == NULL || code != 0) {
do {
krb5_free_principal(kc->ctx, *princ);
code = krb5_kt_next_entry(kc->ctx, kt, &entry, &cursor);
if (code != 0) {
error_set(ctx, kc, code, "cannot get next keytab entry");
break;
Copy link
Contributor

@rra rra May 3, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need an error_set here.

}

code = krb5_copy_principal(kc->ctx, entry.principal, princ);
Copy link
Contributor

@rra rra May 3, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

princ is leaked here as well.

if (code != 0) {
error_set(ctx, kc, code, "cannot copy principal");
goto fail;
}

krb5_free_keytab_entry_contents(kc->ctx, &entry);
if (code != 0) {
goto fail;
}

last_verify_code = krb5_verify_init_creds(kc->ctx, &creds, *princ, kt, NULL, NULL);
if (last_verify_code == 0) {
break;
}

const char *err_str = krb5_get_error_message(kc->ctx, last_verify_code);

char * princ_name;
krb5_unparse_name(kc->ctx, *princ, &princ_name);

wai_log_info(ctx, "failed to verify credentials with %s (%s); attempting next keytab entry", princ_name, err_str);
error_set(ctx, kc, code, "failed to verify credentials");
krb5_free_unparsed_name(kc->ctx, princ_name);
krb5_free_error_message(kc->ctx, err_str);
} while (1);
}

krb5_kt_end_seq_get(kc->ctx, kt, &cursor);

krb5_kt_close(kc->ctx, kt);
if (code == KRB5_KT_END) {
return error_set(ctx, kc, last_verify_code, "reached end of keytab without verifying principal");
}

return WA_ERR_NONE;

fail:
if (cursor_valid)
krb5_kt_end_seq_get(kc->ctx, kt, &cursor);

if (kt != NULL)
krb5_kt_close(kc->ctx, kt);

if (princ != NULL)
krb5_free_principal(kc->ctx, *princ);

return WA_ERR_KRB5;
}

/*
* Prepare a context from obtained credentials. This uses existing
Expand Down