kdc: refactor/improve error handling in GSS pa

This commit is contained in:
Luke Howard
2021-08-15 16:06:08 +10:00
parent a2538aeb38
commit 386b8d328a
2 changed files with 29 additions and 25 deletions

View File

@@ -190,7 +190,7 @@ _kdc_gss_rd_padata(astgs_request_t r,
krb5_error_code ret;
size_t size;
OM_uint32 major, minor;
OM_uint32 minor;
gss_client_params *gcp = NULL;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
@@ -216,6 +216,7 @@ _kdc_gss_rd_padata(astgs_request_t r,
goto out;
}
/* errors are fast fail until gss_accept_sec_context() is called */
gcp->major = GSS_S_NO_CONTEXT;
ret = pa_gss_get_context_state(r, gcp);
@@ -234,42 +235,35 @@ _kdc_gss_rd_padata(astgs_request_t r,
heim_assert(ret || size == cb.application_data.length,
"internal asn1 encoder error");
major = gss_accept_sec_context(&minor,
&gcp->context_handle,
cred,
&input_token,
&cb,
&gcp->initiator_name,
&gcp->mech_type,
&gcp->output_token,
&gcp->flags,
&gcp->lifetime,
NULL); /* delegated_cred_handle */
gcp->major = gss_accept_sec_context(&gcp->minor,
&gcp->context_handle,
cred,
&input_token,
&cb,
&gcp->initiator_name,
&gcp->mech_type,
&gcp->output_token,
&gcp->flags,
&gcp->lifetime,
NULL); /* delegated_cred_handle */
gcp->major = major;
gcp->minor = minor;
ret = _krb5_gss_map_error(gcp->major, gcp->minor);
if (GSS_ERROR(gcp->major)) {
pa_gss_display_status(r, major, minor, gcp,
pa_gss_display_status(r, gcp->major, gcp->minor, gcp,
"Failed to accept GSS security context");
ret = _krb5_gss_map_error(major, minor);
goto out;
}
if ((gcp->flags & GSS_C_ANON_FLAG) && !_kdc_is_anon_request(&r->req)) {
} else if ((gcp->flags & GSS_C_ANON_FLAG) && !_kdc_is_anon_request(&r->req)) {
kdc_log(r->context, r->config, 2,
"Anonymous GSS pre-authentication request w/o anonymous flag");
ret = KRB5KDC_ERR_BADOPTION;
goto out;
}
*open = (gcp->major == GSS_S_COMPLETE);
} else
*open = (gcp->major == GSS_S_COMPLETE);
out:
gss_release_cred(&minor, &cred);
gss_release_buffer(&minor, &cb.application_data);
if (ret == 0)
if (gcp->major != GSS_S_NO_CONTEXT)
*pgcp = gcp;
else
_kdc_gss_free_client_param(r, gcp);

View File

@@ -34,6 +34,7 @@
#include "mech_locl.h"
#include <gssapi/gssapi_preauth.h>
#include <heimntlm.h>
#include <preauth/pa-private.h>
@@ -56,10 +57,19 @@ _krb5_gss_map_error(OM_uint32 major, OM_uint32 minor)
case GSS_S_BAD_NAMETYPE:
ret = KRB5_PRINC_NOMATCH;
break;
case GSS_S_NO_CRED:
ret = KRB5_CC_NOTFOUND;
break;
case GSS_S_BAD_MIC:
case GSS_S_DEFECTIVE_CREDENTIAL:
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
break;
case GSS_S_FAILURE:
if (minor == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
minor == HNTLM_ERR_AUTH) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
break;
}
default:
ret = KRB5KDC_ERR_PREAUTH_FAILED;
break;