krb5_error_code KRB5_CALLCONV
krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc)
{
krb5_error_code code;
krb5_flags flags;
krb5_cc_cursor cur = 0;
krb5_creds creds;
flags = 0; /* turns off OPENCLOSE mode */
if ((code = krb5_cc_set_flags(context, incc, flags)))
return(code);
/* the code for this will open the file for reading only, which
is not what I had in mind. So I won't turn off OPENCLOSE
for the output ccache */
#if 0
if ((code = krb5_cc_set_flags(context, outcc, flags)))
return(code);
#endif
if ((code = krb5_cc_start_seq_get(context, incc, &cur)))
goto cleanup;
while (!(code = krb5_cc_next_cred(context, incc, &cur, &creds))) {
code = krb5_cc_store_cred(context, outcc, &creds);
krb5_free_cred_contents(context, &creds);
if (code)
goto cleanup;
}
if (code != KRB5_CC_END)
goto cleanup;
code = krb5_cc_end_seq_get(context, incc, &cur);
cur = 0;
if (code)
goto cleanup;
code = 0;
cleanup:
flags = KRB5_TC_OPENCLOSE;
/* If set then we are in an error pathway */
if (cur)
krb5_cc_end_seq_get(context, incc, &cur);
if (code)
krb5_cc_set_flags(context, incc, flags);
else
code = krb5_cc_set_flags(context, incc, flags);
#if 0
if (code)
krb5_cc_set_flags(context, outcc, flags);
else
code = krb5_cc_set_flags(context, outcc, flags);
#endif
return(code);
}
static int
check_for_tgt(krb5_context context, krb5_ccache ccache,
krb5_principal principal)
{
krb5_error_code ret;
krb5_creds creds;
krb5_cc_cursor cur;
int found = 0;
ret = krb5_cc_start_seq_get(context, ccache, &cur);
if (ret)
return 0;
while (!found &&
(ret = krb5_cc_next_cred(context, ccache, &cur, &creds)) == 0) {
if (creds.server->length == 2 &&
data_is_equal(creds.server->realm,
principal->realm) &&
creds.server->data[0].length == 6 &&
memcmp(creds.server->data[0].data,
"krbtgt", 6) == 0 &&
data_is_equal(creds.server->data[1],
principal->realm) &&
creds.times.endtime > time(NULL))
found = 1;
krb5_free_cred_contents(context, &creds);
}
krb5_cc_end_seq_get(context, ccache, &cur);
return found;
}
krb5_error_code KRB5_CALLCONV
krb5_cccol_have_content(krb5_context context)
{
krb5_cccol_cursor col_cursor;
krb5_cc_cursor cache_cursor;
krb5_ccache cache;
krb5_creds creds;
krb5_boolean found = FALSE;
if (krb5_cccol_cursor_new(context, &col_cursor))
goto no_entries;
while (!found && !krb5_cccol_cursor_next(context, col_cursor, &cache) &&
cache != NULL) {
if (krb5_cc_start_seq_get(context, cache, &cache_cursor))
continue;
while (!found &&
!krb5_cc_next_cred(context, cache, &cache_cursor, &creds)) {
if (!krb5_is_config_principal(context, creds.server))
found = TRUE;
krb5_free_cred_contents(context, &creds);
}
krb5_cc_end_seq_get(context, cache, &cache_cursor);
krb5_cc_close(context, cache);
}
krb5_cccol_cursor_free(context, &col_cursor);
if (found)
return 0;
no_entries:
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
_("No Kerberos credentials available"));
return KRB5_CC_NOTFOUND;
}
/*
* Check if a ccache has any tickets.
*/
static krb5_error_code
cc_has_tickets(krb5_context kcontext, krb5_ccache ccache, int *has_tickets)
{
krb5_error_code code;
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_timestamp now = time(0);
*has_tickets = 0;
code = krb5_cc_set_flags(kcontext, ccache, KRB5_TC_NOTICKET);
if (code)
return code;
code = krb5_cc_start_seq_get(kcontext, ccache, &cursor);
if (code)
return code;
while (!*has_tickets) {
code = krb5_cc_next_cred(kcontext, ccache, &cursor, &creds);
if (code)
break;
if (!krb5_is_config_principal(kcontext, creds.server) &&
creds.times.endtime > now)
*has_tickets = 1;
krb5_free_cred_contents(kcontext, &creds);
}
krb5_cc_end_seq_get(kcontext, ccache, &cursor);
return 0;
}
/* Display the contents of cache. */
static int
show_ccache(krb5_ccache cache)
{
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ;
krb5_error_code ret;
ret = krb5_cc_get_principal(context, cache, &princ);
if (ret) {
com_err(progname, ret, "");
return 1;
}
ret = krb5_unparse_name(context, princ, &defname);
if (ret) {
com_err(progname, ret, _("while unparsing principal name"));
return 1;
}
printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"),
krb5_cc_get_type(context, cache), krb5_cc_get_name(context, cache),
defname);
/* XXX Translating would disturb table alignment; skip for now. */
fputs("Valid starting", stdout);
fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, (int) ' ');
fputs("Expires", stdout);
fillit(stdout, timestamp_width - sizeof("Expires") + 3, (int) ' ');
fputs("Service principal\n", stdout);
ret = krb5_cc_start_seq_get(context, cache, &cur);
if (ret) {
com_err(progname, ret, _("while starting to retrieve tickets"));
return 1;
}
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (show_config || !krb5_is_config_principal(context, creds.server))
show_credential(&creds);
krb5_free_cred_contents(context, &creds);
}
krb5_free_principal(context, princ);
krb5_free_unparsed_name(context, defname);
defname = NULL;
if (ret == KRB5_CC_END) {
ret = krb5_cc_end_seq_get(context, cache, &cur);
if (ret) {
com_err(progname, ret, _("while finishing ticket retrieval"));
return 1;
}
return 0;
} else {
com_err(progname, ret, _("while retrieving a ticket"));
return 1;
}
}
static int
print_tickets (krb5_context context,
krb5_ccache ccache,
krb5_principal principal)
{
krb5_error_code ret;
krb5_cc_cursor cursor;
krb5_creds cred;
char *str;
ret = krb5_unparse_name (context, principal, &str);
if (ret) {
lreply(500, "krb5_unparse_name: %d", ret);
return 500;
}
lreply(200, "%17s: %s:%s",
"Credentials cache",
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
lreply(200, "%17s: %s", "Principal", str);
free (str);
ret = krb5_cc_start_seq_get (context, ccache, &cursor);
if (ret) {
lreply(500, "krb5_cc_start_seq_get: %d", ret);
return 500;
}
lreply(200, " Issued Expires Principal");
while ((ret = krb5_cc_next_cred (context,
ccache,
&cursor,
&cred)) == 0) {
if (print_cred(context, &cred))
return 500;
krb5_free_cred_contents (context, &cred);
}
if (ret != KRB5_CC_END) {
lreply(500, "krb5_cc_get_next: %d", ret);
return 500;
}
ret = krb5_cc_end_seq_get (context, ccache, &cursor);
if (ret) {
lreply(500, "krb5_cc_end_seq_get: %d", ret);
return 500;
}
return 200;
}
static void
check_ticket_count(gss_cred_id_t cred, int expected)
{
krb5_error_code ret;
krb5_context context = NULL;
krb5_creds kcred;
krb5_cc_cursor cur;
krb5_ccache ccache;
int count = 0;
gss_key_value_set_desc store;
gss_key_value_element_desc elem;
OM_uint32 major, minor;
const char *ccname = "MEMORY:count";
store.count = 1;
store.elements = &elem;
elem.key = "ccache";
elem.value = ccname;
major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE, &mech_krb5, 1, 0,
&store, NULL, NULL);
check_gsserr("gss_store_cred_into", major, minor);
ret = krb5_init_context(&context);
check_k5err(context, "krb5_init_context", ret);
ret = krb5_cc_resolve(context, ccname, &ccache);
check_k5err(context, "krb5_cc_resolve", ret);
ret = krb5_cc_start_seq_get(context, ccache, &cur);
check_k5err(context, "krb5_cc_start_seq_get", ret);
while (!krb5_cc_next_cred(context, ccache, &cur, &kcred)) {
if (!krb5_is_config_principal(context, kcred.server))
count++;
krb5_free_cred_contents(context, &kcred);
}
ret = krb5_cc_end_seq_get(context, ccache, &cur);
check_k5err(context, "krb5_cc_end_seq_get", ret);
if (expected != count) {
printf("Expected %d tickets but got %d\n", expected, count);
exit(1);
}
krb5_cc_destroy(context, ccache);
krb5_free_context(context);
}
/*
* The default unset code path depends on the underlying ccache implementation
* knowing how to remove a credential, which most types don't actually support,
* so we have to jump through some hoops to ensure that when we set a value for
* a key, it'll be the only value for that key that'll be found later. The
* ccache portions of libkrb5 will currently duplicate some of the actual
* tickets.
*/
static void
unset_config(krb5_context context, krb5_ccache ccache,
krb5_principal server, const char *key)
{
krb5_ccache tmp1, tmp2;
krb5_cc_cursor cursor;
krb5_creds mcreds, creds;
memset(&mcreds, 0, sizeof(mcreds));
memset(&creds, 0, sizeof(creds));
bail_on_err(context, "Error while deriving configuration principal names",
k5_build_conf_principals(context, ccache, server, key,
&mcreds));
bail_on_err(context, "Error resolving first in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1));
bail_on_err(context, "Error initializing first in-memory ccache",
krb5_cc_initialize(context, tmp1, mcreds.client));
bail_on_err(context, "Error resolving second in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp2", &tmp2));
bail_on_err(context, "Error initializing second in-memory ccache",
krb5_cc_initialize(context, tmp2, mcreds.client));
bail_on_err(context, "Error copying credentials to first in-memory ccache",
krb5_cc_copy_creds(context, ccache, tmp1));
bail_on_err(context, "Error starting traversal of first in-memory ccache",
krb5_cc_start_seq_get(context, tmp1, &cursor));
while (krb5_cc_next_cred(context, tmp1, &cursor, &creds) == 0) {
if (!krb5_is_config_principal(context, creds.server) ||
!krb5_principal_compare(context, mcreds.server, creds.server) ||
!krb5_principal_compare(context, mcreds.client, creds.client)) {
bail_on_err(context,
"Error storing non-config item to in-memory ccache",
krb5_cc_store_cred(context, tmp2, &creds));
}
}
bail_on_err(context, "Error ending traversal of first in-memory ccache",
krb5_cc_end_seq_get(context, tmp1, &cursor));
bail_on_err(context, "Error clearing ccache",
krb5_cc_initialize(context, ccache, mcreds.client));
bail_on_err(context, "Error storing creds to the ccache",
krb5_cc_copy_creds(context, tmp2, ccache));
bail_on_err(context, "Error cleaning up first in-memory ccache",
krb5_cc_destroy(context, tmp1));
bail_on_err(context, "Error cleaning up second in-memory ccache",
krb5_cc_destroy(context, tmp2));
}
int
main(int argc, char **argv)
{
krb5_context ctx;
krb5_ccache ccache;
krb5_creds creds;
krb5_cc_cursor cursor;
krb5_error_code ret;
ctx = NULL;
ret = krb5_init_context(&ctx);
if (ret != 0) {
printf("Error initializing Kerberos.\n");
return ret;
}
ccache = NULL;
ret = krb5_cc_default(ctx, &ccache);
if (ret != 0) {
printf("Error initializing ccache.\n");
return ret;
}
cursor = NULL;
ret = krb5_cc_start_seq_get(ctx, ccache, &cursor);
if (ret == 0) {
memset(&creds, 0, sizeof(creds));
while (krb5_cc_next_cred(ctx, ccache, &cursor, &creds) == 0) {
if (creds.times.renew_till != 0) {
printf("%lu\n",
(unsigned long) creds.times.renew_till -
(unsigned long) creds.times.starttime);
} else {
printf("0\n");
}
break;
}
krb5_cc_end_seq_get(ctx, ccache, &cursor);
}
krb5_cc_close(ctx, ccache);
krb5_free_context(ctx);
return 0;
}
/* Return 0 if cache is accessible, present, and unexpired; return 1 if not. */
static int
check_ccache(krb5_ccache cache)
{
krb5_error_code ret;
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ;
krb5_boolean found_tgt, found_current_tgt, found_current_cred;
if (krb5_cc_get_principal(context, cache, &princ) != 0)
return 1;
if (krb5_cc_start_seq_get(context, cache, &cur) != 0)
return 1;
found_tgt = found_current_tgt = found_current_cred = FALSE;
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (is_local_tgt(creds.server, &princ->realm)) {
found_tgt = TRUE;
if (ts_after(creds.times.endtime, now))
found_current_tgt = TRUE;
} else if (!krb5_is_config_principal(context, creds.server) &&
ts_after(creds.times.endtime, now)) {
found_current_cred = TRUE;
}
krb5_free_cred_contents(context, &creds);
}
krb5_free_principal(context, princ);
if (ret != KRB5_CC_END)
return 1;
if (krb5_cc_end_seq_get(context, cache, &cur) != 0)
return 1;
/* If the cache contains at least one local TGT, require that it be
* current. Otherwise accept any current cred. */
if (found_tgt)
return found_current_tgt ? 0 : 1;
return found_current_cred ? 0 : 1;
}
/*
*
* k5_get_num_cred
*
* Returns: number of creds in the credential cache, -1 on error
*
*/
int
k5_get_num_cred(int verbose)
{
krb5_error_code code;
krb5_cc_cursor cursor;
krb5_creds c;
int ncreds = 0;
if (code = krb5_cc_start_seq_get(k5_context, k5_ccache, &cursor)) {
if (code == KRB5_FCC_NOFILE)
return 0;
if (verbose)
com_err(NULL, code, "while starting to retrieve tickets.");
return -1;
}
while (1) { /* Loop and get creds */
code = krb5_cc_next_cred(k5_context, k5_ccache, &cursor, &c);
if (code)
break;
++ncreds;
}
if (code != KRB5_CC_END) { /* Error while looping??? */
if (verbose)
com_err(NULL, code, "while retrieving a ticket.");
return -1;
}
if (code = krb5_cc_end_seq_get(k5_context, k5_ccache, &cursor)) {
if (verbose)
com_err(NULL, code, "while closing ccache.");
}
return ncreds;
}
static int
k5_get_num_cred2()
{
krb5_error_code code;
krb5_cc_cursor cursor;
krb5_creds c;
int ncreds = 0;
code = krb5_cc_start_seq_get(k5_context, k5_ccache, &cursor);
if (code == KRB5_FCC_NOFILE)
return 0;
while (1) {
code = krb5_cc_next_cred(k5_context, k5_ccache, &cursor, &c);
if (code)
break;
++ncreds;
}
if (code == KRB5_CC_END)
krb5_cc_end_seq_get(k5_context, k5_ccache, &cursor);
return ncreds;
}
static kbrccache_t userinitcontext(
const char * user, const char * domain, const char * passwd, const char * cachename, int initialize,
int * outError )
{
krb5_context kcontext = 0;
krb5_ccache kcache = 0;
krb5_creds kcreds;
krb5_principal kme = 0;
krb5_error_code kres;
char * pPass = strdup( passwd );
char * pName = NULL;
char * pCacheName = NULL;
int numCreds = 0;
memset( &kcreds, 0, sizeof(kcreds) );
kres = krb5_init_context( &kcontext );
if( kres )
goto return_error;
if( domain )
kres = krb5_build_principal( kcontext, &kme, strlen(domain), domain, user, (char *) 0 );
else
kres = krb5_parse_name( kcontext, user, &kme );
if( kres )
goto fail;
krb5_unparse_name( kcontext, kme, &pName );
if( cachename )
{
if (asprintf(&pCacheName, "%s%s", cachename, pName) < 0)
{
kres = KRB5_CC_NOMEM;
goto fail;
}
kres = krb5_cc_resolve( kcontext, pCacheName, &kcache );
if( kres )
{
kres = krb5_cc_resolve( kcontext, CCACHE_PREFIX_DEFAULT, &kcache );
if( kres == 0 )
pCacheName = strdup(CCACHE_PREFIX_DEFAULT);
}
}
else
{
kres = krb5_cc_default( kcontext, &kcache );
pCacheName = strdup( krb5_cc_get_name( kcontext, kcache ) );
}
if( kres )
{
krb5_free_context(kcontext);
goto return_error;
}
if( initialize )
krb5_cc_initialize( kcontext, kcache, kme );
if( kres == 0 && user && passwd )
{
long timeneeded = time(0L) +TKTTIMELEFT;
int have_credentials = 0;
krb5_cc_cursor cc_curs = NULL;
numCreds = 0;
if( (kres=krb5_cc_start_seq_get(kcontext, kcache, &cc_curs)) >= 0 )
{
while( (kres=krb5_cc_next_cred(kcontext, kcache, &cc_curs, &kcreds))== 0)
{
numCreds++;
if( krb5_principal_compare( kcontext, kme, kcreds.client ) )
{
if( kcreds.ticket_flags & TKT_FLG_INITIAL && kcreds.times.endtime>timeneeded )
have_credentials = 1;
}
krb5_free_cred_contents( kcontext, &kcreds );
if( have_credentials )
break;
}
krb5_cc_end_seq_get( kcontext, kcache, &cc_curs );
}
else
{
const char * errmsg = error_message(kres);
fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg );
}
if( kres != 0 || have_credentials == 0 )
{
krb5_get_init_creds_opt *options = NULL;
kres = krb5_get_init_creds_opt_alloc(kcontext, &options);
if ( kres == 0 )
{
get_init_creds_opt_init(options);
/*
** no valid credentials - get new ones
*/
kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass,
NULL /*prompter*/,
NULL /*data*/,
0 /*starttime*/,
0 /*in_tkt_service*/,
options /*options*/ );
}
if( kres == 0 )
{
if( numCreds <= 0 )
kres = krb5_cc_initialize( kcontext, kcache, kme );
if( kres == 0 )
kres = krb5_cc_store_cred( kcontext, kcache, &kcreds );
if( kres == 0 )
have_credentials = 1;
}
krb5_get_init_creds_opt_free(kcontext, options);
}
#ifdef NOTUSED
if( have_credentials )
{
int mstat;
kres = gss_krb5_ccache_name( &mstat, pCacheName, NULL );
if( getenv( ENV_DEBUG_LDAPKERB ) )
fprintf( stderr, "gss credentials cache set to %s(%d)\n", pCacheName, kres );
}
#endif
krb5_cc_close( kcontext, kcache );
}
fail:
if( kres )
{
const char * errmsg = error_message(kres);
fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg );
}
krb5_free_principal( kcontext, kme );
krb5_free_cred_contents( kcontext, &kcreds );
if( pName )
free( pName );
free(pPass);
krb5_free_context(kcontext);
return_error:
if( kres )
{
if( pCacheName )
{
free(pCacheName);
pCacheName = NULL;
}
}
if( outError )
*outError = kres;
return pCacheName;
}
int
main(int argc, char *argv[])
{
krb5_context kcontext = NULL;
krb5_error_code code;
krb5_ccache ccache=NULL;
krb5_ccache mslsa_ccache=NULL;
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_principal princ = NULL;
int found_tgt = 0;
int has_tickets;
int option;
char * ccachestr = 0;
prog = strrchr(argv[0], '/');
prog = prog ? (prog + 1) : argv[0];
while ((option = getopt(argc, argv, "c:h")) != -1) {
switch (option) {
case 'c':
ccachestr = optarg;
break;
case 'h':
default:
xusage();
break;
}
}
if (code = krb5_init_context(&kcontext)) {
com_err(argv[0], code, "while initializing kerberos library");
goto cleanup;
}
if (code = krb5_cc_resolve(kcontext, "MSLSA:", &mslsa_ccache)) {
com_err(argv[0], code, "while opening MS LSA ccache");
goto cleanup;
}
/* Enumerate tickets from cache looking for a TGT */
if ((code = krb5_cc_start_seq_get(kcontext, mslsa_ccache, &cursor))) {
com_err(argv[0], code, "while initiating the cred sequence of MS LSA ccache");
goto cleanup;
}
while (!found_tgt) {
code = krb5_cc_next_cred(kcontext, mslsa_ccache, &cursor, &creds);
if (code)
break;
/* Check if the ticket is a TGT */
if (is_local_tgt(creds.server))
found_tgt = 1;
krb5_free_cred_contents(kcontext, &creds);
}
krb5_cc_end_seq_get(kcontext, mslsa_ccache, &cursor);
if (!found_tgt) {
fprintf(stderr, "%s: Initial Ticket Getting Tickets are not available from the MS LSA\n",
argv[0]);
/* Only set the LSA cache as the default if it actually has tickets. */
code = cc_has_tickets(kcontext, mslsa_ccache, &has_tickets);
if (code)
goto cleanup;
if (has_tickets)
code = krb5int_cc_user_set_default_name(kcontext, "MSLSA:");
goto cleanup;
}
if (code = krb5_cc_get_principal(kcontext, mslsa_ccache, &princ)) {
com_err(argv[0], code, "while obtaining MS LSA principal");
goto cleanup;
}
if (ccachestr)
code = krb5_cc_resolve(kcontext, ccachestr, &ccache);
else
code = krb5_cc_resolve(kcontext, "API:", &ccache);
if (code) {
com_err(argv[0], code, "while getting default ccache");
goto cleanup;
}
if (code = krb5_cc_initialize(kcontext, ccache, princ)) {
com_err (argv[0], code, "when initializing ccache");
goto cleanup;
}
if (code = krb5_cc_copy_creds(kcontext, mslsa_ccache, ccache)) {
com_err (argv[0], code, "while copying MS LSA ccache to default ccache");
goto cleanup;
}
/* Don't try and set the default cache if the cache name was specified. */
if (ccachestr == NULL) {
/* On success set the default cache to API. */
code = krb5int_cc_user_set_default_name(kcontext, "API:");
if (code) {
com_err(argv[0], code, "when setting default to API");
goto cleanup;
}
}
cleanup:
krb5_free_principal(kcontext, princ);
if (ccache != NULL)
krb5_cc_close(kcontext, ccache);
if (mslsa_ccache != NULL)
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
return code ? 1 : 0;
}
~State() {
krb5_context ctx = context_.get();
krb5_free_cred_contents(ctx, &creds_);
krb5_error_code code = krb5_cc_end_seq_get(ctx, cc_->get(), &cursor_);
raiseIf(ctx, code, "ending read of credentials cache");
}
/*
* Class: sun_security_krb5_Credentials
* Method: acquireDefaultNativeCreds
* Signature: ([I])Lsun/security/krb5/Credentials;
*/
JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds
(JNIEnv *env, jclass krbcredsClass, jintArray jetypes)
{
jobject krbCreds = NULL;
krb5_error_code err = 0;
krb5_ccache ccache = NULL;
krb5_cc_cursor cursor = NULL;
krb5_creds creds;
krb5_flags flags = 0;
krb5_context kcontext = NULL;
int netypes;
jint *etypes = NULL;
/* Initialize the Kerberos 5 context */
err = krb5_init_context (&kcontext);
if (!err) {
err = krb5_cc_default (kcontext, &ccache);
}
if (!err) {
err = krb5_cc_set_flags (kcontext, ccache, flags); /* turn off OPENCLOSE */
}
if (!err) {
err = krb5_cc_start_seq_get (kcontext, ccache, &cursor);
}
netypes = (*env)->GetArrayLength(env, jetypes);
etypes = (jint *) (*env)->GetIntArrayElements(env, jetypes, NULL);
if (etypes != NULL && !err) {
while ((err = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) {
char *serverName = NULL;
if (!err) {
err = krb5_unparse_name (kcontext, creds.server, &serverName);
printiferr (err, "while unparsing server name");
}
if (!err) {
char* slash = strchr(serverName, '/');
char* at = strchr(serverName, '@');
// Make sure the server's name is krbtgt/REALM@REALM, the etype
// is supported, and the ticket has not expired
if (slash && at &&
strncmp (serverName, "krbtgt", slash-serverName) == 0 &&
// the ablove line shows at must be after slash
strncmp (slash+1, at+1, at-slash-1) == 0 &&
isIn (creds.keyblock.enctype, netypes, etypes) &&
creds.times.endtime > time(0)) {
jobject ticket, clientPrincipal, targetPrincipal, encryptionKey;
jobject ticketFlags, startTime, endTime;
jobject authTime, renewTillTime, hostAddresses;
ticket = clientPrincipal = targetPrincipal = encryptionKey = NULL;
ticketFlags = startTime = endTime = NULL;
authTime = renewTillTime = hostAddresses = NULL;
// For the default credentials we're only interested in the krbtgt server.
clientPrincipal = BuildClientPrincipal(env, kcontext, creds.client);
if (clientPrincipal == NULL) goto cleanup;
targetPrincipal = BuildClientPrincipal(env, kcontext, creds.server);
if (targetPrincipal == NULL) goto cleanup;
// Build a sun/security/krb5/internal/Ticket
ticket = BuildTicket(env, &creds.ticket);
if (ticket == NULL) goto cleanup;
// Get the encryption key
encryptionKey = BuildEncryptionKey(env, &creds.keyblock);
if (encryptionKey == NULL) goto cleanup;
// and the ticket flags
ticketFlags = BuildTicketFlags(env, creds.ticket_flags);
if (ticketFlags == NULL) goto cleanup;
// Get the timestamps out.
startTime = BuildKerberosTime(env, creds.times.starttime);
if (startTime == NULL) goto cleanup;
authTime = BuildKerberosTime(env, creds.times.authtime);
if (authTime == NULL) goto cleanup;
endTime = BuildKerberosTime(env, creds.times.endtime);
if (endTime == NULL) goto cleanup;
renewTillTime = BuildKerberosTime(env, creds.times.renew_till);
if (renewTillTime == NULL) goto cleanup;
// Create the addresses object.
hostAddresses = BuildAddressList(env, creds.addresses);
if (krbcredsConstructor == 0) {
krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>",
"(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V");
if (krbcredsConstructor == 0) {
printf("Couldn't find sun.security.krb5.internal.Ticket constructor\n");
break;
}
}
// and now go build a KrbCreds object
krbCreds = (*env)->NewObject(
env,
krbcredsClass,
krbcredsConstructor,
ticket,
clientPrincipal,
targetPrincipal,
encryptionKey,
ticketFlags,
authTime,
startTime,
endTime,
renewTillTime,
hostAddresses);
cleanup:
if (ticket) (*env)->DeleteLocalRef(env, ticket);
if (clientPrincipal) (*env)->DeleteLocalRef(env, clientPrincipal);
if (targetPrincipal) (*env)->DeleteLocalRef(env, targetPrincipal);
if (encryptionKey) (*env)->DeleteLocalRef(env, encryptionKey);
if (ticketFlags) (*env)->DeleteLocalRef(env, ticketFlags);
if (authTime) (*env)->DeleteLocalRef(env, authTime);
if (startTime) (*env)->DeleteLocalRef(env, startTime);
if (endTime) (*env)->DeleteLocalRef(env, endTime);
if (renewTillTime) (*env)->DeleteLocalRef(env, renewTillTime);
if (hostAddresses) (*env)->DeleteLocalRef(env, hostAddresses);
// Stop if there is an exception or we already found the initial TGT
if ((*env)->ExceptionCheck(env) || krbCreds) {
break;
}
}
}
if (serverName != NULL) { krb5_free_unparsed_name (kcontext, serverName); }
krb5_free_cred_contents (kcontext, &creds);
}
if (err == KRB5_CC_END) { err = 0; }
printiferr (err, "while retrieving a ticket");
}
if (!err) {
err = krb5_cc_end_seq_get (kcontext, ccache, &cursor);
printiferr (err, "while finishing ticket retrieval");
}
if (!err) {
flags = KRB5_TC_OPENCLOSE; /* restore OPENCLOSE mode */
err = krb5_cc_set_flags (kcontext, ccache, flags);
printiferr (err, "while finishing ticket retrieval");
}
if (etypes != NULL) {
(*env)->ReleaseIntArrayElements(env, jetypes, etypes, 0);
}
krb5_free_context (kcontext);
return krbCreds;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache src_cc = NULL;
krb5_ccache dst_cc = NULL;
krb5_cc_cursor cursor;
krb5_principal me = NULL;
krb5_creds cred;
const char *during;
Ticket t;
size_t len;
int make_kvno_absent = 0;
int opt;
memset(&cred, 0, sizeof (cred));
during = "init_context";
ret = krb5_init_context(&context);
if (ret) goto err;
while ((opt = getopt(argc, argv, "c:n")) != -1) {
switch (opt) {
case 'c':
during = "cc_resolve of source ccache";
ret = krb5_cc_resolve(context, optarg, &src_cc);
if (ret) goto err;
break;
case 'n':
make_kvno_absent++;
break;
case 'h':
default:
fprintf(stderr, "Usage: %s [-n] [-c ccache]\n"
"\tThis utility edits a ccache, setting all ticket\n"
"\tenc_part kvnos to zero or absent (if -n is set).\n",
argv[0]);
return 1;
}
}
if (!src_cc) {
during = "cc_default";
ret = krb5_cc_default(context, &src_cc);
if (ret) goto err;
}
during = "cc_get_principal";
ret = krb5_cc_get_principal(context, src_cc, &me);
if (ret) goto err;
if (optind != argc) {
fprintf(stderr, "Usage: %s [-n] [-c ccache]\n"
"\tThis utility edits a ccache, setting all ticket\n"
"\tenc_part kvnos to zero or absent (if -n is set).\n",
argv[0]);
return 1;
}
during = "cc_new_unique of temporary ccache";
ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, src_cc),
NULL, &dst_cc);
during = "cc_initialize of temporary ccache";
ret = krb5_cc_initialize(context, dst_cc, me);
if (ret) goto err;
during = "cc_start_seq_get";
ret = krb5_cc_start_seq_get(context, src_cc, &cursor);
if (ret) goto err;
while ((ret = krb5_cc_next_cred(context, src_cc, &cursor, &cred)) == 0) {
krb5_data data;
during = "decode_Ticket";
memset(&t, 0, sizeof (t));
ret = decode_Ticket(cred.ticket.data, cred.ticket.length, &t, &len);
if (ret == ASN1_MISSING_FIELD)
continue;
if (ret) goto err;
if (t.enc_part.kvno) {
*t.enc_part.kvno = 0;
if (make_kvno_absent) {
free(t.enc_part.kvno);
t.enc_part.kvno = NULL;
}
/*
* The new Ticket has to need less or same space as before, so
* we reuse cred->icket.data.
*/
during = "encode_Ticket";
ASN1_MALLOC_ENCODE(Ticket, data.data, data.length, &t, &len, ret);
if (ret) {
free_Ticket(&t);
goto err;
}
krb5_data_free(&cred.ticket);
cred.ticket = data;
}
free_Ticket(&t);
during = "cc_store_cred";
ret = krb5_cc_store_cred(context, dst_cc, &cred);
if (ret) goto err;
krb5_free_cred_contents(context, &cred);
memset(&cred, 0, sizeof (cred));
}
during = "cc_next_cred";
if (ret != KRB5_CC_END) goto err;
during = "cc_end_seq_get";
ret = krb5_cc_end_seq_get(context, src_cc, &cursor);
if (ret) goto err;
during = "cc_move";
ret = krb5_cc_move(context, dst_cc, src_cc);
if (ret) goto err;
dst_cc = NULL;
during = "cc_switch";
ret = krb5_cc_switch(context, src_cc);
if (ret) goto err;
err:
(void) krb5_free_principal(context, me);
if (src_cc)
(void) krb5_cc_close(context, src_cc);
if (dst_cc)
(void) krb5_cc_destroy(context, dst_cc);
if (ret) {
fprintf(stderr, "Failed while doing %s (%d)\n", during, ret);
ret = 1;
}
return (ret);
}
static void
cc_test(krb5_context context, const char *name, krb5_flags flags)
{
krb5_ccache id, id2;
krb5_creds creds;
krb5_error_code kret;
krb5_cc_cursor cursor;
krb5_principal tmp;
const char *c_name;
char newcache[300];
char *save_type;
kret = init_test_cred(context);
CHECK(kret, "init_creds");
kret = krb5_cc_resolve(context, name, &id);
CHECK(kret, "resolve");
kret = krb5_cc_initialize(context, id, test_creds.client);
CHECK(kret, "initialize");
c_name = krb5_cc_get_name(context, id);
CHECK_STR(c_name, "get_name");
c_name = krb5_cc_get_type(context, id);
CHECK_STR(c_name, "get_type");
save_type=strdup(c_name);
CHECK_STR(save_type, "copying type");
kret = krb5_cc_store_cred(context, id, &test_creds);
CHECK(kret, "store");
kret = krb5_cc_get_principal(context, id, &tmp);
CHECK(kret, "get_principal");
CHECK_BOOL(krb5_realm_compare(context, tmp, test_creds.client) != TRUE,
"realms do not match", "realm_compare");
CHECK_BOOL(krb5_principal_compare(context, tmp, test_creds.client) != TRUE,
"principals do not match", "principal_compare");
krb5_free_principal(context, tmp);
kret = krb5_cc_set_flags (context, id, flags);
CHECK(kret, "set_flags");
kret = krb5_cc_start_seq_get(context, id, &cursor);
CHECK(kret, "start_seq_get");
kret = 0;
while (kret != KRB5_CC_END) {
if(debug) printf("Calling next_cred\n");
kret = krb5_cc_next_cred(context, id, &cursor, &creds);
if(kret == KRB5_CC_END) {
if(debug) printf("next_cred: ok at end\n");
}
else {
CHECK(kret, "next_cred");
krb5_free_cred_contents(context, &creds);
}
}
kret = krb5_cc_end_seq_get(context, id, &cursor);
CHECK(kret, "end_seq_get");
kret = krb5_cc_close(context, id);
CHECK(kret, "close");
/* ------------------------------------------------- */
kret = krb5_cc_resolve(context, name, &id);
CHECK(kret, "resolve2");
{
/* Copy the cache test*/
snprintf(newcache, sizeof(newcache), "%s.new", name);
kret = krb5_cc_resolve(context, newcache, &id2);
CHECK(kret, "resolve of new cache");
/* This should fail as the new creds are not initialized */
kret = krb5_cc_copy_creds(context, id, id2);
CHECK_FAIL(KRB5_FCC_NOFILE, kret, "copy_creds");
kret = krb5_cc_initialize(context, id2, test_creds.client);
CHECK(kret, "initialize of id2");
kret = krb5_cc_copy_creds(context, id, id2);
CHECK(kret, "copy_creds");
kret = krb5_cc_destroy(context, id2);
CHECK(kret, "destroy new cache");
}
/* Destroy the first cache */
kret = krb5_cc_destroy(context, id);
CHECK(kret, "destroy");
/* ----------------------------------------------------- */
/* Tests the generate new code */
kret = krb5_cc_new_unique(context, save_type,
NULL, &id2);
CHECK(kret, "new_unique");
kret = krb5_cc_initialize(context, id2, test_creds.client);
CHECK(kret, "initialize");
kret = krb5_cc_store_cred(context, id2, &test_creds);
CHECK(kret, "store");
kret = krb5_cc_destroy(context, id2);
CHECK(kret, "destroy id2");
free(save_type);
free_test_cred(context);
}
static void
print_tickets (krb5_context context,
krb5_ccache ccache,
krb5_principal principal,
int do_verbose,
int do_flags,
int do_hidden)
{
krb5_error_code ret;
char *str, *name;
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_deltat sec;
rtbl_t ct = NULL;
ret = krb5_unparse_name (context, principal, &str);
if (ret)
krb5_err (context, 1, ret, "krb5_unparse_name");
printf ("%17s: %s:%s\n",
N_("Credentials cache", ""),
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
printf ("%17s: %s\n", N_("Principal", ""), str);
ret = krb5_cc_get_friendly_name(context, ccache, &name);
if (ret == 0) {
if (strcmp(name, str) != 0)
printf ("%17s: %s\n", N_("Friendly name", ""), name);
free(name);
}
free (str);
if(do_verbose) {
printf ("%17s: %d\n", N_("Cache version", ""),
krb5_cc_get_version(context, ccache));
} else {
krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET);
}
ret = krb5_cc_get_kdc_offset(context, ccache, &sec);
if (ret == 0 && do_verbose && sec != 0) {
char buf[BUFSIZ];
int val;
int sig;
val = sec;
sig = 1;
if (val < 0) {
sig = -1;
val = -val;
}
unparse_time (val, buf, sizeof(buf));
printf ("%17s: %s%s\n", N_("KDC time offset", ""),
sig == -1 ? "-" : "", buf);
}
printf("\n");
ret = krb5_cc_start_seq_get (context, ccache, &cursor);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
if(!do_verbose) {
ct = rtbl_create();
rtbl_add_column(ct, COL_ISSUED, 0);
rtbl_add_column(ct, COL_EXPIRES, 0);
if(do_flags)
rtbl_add_column(ct, COL_FLAGS, 0);
rtbl_add_column(ct, COL_PRINCIPAL, 0);
rtbl_set_separator(ct, " ");
}
while ((ret = krb5_cc_next_cred (context,
ccache,
&cursor,
&creds)) == 0) {
if (!do_hidden && krb5_is_config_principal(context, creds.server)) {
;
}else if(do_verbose){
print_cred_verbose(context, &creds);
}else{
print_cred(context, &creds, ct, do_flags);
}
krb5_free_cred_contents (context, &creds);
}
if(ret != KRB5_CC_END)
krb5_err(context, 1, ret, "krb5_cc_get_next");
ret = krb5_cc_end_seq_get (context, ccache, &cursor);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
if(!do_verbose) {
rtbl_format(ct, stdout);
rtbl_destroy(ct);
}
}
/*
* call-seq:
* list_cache([cache_name]) -> array
*
* Call krb5_cc_next_cred to fetch credentials from a cachefile. With no parameters, it fetches the credentials in the default cachefile. With one parameter, it fetches the credentials in the named cachefile. Returns a list of Krb5Auth::Krb5::Cred objects on success, raises Krb5Auth::Krb5::Exception on failure.
*/
static VALUE Krb5_list_cache_creds(int argc, VALUE *argv, VALUE self)
{
VALUE cache_val;
struct ruby_krb5 *kerb;
krb5_error_code krbret;
char *cache_name;
krb5_ccache cc;
krb5_cc_cursor cur;
krb5_creds creds;
char *name;
char *sname;
krb5_ticket *tkt;
VALUE result;
VALUE line;
rb_scan_args(argc, argv, "01", &cache_val);
cache_name = get_string_or_nil(cache_val);
Data_Get_Struct(self, struct ruby_krb5, kerb);
if (!kerb) {
NOSTRUCT_EXCEPT();
return Qfalse;
}
if (cache_name == NULL) {
krbret = krb5_cc_default(kerb->ctx, &cc);
}
else {
krbret = krb5_cc_resolve(kerb->ctx, cache_name, &cc);
}
if (krbret) {
goto cache_fail_raise;
}
krbret = krb5_cc_start_seq_get(kerb->ctx, cc, &cur);
if (krbret) {
goto cache_fail_close;
}
result = rb_ary_new();
while (!(krbret = krb5_cc_next_cred(kerb->ctx, cc, &cur, &creds))) {
krbret = krb5_unparse_name(kerb->ctx, creds.client, &name);
if (krbret) {
krb5_free_cred_contents(kerb->ctx, &creds);
break;
}
krbret = krb5_unparse_name(kerb->ctx, creds.server, &sname);
if (krbret) {
free(name);
krb5_free_cred_contents(kerb->ctx, &creds);
break;
}
krbret = krb5_decode_ticket(&creds.ticket, &tkt);
if (krbret) {
free(sname);
free(name);
krb5_free_cred_contents(kerb->ctx, &creds);
break;
}
line = rb_class_new_instance(0, NULL, cCred);
rb_iv_set(line, "@client", rb_str_new2(name));
rb_iv_set(line, "@server", rb_str_new2(sname));
rb_iv_set(line, "@starttime", INT2NUM(creds.times.starttime));
rb_iv_set(line, "@authtime", INT2NUM(creds.times.authtime));
rb_iv_set(line, "@endtime", INT2NUM(creds.times.endtime));
rb_iv_set(line, "@ticket_flags", INT2NUM(creds.ticket_flags));
rb_iv_set(line, "@cred_enctype", INT2NUM(creds.keyblock.enctype));
rb_iv_set(line, "@ticket_enctype", INT2NUM(tkt->enc_part.enctype));
rb_ary_push(result, line);
krb5_free_ticket(kerb->ctx, tkt);
free(sname);
free(name);
krb5_free_cred_contents(kerb->ctx, &creds);
}
if (krbret != KRB5_CC_END) {
// FIXME: do we need to free up "result" here? There will be no
// references to it, so I think the garbage collector will pick it up,
// but I'm not sure.
goto cache_fail_close;
}
krbret = krb5_cc_end_seq_get(kerb->ctx, cc, &cur);
krb5_cc_close(kerb->ctx, cc);
return result;
cache_fail_close:
krb5_cc_close(kerb->ctx, cc);
cache_fail_raise:
Krb5_register_error(krbret);
return Qfalse;
}
int
auks_krb5_cred_renew(char *ccachefilename)
{
int fstatus = AUKS_ERROR ;
int read_cred_is_tgt = 0;
int read_cred_is_renewable = 0;
/* kerberos related variables */
krb5_context context;
krb5_error_code err_code;
krb5_ccache ccache;
krb5_creds *p_cred_out = NULL;
krb5_creds read_cred;
krb5_creds renew_cred;
krb5_cc_cursor cc_cursor;
/* initialize kerberos context */
err_code = krb5_init_context(&context);
if (err_code) {
auks_error("unable to initialize kerberos context : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_CTX ;
goto exit;
}
auks_log("kerberos context successfully initialized");
/* initialize kerberos credential cache structure */
if (ccachefilename == NULL)
err_code = krb5_cc_default(context,&ccache);
else
err_code = krb5_cc_resolve(context,ccachefilename,&ccache);
if (err_code) {
auks_error("unable to resolve credential cache : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_OPEN_CC ;
goto ctx_exit ;
}
auks_log("credential cache successfully resolved");
/* start credential cache sequential reading */
err_code = krb5_cc_start_seq_get(context, ccache,&cc_cursor);
if (err_code) {
auks_error("unable to start credential cache sequential "
"read : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_READ_CC ;
goto cc_exit;
}
auks_log("credential cache sequential read successfully started");
/* try to get the first renewable TGT of the cache */
do {
err_code = krb5_cc_next_cred(context,ccache,
&cc_cursor,&read_cred);
if (!err_code) {
/* just check initial or forwarded tickets (TGTs) */
if ((read_cred.ticket_flags & TKT_FLG_INITIAL)
|| (read_cred.ticket_flags & TKT_FLG_FORWARDED)) {
read_cred_is_tgt = 1;
if (read_cred.ticket_flags
& TKT_FLG_RENEWABLE) {
read_cred_is_renewable = 1;
break;
}
}
}
}
while (!err_code);
/* stop credential cache sequential reading */
err_code = krb5_cc_end_seq_get(context, ccache,&cc_cursor);
if (err_code) {
auks_error("unable to stop credential cache sequential "
"read : %s",error_message(err_code));
} else
auks_log("credential cache sequential read "
"successfully stopped");
/* try to do renewal if a TGT was found */
if (!read_cred_is_tgt) {
auks_error("no TGT found in credential cache");
fstatus = AUKS_ERROR_KRB5_CRED_NO_TGT_FOUND ;
goto seq_exit;
}
/* try to do renewal if a renewable TGT was found */
if (!read_cred_is_renewable) {
auks_error("no renewable TGT found in credential cache");
fstatus = AUKS_ERROR_KRB5_CRED_TGT_NOT_RENEWABLE ;
goto seq_exit;
}
auks_log("renewable TGT found in credential cache");
/* test if renewal is possible */
if (read_cred.times.endtime >=
read_cred.times.renew_till) {
auks_error("TGT can't be renew anymore");
fstatus = AUKS_ERROR_KRB5_CRED_TGT_HAS_EXPIRED ;
goto seq_exit;
}
auks_log("TGT is still renewable");
/* renew credential cache TGT */
memset(&renew_cred, 0,sizeof(renew_cred));
/* copy client principal in futur credential */
err_code = krb5_copy_principal(context,read_cred.client,
&renew_cred.client);
if (err_code) {
auks_error("unable to put client principal into "
"request cred : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_CP_PRINC ;
goto cred_exit;
}
auks_log("client principal successfully put into request cred");
/* copy krbtgt/... principal in futur credential as required */
/* server principal for TGS */
err_code = krb5_copy_principal(context,read_cred.server,
&renew_cred.server);
if (err_code) {
auks_error("unable to put server principal into "
"request cred : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_CP_PRINC ;
goto cred_exit;
}
auks_log("server principal successfully put into request cred");
/* renew credential cache TGT */
/* err_code = krb5_get_credentials_renew(context,KDC_OPT_RENEW,ccache, */
/* &renew_cred,&p_cred_out); */
err_code = krb5_get_cred_via_tkt(context,&read_cred,KDC_OPT_RENEW,
NULL,&renew_cred,&p_cred_out);
if (err_code) {
auks_error("unable to renew credential cache TGT : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_TGT_RENEW ;
} else {
auks_log("credential cache TGT successfully renewed");
krb5_free_creds(context,p_cred_out);
fstatus = AUKS_SUCCESS ;
}
cred_exit:
/* potential bug to check */
krb5_free_cred_contents(context,&renew_cred);
seq_exit:
krb5_free_cred_contents(context,&read_cred);
cc_exit:
krb5_cc_close(context, ccache);
ctx_exit:
krb5_free_context(context);
exit:
return fstatus;
}
int
auks_krb5_cred_get(char *ccachefilename,char **pbuffer,
size_t * plength)
{
int fstatus = AUKS_ERROR ;
/* kerberos related variables */
krb5_error_code err_code;
krb5_context context;
krb5_auth_context auth_context;
krb5_ccache ccache;
krb5_creds read_cred;
krb5_cc_cursor cc_cursor;
krb5_data *p_outbuf;
krb5_replay_data krdata;
int read_cred_was_used = 0;
int read_cred_is_tgt = 0;
char *buffer;
size_t length;
/* initialize kerberos context */
err_code = krb5_init_context(&context);
if (err_code) {
auks_error("unable to initialize kerberos context : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_CTX ;
goto exit;
}
auks_log("kerberos context successfully initialized");
/* initialize kerberos credential cache structure */
if (ccachefilename == NULL)
err_code = krb5_cc_default(context, &ccache);
else
err_code = krb5_cc_resolve(context, ccachefilename,&ccache);
if (err_code) {
auks_error("unable to resolve credential cache : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_OPEN_CC ;
goto ctx_exit ;
}
auks_log("credential cache successfully resolved");
/* start credential cache sequential reading */
err_code = krb5_cc_start_seq_get(context, ccache,&cc_cursor);
if (err_code) {
auks_error("unable to start credential cache sequential "
"read : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_READ_CC ;
goto cc_exit;
}
auks_log("credential cache sequential read successfully started");
/* look for the first TGT of the cache */
do {
err_code = krb5_cc_next_cred(context,ccache,
&cc_cursor,&read_cred);
if (!err_code) {
/* mark read_cred variable as used */
read_cred_was_used = 1;
/* just check initial or forwarded tickets (TGTs) */
if ((read_cred.ticket_flags & TKT_FLG_INITIAL)
|| (read_cred.ticket_flags & TKT_FLG_FORWARDED)) {
read_cred_is_tgt = 1 ;
break;
}
}
}
while (!err_code);
/* stop credential cache sequential reading */
err_code = krb5_cc_end_seq_get(context,ccache,&cc_cursor);
if (err_code) {
auks_error("unable to stop credential cache sequential "
"read : %s",error_message(err_code));
} else
auks_log("credential cache sequential read "
"successfully stopped");
/* extract credential if a TGT was found */
if (!read_cred_is_tgt) {
auks_error("no TGT found in credential cache");
fstatus = AUKS_ERROR_KRB5_CRED_NO_TGT_FOUND ;
goto seq_exit;
}
auks_log("TGT found in credential cache");
/* initialize a nullified kerberos authentication context in order */
/* to serialize credential into buffer */
err_code = krb5_auth_con_init(context,&auth_context);
if (err_code) {
auks_error("unable to initialize kerberos authentication "
"context : %s",error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_INIT_AUTH_CTX ;
goto seq_exit;
}
auks_log("kerberos authentication context successfully initialized");
/* clear kerberos authentication context flags */
krb5_auth_con_setflags(context,auth_context,0);
/* extract credential data */
err_code = krb5_mk_1cred(context,auth_context,&read_cred,
&p_outbuf,&krdata);
if (err_code) {
auks_error("unable to dump credential into working buffer : %s",
error_message(err_code));
fstatus = AUKS_ERROR_KRB5_CRED_MK_CRED ;
goto auth_ctx_exit;
}
auks_log("credential successfully dumped into buffer");
/* allocate output buffer */
length = p_outbuf->length;
buffer = (char *) malloc(length * sizeof(char));
if (buffer == NULL) {
auks_error("unable to allocate memory for credential data "
"storage");
fstatus = AUKS_ERROR_KRB5_CRED_MALLOC ;
goto cred_exit;
}
/* copy credential data into output buffer */
memcpy(buffer,p_outbuf->data,length);
*pbuffer = buffer;
*plength = length;
auks_log("credential successfully stored in output buffer");
fstatus = AUKS_SUCCESS ;
cred_exit:
krb5_free_data(context,p_outbuf);
auth_ctx_exit:
/* free kerberos authentication context */
krb5_auth_con_free(context,auth_context);
seq_exit:
/* free credential contents */
if (read_cred_was_used)
krb5_free_cred_contents(context,&read_cred);
cc_exit:
krb5_cc_close(context, ccache);
ctx_exit:
krb5_free_context(context);
exit:
return fstatus;
}
DWORD
LwKrb5CopyFromUserCache(
krb5_context ctx,
krb5_ccache destCC,
uid_t uid
)
{
DWORD dwError = LW_ERROR_SUCCESS;
PSTR pszCachePath = NULL;
krb5_ccache srcCC = NULL;
krb5_cc_cursor srcPos = NULL;
krb5_cc_cursor destPos = NULL;
// Free with krb5_free_cred_contents
krb5_creds srcCreds = {0};
// Free with krb5_free_cred_contents
krb5_creds destCreds = {0};
krb5_error_code ret = 0;
krb5_principal destClient = 0;
BOOLEAN bIncludeTicket = TRUE;
DWORD dwTime = 0;
ret = krb5_cc_get_principal(
ctx,
destCC,
&destClient);
BAIL_ON_KRB_ERROR(ctx, ret);
dwError = LwKrb5GetUserCachePath(
uid,
KRB5_File_Cache,
&pszCachePath);
BAIL_ON_LW_ERROR(dwError);
ret = krb5_cc_resolve(
ctx,
pszCachePath,
&srcCC);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_cc_start_seq_get(
ctx,
srcCC,
&srcPos);
if (ret == KRB5_FCC_NOFILE)
{
// The cache file does not exist
ret = 0;
goto cleanup;
}
if (ret == KRB5_CC_FORMAT)
{
// Some other user put a bad cc in place - don't copy anything
// from it.
ret = 0;
goto cleanup;
}
BAIL_ON_KRB_ERROR(ctx, ret);
dwTime = time(NULL);
while (1)
{
krb5_free_cred_contents(
ctx,
&srcCreds);
ret = krb5_cc_next_cred(
ctx,
srcCC,
&srcPos,
&srcCreds);
if (ret == KRB5_CC_FORMAT) {
break;
} else if (ret == KRB5_CC_END) {
break;
} else {
BAIL_ON_KRB_ERROR(ctx, ret);
}
if (!krb5_principal_compare(ctx, destClient, srcCreds.client))
{
/* Can't keep these creds. The client principal doesn't
* match. */
continue;
}
if ( srcCreds.times.endtime < dwTime )
{
/* Credentials are too old. */
continue;
}
if (destPos != NULL)
{
krb5_cc_end_seq_get(
ctx,
destCC,
&destPos);
destPos = NULL;
}
ret = krb5_cc_start_seq_get(
ctx,
destCC,
&destPos);
BAIL_ON_KRB_ERROR(ctx, ret);
bIncludeTicket = TRUE;
while(bIncludeTicket)
{
krb5_free_cred_contents(
ctx,
&destCreds);
ret = krb5_cc_next_cred(
ctx,
destCC,
&destPos,
&destCreds);
if (ret == KRB5_CC_END) {
break;
} else {
BAIL_ON_KRB_ERROR(ctx, ret);
}
if (krb5_principal_compare(
ctx,
destCreds.server,
srcCreds.server))
{
/* These credentials are already in the dest cache
*/
bIncludeTicket = FALSE;
}
}
if (bIncludeTicket)
{
// These creds can go in the new cache
ret = krb5_cc_store_cred(ctx, destCC, &srcCreds);
BAIL_ON_KRB_ERROR(ctx, ret);
}
}
cleanup:
LW_SAFE_FREE_STRING(pszCachePath);
if (ctx != NULL)
{
if (srcPos != NULL)
{
krb5_cc_end_seq_get(
ctx,
srcCC,
&srcPos);
}
if (destPos != NULL)
{
krb5_cc_end_seq_get(
ctx,
destCC,
&destPos);
}
if (srcCC != NULL)
{
krb5_cc_close(ctx, srcCC);
}
krb5_free_cred_contents(ctx, &srcCreds);
krb5_free_cred_contents(ctx, &destCreds);
if (destClient != NULL)
{
krb5_free_principal(ctx, destClient);
}
}
return dwError;
error:
goto cleanup;
}
static krb5_error_code
krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id,
krb5_flags whichfields, krb5_creds *mcreds,
krb5_creds *creds, int nktypes, krb5_enctype *ktypes)
{
/* This function could be considerably faster if it kept indexing */
/* information.. sounds like a "next version" idea to me. :-) */
krb5_cc_cursor cursor;
krb5_error_code kret;
krb5_error_code nomatch_err = KRB5_CC_NOTFOUND;
struct {
krb5_creds creds;
int pref;
} fetched, best;
int have_creds = 0;
krb5_flags oflags = 0;
#define fetchcreds (fetched.creds)
/* Solaris Kerberos */
memset(&best, 0, sizeof (best));
memset(&fetched, 0, sizeof (fetched));
kret = krb5_cc_get_flags(context, id, &oflags);
if (kret != KRB5_OK)
return kret;
if (oflags & KRB5_TC_OPENCLOSE)
(void) krb5_cc_set_flags(context, id, oflags & ~KRB5_TC_OPENCLOSE);
kret = krb5_cc_start_seq_get(context, id, &cursor);
if (kret != KRB5_OK) {
if (oflags & KRB5_TC_OPENCLOSE)
krb5_cc_set_flags(context, id, oflags);
return kret;
}
while ((kret = krb5_cc_next_cred(context, id, &cursor, &fetchcreds)) == KRB5_OK) {
if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds))
{
if (ktypes) {
fetched.pref = pref (fetchcreds.keyblock.enctype,
nktypes, ktypes);
if (fetched.pref < 0)
nomatch_err = KRB5_CC_NOT_KTYPE;
else if (!have_creds || fetched.pref < best.pref) {
if (have_creds)
krb5_free_cred_contents (context, &best.creds);
else
have_creds = 1;
best = fetched;
continue;
}
} else {
krb5_cc_end_seq_get(context, id, &cursor);
*creds = fetchcreds;
/* Solaris Kerberos */
creds->keyblock.hKey = CK_INVALID_HANDLE;
if (oflags & KRB5_TC_OPENCLOSE)
krb5_cc_set_flags(context, id, oflags);
return KRB5_OK;
}
}
/* This one doesn't match */
krb5_free_cred_contents(context, &fetchcreds);
}
/* If we get here, a match wasn't found */
krb5_cc_end_seq_get(context, id, &cursor);
if (oflags & KRB5_TC_OPENCLOSE)
krb5_cc_set_flags(context, id, oflags);
if (have_creds) {
*creds = best.creds;
/* Solaris Kerberos */
creds->keyblock.hKey = CK_INVALID_HANDLE;
return KRB5_OK;
} else
return nomatch_err;
}
OM_uint32 KRB5_CALLCONV
gss_krb5int_copy_ccache(OM_uint32 *minor_status,
gss_cred_id_t cred_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
krb5_gss_cred_id_t k5creds;
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_error_code code;
krb5_context context;
krb5_ccache out_ccache;
assert(value->length == sizeof(out_ccache));
if (value->length != sizeof(out_ccache))
return GSS_S_FAILURE;
out_ccache = (krb5_ccache)value->value;
/* cred handle will have been validated by gssspi_set_cred_option() */
k5creds = (krb5_gss_cred_id_t) cred_handle;
code = k5_mutex_lock(&k5creds->lock);
if (code) {
*minor_status = code;
return GSS_S_FAILURE;
}
if (k5creds->usage == GSS_C_ACCEPT) {
k5_mutex_unlock(&k5creds->lock);
*minor_status = (OM_uint32) G_BAD_USAGE;
return(GSS_S_FAILURE);
}
code = krb5_gss_init_context(&context);
if (code) {
k5_mutex_unlock(&k5creds->lock);
*minor_status = code;
return GSS_S_FAILURE;
}
code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor);
if (code) {
k5_mutex_unlock(&k5creds->lock);
*minor_status = code;
save_error_info(*minor_status, context);
krb5_free_context(context);
return(GSS_S_FAILURE);
}
while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor,
&creds)) {
code = krb5_cc_store_cred(context, out_ccache, &creds);
krb5_free_cred_contents(context, &creds);
}
krb5_cc_end_seq_get(context, k5creds->ccache, &cursor);
k5_mutex_unlock(&k5creds->lock);
*minor_status = code;
if (code)
save_error_info(*minor_status, context);
krb5_free_context(context);
return code ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
/*
* Class: sun_security_krb5_Credentials
* Method: acquireDefaultNativeCreds
* Signature: ()Lsun/security/krb5/Credentials;
*/
JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds
(JNIEnv *env, jclass krbcredsClass)
{
jobject krbCreds = NULL;
krb5_error_code err = 0;
krb5_ccache ccache = NULL;
krb5_cc_cursor cursor = NULL;
krb5_creds creds;
krb5_flags flags = 0;
krb5_context kcontext = NULL;
/* Initialize the Kerberos 5 context */
err = krb5_init_context (&kcontext);
if (!err) {
err = krb5_cc_default (kcontext, &ccache);
}
if (!err) {
err = krb5_cc_set_flags (kcontext, ccache, flags); /* turn off OPENCLOSE */
}
if (!err) {
err = krb5_cc_start_seq_get (kcontext, ccache, &cursor);
}
if (!err) {
while ((err = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) {
char *serverName = NULL;
if (!err) {
err = krb5_unparse_name (kcontext, creds.server, &serverName);
printiferr (err, "while unparsing server name");
}
if (!err) {
if (strncmp (serverName, "krbtgt", strlen("krbtgt")) == 0) {
jobject ticket, clientPrincipal, targetPrincipal, encryptionKey;
jobject ticketFlags, startTime, endTime;
jobject authTime, renewTillTime, hostAddresses;
ticket = clientPrincipal = targetPrincipal = encryptionKey = NULL;
ticketFlags = startTime = endTime = NULL;
authTime = renewTillTime = hostAddresses = NULL;
// For the default credentials we're only interested in the krbtgt server.
clientPrincipal = BuildClientPrincipal(env, kcontext, creds.client);
if (clientPrincipal == NULL) goto cleanup;
targetPrincipal = BuildClientPrincipal(env, kcontext, creds.server);
if (targetPrincipal == NULL) goto cleanup;
// Build a com.ibm.security.krb5.Ticket
ticket = BuildTicket(env, &creds.ticket);
if (ticket == NULL) goto cleanup;
// Get the encryption key
encryptionKey = BuildEncryptionKey(env, &creds.keyblock);
if (encryptionKey == NULL) goto cleanup;
// and the ticket flags
ticketFlags = BuildTicketFlags(env, creds.ticket_flags);
if (ticketFlags == NULL) goto cleanup;
// Get the timestamps out.
startTime = BuildKerberosTime(env, creds.times.starttime);
if (startTime == NULL) goto cleanup;
authTime = BuildKerberosTime(env, creds.times.authtime);
if (authTime == NULL) goto cleanup;
endTime = BuildKerberosTime(env, creds.times.endtime);
if (endTime == NULL) goto cleanup;
renewTillTime = BuildKerberosTime(env, creds.times.renew_till);
if (renewTillTime == NULL) goto cleanup;
// Create the addresses object.
hostAddresses = BuildAddressList(env, creds.addresses);
if (krbcredsConstructor == 0) {
krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>",
"(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V");
if (krbcredsConstructor == 0) {
printf("Couldn't find com.ibm.security.krb5.Credentials constructor\n");
break;
}
}
// and now go build a KrbCreds object
krbCreds = (*env)->NewObject(
env,
krbcredsClass,
krbcredsConstructor,
ticket,
clientPrincipal,
targetPrincipal,
encryptionKey,
ticketFlags,
authTime,
startTime,
endTime,
renewTillTime,
hostAddresses);
cleanup:
if (ticket) (*env)->DeleteLocalRef(env, ticket);
if (clientPrincipal) (*env)->DeleteLocalRef(env, clientPrincipal);
if (targetPrincipal) (*env)->DeleteLocalRef(env, targetPrincipal);
if (encryptionKey) (*env)->DeleteLocalRef(env, encryptionKey);
if (ticketFlags) (*env)->DeleteLocalRef(env, ticketFlags);
if (authTime) (*env)->DeleteLocalRef(env, authTime);
if (startTime) (*env)->DeleteLocalRef(env, startTime);
if (endTime) (*env)->DeleteLocalRef(env, endTime);
if (renewTillTime) (*env)->DeleteLocalRef(env, renewTillTime);
if (hostAddresses) (*env)->DeleteLocalRef(env, hostAddresses);
}
}
if (serverName != NULL) {
krb5_free_unparsed_name (kcontext, serverName);
}
krb5_free_cred_contents (kcontext, &creds);
}
if (err == KRB5_CC_END) {
err = 0;
}
printiferr (err, "while retrieving a ticket");
}
if (!err) {
err = krb5_cc_end_seq_get (kcontext, ccache, &cursor);
printiferr (err, "while finishing ticket retrieval");
}
if (!err) {
flags = KRB5_TC_OPENCLOSE; /* restore OPENCLOSE mode */
err = krb5_cc_set_flags (kcontext, ccache, flags);
printiferr (err, "while finishing ticket retrieval");
}
krb5_free_context (kcontext);
return krbCreds;
}
static void
store_tickets(struct passwd *pwd, int ticket_newfiles, int ticket_store,
int token_install)
{
char cc_file[MAXPATHLEN];
krb5_ccache ccache_store;
#ifdef KRB524
int get_krb4_ticket = 0;
char krb4_ticket_file[MAXPATHLEN];
#endif
if (ticket_newfiles)
snprintf(cc_file, sizeof(cc_file), "FILE:/tmp/krb5cc_%d",
pwd->pw_uid);
else
snprintf(cc_file, sizeof(cc_file), "%s",
krb5_cc_default_name(context));
if (ticket_store) {
ret = krb5_cc_resolve(context, cc_file, &ccache_store);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"krb5_cc_gen_new");
exit(1);
}
ret = krb5_cc_copy_cache(context, ccache, ccache_store);
if (ret != 0)
krb5_syslog(context, LOG_ERR, ret,
"krb5_cc_copy_cache");
chown(krb5_cc_get_name(context, ccache_store),
pwd->pw_uid, pwd->pw_gid);
fprintf(back, BI_SETENV " KRB5CCNAME %s:%s\n",
krb5_cc_get_type(context, ccache_store),
krb5_cc_get_name(context, ccache_store));
#ifdef KRB524
get_krb4_ticket = krb5_config_get_bool_default (context,
NULL, get_krb4_ticket, "libdefaults",
"krb4_get_tickets", NULL);
if (get_krb4_ticket) {
CREDENTIALS c;
krb5_creds cred;
krb5_cc_cursor cursor;
ret = krb5_cc_start_seq_get(context, ccache, &cursor);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"start seq");
exit(1);
}
ret = krb5_cc_next_cred(context, ccache,
&cursor, &cred);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"next cred");
exit(1);
}
ret = krb5_cc_end_seq_get(context, ccache,
&cursor);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"end seq");
exit(1);
}
ret = krb524_convert_creds_kdc_ccache(context, ccache,
&cred, &c);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"convert");
} else {
snprintf(krb4_ticket_file,
sizeof(krb4_ticket_file),
"%s%d", TKT_ROOT, pwd->pw_uid);
krb_set_tkt_string(krb4_ticket_file);
tf_setup(&c, c.pname, c.pinst);
chown(krb4_ticket_file,
pwd->pw_uid, pwd->pw_gid);
}
}
#endif
}
/* Need to chown the ticket file */
#ifdef KRB524
if (get_krb4_ticket)
fprintf(back, BI_SETENV " KRBTKFILE %s\n",
krb4_ticket_file);
#endif
}
void
main(
int argc,
char *argv[]
)
{
krb5_context kcontext;
krb5_error_code code;
krb5_ccache ccache=NULL;
krb5_ccache mslsa_ccache=NULL;
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_principal princ;
int initial_ticket = 0;
int option;
char * ccachestr = 0;
prog = strrchr(argv[0], '/');
prog = prog ? (prog + 1) : argv[0];
while ((option = getopt(argc, argv, "c:h")) != -1) {
switch (option) {
case 'c':
ccachestr = optarg;
break;
case 'h':
default:
xusage();
break;
}
}
if (code = krb5_init_context(&kcontext)) {
com_err(argv[0], code, "while initializing kerberos library");
exit(1);
}
if (code = krb5_cc_resolve(kcontext, "MSLSA:", &mslsa_ccache)) {
com_err(argv[0], code, "while opening MS LSA ccache");
krb5_free_context(kcontext);
exit(1);
}
if (code = krb5_cc_set_flags(kcontext, mslsa_ccache, KRB5_TC_NOTICKET)) {
com_err(argv[0], code, "while setting KRB5_TC_NOTICKET flag");
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
exit(1);
}
/* Enumerate tickets from cache looking for an initial ticket */
if ((code = krb5_cc_start_seq_get(kcontext, mslsa_ccache, &cursor))) {
com_err(argv[0], code, "while initiating the cred sequence of MS LSA ccache");
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
exit(1);
}
while (!(code = krb5_cc_next_cred(kcontext, mslsa_ccache, &cursor, &creds)))
{
if ( creds.ticket_flags & TKT_FLG_INITIAL ) {
krb5_free_cred_contents(kcontext, &creds);
initial_ticket = 1;
break;
}
krb5_free_cred_contents(kcontext, &creds);
}
krb5_cc_end_seq_get(kcontext, mslsa_ccache, &cursor);
if (code = krb5_cc_set_flags(kcontext, mslsa_ccache, 0)) {
com_err(argv[0], code, "while clearing flags");
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
exit(1);
}
if ( !initial_ticket ) {
fprintf(stderr, "%s: Initial Ticket Getting Tickets are not available from the MS LSA\n",
argv[0]);
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
exit(1);
}
if (code = krb5_cc_get_principal(kcontext, mslsa_ccache, &princ)) {
com_err(argv[0], code, "while obtaining MS LSA principal");
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
exit(1);
}
if (ccachestr)
code = krb5_cc_resolve(kcontext, ccachestr, &ccache);
else
code = krb5_cc_default(kcontext, &ccache);
if (code) {
com_err(argv[0], code, "while getting default ccache");
krb5_free_principal(kcontext, princ);
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
exit(1);
}
if (code = krb5_cc_initialize(kcontext, ccache, princ)) {
com_err (argv[0], code, "when initializing ccache");
krb5_free_principal(kcontext, princ);
krb5_cc_close(kcontext, mslsa_ccache);
krb5_cc_close(kcontext, ccache);
krb5_free_context(kcontext);
exit(1);
}
if (code = krb5_cc_copy_creds(kcontext, mslsa_ccache, ccache)) {
com_err (argv[0], code, "while copying MS LSA ccache to default ccache");
krb5_free_principal(kcontext, princ);
krb5_cc_close(kcontext, ccache);
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
exit(1);
}
krb5_free_principal(kcontext, princ);
krb5_cc_close(kcontext, ccache);
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
return(0);
}
static int
kinit_check_tgt(kinit_data *kid, int *remaining)
{
int ret=3;
krb5_principal princ;
krb5_error_code rc;
krb5_cc_cursor cursor;
krb5_creds creds;
char *name;
time_t now=time(NULL);
rc = krb5_cc_get_principal(kid->ctx, kid->ccache, &princ);
if (rc) {
log_krb5_errmsg(kid->ctx, "krb5_cc_get_principal", rc);
return 2;
} else {
if (!krb5_principal_compare(kid->ctx, kid->princ, princ)) {
Log(LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
"Principal in ccache does not match requested principal\n");
krb5_free_principal(kid->ctx, princ);
return 2;
}
}
rc = krb5_cc_start_seq_get(kid->ctx, kid->ccache, &cursor);
if (rc) {
log_krb5_errmsg(kid->ctx, "krb5_cc_start_seq_get", rc);
krb5_free_principal(kid->ctx, princ);
return -1;
}
while (!(rc = krb5_cc_next_cred(kid->ctx, kid->ccache, &cursor, &creds))) {
if (krb5_is_config_principal(kid->ctx, creds.server)) {
krb5_free_cred_contents(kid->ctx, &creds);
continue;
}
if (creds.server->length==2 &&
(!strcmp(creds.server->data[0].data, "krbtgt")) &&
(!strcmp(creds.server->data[1].data, princ->realm.data))) {
krb5_unparse_name(kid->ctx, creds.server, &name);
*remaining = (time_t)creds.times.endtime-now;
if ( *remaining <= 0) {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: TGT (%s) expired\n", name);
} else {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: TGT (%s) expires in %dh:%02dm:%02ds\n",
name, *remaining/3600, (*remaining%3600)/60, *remaining%60);
}
free(name);
if (*remaining <= 30) {
if (creds.times.renew_till-60 > now) {
int renewal=creds.times.renew_till-now;
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: Time remaining for renewal: %dh:%02dm:%02ds\n",
renewal/3600, (renewal%3600)/60, renewal%60);
ret = 1;
} else {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: Only short time left for renewal. "
"Trying to re-init.\n");
ret = 2;
}
} else {
ret=0;
}
krb5_free_cred_contents(kid->ctx, &creds);
break;
}
krb5_free_cred_contents(kid->ctx, &creds);
}
krb5_cc_end_seq_get(kid->ctx, kid->ccache, &cursor);
krb5_free_principal(kid->ctx, princ);
return ret;
}
static
NTSTATUS
LwIoCredentialCacheToTgt(
PIO_CREDS pCacheToken,
PIO_CREDS* ppCreds
)
{
NTSTATUS Status = STATUS_SUCCESS;
krb5_context pContext = NULL;
krb5_error_code krb5Error = 0;
krb5_ccache pCache = NULL;
PSTR pszClientPrincipalName = NULL;
PSTR pszServerPrincipalName = NULL;
PSTR pszDesiredPrincipal = NULL;
PSTR pszCredCachePath = NULL;
PIO_CREDS pCreds = NULL;
BOOLEAN bFoundTgt = FALSE;
BOOLEAN bStartSeq = FALSE;
krb5_creds creds;
krb5_cc_cursor cursor;
Status = LwRtlCStringAllocateFromWC16String(
&pszDesiredPrincipal,
pCacheToken->payload.krb5Ccache.pwszPrincipal);
BAIL_ON_NT_STATUS(Status);
Status = LwRtlCStringAllocateFromWC16String(
&pszCredCachePath,
pCacheToken->payload.krb5Ccache.pwszCachePath);
BAIL_ON_NT_STATUS(Status);
/* Open credentials cache */
krb5Error = krb5_init_context(&pContext);
if (krb5Error)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
BAIL_ON_NT_STATUS(Status);
}
krb5Error = krb5_cc_resolve(pContext, pszCredCachePath, &pCache);
if (krb5Error)
{
Status = STATUS_UNSUCCESSFUL;
BAIL_ON_NT_STATUS(Status);
}
/* Look for a TGT */
krb5Error = krb5_cc_start_seq_get(pContext, pCache, &cursor);
if (krb5Error)
{
Status = STATUS_UNSUCCESSFUL;
BAIL_ON_NT_STATUS(Status);
}
bStartSeq = TRUE;
while ((krb5Error = krb5_cc_next_cred(pContext, pCache, &cursor, &creds)) == 0)
{
/* Look tickets with the intial flag set */
if (creds.ticket_flags & TKT_FLG_INITIAL)
{
/* Extract and compare client principal with desired principal */
krb5Error = krb5_unparse_name(pContext, creds.client, &pszClientPrincipalName);
if (krb5Error)
{
Status = STATUS_UNSUCCESSFUL;
BAIL_ON_NT_STATUS(Status);
}
if (!strcmp(pszClientPrincipalName, pszDesiredPrincipal))
{
bFoundTgt = TRUE;
break;
}
krb5_free_unparsed_name(pContext, pszClientPrincipalName);
pszClientPrincipalName = NULL;
}
krb5_free_cred_contents(pContext, &creds);
}
if (!bFoundTgt)
{
Status = STATUS_UNSUCCESSFUL;
BAIL_ON_NT_STATUS(Status);
}
/* Extract server principal name */
krb5Error = krb5_unparse_name(pContext, creds.server, &pszServerPrincipalName);
if (krb5Error)
{
Status = STATUS_UNSUCCESSFUL;
BAIL_ON_NT_STATUS(Status);
}
/* Construct token from krb5 credential data */
Status = LwIoAllocateMemory(sizeof(*pCreds), OUT_PPVOID(&pCreds));
BAIL_ON_NT_STATUS(Status);
pCreds->type = IO_CREDS_TYPE_KRB5_TGT;
/* Copy principal names */
Status = LwRtlWC16StringAllocateFromCString(
&pCreds->payload.krb5Tgt.pwszClientPrincipal,
pszClientPrincipalName);
BAIL_ON_NT_STATUS(Status);
Status = LwRtlWC16StringAllocateFromCString(
&pCreds->payload.krb5Tgt.pwszServerPrincipal,
pszServerPrincipalName);
BAIL_ON_NT_STATUS(Status);
/* Set time fields */
pCreds->payload.krb5Tgt.authTime = creds.times.authtime;
pCreds->payload.krb5Tgt.startTime = creds.times.starttime;
pCreds->payload.krb5Tgt.endTime = creds.times.endtime;
pCreds->payload.krb5Tgt.renewTillTime = creds.times.renew_till;
/* Copy encryption key */
pCreds->payload.krb5Tgt.keyType = creds.keyblock.enctype;
pCreds->payload.krb5Tgt.ulKeySize = creds.keyblock.length;
Status = LwIoAllocateMemory(
creds.keyblock.length,
OUT_PPVOID(&pCreds->payload.krb5Tgt.pKeyData));
BAIL_ON_NT_STATUS(Status);
memcpy(
pCreds->payload.krb5Tgt.pKeyData,
creds.keyblock.contents,
creds.keyblock.length);
/* Copy tgt */
pCreds->payload.krb5Tgt.tgtFlags = creds.ticket_flags;
pCreds->payload.krb5Tgt.ulTgtSize = creds.ticket.length;
Status = LwIoAllocateMemory(
creds.ticket.length,
OUT_PPVOID(&pCreds->payload.krb5Tgt.pTgtData));
BAIL_ON_NT_STATUS(Status);
memcpy(
pCreds->payload.krb5Tgt.pTgtData,
creds.ticket.data,
creds.ticket.length);
*ppCreds = pCreds;
cleanup:
LWIO_SAFE_FREE_MEMORY(pszDesiredPrincipal);
LWIO_SAFE_FREE_MEMORY(pszCredCachePath);
if (pszClientPrincipalName)
{
krb5_free_unparsed_name(pContext, pszClientPrincipalName);
}
if (pszServerPrincipalName)
{
krb5_free_unparsed_name(pContext, pszServerPrincipalName);
}
if (bFoundTgt)
{
krb5_free_cred_contents(pContext, &creds);
}
if (bStartSeq)
{
krb5_cc_end_seq_get(pContext, pCache, &cursor);
}
if (pCache)
{
krb5_cc_close(pContext, pCache);
}
if (pContext)
{
krb5_free_context(pContext);
}
return Status;
error:
*ppCreds = NULL;
if (pCreds)
{
LwIoDeleteCreds(pCreds);
}
goto cleanup;
}