/* Check that krb5_cc_cache_match on princ returns a cache whose name matches
* expected_name, or that the match fails if expected_name is NULL. */
static void
check_match(krb5_principal princ, const char *expected_name)
{
krb5_ccache cache;
if (expected_name != NULL) {
check(krb5_cc_cache_match(ctx, princ, &cache));
check_name(cache, expected_name);
krb5_cc_close(ctx, cache);
} else {
assert(krb5_cc_cache_match(ctx, princ, &cache) != 0);
}
}
char * sss_get_ccache_name_for_principal(TALLOC_CTX *mem_ctx,
krb5_context ctx,
krb5_principal principal,
const char *location)
{
#ifdef HAVE_KRB5_CC_COLLECTION
krb5_error_code kerr;
krb5_ccache tmp_cc = NULL;
char *tmp_ccname = NULL;
char *ret_ccname = NULL;
DEBUG(SSSDBG_TRACE_ALL,
"Location: [%s]\n", location);
kerr = krb5_cc_set_default_name(ctx, location);
if (kerr != 0) {
KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr);
return NULL;
}
kerr = krb5_cc_cache_match(ctx, principal, &tmp_cc);
if (kerr != 0) {
const char *err_msg = sss_krb5_get_error_message(ctx, kerr);
DEBUG(SSSDBG_TRACE_INTERNAL,
"krb5_cc_cache_match failed: [%d][%s]\n", kerr, err_msg);
sss_krb5_free_error_message(ctx, err_msg);
return NULL;
}
kerr = krb5_cc_get_full_name(ctx, tmp_cc, &tmp_ccname);
if (kerr != 0) {
KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr);
goto done;
}
DEBUG(SSSDBG_TRACE_ALL,
"tmp_ccname: [%s]\n", tmp_ccname);
ret_ccname = talloc_strdup(mem_ctx, tmp_ccname);
if (ret_ccname == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed (ENOMEM).\n");
}
done:
if (tmp_cc != NULL) {
kerr = krb5_cc_close(ctx, tmp_cc);
if (kerr != 0) {
KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr);
}
}
krb5_free_string(ctx, tmp_ccname);
return ret_ccname;
#else
return NULL;
#endif /* HAVE_KRB5_CC_COLLECTION */
}
static void
test_cache_find(krb5_context context, const char *principal, int find)
{
krb5_principal client;
krb5_error_code ret;
krb5_ccache id = NULL;
ret = krb5_parse_name(context, principal, &client);
if (ret)
krb5_err(context, 1, ret, "parse_name for %s failed", principal);
ret = krb5_cc_cache_match(context, client, &id);
if (ret && find)
krb5_err(context, 1, ret, "cc_cache_match for %s failed", principal);
if (ret == 0 && !find)
krb5_err(context, 1, ret, "cc_cache_match for %s found", principal);
if (id)
krb5_cc_close(context, id);
krb5_free_principal(context, client);
}
/*
* Acquires an initiator credential from a ccache or using a keytab.
*/
static OM_uint32
acquire_initiator_cred(OM_uint32 *minor_status,
krb5_context context,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gsskrb5_cred handle)
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_creds cred;
krb5_get_init_creds_opt *opt;
krb5_principal def_princ = NULL;
krb5_ccache def_ccache = NULL;
krb5_ccache ccache = NULL; /* we may store into this ccache */
krb5_keytab keytab = NULL;
krb5_error_code kret = 0;
OM_uint32 left;
time_t lifetime = 0;
time_t now;
memset(&cred, 0, sizeof(cred));
/*
* Get current time early so we can set handle->endtime to a value that
* cannot accidentally be past the real endtime. We need a variant of
* krb5_cc_get_lifetime() that returns absolute endtime.
*/
krb5_timeofday(context, &now);
/*
* First look for a ccache that has the desired_name (which may be
* the default credential name).
*
* If we don't have an unexpired credential, acquire one with a
* keytab.
*
* If we acquire one with a keytab, save it in the ccache we found
* with the expired credential, if any.
*
* If we don't have any such ccache, then use a MEMORY ccache.
*/
if (handle->principal != NULL) {
/*
* Not default credential case. See if we can find a ccache in
* the cccol for the desired_name.
*/
kret = krb5_cc_cache_match(context,
handle->principal,
&ccache);
if (kret == 0) {
kret = krb5_cc_get_lifetime(context, ccache, &lifetime);
if (kret == 0) {
if (lifetime > 0)
goto found;
else
goto try_keytab;
}
}
/*
* Fall through. We shouldn't find this in the default ccache
* either, but we'll give it a try, then we'll try using a keytab.
*/
}
/*
* Either desired_name was GSS_C_NO_NAME (default cred) or
* krb5_cc_cache_match() failed (or found expired).
*/
kret = krb5_cc_default(context, &def_ccache);
if (kret != 0)
goto try_keytab;
kret = krb5_cc_get_lifetime(context, def_ccache, &lifetime);
if (kret != 0)
lifetime = 0;
kret = krb5_cc_get_principal(context, def_ccache, &def_princ);
if (kret != 0)
goto try_keytab;
/*
* Have a default ccache; see if it matches desired_name.
*/
if (handle->principal == NULL ||
krb5_principal_compare(context, handle->principal,
def_princ) == TRUE) {
/*
* It matches.
*
* If we end up trying a keytab then we can write the result to
* the default ccache.
*/
if (handle->principal == NULL) {
kret = krb5_copy_principal(context, def_princ, &handle->principal);
if (kret)
goto end;
}
if (ccache != NULL)
krb5_cc_close(context, ccache);
ccache = def_ccache;
def_ccache = NULL;
if (lifetime > 0)
goto found;
/* else we fall through and try using a keytab */
}
try_keytab:
if (handle->principal == NULL) {
/* We need to know what client principal to use */
kret = krb5_get_default_principal(context, &handle->principal);
if (kret)
goto end;
}
kret = get_keytab(context, &keytab);
if (kret)
goto end;
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
krb5_timeofday(context, &now);
kret = krb5_get_init_creds_keytab(context, &cred, handle->principal,
keytab, 0, NULL, opt);
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
/*
* We got a credential with a keytab. Save it if we can.
*/
if (ccache == NULL) {
/*
* There's no ccache we can overwrite with the credentials we acquired
* with a keytab. We'll use a MEMORY ccache then.
*
* Note that an application that falls into this repeatedly will do an
* AS exchange every time it acquires a credential handle. Hopefully
* this doesn't happen much. A workaround is to kinit -k once so that
* we always re-initialize the matched/default ccache here. I.e., once
* there's a FILE/DIR ccache, we'll keep it frash automatically if we
* have a keytab, but if there's no FILE/DIR ccache, then we'll
* get a fresh credential *every* time we're asked.
*/
kret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache);
if (kret)
goto end;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
} /* else we'll re-initialize whichever ccache we matched above */
kret = krb5_cc_initialize(context, ccache, cred.client);
if (kret)
goto end;
kret = krb5_cc_store_cred(context, ccache, &cred);
if (kret)
goto end;
found:
assert(handle->principal != NULL);
ret = __gsskrb5_ccache_lifetime(minor_status, context, ccache,
handle->principal, &left);
if (ret != GSS_S_COMPLETE)
goto end;
handle->endtime = now + left;
handle->ccache = ccache;
ccache = NULL;
ret = GSS_S_COMPLETE;
kret = 0;
end:
if (ccache != NULL) {
if ((handle->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE) != 0)
krb5_cc_destroy(context, ccache);
else
krb5_cc_close(context, ccache);
}
if (def_ccache != NULL)
krb5_cc_close(context, def_ccache);
if (cred.client != NULL)
krb5_free_cred_contents(context, &cred);
if (def_princ != NULL)
krb5_free_principal(context, def_princ);
if (keytab != NULL)
krb5_kt_close(context, keytab);
if (ret != GSS_S_COMPLETE && kret != 0)
*minor_status = kret;
return (ret);
}
int
kswitch(struct kswitch_options *opt, int argc, char **argv)
{
krb5_error_code ret;
krb5_ccache id = NULL;
if (opt->cache_string && opt->principal_string)
krb5_errx(kcc_context, 1,
N_("Both --cache and --principal given, choose one", ""));
if (opt->interactive_flag) {
krb5_cc_cache_cursor cursor;
krb5_ccache *ids = NULL;
size_t i, len = 0;
char *name;
rtbl_t ct;
ct = rtbl_create();
rtbl_add_column_by_id(ct, 0, "#", 0);
rtbl_add_column_by_id(ct, 1, "Principal", 0);
rtbl_set_column_affix_by_id(ct, 1, " ", "");
rtbl_add_column_by_id(ct, 2, "Type", 0);
rtbl_set_column_affix_by_id(ct, 2, " ", "");
ret = krb5_cc_cache_get_first(kcc_context, NULL, &cursor);
if (ret)
krb5_err(kcc_context, 1, ret, "krb5_cc_cache_get_first");
while (krb5_cc_cache_next(kcc_context, cursor, &id) == 0) {
krb5_principal p;
char num[10];
ret = krb5_cc_get_principal(kcc_context, id, &p);
if (ret)
continue;
ret = krb5_unparse_name(kcc_context, p, &name);
krb5_free_principal(kcc_context, p);
snprintf(num, sizeof(num), "%d", (int)(len + 1));
rtbl_add_column_entry_by_id(ct, 0, num);
rtbl_add_column_entry_by_id(ct, 1, name);
rtbl_add_column_entry_by_id(ct, 2, krb5_cc_get_type(kcc_context, id));
free(name);
ids = erealloc(ids, (len + 1) * sizeof(ids[0]));
ids[len] = id;
len++;
}
krb5_cc_cache_end_seq_get(kcc_context, cursor);
rtbl_format(ct, stdout);
rtbl_destroy(ct);
name = readline("Select number: ");
if (name) {
i = atoi(name);
if (i == 0)
krb5_errx(kcc_context, 1, "Cache number '%s' is invalid", name);
if (i > len)
krb5_errx(kcc_context, 1, "Cache number '%s' is too large", name);
id = ids[i - 1];
ids[i - 1] = NULL;
} else
krb5_errx(kcc_context, 1, "No cache selected");
for (i = 0; i < len; i++)
if (ids[i])
krb5_cc_close(kcc_context, ids[i]);
} else if (opt->principal_string) {
krb5_principal p;
ret = krb5_parse_name(kcc_context, opt->principal_string, &p);
if (ret)
krb5_err(kcc_context, 1, ret, "krb5_parse_name: %s",
opt->principal_string);
ret = krb5_cc_cache_match(kcc_context, p, &id);
if (ret)
krb5_err(kcc_context, 1, ret,
N_("Did not find principal: %s", ""),
opt->principal_string);
krb5_free_principal(kcc_context, p);
} else if (opt->cache_string) {
const krb5_cc_ops *ops;
char *str;
ops = krb5_cc_get_prefix_ops(kcc_context, opt->type_string);
if (ops == NULL)
krb5_err(kcc_context, 1, 0, "krb5_cc_get_prefix_ops");
asprintf(&str, "%s:%s", ops->prefix, opt->cache_string);
if (str == NULL)
krb5_errx(kcc_context, 1, N_("out of memory", ""));
ret = krb5_cc_resolve(kcc_context, str, &id);
if (ret)
krb5_err(kcc_context, 1, ret, "krb5_cc_resolve: %s", str);
free(str);
} else {
krb5_errx(kcc_context, 1, "missing option for kswitch");
}
ret = krb5_cc_switch(kcc_context, id);
if (ret)
krb5_err(kcc_context, 1, ret, "krb5_cc_switch");
return 0;
}
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
gss_const_OID credential_type,
const void *credential_data,
gss_const_name_t desired_name,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gsskrb5_cred handle
)
{
OM_uint32 ret;
krb5_creds cred;
krb5_principal def_princ;
krb5_get_init_creds_opt *opt;
krb5_ccache ccache;
krb5_keytab keytab;
krb5_error_code kret;
keytab = NULL;
ccache = NULL;
def_princ = NULL;
ret = GSS_S_FAILURE;
memset(&cred, 0, sizeof(cred));
/*
* If we have a preferred principal, lets try to find it in all
* caches, otherwise, fall back to default cache, ignore all
* errors while searching.
*/
if (credential_type != GSS_C_NO_OID &&
!gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
kret = KRB5_NOCREDS_SUPPLIED; /* XXX */
goto end;
}
if (handle->principal) {
kret = krb5_cc_cache_match (context,
handle->principal,
&ccache);
if (kret == 0) {
ret = GSS_S_COMPLETE;
goto found;
}
}
if (ccache == NULL) {
kret = krb5_cc_default(context, &ccache);
if (kret)
goto end;
}
kret = krb5_cc_get_principal(context, ccache, &def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
krb5_cc_close(context, ccache);
def_princ = NULL;
kret = 0;
} else if (handle->principal == NULL) {
kret = krb5_copy_principal(context, def_princ, &handle->principal);
if (kret)
goto end;
} else if (handle->principal != NULL &&
krb5_principal_compare(context, handle->principal,
def_princ) == FALSE) {
krb5_free_principal(context, def_princ);
def_princ = NULL;
krb5_cc_close(context, ccache);
ccache = NULL;
}
if (def_princ == NULL) {
/* We have no existing credentials cache,
* so attempt to get a TGT using a keytab.
*/
if (handle->principal == NULL) {
kret = krb5_get_default_principal(context, &handle->principal);
if (kret)
goto end;
}
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
if (credential_type != GSS_C_NO_OID &&
gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
gss_buffer_t password = (gss_buffer_t)credential_data;
/* XXX are we requiring password to be NUL terminated? */
kret = krb5_get_init_creds_password(context, &cred,
handle->principal,
password->value,
NULL, NULL, 0, NULL, opt);
} else {
kret = get_keytab(context, &keytab);
if (kret) {
krb5_get_init_creds_opt_free(context, opt);
goto end;
}
kret = krb5_get_init_creds_keytab(context, &cred,
handle->principal, keytab,
0, NULL, opt);
}
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
kret = krb5_cc_new_unique(context, krb5_cc_type_memory,
NULL, &ccache);
if (kret)
goto end;
kret = krb5_cc_initialize(context, ccache, cred.client);
if (kret) {
krb5_cc_destroy(context, ccache);
goto end;
}
kret = krb5_cc_store_cred(context, ccache, &cred);
if (kret) {
krb5_cc_destroy(context, ccache);
goto end;
}
handle->lifetime = cred.times.endtime;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
} else {
ret = __gsskrb5_ccache_lifetime(minor_status,
context,
ccache,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE) {
krb5_cc_close(context, ccache);
goto end;
}
kret = 0;
}
found:
handle->ccache = ccache;
ret = GSS_S_COMPLETE;
end:
if (cred.client != NULL)
krb5_free_cred_contents(context, &cred);
if (def_princ != NULL)
krb5_free_principal(context, def_princ);
if (keytab != NULL)
krb5_kt_close(context, keytab);
if (ret != GSS_S_COMPLETE && kret != 0)
*minor_status = kret;
return (ret);
}
OM_uint32 GSSAPI_CALLCONV
_gss_krb5_acquire_cred_ext(OM_uint32 * minor_status,
const gss_name_t desired_name,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle)
{
krb5_init_creds_context ctx = NULL;
krb5_get_init_creds_opt *opt = NULL;
krb5_principal principal;
krb5_context context;
krb5_error_code kret;
gsskrb5_cred handle = NULL;
krb5_ccache ccache = NULL, ccachereplace = NULL;
char *passwordstr = NULL;
char *cache_name = NULL;
char *lkdc_hostname = NULL;
hx509_cert hxcert = NULL;
heim_array_t bundleacl = NULL;
krb5_principal new_name = NULL;
GSSAPI_KRB5_INIT(&context);
cred_usage &= GSS_C_OPTION_MASK;
if (cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
}
if (desired_name == GSS_C_NO_NAME)
return GSS_S_FAILURE;
if (gss_oid_equal(credential_type, GSS_C_CRED_HEIMBASE)) {
heim_object_t pw, cname, cert, lkdc;
heim_dict_t dict = (heim_dict_t)credential_data;
pw = heim_dict_copy_value(dict, _gsskrb5_kGSSICPassword);
if (pw) {
if (heim_get_tid(pw) == heim_string_get_type_id()) {
passwordstr = heim_string_copy_utf8(pw);
if (passwordstr == NULL) {
kret = ENOMEM;
goto out;
}
} else if (heim_get_tid(pw) == heim_data_get_type_id()) {
passwordstr = malloc(heim_data_get_length(pw) + 1);
if (passwordstr == NULL) {
kret = ENOMEM;
goto out;
}
memcpy(passwordstr, heim_data_get_bytes(pw), heim_data_get_length(pw));
passwordstr[heim_data_get_length(pw)] = '\0';
}
heim_release(pw);
}
cname = heim_dict_copy_value(dict, _gsskrb5_kGSSICKerberosCacheName);
if (cname) {
cache_name = heim_string_copy_utf8(cname);
heim_release(cname);
}
bundleacl = heim_dict_copy_value(dict, _gsskrb5_kGSSICAppIdentifierACL);
#ifdef PKINIT
cert = heim_dict_copy_value(dict, _gsskrb5_kGSSICCertificate);
if (cert) {
kret = hx509_cert_init_SecFramework(context->hx509ctx, cert, &hxcert);
if (kret)
goto out;
heim_release(cert);
}
#endif
lkdc = heim_dict_copy_value(dict, _gsskrb5_kGSSICLKDCHostname);
if (lkdc) {
lkdc_hostname = heim_string_copy_utf8(lkdc);
heim_release(lkdc);
}
} else if (gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
gss_buffer_t password = (gss_buffer_t)credential_data;
passwordstr = malloc(password->length + 1);
if (passwordstr == NULL) {
kret = ENOMEM;
goto out;
}
memcpy(passwordstr, password->value, password->length);
passwordstr[password->length] = '\0';
} else {
*minor_status = KRB5_NOCREDS_SUPPLIED; /* XXX */
return GSS_S_FAILURE;
}
if (passwordstr == NULL && hxcert == NULL) {
*minor_status = KRB5_NOCREDS_SUPPLIED; /* XXX */
return GSS_S_FAILURE;
}
*output_cred_handle = NULL;
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
principal = (krb5_principal)desired_name;
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
kret = krb5_copy_principal(context, principal, &handle->principal);
if (kret)
goto out;
kret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
if (kret)
goto out;
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto out;
krb5_get_init_creds_opt_set_default_flags(context, "gss", krb5_principal_get_realm(context, principal), opt);
krb5_get_init_creds_opt_set_forwardable(opt, 1);
krb5_get_init_creds_opt_set_proxiable(opt, 1);
krb5_get_init_creds_opt_set_renew_life(opt, 3600 * 24 * 30); /* 1 month */
if (hxcert) {
char *cert_pool[2] = { "KEYCHAIN:", NULL };
kret = krb5_get_init_creds_opt_set_pkinit(context, opt, principal,
NULL, "KEYCHAIN:",
cert_pool, NULL, 8,
NULL, NULL, NULL);
if (kret)
goto out;
}
kret = krb5_init_creds_init(context, handle->principal, NULL, NULL, NULL, opt, &ctx);
if (kret)
goto out;
if (passwordstr) {
kret = krb5_init_creds_set_password(context, ctx, passwordstr);
memset(passwordstr, 0, strlen(passwordstr));
free(passwordstr);
passwordstr = NULL;
if (kret)
goto out;
}
if (hxcert) {
kret = krb5_init_creds_set_pkinit_client_cert(context, ctx, hxcert);
if (kret)
goto out;
}
if (lkdc_hostname) {
kret = krb5_init_creds_set_kdc_hostname(context, ctx, lkdc_hostname);
free(lkdc_hostname);
lkdc_hostname = NULL;
if (kret)
goto out;
}
kret = krb5_init_creds_get(context, ctx);
if (kret)
goto out;
handle->endtime = _krb5_init_creds_get_cred_endtime(context, ctx);
/*
* If we where subjected to a referral, update the name of the credential
*/
new_name = _krb5_init_creds_get_cred_client(context, ctx);
if (new_name && !krb5_principal_compare(context, new_name, handle->principal)) {
krb5_free_principal(context, handle->principal);
kret = krb5_copy_principal(context, new_name, &handle->principal);
if (kret)
goto out;
}
/*
* Now store the credential
*/
if (cache_name) {
/* check if caller told us to use a specific cache */
kret = krb5_cc_resolve(context, cache_name, &ccachereplace);
if (kret)
goto out;
} else {
/*
* check if there an existing cache to overwrite before we lay
* down the new cache
*/
(void)krb5_cc_cache_match(context, principal, &ccachereplace);
}
kret = krb5_init_creds_store(context, ctx, ccache);
if (kret == 0)
kret = krb5_init_creds_store_config(context, ctx, ccache);
if (bundleacl)
krb5_cc_set_acl(context, ccache, "kHEIMAttrBundleIdentifierACL", bundleacl);
krb5_init_creds_free(context, ctx);
ctx = NULL;
if (kret)
goto out;
krb5_get_init_creds_opt_free(context, opt);
opt = NULL;
/*
* If we have a credential with the same naame, lets overwrite it
*/
if (ccachereplace) {
kret = krb5_cc_move(context, ccache, ccachereplace);
if (kret)
goto out;
handle->ccache = ccachereplace;
ccachereplace = NULL;
} else {
handle->ccache = ccache;
}
handle->usage = cred_usage;
*minor_status = 0;
*output_cred_handle = (gss_cred_id_t)handle;
if (cache_name)
free(cache_name);
heim_release(bundleacl);
return GSS_S_COMPLETE;
out:
if (bundleacl)
heim_release(bundleacl);
if (opt)
krb5_get_init_creds_opt_free(context, opt);
if (ctx)
krb5_init_creds_free(context, ctx);
if (lkdc_hostname)
free(lkdc_hostname);
if (cache_name)
free(cache_name);
if (passwordstr) {
memset(passwordstr, 0, strlen(passwordstr));
free(passwordstr);
}
if (ccachereplace)
krb5_cc_close(context, ccachereplace);
if (ccache)
krb5_cc_destroy(context, ccache);
if (handle) {
if (handle->principal)
krb5_free_principal(context, handle->principal);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
}
*minor_status = kret;
return GSS_S_FAILURE;
}
OM_uint32
_gss_iakerb_acquire_cred_ext(OM_uint32 * minor_status,
const gss_name_t desired_name,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle)
{
krb5_context context;
gsskrb5_cred handle;
krb5_error_code ret;
krb5_creds cred;
gss_buffer_t credential_buffer = NULL;
#ifdef PKINIT
hx509_cert cert = NULL;
#endif
memset(&cred, 0, sizeof(cred));
if (cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH)
return GSS_S_FAILURE;
GSSAPI_KRB5_INIT_STATUS(&context, status);
/* pick up the credential */
if (gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
credential_buffer = (gss_buffer_t)credential_data;
if (credential_buffer->length + 1 < credential_buffer->length)
return GSS_S_FAILURE;
#ifdef PKINIT
} else if (gss_oid_equal(credential_type, GSS_C_CRED_CERTIFICATE)) {
cert = (hx509_cert)credential_data;
} else if (gss_oid_equal(credential_type, GSS_C_CRED_SecIdentity)) {
ret = hx509_cert_init_SecFramework(context->hx509ctx, rk_UNCONST(credential_data), &cert);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
#endif
} else {
*minor_status = KRB5_NOCREDS_SUPPLIED;
return GSS_S_FAILURE;
}
if (desired_name == GSS_C_NO_NAME)
return GSS_S_FAILURE;
handle = calloc(1, sizeof(*handle));
if (handle == NULL)
return (GSS_S_FAILURE);
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
handle->usage = GSS_C_INITIATE;
{
krb5_principal princ = (krb5_principal)desired_name;
ret = krb5_copy_principal(context, princ, &handle->principal);
if (ret) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = ret;
return GSS_S_FAILURE;
}
}
if (credential_buffer) {
handle->password = malloc(credential_buffer->length + 1);
if (handle->password == NULL) {
krb5_free_principal(context, handle->principal);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
memcpy(handle->password, credential_buffer->value, credential_buffer->length);
handle->password[credential_buffer->length] = '\0';
}
#ifdef PKINIT
if (cert)
handle->cert = heim_retain(cert);
#endif
handle->keytab = NULL;
handle->ccache = NULL;
handle->endtime = INT_MAX;
/*
* Lets overwrite the same credentials if we already have it
*/
ret = krb5_cc_cache_match(context, handle->principal, &handle->ccache);
if (ret) {
ret = krb5_cc_new_unique(context, krb5_cc_type_api, NULL, &handle->ccache);
if (ret)
goto out;
}
ret = krb5_cc_initialize(context, handle->ccache, handle->principal);
if (ret)
goto out;
{
krb5_data data;
krb5_data_zero(&data);
krb5_cc_set_config(context, handle->ccache, NULL, "iakerb", &data);
}
if (handle->password) {
krb5_data pw;
pw.data = handle->password;
pw.length = strlen(handle->password);
ret = krb5_cc_set_config(context, handle->ccache, NULL, "password", &pw);
if (ret)
goto out;
}
#ifdef PKINIT
if (handle->cert) {
krb5_data pd;
ret = hx509_cert_get_persistent(handle->cert, &pd);
if (ret)
goto out;
ret = krb5_cc_set_config(context, handle->ccache, NULL, "certificate-ref", &pd);
der_free_octet_string(&pd);
if (ret)
goto out;
}
#endif
*output_cred_handle = (gss_cred_id_t) handle;
*minor_status = 0;
return GSS_S_COMPLETE;
out:
krb5_free_principal(context, handle->principal);
if (handle->password) {
memset(handle->password, 0, strlen(handle->password));
free(handle->password);
}
#ifdef PKINIT
if (handle->cert)
hx509_cert_free(handle->cert);
#endif
if (handle->ccache)
krb5_cc_destroy(context, handle->ccache);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
free(handle);
*minor_status = ret;
return GSS_S_FAILURE;
}
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
const gss_name_t desired_name,
OM_uint32 time_req,
gss_cred_usage_t cred_usage,
gsskrb5_cred handle
)
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_creds cred;
krb5_principal def_princ = NULL;
krb5_get_init_creds_opt *opt;
krb5_ccache ccache = NULL;
krb5_error_code kret;
memset(&cred, 0, sizeof(cred));
/*
* If we have a preferred principal, lets try to find it in all
* caches, otherwise, fall back to default cache, ignore all
* errors while searching.
*/
if (handle->principal) {
kret = krb5_cc_cache_match (context,
handle->principal,
&ccache);
if (kret == 0) {
goto found;
}
}
if (ccache == NULL) {
kret = krb5_cc_default(context, &ccache);
if (kret)
goto end;
}
kret = krb5_cc_get_principal(context, ccache, &def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
krb5_cc_close(context, ccache);
def_princ = NULL;
kret = 0;
} else if (handle->principal == NULL) {
kret = krb5_copy_principal(context, def_princ, &handle->principal);
if (kret)
goto end;
} else if (handle->principal != NULL &&
krb5_principal_compare(context, handle->principal,
def_princ) == FALSE) {
krb5_free_principal(context, def_princ);
def_princ = NULL;
krb5_cc_close(context, ccache);
ccache = NULL;
}
if (def_princ == NULL) {
/* We have no existing credentials cache,
* so attempt to get a TGT using a keytab.
*/
if (handle->principal == NULL) {
kret = krb5_get_default_principal(context, &handle->principal);
if (kret)
goto end;
}
/*
* Require user is in the keytab before trying to talk to
* the KDC.
*/
kret = get_keytab(context, handle, 0);
if (kret)
goto end;
/* since the name might have changed, let double check the credential cache */
kret = krb5_cc_cache_match(context, handle->principal, &ccache);
if (kret == 0)
goto found;
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
kret = krb5_get_init_creds_keytab(context, &cred,
handle->principal, handle->keytab,
0, NULL, opt);
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
kret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache);
if (kret)
goto end;
kret = krb5_cc_initialize(context, ccache, cred.client);
if (kret) {
krb5_cc_destroy(context, ccache);
goto end;
}
kret = krb5_cc_store_cred(context, ccache, &cred);
if (kret) {
krb5_cc_destroy(context, ccache);
goto end;
}
handle->endtime = cred.times.endtime;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
} else {
found:
ret = __gsskrb5_ccache_lifetime(minor_status,
context,
ccache,
handle->principal,
&handle->endtime);
if (ret != GSS_S_COMPLETE) {
krb5_cc_close(context, ccache);
goto end;
}
kret = 0;
}
handle->ccache = ccache;
ret = GSS_S_COMPLETE;
end:
if (cred.client != NULL)
krb5_free_cred_contents(context, &cred);
if (def_princ != NULL)
krb5_free_principal(context, def_princ);
if (ret != GSS_S_COMPLETE && kret != 0)
*minor_status = kret;
return (ret);
}
int
main (int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache;
krb5_principal principal;
int optidx = 0;
krb5_deltat ticket_life = 0;
int parseflags = 0;
setprogname (argv[0]);
setlocale (LC_ALL, "");
#if defined(HEIMDAL_LOCALEDIR)
bindtextdomain ("heimdal_kuser", HEIMDAL_LOCALEDIR);
textdomain("heimdal_kuser");
#endif
ret = krb5_init_context (&context);
if (ret == KRB5_CONFIG_BADFORMAT)
errx (1, "krb5_init_context failed to parse configuration file");
else if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (canonicalize_flag)
parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
if (argv[0]) {
ret = krb5_parse_name_flags (context, argv[0], parseflags, &principal);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name");
} else {
ret = krb5_get_default_principal (context, &principal);
if (ret)
krb5_err (context, 1, ret, "krb5_get_default_principal");
}
if(fcache_version)
krb5_set_fcache_version(context, fcache_version);
if(renewable_flag == -1)
/* this seems somewhat pointless, but whatever */
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"renewable", FALSE, &renewable_flag);
#ifndef HEIMDAL_SMALLER
if(get_v4_tgt == -1)
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"krb4_get_tickets", FALSE, &get_v4_tgt);
#endif
if(do_afslog == -1)
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"afslog", TRUE, &do_afslog);
if(cred_cache)
ret = krb5_cc_resolve(context, cred_cache, &ccache);
else {
if(argc > 1) {
char s[1024];
ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache);
if(ret)
krb5_err(context, 1, ret, "creating cred cache");
snprintf(s, sizeof(s), "%s:%s",
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
setenv("KRB5CCNAME", s, 1);
#ifndef HEIMDAL_SMALLER
if (get_v4_tgt) {
int fd;
if (asprintf(&krb4_cc_name, "%s_XXXXXX", TKT_ROOT) < 0)
krb5_errx(context, 1, "out of memory");
if((fd = mkstemp(krb4_cc_name)) >= 0) {
close(fd);
setenv("KRBTKFILE", krb4_cc_name, 1);
} else {
free(krb4_cc_name);
krb4_cc_name = NULL;
}
}
#endif
} else {
ret = krb5_cc_cache_match(context, principal, &ccache);
if (ret)
ret = krb5_cc_default (context, &ccache);
}
}
if (ret)
krb5_err (context, 1, ret, N_("resolving credentials cache", ""));
if(argc > 1 && k_hasafs ())
k_setpag();
if (lifetime) {
int tmp = parse_time (lifetime, "s");
if (tmp < 0)
errx (1, N_("unparsable time: %s", ""), lifetime);
ticket_life = tmp;
}
if(addrs_flag == 0 && extra_addresses.num_strings > 0)
krb5_errx(context, 1,
N_("specifying both extra addresses and "
"no addresses makes no sense", ""));
{
int i;
krb5_addresses addresses;
memset(&addresses, 0, sizeof(addresses));
for(i = 0; i < extra_addresses.num_strings; i++) {
ret = krb5_parse_address(context, extra_addresses.strings[i],
&addresses);
if (ret == 0) {
krb5_add_extra_addresses(context, &addresses);
krb5_free_addresses(context, &addresses);
}
}
free_getarg_strings(&extra_addresses);
}
if(renew_flag || validate_flag) {
ret = renew_validate(context, renew_flag, validate_flag,
ccache, server_str, ticket_life);
exit(ret != 0);
}
#ifndef HEIMDAL_SMALLER
if(!convert_524)
#endif
get_new_tickets(context, principal, ccache, ticket_life, 1);
#ifndef HEIMDAL_SMALLER
if(get_v4_tgt || convert_524)
do_524init(context, ccache, NULL, server_str);
#endif
if(do_afslog && k_hasafs())
krb5_afslog(context, ccache, NULL, NULL);
if(argc > 1) {
struct renew_ctx ctx;
time_t timeout;
timeout = ticket_lifetime(context, ccache, principal, server_str) / 2;
ctx.context = context;
ctx.ccache = ccache;
ctx.principal = principal;
ctx.ticket_life = ticket_life;
ret = simple_execvp_timed(argv[1], argv+1,
renew_func, &ctx, timeout);
#define EX_NOEXEC 126
#define EX_NOTFOUND 127
if(ret == EX_NOEXEC)
krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
else if(ret == EX_NOTFOUND)
krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
krb5_cc_destroy(context, ccache);
#ifndef HEIMDAL_SMALLER
_krb5_krb_dest_tkt(context, krb4_cc_name);
#endif
if(k_hasafs())
k_unlog();
} else {
krb5_cc_close (context, ccache);
ret = 0;
}
krb5_free_principal(context, principal);
krb5_free_context (context);
return ret;
}
static UINT32 transport_krb5_check_account(rdpTransport* transport, char* username, char* domain,
char* passwd)
{
krb5_error_code ret;
krb5_context context = NULL;
krb5_principal principal = NULL;
char address[256];
krb5_ccache ccache;
krb5_init_creds_context ctx = NULL;
_snprintf(address, sizeof(address), "%s@%s", username, domain);
/* Create a krb5 library context */
if ((ret = krb5_init_context(&context)) != 0)
WLog_Print(transport->log, WLOG_ERROR, "krb5_init_context failed with error %d", (int)ret);
else if ((ret = krb5_parse_name_flags(context, address, 0, &principal)) != 0)
WLog_Print(transport->log, WLOG_ERROR, "krb5_parse_name_flags failed with error %d", (int)ret);
/* Find a credential cache with a specified client principal */
else if ((ret = krb5_cc_cache_match(context, principal, &ccache)) != 0)
{
if ((ret = krb5_cc_default(context, &ccache)) != 0)
WLog_Print(transport->log, WLOG_ERROR, "krb5 failed to resolve credentials cache with error %d",
(int)ret);
}
if (ret != KRB5KDC_ERR_NONE)
goto out;
/* Create a context for acquiring initial credentials */
else if ((ret = krb5_init_creds_init(context, principal, NULL, NULL, 0, NULL, &ctx)) != 0)
{
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_init returned error %d", (int)ret);
goto out;
}
/* Set a password for acquiring initial credentials */
else if ((ret = krb5_init_creds_set_password(context, ctx, passwd)) != 0)
{
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_set_password returned error %d", ret);
goto out;
}
/* Acquire credentials using an initial credential context */
ret = krb5_init_creds_get(context, ctx);
out:
switch (ret)
{
case KRB5KDC_ERR_NONE:
break;
case KRB5_KDC_UNREACH:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get: KDC unreachable");
ret = FREERDP_ERROR_CONNECT_KDC_UNREACHABLE;
break;
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5_GET_IN_TKT_LOOP:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get: Password incorrect");
ret = FREERDP_ERROR_AUTHENTICATION_FAILED;
break;
case KRB5KDC_ERR_KEY_EXP:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get: Password has expired");
ret = FREERDP_ERROR_CONNECT_PASSWORD_EXPIRED;
break;
case KRB5KDC_ERR_CLIENT_REVOKED:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get: Password revoked");
ret = FREERDP_ERROR_CONNECT_CLIENT_REVOKED;
break;
case KRB5KDC_ERR_POLICY:
ret = FREERDP_ERROR_INSUFFICIENT_PRIVILEGES;
break;
default:
WLog_Print(transport->log, WLOG_WARN, "krb5_init_creds_get");
ret = FREERDP_ERROR_CONNECT_TRANSPORT_FAILED;
break;
}
if (ctx)
krb5_init_creds_free(context, ctx);
krb5_free_context(context);
return ret;
}
OM_uint32 GSSAPI_CALLCONV
_gsskrb5_store_cred(OM_uint32 *minor_status,
gss_cred_id_t input_cred_handle,
gss_cred_usage_t cred_usage,
const gss_OID desired_mech,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
krb5_context context;
krb5_error_code ret;
gsskrb5_cred cred;
krb5_ccache id = NULL;
krb5_ccache def_ccache = NULL;
const char *def_type = NULL;
time_t exp_current;
time_t exp_new;
*minor_status = 0;
if (cred_usage != GSS_C_INITIATE) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
}
if (desired_mech != GSS_C_NO_OID &&
gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0)
return GSS_S_BAD_MECH;
cred = (gsskrb5_cred)input_cred_handle;
if (cred == NULL)
return GSS_S_NO_CRED;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
}
ret = krb5_cc_get_lifetime(context, cred->ccache, &exp_new);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_NO_CRED;
}
if (cred->principal == NULL) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_KG_TGT_MISSING;
return GSS_S_FAILURE;
}
ret = krb5_cc_default(context, &def_ccache);
if (ret == 0) {
def_type = krb5_cc_get_type(context, def_ccache);
krb5_cc_close(context, def_ccache);
}
def_ccache = NULL;
/* write out cred to credential cache */
ret = krb5_cc_cache_match(context, cred->principal, &id);
if (ret) {
if (default_cred) {
ret = krb5_cc_default(context, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_FAILURE;
}
} else {
if (def_type == NULL ||
!krb5_cc_support_switch(context, def_type)) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0; /* XXX */
return GSS_S_NO_CRED; /* XXX */
}
ret = krb5_cc_new_unique(context, def_type, NULL, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_FAILURE;
}
overwrite_cred = 1;
}
}
if (!overwrite_cred) {
/* If current creds are expired or near it, overwrite */
ret = krb5_cc_get_lifetime(context, id, &exp_current);
if (ret != 0 || exp_new > exp_current)
overwrite_cred = 1;
}
if (!overwrite_cred) {
/* Nothing to do */
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_DUPLICATE_ELEMENT;
}
ret = krb5_cc_initialize(context, id, cred->principal);
if (ret == 0)
ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL);
if (ret) {
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return(GSS_S_FAILURE);
}
if (default_cred && def_type != NULL &&
krb5_cc_support_switch(context, def_type))
krb5_cc_switch(context, id);
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_COMPLETE;
}
int
main(int argc, char **argv)
{
int optind = 0;
int i;
int num;
int ret = 0;
int failed = 0;
struct cell_list *p;
setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &optind))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
if(!k_hasafs())
errx(1, "AFS does not seem to be present on this machine");
if(unlog_flag){
k_unlog();
exit(0);
}
#ifdef KRB5
ret = krb5_init_context(&context);
if (ret) {
context = NULL;
} else {
if (client_string) {
krb5_principal client;
ret = krb5_parse_name(context, client_string, &client);
if (ret == 0)
ret = krb5_cc_cache_match(context, client, NULL, &id);
if (ret)
id = NULL;
}
if (id == NULL && cache_string) {
if(krb5_cc_resolve(context, cache_string, &id) != 0) {
krb5_warnx(context, "failed to open kerberos 5 cache '%s'",
cache_string);
id = NULL;
}
}
if (id == NULL)
if(krb5_cc_default(context, &id) != 0)
id = NULL;
}
#endif
if (verbose)
kafs_set_verbose(log_func, NULL);
num = 0;
for(i = 0; i < files.num_strings; i++){
afslog_file(files.strings[i]);
num++;
}
free_getarg_strings (&files);
for(i = 0; i < cells.num_strings; i++){
afslog_cell(cells.strings[i], 1);
num++;
}
free_getarg_strings (&cells);
for(i = optind; i < argc; i++){
num++;
if(strcmp(argv[i], ".") == 0 ||
strcmp(argv[i], "..") == 0 ||
strchr(argv[i], '/') ||
access(argv[i], F_OK) == 0)
afslog_file(argv[i]);
else
afslog_cell(argv[i], 1);
}
if(num == 0) {
if(do_afslog(NULL))
failed++;
} else
for(p = cell_list; p; p = p->next) {
if(verbose)
warnx("Getting tokens for cell \"%s\"", p->cell);
if(do_afslog(p->cell))
failed++;
}
return failed;
}
OM_uint32 GSSAPI_CALLCONV
_gsskrb5_store_cred(OM_uint32 *minor_status,
gss_cred_id_t input_cred_handle,
gss_cred_usage_t cred_usage,
const gss_OID desired_mech,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
krb5_context context;
krb5_error_code ret;
gsskrb5_cred cred;
krb5_ccache id;
int destroy = 0;
*minor_status = 0;
if (cred_usage != GSS_C_INITIATE) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
}
if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0)
return GSS_S_BAD_MECH;
cred = (gsskrb5_cred)input_cred_handle;
if (cred == NULL)
return GSS_S_NO_CRED;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return(GSS_S_FAILURE);
}
if (cred->principal == NULL) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_KG_TGT_MISSING;
return(GSS_S_FAILURE);
}
/* write out cred to credential cache */
ret = krb5_cc_cache_match(context, cred->principal, &id);
if (ret) {
ret = krb5_cc_new_unique(context, NULL, NULL, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return(GSS_S_FAILURE);
}
destroy = 1;
}
ret = krb5_cc_initialize(context, id, cred->principal);
if (ret == 0)
ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL);
if (ret) {
if (destroy)
krb5_cc_destroy(context, id);
else
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return(GSS_S_FAILURE);
}
if (default_cred)
krb5_cc_switch(context, id);
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_COMPLETE;
}
static krb5_error_code
get_ccache(krb5_context context, int *destroy, krb5_ccache *id)
{
krb5_principal principal = NULL;
krb5_error_code ret;
krb5_keytab kt = NULL;
*id = NULL;
if (!issuid()) {
const char *cache;
cache = getenv("NTLM_ACCEPTOR_CCACHE");
if (cache) {
ret = krb5_cc_resolve(context, cache, id);
if (ret)
goto out;
return 0;
}
}
ret = krb5_sname_to_principal(context, NULL, "host",
KRB5_NT_SRV_HST, &principal);
if (ret)
goto out;
ret = krb5_cc_cache_match(context, principal, id);
if (ret == 0)
return 0;
/* did not find in default credcache, lets try default keytab */
ret = krb5_kt_default(context, &kt);
if (ret)
goto out;
/* XXX check in keytab */
{
krb5_get_init_creds_opt *opt;
krb5_creds cred;
memset(&cred, 0, sizeof(cred));
ret = krb5_cc_new_unique(context, "MEMORY", NULL, id);
if (ret)
goto out;
*destroy = 1;
ret = krb5_get_init_creds_opt_alloc(context, &opt);
if (ret)
goto out;
ret = krb5_get_init_creds_keytab (context,
&cred,
principal,
kt,
0,
NULL,
opt);
krb5_get_init_creds_opt_free(context, opt);
if (ret)
goto out;
ret = krb5_cc_initialize (context, *id, cred.client);
if (ret) {
krb5_free_cred_contents (context, &cred);
goto out;
}
ret = krb5_cc_store_cred (context, *id, &cred);
krb5_free_cred_contents (context, &cred);
if (ret)
goto out;
}
krb5_kt_close(context, kt);
return 0;
out:
if (*id) {
if (*destroy)
krb5_cc_destroy(context, *id);
else
krb5_cc_close(context, *id);
*id = NULL;
}
if (kt)
krb5_kt_close(context, kt);
if (principal)
krb5_free_principal(context, principal);
return ret;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache;
krb5_principal principal = NULL;
int optidx = 0;
krb5_deltat ticket_life = 0;
#ifdef HAVE_SIGACTION
struct sigaction sa;
#endif
setprogname(argv[0]);
setlocale(LC_ALL, "");
bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR);
textdomain("heimdal_kuser");
ret = krb5_init_context(&context);
if (ret == KRB5_CONFIG_BADFORMAT)
errx(1, "krb5_init_context failed to parse configuration file");
else if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage(0);
if (version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
/*
* Open the keytab now, we use the keytab to determine the principal's
* realm when the requested principal has no realm.
*/
if (use_keytab || keytab_str) {
if (keytab_str)
ret = krb5_kt_resolve(context, keytab_str, &kt);
else
ret = krb5_kt_default(context, &kt);
if (ret)
krb5_err(context, 1, ret, "resolving keytab");
}
if (pk_enterprise_flag) {
ret = krb5_pk_enterprise_cert(context, pk_user_id,
argv[0], &principal,
&ent_user_id);
if (ret)
krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
pk_user_id = NULL;
} else if (anonymous_flag) {
ret = krb5_make_principal(context, &principal, argv[0],
KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_make_principal");
krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
} else if (use_keytab || keytab_str) {
get_princ_kt(context, &principal, argv[0]);
} else {
get_princ(context, &principal, argv[0]);
}
if (fcache_version)
krb5_set_fcache_version(context, fcache_version);
if (renewable_flag == -1)
/* this seems somewhat pointless, but whatever */
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"renewable", FALSE, &renewable_flag);
if (do_afslog == -1)
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"afslog", TRUE, &do_afslog);
if (cred_cache)
ret = krb5_cc_resolve(context, cred_cache, &ccache);
else {
if (argc > 1) {
char s[1024];
ret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
if (ret)
krb5_err(context, 1, ret, "creating cred cache");
snprintf(s, sizeof(s), "%s:%s",
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
setenv("KRB5CCNAME", s, 1);
} else {
ret = krb5_cc_cache_match(context, principal, &ccache);
if (ret) {
const char *type;
ret = krb5_cc_default(context, &ccache);
if (ret)
krb5_err(context, 1, ret,
N_("resolving credentials cache", ""));
/*
* Check if the type support switching, and we do,
* then do that instead over overwriting the current
* default credential
*/
type = krb5_cc_get_type(context, ccache);
if (krb5_cc_support_switch(context, type)) {
krb5_cc_close(context, ccache);
ret = get_switched_ccache(context, type, principal,
&ccache);
}
}
}
}
if (ret)
krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
#ifndef NO_AFS
if (argc > 1 && k_hasafs())
k_setpag();
#endif
if (lifetime) {
int tmp = parse_time(lifetime, "s");
if (tmp < 0)
errx(1, N_("unparsable time: %s", ""), lifetime);
ticket_life = tmp;
}
if (addrs_flag == 0 && extra_addresses.num_strings > 0)
krb5_errx(context, 1,
N_("specifying both extra addresses and "
"no addresses makes no sense", ""));
{
int i;
krb5_addresses addresses;
memset(&addresses, 0, sizeof(addresses));
for(i = 0; i < extra_addresses.num_strings; i++) {
ret = krb5_parse_address(context, extra_addresses.strings[i],
&addresses);
if (ret == 0) {
krb5_add_extra_addresses(context, &addresses);
krb5_free_addresses(context, &addresses);
}
}
free_getarg_strings(&extra_addresses);
}
if (renew_flag || validate_flag) {
ret = renew_validate(context, renew_flag, validate_flag,
ccache, server_str, ticket_life);
#ifndef NO_AFS
if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
krb5_afslog(context, ccache, NULL, NULL);
#endif
exit(ret != 0);
}
ret = get_new_tickets(context, principal, ccache, ticket_life, 1);
if (ret)
exit(1);
#ifndef NO_AFS
if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
krb5_afslog(context, ccache, NULL, NULL);
#endif
if (argc > 1) {
struct renew_ctx ctx;
time_t timeout;
timeout = ticket_lifetime(context, ccache, principal,
server_str, NULL) / 2;
ctx.context = context;
ctx.ccache = ccache;
ctx.principal = principal;
ctx.ticket_life = ticket_life;
ctx.timeout = timeout;
#ifdef HAVE_SIGACTION
memset(&sa, 0, sizeof(sa));
sigemptyset(&sa.sa_mask);
sa.sa_handler = handle_siginfo;
sigaction(SIGINFO, &sa, NULL);
#endif
ret = simple_execvp_timed(argv[1], argv+1,
renew_func, &ctx, timeout);
#define EX_NOEXEC 126
#define EX_NOTFOUND 127
if (ret == EX_NOEXEC)
krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
else if (ret == EX_NOTFOUND)
krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
krb5_cc_destroy(context, ccache);
#ifndef NO_AFS
if (k_hasafs())
k_unlog();
#endif
} else {
krb5_cc_close(context, ccache);
ret = 0;
}
krb5_free_principal(context, principal);
if (kt)
krb5_kt_close(context, kt);
krb5_free_context(context);
return ret;
}
int
main (int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
krb5_ccache id = NULL;
int optidx = 0;
setprogname (argv[0]);
setlocale (LC_ALL, "");
bindtextdomain ("heimdal_kuser", HEIMDAL_LOCALEDIR);
textdomain("heimdal_kuser");
ret = krb5_init_context (&context);
if (ret == KRB5_CONFIG_BADFORMAT)
errx (1, "krb5_init_context failed to parse configuration file");
else if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc != 0)
usage (1);
if (cache && principal)
krb5_errx(context, 1,
N_("Both --cache and --principal given, choose one", ""));
if (principal) {
krb5_principal p;
ret = krb5_parse_name(context, principal, &p);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name: %s", principal);
ret = krb5_cc_cache_match(context, p, &id);
if (ret)
krb5_err (context, 1, ret,
N_("Did not find principal: %s", ""), principal);
krb5_free_principal(context, p);
} else if (cache) {
const krb5_cc_ops *ops;
char *str;
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL)
krb5_err (context, 1, 0, "krb5_cc_get_prefix_ops");
asprintf(&str, "%s:%s", ops->prefix, cache);
if (str == NULL)
krb5_errx(context, 1, N_("out of memory", ""));
ret = krb5_cc_resolve(context, str, &id);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_resolve: %s", str);
free(str);
} else
usage(1);
ret = krb5_cc_switch(context, id);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_switch");
krb5_cc_close(context, id);
return 0;
}