static void
test_mcache(krb5_context context)
{
krb5_error_code ret;
krb5_ccache id, id2;
const char *nc, *tc;
char *c;
krb5_principal p, p2;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, id, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
nc = krb5_cc_get_name(context, id);
if (nc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
tc = krb5_cc_get_type(context, id);
if (tc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
if (asprintf(&c, "%s:%s", tc, nc) < 0 || c == NULL)
errx(1, "malloc");
krb5_cc_close(context, id);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret == 0)
krb5_errx(context, 1, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
free(c);
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_set_password_using_ccache(krb5_context context,
krb5_ccache ccache,
char *newpw,
krb5_principal targprinc,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string)
{
krb5_creds creds, *credsp;
krb5_error_code ret;
krb5_principal principal = NULL;
*result_code = KRB5_KPASSWD_MALFORMED;
result_code_string->data = result_string->data = NULL;
result_code_string->length = result_string->length = 0;
memset(&creds, 0, sizeof(creds));
if (targprinc == NULL) {
ret = krb5_cc_get_principal(context, ccache, &principal);
if (ret)
return ret;
} else
principal = targprinc;
ret = krb5_make_principal(context, &creds.server,
krb5_principal_get_realm(context, principal),
"kadmin", "changepw", NULL);
if (ret)
goto out;
ret = krb5_cc_get_principal(context, ccache, &creds.client);
if (ret) {
krb5_free_principal(context, creds.server);
goto out;
}
ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
krb5_free_principal(context, creds.server);
krb5_free_principal(context, creds.client);
if (ret)
goto out;
ret = krb5_set_password(context,
credsp,
newpw,
principal,
result_code,
result_code_string,
result_string);
krb5_free_creds(context, credsp);
return ret;
out:
if (targprinc == NULL)
krb5_free_principal(context, principal);
return ret;
}
/*
* Function: Initializes ccache and catches illegal caches such as
* bad format or no permissions.
*
* Parameters:
* ccache - credential cache structure to use
*
* Returns: krb5_error_code
*/
krb5_error_code
k5_init_ccache(krb5_ccache *ccache)
{
krb5_error_code code;
krb5_principal princ;
FILE *fp;
code = krb5_cc_default(k5_context, ccache); /* Initialize the ccache */
if (code)
return code;
code = krb5_cc_get_principal(k5_context, *ccache, &princ);
if (code == KRB5_FCC_NOFILE) { /* Doesn't exist yet */
fp = fopen(krb5_cc_get_name(k5_context, *ccache), "w");
if (fp == NULL) /* Can't open it */
return KRB5_FCC_PERM;
fclose (fp);
}
if (code) { /* Bad, delete and try again */
remove(krb5_cc_get_name(k5_context, *ccache));
code = krb5_cc_get_principal(k5_context, *ccache, &princ);
if (code == KRB5_FCC_NOFILE) /* Doesn't exist yet */
return 0;
if (code)
return code;
}
/* krb5_free_principal(k5_context, princ); */
return 0;
}
static void
test_cache_iter_all(krb5_context context)
{
krb5_cccol_cursor cursor;
krb5_error_code ret;
krb5_ccache id;
ret = krb5_cccol_cursor_new (context, &cursor);
if (ret)
krb5_err(context, 1, ret, "krb5_cccol_cursor_new");
while ((ret = krb5_cccol_cursor_next (context, cursor, &id)) == 0 && id != NULL) {
krb5_principal principal;
char *name;
if (debug_flag)
printf("name: %s\n", krb5_cc_get_name(context, id));
ret = krb5_cc_get_principal(context, id, &principal);
if (ret == 0) {
ret = krb5_unparse_name(context, principal, &name);
if (ret == 0) {
if (debug_flag)
printf("\tprincipal: %s\n", name);
free(name);
}
krb5_free_principal(context, principal);
}
krb5_cc_close(context, id);
}
krb5_cccol_cursor_free(context, &cursor);
}
krb5_error_code
k5_build_conf_principals(krb5_context context, krb5_ccache id,
krb5_const_principal principal,
const char *name, krb5_creds *cred)
{
krb5_principal client;
krb5_error_code ret;
char *pname = NULL;
memset(cred, 0, sizeof(*cred));
ret = krb5_cc_get_principal(context, id, &client);
if (ret)
return ret;
if (principal) {
ret = krb5_unparse_name(context, principal, &pname);
if (ret)
return ret;
}
ret = krb5_build_principal(context, &cred->server,
sizeof(conf_realm) - 1, conf_realm,
conf_name, name, pname, (char *)NULL);
krb5_free_unparsed_name(context, pname);
if (ret) {
krb5_free_principal(context, client);
return ret;
}
ret = krb5_copy_principal(context, client, &cred->client);
krb5_free_principal(context, client);
return ret;
}
/* Store the v5 TGT in $KRB5CCNAME. */
static int
sly_v5(krb5_context ctx, const char *v5ccname,
struct _pam_krb5_user_info *userinfo, struct _pam_krb5_stash *stash)
{
krb5_ccache ccache;
krb5_principal princ;
int i;
ccache = NULL;
i = krb5_cc_resolve(ctx, v5ccname, &ccache);
if (i == 0) {
princ = NULL;
if (krb5_cc_get_principal(ctx, ccache, &princ) == 0) {
if (krb5_principal_compare(ctx, princ,
userinfo->principal_name) == FALSE) {
krb5_free_principal(ctx, princ);
krb5_cc_close(ctx, ccache);
return PAM_SERVICE_ERR;
}
krb5_free_principal(ctx, princ);
}
i = krb5_cc_initialize(ctx, ccache, userinfo->principal_name);
if (i == 0) {
i = krb5_cc_store_cred(ctx, ccache, &stash->v5creds);
}
krb5_cc_close(ctx, ccache);
}
return PAM_SUCCESS;
}
static krb5_error_code
krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options,
krb5_ccache ccache, krb5_creds *in_creds,
krb5_creds **out_creds, int which)
{
krb5_error_code retval;
krb5_principal tmp;
krb5_creds **tgts = 0;
switch(which) {
case INT_GC_VALIDATE:
retval = krb5_get_cred_from_kdc_validate(context, ccache,
in_creds, out_creds, &tgts);
break;
case INT_GC_RENEW:
retval = krb5_get_cred_from_kdc_renew(context, ccache,
in_creds, out_creds, &tgts);
break;
default:
/* Should never happen */
retval = 255;
break;
}
if (retval) return retval;
if (tgts) krb5_free_tgt_creds(context, tgts);
retval = krb5_cc_get_principal(context, ccache, &tmp);
if (retval) return retval;
retval = krb5_cc_initialize(context, ccache, tmp);
if (retval) return retval;
retval = krb5_cc_store_cred(context, ccache, *out_creds);
return retval;
}
static int mod_authn_gssapi_store_krb5_creds(server *srv, connection *con, plugin_data *p,
krb5_context kcontext, krb5_ccache delegated_cred)
{
krb5_error_code problem;
krb5_principal princ = NULL;
krb5_ccache ccache = NULL;
problem = krb5_cc_get_principal(kcontext, delegated_cred, &princ);
if (problem) {
mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_get_principal", NULL, kcontext, problem);
goto end;
}
if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, kcontext, princ, &ccache)) {
goto end;
}
problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache);
if (problem) {
mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_copy_creds", NULL, kcontext, problem);
goto end;
}
krb5_free_principal(kcontext, princ);
krb5_cc_close(kcontext, ccache);
return 0;
end:
if (princ)
krb5_free_principal(kcontext, princ);
if (ccache)
krb5_cc_destroy(kcontext, ccache);
return -1;
}
/*
* call-seq:
* krb5.get_default_principal
*
* Returns the default principal for the current realm based on the current
* credentials cache.
*
* If no credentials cache is found then an error is raised.
*/
static VALUE rkrb5_get_default_principal(VALUE self){
char* princ_name;
RUBY_KRB5* ptr;
krb5_ccache ccache;
krb5_error_code kerror;
Data_Get_Struct(self, RUBY_KRB5, ptr);
if(!ptr->ctx)
rb_raise(cKrb5Exception, "no context has been established");
// Get the default credentials cache
kerror = krb5_cc_default(ptr->ctx, &ccache);
if(kerror)
rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror));
kerror = krb5_cc_get_principal(ptr->ctx, ccache, &ptr->princ);
if(kerror){
krb5_cc_close(ptr->ctx, ccache);
rb_raise(cKrb5Exception, "krb5_cc_get_principal: %s", error_message(kerror));
}
krb5_cc_close(ptr->ctx, ccache);
kerror = krb5_unparse_name(ptr->ctx, ptr->princ, &princ_name);
if(kerror)
rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror));
return rb_str_new2(princ_name);
}
static int
list_ccache(krb5_ccache cache)
{
krb5_error_code ret;
krb5_principal princ = NULL;
char *princname = NULL, *ccname = NULL;
int expired, status = 1;
ret = krb5_cc_get_principal(context, cache, &princ);
if (ret) /* Uninitialized cache file, probably. */
goto cleanup;
ret = krb5_unparse_name(context, princ, &princname);
if (ret)
goto cleanup;
ret = krb5_cc_get_full_name(context, cache, &ccname);
if (ret)
goto cleanup;
expired = check_ccache(cache);
printf("%-30.30s %s", princname, ccname);
if (expired)
printf(" %s", _("(Expired)"));
printf("\n");
status = 0;
cleanup:
krb5_free_principal(context, princ);
krb5_free_unparsed_name(context, princname);
krb5_free_string(context, ccname);
return status;
}
static int
display_v5_ccache (krb5_context context, krb5_ccache ccache,
int do_test, int do_verbose,
int do_flags, int do_hidden)
{
krb5_error_code ret;
krb5_principal principal;
int exit_status = 0;
ret = krb5_cc_get_principal (context, ccache, &principal);
if (ret) {
if(ret == ENOENT) {
if (!do_test)
krb5_warnx(context, N_("No ticket file: %s", ""),
krb5_cc_get_name(context, ccache));
return 1;
} else
krb5_err (context, 1, ret, "krb5_cc_get_principal");
}
if (do_test)
exit_status = check_for_tgt (context, ccache, principal, NULL);
else
print_tickets (context, ccache, principal, do_verbose,
do_flags, do_hidden);
ret = krb5_cc_close (context, ccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_close");
krb5_free_principal (context, principal);
return exit_status;
}
/* Check that when name is resolved, the resulting cache's principal matches
* expected_princ, or has no principal if expected_princ is NULL. */
static void
check_princ(const char *name, krb5_principal expected_princ)
{
krb5_ccache cache;
krb5_principal princ;
check(krb5_cc_resolve(ctx, name, &cache));
if (expected_princ != NULL) {
check(krb5_cc_get_principal(ctx, cache, &princ));
assert(krb5_principal_compare(ctx, princ, expected_princ));
krb5_free_principal(ctx, princ);
} else {
assert(krb5_cc_get_principal(ctx, cache, &princ) != 0);
}
krb5_cc_close(ctx, cache);
}
int
check_krb5_tickets()
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache;
krb5_principal principal;
int retval = 1;
ret = krb5_init_context(&context);
if(ret)
errx(1, "krb5_init_context failt: %d", ret);
ret = krb5_cc_default(context, &ccache);
if(ret)
errx(1, "krb5_cc_default: %d", ret);
ret = krb5_cc_get_principal (context, ccache, &principal);
switch(ret) {
case ENOENT:
retval = 0;
goto done;
case 0:
retval = 1;
goto done;
default:
errx(1, "krb5_cc_get_principal: %d", ret);
break;
}
done:
krb5_free_context(context);
return retval;
}
static PyObject *
k5_cc_get_principal(PyObject *self, PyObject *args)
{
krb5_context ctx;
char *ccname, *name;
krb5_error_code code;
krb5_ccache ccache;
krb5_principal principal;
PyObject *ret;
if (!PyArg_ParseTuple( args, "s", &ccname))
return NULL;
code = krb5_init_context(&ctx);
RETURN_ON_ERROR("krb5_init_context()", code);
code = krb5_cc_resolve(ctx, ccname, &ccache);
RETURN_ON_ERROR("krb5_cc_resolve()", code);
code = krb5_cc_get_principal(ctx, ccache, &principal);
RETURN_ON_ERROR("krb5_cc_get_principal()", code);
code = krb5_unparse_name(ctx, principal, &name);
RETURN_ON_ERROR("krb5_unparse_name()", code);
ret = PyString_FromString(name);
if (ret == NULL)
return ret;
code = krb5_cc_close(ctx, ccache);
RETURN_ON_ERROR("krb5_cc_close()", code);
krb5_free_unparsed_name(ctx, name);
krb5_free_principal(ctx, principal);
krb5_free_context(ctx);
return ret;
}
Krb5Principal Krb5CCache::getClientPrincipal() const {
krb5_principal client;
krb5_context ctx = context_.get();
krb5_error_code code = krb5_cc_get_principal(ctx, ccache_, &client);
raiseIf(ctx, code, "getting client from ccache");
return Krb5Principal(ctx, std::move(client));
}
static krb5_error_code
afslog_uid_int(struct kafs_data *data, const char *cell, const char *rh,
uid_t uid, const char *homedir)
{
krb5_error_code ret;
struct kafs_token kt;
krb5_principal princ;
const char *trealm; /* ticket realm */
struct krb5_kafs_data *d = data->data;
if (cell == 0 || cell[0] == 0)
return _kafs_afslog_all_local_cells (data, uid, homedir);
ret = krb5_cc_get_principal (d->context, d->id, &princ);
if (ret)
return ret;
trealm = krb5_principal_get_realm (d->context, princ);
kt.ticket = NULL;
ret = _kafs_get_cred(data, cell, d->realm, trealm, uid, &kt);
krb5_free_principal (d->context, princ);
if(ret == 0) {
ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len);
free(kt.ticket);
}
return ret;
}
static int
get_cred(struct kafs_data *data, const char *name, const char *inst,
const char *realm, uid_t uid, struct kafs_token *kt)
{
krb5_error_code ret;
krb5_creds in_creds, *out_creds;
struct krb5_kafs_data *d = data->data;
memset(&in_creds, 0, sizeof(in_creds));
ret = krb5_make_principal(d->context, &in_creds.server,
realm, name, inst, NULL);
if(ret)
return ret;
ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
if(ret){
krb5_free_principal(d->context, in_creds.server);
return ret;
}
in_creds.session.keytype = ETYPE_DES_CBC_CRC;
ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
krb5_free_principal(d->context, in_creds.server);
krb5_free_principal(d->context, in_creds.client);
if(ret)
return ret;
ret = v5_convert(d->context, d->id, out_creds, uid,
(inst != NULL && inst[0] != '\0') ? inst : realm, kt);
krb5_free_creds(d->context, out_creds);
return ret;
}
OM_uint32
krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
krb5_context context)
{
krb5_gss_cred_id_t cred;
krb5_error_code code;
krb5_principal princ;
cred = (krb5_gss_cred_id_t) cred_handle;
code = k5_mutex_lock(&cred->lock);
if (code) {
*minor_status = code;
return GSS_S_FAILURE;
}
if (cred->ccache) {
if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) {
k5_mutex_unlock(&cred->lock);
*minor_status = code;
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
if (!krb5_principal_compare(context, princ, cred->name->princ)) {
k5_mutex_unlock(&cred->lock);
*minor_status = KG_CCACHE_NOMATCH;
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
(void)krb5_free_principal(context, princ);
}
*minor_status = 0;
return GSS_S_COMPLETE;
}
principal::principal(context& _ctx, ccache& _cc):base(),free(TRUE),ctx(_ctx),_principal(NULL){
kerror=krb5_cc_get_principal(ctx(), _cc(), &_principal);
if(kerror)
return;
/*
throw(std::string("Kerberos returned ")+kerror);
*/
};
DWORD
ADUKrb5GetPrincipalName(
PCSTR pszCachePath,
PSTR* ppszPrincipalName
)
{
DWORD dwError = 0;
krb5_error_code ret = 0;
krb5_context ctx = NULL;
krb5_ccache cc = NULL;
krb5_principal pKrb5Principal = NULL;
PSTR pszKrb5PrincipalName = NULL;
PSTR pszPrincipalName = NULL;
ret = krb5_init_context(&ctx);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_cc_resolve(ctx, pszCachePath, &cc);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_cc_get_principal(ctx, cc, &pKrb5Principal);
BAIL_ON_KRB_ERROR(ctx, ret);
ret = krb5_unparse_name(ctx, pKrb5Principal, &pszKrb5PrincipalName);
BAIL_ON_KRB_ERROR(ctx, ret);
dwError = LwAllocateString(pszKrb5PrincipalName, &pszPrincipalName);
BAIL_ON_MAC_ERROR(dwError);
*ppszPrincipalName = pszPrincipalName;
cleanup:
if (ctx)
{
if (pszKrb5PrincipalName)
{
krb5_free_unparsed_name(ctx, pszKrb5PrincipalName);
}
if (pKrb5Principal)
{
krb5_free_principal(ctx, pKrb5Principal);
}
if (cc)
{
krb5_cc_close(ctx, cc);
}
krb5_free_context(ctx);
}
return dwError;
error:
*ppszPrincipalName = NULL;
goto cleanup;
}
static void
do_delegation (krb5_auth_context ac,
krb5_ccache ccache,
krb5_creds *cred,
krb5_const_principal name,
krb5_data *fwd_data,
uint32_t *flags)
{
krb5_creds creds;
KDCOptions fwd_flags;
krb5_error_code kret;
memset (&creds, 0, sizeof(creds));
krb5_data_zero (fwd_data);
kret = krb5_cc_get_principal(_gsskrb5_context, ccache, &creds.client);
if (kret)
goto out;
kret = krb5_build_principal(_gsskrb5_context,
&creds.server,
strlen(creds.client->realm),
creds.client->realm,
KRB5_TGS_NAME,
creds.client->realm,
NULL);
if (kret)
goto out;
creds.times.endtime = 0;
memset(&fwd_flags, 0, sizeof(fwd_flags));
fwd_flags.forwarded = 1;
fwd_flags.forwardable = 1;
if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/
name->name.name_string.len < 2)
goto out;
kret = krb5_get_forwarded_creds(_gsskrb5_context,
ac,
ccache,
KDCOptions2int(fwd_flags),
name->name.name_string.val[1],
&creds,
fwd_data);
out:
if (kret)
*flags &= ~GSS_C_DELEG_FLAG;
else
*flags |= GSS_C_DELEG_FLAG;
if (creds.client)
krb5_free_principal(_gsskrb5_context, creds.client);
if (creds.server)
krb5_free_principal(_gsskrb5_context, creds.server);
}
static krb5_error_code
fast_armor_ap_request(krb5_context context,
struct krb5int_fast_request_state *state,
krb5_ccache ccache, krb5_principal target_principal)
{
krb5_error_code retval = 0;
krb5_creds creds, *out_creds = NULL;
krb5_auth_context authcontext = NULL;
krb5_data encoded_authenticator;
krb5_fast_armor *armor = NULL;
krb5_keyblock *subkey = NULL, *armor_key = NULL;
encoded_authenticator.data = NULL;
memset(&creds, 0, sizeof(creds));
creds.server = target_principal;
retval = krb5_cc_get_principal(context, ccache, &creds.client);
if (retval == 0)
retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds);
if (retval == 0) {
TRACE_FAST_ARMOR_CCACHE_KEY(context, &out_creds->keyblock);
retval = krb5_mk_req_extended(context, &authcontext,
AP_OPTS_USE_SUBKEY, NULL /*data*/,
out_creds, &encoded_authenticator);
}
if (retval == 0)
retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey);
if (retval == 0)
retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor",
&out_creds->keyblock, "ticketarmor",
&armor_key);
if (retval == 0) {
TRACE_FAST_ARMOR_KEY(context, armor_key);
armor = calloc(1, sizeof(krb5_fast_armor));
if (armor == NULL)
retval = ENOMEM;
}
if (retval == 0) {
armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST;
armor->armor_value = encoded_authenticator;
encoded_authenticator.data = NULL;
encoded_authenticator.length = 0;
state->armor = armor;
armor = NULL;
state->armor_key = armor_key;
armor_key = NULL;
}
krb5_free_keyblock(context, armor_key);
krb5_free_keyblock(context, subkey);
if (out_creds)
krb5_free_creds(context, out_creds);
/* target_principal is owned by caller. */
creds.server = NULL;
krb5_free_cred_contents(context, &creds);
if (encoded_authenticator.data)
krb5_free_data_contents(context, &encoded_authenticator);
krb5_auth_con_free(context, authcontext);
return retval;
}
void
kerberos5_forward(kstream ks)
{
krb5_error_code r;
krb5_ccache ccache;
krb5_principal client = 0;
krb5_principal server = 0;
krb5_data forw_creds;
forw_creds.data = 0;
if ((r = krb5_cc_default(k5_context, &ccache))) {
com_err(NULL, r, "Kerberos V5: could not get default ccache");
return;
}
if ((r = krb5_cc_get_principal(k5_context, ccache, &client))) {
com_err(NULL, r, "Kerberos V5: could not get default principal");
goto cleanup;
}
if ((r = krb5_sname_to_principal(k5_context, szHostName, KRB_SERVICE_NAME,
KRB5_NT_SRV_HST, &server))) {
com_err(NULL, r, "Kerberos V5: could not make server principal");
goto cleanup;
}
if ((r = krb5_auth_con_genaddrs(k5_context, auth_context, ks->fd,
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR))) {
com_err(NULL, r, "Kerberos V5: could not gen local full address");
goto cleanup;
}
if (r = krb5_fwd_tgt_creds(k5_context, auth_context, 0, client, server,
ccache, forwardable_flag, &forw_creds)) {
com_err(NULL, r, "Kerberos V5: error getting forwarded creds");
goto cleanup;
}
/* Send forwarded credentials */
if (!Data(ks, KRB_FORWARD, forw_creds.data, forw_creds.length)) {
MessageBox(HWND_DESKTOP,
"Not enough room for authentication data", "",
MB_OK | MB_ICONEXCLAMATION);
}
cleanup:
if (client)
krb5_free_principal(k5_context, client);
if (server)
krb5_free_principal(k5_context, server);
#if 0 /* XXX */
if (forw_creds.data)
free(forw_creds.data);
#endif
krb5_cc_close(k5_context, ccache);
}
static int
pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info)
{
krb5_error_code retval;
if (info->pg_krb5_initialised)
return STATUS_OK;
retval = krb5_init_context(&(info->pg_krb5_context));
if (retval)
{
printfPQExpBuffer(errorMessage,
"pg_krb5_init: krb5_init_context: %s\n",
error_message(retval));
return STATUS_ERROR;
}
retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache));
if (retval)
{
printfPQExpBuffer(errorMessage,
"pg_krb5_init: krb5_cc_default: %s\n",
error_message(retval));
krb5_free_context(info->pg_krb5_context);
return STATUS_ERROR;
}
retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache,
&(info->pg_krb5_client));
if (retval)
{
printfPQExpBuffer(errorMessage,
"pg_krb5_init: krb5_cc_get_principal: %s\n",
error_message(retval));
krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
krb5_free_context(info->pg_krb5_context);
return STATUS_ERROR;
}
retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name));
if (retval)
{
printfPQExpBuffer(errorMessage,
"pg_krb5_init: krb5_unparse_name: %s\n",
error_message(retval));
krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
krb5_free_context(info->pg_krb5_context);
return STATUS_ERROR;
}
info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name);
info->pg_krb5_initialised = 1;
return STATUS_OK;
}
static int
pg_krb5_init(char *PQerrormsg)
{
krb5_error_code retval;
if (pg_krb5_initialised)
return STATUS_OK;
retval = krb5_init_context(&pg_krb5_context);
if (retval)
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb5_init: krb5_init_context: %s\n",
error_message(retval));
return STATUS_ERROR;
}
retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
if (retval)
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb5_init: krb5_cc_default: %s\n",
error_message(retval));
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache,
&pg_krb5_client);
if (retval)
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb5_init: krb5_cc_get_principal: %s\n",
error_message(retval));
krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
if (retval)
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb5_init: krb5_unparse_name: %s\n",
error_message(retval));
krb5_free_principal(pg_krb5_context, pg_krb5_client);
krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
pg_krb5_name = pg_an_to_ln(pg_krb5_name);
pg_krb5_initialised = 1;
return STATUS_OK;
}
static uint32_t retrieve_remote_creds(uint32_t *min, gssx_name *name,
gssx_cred *creds)
{
krb5_context ctx = NULL;
krb5_ccache ccache = NULL;
krb5_creds cred;
krb5_creds icred;
krb5_error_code ret;
XDR xdrctx;
bool xdrok;
memset(&cred, 0, sizeof(krb5_creds));
memset(&icred, 0, sizeof(krb5_creds));
ret = krb5_init_context(&ctx);
if (ret) goto done;
ret = krb5_cc_default(ctx, &ccache);
if (ret) goto done;
if (name) {
ret = krb5_parse_name(ctx,
name->display_name.octet_string_val,
&icred.client);
} else {
ret = krb5_cc_get_principal(ctx, ccache, &icred.client);
}
if (ret) goto done;
ret = krb5_parse_name(ctx, GPKRB_SRV_NAME, &icred.server);
if (ret) goto done;
ret = krb5_cc_retrieve_cred(ctx, ccache, 0, &icred, &cred);
if (ret) goto done;
xdrmem_create(&xdrctx, cred.ticket.data, cred.ticket.length, XDR_DECODE);
xdrok = xdr_gssx_cred(&xdrctx, creds);
if (xdrok) {
ret = 0;
} else {
ret = EIO;
}
done:
if (ctx) {
krb5_free_cred_contents(ctx, &cred);
krb5_free_cred_contents(ctx, &icred);
if (ccache) krb5_cc_close(ctx, ccache);
krb5_free_context(ctx);
}
*min = ret;
return ret ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
/* Display the contents of cache. */
static int
show_ccache(krb5_ccache cache)
{
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ;
krb5_error_code ret;
ret = krb5_cc_get_principal(context, cache, &princ);
if (ret) {
com_err(progname, ret, "");
return 1;
}
ret = krb5_unparse_name(context, princ, &defname);
if (ret) {
com_err(progname, ret, _("while unparsing principal name"));
return 1;
}
printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"),
krb5_cc_get_type(context, cache), krb5_cc_get_name(context, cache),
defname);
/* XXX Translating would disturb table alignment; skip for now. */
fputs("Valid starting", stdout);
fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, (int) ' ');
fputs("Expires", stdout);
fillit(stdout, timestamp_width - sizeof("Expires") + 3, (int) ' ');
fputs("Service principal\n", stdout);
ret = krb5_cc_start_seq_get(context, cache, &cur);
if (ret) {
com_err(progname, ret, _("while starting to retrieve tickets"));
return 1;
}
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (show_config || !krb5_is_config_principal(context, creds.server))
show_credential(&creds);
krb5_free_cred_contents(context, &creds);
}
krb5_free_principal(context, princ);
krb5_free_unparsed_name(context, defname);
defname = NULL;
if (ret == KRB5_CC_END) {
ret = krb5_cc_end_seq_get(context, cache, &cur);
if (ret) {
com_err(progname, ret, _("while finishing ticket retrieval"));
return 1;
}
return 0;
} else {
com_err(progname, ret, _("while retrieving a ticket"));
return 1;
}
}
static int get_v5cred(krb5_context context,
char *name, char *inst, char *realm, CREDENTIALS *c,
krb5_creds **creds)
{
krb5_creds increds;
krb5_error_code r;
static krb5_principal client_principal = 0;
if (client_principal) {
krb5_free_principal(context, client_principal);
client_principal = 0;
}
memset(&increds, 0, sizeof(increds));
if ((r = krb5_build_principal(context, &increds.server,
(int)strlen(realm), realm,
name,
(inst && strlen(inst)) ? inst : 0,
0))) {
return((int)r);
}
if (!_krb425_ccache) {
if ((r = krb5_cc_default(context, &_krb425_ccache)))
return ((int)r);
}
if (!client_principal) {
if ((r = krb5_cc_get_principal(context, _krb425_ccache, &client_principal))) {
krb5_cc_close(context, _krb425_ccache);
return ((int)r);
}
}
increds.client = client_principal;
increds.times.endtime = 0;
/* Ask for DES since that is what V4 understands */
if (c != NULL)
increds.session.keytype = ENCTYPE_DES_CBC_CRC;
r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds);
if (r) {
return((int)r);
}
#ifdef HAVE_KRB4
/* This requires krb524d to be running with the KDC */
if (c != NULL)
r = krb5_524_convert_creds(context, *creds, c);
#endif
return((int)r);
}
static OM_uint32
_acquire_uuid_name(OM_uint32 *minor_status,
krb5_context context,
krb5_const_principal princ,
int *iakerb,
gsskrb5_cred handle)
{
krb5_error_code ret;
krb5_uuid uuid;
*iakerb = 0;
if (princ->name.name_type != KRB5_NT_CACHE_UUID)
return GSS_S_BAD_NAMETYPE;
if (princ->name.name_string.len != 1 || strcmp(princ->realm, "UUID") != 0)
return GSS_S_BAD_NAME;
if (krb5_string_to_uuid(princ->name.name_string.val[0], uuid))
return GSS_S_BAD_NAME;
ret = krb5_cc_resolve_by_uuid(context, NULL,
&handle->ccache, uuid);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_cc_get_principal(context, handle->ccache, &handle->principal);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
{
krb5_data data;
ret = krb5_cc_get_config(context, handle->ccache, NULL, "iakerb", &data);
if (ret == 0) {
*iakerb = 1;
handle->endtime = INT_MAX;
krb5_data_free(&data);
return 0;
}
}
return __gsskrb5_ccache_lifetime(minor_status,
context,
handle->ccache,
handle->principal,
&handle->endtime);
}
int
kssl_tgt_is_available(KSSL_CTX *kssl_ctx)
{
krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
krb5_context krb5context = NULL;
krb5_ccache krb5ccdef = NULL;
krb5_creds krb5creds, *krb5credsp = NULL;
int rc = 0;
memset((char *)&krb5creds, 0, sizeof(krb5creds));
if (!kssl_ctx)
return (0);
if (!kssl_ctx->service_host)
return (0);
if ((krb5rc = krb5_init_context(&krb5context)) != 0)
goto err;
if ((krb5rc = krb5_sname_to_principal(
krb5context, kssl_ctx->service_host,
(kssl_ctx->service_name) ? kssl_ctx->service_name : KRB5SVC,
KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
goto err;
if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
goto err;
if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
&krb5creds.client)) != 0)
goto err;
if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
&krb5creds, &krb5credsp)) != 0)
goto err;
rc = 1;
err:
#ifdef KSSL_DEBUG
kssl_ctx_show(kssl_ctx);
#endif /* KSSL_DEBUG */
if (krb5creds.client)
krb5_free_principal(krb5context, krb5creds.client);
if (krb5creds.server)
krb5_free_principal(krb5context, krb5creds.server);
if (krb5context)
krb5_free_context(krb5context);
return (rc);
}
