mit_krb5_error_code KRB5_CALLCONV
krb5_verify_init_creds(mit_krb5_context context,
mit_krb5_creds *creds,
mit_krb5_principal ap_req_server,
mit_krb5_keytab ap_req_keytab,
mit_krb5_ccache *ccache,
mit_krb5_verify_init_creds_opt *options)
{
struct comb_principal *p = (struct comb_principal *)ap_req_server;
krb5_error_code ret;
krb5_creds hcreds;
krb5_verify_init_creds_opt hopts;
memset(&hcreds, 0, sizeof(hcreds));
heim_krb5_verify_init_creds_opt_init(&hopts);
if (options->ap_req_nofail)
heim_krb5_verify_init_creds_opt_set_ap_req_nofail(&hopts, options->ap_req_nofail);
mshim_mcred2hcred(HC(context), creds, &hcreds);
ret = heim_krb5_verify_init_creds(HC(context),
&hcreds, p->heim,
(krb5_keytab)ap_req_keytab,
(krb5_ccache *)ccache,
&hopts);
heim_krb5_free_cred_contents(HC(context), &hcreds);
return ret;
}
mit_krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_keytab(mit_krb5_context context,
mit_krb5_creds *creds,
mit_krb5_principal client,
mit_krb5_keytab arg_keytab,
mit_krb5_deltat start_time,
char *in_tkt_service,
mit_krb5_get_init_creds_opt *mopt)
{
struct comb_principal *p = (struct comb_principal *)client;
krb5_get_init_creds_opt *opt = NULL;
krb5_error_code ret;
krb5_creds hcreds;
LOG_ENTRY();
opt = mshim_gic_opt(HC(context), mopt);
memset(creds, 0, sizeof(*creds));
memset(&hcreds, 0, sizeof(hcreds));
ret = heim_krb5_get_init_creds_keytab(HC(context), &hcreds, p->heim,
(krb5_keytab)arg_keytab,
start_time, in_tkt_service, opt);
if (opt)
heim_krb5_get_init_creds_opt_free(HC(context), opt);
if (ret)
return ret;
mshim_hcred2mcred(HC(context), &hcreds, creds);
heim_krb5_free_cred_contents(HC(context), &hcreds);
return ret;
}
static cc_int32
ccache_store_credentials(cc_ccache_t io_ccache, const cc_credentials_union *in_credentials_union)
{
struct cc_ccache *c = (struct cc_ccache *)io_ccache;
krb5_error_code ret;
krb5_creds hcred;
LOG_ENTRY();
if (in_credentials_union == NULL)
return ccErrBadParam;
if (in_credentials_union->version != cc_credentials_v5)
return LOG_FAILURE(ccErrBadCredentialsVersion, "wrong version");
if (in_credentials_union->credentials.credentials_v5->client == NULL)
return ccErrBadParam;
update_time(&c->change_time);
update_time(&context_change_time);
make_cred_from_ccred(milcontext, in_credentials_union->credentials.credentials_v5, &hcred);
ret = heim_krb5_cc_store_cred(milcontext, c->id, &hcred);
heim_krb5_free_cred_contents(milcontext, &hcred);
if (ret)
return LOG_FAILURE(ccErrInvalidCCache, "store cred");
return ccNoError;
}
KLStatus
KLAcquireNewInitialTicketsWithPassword(KLPrincipal inPrincipal,
KLLoginOptions inLoginOptions,
const char *inPassword,
char **outCredCacheName)
{
krb5_context context = mshim_ctx();
krb5_error_code ret;
krb5_ccache cache;
krb5_creds creds;
char *service = NULL;
krb5_get_init_creds_opt *opt = NULL;
LOG_ENTRY();
if (inLoginOptions) {
service = inLoginOptions->service;
opt = inLoginOptions->opt;
}
ret = heim_krb5_get_init_creds_password(context, &creds,
inPrincipal, inPassword,
NULL, NULL, 0,
service,
opt);
if (ret)
return ret;
ret = heim_krb5_cc_cache_match(context, inPrincipal, &cache);
if (ret)
ret = heim_krb5_cc_new_unique(context, NULL, NULL, &cache);
if (ret)
goto out;
ret = heim_krb5_cc_initialize(context, cache, creds.client);
if(ret)
goto out;
ret = heim_krb5_cc_store_cred(context, cache, &creds);
if (ret)
goto out;
if (outCredCacheName)
*outCredCacheName = strdup(heim_krb5_cc_get_name(context, cache));
out:
if (cache) {
if (ret)
krb5_cc_destroy((mit_krb5_context)context, (mit_krb5_ccache)cache);
else
heim_krb5_cc_close(context, cache);
}
heim_krb5_free_cred_contents(context, &creds);
return ret;
}
static cc_int32
cred_release(cc_credentials_t io_credentials)
{
struct cred *c = (struct cred *)io_credentials;
heim_krb5_free_cred_contents(milcontext, &c->cred);
free(c->data->credentials.credentials_v5);
free(c->data);
free(c);
return ccNoError;
}
mit_krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password(mit_krb5_context context,
mit_krb5_creds *creds,
mit_krb5_principal client,
char *password,
mit_krb5_prompter_fct prompter,
void *data,
mit_krb5_deltat start_time,
char *in_tkt_service,
mit_krb5_get_init_creds_opt *mopt)
{
struct comb_principal *p = (struct comb_principal *)client;
krb5_get_init_creds_opt *opt = NULL;
krb5_error_code ret;
krb5_creds hcreds;
krb5_prompter_fct pfct = NULL;
LOG_ENTRY();
opt = mshim_gic_opt(HC(context), mopt);
memset(creds, 0, sizeof(*creds));
memset(&hcreds, 0, sizeof(hcreds));
if (prompter == krb5_prompter_posix)
pfct = heim_krb5_prompter_posix;
else if (prompter == NULL)
pfct = NULL;
else {
if (opt)
heim_krb5_get_init_creds_opt_free(HC(context), opt);
return EINVAL;
}
ret = heim_krb5_get_init_creds_password(HC(context), &hcreds, p->heim, password,
pfct, NULL, start_time, in_tkt_service, opt);
if (opt)
heim_krb5_get_init_creds_opt_free(HC(context), opt);
if (ret)
return ret;
mshim_hcred2mcred(HC(context), &hcreds, creds);
heim_krb5_free_cred_contents(HC(context), &hcreds);
return ret;
}
static cc_int32
ccache_remove_credentials(cc_ccache_t io_ccache, cc_credentials_t in_credentials)
{
struct cc_ccache *c = (struct cc_ccache *)io_ccache;
const cc_credentials_v5_t *incred;
krb5_creds cred;
krb5_error_code ret;
LOG_ENTRY();
update_time(&c->change_time);
update_time(&context_change_time);
memset(&cred, 0, sizeof(cred));
if (c->id == NULL)
return LOG_FAILURE(ccErrBadParam, "bad argument");
if (in_credentials == NULL || in_credentials->data == NULL)
return LOG_FAILURE(ccErrBadParam, "remove with no cred?");
if (in_credentials->data->version != cc_credentials_v5)
return LOG_FAILURE(ccErrBadParam, "wrong version");
incred = in_credentials->data->credentials.credentials_v5;
if (incred->client == NULL)
return LOG_FAILURE(ccErrBadParam, "no client to remove");
if (incred->server == NULL)
return LOG_FAILURE(ccErrBadParam, "no server to remove");
ret = heim_krb5_parse_name(milcontext, incred->client, &cred.client);
if (ret)
goto fail;
ret = heim_krb5_parse_name(milcontext, incred->server, &cred.server);
if (ret)
goto fail;
ret = heim_krb5_cc_remove_cred(milcontext, c->id, 0, &cred);
update_time(&context_change_time);
fail:
heim_krb5_free_cred_contents(milcontext, &cred);
if (ret)
return ccErrCredentialsNotFound;
return ccNoError;
}
mit_krb5_error_code KRB5_CALLCONV
mit_krb5_get_validated_creds(mit_krb5_context context,
mit_krb5_creds *creds,
mit_krb5_principal client,
mit_krb5_ccache ccache,
char *in_tkt_service)
{
struct comb_principal *p = (struct comb_principal *)client;
krb5_error_code ret;
krb5_creds hcreds;
LOG_ENTRY();
mshim_mcred2hcred(HC(context), creds, &hcreds);
ret = heim_krb5_get_validated_creds(HC(context), &hcreds, p->heim,
(krb5_ccache)ccache, in_tkt_service);
heim_krb5_free_cred_contents(HC(context), &hcreds);
return ret;
}
cc_int32
cred_iter_next(cc_credentials_iterator_t in_credentials_iterator, cc_credentials_t *out_credentials)
{
struct cred_iterator *ci = (struct cred_iterator *)in_credentials_iterator;
krb5_error_code ret;
krb5_creds cred;
LOG_ENTRY();
ret = heim_krb5_cc_next_cred(milcontext, ci->id, &ci->cursor, &cred);
if (ret == KRB5_CC_END)
return ccIteratorEnd;
else if (ret)
return ret; /* XXX */
*out_credentials = create_credentials(&cred);
heim_krb5_free_cred_contents(milcontext, &cred);
if (*out_credentials == NULL)
return ccErrNoMem;
return ccNoError;
}
mit_krb5_error_code KRB5_CALLCONV
mit_krb5_get_renewed_creds (mit_krb5_context context,
mit_krb5_creds *creds,
mit_krb5_principal client,
mit_krb5_ccache ccache,
char *in_tkt_service)
{
struct comb_principal *p = (struct comb_principal *)client;
krb5_error_code ret;
krb5_creds hcreds;
LOG_ENTRY();
memset(&hcreds, 0, sizeof(hcreds));
ret = heim_krb5_get_renewed_creds(HC(context), &hcreds, p->heim, (krb5_ccache)ccache,
in_tkt_service);
if (ret == 0)
mshim_hcred2mcred(HC(context), &hcreds, creds);
heim_krb5_free_cred_contents(HC(context), &hcreds);
return ret;
}
mit_krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_password(mit_krb5_context context,
mit_krb5_flags flags,
mit_krb5_address * const *addr,
mit_krb5_enctype *enctype,
mit_krb5_preauthtype *preauth,
const char *password,
mit_krb5_ccache cache,
mit_krb5_creds *cred,
mit_krb5_kdc_rep **rep)
{
struct comb_principal *p;
krb5_error_code ret;
krb5_creds hcreds;
LOG_ENTRY();
if (rep)
*rep = NULL;
if (cred->client)
p = (struct comb_principal *)cred->client;
else
return KRB5_PRINC_NOMATCH;
memset(&hcreds, 0, sizeof(hcreds));
ret = heim_krb5_get_init_creds_password(HC(context), &hcreds, p->heim, password,
NULL, NULL, 0, NULL, NULL);
if (ret)
return ret;
if (cache)
heim_krb5_cc_store_cred(HC(context), (krb5_ccache)cache, &hcreds);
heim_krb5_free_cred_contents(HC(context), &hcreds);
return 0;
}
static krb5_error_code
make_cred_from_ccred(krb5_context context,
const cc_credentials_v5_t *incred,
krb5_creds *cred)
{
krb5_error_code ret;
unsigned int i;
memset(cred, 0, sizeof(*cred));
ret = heim_krb5_parse_name(context, incred->client, &cred->client);
if (ret)
goto fail;
ret = heim_krb5_parse_name(context, incred->server, &cred->server);
if (ret)
goto fail;
cred->session.keytype = incred->keyblock.type;
cred->session.keyvalue.length = incred->keyblock.length;
cred->session.keyvalue.data = malloc(incred->keyblock.length);
if (cred->session.keyvalue.data == NULL)
goto nomem;
memcpy(cred->session.keyvalue.data, incred->keyblock.data,
incred->keyblock.length);
cred->times.authtime = incred->authtime;
cred->times.starttime = incred->starttime;
cred->times.endtime = incred->endtime;
cred->times.renew_till = incred->renew_till;
ret = heim_krb5_data_copy(&cred->ticket,
incred->ticket.data,
incred->ticket.length);
if (ret)
goto nomem;
ret = heim_krb5_data_copy(&cred->second_ticket,
incred->second_ticket.data,
incred->second_ticket.length);
if (ret)
goto nomem;
cred->authdata.val = NULL;
cred->authdata.len = 0;
cred->addresses.val = NULL;
cred->addresses.len = 0;
for (i = 0; incred->authdata && incred->authdata[i]; i++)
;
if (i) {
cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0]));
if (cred->authdata.val == NULL)
goto nomem;
cred->authdata.len = i;
for (i = 0; i < cred->authdata.len; i++) {
cred->authdata.val[i].ad_type = incred->authdata[i]->type;
ret = heim_krb5_data_copy(&cred->authdata.val[i].ad_data,
incred->authdata[i]->data,
incred->authdata[i]->length);
if (ret)
goto nomem;
}
}
for (i = 0; incred->addresses && incred->addresses[i]; i++)
;
if (i) {
cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0]));
if (cred->addresses.val == NULL)
goto nomem;
cred->addresses.len = i;
for (i = 0; i < cred->addresses.len; i++) {
cred->addresses.val[i].addr_type = incred->addresses[i]->type;
ret = heim_krb5_data_copy(&cred->addresses.val[i].address,
incred->addresses[i]->data,
incred->addresses[i]->length);
if (ret)
goto nomem;
}
}
cred->flags.i = 0;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE)
cred->flags.b.forwardable = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED)
cred->flags.b.forwarded = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE)
cred->flags.b.proxiable = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY)
cred->flags.b.proxy = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE)
cred->flags.b.may_postdate = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED)
cred->flags.b.postdated = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID)
cred->flags.b.invalid = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE)
cred->flags.b.renewable = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL)
cred->flags.b.initial = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH)
cred->flags.b.pre_authent = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH)
cred->flags.b.hw_authent = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED)
cred->flags.b.transited_policy_checked = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE)
cred->flags.b.ok_as_delegate = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS)
cred->flags.b.anonymous = 1;
return 0;
nomem:
ret = ENOMEM;
heim_krb5_set_error_message(context, ret, "malloc: out of memory");
fail:
heim_krb5_free_cred_contents(context, cred);
return ret;
}
