mit_krb5_error_code KRB5_CALLCONV krb5_verify_init_creds(mit_krb5_context context, mit_krb5_creds *creds, mit_krb5_principal ap_req_server, mit_krb5_keytab ap_req_keytab, mit_krb5_ccache *ccache, mit_krb5_verify_init_creds_opt *options) { struct comb_principal *p = (struct comb_principal *)ap_req_server; krb5_error_code ret; krb5_creds hcreds; krb5_verify_init_creds_opt hopts; memset(&hcreds, 0, sizeof(hcreds)); heim_krb5_verify_init_creds_opt_init(&hopts); if (options->ap_req_nofail) heim_krb5_verify_init_creds_opt_set_ap_req_nofail(&hopts, options->ap_req_nofail); mshim_mcred2hcred(HC(context), creds, &hcreds); ret = heim_krb5_verify_init_creds(HC(context), &hcreds, p->heim, (krb5_keytab)ap_req_keytab, (krb5_ccache *)ccache, &hopts); heim_krb5_free_cred_contents(HC(context), &hcreds); return ret; }
mit_krb5_error_code KRB5_CALLCONV krb5_get_init_creds_keytab(mit_krb5_context context, mit_krb5_creds *creds, mit_krb5_principal client, mit_krb5_keytab arg_keytab, mit_krb5_deltat start_time, char *in_tkt_service, mit_krb5_get_init_creds_opt *mopt) { struct comb_principal *p = (struct comb_principal *)client; krb5_get_init_creds_opt *opt = NULL; krb5_error_code ret; krb5_creds hcreds; LOG_ENTRY(); opt = mshim_gic_opt(HC(context), mopt); memset(creds, 0, sizeof(*creds)); memset(&hcreds, 0, sizeof(hcreds)); ret = heim_krb5_get_init_creds_keytab(HC(context), &hcreds, p->heim, (krb5_keytab)arg_keytab, start_time, in_tkt_service, opt); if (opt) heim_krb5_get_init_creds_opt_free(HC(context), opt); if (ret) return ret; mshim_hcred2mcred(HC(context), &hcreds, creds); heim_krb5_free_cred_contents(HC(context), &hcreds); return ret; }
static cc_int32 ccache_store_credentials(cc_ccache_t io_ccache, const cc_credentials_union *in_credentials_union) { struct cc_ccache *c = (struct cc_ccache *)io_ccache; krb5_error_code ret; krb5_creds hcred; LOG_ENTRY(); if (in_credentials_union == NULL) return ccErrBadParam; if (in_credentials_union->version != cc_credentials_v5) return LOG_FAILURE(ccErrBadCredentialsVersion, "wrong version"); if (in_credentials_union->credentials.credentials_v5->client == NULL) return ccErrBadParam; update_time(&c->change_time); update_time(&context_change_time); make_cred_from_ccred(milcontext, in_credentials_union->credentials.credentials_v5, &hcred); ret = heim_krb5_cc_store_cred(milcontext, c->id, &hcred); heim_krb5_free_cred_contents(milcontext, &hcred); if (ret) return LOG_FAILURE(ccErrInvalidCCache, "store cred"); return ccNoError; }
KLStatus KLAcquireNewInitialTicketsWithPassword(KLPrincipal inPrincipal, KLLoginOptions inLoginOptions, const char *inPassword, char **outCredCacheName) { krb5_context context = mshim_ctx(); krb5_error_code ret; krb5_ccache cache; krb5_creds creds; char *service = NULL; krb5_get_init_creds_opt *opt = NULL; LOG_ENTRY(); if (inLoginOptions) { service = inLoginOptions->service; opt = inLoginOptions->opt; } ret = heim_krb5_get_init_creds_password(context, &creds, inPrincipal, inPassword, NULL, NULL, 0, service, opt); if (ret) return ret; ret = heim_krb5_cc_cache_match(context, inPrincipal, &cache); if (ret) ret = heim_krb5_cc_new_unique(context, NULL, NULL, &cache); if (ret) goto out; ret = heim_krb5_cc_initialize(context, cache, creds.client); if(ret) goto out; ret = heim_krb5_cc_store_cred(context, cache, &creds); if (ret) goto out; if (outCredCacheName) *outCredCacheName = strdup(heim_krb5_cc_get_name(context, cache)); out: if (cache) { if (ret) krb5_cc_destroy((mit_krb5_context)context, (mit_krb5_ccache)cache); else heim_krb5_cc_close(context, cache); } heim_krb5_free_cred_contents(context, &creds); return ret; }
static cc_int32 cred_release(cc_credentials_t io_credentials) { struct cred *c = (struct cred *)io_credentials; heim_krb5_free_cred_contents(milcontext, &c->cred); free(c->data->credentials.credentials_v5); free(c->data); free(c); return ccNoError; }
mit_krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password(mit_krb5_context context, mit_krb5_creds *creds, mit_krb5_principal client, char *password, mit_krb5_prompter_fct prompter, void *data, mit_krb5_deltat start_time, char *in_tkt_service, mit_krb5_get_init_creds_opt *mopt) { struct comb_principal *p = (struct comb_principal *)client; krb5_get_init_creds_opt *opt = NULL; krb5_error_code ret; krb5_creds hcreds; krb5_prompter_fct pfct = NULL; LOG_ENTRY(); opt = mshim_gic_opt(HC(context), mopt); memset(creds, 0, sizeof(*creds)); memset(&hcreds, 0, sizeof(hcreds)); if (prompter == krb5_prompter_posix) pfct = heim_krb5_prompter_posix; else if (prompter == NULL) pfct = NULL; else { if (opt) heim_krb5_get_init_creds_opt_free(HC(context), opt); return EINVAL; } ret = heim_krb5_get_init_creds_password(HC(context), &hcreds, p->heim, password, pfct, NULL, start_time, in_tkt_service, opt); if (opt) heim_krb5_get_init_creds_opt_free(HC(context), opt); if (ret) return ret; mshim_hcred2mcred(HC(context), &hcreds, creds); heim_krb5_free_cred_contents(HC(context), &hcreds); return ret; }
static cc_int32 ccache_remove_credentials(cc_ccache_t io_ccache, cc_credentials_t in_credentials) { struct cc_ccache *c = (struct cc_ccache *)io_ccache; const cc_credentials_v5_t *incred; krb5_creds cred; krb5_error_code ret; LOG_ENTRY(); update_time(&c->change_time); update_time(&context_change_time); memset(&cred, 0, sizeof(cred)); if (c->id == NULL) return LOG_FAILURE(ccErrBadParam, "bad argument"); if (in_credentials == NULL || in_credentials->data == NULL) return LOG_FAILURE(ccErrBadParam, "remove with no cred?"); if (in_credentials->data->version != cc_credentials_v5) return LOG_FAILURE(ccErrBadParam, "wrong version"); incred = in_credentials->data->credentials.credentials_v5; if (incred->client == NULL) return LOG_FAILURE(ccErrBadParam, "no client to remove"); if (incred->server == NULL) return LOG_FAILURE(ccErrBadParam, "no server to remove"); ret = heim_krb5_parse_name(milcontext, incred->client, &cred.client); if (ret) goto fail; ret = heim_krb5_parse_name(milcontext, incred->server, &cred.server); if (ret) goto fail; ret = heim_krb5_cc_remove_cred(milcontext, c->id, 0, &cred); update_time(&context_change_time); fail: heim_krb5_free_cred_contents(milcontext, &cred); if (ret) return ccErrCredentialsNotFound; return ccNoError; }
mit_krb5_error_code KRB5_CALLCONV mit_krb5_get_validated_creds(mit_krb5_context context, mit_krb5_creds *creds, mit_krb5_principal client, mit_krb5_ccache ccache, char *in_tkt_service) { struct comb_principal *p = (struct comb_principal *)client; krb5_error_code ret; krb5_creds hcreds; LOG_ENTRY(); mshim_mcred2hcred(HC(context), creds, &hcreds); ret = heim_krb5_get_validated_creds(HC(context), &hcreds, p->heim, (krb5_ccache)ccache, in_tkt_service); heim_krb5_free_cred_contents(HC(context), &hcreds); return ret; }
cc_int32 cred_iter_next(cc_credentials_iterator_t in_credentials_iterator, cc_credentials_t *out_credentials) { struct cred_iterator *ci = (struct cred_iterator *)in_credentials_iterator; krb5_error_code ret; krb5_creds cred; LOG_ENTRY(); ret = heim_krb5_cc_next_cred(milcontext, ci->id, &ci->cursor, &cred); if (ret == KRB5_CC_END) return ccIteratorEnd; else if (ret) return ret; /* XXX */ *out_credentials = create_credentials(&cred); heim_krb5_free_cred_contents(milcontext, &cred); if (*out_credentials == NULL) return ccErrNoMem; return ccNoError; }
mit_krb5_error_code KRB5_CALLCONV mit_krb5_get_renewed_creds (mit_krb5_context context, mit_krb5_creds *creds, mit_krb5_principal client, mit_krb5_ccache ccache, char *in_tkt_service) { struct comb_principal *p = (struct comb_principal *)client; krb5_error_code ret; krb5_creds hcreds; LOG_ENTRY(); memset(&hcreds, 0, sizeof(hcreds)); ret = heim_krb5_get_renewed_creds(HC(context), &hcreds, p->heim, (krb5_ccache)ccache, in_tkt_service); if (ret == 0) mshim_hcred2mcred(HC(context), &hcreds, creds); heim_krb5_free_cred_contents(HC(context), &hcreds); return ret; }
mit_krb5_error_code KRB5_CALLCONV krb5_get_in_tkt_with_password(mit_krb5_context context, mit_krb5_flags flags, mit_krb5_address * const *addr, mit_krb5_enctype *enctype, mit_krb5_preauthtype *preauth, const char *password, mit_krb5_ccache cache, mit_krb5_creds *cred, mit_krb5_kdc_rep **rep) { struct comb_principal *p; krb5_error_code ret; krb5_creds hcreds; LOG_ENTRY(); if (rep) *rep = NULL; if (cred->client) p = (struct comb_principal *)cred->client; else return KRB5_PRINC_NOMATCH; memset(&hcreds, 0, sizeof(hcreds)); ret = heim_krb5_get_init_creds_password(HC(context), &hcreds, p->heim, password, NULL, NULL, 0, NULL, NULL); if (ret) return ret; if (cache) heim_krb5_cc_store_cred(HC(context), (krb5_ccache)cache, &hcreds); heim_krb5_free_cred_contents(HC(context), &hcreds); return 0; }
static krb5_error_code make_cred_from_ccred(krb5_context context, const cc_credentials_v5_t *incred, krb5_creds *cred) { krb5_error_code ret; unsigned int i; memset(cred, 0, sizeof(*cred)); ret = heim_krb5_parse_name(context, incred->client, &cred->client); if (ret) goto fail; ret = heim_krb5_parse_name(context, incred->server, &cred->server); if (ret) goto fail; cred->session.keytype = incred->keyblock.type; cred->session.keyvalue.length = incred->keyblock.length; cred->session.keyvalue.data = malloc(incred->keyblock.length); if (cred->session.keyvalue.data == NULL) goto nomem; memcpy(cred->session.keyvalue.data, incred->keyblock.data, incred->keyblock.length); cred->times.authtime = incred->authtime; cred->times.starttime = incred->starttime; cred->times.endtime = incred->endtime; cred->times.renew_till = incred->renew_till; ret = heim_krb5_data_copy(&cred->ticket, incred->ticket.data, incred->ticket.length); if (ret) goto nomem; ret = heim_krb5_data_copy(&cred->second_ticket, incred->second_ticket.data, incred->second_ticket.length); if (ret) goto nomem; cred->authdata.val = NULL; cred->authdata.len = 0; cred->addresses.val = NULL; cred->addresses.len = 0; for (i = 0; incred->authdata && incred->authdata[i]; i++) ; if (i) { cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0])); if (cred->authdata.val == NULL) goto nomem; cred->authdata.len = i; for (i = 0; i < cred->authdata.len; i++) { cred->authdata.val[i].ad_type = incred->authdata[i]->type; ret = heim_krb5_data_copy(&cred->authdata.val[i].ad_data, incred->authdata[i]->data, incred->authdata[i]->length); if (ret) goto nomem; } } for (i = 0; incred->addresses && incred->addresses[i]; i++) ; if (i) { cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0])); if (cred->addresses.val == NULL) goto nomem; cred->addresses.len = i; for (i = 0; i < cred->addresses.len; i++) { cred->addresses.val[i].addr_type = incred->addresses[i]->type; ret = heim_krb5_data_copy(&cred->addresses.val[i].address, incred->addresses[i]->data, incred->addresses[i]->length); if (ret) goto nomem; } } cred->flags.i = 0; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE) cred->flags.b.forwardable = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED) cred->flags.b.forwarded = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE) cred->flags.b.proxiable = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY) cred->flags.b.proxy = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE) cred->flags.b.may_postdate = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED) cred->flags.b.postdated = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID) cred->flags.b.invalid = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE) cred->flags.b.renewable = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL) cred->flags.b.initial = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH) cred->flags.b.pre_authent = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH) cred->flags.b.hw_authent = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED) cred->flags.b.transited_policy_checked = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE) cred->flags.b.ok_as_delegate = 1; if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS) cred->flags.b.anonymous = 1; return 0; nomem: ret = ENOMEM; heim_krb5_set_error_message(context, ret, "malloc: out of memory"); fail: heim_krb5_free_cred_contents(context, cred); return ret; }