static krb5_error_code
fetch_creds(KLPrincipal inPrincipal, krb5_creds **ocreds,
char **outCredCacheName)
{
krb5_context context = mshim_ctx();
krb5_principal princ = NULL;
krb5_creds in_creds;
krb5_const_realm realm;
krb5_error_code ret;
krb5_ccache id = NULL;
LOG_ENTRY();
memset(&in_creds, 0, sizeof(in_creds));
if (inPrincipal) {
ret = heim_krb5_cc_cache_match(context, inPrincipal, &id);
} else {
ret = heim_krb5_cc_default(context, &id);
if (ret == 0)
ret = heim_krb5_cc_get_principal(context, id, &princ);
inPrincipal = princ;
}
if (ret)
goto out;
realm = heim_krb5_principal_get_realm(context, inPrincipal);
ret = heim_krb5_make_principal(context, &in_creds.server, realm, KRB5_TGS_NAME, realm, NULL);
if (ret)
goto out;
in_creds.client = inPrincipal;
ret = heim_krb5_get_credentials(context, KRB5_GC_CACHED, id,
&in_creds, ocreds);
heim_krb5_free_principal(context, in_creds.server);
if (outCredCacheName)
*outCredCacheName = strdup(heim_krb5_cc_get_name(context, id));
out:
if (id)
heim_krb5_cc_close(context, id);
if (princ)
heim_krb5_free_principal(context, princ);
return LOG_FAILURE(ret, "fetch_creds");
}
static cc_int32
ccache_set_principal(cc_ccache_t io_ccache, cc_uint32 in_credentials_version, const char *in_principal)
{
struct cc_ccache *c = (struct cc_ccache *)io_ccache;
krb5_error_code ret;
krb5_principal p;
LOG_ENTRY();
if (in_principal == NULL)
return ccErrBadParam;
if (in_credentials_version != cc_credentials_v5)
return LOG_FAILURE(ccErrBadCredentialsVersion, "wrong version");
update_time(&c->change_time);
update_time(&context_change_time);
ret = heim_krb5_parse_name(milcontext, in_principal, &p);
if (ret)
return LOG_FAILURE(ccErrBadParam, "parse name");
ret = heim_krb5_cc_initialize(milcontext, c->id, p);
heim_krb5_free_principal(milcontext, p);
if (ret)
return LOG_FAILURE(ccErrInvalidCCache, "init cache");
return ccNoError;
}
static cc_int32
ccache_get_principal(cc_ccache_t in_ccache, cc_uint32 in_credentials_version, cc_string_t *out_principal)
{
struct cc_ccache *c = (struct cc_ccache *)in_ccache;
krb5_principal princ;
krb5_error_code ret;
char *name;
LOG_ENTRY();
if (out_principal == NULL)
return ccErrBadParam;
if (in_credentials_version != cc_credentials_v5)
return LOG_FAILURE(ccErrBadCredentialsVersion, "wrong version");
if (c->id == NULL)
return ccErrInvalidCCache;
ret = heim_krb5_cc_get_principal(milcontext, c->id, &princ);
if (ret)
return LOG_FAILURE(ret, "get principal");
ret = heim_krb5_unparse_name(milcontext, princ, &name);
heim_krb5_free_principal(milcontext, princ);
if (ret)
return LOG_FAILURE(ret, "unparse name");
*out_principal = create_string(name);
free(name);
return ccNoError;
}
KLStatus
KLDisposePrincipal (KLPrincipal inPrincipal)
{
LOG_ENTRY();
if (inPrincipal == NULL)
return klNoErr;
heim_krb5_free_principal(milcontext, inPrincipal);
return klNoErr;
}
void KRB5_CALLCONV
krb5_free_principal(mit_krb5_context context, mit_krb5_principal principal)
{
struct comb_principal *p = (struct comb_principal *)principal;
LOG_ENTRY();
if (p) {
heim_krb5_free_principal(HC(context), p->heim);
free(p->mit.data);
free(p);
}
}
static cc_int32
context_create_new_ccache(cc_context_t in_context,
cc_uint32 in_cred_vers,
const char *in_principal,
cc_ccache_t *out_ccache)
{
krb5_principal principal;
krb5_error_code ret;
krb5_ccache id;
LOG_ENTRY();
if (in_cred_vers != cc_credentials_v5)
return ccErrBadCredentialsVersion;
if (out_ccache == NULL || in_principal == NULL)
return ccErrBadParam;
update_time(&context_change_time);
ret = heim_krb5_parse_name(milcontext, in_principal, &principal);
if (ret)
return LOG_FAILURE(ret, "parse name");
ret = heim_krb5_cc_new_unique(milcontext, NULL, NULL, &id);
if (ret) {
heim_krb5_free_principal(milcontext, principal);
return LOG_FAILURE(ret, "new unique");
}
ret = heim_krb5_cc_initialize(milcontext, id, principal);
heim_krb5_free_principal(milcontext, principal);
if (ret) {
mit_krb5_cc_destroy((mit_krb5_context)milcontext, (mit_krb5_ccache)id);
return LOG_FAILURE(ret, "cc init");
}
*out_ccache = create_ccache(id);
return ccNoError;
}
static cc_int32
check_exists(krb5_ccache id)
{
krb5_principal princ;
int ret;
ret = heim_krb5_cc_get_principal(milcontext, id, &princ);
if (ret)
return 0;
heim_krb5_free_principal(milcontext, princ);
return 1;
}
static cc_int32
context_create_default_ccache(cc_context_t in_context,
cc_uint32 in_cred_vers,
const char *in_principal,
cc_ccache_t *out_ccache)
{
krb5_principal principal;
krb5_error_code ret;
struct cc_ccache *c;
krb5_ccache id;
LOG_ENTRY();
if (in_cred_vers != cc_credentials_v5)
return ccErrBadCredentialsVersion;
if (out_ccache == NULL || in_principal == NULL)
return ccErrBadParam;
*out_ccache = NULL;
update_time(&context_change_time);
ret = heim_krb5_cc_default(milcontext, &id);
if (ret)
return LOG_FAILURE(ret, "cc default");
ret = heim_krb5_parse_name(milcontext, in_principal, &principal);
if (ret) {
heim_krb5_cc_close(milcontext, id);
return LOG_FAILURE(ret, "parse name");
}
ret = heim_krb5_cc_initialize(milcontext, id, principal);
heim_krb5_free_principal(milcontext, principal);
if (ret) {
mit_krb5_cc_destroy((mit_krb5_context)milcontext, (mit_krb5_ccache)id);
return LOG_FAILURE(ret, "cc init");
}
c = (struct cc_ccache *)create_ccache(id);
update_time(&c->last_default_time);
*out_ccache = (cc_ccache_t)c;
return ccNoError;
}
mit_krb5_error_code KRB5_CALLCONV
krb5_sname_to_principal(mit_krb5_context context,
const char *hostname, const char *service,
mit_krb5_int32 type,
mit_krb5_principal *principal)
{
krb5_error_code ret;
krb5_principal p;
LOG_ENTRY();
*principal = NULL;
ret = heim_krb5_sname_to_principal(HC(context), hostname, service, type, &p);
if (ret)
return ret;
*principal = mshim_hprinc2mprinc(HC(context), p);
heim_krb5_free_principal(HC(context), p);
return 0;
}
KLStatus
KLRenewInitialTickets(KLPrincipal inPrincipal,
KLLoginOptions inLoginOptions,
KLPrincipal *outPrincipal,
char **outCredCacheName)
{
krb5_context context = mshim_ctx();
krb5_error_code ret;
krb5_creds in, *cred = NULL;
krb5_ccache id;
krb5_kdc_flags flags;
krb5_const_realm realm;
krb5_principal principal = NULL;
memset(&in, 0, sizeof(in));
LOG_ENTRY();
if (outPrincipal)
*outPrincipal = NULL;
if (outCredCacheName)
*outCredCacheName = NULL;
if (inPrincipal) {
principal = inPrincipal;
} else {
ret = heim_krb5_get_default_principal(context, &principal);
if (ret)
return ret;
}
ret = heim_krb5_cc_cache_match(context, principal, &id);
if (ret) {
if (inPrincipal == NULL)
heim_krb5_free_principal(context, principal);
return ret;
}
in.client = principal;
realm = heim_krb5_principal_get_realm(context, in.client);
if (inLoginOptions && inLoginOptions->service)
ret = heim_krb5_make_principal(context, &in.server, realm, inLoginOptions->service, NULL);
else
ret = heim_krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME, realm, NULL);
if (ret) {
if (inPrincipal == NULL)
heim_krb5_free_principal(context, principal);
heim_krb5_cc_close(context, id);
return ret;
}
flags.i = 0;
if (inLoginOptions)
flags.i = inLoginOptions->opt->flags;
/* Pull out renewable from previous ticket */
ret = heim_krb5_get_credentials(context, KRB5_GC_CACHED, id, &in, &cred);
if (inPrincipal == NULL)
heim_krb5_free_principal(context, principal);
if (ret == 0 && cred) {
flags.b.renewable = cred->flags.b.renewable;
heim_krb5_free_creds (context, cred);
cred = NULL;
}
flags.b.renew = 1;
ret = heim_krb5_get_kdc_cred(context, id, flags, NULL, NULL, &in, &cred);
heim_krb5_free_principal(context, in.server);
if (ret)
goto out;
ret = heim_krb5_cc_initialize(context, id, in.client);
if (ret)
goto out;
ret = heim_krb5_cc_store_cred(context, id, cred);
out:
if (cred)
heim_krb5_free_creds (context, cred);
heim_krb5_cc_close(context, id);
return ret;
}
