static void
once_func(void *ctx)
{
int ret;
_gsskrb5_kGSSICPassword = heim_string_create("kGSSICPassword");
_gsskrb5_kGSSICCertificate = heim_string_create("kGSSICCertificate");
_gsskrb5_kGSSICKerberosCacheName = heim_string_create("kGSSICKerberosCacheName");
_gsskrb5_kGSSICLKDCHostname = heim_string_create("kGSSICLKDCHostname");
_gsskrb5_kGSSICAppIdentifierACL = heim_string_create("kGSSICAppIdentifierACL");
HEIMDAL_key_create(&context_key, destroy_context, ret);
}
static heim_array_t
get_realms(void)
{
heim_array_t array;
char **realms, **r;
unsigned int i;
int ret;
array = heim_array_create();
for(i = 0; i < config->num_db; i++) {
if (config->db[i]->hdb_get_realms == NULL)
continue;
ret = (config->db[i]->hdb_get_realms)(context, config->db[i], &realms);
if (ret == 0) {
for (r = realms; r && *r; r++) {
heim_string_t s = heim_string_create(*r);
if (s)
heim_array_append_value(array, s);
heim_release(s);
}
krb5_free_host_realm(context, realms);
}
}
return array;
}
/** heim_db_register
* @brief Registers a DB type for use with heim_db_create().
*
* @param dbtype Name of DB type
* @param data Private data argument to the dbtype's openf method
* @param plugin Structure with DB type methods (function pointers)
*
* Backends that provide begin/commit/rollback methods must provide ACID
* semantics.
*
* The registered DB type will have ACID semantics for backends that do
* not provide begin/commit/rollback methods but do provide lock/unlock
* and rdjournal/wrjournal methods (using a replay log journalling
* scheme).
*
* If the registered DB type does not natively provide read vs. write
* transaction isolation but does provide a lock method then the DB will
* provide read/write transaction isolation.
*
* @return ENOMEM on failure, else 0.
*
* @addtogroup heimbase
*/
int
heim_db_register(const char *dbtype,
void *data,
struct heim_db_type *plugin)
{
heim_dict_t plugins;
heim_string_t s;
db_plugin plug, plug2;
int ret = 0;
if ((plugin->beginf != NULL && plugin->commitf == NULL) ||
(plugin->beginf != NULL && plugin->rollbackf == NULL) ||
(plugin->lockf != NULL && plugin->unlockf == NULL) ||
plugin->copyf == NULL)
heim_abort("Invalid DB plugin; make sure methods are paired");
/* Initialize */
plugins = heim_dict_create(11);
if (plugins == NULL)
return ENOMEM;
heim_base_once_f(&db_plugin_init_once, plugins, db_init_plugins_once);
heim_release(plugins);
heim_assert(db_plugins != NULL, "heim_db plugin table initialized");
s = heim_string_create(dbtype);
if (s == NULL)
return ENOMEM;
plug = heim_alloc(sizeof (*plug), "db_plug", plugin_dealloc);
if (plug == NULL) {
heim_release(s);
return ENOMEM;
}
plug->name = heim_retain(s);
plug->openf = plugin->openf;
plug->clonef = plugin->clonef;
plug->closef = plugin->closef;
plug->lockf = plugin->lockf;
plug->unlockf = plugin->unlockf;
plug->syncf = plugin->syncf;
plug->beginf = plugin->beginf;
plug->commitf = plugin->commitf;
plug->rollbackf = plugin->rollbackf;
plug->copyf = plugin->copyf;
plug->setf = plugin->setf;
plug->delf = plugin->delf;
plug->iterf = plugin->iterf;
plug->data = data;
HEIMDAL_MUTEX_lock(&db_type_mutex);
plug2 = heim_dict_get_value(db_plugins, s);
if (plug2 == NULL)
ret = heim_dict_set_value(db_plugins, s, plug);
HEIMDAL_MUTEX_unlock(&db_type_mutex);
heim_release(plug);
heim_release(s);
return ret;
}
heim_error_t
heim_error_createv(int error_code, const char *fmt, va_list ap)
{
heim_error_t e;
char *str;
int len;
int save_errno = errno;
str = malloc(1024);
errno = save_errno;
if (str == NULL)
return heim_error_create_enomem();
len = vsnprintf(str, 1024, fmt, ap);
errno = save_errno;
if (len < 0) {
free(str);
return NULL; /* XXX We should have a special heim_error_t for this */
}
e = _heim_alloc_object(&_heim_error_object, sizeof(struct heim_error));
if (e) {
e->msg = heim_string_create(str);
e->error_code = error_code;
}
free(str);
errno = save_errno;
return e;
}
heim_error_t
heim_error_createv(int error_code, const char *fmt, va_list ap)
{
heim_error_t e;
char *str;
int len;
str = malloc(1024);
if (str == NULL)
return NULL;
len = vsnprintf(str, 1024, fmt, ap);
if (len < 0) {
free(str);
return NULL;
}
e = _heim_alloc_object(&_heim_error_object, sizeof(struct heim_error));
if (e) {
e->msg = heim_string_create(str);
e->error_code = error_code;
}
free(str);
return e;
}
krb5_error_code
krb5_plugin_run_f(krb5_context context,
const char *module,
const char *name,
int min_version,
int flags,
void *userctx,
krb5_error_code (*func)(krb5_context, const void *, void *, void *))
{
heim_string_t m = heim_string_create(module);
heim_dict_t dict;
struct iter_ctx s;
HEIMDAL_MUTEX_lock(&plugin_mutex);
dict = heim_dict_copy_value(modules, m);
heim_release(m);
if (dict == NULL) {
HEIMDAL_MUTEX_unlock(&plugin_mutex);
return KRB5_PLUGIN_NO_HANDLE;
}
s.context = context;
s.name = name;
s.n = heim_string_create(name);
s.min_version = min_version;
s.result = heim_array_create();
s.func = func;
s.userctx = userctx;
heim_dict_iterate_f(dict, search_modules, &s);
heim_release(dict);
HEIMDAL_MUTEX_unlock(&plugin_mutex);
s.ret = KRB5_PLUGIN_NO_HANDLE;
heim_array_iterate_f(s.result, &s, eval_results);
heim_release(s.result);
heim_release(s.n);
return s.ret;
}
static krb5_error_code KRB5_LIB_CALL
set_res(void *userctx, const char *res)
{
struct plctx *plctx = userctx;
plctx->luser = heim_string_create(res);
if (plctx->luser == NULL)
return ENOMEM;
return 0;
}
heim_string_t
__heim_string_constant(const char *_str)
{
static HEIMDAL_MUTEX mutex = HEIMDAL_MUTEX_INITIALIZER;
static heim_base_once_t once;
static heim_dict_t dict = NULL;
heim_string_t s, s2;
heim_base_once_f(&once, &dict, init_string);
s = heim_string_create(_str);
HEIMDAL_MUTEX_lock(&mutex);
s2 = heim_dict_get_value(dict, s);
if (s2) {
heim_release(s);
s = s2;
} else {
_heim_make_permanent(s);
heim_dict_set_value(dict, s, s);
}
HEIMDAL_MUTEX_unlock(&mutex);
return s;
}
void
krb5_load_plugins(krb5_context context, const char *name, const char **paths)
{
#ifdef HAVE_DLOPEN
heim_string_t s = heim_string_create(name);
heim_dict_t module;
struct dirent *entry;
krb5_error_code ret;
const char **di;
DIR *d;
HEIMDAL_MUTEX_lock(&plugin_mutex);
if (modules == NULL) {
modules = heim_dict_create(11);
if (modules == NULL) {
HEIMDAL_MUTEX_unlock(&plugin_mutex);
return;
}
}
module = heim_dict_copy_value(modules, s);
if (module == NULL) {
module = heim_dict_create(11);
if (module == NULL) {
HEIMDAL_MUTEX_unlock(&plugin_mutex);
heim_release(s);
return;
}
heim_dict_add_value(modules, s, module);
}
heim_release(s);
for (di = paths; *di != NULL; di++) {
d = opendir(*di);
if (d == NULL)
continue;
rk_cloexec_dir(d);
while ((entry = readdir(d)) != NULL) {
char *n = entry->d_name;
char *path = NULL;
heim_string_t spath;
struct plugin2 *p;
/* skip . and .. */
if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
continue;
ret = 0;
#ifdef __APPLE__
{ /* support loading bundles on MacOS */
size_t len = strlen(n);
if (len > 7 && strcmp(&n[len - 7], ".bundle") == 0)
ret = asprintf(&path, "%s/%s/Contents/MacOS/%.*s", *di, n, (int)(len - 7), n);
}
#endif
if (ret < 0 || path == NULL)
ret = asprintf(&path, "%s/%s", *di, n);
if (ret < 0 || path == NULL)
continue;
spath = heim_string_create(n);
if (spath == NULL) {
free(path);
continue;
}
/* check if already cached */
p = heim_dict_copy_value(module, spath);
if (p == NULL) {
p = heim_uniq_alloc(sizeof(*p), "krb5-plugin", plug_dealloc);
if (p)
p->dsohandle = dlopen(path, RTLD_LOCAL|RTLD_LAZY);
if (p && p->dsohandle) {
p->path = heim_retain(spath);
p->names = heim_dict_create(11);
heim_dict_add_value(module, spath, p);
}
}
heim_release(spath);
heim_release(p);
free(path);
}
closedir(d);
}
heim_release(module);
HEIMDAL_MUTEX_unlock(&plugin_mutex);
#endif /* HAVE_DLOPEN */
}
/**
* Open a database of the given dbtype.
*
* Database type names can be composed of one or more pseudo-DB types
* and one concrete DB type joined with a '+' between each. For
* example: "transaction+bdb" might be a Berkeley DB with a layer above
* that provides transactions.
*
* Options may be provided via a dict (an associative array). Existing
* options include:
*
* - "create", with any value (create if DB doesn't exist)
* - "exclusive", with any value (exclusive create)
* - "truncate", with any value (truncate the DB)
* - "read-only", with any value (disallow writes)
* - "sync", with any value (make transactions durable)
* - "journal-name", with a string value naming a journal file name
*
* @param dbtype Name of DB type
* @param dbname Name of DB (likely a file path)
* @param options Options dict
* @param db Output open DB handle
* @param error Output error object
*
* @return a DB handle
*
* @addtogroup heimbase
*/
heim_db_t
heim_db_create(const char *dbtype, const char *dbname,
heim_dict_t options, heim_error_t *error)
{
heim_string_t s;
char *p;
db_plugin plug;
heim_db_t db;
int ret = 0;
if (options == NULL) {
options = heim_dict_create(11);
if (options == NULL) {
if (error)
*error = heim_error_create_enomem();
return NULL;
}
} else {
(void) heim_retain(options);
}
if (db_plugins == NULL) {
heim_release(options);
return NULL;
}
if (dbtype == NULL || *dbtype == '\0') {
struct dbtype_iter iter_ctx = { NULL, dbname, options, error};
/* Try all dbtypes */
heim_dict_iterate_f(db_plugins, &iter_ctx, dbtype_iter2create_f);
heim_release(options);
return iter_ctx.db;
} else if (strstr(dbtype, "json")) {
(void) heim_db_register(dbtype, NULL, &json_dbt);
}
/*
* Allow for dbtypes that are composed from pseudo-dbtypes chained
* to a real DB type with '+'. For example a pseudo-dbtype might
* add locking, transactions, transcoding of values, ...
*/
p = strchr(dbtype, '+');
if (p != NULL)
s = heim_string_create_with_bytes(dbtype, p - dbtype);
else
s = heim_string_create(dbtype);
if (s == NULL) {
heim_release(options);
return NULL;
}
HEIMDAL_MUTEX_lock(&db_type_mutex);
plug = heim_dict_get_value(db_plugins, s);
HEIMDAL_MUTEX_unlock(&db_type_mutex);
heim_release(s);
if (plug == NULL) {
if (error)
*error = heim_error_create(ENOENT,
N_("Heimdal DB plugin not found: %s", ""),
dbtype);
heim_release(options);
return NULL;
}
db = _heim_alloc_object(&db_object, sizeof(*db));
if (db == NULL) {
heim_release(options);
return NULL;
}
db->in_transaction = 0;
db->ro_tx = 0;
db->set_keys = NULL;
db->del_keys = NULL;
db->plug = plug;
db->options = options;
ret = plug->openf(plug->data, dbtype, dbname, options, &db->db_data, error);
if (ret) {
heim_release(db);
if (error && *error == NULL)
*error = heim_error_create(ENOENT,
N_("Heimdal DB could not be opened: %s", ""),
dbname);
return NULL;
}
ret = db_replay_log(db, error);
if (ret) {
heim_release(db);
return NULL;
}
if (plug->clonef == NULL) {
db->dbtype = heim_string_create(dbtype);
db->dbname = heim_string_create(dbname);
if (!db->dbtype || ! db->dbname) {
heim_release(db);
if (error)
*error = heim_error_create_enomem();
return NULL;
}
}
return db;
}
static int
json_db_open(void *plug, const char *dbtype, const char *dbname,
heim_dict_t options, void **db, heim_error_t *error)
{
json_db_t jsondb;
heim_dict_t contents = NULL;
heim_string_t dbname_s = NULL;
heim_string_t bkpname_s = NULL;
if (error)
*error = NULL;
if (dbtype && *dbtype && strcmp(dbtype, "json"))
return HEIM_ERROR(error, EINVAL, (EINVAL, N_("Wrong DB type", "")));
if (dbname && *dbname && strcmp(dbname, "MEMORY") != 0) {
char *ext = strrchr(dbname, '.');
char *bkpname;
size_t len;
int ret;
if (ext == NULL || strcmp(ext, ".json") != 0)
return HEIM_ERROR(error, EINVAL,
(EINVAL, N_("JSON DB files must end in .json",
"")));
if (options) {
heim_object_t vc, ve, vt;
vc = heim_dict_get_value(options, HSTR("create"));
ve = heim_dict_get_value(options, HSTR("exclusive"));
vt = heim_dict_get_value(options, HSTR("truncate"));
if (vc && vt) {
ret = open_file(dbname, 1, ve ? 1 : 0, NULL, error);
if (ret)
return ret;
} else if (vc || ve || vt) {
return HEIM_ERROR(error, EINVAL,
(EINVAL, N_("Invalid JSON DB open options",
"")));
}
/*
* We don't want cloned handles to truncate the DB, eh?
*
* We should really just create a copy of the options dict
* rather than modify the caller's! But for that it'd be
* nicer to have copy utilities in heimbase, something like
* this:
*
* heim_object_t heim_copy(heim_object_t src, int depth,
* heim_error_t *error);
*
* so that options = heim_copy(options, 1); means copy the
* dict but nothing else (whereas depth == 0 would mean
* heim_retain(), and depth > 1 would be copy that many
* levels).
*/
heim_dict_delete_key(options, HSTR("create"));
heim_dict_delete_key(options, HSTR("exclusive"));
heim_dict_delete_key(options, HSTR("truncate"));
}
dbname_s = heim_string_create(dbname);
if (dbname_s == NULL)
return HEIM_ENOMEM(error);
len = snprintf(NULL, 0, "%s~", dbname);
bkpname = malloc(len + 2);
if (bkpname == NULL) {
heim_release(dbname_s);
return HEIM_ENOMEM(error);
}
(void) snprintf(bkpname, len + 1, "%s~", dbname);
bkpname_s = heim_string_create(bkpname);
free(bkpname);
if (bkpname_s == NULL) {
heim_release(dbname_s);
return HEIM_ENOMEM(error);
}
ret = read_json(dbname, (heim_object_t *)&contents, error);
if (ret)
return ret;
if (contents != NULL && heim_get_tid(contents) != HEIM_TID_DICT)
return HEIM_ERROR(error, EINVAL,
(EINVAL, N_("JSON DB contents not valid JSON",
"")));
}
jsondb = heim_alloc(sizeof (*jsondb), "json_db", NULL);
if (jsondb == NULL) {
heim_release(contents);
heim_release(dbname_s);
return ENOMEM;
}
jsondb->last_read_time = time(NULL);
jsondb->fd = -1;
jsondb->dbname = dbname_s;
jsondb->bkpname = bkpname_s;
jsondb->read_only = 0;
if (contents != NULL)
jsondb->dict = contents;
else {
jsondb->dict = heim_dict_create(29);
if (jsondb->dict == NULL) {
heim_release(jsondb);
return ENOMEM;
}
}
*db = jsondb;
return 0;
}
/**
* Run plugins for the given @module (e.g., "krb5") and @name (e.g.,
* "kuserok"). Specifically, the @func is invoked once per-plugin with
* four arguments: the @context, the plugin symbol value (a pointer to a
* struct whose first three fields are the same as struct common_plugin_method),
* a context value produced by the plugin's init method, and @userctx.
*
* @func should unpack arguments for a plugin function and invoke it
* with arguments taken from @userctx. @func should save plugin
* outputs, if any, in @userctx.
*
* All loaded and registered plugins are invoked via @func until @func
* returns something other than KRB5_PLUGIN_NO_HANDLE. Plugins that
* have nothing to do for the given arguments should return
* KRB5_PLUGIN_NO_HANDLE.
*
* Inputs:
*
* @context A krb5_context
* @module Name of module (typically "krb5")
* @name Name of pluggable interface (e.g., "kuserok")
* @min_version Lowest acceptable plugin minor version number
* @flags Flags (none defined at this time)
* @userctx Callback data for the callback function @func
* @func A callback function, invoked once per-plugin
*
* Outputs: None, other than the return value and such outputs as are
* gathered by @func.
*/
krb5_error_code
_krb5_plugin_run_f(krb5_context context,
const char *module,
const char *name,
int min_version,
int flags,
void *userctx,
krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *))
{
heim_string_t m = heim_string_create(module);
heim_dict_t dict;
void *plug_ctx;
struct common_plugin_method *cpm;
struct iter_ctx s;
struct krb5_plugin *registered_plugins = NULL;
struct krb5_plugin *p;
/* Get registered plugins */
(void) _krb5_plugin_find(context, SYMBOL, name, ®istered_plugins);
HEIMDAL_MUTEX_lock(&plugin_mutex);
s.context = context;
s.name = name;
s.n = heim_string_create(name);
s.min_version = min_version;
s.result = heim_array_create();
s.func = func;
s.userctx = userctx;
s.ret = KRB5_PLUGIN_NO_HANDLE;
/* Get loaded plugins */
dict = heim_dict_get_value(modules, m);
heim_release(m);
/* Add loaded plugins to s.result array */
if (dict)
heim_dict_iterate_f(dict, &s, search_modules);
/* We don't need to hold plugin_mutex during plugin invocation */
HEIMDAL_MUTEX_unlock(&plugin_mutex);
/* Invoke registered plugins (old system) */
for (p = registered_plugins; p; p = p->next) {
/*
* XXX This is the wrong way to handle registered plugins, as we
* call init/fini on each invocation! We do this because we
* have nowhere in the struct plugin registered list to store
* the context allocated by the plugin's init function. (But at
* least we do call init/fini!)
*
* What we should do is adapt the old plugin system to the new
* one and change how we register plugins so that we use the new
* struct plug to keep track of their context structures, that
* way we can init once, invoke many times, then fini.
*/
cpm = (struct common_plugin_method *)p->symbol;
s.ret = cpm->init(context, &plug_ctx);
if (s.ret)
continue;
s.ret = s.func(s.context, p->symbol, plug_ctx, s.userctx);
cpm->fini(plug_ctx);
if (s.ret != KRB5_PLUGIN_NO_HANDLE)
break;
}
_krb5_plugin_free(registered_plugins);
/* Invoke loaded plugins (new system) */
if (s.ret != KRB5_PLUGIN_NO_HANDLE)
heim_array_iterate_f(s.result, &s, eval_results);
heim_release(s.result);
heim_release(s.n);
return s.ret;
}
static krb5_error_code
get_new_tickets(krb5_context context,
krb5_principal principal,
krb5_ccache ccache,
krb5_deltat ticket_life,
int interactive)
{
krb5_error_code ret;
krb5_get_init_creds_opt *opt;
krb5_creds cred;
char passwd[256];
krb5_deltat start_time = 0;
krb5_deltat renew = 0;
const char *renewstr = NULL;
krb5_enctype *enctype = NULL;
krb5_ccache tempccache;
krb5_init_creds_context icc;
krb5_keytab kt = NULL;
int will_use_keytab = (use_keytab || keytab_str);
krb5_prompter_fct prompter = NULL;
int need_prompt;
passwd[0] = '\0';
if (password_file) {
FILE *f;
if (strcasecmp("STDIN", password_file) == 0)
f = stdin;
else
f = fopen(password_file, "r");
if (f == NULL)
krb5_errx(context, 1, "Failed to open the password file %s",
password_file);
if (fgets(passwd, sizeof(passwd), f) == NULL)
krb5_errx(context, 1,
N_("Failed to read password from file %s", ""),
password_file);
if (f != stdin)
fclose(f);
passwd[strcspn(passwd, "\n")] = '\0';
}
#if defined(__APPLE__) && !defined(__APPLE_TARGET_EMBEDDED__)
if (passwd[0] == '\0' && !will_use_keytab && home_directory_flag) {
const char *realm;
OSStatus osret;
UInt32 length;
void *buffer;
char *name;
realm = krb5_principal_get_realm(context, principal);
ret = krb5_unparse_name_flags(context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret)
goto nopassword;
osret = SecKeychainFindGenericPassword(NULL, (UInt32)strlen(realm), realm,
(UInt32)strlen(name), name,
&length, &buffer, &passwordItem);
free(name);
if (osret != noErr)
goto nopassword;
if (length < sizeof(passwd) - 1) {
memcpy(passwd, buffer, length);
passwd[length] = '\0';
}
SecKeychainItemFreeContent(NULL, buffer);
nopassword:
do { } while(0);
}
#endif
need_prompt = !(pk_user_id || ent_user_id || anonymous_flag || will_use_keytab || passwd[0] != '\0') && interactive;
if (need_prompt)
prompter = krb5_prompter_posix;
else
prompter = krb5_prompter_print_only;
memset(&cred, 0, sizeof(cred));
ret = krb5_get_init_creds_opt_alloc (context, &opt);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
krb5_get_init_creds_opt_set_default_flags(context, "kinit",
krb5_principal_get_realm(context, principal), opt);
if(forwardable_flag != -1)
krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
if(proxiable_flag != -1)
krb5_get_init_creds_opt_set_proxiable (opt, proxiable_flag);
if(anonymous_flag)
krb5_get_init_creds_opt_set_anonymous (opt, anonymous_flag);
if (pac_flag != -1)
krb5_get_init_creds_opt_set_pac_request(context, opt,
pac_flag ? TRUE : FALSE);
if (canonicalize_flag)
krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
if (pk_user_id || ent_user_id || anonymous_flag) {
ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
principal,
pk_user_id,
pk_x509_anchors,
NULL,
NULL,
pk_use_enckey ? 2 : 0 |
anonymous_flag ? 4 : 0,
interactive ? krb5_prompter_posix : krb5_prompter_print_only,
NULL,
passwd);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
if (ent_user_id)
krb5_get_init_creds_opt_set_pkinit_user_cert(context, opt, ent_user_id);
}
if (addrs_flag != -1)
krb5_get_init_creds_opt_set_addressless(context, opt,
addrs_flag ? FALSE : TRUE);
if (renew_life == NULL && renewable_flag)
renewstr = "1 month";
if (renew_life)
renewstr = renew_life;
if (renewstr) {
renew = parse_time (renewstr, "s");
if (renew < 0)
errx (1, "unparsable time: %s", renewstr);
krb5_get_init_creds_opt_set_renew_life (opt, renew);
}
if(ticket_life != 0)
krb5_get_init_creds_opt_set_tkt_life (opt, ticket_life);
if(start_str) {
int tmp = parse_time (start_str, "s");
if (tmp < 0)
errx (1, N_("unparsable time: %s", ""), start_str);
start_time = tmp;
}
if(etype_str.num_strings) {
int i;
enctype = malloc(etype_str.num_strings * sizeof(*enctype));
if(enctype == NULL)
errx(1, "out of memory");
for(i = 0; i < etype_str.num_strings; i++) {
ret = krb5_string_to_enctype(context,
etype_str.strings[i],
&enctype[i]);
if(ret)
krb5_err(context, 1, ret, "unrecognized enctype: %s",
etype_str.strings[i]);
}
krb5_get_init_creds_opt_set_etype_list(opt, enctype,
etype_str.num_strings);
}
ret = krb5_init_creds_init(context, principal,
prompter, NULL,
start_time, opt, &icc);
if (ret)
krb5_err (context, 1, ret, "krb5_init_creds_init");
if (server_str) {
ret = krb5_init_creds_set_service(context, icc, server_str);
if (ret)
krb5_err (context, 1, ret, "krb5_init_creds_set_service");
}
if (kdc_hostname)
krb5_init_creds_set_kdc_hostname(context, icc, kdc_hostname);
if (fast_armor_cache_string) {
krb5_ccache fastid;
ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve(FAST cache)");
ret = krb5_init_creds_set_fast_ccache(context, icc, fastid);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_fast_ccache");
}
if(will_use_keytab) {
if(keytab_str)
ret = krb5_kt_resolve(context, keytab_str, &kt);
else
ret = krb5_kt_default(context, &kt);
if (ret)
krb5_err (context, 1, ret, "resolving keytab");
ret = krb5_init_creds_set_keytab(context, icc, kt);
if (ret)
krb5_err (context, 1, ret, "krb5_init_creds_set_keytab");
}
if (passwd[0] == '\0' && need_prompt) {
char *p, *prompt;
krb5_unparse_name(context, principal, &p);
asprintf (&prompt, N_("%s's Password: "******""), p);
free(p);
if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
memset(passwd, 0, sizeof(passwd));
errx(1, "failed to read password");
}
free (prompt);
}
if (passwd[0]) {
ret = krb5_init_creds_set_password(context, icc, passwd);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_password");
}
ret = krb5_init_creds_get(context, icc);
#ifdef __APPLE__
/*
* Save password in Keychain
*/
if (ret == 0 && keychain_flag && passwordItem == NULL) {
krb5_error_code ret2;
const char *realm;
char *name;
realm = krb5_principal_get_realm(context, principal);
ret2 = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret2 == 0) {
(void)SecKeychainAddGenericPassword(NULL,
(UInt32)strlen(realm), realm,
(UInt32)strlen(name), name,
(UInt32)strlen(passwd), passwd,
NULL);
free(name);
}
}
#endif
memset(passwd, 0, sizeof(passwd));
switch(ret){
case 0:
break;
case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
exit(1);
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5_GET_IN_TKT_LOOP:
#ifdef __APPLE__
if (passwordItem)
SecKeychainItemDelete(passwordItem);
#endif
krb5_errx(context, 1, N_("Password incorrect", ""));
case KRB5KRB_AP_ERR_V4_REPLY:
krb5_errx(context, 1, N_("Looks like a Kerberos 4 reply", ""));
case KRB5KDC_ERR_KEY_EXPIRED:
krb5_errx(context, 1, N_("Password expired", ""));
default:
krb5_err(context, 1, ret, "krb5_get_init_creds");
}
ret = krb5_init_creds_get_creds(context, icc, &cred);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_get_creds");
krb5_process_last_request(context, opt, icc);
ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
NULL, &tempccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_new_unique");
ret = krb5_init_creds_store(context, icc, tempccache);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_store");
ret = krb5_init_creds_store_config(context, icc, tempccache);
if (ret)
krb5_warn(context, ret, "krb5_init_creds_store_config");
ret = krb5_init_creds_warn_user(context, icc);
if (ret)
krb5_warn(context, ret, "krb5_init_creds_warn_user");
#ifdef __APPLE__
/*
* Set for this case, default to * so that all processes can use
* this cache.
*/
{
heim_array_t bundleacl = heim_array_create();
heim_string_t ace;
if (bundle_acl_strings.num_strings > 0) {
int i;
for (i = 0; i < bundle_acl_strings.num_strings; i++) {
ace = heim_string_create(bundle_acl_strings.strings[i]);
heim_array_append_value(bundleacl, ace);
heim_release(ace);
}
} else {
ace = heim_string_create("*");
heim_array_append_value(bundleacl, ace);
heim_release(ace);
}
krb5_cc_set_acl(context, tempccache, "kHEIMAttrBundleIdentifierACL", bundleacl);
heim_release(bundleacl);
}
#endif
ret = krb5_cc_move(context, tempccache, ccache);
if (ret) {
(void)krb5_cc_destroy(context, tempccache);
krb5_err (context, 1, ret, "krb5_cc_move");
}
if (switch_cache_flags)
krb5_cc_switch(context, ccache);
if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
unsigned char d = 0;
krb5_data data;
if (ok_as_delegate_flag || windows_flag)
d |= 1;
if (use_referrals_flag || windows_flag)
d |= 2;
data.length = 1;
data.data = &d;
krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
}
if (enctype)
free(enctype);
krb5_init_creds_free(context, icc);
krb5_get_init_creds_opt_free(context, opt);
if (kt)
krb5_kt_close(context, kt);
#ifdef __APPLE__
if (passwordItem)
CFRelease(passwordItem);
#endif
return 0;
}
static int
base2json(heim_object_t obj, struct twojson *j)
{
heim_tid_t type;
int first = 0;
char *str;
if (obj == NULL) {
if (j->flags & HEIM_JSON_F_CNULL2JSNULL) {
obj = heim_null_create();
} else if (j->flags & HEIM_JSON_F_NO_C_NULL) {
return EINVAL;
} else {
indent(j);
j->out(j->ctx, "<NULL>\n"); /* This is NOT valid JSON! */
return 0;
}
}
type = heim_get_tid(obj);
switch (type) {
case HEIM_TID_ARRAY:
indent(j);
j->out(j->ctx, "[\n");
j->indent++;
first = j->first;
j->first = 1;
heim_array_iterate_f(obj, j, array2json);
j->indent--;
if (!j->first)
j->out(j->ctx, "\n");
indent(j);
j->out(j->ctx, "]\n");
j->first = first;
break;
case HEIM_TID_DICT:
indent(j);
j->out(j->ctx, "{\n");
j->indent++;
first = j->first;
j->first = 1;
heim_dict_iterate_f(obj, j, dict2json);
j->indent--;
if (!j->first)
j->out(j->ctx, "\n");
indent(j);
j->out(j->ctx, "}\n");
j->first = first;
break;
case HEIM_TID_STRING:
indent(j);
j->out(j->ctx, "\"");
str = heim_string_copy_utf8(obj);
j->out(j->ctx, str);
free(str);
j->out(j->ctx, "\"");
break;
case HEIM_TID_DATA: {
heim_dict_t d;
heim_string_t v;
char *b64 = NULL;
int ret;
if (j->flags & HEIM_JSON_F_NO_DATA)
return EINVAL; /* JSON doesn't do binary */
ret = base64_encode(heim_data_get_bytes(obj), (int)heim_data_get_length(obj), &b64);
if (ret < 0 || b64 == NULL)
return ENOMEM;
if (j->flags & HEIM_JSON_F_NO_DATA_DICT) {
indent(j);
j->out(j->ctx, "\"");
j->out(j->ctx, b64); /* base64-encode; hope there's no aliasing */
j->out(j->ctx, "\"");
free(b64);
} else {
/*
* JSON has no way to represent binary data, therefore the
* following is a Heimdal-specific convention.
*
* We encode binary data as a dict with a single very magic
* key with a base64-encoded value. The magic key includes
* a uuid, so we're not likely to alias accidentally.
*/
d = heim_dict_create(2);
if (d == NULL) {
free(b64);
return ENOMEM;
}
v = heim_string_create(b64);
free(b64);
if (v == NULL) {
heim_release(d);
return ENOMEM;
}
ret = heim_dict_set_value(d, heim_tid_data_uuid_key, v);
heim_release(v);
if (ret) {
heim_release(d);
return ENOMEM;
}
ret = base2json(d, j);
heim_release(d);
if (ret)
return ret;
}
break;
}
case HEIM_TID_NUMBER: {
char num[32];
indent(j);
snprintf(num, sizeof (num), "%d", heim_number_get_int(obj));
j->out(j->ctx, num);
break;
}
case HEIM_TID_NULL:
indent(j);
j->out(j->ctx, "null");
break;
case HEIM_TID_BOOL:
indent(j);
j->out(j->ctx, heim_bool_val(obj) ? "true" : "false");
break;
default:
return 1;
}
return 0;
}