static krb5_error_code
kcmss_store_cred(krb5_context context,
krb5_ccache id,
krb5_creds *creds)
{
krb5_error_code ret;
kcm_ccache c = KCMCACHE(id);
KCM_ASSERT_VALID(c);
ret = kcm_ccache_store_cred_internal(context, c, creds, NULL, 1);
return ret;
}
krb5_error_code
kcm_ccache_store_cred(krb5_context context,
kcm_ccache ccache,
krb5_creds *creds,
int copy)
{
krb5_error_code ret;
krb5_creds *tmp;
KCM_ASSERT_VALID(ccache);
HEIMDAL_MUTEX_lock(&ccache->mutex);
ret = kcm_ccache_store_cred_internal(context, ccache, creds, copy, &tmp);
HEIMDAL_MUTEX_unlock(&ccache->mutex);
return ret;
}
krb5_error_code
kcm_ccache_acquire(krb5_context context,
kcm_ccache ccache,
time_t *expire)
{
krb5_error_code ret = 0;
krb5_creds cred;
krb5_const_realm realm;
krb5_get_init_creds_opt *opt = NULL;
krb5_ccache_data ccdata;
char *in_tkt_service = NULL;
*expire = 0;
memset(&cred, 0, sizeof(cred));
KCM_ASSERT_VALID(ccache);
/* We need a cached key or keytab to acquire credentials */
if (ccache->flags & KCM_FLAGS_USE_PASSWORD) {
if (ccache->password == NULL)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_PASSWORD without password");
} else if (ccache->flags & KCM_FLAGS_USE_KEYTAB) {
if (ccache->keytab == NULL)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab");
} else {
kcm_log(0, "Cannot acquire initial credentials for cache %s without key",
ccache->name);
return KRB5_FCC_INTERNAL;
}
/* Fake up an internal ccache */
kcm_internal_ccache(context, ccache, &ccdata);
/* Now, actually acquire the creds */
if (ccache->server != NULL) {
ret = krb5_unparse_name(context, ccache->server, &in_tkt_service);
if (ret) {
kcm_log(0, "Failed to unparse service name for cache %s",
ccache->name);
return ret;
}
}
realm = krb5_principal_get_realm(context, ccache->client);
ret = krb5_get_init_creds_opt_alloc(context, &opt);
if (ret)
goto out;
krb5_get_init_creds_opt_set_default_flags(context, "kcm", realm, opt);
if (ccache->tkt_life != 0)
krb5_get_init_creds_opt_set_tkt_life(opt, ccache->tkt_life);
if (ccache->renew_life != 0)
krb5_get_init_creds_opt_set_renew_life(opt, ccache->renew_life);
krb5_get_init_creds_opt_set_forwardable(opt, 1);
if (ccache->flags & KCM_FLAGS_USE_PASSWORD) {
ret = krb5_get_init_creds_password(context,
&cred,
ccache->client,
ccache->password,
NULL,
NULL,
0,
in_tkt_service,
opt);
} else {
ret = krb5_get_init_creds_keytab(context,
&cred,
ccache->client,
ccache->keytab,
0,
in_tkt_service,
opt);
}
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to acquire credentials for cache %s: %s",
ccache->name, msg);
krb5_free_error_message(context, msg);
if (in_tkt_service != NULL)
free(in_tkt_service);
goto out;
}
if (in_tkt_service != NULL)
free(in_tkt_service);
/* Swap them in */
kcm_ccache_remove_creds_internal(context, ccache);
ret = kcm_ccache_store_cred_internal(context, ccache, &cred, NULL, 0);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to store credentials for cache %s: %s",
ccache->name, msg);
krb5_free_error_message(context, msg);
krb5_free_cred_contents(context, &cred);
goto out;
}
*expire = cred.times.endtime;
out:
if (opt)
krb5_get_init_creds_opt_free(context, opt);
return ret;
}
krb5_error_code
kcm_ccache_acquire(krb5_context context,
kcm_ccache ccache,
krb5_creds **credp)
{
krb5_error_code ret = 0;
krb5_creds cred;
krb5_const_realm realm;
krb5_get_init_creds_opt opt;
krb5_ccache_data ccdata;
char *in_tkt_service = NULL;
int done = 0;
memset(&cred, 0, sizeof(cred));
KCM_ASSERT_VALID(ccache);
/* We need a cached key or keytab to acquire credentials */
if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
if (ccache->key.keyblock.keyvalue.length == 0)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_CACHED_KEY without key");
} else if (ccache->flags & KCM_FLAGS_USE_KEYTAB) {
if (ccache->key.keytab == NULL)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab");
} else {
kcm_log(0, "Cannot acquire initial credentials for cache %s without key",
ccache->name);
return KRB5_FCC_INTERNAL;
}
HEIMDAL_MUTEX_lock(&ccache->mutex);
/* Fake up an internal ccache */
kcm_internal_ccache(context, ccache, &ccdata);
/* Now, actually acquire the creds */
if (ccache->server != NULL) {
ret = krb5_unparse_name(context, ccache->server, &in_tkt_service);
if (ret) {
kcm_log(0, "Failed to unparse service principal name for cache %s: %s",
ccache->name, krb5_get_err_text(context, ret));
return ret;
}
}
realm = krb5_principal_get_realm(context, ccache->client);
krb5_get_init_creds_opt_init(&opt);
krb5_get_init_creds_opt_set_default_flags(context, "kcm", realm, &opt);
if (ccache->tkt_life != 0)
krb5_get_init_creds_opt_set_tkt_life(&opt, ccache->tkt_life);
if (ccache->renew_life != 0)
krb5_get_init_creds_opt_set_renew_life(&opt, ccache->renew_life);
if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
ret = krb5_get_init_creds_keyblock(context,
&cred,
ccache->client,
&ccache->key.keyblock,
0,
in_tkt_service,
&opt);
} else {
/* loosely based on lib/krb5/init_creds_pw.c */
while (!done) {
ret = krb5_get_init_creds_keytab(context,
&cred,
ccache->client,
ccache->key.keytab,
0,
in_tkt_service,
&opt);
switch (ret) {
case KRB5KDC_ERR_KEY_EXPIRED:
if (in_tkt_service != NULL &&
strcmp(in_tkt_service, "kadmin/changepw") == 0) {
goto out;
}
ret = change_pw_and_update_keytab(context, ccache);
if (ret)
goto out;
break;
case 0:
default:
done = 1;
break;
}
}
}
if (ret) {
kcm_log(0, "Failed to acquire credentials for cache %s: %s",
ccache->name, krb5_get_err_text(context, ret));
if (in_tkt_service != NULL)
free(in_tkt_service);
goto out;
}
if (in_tkt_service != NULL)
free(in_tkt_service);
/* Swap them in */
kcm_ccache_remove_creds_internal(context, ccache);
ret = kcm_ccache_store_cred_internal(context, ccache, &cred, 0, credp);
if (ret) {
kcm_log(0, "Failed to store credentials for cache %s: %s",
ccache->name, krb5_get_err_text(context, ret));
krb5_free_cred_contents(context, &cred);
goto out;
}
out:
HEIMDAL_MUTEX_unlock(&ccache->mutex);
return ret;
}
krb5_error_code
kcm_ccache_refresh(krb5_context context,
kcm_ccache ccache,
krb5_creds **credp)
{
krb5_error_code ret;
krb5_creds in, *out;
krb5_kdc_flags flags;
krb5_const_realm realm;
krb5_ccache_data ccdata;
const char *estr;
memset(&in, 0, sizeof(in));
KCM_ASSERT_VALID(ccache);
if (ccache->client == NULL) {
/* no primary principal */
kcm_log(0, "Refresh credentials requested but no client principal");
return KRB5_CC_NOTFOUND;
}
HEIMDAL_MUTEX_lock(&ccache->mutex);
/* Fake up an internal ccache */
kcm_internal_ccache(context, ccache, &ccdata);
/* Find principal */
in.client = ccache->client;
if (ccache->server != NULL) {
ret = krb5_copy_principal(context, ccache->server, &in.server);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to copy service principal: %s",
estr);
krb5_free_error_message(context, estr);
goto out;
}
} else {
realm = krb5_principal_get_realm(context, in.client);
ret = krb5_make_principal(context, &in.server, realm,
KRB5_TGS_NAME, realm, NULL);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to make TGS principal for realm %s: %s",
realm, estr);
krb5_free_error_message(context, estr);
goto out;
}
}
if (ccache->tkt_life)
in.times.endtime = time(NULL) + ccache->tkt_life;
if (ccache->renew_life)
in.times.renew_till = time(NULL) + ccache->renew_life;
flags.i = 0;
flags.b.renewable = TRUE;
flags.b.renew = TRUE;
ret = krb5_get_kdc_cred(context,
&ccdata,
flags,
NULL,
NULL,
&in,
&out);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to renew credentials for cache %s: %s",
ccache->name, estr);
krb5_free_error_message(context, estr);
goto out;
}
/* Swap them in */
kcm_ccache_remove_creds_internal(context, ccache);
ret = kcm_ccache_store_cred_internal(context, ccache, out, 0, credp);
if (ret) {
estr = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to store credentials for cache %s: %s",
ccache->name, estr);
krb5_free_error_message(context, estr);
krb5_free_creds(context, out);
goto out;
}
free(out); /* but not contents */
out:
HEIMDAL_MUTEX_unlock(&ccache->mutex);
return ret;
}
