/*
* Serialize krb5_keytab.
*/
static krb5_error_code
ser_keytab_test(krb5_context kcontext, int verbose)
{
krb5_error_code kret;
char ccname[128];
krb5_keytab keytab;
snprintf(ccname, sizeof(ccname), "temp_kt_%d", (int) getpid());
if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
!(kret = ser_data(verbose, "> Resolved default keytab",
(krb5_pointer) keytab, KV5M_KEYTAB)) &&
!(kret = krb5_kt_close(kcontext, keytab))) {
sprintf(ccname, "FILE:temp_kt_%d", (int) getpid());
if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
!(kret = ser_data(verbose, "> Resolved FILE keytab",
(krb5_pointer) keytab, KV5M_KEYTAB)) &&
!(kret = krb5_kt_close(kcontext, keytab))) {
snprintf(ccname, sizeof(ccname),
"WRFILE:temp_kt_%d", (int) getpid());
if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
!(kret = ser_data(verbose, "> Resolved WRFILE keytab",
(krb5_pointer) keytab, KV5M_KEYTAB)) &&
!(kret = krb5_kt_close(kcontext, keytab))) {
if (verbose)
printf("* keytab test succeeded\n");
}
}
}
if (kret)
printf("* krb5_keytab test failed\n");
return(kret);
}
int
kerberos5_init(Authenticator *ap, int server)
{
krb5_error_code ret;
ret = krb5_init_context(&context);
if (ret)
return 0;
if (server) {
krb5_keytab kt;
krb5_kt_cursor cursor;
ret = krb5_kt_default(context, &kt);
if (ret)
return 0;
ret = krb5_kt_start_seq_get (context, kt, &cursor);
if (ret) {
krb5_kt_close (context, kt);
return 0;
}
krb5_kt_end_seq_get (context, kt, &cursor);
krb5_kt_close (context, kt);
str_data[3] = TELQUAL_REPLY;
} else
str_data[3] = TELQUAL_IS;
return(1);
}
/*
* Given two files containing keytab data, second keytab, merge the keys into
* the new file. Currently, this doesn't do any cleanup of old kvnos and
* doesn't handle duplicate kvnos correctly. Dies on any error.
*/
static void
merge_keytab(krb5_context ctx, const char *newfile, const char *file)
{
char *oldfile;
krb5_keytab old = NULL, temp = NULL;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
krb5_error_code status;
memset(&entry, 0, sizeof(entry));
xasprintf(&oldfile, "WRFILE:%s", file);
status = krb5_kt_resolve(ctx, oldfile, &old);
if (status != 0)
die_krb5(ctx, status, "cannot open keytab %s", file);
free(oldfile);
status = krb5_kt_resolve(ctx, newfile, &temp);
if (status != 0)
die_krb5(ctx, status, "cannot open temporary keytab %s", newfile);
status = krb5_kt_start_seq_get(ctx, temp, &cursor);
if (status != 0)
die_krb5(ctx, status, "cannot read temporary keytab %s", newfile);
while ((status = krb5_kt_next_entry(ctx, temp, &entry, &cursor)) == 0) {
status = krb5_kt_add_entry(ctx, old, &entry);
if (status != 0)
die_krb5(ctx, status, "cannot write to keytab %s", file);
krb5_kt_free_entry(ctx, &entry);
}
if (status != KRB5_KT_END)
die_krb5(ctx, status, "error reading temporary keytab %s", newfile);
krb5_kt_end_seq_get(ctx, temp, &cursor);
if (old != NULL)
krb5_kt_close(ctx, old);
if (temp != NULL)
krb5_kt_close(ctx, temp);
}
static void
finish_realm(kdc_realm_t *rdp)
{
if (rdp->realm_dbname)
free(rdp->realm_dbname);
if (rdp->realm_mpname)
free(rdp->realm_mpname);
if (rdp->realm_stash)
free(rdp->realm_stash);
if (rdp->realm_ports)
free(rdp->realm_ports);
if (rdp->realm_tcp_ports)
free(rdp->realm_tcp_ports);
if (rdp->realm_keytab)
krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
if (rdp->realm_context) {
if (rdp->realm_mprinc)
krb5_free_principal(rdp->realm_context, rdp->realm_mprinc);
if (rdp->realm_mkey.length && rdp->realm_mkey.contents) {
memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length);
free(rdp->realm_mkey.contents);
}
krb5_db_fini(rdp->realm_context);
if (rdp->realm_tgsprinc)
krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc);
krb5_free_context(rdp->realm_context);
}
memset((char *) rdp, 0, sizeof(*rdp));
free(rdp);
}
static int
pg_krb5_init(void)
{
krb5_error_code retval;
char *khostname;
if (pg_krb5_initialised)
return STATUS_OK;
retval = krb5_init_context(&pg_krb5_context);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos initialization returned error %d",
retval)));
com_err("postgres", retval, "while initializing krb5");
return STATUS_ERROR;
}
retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos keytab resolving returned error %d",
retval)));
com_err("postgres", retval, "while resolving keytab file \"%s\"",
pg_krb_server_keyfile);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
/*
* If no hostname was specified, pg_krb_server_hostname is already NULL.
* If it's set to blank, force it to NULL.
*/
khostname = pg_krb_server_hostname;
if (khostname && khostname[0] == '\0')
khostname = NULL;
retval = krb5_sname_to_principal(pg_krb5_context,
khostname,
pg_krb_srvnam,
KRB5_NT_SRV_HST,
&pg_krb5_server);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d",
khostname ? khostname : "server hostname", pg_krb_srvnam, retval)));
com_err("postgres", retval,
"while getting server principal for server \"%s\" for service \"%s\"",
khostname ? khostname : "server hostname", pg_krb_srvnam);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
pg_krb5_initialised = 1;
return STATUS_OK;
}
krb5_error_code
_adcli_krb5_keytab_discover_salt (krb5_context k5,
krb5_principal principal,
krb5_kvno kvno,
krb5_data *password,
krb5_enctype *enctypes,
krb5_data *salts,
int *discovered)
{
krb5_keytab scratch;
krb5_error_code code;
int i;
/* TODO: This should be a unique name */
code = krb5_kt_resolve (k5, "MEMORY:adcli-discover-salt", &scratch);
return_val_if_fail (code == 0, code);
for (i = 0; salts[i].data != NULL; i++) {
code = _adcli_krb5_keytab_test_salt (k5, scratch, principal, kvno,
password, enctypes, &salts[i]);
if (code == 0) {
*discovered = i;
break;
} else if (code != KRB5_PREAUTH_FAILED && code != KRB5KDC_ERR_PREAUTH_FAILED) {
break;
}
}
krb5_kt_close (k5, scratch);
return code;
}
KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
krb5_keytab_key_proc (krb5_context context,
krb5_enctype enctype,
krb5_salt salt,
krb5_const_pointer keyseed,
krb5_keyblock **key)
{
krb5_keytab_key_proc_args *args = rk_UNCONST(keyseed);
krb5_keytab keytab = args->keytab;
krb5_principal principal = args->principal;
krb5_error_code ret;
krb5_keytab real_keytab;
krb5_keytab_entry entry;
if(keytab == NULL)
krb5_kt_default(context, &real_keytab);
else
real_keytab = keytab;
ret = krb5_kt_get_entry (context, real_keytab, principal,
0, enctype, &entry);
if (keytab == NULL)
krb5_kt_close (context, real_keytab);
if (ret)
return ret;
ret = krb5_copy_keyblock (context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
return ret;
}
int
term_module() {
if (principal)
ch_free(principal);
if (kt_name)
ch_free(kt_name);
if (kid) {
struct re_s *task;
task=ldap_pvt_runqueue_find( &slapd_rq, kinit_qtask, (void*)kid);
if (task) {
if ( ldap_pvt_runqueue_isrunning(&slapd_rq, task) ) {
ldap_pvt_runqueue_stoptask(&slapd_rq, task);
}
ldap_pvt_runqueue_remove(&slapd_rq, task);
}
if ( kid->ctx ) {
if ( kid->princ )
krb5_free_principal(kid->ctx, kid->princ);
if ( kid->ccache )
krb5_cc_close(kid->ctx, kid->ccache);
if ( kid->keytab )
krb5_kt_close(kid->ctx, kid->keytab);
if ( kid->opts )
krb5_get_init_creds_opt_free(kid->ctx, kid->opts);
krb5_free_context(kid->ctx);
}
ch_free(kid);
}
return 0;
}
OM_uint32 gss_release_cred
(OM_uint32 * minor_status,
gss_cred_id_t * cred_handle
)
{
*minor_status = 0;
if (*cred_handle == GSS_C_NO_CREDENTIAL) {
return GSS_S_COMPLETE;
}
GSSAPI_KRB5_INIT ();
HEIMDAL_MUTEX_lock(&(*cred_handle)->cred_id_mutex);
if ((*cred_handle)->principal != NULL)
krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
if ((*cred_handle)->keytab != NULL)
krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
if ((*cred_handle)->ccache != NULL) {
const krb5_cc_ops *ops;
ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache);
if (ops == &krb5_mcc_ops)
krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache);
else
krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
}
gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
HEIMDAL_MUTEX_unlock(&(*cred_handle)->cred_id_mutex);
HEIMDAL_MUTEX_destroy(&(*cred_handle)->cred_id_mutex);
memset(*cred_handle, 0, sizeof(**cred_handle));
free(*cred_handle);
*cred_handle = GSS_C_NO_CREDENTIAL;
return GSS_S_COMPLETE;
}
/*
* Find the principal of the first entry of a keytab and return it. The
* caller is responsible for freeing the result with krb5_free_principal.
* Exit on error.
*/
krb5_principal
kerberos_keytab_principal(krb5_context ctx, const char *path)
{
krb5_keytab keytab;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
krb5_principal princ;
krb5_error_code status;
status = krb5_kt_resolve(ctx, path, &keytab);
if (status != 0)
bail_krb5(ctx, status, "error opening %s", path);
status = krb5_kt_start_seq_get(ctx, keytab, &cursor);
if (status != 0)
bail_krb5(ctx, status, "error reading %s", path);
status = krb5_kt_next_entry(ctx, keytab, &entry, &cursor);
if (status == 0) {
status = krb5_copy_principal(ctx, entry.principal, &princ);
if (status != 0)
bail_krb5(ctx, status, "error copying principal from %s", path);
krb5_kt_free_entry(ctx, &entry);
}
if (status != 0)
bail("no principal found in keytab file %s", path);
krb5_kt_end_seq_get(ctx, keytab, &cursor);
krb5_kt_close(ctx, keytab);
return princ;
}
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
const gss_name_t desired_name,
OM_uint32 time_req,
gss_cred_usage_t cred_usage,
gsskrb5_cred handle
)
{
krb5_error_code kret;
kret = get_keytab(context, handle, 0);
if (kret) {
if (handle->keytab != NULL) {
krb5_kt_close(context, handle->keytab);
handle->keytab = NULL;
}
*minor_status = kret;
return GSS_S_FAILURE;
}
handle->endtime = INT_MAX;
return GSS_S_COMPLETE;
}
static void
finish_realm(kdc_realm_t *rdp)
{
if (rdp->realm_name)
free(rdp->realm_name);
if (rdp->realm_mpname)
free(rdp->realm_mpname);
if (rdp->realm_stash)
free(rdp->realm_stash);
if (rdp->realm_listen)
free(rdp->realm_listen);
if (rdp->realm_tcp_listen)
free(rdp->realm_tcp_listen);
if (rdp->realm_keytab)
krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
if (rdp->realm_hostbased)
free(rdp->realm_hostbased);
if (rdp->realm_no_referral)
free(rdp->realm_no_referral);
if (rdp->realm_context) {
if (rdp->realm_mprinc)
krb5_free_principal(rdp->realm_context, rdp->realm_mprinc);
if (rdp->realm_mkey.length && rdp->realm_mkey.contents) {
/* XXX shouldn't memset be zap for safety? */
memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length);
free(rdp->realm_mkey.contents);
}
krb5_db_fini(rdp->realm_context);
if (rdp->realm_tgsprinc)
krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc);
krb5_free_context(rdp->realm_context);
}
memset(rdp, 0, sizeof(*rdp));
free(rdp);
}
int
ext_keytab(struct ext_keytab_options *opt, int argc, char **argv)
{
krb5_error_code ret;
int i;
struct ext_keytab_data data;
if (opt->keytab_string == NULL)
ret = krb5_kt_default(context, &data.keytab);
else
ret = krb5_kt_resolve(context, opt->keytab_string, &data.keytab);
if(ret){
krb5_warn(context, ret, "krb5_kt_resolve");
return 1;
}
for(i = 0; i < argc; i++) {
ret = foreach_principal(argv[i], do_ext_keytab, "ext", &data);
if (ret)
break;
}
krb5_kt_close(context, data.keytab);
return ret != 0;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_kt_read_service_key(krb5_context context,
krb5_pointer keyprocarg,
krb5_principal principal,
krb5_kvno vno,
krb5_enctype enctype,
krb5_keyblock **key)
{
krb5_keytab keytab;
krb5_keytab_entry entry;
krb5_error_code ret;
if (keyprocarg)
ret = krb5_kt_resolve (context, keyprocarg, &keytab);
else
ret = krb5_kt_default (context, &keytab);
if (ret)
return ret;
ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
krb5_kt_close (context, keytab);
if (ret)
return ret;
ret = krb5_copy_keyblock (context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
return ret;
}
mit_krb5_error_code KRB5_CALLCONV
krb5_kt_read_service_key(mit_krb5_context context,
mit_krb5_pointer keyprocarg,
mit_krb5_principal principal,
mit_krb5_kvno vno,
mit_krb5_enctype enctype,
mit_krb5_keyblock **key)
{
mit_krb5_keytab keytab;
mit_krb5_keytab_entry entry;
mit_krb5_error_code ret;
LOG_ENTRY();
if (keyprocarg)
ret = krb5_kt_resolve (context, keyprocarg, &keytab);
else
ret = krb5_kt_default (context, &keytab);
if (ret)
return ret;
ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
krb5_kt_close (context, keytab);
if (ret)
return ret;
ret = krb5_copy_keyblock (context, &entry.key, key);
krb5_kt_free_entry(context, &entry);
return ret;
}
/*
* Given a context, a keytab file, and a realm, return a list of all
* principals in that file.
*/
static struct principal_name *
keytab_principals(krb5_context ctx, const char *file, char *realm)
{
char *princname = NULL, *princrealm = NULL;
bool found;
krb5_keytab keytab = NULL;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
krb5_error_code status;
struct principal_name *names = NULL, *current = NULL, *last = NULL;
memset(&entry, 0, sizeof(entry));
status = krb5_kt_resolve(ctx, file, &keytab);
if (status != 0)
die_krb5(ctx, status, "cannot open keytab %s", file);
status = krb5_kt_start_seq_get(ctx, keytab, &cursor);
if (status != 0)
die_krb5(ctx, status, "cannot read keytab %s", file);
while ((status = krb5_kt_next_entry(ctx, keytab, &entry, &cursor)) == 0) {
status = krb5_unparse_name(ctx, entry.principal, &princname);
if (status != 0)
die_krb5(ctx, status, "cannot unparse name for a principal");
/* Separate into principal and realm. */
princrealm = strchr(princname, '@');
if (princrealm != NULL) {
*princrealm = '\0';
princrealm++;
}
if (princrealm == NULL || strcmp(princrealm, realm) != 0)
continue;
/* Check to see if the principal has already been listed. */
found = false;
for (current = names; current != NULL; current = current->next) {
if (strcmp(current->princ, princname) == 0) {
found = true;
break;
}
last = current;
}
if (found == false) {
current = xmalloc(sizeof(struct principal_name));
current->princ = xstrdup(princname);
current->next = NULL;
if (last == NULL)
names = current;
else
last->next = current;
}
krb5_kt_free_entry(ctx, &entry);
free(princname);
}
if (status != KRB5_KT_END)
die_krb5(ctx, status, "error reading keytab %s", file);
krb5_kt_end_seq_get(ctx, keytab, &cursor);
krb5_kt_close(ctx, keytab);
return names;
}
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
krb5_address *const *addrs, krb5_enctype *ktypes,
krb5_preauthtype *pre_auth_types,
krb5_keytab arg_keytab, krb5_ccache ccache,
krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
{
krb5_error_code retval;
krb5_gic_opt_ext *opte;
char * server = NULL;
krb5_keytab keytab;
krb5_principal client_princ, server_princ;
int use_master = 0;
retval = krb5int_populate_gic_opt(context, &opte,
options, addrs, ktypes,
pre_auth_types, creds);
if (retval)
return retval;
if (arg_keytab == NULL) {
retval = krb5_kt_default(context, &keytab);
if (retval)
return retval;
}
else keytab = arg_keytab;
retval = krb5_unparse_name( context, creds->server, &server);
if (retval)
goto cleanup;
server_princ = creds->server;
client_princ = creds->client;
retval = krb5_get_init_creds (context,
creds, creds->client,
krb5_prompter_posix, NULL,
0, server, opte,
krb5_get_as_key_keytab, (void *)keytab,
&use_master, ret_as_reply);
krb5_free_unparsed_name( context, server);
krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
if (retval) {
goto cleanup;
}
if (creds->server)
krb5_free_principal( context, creds->server);
if (creds->client)
krb5_free_principal( context, creds->client);
creds->client = client_princ;
creds->server = server_princ;
/* store it in the ccache! */
if (ccache)
if ((retval = krb5_cc_store_cred(context, ccache, creds)))
goto cleanup;
cleanup: if (arg_keytab == NULL)
krb5_kt_close(context, keytab);
return retval;
}
krb5_error_code kt_copy (krb5_context context, const char *from, const char *to)
{
krb5_error_code ret;
krb5_keytab src_keytab, dst_keytab;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
ret = krb5_kt_resolve (context, from, &src_keytab);
if (ret) {
krb5_set_error_message (context, ret, "resolving src keytab `%s'", from);
return ret;
}
ret = krb5_kt_resolve (context, to, &dst_keytab);
if (ret) {
krb5_kt_close (context, src_keytab);
krb5_set_error_message (context, ret, "resolving dst keytab `%s'", to);
return ret;
}
ret = krb5_kt_start_seq_get (context, src_keytab, &cursor);
if (ret) {
krb5_set_error_message (context, ret, "krb5_kt_start_seq_get %s", from);
goto out;
}
while((ret = krb5_kt_next_entry(context, src_keytab,
&entry, &cursor)) == 0) {
ret = copy_one_entry(context, src_keytab, dst_keytab, entry);
if (ret) {
break;
}
}
krb5_kt_end_seq_get (context, src_keytab, &cursor);
out:
krb5_kt_close (context, src_keytab);
krb5_kt_close (context, dst_keytab);
if (ret == KRB5_KT_END) {
return 0;
} else if (ret == 0) {
return EINVAL;
}
return ret;
}
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
gsskrb5_cred handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
)
{
OM_uint32 ret;
krb5_error_code kret;
ret = GSS_S_FAILURE;
kret = get_keytab(context, &handle->keytab);
if (kret)
goto end;
/* check that the requested principal exists in the keytab */
if (handle->principal) {
krb5_keytab_entry entry;
kret = krb5_kt_get_entry(context, handle->keytab,
handle->principal, 0, 0, &entry);
if (kret)
goto end;
krb5_kt_free_entry(context, &entry);
ret = GSS_S_COMPLETE;
} else {
/*
* Check if there is at least one entry in the keytab before
* declaring it as an useful keytab.
*/
krb5_keytab_entry tmp;
krb5_kt_cursor c;
kret = krb5_kt_start_seq_get (context, handle->keytab, &c);
if (kret)
goto end;
if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) {
krb5_kt_free_entry(context, &tmp);
ret = GSS_S_COMPLETE; /* ok found one entry */
}
krb5_kt_end_seq_get (context, handle->keytab, &c);
}
end:
if (ret != GSS_S_COMPLETE) {
if (handle->keytab != NULL)
krb5_kt_close(context, handle->keytab);
if (kret != 0) {
*minor_status = kret;
}
}
return (ret);
}
static void
get_creds(krb5_context context, const char *keytab_str,
krb5_ccache *cache, const char *serverhost)
{
krb5_keytab keytab;
krb5_principal client;
krb5_error_code ret;
krb5_get_init_creds_opt *init_opts;
krb5_creds creds;
char *server;
char keytab_buf[256];
int aret;
if (keytab_str == NULL) {
ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
if (ret)
krb5_err (context, 1, ret, "krb5_kt_default_name");
keytab_str = keytab_buf;
}
ret = krb5_kt_resolve(context, keytab_str, &keytab);
if(ret)
krb5_err(context, 1, ret, "%s", keytab_str);
ret = krb5_sname_to_principal (context, slave_str, IPROP_NAME,
KRB5_NT_SRV_HST, &client);
if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal");
ret = krb5_get_init_creds_opt_alloc(context, &init_opts);
if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
aret = asprintf (&server, "%s/%s", IPROP_NAME, serverhost);
if (aret == -1 || server == NULL)
krb5_errx (context, 1, "malloc: no memory");
ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
0, server, init_opts);
free (server);
krb5_get_init_creds_opt_free(context, init_opts);
if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
ret = krb5_kt_close(context, keytab);
if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, cache);
if(ret) krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, *cache, client);
if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_store_cred(context, *cache, &creds);
if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
krb5_free_cred_contents(context, &creds);
krb5_free_principal(context, client);
}
int
kssl_keytab_is_available(KSSL_CTX *kssl_ctx)
{
krb5_context krb5context = NULL;
krb5_keytab krb5keytab = NULL;
krb5_keytab_entry entry;
krb5_principal princ = NULL;
krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
int rc = 0;
if ((krb5rc = krb5_init_context(&krb5context)))
return (0);
/* kssl_ctx->keytab_file == NULL ==> use Kerberos default
*/
if (kssl_ctx->keytab_file) {
krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
&krb5keytab);
if (krb5rc)
goto exit;
} else {
krb5rc = krb5_kt_default(krb5context, &krb5keytab);
if (krb5rc)
goto exit;
}
/* the host key we are looking for */
krb5rc = krb5_sname_to_principal(krb5context, NULL,
kssl_ctx->service_name ? kssl_ctx->service_name : KRB5SVC,
KRB5_NT_SRV_HST, &princ);
if (krb5rc)
goto exit;
krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, princ,
0 /* IGNORE_VNO */,
0 /* IGNORE_ENCTYPE */,
&entry);
if (krb5rc == KRB5_KT_NOTFOUND) {
rc = 1;
goto exit;
} else if (krb5rc)
goto exit;
krb5_kt_free_entry(krb5context, &entry);
rc = 1;
exit:
if (krb5keytab)
krb5_kt_close(krb5context, krb5keytab);
if (princ)
krb5_free_principal(krb5context, princ);
if (krb5context)
krb5_free_context(krb5context);
return (rc);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_kt_destroy(krb5_context context,
krb5_keytab id)
{
krb5_error_code ret;
ret = (*id->destroy)(context, id);
krb5_kt_close(context, id);
return ret;
}
int
kt_remove(struct remove_options *opt, int argc, char **argv)
{
krb5_error_code ret = 0;
krb5_keytab_entry entry;
krb5_keytab keytab;
krb5_principal principal = NULL;
krb5_enctype enctype = 0;
if(opt->principal_string) {
ret = krb5_parse_name(context, opt->principal_string, &principal);
if(ret) {
krb5_warn(context, ret, "%s", opt->principal_string);
return 1;
}
}
if(opt->enctype_string) {
ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
if(ret) {
int t;
if(sscanf(opt->enctype_string, "%d", &t) == 1)
enctype = t;
else {
krb5_warn(context, ret, "%s", opt->enctype_string);
if(principal)
krb5_free_principal(context, principal);
return 1;
}
}
}
if (!principal && !enctype && !opt->kvno_integer) {
krb5_warnx(context,
"You must give at least one of "
"principal, enctype or kvno.");
ret = EINVAL;
goto out;
}
if((keytab = ktutil_open_keytab()) == NULL) {
ret = 1;
goto out;
}
entry.principal = principal;
entry.keyblock.keytype = enctype;
entry.vno = opt->kvno_integer;
ret = krb5_kt_remove_entry(context, keytab, &entry);
krb5_kt_close(context, keytab);
if(ret)
krb5_warn(context, ret, "remove");
out:
if(principal)
krb5_free_principal(context, principal);
return ret != 0;
}
/** Frees libkrb5 resources associated with the handle
*
* Must not be called directly.
*
* @param conn to free.
* @return 0 (always indicates success).
*/
static int _mod_conn_free(rlm_krb5_handle_t *conn) {
krb5_free_context(conn->context);
if (conn->keytab) krb5_kt_close(conn->context, conn->keytab);
#ifdef HEIMDAL_KRB5
if (conn->ccache) krb5_cc_destroy(conn->context, conn->ccache);
#endif
return 0;
}
static krb5_error_code
hkt_close(krb5_context context, HDB *db)
{
hdb_keytab k = (hdb_keytab)db->hdb_db;
krb5_error_code ret;
assert(k->keytab);
ret = krb5_kt_close(context, k->keytab);
k->keytab = NULL;
return ret;
}
static void
free_list (krb5_context context, struct any_data *a)
{
struct any_data *next;
for (; a != NULL; a = next) {
next = a->next;
free (a->name);
if(a->kt)
krb5_kt_close(context, a->kt);
free (a);
}
}
static void
get_tickets(krb5_context context)
{
char *server;
krb5_error_code retval;
krb5_keytab keytab = NULL;
krb5_principal server_princ = NULL;
/* Figure out what tickets we'll be using to send. */
retval = sn2princ_realm(context, NULL, KPROP_SERVICE_NAME, realm,
&my_principal);
if (retval) {
com_err(progname, errno, _("while setting client principal name"));
exit(1);
}
/* Construct the principal name for the slave host. */
memset(&creds, 0, sizeof(creds));
retval = sn2princ_realm(context, slave_host, KPROP_SERVICE_NAME, realm,
&server_princ);
if (retval) {
com_err(progname, errno, _("while setting server principal name"));
exit(1);
}
retval = krb5_unparse_name_flags(context, server_princ,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &server);
if (retval) {
com_err(progname, retval, _("while unparsing server name"));
exit(1);
}
if (srvtab != NULL) {
retval = krb5_kt_resolve(context, srvtab, &keytab);
if (retval) {
com_err(progname, retval, _("while resolving keytab"));
exit(1);
}
}
retval = krb5_get_init_creds_keytab(context, &creds, my_principal, keytab,
0, server, NULL);
if (retval) {
com_err(progname, retval, _("while getting initial credentials\n"));
exit(1);
}
if (keytab != NULL)
krb5_kt_close(context, keytab);
krb5_free_unparsed_name(context, server);
krb5_free_principal(context, server_princ);
}
/* Dispatch routine for set/change password */
void
dispatch(void *handle, struct sockaddr *local_saddr,
const krb5_fulladdr *remote_faddr, krb5_data *request, int is_tcp,
verto_ctx *vctx, loop_respond_fn respond, void *arg)
{
krb5_error_code ret;
krb5_keytab kt = NULL;
kadm5_server_handle_t server_handle = (kadm5_server_handle_t)handle;
krb5_fulladdr local_faddr;
krb5_address **local_kaddrs = NULL, local_kaddr_buf;
krb5_data *response = NULL;
if (local_saddr == NULL) {
ret = krb5_os_localaddr(server_handle->context, &local_kaddrs);
if (ret != 0)
goto egress;
local_faddr.address = local_kaddrs[0];
local_faddr.port = 0;
} else {
local_faddr.address = &local_kaddr_buf;
init_addr(&local_faddr, local_saddr);
}
ret = krb5_kt_resolve(server_handle->context, "KDB:", &kt);
if (ret != 0) {
krb5_klog_syslog(LOG_ERR, _("chpw: Couldn't open admin keytab %s"),
krb5_get_error_message(server_handle->context, ret));
goto egress;
}
response = k5alloc(sizeof(krb5_data), &ret);
if (response == NULL)
goto egress;
ret = process_chpw_request(server_handle->context,
handle,
server_handle->params.realm,
kt,
&local_faddr,
remote_faddr,
request,
response);
egress:
if (ret)
krb5_free_data(server_handle->context, response);
krb5_free_addresses(server_handle->context, local_kaddrs);
krb5_kt_close(server_handle->context, kt);
(*respond)(arg, ret, ret == 0 ? response : NULL);
}
krb5_error_code libnet_keytab_init(TALLOC_CTX *mem_ctx,
const char *keytab_name,
struct libnet_keytab_context **ctx)
{
krb5_error_code ret = 0;
krb5_context context = NULL;
krb5_keytab keytab = NULL;
const char *keytab_string = NULL;
struct libnet_keytab_context *r;
r = talloc_zero(mem_ctx, struct libnet_keytab_context);
if (!r) {
return ENOMEM;
}
talloc_set_destructor(r, keytab_close);
initialize_krb5_error_table();
ret = krb5_init_context(&context);
if (ret) {
DEBUG(1,("keytab_init: could not krb5_init_context: %s\n",
error_message(ret)));
return ret;
}
ret = smb_krb5_open_keytab(context, keytab_name, true, &keytab);
if (ret) {
DEBUG(1,("keytab_init: smb_krb5_open_keytab failed (%s)\n",
error_message(ret)));
krb5_free_context(context);
return ret;
}
ret = smb_krb5_keytab_name(mem_ctx, context, keytab, &keytab_string);
if (ret) {
krb5_kt_close(context, keytab);
krb5_free_context(context);
return ret;
}
r->context = context;
r->keytab = keytab;
r->keytab_name = keytab_string;
r->clean_old_entries = false;
*ctx = r;
return 0;
}
static int
pg_krb5_init(void)
{
krb5_error_code retval;
if (pg_krb5_initialised)
return STATUS_OK;
retval = krb5_init_context(&pg_krb5_context);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos initialization returned error %d",
retval)));
com_err("postgres", retval, "while initializing krb5");
return STATUS_ERROR;
}
retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos keytab resolving returned error %d",
retval)));
com_err("postgres", retval, "while resolving keytab file \"%s\"",
pg_krb_server_keyfile);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
KRB5_NT_SRV_HST, &pg_krb5_server);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
PG_KRB_SRVNAM, retval)));
com_err("postgres", retval,
"while getting server principal for service \"%s\"",
PG_KRB_SRVNAM);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
pg_krb5_initialised = 1;
return STATUS_OK;
}
