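/*
 * CCAPI cc_ccache_get_principal: return the v5 client principal of the
 * cache as a freshly allocated cc_string (caller releases it).
 *
 * Returns ccErrBadParam for a NULL output pointer or NULL cache handle,
 * ccErrBadCredentialsVersion when anything but cc_credentials_v5 is
 * requested, ccErrInvalidCCache when the handle carries no Heimdal cache,
 * ccErrNoMem when the result string cannot be allocated, and otherwise the
 * Heimdal error from the cache or name lookup. *out_principal is NULL on
 * every error path.
 */
static cc_int32
ccache_get_principal(cc_ccache_t in_ccache,
                     cc_uint32 in_credentials_version,
                     cc_string_t *out_principal)
{
    struct cc_ccache *c = (struct cc_ccache *)in_ccache;
    krb5_principal princ = NULL;
    krb5_error_code ret;
    char *name = NULL;

    LOG_ENTRY();

    /* a NULL handle used to be dereferenced below (c->id) */
    if (out_principal == NULL || c == NULL)
        return ccErrBadParam;
    *out_principal = NULL;

    if (in_credentials_version != cc_credentials_v5)
        return LOG_FAILURE(ccErrBadCredentialsVersion, "wrong version");
    if (c->id == NULL)
        return ccErrInvalidCCache;

    ret = heim_krb5_cc_get_principal(milcontext, c->id, &princ);
    if (ret)
        return LOG_FAILURE(ret, "get principal");

    ret = heim_krb5_unparse_name(milcontext, princ, &name);
    heim_krb5_free_principal(milcontext, princ);
    if (ret)
        return LOG_FAILURE(ret, "unparse name");

    /*
     * create_string must copy name, since name is freed right after.
     * A NULL result used to be reported as ccNoError with a NULL string.
     */
    *out_principal = create_string(name);
    free(name);
    if (*out_principal == NULL)
        return LOG_FAILURE(ccErrNoMem, "create string");

    return ccNoError;
}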
/*
 * MIT-ABI krb5_unparse_name shim: unwrap the combined principal and hand
 * its Heimdal half to heim_krb5_unparse_name. The caller owns *str.
 *
 * Note: principal is dereferenced without a NULL check, exactly as the
 * MIT API it mirrors.
 */
mit_krb5_error_code KRB5_CALLCONV
krb5_unparse_name(mit_krb5_context context,
                  mit_krb5_const_principal principal,
                  char **str)
{
    struct comb_principal *comb = (struct comb_principal *)principal;
    krb5_context hctx = (krb5_context)context;

    LOG_ENTRY();

    return heim_krb5_unparse_name(hctx, comb->heim, str);
}
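/*
 * KLGetStringFromPrincipal: render inPrincipal as a string through the
 * Heimdal unparser. The caller owns *outFullPrincipal.
 *
 * Returns klParameterErr for a NULL principal or NULL output pointer,
 * klInvalidVersionErr when CHECK_VERSION rejects inKerberosVersion, and
 * otherwise whatever heim_krb5_unparse_name returns.
 */
KLStatus
KLGetStringFromPrincipal(KLPrincipal inPrincipal,
                         KLKerberosVersion inKerberosVersion,
                         char **outFullPrincipal)
{
    LOG_ENTRY();

    /* a NULL output pointer would otherwise be handed straight to the unparser */
    if (inPrincipal == NULL || outFullPrincipal == NULL)
        return klParameterErr;
    if (CHECK_VERSION(inKerberosVersion))
        return LOG_FAILURE(klInvalidVersionErr, "wrong version");

    return heim_krb5_unparse_name(milcontext, inPrincipal, outFullPrincipal);
}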
/*
 * Build a CCAPI v5 credential view (cred) from a Heimdal krb5_creds.
 *
 * Ownership is mixed and the caller must respect it:
 *  - client and server are freshly unparsed strings (heap, owned by cred);
 *  - addresses is a NULL-terminated array of heap cc_data copies;
 *  - keyblock, ticket and second_ticket only BORROW incred's buffers
 *    (the pointers are assigned, not copied), so cred must not outlive
 *    incred and must never free those three.
 *
 * NOTE(review): free_ccred is not visible here -- confirm it releases only
 * client/server/addresses and never the borrowed keyblock/ticket buffers,
 * otherwise the fail path frees the caller's session key.
 *
 * Returns 0, ENOMEM, or the unparse error; on failure cred is torn down
 * via free_ccred and the context's error message is cleared.
 */
static krb5_error_code
make_ccred_from_cred(krb5_context context, const krb5_creds *incred, cc_credentials_v5_t *cred)
{
    krb5_error_code ret;
    int i;

    memset(cred, 0, sizeof(*cred));

    ret = heim_krb5_unparse_name(context, incred->client, &cred->client);
    if (ret)
        goto fail;
    ret = heim_krb5_unparse_name(context, incred->server, &cred->server);
    if (ret)
        goto fail;

    /* session key: pointer alias into incred, not a copy */
    cred->keyblock.type = incred->session.keytype;
    cred->keyblock.length = incred->session.keyvalue.length;
    cred->keyblock.data = incred->session.keyvalue.data;

    cred->authtime = incred->times.authtime;
    cred->starttime = incred->times.starttime;
    cred->endtime = incred->times.endtime;
    cred->renew_till = incred->times.renew_till;

    /* tickets: pointer aliases into incred, not copies */
    cred->ticket.length = incred->ticket.length;
    cred->ticket.data = incred->ticket.data;
    cred->second_ticket.length = incred->second_ticket.length;
    cred->second_ticket.data = incred->second_ticket.data;

    /* XXX this one should also be filled in */
    cred->authdata = NULL;

    /*
     * calloc zero-fills, so the array is already NULL-terminated even when
     * the loop below bails out part way; free_ccred can walk it safely.
     */
    cred->addresses = calloc(incred->addresses.len + 1, sizeof(cred->addresses[0]));
    if (cred->addresses == NULL) {
        ret = ENOMEM;
        goto fail;
    }
    for (i = 0; i < incred->addresses.len; i++) {
        cc_data *addr;
        addr = malloc(sizeof(*addr));
        if (addr == NULL) {
            ret = ENOMEM;
            goto fail;
        }
        addr->type = incred->addresses.val[i].addr_type;
        addr->length = incred->addresses.val[i].address.length;
        addr->data = malloc(addr->length);
        if (addr->data == NULL) {
            /* addr is not yet linked into cred->addresses, free it here */
            free(addr);
            ret = ENOMEM;
            goto fail;
        }
        memcpy(addr->data, incred->addresses.val[i].address.data, addr->length);
        cred->addresses[i] = addr;
    }
    cred->addresses[i] = NULL;

    /* translate the Heimdal flag bitfield into CCAPI ticket flag bits */
    cred->ticket_flags = 0;
    if (incred->flags.b.forwardable)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDABLE;
    if (incred->flags.b.forwarded)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_FORWARDED;
    if (incred->flags.b.proxiable)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXIABLE;
    if (incred->flags.b.proxy)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PROXY;
    if (incred->flags.b.may_postdate)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_MAY_POSTDATE;
    if (incred->flags.b.postdated)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_POSTDATED;
    if (incred->flags.b.invalid)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INVALID;
    if (incred->flags.b.renewable)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_RENEWABLE;
    if (incred->flags.b.initial)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_INITIAL;
    if (incred->flags.b.pre_authent)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_PRE_AUTH;
    if (incred->flags.b.hw_authent)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_HW_AUTH;
    if (incred->flags.b.transited_policy_checked)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED;
    if (incred->flags.b.ok_as_delegate)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE;
    if (incred->flags.b.anonymous)
        cred->ticket_flags |= KRB5_CCAPI_TKT_FLG_ANONYMOUS;

    return 0;

fail:
    free_ccred(cred);
    mit_krb5_clear_error_message((mit_krb5_context)context);
    return ret;
}
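/*
 * Run the CoreAuth Kerberos panel to acquire a ticket, for inPrincipal when
 * given or for whichever principal the user picks.
 *
 * On success returns 0; when outPrincipal is non-NULL it receives the
 * principal the panel reported back ("out-principal"), and when
 * outCredCacheName is non-NULL it receives the reported cache name
 * ("out-cache-name"). Both outputs are NULL on entry and on every failure
 * path, so the caller never sees a half-filled result. Only
 * inLoginOptions->opt->renew_life is forwarded, as the "renewTime" key of a
 * binary plist handed to the panel.
 *
 * Fixes relative to the previous version: a failed dictionary, string or
 * plist allocation now reports ENOMEM instead of returning 0 with no
 * ticket; asprintf and parse failures are checked; the "out-principal"
 * scratch string is freed; repeated items no longer leak the earlier
 * result; outCredCacheName is only written when the caller asked for it.
 */
static OSStatus
acquireticket_ui(KLPrincipal inPrincipal, KLLoginOptions inLoginOptions,
                 KLPrincipal *outPrincipal, char **outCredCacheName)
{
    AuthorizationRef auth = NULL;
    OSStatus ret;
    char *princ = NULL;
    CFDataRef d = NULL;

    LOG_ENTRY();

    if (outPrincipal)
        *outPrincipal = NULL;
    if (outCredCacheName)
        *outCredCacheName = NULL;

    if (inPrincipal) {
        ret = heim_krb5_unparse_name(milcontext, inPrincipal, &princ);
        if (ret)
            return ret;
    }

    ret = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &auth);
    if (ret) {
        free(princ);
        return ret;
    }

    AuthorizationItem rightItems[1] = { { kCoreAuthPanelKerberosRight, 0, NULL, 0 } };
    /* element count is sizeof(array)/sizeof(element); the old expression was
     * inverted and only came out right because the array has one element */
    AuthorizationRights rights = { sizeof(rightItems) / sizeof(rightItems[0]), rightItems };
    AuthorizationItem envItems[3];
    AuthorizationEnvironment env = { 0, envItems };
    AuthorizationFlags authFlags =
        kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights;

    if (princ) {
        envItems[env.count].name = kCoreAuthPanelKerberosPrincipal;
        envItems[env.count].valueLength = strlen(princ);
        envItems[env.count].value = princ;
        envItems[env.count].flags = 0;
        env.count++;
    }

    if (inLoginOptions && inLoginOptions->opt) {
        CFMutableDictionaryRef dict;

        dict = CFDictionaryCreateMutable(NULL, 1,
                                         &kCFTypeDictionaryKeyCallBacks,
                                         &kCFTypeDictionaryValueCallBacks);
        if (dict == NULL) {
            /* previously fell through with ret == 0, i.e. reported success */
            ret = ENOMEM;
            goto out;
        }
        if (inLoginOptions->opt->renew_life) {
            CFStringRef t;

            t = CFStringCreateWithFormat(NULL, 0, CFSTR("%ld"),
                                         (long)inLoginOptions->opt->renew_life);
            if (t == NULL) {
                CFRelease(dict);
                ret = ENOMEM;
                goto out;
            }
            CFDictionarySetValue(dict, CFSTR("renewTime"), t);
            CFRelease(t);
        }
        d = CFPropertyListCreateData(NULL, dict, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
        CFRelease(dict);
        if (d == NULL) {
            /* CFDataGetLength(NULL) would otherwise crash below */
            ret = ENOMEM;
            goto out;
        }
        envItems[env.count].name = kCoreAuthPanelKerberosOptions;
        envItems[env.count].valueLength = CFDataGetLength(d);
        envItems[env.count].value = (void *)CFDataGetBytePtr(d);
        envItems[env.count].flags = 0;
        env.count++;
    }

    ret = AuthorizationCopyRights(auth, &rights, &env, authFlags, NULL);
    if (ret == 0 && outPrincipal) {
        AuthorizationItemSet *info;
        UInt32 i;

        ret = AuthorizationCopyInfo(auth, NULL, &info);
        if (ret)
            goto out;

        for (i = 0; i < info->count; i++) {
            const AuthorizationItem *item = &info->items[i];

            if (strcmp(item->name, "out-principal") == 0) {
                char *str = NULL;

                /* item values are not NUL-terminated; bound by valueLength */
                if (asprintf(&str, "%.*s", (int)item->valueLength,
                             (const char *)item->value) < 0) {
                    ret = ENOMEM;
                    break;
                }
                /* a repeated item replaces the earlier result instead of leaking it */
                if (*outPrincipal) {
                    heim_krb5_free_principal(milcontext, *outPrincipal);
                    *outPrincipal = NULL;
                }
                ret = heim_krb5_parse_name(milcontext, str, outPrincipal);
                free(str);
                if (ret)
                    break;
            } else if (outCredCacheName && strcmp(item->name, "out-cache-name") == 0) {
                free(*outCredCacheName);
                *outCredCacheName = NULL;
                if (asprintf(outCredCacheName, "%.*s", (int)item->valueLength,
                             (const char *)item->value) < 0) {
                    *outCredCacheName = NULL;
                    ret = ENOMEM;
                    break;
                }
            }
        }
        AuthorizationFreeItemSet(info);

        if (ret == 0 && *outPrincipal == NULL)
            ret = EINVAL;

        if (ret) {
            /* never hand back partial results on failure */
            if (*outPrincipal) {
                heim_krb5_free_principal(milcontext, *outPrincipal);
                *outPrincipal = NULL;
            }
            if (outCredCacheName) {
                free(*outCredCacheName);
                *outCredCacheName = NULL;
            }
        }
    }

out:
    if (d)
        CFRelease(d);
    AuthorizationFree(auth, kAuthorizationFlagDestroyRights);
    free(princ);
    return ret;
}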