static void test_mcache(krb5_context context) { krb5_error_code ret; krb5_ccache id, id2; const char *nc, *tc; char *c; krb5_principal p, p2; ret = krb5_parse_name(context, "*****@*****.**", &p); if (ret) krb5_err(context, 1, ret, "krb5_parse_name"); ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id); if (ret) krb5_err(context, 1, ret, "krb5_cc_new_unique"); ret = krb5_cc_initialize(context, id, p); if (ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); nc = krb5_cc_get_name(context, id); if (nc == NULL) krb5_errx(context, 1, "krb5_cc_get_name"); tc = krb5_cc_get_type(context, id); if (tc == NULL) krb5_errx(context, 1, "krb5_cc_get_name"); if (asprintf(&c, "%s:%s", tc, nc) < 0 || c == NULL) errx(1, "malloc"); krb5_cc_close(context, id); ret = krb5_cc_resolve(context, c, &id2); if (ret) krb5_err(context, 1, ret, "krb5_cc_resolve"); ret = krb5_cc_get_principal(context, id2, &p2); if (ret) krb5_err(context, 1, ret, "krb5_cc_get_principal"); if (krb5_principal_compare(context, p, p2) == FALSE) krb5_errx(context, 1, "p != p2"); krb5_cc_destroy(context, id2); krb5_free_principal(context, p); krb5_free_principal(context, p2); ret = krb5_cc_resolve(context, c, &id2); if (ret) krb5_err(context, 1, ret, "krb5_cc_resolve"); ret = krb5_cc_get_principal(context, id2, &p2); if (ret == 0) krb5_errx(context, 1, "krb5_cc_get_principal"); krb5_cc_destroy(context, id2); free(c); }
krb5_error_code KRB5_LIB_FUNCTION krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, char *newpw, krb5_principal targprinc, int *result_code, krb5_data *result_code_string, krb5_data *result_string) { krb5_creds creds, *credsp; krb5_error_code ret; krb5_principal principal = NULL; *result_code = KRB5_KPASSWD_MALFORMED; result_code_string->data = result_string->data = NULL; result_code_string->length = result_string->length = 0; memset(&creds, 0, sizeof(creds)); if (targprinc == NULL) { ret = krb5_cc_get_principal(context, ccache, &principal); if (ret) return ret; } else principal = targprinc; ret = krb5_make_principal(context, &creds.server, krb5_principal_get_realm(context, principal), "kadmin", "changepw", NULL); if (ret) goto out; ret = krb5_cc_get_principal(context, ccache, &creds.client); if (ret) { krb5_free_principal(context, creds.server); goto out; } ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp); krb5_free_principal(context, creds.server); krb5_free_principal(context, creds.client); if (ret) goto out; ret = krb5_set_password(context, credsp, newpw, principal, result_code, result_code_string, result_string); krb5_free_creds(context, credsp); return ret; out: if (targprinc == NULL) krb5_free_principal(context, principal); return ret; }
/* * Function: Initializes ccache and catches illegal caches such as * bad format or no permissions. * * Parameters: * ccache - credential cache structure to use * * Returns: krb5_error_code */ krb5_error_code k5_init_ccache(krb5_ccache *ccache) { krb5_error_code code; krb5_principal princ; FILE *fp; code = krb5_cc_default(k5_context, ccache); /* Initialize the ccache */ if (code) return code; code = krb5_cc_get_principal(k5_context, *ccache, &princ); if (code == KRB5_FCC_NOFILE) { /* Doesn't exist yet */ fp = fopen(krb5_cc_get_name(k5_context, *ccache), "w"); if (fp == NULL) /* Can't open it */ return KRB5_FCC_PERM; fclose (fp); } if (code) { /* Bad, delete and try again */ remove(krb5_cc_get_name(k5_context, *ccache)); code = krb5_cc_get_principal(k5_context, *ccache, &princ); if (code == KRB5_FCC_NOFILE) /* Doesn't exist yet */ return 0; if (code) return code; } /* krb5_free_principal(k5_context, princ); */ return 0; }
static void test_cache_iter_all(krb5_context context) { krb5_cccol_cursor cursor; krb5_error_code ret; krb5_ccache id; ret = krb5_cccol_cursor_new (context, &cursor); if (ret) krb5_err(context, 1, ret, "krb5_cccol_cursor_new"); while ((ret = krb5_cccol_cursor_next (context, cursor, &id)) == 0 && id != NULL) { krb5_principal principal; char *name; if (debug_flag) printf("name: %s\n", krb5_cc_get_name(context, id)); ret = krb5_cc_get_principal(context, id, &principal); if (ret == 0) { ret = krb5_unparse_name(context, principal, &name); if (ret == 0) { if (debug_flag) printf("\tprincipal: %s\n", name); free(name); } krb5_free_principal(context, principal); } krb5_cc_close(context, id); } krb5_cccol_cursor_free(context, &cursor); }
krb5_error_code k5_build_conf_principals(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char *name, krb5_creds *cred) { krb5_principal client; krb5_error_code ret; char *pname = NULL; memset(cred, 0, sizeof(*cred)); ret = krb5_cc_get_principal(context, id, &client); if (ret) return ret; if (principal) { ret = krb5_unparse_name(context, principal, &pname); if (ret) return ret; } ret = krb5_build_principal(context, &cred->server, sizeof(conf_realm) - 1, conf_realm, conf_name, name, pname, (char *)NULL); krb5_free_unparsed_name(context, pname); if (ret) { krb5_free_principal(context, client); return ret; } ret = krb5_copy_principal(context, client, &cred->client); krb5_free_principal(context, client); return ret; }
/* Store the v5 TGT in $KRB5CCNAME. */ static int sly_v5(krb5_context ctx, const char *v5ccname, struct _pam_krb5_user_info *userinfo, struct _pam_krb5_stash *stash) { krb5_ccache ccache; krb5_principal princ; int i; ccache = NULL; i = krb5_cc_resolve(ctx, v5ccname, &ccache); if (i == 0) { princ = NULL; if (krb5_cc_get_principal(ctx, ccache, &princ) == 0) { if (krb5_principal_compare(ctx, princ, userinfo->principal_name) == FALSE) { krb5_free_principal(ctx, princ); krb5_cc_close(ctx, ccache); return PAM_SERVICE_ERR; } krb5_free_principal(ctx, princ); } i = krb5_cc_initialize(ctx, ccache, userinfo->principal_name); if (i == 0) { i = krb5_cc_store_cred(ctx, ccache, &stash->v5creds); } krb5_cc_close(ctx, ccache); } return PAM_SUCCESS; }
static krb5_error_code krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds *in_creds, krb5_creds **out_creds, int which) { krb5_error_code retval; krb5_principal tmp; krb5_creds **tgts = 0; switch(which) { case INT_GC_VALIDATE: retval = krb5_get_cred_from_kdc_validate(context, ccache, in_creds, out_creds, &tgts); break; case INT_GC_RENEW: retval = krb5_get_cred_from_kdc_renew(context, ccache, in_creds, out_creds, &tgts); break; default: /* Should never happen */ retval = 255; break; } if (retval) return retval; if (tgts) krb5_free_tgt_creds(context, tgts); retval = krb5_cc_get_principal(context, ccache, &tmp); if (retval) return retval; retval = krb5_cc_initialize(context, ccache, tmp); if (retval) return retval; retval = krb5_cc_store_cred(context, ccache, *out_creds); return retval; }
static int mod_authn_gssapi_store_krb5_creds(server *srv, connection *con, plugin_data *p, krb5_context kcontext, krb5_ccache delegated_cred) { krb5_error_code problem; krb5_principal princ = NULL; krb5_ccache ccache = NULL; problem = krb5_cc_get_principal(kcontext, delegated_cred, &princ); if (problem) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_get_principal", NULL, kcontext, problem); goto end; } if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, kcontext, princ, &ccache)) { goto end; } problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache); if (problem) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_copy_creds", NULL, kcontext, problem); goto end; } krb5_free_principal(kcontext, princ); krb5_cc_close(kcontext, ccache); return 0; end: if (princ) krb5_free_principal(kcontext, princ); if (ccache) krb5_cc_destroy(kcontext, ccache); return -1; }
/* * call-seq: * krb5.get_default_principal * * Returns the default principal for the current realm based on the current * credentials cache. * * If no credentials cache is found then an error is raised. */ static VALUE rkrb5_get_default_principal(VALUE self){ char* princ_name; RUBY_KRB5* ptr; krb5_ccache ccache; krb5_error_code kerror; Data_Get_Struct(self, RUBY_KRB5, ptr); if(!ptr->ctx) rb_raise(cKrb5Exception, "no context has been established"); // Get the default credentials cache kerror = krb5_cc_default(ptr->ctx, &ccache); if(kerror) rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror)); kerror = krb5_cc_get_principal(ptr->ctx, ccache, &ptr->princ); if(kerror){ krb5_cc_close(ptr->ctx, ccache); rb_raise(cKrb5Exception, "krb5_cc_get_principal: %s", error_message(kerror)); } krb5_cc_close(ptr->ctx, ccache); kerror = krb5_unparse_name(ptr->ctx, ptr->princ, &princ_name); if(kerror) rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror)); return rb_str_new2(princ_name); }
static int list_ccache(krb5_ccache cache) { krb5_error_code ret; krb5_principal princ = NULL; char *princname = NULL, *ccname = NULL; int expired, status = 1; ret = krb5_cc_get_principal(context, cache, &princ); if (ret) /* Uninitialized cache file, probably. */ goto cleanup; ret = krb5_unparse_name(context, princ, &princname); if (ret) goto cleanup; ret = krb5_cc_get_full_name(context, cache, &ccname); if (ret) goto cleanup; expired = check_ccache(cache); printf("%-30.30s %s", princname, ccname); if (expired) printf(" %s", _("(Expired)")); printf("\n"); status = 0; cleanup: krb5_free_principal(context, princ); krb5_free_unparsed_name(context, princname); krb5_free_string(context, ccname); return status; }
static int display_v5_ccache (krb5_context context, krb5_ccache ccache, int do_test, int do_verbose, int do_flags, int do_hidden) { krb5_error_code ret; krb5_principal principal; int exit_status = 0; ret = krb5_cc_get_principal (context, ccache, &principal); if (ret) { if(ret == ENOENT) { if (!do_test) krb5_warnx(context, N_("No ticket file: %s", ""), krb5_cc_get_name(context, ccache)); return 1; } else krb5_err (context, 1, ret, "krb5_cc_get_principal"); } if (do_test) exit_status = check_for_tgt (context, ccache, principal, NULL); else print_tickets (context, ccache, principal, do_verbose, do_flags, do_hidden); ret = krb5_cc_close (context, ccache); if (ret) krb5_err (context, 1, ret, "krb5_cc_close"); krb5_free_principal (context, principal); return exit_status; }
/* Check that when name is resolved, the resulting cache's principal matches * expected_princ, or has no principal if expected_princ is NULL. */ static void check_princ(const char *name, krb5_principal expected_princ) { krb5_ccache cache; krb5_principal princ; check(krb5_cc_resolve(ctx, name, &cache)); if (expected_princ != NULL) { check(krb5_cc_get_principal(ctx, cache, &princ)); assert(krb5_principal_compare(ctx, princ, expected_princ)); krb5_free_principal(ctx, princ); } else { assert(krb5_cc_get_principal(ctx, cache, &princ) != 0); } krb5_cc_close(ctx, cache); }
int check_krb5_tickets() { krb5_error_code ret; krb5_context context; krb5_ccache ccache; krb5_principal principal; int retval = 1; ret = krb5_init_context(&context); if(ret) errx(1, "krb5_init_context failt: %d", ret); ret = krb5_cc_default(context, &ccache); if(ret) errx(1, "krb5_cc_default: %d", ret); ret = krb5_cc_get_principal (context, ccache, &principal); switch(ret) { case ENOENT: retval = 0; goto done; case 0: retval = 1; goto done; default: errx(1, "krb5_cc_get_principal: %d", ret); break; } done: krb5_free_context(context); return retval; }
static PyObject * k5_cc_get_principal(PyObject *self, PyObject *args) { krb5_context ctx; char *ccname, *name; krb5_error_code code; krb5_ccache ccache; krb5_principal principal; PyObject *ret; if (!PyArg_ParseTuple( args, "s", &ccname)) return NULL; code = krb5_init_context(&ctx); RETURN_ON_ERROR("krb5_init_context()", code); code = krb5_cc_resolve(ctx, ccname, &ccache); RETURN_ON_ERROR("krb5_cc_resolve()", code); code = krb5_cc_get_principal(ctx, ccache, &principal); RETURN_ON_ERROR("krb5_cc_get_principal()", code); code = krb5_unparse_name(ctx, principal, &name); RETURN_ON_ERROR("krb5_unparse_name()", code); ret = PyString_FromString(name); if (ret == NULL) return ret; code = krb5_cc_close(ctx, ccache); RETURN_ON_ERROR("krb5_cc_close()", code); krb5_free_unparsed_name(ctx, name); krb5_free_principal(ctx, principal); krb5_free_context(ctx); return ret; }
Krb5Principal Krb5CCache::getClientPrincipal() const { krb5_principal client; krb5_context ctx = context_.get(); krb5_error_code code = krb5_cc_get_principal(ctx, ccache_, &client); raiseIf(ctx, code, "getting client from ccache"); return Krb5Principal(ctx, std::move(client)); }
static krb5_error_code afslog_uid_int(struct kafs_data *data, const char *cell, const char *rh, uid_t uid, const char *homedir) { krb5_error_code ret; struct kafs_token kt; krb5_principal princ; const char *trealm; /* ticket realm */ struct krb5_kafs_data *d = data->data; if (cell == 0 || cell[0] == 0) return _kafs_afslog_all_local_cells (data, uid, homedir); ret = krb5_cc_get_principal (d->context, d->id, &princ); if (ret) return ret; trealm = krb5_principal_get_realm (d->context, princ); kt.ticket = NULL; ret = _kafs_get_cred(data, cell, d->realm, trealm, uid, &kt); krb5_free_principal (d->context, princ); if(ret == 0) { ret = kafs_settoken_rxkad(cell, &kt.ct, kt.ticket, kt.ticket_len); free(kt.ticket); } return ret; }
static int get_cred(struct kafs_data *data, const char *name, const char *inst, const char *realm, uid_t uid, struct kafs_token *kt) { krb5_error_code ret; krb5_creds in_creds, *out_creds; struct krb5_kafs_data *d = data->data; memset(&in_creds, 0, sizeof(in_creds)); ret = krb5_make_principal(d->context, &in_creds.server, realm, name, inst, NULL); if(ret) return ret; ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client); if(ret){ krb5_free_principal(d->context, in_creds.server); return ret; } in_creds.session.keytype = ETYPE_DES_CBC_CRC; ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds); krb5_free_principal(d->context, in_creds.server); krb5_free_principal(d->context, in_creds.client); if(ret) return ret; ret = v5_convert(d->context, d->id, out_creds, uid, (inst != NULL && inst[0] != '\0') ? inst : realm, kt); krb5_free_creds(d->context, out_creds); return ret; }
OM_uint32 krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle, krb5_context context) { krb5_gss_cred_id_t cred; krb5_error_code code; krb5_principal princ; cred = (krb5_gss_cred_id_t) cred_handle; code = k5_mutex_lock(&cred->lock); if (code) { *minor_status = code; return GSS_S_FAILURE; } if (cred->ccache) { if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) { k5_mutex_unlock(&cred->lock); *minor_status = code; return(GSS_S_DEFECTIVE_CREDENTIAL); } if (!krb5_principal_compare(context, princ, cred->name->princ)) { k5_mutex_unlock(&cred->lock); *minor_status = KG_CCACHE_NOMATCH; return(GSS_S_DEFECTIVE_CREDENTIAL); } (void)krb5_free_principal(context, princ); } *minor_status = 0; return GSS_S_COMPLETE; }
principal::principal(context& _ctx, ccache& _cc):base(),free(TRUE),ctx(_ctx),_principal(NULL){ kerror=krb5_cc_get_principal(ctx(), _cc(), &_principal); if(kerror) return; /* throw(std::string("Kerberos returned ")+kerror); */ };
DWORD ADUKrb5GetPrincipalName( PCSTR pszCachePath, PSTR* ppszPrincipalName ) { DWORD dwError = 0; krb5_error_code ret = 0; krb5_context ctx = NULL; krb5_ccache cc = NULL; krb5_principal pKrb5Principal = NULL; PSTR pszKrb5PrincipalName = NULL; PSTR pszPrincipalName = NULL; ret = krb5_init_context(&ctx); BAIL_ON_KRB_ERROR(ctx, ret); ret = krb5_cc_resolve(ctx, pszCachePath, &cc); BAIL_ON_KRB_ERROR(ctx, ret); ret = krb5_cc_get_principal(ctx, cc, &pKrb5Principal); BAIL_ON_KRB_ERROR(ctx, ret); ret = krb5_unparse_name(ctx, pKrb5Principal, &pszKrb5PrincipalName); BAIL_ON_KRB_ERROR(ctx, ret); dwError = LwAllocateString(pszKrb5PrincipalName, &pszPrincipalName); BAIL_ON_MAC_ERROR(dwError); *ppszPrincipalName = pszPrincipalName; cleanup: if (ctx) { if (pszKrb5PrincipalName) { krb5_free_unparsed_name(ctx, pszKrb5PrincipalName); } if (pKrb5Principal) { krb5_free_principal(ctx, pKrb5Principal); } if (cc) { krb5_cc_close(ctx, cc); } krb5_free_context(ctx); } return dwError; error: *ppszPrincipalName = NULL; goto cleanup; }
static void do_delegation (krb5_auth_context ac, krb5_ccache ccache, krb5_creds *cred, krb5_const_principal name, krb5_data *fwd_data, uint32_t *flags) { krb5_creds creds; KDCOptions fwd_flags; krb5_error_code kret; memset (&creds, 0, sizeof(creds)); krb5_data_zero (fwd_data); kret = krb5_cc_get_principal(_gsskrb5_context, ccache, &creds.client); if (kret) goto out; kret = krb5_build_principal(_gsskrb5_context, &creds.server, strlen(creds.client->realm), creds.client->realm, KRB5_TGS_NAME, creds.client->realm, NULL); if (kret) goto out; creds.times.endtime = 0; memset(&fwd_flags, 0, sizeof(fwd_flags)); fwd_flags.forwarded = 1; fwd_flags.forwardable = 1; if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/ name->name.name_string.len < 2) goto out; kret = krb5_get_forwarded_creds(_gsskrb5_context, ac, ccache, KDCOptions2int(fwd_flags), name->name.name_string.val[1], &creds, fwd_data); out: if (kret) *flags &= ~GSS_C_DELEG_FLAG; else *flags |= GSS_C_DELEG_FLAG; if (creds.client) krb5_free_principal(_gsskrb5_context, creds.client); if (creds.server) krb5_free_principal(_gsskrb5_context, creds.server); }
static krb5_error_code fast_armor_ap_request(krb5_context context, struct krb5int_fast_request_state *state, krb5_ccache ccache, krb5_principal target_principal) { krb5_error_code retval = 0; krb5_creds creds, *out_creds = NULL; krb5_auth_context authcontext = NULL; krb5_data encoded_authenticator; krb5_fast_armor *armor = NULL; krb5_keyblock *subkey = NULL, *armor_key = NULL; encoded_authenticator.data = NULL; memset(&creds, 0, sizeof(creds)); creds.server = target_principal; retval = krb5_cc_get_principal(context, ccache, &creds.client); if (retval == 0) retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds); if (retval == 0) { TRACE_FAST_ARMOR_CCACHE_KEY(context, &out_creds->keyblock); retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/, out_creds, &encoded_authenticator); } if (retval == 0) retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey); if (retval == 0) retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor", &out_creds->keyblock, "ticketarmor", &armor_key); if (retval == 0) { TRACE_FAST_ARMOR_KEY(context, armor_key); armor = calloc(1, sizeof(krb5_fast_armor)); if (armor == NULL) retval = ENOMEM; } if (retval == 0) { armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST; armor->armor_value = encoded_authenticator; encoded_authenticator.data = NULL; encoded_authenticator.length = 0; state->armor = armor; armor = NULL; state->armor_key = armor_key; armor_key = NULL; } krb5_free_keyblock(context, armor_key); krb5_free_keyblock(context, subkey); if (out_creds) krb5_free_creds(context, out_creds); /* target_principal is owned by caller. */ creds.server = NULL; krb5_free_cred_contents(context, &creds); if (encoded_authenticator.data) krb5_free_data_contents(context, &encoded_authenticator); krb5_auth_con_free(context, authcontext); return retval; }
void kerberos5_forward(kstream ks) { krb5_error_code r; krb5_ccache ccache; krb5_principal client = 0; krb5_principal server = 0; krb5_data forw_creds; forw_creds.data = 0; if ((r = krb5_cc_default(k5_context, &ccache))) { com_err(NULL, r, "Kerberos V5: could not get default ccache"); return; } if ((r = krb5_cc_get_principal(k5_context, ccache, &client))) { com_err(NULL, r, "Kerberos V5: could not get default principal"); goto cleanup; } if ((r = krb5_sname_to_principal(k5_context, szHostName, KRB_SERVICE_NAME, KRB5_NT_SRV_HST, &server))) { com_err(NULL, r, "Kerberos V5: could not make server principal"); goto cleanup; } if ((r = krb5_auth_con_genaddrs(k5_context, auth_context, ks->fd, KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR))) { com_err(NULL, r, "Kerberos V5: could not gen local full address"); goto cleanup; } if (r = krb5_fwd_tgt_creds(k5_context, auth_context, 0, client, server, ccache, forwardable_flag, &forw_creds)) { com_err(NULL, r, "Kerberos V5: error getting forwarded creds"); goto cleanup; } /* Send forwarded credentials */ if (!Data(ks, KRB_FORWARD, forw_creds.data, forw_creds.length)) { MessageBox(HWND_DESKTOP, "Not enough room for authentication data", "", MB_OK | MB_ICONEXCLAMATION); } cleanup: if (client) krb5_free_principal(k5_context, client); if (server) krb5_free_principal(k5_context, server); #if 0 /* XXX */ if (forw_creds.data) free(forw_creds.data); #endif krb5_cc_close(k5_context, ccache); }
static int pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info) { krb5_error_code retval; if (info->pg_krb5_initialised) return STATUS_OK; retval = krb5_init_context(&(info->pg_krb5_context)); if (retval) { printfPQExpBuffer(errorMessage, "pg_krb5_init: krb5_init_context: %s\n", error_message(retval)); return STATUS_ERROR; } retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache)); if (retval) { printfPQExpBuffer(errorMessage, "pg_krb5_init: krb5_cc_default: %s\n", error_message(retval)); krb5_free_context(info->pg_krb5_context); return STATUS_ERROR; } retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache, &(info->pg_krb5_client)); if (retval) { printfPQExpBuffer(errorMessage, "pg_krb5_init: krb5_cc_get_principal: %s\n", error_message(retval)); krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); krb5_free_context(info->pg_krb5_context); return STATUS_ERROR; } retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name)); if (retval) { printfPQExpBuffer(errorMessage, "pg_krb5_init: krb5_unparse_name: %s\n", error_message(retval)); krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client); krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); krb5_free_context(info->pg_krb5_context); return STATUS_ERROR; } info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name); info->pg_krb5_initialised = 1; return STATUS_OK; }
static int pg_krb5_init(char *PQerrormsg) { krb5_error_code retval; if (pg_krb5_initialised) return STATUS_OK; retval = krb5_init_context(&pg_krb5_context); if (retval) { snprintf(PQerrormsg, PQERRORMSG_LENGTH, "pg_krb5_init: krb5_init_context: %s\n", error_message(retval)); return STATUS_ERROR; } retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache); if (retval) { snprintf(PQerrormsg, PQERRORMSG_LENGTH, "pg_krb5_init: krb5_cc_default: %s\n", error_message(retval)); krb5_free_context(pg_krb5_context); return STATUS_ERROR; } retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache, &pg_krb5_client); if (retval) { snprintf(PQerrormsg, PQERRORMSG_LENGTH, "pg_krb5_init: krb5_cc_get_principal: %s\n", error_message(retval)); krb5_cc_close(pg_krb5_context, pg_krb5_ccache); krb5_free_context(pg_krb5_context); return STATUS_ERROR; } retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name); if (retval) { snprintf(PQerrormsg, PQERRORMSG_LENGTH, "pg_krb5_init: krb5_unparse_name: %s\n", error_message(retval)); krb5_free_principal(pg_krb5_context, pg_krb5_client); krb5_cc_close(pg_krb5_context, pg_krb5_ccache); krb5_free_context(pg_krb5_context); return STATUS_ERROR; } pg_krb5_name = pg_an_to_ln(pg_krb5_name); pg_krb5_initialised = 1; return STATUS_OK; }
static uint32_t retrieve_remote_creds(uint32_t *min, gssx_name *name, gssx_cred *creds) { krb5_context ctx = NULL; krb5_ccache ccache = NULL; krb5_creds cred; krb5_creds icred; krb5_error_code ret; XDR xdrctx; bool xdrok; memset(&cred, 0, sizeof(krb5_creds)); memset(&icred, 0, sizeof(krb5_creds)); ret = krb5_init_context(&ctx); if (ret) goto done; ret = krb5_cc_default(ctx, &ccache); if (ret) goto done; if (name) { ret = krb5_parse_name(ctx, name->display_name.octet_string_val, &icred.client); } else { ret = krb5_cc_get_principal(ctx, ccache, &icred.client); } if (ret) goto done; ret = krb5_parse_name(ctx, GPKRB_SRV_NAME, &icred.server); if (ret) goto done; ret = krb5_cc_retrieve_cred(ctx, ccache, 0, &icred, &cred); if (ret) goto done; xdrmem_create(&xdrctx, cred.ticket.data, cred.ticket.length, XDR_DECODE); xdrok = xdr_gssx_cred(&xdrctx, creds); if (xdrok) { ret = 0; } else { ret = EIO; } done: if (ctx) { krb5_free_cred_contents(ctx, &cred); krb5_free_cred_contents(ctx, &icred); if (ccache) krb5_cc_close(ctx, ccache); krb5_free_context(ctx); } *min = ret; return ret ? GSS_S_FAILURE : GSS_S_COMPLETE; }
/* Display the contents of cache. */ static int show_ccache(krb5_ccache cache) { krb5_cc_cursor cur; krb5_creds creds; krb5_principal princ; krb5_error_code ret; ret = krb5_cc_get_principal(context, cache, &princ); if (ret) { com_err(progname, ret, ""); return 1; } ret = krb5_unparse_name(context, princ, &defname); if (ret) { com_err(progname, ret, _("while unparsing principal name")); return 1; } printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"), krb5_cc_get_type(context, cache), krb5_cc_get_name(context, cache), defname); /* XXX Translating would disturb table alignment; skip for now. */ fputs("Valid starting", stdout); fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, (int) ' '); fputs("Expires", stdout); fillit(stdout, timestamp_width - sizeof("Expires") + 3, (int) ' '); fputs("Service principal\n", stdout); ret = krb5_cc_start_seq_get(context, cache, &cur); if (ret) { com_err(progname, ret, _("while starting to retrieve tickets")); return 1; } while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) { if (show_config || !krb5_is_config_principal(context, creds.server)) show_credential(&creds); krb5_free_cred_contents(context, &creds); } krb5_free_principal(context, princ); krb5_free_unparsed_name(context, defname); defname = NULL; if (ret == KRB5_CC_END) { ret = krb5_cc_end_seq_get(context, cache, &cur); if (ret) { com_err(progname, ret, _("while finishing ticket retrieval")); return 1; } return 0; } else { com_err(progname, ret, _("while retrieving a ticket")); return 1; } }
static int get_v5cred(krb5_context context, char *name, char *inst, char *realm, CREDENTIALS *c, krb5_creds **creds) { krb5_creds increds; krb5_error_code r; static krb5_principal client_principal = 0; if (client_principal) { krb5_free_principal(context, client_principal); client_principal = 0; } memset(&increds, 0, sizeof(increds)); if ((r = krb5_build_principal(context, &increds.server, (int)strlen(realm), realm, name, (inst && strlen(inst)) ? inst : 0, 0))) { return((int)r); } if (!_krb425_ccache) { if ((r = krb5_cc_default(context, &_krb425_ccache))) return ((int)r); } if (!client_principal) { if ((r = krb5_cc_get_principal(context, _krb425_ccache, &client_principal))) { krb5_cc_close(context, _krb425_ccache); return ((int)r); } } increds.client = client_principal; increds.times.endtime = 0; /* Ask for DES since that is what V4 understands */ if (c != NULL) increds.session.keytype = ENCTYPE_DES_CBC_CRC; r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds); if (r) { return((int)r); } #ifdef HAVE_KRB4 /* This requires krb524d to be running with the KDC */ if (c != NULL) r = krb5_524_convert_creds(context, *creds, c); #endif return((int)r); }
static OM_uint32 _acquire_uuid_name(OM_uint32 *minor_status, krb5_context context, krb5_const_principal princ, int *iakerb, gsskrb5_cred handle) { krb5_error_code ret; krb5_uuid uuid; *iakerb = 0; if (princ->name.name_type != KRB5_NT_CACHE_UUID) return GSS_S_BAD_NAMETYPE; if (princ->name.name_string.len != 1 || strcmp(princ->realm, "UUID") != 0) return GSS_S_BAD_NAME; if (krb5_string_to_uuid(princ->name.name_string.val[0], uuid)) return GSS_S_BAD_NAME; ret = krb5_cc_resolve_by_uuid(context, NULL, &handle->ccache, uuid); if (ret) { *minor_status = ret; return GSS_S_FAILURE; } ret = krb5_cc_get_principal(context, handle->ccache, &handle->principal); if (ret) { *minor_status = ret; return GSS_S_FAILURE; } { krb5_data data; ret = krb5_cc_get_config(context, handle->ccache, NULL, "iakerb", &data); if (ret == 0) { *iakerb = 1; handle->endtime = INT_MAX; krb5_data_free(&data); return 0; } } return __gsskrb5_ccache_lifetime(minor_status, context, handle->ccache, handle->principal, &handle->endtime); }
int kssl_tgt_is_available(KSSL_CTX *kssl_ctx) { krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; krb5_context krb5context = NULL; krb5_ccache krb5ccdef = NULL; krb5_creds krb5creds, *krb5credsp = NULL; int rc = 0; memset((char *)&krb5creds, 0, sizeof(krb5creds)); if (!kssl_ctx) return (0); if (!kssl_ctx->service_host) return (0); if ((krb5rc = krb5_init_context(&krb5context)) != 0) goto err; if ((krb5rc = krb5_sname_to_principal( krb5context, kssl_ctx->service_host, (kssl_ctx->service_name) ? kssl_ctx->service_name : KRB5SVC, KRB5_NT_SRV_HST, &krb5creds.server)) != 0) goto err; if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) goto err; if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, &krb5creds.client)) != 0) goto err; if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, &krb5creds, &krb5credsp)) != 0) goto err; rc = 1; err: #ifdef KSSL_DEBUG kssl_ctx_show(kssl_ctx); #endif /* KSSL_DEBUG */ if (krb5creds.client) krb5_free_principal(krb5context, krb5creds.client); if (krb5creds.server) krb5_free_principal(krb5context, krb5creds.server); if (krb5context) krb5_free_context(krb5context); return (rc); }