/* Process a TGS reply and advance the path traversal to get a foreign TGT. */ static krb5_error_code step_get_tgt(krb5_context context, krb5_tkt_creds_context ctx) { krb5_error_code code; const krb5_data *tgt_realm, *path_realm; if (ctx->reply_code != 0) { /* The last request failed. Try the next-closest realm to * ctx->cur_realm. */ ctx->next_realm--; if (ctx->next_realm == ctx->cur_realm) { /* We've tried all the realms we could and couldn't progress beyond * ctx->cur_realm, so it's time to give up. */ return ctx->reply_code; } TRACE_TKT_CREDS_CLOSER_REALM(context, ctx->next_realm); } else { /* Verify that we got a TGT. */ if (!IS_TGS_PRINC(context, ctx->reply_creds->server)) return KRB5_KDCREP_MODIFIED; /* Use this tgt for the next request regardless of what it is. */ krb5_free_creds(context, ctx->cur_tgt); ctx->cur_tgt = ctx->reply_creds; ctx->reply_creds = NULL; /* Remember that we saw this realm. */ tgt_realm = &ctx->cur_tgt->server->data[1]; code = remember_realm(context, ctx, tgt_realm); if (code != 0) return code; /* See where we wound up on the path (or off it). */ path_realm = find_realm_in_path(context, ctx, tgt_realm); if (path_realm != NULL) { /* We got a realm on the expected path, so we can cache it. */ (void) krb5_cc_store_cred(context, ctx->ccache, ctx->cur_tgt); if (path_realm == ctx->last_realm) { /* We received a TGT for the target realm. */ TRACE_TKT_CREDS_TARGET_TGT(context, ctx->cur_tgt->server); return end_get_tgt(context, ctx); } else if (path_realm != NULL) { /* We still have further to go; advance the traversal. */ TRACE_TKT_CREDS_ADVANCE(context, tgt_realm); ctx->cur_realm = path_realm; ctx->next_realm = ctx->last_realm; } } else if (data_eq(*tgt_realm, ctx->client->realm)) { /* We were referred back to the local realm, which is bad. */ return KRB5_KDCREP_MODIFIED; } else { /* We went off the path; start the off-path chase. */ TRACE_TKT_CREDS_OFFPATH(context, tgt_realm); return begin_get_tgt_offpath(context, ctx); } } /* Generate the next request in the path traversal. */ return get_tgt_request(context, ctx); }
krb5_error_code KRB5_CALLCONV krb5_get_credentials(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds *in_creds, krb5_creds **out_creds) { krb5_error_code code; krb5_creds *ncreds = NULL; krb5_tkt_creds_context ctx = NULL; *out_creds = NULL; /* Allocate a container. */ ncreds = k5alloc(sizeof(*ncreds), &code); if (ncreds == NULL) goto cleanup; /* Make and execute a krb5_tkt_creds context to get the credential. */ code = krb5_tkt_creds_init(context, ccache, in_creds, options, &ctx); if (code != 0) goto cleanup; code = krb5_tkt_creds_get(context, ctx); if (code != 0) goto cleanup; code = krb5_tkt_creds_get_creds(context, ctx, ncreds); if (code != 0) goto cleanup; *out_creds = ncreds; ncreds = NULL; cleanup: krb5_free_creds(context, ncreds); krb5_tkt_creds_free(context, ctx); return code; }
static int kvno5(krb5_context ctx, const char *host, int socktype, krb5_principal princ, krb5_principal sprinc, krb5_ccache ccache) { krb5_error_code kerr = 0; krb5_creds increds; krb5_creds *outcreds = NULL; krb5_ticket *ticket = NULL; VERBOSE(1, (stderr, "initiating kvno5/%s ping to %s\n", socktype == SOCK_DGRAM ? "udp" : "tcp", host)); memset(&increds, 0x0, sizeof(increds)); increds.client = princ; increds.server = sprinc; kerr = krb5_get_credentials(ctx, 0, ccache, &increds, &outcreds); if (kerr) goto bail; kerr = krb5_decode_ticket(&outcreds->ticket, &ticket); if (kerr) goto bail; VERBOSE(2, (stderr, "kvno5 says kvno = %d\n", ticket->enc_part.kvno)); bail: if (kerr) fail_msg("kvno5", socktype, host, error_message(kerr)); if (ticket) krb5_free_ticket(ctx, ticket); if (outcreds) krb5_free_creds(ctx, outcreds); return kerr; }
/* Decode and decrypt a TGS reply, and set the reply_code or reply_creds field * of ctx with the result. Also handle too-big errors. */ static krb5_error_code get_creds_from_tgs_reply(krb5_context context, krb5_tkt_creds_context ctx, krb5_data *reply) { krb5_error_code code; krb5_free_creds(context, ctx->reply_creds); ctx->reply_creds = NULL; code = krb5int_process_tgs_reply(context, reply, ctx->cur_tgt, ctx->kdcopt, ctx->cur_tgt->addresses, NULL, ctx->tgs_in_creds, ctx->timestamp, ctx->nonce, ctx->subkey, NULL, NULL, &ctx->reply_creds); if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG) { /* Instruct the caller to re-send the request with TCP. */ code = set_caller_request(context, ctx); if (code != 0) return code; return KRB5KRB_ERR_RESPONSE_TOO_BIG; } /* Depending on our state, we may or may not be able to handle an error. * For now, store it in the context and return success. */ TRACE_TKT_CREDS_RESPONSE_CODE(context, code); ctx->reply_code = code; return 0; }
static int get_cred(struct kafs_data *data, const char *name, const char *inst, const char *realm, uid_t uid, struct kafs_token *kt) { krb5_error_code ret; krb5_creds in_creds, *out_creds; struct krb5_kafs_data *d = data->data; memset(&in_creds, 0, sizeof(in_creds)); ret = krb5_make_principal(d->context, &in_creds.server, realm, name, inst, NULL); if(ret) return ret; ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client); if(ret){ krb5_free_principal(d->context, in_creds.server); return ret; } in_creds.session.keytype = ETYPE_DES_CBC_CRC; ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds); krb5_free_principal(d->context, in_creds.server); krb5_free_principal(d->context, in_creds.client); if(ret) return ret; ret = v5_convert(d->context, d->id, out_creds, uid, (inst != NULL && inst[0] != '\0') ? inst : realm, kt); krb5_free_creds(d->context, out_creds); return ret; }
/* * Generate the next request in the path traversal. If a cached TGT for the * target realm appeared in the ccache since we started the TGT acquisition * process, this function may invoke end_get_tgt(). */ static krb5_error_code get_tgt_request(krb5_context context, krb5_tkt_creds_context ctx) { krb5_error_code code; krb5_creds *cached_tgt; while (1) { /* Check if we have a cached TGT for the target realm. */ code = get_cached_tgt(context, ctx, ctx->next_realm, &cached_tgt); if (code != 0) return code; if (cached_tgt != NULL) { /* Advance the current realm and keep going. */ TRACE_TKT_CREDS_CACHED_INTERMEDIATE_TGT(context, cached_tgt); krb5_free_creds(context, ctx->cur_tgt); ctx->cur_tgt = cached_tgt; if (ctx->next_realm == ctx->last_realm) return end_get_tgt(context, ctx); ctx->cur_realm = ctx->next_realm; ctx->next_realm = ctx->last_realm; continue; } return make_request_for_tgt(context, ctx, ctx->next_realm); } }
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_kdc_cred(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, krb5_addresses *addresses, Ticket *second_ticket, krb5_creds *in_creds, krb5_creds **out_creds ) { krb5_error_code ret; krb5_creds *krbtgt; *out_creds = calloc(1, sizeof(**out_creds)); if(*out_creds == NULL) return krb5_enomem(context); ret = _krb5_get_krbtgt (context, id, in_creds->server->realm, &krbtgt); if(ret) { free(*out_creds); *out_creds = NULL; return ret; } ret = get_cred_kdc(context, id, flags, addresses, in_creds, krbtgt, NULL, NULL, *out_creds); krb5_free_creds (context, krbtgt); if(ret) { free(*out_creds); *out_creds = NULL; } return ret; }
krb5_error_code KRB5_LIB_FUNCTION krb5_get_kdc_cred(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, krb5_addresses *addresses, Ticket *second_ticket, krb5_creds *in_creds, krb5_creds **out_creds ) { krb5_error_code ret; krb5_creds *krbtgt; *out_creds = calloc(1, sizeof(**out_creds)); if(*out_creds == NULL) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } ret = _krb5_get_krbtgt (context, id, in_creds->server->realm, &krbtgt); if(ret) { free(*out_creds); return ret; } ret = get_cred_kdc(context, id, flags, addresses, in_creds, krbtgt, *out_creds); krb5_free_creds (context, krbtgt); if(ret) free(*out_creds); return ret; }
static krb5_error_code fast_armor_ap_request(krb5_context context, struct krb5int_fast_request_state *state, krb5_ccache ccache, krb5_principal target_principal) { krb5_error_code retval = 0; krb5_creds creds, *out_creds = NULL; krb5_auth_context authcontext = NULL; krb5_data encoded_authenticator; krb5_fast_armor *armor = NULL; krb5_keyblock *subkey = NULL, *armor_key = NULL; encoded_authenticator.data = NULL; memset(&creds, 0, sizeof(creds)); creds.server = target_principal; retval = krb5_cc_get_principal(context, ccache, &creds.client); if (retval == 0) retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds); if (retval == 0) { TRACE_FAST_ARMOR_CCACHE_KEY(context, &out_creds->keyblock); retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/, out_creds, &encoded_authenticator); } if (retval == 0) retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey); if (retval == 0) retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor", &out_creds->keyblock, "ticketarmor", &armor_key); if (retval == 0) { TRACE_FAST_ARMOR_KEY(context, armor_key); armor = calloc(1, sizeof(krb5_fast_armor)); if (armor == NULL) retval = ENOMEM; } if (retval == 0) { armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST; armor->armor_value = encoded_authenticator; encoded_authenticator.data = NULL; encoded_authenticator.length = 0; state->armor = armor; armor = NULL; state->armor_key = armor_key; armor_key = NULL; } krb5_free_keyblock(context, armor_key); krb5_free_keyblock(context, subkey); if (out_creds) krb5_free_creds(context, out_creds); /* target_principal is owned by caller. */ creds.server = NULL; krb5_free_cred_contents(context, &creds); if (encoded_authenticator.data) krb5_free_data_contents(context, &encoded_authenticator); krb5_auth_con_free(context, authcontext); return retval; }
void KRB5_CALLCONV krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx) { if (ctx == NULL) return; krb5_free_creds(context, ctx->in_creds); krb5_cc_close(context, ctx->ccache); krb5_free_principal(context, ctx->req_server); krb5_free_authdata(context, ctx->authdata); krb5_free_creds(context, ctx->cur_tgt); krb5int_free_data_list(context, ctx->realms_seen); krb5_free_principal(context, ctx->tgt_princ); krb5_free_keyblock(context, ctx->subkey); krb5_free_data_contents(context, &ctx->previous_request); krb5int_free_data_list(context, ctx->realm_path); krb5_free_creds(context, ctx->reply_creds); free(ctx); }
/* * Determine the starting IAKERB state for a context. If we already * have a ticket, we may not need to do IAKERB at all. */ static krb5_error_code iakerb_get_initial_state(iakerb_ctx_id_t ctx, krb5_gss_cred_id_t cred, krb5_gss_name_t target, OM_uint32 time_req, enum iakerb_state *state) { krb5_creds in_creds, *out_creds = NULL; krb5_error_code code; memset(&in_creds, 0, sizeof(in_creds)); in_creds.client = cred->name->princ; in_creds.server = target->princ; if (cred->name->ad_context != NULL) { code = krb5_authdata_export_authdata(ctx->k5c, cred->name->ad_context, AD_USAGE_TGS_REQ, &in_creds.authdata); if (code != 0) goto cleanup; } if (time_req != 0 && time_req != GSS_C_INDEFINITE) { krb5_timestamp now; code = krb5_timeofday(ctx->k5c, &now); if (code != 0) goto cleanup; in_creds.times.endtime = now + time_req; } /* Make an AS request if we have no creds or it's time to refresh them. */ if (cred->expire == 0 || kg_cred_time_to_refresh(ctx->k5c, cred)) { *state = IAKERB_AS_REQ; code = 0; goto cleanup; } code = krb5_get_credentials(ctx->k5c, KRB5_GC_CACHED, cred->ccache, &in_creds, &out_creds); if (code == KRB5_CC_NOTFOUND || code == KRB5_CC_NOT_KTYPE) { *state = cred->have_tgt ? IAKERB_TGS_REQ : IAKERB_AS_REQ; code = 0; } else if (code == 0) { *state = IAKERB_AP_REQ; krb5_free_creds(ctx->k5c, out_creds); } cleanup: krb5_free_authdata(ctx->k5c, in_creds.authdata); return code; }
void KRB5_CALLCONV krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts) { register krb5_creds **tgtpp; if (tgts == NULL) return; for (tgtpp = tgts; *tgtpp; tgtpp++) krb5_free_creds(context, *tgtpp); free(tgts); }
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[]) { char svrnam[MAILTMPLEN],cltnam[MAILTMPLEN]; krb5_context ctx; krb5_timestamp now; krb5_principal service; krb5_ccache ccache; krb5_error_code code; krb5_creds *crd = (krb5_creds *) memset (fs_get (sizeof (krb5_creds)),0, sizeof (krb5_creds)); struct passwd *ret = NIL; if (*pass) { /* only if password non-empty */ /* make service name */ sprintf (svrnam,"%.80s@%.512s", (char *) mail_parameters (NIL,GET_SERVICENAME,NIL), tcp_serverhost ()); /* make client name with principal */ sprintf (cltnam,"%.80s/%.80s",pw->pw_name, (char *) mail_parameters (NIL,GET_SERVICENAME,NIL)); /* get a context */ if (!krb5_init_context (&ctx)) { /* get time, client and server principals */ if (!krb5_timeofday (ctx,&now) && /* Normally, kerb_cp_svr_name (defined/set in env_unix.c) is NIL, so * only the user name is used as a client principal. A few sites want * to have separate client principals for different services, but many * other sites vehemently object... */ !krb5_parse_name (ctx,kerb_cp_svr_name ? cltnam : pw->pw_name, &crd->client) && !krb5_parse_name (ctx,svrnam,&service) && !krb5_build_principal_ext(ctx,&crd->server, krb5_princ_realm (ctx,crd->client)->length, krb5_princ_realm (ctx,crd->client)->data, KRB5_TGS_NAME_SIZE,KRB5_TGS_NAME, krb5_princ_realm (ctx,crd->client)->length, krb5_princ_realm (ctx,crd->client)->data, 0)) { /* expire in 3 minutes */ crd->times.endtime = now + (3 * 60); if (krb5_cc_resolve (ctx,"MEMORY:pwk",&ccache) || krb5_cc_initialize (ctx,ccache,crd->client)) ccache = 0; if (!krb5_get_in_tkt_with_password (ctx,NIL,NIL,NIL,NIL,pass,ccache, crd,0) && !krb5_verify_init_creds (ctx,crd,service,0,ccache ? &ccache : 0,0)) ret = pw; krb5_free_creds (ctx,crd);/* flush creds and service principal */ krb5_free_principal (ctx,service); } krb5_free_context (ctx); /* don't need context any more */ } } return ret; }
/* * try_kdc() * * Using CUR_TGT, attempt to get desired NXT_TGT. Update NXT_KDC if * successful. */ static krb5_error_code try_kdc(struct tr_state *ts, krb5_creds *tgtq) { krb5_error_code retval; krb5_creds ltgtq; krb5_creds *tmp_out_cred; TR_DBG(ts, "try_kdc"); /* This check should probably be in gc_via_tkt. */ if (!krb5_c_valid_enctype(ts->cur_tgt->keyblock.enctype)) return KRB5_PROG_ETYPE_NOSUPP; ltgtq = *tgtq; ltgtq.is_skey = FALSE; ltgtq.ticket_flags = ts->cur_tgt->ticket_flags; /* * Solaris Kerberos: * Store credential in a temporary ticket as we may not * want to add it to ts->kdc_tgts if it is already in * the cache. */ retval = krb5_get_cred_via_tkt(ts->ctx, ts->cur_tgt, FLAGS2OPTS(ltgtq.ticket_flags), ts->cur_tgt->addresses, <gtq, &tmp_out_cred); if (retval) { ts->ntgts--; ts->nxt_tgt = ts->cur_tgt; TR_DBG_RET(ts, "try_kdc", retval); return retval; } /* * Solaris Kerberos: * See if the returned creds are different to the requested creds. * This can happen when the server returns a TGT "closer" to the * desired realm. */ if (!(krb5_principal_compare(ts->ctx, tgtq->server, tmp_out_cred->server))) { /* Not equal, ticket may already be in the cache */ retval = try_ccache(ts, tmp_out_cred); if (!retval) { krb5_free_creds(ts->ctx, tmp_out_cred); retval = find_nxt_kdc(ts); return retval; } } ts->kdc_tgts[ts->ntgts++] = tmp_out_cred; ts->nxt_tgt = ts->kdc_tgts[ts->ntgts-1]; retval = find_nxt_kdc(ts); TR_DBG_RET(ts, "try_kdc", retval); return retval; }
/* * Begin the process of getting a foreign TGT, either for the explicitly * specified server realm or for the fallback realm. Expects that * ctx->server->realm is the realm of the desired TGT, and that * ctx->getting_tgt_for is the state we should advance to after we have the * desired TGT. */ static krb5_error_code begin_get_tgt(krb5_context context, krb5_tkt_creds_context ctx) { krb5_error_code code; krb5_creds *cached_tgt; ctx->state = STATE_GET_TGT; /* See if we have a cached TGT for the server realm. */ code = get_cached_tgt(context, ctx, &ctx->server->realm, &cached_tgt); if (code != 0) return code; if (cached_tgt != NULL) { TRACE_TKT_CREDS_CACHED_SERVICE_TGT(context, cached_tgt); krb5_free_creds(context, ctx->cur_tgt); ctx->cur_tgt = cached_tgt; return end_get_tgt(context, ctx); } /* Start with the local tgt. */ krb5_free_creds(context, ctx->cur_tgt); ctx->cur_tgt = NULL; code = get_cached_tgt(context, ctx, &ctx->client->realm, &ctx->cur_tgt); if (code != 0) return code; if (ctx->cur_tgt == NULL) return ctx->cache_code; TRACE_TKT_CREDS_LOCAL_TGT(context, ctx->cur_tgt); /* Initialize the realm path. */ code = init_realm_path(context, ctx); if (code != 0) return code; /* Empty out the realms-seen list for loop checking. */ krb5int_free_data_list(context, ctx->realms_seen); ctx->realms_seen = NULL; /* Generate the first request. */ return get_tgt_request(context, ctx); }
static void store_tgts(krb5_context context, krb5_ccache ccache, krb5_creds **tgts) { size_t n; for (n = 0; tgts && tgts[n]; n++) { krb5_const_principal server = tgts[n]->server; if (krb5_principal_is_krbtgt(context, server) && strcmp(server->name.name_string.val[1], server->realm) != 0) krb5_cc_store_cred(context, ccache, tgts[n]); } for (n = 0; tgts && tgts[n]; n++) krb5_free_creds(context, tgts[n]); }
Krb5Credentials Krb5CCache::getCredentials( const krb5_creds& in_creds, krb5_flags options) { krb5_creds* out_creds; krb5_context ctx = context_.get(); // The krb5 impl doesn't modify in_creds. krb5_error_code code = krb5_get_credentials( ctx, options, ccache_, const_cast<krb5_creds*>(&in_creds), &out_creds); raiseIf(ctx, code, "get credentials"); SCOPE_EXIT { krb5_free_creds(ctx, out_creds); }; return Krb5Credentials(std::move(*out_creds)); }
static void eval_kgetcred(heim_dict_t o) { heim_string_t server, ccache; krb5_get_creds_opt opt; heim_bool_t nostore; krb5_error_code ret; krb5_ccache cc = NULL; krb5_principal s; krb5_creds *out = NULL; if (ptop) ptop->tgs_req++; server = heim_dict_get_value(o, HSTR("server")); if (server == NULL) krb5_errx(kdc_context, 1, "no server"); ccache = heim_dict_get_value(o, HSTR("ccache")); if (ccache == NULL) krb5_errx(kdc_context, 1, "no ccache"); nostore = heim_dict_get_value(o, HSTR("nostore")); if (nostore == NULL) nostore = heim_bool_create(1); ret = krb5_cc_resolve(kdc_context, heim_string_get_utf8(ccache), &cc); if (ret) krb5_err(kdc_context, 1, ret, "krb5_cc_resolve"); ret = krb5_parse_name(kdc_context, heim_string_get_utf8(server), &s); if (ret) krb5_err(kdc_context, 1, ret, "krb5_parse_name"); ret = krb5_get_creds_opt_alloc(kdc_context, &opt); if (ret) krb5_err(kdc_context, 1, ret, "krb5_get_creds_opt_alloc"); if (heim_bool_val(nostore)) krb5_get_creds_opt_add_options(kdc_context, opt, KRB5_GC_NO_STORE); ret = krb5_get_creds(kdc_context, opt, cc, s, &out); if (ret) krb5_err(kdc_context, 1, ret, "krb5_get_creds"); krb5_free_creds(kdc_context, out); krb5_free_principal(kdc_context, s); krb5_get_creds_opt_free(kdc_context, opt); krb5_cc_close(kdc_context, cc); }
OM_uint32 GSSAPI_CALLCONV _gsskrb5_delete_sec_context(OM_uint32 * minor_status, gss_ctx_id_t * context_handle, gss_buffer_t output_token) { krb5_context context; gsskrb5_ctx ctx; GSSAPI_KRB5_INIT (&context); *minor_status = 0; if (output_token) { output_token->length = 0; output_token->value = NULL; } if (*context_handle == GSS_C_NO_CONTEXT) return GSS_S_COMPLETE; ctx = (gsskrb5_ctx) *context_handle; *context_handle = GSS_C_NO_CONTEXT; HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); krb5_auth_con_free (context, ctx->auth_context); krb5_auth_con_free (context, ctx->deleg_auth_context); if (ctx->kcred) krb5_free_creds(context, ctx->kcred); if(ctx->source) krb5_free_principal (context, ctx->source); if(ctx->target) krb5_free_principal (context, ctx->target); if (ctx->ticket) krb5_free_ticket (context, ctx->ticket); if(ctx->order) _gssapi_msg_order_destroy(&ctx->order); if (ctx->service_keyblock) krb5_free_keyblock (context, ctx->service_keyblock); krb5_data_free(&ctx->fwd_data); if (ctx->crypto) krb5_crypto_destroy(context, ctx->crypto); HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex); memset(ctx, 0, sizeof(*ctx)); free (ctx); return GSS_S_COMPLETE; }
/* Remove creds from d, invalidate any existing cursors, and unset the client * principal. The caller is responsible for locking. */ static void empty_mcc_cache(krb5_context context, krb5_mcc_data *d) { krb5_mcc_link *curr, *next; for (curr = d->link; curr != NULL; curr = next) { next = curr->next; krb5_free_creds(context, curr->creds); free(curr); } d->link = NULL; d->generation++; krb5_free_principal(context, d->prin); d->prin = NULL; }
static int get_cred(struct kafs_data *data, const char *name, const char *inst, const char *realm, uid_t uid, struct kafs_token *kt) { krb5_error_code ret; krb5_creds in_creds, *out_creds; struct krb5_kafs_data *d = data->data; int invalid; memset(&in_creds, 0, sizeof(in_creds)); ret = krb5_make_principal(d->context, &in_creds.server, realm, name, inst, NULL); if(ret) return ret; ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client); if(ret){ krb5_free_principal(d->context, in_creds.server); return ret; } in_creds.session.keytype = ETYPE_DES_CBC_CRC; /* check if des is disable, and in that case enable it for afs */ invalid = krb5_enctype_valid(d->context, in_creds.session.keytype); if (invalid) krb5_enctype_enable(d->context, in_creds.session.keytype); ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds); if (ret) { in_creds.session.keytype = ETYPE_DES_CBC_MD5; ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds); } if (invalid) krb5_enctype_disable(d->context, in_creds.session.keytype); krb5_free_principal(d->context, in_creds.server); krb5_free_principal(d->context, in_creds.client); if(ret) return ret; ret = v5_convert(d->context, d->id, out_creds, uid, (inst != NULL && inst[0] != '\0') ? inst : realm, kt); krb5_free_creds(d->context, out_creds); return ret; }
static void krb5_mcc_free(krb5_context context, krb5_ccache id) { krb5_mcc_cursor curr,next; krb5_mcc_data *d; d = (krb5_mcc_data *) id->data; for (curr = d->link; curr;) { krb5_free_creds(context, curr->creds); next = curr->next; free(curr); curr = next; } d->link = NULL; krb5_free_principal(context, d->prin); }
static time_t ticket_lifetime(krb5_context context, krb5_ccache cache, krb5_principal client, const char *server, time_t *renew) { krb5_creds in_cred, *cred; krb5_error_code ret; time_t timeout; time_t curtime; memset(&in_cred, 0, sizeof(in_cred)); ret = krb5_cc_get_principal(context, cache, &in_cred.client); if (ret) { krb5_warn(context, ret, "krb5_cc_get_principal"); return 0; } ret = get_server(context, in_cred.client, server, &in_cred.server); if (ret) { krb5_free_principal(context, in_cred.client); krb5_warn(context, ret, "get_server"); return 0; } ret = krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in_cred, &cred); krb5_free_principal(context, in_cred.client); krb5_free_principal(context, in_cred.server); if (ret) { krb5_warn(context, ret, "krb5_get_credentials"); return 0; } curtime = time(NULL); timeout = cred->times.endtime - curtime; if (timeout < 0) timeout = 0; if (renew) { *renew = cred->times.renew_till - curtime; if (*renew < 0) *renew = 0; } krb5_free_creds(context, cred); return timeout; }
krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req_exact(krb5_context context, krb5_auth_context *auth_context, const krb5_flags ap_req_options, const krb5_principal server, krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf) { krb5_error_code ret; krb5_creds this_cred, *cred; memset(&this_cred, 0, sizeof(this_cred)); ret = krb5_cc_get_principal(context, ccache, &this_cred.client); if(ret) return ret; ret = krb5_copy_principal (context, server, &this_cred.server); if (ret) { krb5_free_cred_contents (context, &this_cred); return ret; } this_cred.times.endtime = 0; if (auth_context && *auth_context && (*auth_context)->keytype) this_cred.session.keytype = (*auth_context)->keytype; ret = krb5_get_credentials (context, 0, ccache, &this_cred, &cred); krb5_free_cred_contents(context, &this_cred); if (ret) return ret; ret = krb5_mk_req_extended (context, auth_context, ap_req_options, in_data, cred, outbuf); krb5_free_creds(context, cred); return ret; }
static krb5_error_code do_524init(krb5_context context, krb5_ccache ccache, krb5_creds *creds, const char *server) { krb5_error_code ret; struct credentials c; krb5_creds in_creds, *real_creds; if(creds != NULL) real_creds = creds; else { krb5_principal client; krb5_cc_get_principal(context, ccache, &client); memset(&in_creds, 0, sizeof(in_creds)); ret = get_server(context, client, server, &in_creds.server); if(ret) { krb5_free_principal(context, client); return ret; } in_creds.client = client; ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds); krb5_free_principal(context, client); krb5_free_principal(context, in_creds.server); if(ret) return ret; } ret = krb524_convert_creds_kdc_ccache(context, ccache, real_creds, &c); if(ret) krb5_warn(context, ret, "converting creds"); else { krb5_error_code tret = _krb5_krb_tf_setup(context, &c, NULL, 0); if(tret) krb5_warn(context, tret, "saving v4 creds"); } if(creds == NULL) krb5_free_creds(context, real_creds); memset(&c, 0, sizeof(c)); return ret; }
/* * Modifies: * the memory cache * * Effects: * Remove the given creds from the ccache. */ static krb5_error_code KRB5_CALLCONV krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds *creds) { krb5_mcc_data *data = (krb5_mcc_data *)cache->data; krb5_mcc_link *l; k5_cc_mutex_lock(context, &data->lock); for (l = data->link; l != NULL; l = l->next) { if (l->creds != NULL && krb5int_cc_creds_match_request(context, flags, creds, l->creds)) { krb5_free_creds(context, l->creds); l->creds = NULL; } } k5_cc_mutex_unlock(context, &data->lock); return 0; }
static krb5_error_code get_kadm_ticket(krb5_context context, krb5_ccache id, krb5_principal client, const char *server_name) { krb5_error_code ret; krb5_creds in, *out; memset(&in, 0, sizeof(in)); in.client = client; ret = krb5_parse_name(context, server_name, &in.server); if(ret) return ret; ret = krb5_get_credentials(context, 0, id, &in, &out); if(ret == 0) krb5_free_creds(context, out); krb5_free_principal(context, in.server); return ret; }
krb5_error_code KRB5_CALLCONV krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, krb5_flags ap_req_options, char *service, char *hostname, krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf) { krb5_error_code retval; krb5_principal server; krb5_creds * credsp; krb5_creds creds; retval = krb5_sname_to_principal(context, hostname, service, KRB5_NT_SRV_HST, &server); if (retval) return retval; /* obtain ticket & session key */ memset((char *)&creds, 0, sizeof(creds)); if ((retval = krb5_copy_principal(context, server, &creds.server))) goto cleanup_princ; if ((retval = krb5_cc_get_principal(context, ccache, &creds.client)) != 0) goto cleanup_creds; if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp)) != 0) goto cleanup_creds; retval = krb5_mk_req_extended(context, auth_context, ap_req_options, in_data, credsp, outbuf); krb5_free_creds(context, credsp); cleanup_creds: krb5_free_cred_contents(context, &creds); cleanup_princ: krb5_free_principal(context, server); return retval; }
krb5_error_code KRB5_CALLCONV krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, char *newpw, krb5_principal change_password_for, int *result_code, krb5_data *result_code_string, krb5_data *result_string ) { krb5_creds creds; krb5_creds *credsp; krb5_error_code code; /* ** get the proper creds for use with krb5_set_password - */ memset (&creds, 0, sizeof(creds)); /* ** first get the principal for the password service - */ code = krb5_cc_get_principal (context, ccache, &creds.client); if (!code) { code = krb5_build_principal(context, &creds.server, change_password_for->realm.length, change_password_for->realm.data, "kadmin", "changepw", NULL); if (!code) { code = krb5_get_credentials(context, 0, ccache, &creds, &credsp); if (!code) { code = krb5_set_password(context, credsp, newpw, change_password_for, result_code, result_code_string, result_string); krb5_free_creds(context, credsp); } } krb5_free_cred_contents(context, &creds); } return code; }
Code_t ZMakeZcodeRealmAuthentication(register ZNotice_t *notice, char *buffer, int buffer_len, int *phdr_len, char *realm) { #ifdef HAVE_KRB5 Code_t result; krb5_creds *creds = NULL; result = ZGetCredsRealm(&creds, realm); if (!result) result = Z_MakeZcodeAuthentication(notice, buffer, buffer_len, phdr_len, creds); if (creds != NULL) krb5_free_creds(Z_krb5_ctx, creds); return result; #else /* HAVE_KRB5 */ return ZERR_INTERNAL; #endif }