static cc_int32
ccache_set_principal(cc_ccache_t io_ccache, cc_uint32 in_credentials_version, const char *in_principal)
{
struct cc_ccache *c = (struct cc_ccache *)io_ccache;
krb5_error_code ret;
krb5_principal p;
LOG_ENTRY();
if (in_principal == NULL)
return ccErrBadParam;
if (in_credentials_version != cc_credentials_v5)
return LOG_FAILURE(ccErrBadCredentialsVersion, "wrong version");
update_time(&c->change_time);
update_time(&context_change_time);
ret = heim_krb5_parse_name(milcontext, in_principal, &p);
if (ret)
return LOG_FAILURE(ccErrBadParam, "parse name");
ret = heim_krb5_cc_initialize(milcontext, c->id, p);
heim_krb5_free_principal(milcontext, p);
if (ret)
return LOG_FAILURE(ccErrInvalidCCache, "init cache");
return ccNoError;
}
static cc_int32
ccache_remove_credentials(cc_ccache_t io_ccache, cc_credentials_t in_credentials)
{
struct cc_ccache *c = (struct cc_ccache *)io_ccache;
const cc_credentials_v5_t *incred;
krb5_creds cred;
krb5_error_code ret;
LOG_ENTRY();
update_time(&c->change_time);
update_time(&context_change_time);
memset(&cred, 0, sizeof(cred));
if (c->id == NULL)
return LOG_FAILURE(ccErrBadParam, "bad argument");
if (in_credentials == NULL || in_credentials->data == NULL)
return LOG_FAILURE(ccErrBadParam, "remove with no cred?");
if (in_credentials->data->version != cc_credentials_v5)
return LOG_FAILURE(ccErrBadParam, "wrong version");
incred = in_credentials->data->credentials.credentials_v5;
if (incred->client == NULL)
return LOG_FAILURE(ccErrBadParam, "no client to remove");
if (incred->server == NULL)
return LOG_FAILURE(ccErrBadParam, "no server to remove");
ret = heim_krb5_parse_name(milcontext, incred->client, &cred.client);
if (ret)
goto fail;
ret = heim_krb5_parse_name(milcontext, incred->server, &cred.server);
if (ret)
goto fail;
ret = heim_krb5_cc_remove_cred(milcontext, c->id, 0, &cred);
update_time(&context_change_time);
fail:
heim_krb5_free_cred_contents(milcontext, &cred);
if (ret)
return ccErrCredentialsNotFound;
return ccNoError;
}
KLStatus
KLCreatePrincipalFromString (const char *inFullPrincipal,
KLKerberosVersion inKerberosVersion,
KLPrincipal *outPrincipal)
{
LOG_ENTRY();
if (CHECK_VERSION(inKerberosVersion))
return LOG_FAILURE(klInvalidVersionErr, "wrong version");
if (inFullPrincipal == NULL)
return klParameterErr;
return heim_krb5_parse_name(milcontext, inFullPrincipal, outPrincipal);
}
static cc_int32
context_create_default_ccache(cc_context_t in_context,
cc_uint32 in_cred_vers,
const char *in_principal,
cc_ccache_t *out_ccache)
{
krb5_principal principal;
krb5_error_code ret;
struct cc_ccache *c;
krb5_ccache id;
LOG_ENTRY();
if (in_cred_vers != cc_credentials_v5)
return ccErrBadCredentialsVersion;
if (out_ccache == NULL || in_principal == NULL)
return ccErrBadParam;
*out_ccache = NULL;
update_time(&context_change_time);
ret = heim_krb5_cc_default(milcontext, &id);
if (ret)
return LOG_FAILURE(ret, "cc default");
ret = heim_krb5_parse_name(milcontext, in_principal, &principal);
if (ret) {
heim_krb5_cc_close(milcontext, id);
return LOG_FAILURE(ret, "parse name");
}
ret = heim_krb5_cc_initialize(milcontext, id, principal);
heim_krb5_free_principal(milcontext, principal);
if (ret) {
mit_krb5_cc_destroy((mit_krb5_context)milcontext, (mit_krb5_ccache)id);
return LOG_FAILURE(ret, "cc init");
}
c = (struct cc_ccache *)create_ccache(id);
update_time(&c->last_default_time);
*out_ccache = (cc_ccache_t)c;
return ccNoError;
}
mit_krb5_error_code KRB5_CALLCONV
krb5_parse_name(mit_krb5_context context, const char *str, mit_krb5_principal *principal)
{
struct comb_principal *p;
krb5_error_code ret;
LOG_ENTRY();
p = calloc(1, sizeof(*p));
ret = heim_krb5_parse_name((krb5_context)context, str, &p->heim);
if (ret) {
free(p);
return ret;
}
map_mit_principal(p);
*principal = (mit_krb5_principal)p;
return 0;
}
static cc_int32
context_create_new_ccache(cc_context_t in_context,
cc_uint32 in_cred_vers,
const char *in_principal,
cc_ccache_t *out_ccache)
{
krb5_principal principal;
krb5_error_code ret;
krb5_ccache id;
LOG_ENTRY();
if (in_cred_vers != cc_credentials_v5)
return ccErrBadCredentialsVersion;
if (out_ccache == NULL || in_principal == NULL)
return ccErrBadParam;
update_time(&context_change_time);
ret = heim_krb5_parse_name(milcontext, in_principal, &principal);
if (ret)
return LOG_FAILURE(ret, "parse name");
ret = heim_krb5_cc_new_unique(milcontext, NULL, NULL, &id);
if (ret) {
heim_krb5_free_principal(milcontext, principal);
return LOG_FAILURE(ret, "new unique");
}
ret = heim_krb5_cc_initialize(milcontext, id, principal);
heim_krb5_free_principal(milcontext, principal);
if (ret) {
mit_krb5_cc_destroy((mit_krb5_context)milcontext, (mit_krb5_ccache)id);
return LOG_FAILURE(ret, "cc init");
}
*out_ccache = create_ccache(id);
return ccNoError;
}
static krb5_error_code
make_cred_from_ccred(krb5_context context,
const cc_credentials_v5_t *incred,
krb5_creds *cred)
{
krb5_error_code ret;
unsigned int i;
memset(cred, 0, sizeof(*cred));
ret = heim_krb5_parse_name(context, incred->client, &cred->client);
if (ret)
goto fail;
ret = heim_krb5_parse_name(context, incred->server, &cred->server);
if (ret)
goto fail;
cred->session.keytype = incred->keyblock.type;
cred->session.keyvalue.length = incred->keyblock.length;
cred->session.keyvalue.data = malloc(incred->keyblock.length);
if (cred->session.keyvalue.data == NULL)
goto nomem;
memcpy(cred->session.keyvalue.data, incred->keyblock.data,
incred->keyblock.length);
cred->times.authtime = incred->authtime;
cred->times.starttime = incred->starttime;
cred->times.endtime = incred->endtime;
cred->times.renew_till = incred->renew_till;
ret = heim_krb5_data_copy(&cred->ticket,
incred->ticket.data,
incred->ticket.length);
if (ret)
goto nomem;
ret = heim_krb5_data_copy(&cred->second_ticket,
incred->second_ticket.data,
incred->second_ticket.length);
if (ret)
goto nomem;
cred->authdata.val = NULL;
cred->authdata.len = 0;
cred->addresses.val = NULL;
cred->addresses.len = 0;
for (i = 0; incred->authdata && incred->authdata[i]; i++)
;
if (i) {
cred->authdata.val = calloc(i, sizeof(cred->authdata.val[0]));
if (cred->authdata.val == NULL)
goto nomem;
cred->authdata.len = i;
for (i = 0; i < cred->authdata.len; i++) {
cred->authdata.val[i].ad_type = incred->authdata[i]->type;
ret = heim_krb5_data_copy(&cred->authdata.val[i].ad_data,
incred->authdata[i]->data,
incred->authdata[i]->length);
if (ret)
goto nomem;
}
}
for (i = 0; incred->addresses && incred->addresses[i]; i++)
;
if (i) {
cred->addresses.val = calloc(i, sizeof(cred->addresses.val[0]));
if (cred->addresses.val == NULL)
goto nomem;
cred->addresses.len = i;
for (i = 0; i < cred->addresses.len; i++) {
cred->addresses.val[i].addr_type = incred->addresses[i]->type;
ret = heim_krb5_data_copy(&cred->addresses.val[i].address,
incred->addresses[i]->data,
incred->addresses[i]->length);
if (ret)
goto nomem;
}
}
cred->flags.i = 0;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDABLE)
cred->flags.b.forwardable = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_FORWARDED)
cred->flags.b.forwarded = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXIABLE)
cred->flags.b.proxiable = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PROXY)
cred->flags.b.proxy = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_MAY_POSTDATE)
cred->flags.b.may_postdate = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_POSTDATED)
cred->flags.b.postdated = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INVALID)
cred->flags.b.invalid = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_RENEWABLE)
cred->flags.b.renewable = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_INITIAL)
cred->flags.b.initial = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_PRE_AUTH)
cred->flags.b.pre_authent = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_HW_AUTH)
cred->flags.b.hw_authent = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_TRANSIT_POLICY_CHECKED)
cred->flags.b.transited_policy_checked = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_OK_AS_DELEGATE)
cred->flags.b.ok_as_delegate = 1;
if (incred->ticket_flags & KRB5_CCAPI_TKT_FLG_ANONYMOUS)
cred->flags.b.anonymous = 1;
return 0;
nomem:
ret = ENOMEM;
heim_krb5_set_error_message(context, ret, "malloc: out of memory");
fail:
heim_krb5_free_cred_contents(context, cred);
return ret;
}
static OSStatus
acquireticket_ui(KLPrincipal inPrincipal,
KLLoginOptions inLoginOptions,
KLPrincipal *outPrincipal,
char **outCredCacheName)
{
AuthorizationRef auth;
OSStatus ret;
char *princ = NULL;
CFDataRef d = NULL;
LOG_ENTRY();
if (outPrincipal)
*outPrincipal = NULL;
if (outCredCacheName)
*outCredCacheName = NULL;
if (inPrincipal) {
ret = heim_krb5_unparse_name(milcontext, inPrincipal, &princ);
if (ret)
return ret;
}
ret = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &auth);
if (ret) {
free(princ);
return ret;
}
AuthorizationItem rightItems[1] = { kCoreAuthPanelKerberosRight, 0, NULL, 0 };
AuthorizationRights rights = { sizeof(rightItems[0])/sizeof(rightItems) , rightItems };
AuthorizationItem envItems[3];
AuthorizationEnvironment env = { 0 , envItems };
AuthorizationFlags authFlags = kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights;
if (princ) {
envItems[env.count].name = kCoreAuthPanelKerberosPrincipal;
envItems[env.count].valueLength = strlen(princ);
envItems[env.count].value = princ;
envItems[env.count].flags = 0;
env.count++;
}
if (inLoginOptions && inLoginOptions->opt) {
CFMutableDictionaryRef dict;
dict = CFDictionaryCreateMutable(NULL, 1,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (dict == NULL)
goto out;
if (inLoginOptions->opt->renew_life) {
CFStringRef t;
t = CFStringCreateWithFormat(NULL, 0, CFSTR("%ld"),(long)inLoginOptions->opt->renew_life);
CFDictionarySetValue(dict, CFSTR("renewTime"), t);
CFRelease(t);
}
d = CFPropertyListCreateData(NULL, dict, kCFPropertyListBinaryFormat_v1_0,
0, NULL);
CFRelease(dict);
envItems[env.count].name = kCoreAuthPanelKerberosOptions;
envItems[env.count].valueLength = CFDataGetLength(d);
envItems[env.count].value = (void *)CFDataGetBytePtr(d);
envItems[env.count].flags = 0;
env.count++;
}
ret = AuthorizationCopyRights(auth, &rights, &env, authFlags, NULL);
if (ret == 0 && outPrincipal) {
AuthorizationItemSet *info;
UInt32 i;
ret = AuthorizationCopyInfo(auth, NULL, &info);
if (ret)
goto out;
for(i = 0; i < info->count; i++) {
if (strcmp(info->items[i].name, "out-principal") == 0) {
char *str;
asprintf(&str, "%.*s", (int)info->items[i].valueLength, (char *)info->items[i].value);
heim_krb5_parse_name(milcontext, str, outPrincipal);
} else if (strcmp(info->items[i].name, "out-cache-name") == 0) {
asprintf(outCredCacheName, "%.*s", (int)info->items[i].valueLength, (char *)info->items[i].value);
}
}
AuthorizationFreeItemSet(info);
if (*outPrincipal == NULL)
ret = EINVAL;
}
out:
if (d)
CFRelease(d);
AuthorizationFree(auth, kAuthorizationFlagDestroyRights);
free(princ);
return ret;
}
