search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / heimdal / lib / krb5 / get_cred.c
blobc6e6a94cd5b2978a933cc440dfafb6adf74e0e39
1 /*
2 * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <krb5_locl.h>
35
36 __RCSID("$Heimdal: get_cred.c 21668 2007-07-22 11:28:05Z lha $"
37 "$NetBSD$");
38
39 /*
40 * Take the `body' and encode it into `padata' using the credentials
41 * in `creds'.
42 */
43
44 static krb5_error_code
45 make_pa_tgs_req(krb5_context context,
46 krb5_auth_context ac,
47 KDC_REQ_BODY *body,
48 PA_DATA *padata,
49 krb5_creds *creds,
50 krb5_key_usage usage)
51 {
52 u_char *buf;
53 size_t buf_size;
54 size_t len;
55 krb5_data in_data;
56 krb5_error_code ret;
57
58 ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
59 if (ret)
60 goto out;
61 if(buf_size != len)
62 krb5_abortx(context, "internal error in ASN.1 encoder");
63
64 in_data.length = len;
65 in_data.data = buf;
66 ret = _krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
67 &padata->padata_value,
68 KRB5_KU_TGS_REQ_AUTH_CKSUM,
69 usage
70 /* KRB5_KU_TGS_REQ_AUTH */);
71 out:
72 free (buf);
73 if(ret)
74 return ret;
75 padata->padata_type = KRB5_PADATA_TGS_REQ;
76 return 0;
77 }
78
79 /*
80 * Set the `enc-authorization-data' in `req_body' based on `authdata'
81 */
82
83 static krb5_error_code
84 set_auth_data (krb5_context context,
85 KDC_REQ_BODY *req_body,
86 krb5_authdata *authdata,
87 krb5_keyblock *key)
88 {
89 if(authdata->len) {
90 size_t len, buf_size;
91 unsigned char *buf;
92 krb5_crypto crypto;
93 krb5_error_code ret;
94
95 ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, authdata,
96 &len, ret);
97 if (ret)
98 return ret;
99 if (buf_size != len)
100 krb5_abortx(context, "internal error in ASN.1 encoder");
101
102 ALLOC(req_body->enc_authorization_data, 1);
103 if (req_body->enc_authorization_data == NULL) {
104 free (buf);
105 krb5_set_error_string(context, "malloc: out of memory");
106 return ENOMEM;
107 }
108 ret = krb5_crypto_init(context, key, 0, &crypto);
109 if (ret) {
110 free (buf);
111 free (req_body->enc_authorization_data);
112 req_body->enc_authorization_data = NULL;
113 return ret;
114 }
115 krb5_encrypt_EncryptedData(context,
116 crypto,
117 KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
118 /* KRB5_KU_TGS_REQ_AUTH_DAT_SESSION? */
119 buf,
120 len,
121 0,
122 req_body->enc_authorization_data);
123 free (buf);
124 krb5_crypto_destroy(context, crypto);
125 } else {
126 req_body->enc_authorization_data = NULL;
127 }
128 return 0;
129 }
130
131 /*
132 * Create a tgs-req in `t' with `addresses', `flags', `second_ticket'
133 * (if not-NULL), `in_creds', `krbtgt', and returning the generated
134 * subkey in `subkey'.
135 */
136
137 static krb5_error_code
138 init_tgs_req (krb5_context context,
139 krb5_ccache ccache,
140 krb5_addresses *addresses,
141 krb5_kdc_flags flags,
142 Ticket *second_ticket,
143 krb5_creds *in_creds,
144 krb5_creds *krbtgt,
145 unsigned nonce,
146 const METHOD_DATA *padata,
147 krb5_keyblock **subkey,
148 TGS_REQ *t,
149 krb5_key_usage usage)
150 {
151 krb5_error_code ret = 0;
152
153 memset(t, 0, sizeof(*t));
154 t->pvno = 5;
155 t->msg_type = krb_tgs_req;
156 if (in_creds->session.keytype) {
157 ALLOC_SEQ(&t->req_body.etype, 1);
158 if(t->req_body.etype.val == NULL) {
159 ret = ENOMEM;
160 krb5_set_error_string(context, "malloc: out of memory");
161 goto fail;
162 }
163 t->req_body.etype.val[0] = in_creds->session.keytype;
164 } else {
165 ret = krb5_init_etype(context,
166 &t->req_body.etype.len,
167 &t->req_body.etype.val,
168 NULL);
169 }
170 if (ret)
171 goto fail;
172 t->req_body.addresses = addresses;
173 t->req_body.kdc_options = flags.b;
174 ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
175 if (ret)
176 goto fail;
177 ALLOC(t->req_body.sname, 1);
178 if (t->req_body.sname == NULL) {
179 ret = ENOMEM;
180 krb5_set_error_string(context, "malloc: out of memory");
181 goto fail;
182 }
183
184 /* some versions of some code might require that the client be
185 present in TGS-REQs, but this is clearly against the spec */
186
187 ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
188 if (ret)
189 goto fail;
190
191 /* req_body.till should be NULL if there is no endtime specified,
192 but old MIT code (like DCE secd) doesn't like that */
193 ALLOC(t->req_body.till, 1);
194 if(t->req_body.till == NULL){
195 ret = ENOMEM;
196 krb5_set_error_string(context, "malloc: out of memory");
197 goto fail;
198 }
199 *t->req_body.till = in_creds->times.endtime;
200
201 t->req_body.nonce = nonce;
202 if(second_ticket){
203 ALLOC(t->req_body.additional_tickets, 1);
204 if (t->req_body.additional_tickets == NULL) {
205 ret = ENOMEM;
206 krb5_set_error_string(context, "malloc: out of memory");
207 goto fail;
208 }
209 ALLOC_SEQ(t->req_body.additional_tickets, 1);
210 if (t->req_body.additional_tickets->val == NULL) {
211 ret = ENOMEM;
212 krb5_set_error_string(context, "malloc: out of memory");
213 goto fail;
214 }
215 ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val);
216 if (ret)
217 goto fail;
218 }
219 ALLOC(t->padata, 1);
220 if (t->padata == NULL) {
221 ret = ENOMEM;
222 krb5_set_error_string(context, "malloc: out of memory");
223 goto fail;
224 }
225 ALLOC_SEQ(t->padata, 1 + padata->len);
226 if (t->padata->val == NULL) {
227 ret = ENOMEM;
228 krb5_set_error_string(context, "malloc: out of memory");
229 goto fail;
230 }
231 {
232 int i;
233 for (i = 0; i < padata->len; i++) {
234 ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
235 if (ret) {
236 krb5_set_error_string(context, "malloc: out of memory");
237 goto fail;
238 }
239 }
240 }
241
242 {
243 krb5_auth_context ac;
244 krb5_keyblock *key = NULL;
245
246 ret = krb5_auth_con_init(context, &ac);
247 if(ret)
248 goto fail;
249
250 if (krb5_config_get_bool_default(context, NULL, FALSE,
251 "realms",
252 krbtgt->server->realm,
253 "tgs_require_subkey",
254 NULL))
255 {
256 ret = krb5_generate_subkey (context, &krbtgt->session, &key);
257 if (ret) {
258 krb5_auth_con_free (context, ac);
259 goto fail;
260 }
261
262 ret = krb5_auth_con_setlocalsubkey(context, ac, key);
263 if (ret) {
264 if (key)
265 krb5_free_keyblock (context, key);
266 krb5_auth_con_free (context, ac);
267 goto fail;
268 }
269 }
270
271 ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
272 key ? key : &krbtgt->session);
273 if (ret) {
274 if (key)
275 krb5_free_keyblock (context, key);
276 krb5_auth_con_free (context, ac);
277 goto fail;
278 }
279
280 ret = make_pa_tgs_req(context,
281 ac,
282 &t->req_body,
283 &t->padata->val[0],
284 krbtgt,
285 usage);
286 if(ret) {
287 if (key)
288 krb5_free_keyblock (context, key);
289 krb5_auth_con_free(context, ac);
290 goto fail;
291 }
292 *subkey = key;
293
294 krb5_auth_con_free(context, ac);
295 }
296 fail:
297 if (ret) {
298 t->req_body.addresses = NULL;
299 free_TGS_REQ (t);
300 }
301 return ret;
302 }
303
304 krb5_error_code
305 _krb5_get_krbtgt(krb5_context context,
306 krb5_ccache id,
307 krb5_realm realm,
308 krb5_creds **cred)
309 {
310 krb5_error_code ret;
311 krb5_creds tmp_cred;
312
313 memset(&tmp_cred, 0, sizeof(tmp_cred));
314
315 ret = krb5_cc_get_principal(context, id, &tmp_cred.client);
316 if (ret)
317 return ret;
318
319 ret = krb5_make_principal(context,
320 &tmp_cred.server,
321 realm,
322 KRB5_TGS_NAME,
323 realm,
324 NULL);
325 if(ret) {
326 krb5_free_principal(context, tmp_cred.client);
327 return ret;
328 }
329 ret = krb5_get_credentials(context,
330 KRB5_GC_CACHED,
331 id,
332 &tmp_cred,
333 cred);
334 krb5_free_principal(context, tmp_cred.client);
335 krb5_free_principal(context, tmp_cred.server);
336 if(ret)
337 return ret;
338 return 0;
339 }
340
341 /* DCE compatible decrypt proc */
342 static krb5_error_code
343 decrypt_tkt_with_subkey (krb5_context context,
344 krb5_keyblock *key,
345 krb5_key_usage usage,
346 krb5_const_pointer subkey,
347 krb5_kdc_rep *dec_rep)
348 {
349 krb5_error_code ret;
350 krb5_data data;
351 size_t size;
352 krb5_crypto crypto;
353
354 ret = krb5_crypto_init(context, key, 0, &crypto);
355 if (ret)
356 return ret;
357 ret = krb5_decrypt_EncryptedData (context,
358 crypto,
359 usage,
360 &dec_rep->kdc_rep.enc_part,
361 &data);
362 krb5_crypto_destroy(context, crypto);
363 if(ret && subkey){
364 /* DCE compat -- try to decrypt with subkey */
365 ret = krb5_crypto_init(context, subkey, 0, &crypto);
366 if (ret)
367 return ret;
368 ret = krb5_decrypt_EncryptedData (context,
369 crypto,
370 KRB5_KU_TGS_REP_ENC_PART_SUB_KEY,
371 &dec_rep->kdc_rep.enc_part,
372 &data);
373 krb5_crypto_destroy(context, crypto);
374 }
375 if (ret)
376 return ret;
377
378 ret = krb5_decode_EncASRepPart(context,
379 data.data,
380 data.length,
381 &dec_rep->enc_part,
382 &size);
383 if (ret)
384 ret = krb5_decode_EncTGSRepPart(context,
385 data.data,
386 data.length,
387 &dec_rep->enc_part,
388 &size);
389 krb5_data_free (&data);
390 return ret;
391 }
392
393 static krb5_error_code
394 get_cred_kdc_usage(krb5_context context,
395 krb5_ccache id,
396 krb5_kdc_flags flags,
397 krb5_addresses *addresses,
398 krb5_creds *in_creds,
399 krb5_creds *krbtgt,
400 krb5_principal impersonate_principal,
401 Ticket *second_ticket,
402 krb5_creds *out_creds,
403 krb5_key_usage usage)
404 {
405 TGS_REQ req;
406 krb5_data enc;
407 krb5_data resp;
408 krb5_kdc_rep rep;
409 KRB_ERROR error;
410 krb5_error_code ret;
411 unsigned nonce;
412 krb5_keyblock *subkey = NULL;
413 size_t len;
414 Ticket second_ticket_data;
415 METHOD_DATA padata;
416
417 krb5_data_zero(&resp);
418 krb5_data_zero(&enc);
419 padata.val = NULL;
420 padata.len = 0;
421
422 krb5_generate_random_block(&nonce, sizeof(nonce));
423 nonce &= 0xffffffff;
424
425 if(flags.b.enc_tkt_in_skey && second_ticket == NULL){
426 ret = decode_Ticket(in_creds->second_ticket.data,
427 in_creds->second_ticket.length,
428 &second_ticket_data, &len);
429 if(ret)
430 return ret;
431 second_ticket = &second_ticket_data;
432 }
433
434
435 if (impersonate_principal) {
436 krb5_crypto crypto;
437 PA_S4U2Self self;
438 krb5_data data;
439 void *buf;
440 size_t size;
441
442 self.name = impersonate_principal->name;
443 self.realm = impersonate_principal->realm;
444 self.auth = estrdup("Kerberos");
445
446 ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
447 if (ret) {
448 free(self.auth);
449 goto out;
450 }
451
452 ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto);
453 if (ret) {
454 free(self.auth);
455 krb5_data_free(&data);
456 goto out;
457 }
458
459 ret = krb5_create_checksum(context,
460 crypto,
461 KRB5_KU_OTHER_CKSUM,
462 0,
463 data.data,
464 data.length,
465 &self.cksum);
466 krb5_crypto_destroy(context, crypto);
467 krb5_data_free(&data);
468 if (ret) {
469 free(self.auth);
470 goto out;
471 }
472
473 ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret);
474 free(self.auth);
475 free_Checksum(&self.cksum);
476 if (ret)
477 goto out;
478 if (len != size)
479 krb5_abortx(context, "internal asn1 error");
480
481 ret = krb5_padata_add(context, &padata, KRB5_PADATA_S4U2SELF, buf, len);
482 if (ret)
483 goto out;
484 }
485
486 ret = init_tgs_req (context,
487 id,
488 addresses,
489 flags,
490 second_ticket,
491 in_creds,
492 krbtgt,
493 nonce,
494 &padata,
495 &subkey,
496 &req,
497 usage);
498 if (ret)
499 goto out;
500
501 ASN1_MALLOC_ENCODE(TGS_REQ, enc.data, enc.length, &req, &len, ret);
502 if (ret)
503 goto out;
504 if(enc.length != len)
505 krb5_abortx(context, "internal error in ASN.1 encoder");
506
507 /* don't free addresses */
508 req.req_body.addresses = NULL;
509 free_TGS_REQ(&req);
510
511 /*
512 * Send and receive
513 */
514 {
515 krb5_sendto_ctx stctx;
516 ret = krb5_sendto_ctx_alloc(context, &stctx);
517 if (ret)
518 return ret;
519 krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
520
521 ret = krb5_sendto_context (context, stctx, &enc,
522 krbtgt->server->name.name_string.val[1],
523 &resp);
524 krb5_sendto_ctx_free(context, stctx);
525 }
526 if(ret)
527 goto out;
528
529 memset(&rep, 0, sizeof(rep));
530 if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0){
531 ret = krb5_copy_principal(context,
532 in_creds->client,
533 &out_creds->client);
534 if(ret)
535 goto out;
536 ret = krb5_copy_principal(context,
537 in_creds->server,
538 &out_creds->server);
539 if(ret)
540 goto out;
541 /* this should go someplace else */
542 out_creds->times.endtime = in_creds->times.endtime;
543
544 ret = _krb5_extract_ticket(context,
545 &rep,
546 out_creds,
547 &krbtgt->session,
548 NULL,
549 KRB5_KU_TGS_REP_ENC_PART_SESSION,
550 &krbtgt->addresses,
551 nonce,
552 EXTRACT_TICKET_ALLOW_CNAME_MISMATCH|
553 EXTRACT_TICKET_ALLOW_SERVER_MISMATCH,
554 decrypt_tkt_with_subkey,
555 subkey);
556 krb5_free_kdc_rep(context, &rep);
557 } else if(krb5_rd_error(context, &resp, &error) == 0) {
558 ret = krb5_error_from_rd_error(context, &error, in_creds);
559 krb5_free_error_contents(context, &error);
560 } else if(resp.data && ((char*)resp.data)[0] == 4) {
561 ret = KRB5KRB_AP_ERR_V4_REPLY;
562 krb5_clear_error_string(context);
563 } else {
564 ret = KRB5KRB_AP_ERR_MSG_TYPE;
565 krb5_clear_error_string(context);
566 }
567
568 out:
569 if (second_ticket == &second_ticket_data)
570 free_Ticket(&second_ticket_data);
571 free_METHOD_DATA(&padata);
572 krb5_data_free(&resp);
573 krb5_data_free(&enc);
574 if(subkey){
575 krb5_free_keyblock_contents(context, subkey);
576 free(subkey);
577 }
578 return ret;
579
580 }
581
582 static krb5_error_code
583 get_cred_kdc(krb5_context context,
584 krb5_ccache id,
585 krb5_kdc_flags flags,
586 krb5_addresses *addresses,
587 krb5_creds *in_creds,
588 krb5_creds *krbtgt,
589 krb5_principal impersonate_principal,
590 Ticket *second_ticket,
591 krb5_creds *out_creds)
592 {
593 krb5_error_code ret;
594
595 ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
596 krbtgt, impersonate_principal, second_ticket,
597 out_creds, KRB5_KU_TGS_REQ_AUTH);
598 if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
599 krb5_clear_error_string (context);
600 ret = get_cred_kdc_usage(context, id, flags, addresses, in_creds,
601 krbtgt, impersonate_principal, second_ticket,
602 out_creds, KRB5_KU_AP_REQ_AUTH);
603 }
604 return ret;
605 }
606
607 /* same as above, just get local addresses first */
608
609 static krb5_error_code
610 get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags,
611 krb5_creds *in_creds, krb5_creds *krbtgt,
612 krb5_principal impersonate_principal, Ticket *second_ticket,
613 krb5_creds *out_creds)
614 {
615 krb5_error_code ret;
616 krb5_addresses addresses, *addrs = &addresses;
617
618 krb5_get_all_client_addrs(context, &addresses);
619 /* XXX this sucks. */
620 if(addresses.len == 0)
621 addrs = NULL;
622 ret = get_cred_kdc(context, id, flags, addrs,
623 in_creds, krbtgt, impersonate_principal, second_ticket,
624 out_creds);
625 krb5_free_addresses(context, &addresses);
626 return ret;
627 }
628
629 krb5_error_code KRB5_LIB_FUNCTION
630 krb5_get_kdc_cred(krb5_context context,
631 krb5_ccache id,
632 krb5_kdc_flags flags,
633 krb5_addresses *addresses,
634 Ticket *second_ticket,
635 krb5_creds *in_creds,
636 krb5_creds **out_creds
637 )
638 {
639 krb5_error_code ret;
640 krb5_creds *krbtgt;
641
642 *out_creds = calloc(1, sizeof(**out_creds));
643 if(*out_creds == NULL) {
644 krb5_set_error_string(context, "malloc: out of memory");
645 return ENOMEM;
646 }
647 ret = _krb5_get_krbtgt (context,
648 id,
649 in_creds->server->realm,
650 &krbtgt);
651 if(ret) {
652 free(*out_creds);
653 return ret;
654 }
655 ret = get_cred_kdc(context, id, flags, addresses,
656 in_creds, krbtgt, NULL, NULL, *out_creds);
657 krb5_free_creds (context, krbtgt);
658 if(ret)
659 free(*out_creds);
660 return ret;
661 }
662
663 static void
664 not_found(krb5_context context, krb5_const_principal p)
665 {
666 krb5_error_code ret;
667 char *str;
668
669 ret = krb5_unparse_name(context, p, &str);
670 if(ret) {
671 krb5_clear_error_string(context);
672 return;
673 }
674 krb5_set_error_string(context, "Matching credential (%s) not found", str);
675 free(str);
676 }
677
678 static krb5_error_code
679 find_cred(krb5_context context,
680 krb5_ccache id,
681 krb5_principal server,
682 krb5_creds **tgts,
683 krb5_creds *out_creds)
684 {
685 krb5_error_code ret;
686 krb5_creds mcreds;
687
688 krb5_cc_clear_mcred(&mcreds);
689 mcreds.server = server;
690 ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_DONT_MATCH_REALM,
691 &mcreds, out_creds);
692 if(ret == 0)
693 return 0;
694 while(tgts && *tgts){
695 if(krb5_compare_creds(context, KRB5_TC_DONT_MATCH_REALM,
696 &mcreds, *tgts)){
697 ret = krb5_copy_creds_contents(context, *tgts, out_creds);
698 return ret;
699 }
700 tgts++;
701 }
702 not_found(context, server);
703 return KRB5_CC_NOTFOUND;
704 }
705
706 static krb5_error_code
707 add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
708 {
709 int i;
710 krb5_error_code ret;
711 krb5_creds **tmp = *tgts;
712
713 for(i = 0; tmp && tmp[i]; i++); /* XXX */
714 tmp = realloc(tmp, (i+2)*sizeof(*tmp));
715 if(tmp == NULL) {
716 krb5_set_error_string(context, "malloc: out of memory");
717 return ENOMEM;
718 }
719 *tgts = tmp;
720 ret = krb5_copy_creds(context, tkt, &tmp[i]);
721 tmp[i+1] = NULL;
722 return ret;
723 }
724
725 /*
726 get_cred(server)
727 creds = cc_get_cred(server)
728 if(creds) return creds
729 tgt = cc_get_cred(krbtgt/server_realm@any_realm)
730 if(tgt)
731 return get_cred_tgt(server, tgt)
732 if(client_realm == server_realm)
733 return NULL
734 tgt = get_cred(krbtgt/server_realm@client_realm)
735 while(tgt_inst != server_realm)
736 tgt = get_cred(krbtgt/server_realm@tgt_inst)
737 return get_cred_tgt(server, tgt)
738 */
739
740 static krb5_error_code
741 get_cred_from_kdc_flags(krb5_context context,
742 krb5_kdc_flags flags,
743 krb5_ccache ccache,
744 krb5_creds *in_creds,
745 krb5_principal impersonate_principal,
746 Ticket *second_ticket,
747 krb5_creds **out_creds,
748 krb5_creds ***ret_tgts)
749 {
750 krb5_error_code ret;
751 krb5_creds *tgt, tmp_creds;
752 krb5_const_realm client_realm, server_realm, try_realm;
753
754 *out_creds = NULL;
755
756 client_realm = krb5_principal_get_realm(context, in_creds->client);
757 server_realm = krb5_principal_get_realm(context, in_creds->server);
758 memset(&tmp_creds, 0, sizeof(tmp_creds));
759 ret = krb5_copy_principal(context, in_creds->client, &tmp_creds.client);
760 if(ret)
761 return ret;
762
763 try_realm = krb5_config_get_string(context, NULL, "capaths",
764 client_realm, server_realm, NULL);
765
766 #if 1
767 /* XXX remove in future release */
768 if(try_realm == NULL)
769 try_realm = krb5_config_get_string(context, NULL, "libdefaults",
770 "capath", server_realm, NULL);
771 #endif
772
773 if (try_realm == NULL)
774 try_realm = client_realm;
775
776 ret = krb5_make_principal(context,
777 &tmp_creds.server,
778 try_realm,
779 KRB5_TGS_NAME,
780 server_realm,
781 NULL);
782 if(ret){
783 krb5_free_principal(context, tmp_creds.client);
784 return ret;
785 }
786 {
787 krb5_creds tgts;
788 /* XXX try krb5_cc_retrieve_cred first? */
789 ret = find_cred(context, ccache, tmp_creds.server,
790 *ret_tgts, &tgts);
791 if(ret == 0){
792 *out_creds = calloc(1, sizeof(**out_creds));
793 if(*out_creds == NULL) {
794 krb5_set_error_string(context, "malloc: out of memory");
795 ret = ENOMEM;
796 } else {
797 krb5_boolean noaddr;
798
799 krb5_appdefault_boolean(context, NULL, tgts.server->realm,
800 "no-addresses", FALSE, &noaddr);
801
802 if (noaddr)
803 ret = get_cred_kdc(context, ccache, flags, NULL,
804 in_creds, &tgts,
805 impersonate_principal,
806 second_ticket,
807 *out_creds);
808 else
809 ret = get_cred_kdc_la(context, ccache, flags,
810 in_creds, &tgts,
811 impersonate_principal,
812 second_ticket,
813 *out_creds);
814 if (ret) {
815 free (*out_creds);
816 *out_creds = NULL;
817 }
818 }
819 krb5_free_cred_contents(context, &tgts);
820 krb5_free_principal(context, tmp_creds.server);
821 krb5_free_principal(context, tmp_creds.client);
822 return ret;
823 }
824 }
825 if(krb5_realm_compare(context, in_creds->client, in_creds->server)) {
826 not_found(context, in_creds->server);
827 return KRB5_CC_NOTFOUND;
828 }
829 /* XXX this can loop forever */
830 while(1){
831 heim_general_string tgt_inst;
832
833 ret = get_cred_from_kdc_flags(context, flags, ccache, &tmp_creds,
834 NULL, NULL, &tgt, ret_tgts);
835 if(ret) {
836 krb5_free_principal(context, tmp_creds.server);
837 krb5_free_principal(context, tmp_creds.client);
838 return ret;
839 }
840 ret = add_cred(context, ret_tgts, tgt);
841 if(ret) {
842 krb5_free_principal(context, tmp_creds.server);
843 krb5_free_principal(context, tmp_creds.client);
844 return ret;
845 }
846 tgt_inst = tgt->server->name.name_string.val[1];
847 if(strcmp(tgt_inst, server_realm) == 0)
848 break;
849 krb5_free_principal(context, tmp_creds.server);
850 ret = krb5_make_principal(context, &tmp_creds.server,
851 tgt_inst, KRB5_TGS_NAME, server_realm, NULL);
852 if(ret) {
853 krb5_free_principal(context, tmp_creds.server);
854 krb5_free_principal(context, tmp_creds.client);
855 return ret;
856 }
857 ret = krb5_free_creds(context, tgt);
858 if(ret) {
859 krb5_free_principal(context, tmp_creds.server);
860 krb5_free_principal(context, tmp_creds.client);
861 return ret;
862 }
863 }
864
865 krb5_free_principal(context, tmp_creds.server);
866 krb5_free_principal(context, tmp_creds.client);
867 *out_creds = calloc(1, sizeof(**out_creds));
868 if(*out_creds == NULL) {
869 krb5_set_error_string(context, "malloc: out of memory");
870 ret = ENOMEM;
871 } else {
872 krb5_boolean noaddr;
873
874 krb5_appdefault_boolean(context, NULL, tgt->server->realm,
875 "no-addresses", KRB5_ADDRESSLESS_DEFAULT,
876 &noaddr);
877 if (noaddr)
878 ret = get_cred_kdc (context, ccache, flags, NULL,
879 in_creds, tgt, NULL, NULL,
880 *out_creds);
881 else
882 ret = get_cred_kdc_la(context, ccache, flags,
883 in_creds, tgt, NULL, NULL,
884 *out_creds);
885 if (ret) {
886 free (*out_creds);
887 *out_creds = NULL;
888 }
889 }
890 krb5_free_creds(context, tgt);
891 return ret;
892 }
893
894 krb5_error_code KRB5_LIB_FUNCTION
895 krb5_get_cred_from_kdc_opt(krb5_context context,
896 krb5_ccache ccache,
897 krb5_creds *in_creds,
898 krb5_creds **out_creds,
899 krb5_creds ***ret_tgts,
900 krb5_flags flags)
901 {
902 krb5_kdc_flags f;
903 f.i = flags;
904 return get_cred_from_kdc_flags(context, f, ccache,
905 in_creds, NULL, NULL,
906 out_creds, ret_tgts);
907 }
908
909 krb5_error_code KRB5_LIB_FUNCTION
910 krb5_get_cred_from_kdc(krb5_context context,
911 krb5_ccache ccache,
912 krb5_creds *in_creds,
913 krb5_creds **out_creds,
914 krb5_creds ***ret_tgts)
915 {
916 return krb5_get_cred_from_kdc_opt(context, ccache,
917 in_creds, out_creds, ret_tgts, 0);
918 }
919
920
921 krb5_error_code KRB5_LIB_FUNCTION
922 krb5_get_credentials_with_flags(krb5_context context,
923 krb5_flags options,
924 krb5_kdc_flags flags,
925 krb5_ccache ccache,
926 krb5_creds *in_creds,
927 krb5_creds **out_creds)
928 {
929 krb5_error_code ret;
930 krb5_creds **tgts;
931 krb5_creds *res_creds;
932 int i;
933
934 *out_creds = NULL;
935 res_creds = calloc(1, sizeof(*res_creds));
936 if (res_creds == NULL) {
937 krb5_set_error_string(context, "malloc: out of memory");
938 return ENOMEM;
939 }
940
941 if (in_creds->session.keytype)
942 options |= KRB5_TC_MATCH_KEYTYPE;
943
944 /*
945 * If we got a credential, check if credential is expired before
946 * returning it.
947 */
948 ret = krb5_cc_retrieve_cred(context,
949 ccache,
950 in_creds->session.keytype ?
951 KRB5_TC_MATCH_KEYTYPE : 0,
952 in_creds, res_creds);
953 /*
954 * If we got a credential, check if credential is expired before
955 * returning it, but only if KRB5_GC_EXPIRED_OK is not set.
956 */
957 if (ret == 0) {
958 krb5_timestamp timeret;
959
960 /* If expired ok, don't bother checking */
961 if(options & KRB5_GC_EXPIRED_OK) {
962 *out_creds = res_creds;
963 return 0;
964 }
965
966 krb5_timeofday(context, &timeret);
967 if(res_creds->times.endtime > timeret) {
968 *out_creds = res_creds;
969 return 0;
970 }
971 if(options & KRB5_GC_CACHED)
972 krb5_cc_remove_cred(context, ccache, 0, res_creds);
973
974 } else if(ret != KRB5_CC_END) {
975 free(res_creds);
976 return ret;
977 }
978 free(res_creds);
979 if(options & KRB5_GC_CACHED) {
980 not_found(context, in_creds->server);
981 return KRB5_CC_NOTFOUND;
982 }
983 if(options & KRB5_GC_USER_USER)
984 flags.b.enc_tkt_in_skey = 1;
985 if (flags.b.enc_tkt_in_skey)
986 options |= KRB5_GC_NO_STORE;
987
988 tgts = NULL;
989 ret = get_cred_from_kdc_flags(context, flags, ccache,
990 in_creds, NULL, NULL, out_creds, &tgts);
991 for(i = 0; tgts && tgts[i]; i++) {
992 krb5_cc_store_cred(context, ccache, tgts[i]);
993 krb5_free_creds(context, tgts[i]);
994 }
995 free(tgts);
996 if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
997 krb5_cc_store_cred(context, ccache, *out_creds);
998 return ret;
999 }
1000
1001 krb5_error_code KRB5_LIB_FUNCTION
1002 krb5_get_credentials(krb5_context context,
1003 krb5_flags options,
1004 krb5_ccache ccache,
1005 krb5_creds *in_creds,
1006 krb5_creds **out_creds)
1007 {
1008 krb5_kdc_flags flags;
1009 flags.i = 0;
1010 return krb5_get_credentials_with_flags(context, options, flags,
1011 ccache, in_creds, out_creds);
1012 }
1013
1014 struct krb5_get_creds_opt_data {
1015 krb5_principal self;
1016 krb5_flags options;
1017 krb5_enctype enctype;
1018 Ticket *ticket;
1019 };
1020
1021
1022 krb5_error_code KRB5_LIB_FUNCTION
1023 krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt)
1024 {
1025 *opt = calloc(1, sizeof(**opt));
1026 if (*opt == NULL) {
1027 krb5_set_error_string(context, "malloc: out of memory");
1028 return ENOMEM;
1029 }
1030 return 0;
1031 }
1032
1033 void KRB5_LIB_FUNCTION
1034 krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt)
1035 {
1036 if (opt->self)
1037 krb5_free_principal(context, opt->self);
1038 memset(opt, 0, sizeof(*opt));
1039 free(opt);
1040 }
1041
1042 void KRB5_LIB_FUNCTION
1043 krb5_get_creds_opt_set_options(krb5_context context,
1044 krb5_get_creds_opt opt,
1045 krb5_flags options)
1046 {
1047 opt->options = options;
1048 }
1049
1050 void KRB5_LIB_FUNCTION
1051 krb5_get_creds_opt_add_options(krb5_context context,
1052 krb5_get_creds_opt opt,
1053 krb5_flags options)
1054 {
1055 opt->options |= options;
1056 }
1057
1058 void KRB5_LIB_FUNCTION
1059 krb5_get_creds_opt_set_enctype(krb5_context context,
1060 krb5_get_creds_opt opt,
1061 krb5_enctype enctype)
1062 {
1063 opt->enctype = enctype;
1064 }
1065
1066 krb5_error_code KRB5_LIB_FUNCTION
1067 krb5_get_creds_opt_set_impersonate(krb5_context context,
1068 krb5_get_creds_opt opt,
1069 krb5_const_principal self)
1070 {
1071 if (opt->self)
1072 krb5_free_principal(context, opt->self);
1073 return krb5_copy_principal(context, self, &opt->self);
1074 }
1075
1076 krb5_error_code KRB5_LIB_FUNCTION
1077 krb5_get_creds_opt_set_ticket(krb5_context context,
1078 krb5_get_creds_opt opt,
1079 const Ticket *ticket)
1080 {
1081 if (opt->ticket) {
1082 free_Ticket(opt->ticket);
1083 free(opt->ticket);
1084 opt->ticket = NULL;
1085 }
1086 if (ticket) {
1087 krb5_error_code ret;
1088
1089 opt->ticket = malloc(sizeof(*ticket));
1090 if (opt->ticket == NULL) {
1091 krb5_set_error_string(context, "malloc: out of memory");
1092 return ENOMEM;
1093 }
1094 ret = copy_Ticket(ticket, opt->ticket);
1095 if (ret) {
1096 free(opt->ticket);
1097 opt->ticket = NULL;
1098 krb5_set_error_string(context, "malloc: out of memory");
1099 return ret;
1100 }
1101 }
1102 return 0;
1103 }
1104
1105
1106
1107 krb5_error_code KRB5_LIB_FUNCTION
1108 krb5_get_creds(krb5_context context,
1109 krb5_get_creds_opt opt,
1110 krb5_ccache ccache,
1111 krb5_const_principal inprinc,
1112 krb5_creds **out_creds)
1113 {
1114 krb5_kdc_flags flags;
1115 krb5_flags options;
1116 krb5_creds in_creds;
1117 krb5_error_code ret;
1118 krb5_creds **tgts;
1119 krb5_creds *res_creds;
1120 int i;
1121
1122 memset(&in_creds, 0, sizeof(in_creds));
1123 in_creds.server = rk_UNCONST(inprinc);
1124
1125 ret = krb5_cc_get_principal(context, ccache, &in_creds.client);
1126 if (ret)
1127 return ret;
1128
1129 options = opt->options;
1130 flags.i = 0;
1131
1132 *out_creds = NULL;
1133 res_creds = calloc(1, sizeof(*res_creds));
1134 if (res_creds == NULL) {
1135 krb5_free_principal(context, in_creds.client);
1136 krb5_set_error_string(context, "malloc: out of memory");
1137 return ENOMEM;
1138 }
1139
1140 if (opt->enctype) {
1141 in_creds.session.keytype = opt->enctype;
1142 options |= KRB5_TC_MATCH_KEYTYPE;
1143 }
1144
1145 /*
1146 * If we got a credential, check if credential is expired before
1147 * returning it.
1148 */
1149 ret = krb5_cc_retrieve_cred(context,
1150 ccache,
1151 opt->enctype ? KRB5_TC_MATCH_KEYTYPE : 0,
1152 &in_creds, res_creds);
1153 /*
1154 * If we got a credential, check if credential is expired before
1155 * returning it, but only if KRB5_GC_EXPIRED_OK is not set.
1156 */
1157 if (ret == 0) {
1158 krb5_timestamp timeret;
1159
1160 /* If expired ok, don't bother checking */
1161 if(options & KRB5_GC_EXPIRED_OK) {
1162 *out_creds = res_creds;
1163 krb5_free_principal(context, in_creds.client);
1164 return 0;
1165 }
1166
1167 krb5_timeofday(context, &timeret);
1168 if(res_creds->times.endtime > timeret) {
1169 *out_creds = res_creds;
1170 krb5_free_principal(context, in_creds.client);
1171 return 0;
1172 }
1173 if(options & KRB5_GC_CACHED)
1174 krb5_cc_remove_cred(context, ccache, 0, res_creds);
1175
1176 } else if(ret != KRB5_CC_END) {
1177 free(res_creds);
1178 krb5_free_principal(context, in_creds.client);
1179 return ret;
1180 }
1181 free(res_creds);
1182 if(options & KRB5_GC_CACHED) {
1183 not_found(context, in_creds.server);
1184 krb5_free_principal(context, in_creds.client);
1185 return KRB5_CC_NOTFOUND;
1186 }
1187 if(options & KRB5_GC_USER_USER) {
1188 flags.b.enc_tkt_in_skey = 1;
1189 options |= KRB5_GC_NO_STORE;
1190 }
1191 if (options & KRB5_GC_FORWARDABLE)
1192 flags.b.forwardable = 1;
1193 if (options & KRB5_GC_NO_TRANSIT_CHECK)
1194 flags.b.disable_transited_check = 1;
1195 if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
1196 flags.b.request_anonymous = 1; /* XXX ARGH confusion */
1197 flags.b.constrained_delegation = 1;
1198 }
1199
1200 tgts = NULL;
1201 ret = get_cred_from_kdc_flags(context, flags, ccache,
1202 &in_creds, opt->self, opt->ticket,
1203 out_creds, &tgts);
1204 krb5_free_principal(context, in_creds.client);
1205 for(i = 0; tgts && tgts[i]; i++) {
1206 krb5_cc_store_cred(context, ccache, tgts[i]);
1207 krb5_free_creds(context, tgts[i]);
1208 }
1209 free(tgts);
1210 if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
1211 krb5_cc_store_cred(context, ccache, *out_creds);
1212 return ret;
1213 }
1214
1215 /*
1216 *
1217 */
1218
1219 krb5_error_code KRB5_LIB_FUNCTION
1220 krb5_get_renewed_creds(krb5_context context,
1221 krb5_creds *creds,
1222 krb5_const_principal client,
1223 krb5_ccache ccache,
1224 const char *in_tkt_service)
1225 {
1226 krb5_error_code ret;
1227 krb5_kdc_flags flags;
1228 krb5_creds in, *template, *out = NULL;
1229
1230 memset(&in, 0, sizeof(in));
1231 memset(creds, 0, sizeof(*creds));
1232
1233 ret = krb5_copy_principal(context, client, &in.client);
1234 if (ret)
1235 return ret;
1236
1237 if (in_tkt_service) {
1238 ret = krb5_parse_name(context, in_tkt_service, &in.server);
1239 if (ret) {
1240 krb5_free_principal(context, in.client);
1241 return ret;
1242 }
1243 } else {
1244 const char *realm = krb5_principal_get_realm(context, client);
1245
1246 ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME,
1247 realm, NULL);
1248 if (ret) {
1249 krb5_free_principal(context, in.client);
1250 return ret;
1251 }
1252 }
1253
1254 flags.i = 0;
1255 flags.b.renewable = flags.b.renew = 1;
1256
1257 /*
1258 * Get template from old credential cache for the same entry, if
1259 * this failes, no worries.
1260 */
1261 ret = krb5_get_credentials(context, KRB5_GC_CACHED, ccache, &in, &template);
1262 if (ret == 0) {
1263 flags.b.forwardable = template->flags.b.forwardable;
1264 flags.b.proxiable = template->flags.b.proxiable;
1265 krb5_free_creds (context, template);
1266 }
1267
1268 ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out);
1269 krb5_free_principal(context, in.client);
1270 krb5_free_principal(context, in.server);
1271 if (ret)
1272 return ret;
1273
1274 ret = krb5_copy_creds_contents(context, out, creds);
1275 krb5_free_creds(context, out);
1276
1277 return ret;
1278 }
NetBSD on the FriendlyARM MINI2440