search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-server: Clean up connection tracking functions
[samba4-gss.git] / third_party / heimdal / kuser / kinit.c
blobfe54fd99baf7a3aaa96dbeb5770ef2a473ebc7e6
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kuser_locl.h"
37 #undef HC_DEPRECATED_CRYPTO
38 #include <krb5_locl.h>
39
40 #ifdef HAVE_FRAMEWORK_SECURITY
41 #include <Security/Security.h>
42 #endif
43
44 #ifndef NO_NTLM
45 #include "heimntlm.h"
46 #endif
47
48 #ifndef SIGINFO
49 #define SIGINFO SIGUSR1
50 #endif
51
52 int forwardable_flag = -1;
53 int proxiable_flag = -1;
54 int renewable_flag = -1;
55 int renew_flag = 0;
56 int pac_flag = -1;
57 int validate_flag = 0;
58 int version_flag = 0;
59 int help_flag = 0;
60 int addrs_flag = -1;
61 struct getarg_strings extra_addresses;
62 int anonymous_flag = 0;
63 char *lifetime = NULL;
64 char *renew_life = NULL;
65 char *server_str = NULL;
66 static krb5_principal tgs_service;
67 char *cred_cache = NULL;
68 char *start_str = NULL;
69 static int default_for = 0;
70 static int switch_cache_flags = -1;
71 struct getarg_strings etype_str;
72 int use_keytab = 0;
73 char *keytab_str = NULL;
74 static krb5_keytab kt = NULL;
75 int do_afslog = -1;
76 int fcache_version;
77 char *password_file = NULL;
78 char *pk_user_id = NULL;
79 int pk_enterprise_flag = 0;
80 struct hx509_certs_data *ent_user_id = NULL;
81 char *pk_x509_anchors = NULL;
82 int pk_use_enckey = 0;
83 int pk_anon_fast_armor = -1;
84 char *gss_preauth_mech = NULL;
85 char *gss_preauth_name = NULL;
86 char *kdc_hostname = NULL;
87 static int canonicalize_flag = 0;
88 static int enterprise_flag = 0;
89 static int ok_as_delegate_flag = 0;
90 static char *fast_armor_cache_string = NULL;
91 static int use_referrals_flag = 0;
92 static int windows_flag = 0;
93 #ifndef NO_NTLM
94 static char *ntlm_domain;
95 #endif
96
97
98 static struct getargs args[] = {
99 /*
100 * used by MIT
101 * a: ~A
102 * V: verbose
103 * F: ~f
104 * P: ~p
105 * C: v4 cache name?
106 * 5:
107 *
108 * old flags
109 * 4:
110 * 9:
111 */
112 { "afslog", 0 , arg_flag, &do_afslog,
113 NP_("obtain afs tokens", ""), NULL },
114
115 { "cache", 'c', arg_string, &cred_cache,
116 NP_("credentials cache", ""), "cachename" },
117
118 { "forwardable", 'F', arg_negative_flag, &forwardable_flag,
119 NP_("get tickets not forwardable", ""), NULL },
120
121 { NULL, 'f', arg_flag, &forwardable_flag,
122 NP_("get forwardable tickets", ""), NULL },
123
124 { "keytab", 't', arg_string, &keytab_str,
125 NP_("keytab to use", ""), "keytabname" },
126
127 { "lifetime", 'l', arg_string, &lifetime,
128 NP_("lifetime of tickets", ""), "time" },
129
130 { "proxiable", 'p', arg_flag, &proxiable_flag,
131 NP_("get proxiable tickets", ""), NULL },
132
133 { "renew", 'R', arg_flag, &renew_flag,
134 NP_("renew TGT", ""), NULL },
135
136 { "renewable", 0, arg_flag, &renewable_flag,
137 NP_("get renewable tickets", ""), NULL },
138
139 { "renewable-life", 'r', arg_string, &renew_life,
140 NP_("renewable lifetime of tickets", ""), "time" },
141
142 { "server", 'S', arg_string, &server_str,
143 NP_("server to get ticket for", ""), "principal" },
144
145 { "start-time", 's', arg_string, &start_str,
146 NP_("when ticket gets valid", ""), "time" },
147
148 { "use-keytab", 'k', arg_flag, &use_keytab,
149 NP_("get key from keytab", ""), NULL },
150
151 { "validate", 'v', arg_flag, &validate_flag,
152 NP_("validate TGT", ""), NULL },
153
154 { "enctypes", 'e', arg_strings, &etype_str,
155 NP_("encryption types to use", ""), "enctypes" },
156
157 { "fcache-version", 0, arg_integer, &fcache_version,
158 NP_("file cache version to create", ""), NULL },
159
160 { "addresses", 'A', arg_negative_flag, &addrs_flag,
161 NP_("request a ticket with no addresses", ""), NULL },
162
163 { "extra-addresses",'a', arg_strings, &extra_addresses,
164 NP_("include these extra addresses", ""), "addresses" },
165
166 { "anonymous", 'n', arg_flag, &anonymous_flag,
167 NP_("request an anonymous ticket", ""), NULL },
168
169 { "request-pac", 0, arg_flag, &pac_flag,
170 NP_("request a Windows PAC", ""), NULL },
171
172 { "password-file", 0, arg_string, &password_file,
173 NP_("read the password from a file", ""), NULL },
174
175 { "canonicalize",0, arg_flag, &canonicalize_flag,
176 NP_("canonicalize client principal", ""), NULL },
177
178 { "enterprise",0, arg_flag, &enterprise_flag,
179 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
180 #ifdef PKINIT
181 { "pk-enterprise", 0, arg_flag, &pk_enterprise_flag,
182 NP_("use enterprise name from certificate", ""), NULL },
183
184 { "pk-user", 'C', arg_string, &pk_user_id,
185 NP_("principal's public/private/certificate identifier", ""), "id" },
186
187 { "x509-anchors", 'D', arg_string, &pk_x509_anchors,
188 NP_("directory with CA certificates", ""), "directory" },
189
190 { "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
191 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
192
193 { "pk-anon-fast-armor", 0, arg_flag, &pk_anon_fast_armor,
194 NP_("use unauthenticated anonymous PKINIT as FAST armor", ""), NULL },
195 #endif
196
197 { "gss-mech", 0, arg_string, &gss_preauth_mech,
198 NP_("use GSS mechanism for pre-authentication", ""), NULL },
199
200 { "gss-name", 0, arg_string, &gss_preauth_name,
201 NP_("use distinct GSS identity for pre-authentication", ""), NULL },
202
203 { "kdc-hostname", 0, arg_string, &kdc_hostname,
204 NP_("KDC host name", ""), "hostname" },
205
206 #ifndef NO_NTLM
207 { "ntlm-domain", 0, arg_string, &ntlm_domain,
208 NP_("NTLM domain", ""), "domain" },
209 #endif
210
211 { "change-default", 0, arg_negative_flag, &switch_cache_flags,
212 NP_("switch the default cache to the new credentials cache", ""), NULL },
213
214 { "default-for-principal", 0, arg_flag, &default_for,
215 NP_("Use a default cache appropriate for the client principal", ""), NULL },
216
217 { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
218 NP_("honor ok-as-delegate on tickets", ""), NULL },
219
220 { "fast-armor-cache", 0, arg_string, &fast_armor_cache_string,
221 NP_("use this credential cache as FAST armor cache", ""), "cache" },
222
223 { "use-referrals", 0, arg_flag, &use_referrals_flag,
224 NP_("only use referrals, no dns canonicalisation", ""), NULL },
225
226 { "windows", 0, arg_flag, &windows_flag,
227 NP_("get windows behavior", ""), NULL },
228
229 { "version", 0, arg_flag, &version_flag, NULL, NULL },
230 { "help", 0, arg_flag, &help_flag, NULL, NULL }
231 };
232
233 static char *
234 get_default_realm(krb5_context context);
235
236 static void
237 usage(int ret)
238 {
239 arg_printusage_i18n(args, sizeof(args)/sizeof(*args), N_("Usage: ", ""),
240 NULL, "[principal [command]]", getarg_i18n);
241 exit(ret);
242 }
243
244 static krb5_error_code
245 tgs_principal(krb5_context context,
246 krb5_ccache cache,
247 krb5_principal client,
248 krb5_const_realm tgs_realm,
249 krb5_principal *out_princ)
250 {
251 krb5_error_code ret;
252 krb5_principal tgs_princ;
253 krb5_creds creds;
254 krb5_creds *tick;
255 krb5_flags options;
256
257 ret = krb5_make_principal(context, &tgs_princ, tgs_realm,
258 KRB5_TGS_NAME, tgs_realm, NULL);
259 if (ret)
260 return ret;
261
262 /*
263 * Don't fail-over to a different realm just because a TGT expired
264 */
265 options = KRB5_GC_CACHED | KRB5_GC_EXPIRED_OK;
266
267 memset(&creds, 0, sizeof(creds));
268 creds.client = client;
269 creds.server = tgs_princ;
270 ret = krb5_get_credentials(context, options, cache, &creds, &tick);
271 if (ret == 0) {
272 krb5_free_creds(context, tick);
273 *out_princ = tgs_princ;
274 } else {
275 krb5_free_principal(context, tgs_princ);
276 }
277
278 return ret;
279 }
280
281
282 /*
283 * Try TGS specified with '-S',
284 * then TGS of client realm,
285 * then if fallback is FALSE: fail,
286 * otherwise try TGS of default realm,
287 * and finally first TGT in ccache.
288 */
289 static krb5_error_code
290 get_server(krb5_context context,
291 krb5_ccache cache,
292 krb5_principal client,
293 const char *server,
294 krb5_boolean fallback,
295 krb5_principal *princ)
296 {
297 krb5_error_code ret = 0;
298 krb5_const_realm realm;
299 krb5_realm def_realm;
300 krb5_cc_cursor cursor;
301 krb5_creds creds;
302 const char *pcomp;
303
304 if (tgs_service)
305 goto done;
306
307 if (server) {
308 ret = krb5_parse_name(context, server, &tgs_service);
309 goto done;
310 }
311
312 /* Try the client realm first */
313 realm = krb5_principal_get_realm(context, client);
314 ret = tgs_principal(context, cache, client, realm, &tgs_service);
315 if (ret == 0 || ret != KRB5_CC_NOTFOUND)
316 goto done;
317
318 if (!fallback)
319 return ret;
320
321 /* Next try the default realm */
322 ret = krb5_get_default_realm(context, &def_realm);
323 if (ret)
324 return ret;
325 ret = tgs_principal(context, cache, client, def_realm, &tgs_service);
326 free(def_realm);
327 if (ret == 0 || ret != KRB5_CC_NOTFOUND)
328 goto done;
329
330 /* Finally try the first TGT with instance == realm in the cache */
331 ret = krb5_cc_start_seq_get(context, cache, &cursor);
332 if (ret)
333 return ret;
334
335 for (/**/; ret == 0; krb5_free_cred_contents (context, &creds)) {
336
337 ret = krb5_cc_next_cred(context, cache, &cursor, &creds);
338 if (ret)
339 break;
340 if (creds.server->name.name_string.len != 2)
341 continue;
342 pcomp = krb5_principal_get_comp_string(context, creds.server, 0);
343 if (strcmp(pcomp, KRB5_TGS_NAME) != 0)
344 continue;
345 realm = krb5_principal_get_realm(context, creds.server);
346 pcomp = krb5_principal_get_comp_string(context, creds.server, 1);
347 if (strcmp(realm, pcomp) != 0)
348 continue;
349 ret = krb5_copy_principal(context, creds.server, &tgs_service);
350 break;
351 }
352 if (ret == KRB5_CC_END) {
353 ret = KRB5_CC_NOTFOUND;
354 krb5_set_error_message(context, ret,
355 N_("Credential cache contains no TGTs", ""));
356 }
357 krb5_cc_end_seq_get(context, cache, &cursor);
358
359 done:
360 if (!ret)
361 ret = krb5_copy_principal(context, tgs_service, princ);
362 return ret;
363 }
364
365 static krb5_error_code
366 copy_configs(krb5_context context,
367 krb5_ccache dst,
368 krb5_ccache src,
369 krb5_principal start_ticket_server)
370 {
371 krb5_error_code ret;
372 const char *cfg_names[] = {"realm-config", "FriendlyName", "anon_pkinit_realm", NULL};
373 const char *cfg_names_w_pname[] = {"fast_avail", NULL};
374 krb5_data cfg_data;
375 size_t i;
376
377 for (i = 0; cfg_names[i]; i++) {
378 ret = krb5_cc_get_config(context, src, NULL, cfg_names[i], &cfg_data);
379 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
380 continue;
381 } else if (ret) {
382 krb5_warn(context, ret, "krb5_cc_get_config");
383 return ret;
384 }
385 ret = krb5_cc_set_config(context, dst, NULL, cfg_names[i], &cfg_data);
386 if (ret)
387 krb5_warn(context, ret, "krb5_cc_set_config");
388 }
389 for (i = 0; start_ticket_server && cfg_names_w_pname[i]; i++) {
390 ret = krb5_cc_get_config(context, src, start_ticket_server,
391 cfg_names_w_pname[i], &cfg_data);
392 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
393 continue;
394 } else if (ret) {
395 krb5_warn(context, ret, "krb5_cc_get_config");
396 return ret;
397 }
398 ret = krb5_cc_set_config(context, dst, start_ticket_server,
399 cfg_names_w_pname[i], &cfg_data);
400 if (ret && ret != KRB5_CC_NOTFOUND)
401 krb5_warn(context, ret, "krb5_cc_set_config");
402 }
403 /*
404 * We don't copy cc configs for any other principals though (mostly
405 * those are per-target time offsets and the like, so it's bad to
406 * lose them, but hardly the end of the world, and as they may not
407 * expire anyways, it's good to let them go).
408 */
409 return 0;
410 }
411
412 static krb5_error_code
413 get_anon_pkinit_tgs_name(krb5_context context,
414 krb5_ccache ccache,
415 krb5_principal *tgs_name)
416 {
417 krb5_error_code ret;
418 krb5_data data;
419 char *realm;
420
421 ret = krb5_cc_get_config(context, ccache, NULL, "anon_pkinit_realm", &data);
422 if (ret == 0)
423 realm = strndup(data.data, data.length);
424 else
425 realm = get_default_realm(context);
426
427 krb5_data_free(&data);
428
429 if (realm == NULL)
430 return krb5_enomem(context);
431
432 ret = krb5_make_principal(context, tgs_name, realm,
433 KRB5_TGS_NAME, realm, NULL);
434
435 free(realm);
436
437 return ret;
438 }
439
440 static krb5_error_code
441 renew_validate(krb5_context context,
442 int renew,
443 int validate,
444 krb5_ccache *cachep,
445 krb5_const_principal principal,
446 krb5_boolean cache_is_default_for,
447 const char *server,
448 krb5_deltat life)
449 {
450 krb5_error_code ret;
451 krb5_ccache tempccache = NULL;
452 krb5_ccache cache = *cachep;
453 krb5_creds in, *out = NULL;
454 krb5_kdc_flags flags;
455
456 memset(&in, 0, sizeof(in));
457
458 ret = krb5_cc_get_principal(context, cache, &in.client);
459 if (ret && cache_is_default_for && principal) {
460 krb5_error_code ret2;
461 krb5_ccache def_ccache = NULL;
462
463 ret2 = krb5_cc_default(context, &def_ccache);
464 if (ret2 == 0)
465 ret2 = krb5_cc_get_principal(context, def_ccache, &in.client);
466 if (ret2 == 0 &&
467 krb5_principal_compare(context, principal, in.client)) {
468 krb5_cc_close(context, *cachep);
469 cache = *cachep = def_ccache;
470 def_ccache = NULL;
471 ret = 0;
472 }
473 krb5_cc_close(context, def_ccache);
474 }
475 if (ret) {
476 krb5_warn(context, ret, "krb5_cc_get_principal");
477 return ret;
478 }
479
480 if (principal && !krb5_principal_compare(context, principal, in.client)) {
481 char *ccname = NULL;
482
483 (void) krb5_cc_get_full_name(context, cache, &ccname);
484 krb5_errx(context, 1, "Credentials in cache %s do not match requested "
485 "principal", ccname ? ccname : "requested");
486 free(ccname);
487 }
488
489 if (server == NULL &&
490 krb5_principal_is_anonymous(context, in.client,
491 KRB5_ANON_MATCH_UNAUTHENTICATED))
492 ret = get_anon_pkinit_tgs_name(context, cache, &in.server);
493 else
494 ret = get_server(context, cache, in.client, server, TRUE, &in.server);
495 if (ret) {
496 krb5_warn(context, ret, "get_server");
497 goto out;
498 }
499
500 if (renew) {
501 /*
502 * no need to check the error here, it's only to be
503 * friendly to the user
504 */
505 (void) krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out);
506 }
507
508 flags.i = 0;
509 flags.b.renewable = flags.b.renew = renew;
510 flags.b.validate = validate;
511
512 if (forwardable_flag != -1)
513 flags.b.forwardable = forwardable_flag;
514 else if (out)
515 flags.b.forwardable = out->flags.b.forwardable;
516
517 if (proxiable_flag != -1)
518 flags.b.proxiable = proxiable_flag;
519 else if (out)
520 flags.b.proxiable = out->flags.b.proxiable;
521
522 if (anonymous_flag)
523 flags.b.request_anonymous = anonymous_flag;
524 if (life)
525 in.times.endtime = time(NULL) + life;
526
527 if (out) {
528 krb5_free_creds(context, out);
529 out = NULL;
530 }
531
532
533 ret = krb5_get_kdc_cred(context,
534 cache,
535 flags,
536 NULL,
537 NULL,
538 &in,
539 &out);
540 if (ret) {
541 krb5_warn(context, ret, "krb5_get_kdc_cred");
542 goto out;
543 }
544
545 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, cache),
546 NULL, &tempccache);
547 if (ret) {
548 krb5_warn(context, ret, "krb5_cc_new_unique");
549 goto out;
550 }
551
552 ret = krb5_cc_initialize(context, tempccache, in.client);
553 if (ret) {
554 krb5_warn(context, ret, "krb5_cc_initialize");
555 goto out;
556 }
557
558 ret = krb5_cc_store_cred(context, tempccache, out);
559 if (ret) {
560 krb5_warn(context, ret, "krb5_cc_store_cred");
561 goto out;
562 }
563
564 /*
565 * We want to preserve cc configs as some are security-relevant, and
566 * anyways it's the friendly thing to do.
567 */
568 ret = copy_configs(context, tempccache, cache, out->server);
569 if (ret)
570 goto out;
571
572 ret = krb5_cc_move(context, tempccache, cache);
573 if (ret) {
574 krb5_warn(context, ret, "krb5_cc_move");
575 goto out;
576 }
577 tempccache = NULL;
578
579 out:
580 if (tempccache)
581 krb5_cc_destroy(context, tempccache);
582 if (out)
583 krb5_free_creds(context, out);
584 krb5_free_cred_contents(context, &in);
585 return ret;
586 }
587
588 static krb5_error_code
589 make_wellknown_name(krb5_context context,
590 krb5_const_realm realm,
591 const char *instance,
592 krb5_principal *principal)
593 {
594 krb5_error_code ret;
595
596 ret = krb5_make_principal(context, principal, realm,
597 KRB5_WELLKNOWN_NAME, instance, NULL);
598 if (ret == 0)
599 krb5_principal_set_type(context, *principal, KRB5_NT_WELLKNOWN);
600
601 return ret;
602 }
603
604 static krb5_error_code
605 acquire_gss_cred(krb5_context context,
606 krb5_const_principal client,
607 krb5_deltat life,
608 const char *passwd,
609 gss_cred_id_t *cred,
610 gss_OID *mech)
611 {
612 krb5_error_code ret;
613 OM_uint32 major, minor;
614 gss_name_t name = GSS_C_NO_NAME;
615 gss_key_value_element_desc cred_element;
616 gss_key_value_set_desc cred_store;
617 gss_OID_set_desc mechs;
618
619 *cred = GSS_C_NO_CREDENTIAL;
620 *mech = GSS_C_NO_OID;
621
622 if (gss_preauth_mech) {
623 *mech = gss_name_to_oid(gss_preauth_mech);
624 if (*mech == GSS_C_NO_OID)
625 return EINVAL;
626 }
627
628 if (gss_preauth_name) {
629 gss_buffer_desc buf;
630
631 buf.value = gss_preauth_name;
632 buf.length = strlen(gss_preauth_name);
633
634 major = gss_import_name(&minor, &buf, GSS_C_NT_USER_NAME, &name);
635 ret = _krb5_gss_map_error(major, minor);
636 } else if (!krb5_principal_is_federated(context, client)) {
637 ret = _krb5_gss_pa_unparse_name(context, client, &name);
638 } else {
639 /*
640 * WELLKNOWN/FEDERATED is used a placeholder where the user
641 * did not specify either a Kerberos credential or a GSS-API
642 * initiator name. It avoids the expense of acquiring a default
643 * credential purely to interrogate the credential name.
644 */
645 name = GSS_C_NO_NAME;
646 ret = 0;
647 }
648 if (ret)
649 goto out;
650
651 cred_store.count = 1;
652 cred_store.elements = &cred_element;
653
654 if (passwd && passwd[0]) {
655 cred_element.key = "password";
656 cred_element.value = passwd;
657 } else if (keytab_str) {
658 cred_element.key = "client_keytab",
659 cred_element.value = keytab_str;
660 } else {
661 cred_store.count = 0;
662 }
663
664 if (*mech) {
665 mechs.count = 1;
666 mechs.elements = (gss_OID)*mech;
667 }
668
669 major = gss_acquire_cred_from(&minor,
670 name,
671 life ? life : GSS_C_INDEFINITE,
672 *mech ? &mechs : GSS_C_NO_OID_SET,
673 GSS_C_INITIATE,
674 &cred_store,
675 cred,
676 NULL,
677 NULL);
678 if (major != GSS_S_COMPLETE) {
679 ret = _krb5_gss_map_error(major, minor);
680 goto out;
681 }
682
683 out:
684 gss_release_name(&minor, &name);
685 return ret;
686 }
687
688 #ifndef NO_NTLM
689
690 static krb5_error_code
691 store_ntlmkey(krb5_context context, krb5_ccache id,
692 const char *domain, struct ntlm_buf *buf)
693 {
694 krb5_error_code ret;
695 krb5_data data;
696 char *name;
697 int aret;
698
699 ret = krb5_cc_get_config(context, id, NULL, "default-ntlm-domain", &data);
700 if (ret == 0) {
701 krb5_data_free(&data);
702 } else {
703 data.length = strlen(domain);
704 data.data = rk_UNCONST(domain);
705 ret = krb5_cc_set_config(context, id, NULL, "default-ntlm-domain", &data);
706 if (ret != 0)
707 return ret;
708 }
709
710 aret = asprintf(&name, "ntlm-key-%s", domain);
711 if (aret == -1 || name == NULL)
712 return krb5_enomem(context);
713
714 data.length = buf->length;
715 data.data = buf->data;
716
717 ret = krb5_cc_set_config(context, id, NULL, name, &data);
718 free(name);
719 return ret;
720 }
721 #endif
722
723 static krb5_error_code
724 get_new_tickets(krb5_context context,
725 krb5_principal principal,
726 krb5_ccache ccache,
727 krb5_deltat ticket_life,
728 int interactive,
729 int anonymous_pkinit)
730 {
731 krb5_error_code ret;
732 krb5_creds cred;
733 char passwd[256];
734 krb5_deltat start_time = 0;
735 krb5_deltat renew = 0;
736 const char *renewstr = NULL;
737 krb5_enctype *enctype = NULL;
738 krb5_ccache tempccache = NULL;
739 krb5_init_creds_context ctx = NULL;
740 krb5_get_init_creds_opt *opt = NULL;
741 krb5_prompter_fct prompter = krb5_prompter_posix;
742 gss_cred_id_t gss_cred = GSS_C_NO_CREDENTIAL;
743 gss_OID gss_mech = GSS_C_NO_OID;
744 krb5_principal federated_name = NULL;
745 krb5_ccache fastid = NULL;
746
747 #ifndef NO_NTLM
748 struct ntlm_buf ntlmkey;
749 memset(&ntlmkey, 0, sizeof(ntlmkey));
750 #endif
751 passwd[0] = '\0';
752
753 if (!interactive)
754 prompter = NULL;
755
756 if (password_file) {
757 FILE *f;
758
759 if (strcasecmp("STDIN", password_file) == 0)
760 f = stdin;
761 else
762 f = fopen(password_file, "r");
763 if (f == NULL) {
764 krb5_warnx(context, N_("Failed to open the password file %s", ""),
765 password_file);
766 return errno;
767 }
768
769 if (fgets(passwd, sizeof(passwd), f) == NULL) {
770 krb5_warnx(context, N_("Failed to read password from file %s", ""),
771 password_file);
772 if (f != stdin)
773 fclose(f);
774 return EINVAL; /* XXX Need a better error */
775 }
776 if (f != stdin)
777 fclose(f);
778 passwd[strcspn(passwd, "\n")] = '\0';
779 }
780
781 #ifdef HAVE_FRAMEWORK_SECURITY
782 if (passwd[0] == '\0') {
783 enum querykey {
784 qk_class, qk_matchlimit, qk_service, qk_account, qk_secreturndata,
785 };
786 const void *querykeys[] = {
787 [qk_class] = kSecClass,
788 [qk_matchlimit] = kSecMatchLimit,
789 [qk_service] = kSecAttrService,
790 [qk_account] = kSecAttrAccount,
791 [qk_secreturndata] = kSecReturnData,
792 };
793 const void *queryargs[] = {
794 [qk_class] = kSecClassGenericPassword,
795 [qk_matchlimit] = kSecMatchLimitOne,
796 [qk_service] = NULL, /* filled in later */
797 [qk_account] = NULL, /* filled in later */
798 [qk_secreturndata] = kCFBooleanTrue,
799 };
800 CFStringRef service_ref = NULL;
801 CFStringRef account_ref = NULL;
802 CFDictionaryRef query_ref = NULL;
803 const char *realm;
804 OSStatus osret;
805 char *name = NULL;
806 CFTypeRef item_ref = NULL;
807 CFDataRef item;
808 CFIndex length;
809
810 realm = krb5_principal_get_realm(context, principal);
811
812 ret = krb5_unparse_name_flags(context, principal,
813 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
814 if (ret)
815 goto fail;
816
817 service_ref = CFStringCreateWithCString(kCFAllocatorDefault, realm,
818 kCFStringEncodingUTF8);
819 if (service_ref == NULL)
820 goto fail;
821
822 account_ref = CFStringCreateWithCString(kCFAllocatorDefault, name,
823 kCFStringEncodingUTF8);
824 if (account_ref == NULL)
825 goto fail;
826
827 queryargs[qk_service] = service_ref;
828 queryargs[qk_account] = account_ref;
829 query_ref = CFDictionaryCreate(kCFAllocatorDefault,
830 querykeys, queryargs,
831 /*numValues*/sizeof(querykeys)/sizeof(querykeys[0]),
832 /*keyCallbacks*/NULL, /*valueCallbacks*/NULL);
833 if (query_ref == NULL)
834 goto fail;
835
836 osret = SecItemCopyMatching(query_ref, &item_ref);
837 if (osret != noErr)
838 goto fail;
839
840 item = item_ref;
841 length = CFDataGetLength(item);
842 if (length >= sizeof(passwd) - 1)
843 goto fail;
844
845 CFDataGetBytes(item, CFRangeMake(0, length), (UInt8 *)passwd);
846 passwd[length] = '\0';
847
848 fail:
849 if (item_ref)
850 CFRelease(item_ref);
851 if (query_ref)
852 CFRelease(query_ref);
853 if (account_ref)
854 CFRelease(account_ref);
855 if (service_ref)
856 CFRelease(service_ref);
857 free(name);
858 }
859 #endif
860
861 memset(&cred, 0, sizeof(cred));
862
863 ret = krb5_get_init_creds_opt_alloc(context, &opt);
864 if (ret) {
865 krb5_warn(context, ret, "krb5_get_init_creds_opt_alloc");
866 goto out;
867 }
868
869 krb5_get_init_creds_opt_set_default_flags(context, "kinit",
870 krb5_principal_get_realm(context, principal), opt);
871
872 if (forwardable_flag != -1)
873 krb5_get_init_creds_opt_set_forwardable(opt, forwardable_flag);
874 if (proxiable_flag != -1)
875 krb5_get_init_creds_opt_set_proxiable(opt, proxiable_flag);
876 if (anonymous_flag)
877 krb5_get_init_creds_opt_set_anonymous(opt, anonymous_flag);
878 if (pac_flag != -1)
879 krb5_get_init_creds_opt_set_pac_request(context, opt,
880 pac_flag ? TRUE : FALSE);
881 if (canonicalize_flag)
882 krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
883 if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
884 krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
885 if (pk_user_id || ent_user_id || anonymous_pkinit) {
886 if (pk_anon_fast_armor == -1)
887 pk_anon_fast_armor = 0;
888 ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
889 principal,
890 pk_user_id,
891 pk_x509_anchors,
892 NULL,
893 NULL,
894 pk_use_enckey ? KRB5_GIC_OPT_PKINIT_USE_ENCKEY : 0 |
895 anonymous_pkinit ? KRB5_GIC_OPT_PKINIT_ANONYMOUS : 0,
896 prompter,
897 NULL,
898 passwd);
899 if (ret) {
900 krb5_warn(context, ret, "krb5_get_init_creds_opt_set_pkinit");
901 goto out;
902 }
903 if (ent_user_id)
904 krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id);
905 }
906
907 if (addrs_flag != -1)
908 krb5_get_init_creds_opt_set_addressless(context, opt,
909 addrs_flag ? FALSE : TRUE);
910
911 if (renew_life == NULL && renewable_flag)
912 renewstr = "6 months";
913 if (renew_life)
914 renewstr = renew_life;
915 if (renewstr) {
916 renew = parse_time(renewstr, "s");
917 if (renew < 0)
918 errx(1, "unparsable time: %s", renewstr);
919
920 krb5_get_init_creds_opt_set_renew_life(opt, renew);
921 }
922
923 if (ticket_life != 0)
924 krb5_get_init_creds_opt_set_tkt_life(opt, ticket_life);
925
926 if (start_str) {
927 int tmp = parse_time(start_str, "s");
928 if (tmp < 0)
929 errx(1, N_("unparsable time: %s", ""), start_str);
930
931 start_time = tmp;
932 }
933
934 if (etype_str.num_strings) {
935 int i;
936
937 enctype = malloc(etype_str.num_strings * sizeof(*enctype));
938 if (enctype == NULL)
939 errx(1, "out of memory");
940 for(i = 0; i < etype_str.num_strings; i++) {
941 ret = krb5_string_to_enctype(context,
942 etype_str.strings[i],
943 &enctype[i]);
944 if (ret)
945 errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
946 }
947 krb5_get_init_creds_opt_set_etype_list(opt, enctype,
948 etype_str.num_strings);
949 }
950
951 if (gss_preauth_mech || gss_preauth_name) {
952 ret = acquire_gss_cred(context, principal, ticket_life,
953 passwd, &gss_cred, &gss_mech);
954 if (ret)
955 goto out;
956
957 /*
958 * The principal specified on the command line is used as the GSS-API
959 * initiator name, unless the --gss-name option was present, in which
960 * case the initiator name is specified independently.
961 */
962 if (gss_preauth_name == NULL) {
963 krb5_const_realm realm = krb5_principal_get_realm(context, principal);
964
965 ret = make_wellknown_name(context, realm,
966 KRB5_FEDERATED_NAME, &federated_name);
967 if (ret)
968 goto out;
969
970 principal = federated_name;
971 }
972 }
973
974 if (fast_armor_cache_string) {
975 if (pk_anon_fast_armor > 0)
976 krb5_errx(context, 1,
977 N_("cannot specify FAST armor cache with FAST "
978 "anonymous PKINIT option", ""));
979 pk_anon_fast_armor = 0;
980
981 ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
982 if (ret) {
983 krb5_warn(context, ret, "krb5_cc_resolve(FAST cache)");
984 goto out;
985 }
986
987 ret = krb5_get_init_creds_opt_set_fast_ccache(context, opt, fastid);
988 if (ret) {
989 krb5_warn(context, ret, "krb5_get_init_creds_opt_set_fast_ccache");
990 goto out;
991 }
992
993 ret = krb5_get_init_creds_opt_set_fast_flags(context, opt,
994 KRB5_FAST_REQUIRED);
995 if (ret) {
996 krb5_warn(context, ret, "krb5_get_init_creds_opt_set_fast_flags");
997 goto out;
998 }
999 }
1000
1001 ret = krb5_init_creds_init(context, principal, prompter, NULL, start_time, opt, &ctx);
1002 if (ret) {
1003 krb5_warn(context, ret, "krb5_init_creds_init");
1004 goto out;
1005 }
1006
1007 if (server_str) {
1008 ret = krb5_init_creds_set_service(context, ctx, server_str);
1009 if (ret) {
1010 krb5_warn(context, ret, "krb5_init_creds_set_service");
1011 goto out;
1012 }
1013 }
1014
1015 if (kdc_hostname) {
1016 ret = krb5_init_creds_set_kdc_hostname(context, ctx, kdc_hostname);
1017 if (ret) {
1018 krb5_warn(context, ret, "krb5_init_creds_set_kdc_hostname");
1019 goto out;
1020 }
1021 }
1022
1023 if (anonymous_flag && pk_anon_fast_armor == -1)
1024 pk_anon_fast_armor = 0;
1025 if (!gss_preauth_mech && anonymous_flag && pk_anon_fast_armor) {
1026 krb5_warnx(context, N_("Ignoring --pk-anon-fast-armor because "
1027 "--anonymous given", ""));
1028 pk_anon_fast_armor = 0;
1029 }
1030
1031 if (fast_armor_cache_string) {
1032 /* handled above */
1033 } else if (pk_anon_fast_armor == -1) {
1034 ret = _krb5_init_creds_set_fast_anon_pkinit_optimistic(context, ctx);
1035 if (ret) {
1036 krb5_warn(context, ret, "_krb5_init_creds_set_fast_anon_pkinit_optimistic");
1037 goto out;
1038 }
1039 } else if (pk_anon_fast_armor) {
1040 ret = krb5_init_creds_set_fast_anon_pkinit(context, ctx);
1041 if (ret) {
1042 krb5_warn(context, ret, "krb5_init_creds_set_fast_anon_pkinit");
1043 goto out;
1044 }
1045 }
1046
1047 if (gss_mech != GSS_C_NO_OID) {
1048 ret = krb5_gss_set_init_creds(context, ctx, gss_cred, gss_mech);
1049 if (ret) {
1050 krb5_warn(context, ret, "krb5_gss_set_init_creds");
1051 goto out;
1052 }
1053 } else if (use_keytab || keytab_str) {
1054 ret = krb5_init_creds_set_keytab(context, ctx, kt);
1055 if (ret) {
1056 krb5_warn(context, ret, "krb5_init_creds_set_keytab");
1057 goto out;
1058 }
1059 } else if (pk_user_id || ent_user_id ||
1060 krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY)) {
1061 /* nop */;
1062 } else if (!interactive && passwd[0] == '\0') {
1063 static int already_warned = 0;
1064
1065 if (!already_warned)
1066 krb5_warnx(context, "Not interactive, failed to get "
1067 "initial ticket");
1068 krb5_get_init_creds_opt_free(context, opt);
1069 already_warned = 1;
1070 return 0;
1071 } else {
1072
1073 if (passwd[0] == '\0') {
1074 char *p, *prompt;
1075 int aret = 0;
1076
1077 ret = krb5_unparse_name(context, principal, &p);
1078 if (ret)
1079 errx(1, "failed to generate passwd prompt: not enough memory");
1080
1081 aret = asprintf(&prompt, N_("%s's Password: ", ""), p);
1082 free(p);
1083 if (aret == -1)
1084 errx(1, "failed to generate passwd prompt: not enough memory");
1085
1086 if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
1087 memset(passwd, 0, sizeof(passwd));
1088 errx(1, "failed to read password");
1089 }
1090 free(prompt);
1091 }
1092
1093 if (passwd[0]) {
1094 ret = krb5_init_creds_set_password(context, ctx, passwd);
1095 if (ret) {
1096 krb5_warn(context, ret, "krb5_init_creds_set_password");
1097 goto out;
1098 }
1099 }
1100 }
1101
1102 ret = krb5_init_creds_get(context, ctx);
1103
1104 #ifndef NO_NTLM
1105 if (ntlm_domain && passwd[0])
1106 heim_ntlm_nt_key(passwd, &ntlmkey);
1107 #endif
1108 memset_s(passwd, sizeof(passwd), 0, sizeof(passwd));
1109
1110 switch(ret){
1111 case 0:
1112 break;
1113 case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
1114 exit(1);
1115 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
1116 case KRB5KRB_AP_ERR_MODIFIED:
1117 case KRB5KDC_ERR_PREAUTH_FAILED:
1118 case KRB5_GET_IN_TKT_LOOP:
1119 krb5_warnx(context, N_("Password incorrect", ""));
1120 goto out;
1121 case KRB5KRB_AP_ERR_V4_REPLY:
1122 krb5_warnx(context, N_("Looks like a Kerberos 4 reply", ""));
1123 goto out;
1124 case KRB5KDC_ERR_KEY_EXPIRED:
1125 krb5_warnx(context, N_("Password expired", ""));
1126 goto out;
1127 default:
1128 krb5_warn(context, ret, "krb5_get_init_creds");
1129 goto out;
1130 }
1131
1132 krb5_process_last_request(context, opt, ctx);
1133
1134 ret = krb5_init_creds_get_creds(context, ctx, &cred);
1135 if (ret) {
1136 krb5_warn(context, ret, "krb5_init_creds_get_creds");
1137 goto out;
1138 }
1139
1140 if (ticket_life != 0) {
1141 if (labs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
1142 char life[64];
1143 unparse_time_approx(cred.times.endtime - cred.times.starttime,
1144 life, sizeof(life));
1145 krb5_warnx(context, N_("NOTICE: ticket lifetime is %s", ""), life);
1146 }
1147 }
1148 if (renew_life) {
1149 if (labs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
1150 char life[64];
1151 unparse_time_approx(cred.times.renew_till - cred.times.starttime,
1152 life, sizeof(life));
1153 krb5_warnx(context,
1154 N_("NOTICE: ticket renewable lifetime is %s", ""),
1155 life);
1156 }
1157 }
1158 krb5_free_cred_contents(context, &cred);
1159
1160 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
1161 NULL, &tempccache);
1162 if (ret) {
1163 krb5_warn(context, ret, "krb5_cc_new_unique");
1164 goto out;
1165 }
1166
1167 ret = krb5_init_creds_store(context, ctx, tempccache);
1168 if (ret) {
1169 krb5_warn(context, ret, "krb5_init_creds_store");
1170 goto out;
1171 }
1172
1173 ret = krb5_init_creds_store_config(context, ctx, tempccache);
1174 if (ret) {
1175 krb5_warn(context, ret, "krb5_init_creds_store_config");
1176 goto out;
1177 }
1178
1179 ret = krb5_init_creds_warn_user(context, ctx);
1180 if (ret) {
1181 krb5_warn(context, ret, "krb5_init_creds_warn_user");
1182 goto out;
1183 }
1184
1185 krb5_init_creds_free(context, ctx);
1186 ctx = NULL;
1187
1188 ret = krb5_cc_move(context, tempccache, ccache);
1189 if (ret) {
1190 krb5_warn(context, ret, "krb5_cc_move");
1191 goto out;
1192 }
1193 tempccache = NULL;
1194
1195 if (switch_cache_flags)
1196 krb5_cc_switch(context, ccache);
1197
1198 #ifndef NO_NTLM
1199 if (ntlm_domain && ntlmkey.data)
1200 store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
1201 #endif
1202
1203 if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
1204 unsigned char d = 0;
1205 krb5_data data;
1206
1207 if (ok_as_delegate_flag || windows_flag)
1208 d |= 1;
1209 if (use_referrals_flag || windows_flag)
1210 d |= 2;
1211
1212 data.length = 1;
1213 data.data = &d;
1214
1215 krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
1216 }
1217
1218 if (anonymous_pkinit) {
1219 krb5_data data;
1220
1221 data.length = strlen(principal->realm);
1222 data.data = principal->realm;
1223
1224 krb5_cc_set_config(context, ccache, NULL, "anon_pkinit_realm", &data);
1225 }
1226
1227 out:
1228 {
1229 OM_uint32 minor;
1230 gss_release_cred(&minor, &gss_cred);
1231 }
1232 krb5_free_principal(context, federated_name);
1233 krb5_get_init_creds_opt_free(context, opt);
1234 if (ctx)
1235 krb5_init_creds_free(context, ctx);
1236 if (tempccache)
1237 krb5_cc_destroy(context, tempccache);
1238 if (enctype)
1239 free(enctype);
1240 if (fastid)
1241 krb5_cc_close(context, fastid);
1242
1243 return ret;
1244 }
1245
1246 static time_t
1247 ticket_lifetime(krb5_context context, krb5_ccache cache, krb5_principal client,
1248 const char *server, time_t *renew)
1249 {
1250 krb5_creds in_cred, *cred;
1251 krb5_error_code ret;
1252 time_t timeout;
1253 time_t curtime;
1254
1255 memset(&in_cred, 0, sizeof(in_cred));
1256
1257 if (renew != NULL)
1258 *renew = 0;
1259
1260 ret = krb5_cc_get_principal(context, cache, &in_cred.client);
1261 if (ret) {
1262 krb5_warn(context, ret, "krb5_cc_get_principal");
1263 return 0;
1264 }
1265
1266 /* Determine TGS principal without fallback */
1267 ret = get_server(context, cache, in_cred.client, server, FALSE,
1268 &in_cred.server);
1269 if (ret) {
1270 krb5_free_principal(context, in_cred.client);
1271 krb5_warn(context, ret, "get_server");
1272 return 0;
1273 }
1274
1275 ret = krb5_get_credentials(context, KRB5_GC_CACHED,
1276 cache, &in_cred, &cred);
1277 krb5_free_principal(context, in_cred.client);
1278 krb5_free_principal(context, in_cred.server);
1279 if (ret) {
1280 krb5_warn(context, ret, "krb5_get_credentials");
1281 return 0;
1282 }
1283 curtime = time(NULL);
1284 timeout = cred->times.endtime - curtime;
1285 if (timeout < 0)
1286 timeout = 0;
1287 if (renew) {
1288 *renew = cred->times.renew_till - curtime;
1289 if (*renew < 0)
1290 *renew = 0;
1291 }
1292 krb5_free_creds(context, cred);
1293 return timeout;
1294 }
1295
1296 static time_t expire;
1297
1298 static char siginfo_msg[1024] = "No credentials\n";
1299
1300 static void
1301 update_siginfo_msg(time_t exp, const char *srv)
1302 {
1303 /* Note that exp is relative time */
1304 memset(siginfo_msg, 0, sizeof(siginfo_msg));
1305 memcpy(&siginfo_msg, "Updating...\n", sizeof("Updating...\n"));
1306 if (exp) {
1307 if (srv == NULL) {
1308 snprintf(siginfo_msg, sizeof(siginfo_msg),
1309 N_("kinit: TGT expires in %llu seconds\n", ""),
1310 (unsigned long long)expire);
1311 } else {
1312 snprintf(siginfo_msg, sizeof(siginfo_msg),
1313 N_("kinit: Ticket for %s expired\n", ""), srv);
1314 }
1315 return;
1316 }
1317
1318 /* Expired creds */
1319 if (srv == NULL) {
1320 snprintf(siginfo_msg, sizeof(siginfo_msg),
1321 N_("kinit: TGT expired\n", ""));
1322 } else {
1323 snprintf(siginfo_msg, sizeof(siginfo_msg),
1324 N_("kinit: Ticket for %s expired\n", ""), srv);
1325 }
1326 }
1327
1328 #ifdef HAVE_SIGACTION
1329 static void
1330 handler(int sig)
1331 {
1332 if (sig == SIGINFO) {
1333 struct iovec iov[2];
1334
1335 iov[0].iov_base = rk_UNCONST(siginfo_msg);
1336 iov[0].iov_len = strlen(siginfo_msg);
1337 iov[1].iov_base = "\n";
1338 iov[1].iov_len = 1;
1339
1340 writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0]));
1341 } /* else ignore interrupts; our progeny will not ignore them */
1342 }
1343 #endif
1344
1345 struct renew_ctx {
1346 krb5_context context;
1347 krb5_ccache ccache;
1348 krb5_principal principal;
1349 krb5_deltat ticket_life;
1350 krb5_deltat timeout;
1351 int anonymous_pkinit;
1352 };
1353
1354 static time_t
1355 renew_func(void *ptr)
1356 {
1357 krb5_error_code ret;
1358 struct renew_ctx *ctx = ptr;
1359 time_t renew_expire;
1360 static time_t exp_delay = 1;
1361
1362 /*
1363 * NOTE: We count on the ccache implementation to notice changes to the
1364 * actual ccache filesystem/whatever objects. There should be no ccache
1365 * types for which this is not the case, but it might not hurt to
1366 * re-krb5_cc_resolve() after each successful renew_validate()/
1367 * get_new_tickets() call.
1368 */
1369
1370 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
1371 server_str, &renew_expire);
1372
1373 /*
1374 * When a keytab is available to obtain new tickets, if we are within
1375 * half of the original ticket lifetime of the renew limit, get a new
1376 * TGT instead of renewing the existing TGT. Note, ctx->ticket_life
1377 * is zero by default (without a '-l' option) and cannot be used to
1378 * set the time scale on which we decide whether we're "close to the
1379 * renew limit".
1380 */
1381 if (use_keytab || keytab_str)
1382 expire += ctx->timeout;
1383 if (renew_expire > expire) {
1384 ret = renew_validate(ctx->context, 1, validate_flag, &ctx->ccache,
1385 NULL, FALSE, server_str, ctx->ticket_life);
1386 } else {
1387 ret = get_new_tickets(ctx->context, ctx->principal, ctx->ccache,
1388 ctx->ticket_life, 0, ctx->anonymous_pkinit);
1389 }
1390 if (ret == 0) {
1391 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
1392 server_str, &renew_expire);
1393
1394 #ifndef NO_AFS
1395 if (server_str == NULL && do_afslog && k_hasafs())
1396 krb5_afslog(ctx->context, ctx->ccache, NULL, NULL);
1397 #endif
1398 }
1399
1400 update_siginfo_msg(expire, server_str);
1401
1402 /*
1403 * If our tickets have expired and we been able to either renew them
1404 * or obtain new tickets, then we still call this function but we use
1405 * an exponential backoff. This should take care of the case where
1406 * we are using stored credentials but the KDC has been unavailable
1407 * for some reason...
1408 */
1409
1410 if (expire < 1) {
1411 /*
1412 * We can't ask to keep spamming stderr but not syslog, so we warn
1413 * only once.
1414 */
1415 if (exp_delay == 1) {
1416 krb5_warnx(ctx->context, N_("NOTICE: Could not renew/refresh "
1417 "tickets", ""));
1418 }
1419 if (exp_delay < 7200)
1420 exp_delay += exp_delay / 2 + 1;
1421 return exp_delay;
1422 }
1423 exp_delay = 1;
1424
1425 return expire / 2 + 1;
1426 }
1427
1428 static void
1429 set_princ_realm(krb5_context context,
1430 krb5_principal principal,
1431 const char *realm)
1432 {
1433 krb5_error_code ret;
1434
1435 if ((ret = krb5_principal_set_realm(context, principal, realm)) != 0)
1436 krb5_err(context, 1, ret, "krb5_principal_set_realm");
1437 }
1438
1439 static void
1440 parse_name_realm(krb5_context context,
1441 const char *name,
1442 int flags,
1443 const char *realm,
1444 krb5_principal *princ)
1445 {
1446 krb5_error_code ret;
1447
1448 if (realm)
1449 flags |= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
1450 if ((ret = krb5_parse_name_flags(context, name, flags, princ)) != 0)
1451 krb5_err(context, 1, ret, "krb5_parse_name_flags");
1452 if (realm && krb5_principal_get_realm(context, *princ) == NULL)
1453 set_princ_realm(context, *princ, realm);
1454 }
1455
1456 static char *
1457 get_default_realm(krb5_context context)
1458 {
1459 char *realm;
1460 krb5_error_code ret;
1461
1462 if ((ret = krb5_get_default_realm(context, &realm)) != 0)
1463 krb5_err(context, 1, ret, "krb5_get_default_realm");
1464 return realm;
1465 }
1466
1467 static void
1468 get_default_principal(krb5_context context, krb5_principal *princ)
1469 {
1470 krb5_error_code ret;
1471
1472 if ((ret = krb5_get_default_principal(context, princ)) != 0)
1473 krb5_err(context, 1, ret, "krb5_get_default_principal");
1474 }
1475
1476 static char *
1477 get_user_realm(krb5_context context)
1478 {
1479 krb5_error_code ret;
1480 char *user_realm = NULL;
1481
1482 /*
1483 * If memory allocation fails, we don't try to use the wrong realm,
1484 * that will trigger misleading error messages complicate support.
1485 */
1486 krb5_appdefault_string(context, "kinit", NULL, "user_realm", "",
1487 &user_realm);
1488 if (user_realm == NULL) {
1489 ret = krb5_enomem(context);
1490 krb5_err(context, 1, ret, "krb5_appdefault_string");
1491 }
1492
1493 if (*user_realm == 0) {
1494 free(user_realm);
1495 user_realm = NULL;
1496 }
1497
1498 return user_realm;
1499 }
1500
1501 static void
1502 get_princ(krb5_context context,
1503 krb5_principal *principal,
1504 const char *ccname,
1505 const char *name)
1506 {
1507 krb5_error_code ret = 0;
1508 krb5_principal tmp;
1509 int parseflags = 0;
1510 char *user_realm;
1511
1512 if (name == NULL) {
1513 krb5_ccache ccache = NULL;
1514
1515 /* If credential cache provides a client principal, use that. */
1516 if (ccname)
1517 ret = krb5_cc_resolve(context, ccname, &ccache);
1518 else
1519 ret = krb5_cc_default(context, &ccache);
1520 if (ret == 0)
1521 ret = krb5_cc_get_principal(context, ccache, principal);
1522 krb5_cc_close(context, ccache);
1523 if (ret == 0)
1524 return;
1525 }
1526
1527 user_realm = get_user_realm(context);
1528
1529 if (name) {
1530 if (enterprise_flag)
1531 parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
1532
1533 parse_name_realm(context, name, parseflags, user_realm, &tmp);
1534
1535 if (user_realm && krb5_principal_get_num_comp(context, tmp) > 1) {
1536 /* Principal is instance qualified, reparse with default realm. */
1537 krb5_free_principal(context, tmp);
1538 parse_name_realm(context, name, parseflags, NULL, principal);
1539 } else {
1540 *principal = tmp;
1541 }
1542 } else {
1543 get_default_principal(context, principal);
1544 if (user_realm)
1545 set_princ_realm(context, *principal, user_realm);
1546 }
1547
1548 if (user_realm)
1549 free(user_realm);
1550 }
1551
1552 static void
1553 get_princ_kt(krb5_context context,
1554 krb5_principal *principal,
1555 char *name)
1556 {
1557 krb5_error_code ret;
1558 krb5_principal tmp;
1559 krb5_ccache ccache;
1560 krb5_kt_cursor cursor;
1561 krb5_keytab_entry entry;
1562 char *def_realm;
1563
1564 if (name == NULL) {
1565 /*
1566 * If the credential cache exists and specifies a client principal,
1567 * use that.
1568 */
1569 if (krb5_cc_default(context, &ccache) == 0) {
1570 ret = krb5_cc_get_principal(context, ccache, principal);
1571 krb5_cc_close(context, ccache);
1572 if (ret == 0)
1573 return;
1574 }
1575 }
1576
1577 if (name) {
1578 /* If the principal specifies an explicit realm, just use that. */
1579 int parseflags = KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
1580
1581 parse_name_realm(context, name, parseflags, NULL, &tmp);
1582 if (krb5_principal_get_realm(context, tmp) != NULL) {
1583 *principal = tmp;
1584 return;
1585 }
1586 } else {
1587 /* Otherwise, search keytab for bare name of the default principal. */
1588 get_default_principal(context, &tmp);
1589 set_princ_realm(context, tmp, NULL);
1590 }
1591
1592 def_realm = get_default_realm(context);
1593
1594 ret = krb5_kt_start_seq_get(context, kt, &cursor);
1595 if (ret)
1596 krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
1597
1598 while (ret == 0 &&
1599 krb5_kt_next_entry(context, kt, &entry, &cursor) == 0) {
1600 const char *realm;
1601
1602 if (!krb5_principal_compare_any_realm(context, tmp, entry.principal))
1603 continue;
1604 if (*principal &&
1605 krb5_principal_compare(context, *principal, entry.principal))
1606 continue;
1607 /* The default realm takes precedence */
1608 realm = krb5_principal_get_realm(context, entry.principal);
1609 if (*principal && strcmp(def_realm, realm) == 0) {
1610 krb5_free_principal(context, *principal);
1611 ret = krb5_copy_principal(context, entry.principal, principal);
1612 break;
1613 }
1614 if (!*principal)
1615 ret = krb5_copy_principal(context, entry.principal, principal);
1616 }
1617 if (ret != 0 || (ret = krb5_kt_end_seq_get(context, kt, &cursor)) != 0)
1618 krb5_err(context, 1, ret, "get_princ_kt");
1619 if (!*principal) {
1620 if (name)
1621 parse_name_realm(context, name, 0, NULL, principal);
1622 else
1623 krb5_err(context, 1, KRB5_CC_NOTFOUND, "get_princ_kt");
1624 }
1625
1626 krb5_free_principal(context, tmp);
1627 free(def_realm);
1628 }
1629
1630 static krb5_error_code
1631 get_switched_ccache(krb5_context context,
1632 const char * type,
1633 krb5_principal principal,
1634 krb5_ccache *ccache)
1635 {
1636 krb5_error_code ret;
1637
1638 #ifdef _WIN32
1639 if (strcmp(type, "API") == 0) {
1640 /*
1641 * Windows stores the default ccache name in the
1642 * registry which is shared across multiple logon
1643 * sessions for the same user. The API credential
1644 * cache provides a unique name space per logon
1645 * session. Therefore there is no need to generate
1646 * a unique ccache name. Instead use the principal
1647 * name. This provides a friendlier user experience.
1648 */
1649 char * unparsed_name;
1650 char * cred_cache;
1651
1652 ret = krb5_unparse_name(context, principal,
1653 &unparsed_name);
1654 if (ret)
1655 krb5_err(context, 1, ret,
1656 N_("unparsing principal name", ""));
1657
1658 ret = asprintf(&cred_cache, "API:%s", unparsed_name);
1659 krb5_free_unparsed_name(context, unparsed_name);
1660 if (ret == -1 || cred_cache == NULL)
1661 krb5_err(context, 1, ret,
1662 N_("building credential cache name", ""));
1663
1664 ret = krb5_cc_resolve(context, cred_cache, ccache);
1665 free(cred_cache);
1666 } else if (strcmp(type, "MSLSA") == 0) {
1667 /*
1668 * The Windows MSLSA cache when it is writeable
1669 * stores tickets for multiple client principals
1670 * in a single credential cache.
1671 */
1672 ret = krb5_cc_resolve(context, "MSLSA:", ccache);
1673 } else {
1674 ret = krb5_cc_new_unique(context, type, NULL, ccache);
1675 }
1676 #else /* !_WIN32 */
1677 ret = krb5_cc_new_unique(context, type, NULL, ccache);
1678 #endif /* _WIN32 */
1679
1680 return ret;
1681 }
1682
1683 int
1684 main(int argc, char **argv)
1685 {
1686 krb5_error_code ret;
1687 krb5_context context;
1688 krb5_ccache ccache;
1689 krb5_principal principal = NULL;
1690 int optidx = 0;
1691 krb5_deltat ticket_life = 0;
1692 #ifdef HAVE_SIGACTION
1693 struct sigaction sa;
1694 #endif
1695 krb5_boolean unique_ccache = FALSE;
1696 krb5_boolean historical_anon_pkinit = FALSE;
1697 int anonymous_pkinit = FALSE;
1698
1699 setprogname(argv[0]);
1700
1701 setlocale(LC_ALL, "");
1702 bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR);
1703 textdomain("heimdal_kuser");
1704
1705 ret = krb5_init_context(&context);
1706 if (ret == KRB5_CONFIG_BADFORMAT)
1707 krb5_err(context, 1, ret, "Failed to parse configuration file");
1708 else if (ret == EISDIR)
1709 /* We use EISDIR to mean "not a regular file" */
1710 krb5_errx(context, 1,
1711 "Failed to read configuration file: not a regular file");
1712 else if (ret)
1713 krb5_err(context, 1, ret, "Failed to read configuration file");
1714
1715 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
1716 usage(1);
1717
1718 if (help_flag)
1719 usage(0);
1720
1721 if (version_flag) {
1722 print_version(NULL);
1723 exit(0);
1724 }
1725
1726 argc -= optidx;
1727 argv += optidx;
1728
1729 krb5_appdefault_boolean(context, "kinit", NULL, "historical_anon_pkinit",
1730 FALSE, &historical_anon_pkinit);
1731
1732 /*
1733 * Open the keytab now, we use the keytab to determine the principal's
1734 * realm when the requested principal has no realm.
1735 */
1736 if (use_keytab || keytab_str) {
1737 if (keytab_str)
1738 ret = krb5_kt_resolve(context, keytab_str, &kt);
1739 else
1740 ret = krb5_kt_default(context, &kt);
1741 if (ret)
1742 krb5_err(context, 1, ret, "resolving keytab");
1743 }
1744
1745 if (pk_enterprise_flag) {
1746 ret = krb5_pk_enterprise_cert(context, pk_user_id,
1747 argv[0], &principal,
1748 &ent_user_id);
1749 if (ret)
1750 krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
1751
1752 pk_user_id = NULL;
1753 if (pk_anon_fast_armor > 0)
1754 krb5_warnx(context, N_("Ignoring --pk-anon-fast-armor "
1755 "because --pk-user given", ""));
1756 pk_anon_fast_armor = 0;
1757 } else if (argc && argv[0][0] == '@' &&
1758 (gss_preauth_mech || anonymous_flag)) {
1759 const char *instance = NULL;
1760
1761 if (gss_preauth_mech) {
1762 instance = KRB5_FEDERATED_NAME;
1763 } else if (anonymous_flag) {
1764 instance = KRB5_ANON_NAME;
1765 anonymous_pkinit = TRUE;
1766 }
1767
1768 ret = make_wellknown_name(context, &argv[0][1], instance, &principal);
1769 if (ret)
1770 krb5_err(context, 1, ret, "make_wellknown_name");
1771 if (!gss_preauth_mech && pk_anon_fast_armor > 1) {
1772 krb5_warnx(context, N_("Ignoring --pk-anon-fast-armor "
1773 "because --anonymous given", ""));
1774 pk_anon_fast_armor = 0;
1775 }
1776 } else if (anonymous_flag && historical_anon_pkinit) {
1777 char *realm = argc == 0 ? get_default_realm(context) :
1778 argv[0][0] == '@' ? &argv[0][1] : argv[0];
1779
1780 ret = krb5_make_principal(context, &principal, realm,
1781 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL);
1782 if (ret)
1783 krb5_err(context, 1, ret, "krb5_make_principal");
1784 krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
1785 anonymous_pkinit = TRUE;
1786 } else if (use_keytab || keytab_str) {
1787 get_princ_kt(context, &principal, argv[0]);
1788 } else if (gss_preauth_mech && argc == 0 && gss_preauth_name == NULL) {
1789 /*
1790 * Use the federated name as a placeholder if we have neither a Kerberos
1791 * nor a GSS-API client name, and we are performing GSS-API preauth.
1792 */
1793 ret = make_wellknown_name(context, get_default_realm(context),
1794 KRB5_FEDERATED_NAME, &principal);
1795 if (ret)
1796 krb5_err(context, 1, ret, "make_wellknown_name");
1797 } else {
1798 get_princ(context, &principal, cred_cache, argv[0]);
1799 }
1800
1801 if (fcache_version)
1802 krb5_set_fcache_version(context, fcache_version);
1803
1804 if (renewable_flag == -1)
1805 /* this seems somewhat pointless, but whatever */
1806 krb5_appdefault_boolean(context, "kinit",
1807 krb5_principal_get_realm(context, principal),
1808 "renewable", FALSE, &renewable_flag);
1809 if (do_afslog == -1)
1810 krb5_appdefault_boolean(context, "kinit",
1811 krb5_principal_get_realm(context, principal),
1812 "afslog", TRUE, &do_afslog);
1813
1814 /*
1815 * Cases:
1816 *
1817 * - use the given ccache
1818 * - use a new unique ccache for running a command with (in this case we
1819 * get to set KRB5CCNAME, so a new unique ccache makes sense)
1820 * - use the default ccache for the given principal as requested and do
1821 * not later switch the collection's default/primary to it
1822 * - use the default cache, possibly a new unique one that later gets
1823 * switched to it
1824 *
1825 * The important thing is that, except for the case where we're running a
1826 * command, we _can't set KRB5CCNAME_, and we can't expect the user to read
1827 * our output and figure out to set it (we could have an output-for-shell-
1828 * eval mode, like ssh-agent and such, but we don't). Therefore, in all
1829 * cases where we can't set KRB5CCNAME we must do something that makes
1830 * sense to the user, and that is to either initialize a given ccache, use
1831 * the default, or use a subsidiary ccache named after the principal whose
1832 * creds we're initializing.
1833 */
1834 if (cred_cache) {
1835 /* Use the given ccache */
1836 ret = krb5_cc_resolve(context, cred_cache, &ccache);
1837 } else if (argc > 1) {
1838 char s[1024];
1839
1840 /*
1841 * A command was given, so use a new unique ccache (and destroy it
1842 * later).
1843 */
1844 ret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
1845 if (ret)
1846 krb5_err(context, 1, ret, "creating cred cache");
1847 snprintf(s, sizeof(s), "%s:%s",
1848 krb5_cc_get_type(context, ccache),
1849 krb5_cc_get_name(context, ccache));
1850 setenv("KRB5CCNAME", s, 1);
1851 unique_ccache = TRUE;
1852 switch_cache_flags = 0;
1853 } else if (default_for) {
1854 ret = krb5_cc_default_for(context, principal, &ccache);
1855 if (switch_cache_flags == -1)
1856 switch_cache_flags = 0;
1857 } else {
1858 ret = krb5_cc_cache_match(context, principal, &ccache);
1859 if (ret) {
1860 const char *type;
1861 ret = krb5_cc_default(context, &ccache);
1862 if (ret)
1863 krb5_err(context, 1, ret,
1864 N_("resolving credentials cache", ""));
1865
1866 /*
1867 * Check if the type support switching, and we do,
1868 * then do that instead over overwriting the current
1869 * default credential
1870 */
1871 type = krb5_cc_get_type(context, ccache);
1872 if (krb5_cc_support_switch(context, type) &&
1873 strcmp(type, "FILE")) {
1874 krb5_cc_close(context, ccache);
1875 ret = get_switched_ccache(context, type, principal,
1876 &ccache);
1877 if (ret == 0)
1878 unique_ccache = TRUE;
1879 }
1880 }
1881 }
1882 if (ret)
1883 krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
1884
1885 #ifndef NO_AFS
1886 if (argc > 1 && k_hasafs())
1887 k_setpag();
1888 #endif
1889
1890 if (lifetime) {
1891 int tmp = parse_time(lifetime, "s");
1892 if (tmp < 0)
1893 errx(1, N_("unparsable time: %s", ""), lifetime);
1894
1895 ticket_life = tmp;
1896 }
1897
1898 if (addrs_flag == 0 && extra_addresses.num_strings > 0)
1899 krb5_errx(context, 1,
1900 N_("specifying both extra addresses and "
1901 "no addresses makes no sense", ""));
1902 {
1903 int i;
1904 krb5_addresses addresses;
1905 memset(&addresses, 0, sizeof(addresses));
1906 for(i = 0; i < extra_addresses.num_strings; i++) {
1907 ret = krb5_parse_address(context, extra_addresses.strings[i],
1908 &addresses);
1909 if (ret == 0) {
1910 krb5_add_extra_addresses(context, &addresses);
1911 krb5_free_addresses(context, &addresses);
1912 }
1913 }
1914 free_getarg_strings(&extra_addresses);
1915 }
1916
1917 if (renew_flag || validate_flag) {
1918 ret = renew_validate(context, renew_flag, validate_flag,
1919 &ccache, principal,
1920 default_for ? TRUE : FALSE, server_str,
1921 ticket_life);
1922
1923 #ifndef NO_AFS
1924 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1925 krb5_afslog(context, ccache, NULL, NULL);
1926 #endif
1927
1928 if (unique_ccache)
1929 krb5_cc_destroy(context, ccache);
1930 exit(ret != 0);
1931 }
1932
1933 ret = get_new_tickets(context, principal, ccache, ticket_life,
1934 1, anonymous_pkinit);
1935 if (ret) {
1936 if (unique_ccache)
1937 krb5_cc_destroy(context, ccache);
1938 exit(1);
1939 }
1940
1941 #ifndef NO_AFS
1942 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1943 krb5_afslog(context, ccache, NULL, NULL);
1944 #endif
1945
1946 if (argc > 1) {
1947 struct renew_ctx ctx;
1948 time_t timeout;
1949
1950 timeout = ticket_lifetime(context, ccache, principal,
1951 server_str, NULL) / 2;
1952
1953 ctx.context = context;
1954 ctx.ccache = ccache;
1955 ctx.principal = principal;
1956 ctx.ticket_life = ticket_life;
1957 ctx.timeout = timeout;
1958 ctx.anonymous_pkinit = anonymous_pkinit;
1959
1960 #ifdef HAVE_SIGACTION
1961 memset(&sa, 0, sizeof(sa));
1962 sigemptyset(&sa.sa_mask);
1963 sa.sa_handler = handler;
1964
1965 sigaction(SIGINFO, &sa, NULL);
1966 sigaction(SIGINT, &sa, NULL);
1967 sigaction(SIGQUIT, &sa, NULL);
1968 #endif
1969
1970 ret = simple_execvp_timed(argv[1], argv+1,
1971 renew_func, &ctx, timeout);
1972 #define EX_NOEXEC 126
1973 #define EX_NOTFOUND 127
1974 if (ret == EX_NOEXEC)
1975 krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
1976 else if (ret == EX_NOTFOUND)
1977 krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
1978
1979 krb5_cc_destroy(context, ccache);
1980 #ifndef NO_AFS
1981 if (k_hasafs())
1982 k_unlog();
1983 #endif
1984 } else {
1985 krb5_cc_close(context, ccache);
1986 ret = 0;
1987 }
1988 krb5_free_principal(context, principal);
1989 if (kt)
1990 krb5_kt_close(context, kt);
1991 krb5_free_context(context);
1992 return ret;
1993 }
GSS-enabled samba4