2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
36 typedef struct krb5_get_init_creds_ctx
{
39 krb5_addresses
*addrs
;
41 krb5_preauthtype
*pre_auth_types
;
50 /* password and keytab_data is freed on completion */
52 krb5_keytab_key_proc_args
*keytab_data
;
54 krb5_pointer
*keyseed
;
55 krb5_s2k_proc keyproc
;
57 krb5_get_init_creds_tristate req_pac
;
59 krb5_pk_init_ctx pk_init_ctx
;
65 EncKDCRepPart enc_part
;
67 krb5_prompter_fct prompter
;
70 } krb5_get_init_creds_ctx
;
72 static krb5_error_code
73 default_s2k_func(krb5_context context
, krb5_enctype type
,
74 krb5_const_pointer keyseed
,
75 krb5_salt salt
, krb5_data
*s2kparms
,
82 password
.data
= rk_UNCONST(keyseed
);
83 password
.length
= strlen(keyseed
);
87 krb5_data_zero(&opaque
);
89 *key
= malloc(sizeof(**key
));
92 ret
= krb5_string_to_key_data_salt_opaque(context
, type
, password
,
102 free_init_creds_ctx(krb5_context context
, krb5_init_creds_context ctx
)
106 if (ctx
->pre_auth_types
)
107 free (ctx
->pre_auth_types
);
108 if (ctx
->in_tkt_service
)
109 free(ctx
->in_tkt_service
);
112 if (ctx
->keytab_data
)
113 free(ctx
->keytab_data
);
114 krb5_data_free(&ctx
->req_buffer
);
115 krb5_free_cred_contents(context
, &ctx
->cred
);
116 free_METHOD_DATA(&ctx
->md
);
117 free_AS_REP(&ctx
->as_rep
);
118 free_EncKDCRepPart(&ctx
->enc_part
);
119 free_KRB_ERROR(&ctx
->error
);
120 free_AS_REQ(&ctx
->as_req
);
121 memset(ctx
, 0, sizeof(*ctx
));
125 get_config_time (krb5_context context
,
132 ret
= krb5_config_get_time (context
, NULL
,
139 ret
= krb5_config_get_time (context
, NULL
,
148 static krb5_error_code
149 init_cred (krb5_context context
,
151 krb5_principal client
,
152 krb5_deltat start_time
,
153 krb5_get_init_creds_opt
*options
)
159 krb5_timeofday (context
, &now
);
161 memset (cred
, 0, sizeof(*cred
));
164 krb5_copy_principal(context
, client
, &cred
->client
);
166 ret
= krb5_get_default_principal (context
,
173 cred
->times
.starttime
= now
+ start_time
;
175 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_TKT_LIFE
)
176 tmp
= options
->tkt_life
;
179 cred
->times
.endtime
= now
+ tmp
;
181 if ((options
->flags
& KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE
) &&
182 options
->renew_life
> 0) {
183 cred
->times
.renew_till
= now
+ options
->renew_life
;
189 krb5_free_cred_contents (context
, cred
);
194 * Print a message (str) to the user about the expiration in `lr'
198 report_expiration (krb5_context context
,
199 krb5_prompter_fct prompter
,
206 asprintf (&p
, "%s%s", str
, ctime(&now
));
207 (*prompter
) (context
, data
, NULL
, p
, 0, NULL
);
212 * Check the context, and in the case there is a expiration warning,
213 * use the prompter to print the warning.
215 * @param context A Kerberos 5 context.
216 * @param options An GIC options structure
217 * @param ctx The krb5_init_creds_context check for expiration.
220 static krb5_error_code
221 process_last_request(krb5_context context
,
222 krb5_get_init_creds_opt
*options
,
223 krb5_init_creds_context ctx
)
225 krb5_const_realm realm
;
227 krb5_boolean reported
= FALSE
;
233 * First check if there is a API consumer.
236 realm
= krb5_principal_get_realm (context
, ctx
->cred
.client
);
237 lr
= &ctx
->enc_part
.last_req
;
239 if (options
&& options
->opt_private
&& options
->opt_private
->lr
.func
) {
240 krb5_last_req_entry
**lre
;
242 lre
= calloc(lr
->len
+ 1, sizeof(**lre
));
244 krb5_set_error_message(context
, ENOMEM
,
245 N_("malloc: out of memory", ""));
248 for (i
= 0; i
< lr
->len
; i
++) {
249 lre
[i
] = calloc(1, sizeof(*lre
[i
]));
252 lre
[i
]->lr_type
= lr
->val
[i
].lr_type
;
253 lre
[i
]->value
= lr
->val
[i
].lr_value
;
256 (*options
->opt_private
->lr
.func
)(context
, lre
,
257 options
->opt_private
->lr
.ctx
);
259 for (i
= 0; i
< lr
->len
; i
++)
265 * Now check if we should prompt the user
268 if (ctx
->prompter
== NULL
)
271 krb5_timeofday (context
, &sec
);
273 t
= sec
+ get_config_time (context
,
278 for (i
= 0; i
< lr
->len
; ++i
) {
279 if (lr
->val
[i
].lr_value
<= t
) {
280 switch (abs(lr
->val
[i
].lr_type
)) {
282 report_expiration(context
, ctx
->prompter
,
284 "Your password will expire at ",
285 lr
->val
[i
].lr_value
);
288 case LR_ACCT_EXPTIME
:
289 report_expiration(context
, ctx
->prompter
,
291 "Your account will expire at ",
292 lr
->val
[i
].lr_value
);
300 && ctx
->enc_part
.key_expiration
301 && *ctx
->enc_part
.key_expiration
<= t
) {
302 report_expiration(context
, ctx
->prompter
,
304 "Your password/account will expire at ",
305 *ctx
->enc_part
.key_expiration
);
310 static krb5_addresses no_addrs
= { 0, NULL
};
312 static krb5_error_code
313 get_init_creds_common(krb5_context context
,
314 krb5_principal client
,
315 krb5_deltat start_time
,
316 krb5_get_init_creds_opt
*options
,
317 krb5_init_creds_context ctx
)
319 krb5_get_init_creds_opt
*default_opt
= NULL
;
321 krb5_enctype
*etypes
;
322 krb5_preauthtype
*pre_auth_types
;
324 memset(ctx
, 0, sizeof(*ctx
));
326 if (options
== NULL
) {
327 const char *realm
= krb5_principal_get_realm(context
, client
);
329 krb5_get_init_creds_opt_alloc (context
, &default_opt
);
330 options
= default_opt
;
331 krb5_get_init_creds_opt_set_default_flags(context
, NULL
, realm
, options
);
334 if (options
->opt_private
) {
335 if (options
->opt_private
->password
) {
336 ret
= krb5_init_creds_set_password(context
, ctx
,
337 options
->opt_private
->password
);
342 ctx
->keyproc
= options
->opt_private
->key_proc
;
343 ctx
->req_pac
= options
->opt_private
->req_pac
;
344 ctx
->pk_init_ctx
= options
->opt_private
->pk_init_ctx
;
345 ctx
->ic_flags
= options
->opt_private
->flags
;
347 ctx
->req_pac
= KRB5_INIT_CREDS_TRISTATE_UNSET
;
349 if (ctx
->keyproc
== NULL
)
350 ctx
->keyproc
= default_s2k_func
;
352 /* Enterprise name implicitly turns on canonicalize */
353 if ((ctx
->ic_flags
& KRB5_INIT_CREDS_CANONICALIZE
) ||
354 krb5_principal_get_type(context
, client
) == KRB5_NT_ENTERPRISE_PRINCIPAL
)
355 ctx
->flags
.canonicalize
= 1;
357 ctx
->pre_auth_types
= NULL
;
360 ctx
->pre_auth_types
= NULL
;
362 ret
= init_cred(context
, &ctx
->cred
, client
, start_time
, options
);
365 krb5_get_init_creds_opt_free(context
, default_opt
);
369 ret
= krb5_init_creds_set_service(context
, ctx
, NULL
);
373 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_FORWARDABLE
)
374 ctx
->flags
.forwardable
= options
->forwardable
;
376 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_PROXIABLE
)
377 ctx
->flags
.proxiable
= options
->proxiable
;
380 ctx
->flags
.postdated
= 1;
381 if (ctx
->cred
.times
.renew_till
)
382 ctx
->flags
.renewable
= 1;
383 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST
) {
384 ctx
->addrs
= options
->address_list
;
385 } else if (options
->opt_private
) {
386 switch (options
->opt_private
->addressless
) {
387 case KRB5_INIT_CREDS_TRISTATE_UNSET
:
388 #if KRB5_ADDRESSLESS_DEFAULT == TRUE
389 ctx
->addrs
= &no_addrs
;
394 case KRB5_INIT_CREDS_TRISTATE_FALSE
:
397 case KRB5_INIT_CREDS_TRISTATE_TRUE
:
398 ctx
->addrs
= &no_addrs
;
402 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST
) {
406 etypes
= malloc((options
->etype_list_length
+ 1)
407 * sizeof(krb5_enctype
));
408 if (etypes
== NULL
) {
410 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
413 memcpy (etypes
, options
->etype_list
,
414 options
->etype_list_length
* sizeof(krb5_enctype
));
415 etypes
[options
->etype_list_length
] = ETYPE_NULL
;
416 ctx
->etypes
= etypes
;
418 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST
) {
419 pre_auth_types
= malloc((options
->preauth_list_length
+ 1)
420 * sizeof(krb5_preauthtype
));
421 if (pre_auth_types
== NULL
) {
423 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
426 memcpy (pre_auth_types
, options
->preauth_list
,
427 options
->preauth_list_length
* sizeof(krb5_preauthtype
));
428 pre_auth_types
[options
->preauth_list_length
] = KRB5_PADATA_NONE
;
429 ctx
->pre_auth_types
= pre_auth_types
;
431 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_ANONYMOUS
)
432 ctx
->flags
.request_anonymous
= options
->anonymous
;
434 krb5_get_init_creds_opt_free(context
, default_opt
);
438 krb5_get_init_creds_opt_free(context
, default_opt
);
442 static krb5_error_code
443 change_password (krb5_context context
,
444 krb5_principal client
,
445 const char *password
,
448 krb5_prompter_fct prompter
,
450 krb5_get_init_creds_opt
*old_options
)
452 krb5_prompt prompts
[2];
455 char buf1
[BUFSIZ
], buf2
[BUFSIZ
];
456 krb5_data password_data
[2];
458 krb5_data result_code_string
;
459 krb5_data result_string
;
461 krb5_get_init_creds_opt
*options
;
463 memset (&cpw_cred
, 0, sizeof(cpw_cred
));
465 ret
= krb5_get_init_creds_opt_alloc(context
, &options
);
468 krb5_get_init_creds_opt_set_tkt_life (options
, 60);
469 krb5_get_init_creds_opt_set_forwardable (options
, FALSE
);
470 krb5_get_init_creds_opt_set_proxiable (options
, FALSE
);
471 if (old_options
&& old_options
->flags
& KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST
)
472 krb5_get_init_creds_opt_set_preauth_list (options
,
473 old_options
->preauth_list
,
474 old_options
->preauth_list_length
);
476 krb5_data_zero (&result_code_string
);
477 krb5_data_zero (&result_string
);
479 ret
= krb5_get_init_creds_password (context
,
488 krb5_get_init_creds_opt_free(context
, options
);
493 password_data
[0].data
= buf1
;
494 password_data
[0].length
= sizeof(buf1
);
496 prompts
[0].hidden
= 1;
497 prompts
[0].prompt
= "New password: ";
498 prompts
[0].reply
= &password_data
[0];
499 prompts
[0].type
= KRB5_PROMPT_TYPE_NEW_PASSWORD
;
501 password_data
[1].data
= buf2
;
502 password_data
[1].length
= sizeof(buf2
);
504 prompts
[1].hidden
= 1;
505 prompts
[1].prompt
= "Repeat new password: ";
506 prompts
[1].reply
= &password_data
[1];
507 prompts
[1].type
= KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
;
509 ret
= (*prompter
) (context
, data
, NULL
, "Changing password",
512 memset (buf1
, 0, sizeof(buf1
));
513 memset (buf2
, 0, sizeof(buf2
));
517 if (strcmp (buf1
, buf2
) == 0)
519 memset (buf1
, 0, sizeof(buf1
));
520 memset (buf2
, 0, sizeof(buf2
));
523 ret
= krb5_set_password (context
,
532 asprintf (&p
, "%s: %.*s\n",
533 result_code
? "Error" : "Success",
534 (int)result_string
.length
,
535 result_string
.length
> 0 ? (char*)result_string
.data
: "");
537 /* return the result */
538 (*prompter
) (context
, data
, NULL
, p
, 0, NULL
);
541 if (result_code
== 0) {
542 strlcpy (newpw
, buf1
, newpw_sz
);
546 krb5_set_error_message(context
, ret
,
547 N_("failed changing password", ""));
551 memset (buf1
, 0, sizeof(buf1
));
552 memset (buf2
, 0, sizeof(buf2
));
553 krb5_data_free (&result_string
);
554 krb5_data_free (&result_code_string
);
555 krb5_free_cred_contents (context
, &cpw_cred
);
560 krb5_error_code KRB5_LIB_FUNCTION
561 krb5_keyblock_key_proc (krb5_context context
,
564 krb5_const_pointer keyseed
,
567 return krb5_copy_keyblock (context
, keyseed
, key
);
574 static krb5_error_code
575 init_as_req (krb5_context context
,
577 const krb5_creds
*creds
,
578 const krb5_addresses
*addrs
,
579 const krb5_enctype
*etypes
,
584 memset(a
, 0, sizeof(*a
));
587 a
->msg_type
= krb_as_req
;
588 a
->req_body
.kdc_options
= opts
;
589 a
->req_body
.cname
= malloc(sizeof(*a
->req_body
.cname
));
590 if (a
->req_body
.cname
== NULL
) {
592 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
595 a
->req_body
.sname
= malloc(sizeof(*a
->req_body
.sname
));
596 if (a
->req_body
.sname
== NULL
) {
598 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
602 ret
= _krb5_principal2principalname (a
->req_body
.cname
, creds
->client
);
605 ret
= copy_Realm(&creds
->client
->realm
, &a
->req_body
.realm
);
609 ret
= _krb5_principal2principalname (a
->req_body
.sname
, creds
->server
);
613 if(creds
->times
.starttime
) {
614 a
->req_body
.from
= malloc(sizeof(*a
->req_body
.from
));
615 if (a
->req_body
.from
== NULL
) {
617 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
620 *a
->req_body
.from
= creds
->times
.starttime
;
622 if(creds
->times
.endtime
){
623 ALLOC(a
->req_body
.till
, 1);
624 *a
->req_body
.till
= creds
->times
.endtime
;
626 if(creds
->times
.renew_till
){
627 a
->req_body
.rtime
= malloc(sizeof(*a
->req_body
.rtime
));
628 if (a
->req_body
.rtime
== NULL
) {
630 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
633 *a
->req_body
.rtime
= creds
->times
.renew_till
;
635 a
->req_body
.nonce
= 0;
636 ret
= krb5_init_etype (context
,
637 &a
->req_body
.etype
.len
,
638 &a
->req_body
.etype
.val
,
644 * This means no addresses
647 if (addrs
&& addrs
->len
== 0) {
648 a
->req_body
.addresses
= NULL
;
650 a
->req_body
.addresses
= malloc(sizeof(*a
->req_body
.addresses
));
651 if (a
->req_body
.addresses
== NULL
) {
653 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
658 ret
= krb5_copy_addresses(context
, addrs
, a
->req_body
.addresses
);
660 ret
= krb5_get_all_client_addrs (context
, a
->req_body
.addresses
);
661 if(ret
== 0 && a
->req_body
.addresses
->len
== 0) {
662 free(a
->req_body
.addresses
);
663 a
->req_body
.addresses
= NULL
;
670 a
->req_body
.enc_authorization_data
= NULL
;
671 a
->req_body
.additional_tickets
= NULL
;
678 memset(a
, 0, sizeof(*a
));
682 struct pa_info_data
{
685 krb5_data
*s2kparams
;
689 free_paid(krb5_context context
, struct pa_info_data
*ppaid
)
691 krb5_free_salt(context
, ppaid
->salt
);
692 if (ppaid
->s2kparams
)
693 krb5_free_data(context
, ppaid
->s2kparams
);
697 static krb5_error_code
698 set_paid(struct pa_info_data
*paid
, krb5_context context
,
700 krb5_salttype salttype
, void *salt_string
, size_t salt_len
,
701 krb5_data
*s2kparams
)
704 paid
->salt
.salttype
= salttype
;
705 paid
->salt
.saltvalue
.data
= malloc(salt_len
+ 1);
706 if (paid
->salt
.saltvalue
.data
== NULL
) {
707 krb5_clear_error_message(context
);
710 memcpy(paid
->salt
.saltvalue
.data
, salt_string
, salt_len
);
711 ((char *)paid
->salt
.saltvalue
.data
)[salt_len
] = '\0';
712 paid
->salt
.saltvalue
.length
= salt_len
;
716 ret
= krb5_copy_data(context
, s2kparams
, &paid
->s2kparams
);
718 krb5_clear_error_message(context
);
719 krb5_free_salt(context
, paid
->salt
);
723 paid
->s2kparams
= NULL
;
728 static struct pa_info_data
*
729 pa_etype_info2(krb5_context context
,
730 const krb5_principal client
,
732 struct pa_info_data
*paid
,
733 heim_octet_string
*data
)
740 memset(&e
, 0, sizeof(e
));
741 ret
= decode_ETYPE_INFO2(data
->data
, data
->length
, &e
, &sz
);
746 for (j
= 0; j
< asreq
->req_body
.etype
.len
; j
++) {
747 for (i
= 0; i
< e
.len
; i
++) {
748 if (asreq
->req_body
.etype
.val
[j
] == e
.val
[i
].etype
) {
750 if (e
.val
[i
].salt
== NULL
)
751 ret
= krb5_get_pw_salt(context
, client
, &salt
);
753 salt
.saltvalue
.data
= *e
.val
[i
].salt
;
754 salt
.saltvalue
.length
= strlen(*e
.val
[i
].salt
);
758 ret
= set_paid(paid
, context
, e
.val
[i
].etype
,
761 salt
.saltvalue
.length
,
763 if (e
.val
[i
].salt
== NULL
)
764 krb5_free_salt(context
, salt
);
766 free_ETYPE_INFO2(&e
);
773 free_ETYPE_INFO2(&e
);
777 static struct pa_info_data
*
778 pa_etype_info(krb5_context context
,
779 const krb5_principal client
,
781 struct pa_info_data
*paid
,
782 heim_octet_string
*data
)
789 memset(&e
, 0, sizeof(e
));
790 ret
= decode_ETYPE_INFO(data
->data
, data
->length
, &e
, &sz
);
795 for (j
= 0; j
< asreq
->req_body
.etype
.len
; j
++) {
796 for (i
= 0; i
< e
.len
; i
++) {
797 if (asreq
->req_body
.etype
.val
[j
] == e
.val
[i
].etype
) {
799 salt
.salttype
= KRB5_PW_SALT
;
800 if (e
.val
[i
].salt
== NULL
)
801 ret
= krb5_get_pw_salt(context
, client
, &salt
);
803 salt
.saltvalue
= *e
.val
[i
].salt
;
806 if (e
.val
[i
].salttype
)
807 salt
.salttype
= *e
.val
[i
].salttype
;
809 ret
= set_paid(paid
, context
, e
.val
[i
].etype
,
812 salt
.saltvalue
.length
,
814 if (e
.val
[i
].salt
== NULL
)
815 krb5_free_salt(context
, salt
);
829 static struct pa_info_data
*
830 pa_pw_or_afs3_salt(krb5_context context
,
831 const krb5_principal client
,
833 struct pa_info_data
*paid
,
834 heim_octet_string
*data
)
837 if (paid
->etype
== ENCTYPE_NULL
)
839 ret
= set_paid(paid
, context
,
852 krb5_preauthtype type
;
853 struct pa_info_data
*(*salt_info
)(krb5_context
,
854 const krb5_principal
,
856 struct pa_info_data
*,
857 heim_octet_string
*);
860 static struct pa_info pa_prefs
[] = {
861 { KRB5_PADATA_ETYPE_INFO2
, pa_etype_info2
},
862 { KRB5_PADATA_ETYPE_INFO
, pa_etype_info
},
863 { KRB5_PADATA_PW_SALT
, pa_pw_or_afs3_salt
},
864 { KRB5_PADATA_AFS3_SALT
, pa_pw_or_afs3_salt
}
868 find_pa_data(const METHOD_DATA
*md
, int type
)
873 for (i
= 0; i
< md
->len
; i
++)
874 if (md
->val
[i
].padata_type
== type
)
879 static struct pa_info_data
*
880 process_pa_info(krb5_context context
,
881 const krb5_principal client
,
883 struct pa_info_data
*paid
,
886 struct pa_info_data
*p
= NULL
;
889 for (i
= 0; p
== NULL
&& i
< sizeof(pa_prefs
)/sizeof(pa_prefs
[0]); i
++) {
890 PA_DATA
*pa
= find_pa_data(md
, pa_prefs
[i
].type
);
893 paid
->salt
.salttype
= pa_prefs
[i
].type
;
894 p
= (*pa_prefs
[i
].salt_info
)(context
, client
, asreq
,
895 paid
, &pa
->padata_value
);
900 static krb5_error_code
901 make_pa_enc_timestamp(krb5_context context
, METHOD_DATA
*md
,
902 krb5_enctype etype
, krb5_keyblock
*key
)
908 EncryptedData encdata
;
914 krb5_us_timeofday (context
, &p
.patimestamp
, &usec
);
918 ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC
, buf
, buf_size
, &p
, &len
, ret
);
922 krb5_abortx(context
, "internal error in ASN.1 encoder");
924 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
929 ret
= krb5_encrypt_EncryptedData(context
,
931 KRB5_KU_PA_ENC_TIMESTAMP
,
937 krb5_crypto_destroy(context
, crypto
);
941 ASN1_MALLOC_ENCODE(EncryptedData
, buf
, buf_size
, &encdata
, &len
, ret
);
942 free_EncryptedData(&encdata
);
946 krb5_abortx(context
, "internal error in ASN.1 encoder");
948 ret
= krb5_padata_add(context
, md
, KRB5_PADATA_ENC_TIMESTAMP
, buf
, len
);
954 static krb5_error_code
955 add_enc_ts_padata(krb5_context context
,
957 krb5_principal client
,
958 krb5_s2k_proc keyproc
,
959 krb5_const_pointer keyseed
,
960 krb5_enctype
*enctypes
,
963 krb5_data
*s2kparams
)
971 /* default to standard salt */
972 ret
= krb5_get_pw_salt (context
, client
, &salt2
);
978 enctypes
= context
->etypes
;
980 for (ep
= enctypes
; *ep
!= ETYPE_NULL
; ep
++)
984 for (i
= 0; i
< netypes
; ++i
) {
987 ret
= (*keyproc
)(context
, enctypes
[i
], keyseed
,
988 *salt
, s2kparams
, &key
);
991 ret
= make_pa_enc_timestamp (context
, md
, enctypes
[i
], key
);
992 krb5_free_keyblock (context
, key
);
997 krb5_free_salt(context
, salt2
);
1001 static krb5_error_code
1002 pa_data_to_md_ts_enc(krb5_context context
,
1004 const krb5_principal client
,
1005 krb5_get_init_creds_ctx
*ctx
,
1006 struct pa_info_data
*ppaid
,
1009 if (ctx
->keyproc
== NULL
|| ctx
->keyseed
== NULL
)
1013 add_enc_ts_padata(context
, md
, client
,
1014 ctx
->keyproc
, ctx
->keyseed
,
1016 &ppaid
->salt
, ppaid
->s2kparams
);
1020 /* make a v5 salted pa-data */
1021 add_enc_ts_padata(context
, md
, client
,
1022 ctx
->keyproc
, ctx
->keyseed
,
1023 a
->req_body
.etype
.val
, a
->req_body
.etype
.len
,
1026 /* make a v4 salted pa-data */
1027 salt
.salttype
= KRB5_PW_SALT
;
1028 krb5_data_zero(&salt
.saltvalue
);
1029 add_enc_ts_padata(context
, md
, client
,
1030 ctx
->keyproc
, ctx
->keyseed
,
1031 a
->req_body
.etype
.val
, a
->req_body
.etype
.len
,
1037 static krb5_error_code
1038 pa_data_to_key_plain(krb5_context context
,
1039 const krb5_principal client
,
1040 krb5_get_init_creds_ctx
*ctx
,
1042 krb5_data
*s2kparams
,
1044 krb5_keyblock
**key
)
1046 krb5_error_code ret
;
1048 ret
= (*ctx
->keyproc
)(context
, etype
, ctx
->keyseed
,
1049 salt
, s2kparams
, key
);
1054 static krb5_error_code
1055 pa_data_to_md_pkinit(krb5_context context
,
1057 const krb5_principal client
,
1058 krb5_get_init_creds_ctx
*ctx
,
1061 if (ctx
->pk_init_ctx
== NULL
)
1064 return _krb5_pk_mk_padata(context
,
1070 krb5_set_error_message(context
, EINVAL
,
1071 N_("no support for PKINIT compiled in", ""));
1076 static krb5_error_code
1077 pa_data_add_pac_request(krb5_context context
,
1078 krb5_get_init_creds_ctx
*ctx
,
1082 krb5_error_code ret
;
1086 switch (ctx
->req_pac
) {
1087 case KRB5_INIT_CREDS_TRISTATE_UNSET
:
1088 return 0; /* don't bother */
1089 case KRB5_INIT_CREDS_TRISTATE_TRUE
:
1090 req
.include_pac
= 1;
1092 case KRB5_INIT_CREDS_TRISTATE_FALSE
:
1093 req
.include_pac
= 0;
1096 ASN1_MALLOC_ENCODE(PA_PAC_REQUEST
, buf
, length
,
1101 krb5_abortx(context
, "internal error in ASN.1 encoder");
1103 ret
= krb5_padata_add(context
, md
, KRB5_PADATA_PA_PAC_REQUEST
, buf
, len
);
1111 * Assumes caller always will free `out_md', even on error.
1114 static krb5_error_code
1115 process_pa_data_to_md(krb5_context context
,
1116 const krb5_creds
*creds
,
1118 krb5_get_init_creds_ctx
*ctx
,
1120 METHOD_DATA
**out_md
,
1121 krb5_prompter_fct prompter
,
1122 void *prompter_data
)
1124 krb5_error_code ret
;
1127 if (*out_md
== NULL
) {
1128 krb5_set_error_message(context
, ENOMEM
, N_("malloc: out of memory", ""));
1132 (*out_md
)->val
= NULL
;
1135 * Make sure we don't sent both ENC-TS and PK-INIT pa data, no
1136 * need to expose our password protecting our PKCS12 key.
1139 if (ctx
->pk_init_ctx
) {
1141 ret
= pa_data_to_md_pkinit(context
, a
, creds
->client
, ctx
, *out_md
);
1145 } else if (in_md
->len
!= 0) {
1146 struct pa_info_data paid
, *ppaid
;
1148 memset(&paid
, 0, sizeof(paid
));
1150 paid
.etype
= ENCTYPE_NULL
;
1151 ppaid
= process_pa_info(context
, creds
->client
, a
, &paid
, in_md
);
1153 pa_data_to_md_ts_enc(context
, a
, creds
->client
, ctx
, ppaid
, *out_md
);
1155 free_paid(context
, ppaid
);
1158 pa_data_add_pac_request(context
, ctx
, *out_md
);
1160 if ((*out_md
)->len
== 0) {
1168 static krb5_error_code
1169 process_pa_data_to_key(krb5_context context
,
1170 krb5_get_init_creds_ctx
*ctx
,
1174 const krb5_krbhst_info
*hi
,
1175 krb5_keyblock
**key
)
1177 struct pa_info_data paid
, *ppaid
= NULL
;
1178 krb5_error_code ret
;
1182 memset(&paid
, 0, sizeof(paid
));
1184 etype
= rep
->enc_part
.etype
;
1188 ppaid
= process_pa_info(context
, creds
->client
, a
, &paid
,
1191 if (ppaid
== NULL
) {
1192 ret
= krb5_get_pw_salt (context
, creds
->client
, &paid
.salt
);
1196 paid
.s2kparams
= NULL
;
1202 pa
= krb5_find_padata(rep
->padata
->val
,
1204 KRB5_PADATA_PK_AS_REP
,
1208 pa
= krb5_find_padata(rep
->padata
->val
,
1210 KRB5_PADATA_PK_AS_REP_19
,
1214 if (pa
&& ctx
->pk_init_ctx
) {
1216 ret
= _krb5_pk_rd_pa_reply(context
,
1227 krb5_set_error_message(context
, ret
, N_("no support for PKINIT compiled in", ""));
1229 } else if (ctx
->keyseed
)
1230 ret
= pa_data_to_key_plain(context
, creds
->client
, ctx
,
1231 paid
.salt
, paid
.s2kparams
, etype
, key
);
1234 krb5_set_error_message(context
, ret
, N_("No usable pa data type", ""));
1237 free_paid(context
, &paid
);
1242 * Start a new context to get a new initial credential.
1244 * @param context A Kerberos 5 context.
1245 * @param client The Kerberos principal to get the credential for, if
1246 * NULL is given, the default principal is used as determined by
1247 * krb5_get_default_principal().
1249 * @param prompter_data
1250 * @param start_time the time the ticket should start to be valid or 0 for now.
1251 * @param options a options structure, can be NULL for default options.
1252 * @param rctx A new allocated free with krb5_init_creds_free().
1254 * @return 0 for success or an Kerberos 5 error code, see krb5_get_error_message().
1256 * @ingroup krb5_credential
1259 krb5_error_code KRB5_LIB_FUNCTION
1260 krb5_init_creds_init(krb5_context context
,
1261 krb5_principal client
,
1262 krb5_prompter_fct prompter
,
1263 void *prompter_data
,
1264 krb5_deltat start_time
,
1265 krb5_get_init_creds_opt
*options
,
1266 krb5_init_creds_context
*rctx
)
1268 krb5_init_creds_context ctx
;
1269 krb5_error_code ret
;
1273 ctx
= calloc(1, sizeof(*ctx
));
1275 krb5_set_error_message(context
, ENOMEM
, N_("malloc: out of memory", ""));
1279 ret
= get_init_creds_common(context
, client
, start_time
, options
, ctx
);
1285 /* Set a new nonce. */
1286 krb5_generate_random_block (&ctx
->nonce
, sizeof(ctx
->nonce
));
1287 ctx
->nonce
&= 0x7fffffff;
1288 /* XXX these just needs to be the same when using Windows PK-INIT */
1289 ctx
->pk_nonce
= ctx
->nonce
;
1291 ctx
->prompter
= prompter
;
1292 ctx
->prompter_data
= prompter_data
;
1300 * Sets the service that the is requested. This call is only neede for
1301 * special initial tickets, by default the a krbtgt is fetched in the default realm.
1303 * @param context a Kerberos 5 context.
1304 * @param ctx a krb5_init_creds_context context.
1305 * @param service the service given as a string, for example
1306 * "kadmind/admin". If NULL, the default krbtgt in the clients
1309 * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
1310 * @ingroup krb5_credential
1313 krb5_error_code KRB5_LIB_FUNCTION
1314 krb5_init_creds_set_service(krb5_context context
,
1315 krb5_init_creds_context ctx
,
1316 const char *service
)
1318 krb5_const_realm client_realm
;
1319 krb5_principal principal
;
1320 krb5_error_code ret
;
1322 client_realm
= krb5_principal_get_realm (context
, ctx
->cred
.client
);
1325 ret
= krb5_parse_name (context
, service
, &principal
);
1328 krb5_principal_set_realm (context
, principal
, client_realm
);
1330 ret
= krb5_make_principal(context
, &principal
,
1331 client_realm
, KRB5_TGS_NAME
, client_realm
,
1336 krb5_free_principal(context
, ctx
->cred
.server
);
1337 ctx
->cred
.server
= principal
;
1343 * Sets the password that will use for the request.
1345 * @param context a Kerberos 5 context.
1346 * @param ctx ctx krb5_init_creds_context context.
1347 * @param password the password to use.
1349 * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
1350 * @ingroup krb5_credential
1353 krb5_error_code KRB5_LIB_FUNCTION
1354 krb5_init_creds_set_password(krb5_context context
,
1355 krb5_init_creds_context ctx
,
1356 const char *password
)
1359 free(ctx
->password
);
1361 ctx
->password
= strdup(password
);
1362 if (ctx
->password
== NULL
) {
1363 krb5_set_error_message(context
, ENOMEM
, N_("malloc: out of memory", ""));
1366 ctx
->keyseed
= (void *) ctx
->password
;
1368 ctx
->keyseed
= NULL
;
1369 ctx
->password
= NULL
;
1375 static krb5_error_code
1376 keytab_key_proc(krb5_context context
, krb5_enctype enctype
,
1377 krb5_const_pointer keyseed
,
1378 krb5_salt salt
, krb5_data
*s2kparms
,
1379 krb5_keyblock
**key
)
1381 krb5_keytab_key_proc_args
*args
= rk_UNCONST(keyseed
);
1382 krb5_keytab keytab
= args
->keytab
;
1383 krb5_principal principal
= args
->principal
;
1384 krb5_error_code ret
;
1385 krb5_keytab real_keytab
;
1386 krb5_keytab_entry entry
;
1389 krb5_kt_default(context
, &real_keytab
);
1391 real_keytab
= keytab
;
1393 ret
= krb5_kt_get_entry (context
, real_keytab
, principal
,
1394 0, enctype
, &entry
);
1397 krb5_kt_close (context
, real_keytab
);
1402 ret
= krb5_copy_keyblock (context
, &entry
.keyblock
, key
);
1403 krb5_kt_free_entry(context
, &entry
);
1409 * Set the keytab to use for authentication.
1411 * @param context a Kerberos 5 context.
1412 * @param ctx ctx krb5_init_creds_context context.
1413 * @param keytab the keytab to read the key from.
1415 * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
1416 * @ingroup krb5_credential
1419 krb5_error_code KRB5_LIB_FUNCTION
1420 krb5_init_creds_set_keytab(krb5_context context
,
1421 krb5_init_creds_context ctx
,
1424 krb5_keytab_key_proc_args
*a
;
1425 krb5_keytab_entry entry
;
1426 krb5_kt_cursor cursor
;
1427 krb5_enctype
*etypes
= NULL
;
1428 krb5_error_code ret
;
1432 a
= malloc(sizeof(*a
));
1434 krb5_set_error_message(context
, ENOMEM
,
1435 N_("malloc: out of memory", ""));
1439 a
->principal
= ctx
->cred
.client
;
1442 ctx
->keytab_data
= a
;
1443 ctx
->keyseed
= (void *)a
;
1444 ctx
->keyproc
= keytab_key_proc
;
1447 * We need to the KDC what enctypes we support for this keytab,
1448 * esp if the keytab is really a password based entry, then the
1449 * KDC might have more enctypes in the database then what we have
1453 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
1457 while(krb5_kt_next_entry(context
, keytab
, &entry
, &cursor
) == 0){
1460 if (!krb5_principal_compare(context
, entry
.principal
, ctx
->cred
.client
))
1463 /* check if we ahve this kvno already */
1464 if (entry
.vno
> kvno
) {
1465 /* remove old list of etype */
1471 } else if (entry
.vno
!= kvno
)
1474 /* check if enctype is supported */
1475 if (krb5_enctype_valid(context
, entry
.keyblock
.keytype
) != 0)
1478 /* add enctype to supported list */
1479 ptr
= realloc(etypes
, sizeof(etypes
[0]) * (netypes
+ 2));
1484 etypes
[netypes
] = entry
.keyblock
.keytype
;
1485 etypes
[netypes
+ 1] = ETYPE_NULL
;
1488 krb5_kt_free_entry(context
, &entry
);
1490 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
1495 ctx
->etypes
= etypes
;
1502 static krb5_error_code
1503 keyblock_key_proc(krb5_context context
, krb5_enctype enctype
,
1504 krb5_const_pointer keyseed
,
1505 krb5_salt salt
, krb5_data
*s2kparms
,
1506 krb5_keyblock
**key
)
1508 return krb5_copy_keyblock (context
, keyseed
, key
);
1511 krb5_error_code KRB5_LIB_FUNCTION
1512 krb5_init_creds_set_keyblock(krb5_context context
,
1513 krb5_init_creds_context ctx
,
1514 krb5_keyblock
*keyblock
)
1516 ctx
->keyseed
= (void *)keyblock
;
1517 ctx
->keyproc
= keyblock_key_proc
;
1523 * The core loop if krb5_get_init_creds() function family. Create the
1524 * packets and have the caller send them off to the KDC.
1526 * If the caller want all work been done for them, use
1527 * krb5_init_creds_get() instead.
1529 * @param context a Kerberos 5 context.
1530 * @param ctx ctx krb5_init_creds_context context.
1531 * @param in input data from KDC, first round it should be reset by krb5_data_zer().
1532 * @param out reply to KDC.
1533 * @param hostinfo KDC address info, first round it can be NULL.
1534 * @param flags status of the round, if 1 is set, continue one more round.
1536 * @return 0 for success, or an Kerberos 5 error code, see
1537 * krb5_get_error_message().
1539 * @ingroup krb5_credential
1542 krb5_error_code KRB5_LIB_FUNCTION
1543 krb5_init_creds_step(krb5_context context
,
1544 krb5_init_creds_context ctx
,
1547 krb5_krbhst_info
*hostinfo
,
1548 unsigned int *flags
)
1550 krb5_error_code ret
;
1554 krb5_data_zero(out
);
1556 if (ctx
->as_req
.req_body
.cname
== NULL
) {
1557 ret
= init_as_req(context
, ctx
->flags
, &ctx
->cred
,
1558 ctx
->addrs
, ctx
->etypes
, &ctx
->as_req
);
1560 free_init_creds_ctx(context
, ctx
);
1565 #define MAX_PA_COUNTER 10
1566 if (ctx
->pa_counter
> MAX_PA_COUNTER
) {
1567 krb5_set_error_message(context
, KRB5_GET_IN_TKT_LOOP
,
1568 N_("Looping %d times while getting "
1569 "initial credentials", ""),
1571 return KRB5_GET_IN_TKT_LOOP
;
1575 /* Lets process the input packet */
1576 if (in
&& in
->length
) {
1579 memset(&rep
, 0, sizeof(rep
));
1581 ret
= decode_AS_REP(in
->data
, in
->length
, &rep
.kdc_rep
, &size
);
1583 krb5_keyblock
*key
= NULL
;
1584 unsigned eflags
= EXTRACT_TICKET_AS_REQ
;
1586 if (ctx
->flags
.canonicalize
) {
1587 eflags
|= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH
;
1588 eflags
|= EXTRACT_TICKET_MATCH_REALM
;
1590 if (ctx
->ic_flags
& KRB5_INIT_CREDS_NO_C_CANON_CHECK
)
1591 eflags
|= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH
;
1593 ret
= process_pa_data_to_key(context
, ctx
, &ctx
->cred
,
1594 &ctx
->as_req
, &rep
.kdc_rep
, hostinfo
, &key
);
1596 free_AS_REP(&rep
.kdc_rep
);
1600 ret
= _krb5_extract_ticket(context
,
1605 KRB5_KU_AS_REP_ENC_PART
,
1611 krb5_free_keyblock(context
, key
);
1616 ret
= copy_EncKDCRepPart(&rep
.enc_part
, &ctx
->enc_part
);
1618 free_AS_REP(&rep
.kdc_rep
);
1619 free_EncASRepPart(&rep
.enc_part
);
1624 /* let's try to parse it as a KRB-ERROR */
1626 free_KRB_ERROR(&ctx
->error
);
1628 ret
= krb5_rd_error(context
, in
, &ctx
->error
);
1629 if(ret
&& in
->length
&& ((char*)in
->data
)[0] == 4)
1630 ret
= KRB5KRB_AP_ERR_V4_REPLY
;
1634 ret
= krb5_error_from_rd_error(context
, &ctx
->error
, &ctx
->cred
);
1637 * If no preauth was set and KDC requires it, give it one
1641 if (ret
== KRB5KDC_ERR_PREAUTH_REQUIRED
) {
1643 free_METHOD_DATA(&ctx
->md
);
1644 memset(&ctx
->md
, 0, sizeof(ctx
->md
));
1646 if (ctx
->error
.e_data
) {
1647 ret
= decode_METHOD_DATA(ctx
->error
.e_data
->data
,
1648 ctx
->error
.e_data
->length
,
1652 krb5_set_error_message(context
, ret
,
1653 N_("Failed to decode METHOD-DATA", ""));
1655 krb5_set_error_message(context
, ret
,
1656 N_("Preauth required but no preauth "
1657 "options send by KDC", ""));
1659 } else if (ret
== KRB5KRB_AP_ERR_SKEW
&& context
->kdc_sec_offset
== 0) {
1661 * Try adapt to timeskrew when we are using pre-auth, and
1662 * if there was a time skew, try again.
1664 krb5_set_real_time(context
, ctx
->error
.stime
, -1);
1665 if (context
->kdc_sec_offset
)
1667 } else if (ret
== KRB5_KDC_ERR_WRONG_REALM
&& ctx
->flags
.canonicalize
) {
1668 /* client referal to a new realm */
1669 if (ctx
->error
.crealm
== NULL
) {
1670 krb5_set_error_message(context
, ret
,
1671 N_("Got a client referral, not but no realm", ""));
1674 ret
= krb5_principal_set_realm(context
,
1676 *ctx
->error
.crealm
);
1683 if (ctx
->as_req
.padata
) {
1684 free_METHOD_DATA(ctx
->as_req
.padata
);
1685 free(ctx
->as_req
.padata
);
1686 ctx
->as_req
.padata
= NULL
;
1689 /* Set a new nonce. */
1690 ctx
->as_req
.req_body
.nonce
= ctx
->nonce
;
1692 /* fill_in_md_data */
1693 ret
= process_pa_data_to_md(context
, &ctx
->cred
, &ctx
->as_req
, ctx
,
1694 &ctx
->md
, &ctx
->as_req
.padata
,
1695 ctx
->prompter
, ctx
->prompter_data
);
1699 krb5_data_free(&ctx
->req_buffer
);
1701 ASN1_MALLOC_ENCODE(AS_REQ
,
1702 ctx
->req_buffer
.data
, ctx
->req_buffer
.length
,
1703 &ctx
->as_req
, &len
, ret
);
1706 if(len
!= ctx
->req_buffer
.length
)
1707 krb5_abortx(context
, "internal error in ASN.1 encoder");
1709 out
->data
= ctx
->req_buffer
.data
;
1710 out
->length
= ctx
->req_buffer
.length
;
1720 * Extract the newly acquired credentials from krb5_init_creds_context
1723 * @param context A Kerberos 5 context.
1725 * @param cred credentials, free with krb5_free_cred_contents().
1727 * @return 0 for sucess or An Kerberos error code, see krb5_get_error_message().
1730 krb5_error_code KRB5_LIB_FUNCTION
1731 krb5_init_creds_get_creds(krb5_context context
,
1732 krb5_init_creds_context ctx
,
1735 return krb5_copy_creds_contents(context
, &ctx
->cred
, cred
);
1739 * Get the last error from the transaction.
1741 * @return Returns 0 or an error code
1743 * @ingroup krb5_credential
1746 krb5_error_code KRB5_LIB_FUNCTION
1747 krb5_init_creds_get_error(krb5_context context
,
1748 krb5_init_creds_context ctx
,
1751 krb5_error_code ret
;
1753 ret
= copy_KRB_ERROR(&ctx
->error
, error
);
1755 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
1761 * Free the krb5_init_creds_context allocated by krb5_init_creds_init().
1763 * @param context A Kerberos 5 context.
1764 * @param ctx The krb5_init_creds_context to free.
1766 * @ingroup krb5_credential
1769 void KRB5_LIB_FUNCTION
1770 krb5_init_creds_free(krb5_context context
,
1771 krb5_init_creds_context ctx
)
1773 free_init_creds_ctx(context
, ctx
);
1778 * Get new credentials as setup by the krb5_init_creds_context.
1780 * @param context A Kerberos 5 context.
1781 * @param ctx The krb5_init_creds_context to process.
1783 * @ingroup krb5_credential
1786 krb5_error_code KRB5_LIB_FUNCTION
1787 krb5_init_creds_get(krb5_context context
, krb5_init_creds_context ctx
)
1789 krb5_sendto_ctx stctx
= NULL
;
1790 krb5_krbhst_info
*hostinfo
= NULL
;
1791 krb5_error_code ret
;
1793 unsigned int flags
= 0;
1795 krb5_data_zero(&in
);
1796 krb5_data_zero(&out
);
1798 ret
= krb5_sendto_ctx_alloc(context
, &stctx
);
1801 krb5_sendto_ctx_set_func(stctx
, _krb5_kdc_retry
, NULL
);
1805 ret
= krb5_init_creds_step(context
, ctx
, &in
, &out
, hostinfo
, &flags
);
1806 krb5_data_free(&in
);
1810 if ((flags
& 1) == 0)
1813 ret
= krb5_sendto_context (context
, stctx
, &out
,
1814 ctx
->cred
.client
->realm
, &in
);
1822 krb5_sendto_ctx_free(context
, stctx
);
1828 * Get new credentials using password.
1830 * @ingroup krb5_credential
1834 krb5_error_code KRB5_LIB_FUNCTION
1835 krb5_get_init_creds_password(krb5_context context
,
1837 krb5_principal client
,
1838 const char *password
,
1839 krb5_prompter_fct prompter
,
1841 krb5_deltat start_time
,
1842 const char *in_tkt_service
,
1843 krb5_get_init_creds_opt
*options
)
1845 krb5_init_creds_context ctx
;
1847 krb5_error_code ret
;
1851 ret
= krb5_init_creds_init(context
, client
, prompter
, data
, start_time
, options
, &ctx
);
1855 ret
= krb5_init_creds_set_service(context
, ctx
, in_tkt_service
);
1859 if (prompter
!= NULL
&& ctx
->password
== NULL
&& password
== NULL
) {
1861 krb5_data password_data
;
1864 krb5_unparse_name (context
, client
, &p
);
1865 asprintf (&q
, "%s's Password: ", p
);
1868 password_data
.data
= buf
;
1869 password_data
.length
= sizeof(buf
);
1871 prompt
.reply
= &password_data
;
1872 prompt
.type
= KRB5_PROMPT_TYPE_PASSWORD
;
1874 ret
= (*prompter
) (context
, data
, NULL
, NULL
, 1, &prompt
);
1877 memset (buf
, 0, sizeof(buf
));
1878 ret
= KRB5_LIBOS_PWDINTR
;
1879 krb5_clear_error_message (context
);
1882 password
= password_data
.data
;
1886 ret
= krb5_init_creds_set_password(context
, ctx
, password
);
1891 ret
= krb5_init_creds_get(context
, ctx
);
1894 process_last_request(context
, options
, ctx
);
1897 if (ret
== KRB5KDC_ERR_KEY_EXPIRED
&& chpw
== 0) {
1900 /* try to avoid recursion */
1901 if (in_tkt_service
!= NULL
&& strcmp(in_tkt_service
, "kadmin/changepw") == 0)
1904 /* don't try to change password where then where none */
1905 if (prompter
== NULL
)
1908 ret
= change_password (context
,
1919 krb5_init_creds_free(context
, ctx
);
1925 krb5_init_creds_get_creds(context
, ctx
, creds
);
1928 krb5_init_creds_free(context
, ctx
);
1930 memset(buf
, 0, sizeof(buf
));
1935 * Get new credentials using keyblock.
1937 * @ingroup krb5_credential
1940 krb5_error_code KRB5_LIB_FUNCTION
1941 krb5_get_init_creds_keyblock(krb5_context context
,
1943 krb5_principal client
,
1944 krb5_keyblock
*keyblock
,
1945 krb5_deltat start_time
,
1946 const char *in_tkt_service
,
1947 krb5_get_init_creds_opt
*options
)
1949 krb5_init_creds_context ctx
;
1950 krb5_error_code ret
;
1952 memset(creds
, 0, sizeof(*creds
));
1954 ret
= krb5_init_creds_init(context
, client
, NULL
, NULL
, start_time
, options
, &ctx
);
1958 ret
= krb5_init_creds_set_service(context
, ctx
, in_tkt_service
);
1962 ret
= krb5_init_creds_set_keyblock(context
, ctx
, keyblock
);
1966 ret
= krb5_init_creds_get(context
, ctx
);
1969 process_last_request(context
, options
, ctx
);
1973 krb5_init_creds_get_creds(context
, ctx
, creds
);
1976 krb5_init_creds_free(context
, ctx
);
1982 * Get new credentials using keytab.
1984 * @ingroup krb5_credential
1987 krb5_error_code KRB5_LIB_FUNCTION
1988 krb5_get_init_creds_keytab(krb5_context context
,
1990 krb5_principal client
,
1992 krb5_deltat start_time
,
1993 const char *in_tkt_service
,
1994 krb5_get_init_creds_opt
*options
)
1996 krb5_init_creds_context ctx
;
1997 krb5_error_code ret
;
1999 memset(creds
, 0, sizeof(*creds
));
2001 ret
= krb5_init_creds_init(context
, client
, NULL
, NULL
, start_time
, options
, &ctx
);
2005 ret
= krb5_init_creds_set_service(context
, ctx
, in_tkt_service
);
2009 ret
= krb5_init_creds_set_keytab(context
, ctx
, keytab
);
2013 ret
= krb5_init_creds_get(context
, ctx
);
2015 process_last_request(context
, options
, ctx
);
2019 krb5_init_creds_get_creds(context
, ctx
, creds
);
2022 krb5_init_creds_free(context
, ctx
);