2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "krb5_locl.h"
39 static krb5_error_code
40 get_cred_kdc_capath(krb5_context
, krb5_kdc_flags
,
41 krb5_ccache
, struct krb5_fast_state
*,
42 krb5_creds
*, krb5_principal
,
43 Ticket
*, const char *, const char *,
44 krb5_creds
**, krb5_creds
***);
47 * Take the `body' and encode it into `padata' using the credentials
51 static krb5_error_code
52 make_pa_tgs_req(krb5_context context
,
53 krb5_auth_context
*ac
,
65 ASN1_MALLOC_ENCODE(KDC_REQ_BODY
, buf
, buf_size
, body
, &len
, ret
);
70 krb5_abortx(context
, "internal error in ASN.1 encoder");
74 ret
= _krb5_mk_req_internal(context
, ac
, 0, &in_data
,
76 KRB5_KU_TGS_REQ_AUTH_CKSUM
,
77 KRB5_KU_TGS_REQ_AUTH
);
83 * Set the `enc-authorization-data' in `req_body' based on `authdata'
86 static krb5_error_code
87 set_auth_data (krb5_context context
,
88 KDC_REQ_BODY
*req_body
,
89 krb5_authdata
*authdata
,
90 krb5_keyblock
*subkey
)
93 size_t len
= 0, buf_size
;
98 ASN1_MALLOC_ENCODE(AuthorizationData
, buf
, buf_size
, authdata
,
103 krb5_abortx(context
, "internal error in ASN.1 encoder");
105 ALLOC(req_body
->enc_authorization_data
, 1);
106 if (req_body
->enc_authorization_data
== NULL
) {
108 return krb5_enomem(context
);
110 ret
= krb5_crypto_init(context
, subkey
, 0, &crypto
);
113 free (req_body
->enc_authorization_data
);
114 req_body
->enc_authorization_data
= NULL
;
117 ret
= krb5_encrypt_EncryptedData(context
,
119 KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY
,
123 req_body
->enc_authorization_data
);
125 krb5_crypto_destroy(context
, crypto
);
128 req_body
->enc_authorization_data
= NULL
;
134 * Create a tgs-req in `t' with `addresses', `flags', `second_ticket'
135 * (if not-NULL), `in_creds', `krbtgt', and returning the generated
136 * subkey in `subkey'.
139 static krb5_error_code
140 init_tgs_req (krb5_context context
,
142 struct krb5_fast_state
*state
,
143 krb5_addresses
*addresses
,
144 krb5_kdc_flags flags
,
145 Ticket
*second_ticket
,
146 krb5_creds
*in_creds
,
149 const METHOD_DATA
*padata
,
150 krb5_keyblock
**subkey
,
153 krb5_auth_context ac
= NULL
;
154 krb5_error_code ret
= 0;
157 krb5_data_zero(&tgs_req
);
158 memset(t
, 0, sizeof(*t
));
161 t
->msg_type
= krb_tgs_req
;
162 if (in_creds
->session
.keytype
) {
163 ALLOC_SEQ(&t
->req_body
.etype
, 1);
164 if(t
->req_body
.etype
.val
== NULL
) {
165 ret
= krb5_enomem(context
);
168 t
->req_body
.etype
.val
[0] = in_creds
->session
.keytype
;
170 ret
= _krb5_init_etype(context
,
171 KRB5_PDU_TGS_REQUEST
,
172 &t
->req_body
.etype
.len
,
173 &t
->req_body
.etype
.val
,
178 t
->req_body
.addresses
= addresses
;
179 t
->req_body
.kdc_options
= flags
.b
;
180 t
->req_body
.kdc_options
.forwardable
= krbtgt
->flags
.b
.forwardable
;
181 t
->req_body
.kdc_options
.renewable
= krbtgt
->flags
.b
.renewable
;
182 t
->req_body
.kdc_options
.proxiable
= krbtgt
->flags
.b
.proxiable
;
183 ret
= copy_Realm(&in_creds
->server
->realm
, &t
->req_body
.realm
);
186 ALLOC(t
->req_body
.sname
, 1);
187 if (t
->req_body
.sname
== NULL
) {
188 ret
= krb5_enomem(context
);
192 /* some versions of some code might require that the client be
193 present in TGS-REQs, but this is clearly against the spec */
195 ret
= copy_PrincipalName(&in_creds
->server
->name
, t
->req_body
.sname
);
199 if (krbtgt
->times
.starttime
) {
200 ALLOC(t
->req_body
.from
, 1);
201 if(t
->req_body
.from
== NULL
){
202 ret
= krb5_enomem(context
);
205 *t
->req_body
.from
= in_creds
->times
.starttime
;
208 /* req_body.till should be NULL if there is no endtime specified,
209 but old MIT code (like DCE secd) doesn't like that */
210 ALLOC(t
->req_body
.till
, 1);
211 if(t
->req_body
.till
== NULL
){
212 ret
= krb5_enomem(context
);
215 *t
->req_body
.till
= in_creds
->times
.endtime
;
217 if (t
->req_body
.kdc_options
.renewable
&& krbtgt
->times
.renew_till
) {
218 ALLOC(t
->req_body
.rtime
, 1);
219 if(t
->req_body
.rtime
== NULL
){
220 ret
= krb5_enomem(context
);
223 *t
->req_body
.rtime
= in_creds
->times
.renew_till
;
226 t
->req_body
.nonce
= nonce
;
228 ALLOC(t
->req_body
.additional_tickets
, 1);
229 if (t
->req_body
.additional_tickets
== NULL
) {
230 ret
= krb5_enomem(context
);
233 ALLOC_SEQ(t
->req_body
.additional_tickets
, 1);
234 if (t
->req_body
.additional_tickets
->val
== NULL
) {
235 ret
= krb5_enomem(context
);
238 ret
= copy_Ticket(second_ticket
, t
->req_body
.additional_tickets
->val
);
243 ret
= krb5_auth_con_init(context
, &ac
);
247 ret
= krb5_auth_con_generatelocalsubkey(context
, ac
, &krbtgt
->session
);
254 krb5_data_zero(&empty
);
255 ret
= krb5_auth_con_add_AuthorizationData(context
, ac
,
256 KRB5_AUTHDATA_FX_FAST_USED
,
262 ret
= set_auth_data(context
, &t
->req_body
,
263 &in_creds
->authdata
, ac
->local_subkey
);
267 ret
= make_pa_tgs_req(context
,
277 * Add KRB5_PADATA_TGS_REQ first
278 * followed by all others.
281 if (t
->padata
== NULL
) {
283 if (t
->padata
== NULL
) {
284 ret
= krb5_enomem(context
);
289 ret
= krb5_padata_add(context
, t
->padata
, KRB5_PADATA_TGS_REQ
,
290 tgs_req
.data
, tgs_req
.length
);
294 krb5_data_zero(&tgs_req
);
298 for (i
= 0; i
< padata
->len
; i
++) {
299 const PA_DATA
*val1
= &padata
->val
[i
];
302 ret
= copy_PA_DATA(val1
, &val2
);
304 krb5_set_error_message(context
, ret
,
305 N_("malloc: out of memory", ""));
309 ret
= krb5_padata_add(context
, t
->padata
,
311 val2
.padata_value
.data
,
312 val2
.padata_value
.length
);
316 krb5_set_error_message(context
, ret
,
317 N_("malloc: out of memory", ""));
324 state
->armor_ac
= ac
;
325 ret
= _krb5_fast_create_armor(context
, state
, NULL
);
326 state
->armor_ac
= NULL
;
330 ret
= _krb5_fast_wrap_req(context
, state
, t
);
334 /* Its ok if there is no fast in the TGS-REP, older heimdal only support it in the AS code path */
335 state
->flags
&= ~KRB5_FAST_EXPECTED
;
338 ret
= krb5_auth_con_getlocalsubkey(context
, ac
, subkey
);
344 krb5_auth_con_free(context
, ac
);
346 t
->req_body
.addresses
= NULL
;
349 krb5_data_free(&tgs_req
);
354 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
355 _krb5_get_krbtgt(krb5_context context
,
363 memset(&tmp_cred
, 0, sizeof(tmp_cred
));
365 ret
= krb5_cc_get_principal(context
, id
, &tmp_cred
.client
);
370 realm
= tmp_cred
.client
->realm
;
372 ret
= krb5_make_principal(context
,
379 krb5_free_principal(context
, tmp_cred
.client
);
383 * The forwardable TGT might not be the start TGT, in which case, it is
384 * generally, but not always already cached. Just in case, get it again if
387 ret
= krb5_get_credentials(context
,
392 krb5_free_principal(context
, tmp_cred
.client
);
393 krb5_free_principal(context
, tmp_cred
.server
);
399 static krb5_error_code
400 fast_tgs_strengthen_key(krb5_context context
,
401 struct krb5_fast_state
*state
,
402 krb5_keyblock
*reply_key
,
403 krb5_keyblock
*extract_key
)
407 if (state
&& state
->strengthen_key
) {
408 _krb5_debug(context
, 5, "_krb5_fast_tgs_strengthen_key");
410 if (state
->strengthen_key
->keytype
!= reply_key
->keytype
) {
411 krb5_set_error_message(context
, KRB5KRB_AP_ERR_MODIFIED
,
412 N_("strengthen_key %d not same enctype as reply key %d", ""),
413 state
->strengthen_key
->keytype
, reply_key
->keytype
);
414 return KRB5KRB_AP_ERR_MODIFIED
;
417 ret
= _krb5_fast_cf2(context
,
418 state
->strengthen_key
,
427 ret
= krb5_copy_keyblock_contents(context
, reply_key
, extract_key
);
435 /* DCE compatible decrypt proc */
436 static krb5_error_code KRB5_CALLCONV
437 decrypt_tkt_with_subkey (krb5_context context
,
439 krb5_key_usage usage
,
440 krb5_const_pointer skey
,
441 krb5_kdc_rep
*dec_rep
)
443 struct krb5_decrypt_tkt_with_subkey_state
*state
;
444 krb5_error_code ret
= 0;
448 krb5_keyblock extract_key
;
450 state
= (struct krb5_decrypt_tkt_with_subkey_state
*)skey
;
454 krb5_data_zero(&data
);
457 * start out with trying with subkey if we have one
460 ret
= fast_tgs_strengthen_key(context
, state
->fast_state
,
461 state
->subkey
, &extract_key
);
465 ret
= krb5_crypto_init(context
, &extract_key
, 0, &crypto
);
466 krb5_free_keyblock_contents(context
, &extract_key
);
469 ret
= krb5_decrypt_EncryptedData (context
,
471 KRB5_KU_TGS_REP_ENC_PART_SUB_KEY
,
472 &dec_rep
->kdc_rep
.enc_part
,
475 * If the is Windows 2000 DC, we need to retry with key usage
476 * 8 when doing ARCFOUR.
478 if (ret
&& state
->subkey
->keytype
== ETYPE_ARCFOUR_HMAC_MD5
) {
479 ret
= krb5_decrypt_EncryptedData(context
,
482 &dec_rep
->kdc_rep
.enc_part
,
485 krb5_crypto_destroy(context
, crypto
);
487 if (state
->subkey
== NULL
|| ret
) {
488 ret
= fast_tgs_strengthen_key(context
, state
->fast_state
, key
, &extract_key
);
492 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
495 ret
= krb5_decrypt_EncryptedData (context
,
497 KRB5_KU_TGS_REP_ENC_PART_SESSION
,
498 &dec_rep
->kdc_rep
.enc_part
,
500 krb5_crypto_destroy(context
, crypto
);
505 ret
= decode_EncASRepPart(data
.data
,
510 ret
= decode_EncTGSRepPart(data
.data
,
515 krb5_set_error_message(context
, ret
,
516 N_("Failed to decode encpart in ticket", ""));
517 krb5_data_free (&data
);
521 static krb5_error_code
522 get_cred_kdc(krb5_context context
,
524 struct krb5_fast_state
*fast_state
,
525 krb5_kdc_flags flags
,
526 krb5_addresses
*addresses
,
527 krb5_creds
*in_creds
,
529 krb5_principal impersonate_principal
,
530 Ticket
*second_ticket
,
531 const char *kdc_hostname
,
532 const char *sitename
,
533 krb5_creds
*out_creds
)
541 krb5_keyblock
*subkey
= NULL
;
543 Ticket second_ticket_data
;
546 memset(&rep
, 0, sizeof(rep
));
547 krb5_data_zero(&resp
);
548 krb5_data_zero(&enc
);
552 krb5_generate_random_block(&nonce
, sizeof(nonce
));
555 if(flags
.b
.enc_tkt_in_skey
&& second_ticket
== NULL
){
556 ret
= decode_Ticket(in_creds
->second_ticket
.data
,
557 in_creds
->second_ticket
.length
,
558 &second_ticket_data
, &len
);
561 second_ticket
= &second_ticket_data
;
565 if (impersonate_principal
) {
572 self
.name
= impersonate_principal
->name
;
573 self
.realm
= impersonate_principal
->realm
;
574 self
.auth
= estrdup("Kerberos");
576 ret
= _krb5_s4u2self_to_checksumdata(context
, &self
, &data
);
582 ret
= krb5_crypto_init(context
, &krbtgt
->session
, 0, &crypto
);
585 krb5_data_free(&data
);
589 ret
= krb5_create_checksum(context
,
596 krb5_crypto_destroy(context
, crypto
);
597 krb5_data_free(&data
);
603 ASN1_MALLOC_ENCODE(PA_S4U2Self
, buf
, len
, &self
, &size
, ret
);
605 free_Checksum(&self
.cksum
);
609 krb5_abortx(context
, "internal asn1 error");
611 ret
= krb5_padata_add(context
, &padata
, KRB5_PADATA_FOR_USER
, buf
, len
);
616 ret
= init_tgs_req (context
,
631 ASN1_MALLOC_ENCODE(TGS_REQ
, enc
.data
, enc
.length
, &req
, &len
, ret
);
634 if(enc
.length
!= len
)
635 krb5_abortx(context
, "internal error in ASN.1 encoder");
637 /* don't free addresses */
638 req
.req_body
.addresses
= NULL
;
645 krb5_sendto_ctx stctx
;
646 ret
= krb5_sendto_ctx_alloc(context
, &stctx
);
649 krb5_sendto_ctx_set_func(stctx
, _krb5_kdc_retry
, NULL
);
652 krb5_sendto_set_hostname(context
, stctx
, kdc_hostname
);
654 krb5_sendto_set_sitename(context
, stctx
, sitename
);
656 ret
= krb5_sendto_context (context
, stctx
, &enc
,
657 krbtgt
->server
->name
.name_string
.val
[1],
659 krb5_sendto_ctx_free(context
, stctx
);
664 if(decode_TGS_REP(resp
.data
, resp
.length
, &rep
.kdc_rep
, &len
) == 0) {
665 struct krb5_decrypt_tkt_with_subkey_state state
;
670 ASN1_MALLOC_ENCODE(Ticket
, data
.data
, data
.length
,
671 &rep
.kdc_rep
.ticket
, &size
, ret
);
674 heim_assert(data
.length
== size
, "ASN.1 internal error");
676 ret
= _krb5_fast_unwrap_kdc_rep(context
, nonce
, &data
,
677 fast_state
, &rep
.kdc_rep
);
678 krb5_data_free(&data
);
682 ret
= krb5_copy_principal(context
,
687 ret
= krb5_copy_principal(context
,
692 /* this should go someplace else */
693 out_creds
->times
.endtime
= in_creds
->times
.endtime
;
695 /* XXX should do better testing */
696 if (flags
.b
.cname_in_addl_tkt
|| impersonate_principal
)
697 eflags
|= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH
;
698 if (flags
.b
.request_anonymous
)
699 eflags
|= EXTRACT_TICKET_MATCH_ANON
;
701 state
.subkey
= subkey
;
702 state
.fast_state
= fast_state
;
704 ret
= _krb5_extract_ticket(context
,
714 decrypt_tkt_with_subkey
,
716 } else if(krb5_rd_error(context
, &resp
, &rep
.error
) == 0) {
719 memset(&md
, 0, sizeof(md
));
721 if (rep
.error
.e_data
) {
722 ret
= decode_METHOD_DATA(rep
.error
.e_data
->data
,
723 rep
.error
.e_data
->length
,
726 krb5_set_error_message(context
, ret
,
727 N_("Failed to decode METHOD-DATA", ""));
732 ret
= _krb5_fast_unwrap_error(context
, nonce
, fast_state
, &md
, &rep
.error
);
733 free_METHOD_DATA(&md
);
737 ret
= krb5_error_from_rd_error(context
, &rep
.error
, in_creds
);
739 /* log the failure */
740 if (_krb5_have_debug(context
, 5)) {
741 const char *str
= krb5_get_error_message(context
, ret
);
742 _krb5_debug(context
, 5, "parse_tgs_rep: KRB-ERROR %d/%s", ret
, str
);
743 krb5_free_error_message(context
, str
);
745 } else if(resp
.length
> 0 && ((char*)resp
.data
)[0] == 4) {
746 ret
= KRB5KRB_AP_ERR_V4_REPLY
;
747 krb5_clear_error_message(context
);
749 ret
= KRB5KRB_AP_ERR_MSG_TYPE
;
750 krb5_clear_error_message(context
);
754 krb5_free_kdc_rep(context
, &rep
);
755 if (second_ticket
== &second_ticket_data
)
756 free_Ticket(&second_ticket_data
);
757 free_METHOD_DATA(&padata
);
758 krb5_data_free(&resp
);
759 krb5_data_free(&enc
);
761 krb5_free_keyblock(context
, subkey
);
767 * same as above, just get local addresses first if the krbtgt have
768 * them and the realm is not addressless
771 static krb5_error_code
772 get_cred_kdc_address(krb5_context context
,
774 struct krb5_fast_state
*fast_state
,
775 krb5_kdc_flags flags
,
776 krb5_addresses
*addrs
,
777 krb5_creds
*in_creds
,
779 krb5_principal impersonate_principal
,
780 Ticket
*second_ticket
,
781 const char *kdc_hostname
,
782 const char *sitename
,
783 krb5_creds
*out_creds
)
786 krb5_addresses addresses
= { 0, NULL
};
789 * Inherit the address-ness of the krbtgt if the address is not
793 if (addrs
== NULL
&& krbtgt
->addresses
.len
!= 0) {
796 krb5_appdefault_boolean(context
, NULL
, krbtgt
->server
->realm
,
797 "no-addresses", FALSE
, &noaddr
);
800 ret
= krb5_get_all_client_addrs(context
, &addresses
);
803 /* XXX this sucks. */
805 if(addresses
.len
== 0)
809 ret
= get_cred_kdc(context
, id
, fast_state
, flags
, addrs
,
810 in_creds
, krbtgt
, impersonate_principal
,
811 second_ticket
, kdc_hostname
, sitename
, out_creds
);
812 krb5_free_addresses(context
, &addresses
);
816 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
817 krb5_get_kdc_cred(krb5_context context
,
819 krb5_kdc_flags flags
,
820 krb5_addresses
*addresses
,
821 Ticket
*second_ticket
,
822 krb5_creds
*in_creds
,
823 krb5_creds
**out_creds
828 struct krb5_fast_state fast_state
;
830 memset(&fast_state
, 0, sizeof(fast_state
));
832 *out_creds
= calloc(1, sizeof(**out_creds
));
833 if(*out_creds
== NULL
)
834 return krb5_enomem(context
);
835 ret
= _krb5_get_krbtgt (context
,
837 in_creds
->server
->realm
,
844 ret
= get_cred_kdc(context
, id
, &fast_state
, flags
,
845 addresses
, in_creds
, krbtgt
,
846 NULL
, NULL
, NULL
, NULL
, *out_creds
);
847 krb5_free_creds (context
, krbtgt
);
848 _krb5_fast_free(context
, &fast_state
);
857 not_found(krb5_context context
, krb5_const_principal p
, krb5_error_code code
)
863 ret
= krb5_unparse_name(context
, p
, &str
);
865 krb5_clear_error_message(context
);
868 err
= krb5_get_error_message(context
, code
);
869 krb5_set_error_message(context
, code
, N_("%s (%s)", ""), err
, str
);
870 krb5_free_error_message(context
, err
);
875 static krb5_error_code
876 find_cred(krb5_context context
,
878 krb5_principal server
,
880 krb5_creds
*out_creds
)
885 krb5_cc_clear_mcred(&mcreds
);
886 mcreds
.server
= server
;
887 krb5_timeofday(context
, &mcreds
.times
.endtime
);
888 ret
= krb5_cc_retrieve_cred(context
, id
,
889 KRB5_TC_DONT_MATCH_REALM
|
894 while(tgts
&& *tgts
){
895 if(krb5_compare_creds(context
, KRB5_TC_DONT_MATCH_REALM
,
897 ret
= krb5_copy_creds_contents(context
, *tgts
, out_creds
);
902 return not_found(context
, server
, KRB5_CC_NOTFOUND
);
905 static krb5_error_code
906 add_cred(krb5_context context
, krb5_creds
const *tkt
, krb5_creds
***tgts
)
910 krb5_creds
**tmp
= *tgts
;
912 for(i
= 0; tmp
&& tmp
[i
]; i
++); /* XXX */
913 tmp
= realloc(tmp
, (i
+2)*sizeof(*tmp
));
915 return krb5_enomem(context
);
917 ret
= krb5_copy_creds(context
, tkt
, &tmp
[i
]);
922 static krb5_error_code
923 get_cred_kdc_capath_worker(krb5_context context
,
924 krb5_kdc_flags flags
,
926 struct krb5_fast_state
*fast_state
,
927 krb5_creds
*in_creds
,
928 krb5_const_realm try_realm
,
929 krb5_principal impersonate_principal
,
930 Ticket
*second_ticket
,
931 const char *kdc_hostname
,
932 const char *sitename
,
933 krb5_creds
**out_creds
,
934 krb5_creds
***ret_tgts
)
937 krb5_creds
*tgt
= NULL
;
938 krb5_creds tmp_creds
;
939 krb5_const_realm client_realm
, server_realm
;
940 int ok_as_delegate
= 1;
942 *out_creds
= calloc(1, sizeof(**out_creds
));
943 if (*out_creds
== NULL
)
944 return krb5_enomem(context
);
946 memset(&tmp_creds
, 0, sizeof(tmp_creds
));
948 client_realm
= krb5_principal_get_realm(context
, in_creds
->client
);
949 server_realm
= krb5_principal_get_realm(context
, in_creds
->server
);
950 ret
= krb5_copy_principal(context
, in_creds
->client
, &tmp_creds
.client
);
954 ret
= krb5_make_principal(context
,
967 * If we have krbtgt/server_realm@try_realm cached, use it and we're
970 ret
= find_cred(context
, ccache
, tmp_creds
.server
,
973 /* only allow implicit ok_as_delegate if the realm is the clients realm */
974 if (strcmp(try_realm
, client_realm
) != 0
975 || strcmp(try_realm
, server_realm
) != 0) {
976 ok_as_delegate
= tgts
.flags
.b
.ok_as_delegate
;
979 ret
= get_cred_kdc_address(context
, ccache
, fast_state
,
982 impersonate_principal
,
987 krb5_free_cred_contents(context
, &tgts
);
989 !krb5_principal_compare(context
, in_creds
->server
,
990 (*out_creds
)->server
)) {
991 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
993 if (ret
== 0 && ok_as_delegate
== 0)
994 (*out_creds
)->flags
.b
.ok_as_delegate
= 0;
1000 if (krb5_realm_compare(context
, in_creds
->client
, in_creds
->server
)) {
1001 ret
= not_found(context
, in_creds
->server
, KRB5_CC_NOTFOUND
);
1006 * XXX This can loop forever, plus we recurse, so we can't just keep a
1007 * count here. The count would have to get passed around by reference.
1009 * The KDCs check for transit loops for us, and capath data is finite, so
1010 * in fact we'll fall out of this loop at some point. We should do our own
1011 * transit loop checking (like get_cred_kdc_referral()), and we should
1012 * impose a max number of iterations altogether. But barring malicious or
1013 * broken KDCs, this is good enough.
1016 heim_general_string tgt_inst
;
1018 ret
= get_cred_kdc_capath(context
, flags
, ccache
, fast_state
,
1019 &tmp_creds
, NULL
, NULL
,
1020 kdc_hostname
, sitename
,
1026 * if either of the chain or the ok_as_delegate was stripped
1027 * by the kdc, make sure we strip it too.
1029 if (ok_as_delegate
== 0 || tgt
->flags
.b
.ok_as_delegate
== 0) {
1031 tgt
->flags
.b
.ok_as_delegate
= 0;
1034 ret
= add_cred(context
, tgt
, ret_tgts
);
1037 tgt_inst
= tgt
->server
->name
.name_string
.val
[1];
1038 if (strcmp(tgt_inst
, server_realm
) == 0)
1040 krb5_free_principal(context
, tmp_creds
.server
);
1041 tmp_creds
.server
= NULL
;
1042 ret
= krb5_make_principal(context
, &tmp_creds
.server
,
1043 tgt_inst
, KRB5_TGS_NAME
, server_realm
, NULL
);
1046 ret
= krb5_free_creds(context
, tgt
);
1052 ret
= get_cred_kdc_address(context
, ccache
, fast_state
, flags
, NULL
,
1053 in_creds
, tgt
, impersonate_principal
,
1054 second_ticket
, kdc_hostname
, sitename
, *out_creds
);
1056 !krb5_principal_compare(context
, in_creds
->server
,
1057 (*out_creds
)->server
)) {
1058 krb5_free_cred_contents(context
, *out_creds
);
1059 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1061 if (ret
== 0 && ok_as_delegate
== 0)
1062 (*out_creds
)->flags
.b
.ok_as_delegate
= 0;
1066 krb5_free_creds(context
, *out_creds
);
1069 if (tmp_creds
.server
)
1070 krb5_free_principal(context
, tmp_creds
.server
);
1071 if (tmp_creds
.client
)
1072 krb5_free_principal(context
, tmp_creds
.client
);
1074 krb5_free_creds(context
, tgt
);
1080 creds = cc_get_cred(server)
1081 if(creds) return creds
1082 tgt = cc_get_cred(krbtgt/server_realm@any_realm)
1084 return get_cred_tgt(server, tgt)
1085 if(client_realm == server_realm)
1087 tgt = get_cred(krbtgt/server_realm@client_realm)
1088 while(tgt_inst != server_realm)
1089 tgt = get_cred(krbtgt/server_realm@tgt_inst)
1090 return get_cred_tgt(server, tgt)
1093 static krb5_error_code
1094 get_cred_kdc_capath(krb5_context context
,
1095 krb5_kdc_flags flags
,
1097 struct krb5_fast_state
*fast_state
,
1098 krb5_creds
*in_creds
,
1099 krb5_principal impersonate_principal
,
1100 Ticket
*second_ticket
,
1101 const char *kdc_hostname
,
1102 const char *sitename
,
1103 krb5_creds
**out_creds
,
1104 krb5_creds
***ret_tgts
)
1106 krb5_error_code ret
;
1107 krb5_const_realm client_realm
, server_realm
, try_realm
;
1109 client_realm
= krb5_principal_get_realm(context
, in_creds
->client
);
1110 server_realm
= krb5_principal_get_realm(context
, in_creds
->server
);
1112 try_realm
= client_realm
;
1113 ret
= get_cred_kdc_capath_worker(context
, flags
, ccache
, fast_state
,
1114 in_creds
, try_realm
, impersonate_principal
,
1115 second_ticket
, kdc_hostname
, sitename
,
1116 out_creds
, ret_tgts
);
1118 if (ret
== KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
) {
1119 try_realm
= krb5_config_get_string(context
, NULL
, "capaths",
1120 client_realm
, server_realm
, NULL
);
1122 if (try_realm
!= NULL
&& strcmp(try_realm
, client_realm
) != 0) {
1123 ret
= get_cred_kdc_capath_worker(context
, flags
, ccache
, fast_state
,
1124 in_creds
, try_realm
, impersonate_principal
,
1125 second_ticket
, kdc_hostname
, sitename
,
1126 out_creds
, ret_tgts
);
1133 static krb5_boolean
skip_referrals(krb5_principal server
,
1134 krb5_kdc_flags
*flags
)
1136 return server
->name
.name_string
.len
< 2 && !flags
->b
.canonicalize
;
1140 * Get a service ticket from a KDC by chasing referrals from a start realm.
1142 * All referral TGTs produced in the process are thrown away when we're done.
1143 * We don't store them, and we don't allow other search mechanisms (capaths) to
1144 * use referral TGTs produced here.
1146 static krb5_error_code
1147 get_cred_kdc_referral(krb5_context context
,
1148 krb5_kdc_flags flags
,
1150 struct krb5_fast_state
*fast_state
,
1151 krb5_creds
*in_creds
,
1152 krb5_principal impersonate_principal
,
1153 Ticket
*second_ticket
,
1154 const char *kdc_hostname
,
1155 const char *sitename
,
1156 krb5_creds
**out_creds
)
1158 krb5_realm start_realm
= NULL
;
1159 krb5_data config_start_realm
;
1160 krb5_error_code ret
;
1161 krb5_creds tgt
, referral
, ticket
;
1162 krb5_creds
**referral_tgts
= NULL
; /* used for loop detection */
1164 int ok_as_delegate
= 1;
1168 if (skip_referrals(in_creds
->server
, &flags
)) {
1169 krb5_set_error_message(context
, KRB5KDC_ERR_PATH_NOT_ACCEPTED
,
1170 N_("Name too short to do referals, skipping", ""));
1171 return KRB5KDC_ERR_PATH_NOT_ACCEPTED
;
1174 memset(&tgt
, 0, sizeof(tgt
));
1175 memset(&ticket
, 0, sizeof(ticket
));
1177 flags
.b
.canonicalize
= 1;
1182 ret
= krb5_cc_get_config(context
, ccache
, NULL
, "start_realm", &config_start_realm
);
1184 start_realm
= strndup(config_start_realm
.data
, config_start_realm
.length
);
1185 krb5_data_free(&config_start_realm
);
1187 start_realm
= strdup(krb5_principal_get_realm(context
, in_creds
->client
));
1189 if (start_realm
== NULL
)
1190 return krb5_enomem(context
);
1192 /* find tgt for the clients base realm */
1194 krb5_principal tgtname
;
1196 ret
= krb5_make_principal(context
, &tgtname
,
1206 ret
= find_cred(context
, ccache
, tgtname
, NULL
, &tgt
);
1207 krb5_free_principal(context
, tgtname
);
1215 * If the desired service principal service/host@REALM is not a TGT, start
1216 * by asking for a ticket for service/host@START_REALM and process referrals
1219 * However, when we ask for a TGT, krbtgt/A@B, we're actually looking for a
1220 * path to realm B, so that we can explicitly obtain a ticket for krbtgt/A
1221 * from B, and not some other realm. Therefore, in this case our starting
1222 * point will be krbtgt/B@START_REALM. Only once we obtain a ticket for
1223 * krbtgt/B@some-transit, do we switch to requesting krbtgt/A@B on our
1226 referral
= *in_creds
;
1227 want_tgt
= in_creds
->server
->realm
[0] != '\0' &&
1228 krb5_principal_is_krbtgt(context
, in_creds
->server
);
1230 ret
= krb5_copy_principal(context
, in_creds
->server
, &referral
.server
);
1232 ret
= krb5_make_principal(context
, &referral
.server
, start_realm
,
1233 KRB5_TGS_NAME
, in_creds
->server
->realm
, NULL
);
1236 krb5_free_cred_contents(context
, &tgt
);
1241 ret
= krb5_principal_set_realm(context
, referral
.server
, start_realm
);
1245 krb5_free_cred_contents(context
, &tgt
);
1246 krb5_free_principal(context
, referral
.server
);
1250 while (loop
++ < 17) {
1251 krb5_creds
**tickets
;
1253 char *referral_realm
;
1255 /* Use cache if we are not doing impersonation or contrained deleg */
1256 if (impersonate_principal
== NULL
&& !flags
.b
.cname_in_addl_tkt
) {
1257 krb5_cc_clear_mcred(&mcreds
);
1258 mcreds
.server
= referral
.server
;
1259 krb5_timeofday(context
, &mcreds
.times
.endtime
);
1260 ret
= krb5_cc_retrieve_cred(context
, ccache
, KRB5_TC_MATCH_TIMES
,
1266 ret
= get_cred_kdc_address(context
, ccache
, fast_state
, flags
, NULL
,
1267 &referral
, &tgt
, impersonate_principal
,
1268 second_ticket
, kdc_hostname
, sitename
, &ticket
);
1274 * Did we get the right ticket?
1276 * If we weren't asking for a TGT, then we don't mind if we took a realm
1277 * change (referral.server has a referral realm, not necessarily the
1280 * However, if we were looking for a TGT (which wouldn't be the start
1281 * TGT, since that one must be in the ccache) then we actually want the
1282 * one from the realm we wanted, since otherwise a _referral_ will
1283 * confuse us and we will store that referral. In Heimdal we mostly
1284 * never ask krb5_get_cred*() for TGTs, but some sites have code to ask
1285 * for a ktbgt/REMOTE.REALM@REMOTE.REALM, and one could always use
1286 * kgetcred(1) to get here asking for a krbtgt/C@D and we need to handle
1287 * the case where last hop we get is krbtgt/C@B (in which case we must
1288 * stop so we don't beat up on B for the remaining tries).
1291 krb5_principal_compare(context
, referral
.server
, ticket
.server
))
1294 if (!krb5_principal_is_krbtgt(context
, ticket
.server
)) {
1295 krb5_set_error_message(context
, KRB5KRB_AP_ERR_NOT_US
,
1296 N_("Got back an non krbtgt "
1297 "ticket referrals", ""));
1298 ret
= KRB5KRB_AP_ERR_NOT_US
;
1302 referral_realm
= ticket
.server
->name
.name_string
.val
[1];
1304 /* check that there are no referrals loops */
1305 tickets
= referral_tgts
;
1307 krb5_cc_clear_mcred(&mcreds
);
1308 mcreds
.server
= ticket
.server
;
1310 while (tickets
&& *tickets
){
1311 if (krb5_compare_creds(context
,
1312 KRB5_TC_DONT_MATCH_REALM
,
1315 krb5_set_error_message(context
, KRB5_GET_IN_TKT_LOOP
,
1316 N_("Referral from %s "
1317 "loops back to realm %s", ""),
1320 ret
= KRB5_GET_IN_TKT_LOOP
;
1327 * if either of the chain or the ok_as_delegate was stripped
1328 * by the kdc, make sure we strip it too.
1331 if (ok_as_delegate
== 0 || ticket
.flags
.b
.ok_as_delegate
== 0) {
1333 ticket
.flags
.b
.ok_as_delegate
= 0;
1336 _krb5_debug(context
, 6, "get_cred_kdc_referral: got referral "
1337 "to %s from %s", referral_realm
, referral
.server
->realm
);
1338 ret
= add_cred(context
, &ticket
, &referral_tgts
);
1342 /* try realm in the referral */
1343 if (!want_tgt
|| strcmp(referral_realm
, in_creds
->server
->realm
) != 0)
1344 ret
= krb5_principal_set_realm(context
,
1349 * Now that we have a ticket for the desired realm, we reset
1350 * want_tgt and reinstate the desired principal so that the we can
1351 * match it and break out of the loop.
1354 krb5_free_principal(context
, referral
.server
);
1355 referral
.server
= NULL
;
1356 ret
= krb5_copy_principal(context
, in_creds
->server
, &referral
.server
);
1358 krb5_free_cred_contents(context
, &tgt
);
1360 memset(&ticket
, 0, sizeof(ticket
));
1365 ret
= krb5_copy_creds(context
, &ticket
, out_creds
);
1368 for (i
= 0; referral_tgts
&& referral_tgts
[i
]; i
++)
1369 krb5_free_creds(context
, referral_tgts
[i
]);
1370 free(referral_tgts
);
1371 krb5_free_principal(context
, referral
.server
);
1372 krb5_free_cred_contents(context
, &tgt
);
1373 krb5_free_cred_contents(context
, &ticket
);
1379 * Glue function between referrals version and old client chasing
1383 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1384 _krb5_get_cred_kdc_any(krb5_context context
,
1385 krb5_kdc_flags flags
,
1387 struct krb5_fast_state
*fast_state
,
1388 krb5_creds
*in_creds
,
1389 krb5_principal impersonate_principal
,
1390 Ticket
*second_ticket
,
1391 krb5_creds
**out_creds
,
1392 krb5_creds
***ret_tgts
)
1394 char *kdc_hostname
= NULL
;
1395 char *sitename
= NULL
;
1396 krb5_error_code ret
;
1400 krb5_data_zero(&data
);
1403 * If we are using LKDC, lets pull out the addreses from the
1404 * ticket and use that.
1407 ret
= krb5_cc_get_config(context
, ccache
, NULL
, "lkdc-hostname", &data
);
1409 if ((kdc_hostname
= strndup(data
.data
, data
.length
)) == NULL
) {
1410 ret
= krb5_enomem(context
);
1413 krb5_data_free(&data
);
1416 ret
= krb5_cc_get_config(context
, ccache
, NULL
, "sitename", &data
);
1418 if ((sitename
= strndup(data
.data
, data
.length
)) == NULL
) {
1419 ret
= krb5_enomem(context
);
1422 krb5_data_free(&data
);
1425 ret
= krb5_cc_get_kdc_offset(context
, ccache
, &offset
);
1427 context
->kdc_sec_offset
= offset
;
1428 context
->kdc_usec_offset
= 0;
1431 if (strcmp(in_creds
->server
->realm
, "") != 0) {
1433 * Non-empty realm? Try capaths first. We might have local
1434 * policy (capaths) to honor.
1436 ret
= get_cred_kdc_capath(context
,
1441 impersonate_principal
,
1447 if (ret
== 0 || skip_referrals(in_creds
->server
, &flags
))
1451 /* Otherwise try referrals */
1452 ret
= get_cred_kdc_referral(context
,
1457 impersonate_principal
,
1464 krb5_data_free(&data
);
1470 static krb5_error_code
1471 check_cc(krb5_context context
, krb5_flags options
, krb5_ccache ccache
,
1472 krb5_creds
*in_creds
, krb5_creds
*out_creds
)
1474 krb5_error_code ret
;
1476 krb5_creds mcreds
= *in_creds
;
1478 krb5_timeofday(context
, &now
);
1480 if (!(options
& KRB5_GC_EXPIRED_OK
) &&
1481 mcreds
.times
.endtime
< now
) {
1482 mcreds
.times
.renew_till
= 0;
1483 krb5_timeofday(context
, &mcreds
.times
.endtime
);
1484 options
|= KRB5_TC_MATCH_TIMES
;
1487 if (mcreds
.server
->name
.name_type
== KRB5_NT_SRV_HST_NEEDS_CANON
) {
1488 /* Avoid name canonicalization in krb5_cc_retrieve_cred() */
1489 krb5_principal_set_type(context
, mcreds
.server
, KRB5_NT_SRV_HST
);
1492 if (options
& KRB5_GC_ANONYMOUS
) {
1493 ret
= krb5_make_principal(context
,
1495 krb5_principal_get_realm(context
, mcreds
.client
),
1496 KRB5_WELLKNOWN_NAME
,
1503 ret
= krb5_cc_retrieve_cred(context
, ccache
,
1505 (KRB5_TC_DONT_MATCH_REALM
|
1506 KRB5_TC_MATCH_KEYTYPE
|
1507 KRB5_TC_MATCH_TIMES
)),
1508 &mcreds
, out_creds
);
1510 if (options
& KRB5_GC_ANONYMOUS
)
1511 krb5_free_principal(context
, mcreds
.client
);
1513 if (ret
== 0 && out_creds
->server
->realm
&&
1514 out_creds
->server
->realm
[0] == '\0') {
1518 * We only write tickets to the ccache that have been validated, as in,
1519 * the sname/srealm from the KDC-REP enc-part have been checked to
1520 * match the sname/realm from the Ticket from the KDC-REP.
1522 * Our caller needs the canonical realm of the service in order to be
1523 * able to get forwarded credentials for it when destination-TGT
1524 * forwarding is enabled.
1526 * As well, gss_init_sec_context() ought to arrange for
1527 * gss_inquire_context() to output the canonical acceptor name on the
1530 ret
= decode_Ticket(out_creds
->ticket
.data
, out_creds
->ticket
.length
,
1533 ret
= krb5_principal_set_realm(context
, out_creds
->server
,
1535 free_Ticket(&ticket
);
1537 krb5_free_cred_contents(context
, out_creds
);
1544 store_cred(krb5_context context
, krb5_ccache ccache
,
1545 krb5_const_principal server_princ
, krb5_creds
*creds
)
1547 if (context
->no_ticket_store
)
1549 if (!krb5_principal_compare(context
, creds
->server
, server_princ
) &&
1550 !krb5_principal_is_krbtgt(context
, server_princ
)) {
1551 krb5_principal tmp_princ
= creds
->server
;
1553 * Store the cred with the pre-canon server princ first so it
1554 * can be found quickly in the future.
1556 creds
->server
= (krb5_principal
)server_princ
;
1557 krb5_cc_store_cred(context
, ccache
, creds
);
1558 creds
->server
= tmp_princ
;
1559 /* Then store again with the canonicalized server princ */
1561 krb5_cc_store_cred(context
, ccache
, creds
);
1565 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1566 krb5_get_credentials_with_flags(krb5_context context
,
1568 krb5_kdc_flags flags
,
1570 krb5_creds
*in_creds
,
1571 krb5_creds
**out_creds
)
1573 struct krb5_fast_state fast_state
;
1574 krb5_error_code ret
;
1575 krb5_name_canon_iterator name_canon_iter
= NULL
;
1576 krb5_name_canon_rule_options rule_opts
;
1577 krb5_const_principal try_princ
= NULL
;
1578 krb5_principal save_princ
= in_creds
->server
;
1580 krb5_creds
*res_creds
;
1583 memset(&fast_state
, 0, sizeof(fast_state
));
1585 if (_krb5_have_debug(context
, 5)) {
1588 ret
= krb5_unparse_name(context
, in_creds
->server
, &unparsed
);
1590 _krb5_debug(context
, 5, "krb5_get_creds: unable to display "
1591 "requested service principal");
1593 _krb5_debug(context
, 5, "krb5_get_creds: requesting a ticket "
1594 "for %s", unparsed
);
1599 if (in_creds
->session
.keytype
) {
1600 ret
= krb5_enctype_valid(context
, in_creds
->session
.keytype
);
1603 options
|= KRB5_TC_MATCH_KEYTYPE
;
1607 res_creds
= calloc(1, sizeof(*res_creds
));
1608 if (res_creds
== NULL
)
1609 return krb5_enomem(context
);
1611 ret
= krb5_name_canon_iterator_start(context
, in_creds
->server
,
1617 krb5_free_cred_contents(context
, res_creds
);
1618 memset(res_creds
, 0, sizeof (*res_creds
));
1619 ret
= krb5_name_canon_iterate(context
, &name_canon_iter
, &try_princ
,
1621 in_creds
->server
= rk_UNCONST(try_princ
);
1625 if (name_canon_iter
== NULL
) {
1626 if (options
& KRB5_GC_CACHED
)
1627 ret
= KRB5_CC_NOTFOUND
;
1629 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1633 ret
= check_cc(context
, options
, ccache
, in_creds
, res_creds
);
1635 *out_creds
= res_creds
;
1638 } else if(ret
!= KRB5_CC_END
) {
1641 if (options
& KRB5_GC_CACHED
)
1644 if(options
& KRB5_GC_USER_USER
)
1645 flags
.b
.enc_tkt_in_skey
= 1;
1646 if (flags
.b
.enc_tkt_in_skey
)
1647 options
|= KRB5_GC_NO_STORE
;
1650 ret
= _krb5_get_cred_kdc_any(context
, flags
, ccache
, &fast_state
,
1651 in_creds
, NULL
, NULL
, out_creds
, &tgts
);
1652 for (i
= 0; tgts
&& tgts
[i
]; i
++) {
1653 if ((options
& KRB5_GC_NO_STORE
) == 0)
1654 krb5_cc_store_cred(context
, ccache
, tgts
[i
]);
1655 krb5_free_creds(context
, tgts
[i
]);
1659 /* We don't yet have TGS w/ FAST, so we can't protect KBR-ERRORs */
1660 if (ret
== KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
&&
1661 !(rule_opts
& KRB5_NCRO_USE_FAST
))
1664 if(ret
== 0 && (options
& KRB5_GC_NO_STORE
) == 0)
1665 store_cred(context
, ccache
, in_creds
->server
, *out_creds
);
1667 if (ret
== 0 && _krb5_have_debug(context
, 5)) {
1670 ret
= krb5_unparse_name(context
, (*out_creds
)->server
, &unparsed
);
1672 _krb5_debug(context
, 5, "krb5_get_creds: unable to display "
1673 "service principal");
1675 _krb5_debug(context
, 5, "krb5_get_creds: got a ticket for %s",
1682 in_creds
->server
= save_princ
;
1683 krb5_free_creds(context
, res_creds
);
1684 krb5_free_name_canon_iterator(context
, name_canon_iter
);
1685 _krb5_fast_free(context
, &fast_state
);
1687 return not_found(context
, in_creds
->server
, ret
);
1691 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1692 krb5_get_credentials(krb5_context context
,
1695 krb5_creds
*in_creds
,
1696 krb5_creds
**out_creds
)
1698 krb5_kdc_flags flags
;
1700 return krb5_get_credentials_with_flags(context
, options
, flags
,
1701 ccache
, in_creds
, out_creds
);
1704 struct krb5_get_creds_opt_data
{
1705 krb5_principal self
;
1707 krb5_enctype enctype
;
1712 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1713 krb5_get_creds_opt_alloc(krb5_context context
, krb5_get_creds_opt
*opt
)
1715 *opt
= calloc(1, sizeof(**opt
));
1717 return krb5_enomem(context
);
1721 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1722 krb5_get_creds_opt_free(krb5_context context
, krb5_get_creds_opt opt
)
1725 krb5_free_principal(context
, opt
->self
);
1727 free_Ticket(opt
->ticket
);
1730 memset(opt
, 0, sizeof(*opt
));
1734 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1735 krb5_get_creds_opt_set_options(krb5_context context
,
1736 krb5_get_creds_opt opt
,
1739 opt
->options
= options
;
1742 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1743 krb5_get_creds_opt_add_options(krb5_context context
,
1744 krb5_get_creds_opt opt
,
1747 opt
->options
|= options
;
1750 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1751 krb5_get_creds_opt_set_enctype(krb5_context context
,
1752 krb5_get_creds_opt opt
,
1753 krb5_enctype enctype
)
1755 opt
->enctype
= enctype
;
1758 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1759 krb5_get_creds_opt_set_impersonate(krb5_context context
,
1760 krb5_get_creds_opt opt
,
1761 krb5_const_principal self
)
1764 krb5_free_principal(context
, opt
->self
);
1765 return krb5_copy_principal(context
, self
, &opt
->self
);
1768 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1769 krb5_get_creds_opt_set_ticket(krb5_context context
,
1770 krb5_get_creds_opt opt
,
1771 const Ticket
*ticket
)
1774 free_Ticket(opt
->ticket
);
1779 krb5_error_code ret
;
1781 opt
->ticket
= malloc(sizeof(*ticket
));
1782 if (opt
->ticket
== NULL
)
1783 return krb5_enomem(context
);
1784 ret
= copy_Ticket(ticket
, opt
->ticket
);
1788 krb5_set_error_message(context
, ret
,
1789 N_("malloc: out of memory", ""));
1797 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1798 krb5_get_creds(krb5_context context
,
1799 krb5_get_creds_opt opt
,
1801 krb5_const_principal inprinc
,
1802 krb5_creds
**out_creds
)
1804 struct krb5_fast_state fast_state
;
1805 krb5_kdc_flags flags
;
1807 krb5_creds in_creds
;
1808 krb5_error_code ret
;
1810 krb5_creds
*res_creds
;
1811 krb5_const_principal try_princ
= NULL
;
1812 krb5_name_canon_iterator name_canon_iter
= NULL
;
1813 krb5_name_canon_rule_options rule_opts
;
1818 memset(&fast_state
, 0, sizeof(fast_state
));
1819 memset(&in_creds
, 0, sizeof(in_creds
));
1820 in_creds
.server
= rk_UNCONST(inprinc
);
1822 if (_krb5_have_debug(context
, 5)) {
1825 ret
= krb5_unparse_name(context
, in_creds
.server
, &unparsed
);
1827 _krb5_debug(context
, 5, "krb5_get_creds: unable to display "
1828 "requested service principal");
1830 _krb5_debug(context
, 5, "krb5_get_creds: requesting a ticket "
1831 "for %s", unparsed
);
1836 if (opt
&& opt
->enctype
) {
1837 ret
= krb5_enctype_valid(context
, opt
->enctype
);
1842 ret
= krb5_cc_get_principal(context
, ccache
, &in_creds
.client
);
1847 options
= opt
->options
;
1853 res_creds
= calloc(1, sizeof(*res_creds
));
1854 if (res_creds
== NULL
) {
1855 krb5_free_principal(context
, in_creds
.client
);
1856 return krb5_enomem(context
);
1859 if (opt
&& opt
->enctype
) {
1860 in_creds
.session
.keytype
= opt
->enctype
;
1861 options
|= KRB5_TC_MATCH_KEYTYPE
;
1864 ret
= krb5_name_canon_iterator_start(context
, in_creds
.server
,
1870 ret
= krb5_name_canon_iterate(context
, &name_canon_iter
, &try_princ
,
1872 in_creds
.server
= rk_UNCONST(try_princ
);
1876 if (name_canon_iter
== NULL
) {
1877 if (options
& KRB5_GC_CACHED
)
1878 ret
= KRB5_CC_NOTFOUND
;
1880 ret
= KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
;
1884 if ((options
& KRB5_GC_CONSTRAINED_DELEGATION
) == 0) {
1885 ret
= check_cc(context
, options
, ccache
, &in_creds
, res_creds
);
1887 *out_creds
= res_creds
;
1890 } else if (ret
!= KRB5_CC_END
) {
1894 if (options
& KRB5_GC_CACHED
)
1897 type
= krb5_principal_get_type(context
, try_princ
);
1898 comp
= krb5_principal_get_comp_string(context
, try_princ
, 0);
1899 if ((type
== KRB5_NT_SRV_HST
|| type
== KRB5_NT_UNKNOWN
) &&
1900 comp
!= NULL
&& strcmp(comp
, "host") == 0)
1901 flags
.b
.canonicalize
= 1;
1902 if (rule_opts
& KRB5_NCRO_NO_REFERRALS
)
1903 flags
.b
.canonicalize
= 0;
1905 flags
.b
.canonicalize
= (options
& KRB5_GC_CANONICALIZE
) ? 1 : 0;
1906 if (options
& KRB5_GC_USER_USER
) {
1907 flags
.b
.enc_tkt_in_skey
= 1;
1908 options
|= KRB5_GC_NO_STORE
;
1910 if (options
& KRB5_GC_FORWARDABLE
)
1911 flags
.b
.forwardable
= 1;
1912 if (options
& KRB5_GC_NO_TRANSIT_CHECK
)
1913 flags
.b
.disable_transited_check
= 1;
1914 if (options
& KRB5_GC_CONSTRAINED_DELEGATION
)
1915 flags
.b
.cname_in_addl_tkt
= 1;
1916 if (options
& KRB5_GC_ANONYMOUS
)
1917 flags
.b
.request_anonymous
= 1;
1920 ret
= _krb5_get_cred_kdc_any(context
, flags
, ccache
, &fast_state
,
1921 &in_creds
, opt
? opt
->self
: 0,
1922 opt
? opt
->ticket
: 0, out_creds
,
1924 for (i
= 0; tgts
&& tgts
[i
]; i
++) {
1925 if ((options
& KRB5_GC_NO_STORE
) == 0)
1926 krb5_cc_store_cred(context
, ccache
, tgts
[i
]);
1927 krb5_free_creds(context
, tgts
[i
]);
1931 /* We don't yet have TGS w/ FAST, so we can't protect KBR-ERRORs */
1932 if (ret
== KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
&&
1933 !(rule_opts
& KRB5_NCRO_USE_FAST
))
1936 if (ret
== 0 && (options
& KRB5_GC_NO_STORE
) == 0)
1937 store_cred(context
, ccache
, inprinc
, *out_creds
);
1939 if (ret
== 0 && _krb5_have_debug(context
, 5)) {
1942 ret
= krb5_unparse_name(context
, (*out_creds
)->server
, &unparsed
);
1944 _krb5_debug(context
, 5, "krb5_get_creds: unable to display "
1945 "service principal");
1947 _krb5_debug(context
, 5, "krb5_get_creds: got a ticket for %s",
1954 _krb5_fast_free(context
, &fast_state
);
1955 krb5_free_creds(context
, res_creds
);
1956 krb5_free_principal(context
, in_creds
.client
);
1957 krb5_free_name_canon_iterator(context
, name_canon_iter
);
1959 return not_found(context
, inprinc
, ret
);
1967 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1968 krb5_get_renewed_creds(krb5_context context
,
1970 krb5_const_principal client
,
1972 const char *in_tkt_service
)
1974 krb5_error_code ret
;
1975 krb5_kdc_flags flags
;
1976 krb5_creds in
, *template, *out
= NULL
;
1978 memset(&in
, 0, sizeof(in
));
1979 memset(creds
, 0, sizeof(*creds
));
1981 ret
= krb5_copy_principal(context
, client
, &in
.client
);
1985 if (in_tkt_service
) {
1986 ret
= krb5_parse_name(context
, in_tkt_service
, &in
.server
);
1988 krb5_free_principal(context
, in
.client
);
1992 const char *realm
= krb5_principal_get_realm(context
, client
);
1994 ret
= krb5_make_principal(context
, &in
.server
, realm
, KRB5_TGS_NAME
,
1997 krb5_free_principal(context
, in
.client
);
2003 flags
.b
.renewable
= flags
.b
.renew
= 1;
2006 * Get template from old credential cache for the same entry, if
2007 * this failes, no worries.
2009 ret
= krb5_get_credentials(context
, KRB5_GC_CACHED
, ccache
, &in
, &template);
2011 flags
.b
.forwardable
= template->flags
.b
.forwardable
;
2012 flags
.b
.proxiable
= template->flags
.b
.proxiable
;
2013 krb5_free_creds (context
, template);
2016 ret
= krb5_get_kdc_cred(context
, ccache
, flags
, NULL
, NULL
, &in
, &out
);
2017 krb5_free_principal(context
, in
.client
);
2018 krb5_free_principal(context
, in
.server
);
2022 ret
= krb5_copy_creds_contents(context
, out
, creds
);
2023 krb5_free_creds(context
, out
);