2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "krb5_locl.h"
38 typedef struct krb5_get_init_creds_ctx
{
41 krb5_addresses
*addrs
;
43 krb5_preauthtype
*pre_auth_types
;
52 /* password and keytab_data is freed on completion */
54 krb5_keytab_key_proc_args
*keytab_data
;
56 krb5_pointer
*keyseed
;
57 krb5_s2k_proc keyproc
;
59 krb5_get_init_creds_tristate req_pac
;
61 krb5_pk_init_ctx pk_init_ctx
;
66 #define USED_PKINIT_W2K 2
67 #define USED_ENC_TS_GUESS 4
68 #define USED_ENC_TS_INFO 8
73 EncKDCRepPart enc_part
;
75 krb5_prompter_fct prompter
;
78 struct pa_info_data
*ppaid
;
81 #define KRB5_FAST_REPLY_KEY_USE_TO_ENCRYPT_THE_REPLY 1
82 #define KRB5_FAST_REPLY_KEY_USE_IN_TRANSACTION 2
83 #define KRB5_FAST_KDC_REPLY_KEY_REPLACED 4
84 #define KRB5_FAST_REPLY_REPLY_VERIFED 8
85 #define KRB5_FAST_STRONG 16
86 krb5_keyblock
*reply_key
;
89 } krb5_get_init_creds_ctx
;
99 free_paid(krb5_context context
, struct pa_info_data
*ppaid
)
101 krb5_free_salt(context
, ppaid
->salt
);
102 if (ppaid
->s2kparams
)
103 krb5_free_data(context
, ppaid
->s2kparams
);
106 static krb5_error_code KRB5_CALLCONV
107 default_s2k_func(krb5_context context
, krb5_enctype type
,
108 krb5_const_pointer keyseed
,
109 krb5_salt salt
, krb5_data
*s2kparms
,
116 _krb5_debug(context
, 5, "krb5_get_init_creds: using default_s2k_func");
118 password
.data
= rk_UNCONST(keyseed
);
119 password
.length
= strlen(keyseed
);
123 krb5_data_zero(&opaque
);
125 *key
= malloc(sizeof(**key
));
128 ret
= krb5_string_to_key_data_salt_opaque(context
, type
, password
,
138 free_init_creds_ctx(krb5_context context
, krb5_init_creds_context ctx
)
142 if (ctx
->pre_auth_types
)
143 free (ctx
->pre_auth_types
);
144 if (ctx
->in_tkt_service
)
145 free(ctx
->in_tkt_service
);
146 if (ctx
->keytab_data
)
147 free(ctx
->keytab_data
);
149 memset(ctx
->password
, 0, strlen(ctx
->password
));
152 krb5_data_free(&ctx
->req_buffer
);
153 krb5_free_cred_contents(context
, &ctx
->cred
);
154 free_METHOD_DATA(&ctx
->md
);
155 free_AS_REP(&ctx
->as_rep
);
156 free_EncKDCRepPart(&ctx
->enc_part
);
157 free_KRB_ERROR(&ctx
->error
);
158 free_AS_REQ(&ctx
->as_req
);
160 free_paid(context
, ctx
->ppaid
);
163 memset(ctx
, 0, sizeof(*ctx
));
167 get_config_time (krb5_context context
,
174 ret
= krb5_config_get_time (context
, NULL
,
181 ret
= krb5_config_get_time (context
, NULL
,
190 static krb5_error_code
191 init_cred (krb5_context context
,
193 krb5_principal client
,
194 krb5_deltat start_time
,
195 krb5_get_init_creds_opt
*options
)
201 krb5_timeofday (context
, &now
);
203 memset (cred
, 0, sizeof(*cred
));
206 krb5_copy_principal(context
, client
, &cred
->client
);
208 ret
= krb5_get_default_principal (context
,
215 cred
->times
.starttime
= now
+ start_time
;
217 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_TKT_LIFE
)
218 tmp
= options
->tkt_life
;
221 cred
->times
.endtime
= now
+ tmp
;
223 if ((options
->flags
& KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE
) &&
224 options
->renew_life
> 0) {
225 cred
->times
.renew_till
= now
+ options
->renew_life
;
231 krb5_free_cred_contents (context
, cred
);
236 * Print a message (str) to the user about the expiration in `lr'
240 report_expiration (krb5_context context
,
241 krb5_prompter_fct prompter
,
248 if (asprintf(&p
, "%s%s", str
, ctime(&now
)) < 0 || p
== NULL
)
250 (*prompter
)(context
, data
, NULL
, p
, 0, NULL
);
255 * Check the context, and in the case there is a expiration warning,
256 * use the prompter to print the warning.
258 * @param context A Kerberos 5 context.
259 * @param options An GIC options structure
260 * @param ctx The krb5_init_creds_context check for expiration.
263 static krb5_error_code
264 process_last_request(krb5_context context
,
265 krb5_get_init_creds_opt
*options
,
266 krb5_init_creds_context ctx
)
268 krb5_const_realm realm
;
270 krb5_boolean reported
= FALSE
;
276 * First check if there is a API consumer.
279 realm
= krb5_principal_get_realm (context
, ctx
->cred
.client
);
280 lr
= &ctx
->enc_part
.last_req
;
282 if (options
&& options
->opt_private
&& options
->opt_private
->lr
.func
) {
283 krb5_last_req_entry
**lre
;
285 lre
= calloc(lr
->len
+ 1, sizeof(**lre
));
287 krb5_set_error_message(context
, ENOMEM
,
288 N_("malloc: out of memory", ""));
291 for (i
= 0; i
< lr
->len
; i
++) {
292 lre
[i
] = calloc(1, sizeof(*lre
[i
]));
295 lre
[i
]->lr_type
= lr
->val
[i
].lr_type
;
296 lre
[i
]->value
= lr
->val
[i
].lr_value
;
299 (*options
->opt_private
->lr
.func
)(context
, lre
,
300 options
->opt_private
->lr
.ctx
);
302 for (i
= 0; i
< lr
->len
; i
++)
308 * Now check if we should prompt the user
311 if (ctx
->prompter
== NULL
)
314 krb5_timeofday (context
, &sec
);
316 t
= sec
+ get_config_time (context
,
321 for (i
= 0; i
< lr
->len
; ++i
) {
322 if (lr
->val
[i
].lr_value
<= t
) {
323 switch (abs(lr
->val
[i
].lr_type
)) {
325 report_expiration(context
, ctx
->prompter
,
327 "Your password will expire at ",
328 lr
->val
[i
].lr_value
);
331 case LR_ACCT_EXPTIME
:
332 report_expiration(context
, ctx
->prompter
,
334 "Your account will expire at ",
335 lr
->val
[i
].lr_value
);
343 && ctx
->enc_part
.key_expiration
344 && *ctx
->enc_part
.key_expiration
<= t
) {
345 report_expiration(context
, ctx
->prompter
,
347 "Your password/account will expire at ",
348 *ctx
->enc_part
.key_expiration
);
353 static krb5_addresses no_addrs
= { 0, NULL
};
355 static krb5_error_code
356 get_init_creds_common(krb5_context context
,
357 krb5_principal client
,
358 krb5_deltat start_time
,
359 krb5_get_init_creds_opt
*options
,
360 krb5_init_creds_context ctx
)
362 krb5_get_init_creds_opt
*default_opt
= NULL
;
364 krb5_enctype
*etypes
;
365 krb5_preauthtype
*pre_auth_types
;
367 memset(ctx
, 0, sizeof(*ctx
));
369 if (options
== NULL
) {
370 const char *realm
= krb5_principal_get_realm(context
, client
);
372 krb5_get_init_creds_opt_alloc (context
, &default_opt
);
373 options
= default_opt
;
374 krb5_get_init_creds_opt_set_default_flags(context
, NULL
, realm
, options
);
377 if (options
->opt_private
) {
378 if (options
->opt_private
->password
) {
379 ret
= krb5_init_creds_set_password(context
, ctx
,
380 options
->opt_private
->password
);
385 ctx
->keyproc
= options
->opt_private
->key_proc
;
386 ctx
->req_pac
= options
->opt_private
->req_pac
;
387 ctx
->pk_init_ctx
= options
->opt_private
->pk_init_ctx
;
388 ctx
->ic_flags
= options
->opt_private
->flags
;
390 ctx
->req_pac
= KRB5_INIT_CREDS_TRISTATE_UNSET
;
392 if (ctx
->keyproc
== NULL
)
393 ctx
->keyproc
= default_s2k_func
;
395 /* Enterprise name implicitly turns on canonicalize */
396 if ((ctx
->ic_flags
& KRB5_INIT_CREDS_CANONICALIZE
) ||
397 krb5_principal_get_type(context
, client
) == KRB5_NT_ENTERPRISE_PRINCIPAL
)
398 ctx
->flags
.canonicalize
= 1;
400 ctx
->pre_auth_types
= NULL
;
403 ctx
->pre_auth_types
= NULL
;
405 ret
= init_cred(context
, &ctx
->cred
, client
, start_time
, options
);
408 krb5_get_init_creds_opt_free(context
, default_opt
);
412 ret
= krb5_init_creds_set_service(context
, ctx
, NULL
);
416 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_FORWARDABLE
)
417 ctx
->flags
.forwardable
= options
->forwardable
;
419 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_PROXIABLE
)
420 ctx
->flags
.proxiable
= options
->proxiable
;
423 ctx
->flags
.postdated
= 1;
424 if (ctx
->cred
.times
.renew_till
)
425 ctx
->flags
.renewable
= 1;
426 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST
) {
427 ctx
->addrs
= options
->address_list
;
428 } else if (options
->opt_private
) {
429 switch (options
->opt_private
->addressless
) {
430 case KRB5_INIT_CREDS_TRISTATE_UNSET
:
431 #if KRB5_ADDRESSLESS_DEFAULT == TRUE
432 ctx
->addrs
= &no_addrs
;
437 case KRB5_INIT_CREDS_TRISTATE_FALSE
:
440 case KRB5_INIT_CREDS_TRISTATE_TRUE
:
441 ctx
->addrs
= &no_addrs
;
445 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST
) {
449 etypes
= malloc((options
->etype_list_length
+ 1)
450 * sizeof(krb5_enctype
));
451 if (etypes
== NULL
) {
453 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
456 memcpy (etypes
, options
->etype_list
,
457 options
->etype_list_length
* sizeof(krb5_enctype
));
458 etypes
[options
->etype_list_length
] = ETYPE_NULL
;
459 ctx
->etypes
= etypes
;
461 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST
) {
462 pre_auth_types
= malloc((options
->preauth_list_length
+ 1)
463 * sizeof(krb5_preauthtype
));
464 if (pre_auth_types
== NULL
) {
466 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
469 memcpy (pre_auth_types
, options
->preauth_list
,
470 options
->preauth_list_length
* sizeof(krb5_preauthtype
));
471 pre_auth_types
[options
->preauth_list_length
] = KRB5_PADATA_NONE
;
472 ctx
->pre_auth_types
= pre_auth_types
;
474 if (options
->flags
& KRB5_GET_INIT_CREDS_OPT_ANONYMOUS
)
475 ctx
->flags
.request_anonymous
= options
->anonymous
;
477 krb5_get_init_creds_opt_free(context
, default_opt
);
481 krb5_get_init_creds_opt_free(context
, default_opt
);
485 static krb5_error_code
486 change_password (krb5_context context
,
487 krb5_principal client
,
488 const char *password
,
491 krb5_prompter_fct prompter
,
493 krb5_get_init_creds_opt
*old_options
)
495 krb5_prompt prompts
[2];
498 char buf1
[BUFSIZ
], buf2
[BUFSIZ
];
499 krb5_data password_data
[2];
501 krb5_data result_code_string
;
502 krb5_data result_string
;
504 krb5_get_init_creds_opt
*options
;
506 memset (&cpw_cred
, 0, sizeof(cpw_cred
));
508 ret
= krb5_get_init_creds_opt_alloc(context
, &options
);
511 krb5_get_init_creds_opt_set_tkt_life (options
, 60);
512 krb5_get_init_creds_opt_set_forwardable (options
, FALSE
);
513 krb5_get_init_creds_opt_set_proxiable (options
, FALSE
);
514 if (old_options
&& old_options
->flags
& KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST
)
515 krb5_get_init_creds_opt_set_preauth_list (options
,
516 old_options
->preauth_list
,
517 old_options
->preauth_list_length
);
519 krb5_data_zero (&result_code_string
);
520 krb5_data_zero (&result_string
);
522 ret
= krb5_get_init_creds_password (context
,
531 krb5_get_init_creds_opt_free(context
, options
);
536 password_data
[0].data
= buf1
;
537 password_data
[0].length
= sizeof(buf1
);
539 prompts
[0].hidden
= 1;
540 prompts
[0].prompt
= "New password: ";
541 prompts
[0].reply
= &password_data
[0];
542 prompts
[0].type
= KRB5_PROMPT_TYPE_NEW_PASSWORD
;
544 password_data
[1].data
= buf2
;
545 password_data
[1].length
= sizeof(buf2
);
547 prompts
[1].hidden
= 1;
548 prompts
[1].prompt
= "Repeat new password: ";
549 prompts
[1].reply
= &password_data
[1];
550 prompts
[1].type
= KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
;
552 ret
= (*prompter
) (context
, data
, NULL
, "Changing password",
555 memset (buf1
, 0, sizeof(buf1
));
556 memset (buf2
, 0, sizeof(buf2
));
560 if (strcmp (buf1
, buf2
) == 0)
562 memset (buf1
, 0, sizeof(buf1
));
563 memset (buf2
, 0, sizeof(buf2
));
566 ret
= krb5_set_password (context
,
575 if (asprintf(&p
, "%s: %.*s\n",
576 result_code
? "Error" : "Success",
577 (int)result_string
.length
,
578 result_string
.length
> 0 ? (char*)result_string
.data
: "") < 0)
584 /* return the result */
585 (*prompter
) (context
, data
, NULL
, p
, 0, NULL
);
588 if (result_code
== 0) {
589 strlcpy (newpw
, buf1
, newpw_sz
);
593 krb5_set_error_message(context
, ret
,
594 N_("failed changing password", ""));
598 memset (buf1
, 0, sizeof(buf1
));
599 memset (buf2
, 0, sizeof(buf2
));
600 krb5_data_free (&result_string
);
601 krb5_data_free (&result_code_string
);
602 krb5_free_cred_contents (context
, &cpw_cred
);
607 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
608 krb5_keyblock_key_proc (krb5_context context
,
611 krb5_const_pointer keyseed
,
614 return krb5_copy_keyblock (context
, keyseed
, key
);
621 static krb5_error_code
622 init_as_req (krb5_context context
,
624 const krb5_creds
*creds
,
625 const krb5_addresses
*addrs
,
626 const krb5_enctype
*etypes
,
631 memset(a
, 0, sizeof(*a
));
634 a
->msg_type
= krb_as_req
;
635 a
->req_body
.kdc_options
= opts
;
636 a
->req_body
.cname
= malloc(sizeof(*a
->req_body
.cname
));
637 if (a
->req_body
.cname
== NULL
) {
639 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
642 a
->req_body
.sname
= malloc(sizeof(*a
->req_body
.sname
));
643 if (a
->req_body
.sname
== NULL
) {
645 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
649 ret
= _krb5_principal2principalname (a
->req_body
.cname
, creds
->client
);
652 ret
= copy_Realm(&creds
->client
->realm
, &a
->req_body
.realm
);
656 ret
= _krb5_principal2principalname (a
->req_body
.sname
, creds
->server
);
660 if(creds
->times
.starttime
) {
661 a
->req_body
.from
= malloc(sizeof(*a
->req_body
.from
));
662 if (a
->req_body
.from
== NULL
) {
664 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
667 *a
->req_body
.from
= creds
->times
.starttime
;
669 if(creds
->times
.endtime
){
670 ALLOC(a
->req_body
.till
, 1);
671 *a
->req_body
.till
= creds
->times
.endtime
;
673 if(creds
->times
.renew_till
){
674 a
->req_body
.rtime
= malloc(sizeof(*a
->req_body
.rtime
));
675 if (a
->req_body
.rtime
== NULL
) {
677 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
680 *a
->req_body
.rtime
= creds
->times
.renew_till
;
682 a
->req_body
.nonce
= 0;
683 ret
= _krb5_init_etype(context
,
685 &a
->req_body
.etype
.len
,
686 &a
->req_body
.etype
.val
,
692 * This means no addresses
695 if (addrs
&& addrs
->len
== 0) {
696 a
->req_body
.addresses
= NULL
;
698 a
->req_body
.addresses
= malloc(sizeof(*a
->req_body
.addresses
));
699 if (a
->req_body
.addresses
== NULL
) {
701 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
706 ret
= krb5_copy_addresses(context
, addrs
, a
->req_body
.addresses
);
708 ret
= krb5_get_all_client_addrs (context
, a
->req_body
.addresses
);
709 if(ret
== 0 && a
->req_body
.addresses
->len
== 0) {
710 free(a
->req_body
.addresses
);
711 a
->req_body
.addresses
= NULL
;
718 a
->req_body
.enc_authorization_data
= NULL
;
719 a
->req_body
.additional_tickets
= NULL
;
726 memset(a
, 0, sizeof(*a
));
731 static krb5_error_code
732 set_paid(struct pa_info_data
*paid
, krb5_context context
,
734 krb5_salttype salttype
, void *salt_string
, size_t salt_len
,
735 krb5_data
*s2kparams
)
738 paid
->salt
.salttype
= salttype
;
739 paid
->salt
.saltvalue
.data
= malloc(salt_len
+ 1);
740 if (paid
->salt
.saltvalue
.data
== NULL
) {
741 krb5_clear_error_message(context
);
744 memcpy(paid
->salt
.saltvalue
.data
, salt_string
, salt_len
);
745 ((char *)paid
->salt
.saltvalue
.data
)[salt_len
] = '\0';
746 paid
->salt
.saltvalue
.length
= salt_len
;
750 ret
= krb5_copy_data(context
, s2kparams
, &paid
->s2kparams
);
752 krb5_clear_error_message(context
);
753 krb5_free_salt(context
, paid
->salt
);
757 paid
->s2kparams
= NULL
;
762 static struct pa_info_data
*
763 pa_etype_info2(krb5_context context
,
764 const krb5_principal client
,
766 struct pa_info_data
*paid
,
767 heim_octet_string
*data
)
774 memset(&e
, 0, sizeof(e
));
775 ret
= decode_ETYPE_INFO2(data
->data
, data
->length
, &e
, &sz
);
780 for (j
= 0; j
< asreq
->req_body
.etype
.len
; j
++) {
781 for (i
= 0; i
< e
.len
; i
++) {
782 if (asreq
->req_body
.etype
.val
[j
] == e
.val
[i
].etype
) {
784 if (e
.val
[i
].salt
== NULL
)
785 ret
= krb5_get_pw_salt(context
, client
, &salt
);
787 salt
.saltvalue
.data
= *e
.val
[i
].salt
;
788 salt
.saltvalue
.length
= strlen(*e
.val
[i
].salt
);
792 ret
= set_paid(paid
, context
, e
.val
[i
].etype
,
795 salt
.saltvalue
.length
,
797 if (e
.val
[i
].salt
== NULL
)
798 krb5_free_salt(context
, salt
);
800 free_ETYPE_INFO2(&e
);
807 free_ETYPE_INFO2(&e
);
811 static struct pa_info_data
*
812 pa_etype_info(krb5_context context
,
813 const krb5_principal client
,
815 struct pa_info_data
*paid
,
816 heim_octet_string
*data
)
823 memset(&e
, 0, sizeof(e
));
824 ret
= decode_ETYPE_INFO(data
->data
, data
->length
, &e
, &sz
);
829 for (j
= 0; j
< asreq
->req_body
.etype
.len
; j
++) {
830 for (i
= 0; i
< e
.len
; i
++) {
831 if (asreq
->req_body
.etype
.val
[j
] == e
.val
[i
].etype
) {
833 salt
.salttype
= KRB5_PW_SALT
;
834 if (e
.val
[i
].salt
== NULL
)
835 ret
= krb5_get_pw_salt(context
, client
, &salt
);
837 salt
.saltvalue
= *e
.val
[i
].salt
;
840 if (e
.val
[i
].salttype
)
841 salt
.salttype
= *e
.val
[i
].salttype
;
843 ret
= set_paid(paid
, context
, e
.val
[i
].etype
,
846 salt
.saltvalue
.length
,
848 if (e
.val
[i
].salt
== NULL
)
849 krb5_free_salt(context
, salt
);
863 static struct pa_info_data
*
864 pa_pw_or_afs3_salt(krb5_context context
,
865 const krb5_principal client
,
867 struct pa_info_data
*paid
,
868 heim_octet_string
*data
)
871 if (paid
->etype
== KRB5_ENCTYPE_NULL
)
873 ret
= set_paid(paid
, context
,
886 krb5_preauthtype type
;
887 struct pa_info_data
*(*salt_info
)(krb5_context
,
888 const krb5_principal
,
890 struct pa_info_data
*,
891 heim_octet_string
*);
894 static struct pa_info pa_prefs
[] = {
895 { KRB5_PADATA_ETYPE_INFO2
, pa_etype_info2
},
896 { KRB5_PADATA_ETYPE_INFO
, pa_etype_info
},
897 { KRB5_PADATA_PW_SALT
, pa_pw_or_afs3_salt
},
898 { KRB5_PADATA_AFS3_SALT
, pa_pw_or_afs3_salt
}
902 find_pa_data(const METHOD_DATA
*md
, unsigned type
)
907 for (i
= 0; i
< md
->len
; i
++)
908 if (md
->val
[i
].padata_type
== type
)
913 static struct pa_info_data
*
914 process_pa_info(krb5_context context
,
915 const krb5_principal client
,
917 struct pa_info_data
*paid
,
920 struct pa_info_data
*p
= NULL
;
923 for (i
= 0; p
== NULL
&& i
< sizeof(pa_prefs
)/sizeof(pa_prefs
[0]); i
++) {
924 PA_DATA
*pa
= find_pa_data(md
, pa_prefs
[i
].type
);
927 paid
->salt
.salttype
= (krb5_salttype
)pa_prefs
[i
].type
;
928 p
= (*pa_prefs
[i
].salt_info
)(context
, client
, asreq
,
929 paid
, &pa
->padata_value
);
934 static krb5_error_code
935 make_pa_enc_timestamp(krb5_context context
, METHOD_DATA
*md
,
936 krb5_enctype etype
, krb5_keyblock
*key
)
942 EncryptedData encdata
;
948 krb5_us_timeofday (context
, &p
.patimestamp
, &usec
);
952 ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC
, buf
, buf_size
, &p
, &len
, ret
);
956 krb5_abortx(context
, "internal error in ASN.1 encoder");
958 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
963 ret
= krb5_encrypt_EncryptedData(context
,
965 KRB5_KU_PA_ENC_TIMESTAMP
,
971 krb5_crypto_destroy(context
, crypto
);
975 ASN1_MALLOC_ENCODE(EncryptedData
, buf
, buf_size
, &encdata
, &len
, ret
);
976 free_EncryptedData(&encdata
);
980 krb5_abortx(context
, "internal error in ASN.1 encoder");
982 ret
= krb5_padata_add(context
, md
, KRB5_PADATA_ENC_TIMESTAMP
, buf
, len
);
988 static krb5_error_code
989 add_enc_ts_padata(krb5_context context
,
991 krb5_principal client
,
992 krb5_s2k_proc keyproc
,
993 krb5_const_pointer keyseed
,
994 krb5_enctype
*enctypes
,
997 krb5_data
*s2kparams
)
1005 /* default to standard salt */
1006 ret
= krb5_get_pw_salt (context
, client
, &salt2
);
1012 enctypes
= context
->etypes
;
1014 for (ep
= enctypes
; *ep
!= ETYPE_NULL
; ep
++)
1018 for (i
= 0; i
< netypes
; ++i
) {
1021 _krb5_debug(context
, 5, "krb5_get_init_creds: using ENC-TS with enctype %d", enctypes
[i
]);
1023 ret
= (*keyproc
)(context
, enctypes
[i
], keyseed
,
1024 *salt
, s2kparams
, &key
);
1027 ret
= make_pa_enc_timestamp (context
, md
, enctypes
[i
], key
);
1028 krb5_free_keyblock (context
, key
);
1033 krb5_free_salt(context
, salt2
);
1037 static krb5_error_code
1038 pa_data_to_md_ts_enc(krb5_context context
,
1040 const krb5_principal client
,
1041 krb5_get_init_creds_ctx
*ctx
,
1042 struct pa_info_data
*ppaid
,
1045 if (ctx
->keyproc
== NULL
|| ctx
->keyseed
== NULL
)
1049 add_enc_ts_padata(context
, md
, client
,
1050 ctx
->keyproc
, ctx
->keyseed
,
1052 &ppaid
->salt
, ppaid
->s2kparams
);
1056 _krb5_debug(context
, 5, "krb5_get_init_creds: pa-info not found, guessing salt");
1058 /* make a v5 salted pa-data */
1059 add_enc_ts_padata(context
, md
, client
,
1060 ctx
->keyproc
, ctx
->keyseed
,
1061 a
->req_body
.etype
.val
, a
->req_body
.etype
.len
,
1064 /* make a v4 salted pa-data */
1065 salt
.salttype
= KRB5_PW_SALT
;
1066 krb5_data_zero(&salt
.saltvalue
);
1067 add_enc_ts_padata(context
, md
, client
,
1068 ctx
->keyproc
, ctx
->keyseed
,
1069 a
->req_body
.etype
.val
, a
->req_body
.etype
.len
,
1075 static krb5_error_code
1076 pa_data_to_key_plain(krb5_context context
,
1077 const krb5_principal client
,
1078 krb5_get_init_creds_ctx
*ctx
,
1080 krb5_data
*s2kparams
,
1082 krb5_keyblock
**key
)
1084 krb5_error_code ret
;
1086 ret
= (*ctx
->keyproc
)(context
, etype
, ctx
->keyseed
,
1087 salt
, s2kparams
, key
);
1092 static krb5_error_code
1093 pa_data_to_md_pkinit(krb5_context context
,
1095 const krb5_principal client
,
1097 krb5_get_init_creds_ctx
*ctx
,
1100 if (ctx
->pk_init_ctx
== NULL
)
1103 return _krb5_pk_mk_padata(context
,
1111 krb5_set_error_message(context
, EINVAL
,
1112 N_("no support for PKINIT compiled in", ""));
1117 static krb5_error_code
1118 pa_data_add_pac_request(krb5_context context
,
1119 krb5_get_init_creds_ctx
*ctx
,
1122 size_t len
= 0, length
;
1123 krb5_error_code ret
;
1127 switch (ctx
->req_pac
) {
1128 case KRB5_INIT_CREDS_TRISTATE_UNSET
:
1129 return 0; /* don't bother */
1130 case KRB5_INIT_CREDS_TRISTATE_TRUE
:
1131 req
.include_pac
= 1;
1133 case KRB5_INIT_CREDS_TRISTATE_FALSE
:
1134 req
.include_pac
= 0;
1137 ASN1_MALLOC_ENCODE(PA_PAC_REQUEST
, buf
, length
,
1142 krb5_abortx(context
, "internal error in ASN.1 encoder");
1144 ret
= krb5_padata_add(context
, md
, KRB5_PADATA_PA_PAC_REQUEST
, buf
, len
);
1152 * Assumes caller always will free `out_md', even on error.
1155 static krb5_error_code
1156 process_pa_data_to_md(krb5_context context
,
1157 const krb5_creds
*creds
,
1159 krb5_get_init_creds_ctx
*ctx
,
1161 METHOD_DATA
**out_md
,
1162 krb5_prompter_fct prompter
,
1163 void *prompter_data
)
1165 krb5_error_code ret
;
1168 if (*out_md
== NULL
) {
1169 krb5_set_error_message(context
, ENOMEM
, N_("malloc: out of memory", ""));
1173 (*out_md
)->val
= NULL
;
1175 if (_krb5_have_debug(context
, 5)) {
1177 _krb5_debug(context
, 5, "KDC send %d patypes", in_md
->len
);
1178 for (i
= 0; i
< in_md
->len
; i
++)
1179 _krb5_debug(context
, 5, "KDC send PA-DATA type: %d", in_md
->val
[i
].padata_type
);
1183 * Make sure we don't sent both ENC-TS and PK-INIT pa data, no
1184 * need to expose our password protecting our PKCS12 key.
1187 if (ctx
->pk_init_ctx
) {
1189 _krb5_debug(context
, 5, "krb5_get_init_creds: "
1190 "prepareing PKINIT padata (%s)",
1191 (ctx
->used_pa_types
& USED_PKINIT_W2K
) ? "win2k" : "ietf");
1193 if (ctx
->used_pa_types
& USED_PKINIT_W2K
) {
1194 krb5_set_error_message(context
, KRB5_GET_IN_TKT_LOOP
,
1195 "Already tried pkinit, looping");
1196 return KRB5_GET_IN_TKT_LOOP
;
1199 ret
= pa_data_to_md_pkinit(context
, a
, creds
->client
,
1200 (ctx
->used_pa_types
& USED_PKINIT
),
1205 if (ctx
->used_pa_types
& USED_PKINIT
)
1206 ctx
->used_pa_types
|= USED_PKINIT_W2K
;
1208 ctx
->used_pa_types
|= USED_PKINIT
;
1210 } else if (in_md
->len
!= 0) {
1211 struct pa_info_data
*paid
, *ppaid
;
1214 paid
= calloc(1, sizeof(*paid
));
1216 paid
->etype
= KRB5_ENCTYPE_NULL
;
1217 ppaid
= process_pa_info(context
, creds
->client
, a
, paid
, in_md
);
1220 flag
= USED_ENC_TS_INFO
;
1222 flag
= USED_ENC_TS_GUESS
;
1224 if (ctx
->used_pa_types
& flag
) {
1226 free_paid(context
, ppaid
);
1227 krb5_set_error_message(context
, KRB5_GET_IN_TKT_LOOP
,
1228 "Already tried ENC-TS-%s, looping",
1229 flag
== USED_ENC_TS_INFO
? "info" : "guess");
1230 return KRB5_GET_IN_TKT_LOOP
;
1233 pa_data_to_md_ts_enc(context
, a
, creds
->client
, ctx
, ppaid
, *out_md
);
1235 ctx
->used_pa_types
|= flag
;
1239 free_paid(context
, ctx
->ppaid
);
1247 pa_data_add_pac_request(context
, ctx
, *out_md
);
1249 if ((*out_md
)->len
== 0) {
1257 static krb5_error_code
1258 process_pa_data_to_key(krb5_context context
,
1259 krb5_get_init_creds_ctx
*ctx
,
1263 const krb5_krbhst_info
*hi
,
1264 krb5_keyblock
**key
)
1266 struct pa_info_data paid
, *ppaid
= NULL
;
1267 krb5_error_code ret
;
1271 memset(&paid
, 0, sizeof(paid
));
1273 etype
= rep
->enc_part
.etype
;
1277 ppaid
= process_pa_info(context
, creds
->client
, a
, &paid
,
1282 if (ppaid
== NULL
) {
1283 ret
= krb5_get_pw_salt (context
, creds
->client
, &paid
.salt
);
1287 paid
.s2kparams
= NULL
;
1294 pa
= krb5_find_padata(rep
->padata
->val
,
1296 KRB5_PADATA_PK_AS_REP
,
1300 pa
= krb5_find_padata(rep
->padata
->val
,
1302 KRB5_PADATA_PK_AS_REP_19
,
1306 if (pa
&& ctx
->pk_init_ctx
) {
1308 _krb5_debug(context
, 5, "krb5_get_init_creds: using PKINIT");
1310 ret
= _krb5_pk_rd_pa_reply(context
,
1321 krb5_set_error_message(context
, ret
, N_("no support for PKINIT compiled in", ""));
1323 } else if (ctx
->keyseed
) {
1324 _krb5_debug(context
, 5, "krb5_get_init_creds: using keyproc");
1325 ret
= pa_data_to_key_plain(context
, creds
->client
, ctx
,
1326 ppaid
->salt
, ppaid
->s2kparams
, etype
, key
);
1329 krb5_set_error_message(context
, ret
, N_("No usable pa data type", ""));
1332 free_paid(context
, &paid
);
1337 * Start a new context to get a new initial credential.
1339 * @param context A Kerberos 5 context.
1340 * @param client The Kerberos principal to get the credential for, if
1341 * NULL is given, the default principal is used as determined by
1342 * krb5_get_default_principal().
1344 * @param prompter_data
1345 * @param start_time the time the ticket should start to be valid or 0 for now.
1346 * @param options a options structure, can be NULL for default options.
1347 * @param rctx A new allocated free with krb5_init_creds_free().
1349 * @return 0 for success or an Kerberos 5 error code, see krb5_get_error_message().
1351 * @ingroup krb5_credential
1354 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1355 krb5_init_creds_init(krb5_context context
,
1356 krb5_principal client
,
1357 krb5_prompter_fct prompter
,
1358 void *prompter_data
,
1359 krb5_deltat start_time
,
1360 krb5_get_init_creds_opt
*options
,
1361 krb5_init_creds_context
*rctx
)
1363 krb5_init_creds_context ctx
;
1364 krb5_error_code ret
;
1368 ctx
= calloc(1, sizeof(*ctx
));
1370 krb5_set_error_message(context
, ENOMEM
, N_("malloc: out of memory", ""));
1374 ret
= get_init_creds_common(context
, client
, start_time
, options
, ctx
);
1380 /* Set a new nonce. */
1381 krb5_generate_random_block (&ctx
->nonce
, sizeof(ctx
->nonce
));
1382 ctx
->nonce
&= 0x7fffffff;
1383 /* XXX these just needs to be the same when using Windows PK-INIT */
1384 ctx
->pk_nonce
= ctx
->nonce
;
1386 ctx
->prompter
= prompter
;
1387 ctx
->prompter_data
= prompter_data
;
1395 * Sets the service that the is requested. This call is only neede for
1396 * special initial tickets, by default the a krbtgt is fetched in the default realm.
1398 * @param context a Kerberos 5 context.
1399 * @param ctx a krb5_init_creds_context context.
1400 * @param service the service given as a string, for example
1401 * "kadmind/admin". If NULL, the default krbtgt in the clients
1404 * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
1405 * @ingroup krb5_credential
1408 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1409 krb5_init_creds_set_service(krb5_context context
,
1410 krb5_init_creds_context ctx
,
1411 const char *service
)
1413 krb5_const_realm client_realm
;
1414 krb5_principal principal
;
1415 krb5_error_code ret
;
1417 client_realm
= krb5_principal_get_realm (context
, ctx
->cred
.client
);
1420 ret
= krb5_parse_name (context
, service
, &principal
);
1423 krb5_principal_set_realm (context
, principal
, client_realm
);
1425 ret
= krb5_make_principal(context
, &principal
,
1426 client_realm
, KRB5_TGS_NAME
, client_realm
,
1433 * This is for Windows RODC that are picky about what name type
1434 * the server principal have, and the really strange part is that
1435 * they are picky about the AS-REQ name type and not the TGS-REQ
1439 if (krb5_principal_is_krbtgt(context
, principal
))
1440 krb5_principal_set_type(context
, principal
, KRB5_NT_SRV_INST
);
1442 krb5_free_principal(context
, ctx
->cred
.server
);
1443 ctx
->cred
.server
= principal
;
1449 * Sets the password that will use for the request.
1451 * @param context a Kerberos 5 context.
1452 * @param ctx ctx krb5_init_creds_context context.
1453 * @param password the password to use.
1455 * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
1456 * @ingroup krb5_credential
1459 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1460 krb5_init_creds_set_password(krb5_context context
,
1461 krb5_init_creds_context ctx
,
1462 const char *password
)
1464 if (ctx
->password
) {
1465 memset(ctx
->password
, 0, strlen(ctx
->password
));
1466 free(ctx
->password
);
1469 ctx
->password
= strdup(password
);
1470 if (ctx
->password
== NULL
) {
1471 krb5_set_error_message(context
, ENOMEM
, N_("malloc: out of memory", ""));
1474 ctx
->keyseed
= (void *) ctx
->password
;
1476 ctx
->keyseed
= NULL
;
1477 ctx
->password
= NULL
;
1483 static krb5_error_code KRB5_CALLCONV
1484 keytab_key_proc(krb5_context context
, krb5_enctype enctype
,
1485 krb5_const_pointer keyseed
,
1486 krb5_salt salt
, krb5_data
*s2kparms
,
1487 krb5_keyblock
**key
)
1489 krb5_keytab_key_proc_args
*args
= rk_UNCONST(keyseed
);
1490 krb5_keytab keytab
= args
->keytab
;
1491 krb5_principal principal
= args
->principal
;
1492 krb5_error_code ret
;
1493 krb5_keytab real_keytab
;
1494 krb5_keytab_entry entry
;
1497 krb5_kt_default(context
, &real_keytab
);
1499 real_keytab
= keytab
;
1501 ret
= krb5_kt_get_entry (context
, real_keytab
, principal
,
1502 0, enctype
, &entry
);
1505 krb5_kt_close (context
, real_keytab
);
1510 ret
= krb5_copy_keyblock (context
, &entry
.keyblock
, key
);
1511 krb5_kt_free_entry(context
, &entry
);
1517 * Set the keytab to use for authentication.
1519 * @param context a Kerberos 5 context.
1520 * @param ctx ctx krb5_init_creds_context context.
1521 * @param keytab the keytab to read the key from.
1523 * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
1524 * @ingroup krb5_credential
1527 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1528 krb5_init_creds_set_keytab(krb5_context context
,
1529 krb5_init_creds_context ctx
,
1532 krb5_keytab_key_proc_args
*a
;
1533 krb5_keytab_entry entry
;
1534 krb5_kt_cursor cursor
;
1535 krb5_enctype
*etypes
= NULL
;
1536 krb5_error_code ret
;
1540 a
= malloc(sizeof(*a
));
1542 krb5_set_error_message(context
, ENOMEM
,
1543 N_("malloc: out of memory", ""));
1547 a
->principal
= ctx
->cred
.client
;
1550 ctx
->keytab_data
= a
;
1551 ctx
->keyseed
= (void *)a
;
1552 ctx
->keyproc
= keytab_key_proc
;
1555 * We need to the KDC what enctypes we support for this keytab,
1556 * esp if the keytab is really a password based entry, then the
1557 * KDC might have more enctypes in the database then what we have
1561 ret
= krb5_kt_start_seq_get(context
, keytab
, &cursor
);
1565 while(krb5_kt_next_entry(context
, keytab
, &entry
, &cursor
) == 0){
1568 if (!krb5_principal_compare(context
, entry
.principal
, ctx
->cred
.client
))
1571 /* check if we ahve this kvno already */
1572 if (entry
.vno
> kvno
) {
1573 /* remove old list of etype */
1579 } else if (entry
.vno
!= kvno
)
1582 /* check if enctype is supported */
1583 if (krb5_enctype_valid(context
, entry
.keyblock
.keytype
) != 0)
1586 /* add enctype to supported list */
1587 ptr
= realloc(etypes
, sizeof(etypes
[0]) * (netypes
+ 2));
1592 etypes
[netypes
] = entry
.keyblock
.keytype
;
1593 etypes
[netypes
+ 1] = ETYPE_NULL
;
1596 krb5_kt_free_entry(context
, &entry
);
1598 krb5_kt_end_seq_get(context
, keytab
, &cursor
);
1603 ctx
->etypes
= etypes
;
1610 static krb5_error_code KRB5_CALLCONV
1611 keyblock_key_proc(krb5_context context
, krb5_enctype enctype
,
1612 krb5_const_pointer keyseed
,
1613 krb5_salt salt
, krb5_data
*s2kparms
,
1614 krb5_keyblock
**key
)
1616 return krb5_copy_keyblock (context
, keyseed
, key
);
1619 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1620 krb5_init_creds_set_keyblock(krb5_context context
,
1621 krb5_init_creds_context ctx
,
1622 krb5_keyblock
*keyblock
)
1624 ctx
->keyseed
= (void *)keyblock
;
1625 ctx
->keyproc
= keyblock_key_proc
;
1631 * The core loop if krb5_get_init_creds() function family. Create the
1632 * packets and have the caller send them off to the KDC.
1634 * If the caller want all work been done for them, use
1635 * krb5_init_creds_get() instead.
1637 * @param context a Kerberos 5 context.
1638 * @param ctx ctx krb5_init_creds_context context.
1639 * @param in input data from KDC, first round it should be reset by krb5_data_zer().
1640 * @param out reply to KDC.
1641 * @param hostinfo KDC address info, first round it can be NULL.
1642 * @param flags status of the round, if
1643 * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
1645 * @return 0 for success, or an Kerberos 5 error code, see
1646 * krb5_get_error_message().
1648 * @ingroup krb5_credential
1651 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1652 krb5_init_creds_step(krb5_context context
,
1653 krb5_init_creds_context ctx
,
1656 krb5_krbhst_info
*hostinfo
,
1657 unsigned int *flags
)
1659 krb5_error_code ret
;
1663 krb5_data_zero(out
);
1665 if (ctx
->as_req
.req_body
.cname
== NULL
) {
1666 ret
= init_as_req(context
, ctx
->flags
, &ctx
->cred
,
1667 ctx
->addrs
, ctx
->etypes
, &ctx
->as_req
);
1669 free_init_creds_ctx(context
, ctx
);
1674 #define MAX_PA_COUNTER 10
1675 if (ctx
->pa_counter
> MAX_PA_COUNTER
) {
1676 krb5_set_error_message(context
, KRB5_GET_IN_TKT_LOOP
,
1677 N_("Looping %d times while getting "
1678 "initial credentials", ""),
1680 return KRB5_GET_IN_TKT_LOOP
;
1684 _krb5_debug(context
, 5, "krb5_get_init_creds: loop %d", ctx
->pa_counter
);
1686 /* Lets process the input packet */
1687 if (in
&& in
->length
) {
1690 memset(&rep
, 0, sizeof(rep
));
1692 _krb5_debug(context
, 5, "krb5_get_init_creds: processing input");
1694 ret
= decode_AS_REP(in
->data
, in
->length
, &rep
.kdc_rep
, &size
);
1696 krb5_keyblock
*key
= NULL
;
1697 unsigned eflags
= EXTRACT_TICKET_AS_REQ
| EXTRACT_TICKET_TIMESYNC
;
1699 if (ctx
->flags
.canonicalize
) {
1700 eflags
|= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH
;
1701 eflags
|= EXTRACT_TICKET_MATCH_REALM
;
1703 if (ctx
->ic_flags
& KRB5_INIT_CREDS_NO_C_CANON_CHECK
)
1704 eflags
|= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH
;
1706 ret
= process_pa_data_to_key(context
, ctx
, &ctx
->cred
,
1707 &ctx
->as_req
, &rep
.kdc_rep
,
1708 hostinfo
, &ctx
->reply_key
);
1710 free_AS_REP(&rep
.kdc_rep
);
1714 _krb5_debug(context
, 5, "krb5_get_init_creds: extracting ticket");
1716 ret
= _krb5_extract_ticket(context
,
1721 KRB5_KU_AS_REP_ENC_PART
,
1727 krb5_free_keyblock(context
, ctx
->reply_key
);
1728 ctx
->reply_key
= NULL
;
1732 ret
= copy_EncKDCRepPart(&rep
.enc_part
, &ctx
->enc_part
);
1734 free_AS_REP(&rep
.kdc_rep
);
1735 free_EncASRepPart(&rep
.enc_part
);
1740 /* let's try to parse it as a KRB-ERROR */
1742 _krb5_debug(context
, 5, "krb5_get_init_creds: got an error");
1744 free_KRB_ERROR(&ctx
->error
);
1746 ret
= krb5_rd_error(context
, in
, &ctx
->error
);
1747 if(ret
&& in
->length
&& ((char*)in
->data
)[0] == 4)
1748 ret
= KRB5KRB_AP_ERR_V4_REPLY
;
1750 _krb5_debug(context
, 5, "krb5_get_init_creds: failed to read error");
1754 ret
= krb5_error_from_rd_error(context
, &ctx
->error
, &ctx
->cred
);
1756 _krb5_debug(context
, 5, "krb5_get_init_creds: KRB-ERROR %d", ret
);
1759 * If no preauth was set and KDC requires it, give it one
1763 if (ret
== KRB5KDC_ERR_PREAUTH_REQUIRED
) {
1765 free_METHOD_DATA(&ctx
->md
);
1766 memset(&ctx
->md
, 0, sizeof(ctx
->md
));
1768 if (ctx
->error
.e_data
) {
1769 ret
= decode_METHOD_DATA(ctx
->error
.e_data
->data
,
1770 ctx
->error
.e_data
->length
,
1774 krb5_set_error_message(context
, ret
,
1775 N_("Failed to decode METHOD-DATA", ""));
1777 krb5_set_error_message(context
, ret
,
1778 N_("Preauth required but no preauth "
1779 "options send by KDC", ""));
1781 } else if (ret
== KRB5KRB_AP_ERR_SKEW
&& context
->kdc_sec_offset
== 0) {
1783 * Try adapt to timeskrew when we are using pre-auth, and
1784 * if there was a time skew, try again.
1786 krb5_set_real_time(context
, ctx
->error
.stime
, -1);
1787 if (context
->kdc_sec_offset
)
1790 _krb5_debug(context
, 10, "init_creds: err skew updateing kdc offset to %d",
1791 context
->kdc_sec_offset
);
1793 ctx
->used_pa_types
= 0;
1795 } else if (ret
== KRB5_KDC_ERR_WRONG_REALM
&& ctx
->flags
.canonicalize
) {
1796 /* client referal to a new realm */
1798 if (ctx
->error
.crealm
== NULL
) {
1799 krb5_set_error_message(context
, ret
,
1800 N_("Got a client referral, not but no realm", ""));
1803 _krb5_debug(context
, 5,
1804 "krb5_get_init_creds: got referal to realm %s",
1805 *ctx
->error
.crealm
);
1807 ret
= krb5_principal_set_realm(context
,
1809 *ctx
->error
.crealm
);
1811 ctx
->used_pa_types
= 0;
1818 if (ctx
->as_req
.padata
) {
1819 free_METHOD_DATA(ctx
->as_req
.padata
);
1820 free(ctx
->as_req
.padata
);
1821 ctx
->as_req
.padata
= NULL
;
1824 /* Set a new nonce. */
1825 ctx
->as_req
.req_body
.nonce
= ctx
->nonce
;
1827 /* fill_in_md_data */
1828 ret
= process_pa_data_to_md(context
, &ctx
->cred
, &ctx
->as_req
, ctx
,
1829 &ctx
->md
, &ctx
->as_req
.padata
,
1830 ctx
->prompter
, ctx
->prompter_data
);
1834 krb5_data_free(&ctx
->req_buffer
);
1836 ASN1_MALLOC_ENCODE(AS_REQ
,
1837 ctx
->req_buffer
.data
, ctx
->req_buffer
.length
,
1838 &ctx
->as_req
, &len
, ret
);
1841 if(len
!= ctx
->req_buffer
.length
)
1842 krb5_abortx(context
, "internal error in ASN.1 encoder");
1844 out
->data
= ctx
->req_buffer
.data
;
1845 out
->length
= ctx
->req_buffer
.length
;
1847 *flags
= KRB5_INIT_CREDS_STEP_FLAG_CONTINUE
;
1855 * Extract the newly acquired credentials from krb5_init_creds_context
1858 * @param context A Kerberos 5 context.
1860 * @param cred credentials, free with krb5_free_cred_contents().
1862 * @return 0 for sucess or An Kerberos error code, see krb5_get_error_message().
1865 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1866 krb5_init_creds_get_creds(krb5_context context
,
1867 krb5_init_creds_context ctx
,
1870 return krb5_copy_creds_contents(context
, &ctx
->cred
, cred
);
1874 * Get the last error from the transaction.
1876 * @return Returns 0 or an error code
1878 * @ingroup krb5_credential
1881 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1882 krb5_init_creds_get_error(krb5_context context
,
1883 krb5_init_creds_context ctx
,
1886 krb5_error_code ret
;
1888 ret
= copy_KRB_ERROR(&ctx
->error
, error
);
1890 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
1896 * Free the krb5_init_creds_context allocated by krb5_init_creds_init().
1898 * @param context A Kerberos 5 context.
1899 * @param ctx The krb5_init_creds_context to free.
1901 * @ingroup krb5_credential
1904 KRB5_LIB_FUNCTION
void KRB5_LIB_CALL
1905 krb5_init_creds_free(krb5_context context
,
1906 krb5_init_creds_context ctx
)
1908 free_init_creds_ctx(context
, ctx
);
1913 * Get new credentials as setup by the krb5_init_creds_context.
1915 * @param context A Kerberos 5 context.
1916 * @param ctx The krb5_init_creds_context to process.
1918 * @ingroup krb5_credential
1921 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1922 krb5_init_creds_get(krb5_context context
, krb5_init_creds_context ctx
)
1924 krb5_sendto_ctx stctx
= NULL
;
1925 krb5_krbhst_info
*hostinfo
= NULL
;
1926 krb5_error_code ret
;
1928 unsigned int flags
= 0;
1930 krb5_data_zero(&in
);
1931 krb5_data_zero(&out
);
1933 ret
= krb5_sendto_ctx_alloc(context
, &stctx
);
1936 krb5_sendto_ctx_set_func(stctx
, _krb5_kdc_retry
, NULL
);
1940 ret
= krb5_init_creds_step(context
, ctx
, &in
, &out
, hostinfo
, &flags
);
1941 krb5_data_free(&in
);
1945 if ((flags
& 1) == 0)
1948 ret
= krb5_sendto_context (context
, stctx
, &out
,
1949 ctx
->cred
.client
->realm
, &in
);
1957 krb5_sendto_ctx_free(context
, stctx
);
1963 * Get new credentials using password.
1965 * @ingroup krb5_credential
1969 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
1970 krb5_get_init_creds_password(krb5_context context
,
1972 krb5_principal client
,
1973 const char *password
,
1974 krb5_prompter_fct prompter
,
1976 krb5_deltat start_time
,
1977 const char *in_tkt_service
,
1978 krb5_get_init_creds_opt
*options
)
1980 krb5_init_creds_context ctx
;
1982 krb5_error_code ret
;
1986 ret
= krb5_init_creds_init(context
, client
, prompter
, data
, start_time
, options
, &ctx
);
1990 ret
= krb5_init_creds_set_service(context
, ctx
, in_tkt_service
);
1994 if (prompter
!= NULL
&& ctx
->password
== NULL
&& password
== NULL
) {
1996 krb5_data password_data
;
1999 krb5_unparse_name (context
, client
, &p
);
2000 asprintf (&q
, "%s's Password: ", p
);
2003 password_data
.data
= buf
;
2004 password_data
.length
= sizeof(buf
);
2006 prompt
.reply
= &password_data
;
2007 prompt
.type
= KRB5_PROMPT_TYPE_PASSWORD
;
2009 ret
= (*prompter
) (context
, data
, NULL
, NULL
, 1, &prompt
);
2012 memset (buf
, 0, sizeof(buf
));
2013 ret
= KRB5_LIBOS_PWDINTR
;
2014 krb5_clear_error_message (context
);
2017 password
= password_data
.data
;
2021 ret
= krb5_init_creds_set_password(context
, ctx
, password
);
2026 ret
= krb5_init_creds_get(context
, ctx
);
2029 process_last_request(context
, options
, ctx
);
2032 if (ret
== KRB5KDC_ERR_KEY_EXPIRED
&& chpw
== 0) {
2035 /* try to avoid recursion */
2036 if (in_tkt_service
!= NULL
&& strcmp(in_tkt_service
, "kadmin/changepw") == 0)
2039 /* don't try to change password where then where none */
2040 if (prompter
== NULL
)
2043 ret
= change_password (context
,
2054 krb5_init_creds_free(context
, ctx
);
2060 krb5_init_creds_get_creds(context
, ctx
, creds
);
2063 krb5_init_creds_free(context
, ctx
);
2065 memset(buf
, 0, sizeof(buf
));
2070 * Get new credentials using keyblock.
2072 * @ingroup krb5_credential
2075 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2076 krb5_get_init_creds_keyblock(krb5_context context
,
2078 krb5_principal client
,
2079 krb5_keyblock
*keyblock
,
2080 krb5_deltat start_time
,
2081 const char *in_tkt_service
,
2082 krb5_get_init_creds_opt
*options
)
2084 krb5_init_creds_context ctx
;
2085 krb5_error_code ret
;
2087 memset(creds
, 0, sizeof(*creds
));
2089 ret
= krb5_init_creds_init(context
, client
, NULL
, NULL
, start_time
, options
, &ctx
);
2093 ret
= krb5_init_creds_set_service(context
, ctx
, in_tkt_service
);
2097 ret
= krb5_init_creds_set_keyblock(context
, ctx
, keyblock
);
2101 ret
= krb5_init_creds_get(context
, ctx
);
2104 process_last_request(context
, options
, ctx
);
2108 krb5_init_creds_get_creds(context
, ctx
, creds
);
2111 krb5_init_creds_free(context
, ctx
);
2117 * Get new credentials using keytab.
2119 * @ingroup krb5_credential
2122 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
2123 krb5_get_init_creds_keytab(krb5_context context
,
2125 krb5_principal client
,
2127 krb5_deltat start_time
,
2128 const char *in_tkt_service
,
2129 krb5_get_init_creds_opt
*options
)
2131 krb5_init_creds_context ctx
;
2132 krb5_error_code ret
;
2134 memset(creds
, 0, sizeof(*creds
));
2136 ret
= krb5_init_creds_init(context
, client
, NULL
, NULL
, start_time
, options
, &ctx
);
2140 ret
= krb5_init_creds_set_service(context
, ctx
, in_tkt_service
);
2144 ret
= krb5_init_creds_set_keytab(context
, ctx
, keytab
);
2148 ret
= krb5_init_creds_get(context
, ctx
);
2150 process_last_request(context
, options
, ctx
);
2154 krb5_init_creds_get_creds(context
, ctx
, creds
);
2157 krb5_init_creds_free(context
, ctx
);