2 * Copyright (c) 2005, PADL Software Pty Ltd.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of PADL Software nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * Get a new ticket using a keytab/cached key and swap it into
39 * an existing redentials cache
43 kcm_ccache_acquire(krb5_context context
,
47 krb5_error_code ret
= 0;
49 krb5_const_realm realm
;
50 krb5_get_init_creds_opt
*opt
= NULL
;
51 krb5_ccache_data ccdata
;
52 char *in_tkt_service
= NULL
;
54 memset(&cred
, 0, sizeof(cred
));
56 KCM_ASSERT_VALID(ccache
);
58 /* We need a cached key or keytab to acquire credentials */
59 if (ccache
->flags
& KCM_FLAGS_USE_CACHED_KEY
) {
60 if (ccache
->key
.keyblock
.keyvalue
.length
== 0)
62 "kcm_ccache_acquire: KCM_FLAGS_USE_CACHED_KEY without key");
63 } else if (ccache
->flags
& KCM_FLAGS_USE_KEYTAB
) {
64 if (ccache
->key
.keytab
== NULL
)
66 "kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab");
68 kcm_log(0, "Cannot acquire initial credentials for cache %s without key",
70 return KRB5_FCC_INTERNAL
;
73 HEIMDAL_MUTEX_lock(&ccache
->mutex
);
75 /* Fake up an internal ccache */
76 kcm_internal_ccache(context
, ccache
, &ccdata
);
78 /* Now, actually acquire the creds */
79 if (ccache
->server
!= NULL
) {
80 ret
= krb5_unparse_name(context
, ccache
->server
, &in_tkt_service
);
82 kcm_log(0, "Failed to unparse service principal name for cache %s: %s",
83 ccache
->name
, krb5_get_err_text(context
, ret
));
88 realm
= krb5_principal_get_realm(context
, ccache
->client
);
90 krb5_get_init_creds_opt_alloc(context
, &opt
);
91 krb5_get_init_creds_opt_set_default_flags(context
, "kcm", realm
, opt
);
92 if (ccache
->tkt_life
!= 0)
93 krb5_get_init_creds_opt_set_tkt_life(opt
, ccache
->tkt_life
);
94 if (ccache
->renew_life
!= 0)
95 krb5_get_init_creds_opt_set_renew_life(opt
, ccache
->renew_life
);
97 if (ccache
->flags
& KCM_FLAGS_USE_CACHED_KEY
) {
98 ret
= krb5_get_init_creds_keyblock(context
,
101 &ccache
->key
.keyblock
,
106 /* loosely based on lib/krb5/init_creds_pw.c */
107 ret
= krb5_get_init_creds_keytab(context
,
117 kcm_log(0, "Failed to acquire credentials for cache %s: %s",
118 ccache
->name
, krb5_get_err_text(context
, ret
));
119 if (in_tkt_service
!= NULL
)
120 free(in_tkt_service
);
124 if (in_tkt_service
!= NULL
)
125 free(in_tkt_service
);
128 kcm_ccache_remove_creds_internal(context
, ccache
);
130 ret
= kcm_ccache_store_cred_internal(context
, ccache
, &cred
, 0, credp
);
132 kcm_log(0, "Failed to store credentials for cache %s: %s",
133 ccache
->name
, krb5_get_err_text(context
, ret
));
134 krb5_free_cred_contents(context
, &cred
);
140 krb5_get_init_creds_opt_free(context
, opt
);
142 HEIMDAL_MUTEX_unlock(&ccache
->mutex
);