#include <time.h>
#include "kadmin.h"
-#if defined(USE_LOGIN_LIBRARY)
-#include <Kerberos/KerberosLoginPrivate.h>
+#if defined(USE_KIM)
+#include <kim/kim.h>
#endif
/* special struct to convert flag names for principals
memset((char *) ¶ms, 0, sizeof(params));
-#if defined(USE_LOGIN_LIBRARY)
+#if defined(USE_KIM)
/* Turn off all password prompting from the KLL */
- retval = __KLSetPromptMechanism (klPromptMechanism_None);
+ retval = kim_library_set_allow_automatic_prompting (0);
if (retval) {
- com_err(whoami, retval, "while calling __KLSetPromptMechanism()");
+ com_err(whoami, retval,
+ "while calling kim_library_set_allow_automatic_prompting()");
exit(1);
}
#endif
kim_options in_options)
{
kim_error err = KIM_NO_ERROR;
+ kim_ccache ccache = NULL;
if (!err && !out_ccache ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_client_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err) {
- err = kim_ccache_create_from_client_identity (out_ccache, in_client_identity);
+ kim_credential_state state;
- if (err) {
- /* ccache does not already exist, create a new one */
- err = kim_ccache_create_new (out_ccache, in_client_identity, in_options);
+ err = kim_ccache_create_from_client_identity (&ccache, in_client_identity);
+
+ if (!err) {
+ err = kim_ccache_get_state (ccache, &state);
}
+
+ if (!err && state != kim_credentials_state_valid) {
+ if (state == kim_credentials_state_needs_validation) {
+ err = kim_ccache_validate (ccache, in_options);
+ } else {
+ kim_ccache_free (&ccache);
+ ccache = NULL;
+ }
+ }
+
+ if (!ccache) {
+ /* ccache does not already exist, create a new one */
+ err = kim_ccache_create_new (&ccache, in_client_identity, in_options);
+ }
}
+ if (!err) {
+ *out_ccache = ccache;
+ ccache = NULL;
+ }
+
+ kim_ccache_free (&ccache);
+
return check_error (err);
}
* or implied warranty.
*/
+#ifndef LEAN_CLIENT
+
#define KERBEROSLOGIN_DEPRECATED
#include "CredentialsCache.h"
#include "KerberosLogin.h"
+#include "KerberosLoginPrivate.h"
#include <kim/kim.h>
#include "kim_private.h"
-#define kl_check_error(x) (x)
+krb5_get_init_creds_opt *__KLLoginOptionsGetKerberos5Options (KLLoginOptions ioOptions);
+KLTime __KLLoginOptionsGetStartTime (KLLoginOptions ioOptions);
+char *__KLLoginOptionsGetServiceName (KLLoginOptions ioOptions);
+
+/* ------------------------------------------------------------------------ */
+
+static KLStatus kl_check_error_ (kim_error inError, const char *function, const char *file, int line)
+{
+ kim_error err = inError;
+
+ switch (err) {
+ case ccNoError:
+ err = klNoErr;
+ break;
+
+ case ccErrBadName:
+ err = klPrincipalDoesNotExistErr;
+ break;
+
+ case ccErrCCacheNotFound:
+ err = klCacheDoesNotExistErr;
+ break;
+
+ case ccErrCredentialsNotFound:
+ err = klNoCredentialsErr;
+ break;
+
+ case KIM_OUT_OF_MEMORY_ERR:
+ case ccErrNoMem:
+ err = klMemFullErr;
+ break;
+
+ case ccErrBadCredentialsVersion:
+ err = klInvalidVersionErr;
+ break;
+
+ case KIM_NULL_PARAMETER_ERR:
+ case ccErrBadParam:
+ case ccIteratorEnd:
+ case ccErrInvalidContext:
+ case ccErrInvalidCCache:
+ case ccErrInvalidString:
+ case ccErrInvalidCredentials:
+ case ccErrInvalidCCacheIterator:
+ case ccErrInvalidCredentialsIterator:
+ case ccErrInvalidLock:
+ case ccErrBadAPIVersion:
+ case ccErrContextLocked:
+ case ccErrContextUnlocked:
+ case ccErrCCacheLocked:
+ case ccErrCCacheUnlocked:
+ case ccErrBadLockType:
+ case ccErrNeverDefault:
+ err = klParameterErr;
+ break;
+
+ case KIM_USER_CANCELED_ERR:
+ case KRB5_LIBOS_PWDINTR:
+ err = klUserCanceledErr;
+ break;
+ }
+
+ if (err) {
+ kim_debug_printf ("%s() remapped %d to %d ('%s') at %s: %d",
+ function, inError, err, kim_error_message (err),
+ file, line);
+ }
+
+ return err;
+}
+#define kl_check_error(err) kl_check_error_(err, __FUNCTION__, __FILE__, __LINE__)
/* ------------------------------------------------------------------------ */
kim_string_free (&new_identity_string);
kim_identity_free (&old_identity);
kim_identity_free (&new_identity);
-
+
} else if (!err && inOption == loginOption_LoginInstance) {
/* Ignored */
/* ------------------------------------------------------------------------ */
-
-/* Misc function */
-
KLStatus KLDisposeString (char *inStringToDispose)
{
kim_string_free ((kim_string *)&inStringToDispose);
return klNoErr;
}
+
+#pragma mark -
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLSetApplicationPrompter (KLPrompterProcPtr inPrompter)
+{
+ /* Deprecated */
+ return klNoErr;
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLSetHomeDirectoryAccess (KLBoolean inAllowHomeDirectoryAccess)
+{
+ return kl_check_error (kim_library_set_allow_home_directory_access (inAllowHomeDirectoryAccess));
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLBoolean __KLAllowHomeDirectoryAccess (void)
+{
+ return kim_library_allow_home_directory_access ();
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLSetAutomaticPrompting (KLBoolean inAllowAutomaticPrompting)
+{
+ return kl_check_error (kim_library_set_allow_automatic_prompting (inAllowAutomaticPrompting));
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLBoolean __KLAllowAutomaticPrompting (void)
+{
+ return kl_check_error (kim_library_allow_automatic_prompting ());
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLSetPromptMechanism (KLPromptMechanism inPromptMechanism)
+{
+ kim_error err = KIM_NO_ERROR;
+
+ if (inPromptMechanism == klPromptMechanism_None) {
+ err = kim_library_set_allow_automatic_prompting (0);
+ } else {
+ err = kim_library_set_allow_automatic_prompting (1);
+ }
+
+ return kl_check_error (err);
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLPromptMechanism __KLPromptMechanism (void)
+{
+ kim_ui_environment environment = kim_library_ui_environment ();
+
+ if (environment == KIM_UI_ENVIRONMENT_GUI) {
+ return klPromptMechanism_GUI;
+ } else if (environment == KIM_UI_ENVIRONMENT_CLI) {
+ return klPromptMechanism_CLI;
+ }
+ return klPromptMechanism_None;
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLBoolean __KLAllowRememberPassword (void)
+{
+ return kl_check_error (kim_os_identity_allow_save_password ());
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLCreatePrincipalFromTriplet (const char *inName,
+ const char *inInstance,
+ const char *inRealm,
+ KLKerberosVersion inKerberosVersion,
+ KLPrincipal *outPrincipal)
+{
+ return kl_check_error (kim_identity_create_from_components (outPrincipal,
+ inRealm,
+ inName,
+ inInstance,
+ NULL));
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLGetTripletFromPrincipal (KLPrincipal inPrincipal,
+ KLKerberosVersion inKerberosVersion,
+ char **outName,
+ char **outInstance,
+ char **outRealm)
+{
+ return KLGetTripletFromPrincipal (inPrincipal,
+ outName, outInstance, outRealm);
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLCreatePrincipalFromKerberos5Principal (krb5_principal inPrincipal,
+ KLPrincipal *outPrincipal)
+{
+ return KLCreatePrincipalFromKerberos5Principal (inPrincipal, outPrincipal);
+
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLGetKerberos5PrincipalFromPrincipal (KLPrincipal inPrincipal,
+ krb5_context inContext,
+ krb5_principal *outKrb5Principal)
+{
+ return kl_check_error (kim_identity_get_krb5_principal (inPrincipal,
+ inContext,
+ outKrb5Principal));
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLBoolean __KLPrincipalIsTicketGrantingService (KLPrincipal inPrincipal)
+{
+ kim_boolean is_tgt = FALSE;
+ kim_error err = kim_identity_is_tgt_service (inPrincipal, &is_tgt);
+
+ return !err ? is_tgt : FALSE;
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLGetKeychainPasswordForPrincipal (KLPrincipal inPrincipal,
+ char **outPassword)
+{
+ return kl_check_error (kim_os_identity_get_saved_password (inPrincipal,
+ (kim_string *) outPassword));
+}
+
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLPrincipalSetKeychainPassword (KLPrincipal inPrincipal,
+ const char *inPassword)
+{
+ return kl_check_error (kim_os_identity_set_saved_password (inPrincipal,
+ inPassword));
+}
+
+/* ------------------------------------------------------------------------ */
+
+KLStatus __KLRemoveKeychainPasswordForPrincipal (KLPrincipal inPrincipal)
+{
+ return kl_check_error (kim_os_identity_remove_saved_password (inPrincipal));
+}
+
+#pragma mark -
+
+// ---------------------------------------------------------------------------
+
+krb5_get_init_creds_opt *__KLLoginOptionsGetKerberos5Options (KLLoginOptions ioOptions)
+{
+ return kim_options_init_cred_options (ioOptions);
+}
+
+// ---------------------------------------------------------------------------
+
+KLTime __KLLoginOptionsGetStartTime (KLLoginOptions ioOptions)
+{
+ return kim_options_start_time (ioOptions);
+}
+
+// ---------------------------------------------------------------------------
+
+char *__KLLoginOptionsGetServiceName (KLLoginOptions ioOptions)
+{
+ return kim_options_service_name (ioOptions);
+}
+
+
+
+#endif /* LEAN_CLIENT */
--- /dev/null
+
+# Public API:
+
+KLAcquireTickets
+KLAcquireNewTickets
+KLAcquireTicketsWithPassword
+KLAcquireNewTicketsWithPassword
+
+KLAcquireInitialTickets
+KLAcquireNewInitialTickets
+KLAcquireInitialTicketsWithPassword
+KLAcquireNewInitialTicketsWithPassword
+KLAcquireNewInitialTicketCredentialsWithPassword
+KLStoreNewInitialTicketCredentials
+
+KLVerifyInitialTickets
+KLVerifyInitialTicketCredentials
+KLAcquireNewInitialTicketsWithKeytab
+
+KLChangePassword
+KLChangePasswordWithPasswords
+KLRenewInitialTickets
+KLValidateInitialTickets
+KLDestroyTickets
+
+KLLastChangedTime
+KLCacheHasValidTickets
+KLTicketStartTime
+KLTicketExpirationTime
+KLSetSystemDefaultCache
+
+KLHandleError
+KLGetErrorString
+
+KLCancelAllDialogs
+
+KLSetApplicationOptions
+KLGetApplicationOptions
+
+KLSetIdleCallback
+KLGetIdleCallback
+
+KLGetDefaultLoginOption
+KLSetDefaultLoginOption
+
+KLFindKerberosRealmByName
+KLGetKerberosRealm
+KLSetKerberosRealm
+KLRemoveKerberosRealm
+KLInsertKerberosRealm
+KLRemoveAllKerberosRealms
+KLCountKerberosRealms
+KLGetKerberosDefaultRealm
+KLGetKerberosDefaultRealmByName
+KLSetKerberosDefaultRealm
+KLSetKerberosDefaultRealmByName
+
+KLCreatePrincipalFromTriplet
+KLCreatePrincipalFromString
+KLGetTripletFromPrincipal
+KLGetStringFromPrincipal
+KLGetDisplayStringFromPrincipal
+KLComparePrincipal
+KLDisposePrincipal
+
+KLCreateLoginOptions
+KLLoginOptionsSetTicketLifetime
+KLLoginOptionsSetForwardable
+KLLoginOptionsSetProxiable
+KLLoginOptionsSetRenewableLifetime
+KLLoginOptionsSetAddressless
+KLLoginOptionsSetTicketStartTime
+KLLoginOptionsSetServiceName
+KLDisposeLoginOptions
+
+KLDisposeString
+
+# Private APIs being used by external callers:
+
+#__KLChangePasswordWithPasswordsCompat
+#__KLAcquireInitialTicketsForCache
+#__KLPrompter
+
+__KLSetApplicationPrompter
+
+__KLSetHomeDirectoryAccess
+__KLAllowHomeDirectoryAccess
+
+__KLSetAutomaticPrompting
+__KLAllowAutomaticPrompting
+__KLSetPromptMechanism
+__KLPromptMechanism
+__KLAllowRememberPassword
+
+__KLCreatePrincipalFromTriplet
+__KLGetTripletFromPrincipal
+__KLCreatePrincipalFromKerberos5Principal
+__KLGetKerberos5PrincipalFromPrincipal
+__KLPrincipalIsTicketGrantingService
+
+__KLGetKeychainPasswordForPrincipal
+__KLPrincipalSetKeychainPassword
+__KLRemoveKeychainPasswordForPrincipal
+
+__KLLoginOptionsGetKerberos5Options
+__KLLoginOptionsGetStartTime
+__KLLoginOptionsGetServiceName
--- /dev/null
+/*
+* Copyright 1998-2008 Massachusetts Institute of Technology.
+* All Rights Reserved.
+*
+* Export of this software from the United States of America may
+* require a specific license from the United States Government.
+* It is the responsibility of any person or organization contemplating
+* export to obtain such a license before exporting.
+*
+* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+* distribute this software and its documentation for any purpose and
+* without fee is hereby granted, provided that the above copyright
+* notice appear in all copies and that both that copyright notice and
+* this permission notice appear in supporting documentation, and that
+* the name of M.I.T. not be used in advertising or publicity pertaining
+* to distribution of the software without specific, written prior
+* permission. Furthermore if you modify this software you must label
+* your software as modified software and not distribute it in such a
+* fashion that it might be confused with the original M.I.T. software.
+* M.I.T. makes no representations about the suitability of
+* this software for any purpose. It is provided "as is" without express
+* or implied warranty.
+*/
+
+#ifndef __KERBEROSLOGINPRIVATE__
+#define __KERBEROSLOGINPRIVATE__
+
+#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
+# include <TargetConditionals.h>
+# if TARGET_RT_MAC_CFM
+# error "Use KfM 4.0 SDK headers for CFM compilation."
+# endif
+#endif
+
+#include <Kerberos/KerberosLogin.h>
+#include <Kerberos/krb5.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+enum {
+ klPromptMechanism_Autodetect = 0,
+ klPromptMechanism_GUI = 1,
+ klPromptMechanism_CLI = 2,
+ klPromptMechanism_None = 0xFFFFFFFF
+};
+typedef uint32_t KLPromptMechanism;
+
+/*************/
+/*** Types ***/
+/*************/
+
+#ifdef KERBEROSLOGIN_DEPRECATED
+
+typedef krb5_error_code (*KLPrompterProcPtr) (krb5_context context,
+ void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[]);
+KLStatus __KLSetApplicationPrompter (KLPrompterProcPtr inPrompter);
+
+#endif /* KERBEROSLOGIN_DEPRECATED */
+
+/*****************/
+/*** Functions ***/
+/*****************/
+
+KLStatus __KLSetHomeDirectoryAccess (KLBoolean inAllowHomeDirectoryAccess);
+KLBoolean __KLAllowHomeDirectoryAccess (void);
+
+KLStatus __KLSetAutomaticPrompting (KLBoolean inAllowAutomaticPrompting);
+KLBoolean __KLAllowAutomaticPrompting (void);
+
+KLBoolean __KLAllowRememberPassword (void);
+
+KLStatus __KLSetPromptMechanism (KLPromptMechanism inPromptMechanism);
+KLPromptMechanism __KLPromptMechanism (void);
+
+KLStatus __KLCreatePrincipalFromTriplet (const char *inName,
+ const char *inInstance,
+ const char *inRealm,
+ KLKerberosVersion inKerberosVersion,
+ KLPrincipal *outPrincipal);
+
+KLStatus __KLGetTripletFromPrincipal (KLPrincipal inPrincipal,
+ KLKerberosVersion inKerberosVersion,
+ char **outName,
+ char **outInstance,
+ char **outRealm);
+
+KLStatus __KLCreatePrincipalFromKerberos5Principal (krb5_principal inPrincipal,
+ KLPrincipal *outPrincipal);
+
+KLStatus __KLGetKerberos5PrincipalFromPrincipal (KLPrincipal inPrincipal,
+ krb5_context inContext,
+ krb5_principal *outKrb5Principal);
+
+KLStatus __KLGetRealmFromPrincipal (KLPrincipal inPrincipal, char **outRealm);
+
+KLBoolean __KLPrincipalIsTicketGrantingService (KLPrincipal inPrincipal);
+
+KLStatus __KLGetKeychainPasswordForPrincipal (KLPrincipal inPrincipal,
+ char **outPassword);
+
+KLStatus __KLPrincipalSetKeychainPassword (KLPrincipal inPrincipal,
+ const char *inPassword);
+
+KLStatus __KLRemoveKeychainPasswordForPrincipal (KLPrincipal inPrincipal);
+
+#if TARGET_OS_MAC
+# if defined(__MWERKS__)
+# pragma import reset
+# endif
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __KERBEROSLOGINPRIVATE__ */
+
#include <strings.h>
#endif
-#if defined(USE_LOGIN_LIBRARY)
-#include <Kerberos/KerberosLoginPrivate.h>
+#if defined(USE_KIM)
+#include <kim/kim.h>
#elif defined(USE_LEASH)
#ifdef _WIN64
#define LEASH_DLL "leashw64.dll"
return(GSS_S_FAILURE);
}
-#if defined(USE_LOGIN_LIBRARY) || defined(USE_LEASH)
+#if defined(USE_KIM) || defined(USE_LEASH)
if (desired_name && !caller_provided_ccache_name) {
-#if defined(USE_LOGIN_LIBRARY)
- KLStatus err = klNoErr;
- char *ccache_name = NULL;
- KLPrincipal kl_desired_princ = NULL;
-
- err = __KLCreatePrincipalFromKerberos5Principal ((krb5_principal) desired_name,
- &kl_desired_princ);
+#if defined(USE_KIM)
+ kim_error err = KIM_NO_ERROR;
+ kim_ccache kimccache = NULL;
+ kim_identity identity = NULL;
+
+ err = kim_identity_create_from_krb5_principal (&identity,
+ context,
+ (krb5_principal) desired_name);
if (!err) {
- err = KLAcquireInitialTickets (kl_desired_princ, NULL, NULL, &ccache_name);
+ err = kim_ccache_create_new_if_needed (&kimccache,
+ identity,
+ KIM_OPTIONS_DEFAULT);
}
-
+
if (!err) {
- err = krb5_cc_resolve (context, ccache_name, &ccache);
+ err = kim_ccache_get_krb5_ccache (kimccache, context, &ccache);
}
+ kim_ccache_free (&kimccache);
+ kim_identity_free (&identity);
+
if (err) {
*minor_status = err;
return(GSS_S_CRED_UNAVAIL);
}
- if (kl_desired_princ != NULL) { KLDisposePrincipal (kl_desired_princ); }
- if (ccache_name != NULL) { KLDisposeString (ccache_name); }
-
#elif defined(USE_LEASH)
if ( hLeashDLL == INVALID_HANDLE_VALUE ) {
hLeashDLL = LoadLibrary(LEASH_DLL);
}
#endif /* USE_LEASH */
} else
-#endif /* USE_LOGIN_LIBRARY || USE_LEASH */
+#endif /* USE_KIM || USE_LEASH */
{
/* open the default credential cache */
#include "k5-int.h"
-#if defined(USE_LOGIN_LIBRARY)
-#include "KerberosLoginPrivate.h"
+#if defined(USE_KIM)
+#include <kim/kim.h>
#elif defined(USE_LEASH)
static void (*pLeash_AcquireInitialTicketsIfNeeded)(krb5_context,krb5_principal,char*,int) = NULL;
static HANDLE hLeashDLL = INVALID_HANDLE_VALUE;
return KV5M_CONTEXT;
}
-#ifdef USE_LOGIN_LIBRARY
+#ifdef USE_KIM
{
- /* make sure the default cache has tix before you open it */
- KLStatus err = klNoErr;
- char *outCacheName = NULL;
+ kim_error err = KIM_NO_ERROR;
+ kim_ccache kimccache = NULL;
+ kim_identity identity = KIM_IDENTITY_ANY;
+ kim_credential_state state;
+ kim_string name = NULL;
- /* Try to make sure a krb5 tgt is in the cache */
- err = __KLInternalAcquireInitialTicketsForCache (krb5_cc_default_name (context), kerberosVersion_V5,
- NULL, NULL, &outCacheName);
- if (err == klNoErr) {
- /* This function tries to get tickets and put them in the specified
- cache, however, if the cache does not exist, it may choose to put
- them elsewhere (ie: the system default) so we set that here */
- const char * ccdefname = krb5_cc_default_name (context);
- if (!ccdefname || strcmp (ccdefname, outCacheName) != 0) {
- krb5_cc_set_default_name (context, outCacheName);
- }
- KLDisposeString (outCacheName);
+ err = kim_ccache_create_from_display_name (&kimccache,
+ krb5_cc_default_name (context));
+
+ if (!err) {
+ err = kim_ccache_get_client_identity (kimccache, &identity);
+ }
+
+ if (!err) {
+ err = kim_ccache_get_state (kimccache, &state);
+ }
+
+ if (err || state != kim_credentials_state_valid) {
+ /* Either the ccache is does not exist or is invalid. Get new
+ * tickets. Use the identity in the ccache if there was one. */
+ kim_ccache_free (&kimccache);
+ err = kim_ccache_create_new (&kimccache,
+ identity, KIM_OPTIONS_DEFAULT);
}
+
+ if (!err) {
+ err = kim_ccache_get_display_name (kimccache, &name);
+ }
+
+ if (!err) {
+ krb5_cc_set_default_name (context, name);
+ }
+
+ kim_string_free (&name);
+ kim_ccache_free (&kimccache);
}
#else
#ifdef USE_LEASH
use_master = 0;
}
-#ifdef USE_LOGIN_LIBRARY
+#ifdef USE_KIM
if (ret == KRB5KDC_ERR_KEY_EXP)
goto cleanup; /* Login library will deal appropriately with this error */
#endif
#include "os-proto.h"
#include "prof_int.h" /* XXX for profile_copy, not public yet */
-#ifdef USE_LOGIN_LIBRARY
-#include "KerberosLoginPrivate.h"
+#ifdef USE_KIM
+#include "kim/kim_library.h"
#endif
#if defined(_WIN32)
unsigned int ent_len;
const char *s, *t;
-#ifdef USE_LOGIN_LIBRARY
- /* If __KLAllowHomeDirectoryAccess() == FALSE, we are probably
+#ifdef USE_KIM
+ /* If kim_library_allow_home_directory_access() == FALSE, we are probably
trying to authenticate to a fileserver for the user's homedir. */
- if (!__KLAllowHomeDirectoryAccess ())
+ if (!kim_library_allow_home_directory_access ())
secure = 1;
#endif
if (secure) {