1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* lib/krb5/krb/gic_keytab.c */
4 * Copyright (C) 2002, 2003, 2008 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
29 #include "int-proto.h"
30 #include "init_creds_ctx.h"
32 static krb5_error_code
33 get_as_key_keytab(krb5_context context,
34 krb5_principal client,
36 krb5_prompter_fct prompter,
40 krb5_keyblock *as_key,
43 krb5_keytab keytab = (krb5_keytab) gak_data;
45 krb5_keytab_entry kt_ent;
46 krb5_keyblock *kt_key;
48 /* if there's already a key of the correct etype, we're done.
49 if the etype is wrong, free the existing key, and make
53 if (as_key->enctype == etype)
56 krb5_free_keyblock_contents(context, as_key);
60 if (!krb5_c_valid_enctype(etype))
61 return(KRB5_PROG_ETYPE_NOSUPP);
63 if ((ret = krb5_kt_get_entry(context, keytab, client,
64 0, /* don't have vno available */
68 ret = krb5_copy_keyblock(context, &kt_ent.key, &kt_key);
70 /* again, krb5's memory management is lame... */
75 (void) krb5_kt_free_entry(context, &kt_ent);
80 krb5_error_code KRB5_CALLCONV
81 krb5_init_creds_set_keytab(krb5_context context,
82 krb5_init_creds_context ctx,
85 ctx->gak_fct = get_as_key_keytab;
86 ctx->gak_data = keytab;
91 static krb5_error_code
92 get_init_creds_keytab(krb5_context context, krb5_creds *creds,
93 krb5_principal client, krb5_keytab keytab,
94 krb5_deltat start_time, char *in_tkt_service,
95 krb5_get_init_creds_opt *options, int *use_master)
98 krb5_init_creds_context ctx = NULL;
100 ret = krb5_init_creds_init(context, client, NULL, NULL, start_time,
105 if (in_tkt_service) {
106 ret = krb5_init_creds_set_service(context, ctx, in_tkt_service);
111 ret = krb5_init_creds_set_keytab(context, ctx, keytab);
115 ret = k5_init_creds_get(context, ctx, use_master);
119 ret = krb5_init_creds_get_creds(context, ctx, creds);
124 krb5_init_creds_free(context, ctx);
129 krb5_error_code KRB5_CALLCONV
130 krb5_get_init_creds_keytab(krb5_context context,
132 krb5_principal client,
133 krb5_keytab arg_keytab,
134 krb5_deltat start_time,
135 char *in_tkt_service,
136 krb5_get_init_creds_opt *options)
138 krb5_error_code ret, ret2;
142 if (arg_keytab == NULL) {
143 if ((ret = krb5_kt_default(context, &keytab)))
151 /* first try: get the requested tkt from any kdc */
153 ret = get_init_creds_keytab(context, creds, client, keytab, start_time,
154 in_tkt_service, options, &use_master);
156 /* check for success */
161 /* If all the kdc's are unavailable fail */
163 if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
166 /* if the reply did not come from the master kdc, try again with
172 ret2 = get_init_creds_keytab(context, creds, client, keytab,
173 start_time, in_tkt_service, options,
181 /* if the master is unreachable, return the error from the
182 slave we were able to contact */
184 if ((ret2 == KRB5_KDC_UNREACH) ||
185 (ret2 == KRB5_REALM_CANT_RESOLVE) ||
186 (ret2 == KRB5_REALM_UNKNOWN))
192 /* at this point, we have a response from the master. Since we don't
193 do any prompting or changing for keytabs, that's it. */
196 if (arg_keytab == NULL)
197 krb5_kt_close(context, keytab);
201 krb5_error_code KRB5_CALLCONV
202 krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
203 krb5_address *const *addrs, krb5_enctype *ktypes,
204 krb5_preauthtype *pre_auth_types,
205 krb5_keytab arg_keytab, krb5_ccache ccache,
206 krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
208 krb5_error_code retval;
209 krb5_get_init_creds_opt *opts;
210 char * server = NULL;
212 krb5_principal client_princ, server_princ;
215 retval = krb5int_populate_gic_opt(context, &opts,
216 options, addrs, ktypes,
217 pre_auth_types, creds);
221 if (arg_keytab == NULL) {
222 retval = krb5_kt_default(context, &keytab);
226 else keytab = arg_keytab;
228 retval = krb5_unparse_name( context, creds->server, &server);
231 server_princ = creds->server;
232 client_princ = creds->client;
233 retval = krb5int_get_init_creds(context, creds, creds->client,
234 krb5_prompter_posix, NULL,
236 get_as_key_keytab, (void *)keytab,
237 &use_master, ret_as_reply);
238 krb5_free_unparsed_name( context, server);
242 krb5_free_principal(context, creds->server);
243 krb5_free_principal(context, creds->client);
244 creds->client = client_princ;
245 creds->server = server_princ;
247 /* store it in the ccache! */
249 if ((retval = krb5_cc_store_cred(context, ccache, creds)))
252 krb5_get_init_creds_opt_free(context, opts);
253 if (arg_keytab == NULL)
254 krb5_kt_close(context, keytab);
258 #endif /* LEAN_CLIENT */