1 /* $NetBSD: init_creds.c,v 1.2 2017/01/28 21:31:49 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * 3. Neither the name of the Institute nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 */ 37 38 #include "krb5_locl.h" 39 40 #undef __attribute__ 41 #define __attribute__(x) 42 43 /** 44 * @page krb5_init_creds_intro The initial credential handing functions 45 * @section section_krb5_init_creds Initial credential 46 * 47 * Functions to get initial credentials: @ref krb5_credential . 48 */ 49 50 /** 51 * Allocate a new krb5_get_init_creds_opt structure, free with 52 * krb5_get_init_creds_opt_free(). 53 * 54 * @ingroup krb5_credential 55 */ 56 57 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 58 krb5_get_init_creds_opt_alloc(krb5_context context, 59 krb5_get_init_creds_opt **opt) 60 { 61 krb5_get_init_creds_opt *o; 62 63 *opt = NULL; 64 o = calloc(1, sizeof(*o)); 65 if (o == NULL) 66 return krb5_enomem(context); 67 68 o->opt_private = calloc(1, sizeof(*o->opt_private)); 69 if (o->opt_private == NULL) { 70 free(o); 71 return krb5_enomem(context); 72 } 73 o->opt_private->refcount = 1; 74 *opt = o; 75 return 0; 76 } 77 78 /** 79 * Free krb5_get_init_creds_opt structure. 80 * 81 * @ingroup krb5_credential 82 */ 83 84 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 85 krb5_get_init_creds_opt_free(krb5_context context, 86 krb5_get_init_creds_opt *opt) 87 { 88 if (opt == NULL || opt->opt_private == NULL) 89 return; 90 if (opt->opt_private->refcount < 1) /* abort ? */ 91 return; 92 if (--opt->opt_private->refcount == 0) { 93 _krb5_get_init_creds_opt_free_pkinit(opt); 94 free(opt->opt_private); 95 } 96 memset(opt, 0, sizeof(*opt)); 97 free(opt); 98 } 99 100 static int 101 get_config_time (krb5_context context, 102 const char *realm, 103 const char *name, 104 int def) 105 { 106 int ret; 107 108 ret = krb5_config_get_time (context, NULL, 109 "realms", 110 realm, 111 name, 112 NULL); 113 if (ret >= 0) 114 return ret; 115 ret = krb5_config_get_time (context, NULL, 116 "libdefaults", 117 name, 118 NULL); 119 if (ret >= 0) 120 return ret; 121 return def; 122 } 123 124 static krb5_boolean 125 get_config_bool (krb5_context context, 126 krb5_boolean def_value, 127 const char *realm, 128 const char *name) 129 { 130 krb5_boolean b; 131 132 b = krb5_config_get_bool_default(context, NULL, def_value, 133 "realms", realm, name, NULL); 134 if (b != def_value) 135 return b; 136 b = krb5_config_get_bool_default (context, NULL, def_value, 137 "libdefaults", name, NULL); 138 if (b != def_value) 139 return b; 140 return def_value; 141 } 142 143 /* 144 * set all the values in `opt' to the appropriate values for 145 * application `appname' (default to getprogname() if NULL), and realm 146 * `realm'. First looks in [appdefaults] but falls back to 147 * [realms] or [libdefaults] for some of the values. 148 */ 149 150 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 151 krb5_get_init_creds_opt_set_default_flags(krb5_context context, 152 const char *appname, 153 krb5_const_realm realm, 154 krb5_get_init_creds_opt *opt) 155 { 156 krb5_boolean b; 157 time_t t; 158 159 b = get_config_bool (context, KRB5_FORWARDABLE_DEFAULT, 160 realm, "forwardable"); 161 krb5_appdefault_boolean(context, appname, realm, "forwardable", b, &b); 162 krb5_get_init_creds_opt_set_forwardable(opt, b); 163 164 b = get_config_bool (context, FALSE, realm, "proxiable"); 165 krb5_appdefault_boolean(context, appname, realm, "proxiable", b, &b); 166 krb5_get_init_creds_opt_set_proxiable (opt, b); 167 168 krb5_appdefault_time(context, appname, realm, "ticket_lifetime", 0, &t); 169 if (t == 0) 170 t = get_config_time (context, realm, "ticket_lifetime", 0); 171 if(t != 0) 172 krb5_get_init_creds_opt_set_tkt_life(opt, t); 173 174 krb5_appdefault_time(context, appname, realm, "renew_lifetime", 0, &t); 175 if (t == 0) 176 t = get_config_time (context, realm, "renew_lifetime", 0); 177 if(t != 0) 178 krb5_get_init_creds_opt_set_renew_life(opt, t); 179 180 krb5_appdefault_boolean(context, appname, realm, "no-addresses", 181 KRB5_ADDRESSLESS_DEFAULT, &b); 182 krb5_get_init_creds_opt_set_addressless (context, opt, b); 183 184 #if 0 185 krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b); 186 krb5_get_init_creds_opt_set_anonymous (opt, b); 187 188 krb5_get_init_creds_opt_set_etype_list(opt, enctype, 189 etype_str.num_strings); 190 191 krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, 192 krb5_data *salt); 193 194 krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, 195 krb5_preauthtype *preauth_list, 196 int preauth_list_length); 197 #endif 198 } 199 200 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 201 krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, 202 int change_password_prompt) 203 { 204 opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT; 205 opt->change_password_prompt = change_password_prompt; 206 } 207 208 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 209 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, 210 krb5_deltat tkt_life) 211 { 212 opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE; 213 opt->tkt_life = tkt_life; 214 } 215 216 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 217 krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, 218 krb5_deltat renew_life) 219 { 220 opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE; 221 opt->renew_life = renew_life; 222 } 223 224 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 225 krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, 226 int forwardable) 227 { 228 opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE; 229 opt->forwardable = forwardable; 230 } 231 232 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 233 krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, 234 int proxiable) 235 { 236 opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE; 237 opt->proxiable = proxiable; 238 } 239 240 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 241 krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, 242 krb5_enctype *etype_list, 243 int etype_list_length) 244 { 245 opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST; 246 opt->etype_list = etype_list; 247 opt->etype_list_length = etype_list_length; 248 } 249 250 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 251 krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, 252 krb5_addresses *addresses) 253 { 254 opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST; 255 opt->address_list = addresses; 256 } 257 258 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 259 krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, 260 krb5_preauthtype *preauth_list, 261 int preauth_list_length) 262 { 263 opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST; 264 opt->preauth_list_length = preauth_list_length; 265 opt->preauth_list = preauth_list; 266 } 267 268 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 269 krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, 270 krb5_data *salt) 271 { 272 opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT; 273 opt->salt = salt; 274 } 275 276 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 277 krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt, 278 int anonymous) 279 { 280 opt->flags |= KRB5_GET_INIT_CREDS_OPT_ANONYMOUS; 281 opt->anonymous = anonymous; 282 } 283 284 static krb5_error_code 285 require_ext_opt(krb5_context context, 286 krb5_get_init_creds_opt *opt, 287 const char *type) 288 { 289 if (opt->opt_private == NULL) { 290 krb5_set_error_message(context, EINVAL, 291 N_("%s on non extendable opt", ""), type); 292 return EINVAL; 293 } 294 return 0; 295 } 296 297 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 298 krb5_get_init_creds_opt_set_pa_password(krb5_context context, 299 krb5_get_init_creds_opt *opt, 300 const char *password, 301 krb5_s2k_proc key_proc) 302 { 303 krb5_error_code ret; 304 ret = require_ext_opt(context, opt, "init_creds_opt_set_pa_password"); 305 if (ret) 306 return ret; 307 opt->opt_private->password = password; 308 opt->opt_private->key_proc = key_proc; 309 return 0; 310 } 311 312 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 313 krb5_get_init_creds_opt_set_pac_request(krb5_context context, 314 krb5_get_init_creds_opt *opt, 315 krb5_boolean req_pac) 316 { 317 krb5_error_code ret; 318 ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req"); 319 if (ret) 320 return ret; 321 opt->opt_private->req_pac = req_pac ? 322 KRB5_INIT_CREDS_TRISTATE_TRUE : 323 KRB5_INIT_CREDS_TRISTATE_FALSE; 324 return 0; 325 } 326 327 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 328 krb5_get_init_creds_opt_set_addressless(krb5_context context, 329 krb5_get_init_creds_opt *opt, 330 krb5_boolean addressless) 331 { 332 krb5_error_code ret; 333 ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req"); 334 if (ret) 335 return ret; 336 if (addressless) 337 opt->opt_private->addressless = KRB5_INIT_CREDS_TRISTATE_TRUE; 338 else 339 opt->opt_private->addressless = KRB5_INIT_CREDS_TRISTATE_FALSE; 340 return 0; 341 } 342 343 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 344 krb5_get_init_creds_opt_set_canonicalize(krb5_context context, 345 krb5_get_init_creds_opt *opt, 346 krb5_boolean req) 347 { 348 krb5_error_code ret; 349 ret = require_ext_opt(context, opt, "init_creds_opt_set_canonicalize"); 350 if (ret) 351 return ret; 352 if (req) 353 opt->opt_private->flags |= KRB5_INIT_CREDS_CANONICALIZE; 354 else 355 opt->opt_private->flags &= ~KRB5_INIT_CREDS_CANONICALIZE; 356 return 0; 357 } 358 359 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 360 krb5_get_init_creds_opt_set_win2k(krb5_context context, 361 krb5_get_init_creds_opt *opt, 362 krb5_boolean req) 363 { 364 krb5_error_code ret; 365 ret = require_ext_opt(context, opt, "init_creds_opt_set_win2k"); 366 if (ret) 367 return ret; 368 if (req) { 369 opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK; 370 opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK; 371 } else { 372 opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_CANON_CHECK; 373 opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK; 374 } 375 return 0; 376 } 377 378 379 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 380 krb5_get_init_creds_opt_set_process_last_req(krb5_context context, 381 krb5_get_init_creds_opt *opt, 382 krb5_gic_process_last_req func, 383 void *ctx) 384 { 385 krb5_error_code ret; 386 ret = require_ext_opt(context, opt, "init_creds_opt_set_process_last_req"); 387 if (ret) 388 return ret; 389 390 opt->opt_private->lr.func = func; 391 opt->opt_private->lr.ctx = ctx; 392 393 return 0; 394 } 395 396 397 #ifndef HEIMDAL_SMALLER 398 399 /** 400 * Deprecated: use krb5_get_init_creds_opt_alloc(). 401 * 402 * The reason krb5_get_init_creds_opt_init() is deprecated is that 403 * krb5_get_init_creds_opt is a static structure and for ABI reason it 404 * can't grow, ie can't add new functionality. 405 * 406 * @ingroup krb5_deprecated 407 */ 408 409 KRB5_LIB_FUNCTION void KRB5_LIB_CALL 410 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) 411 KRB5_DEPRECATED_FUNCTION("Use X instead") 412 { 413 memset (opt, 0, sizeof(*opt)); 414 } 415 416 /** 417 * Deprecated: use the new krb5_init_creds_init() and 418 * krb5_init_creds_get_error(). 419 * 420 * @ingroup krb5_deprecated 421 */ 422 423 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL 424 krb5_get_init_creds_opt_get_error(krb5_context context, 425 krb5_get_init_creds_opt *opt, 426 KRB_ERROR **error) 427 KRB5_DEPRECATED_FUNCTION("Use X instead") 428 { 429 *error = calloc(1, sizeof(**error)); 430 if (*error == NULL) 431 return krb5_enomem(context); 432 433 return 0; 434 } 435 436 #endif /* HEIMDAL_SMALLER */ 437