2 * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
38 typedef struct krb5_get_init_creds_ctx {
41 krb5_addresses *addrs;
43 krb5_preauthtype *pre_auth_types;
44 const char *in_tkt_service;
52 krb5_s2k_proc key_proc;
54 krb5_get_init_creds_req_pac req_pac;
56 krb5_pk_init_ctx pk_init_ctx;
57 } krb5_get_init_creds_ctx;
59 static krb5_error_code
60 default_s2k_func(krb5_context context, krb5_enctype type,
61 krb5_const_pointer keyseed,
62 krb5_salt salt, krb5_data *s2kparms,
69 password.data = (void *)keyseed;
70 password.length = strlen(keyseed);
74 krb5_data_zero(&opaque);
76 *key = malloc(sizeof(**key));
79 ret = krb5_string_to_key_data_salt_opaque(context, type, password,
87 free_init_creds_ctx(krb5_context context, krb5_get_init_creds_ctx *ctx)
91 if (ctx->pre_auth_types)
92 free (ctx->pre_auth_types);
93 free_AS_REQ(&ctx->as_req);
94 memset(&ctx->as_req, 0, sizeof(ctx->as_req));
98 get_config_time (krb5_context context,
105 ret = krb5_config_get_time (context, NULL,
112 ret = krb5_config_get_time (context, NULL,
121 static krb5_error_code
122 init_cred (krb5_context context,
124 krb5_principal client,
125 krb5_deltat start_time,
126 const char *in_tkt_service,
127 krb5_get_init_creds_opt *options)
130 krb5_const_realm client_realm;
134 krb5_timeofday (context, &now);
136 memset (cred, 0, sizeof(*cred));
139 krb5_copy_principal(context, client, &cred->client);
141 ret = krb5_get_default_principal (context,
147 client_realm = krb5_principal_get_realm (context, cred->client);
150 cred->times.starttime = now + start_time;
152 if (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)
153 tmp = options->tkt_life;
156 cred->times.endtime = now + tmp;
158 if ((options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE) &&
159 options->renew_life > 0) {
160 cred->times.renew_till = now + options->renew_life;
163 if (in_tkt_service) {
164 krb5_realm server_realm;
166 ret = krb5_parse_name (context, in_tkt_service, &cred->server);
169 server_realm = strdup (client_realm);
170 free (*krb5_princ_realm(context, cred->server));
171 krb5_princ_set_realm (context, cred->server, &server_realm);
173 ret = krb5_make_principal(context, &cred->server,
174 client_realm, KRB5_TGS_NAME, client_realm,
182 krb5_free_cred_contents (context, cred);
187 * Print a message (str) to the user about the expiration in `lr'
191 report_expiration (krb5_context context,
192 krb5_prompter_fct prompter,
199 asprintf (&p, "%s%s", str, ctime(&time));
200 (*prompter) (context, data, NULL, p, 0, NULL);
205 * Parse the last_req data and show it to the user if it's interesting
209 print_expire (krb5_context context,
210 krb5_const_realm realm,
212 krb5_prompter_fct prompter,
216 LastReq *lr = &rep->enc_part.last_req;
219 krb5_boolean reported = FALSE;
221 krb5_timeofday (context, &sec);
223 t = sec + get_config_time (context,
228 for (i = 0; i < lr->len; ++i) {
229 if (lr->val[i].lr_value <= t) {
230 switch (abs(lr->val[i].lr_type)) {
232 report_expiration(context, prompter, data,
233 "Your password will expire at ",
234 lr->val[i].lr_value);
237 case LR_ACCT_EXPTIME :
238 report_expiration(context, prompter, data,
239 "Your account will expire at ",
240 lr->val[i].lr_value);
248 && rep->enc_part.key_expiration
249 && *rep->enc_part.key_expiration <= t) {
250 report_expiration(context, prompter, data,
251 "Your password/account will expire at ",
252 *rep->enc_part.key_expiration);
256 static krb5_error_code
257 get_init_creds_common(krb5_context context,
259 krb5_principal client,
260 krb5_deltat start_time,
261 const char *in_tkt_service,
262 krb5_get_init_creds_opt *options,
263 krb5_get_init_creds_ctx *ctx)
265 krb5_get_init_creds_opt default_opt;
267 krb5_enctype *etypes;
268 krb5_preauthtype *pre_auth_types;
270 memset(ctx, 0, sizeof(*ctx));
272 if (options == NULL) {
273 krb5_get_init_creds_opt_init (&default_opt);
274 options = &default_opt;
277 if (options->private) {
278 ctx->password = options->private->password;
279 ctx->key_proc = options->private->key_proc;
280 ctx->req_pac = options->private->req_pac;
281 ctx->pk_init_ctx = options->private->pk_init_ctx;
283 ctx->req_pac = KRB5_PA_PAC_DONT_CARE;
285 if (ctx->key_proc == NULL)
286 ctx->key_proc = default_s2k_func;
288 ctx->pre_auth_types = NULL;
292 ctx->pre_auth_types = NULL;
293 ctx->in_tkt_service = in_tkt_service;
295 ret = init_cred (context, &ctx->cred, client, start_time,
296 in_tkt_service, options);
302 if (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE)
303 ctx->flags.b.forwardable = options->forwardable;
305 if (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE)
306 ctx->flags.b.proxiable = options->proxiable;
309 ctx->flags.b.postdated = 1;
310 if (ctx->cred.times.renew_till)
311 ctx->flags.b.renewable = 1;
312 if (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)
313 ctx->addrs = options->address_list;
314 if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) {
315 etypes = malloc((options->etype_list_length + 1)
316 * sizeof(krb5_enctype));
317 if (etypes == NULL) {
318 krb5_set_error_string(context, "malloc: out of memory");
321 memcpy (etypes, options->etype_list,
322 options->etype_list_length * sizeof(krb5_enctype));
323 etypes[options->etype_list_length] = ETYPE_NULL;
324 ctx->etypes = etypes;
326 if (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) {
327 pre_auth_types = malloc((options->preauth_list_length + 1)
328 * sizeof(krb5_preauthtype));
329 if (pre_auth_types == NULL) {
330 krb5_set_error_string(context, "malloc: out of memory");
333 memcpy (pre_auth_types, options->preauth_list,
334 options->preauth_list_length * sizeof(krb5_preauthtype));
335 pre_auth_types[options->preauth_list_length] = KRB5_PADATA_NONE;
336 ctx->pre_auth_types = pre_auth_types;
338 if (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)
340 if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS)
341 ctx->flags.b.request_anonymous = options->anonymous;
345 static krb5_error_code
346 change_password (krb5_context context,
347 krb5_principal client,
348 const char *password,
351 krb5_prompter_fct prompter,
353 krb5_get_init_creds_opt *old_options)
355 krb5_prompt prompts[2];
358 char buf1[BUFSIZ], buf2[BUFSIZ];
359 krb5_data password_data[2];
361 krb5_data result_code_string;
362 krb5_data result_string;
364 krb5_get_init_creds_opt options;
366 memset (&cpw_cred, 0, sizeof(cpw_cred));
368 krb5_get_init_creds_opt_init (&options);
369 krb5_get_init_creds_opt_set_tkt_life (&options, 60);
370 krb5_get_init_creds_opt_set_forwardable (&options, FALSE);
371 krb5_get_init_creds_opt_set_proxiable (&options, FALSE);
372 if (old_options && old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)
373 krb5_get_init_creds_opt_set_preauth_list (&options,
374 old_options->preauth_list,
375 old_options->preauth_list_length);
377 krb5_data_zero (&result_code_string);
378 krb5_data_zero (&result_string);
380 ret = krb5_get_init_creds_password (context,
393 password_data[0].data = buf1;
394 password_data[0].length = sizeof(buf1);
396 prompts[0].hidden = 1;
397 prompts[0].prompt = "New password: ";
398 prompts[0].reply = &password_data[0];
399 prompts[0].type = KRB5_PROMPT_TYPE_NEW_PASSWORD;
401 password_data[1].data = buf2;
402 password_data[1].length = sizeof(buf2);
404 prompts[1].hidden = 1;
405 prompts[1].prompt = "Repeat new password: ";
406 prompts[1].reply = &password_data[1];
407 prompts[1].type = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN;
409 ret = (*prompter) (context, data, NULL, "Changing password",
412 memset (buf1, 0, sizeof(buf1));
413 memset (buf2, 0, sizeof(buf2));
417 if (strcmp (buf1, buf2) == 0)
419 memset (buf1, 0, sizeof(buf1));
420 memset (buf2, 0, sizeof(buf2));
423 ret = krb5_change_password (context,
431 asprintf (&p, "%s: %.*s\n",
432 result_code ? "Error" : "Success",
433 (int)result_string.length,
434 result_string.length > 0 ? (char*)result_string.data : "");
436 ret = (*prompter) (context, data, NULL, p, 0, NULL);
438 if (result_code == 0) {
439 strlcpy (newpw, buf1, newpw_sz);
442 krb5_set_error_string (context, "failed changing password");
447 memset (buf1, 0, sizeof(buf1));
448 memset (buf2, 0, sizeof(buf2));
449 krb5_data_free (&result_string);
450 krb5_data_free (&result_code_string);
451 krb5_free_cred_contents (context, &cpw_cred);
455 krb5_error_code KRB5_LIB_FUNCTION
456 krb5_keyblock_key_proc (krb5_context context,
459 krb5_const_pointer keyseed,
462 return krb5_copy_keyblock (context, keyseed, key);
465 krb5_error_code KRB5_LIB_FUNCTION
466 krb5_get_init_creds_keytab(krb5_context context,
468 krb5_principal client,
470 krb5_deltat start_time,
471 const char *in_tkt_service,
472 krb5_get_init_creds_opt *options)
474 krb5_get_init_creds_ctx ctx;
476 krb5_keytab_key_proc_args *a;
478 ret = get_init_creds_common(context, creds, client, start_time,
479 in_tkt_service, options, &ctx);
483 a = malloc (sizeof(*a));
485 krb5_set_error_string(context, "malloc: out of memory");
489 a->principal = ctx.cred.client;
492 ret = krb5_get_in_cred (context,
498 krb5_keytab_key_proc,
506 if (ret == 0 && creds)
509 krb5_free_cred_contents (context, &ctx.cred);
512 free_init_creds_ctx(context, &ctx);
520 static krb5_error_code
521 init_creds_init_as_req (krb5_context context,
523 const krb5_creds *creds,
524 const krb5_addresses *addrs,
525 const krb5_enctype *etypes,
530 memset(a, 0, sizeof(*a));
533 a->msg_type = krb_as_req;
534 a->req_body.kdc_options = opts.b;
535 a->req_body.cname = malloc(sizeof(*a->req_body.cname));
536 if (a->req_body.cname == NULL) {
538 krb5_set_error_string(context, "malloc: out of memory");
541 a->req_body.sname = malloc(sizeof(*a->req_body.sname));
542 if (a->req_body.sname == NULL) {
544 krb5_set_error_string(context, "malloc: out of memory");
548 ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
551 ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
557 a->req_body.cname = NULL;
558 ret = krb5_get_default_realm(context, &realm);
561 ret = copy_Realm(&realm, &a->req_body.realm);
564 ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
568 if(creds->times.starttime) {
569 a->req_body.from = malloc(sizeof(*a->req_body.from));
570 if (a->req_body.from == NULL) {
572 krb5_set_error_string(context, "malloc: out of memory");
575 *a->req_body.from = creds->times.starttime;
577 if(creds->times.endtime){
578 ALLOC(a->req_body.till, 1);
579 *a->req_body.till = creds->times.endtime;
581 if(creds->times.renew_till){
582 a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
583 if (a->req_body.rtime == NULL) {
585 krb5_set_error_string(context, "malloc: out of memory");
588 *a->req_body.rtime = creds->times.renew_till;
590 a->req_body.nonce = 0;
591 ret = krb5_init_etype (context,
592 &a->req_body.etype.len,
593 &a->req_body.etype.val,
599 * This means no addresses
602 if (addrs && addrs->len == 0) {
603 a->req_body.addresses = NULL;
605 a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
606 if (a->req_body.addresses == NULL) {
608 krb5_set_error_string(context, "malloc: out of memory");
613 ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
615 ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
616 if(ret == 0 && a->req_body.addresses->len == 0) {
617 free(a->req_body.addresses);
618 a->req_body.addresses = NULL;
625 a->req_body.enc_authorization_data = NULL;
626 a->req_body.additional_tickets = NULL;
633 memset(a, 0, sizeof(*a));
637 struct pa_info_data {
640 krb5_data *s2kparams;
644 free_paid(krb5_context context, struct pa_info_data *ppaid)
646 krb5_free_salt(context, ppaid->salt);
647 if (ppaid->s2kparams)
648 krb5_data_free(ppaid->s2kparams);
652 static krb5_error_code
653 set_paid(struct pa_info_data *paid, krb5_context context,
655 krb5_salttype salttype, void *salt_string, size_t salt_len,
656 krb5_data *s2kparams)
659 paid->salt.salttype = salttype;
660 paid->salt.saltvalue.data = malloc(salt_len + 1);
661 if (paid->salt.saltvalue.data == NULL) {
662 krb5_clear_error_string(context);
665 memcpy(paid->salt.saltvalue.data, salt_string, salt_len);
666 ((char *)paid->salt.saltvalue.data)[salt_len] = '\0';
667 paid->salt.saltvalue.length = salt_len;
671 ret = krb5_copy_data(context, s2kparams, &paid->s2kparams);
673 krb5_clear_error_string(context);
674 krb5_free_salt(context, paid->salt);
678 paid->s2kparams = NULL;
683 static struct pa_info_data *
684 pa_etype_info2(krb5_context context,
685 const krb5_principal client,
687 struct pa_info_data *paid,
688 heim_octet_string *data)
695 memset(&e, 0, sizeof(e));
696 ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz);
701 for (j = 0; j < asreq->req_body.etype.len; j++) {
702 for (i = 0; i < e.len; i++) {
703 if (asreq->req_body.etype.val[j] == e.val[i].etype) {
705 if (e.val[i].salt == NULL)
706 ret = krb5_get_pw_salt(context, client, &salt);
708 salt.saltvalue.data = *e.val[i].salt;
709 salt.saltvalue.length = strlen(*e.val[i].salt);
713 ret = set_paid(paid, context, e.val[i].etype,
716 salt.saltvalue.length,
718 if (e.val[i].salt == NULL)
719 krb5_free_salt(context, salt);
721 free_ETYPE_INFO2(&e);
728 free_ETYPE_INFO2(&e);
732 static struct pa_info_data *
733 pa_etype_info(krb5_context context,
734 const krb5_principal client,
736 struct pa_info_data *paid,
737 heim_octet_string *data)
744 memset(&e, 0, sizeof(e));
745 ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz);
750 for (j = 0; j < asreq->req_body.etype.len; j++) {
751 for (i = 0; i < e.len; i++) {
752 if (asreq->req_body.etype.val[j] == e.val[i].etype) {
754 salt.salttype = KRB5_PW_SALT;
755 if (e.val[i].salt == NULL)
756 ret = krb5_get_pw_salt(context, client, &salt);
758 salt.saltvalue = *e.val[i].salt;
761 if (e.val[i].salttype)
762 salt.salttype = *e.val[i].salttype;
764 ret = set_paid(paid, context, e.val[i].etype,
767 salt.saltvalue.length,
769 if (e.val[i].salt == NULL)
770 krb5_free_salt(context, salt);
784 static struct pa_info_data *
785 pa_pw_or_afs3_salt(krb5_context context,
786 const krb5_principal client,
788 struct pa_info_data *paid,
789 heim_octet_string *data)
792 if (paid->etype == ENCTYPE_NULL)
794 ret = set_paid(paid, context,
807 krb5_preauthtype type;
808 struct pa_info_data *(*salt_info)(krb5_context,
809 const krb5_principal,
811 struct pa_info_data *,
812 heim_octet_string *);
815 static struct pa_info pa_prefs[] = {
816 { KRB5_PADATA_ETYPE_INFO2, pa_etype_info2 },
817 { KRB5_PADATA_ETYPE_INFO, pa_etype_info },
818 { KRB5_PADATA_PW_SALT, pa_pw_or_afs3_salt },
819 { KRB5_PADATA_AFS3_SALT, pa_pw_or_afs3_salt }
823 find_pa_data(const METHOD_DATA *md, int type)
826 for (i = 0; i < md->len; i++)
827 if (md->val[i].padata_type == type)
832 static struct pa_info_data *
833 process_pa_info(krb5_context context,
834 const krb5_principal client,
836 struct pa_info_data *paid,
839 struct pa_info_data *p = NULL;
842 for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) {
843 PA_DATA *pa = find_pa_data(md, pa_prefs[i].type);
846 paid->salt.salttype = pa_prefs[i].type;
847 p = (*pa_prefs[i].salt_info)(context, client, asreq,
848 paid, &pa->padata_value);
853 static krb5_error_code
854 make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
855 krb5_enctype etype, krb5_keyblock *key)
861 EncryptedData encdata;
867 krb5_us_timeofday (context, &p.patimestamp, &usec);
871 ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
875 krb5_abortx(context, "internal error in ASN.1 encoder");
877 ret = krb5_crypto_init(context, key, 0, &crypto);
882 ret = krb5_encrypt_EncryptedData(context,
884 KRB5_KU_PA_ENC_TIMESTAMP,
890 krb5_crypto_destroy(context, crypto);
894 ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
895 free_EncryptedData(&encdata);
899 krb5_abortx(context, "internal error in ASN.1 encoder");
901 ret = krb5_padata_add(context, md, KRB5_PADATA_ENC_TIMESTAMP, buf, len);
907 static krb5_error_code
908 add_enc_ts_padata(krb5_context context,
910 krb5_principal client,
911 krb5_s2k_proc key_proc,
912 krb5_const_pointer keyseed,
913 krb5_enctype *enctypes,
916 krb5_data *s2kparams)
924 /* default to standard salt */
925 ret = krb5_get_pw_salt (context, client, &salt2);
929 enctypes = context->etypes;
931 for (ep = enctypes; *ep != ETYPE_NULL; ep++)
935 for (i = 0; i < netypes; ++i) {
938 ret = (*key_proc)(context, enctypes[i], keyseed,
939 *salt, s2kparams, &key);
942 ret = make_pa_enc_timestamp (context, md, enctypes[i], key);
943 krb5_free_keyblock (context, key);
948 krb5_free_salt(context, salt2);
952 static krb5_error_code
953 pa_data_to_md_ts_enc(krb5_context context,
955 const krb5_principal client,
956 krb5_get_init_creds_ctx *ctx,
957 struct pa_info_data *ppaid,
960 if (ctx->key_proc == NULL || ctx->password == NULL)
964 add_enc_ts_padata(context, md, client,
965 ctx->key_proc, ctx->password,
967 &ppaid->salt, ppaid->s2kparams);
971 /* make a v5 salted pa-data */
972 add_enc_ts_padata(context, md, client,
973 ctx->key_proc, ctx->password,
974 a->req_body.etype.val, a->req_body.etype.len,
977 /* make a v4 salted pa-data */
978 salt.salttype = KRB5_PW_SALT;
979 krb5_data_zero(&salt.saltvalue);
980 add_enc_ts_padata(context, md, client,
981 ctx->key_proc, ctx->password,
982 a->req_body.etype.val, a->req_body.etype.len,
988 static krb5_error_code
989 pa_data_to_key_plain(krb5_context context,
990 const krb5_principal client,
991 krb5_get_init_creds_ctx *ctx,
993 krb5_data *s2kparams,
999 ret = (*ctx->key_proc)(context, etype, ctx->password,
1000 salt, s2kparams, key);
1005 static krb5_error_code
1006 pa_data_to_md_pkinit(krb5_context context,
1008 const krb5_principal client,
1009 krb5_get_init_creds_ctx *ctx,
1012 if (ctx->pk_init_ctx == NULL)
1015 return _krb5_pk_mk_padata(context,
1021 krb5_set_error_string(context, "no support for PKINIT compiled in");
1026 static krb5_error_code
1027 pa_data_add_pac_request(krb5_context context,
1028 krb5_get_init_creds_ctx *ctx,
1032 krb5_error_code ret;
1036 switch (ctx->req_pac) {
1037 case KRB5_PA_PAC_DONT_CARE:
1038 return 0; /* don't bother */
1039 case KRB5_PA_PAC_REQ_TRUE:
1040 req.include_pac = 1;
1042 case KRB5_PA_PAC_REQ_FALSE:
1043 req.include_pac = 0;
1046 ASN1_MALLOC_ENCODE(PA_PAC_REQUEST, buf, length,
1051 krb5_abortx(context, "internal error in ASN.1 encoder");
1053 ret = krb5_padata_add(context, md, KRB5_PADATA_PA_PAC_REQUEST, buf, len);
1060 static krb5_error_code
1061 process_pa_data_to_md(krb5_context context,
1062 const krb5_creds *creds,
1064 krb5_get_init_creds_ctx *ctx,
1066 METHOD_DATA **out_md,
1067 krb5_prompter_fct prompter,
1068 void *prompter_data)
1070 krb5_error_code ret;
1073 if (*out_md == NULL) {
1074 krb5_set_error_string(context, "malloc: out of memory");
1078 (*out_md)->val = NULL;
1080 if (in_md->len != 0) {
1081 struct pa_info_data paid, *ppaid;
1083 memset(&paid, 0, sizeof(paid));
1085 paid.etype = ENCTYPE_NULL;
1086 ppaid = process_pa_info(context, creds->client, a, &paid, in_md);
1088 pa_data_to_md_ts_enc(context, a, creds->client, ctx, ppaid, *out_md);
1090 free_paid(context, ppaid);
1093 pa_data_add_pac_request(context, ctx, *out_md);
1094 ret = pa_data_to_md_pkinit(context, a, creds->client, ctx, *out_md);
1096 return ret; /* XXX memory leak */
1098 if ((*out_md)->len == 0) {
1106 static krb5_error_code
1107 process_pa_data_to_key(krb5_context context,
1108 krb5_get_init_creds_ctx *ctx,
1112 krb5_keyblock **key)
1114 struct pa_info_data paid, *ppaid = NULL;
1115 krb5_error_code ret;
1120 memset(&paid, 0, sizeof(paid));
1122 etype = rep->kdc_rep.enc_part.etype;
1124 if (rep->kdc_rep.padata) {
1126 ppaid = process_pa_info(context, creds->client, a, &paid,
1127 rep->kdc_rep.padata);
1129 if (ppaid == NULL) {
1130 ret = krb5_get_pw_salt (context, creds->client, &paid.salt);
1134 paid.s2kparams = NULL;
1138 if (rep->kdc_rep.padata)
1139 pa = krb5_find_padata(rep->kdc_rep.padata->val,
1140 rep->kdc_rep.padata->len,
1141 KRB5_PADATA_PK_AS_REP,
1143 if (pa && ctx->pk_init_ctx) {
1145 ret = _krb5_pk_rd_pa_reply(context,
1152 krb5_set_error_string(context, "no support for PKINIT compiled in");
1155 } else if (ctx->password)
1156 ret = pa_data_to_key_plain(context, creds->client, ctx,
1157 paid.salt, paid.s2kparams, etype, key);
1159 krb5_set_error_string(context, "No usable pa data type");
1163 free_paid(context, &paid);
1167 static krb5_error_code
1168 init_cred_loop(krb5_context context,
1169 const krb5_get_init_creds_opt *init_cred_opts,
1170 const krb5_prompter_fct prompter,
1171 void *prompter_data,
1172 krb5_get_init_creds_ctx *ctx,
1174 krb5_kdc_rep *ret_as_reply)
1176 krb5_error_code ret;
1182 int send_to_kdc_flags = 0;
1184 memset(&md, 0, sizeof(md));
1185 memset(&rep, 0, sizeof(rep));
1188 memset(ret_as_reply, 0, sizeof(*ret_as_reply));
1190 ret = init_creds_init_as_req(context, ctx->flags, creds,
1191 ctx->addrs, ctx->etypes, &ctx->as_req);
1196 * Increase counter when we want other pre-auth types then
1197 * KRB5_PA_ENC_TIMESTAMP.
1200 /* Set a new nonce. */
1201 krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
1202 ctx->nonce &= 0xffffffff;
1203 ctx->as_req.req_body.nonce = ctx->nonce;
1205 krb5_generate_random_block (&ctx->pk_nonce, sizeof(ctx->pk_nonce));
1206 ctx->pk_nonce &= 0xffffffff;
1208 ctx->pk_nonce = ctx->nonce;
1211 #define MAX_PA_COUNTER 3
1213 ctx->pa_counter = 0;
1214 while (ctx->pa_counter < MAX_PA_COUNTER) {
1219 if (ctx->as_req.padata) {
1220 free_METHOD_DATA(ctx->as_req.padata);
1221 ctx->as_req.padata = NULL;
1224 /* Set a new nonce. */
1225 ctx->as_req.req_body.nonce = ctx->nonce;
1227 /* fill_in_md_data */
1228 ret = process_pa_data_to_md(context, creds, &ctx->as_req, ctx,
1229 &md, &ctx->as_req.padata,
1230 prompter, prompter_data);
1233 ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length,
1234 &ctx->as_req, &len, ret);
1237 if(len != req.length)
1238 krb5_abortx(context, "internal error in ASN.1 encoder");
1240 ret = krb5_sendto_kdc_flags (context, &req,
1241 &creds->client->realm, &resp,
1243 krb5_data_free(&req);
1247 memset (&rep, 0, sizeof(rep));
1248 ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
1250 krb5_data_free(&resp);
1251 krb5_clear_error_string(context);
1254 /* let's try to parse it as a KRB-ERROR */
1257 ret = krb5_rd_error(context, &resp, &error);
1258 if(ret && resp.data && ((char*)resp.data)[0] == 4)
1259 ret = KRB5KRB_AP_ERR_V4_REPLY;
1260 krb5_data_free(&resp);
1264 ret = krb5_error_from_rd_error(context, &error, creds);
1267 * If no preauth was set and KDC requires it, give it one
1271 if (ret == KRB5KDC_ERR_PREAUTH_REQUIRED) {
1272 free_METHOD_DATA(&md);
1273 memset(&md, 0, sizeof(md));
1276 ret = decode_METHOD_DATA(error.e_data->data,
1277 error.e_data->length,
1281 krb5_set_error_string(context,
1282 "failed to decode METHOD DATA");
1284 /* XXX guess what the server want here add add md */
1286 krb5_free_error_contents(context, &error);
1289 } else if (ret == KRB5KRB_ERR_RESPONSE_TOO_BIG) {
1290 if (send_to_kdc_flags & KRB5_KRBHST_FLAGS_LARGE_MSG) {
1294 krb5_free_error_contents(context, &error);
1297 krb5_free_error_contents(context, &error);
1298 send_to_kdc_flags |= KRB5_KRBHST_FLAGS_LARGE_MSG;
1303 krb5_free_error_contents(context, &error);
1310 krb5_keyblock *key = NULL;
1312 ret = process_pa_data_to_key(context, ctx, creds,
1313 &ctx->as_req, &rep, &key);
1317 ret = _krb5_extract_ticket(context,
1322 KRB5_KU_AS_REP_ENC_PART,
1326 ctx->flags.b.request_anonymous,
1329 krb5_free_keyblock(context, key);
1332 free_METHOD_DATA(&md);
1333 memset(&md, 0, sizeof(md));
1335 if (ret == 0 && ret_as_reply)
1336 *ret_as_reply = rep;
1338 krb5_free_kdc_rep (context, &rep);
1342 krb5_error_code KRB5_LIB_FUNCTION
1343 krb5_get_init_creds(krb5_context context,
1345 krb5_principal client,
1346 krb5_prompter_fct prompter,
1348 krb5_deltat start_time,
1349 const char *in_tkt_service,
1350 krb5_get_init_creds_opt *options)
1352 krb5_get_init_creds_ctx ctx;
1353 krb5_kdc_rep kdc_reply;
1354 krb5_error_code ret;
1358 memset(&kdc_reply, 0, sizeof(kdc_reply));
1360 ret = get_init_creds_common(context, creds, client, start_time,
1361 in_tkt_service, options, &ctx);
1367 memset(&kdc_reply, 0, sizeof(kdc_reply));
1369 ret = init_cred_loop(context,
1381 case KRB5KDC_ERR_KEY_EXPIRED :
1382 /* try to avoid recursion */
1384 /* don't try to change password where then where none */
1385 if (prompter == NULL || ctx.password == NULL)
1388 krb5_clear_error_string (context);
1390 if (ctx.in_tkt_service != NULL
1391 && strcmp (ctx.in_tkt_service, "kadmin/changepw") == 0)
1394 ret = change_password (context,
1412 print_expire (context,
1413 krb5_principal_get_realm (context, ctx.cred.client),
1419 memset (buf, 0, sizeof(buf));
1420 free_init_creds_ctx(context, &ctx);
1421 krb5_free_kdc_rep (context, &kdc_reply);
1425 krb5_free_cred_contents (context, &ctx.cred);
1430 krb5_error_code KRB5_LIB_FUNCTION
1431 krb5_get_init_creds_password(krb5_context context,
1433 krb5_principal client,
1434 const char *password,
1435 krb5_prompter_fct prompter,
1437 krb5_deltat start_time,
1438 const char *in_tkt_service,
1439 krb5_get_init_creds_opt *in_options)
1441 krb5_get_init_creds_opt *options;
1443 krb5_error_code ret;
1445 if (in_options == NULL)
1446 ret = krb5_get_init_creds_opt_alloc(context, &options);
1448 ret = _krb5_get_init_creds_opt_copy(context, in_options, &options);
1452 if (password == NULL &&
1453 options->private->password == NULL &&
1454 options->private->pk_init_ctx == NULL)
1457 krb5_data password_data;
1460 krb5_unparse_name (context, client, &p);
1461 asprintf (&q, "%s's Password: ", p);
1464 password_data.data = buf;
1465 password_data.length = sizeof(buf);
1467 prompt.reply = &password_data;
1468 prompt.type = KRB5_PROMPT_TYPE_PASSWORD;
1470 ret = (*prompter) (context, data, NULL, NULL, 1, &prompt);
1473 memset (buf, 0, sizeof(buf));
1474 krb5_get_init_creds_opt_free(options);
1475 ret = KRB5_LIBOS_PWDINTR;
1476 krb5_clear_error_string (context);
1479 password = password_data.data;
1482 if (options->private->password == NULL) {
1483 ret = krb5_get_init_creds_opt_set_pa_password(context, options,
1486 krb5_get_init_creds_opt_free(options);
1487 memset(buf, 0, sizeof(buf));
1492 ret = krb5_get_init_creds(context, creds, client, prompter,
1493 data, start_time, in_tkt_service, options);
1494 krb5_get_init_creds_opt_free(options);
1495 memset(buf, 0, sizeof(buf));
1499 static krb5_error_code
1500 init_creds_keyblock_key_proc (krb5_context context,
1503 krb5_const_pointer keyseed,
1504 krb5_keyblock **key)
1506 return krb5_copy_keyblock (context, keyseed, key);
1509 krb5_error_code KRB5_LIB_FUNCTION
1510 krb5_get_init_creds_keyblock(krb5_context context,
1512 krb5_principal client,
1513 krb5_keyblock *keyblock,
1514 krb5_deltat start_time,
1515 const char *in_tkt_service,
1516 krb5_get_init_creds_opt *options)
1518 struct krb5_get_init_creds_ctx ctx;
1519 krb5_error_code ret;
1521 ret = get_init_creds_common(context, creds, client, start_time,
1522 in_tkt_service, options, &ctx);
1526 ret = krb5_get_in_cred (context,
1532 init_creds_keyblock_key_proc,
1539 if (ret == 0 && creds)
1542 krb5_free_cred_contents (context, &ctx.cred);
1545 free_init_creds_ctx(context, &ctx);