authorSam Hartman <hartmans@mit.edu>2003-05-20 21:22:48 +0000
committerSam Hartman <hartmans@mit.edu>2003-05-20 21:22:48 +0000
commit5a9df1e4fd399cfd1b933a084246a02db3caa8a6 (patch)
tree4fdc708a803fb154ef7ae3d79116ab00cff3552d /src
parentc58091d98f1d25aab05a33795ca7bfe2ce5a9aa9 (diff)
Implement krb5_get_in_tkt_with_password and
krb5_get_in_tkt_with_keytab in terms of krb5_get_init_creds. It turns out that these do in fact need to use get_init_creds not get_init_creds_{password,keytab} because those functions do not allow the AS request to be returned. Ticket: 1480 Status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15461 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/include/ChangeLog4
-rw-r--r--src/include/k5-int.h7
-rw-r--r--src/lib/krb5/krb/.Sanitize2
-rw-r--r--src/lib/krb5/krb/ChangeLog14
-rw-r--r--src/lib/krb5/krb/Makefile.in6
-rw-r--r--src/lib/krb5/krb/gic_keytab.c44
-rw-r--r--src/lib/krb5/krb/gic_pwd.c98
-rw-r--r--src/lib/krb5/krb/in_tkt_ktb.c125
-rw-r--r--src/lib/krb5/krb/in_tkt_pwd.c123
9 files changed, 165 insertions, 258 deletions
diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index 05817aea1..af9217efd 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,7 @@
+2003-05-19 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: Prototype krb5int_populate_gic_opt
+
2003-05-18 Tom Yu <tlyu@mit.edu>
* k5-int.h: Sequence numbers are now unsigned.
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 08c7a7a4f..f9a15ef3a 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001 by the Massachusetts Institute of Technology,
+ * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003 by the Massachusetts Institute of Technology,
* Cambridge, MA, USA. All Rights Reserved.
*
* This software is being provided to you, the LICENSEE, by the
@@ -935,6 +935,11 @@ krb5_get_init_creds
int master,
krb5_kdc_rep **as_reply);
+krb5_error_code krb5int_populate_gic_opt (
+ krb5_context, krb5_get_init_creds_opt *,
+ krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types);
+
krb5_error_code krb5_do_preauth
(krb5_context, krb5_kdc_req *,
diff --git a/src/lib/krb5/krb/.Sanitize b/src/lib/krb5/krb/.Sanitize
index 7457c8407..79bbf8259 100644
--- a/src/lib/krb5/krb/.Sanitize
+++ b/src/lib/krb5/krb/.Sanitize
@@ -60,8 +60,6 @@ gen_seqnum.c
gen_subkey.c
get_creds.c
get_in_tkt.c
-in_tkt_ktb.c
-in_tkt_pwd.c
in_tkt_sky.c
init_ctx.c
int-proto.h
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 8f34cf0bb..a0942a46c 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,17 @@
+2003-05-20 Sam Hartman <hartmans@mit.edu>
+
+ * Makefile.in (SRCS): Remove in_ktb.c
+
+ * gic_keytab.c (krb5_get_in_tkt_with_keytab): Move from
+ in_tkt_keytab.c and rewrite to use krb5_get_init_creds
+
+ * gic_pwd.c (krb5_get_in_tkt_with_password): Moved here from
+ in_tkt_pwd.c so it can share code with
+ krb5_get_init_creds_password. Rewritten to call
+ krb5_get_in_tkt_password
+
+ * Makefile.in (SRCS): Delete in_tkt_pwd.c
+
2003-05-18 Tom Yu <tlyu@mit.edu>
* auth_con.h: Sequence numbers are now unsigned.
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 18627b12a..b3f81a30e 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -51,8 +51,6 @@ STLIBOBJS= \
gic_keytab.o \
gic_opt.o \
gic_pwd.o \
- in_tkt_ktb.o \
- in_tkt_pwd.o \
in_tkt_sky.o \
init_ctx.o \
init_keyblock.o \
@@ -137,8 +135,6 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)gic_keytab.$(OBJEXT) \
$(OUTPRE)gic_opt.$(OBJEXT) \
$(OUTPRE)gic_pwd.$(OBJEXT) \
- $(OUTPRE)in_tkt_ktb.$(OBJEXT) \
- $(OUTPRE)in_tkt_pwd.$(OBJEXT) \
$(OUTPRE)in_tkt_sky.$(OBJEXT) \
$(OUTPRE)init_ctx.$(OBJEXT) \
$(OUTPRE)init_keyblock.$(OBJEXT) \
@@ -224,8 +220,6 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/gic_keytab.c \
$(srcdir)/gic_opt.c \
$(srcdir)/gic_pwd.c \
- $(srcdir)/in_tkt_ktb.c \
- $(srcdir)/in_tkt_pwd.c \
$(srcdir)/in_tkt_sky.c \
$(srcdir)/init_ctx.c \
$(srcdir)/init_keyblock.c \
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index e7fb1aec6..dc8d47395 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -116,3 +116,47 @@ cleanup:
return(ret);
}
+krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ krb5_keytab arg_keytab, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+{
+ krb5_error_code retval;
+ krb5_get_init_creds_opt opt;
+ char * server = NULL;
+ krb5_keytab keytab;
+ krb5int_populate_gic_opt(context, &opt,
+ options, addrs, ktypes,
+ pre_auth_types);
+ if (arg_keytab == NULL) {
+ retval = krb5_kt_default(context, &keytab);
+ if (retval)
+ return retval;
+ }
+ else keytab = arg_keytab;
+
+ retval = krb5_unparse_name( context, creds->server, &server);
+ if (retval)
+ goto cleanup;
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, &opt,
+ krb5_get_as_key_keytab, &keytab,
+ 0, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ if (retval) {
+ goto cleanup;
+ }
+
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
+ cleanup: if (arg_keytab == NULL)
+ krb5_kt_close(context, keytab);
+ return retval;
+}
+
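Review bot: The new krb5_get_in_tkt_with_keytab has no header comment, and its contract is narrower than the function it replaces: `opt` is filled only from options/addrs/ktypes/pre_auth_types, the argument after the NULL prompter data (which appears to be start_time) is the literal 0, and nothing from creds->times is passed through, so creds->times.starttime/endtime/renew_till and any KDC option other than FORWARDABLE/PROXIABLE look like they are dropped here — presumably krb5_get_init_creds takes lifetimes from `opt`, so please confirm and document it. The removed keytab_keyproc also rejected unsupported enctypes with krb5_c_valid_enctype before touching the keytab; whether krb5_get_as_key_keytab does the same is not visible in this diff. I would add above the definition: `/* Compatibility wrapper: obtain an initial ticket for creds->client via krb5_get_init_creds using arg_keytab (default keytab if NULL); only KDC_OPT_FORWARDABLE/PROXIABLE are honoured from options and creds->times is not consulted. */`. The return value of krb5int_populate_gic_opt is also ignored on the first line of the body; if it is meant to report errors it should be checked, otherwise it should be void.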
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 54cf5f461..97db38e19 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -43,7 +43,7 @@ krb5_get_as_key_password(
return(EIO);
if ((ret = krb5_unparse_name(context, client, &clientstr)))
- return(ret);
+ return(ret);
strcpy(promptstr, "Password for ");
strncat(promptstr, clientstr, sizeof(promptstr)-strlen(promptstr)-1);
@@ -368,3 +368,99 @@ cleanup:
return(ret);
}
+krb5_error_code krb5int_populate_gic_opt (
+ krb5_context context, krb5_get_init_creds_opt *opt,
+ krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types)
+{
+ int i;
+ krb5_get_init_creds_opt_init(opt);
+ if (addrs)
+ krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
+ if (ktypes) {
+ for (i=0; ktypes[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
+ }
+ if (pre_auth_types) {
+ for (i=0; pre_auth_types[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
+ }
+ if (options&KDC_OPT_FORWARDABLE)
+ krb5_get_init_creds_opt_set_forwardable(opt, 1);
+ else krb5_get_init_creds_opt_set_forwardable(opt, 0);
+ if (options&KDC_OPT_PROXIABLE)
+ krb5_get_init_creds_opt_set_proxiable(opt, 1);
+ else krb5_get_init_creds_opt_set_proxiable(opt, 0);
+
+
+}
+
+/*
+ Rewrites get_in_tkt in terms of newer get_init_creds API.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
+
+ If password is non-NULL, it is converted using the cryptosystem entry
+ point for a string conversion routine, seeded with the client's name.
+ If password is passed as NULL, the password is read from the terminal,
+ and then converted into a key.
+
+ A succesful call will place the ticket in the credentials cache ccache.
+
+ returns system errors, encryption errors
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const char *password, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+{
+ krb5_error_code retval;
+ krb5_data pw0;
+ char pw0array[1024];
+ krb5_get_init_creds_opt opt;
+ char * server;
+
+ pw0array[0] = '\0';
+ pw0.data = pw0array;
+ if (password) {
+ if (strlen(password) >= sizeof(pw0array))
+ return EINVAL;
+ strncpy(pw0.data, password, sizeof(pw0array));
+ pw0array[strlen(password)] = '\0';
+ }
+ pw0.length = sizeof(pw0array);
+
+ krb5int_populate_gic_opt(context, &opt,
+ options, addrs, ktypes,
+ pre_auth_types);
+ retval = krb5_unparse_name( context, creds->server, &server);
+ if (retval)
+ return (retval);
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, &opt,
+ krb5_get_as_key_password, &pw0,
+ 0, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ if (retval) {
+ return (retval);
+ }
+
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ return (retval);
+ return retval;
+ }
+
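Review bot: In krb5_get_in_tkt_with_password the caller's password is copied into the stack buffer `pw0array` and, when `password` is NULL, the buffer is presumably filled by the prompt path inside krb5_get_as_key_password, yet none of the three return paths after the copy clears it — the deleted in_tkt_pwd.c at least zeroed the prompted password before freeing it. I would route all exits through one cleanup label that scrubs the buffer, as below; note a plain memset before return can be optimised away, so use the tree's zap helper if one exists. Separately, krb5int_populate_gic_opt is declared to return krb5_error_code but falls off the end without a return statement, which is undefined behaviour as soon as a caller reads the value; add `return 0;` before the closing brace (or make it void and update the k5-int.h prototype). The header comment copied from in_tkt_pwd.c still promises that creds->times.starttime/endtime/renew_till and the RENEWABLE option are honoured, but populate_gic_opt maps only FORWARDABLE and PROXIABLE and start_time is passed as 0, so either the comment or the code needs adjusting.

```c
    retval = krb5_unparse_name(context, creds->server, &server);
    if (retval)
        goto cleanup;
    retval = krb5_get_init_creds(context, creds, creds->client,
                                 krb5_prompter_posix, NULL, 0, server, &opt,
                                 krb5_get_as_key_password, &pw0,
                                 0, ret_as_reply);
    krb5_free_unparsed_name(context, server);
    if (retval)
        goto cleanup;

    /* store it in the ccache! */
    if (ccache)
        retval = krb5_cc_store_cred(context, ccache, creds);
cleanup:
    /* Scrub the stack copy of the (possibly prompted) password on every exit. */
    memset(pw0array, 0, sizeof(pw0array));
    return retval;
```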
diff --git a/src/lib/krb5/krb/in_tkt_ktb.c b/src/lib/krb5/krb/in_tkt_ktb.c
deleted file mode 100644
index db4f3b411..000000000
--- a/src/lib/krb5/krb/in_tkt_ktb.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * lib/krb5/krb/in_tkt_ktb.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5_get_in_tkt_with_keytab()
- *
- */
-
-#include "k5-int.h"
-
-struct keytab_keyproc_arg {
- krb5_keytab keytab;
- krb5_principal client;
-};
-
-/*
- * Key-generator for in_tkt_keytab, below.
- * "keyseed" is actually a krb5_keytab, or NULL if we should fetch
- * from system area.
- */
-static krb5_error_code keytab_keyproc
- (krb5_context,
- const krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
-
-static krb5_error_code
-keytab_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
-{
- const struct keytab_keyproc_arg * arg =
- (const struct keytab_keyproc_arg *)keyseed;
- krb5_keyblock *realkey;
- krb5_error_code retval = 0;
- krb5_keytab kt_id;
- krb5_keytab_entry kt_ent;
-
- kt_id = arg->keytab;
-
- if (!krb5_c_valid_enctype(type))
- return KRB5_PROG_ETYPE_NOSUPP;
-
- if (kt_id == NULL)
- /* Fetch from default keytab location */
- if ((retval = krb5_kt_default(context, &kt_id)))
- return retval;
-
-
- if ((retval = krb5_kt_get_entry(context, kt_id, arg->client,
- 0, /* don't have vno available */
- type, &kt_ent)))
- goto cleanup;
-
- if ((retval = krb5_copy_keyblock(context, &kt_ent.key, &realkey))) {
- (void) krb5_kt_free_entry(context, &kt_ent);
- goto cleanup;
- }
-
- (void) krb5_kt_free_entry(context, &kt_ent);
- *key = realkey;
-
-cleanup:
- if (! arg->keytab)
- krb5_kt_close(context, kt_id);
- return retval;
-}
-
-/*
- Similar to krb5_get_in_tkt_with_skey.
-
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
-
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
-
- A succesful call will place the ticket in the credentials cache ccache.
-
- returns system errors, encryption errors
-
- */
-krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- krb5_keytab keytab, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
-{
- struct keytab_keyproc_arg arg;
-
- arg.keytab = keytab;
- arg.client = creds->client;
-
- return(krb5_get_in_tkt(context, options, addrs, ktypes,
- pre_auth_types,
- keytab_keyproc, (krb5_pointer)&arg,
- krb5_kdc_rep_decrypt_proc, 0, creds,
- ccache, ret_as_reply));
-}
diff --git a/src/lib/krb5/krb/in_tkt_pwd.c b/src/lib/krb5/krb/in_tkt_pwd.c
deleted file mode 100644
index 1d9ad2ef4..000000000
--- a/src/lib/krb5/krb/in_tkt_pwd.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * lib/krb5/krb/in_tkt_pwd.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * krb5_get_in_tkt_with_password()
- */
-
-#include "k5-int.h"
-
-extern char *krb5_default_pwd_prompt1;
-
-/*
- * key-producing procedure for use by krb5_get_in_tkt_with_password.
- */
-static krb5_error_code pwd_keyproc
- (krb5_context,
- const krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
-
-static krb5_error_code
-pwd_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
-{
- krb5_error_code retval;
- krb5_data * password;
- unsigned int pwsize;
-
- password = (krb5_data *)keyseed;
-
- if (!password->length) {
- pwsize = BUFSIZ;
- if ((password->data = malloc(pwsize)) == NULL)
- return ENOMEM;
-
- if ((retval = krb5_read_password(context, krb5_default_pwd_prompt1, 0,
- password->data, &pwsize))) {
- return retval;
- }
- password->length = pwsize;
- }
-
- if (!(*key = (krb5_keyblock *)malloc(sizeof(**key))))
- return ENOMEM;
-
- if ((retval = krb5_c_string_to_key(context, type, password, salt, *key)))
- krb5_xfree(*key);
-
- return(retval);
-}
-
-/*
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
-
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
-
- If password is non-NULL, it is converted using the cryptosystem entry
- point for a string conversion routine, seeded with the client's name.
- If password is passed as NULL, the password is read from the terminal,
- and then converted into a key.
-
- A succesful call will place the ticket in the credentials cache ccache.
-
- returns system errors, encryption errors
- */
-krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- const char *password, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
-{
- krb5_error_code retval;
- krb5_data data;
-
-
- if ((data.data = (char *)password)) {
- data.length = strlen(password);
- } else {
- data.length = 0;
- }
-
- retval = krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types,
- pwd_keyproc, (krb5_pointer) &data,
- krb5_kdc_rep_decrypt_proc, 0,
- creds, ccache, ret_as_reply);
-
- if ((password == NULL) && (data.data)) {
- memset(data.data, 0, strlen(data.data));
- free(data.data);
- }
-
- return retval;
-}
-