summaryrefslogtreecommitdiffstats
path: root/src/kim/lib/kim_credential.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/kim/lib/kim_credential.c')
-rw-r--r--src/kim/lib/kim_credential.c160
1 files changed, 52 insertions, 108 deletions
diff --git a/src/kim/lib/kim_credential.c b/src/kim/lib/kim_credential.c
index 8a8b6cd0b..c1d48e1b7 100644
--- a/src/kim/lib/kim_credential.c
+++ b/src/kim/lib/kim_credential.c
@@ -209,9 +209,6 @@ kim_error kim_credential_create_new (kim_credential *out_credential,
kim_credential credential = NULL;
kim_options options = NULL;
kim_ui_context context;
- kim_string service = NULL;
- krb5_principal principal = NULL;
- krb5_get_init_creds_opt *init_cred_options = NULL;
kim_boolean ui_inited = 0;
kim_boolean done = 0;
@@ -234,22 +231,6 @@ kim_error kim_credential_create_new (kim_credential *out_credential,
}
if (!err) {
- err = kim_options_get_init_cred_options (options,
- credential->context,
- &init_cred_options);
- }
-
- if (!err) {
- kim_options_get_service_name (options, &service);
- }
-
- if (!err) {
- err = kim_identity_get_krb5_principal (in_identity,
- credential->context,
- &principal);
- }
-
- if (!err) {
err = kim_ui_init (&context);
if (!err) {
context.identity = in_identity; /* used by kim_ui_prompter */
@@ -261,6 +242,10 @@ kim_error kim_credential_create_new (kim_credential *out_credential,
krb5_creds creds;
kim_boolean free_creds = 0;
kim_count prompt_count;
+ krb5_principal principal = kim_identity_krb5_principal (in_identity);
+ krb5_get_init_creds_opt *opts = kim_options_init_cred_options (options);
+ char *service = kim_options_service_name (options);
+ kim_time start_time = kim_options_start_time (options);
/* set counter to zero so we can tell if we got prompted */
context.prompt_count = 0;
@@ -271,9 +256,10 @@ kim_error kim_credential_create_new (kim_credential *out_credential,
principal,
NULL,
kim_ui_prompter,
- &context, 0,
- (char *) service,
- init_cred_options));
+ &context,
+ start_time,
+ service,
+ opts));
prompt_count = context.prompt_count; /* remember if we got prompts */
if (!err) { free_creds = 1; }
@@ -316,20 +302,12 @@ kim_error kim_credential_create_new (kim_credential *out_credential,
if (!err) { err = check_error (fini_err); }
}
- /* free before credential is passed back to caller */
- if (credential && init_cred_options) {
- kim_options_free_init_cred_options (credential->context, &init_cred_options);
- }
-
- if (credential && principal) { krb5_free_principal (credential->context, principal); }
-
if (!err) {
*out_credential = credential;
credential = NULL;
}
- if (!in_options) { kim_options_free (&options); }
- kim_string_free (&service);
+ if (options != in_options) { kim_options_free (&options); }
kim_credential_free (&credential);
return check_error (err);
@@ -350,9 +328,7 @@ kim_error kim_credential_create_from_keytab (kim_credential *out_credential,
krb5_creds creds;
kim_boolean free_creds = FALSE;
krb5_principal principal = NULL;
- kim_time start_time = 0;
- kim_string service_name = NULL;
- krb5_get_init_creds_opt *init_cred_options = NULL;
+ kim_options options = in_options;
if (!err && !out_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); }
@@ -364,28 +340,8 @@ kim_error kim_credential_create_from_keytab (kim_credential *out_credential,
err = krb5_error (NULL, krb5_init_context (&credential->context));
}
- if (!err) {
- kim_options options = in_options;
-
- if (!options) {
- err = kim_options_create (&options);
- }
-
- if (!err) {
- err = kim_options_get_start_time (options, &start_time);
- }
-
- if (!err) {
- err = kim_options_get_service_name (options, &service_name);
- }
-
- if (!err) {
- err = kim_options_get_init_cred_options (options,
- credential->context,
- &init_cred_options);
- }
-
- if (options != in_options) { kim_options_free (&options); }
+ if (!err && !options) {
+ err = kim_options_create (&options);
}
if (!err) {
@@ -436,14 +392,18 @@ kim_error kim_credential_create_from_keytab (kim_credential *out_credential,
}
if (!err) {
+ krb5_get_init_creds_opt *opts = kim_options_init_cred_options (options);
+ char *service = kim_options_service_name (options);
+ kim_time start_time = kim_options_start_time (options);
+
err = krb5_error (credential->context,
krb5_get_init_creds_keytab (credential->context,
&creds,
principal,
keytab,
start_time,
- (char *) service_name,
- init_cred_options));
+ service,
+ opts));
if (!err) { free_creds = TRUE; }
}
@@ -454,15 +414,15 @@ kim_error kim_credential_create_from_keytab (kim_credential *out_credential,
&credential->creds));
}
+ if (principal ) { krb5_free_principal (credential->context, principal); }
+
if (!err) {
*out_credential = credential;
credential = NULL;
}
- if (principal ) { krb5_free_principal (credential->context, principal); }
+ if (options != in_options) { kim_options_free (&options); }
if (free_creds) { krb5_free_cred_contents (credential->context, &creds); }
- kim_options_free_init_cred_options (credential->context, &init_cred_options);
- kim_string_free (&service_name);
kim_credential_free (&credential);
return check_error (err);
@@ -519,7 +479,6 @@ kim_error kim_credential_create_for_change_password (kim_credential *out_creden
kim_credential credential = NULL;
kim_string realm = NULL;
kim_string service = NULL;
- krb5_principal principal = NULL;
kim_string service_format = "kadmin/changepw@%s";
if (!err && !out_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
@@ -536,12 +495,6 @@ kim_error kim_credential_create_for_change_password (kim_credential *out_creden
}
if (!err) {
- err = kim_identity_get_krb5_principal (in_identity,
- credential->context,
- &principal);
- }
-
- if (!err) {
err = kim_identity_get_realm (in_identity, &realm);
}
@@ -552,6 +505,7 @@ kim_error kim_credential_create_for_change_password (kim_credential *out_creden
if (!err) {
krb5_creds creds;
kim_boolean free_creds = 0;
+ krb5_principal principal = kim_identity_krb5_principal (in_identity);
krb5_get_init_creds_opt opts;
krb5_get_init_creds_opt_init (&opts);
@@ -585,8 +539,6 @@ kim_error kim_credential_create_for_change_password (kim_credential *out_creden
if (free_creds) { krb5_free_cred_contents (credential->context, &creds); }
}
- if (principal) { krb5_free_principal (credential->context, principal); }
-
if (!err) {
*out_user_was_prompted = (in_ui_context->prompt_count > 0);
*out_credential = credential;
@@ -952,50 +904,41 @@ kim_error kim_credential_get_options (kim_credential in_credential,
/* ------------------------------------------------------------------------ */
kim_error kim_credential_store (kim_credential in_credential,
- kim_identity in_client_identity,
+ kim_identity in_identity,
kim_ccache *out_ccache)
{
kim_error err = KIM_NO_ERROR;
- krb5_context context = NULL;
krb5_ccache k5ccache = NULL;
- kim_string type = NULL;
- krb5_principal client_principal = NULL;
kim_boolean destroy_ccache_on_error = FALSE;
- if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
- if (!err && !in_client_identity) { err = check_error (KIM_NULL_PARAMETER_ERR); }
-
- if (!err) {
- err = krb5_error (NULL, krb5_init_context (&context));
- }
-
- if (!err) {
- err = kim_identity_get_krb5_principal (in_client_identity, context,
- &client_principal);
- }
+ if (!err && !in_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); }
+ if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err) {
char *environment_ccache = getenv ("KRB5CCNAME");
if (environment_ccache) {
- err = krb5_error (context,
- krb5_cc_resolve (context, environment_ccache,
+ err = krb5_error (in_credential->context,
+ krb5_cc_resolve (in_credential->context,
+ environment_ccache,
&k5ccache));
} else {
kim_ccache ccache = NULL;
err = kim_ccache_create_from_client_identity (&ccache,
- in_client_identity);
+ in_identity);
if (!err) {
- err = kim_ccache_get_krb5_ccache (ccache, context, &k5ccache);
+ err = kim_ccache_get_krb5_ccache (ccache,
+ in_credential->context,
+ &k5ccache);
} else if (err == KIM_NO_SUCH_PRINCIPAL_ERR) {
/* Nothing to replace, create a new ccache */
- err = krb5_error (context,
- krb5_cc_new_unique (context, "API", NULL,
- &k5ccache));
+ err = krb5_error (in_credential->context,
+ krb5_cc_new_unique (in_credential->context,
+ "API", NULL, &k5ccache));
if (!err) { destroy_ccache_on_error = TRUE; }
}
@@ -1004,9 +947,11 @@ kim_error kim_credential_store (kim_credential in_credential,
}
if (!err) {
+ krb5_principal principal = kim_identity_krb5_principal (in_identity);
+
err = krb5_error (in_credential->context,
krb5_cc_initialize (in_credential->context,
- k5ccache, client_principal));
+ k5ccache, principal));
}
if (!err) {
@@ -1016,7 +961,9 @@ kim_error kim_credential_store (kim_credential in_credential,
}
if (!err && out_ccache) {
- err = kim_ccache_create_from_krb5_ccache (out_ccache, context, k5ccache);
+ err = kim_ccache_create_from_krb5_ccache (out_ccache,
+ in_credential->context,
+ k5ccache);
}
if (k5ccache) {
@@ -1026,9 +973,6 @@ kim_error kim_credential_store (kim_credential in_credential,
krb5_cc_close (in_credential->context, k5ccache);
}
}
- if (client_principal) { krb5_free_principal (context, client_principal); }
- if (context ) { krb5_free_context (context); }
- kim_string_free (&type);
return check_error (err);
}
@@ -1044,7 +988,6 @@ kim_error kim_credential_verify (kim_credential in_credential,
{
kim_error err = KIM_NO_ERROR;
krb5_context scontext = NULL;
- krb5_principal service_principal = NULL;
krb5_keytab keytab = NULL;
if (!err && !in_credential) { err = check_error (KIM_NULL_PARAMETER_ERR); }
@@ -1053,30 +996,32 @@ kim_error kim_credential_verify (kim_credential in_credential,
err = krb5_error (NULL, krb5_init_secure_context (&scontext));
}
- if (!err && in_service_identity) {
- err = kim_identity_get_krb5_principal (in_service_identity, scontext, &service_principal);
- }
-
if (in_keytab) {
err = krb5_error (scontext,
krb5_kt_resolve (scontext, in_keytab, &keytab));
}
if (!err) {
+ krb5_principal sprincipal = NULL;
krb5_verify_init_creds_opt options;
/* That's "no key == fail" not "no fail" >.< */
krb5_verify_init_creds_opt_init (&options);
krb5_verify_init_creds_opt_set_ap_req_nofail (&options, in_fail_if_no_service_key);
+ if (in_service_identity) {
+ sprincipal = kim_identity_krb5_principal (in_service_identity);
+ }
+
err = krb5_error (scontext,
- krb5_verify_init_creds (scontext, in_credential->creds,
- service_principal,
+ krb5_verify_init_creds (scontext,
+ in_credential->creds,
+ sprincipal,
keytab,
NULL /* don't store creds in ccache */,
&options));
- if (err && !service_principal && in_fail_if_no_service_key) {
+ if (err && !in_service_identity && in_fail_if_no_service_key) {
/* If the service principal wasn't specified but we are supposed to
* fail without a key we should walk the keytab trying to find one
* that succeeds. */
@@ -1124,9 +1069,8 @@ kim_error kim_credential_verify (kim_credential in_credential,
}
}
- if (keytab ) { krb5_kt_close (scontext, keytab); }
- if (service_principal) { krb5_free_principal (scontext, service_principal); }
- if (scontext ) { krb5_free_context (scontext); }
+ if (keytab ) { krb5_kt_close (scontext, keytab); }
+ if (scontext) { krb5_free_context (scontext); }
return check_error (err);
}