-rw-r--r-- | src/include/k5-int.h | 2 | ||||
-rw-r--r-- | src/include/krb5/krb5.hin | 31 | ||||
-rw-r--r-- | src/lib/krb5/krb/gic_opt.c | 55 | ||||
-rw-r--r-- | src/lib/krb5/libkrb5.exports | 3 |
4 files changed, 85 insertions, 6 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 70e80c7..0773e64 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1158,6 +1158,8 @@ typedef struct _krb5_gic_opt_private {
 int num_preauth_data;
 krb5_gic_opt_pa_data *preauth_data;
 char * fast_ccache_name;
+ krb5_ccache out_ccache;
+ krb5_flags fast_flags;
 } krb5_gic_opt_private;
 /*
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index d569bcd..24e7173 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2261,15 +2261,34 @@ krb5_get_init_creds_opt_set_pa(krb5_context context,
 krb5_error_code KRB5_CALLCONV
 krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
+/**This API sets a ccache name that will contain some TGT on calls to
+ get_init_creds functions. If set, this ccache will be used for FAST
+ (draft-ietf-krb-wg-preauth-framework) to protect the AS-REQ from
+ observation and active attack. If the fast_ccache_name is set, then FAST
+ may be required by the client library. In this and future versions, FAST
+ will be used if available; krb5_get_init_creds_opt_set_fast_flags() may be
+ used to require that the request fail is FAST is unavailable. In MIT
+ Kerberos 1.7 setting the fast ccache at all required that FAST be present
+ or the request would fail.*/
 krb5_get_init_creds_opt *opt, const char *fast_ccache_name);
-/* This API sets a ccache name that will contain some TGT on
- calls to get_init_creds functions. If set, this ccache will
- be used for FAST (draft-ietf-krb-wg-preauth-framework) to
- protect the AS-REQ from observation and active attack. If
- the fast_ccache_name is set, then FAST may be required by the
- client library. In this version FAST is required.*/
+/**Set a ccache where resulting credentials will be stored. If set, then the
+ * krb5_get_init_creds family of APIs will write out credentials to the given
+ * ccache. Setting an output ccache is desirable both because it simplifies
+ * calling code and because it permits the krb5_get_init_creds APIs to write
+ * out configuration information about the realm to the ccache.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_out_ccache
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache);
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags);
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags);
+
 krb5_error_code KRB5_CALLCONV
 krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_principal client, char *password,
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index bff4539..f1d9479 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -149,6 +149,8 @@ krb5int_gic_opte_private_free(krb5_context context, krb5_gic_opt_ext *opte)
 free_gic_opt_ext_preauth_data(context, opte);
 if (opte->opt_private->fast_ccache_name)
 free(opte->opt_private->fast_ccache_name);
+ if (opte->opt_private->out_ccache)
+ krb5_cc_close(context, opte->opt_private->out_ccache);
 free(opte->opt_private);
 opte->opt_private = NULL;
 return 0;
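Review bot: The new doc comment for krb5_get_init_creds_opt_set_fast_ccache_name is inserted inside the prototype, between `krb5_context context,` and `krb5_get_init_creds_opt *opt`, so Doxygen will not attach it to the declaration and it reads as a stray block to anyone scanning the header; move it above the `krb5_error_code KRB5_CALLCONV` line, where the removed `/* This API sets ... */` block used to sit. The same comment has a typo: `fail is FAST is unavailable` should read `fail if FAST is unavailable`. The krb5_get_init_creds_opt_set_out_ccache comment should also state ownership: judging from the gic_opt.c implementation in this commit the option keeps its own handle resolved from the caller's cache and closes it on free, so the caller retains ownership of the `ccache` argument and may close it independently. krb5_get_init_creds_opt_set_fast_flags and krb5_get_init_creds_opt_get_fast_flags carry no comment at all; at minimum say where the accepted flag values are defined, since this patch defines none.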
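Review bot: The added `if (opte->opt_private->out_ccache)` test in krb5int_gic_opte_private_free is only safe if the new out_ccache field is zero when opt_private is allocated; that allocation is outside this hunk, so please confirm the allocator uses calloc or explicitly sets `out_ccache = NULL` and `fast_flags = 0`, otherwise a freshly allocated option that never had an output cache set would call krb5_cc_close on an indeterminate pointer. The function's signature and the rest of its body lie outside the hunk.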
@@ -486,3 +488,56 @@ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name
 retval = ENOMEM;
 return retval;
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_out_ccache
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)
+{
+ krb5_error_code retval = 0;
+ krb5_gic_opt_ext *opte;
+
+ retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+ "krb5_get_init_creds_opt_set_out_ccache");
+ if (retval)
+ return retval;
+ if (opte->opt_private->out_ccache) {
+ krb5_cc_close(context, opte->opt_private->out_ccache);
+ opte->opt_private->out_ccache = NULL;
+ }
+ retval = krb5_cc_resolve(context, krb5_cc_get_name(context, ccache),
+ &opte->opt_private->out_ccache);
+ return retval;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags)
+{
+ krb5_error_code retval = 0;
+ krb5_gic_opt_ext *opte;
+
+ retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+ "krb5_get_init_creds_opt_set_fast_flags");
+ if (retval)
+ return retval;
+ opte->opt_private->fast_flags = flags;
+ return retval;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags)
+{
+ krb5_error_code retval = 0;
+ krb5_gic_opt_ext *opte;
+ if (out_flags == NULL)
+ return EINVAL;
+ *out_flags = 0;
+ retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+ "krb5_get_init_creds_opt_get_fast_flags");
+ if (retval)
+ return retval;
+ *out_flags = opte->opt_private->fast_flags;
+ return retval;
+}
+
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index f27a86e..9f26150 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
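Review bot: krb5_get_init_creds_opt_set_out_ccache re-resolves the caller's cache from `krb5_cc_get_name(context, ccache)` alone, which discards the cache type; krb5_cc_resolve treats a name without a `TYPE:` prefix as belonging to the default cache type, so a caller that passes a cache of any other type (a MEMORY: cache, for instance) would have its credentials written to a default-type cache with the same name, or fail to resolve, instead of the cache it supplied. Build the full name from `krb5_cc_get_type()` and `krb5_cc_get_name()` before resolving, as sketched below (asprintf is assumed to be available through the tree's platform shims, as elsewhere in libkrb5 — confirm), or use a handle-duplicating helper if this tree has one. The function also dereferences `ccache` without a NULL check, whereas krb5_get_init_creds_opt_get_fast_flags validates `out_flags`; either document that NULL is not accepted or return EINVAL like the getter does.

```c
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_out_ccache
(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)
{
    krb5_error_code retval = 0;
    krb5_gic_opt_ext *opte;
    char *full_name = NULL;

    if (ccache == NULL)
        return EINVAL;
    /* ... unchanged: krb5int_gic_opt_to_opte call and close of any previous out_ccache ... */
    /* Keep the cache type: a bare name resolves against the default type. */
    if (asprintf(&full_name, "%s:%s", krb5_cc_get_type(context, ccache),
                 krb5_cc_get_name(context, ccache)) < 0)
        return ENOMEM;
    retval = krb5_cc_resolve(context, full_name, &opte->opt_private->out_ccache);
    free(full_name);
    return retval;
}
```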
@@ -331,6 +331,7 @@ krb5_get_init_creds_keytab
 krb5_get_init_creds_opt_alloc
 krb5_get_init_creds_opt_free
 krb5_get_init_creds_opt_free_pa
+krb5_get_init_creds_opt_get_fast_flags
 krb5_get_init_creds_opt_get_pa
 krb5_get_init_creds_opt_init
 krb5_get_init_creds_opt_set_address_list
@@ -338,7 +339,9 @@ krb5_get_init_creds_opt_set_canonicalize
 krb5_get_init_creds_opt_set_change_password_prompt
 krb5_get_init_creds_opt_set_etype_list
 krb5_get_init_creds_opt_set_fast_ccache_name
+krb5_get_init_creds_opt_set_fast_flags
 krb5_get_init_creds_opt_set_forwardable
+krb5_get_init_creds_opt_set_out_ccache
 krb5_get_init_creds_opt_set_pa
 krb5_get_init_creds_opt_set_preauth_list
 krb5_get_init_creds_opt_set_proxiable |