From 1f857634ae3b549e8c328727adbdaa9e9f403d4f Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Tue, 30 Jan 2007 21:38:47 +0000
Subject: get_init_creds_opt extensibility

 r18922@cathode-dark-space:  coffman | 2006-12-04 18:30:15 -0500
 First cut at making the get_init_creds_opt structure extendable
 and adding library functions to set options for preauthentication
 plugins.

 This does *not* include a compatibility function to work like
 Heimdal's krb5_get_init_creds_opt_set_pkinit() function.

 Hopefully, the test code that doesn't belong in kinit.c is
 obvious.


 r18929@cathode-dark-space:  coffman | 2006-12-07 10:01:20 -0500
 Remove extra "user_id" parameter.

 Add function which duplicates the Heimdal interface (if we can agree on
 what the matching attribute names should be).

 r18934@cathode-dark-space:  coffman | 2006-12-08 15:28:03 -0500
 Update to use the simplified interface for krb5_get_init_creds_opt_set_pa()

 Add code in kinit to process "-X" options as preauth options and pass
 them along.



 r18936@cathode-dark-space:  coffman | 2006-12-11 12:04:26 -0500
 Move prototypes for get_init_creds_opt_get_pa() and
 krb5_get_init_creds_opt_free_pa() into the
 preauth_plugin.h header rather than krb5.hin.



ticket: new
status: open
component: krb5-libs

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19127 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/clients/kpasswd/kpasswd.c | 22 +++++++++++++++-------
 src/clients/kpasswd/ksetpwd.c | 23 +++++++++++++----------
 2 files changed, 28 insertions(+), 17 deletions(-)

(limited to 'src/clients/kpasswd')

diff --git a/src/clients/kpasswd/kpasswd.c b/src/clients/kpasswd/kpasswd.c
index 95e33ff..204a8bf 100644
--- a/src/clients/kpasswd/kpasswd.c
+++ b/src/clients/kpasswd/kpasswd.c
@@ -49,7 +49,7 @@ int main(int argc, char *argv[])
    krb5_principal princ;
    char *pname;
    krb5_ccache ccache;
-   krb5_get_init_creds_opt opts;
+   krb5_get_init_creds_opt *opts = NULL;
    krb5_creds creds;
 
    char pw[1024];
@@ -102,26 +102,31 @@ int main(int argc, char *argv[])
        get_name_from_passwd_file(argv[0], context, &princ);
    }
 
-   krb5_get_init_creds_opt_init(&opts);
-   krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
-   krb5_get_init_creds_opt_set_renew_life(&opts, 0);
-   krb5_get_init_creds_opt_set_forwardable(&opts, 0);
-   krb5_get_init_creds_opt_set_proxiable(&opts, 0);
+   if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) {
+	 com_err(argv[0], ret, "allocating krb5_get_init_creds_opt");
+	 exit(1);
+   }
+   krb5_get_init_creds_opt_set_tkt_life(opts, 5*60);
+   krb5_get_init_creds_opt_set_renew_life(opts, 0);
+   krb5_get_init_creds_opt_set_forwardable(opts, 0);
+   krb5_get_init_creds_opt_set_proxiable(opts, 0);
 
    if ((ret = krb5_get_init_creds_password(context, &creds, princ, NULL,
 					   krb5_prompter_posix, NULL, 
-					   0, "kadmin/changepw", &opts))) {
+					   0, "kadmin/changepw", opts))) {
       if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
 	 com_err(argv[0], 0,
 		 "Password incorrect while getting initial ticket");
       else
 	 com_err(argv[0], ret, "getting initial ticket");
+      krb5_get_init_creds_opt_free(context, opts);
       exit(1);
    }
 
    pwlen = sizeof(pw);
    if ((ret = krb5_read_password(context, P1, P2, pw, &pwlen))) {
       com_err(argv[0], ret, "while reading password");
+      krb5_get_init_creds_opt_free(context, opts);
       exit(1);
    }
 
@@ -129,6 +134,7 @@ int main(int argc, char *argv[])
 				   &result_code, &result_code_string,
 				   &result_string))) {
       com_err(argv[0], ret, "changing password");
+      krb5_get_init_creds_opt_free(context, opts);
       exit(1);
    }
 
@@ -138,6 +144,7 @@ int main(int argc, char *argv[])
 	     result_string.length?": ":"",
 	     (int) result_string.length,
 	     result_string.data ? result_string.data : "");
+      krb5_get_init_creds_opt_free(context, opts);
       exit(2);
    }
 
@@ -145,6 +152,7 @@ int main(int argc, char *argv[])
        free(result_string.data);
    if (result_code_string.data != NULL)
        free(result_code_string.data);
+   krb5_get_init_creds_opt_free(context, opts);
 
    printf("Password changed.\n");
    exit(0);
diff --git a/src/clients/kpasswd/ksetpwd.c b/src/clients/kpasswd/ksetpwd.c
index 148e686..2eec397 100644
--- a/src/clients/kpasswd/ksetpwd.c
+++ b/src/clients/kpasswd/ksetpwd.c
@@ -34,8 +34,6 @@ static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions )
 {
     krb5_preauthtype    preauth[] = { KRB5_PADATA_ENC_TIMESTAMP };
     krb5_enctype        etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC};
-    memset( outOptions, 0, sizeof(*outOptions) );
-    krb5_get_init_creds_opt_init(outOptions);
     krb5_get_init_creds_opt_set_address_list(outOptions, NULL);
     krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) );
     krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) );
@@ -128,17 +126,21 @@ static kbrccache_t userinitcontext(
 		}
 		if( kres != 0 || have_credentials == 0 )
 		{
-			krb5_get_init_creds_opt options;
-			get_init_creds_opt_init(&options);
+			krb5_get_init_creds_opt *options = NULL;
+			kres = krb5_get_init_creds_opt_alloc(kcontext, &options);
+			if ( kres == 0 )
+			{
+				get_init_creds_opt_init(options);
 /*
 ** no valid credentials - get new ones
 */
-			kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass,
-					NULL /*prompter*/, 
-					NULL /*data*/,
-					0 /*starttime*/,
-					0 /*in_tkt_service*/,
-					&options /*options*/ );
+				kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass,
+						NULL /*prompter*/, 
+						NULL /*data*/,
+						0 /*starttime*/,
+						0 /*in_tkt_service*/,
+						options /*options*/ );
+			}
 			if( kres == 0 )
 			{
 				if( numCreds <= 0 )
@@ -148,6 +150,7 @@ static kbrccache_t userinitcontext(
 				if( kres == 0 )
 					have_credentials = 1;
 			}
+			krb5_get_init_creds_opt_free(kcontext, options);
 		}
 #ifdef NOTUSED
 		if( have_credentials )
-- 
cgit v1.1