2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gsskrb5_locl.h"
37 __gsskrb5_ccache_lifetime(OM_uint32
*minor_status
,
40 krb5_principal principal
,
43 krb5_creds in_cred
, *out_cred
;
44 krb5_const_realm realm
;
47 memset(&in_cred
, 0, sizeof(in_cred
));
48 in_cred
.client
= principal
;
50 realm
= krb5_principal_get_realm(context
, principal
);
52 _gsskrb5_clear_status ();
53 *minor_status
= KRB5_PRINC_NOMATCH
; /* XXX */
57 kret
= krb5_make_principal(context
, &in_cred
.server
,
58 realm
, KRB5_TGS_NAME
, realm
, NULL
);
64 kret
= krb5_get_credentials(context
, 0,
65 id
, &in_cred
, &out_cred
);
66 krb5_free_principal(context
, in_cred
.server
);
72 *lifetime
= out_cred
->times
.endtime
;
73 krb5_free_creds(context
, out_cred
);
75 return GSS_S_COMPLETE
;
81 static krb5_error_code
82 get_keytab(krb5_context context
, krb5_keytab
*keytab
)
87 HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex
);
89 if (_gsskrb5_keytab
!= NULL
) {
90 kret
= krb5_kt_get_name(context
,
92 kt_name
, sizeof(kt_name
));
94 kret
= krb5_kt_resolve(context
, kt_name
, keytab
);
96 kret
= krb5_kt_default(context
, keytab
);
98 HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex
);
103 static OM_uint32 acquire_initiator_cred
104 (OM_uint32
* minor_status
,
105 krb5_context context
,
106 const gss_name_t desired_name
,
108 const gss_OID_set desired_mechs
,
109 gss_cred_usage_t cred_usage
,
111 gss_OID_set
* actual_mechs
,
117 krb5_principal def_princ
;
118 krb5_get_init_creds_opt
*opt
;
121 krb5_error_code kret
;
127 memset(&cred
, 0, sizeof(cred
));
130 * If we have a preferred principal, lets try to find it in all
131 * caches, otherwise, fall back to default cache, ignore all
132 * errors while searching.
135 if (handle
->principal
) {
136 kret
= krb5_cc_cache_match (context
,
140 ret
= GSS_S_COMPLETE
;
145 if (ccache
== NULL
) {
146 kret
= krb5_cc_default(context
, &ccache
);
150 kret
= krb5_cc_get_principal(context
, ccache
, &def_princ
);
152 /* we'll try to use a keytab below */
153 krb5_cc_close(context
, ccache
);
156 } else if (handle
->principal
== NULL
) {
157 kret
= krb5_copy_principal(context
, def_princ
, &handle
->principal
);
160 } else if (handle
->principal
!= NULL
&&
161 krb5_principal_compare(context
, handle
->principal
,
162 def_princ
) == FALSE
) {
163 krb5_free_principal(context
, def_princ
);
165 krb5_cc_close(context
, ccache
);
168 if (def_princ
== NULL
) {
169 /* We have no existing credentials cache,
170 * so attempt to get a TGT using a keytab.
172 if (handle
->principal
== NULL
) {
173 kret
= krb5_get_default_principal(context
, &handle
->principal
);
177 kret
= get_keytab(context
, &keytab
);
180 kret
= krb5_get_init_creds_opt_alloc(context
, &opt
);
183 kret
= krb5_get_init_creds_keytab(context
, &cred
,
184 handle
->principal
, keytab
, 0, NULL
, opt
);
185 krb5_get_init_creds_opt_free(context
, opt
);
188 kret
= krb5_cc_new_unique(context
, krb5_cc_type_memory
,
192 kret
= krb5_cc_initialize(context
, ccache
, cred
.client
);
194 krb5_cc_destroy(context
, ccache
);
197 kret
= krb5_cc_store_cred(context
, ccache
, &cred
);
199 krb5_cc_destroy(context
, ccache
);
202 handle
->lifetime
= cred
.times
.endtime
;
203 handle
->cred_flags
|= GSS_CF_DESTROY_CRED_ON_RELEASE
;
206 ret
= __gsskrb5_ccache_lifetime(minor_status
,
211 if (ret
!= GSS_S_COMPLETE
) {
212 krb5_cc_close(context
, ccache
);
218 handle
->ccache
= ccache
;
219 ret
= GSS_S_COMPLETE
;
222 if (cred
.client
!= NULL
)
223 krb5_free_cred_contents(context
, &cred
);
224 if (def_princ
!= NULL
)
225 krb5_free_principal(context
, def_princ
);
227 krb5_kt_close(context
, keytab
);
228 if (ret
!= GSS_S_COMPLETE
&& kret
!= 0)
229 *minor_status
= kret
;
233 static OM_uint32 acquire_acceptor_cred
234 (OM_uint32
* minor_status
,
235 krb5_context context
,
236 const gss_name_t desired_name
,
238 const gss_OID_set desired_mechs
,
239 gss_cred_usage_t cred_usage
,
241 gss_OID_set
* actual_mechs
,
246 krb5_error_code kret
;
249 kret
= get_keytab(context
, &handle
->keytab
);
253 /* check that the requested principal exists in the keytab */
254 if (handle
->principal
) {
255 krb5_keytab_entry entry
;
257 kret
= krb5_kt_get_entry(context
, handle
->keytab
,
258 handle
->principal
, 0, 0, &entry
);
261 krb5_kt_free_entry(context
, &entry
);
262 ret
= GSS_S_COMPLETE
;
265 * Check if there is at least one entry in the keytab before
266 * declaring it as an useful keytab.
268 krb5_keytab_entry tmp
;
271 kret
= krb5_kt_start_seq_get (context
, handle
->keytab
, &c
);
274 if (krb5_kt_next_entry(context
, handle
->keytab
, &tmp
, &c
) == 0) {
275 krb5_kt_free_entry(context
, &tmp
);
276 ret
= GSS_S_COMPLETE
; /* ok found one entry */
278 krb5_kt_end_seq_get (context
, handle
->keytab
, &c
);
281 if (ret
!= GSS_S_COMPLETE
) {
282 if (handle
->keytab
!= NULL
)
283 krb5_kt_close(context
, handle
->keytab
);
285 *minor_status
= kret
;
291 OM_uint32 _gsskrb5_acquire_cred
292 (OM_uint32
* minor_status
,
293 const gss_name_t desired_name
,
295 const gss_OID_set desired_mechs
,
296 gss_cred_usage_t cred_usage
,
297 gss_cred_id_t
* output_cred_handle
,
298 gss_OID_set
* actual_mechs
,
302 krb5_context context
;
306 if (cred_usage
!= GSS_C_ACCEPT
&& cred_usage
!= GSS_C_INITIATE
&& cred_usage
!= GSS_C_BOTH
) {
307 *minor_status
= GSS_KRB5_S_G_BAD_USAGE
;
308 return GSS_S_FAILURE
;
311 GSSAPI_KRB5_INIT(&context
);
313 *output_cred_handle
= NULL
;
317 *actual_mechs
= GSS_C_NO_OID_SET
;
322 ret
= gss_test_oid_set_member(minor_status
, GSS_KRB5_MECHANISM
,
323 desired_mechs
, &present
);
328 return GSS_S_BAD_MECH
;
332 handle
= calloc(1, sizeof(*handle
));
333 if (handle
== NULL
) {
334 *minor_status
= ENOMEM
;
335 return (GSS_S_FAILURE
);
338 HEIMDAL_MUTEX_init(&handle
->cred_id_mutex
);
340 if (desired_name
!= GSS_C_NO_NAME
) {
342 ret
= _gsskrb5_canon_name(minor_status
, context
, 0, desired_name
,
345 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
350 if (cred_usage
== GSS_C_INITIATE
|| cred_usage
== GSS_C_BOTH
) {
351 ret
= acquire_initiator_cred(minor_status
, context
,
352 desired_name
, time_req
,
353 desired_mechs
, cred_usage
, handle
,
354 actual_mechs
, time_rec
);
355 if (ret
!= GSS_S_COMPLETE
) {
356 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
357 krb5_free_principal(context
, handle
->principal
);
362 if (cred_usage
== GSS_C_ACCEPT
|| cred_usage
== GSS_C_BOTH
) {
363 ret
= acquire_acceptor_cred(minor_status
, context
,
364 desired_name
, time_req
,
365 desired_mechs
, cred_usage
, handle
, actual_mechs
, time_rec
);
366 if (ret
!= GSS_S_COMPLETE
) {
367 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
368 krb5_free_principal(context
, handle
->principal
);
373 ret
= gss_create_empty_oid_set(minor_status
, &handle
->mechanisms
);
374 if (ret
== GSS_S_COMPLETE
)
375 ret
= gss_add_oid_set_member(minor_status
, GSS_KRB5_MECHANISM
,
376 &handle
->mechanisms
);
377 if (ret
== GSS_S_COMPLETE
)
378 ret
= _gsskrb5_inquire_cred(minor_status
, (gss_cred_id_t
)handle
,
379 NULL
, time_rec
, NULL
, actual_mechs
);
380 if (ret
!= GSS_S_COMPLETE
) {
381 if (handle
->mechanisms
!= NULL
)
382 gss_release_oid_set(NULL
, &handle
->mechanisms
);
383 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
384 krb5_free_principal(context
, handle
->principal
);
390 ret
= _gsskrb5_lifetime_left(minor_status
,
398 handle
->usage
= cred_usage
;
399 *output_cred_handle
= (gss_cred_id_t
)handle
;
400 return (GSS_S_COMPLETE
);