search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types.
[heimdal.git] / lib / gssapi / krb5 / acquire_cred.c
blob4f6f38e6743d8edba818a661d25c7d6affeea457
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "gsskrb5_locl.h"
35
36 OM_uint32
37 __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
38 krb5_context context,
39 krb5_ccache id,
40 krb5_principal principal,
41 OM_uint32 *lifetime)
42 {
43 krb5_creds in_cred, *out_cred;
44 krb5_const_realm realm;
45 krb5_error_code kret;
46
47 memset(&in_cred, 0, sizeof(in_cred));
48 in_cred.client = principal;
49
50 realm = krb5_principal_get_realm(context, principal);
51 if (realm == NULL) {
52 _gsskrb5_clear_status ();
53 *minor_status = KRB5_PRINC_NOMATCH; /* XXX */
54 return GSS_S_FAILURE;
55 }
56
57 kret = krb5_make_principal(context, &in_cred.server,
58 realm, KRB5_TGS_NAME, realm, NULL);
59 if (kret) {
60 *minor_status = kret;
61 return GSS_S_FAILURE;
62 }
63
64 kret = krb5_get_credentials(context, 0,
65 id, &in_cred, &out_cred);
66 krb5_free_principal(context, in_cred.server);
67 if (kret) {
68 *minor_status = kret;
69 return GSS_S_FAILURE;
70 }
71
72 *lifetime = out_cred->times.endtime;
73 krb5_free_creds(context, out_cred);
74
75 return GSS_S_COMPLETE;
76 }
77
78
79
80
81 static krb5_error_code
82 get_keytab(krb5_context context, krb5_keytab *keytab)
83 {
84 char kt_name[256];
85 krb5_error_code kret;
86
87 HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
88
89 if (_gsskrb5_keytab != NULL) {
90 kret = krb5_kt_get_name(context,
91 _gsskrb5_keytab,
92 kt_name, sizeof(kt_name));
93 if (kret == 0)
94 kret = krb5_kt_resolve(context, kt_name, keytab);
95 } else
96 kret = krb5_kt_default(context, keytab);
97
98 HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
99
100 return (kret);
101 }
102
103 static OM_uint32 acquire_initiator_cred
104 (OM_uint32 * minor_status,
105 krb5_context context,
106 const gss_name_t desired_name,
107 OM_uint32 time_req,
108 const gss_OID_set desired_mechs,
109 gss_cred_usage_t cred_usage,
110 gsskrb5_cred handle,
111 gss_OID_set * actual_mechs,
112 OM_uint32 * time_rec
113 )
114 {
115 OM_uint32 ret;
116 krb5_creds cred;
117 krb5_principal def_princ;
118 krb5_get_init_creds_opt *opt;
119 krb5_ccache ccache;
120 krb5_keytab keytab;
121 krb5_error_code kret;
122
123 keytab = NULL;
124 ccache = NULL;
125 def_princ = NULL;
126 ret = GSS_S_FAILURE;
127 memset(&cred, 0, sizeof(cred));
128
129 /*
130 * If we have a preferred principal, lets try to find it in all
131 * caches, otherwise, fall back to default cache, ignore all
132 * errors while searching.
133 */
134
135 if (handle->principal) {
136 kret = krb5_cc_cache_match (context,
137 handle->principal,
138 &ccache);
139 if (kret == 0) {
140 ret = GSS_S_COMPLETE;
141 goto found;
142 }
143 }
144
145 if (ccache == NULL) {
146 kret = krb5_cc_default(context, &ccache);
147 if (kret)
148 goto end;
149 }
150 kret = krb5_cc_get_principal(context, ccache, &def_princ);
151 if (kret != 0) {
152 /* we'll try to use a keytab below */
153 krb5_cc_close(context, ccache);
154 def_princ = NULL;
155 kret = 0;
156 } else if (handle->principal == NULL) {
157 kret = krb5_copy_principal(context, def_princ, &handle->principal);
158 if (kret)
159 goto end;
160 } else if (handle->principal != NULL &&
161 krb5_principal_compare(context, handle->principal,
162 def_princ) == FALSE) {
163 krb5_free_principal(context, def_princ);
164 def_princ = NULL;
165 krb5_cc_close(context, ccache);
166 ccache = NULL;
167 }
168 if (def_princ == NULL) {
169 /* We have no existing credentials cache,
170 * so attempt to get a TGT using a keytab.
171 */
172 if (handle->principal == NULL) {
173 kret = krb5_get_default_principal(context, &handle->principal);
174 if (kret)
175 goto end;
176 }
177 kret = get_keytab(context, &keytab);
178 if (kret)
179 goto end;
180 kret = krb5_get_init_creds_opt_alloc(context, &opt);
181 if (kret)
182 goto end;
183 kret = krb5_get_init_creds_keytab(context, &cred,
184 handle->principal, keytab, 0, NULL, opt);
185 krb5_get_init_creds_opt_free(context, opt);
186 if (kret)
187 goto end;
188 kret = krb5_cc_new_unique(context, krb5_cc_type_memory,
189 NULL, &ccache);
190 if (kret)
191 goto end;
192 kret = krb5_cc_initialize(context, ccache, cred.client);
193 if (kret) {
194 krb5_cc_destroy(context, ccache);
195 goto end;
196 }
197 kret = krb5_cc_store_cred(context, ccache, &cred);
198 if (kret) {
199 krb5_cc_destroy(context, ccache);
200 goto end;
201 }
202 handle->lifetime = cred.times.endtime;
203 handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
204 } else {
205
206 ret = __gsskrb5_ccache_lifetime(minor_status,
207 context,
208 ccache,
209 handle->principal,
210 &handle->lifetime);
211 if (ret != GSS_S_COMPLETE) {
212 krb5_cc_close(context, ccache);
213 goto end;
214 }
215 kret = 0;
216 }
217 found:
218 handle->ccache = ccache;
219 ret = GSS_S_COMPLETE;
220
221 end:
222 if (cred.client != NULL)
223 krb5_free_cred_contents(context, &cred);
224 if (def_princ != NULL)
225 krb5_free_principal(context, def_princ);
226 if (keytab != NULL)
227 krb5_kt_close(context, keytab);
228 if (ret != GSS_S_COMPLETE && kret != 0)
229 *minor_status = kret;
230 return (ret);
231 }
232
233 static OM_uint32 acquire_acceptor_cred
234 (OM_uint32 * minor_status,
235 krb5_context context,
236 const gss_name_t desired_name,
237 OM_uint32 time_req,
238 const gss_OID_set desired_mechs,
239 gss_cred_usage_t cred_usage,
240 gsskrb5_cred handle,
241 gss_OID_set * actual_mechs,
242 OM_uint32 * time_rec
243 )
244 {
245 OM_uint32 ret;
246 krb5_error_code kret;
247
248 ret = GSS_S_FAILURE;
249 kret = get_keytab(context, &handle->keytab);
250 if (kret)
251 goto end;
252
253 /* check that the requested principal exists in the keytab */
254 if (handle->principal) {
255 krb5_keytab_entry entry;
256
257 kret = krb5_kt_get_entry(context, handle->keytab,
258 handle->principal, 0, 0, &entry);
259 if (kret)
260 goto end;
261 krb5_kt_free_entry(context, &entry);
262 ret = GSS_S_COMPLETE;
263 } else {
264 /*
265 * Check if there is at least one entry in the keytab before
266 * declaring it as an useful keytab.
267 */
268 krb5_keytab_entry tmp;
269 krb5_kt_cursor c;
270
271 kret = krb5_kt_start_seq_get (context, handle->keytab, &c);
272 if (kret)
273 goto end;
274 if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) {
275 krb5_kt_free_entry(context, &tmp);
276 ret = GSS_S_COMPLETE; /* ok found one entry */
277 }
278 krb5_kt_end_seq_get (context, handle->keytab, &c);
279 }
280 end:
281 if (ret != GSS_S_COMPLETE) {
282 if (handle->keytab != NULL)
283 krb5_kt_close(context, handle->keytab);
284 if (kret != 0) {
285 *minor_status = kret;
286 }
287 }
288 return (ret);
289 }
290
291 OM_uint32 _gsskrb5_acquire_cred
292 (OM_uint32 * minor_status,
293 const gss_name_t desired_name,
294 OM_uint32 time_req,
295 const gss_OID_set desired_mechs,
296 gss_cred_usage_t cred_usage,
297 gss_cred_id_t * output_cred_handle,
298 gss_OID_set * actual_mechs,
299 OM_uint32 * time_rec
300 )
301 {
302 krb5_context context;
303 gsskrb5_cred handle;
304 OM_uint32 ret;
305
306 if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
307 *minor_status = GSS_KRB5_S_G_BAD_USAGE;
308 return GSS_S_FAILURE;
309 }
310
311 GSSAPI_KRB5_INIT(&context);
312
313 *output_cred_handle = NULL;
314 if (time_rec)
315 *time_rec = 0;
316 if (actual_mechs)
317 *actual_mechs = GSS_C_NO_OID_SET;
318
319 if (desired_mechs) {
320 int present = 0;
321
322 ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
323 desired_mechs, &present);
324 if (ret)
325 return ret;
326 if (!present) {
327 *minor_status = 0;
328 return GSS_S_BAD_MECH;
329 }
330 }
331
332 handle = calloc(1, sizeof(*handle));
333 if (handle == NULL) {
334 *minor_status = ENOMEM;
335 return (GSS_S_FAILURE);
336 }
337
338 HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
339
340 if (desired_name != GSS_C_NO_NAME) {
341
342 ret = _gsskrb5_canon_name(minor_status, context, 0, desired_name,
343 &handle->principal);
344 if (ret) {
345 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
346 free(handle);
347 return ret;
348 }
349 }
350 if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
351 ret = acquire_initiator_cred(minor_status, context,
352 desired_name, time_req,
353 desired_mechs, cred_usage, handle,
354 actual_mechs, time_rec);
355 if (ret != GSS_S_COMPLETE) {
356 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
357 krb5_free_principal(context, handle->principal);
358 free(handle);
359 return (ret);
360 }
361 }
362 if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
363 ret = acquire_acceptor_cred(minor_status, context,
364 desired_name, time_req,
365 desired_mechs, cred_usage, handle, actual_mechs, time_rec);
366 if (ret != GSS_S_COMPLETE) {
367 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
368 krb5_free_principal(context, handle->principal);
369 free(handle);
370 return (ret);
371 }
372 }
373 ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
374 if (ret == GSS_S_COMPLETE)
375 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
376 &handle->mechanisms);
377 if (ret == GSS_S_COMPLETE)
378 ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
379 NULL, time_rec, NULL, actual_mechs);
380 if (ret != GSS_S_COMPLETE) {
381 if (handle->mechanisms != NULL)
382 gss_release_oid_set(NULL, &handle->mechanisms);
383 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
384 krb5_free_principal(context, handle->principal);
385 free(handle);
386 return (ret);
387 }
388 *minor_status = 0;
389 if (time_rec) {
390 ret = _gsskrb5_lifetime_left(minor_status,
391 context,
392 handle->lifetime,
393 time_rec);
394
395 if (ret)
396 return ret;
397 }
398 handle->usage = cred_usage;
399 *output_cred_handle = (gss_cred_id_t)handle;
400 return (GSS_S_COMPLETE);
401 }
Heimdal