/*
 * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
34 #include "gssapi_locl.h"
36 RCSID("$Id$");
/*
 * Open the keytab this mechanism should use and return it in *keytab.
 *
 * When the file-level gssapi_krb5_keytab is set, its name is read back and
 * resolved again, so the caller receives a handle of its own that it must
 * release with krb5_kt_close().  Otherwise the library default keytab is
 * opened.
 *
 * Returns 0 on success or the krb5 error code of the call that failed.
 * NOTE(review): names that do not fit in the 256-byte buffer presumably
 * make krb5_kt_get_name() fail rather than truncate -- confirm.
 */
static krb5_error_code
get_keytab(krb5_keytab *keytab)
{
    char name_buf[256];
    krb5_error_code status;

    /* No keytab configured for the mechanism: use the library default. */
    if (gssapi_krb5_keytab == NULL)
        return krb5_kt_default(gssapi_krb5_context, keytab);

    status = krb5_kt_get_name(gssapi_krb5_context,
                              gssapi_krb5_keytab,
                              name_buf, sizeof(name_buf));
    if (status != 0)
        return status;

    return krb5_kt_resolve(gssapi_krb5_context, name_buf, keytab);
}
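/*
 * Obtain initiator credentials for `handle'.
 *
 * The default credentials cache is tried first.  If its principal cannot
 * be read, an initial ticket is requested with the key from the keytab
 * returned by get_keytab() and stored in a newly generated memory cache
 * (krb5_mcc_ops).
 *
 * If handle->principal is already set and the default cache belongs to a
 * different principal, the call fails with KRB5_PRINC_NOMATCH; it does not
 * fall back to the keytab in that case.
 *
 * On success handle->ccache refers to the cache and GSS_S_COMPLETE is
 * returned.  On failure GSS_S_FAILURE is returned and, when a krb5 error
 * code is available, it is stored in *minor_status.  handle->principal may
 * already have been filled in when a later step fails; releasing it is
 * left to the caller.
 *
 * desired_name, time_req, desired_mechs, cred_usage, actual_mechs and
 * time_rec are not used by this function.
 */
static OM_uint32 acquire_initiator_cred
                  (OM_uint32 * minor_status,
                   const gss_name_t desired_name,
                   OM_uint32 time_req,
                   const gss_OID_set desired_mechs,
                   gss_cred_usage_t cred_usage,
                   gss_cred_id_t handle,
                   gss_OID_set * actual_mechs,
                   OM_uint32 * time_rec
                  )
{
    OM_uint32 ret;
    krb5_creds cred;
    krb5_principal def_princ;
    krb5_get_init_creds_opt opt;
    krb5_ccache ccache;
    krb5_keytab keytab;
    krb5_error_code kret;

    keytab = NULL;
    ccache = NULL;
    def_princ = NULL;
    ret = GSS_S_FAILURE;
    /* Zeroed so that cred.client == NULL means "nothing to free" at end. */
    memset(&cred, 0, sizeof(cred));

    kret = krb5_cc_default(gssapi_krb5_context, &ccache);
    if (kret)
        goto end;
    kret = krb5_cc_get_principal(gssapi_krb5_context, ccache,
                                 &def_princ);
    if (kret != 0) {
        /*
         * We'll try to use a keytab below.  Only our handle is dropped:
         * krb5_cc_destroy() would remove the default credentials cache
         * itself, which is too strong a side effect for a failed read.
         */
        krb5_cc_close(gssapi_krb5_context, ccache);
        ccache = NULL;
        /* The keytab branch and the cleanup at end both test def_princ. */
        def_princ = NULL;
        kret = 0;
    } else if (handle->principal == NULL) {
        /* No name requested: adopt the principal of the default cache. */
        kret = krb5_copy_principal(gssapi_krb5_context, def_princ,
                                   &handle->principal);
        if (kret)
            goto end;
    } else if (krb5_principal_compare(gssapi_krb5_context, handle->principal,
                                      def_princ) == FALSE) {
        /* The cache holds tickets for someone other than the requested name. */
        kret = KRB5_PRINC_NOMATCH;
        goto end;
    }
    if (def_princ == NULL) {
        /* We have no existing credentials cache,
         * so attempt to get a TGT using a keytab.
         */
        if (handle->principal == NULL) {
            kret = krb5_get_default_principal(gssapi_krb5_context,
                                              &handle->principal);
            if (kret)
                goto end;
        }
        kret = get_keytab(&keytab);
        if (kret)
            goto end;
        /* Default options only; time_req is not applied to the request. */
        krb5_get_init_creds_opt_init(&opt);
        kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
                                          handle->principal, keytab, 0,
                                          NULL, &opt);
        if (kret)
            goto end;
        /* The fresh ticket is kept in a memory cache, not the default cache. */
        kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
                               &ccache);
        if (kret)
            goto end;
        kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
        if (kret)
            goto end;
        kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
        if (kret)
            goto end;
    }
    /* Ownership of the cache handle moves to the credential. */
    handle->ccache = ccache;
    ret = GSS_S_COMPLETE;

end:
    if (cred.client != NULL)
        krb5_free_creds_contents(gssapi_krb5_context, &cred);
    if (def_princ != NULL)
        krb5_free_principal(gssapi_krb5_context, def_princ);
    if (keytab != NULL)
        krb5_kt_close(gssapi_krb5_context, keytab);
    if (ret != GSS_S_COMPLETE) {
        if (ccache != NULL)
            krb5_cc_close(gssapi_krb5_context, ccache);
        if (kret != 0) {
            *minor_status = kret;
            gssapi_krb5_set_error_string ();
        }
    }
    return (ret);
}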
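/*
 * Obtain acceptor credentials for `handle' by opening a keytab with
 * get_keytab() and storing it in handle->keytab.
 *
 * Returns GSS_S_COMPLETE on success.  On failure returns GSS_S_FAILURE,
 * stores the krb5 error code in *minor_status and leaves handle->keytab
 * NULL, so the caller cannot close it a second time.
 *
 * The keytab is only opened here; whether it holds a key for
 * handle->principal is not checked by this function.
 *
 * desired_name, time_req, desired_mechs, cred_usage, actual_mechs and
 * time_rec are not used by this function.
 */
static OM_uint32 acquire_acceptor_cred
                  (OM_uint32 * minor_status,
                   const gss_name_t desired_name,
                   OM_uint32 time_req,
                   const gss_OID_set desired_mechs,
                   gss_cred_usage_t cred_usage,
                   gss_cred_id_t handle,
                   gss_OID_set * actual_mechs,
                   OM_uint32 * time_rec
                  )
{
    OM_uint32 ret;
    krb5_error_code kret;

    ret = GSS_S_FAILURE;
    kret = get_keytab(&handle->keytab);
    if (kret)
        goto end;
    ret = GSS_S_COMPLETE;

end:
    if (ret != GSS_S_COMPLETE) {
        if (handle->keytab != NULL) {
            krb5_kt_close(gssapi_krb5_context, handle->keytab);
            /* Do not leave a closed keytab handle behind in the credential. */
            handle->keytab = NULL;
        }
        if (kret != 0) {
            *minor_status = kret;
            gssapi_krb5_set_error_string ();
        }
    }
    return (ret);
}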
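/*
 * GSS-API entry point: acquire a Kerberos 5 credential handle.
 *
 * A credential structure is allocated and, depending on cred_usage, filled
 * by acquire_initiator_cred() (GSS_C_INITIATE, GSS_C_BOTH) and/or
 * acquire_acceptor_cred() (GSS_C_ACCEPT, GSS_C_BOTH).  The mechanism set
 * of the credential is then set to GSS_KRB5_MECHANISM, and actual_mechs
 * and time_rec are filled in through gss_inquire_cred().
 *
 * On success returns GSS_S_COMPLETE and stores the new credential in
 * *output_cred_handle.  On failure returns the failing status, sets
 * *output_cred_handle to GSS_C_NO_CREDENTIAL and releases everything the
 * partially built credential owns (principal, credentials cache, keytab,
 * mechanism set), so no ticket cache or keytab handle outlives the failed
 * call.
 *
 * desired_mechs is passed to the helpers but not examined in the code
 * visible here.
 */
OM_uint32 gss_acquire_cred
           (OM_uint32 * minor_status,
            const gss_name_t desired_name,
            OM_uint32 time_req,
            const gss_OID_set desired_mechs,
            gss_cred_usage_t cred_usage,
            gss_cred_id_t * output_cred_handle,
            gss_OID_set * actual_mechs,
            OM_uint32 * time_rec
           )
{
    gss_cred_id_t handle;
    OM_uint32 ret;

    gssapi_krb5_init ();

    *minor_status = 0;
    /* A caller that ignores the status must not see an indeterminate handle. */
    *output_cred_handle = GSS_C_NO_CREDENTIAL;

    handle = malloc(sizeof(*handle));
    if (handle == GSS_C_NO_CREDENTIAL)
        return (GSS_S_FAILURE);

    /* Every member starts out NULL/0; the cleanup below relies on that. */
    memset(handle, 0, sizeof (*handle));

    if (desired_name != GSS_C_NO_NAME) {
        ret = gss_duplicate_name(minor_status, desired_name,
                                 &handle->principal);
        if (ret != GSS_S_COMPLETE) {
            /* Nothing else has been acquired yet. */
            free(handle);
            return (ret);
        }
    }
    if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
        ret = acquire_initiator_cred(minor_status, desired_name, time_req,
            desired_mechs, cred_usage, handle, actual_mechs, time_rec);
        if (ret != GSS_S_COMPLETE)
            goto fail;
    }
    if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
        ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
            desired_mechs, cred_usage, handle, actual_mechs, time_rec);
        /*
         * acquire_acceptor_cred() closes the keytab itself when it fails,
         * so this path skips the keytab cleanup.
         */
        if (ret != GSS_S_COMPLETE)
            goto fail;
    }
    ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
    if (ret == GSS_S_COMPLETE)
        ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
                                     &handle->mechanisms);
    if (ret == GSS_S_COMPLETE)
        ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
                               actual_mechs);
    if (ret != GSS_S_COMPLETE)
        goto fail_keytab;

    /* XXX the requested lifetime is recorded, not the one obtained */
    handle->lifetime = time_req;
    handle->usage = cred_usage;
    *output_cred_handle = handle;
    return (GSS_S_COMPLETE);

fail_keytab:
    if (handle->keytab != NULL)
        krb5_kt_close(gssapi_krb5_context, handle->keytab);
fail:
    /*
     * Freeing only the structure would leak what it owns.  The cache is
     * closed, matching the failure path of acquire_initiator_cred().
     * NOTE(review): a memory cache created there may need
     * krb5_cc_destroy() to be fully discarded -- confirm.
     */
    if (handle->ccache != NULL)
        krb5_cc_close(gssapi_krb5_context, handle->ccache);
    if (handle->principal != NULL)
        krb5_free_principal(gssapi_krb5_context, handle->principal);
    if (handle->mechanisms != NULL)
        gss_release_oid_set(NULL, &handle->mechanisms);
    free(handle);
    return (ret);
}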