search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
remove unused type
[Samba.git] / lib / gssapi / krb5 / acquire_cred.c
blobbfab5667beb5cd6403b9a5cf39f5a3dfaac9b549
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "gsskrb5_locl.h"
35
36 RCSID("$Id$");
37
38 OM_uint32
39 __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
40 krb5_context context,
41 krb5_ccache id,
42 krb5_principal principal,
43 OM_uint32 *lifetime)
44 {
45 krb5_creds in_cred, *out_cred;
46 krb5_const_realm realm;
47 krb5_error_code kret;
48
49 memset(&in_cred, 0, sizeof(in_cred));
50 in_cred.client = principal;
51
52 realm = krb5_principal_get_realm(context, principal);
53 if (realm == NULL) {
54 _gsskrb5_clear_status ();
55 *minor_status = KRB5_PRINC_NOMATCH; /* XXX */
56 return GSS_S_FAILURE;
57 }
58
59 kret = krb5_make_principal(context, &in_cred.server,
60 realm, KRB5_TGS_NAME, realm, NULL);
61 if (kret) {
62 *minor_status = kret;
63 return GSS_S_FAILURE;
64 }
65
66 kret = krb5_get_credentials(context, 0,
67 id, &in_cred, &out_cred);
68 krb5_free_principal(context, in_cred.server);
69 if (kret) {
70 *minor_status = kret;
71 return GSS_S_FAILURE;
72 }
73
74 *lifetime = out_cred->times.endtime;
75 krb5_free_creds(context, out_cred);
76
77 return GSS_S_COMPLETE;
78 }
79
80
81
82
83 static krb5_error_code
84 get_keytab(krb5_context context, krb5_keytab *keytab)
85 {
86 char kt_name[256];
87 krb5_error_code kret;
88
89 HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
90
91 if (_gsskrb5_keytab != NULL) {
92 kret = krb5_kt_get_name(context,
93 _gsskrb5_keytab,
94 kt_name, sizeof(kt_name));
95 if (kret == 0)
96 kret = krb5_kt_resolve(context, kt_name, keytab);
97 } else
98 kret = krb5_kt_default(context, keytab);
99
100 HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
101
102 return (kret);
103 }
104
105 static OM_uint32 acquire_initiator_cred
106 (OM_uint32 * minor_status,
107 krb5_context context,
108 const gss_name_t desired_name,
109 OM_uint32 time_req,
110 const gss_OID_set desired_mechs,
111 gss_cred_usage_t cred_usage,
112 gsskrb5_cred handle,
113 gss_OID_set * actual_mechs,
114 OM_uint32 * time_rec
115 )
116 {
117 OM_uint32 ret;
118 krb5_creds cred;
119 krb5_principal def_princ;
120 krb5_get_init_creds_opt *opt;
121 krb5_ccache ccache;
122 krb5_keytab keytab;
123 krb5_error_code kret;
124
125 keytab = NULL;
126 ccache = NULL;
127 def_princ = NULL;
128 ret = GSS_S_FAILURE;
129 memset(&cred, 0, sizeof(cred));
130
131 /*
132 * If we have a preferred principal, lets try to find it in all
133 * caches, otherwise, fall back to default cache, ignore all
134 * errors while searching.
135 */
136
137 if (handle->principal) {
138 kret = krb5_cc_cache_match (context,
139 handle->principal,
140 &ccache);
141 if (kret == 0) {
142 ret = GSS_S_COMPLETE;
143 goto found;
144 }
145 }
146
147 if (ccache == NULL) {
148 kret = krb5_cc_default(context, &ccache);
149 if (kret)
150 goto end;
151 }
152 kret = krb5_cc_get_principal(context, ccache, &def_princ);
153 if (kret != 0) {
154 /* we'll try to use a keytab below */
155 krb5_cc_close(context, ccache);
156 def_princ = NULL;
157 kret = 0;
158 } else if (handle->principal == NULL) {
159 kret = krb5_copy_principal(context, def_princ, &handle->principal);
160 if (kret)
161 goto end;
162 } else if (handle->principal != NULL &&
163 krb5_principal_compare(context, handle->principal,
164 def_princ) == FALSE) {
165 krb5_free_principal(context, def_princ);
166 def_princ = NULL;
167 krb5_cc_close(context, ccache);
168 ccache = NULL;
169 }
170 if (def_princ == NULL) {
171 /* We have no existing credentials cache,
172 * so attempt to get a TGT using a keytab.
173 */
174 if (handle->principal == NULL) {
175 kret = krb5_get_default_principal(context, &handle->principal);
176 if (kret)
177 goto end;
178 }
179 kret = get_keytab(context, &keytab);
180 if (kret)
181 goto end;
182 kret = krb5_get_init_creds_opt_alloc(context, &opt);
183 if (kret)
184 goto end;
185 kret = krb5_get_init_creds_keytab(context, &cred,
186 handle->principal, keytab, 0, NULL, opt);
187 krb5_get_init_creds_opt_free(context, opt);
188 if (kret)
189 goto end;
190 kret = krb5_cc_new_unique(context, krb5_cc_type_memory,
191 NULL, &ccache);
192 if (kret)
193 goto end;
194 kret = krb5_cc_initialize(context, ccache, cred.client);
195 if (kret) {
196 krb5_cc_destroy(context, ccache);
197 goto end;
198 }
199 kret = krb5_cc_store_cred(context, ccache, &cred);
200 if (kret) {
201 krb5_cc_destroy(context, ccache);
202 goto end;
203 }
204 handle->lifetime = cred.times.endtime;
205 handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
206 } else {
207
208 ret = __gsskrb5_ccache_lifetime(minor_status,
209 context,
210 ccache,
211 handle->principal,
212 &handle->lifetime);
213 if (ret != GSS_S_COMPLETE) {
214 krb5_cc_close(context, ccache);
215 goto end;
216 }
217 kret = 0;
218 }
219 found:
220 handle->ccache = ccache;
221 ret = GSS_S_COMPLETE;
222
223 end:
224 if (cred.client != NULL)
225 krb5_free_cred_contents(context, &cred);
226 if (def_princ != NULL)
227 krb5_free_principal(context, def_princ);
228 if (keytab != NULL)
229 krb5_kt_close(context, keytab);
230 if (ret != GSS_S_COMPLETE && kret != 0)
231 *minor_status = kret;
232 return (ret);
233 }
234
235 static OM_uint32 acquire_acceptor_cred
236 (OM_uint32 * minor_status,
237 krb5_context context,
238 const gss_name_t desired_name,
239 OM_uint32 time_req,
240 const gss_OID_set desired_mechs,
241 gss_cred_usage_t cred_usage,
242 gsskrb5_cred handle,
243 gss_OID_set * actual_mechs,
244 OM_uint32 * time_rec
245 )
246 {
247 OM_uint32 ret;
248 krb5_error_code kret;
249
250 ret = GSS_S_FAILURE;
251 kret = get_keytab(context, &handle->keytab);
252 if (kret)
253 goto end;
254
255 /* check that the requested principal exists in the keytab */
256 if (handle->principal) {
257 krb5_keytab_entry entry;
258
259 kret = krb5_kt_get_entry(context, handle->keytab,
260 handle->principal, 0, 0, &entry);
261 if (kret)
262 goto end;
263 krb5_kt_free_entry(context, &entry);
264 ret = GSS_S_COMPLETE;
265 } else {
266 /*
267 * Check if there is at least one entry in the keytab before
268 * declaring it as an useful keytab.
269 */
270 krb5_keytab_entry tmp;
271 krb5_kt_cursor c;
272
273 kret = krb5_kt_start_seq_get (context, handle->keytab, &c);
274 if (kret)
275 goto end;
276 if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) {
277 krb5_kt_free_entry(context, &tmp);
278 ret = GSS_S_COMPLETE; /* ok found one entry */
279 }
280 krb5_kt_end_seq_get (context, handle->keytab, &c);
281 }
282 end:
283 if (ret != GSS_S_COMPLETE) {
284 if (handle->keytab != NULL)
285 krb5_kt_close(context, handle->keytab);
286 if (kret != 0) {
287 *minor_status = kret;
288 }
289 }
290 return (ret);
291 }
292
293 OM_uint32 _gsskrb5_acquire_cred
294 (OM_uint32 * minor_status,
295 const gss_name_t desired_name,
296 OM_uint32 time_req,
297 const gss_OID_set desired_mechs,
298 gss_cred_usage_t cred_usage,
299 gss_cred_id_t * output_cred_handle,
300 gss_OID_set * actual_mechs,
301 OM_uint32 * time_rec
302 )
303 {
304 krb5_context context;
305 gsskrb5_cred handle;
306 OM_uint32 ret;
307
308 if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
309 *minor_status = GSS_KRB5_S_G_BAD_USAGE;
310 return GSS_S_FAILURE;
311 }
312
313 GSSAPI_KRB5_INIT(&context);
314
315 *output_cred_handle = NULL;
316 if (time_rec)
317 *time_rec = 0;
318 if (actual_mechs)
319 *actual_mechs = GSS_C_NO_OID_SET;
320
321 if (desired_mechs) {
322 int present = 0;
323
324 ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
325 desired_mechs, &present);
326 if (ret)
327 return ret;
328 if (!present) {
329 *minor_status = 0;
330 return GSS_S_BAD_MECH;
331 }
332 }
333
334 handle = calloc(1, sizeof(*handle));
335 if (handle == NULL) {
336 *minor_status = ENOMEM;
337 return (GSS_S_FAILURE);
338 }
339
340 HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
341
342 if (desired_name != GSS_C_NO_NAME) {
343
344 ret = _gsskrb5_canon_name(minor_status, context, 0, desired_name,
345 &handle->principal);
346 if (ret) {
347 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
348 free(handle);
349 return ret;
350 }
351 }
352 if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
353 ret = acquire_initiator_cred(minor_status, context,
354 desired_name, time_req,
355 desired_mechs, cred_usage, handle,
356 actual_mechs, time_rec);
357 if (ret != GSS_S_COMPLETE) {
358 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
359 krb5_free_principal(context, handle->principal);
360 free(handle);
361 return (ret);
362 }
363 }
364 if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
365 ret = acquire_acceptor_cred(minor_status, context,
366 desired_name, time_req,
367 desired_mechs, cred_usage, handle, actual_mechs, time_rec);
368 if (ret != GSS_S_COMPLETE) {
369 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
370 krb5_free_principal(context, handle->principal);
371 free(handle);
372 return (ret);
373 }
374 }
375 ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
376 if (ret == GSS_S_COMPLETE)
377 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
378 &handle->mechanisms);
379 if (ret == GSS_S_COMPLETE)
380 ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
381 NULL, time_rec, NULL, actual_mechs);
382 if (ret != GSS_S_COMPLETE) {
383 if (handle->mechanisms != NULL)
384 gss_release_oid_set(NULL, &handle->mechanisms);
385 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
386 krb5_free_principal(context, handle->principal);
387 free(handle);
388 return (ret);
389 }
390 *minor_status = 0;
391 if (time_rec) {
392 ret = _gsskrb5_lifetime_left(minor_status,
393 context,
394 handle->lifetime,
395 time_rec);
396
397 if (ret)
398 return ret;
399 }
400 handle->usage = cred_usage;
401 *output_cred_handle = (gss_cred_id_t)handle;
402 return (GSS_S_COMPLETE);
403 }
Samba GIT mirror