| blob | 211dcaa7f7532b467e6b76a3c54673e2cad806b8 |
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
36 /*
37 * Find an element in a cred store. Returns GSS_S_COMPLETE if the cred store
38 * is absent or well formed, irrespective of whether the element exists. The
39 * caller should check for *value != NULL before using; values are typically
40 * optional, hence this behavior. (The caller should validate the return
41 * value at least once though, to check it is well-formed.)
42 */
43 OM_uint32
45 gss_const_key_value_set_t cred_store,
48 {
58 }
66 }
68 }
69 }
72 }
74 OM_uint32
76 krb5_context context,
77 krb5_ccache id,
78 krb5_principal principal,
80 {
81 krb5_error_code kret;
88 }
93 }
98 static krb5_error_code
100 gss_const_key_value_set_t cred_store,
102 {
103 krb5_error_code kret;
105 OM_uint32 tmp;
120 }
127 }
129 static krb5_error_code
131 gss_const_key_value_set_t cred_store,
132 krb5_const_principal principal,
134 {
135 krb5_error_code ret;
137 OM_uint32 tmp;
149 }
152 krb5_keytab_entry entry;
158 }
164 }
167 }
170 }
172 static krb5_boolean
174 {
180 /* XXX don't check keytab, someday we will allow password+acceptor creds */
185 }
188 }
190 /*
191 * This function produces a cred with a MEMORY ccache containing a TGT
192 * acquired with a password.
193 */
194 static OM_uint32
196 krb5_context context,
198 OM_uint32 time_req,
199 gss_OID_set desired_mechs,
200 gss_cred_usage_t cred_usage,
201 gss_const_key_value_set_t cred_store,
202 gsskrb5_cred handle)
203 {
205 krb5_creds cred;
209 krb5_error_code kret;
211 OM_uint32 left;
217 }
220 /*
221 * TODO: Here we should eventually support user2user (when we get
222 * support for that via an extension to the mechanism
223 * allowing for more than two security context tokens),
224 * and/or new unique MEMORY keytabs (we have MEMORY keytab
225 * support, but we don't have a keytab equivalent of
226 * krb5_cc_new_unique()). Either way, for now we can't
227 * support this.
228 */
231 }
239 }
245 opt);
248 }
254 /*
255 * Get the current time before the AS exchange so we don't
256 * accidentally end up returning a value that puts advertised
257 * expiration past the real expiration.
258 *
259 * We need to do this because krb5_cc_get_lifetime() returns a
260 * relative time that we need to add to the current time. We ought
261 * to have a version of krb5_cc_get_lifetime() that returns absolute
262 * time...
263 */
292 end:
303 }
305 /*
306 * Acquires an initiator credential from a ccache or using a keytab.
307 */
308 static OM_uint32
310 krb5_context context,
311 OM_uint32 time_req,
312 gss_OID_set desired_mechs,
313 gss_cred_usage_t cred_usage,
314 gss_const_key_value_set_t cred_store,
315 gsskrb5_cred handle)
316 {
317 OM_uint32 ret;
318 krb5_creds cred;
325 OM_uint32 left;
339 /*
340 * Get current time early so we can set handle->endtime to a value that
341 * cannot accidentally be past the real endtime. We need a variant of
342 * krb5_cc_get_lifetime() that returns absolute endtime.
343 */
346 /*
347 * First look for a ccache that has the desired_name (which may be
348 * the default credential name), unless a specific credential cache
349 * was included in cred_store.
350 *
351 * If we don't have an unexpired credential, acquire one with a
352 * keytab.
353 *
354 * If we acquire one with a keytab, save it in the ccache we found
355 * with the expired credential, if any.
356 *
357 * If we don't have any such ccache, then use a MEMORY ccache.
358 */
361 /*
362 * Not default credential case. See if we can find a ccache in
363 * the cccol for the desired_name.
364 */
373 else
375 }
376 }
377 /*
378 * Fall through. We shouldn't find this in the default ccache
379 * either, but we'll give it a try, then we'll try using a keytab.
380 */
381 }
383 /*
384 * Either desired_name was GSS_C_NO_NAME (default cred) or
385 * krb5_cc_cache_match() failed (or found expired).
386 */
389 else
399 /*
400 * Have a default ccache; see if it matches desired_name.
401 */
405 /*
406 * It matches.
407 *
408 * If we end up trying a keytab then we can write the result to
409 * the default ccache.
410 */
415 }
422 /* else we fall through and try using a keytab */
423 }
425 try_keytab:
427 /* We need to know what client principal to use */
431 }
446 /*
447 * We got a credential with a keytab. Save it if we can.
448 */
450 /*
451 * There's no ccache we can overwrite with the credentials we acquired
452 * with a keytab. We'll use a MEMORY ccache then.
453 *
454 * Note that an application that falls into this repeatedly will do an
455 * AS exchange every time it acquires a credential handle. Hopefully
456 * this doesn't happen much. A workaround is to kinit -k once so that
457 * we always re-initialize the matched/default ccache here. I.e., once
458 * there's a FILE/DIR ccache, we'll keep it frash automatically if we
459 * have a keytab, but if there's no FILE/DIR ccache, then we'll
460 * get a fresh credential *every* time we're asked.
461 */
475 found:
487 end:
491 else
493 }
505 }
507 static OM_uint32
509 krb5_context context,
510 OM_uint32 time_req,
511 gss_OID_set desired_mechs,
512 gss_cred_usage_t cred_usage,
513 gss_const_key_value_set_t cred_store,
514 gsskrb5_cred handle)
515 {
516 OM_uint32 ret;
517 krb5_error_code kret;
525 /* check that the requested principal exists in the keytab */
527 krb5_keytab_entry entry;
536 /*
537 * Check if there is at least one entry in the keytab before
538 * declaring it as an useful keytab.
539 */
540 krb5_keytab_entry tmp;
541 krb5_kt_cursor c;
549 }
551 }
552 end:
558 }
559 }
561 }
564 OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_from
566 gss_const_name_t desired_name,
567 OM_uint32 time_req,
568 gss_OID_set desired_mechs,
569 gss_cred_usage_t cred_usage,
570 gss_const_key_value_set_t cred_store,
573 OM_uint32 *time_rec
574 )
575 {
576 krb5_context context;
577 gsskrb5_cred handle;
578 OM_uint32 ret;
591 }
592 }
600 }
615 }
627 }
628 }
638 }
640 /*
641 * Acquire a credential from the specified or background credential
642 * store (ccache, keytab).
643 */
653 }
654 }
664 }
665 }
666 }
682 }
686 }