2 * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gsskrb5_locl.h"
36 OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred
37 (OM_uint32
* minor_status
,
38 gss_const_cred_id_t cred_handle
,
39 gss_name_t
* output_name
,
41 gss_cred_usage_t
* cred_usage
,
42 gss_OID_set
* mechanisms
46 gss_cred_id_t aqcred_init
= GSS_C_NO_CREDENTIAL
;
47 gss_cred_id_t aqcred_accept
= GSS_C_NO_CREDENTIAL
;
48 gsskrb5_cred cred
= (gsskrb5_cred
)cred_handle
;
49 gss_OID_set amechs
= GSS_C_NO_OID_SET
;
50 gss_OID_set imechs
= GSS_C_NO_OID_SET
;
55 OM_uint32 alife
= GSS_C_INDEFINITE
;
56 OM_uint32 ilife
= GSS_C_INDEFINITE
;
59 * XXX This function is more complex than it has to be. It should call
60 * _gsskrb5_inquire_cred_by_mech() twice and merge the results in the
61 * cred_handle == GSS_C_NO_CREDENTIAL case, but since
62 * _gsskrb5_inquire_cred_by_mech() is implemented in terms of this
63 * function, first we must fix _gsskrb5_inquire_cred_by_mech().
69 *output_name
= GSS_C_NO_NAME
;
71 *cred_usage
= GSS_C_BOTH
; /* There's no NONE */
73 *mechanisms
= GSS_C_NO_OID_SET
;
75 GSSAPI_KRB5_INIT (&context
);
77 if (cred_handle
== GSS_C_NO_CREDENTIAL
) {
79 * From here to the end of this if we should refactor into a separate
82 /* Get the info for the default ACCEPT credential */
83 aret
= _gsskrb5_acquire_cred_from(&aminor
,
92 if (aret
== GSS_S_COMPLETE
) {
93 aret
= _gsskrb5_inquire_cred(&aminor
,
99 (void) _gsskrb5_release_cred(&junk
, &aqcred_accept
);
100 if (aret
== GSS_S_COMPLETE
) {
101 output_name
= NULL
; /* Can't merge names; output only one */
103 *cred_usage
= GSS_C_ACCEPT
;
107 *mechanisms
= amechs
;
108 amechs
= GSS_C_NO_OID_SET
;
110 (void) gss_release_oid_set(&junk
, &amechs
);
111 } else if (aret
!= GSS_S_NO_CRED
) {
112 *minor_status
= aminor
;
115 alife
= GSS_C_INDEFINITE
;
119 /* Get the info for the default INITIATE credential */
120 ret
= _gsskrb5_acquire_cred_from(minor_status
,
129 if (ret
== GSS_S_COMPLETE
) {
130 ret
= _gsskrb5_inquire_cred(minor_status
,
136 (void) _gsskrb5_release_cred(&junk
, &aqcred_init
);
137 if (ret
== GSS_S_COMPLETE
) {
139 * Merge results for INITIATE with ACCEPT if we had ACCEPT and
140 * for those outputs that are desired.
143 *cred_usage
= (*cred_usage
== GSS_C_ACCEPT
) ?
144 GSS_C_BOTH
: GSS_C_INITIATE
;
147 *lifetime
= min(alife
, ilife
);
150 * This is just one mechanism (IAKERB and such would live
151 * elsewhere). imechs will be equal to amechs, though not
154 if (aret
!= GSS_S_COMPLETE
) {
155 *mechanisms
= imechs
;
156 imechs
= GSS_C_NO_OID_SET
;
159 (void) gss_release_oid_set(&junk
, &amechs
);
160 } else if (ret
!= GSS_S_NO_CRED
) {
161 *minor_status
= aminor
;
166 if (aret
!= GSS_S_COMPLETE
&& ret
!= GSS_S_COMPLETE
) {
167 *minor_status
= aminor
;
170 *minor_status
= 0; /* Even though 0 is not specified to be special */
171 return GSS_S_COMPLETE
;
174 HEIMDAL_MUTEX_lock(&cred
->cred_id_mutex
);
176 if (output_name
!= NULL
) {
177 if (cred
->principal
!= NULL
) {
178 gss_name_t name
= (gss_name_t
)cred
->principal
;
179 ret
= _gsskrb5_duplicate_name(minor_status
, name
, output_name
);
182 } else if (cred
->usage
== GSS_C_ACCEPT
) {
184 * Keytab case, princ may not be set (yet, ever, whatever).
186 * We used to unconditionally output the krb5_sname_to_principal()
187 * of the host service for the hostname, but we didn't know if we
188 * had keytab entries for it, so it was incorrect. We can't be
189 * breaking anything in tree by outputting GSS_C_NO_NAME, but we
190 * might be breaking other callers.
192 *output_name
= GSS_C_NO_NAME
;
194 /* This shouldn't happen */
195 *minor_status
= KRB5_NOCREDS_SUPPLIED
; /* XXX */
200 if (lifetime
!= NULL
) {
201 ret
= _gsskrb5_lifetime_left(minor_status
,
208 if (cred_usage
!= NULL
)
209 *cred_usage
= cred
->usage
;
210 if (mechanisms
!= NULL
) {
211 ret
= gss_create_empty_oid_set(minor_status
, mechanisms
);
214 ret
= gss_add_oid_set_member(minor_status
,
215 &cred
->mechanisms
->elements
[0],
220 ret
= GSS_S_COMPLETE
;
223 HEIMDAL_MUTEX_unlock(&cred
->cred_id_mutex
);