allow keytab specifiction to gsskrb5_register_acceptor_identity
[heimdal.git] / lib / gssapi / krb5 / acquire_cred.c
blob3116f0d9524a43c347cc0f3538e41e8e3a04f229
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
34 #include "gsskrb5_locl.h"
36 OM_uint32
37 __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
38 krb5_context context,
39 krb5_ccache id,
40 krb5_principal principal,
41 OM_uint32 *lifetime)
43 krb5_creds in_cred, out_cred;
44 krb5_const_realm realm;
45 krb5_error_code kret;
47 memset(&in_cred, 0, sizeof(in_cred));
48 in_cred.client = principal;
50 realm = krb5_principal_get_realm(context, principal);
51 if (realm == NULL) {
52 _gsskrb5_clear_status ();
53 *minor_status = KRB5_PRINC_NOMATCH; /* XXX */
54 return GSS_S_FAILURE;
57 kret = krb5_make_principal(context, &in_cred.server,
58 realm, KRB5_TGS_NAME, realm, NULL);
59 if (kret) {
60 *minor_status = kret;
61 return GSS_S_FAILURE;
64 kret = krb5_cc_retrieve_cred(context, id, 0, &in_cred, &out_cred);
65 krb5_free_principal(context, in_cred.server);
66 if (kret) {
67 *minor_status = 0;
68 *lifetime = 0;
69 return GSS_S_COMPLETE;
72 *lifetime = out_cred.times.endtime;
73 krb5_free_cred_contents(context, &out_cred);
75 return GSS_S_COMPLETE;
81 static krb5_error_code
82 get_keytab(krb5_context context, krb5_keytab *keytab)
84 krb5_error_code kret;
86 HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
88 if (_gsskrb5_keytab != NULL) {
89 char *name = NULL;
91 kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name);
92 if (kret == 0) {
93 kret = krb5_kt_resolve(context, name, keytab);
94 krb5_xfree(name);
96 } else
97 kret = krb5_kt_default(context, keytab);
99 HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
101 return (kret);
104 static OM_uint32 acquire_initiator_cred
105 (OM_uint32 * minor_status,
106 krb5_context context,
107 const gss_name_t desired_name,
108 OM_uint32 time_req,
109 const gss_OID_set desired_mechs,
110 gss_cred_usage_t cred_usage,
111 gsskrb5_cred handle,
112 gss_OID_set * actual_mechs,
113 OM_uint32 * time_rec
116 OM_uint32 ret;
117 krb5_creds cred;
118 krb5_principal def_princ;
119 krb5_get_init_creds_opt *opt;
120 krb5_ccache ccache;
121 krb5_keytab keytab;
122 krb5_error_code kret;
124 keytab = NULL;
125 ccache = NULL;
126 def_princ = NULL;
127 ret = GSS_S_FAILURE;
128 memset(&cred, 0, sizeof(cred));
131 * If we have a preferred principal, lets try to find it in all
132 * caches, otherwise, fall back to default cache, ignore all
133 * errors while searching.
136 if (handle->principal) {
137 kret = krb5_cc_cache_match (context,
138 handle->principal,
139 &ccache);
140 if (kret == 0) {
141 ret = GSS_S_COMPLETE;
142 goto found;
146 if (ccache == NULL) {
147 kret = krb5_cc_default(context, &ccache);
148 if (kret)
149 goto end;
151 kret = krb5_cc_get_principal(context, ccache, &def_princ);
152 if (kret != 0) {
153 /* we'll try to use a keytab below */
154 krb5_cc_close(context, ccache);
155 def_princ = NULL;
156 kret = 0;
157 } else if (handle->principal == NULL) {
158 kret = krb5_copy_principal(context, def_princ, &handle->principal);
159 if (kret)
160 goto end;
161 } else if (handle->principal != NULL &&
162 krb5_principal_compare(context, handle->principal,
163 def_princ) == FALSE) {
164 krb5_free_principal(context, def_princ);
165 def_princ = NULL;
166 krb5_cc_close(context, ccache);
167 ccache = NULL;
169 if (def_princ == NULL) {
170 /* We have no existing credentials cache,
171 * so attempt to get a TGT using a keytab.
173 if (handle->principal == NULL) {
174 kret = krb5_get_default_principal(context, &handle->principal);
175 if (kret)
176 goto end;
178 kret = get_keytab(context, &keytab);
179 if (kret)
180 goto end;
181 kret = krb5_get_init_creds_opt_alloc(context, &opt);
182 if (kret)
183 goto end;
184 kret = krb5_get_init_creds_keytab(context, &cred,
185 handle->principal, keytab, 0, NULL, opt);
186 krb5_get_init_creds_opt_free(context, opt);
187 if (kret)
188 goto end;
189 kret = krb5_cc_new_unique(context, krb5_cc_type_memory,
190 NULL, &ccache);
191 if (kret)
192 goto end;
193 kret = krb5_cc_initialize(context, ccache, cred.client);
194 if (kret) {
195 krb5_cc_destroy(context, ccache);
196 goto end;
198 kret = krb5_cc_store_cred(context, ccache, &cred);
199 if (kret) {
200 krb5_cc_destroy(context, ccache);
201 goto end;
203 handle->lifetime = cred.times.endtime;
204 handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
205 } else {
207 ret = __gsskrb5_ccache_lifetime(minor_status,
208 context,
209 ccache,
210 handle->principal,
211 &handle->lifetime);
212 if (ret != GSS_S_COMPLETE) {
213 krb5_cc_close(context, ccache);
214 goto end;
216 kret = 0;
218 found:
219 handle->ccache = ccache;
220 ret = GSS_S_COMPLETE;
222 end:
223 if (cred.client != NULL)
224 krb5_free_cred_contents(context, &cred);
225 if (def_princ != NULL)
226 krb5_free_principal(context, def_princ);
227 if (keytab != NULL)
228 krb5_kt_close(context, keytab);
229 if (ret != GSS_S_COMPLETE && kret != 0)
230 *minor_status = kret;
231 return (ret);
234 static OM_uint32 acquire_acceptor_cred
235 (OM_uint32 * minor_status,
236 krb5_context context,
237 const gss_name_t desired_name,
238 OM_uint32 time_req,
239 const gss_OID_set desired_mechs,
240 gss_cred_usage_t cred_usage,
241 gsskrb5_cred handle,
242 gss_OID_set * actual_mechs,
243 OM_uint32 * time_rec
246 OM_uint32 ret;
247 krb5_error_code kret;
249 ret = GSS_S_FAILURE;
250 kret = get_keytab(context, &handle->keytab);
251 if (kret)
252 goto end;
254 /* check that the requested principal exists in the keytab */
255 if (handle->principal) {
256 krb5_keytab_entry entry;
258 kret = krb5_kt_get_entry(context, handle->keytab,
259 handle->principal, 0, 0, &entry);
260 if (kret)
261 goto end;
262 krb5_kt_free_entry(context, &entry);
263 ret = GSS_S_COMPLETE;
264 } else {
266 * Check if there is at least one entry in the keytab before
267 * declaring it as an useful keytab.
269 krb5_keytab_entry tmp;
270 krb5_kt_cursor c;
272 kret = krb5_kt_start_seq_get (context, handle->keytab, &c);
273 if (kret)
274 goto end;
275 if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) {
276 krb5_kt_free_entry(context, &tmp);
277 ret = GSS_S_COMPLETE; /* ok found one entry */
279 krb5_kt_end_seq_get (context, handle->keytab, &c);
281 end:
282 if (ret != GSS_S_COMPLETE) {
283 if (handle->keytab != NULL)
284 krb5_kt_close(context, handle->keytab);
285 if (kret != 0) {
286 *minor_status = kret;
289 return (ret);
292 OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
293 (OM_uint32 * minor_status,
294 const gss_name_t desired_name,
295 OM_uint32 time_req,
296 const gss_OID_set desired_mechs,
297 gss_cred_usage_t cred_usage,
298 gss_cred_id_t * output_cred_handle,
299 gss_OID_set * actual_mechs,
300 OM_uint32 * time_rec
303 krb5_context context;
304 gsskrb5_cred handle;
305 OM_uint32 ret;
307 if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
308 *minor_status = GSS_KRB5_S_G_BAD_USAGE;
309 return GSS_S_FAILURE;
312 GSSAPI_KRB5_INIT(&context);
314 *output_cred_handle = NULL;
315 if (time_rec)
316 *time_rec = 0;
317 if (actual_mechs)
318 *actual_mechs = GSS_C_NO_OID_SET;
320 if (desired_mechs) {
321 int present = 0;
323 ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
324 desired_mechs, &present);
325 if (ret)
326 return ret;
327 if (!present) {
328 *minor_status = 0;
329 return GSS_S_BAD_MECH;
333 handle = calloc(1, sizeof(*handle));
334 if (handle == NULL) {
335 *minor_status = ENOMEM;
336 return (GSS_S_FAILURE);
339 HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
341 if (desired_name != GSS_C_NO_NAME) {
343 ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
344 desired_name, &handle->principal);
345 if (ret) {
346 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
347 free(handle);
348 return ret;
351 if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
352 ret = acquire_initiator_cred(minor_status, context,
353 desired_name, time_req,
354 desired_mechs, cred_usage, handle,
355 actual_mechs, time_rec);
356 if (ret != GSS_S_COMPLETE) {
357 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
358 krb5_free_principal(context, handle->principal);
359 free(handle);
360 return (ret);
363 if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
364 ret = acquire_acceptor_cred(minor_status, context,
365 desired_name, time_req,
366 desired_mechs, cred_usage, handle, actual_mechs, time_rec);
367 if (ret != GSS_S_COMPLETE) {
368 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
369 krb5_free_principal(context, handle->principal);
370 free(handle);
371 return (ret);
374 ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
375 if (ret == GSS_S_COMPLETE)
376 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
377 &handle->mechanisms);
378 if (ret == GSS_S_COMPLETE)
379 ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
380 NULL, time_rec, NULL, actual_mechs);
381 if (ret != GSS_S_COMPLETE) {
382 if (handle->mechanisms != NULL)
383 gss_release_oid_set(NULL, &handle->mechanisms);
384 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
385 krb5_free_principal(context, handle->principal);
386 free(handle);
387 return (ret);
389 *minor_status = 0;
390 if (time_rec) {
391 ret = _gsskrb5_lifetime_left(minor_status,
392 context,
393 handle->lifetime,
394 time_rec);
396 if (ret)
397 return ret;
399 handle->usage = cred_usage;
400 *output_cred_handle = (gss_cred_id_t)handle;
401 return (GSS_S_COMPLETE);