kcm/acquire.c

   1 /*
   2  * Copyright (c) 2005, PADL Software Pty Ltd.
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * 3. Neither the name of PADL Software nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
  21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32
  33 #include "kcm_locl.h"
  34
  35 /*
  36  * Get a new ticket using a keytab/cached key and swap it into
  37  * an existing redentials cache
  38  */
  39
  40 krb5_error_code
  41 kcm_ccache_acquire(krb5_context context,
  42                    kcm_ccache ccache,
  43                    krb5_creds **credp)
  44 {
  45     krb5_error_code ret = 0;
  46     krb5_creds cred;
  47     krb5_const_realm realm;
  48     krb5_get_init_creds_opt *opt = NULL;
  49     krb5_ccache_data ccdata;
  50     char *in_tkt_service = NULL;
  51
  52     memset(&cred, 0, sizeof(cred));
  53
  54     KCM_ASSERT_VALID(ccache);
  55
  56     /* We need a cached key or keytab to acquire credentials */
  57     if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
  58         if (ccache->key.keyblock.keyvalue.length == 0)
  59             krb5_abortx(context,
  60                         "kcm_ccache_acquire: KCM_FLAGS_USE_CACHED_KEY without key");
  61     } else if (ccache->flags & KCM_FLAGS_USE_KEYTAB) {
  62         if (ccache->key.keytab == NULL)
  63             krb5_abortx(context,
  64                         "kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab");
  65     } else {
  66         kcm_log(0, "Cannot acquire initial credentials for cache %s without key",
  67                 ccache->name);
  68         return KRB5_FCC_INTERNAL;
  69     }
  70
  71     HEIMDAL_MUTEX_lock(&ccache->mutex);
  72
  73     /* Fake up an internal ccache */
  74     kcm_internal_ccache(context, ccache, &ccdata);
  75
  76     /* Now, actually acquire the creds */
  77     if (ccache->server != NULL) {
  78         ret = krb5_unparse_name(context, ccache->server, &in_tkt_service);
  79         if (ret) {
  80             kcm_log(0, "Failed to unparse service principal name for cache %s: %s",
  81                     ccache->name, krb5_get_err_text(context, ret));
  82             return ret;
  83         }
  84     }
  85
  86     realm = krb5_principal_get_realm(context, ccache->client);
  87
  88     ret = krb5_get_init_creds_opt_alloc(context, &opt);
  89     if (ret)
  90         goto out;
  91     krb5_get_init_creds_opt_set_default_flags(context, "kcm", realm, opt);
  92     if (ccache->tkt_life != 0)
  93         krb5_get_init_creds_opt_set_tkt_life(opt, ccache->tkt_life);
  94     if (ccache->renew_life != 0)
  95         krb5_get_init_creds_opt_set_renew_life(opt, ccache->renew_life);
  96
  97     if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
  98         ret = krb5_get_init_creds_keyblock(context,
  99                                            &cred,
 100                                            ccache->client,
 101                                            &ccache->key.keyblock,
 102                                            0,
 103                                            in_tkt_service,
 104                                            opt);
 105     } else {
 106         /* loosely based on lib/krb5/init_creds_pw.c */
 107         ret = krb5_get_init_creds_keytab(context,
 108                                          &cred,
 109                                          ccache->client,
 110                                          ccache->key.keytab,
 111                                          0,
 112                                          in_tkt_service,
 113                                          opt);
 114     }
 115
 116     if (ret) {
 117         kcm_log(0, "Failed to acquire credentials for cache %s: %s",
 118                 ccache->name, krb5_get_err_text(context, ret));
 119         if (in_tkt_service != NULL)
 120             free(in_tkt_service);
 121         goto out;
 122     }
 123
 124     if (in_tkt_service != NULL)
 125         free(in_tkt_service);
 126
 127     /* Swap them in */
 128     kcm_ccache_remove_creds_internal(context, ccache);
 129
 130     ret = kcm_ccache_store_cred_internal(context, ccache, &cred, 0, credp);
 131     if (ret) {
 132         kcm_log(0, "Failed to store credentials for cache %s: %s",
 133                 ccache->name, krb5_get_err_text(context, ret));
 134         krb5_free_cred_contents(context, &cred);
 135         goto out;
 136     }
 137
 138 out:
 139     if (opt)
 140         krb5_get_init_creds_opt_free(context, opt);
 141
 142     HEIMDAL_MUTEX_unlock(&ccache->mutex);
 143
 144     return ret;
 145 }