search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
1.2.2rc2
[heimdal.git] / lib / gssapi / krb5 / acquire_cred.c
blob7be6a0ab6266f17e1ad8736e14cb2f7cb33537e6
1 /*
2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "krb5/gsskrb5_locl.h"
35
36 RCSID("$Id$");
37
38 OM_uint32
39 __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
40 krb5_context context,
41 krb5_ccache id,
42 krb5_principal principal,
43 OM_uint32 *lifetime)
44 {
45 krb5_creds in_cred, *out_cred;
46 krb5_const_realm realm;
47 krb5_error_code kret;
48
49 memset(&in_cred, 0, sizeof(in_cred));
50 in_cred.client = principal;
51
52 realm = krb5_principal_get_realm(context, principal);
53 if (realm == NULL) {
54 _gsskrb5_clear_status ();
55 *minor_status = KRB5_PRINC_NOMATCH; /* XXX */
56 return GSS_S_FAILURE;
57 }
58
59 kret = krb5_make_principal(context, &in_cred.server,
60 realm, KRB5_TGS_NAME, realm, NULL);
61 if (kret) {
62 *minor_status = kret;
63 return GSS_S_FAILURE;
64 }
65
66 kret = krb5_get_credentials(context, 0,
67 id, &in_cred, &out_cred);
68 krb5_free_principal(context, in_cred.server);
69 if (kret) {
70 *minor_status = kret;
71 return GSS_S_FAILURE;
72 }
73
74 *lifetime = out_cred->times.endtime;
75 krb5_free_creds(context, out_cred);
76
77 return GSS_S_COMPLETE;
78 }
79
80
81
82
83 static krb5_error_code
84 get_keytab(krb5_context context, krb5_keytab *keytab)
85 {
86 char kt_name[256];
87 krb5_error_code kret;
88
89 HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
90
91 if (_gsskrb5_keytab != NULL) {
92 kret = krb5_kt_get_name(context,
93 _gsskrb5_keytab,
94 kt_name, sizeof(kt_name));
95 if (kret == 0)
96 kret = krb5_kt_resolve(context, kt_name, keytab);
97 } else
98 kret = krb5_kt_default(context, keytab);
99
100 HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
101
102 return (kret);
103 }
104
105 static OM_uint32 acquire_initiator_cred
106 (OM_uint32 * minor_status,
107 krb5_context context,
108 const gss_name_t desired_name,
109 OM_uint32 time_req,
110 const gss_OID_set desired_mechs,
111 gss_cred_usage_t cred_usage,
112 gsskrb5_cred handle,
113 gss_OID_set * actual_mechs,
114 OM_uint32 * time_rec
115 )
116 {
117 OM_uint32 ret;
118 krb5_creds cred;
119 krb5_principal def_princ;
120 krb5_get_init_creds_opt *opt;
121 krb5_ccache ccache;
122 krb5_keytab keytab;
123 krb5_error_code kret;
124
125 keytab = NULL;
126 ccache = NULL;
127 def_princ = NULL;
128 ret = GSS_S_FAILURE;
129 memset(&cred, 0, sizeof(cred));
130
131 /*
132 * If we have a preferred principal, lets try to find it in all
133 * caches, otherwise, fall back to default cache, ignore all
134 * errors while searching.
135 */
136
137 if (handle->principal)
138 kret = krb5_cc_cache_match (context,
139 handle->principal,
140 NULL,
141 &ccache);
142
143 if (ccache == NULL) {
144 kret = krb5_cc_default(context, &ccache);
145 if (kret)
146 goto end;
147 }
148 kret = krb5_cc_get_principal(context, ccache, &def_princ);
149 if (kret != 0) {
150 /* we'll try to use a keytab below */
151 krb5_cc_close(context, ccache);
152 def_princ = NULL;
153 kret = 0;
154 } else if (handle->principal == NULL) {
155 kret = krb5_copy_principal(context, def_princ, &handle->principal);
156 if (kret)
157 goto end;
158 } else if (handle->principal != NULL &&
159 krb5_principal_compare(context, handle->principal,
160 def_princ) == FALSE) {
161 krb5_free_principal(context, def_princ);
162 def_princ = NULL;
163 krb5_cc_close(context, ccache);
164 ccache = NULL;
165 }
166 if (def_princ == NULL) {
167 /* We have no existing credentials cache,
168 * so attempt to get a TGT using a keytab.
169 */
170 if (handle->principal == NULL) {
171 kret = krb5_get_default_principal(context, &handle->principal);
172 if (kret)
173 goto end;
174 }
175 kret = get_keytab(context, &keytab);
176 if (kret)
177 goto end;
178 kret = krb5_get_init_creds_opt_alloc(context, &opt);
179 if (kret)
180 goto end;
181 kret = krb5_get_init_creds_keytab(context, &cred,
182 handle->principal, keytab, 0, NULL, opt);
183 krb5_get_init_creds_opt_free(context, opt);
184 if (kret)
185 goto end;
186 kret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
187 if (kret)
188 goto end;
189 kret = krb5_cc_initialize(context, ccache, cred.client);
190 if (kret) {
191 krb5_cc_destroy(context, ccache);
192 goto end;
193 }
194 kret = krb5_cc_store_cred(context, ccache, &cred);
195 if (kret) {
196 krb5_cc_destroy(context, ccache);
197 goto end;
198 }
199 handle->lifetime = cred.times.endtime;
200 handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
201 } else {
202
203 ret = __gsskrb5_ccache_lifetime(minor_status,
204 context,
205 ccache,
206 handle->principal,
207 &handle->lifetime);
208 if (ret != GSS_S_COMPLETE) {
209 krb5_cc_close(context, ccache);
210 goto end;
211 }
212 kret = 0;
213 }
214
215 handle->ccache = ccache;
216 ret = GSS_S_COMPLETE;
217
218 end:
219 if (cred.client != NULL)
220 krb5_free_cred_contents(context, &cred);
221 if (def_princ != NULL)
222 krb5_free_principal(context, def_princ);
223 if (keytab != NULL)
224 krb5_kt_close(context, keytab);
225 if (ret != GSS_S_COMPLETE && kret != 0)
226 *minor_status = kret;
227 return (ret);
228 }
229
230 static OM_uint32 acquire_acceptor_cred
231 (OM_uint32 * minor_status,
232 krb5_context context,
233 const gss_name_t desired_name,
234 OM_uint32 time_req,
235 const gss_OID_set desired_mechs,
236 gss_cred_usage_t cred_usage,
237 gsskrb5_cred handle,
238 gss_OID_set * actual_mechs,
239 OM_uint32 * time_rec
240 )
241 {
242 OM_uint32 ret;
243 krb5_error_code kret;
244
245 kret = 0;
246 ret = GSS_S_FAILURE;
247 kret = get_keytab(context, &handle->keytab);
248 if (kret)
249 goto end;
250
251 /* check that the requested principal exists in the keytab */
252 if (handle->principal) {
253 krb5_keytab_entry entry;
254
255 kret = krb5_kt_get_entry(context, handle->keytab,
256 handle->principal, 0, 0, &entry);
257 if (kret)
258 goto end;
259 krb5_kt_free_entry(context, &entry);
260 ret = GSS_S_COMPLETE;
261 } else {
262 /*
263 * Check if there is at least one entry in the keytab before
264 * declaring it as an useful keytab.
265 */
266 krb5_keytab_entry tmp;
267 krb5_kt_cursor c;
268
269 kret = krb5_kt_start_seq_get (context, handle->keytab, &c);
270 if (kret)
271 goto end;
272 if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) {
273 krb5_kt_free_entry(context, &tmp);
274 ret = GSS_S_COMPLETE; /* ok found one entry */
275 }
276 krb5_kt_end_seq_get (context, handle->keytab, &c);
277 }
278 end:
279 if (ret != GSS_S_COMPLETE) {
280 if (handle->keytab != NULL)
281 krb5_kt_close(context, handle->keytab);
282 if (kret != 0) {
283 *minor_status = kret;
284 }
285 }
286 return (ret);
287 }
288
289 OM_uint32 _gsskrb5_acquire_cred
290 (OM_uint32 * minor_status,
291 const gss_name_t desired_name,
292 OM_uint32 time_req,
293 const gss_OID_set desired_mechs,
294 gss_cred_usage_t cred_usage,
295 gss_cred_id_t * output_cred_handle,
296 gss_OID_set * actual_mechs,
297 OM_uint32 * time_rec
298 )
299 {
300 krb5_context context;
301 gsskrb5_cred handle;
302 OM_uint32 ret;
303
304 if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
305 *minor_status = GSS_KRB5_S_G_BAD_USAGE;
306 return GSS_S_FAILURE;
307 }
308
309 GSSAPI_KRB5_INIT(&context);
310
311 *output_cred_handle = NULL;
312 if (time_rec)
313 *time_rec = 0;
314 if (actual_mechs)
315 *actual_mechs = GSS_C_NO_OID_SET;
316
317 if (desired_mechs) {
318 int present = 0;
319
320 ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
321 desired_mechs, &present);
322 if (ret)
323 return ret;
324 if (!present) {
325 *minor_status = 0;
326 return GSS_S_BAD_MECH;
327 }
328 }
329
330 handle = calloc(1, sizeof(*handle));
331 if (handle == NULL) {
332 *minor_status = ENOMEM;
333 return (GSS_S_FAILURE);
334 }
335
336 HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
337
338 if (desired_name != GSS_C_NO_NAME) {
339 krb5_principal name = (krb5_principal)desired_name;
340 ret = krb5_copy_principal(context, name, &handle->principal);
341 if (ret) {
342 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
343 *minor_status = ret;
344 free(handle);
345 return GSS_S_FAILURE;
346 }
347 }
348 if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
349 ret = acquire_initiator_cred(minor_status, context,
350 desired_name, time_req,
351 desired_mechs, cred_usage, handle,
352 actual_mechs, time_rec);
353 if (ret != GSS_S_COMPLETE) {
354 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
355 krb5_free_principal(context, handle->principal);
356 free(handle);
357 return (ret);
358 }
359 }
360 if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
361 ret = acquire_acceptor_cred(minor_status, context,
362 desired_name, time_req,
363 desired_mechs, cred_usage, handle, actual_mechs, time_rec);
364 if (ret != GSS_S_COMPLETE) {
365 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
366 krb5_free_principal(context, handle->principal);
367 free(handle);
368 return (ret);
369 }
370 }
371 ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
372 if (ret == GSS_S_COMPLETE)
373 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
374 &handle->mechanisms);
375 if (ret == GSS_S_COMPLETE)
376 ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
377 NULL, time_rec, NULL, actual_mechs);
378 if (ret != GSS_S_COMPLETE) {
379 if (handle->mechanisms != NULL)
380 gss_release_oid_set(NULL, &handle->mechanisms);
381 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
382 krb5_free_principal(context, handle->principal);
383 free(handle);
384 return (ret);
385 }
386 *minor_status = 0;
387 if (time_rec) {
388 ret = _gsskrb5_lifetime_left(minor_status,
389 context,
390 handle->lifetime,
391 time_rec);
392
393 if (ret)
394 return ret;
395 }
396 handle->usage = cred_usage;
397 *output_cred_handle = (gss_cred_id_t)handle;
398 return (GSS_S_COMPLETE);
399 }
Heimdal