2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5/gsskrb5_locl.h"
39 __gsskrb5_ccache_lifetime(OM_uint32
*minor_status
,
42 krb5_principal principal
,
45 krb5_creds in_cred
, *out_cred
;
46 krb5_const_realm realm
;
49 memset(&in_cred
, 0, sizeof(in_cred
));
50 in_cred
.client
= principal
;
52 realm
= krb5_principal_get_realm(context
, principal
);
54 _gsskrb5_clear_status ();
55 *minor_status
= KRB5_PRINC_NOMATCH
; /* XXX */
59 kret
= krb5_make_principal(context
, &in_cred
.server
,
60 realm
, KRB5_TGS_NAME
, realm
, NULL
);
66 kret
= krb5_get_credentials(context
, 0,
67 id
, &in_cred
, &out_cred
);
68 krb5_free_principal(context
, in_cred
.server
);
74 *lifetime
= out_cred
->times
.endtime
;
75 krb5_free_creds(context
, out_cred
);
77 return GSS_S_COMPLETE
;
83 static krb5_error_code
84 get_keytab(krb5_context context
, krb5_keytab
*keytab
)
89 HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex
);
91 if (_gsskrb5_keytab
!= NULL
) {
92 kret
= krb5_kt_get_name(context
,
94 kt_name
, sizeof(kt_name
));
96 kret
= krb5_kt_resolve(context
, kt_name
, keytab
);
98 kret
= krb5_kt_default(context
, keytab
);
100 HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex
);
105 static OM_uint32 acquire_initiator_cred
106 (OM_uint32
* minor_status
,
107 krb5_context context
,
108 const gss_name_t desired_name
,
110 const gss_OID_set desired_mechs
,
111 gss_cred_usage_t cred_usage
,
113 gss_OID_set
* actual_mechs
,
119 krb5_principal def_princ
;
120 krb5_get_init_creds_opt
*opt
;
123 krb5_error_code kret
;
129 memset(&cred
, 0, sizeof(cred
));
132 * If we have a preferred principal, lets try to find it in all
133 * caches, otherwise, fall back to default cache, ignore all
134 * errors while searching.
137 if (handle
->principal
)
138 kret
= krb5_cc_cache_match (context
,
143 if (ccache
== NULL
) {
144 kret
= krb5_cc_default(context
, &ccache
);
148 kret
= krb5_cc_get_principal(context
, ccache
, &def_princ
);
150 /* we'll try to use a keytab below */
151 krb5_cc_close(context
, ccache
);
154 } else if (handle
->principal
== NULL
) {
155 kret
= krb5_copy_principal(context
, def_princ
, &handle
->principal
);
158 } else if (handle
->principal
!= NULL
&&
159 krb5_principal_compare(context
, handle
->principal
,
160 def_princ
) == FALSE
) {
161 krb5_free_principal(context
, def_princ
);
163 krb5_cc_close(context
, ccache
);
166 if (def_princ
== NULL
) {
167 /* We have no existing credentials cache,
168 * so attempt to get a TGT using a keytab.
170 if (handle
->principal
== NULL
) {
171 kret
= krb5_get_default_principal(context
, &handle
->principal
);
175 kret
= get_keytab(context
, &keytab
);
178 kret
= krb5_get_init_creds_opt_alloc(context
, &opt
);
181 kret
= krb5_get_init_creds_keytab(context
, &cred
,
182 handle
->principal
, keytab
, 0, NULL
, opt
);
183 krb5_get_init_creds_opt_free(context
, opt
);
186 kret
= krb5_cc_gen_new(context
, &krb5_mcc_ops
, &ccache
);
189 kret
= krb5_cc_initialize(context
, ccache
, cred
.client
);
191 krb5_cc_destroy(context
, ccache
);
194 kret
= krb5_cc_store_cred(context
, ccache
, &cred
);
196 krb5_cc_destroy(context
, ccache
);
199 handle
->lifetime
= cred
.times
.endtime
;
200 handle
->cred_flags
|= GSS_CF_DESTROY_CRED_ON_RELEASE
;
203 ret
= __gsskrb5_ccache_lifetime(minor_status
,
208 if (ret
!= GSS_S_COMPLETE
) {
209 krb5_cc_close(context
, ccache
);
215 handle
->ccache
= ccache
;
216 ret
= GSS_S_COMPLETE
;
219 if (cred
.client
!= NULL
)
220 krb5_free_cred_contents(context
, &cred
);
221 if (def_princ
!= NULL
)
222 krb5_free_principal(context
, def_princ
);
224 krb5_kt_close(context
, keytab
);
225 if (ret
!= GSS_S_COMPLETE
&& kret
!= 0)
226 *minor_status
= kret
;
230 static OM_uint32 acquire_acceptor_cred
231 (OM_uint32
* minor_status
,
232 krb5_context context
,
233 const gss_name_t desired_name
,
235 const gss_OID_set desired_mechs
,
236 gss_cred_usage_t cred_usage
,
238 gss_OID_set
* actual_mechs
,
243 krb5_error_code kret
;
247 kret
= get_keytab(context
, &handle
->keytab
);
251 /* check that the requested principal exists in the keytab */
252 if (handle
->principal
) {
253 krb5_keytab_entry entry
;
255 kret
= krb5_kt_get_entry(context
, handle
->keytab
,
256 handle
->principal
, 0, 0, &entry
);
259 krb5_kt_free_entry(context
, &entry
);
260 ret
= GSS_S_COMPLETE
;
263 * Check if there is at least one entry in the keytab before
264 * declaring it as an useful keytab.
266 krb5_keytab_entry tmp
;
269 kret
= krb5_kt_start_seq_get (context
, handle
->keytab
, &c
);
272 if (krb5_kt_next_entry(context
, handle
->keytab
, &tmp
, &c
) == 0) {
273 krb5_kt_free_entry(context
, &tmp
);
274 ret
= GSS_S_COMPLETE
; /* ok found one entry */
276 krb5_kt_end_seq_get (context
, handle
->keytab
, &c
);
279 if (ret
!= GSS_S_COMPLETE
) {
280 if (handle
->keytab
!= NULL
)
281 krb5_kt_close(context
, handle
->keytab
);
283 *minor_status
= kret
;
289 OM_uint32 _gsskrb5_acquire_cred
290 (OM_uint32
* minor_status
,
291 const gss_name_t desired_name
,
293 const gss_OID_set desired_mechs
,
294 gss_cred_usage_t cred_usage
,
295 gss_cred_id_t
* output_cred_handle
,
296 gss_OID_set
* actual_mechs
,
300 krb5_context context
;
304 if (cred_usage
!= GSS_C_ACCEPT
&& cred_usage
!= GSS_C_INITIATE
&& cred_usage
!= GSS_C_BOTH
) {
305 *minor_status
= GSS_KRB5_S_G_BAD_USAGE
;
306 return GSS_S_FAILURE
;
309 GSSAPI_KRB5_INIT(&context
);
311 *output_cred_handle
= NULL
;
315 *actual_mechs
= GSS_C_NO_OID_SET
;
320 ret
= gss_test_oid_set_member(minor_status
, GSS_KRB5_MECHANISM
,
321 desired_mechs
, &present
);
326 return GSS_S_BAD_MECH
;
330 handle
= calloc(1, sizeof(*handle
));
331 if (handle
== NULL
) {
332 *minor_status
= ENOMEM
;
333 return (GSS_S_FAILURE
);
336 HEIMDAL_MUTEX_init(&handle
->cred_id_mutex
);
338 if (desired_name
!= GSS_C_NO_NAME
) {
339 krb5_principal name
= (krb5_principal
)desired_name
;
340 ret
= krb5_copy_principal(context
, name
, &handle
->principal
);
342 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
345 return GSS_S_FAILURE
;
348 if (cred_usage
== GSS_C_INITIATE
|| cred_usage
== GSS_C_BOTH
) {
349 ret
= acquire_initiator_cred(minor_status
, context
,
350 desired_name
, time_req
,
351 desired_mechs
, cred_usage
, handle
,
352 actual_mechs
, time_rec
);
353 if (ret
!= GSS_S_COMPLETE
) {
354 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
355 krb5_free_principal(context
, handle
->principal
);
360 if (cred_usage
== GSS_C_ACCEPT
|| cred_usage
== GSS_C_BOTH
) {
361 ret
= acquire_acceptor_cred(minor_status
, context
,
362 desired_name
, time_req
,
363 desired_mechs
, cred_usage
, handle
, actual_mechs
, time_rec
);
364 if (ret
!= GSS_S_COMPLETE
) {
365 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
366 krb5_free_principal(context
, handle
->principal
);
371 ret
= gss_create_empty_oid_set(minor_status
, &handle
->mechanisms
);
372 if (ret
== GSS_S_COMPLETE
)
373 ret
= gss_add_oid_set_member(minor_status
, GSS_KRB5_MECHANISM
,
374 &handle
->mechanisms
);
375 if (ret
== GSS_S_COMPLETE
)
376 ret
= _gsskrb5_inquire_cred(minor_status
, (gss_cred_id_t
)handle
,
377 NULL
, time_rec
, NULL
, actual_mechs
);
378 if (ret
!= GSS_S_COMPLETE
) {
379 if (handle
->mechanisms
!= NULL
)
380 gss_release_oid_set(NULL
, &handle
->mechanisms
);
381 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
382 krb5_free_principal(context
, handle
->principal
);
388 ret
= _gsskrb5_lifetime_left(minor_status
,
396 handle
->usage
= cred_usage
;
397 *output_cred_handle
= (gss_cred_id_t
)handle
;
398 return (GSS_S_COMPLETE
);