2 * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gssapi_locl.h"
38 static krb5_error_code
39 get_keytab(krb5_keytab
*keytab
)
44 HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex
);
46 if (gssapi_krb5_keytab
!= NULL
) {
47 kret
= krb5_kt_get_name(gssapi_krb5_context
,
49 kt_name
, sizeof(kt_name
));
51 kret
= krb5_kt_resolve(gssapi_krb5_context
, kt_name
, keytab
);
53 kret
= krb5_kt_default(gssapi_krb5_context
, keytab
);
55 HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex
);
60 static OM_uint32 acquire_initiator_cred
61 (OM_uint32
* minor_status
,
62 const gss_name_t desired_name
,
64 const gss_OID_set desired_mechs
,
65 gss_cred_usage_t cred_usage
,
67 gss_OID_set
* actual_mechs
,
73 krb5_principal def_princ
;
74 krb5_get_init_creds_opt
*opt
;
83 memset(&cred
, 0, sizeof(cred
));
85 kret
= krb5_cc_default(gssapi_krb5_context
, &ccache
);
88 kret
= krb5_cc_get_principal(gssapi_krb5_context
, ccache
,
91 /* we'll try to use a keytab below */
92 krb5_cc_destroy(gssapi_krb5_context
, ccache
);
95 } else if (handle
->principal
== NULL
) {
96 kret
= krb5_copy_principal(gssapi_krb5_context
, def_princ
,
100 } else if (handle
->principal
!= NULL
&&
101 krb5_principal_compare(gssapi_krb5_context
, handle
->principal
,
102 def_princ
) == FALSE
) {
103 /* Before failing, lets check the keytab */
104 krb5_free_principal(gssapi_krb5_context
, def_princ
);
107 if (def_princ
== NULL
) {
108 /* We have no existing credentials cache,
109 * so attempt to get a TGT using a keytab.
111 if (handle
->principal
== NULL
) {
112 kret
= krb5_get_default_principal(gssapi_krb5_context
,
117 kret
= get_keytab(&keytab
);
120 kret
= krb5_get_init_creds_opt_alloc(gssapi_krb5_context
, &opt
);
123 kret
= krb5_get_init_creds_keytab(gssapi_krb5_context
, &cred
,
124 handle
->principal
, keytab
, 0, NULL
, opt
);
125 krb5_get_init_creds_opt_free(opt
);
128 kret
= krb5_cc_gen_new(gssapi_krb5_context
, &krb5_mcc_ops
,
132 kret
= krb5_cc_initialize(gssapi_krb5_context
, ccache
, cred
.client
);
135 kret
= krb5_cc_store_cred(gssapi_krb5_context
, ccache
, &cred
);
138 handle
->lifetime
= cred
.times
.endtime
;
140 krb5_creds in_cred
, *out_cred
;
141 krb5_const_realm realm
;
143 memset(&in_cred
, 0, sizeof(in_cred
));
144 in_cred
.client
= handle
->principal
;
146 realm
= krb5_principal_get_realm(gssapi_krb5_context
,
149 kret
= KRB5_PRINC_NOMATCH
; /* XXX */
153 kret
= krb5_make_principal(gssapi_krb5_context
, &in_cred
.server
,
154 realm
, KRB5_TGS_NAME
, realm
, NULL
);
158 kret
= krb5_get_credentials(gssapi_krb5_context
, 0,
159 ccache
, &in_cred
, &out_cred
);
160 krb5_free_principal(gssapi_krb5_context
, in_cred
.server
);
164 handle
->lifetime
= out_cred
->times
.endtime
;
165 krb5_free_creds(gssapi_krb5_context
, out_cred
);
168 handle
->ccache
= ccache
;
169 ret
= GSS_S_COMPLETE
;
172 if (cred
.client
!= NULL
)
173 krb5_free_cred_contents(gssapi_krb5_context
, &cred
);
174 if (def_princ
!= NULL
)
175 krb5_free_principal(gssapi_krb5_context
, def_princ
);
177 krb5_kt_close(gssapi_krb5_context
, keytab
);
178 if (ret
!= GSS_S_COMPLETE
) {
180 krb5_cc_close(gssapi_krb5_context
, ccache
);
182 *minor_status
= kret
;
183 gssapi_krb5_set_error_string ();
189 static OM_uint32 acquire_acceptor_cred
190 (OM_uint32
* minor_status
,
191 const gss_name_t desired_name
,
193 const gss_OID_set desired_mechs
,
194 gss_cred_usage_t cred_usage
,
195 gss_cred_id_t handle
,
196 gss_OID_set
* actual_mechs
,
201 krb5_error_code kret
;
205 kret
= get_keytab(&handle
->keytab
);
208 ret
= GSS_S_COMPLETE
;
211 if (ret
!= GSS_S_COMPLETE
) {
212 if (handle
->keytab
!= NULL
)
213 krb5_kt_close(gssapi_krb5_context
, handle
->keytab
);
215 *minor_status
= kret
;
216 gssapi_krb5_set_error_string ();
222 OM_uint32 gss_acquire_cred
223 (OM_uint32
* minor_status
,
224 const gss_name_t desired_name
,
226 const gss_OID_set desired_mechs
,
227 gss_cred_usage_t cred_usage
,
228 gss_cred_id_t
* output_cred_handle
,
229 gss_OID_set
* actual_mechs
,
233 gss_cred_id_t handle
;
236 if (cred_usage
!= GSS_C_ACCEPT
&& cred_usage
!= GSS_C_INITIATE
&& cred_usage
!= GSS_C_BOTH
) {
237 *minor_status
= GSS_KRB5_S_G_BAD_USAGE
;
238 return GSS_S_FAILURE
;
243 *output_cred_handle
= NULL
;
247 *actual_mechs
= GSS_C_NO_OID_SET
;
252 ret
= gss_test_oid_set_member(minor_status
, GSS_KRB5_MECHANISM
,
253 desired_mechs
, &present
);
258 return GSS_S_BAD_MECH
;
262 handle
= (gss_cred_id_t
)malloc(sizeof(*handle
));
263 if (handle
== GSS_C_NO_CREDENTIAL
) {
264 *minor_status
= ENOMEM
;
265 return (GSS_S_FAILURE
);
268 memset(handle
, 0, sizeof (*handle
));
269 HEIMDAL_MUTEX_init(&handle
->cred_id_mutex
);
271 if (desired_name
!= GSS_C_NO_NAME
) {
272 ret
= gss_duplicate_name(minor_status
, desired_name
,
274 if (ret
!= GSS_S_COMPLETE
) {
275 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
280 if (cred_usage
== GSS_C_INITIATE
|| cred_usage
== GSS_C_BOTH
) {
281 ret
= acquire_initiator_cred(minor_status
, desired_name
, time_req
,
282 desired_mechs
, cred_usage
, handle
, actual_mechs
, time_rec
);
283 if (ret
!= GSS_S_COMPLETE
) {
284 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
285 krb5_free_principal(gssapi_krb5_context
, handle
->principal
);
290 if (cred_usage
== GSS_C_ACCEPT
|| cred_usage
== GSS_C_BOTH
) {
291 ret
= acquire_acceptor_cred(minor_status
, desired_name
, time_req
,
292 desired_mechs
, cred_usage
, handle
, actual_mechs
, time_rec
);
293 if (ret
!= GSS_S_COMPLETE
) {
294 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
295 krb5_free_principal(gssapi_krb5_context
, handle
->principal
);
300 ret
= gss_create_empty_oid_set(minor_status
, &handle
->mechanisms
);
301 if (ret
== GSS_S_COMPLETE
)
302 ret
= gss_add_oid_set_member(minor_status
, GSS_KRB5_MECHANISM
,
303 &handle
->mechanisms
);
304 if (ret
== GSS_S_COMPLETE
)
305 ret
= gss_inquire_cred(minor_status
, handle
, NULL
, time_rec
, NULL
,
307 if (ret
!= GSS_S_COMPLETE
) {
308 if (handle
->mechanisms
!= NULL
)
309 gss_release_oid_set(NULL
, &handle
->mechanisms
);
310 HEIMDAL_MUTEX_destroy(&handle
->cred_id_mutex
);
311 krb5_free_principal(gssapi_krb5_context
, handle
->principal
);
317 ret
= gssapi_lifetime_left(minor_status
,
324 handle
->usage
= cred_usage
;
325 *output_cred_handle
= handle
;
326 return (GSS_S_COMPLETE
);