kcm/acquire.c

   1 /*
   2  * Copyright (c) 2005, PADL Software Pty Ltd.
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * 3. Neither the name of PADL Software nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
  21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32
  33 #include "kcm_locl.h"
  34
  35 RCSID("$Id$");
  36
  37 /*
  38  * Get a new ticket using a keytab/cached key and swap it into
  39  * an existing redentials cache
  40  */
  41
  42 krb5_error_code
  43 kcm_ccache_acquire(krb5_context context,
  44                    kcm_ccache ccache,
  45                    krb5_creds **credp)
  46 {
  47     krb5_error_code ret = 0;
  48     krb5_creds cred;
  49     krb5_const_realm realm;
  50     krb5_get_init_creds_opt *opt = NULL;
  51     krb5_ccache_data ccdata;
  52     char *in_tkt_service = NULL;
  53
  54     memset(&cred, 0, sizeof(cred));
  55
  56     KCM_ASSERT_VALID(ccache);
  57
  58     /* We need a cached key or keytab to acquire credentials */
  59     if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
  60         if (ccache->key.keyblock.keyvalue.length == 0)
  61             krb5_abortx(context,
  62                         "kcm_ccache_acquire: KCM_FLAGS_USE_CACHED_KEY without key");
  63     } else if (ccache->flags & KCM_FLAGS_USE_KEYTAB) {
  64         if (ccache->key.keytab == NULL)
  65             krb5_abortx(context,
  66                         "kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab");
  67     } else {
  68         kcm_log(0, "Cannot acquire initial credentials for cache %s without key",
  69                 ccache->name);
  70         return KRB5_FCC_INTERNAL;
  71     }
  72
  73     HEIMDAL_MUTEX_lock(&ccache->mutex);
  74
  75     /* Fake up an internal ccache */
  76     kcm_internal_ccache(context, ccache, &ccdata);
  77
  78     /* Now, actually acquire the creds */
  79     if (ccache->server != NULL) {
  80         ret = krb5_unparse_name(context, ccache->server, &in_tkt_service);
  81         if (ret) {
  82             kcm_log(0, "Failed to unparse service principal name for cache %s: %s",
  83                     ccache->name, krb5_get_err_text(context, ret));
  84             return ret;
  85         }
  86     }
  87
  88     realm = krb5_principal_get_realm(context, ccache->client);
  89
  90     ret = krb5_get_init_creds_opt_alloc(context, &opt);
  91     if (ret)
  92         goto out;
  93     krb5_get_init_creds_opt_set_default_flags(context, "kcm", realm, opt);
  94     if (ccache->tkt_life != 0)
  95         krb5_get_init_creds_opt_set_tkt_life(opt, ccache->tkt_life);
  96     if (ccache->renew_life != 0)
  97         krb5_get_init_creds_opt_set_renew_life(opt, ccache->renew_life);
  98
  99     if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) {
 100         ret = krb5_get_init_creds_keyblock(context,
 101                                            &cred,
 102                                            ccache->client,
 103                                            &ccache->key.keyblock,
 104                                            0,
 105                                            in_tkt_service,
 106                                            opt);
 107     } else {
 108         /* loosely based on lib/krb5/init_creds_pw.c */
 109         ret = krb5_get_init_creds_keytab(context,
 110                                          &cred,
 111                                          ccache->client,
 112                                          ccache->key.keytab,
 113                                          0,
 114                                          in_tkt_service,
 115                                          opt);
 116     }
 117
 118     if (ret) {
 119         kcm_log(0, "Failed to acquire credentials for cache %s: %s",
 120                 ccache->name, krb5_get_err_text(context, ret));
 121         if (in_tkt_service != NULL)
 122             free(in_tkt_service);
 123         goto out;
 124     }
 125
 126     if (in_tkt_service != NULL)
 127         free(in_tkt_service);
 128
 129     /* Swap them in */
 130     kcm_ccache_remove_creds_internal(context, ccache);
 131
 132     ret = kcm_ccache_store_cred_internal(context, ccache, &cred, 0, credp);
 133     if (ret) {
 134         kcm_log(0, "Failed to store credentials for cache %s: %s",
 135                 ccache->name, krb5_get_err_text(context, ret));
 136         krb5_free_cred_contents(context, &cred);
 137         goto out;
 138     }
 139
 140 out:
 141     if (opt)
 142         krb5_get_init_creds_opt_free(context, opt);
 143
 144     HEIMDAL_MUTEX_unlock(&ccache->mutex);
 145
 146     return ret;
 147 }