2 * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gssapi_locl.h"
36 RCSID("$Id: acquire_cred.c,v 1.13.2.1 2003/08/15 14:18:24 lha Exp $");
/*
 * get_keytab: obtain a keytab handle in *keytab and hand back the krb5
 * error code.  When the global gssapi_krb5_keytab is set, its name is read
 * with krb5_kt_get_name() and resolved again with krb5_kt_resolve();
 * krb5_kt_default() is the other source shown.
 *
 * NOTE(review): the gutter numbers skip (40-43, 46, 48, 50, 52 onwards), so
 * the declarations, whatever sits between the calls, and the return are not
 * visible in this listing.
 */
38 static krb5_error_code
39 get_keytab(krb5_keytab *keytab)
/* An explicitly registered keytab is consulted before the default one. */
44 if (gssapi_krb5_keytab != NULL) {
/* The name copy is bounded by sizeof(kt_name); kt_name's declaration is elided. */
45 kret = krb5_kt_get_name(gssapi_krb5_context,
47 kt_name, sizeof(kt_name));
/*
 * Resolving by name yields a separate handle; presumably this is so each
 * caller can krb5_kt_close() its own copy (both callers in this file do)
 * -- confirm.
 */
49 kret = krb5_kt_resolve(gssapi_krb5_context, kt_name, keytab);
51 kret = krb5_kt_default(gssapi_krb5_context, keytab);
/*
 * acquire_initiator_cred: populate handle->ccache and handle->lifetime for
 * an initiator credential.
 *
 * Flow visible in this listing:
 *   1. Open the default credential cache and read its principal.
 *   2. If handle->principal is unset, copy the cache principal into it; if
 *      it is set and differs from the cache principal, drop def_princ so
 *      that the keytab path runs.
 *   3. With def_princ == NULL: get the keytab via get_keytab(), obtain
 *      initial credentials for handle->principal with
 *      krb5_get_init_creds_keytab(), store them in a cache created from
 *      krb5_mcc_ops, and take the lifetime from cred.times.endtime.
 *   4. Otherwise: request credentials for the principal built from
 *      KRB5_TGS_NAME and the realm of the principal, via
 *      krb5_get_credentials() on the existing cache, and take the lifetime
 *      from out_cred->times.endtime.
 *
 * On failure the krb5 error code is stored in *minor_status and
 * gssapi_krb5_set_error_string() is called.
 *
 * NOTE(review): the gutter numbers skip throughout, so error checks, gotos,
 * labels and some call arguments are not visible; comments below describe
 * only the lines shown.
 */
55 static OM_uint32 acquire_initiator_cred
56 (OM_uint32 * minor_status,
57 const gss_name_t desired_name,
59 const gss_OID_set desired_mechs,
60 gss_cred_usage_t cred_usage,
62 gss_OID_set * actual_mechs,
68 krb5_principal def_princ;
69 krb5_get_init_creds_opt opt;
/* Zeroed so the cleanup test on cred.client is meaningful on every path. */
78 memset(&cred, 0, sizeof(cred));
/* First choice: whatever the default credential cache already holds. */
80 kret = krb5_cc_default(gssapi_krb5_context, &ccache);
83 kret = krb5_cc_get_principal(gssapi_krb5_context, ccache,
86 /* we'll try to use a keytab below */
/*
 * NOTE(review): krb5_cc_destroy() removes the cache itself, not just this
 * handle (krb5_cc_close() would only release the handle).  Confirm that
 * discarding the process's default cache is intended when its principal
 * cannot be read.
 */
87 krb5_cc_destroy(gssapi_krb5_context, ccache);
/* No principal was requested: adopt the one from the cache. */
90 } else if (handle->principal == NULL) {
91 kret = krb5_copy_principal(gssapi_krb5_context, def_princ,
/* A requested principal that differs from the cache's sends us to the keytab. */
95 } else if (handle->principal != NULL &&
96 krb5_principal_compare(gssapi_krb5_context, handle->principal,
97 def_princ) == FALSE) {
98 /* Before failing, lets check the keytab */
/*
 * NOTE(review): in the lines shown, the handle from krb5_cc_default() is
 * still open in this branch.  If the elided argument of krb5_cc_gen_new()
 * below is &ccache, that handle would be overwritten without a close --
 * verify against the full file.
 */
99 krb5_free_principal(gssapi_krb5_context, def_princ);
/* def_princ == NULL selects the keytab path; otherwise the existing cache is used. */
102 if (def_princ == NULL) {
103 /* We have no existing credentials cache,
104 * so attempt to get a TGT using a keytab.
106 if (handle->principal == NULL) {
107 kret = krb5_get_default_principal(gssapi_krb5_context,
112 kret = get_keytab(&keytab);
115 krb5_get_init_creds_opt_init(&opt);
116 kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
117 handle->principal, keytab, 0, NULL, &opt);
120 kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
124 kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
127 kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
130 handle->lifetime = cred.times.endtime;
132 krb5_creds in_cred, *out_cred;
133 krb5_const_realm realm;
135 memset(&in_cred, 0, sizeof(in_cred));
136 in_cred.client = handle->principal;
138 realm = krb5_principal_get_realm(gssapi_krb5_context,
141 kret = KRB5_PRINC_NOMATCH; /* XXX */
/* Server principal is built from the realm and KRB5_TGS_NAME. */
145 kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server,
146 realm, KRB5_TGS_NAME, realm, NULL);
/* in_cred.server is freed right after the lookup, whatever its result. */
150 kret = krb5_get_credentials(gssapi_krb5_context, 0,
151 ccache, &in_cred, &out_cred);
152 krb5_free_principal(gssapi_krb5_context, in_cred.server);
/* Only the end time is kept; the returned credential itself is released. */
156 handle->lifetime = out_cred->times.endtime;
157 krb5_free_creds(gssapi_krb5_context, out_cred);
/* Success: the cache handle is now owned by the credential handle. */
160 handle->ccache = ccache;
161 ret = GSS_S_COMPLETE;
/* Cleanup: release the temporaries acquired above. */
164 if (cred.client != NULL)
165 krb5_free_creds_contents(gssapi_krb5_context, &cred);
166 if (def_princ != NULL)
167 krb5_free_principal(gssapi_krb5_context, def_princ);
/* NOTE(review): any guard on keytab (gutter line 168) is not shown. */
169 krb5_kt_close(gssapi_krb5_context, keytab);
/* On failure the cache handle is closed and the krb5 code reported as minor status. */
170 if (ret != GSS_S_COMPLETE) {
172 krb5_cc_close(gssapi_krb5_context, ccache);
174 *minor_status = kret;
175 gssapi_krb5_set_error_string ();
/*
 * acquire_acceptor_cred: attach a keytab to the credential handle for
 * acceptor use.  The keytab comes from get_keytab() and is stored in
 * handle->keytab.  On failure the keytab (if any) is closed, the krb5 error
 * code is written to *minor_status and gssapi_krb5_set_error_string() is
 * called.
 *
 * NOTE(review): the gutter numbers skip, so the check on kret, the initial
 * value of ret and the return statement are not visible.  Nothing in the
 * lines shown reads a key from the keytab or compares it with
 * handle->principal -- confirm where a missing or unreadable service key is
 * detected.
 */
181 static OM_uint32 acquire_acceptor_cred
182 (OM_uint32 * minor_status,
183 const gss_name_t desired_name,
185 const gss_OID_set desired_mechs,
186 gss_cred_usage_t cred_usage,
187 gss_cred_id_t handle,
188 gss_OID_set * actual_mechs,
193 krb5_error_code kret;
/* The handle keeps its own keytab reference for later use. */
197 kret = get_keytab(&handle->keytab);
200 ret = GSS_S_COMPLETE;
/* Failure path: release the keytab and surface the krb5 error. */
203 if (ret != GSS_S_COMPLETE) {
204 if (handle->keytab != NULL)
205 krb5_kt_close(gssapi_krb5_context, handle->keytab);
207 *minor_status = kret;
208 gssapi_krb5_set_error_string ();
/*
 * gss_acquire_cred: allocate a credential handle, fill it for the requested
 * usage and return it through *output_cred_handle.
 *
 * Steps visible in this listing:
 *   - *output_cred_handle and *actual_mechs are reset to empty values.
 *   - desired_mechs is tested for GSS_KRB5_MECHANISM; GSS_S_BAD_MECH is one
 *     of the returns in that block.
 *   - The handle is malloc'ed and zeroed; allocation failure returns
 *     GSS_S_FAILURE with *minor_status = ENOMEM.
 *   - desired_name, when given, is duplicated with gss_duplicate_name().
 *   - The initiator or acceptor helper is called according to cred_usage;
 *     any other usage returns GSS_S_FAILURE with GSS_KRB5_S_G_BAD_USAGE.
 *   - handle->mechanisms is built containing GSS_KRB5_MECHANISM, and
 *     gss_inquire_cred() is called on the new handle.
 *   - handle->usage is set and the handle is returned.
 *
 * NOTE(review): the gutter numbers skip, so guards, frees on the early
 * returns and several call arguments are not visible; whether the handle
 * allocated here is released on each failure return must be checked in the
 * full file.
 */
214 OM_uint32 gss_acquire_cred
215 (OM_uint32 * minor_status,
216 const gss_name_t desired_name,
218 const gss_OID_set desired_mechs,
219 gss_cred_usage_t cred_usage,
220 gss_cred_id_t * output_cred_handle,
221 gss_OID_set * actual_mechs,
225 gss_cred_id_t handle;
/* Outputs start empty so a failure never leaves a stale handle with the caller. */
230 *output_cred_handle = NULL;
234 *actual_mechs = GSS_C_NO_OID_SET;
237 OM_uint32 present = 0;
/* Membership test for the krb5 mechanism in the caller's requested set. */
239 ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
240 desired_mechs, &present);
245 return GSS_S_BAD_MECH;
/* Allocation failure is detected by comparing against GSS_C_NO_CREDENTIAL. */
249 handle = (gss_cred_id_t)malloc(sizeof(*handle));
250 if (handle == GSS_C_NO_CREDENTIAL) {
251 *minor_status = ENOMEM;
252 return (GSS_S_FAILURE);
/* All fields start at zero/NULL. */
255 memset(handle, 0, sizeof (*handle));
257 if (desired_name != GSS_C_NO_NAME) {
258 ret = gss_duplicate_name(minor_status, desired_name,
260 if (ret != GSS_S_COMPLETE) {
/*
 * NOTE(review): the acceptor branch below is an `else if`, so a request
 * with cred_usage == GSS_C_BOTH takes only the initiator branch and the
 * `|| cred_usage == GSS_C_BOTH` test on the acceptor branch can never be
 * true.  In the lines shown, such a handle gets no keytab from
 * acquire_acceptor_cred() while handle->usage still records GSS_C_BOTH.
 * Two independent `if` statements would acquire both halves; code that
 * later accepts contexts with this handle should not assume
 * handle->keytab is set.
 */
265 if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
266 ret = acquire_initiator_cred(minor_status, desired_name, time_req,
267 desired_mechs, cred_usage, handle, actual_mechs, time_rec);
268 if (ret != GSS_S_COMPLETE) {
272 } else if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
273 ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
274 desired_mechs, cred_usage, handle, actual_mechs, time_rec);
275 if (ret != GSS_S_COMPLETE) {
/* Any other usage value is rejected. */
281 *minor_status = GSS_KRB5_S_G_BAD_USAGE;
282 return GSS_S_FAILURE;
/* The handle advertises exactly one mechanism: krb5. */
284 ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
285 if (ret == GSS_S_COMPLETE)
286 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
287 &handle->mechanisms);
/* Each step runs only if the previous one completed. */
288 if (ret == GSS_S_COMPLETE)
289 ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
291 if (ret != GSS_S_COMPLETE) {
292 if (handle->mechanisms != NULL)
/* NOTE(review): NULL is passed as minor_status here -- confirm gss_release_oid_set() tolerates it. */
293 gss_release_oid_set(NULL, &handle->mechanisms);
/* Lifetime computation; the remaining arguments are elided in this listing. */
299 ret = gssapi_lifetime_left(minor_status,
/* The requested usage is recorded as given, then ownership passes to the caller. */
306 handle->usage = cred_usage;
307 *output_cred_handle = handle;
308 return (GSS_S_COMPLETE);