[dragonfly.git] / crypto / heimdal-0.6.3 / lib / gssapi / acquire_cred.c
1 /*
2  * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden). 
4  * All rights reserved. 
5  *
6  * Redistribution and use in source and binary forms, with or without 
7  * modification, are permitted provided that the following conditions 
8  * are met: 
9  *
10  * 1. Redistributions of source code must retain the above copyright 
11  *    notice, this list of conditions and the following disclaimer. 
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright 
14  *    notice, this list of conditions and the following disclaimer in the 
15  *    documentation and/or other materials provided with the distribution. 
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors 
18  *    may be used to endorse or promote products derived from this software 
19  *    without specific prior written permission. 
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
31  * SUCH DAMAGE. 
32  */
33
34 #include "gssapi_locl.h"
35
36 RCSID("$Id: acquire_cred.c,v 1.13.2.1 2003/08/15 14:18:24 lha Exp $");
37
/*
 * Open the keytab that acceptor-side and keytab-based initiator code
 * should use and return it in *keytab.
 *
 * If a keytab has been registered in gssapi_krb5_keytab, its name is
 * looked up and resolved again, so the caller receives a handle of its
 * own (presumably so it can be closed independently -- confirm against
 * the code that sets gssapi_krb5_keytab).  Otherwise the library default
 * keytab is opened.
 *
 * Returns 0 on success or the krb5 error from the failing call.
 */
static krb5_error_code
get_keytab(krb5_keytab *keytab)
{
    char name_buf[256];
    krb5_error_code rc;

    if (gssapi_krb5_keytab == NULL)
        return krb5_kt_default(gssapi_krb5_context, keytab);

    /* The buffer size is passed down, so the lookup is bounded. */
    rc = krb5_kt_get_name(gssapi_krb5_context, gssapi_krb5_keytab,
                          name_buf, sizeof(name_buf));
    if (rc != 0)
        return rc;

    return krb5_kt_resolve(gssapi_krb5_context, name_buf, keytab);
}
54
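/*
 * Obtain initiator credentials for `handle'.
 *
 * The default credentials cache is tried first.  If it has no principal,
 * or its principal differs from the one already stored in the handle, a
 * TGT is requested with the keytab from get_keytab() and stored in a
 * freshly generated memory cache.  If the default cache is usable, a TGT
 * for the principal's realm is fetched through it to learn the lifetime.
 *
 * On success handle->ccache and handle->lifetime are set (and
 * handle->principal, if it was NULL) and GSS_S_COMPLETE is returned.
 * On failure GSS_S_FAILURE is returned and *minor_status carries the
 * krb5 error.  handle->principal may already have been filled in when a
 * later step fails; the caller owns the handle and must release it.
 *
 * desired_name, time_req, desired_mechs, cred_usage, actual_mechs and
 * time_rec are accepted for symmetry with gss_acquire_cred() but are not
 * used here.
 */
static OM_uint32 acquire_initiator_cred
                  (OM_uint32 * minor_status,
                   const gss_name_t desired_name,
                   OM_uint32 time_req,
                   const gss_OID_set desired_mechs,
                   gss_cred_usage_t cred_usage,
                   gss_cred_id_t handle,
                   gss_OID_set * actual_mechs,
                   OM_uint32 * time_rec
                  )
{
    OM_uint32 ret;
    krb5_creds cred;
    krb5_principal def_princ;
    krb5_get_init_creds_opt opt;
    krb5_ccache ccache;
    krb5_keytab keytab;
    krb5_error_code kret;
    int own_ccache;     /* non-zero once ccache is the cache we generated */

    keytab = NULL;
    ccache = NULL;
    def_princ = NULL;
    own_ccache = 0;
    ret = GSS_S_FAILURE;
    memset(&cred, 0, sizeof(cred));

    kret = krb5_cc_default(gssapi_krb5_context, &ccache);
    if (kret)
        goto end;
    kret = krb5_cc_get_principal(gssapi_krb5_context, ccache,
        &def_princ);
    if (kret != 0) {
        /*
         * we'll try to use a keytab below
         *
         * NOTE(review): this destroys the default cache, not just our
         * handle to it -- confirm that is intended when the lookup
         * fails for a reason other than "cache does not exist".
         */
        krb5_cc_destroy(gssapi_krb5_context, ccache);
        ccache = NULL;
        kret = 0;
    } else if (handle->principal == NULL)  {
        kret = krb5_copy_principal(gssapi_krb5_context, def_princ,
            &handle->principal);
        if (kret)
            goto end;
    } else if (krb5_principal_compare(gssapi_krb5_context, handle->principal,
        def_princ) == FALSE) {
        /* Before failing, lets check the keytab */
        krb5_free_principal(gssapi_krb5_context, def_princ);
        def_princ = NULL;
        /*
         * The default cache belongs to another principal.  Close our
         * handle (do not destroy the cache) so it is not leaked when
         * ccache is replaced by the memory cache below.
         */
        krb5_cc_close(gssapi_krb5_context, ccache);
        ccache = NULL;
    }
    if (def_princ == NULL) {
        /* We have no usable credentials cache,
         * so attempt to get a TGT using a keytab.
         */
        if (handle->principal == NULL) {
            kret = krb5_get_default_principal(gssapi_krb5_context,
                &handle->principal);
            if (kret)
                goto end;
        }
        kret = get_keytab(&keytab);
        if (kret)
            goto end;
        krb5_get_init_creds_opt_init(&opt);
        kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
            handle->principal, keytab, 0, NULL, &opt);
        if (kret)
            goto end;
        kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
                &ccache);
        if (kret)
            goto end;
        own_ccache = 1;
        kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
        if (kret)
            goto end;
        kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
        if (kret)
            goto end;
        handle->lifetime = cred.times.endtime;
    } else {
        krb5_creds in_cred, *out_cred;
        krb5_const_realm realm;

        memset(&in_cred, 0, sizeof(in_cred));
        in_cred.client = handle->principal;

        realm = krb5_principal_get_realm(gssapi_krb5_context,
                                         handle->principal);
        if (realm == NULL) {
            kret = KRB5_PRINC_NOMATCH; /* XXX */
            goto end;
        }

        /* Ask for the TGT of the principal's own realm. */
        kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server,
                                   realm, KRB5_TGS_NAME, realm, NULL);
        if (kret)
            goto end;

        kret = krb5_get_credentials(gssapi_krb5_context, 0,
                                    ccache, &in_cred, &out_cred);
        krb5_free_principal(gssapi_krb5_context, in_cred.server);
        if (kret)
            goto end;

        handle->lifetime = out_cred->times.endtime;
        krb5_free_creds(gssapi_krb5_context, out_cred);
    }

    /* Ownership of the cache handle passes to the credential. */
    handle->ccache = ccache;
    ret = GSS_S_COMPLETE;

end:
    if (cred.client != NULL)
        krb5_free_creds_contents(gssapi_krb5_context, &cred);
    if (def_princ != NULL)
        krb5_free_principal(gssapi_krb5_context, def_princ);
    if (keytab != NULL)
        krb5_kt_close(gssapi_krb5_context, keytab);
    if (ret != GSS_S_COMPLETE) {
        if (ccache != NULL) {
            /*
             * A cache generated above is private to this call and may
             * already hold the TGT; destroy it so the ticket does not
             * stay behind in memory.  A cache we merely opened is only
             * closed.
             */
            if (own_ccache)
                krb5_cc_destroy(gssapi_krb5_context, ccache);
            else
                krb5_cc_close(gssapi_krb5_context, ccache);
        }
        if (kret != 0) {
            *minor_status = kret;
            gssapi_krb5_set_error_string ();
        }
    }
    return (ret);
}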
180
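/*
 * Obtain acceptor credentials for `handle' by opening the keytab
 * selected by get_keytab() into handle->keytab.
 *
 * Returns GSS_S_COMPLETE on success.  On failure returns GSS_S_FAILURE,
 * stores the krb5 error in *minor_status and leaves handle->keytab NULL.
 *
 * desired_name, time_req, desired_mechs, cred_usage, actual_mechs and
 * time_rec are accepted for symmetry with gss_acquire_cred() but are not
 * used here.
 *
 * NOTE(review): success only means the keytab could be opened.  Nothing
 * here checks that it holds a key for handle->principal, so a missing
 * or wrong key would presumably surface only when a context is
 * accepted -- confirm whether callers rely on an early failure.
 */
static OM_uint32 acquire_acceptor_cred
                  (OM_uint32 * minor_status,
                   const gss_name_t desired_name,
                   OM_uint32 time_req,
                   const gss_OID_set desired_mechs,
                   gss_cred_usage_t cred_usage,
                   gss_cred_id_t handle,
                   gss_OID_set * actual_mechs,
                   OM_uint32 * time_rec
                  )
{
    OM_uint32 ret;
    krb5_error_code kret;

    ret = GSS_S_FAILURE;
    kret = get_keytab(&handle->keytab);
    if (kret)
        goto end;
    ret = GSS_S_COMPLETE;

end:
    if (ret != GSS_S_COMPLETE) {
        if (handle->keytab != NULL) {
            krb5_kt_close(gssapi_krb5_context, handle->keytab);
            /* Do not leave a closed keytab in the caller's handle. */
            handle->keytab = NULL;
        }
        if (kret != 0) {
            *minor_status = kret;
            gssapi_krb5_set_error_string ();
        }
    }
    return (ret);
}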
213
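/*
 * gss_acquire_cred: build a Kerberos 5 credential handle.
 *
 * minor_status        receives the mechanism-specific status
 * desired_name        principal to acquire for, or GSS_C_NO_NAME
 * time_req            passed to the helpers, which do not use it
 * desired_mechs       if given, must contain GSS_KRB5_MECHANISM
 * cred_usage          GSS_C_INITIATE, GSS_C_ACCEPT or GSS_C_BOTH
 * output_cred_handle  receives the new handle; NULL on any failure
 * actual_mechs        optional; filled in by gss_inquire_cred()
 * time_rec            optional; remaining lifetime of the credential
 *
 * Returns GSS_S_COMPLETE on success, GSS_S_BAD_MECH when desired_mechs
 * lacks the Kerberos mechanism, and otherwise the status of the step
 * that failed.  Every failure after the handle has been allocated
 * releases what the handle holds (principal, ccache, keytab, mechanism
 * set) before the handle itself is freed.
 */
OM_uint32 gss_acquire_cred
           (OM_uint32 * minor_status,
            const gss_name_t desired_name,
            OM_uint32 time_req,
            const gss_OID_set desired_mechs,
            gss_cred_usage_t cred_usage,
            gss_cred_id_t * output_cred_handle,
            gss_OID_set * actual_mechs,
            OM_uint32 * time_rec
           )
{
    gss_cred_id_t handle;
    OM_uint32 ret;

    GSSAPI_KRB5_INIT ();

    *output_cred_handle = NULL;
    if (time_rec)
        *time_rec = 0;
    if (actual_mechs)
        *actual_mechs = GSS_C_NO_OID_SET;

    if (desired_mechs) {
        OM_uint32 present = 0;

        ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
                                      desired_mechs, &present);
        if (ret)
            return ret;
        if (!present) {
            *minor_status = 0;
            return GSS_S_BAD_MECH;
        }
    }

    /* Zeroed, so every member reads as "not yet acquired" in cleanup. */
    handle = calloc(1, sizeof(*handle));
    if (handle == NULL) {
        *minor_status = ENOMEM;
        return (GSS_S_FAILURE);
    }

    if (desired_name != GSS_C_NO_NAME) {
        ret = gss_duplicate_name(minor_status, desired_name,
            &handle->principal);
        if (ret != GSS_S_COMPLETE)
            goto fail;
    }

    if (cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_ACCEPT &&
        cred_usage != GSS_C_BOTH) {
        *minor_status = GSS_KRB5_S_G_BAD_USAGE;
        ret = GSS_S_FAILURE;
        goto fail;
    }

    /*
     * Two independent tests rather than if / else if: GSS_C_BOTH has to
     * run the initiator and the acceptor step.
     */
    if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
        ret = acquire_initiator_cred(minor_status, desired_name, time_req,
            desired_mechs, cred_usage, handle, actual_mechs, time_rec);
        if (ret != GSS_S_COMPLETE)
            goto fail;
    }
    if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
        ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
            desired_mechs, cred_usage, handle, actual_mechs, time_rec);
        if (ret != GSS_S_COMPLETE) {
            /* The helper closes the keytab itself when it fails. */
            handle->keytab = NULL;
            goto fail;
        }
    }

    ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
    if (ret == GSS_S_COMPLETE)
        ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
                                 &handle->mechanisms);
    if (ret == GSS_S_COMPLETE)
        ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
                           actual_mechs);
    if (ret != GSS_S_COMPLETE)
        goto fail;

    *minor_status = 0;
    if (time_rec) {
        ret = gssapi_lifetime_left(minor_status,
                                   handle->lifetime,
                                   time_rec);

        if (ret)
            goto fail;
    }
    handle->usage = cred_usage;
    *output_cred_handle = handle;
    return (GSS_S_COMPLETE);

fail:
    /*
     * ret and *minor_status were set by the failing step and are left
     * untouched.  Release what the handle owns so that tickets, keytab
     * handles and names are not leaked with it.
     *
     * NOTE(review): a ccache created from the keytab is memory-backed;
     * confirm whether closing it is enough to discard the ticket or
     * whether it must be destroyed, as gss_release_cred may do.
     */
    if (handle->mechanisms != NULL)
        gss_release_oid_set(NULL, &handle->mechanisms);
    if (handle->ccache != NULL)
        krb5_cc_close(gssapi_krb5_context, handle->ccache);
    if (handle->keytab != NULL)
        krb5_kt_close(gssapi_krb5_context, handle->keytab);
    if (handle->principal != NULL)
        krb5_free_principal(gssapi_krb5_context, handle->principal);
    free(handle);
    return (ret);
}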