crypto/heimdal/lib/gssapi/acquire_cred.c

   1 /*
   2  * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "gssapi_locl.h"
  35
  36 RCSID("$Id: acquire_cred.c,v 1.10 2002/08/20 12:02:45 nectar Exp $");
  37
  38 static krb5_error_code
  39 get_keytab(krb5_keytab *keytab)
  40 {
  41     char kt_name[256];
  42     krb5_error_code kret;
  43
  44     if (gssapi_krb5_keytab != NULL) {
  45         kret = krb5_kt_get_name(gssapi_krb5_context,
  46                                 gssapi_krb5_keytab,
  47                                 kt_name, sizeof(kt_name));
  48         if (kret == 0)
  49             kret = krb5_kt_resolve(gssapi_krb5_context, kt_name, keytab);
  50     } else
  51         kret = krb5_kt_default(gssapi_krb5_context, keytab);
  52     return (kret);
  53 }
  54
  55 static OM_uint32 acquire_initiator_cred
  56                   (OM_uint32 * minor_status,
  57                    const gss_name_t desired_name,
  58                    OM_uint32 time_req,
  59                    const gss_OID_set desired_mechs,
  60                    gss_cred_usage_t cred_usage,
  61                    gss_cred_id_t handle,
  62                    gss_OID_set * actual_mechs,
  63                    OM_uint32 * time_rec
  64                   )
  65 {
  66     OM_uint32 ret;
  67     krb5_creds cred;
  68     krb5_principal def_princ;
  69     krb5_get_init_creds_opt opt;
  70     krb5_ccache ccache;
  71     krb5_keytab keytab;
  72     krb5_error_code kret;
  73
  74     keytab = NULL;
  75     ccache = NULL;
  76     def_princ = NULL;
  77     ret = GSS_S_FAILURE;
  78     memset(&cred, 0, sizeof(cred));
  79
  80     kret = krb5_cc_default(gssapi_krb5_context, &ccache);
  81     if (kret)
  82         goto end;
  83     kret = krb5_cc_get_principal(gssapi_krb5_context, ccache,
  84         &def_princ);
  85     if (kret != 0) {
  86         /* we'll try to use a keytab below */
  87         krb5_cc_destroy(gssapi_krb5_context, ccache);
  88         ccache = NULL;
  89         kret = 0;
  90     } else if (handle->principal == NULL)  {
  91         kret = krb5_copy_principal(gssapi_krb5_context, def_princ,
  92             &handle->principal);
  93         if (kret)
  94             goto end;
  95     } else if (handle->principal != NULL &&
  96         krb5_principal_compare(gssapi_krb5_context, handle->principal,
  97         def_princ) == FALSE) {
  98         kret = KRB5_PRINC_NOMATCH;
  99         goto end;
 100     }
 101     if (def_princ == NULL) {
 102         /* We have no existing credentials cache,
 103          * so attempt to get a TGT using a keytab.
 104          */
 105         if (handle->principal == NULL) {
 106             kret = krb5_get_default_principal(gssapi_krb5_context,
 107                 &handle->principal);
 108             if (kret)
 109                 goto end;
 110         }
 111         kret = get_keytab(&keytab);
 112         if (kret)
 113             goto end;
 114         krb5_get_init_creds_opt_init(&opt);
 115         kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
 116             handle->principal, keytab, 0, NULL, &opt);
 117         if (kret)
 118             goto end;
 119         kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
 120                 &ccache);
 121         if (kret)
 122             goto end;
 123         kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
 124         if (kret)
 125             goto end;
 126         kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
 127         if (kret)
 128             goto end;
 129     }
 130     handle->ccache = ccache;
 131     ret = GSS_S_COMPLETE;
 132
 133 end:
 134     if (cred.client != NULL)
 135         krb5_free_creds_contents(gssapi_krb5_context, &cred);
 136     if (def_princ != NULL)
 137         krb5_free_principal(gssapi_krb5_context, def_princ);
 138     if (keytab != NULL)
 139         krb5_kt_close(gssapi_krb5_context, keytab);
 140     if (ret != GSS_S_COMPLETE) {
 141         if (ccache != NULL)
 142             krb5_cc_close(gssapi_krb5_context, ccache);
 143         if (kret != 0) {
 144             *minor_status = kret;
 145             gssapi_krb5_set_error_string ();
 146         }
 147     }
 148     return (ret);
 149 }
 150
 151 static OM_uint32 acquire_acceptor_cred
 152                   (OM_uint32 * minor_status,
 153                    const gss_name_t desired_name,
 154                    OM_uint32 time_req,
 155                    const gss_OID_set desired_mechs,
 156                    gss_cred_usage_t cred_usage,
 157                    gss_cred_id_t handle,
 158                    gss_OID_set * actual_mechs,
 159                    OM_uint32 * time_rec
 160                   )
 161 {
 162     OM_uint32 ret;
 163     krb5_error_code kret;
 164
 165     kret = 0;
 166     ret = GSS_S_FAILURE;
 167     kret = get_keytab(&handle->keytab);
 168     if (kret)
 169         goto end;
 170     ret = GSS_S_COMPLETE;
 171
 172 end:
 173     if (ret != GSS_S_COMPLETE) {
 174         if (handle->keytab != NULL)
 175             krb5_kt_close(gssapi_krb5_context, handle->keytab);
 176         if (kret != 0) {
 177             *minor_status = kret;
 178             gssapi_krb5_set_error_string ();
 179         }
 180     }
 181     return (ret);
 182 }
 183
 184 OM_uint32 gss_acquire_cred
 185            (OM_uint32 * minor_status,
 186             const gss_name_t desired_name,
 187             OM_uint32 time_req,
 188             const gss_OID_set desired_mechs,
 189             gss_cred_usage_t cred_usage,
 190             gss_cred_id_t * output_cred_handle,
 191             gss_OID_set * actual_mechs,
 192             OM_uint32 * time_rec
 193            )
 194 {
 195     gss_cred_id_t handle;
 196     OM_uint32 ret;
 197
 198     gssapi_krb5_init ();
 199
 200     *minor_status = 0;
 201     handle = (gss_cred_id_t)malloc(sizeof(*handle));
 202     if (handle == GSS_C_NO_CREDENTIAL)
 203         return (GSS_S_FAILURE);
 204
 205     memset(handle, 0, sizeof (*handle));
 206
 207     if (desired_name != GSS_C_NO_NAME) {
 208         ret = gss_duplicate_name(minor_status, desired_name,
 209             &handle->principal);
 210         if (ret != GSS_S_COMPLETE) {
 211             free(handle);
 212             return (ret);
 213         }
 214     }
 215     if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
 216         ret = acquire_initiator_cred(minor_status, desired_name, time_req,
 217             desired_mechs, cred_usage, handle, actual_mechs, time_rec);
 218         if (ret != GSS_S_COMPLETE) {
 219             free(handle);
 220             return (ret);
 221         }
 222     }
 223     if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
 224         ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
 225             desired_mechs, cred_usage, handle, actual_mechs, time_rec);
 226         if (ret != GSS_S_COMPLETE) {
 227             free(handle);
 228             return (ret);
 229         }
 230     }
 231     ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
 232     if (ret == GSS_S_COMPLETE)
 233         ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
 234                                  &handle->mechanisms);
 235     if (ret == GSS_S_COMPLETE)
 236         ret = gss_inquire_cred(minor_status, handle, NULL, time_rec, NULL,
 237                            actual_mechs);
 238     if (ret != GSS_S_COMPLETE) {
 239         if (handle->mechanisms != NULL)
 240                 gss_release_oid_set(NULL, &handle->mechanisms);
 241         free(handle);
 242         return (ret);
 243     }
 244     /* XXX */
 245     handle->lifetime = time_req;
 246     handle->usage = cred_usage;
 247     *output_cred_handle = handle;
 248     return (GSS_S_COMPLETE);
 249 }