2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5/gsskrb5_locl.h"
36 RCSID("$Id: acquire_cred.c,v 1.31 2006/10/07 22:13:55 lha Exp $");
39 __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
41 krb5_principal principal,
44 krb5_creds in_cred, *out_cred;
45 krb5_const_realm realm;
48 memset(&in_cred, 0, sizeof(in_cred));
49 in_cred.client = principal;
51 realm = krb5_principal_get_realm(_gsskrb5_context, principal);
53 _gsskrb5_clear_status ();
54 *minor_status = KRB5_PRINC_NOMATCH; /* XXX */
58 kret = krb5_make_principal(_gsskrb5_context, &in_cred.server,
59 realm, KRB5_TGS_NAME, realm, NULL);
61 _gsskrb5_set_error_string();
66 kret = krb5_get_credentials(_gsskrb5_context, 0,
67 id, &in_cred, &out_cred);
68 krb5_free_principal(_gsskrb5_context, in_cred.server);
70 _gsskrb5_set_error_string();
75 *lifetime = out_cred->times.endtime;
76 krb5_free_creds(_gsskrb5_context, out_cred);
78 return GSS_S_COMPLETE;
84 static krb5_error_code
85 get_keytab(krb5_keytab *keytab)
90 HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
92 if (_gsskrb5_keytab != NULL) {
93 kret = krb5_kt_get_name(_gsskrb5_context,
95 kt_name, sizeof(kt_name));
97 kret = krb5_kt_resolve(_gsskrb5_context, kt_name, keytab);
99 kret = krb5_kt_default(_gsskrb5_context, keytab);
101 HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
106 static OM_uint32 acquire_initiator_cred
107 (OM_uint32 * minor_status,
108 const gss_name_t desired_name,
110 const gss_OID_set desired_mechs,
111 gss_cred_usage_t cred_usage,
113 gss_OID_set * actual_mechs,
119 krb5_principal def_princ;
120 krb5_get_init_creds_opt *opt;
123 krb5_error_code kret;
129 memset(&cred, 0, sizeof(cred));
131 /* If we have a preferred principal, lets try to find it in all
132 * caches, otherwise, fall back to default cache. Ignore
134 if (handle->principal)
135 kret = krb5_cc_cache_match (_gsskrb5_context,
140 if (ccache == NULL) {
141 kret = krb5_cc_default(_gsskrb5_context, &ccache);
145 kret = krb5_cc_get_principal(_gsskrb5_context, ccache,
148 /* we'll try to use a keytab below */
149 krb5_cc_destroy(_gsskrb5_context, ccache);
152 } else if (handle->principal == NULL) {
153 kret = krb5_copy_principal(_gsskrb5_context, def_princ,
157 } else if (handle->principal != NULL &&
158 krb5_principal_compare(_gsskrb5_context, handle->principal,
159 def_princ) == FALSE) {
160 /* Before failing, lets check the keytab */
161 krb5_free_principal(_gsskrb5_context, def_princ);
164 if (def_princ == NULL) {
165 /* We have no existing credentials cache,
166 * so attempt to get a TGT using a keytab.
168 if (handle->principal == NULL) {
169 kret = krb5_get_default_principal(_gsskrb5_context,
174 kret = get_keytab(&keytab);
177 kret = krb5_get_init_creds_opt_alloc(_gsskrb5_context, &opt);
180 kret = krb5_get_init_creds_keytab(_gsskrb5_context, &cred,
181 handle->principal, keytab, 0, NULL, opt);
182 krb5_get_init_creds_opt_free(opt);
185 kret = krb5_cc_gen_new(_gsskrb5_context, &krb5_mcc_ops,
189 kret = krb5_cc_initialize(_gsskrb5_context, ccache, cred.client);
192 kret = krb5_cc_store_cred(_gsskrb5_context, ccache, &cred);
195 handle->lifetime = cred.times.endtime;
196 handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
199 ret = __gsskrb5_ccache_lifetime(minor_status,
203 if (ret != GSS_S_COMPLETE)
208 handle->ccache = ccache;
209 ret = GSS_S_COMPLETE;
212 if (cred.client != NULL)
213 krb5_free_cred_contents(_gsskrb5_context, &cred);
214 if (def_princ != NULL)
215 krb5_free_principal(_gsskrb5_context, def_princ);
217 krb5_kt_close(_gsskrb5_context, keytab);
218 if (ret != GSS_S_COMPLETE) {
220 krb5_cc_close(_gsskrb5_context, ccache);
222 *minor_status = kret;
223 _gsskrb5_set_error_string ();
229 static OM_uint32 acquire_acceptor_cred
230 (OM_uint32 * minor_status,
231 const gss_name_t desired_name,
233 const gss_OID_set desired_mechs,
234 gss_cred_usage_t cred_usage,
236 gss_OID_set * actual_mechs,
241 krb5_error_code kret;
245 kret = get_keytab(&handle->keytab);
249 /* check that the requested principal exists in the keytab */
250 if (handle->principal) {
251 krb5_keytab_entry entry;
253 kret = krb5_kt_get_entry(_gsskrb5_context, handle->keytab,
254 handle->principal, 0, 0, &entry);
257 krb5_kt_free_entry(_gsskrb5_context, &entry);
259 ret = GSS_S_COMPLETE;
262 if (ret != GSS_S_COMPLETE) {
263 if (handle->keytab != NULL)
264 krb5_kt_close(_gsskrb5_context, handle->keytab);
266 *minor_status = kret;
267 _gsskrb5_set_error_string ();
273 OM_uint32 _gsskrb5_acquire_cred
274 (OM_uint32 * minor_status,
275 const gss_name_t desired_name,
277 const gss_OID_set desired_mechs,
278 gss_cred_usage_t cred_usage,
279 gss_cred_id_t * output_cred_handle,
280 gss_OID_set * actual_mechs,
287 if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
288 *minor_status = GSS_KRB5_S_G_BAD_USAGE;
289 return GSS_S_FAILURE;
294 *output_cred_handle = NULL;
298 *actual_mechs = GSS_C_NO_OID_SET;
303 ret = _gsskrb5_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
304 desired_mechs, &present);
309 return GSS_S_BAD_MECH;
313 handle = calloc(1, sizeof(*handle));
314 if (handle == NULL) {
315 *minor_status = ENOMEM;
316 return (GSS_S_FAILURE);
319 HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
321 if (desired_name != GSS_C_NO_NAME) {
322 krb5_principal name = (krb5_principal)desired_name;
323 ret = krb5_copy_principal(_gsskrb5_context, name, &handle->principal);
325 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
326 _gsskrb5_set_error_string();
329 return GSS_S_FAILURE;
332 if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
333 ret = acquire_initiator_cred(minor_status, desired_name, time_req,
334 desired_mechs, cred_usage, handle, actual_mechs, time_rec);
335 if (ret != GSS_S_COMPLETE) {
336 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
337 krb5_free_principal(_gsskrb5_context, handle->principal);
342 if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
343 ret = acquire_acceptor_cred(minor_status, desired_name, time_req,
344 desired_mechs, cred_usage, handle, actual_mechs, time_rec);
345 if (ret != GSS_S_COMPLETE) {
346 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
347 krb5_free_principal(_gsskrb5_context, handle->principal);
352 ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
353 if (ret == GSS_S_COMPLETE)
354 ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
355 &handle->mechanisms);
356 if (ret == GSS_S_COMPLETE)
357 ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
358 NULL, time_rec, NULL, actual_mechs);
359 if (ret != GSS_S_COMPLETE) {
360 if (handle->mechanisms != NULL)
361 _gsskrb5_release_oid_set(NULL, &handle->mechanisms);
362 HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
363 krb5_free_principal(_gsskrb5_context, handle->principal);
369 ret = _gsskrb5_lifetime_left(minor_status,
376 handle->usage = cred_usage;
377 *output_cred_handle = (gss_cred_id_t)handle;
378 return (GSS_S_COMPLETE);