2 * Copyright (c) 2003 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "gsskrb5_locl.h"
36 OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred_from (
37 OM_uint32 *minor_status,
38 gss_cred_id_t input_cred_handle,
39 gss_const_name_t desired_name,
40 const gss_OID desired_mech,
41 gss_cred_usage_t cred_usage,
42 OM_uint32 initiator_time_req,
43 OM_uint32 acceptor_time_req,
44 gss_const_key_value_set_t cred_store,
45 gss_cred_id_t *output_cred_handle,
46 gss_OID_set *actual_mechs,
47 OM_uint32 *initiator_time_rec,
48 OM_uint32 *acceptor_time_rec)
51 OM_uint32 major, lifetime;
52 gsskrb5_cred cred, handle;
53 krb5_const_principal dname;
56 cred = (gsskrb5_cred)input_cred_handle;
57 dname = (krb5_const_principal)desired_name;
59 if (cred == NULL && output_cred_handle == NULL) {
60 *minor_status = EINVAL;
61 return GSS_S_CALL_INACCESSIBLE_WRITE;
64 GSSAPI_KRB5_INIT (&context);
66 if (desired_mech != GSS_C_NO_OID &&
67 gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
69 return GSS_S_BAD_MECH;
74 * Acquire a credential; output_cred_handle can't be NULL, see above.
76 heim_assert(output_cred_handle != NULL,
77 "internal error in _gsskrb5_add_cred()");
79 major = _gsskrb5_acquire_cred_from(minor_status, desired_name,
80 min(initiator_time_req,
86 actual_mechs, &lifetime);
87 if (major != GSS_S_COMPLETE)
92 * Check that we're done or copy input to output if
93 * output_cred_handle != NULL.
96 HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
98 /* Check if requested output usage is compatible with output usage */
99 if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
100 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
101 *minor_status = GSS_KRB5_S_G_BAD_USAGE;
102 return(GSS_S_FAILURE);
105 /* Check that we have the same name */
107 krb5_principal_compare(context, dname,
108 cred->principal) != FALSE) {
109 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
111 return GSS_S_BAD_NAME;
114 if (output_cred_handle == NULL) {
116 * This case is basically useless as we implement a single
117 * mechanism here, so we can't add elements to the
120 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
122 return GSS_S_COMPLETE;
126 * Copy input to output -- this works as if we were a
127 * GSS_Duplicate_cred() for one mechanism element.
130 handle = calloc(1, sizeof(*handle));
131 if (handle == NULL) {
133 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
134 *minor_status = ENOMEM;
135 return (GSS_S_FAILURE);
138 handle->usage = cred_usage;
139 handle->endtime = cred->endtime;
140 handle->principal = NULL;
141 handle->destination_realm = NULL;
142 handle->keytab = NULL;
143 handle->ccache = NULL;
144 handle->mechanisms = NULL;
145 HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
147 major = GSS_S_FAILURE;
149 *minor_status = krb5_copy_principal(context, cred->principal,
152 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
154 return GSS_S_FAILURE;
160 *minor_status = krb5_kt_get_full_name(context, cred->keytab,
165 *minor_status = krb5_kt_resolve(context, name, &handle->keytab);
172 const char *type, *name;
173 char *type_name = NULL;
175 type = krb5_cc_get_type(context, cred->ccache);
177 *minor_status = ENOMEM;
181 if (strcmp(type, "MEMORY") == 0) {
182 *minor_status = krb5_cc_new_unique(context, type,
183 NULL, &handle->ccache);
187 *minor_status = krb5_cc_copy_cache(context, cred->ccache,
193 name = krb5_cc_get_name(context, cred->ccache);
195 *minor_status = ENOMEM;
199 if (asprintf(&type_name, "%s:%s", type, name) == -1 ||
201 *minor_status = ENOMEM;
205 *minor_status = krb5_cc_resolve(context, type_name,
212 major = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
213 if (major != GSS_S_COMPLETE)
216 major = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
217 &handle->mechanisms);
218 if (major != GSS_S_COMPLETE)
221 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
223 major = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred,
224 NULL, &lifetime, NULL, actual_mechs);
225 if (major != GSS_S_COMPLETE)
228 *output_cred_handle = (gss_cred_id_t)handle;
231 if (initiator_time_rec)
232 *initiator_time_rec = lifetime;
233 if (acceptor_time_rec)
234 *acceptor_time_rec = lifetime;
241 if (handle->principal)
242 krb5_free_principal(context, handle->principal);
244 krb5_kt_close(context, handle->keytab);
246 krb5_cc_destroy(context, handle->ccache);
247 if (handle->mechanisms)
248 gss_release_oid_set(NULL, &handle->mechanisms);
251 if (cred && output_cred_handle)
252 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);