2 * Copyright (c) 2005 Doug Rabson
3 * Copyright (c) 2018 Kungliga Tekniska Högskolan
4 * Copyright (c) 2018 AuriStor, Inc.
5 * (Royal Institute of Technology, Stockholm, Sweden).
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * $FreeBSD: src/lib/libgssapi/gss_add_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
32 #include "mech_locl.h"
35 _gss_mg_add_mech_cred(OM_uint32 *minor_status,
36 gssapi_mech_interface m,
37 const struct _gss_mechanism_cred *mc,
38 const struct _gss_mechanism_name *mn,
39 gss_cred_usage_t cred_usage,
40 OM_uint32 initiator_time_req,
41 OM_uint32 acceptor_time_req,
42 gss_const_key_value_set_t cred_store,
43 struct _gss_mechanism_cred **out,
44 OM_uint32 *initiator_time_rec,
45 OM_uint32 *acceptor_time_rec)
47 OM_uint32 major_status;
48 struct _gss_mechanism_cred *new_mc = NULL;
53 new_mc = calloc(1, sizeof(struct _gss_mechanism_cred));
55 *minor_status = ENOMEM;
60 new_mc->gmc_mech_oid = &m->gm_mech_oid;
63 if (m->gm_add_cred_from) {
64 major_status = m->gm_add_cred_from(minor_status,
65 mc ? mc->gmc_cred : GSS_C_NO_CREDENTIAL,
66 mn ? mn->gmn_name : GSS_C_NO_NAME,
72 new_mc ? &new_mc->gmc_cred : NULL,
76 } else if (cred_store == GSS_C_NO_CRED_STORE && m->gm_add_cred) {
77 major_status = m->gm_add_cred(minor_status,
78 mc ? mc->gmc_cred : GSS_C_NO_CREDENTIAL,
79 mn ? mn->gmn_name : GSS_C_NO_NAME,
84 new_mc ? &new_mc->gmc_cred : NULL,
89 major_status = GSS_S_UNAVAILABLE;
91 if (major_status == GSS_S_COMPLETE && out) {
92 heim_assert(new_mc->gmc_cred != GSS_C_NO_CREDENTIAL,
93 "mechanism gss_add_cred did not return a cred");
102 add_mech_cred_internal(OM_uint32 *minor_status,
103 gss_const_name_t desired_name,
104 gssapi_mech_interface m,
105 gss_cred_usage_t cred_usage,
106 OM_uint32 initiator_time_req,
107 OM_uint32 acceptor_time_req,
108 gss_const_key_value_set_t cred_store,
109 struct _gss_cred *mut_cred,
110 OM_uint32 *initiator_time_rec,
111 OM_uint32 *acceptor_time_rec)
113 OM_uint32 major_status;
114 struct _gss_mechanism_cred *mc;
115 struct _gss_mechanism_name *mn;
117 heim_assert((m->gm_flags & GM_USE_MG_CRED) == 0,
118 "add_mech_cred_internal must be called with concrete mechanism");
120 if (desired_name != GSS_C_NO_NAME) {
121 major_status = _gss_find_mn(minor_status,
122 (struct _gss_name *)desired_name,
123 &m->gm_mech_oid, &mn);
124 if (major_status != GSS_S_COMPLETE)
130 * If we have an existing mechanism credential for mechanism m, then
131 * add the desired credential to it; otherwise, create a new one and
132 * add it to mut_cred.
134 HEIM_TAILQ_FOREACH(mc, &mut_cred->gc_mc, gmc_link) {
135 if (gss_oid_equal(&m->gm_mech_oid, mc->gmc_mech_oid))
140 major_status = _gss_mg_add_mech_cred(minor_status, m,
142 initiator_time_req, acceptor_time_req,
144 initiator_time_rec, acceptor_time_rec);
146 struct _gss_mechanism_cred *new_mc = NULL;
148 major_status = _gss_mg_add_mech_cred(minor_status, m,
149 NULL, mn, cred_usage,
150 initiator_time_req, acceptor_time_req,
152 initiator_time_rec, acceptor_time_rec);
153 if (major_status == GSS_S_COMPLETE)
154 HEIM_TAILQ_INSERT_TAIL(&mut_cred->gc_mc, new_mc, gmc_link);
160 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
161 gss_add_cred_from(OM_uint32 *minor_status,
162 gss_cred_id_t input_cred_handle,
163 gss_const_name_t desired_name,
164 const gss_OID desired_mech,
165 gss_cred_usage_t cred_usage,
166 OM_uint32 initiator_time_req,
167 OM_uint32 acceptor_time_req,
168 gss_const_key_value_set_t cred_store,
169 gss_cred_id_t *output_cred_handle,
170 gss_OID_set *actual_mechs,
171 OM_uint32 *initiator_time_rec,
172 OM_uint32 *acceptor_time_rec)
174 OM_uint32 major_status;
175 gssapi_mech_interface m;
176 gss_cred_id_t release_cred = GSS_C_NO_CREDENTIAL;
177 struct _gss_cred *mut_cred;
182 /* Input validation */
183 if (output_cred_handle)
184 *output_cred_handle = GSS_C_NO_CREDENTIAL;
185 if (initiator_time_rec)
186 *initiator_time_rec = 0;
187 if (acceptor_time_rec)
188 *acceptor_time_rec = 0;
190 *actual_mechs = GSS_C_NO_OID_SET;
191 if ((m = __gss_get_mechanism(desired_mech)) == NULL)
192 return GSS_S_BAD_MECH;
193 if (input_cred_handle == GSS_C_NO_CREDENTIAL &&
194 output_cred_handle == NULL) {
195 return GSS_S_CALL_INACCESSIBLE_WRITE;
198 /* Setup mut_cred to be the credential we mutate */
199 if (input_cred_handle != GSS_C_NO_CREDENTIAL &&
200 output_cred_handle != NULL) {
201 gss_cred_id_t new_cred;
203 /* Duplicate the input credential */
204 major_status = gss_duplicate_cred(minor_status, input_cred_handle,
206 if (major_status != GSS_S_COMPLETE)
208 mut_cred = (struct _gss_cred *)new_cred;
209 release_cred = (gss_cred_id_t)mut_cred;
210 } else if (input_cred_handle != GSS_C_NO_CREDENTIAL) {
211 /* Mutate the input credentials */
212 mut_cred = rk_UNCONST(input_cred_handle);
214 mut_cred = _gss_mg_alloc_cred();
215 if (mut_cred == NULL) {
216 *minor_status = ENOMEM;
217 return GSS_S_UNAVAILABLE;
219 release_cred = (gss_cred_id_t)mut_cred;
222 if (m->gm_flags & GM_USE_MG_CRED) {
223 struct _gss_mech_switch *ms;
224 OM_uint32 initiator_time_min = GSS_C_INDEFINITE;
225 OM_uint32 acceptor_time_min = GSS_C_INDEFINITE;
227 major_status = GSS_S_UNAVAILABLE; /* in case of no mechs */
229 if (input_cred_handle == GSS_C_NO_CREDENTIAL) {
230 HEIM_TAILQ_FOREACH(ms, &_gss_mechs, gm_link) {
231 m = &ms->gm_mech; /* for _gss_mg_error() */
233 if (m->gm_flags & GM_USE_MG_CRED)
236 major_status = add_mech_cred_internal(minor_status, desired_name, m,
238 initiator_time_req, acceptor_time_req,
239 cred_store, mut_cred,
240 initiator_time_rec, acceptor_time_rec);
241 if (major_status != GSS_S_COMPLETE)
244 if (initiator_time_rec && *initiator_time_rec < initiator_time_min)
245 initiator_time_min = *initiator_time_rec;
246 if (acceptor_time_rec && *acceptor_time_rec < acceptor_time_min)
247 acceptor_time_min = *acceptor_time_rec;
251 gss_cred_usage_t usage = GSS_C_BOTH;
253 major_status = gss_inquire_cred(minor_status, input_cred_handle,
254 NULL, &lifetime, &usage, NULL);
255 if (major_status == GSS_S_COMPLETE) {
256 if (usage == GSS_C_BOTH || usage == GSS_C_INITIATE)
257 initiator_time_min = lifetime;
258 if (usage == GSS_C_BOTH || usage == GSS_C_ACCEPT)
259 acceptor_time_min = lifetime;
263 if (initiator_time_rec)
264 *initiator_time_rec = initiator_time_min;
265 if (acceptor_time_rec)
266 *acceptor_time_rec = acceptor_time_min;
268 major_status = add_mech_cred_internal(minor_status, desired_name, m,
270 initiator_time_req, acceptor_time_req,
271 cred_store, mut_cred,
272 initiator_time_rec, acceptor_time_rec);
275 if (major_status != GSS_S_COMPLETE)
276 _gss_mg_error(m, *minor_status);
278 /* Lastly, we have to inquire the cred to get the actual_mechs */
279 if (major_status == GSS_S_COMPLETE && actual_mechs != NULL) {
280 major_status = gss_inquire_cred(minor_status,
281 (gss_const_cred_id_t)mut_cred, NULL,
282 NULL, NULL, actual_mechs);
284 if (major_status == GSS_S_COMPLETE) {
285 if (output_cred_handle != NULL)
286 *output_cred_handle = (gss_cred_id_t)mut_cred;
288 gss_release_cred(&junk, &release_cred);