source4/heimdal/lib/gssapi/krb5/acquire_cred.c

   1 /*
   2  * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "gsskrb5_locl.h"
  35
  36 OM_uint32
  37 __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
  38                           krb5_context context,
  39                           krb5_ccache id,
  40                           krb5_principal principal,
  41                           OM_uint32 *lifetime)
  42 {
  43     krb5_creds in_cred, *out_cred;
  44     krb5_const_realm realm;
  45     krb5_error_code kret;
  46
  47     memset(&in_cred, 0, sizeof(in_cred));
  48     in_cred.client = principal;
  49
  50     realm = krb5_principal_get_realm(context,  principal);
  51     if (realm == NULL) {
  52         _gsskrb5_clear_status ();
  53         *minor_status = KRB5_PRINC_NOMATCH; /* XXX */
  54         return GSS_S_FAILURE;
  55     }
  56
  57     kret = krb5_make_principal(context, &in_cred.server,
  58                                realm, KRB5_TGS_NAME, realm, NULL);
  59     if (kret) {
  60         *minor_status = kret;
  61         return GSS_S_FAILURE;
  62     }
  63
  64     kret = krb5_get_credentials(context, 0,
  65                                 id, &in_cred, &out_cred);
  66     krb5_free_principal(context, in_cred.server);
  67     if (kret) {
  68         *minor_status = kret;
  69         return GSS_S_FAILURE;
  70     }
  71
  72     *lifetime = out_cred->times.endtime;
  73     krb5_free_creds(context, out_cred);
  74
  75     return GSS_S_COMPLETE;
  76 }
  77
  78
  79
  80
  81 static krb5_error_code
  82 get_keytab(krb5_context context, krb5_keytab *keytab)
  83 {
  84     char kt_name[256];
  85     krb5_error_code kret;
  86
  87     HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
  88
  89     if (_gsskrb5_keytab != NULL) {
  90         kret = krb5_kt_get_name(context,
  91                                 _gsskrb5_keytab,
  92                                 kt_name, sizeof(kt_name));
  93         if (kret == 0)
  94             kret = krb5_kt_resolve(context, kt_name, keytab);
  95     } else
  96         kret = krb5_kt_default(context, keytab);
  97
  98     HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
  99
 100     return (kret);
 101 }
 102
 103 static OM_uint32 acquire_initiator_cred
 104                   (OM_uint32 * minor_status,
 105                    krb5_context context,
 106                    const gss_name_t desired_name,
 107                    OM_uint32 time_req,
 108                    const gss_OID_set desired_mechs,
 109                    gss_cred_usage_t cred_usage,
 110                    gsskrb5_cred handle,
 111                    gss_OID_set * actual_mechs,
 112                    OM_uint32 * time_rec
 113                   )
 114 {
 115     OM_uint32 ret;
 116     krb5_creds cred;
 117     krb5_principal def_princ;
 118     krb5_get_init_creds_opt *opt;
 119     krb5_ccache ccache;
 120     krb5_keytab keytab;
 121     krb5_error_code kret;
 122
 123     keytab = NULL;
 124     ccache = NULL;
 125     def_princ = NULL;
 126     ret = GSS_S_FAILURE;
 127     memset(&cred, 0, sizeof(cred));
 128
 129     /*
 130      * If we have a preferred principal, lets try to find it in all
 131      * caches, otherwise, fall back to default cache, ignore all
 132      * errors while searching.
 133      */
 134
 135     if (handle->principal) {
 136         kret = krb5_cc_cache_match (context,
 137                                     handle->principal,
 138                                     &ccache);
 139         if (kret == 0) {
 140             ret = GSS_S_COMPLETE;
 141             goto found;
 142         }
 143     }
 144
 145     if (ccache == NULL) {
 146         kret = krb5_cc_default(context, &ccache);
 147         if (kret)
 148             goto end;
 149     }
 150     kret = krb5_cc_get_principal(context, ccache, &def_princ);
 151     if (kret != 0) {
 152         /* we'll try to use a keytab below */
 153         krb5_cc_close(context, ccache);
 154         def_princ = NULL;
 155         kret = 0;
 156     } else if (handle->principal == NULL)  {
 157         kret = krb5_copy_principal(context, def_princ, &handle->principal);
 158         if (kret)
 159             goto end;
 160     } else if (handle->principal != NULL &&
 161                krb5_principal_compare(context, handle->principal,
 162                                       def_princ) == FALSE) {
 163         krb5_free_principal(context, def_princ);
 164         def_princ = NULL;
 165         krb5_cc_close(context, ccache);
 166         ccache = NULL;
 167     }
 168     if (def_princ == NULL) {
 169         /* We have no existing credentials cache,
 170          * so attempt to get a TGT using a keytab.
 171          */
 172         if (handle->principal == NULL) {
 173             kret = krb5_get_default_principal(context, &handle->principal);
 174             if (kret)
 175                 goto end;
 176         }
 177         kret = get_keytab(context, &keytab);
 178         if (kret)
 179             goto end;
 180         kret = krb5_get_init_creds_opt_alloc(context, &opt);
 181         if (kret)
 182             goto end;
 183         kret = krb5_get_init_creds_keytab(context, &cred,
 184             handle->principal, keytab, 0, NULL, opt);
 185         krb5_get_init_creds_opt_free(context, opt);
 186         if (kret)
 187             goto end;
 188         kret = krb5_cc_new_unique(context, krb5_cc_type_memory,
 189                                   NULL, &ccache);
 190         if (kret)
 191             goto end;
 192         kret = krb5_cc_initialize(context, ccache, cred.client);
 193         if (kret) {
 194             krb5_cc_destroy(context, ccache);
 195             goto end;
 196         }
 197         kret = krb5_cc_store_cred(context, ccache, &cred);
 198         if (kret) {
 199             krb5_cc_destroy(context, ccache);
 200             goto end;
 201         }
 202         handle->lifetime = cred.times.endtime;
 203         handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
 204     } else {
 205
 206         ret = __gsskrb5_ccache_lifetime(minor_status,
 207                                         context,
 208                                         ccache,
 209                                         handle->principal,
 210                                         &handle->lifetime);
 211         if (ret != GSS_S_COMPLETE) {
 212             krb5_cc_close(context, ccache);
 213             goto end;
 214         }
 215         kret = 0;
 216     }
 217  found:
 218     handle->ccache = ccache;
 219     ret = GSS_S_COMPLETE;
 220
 221 end:
 222     if (cred.client != NULL)
 223         krb5_free_cred_contents(context, &cred);
 224     if (def_princ != NULL)
 225         krb5_free_principal(context, def_princ);
 226     if (keytab != NULL)
 227         krb5_kt_close(context, keytab);
 228     if (ret != GSS_S_COMPLETE && kret != 0)
 229         *minor_status = kret;
 230     return (ret);
 231 }
 232
 233 static OM_uint32 acquire_acceptor_cred
 234                   (OM_uint32 * minor_status,
 235                    krb5_context context,
 236                    const gss_name_t desired_name,
 237                    OM_uint32 time_req,
 238                    const gss_OID_set desired_mechs,
 239                    gss_cred_usage_t cred_usage,
 240                    gsskrb5_cred handle,
 241                    gss_OID_set * actual_mechs,
 242                    OM_uint32 * time_rec
 243                   )
 244 {
 245     OM_uint32 ret;
 246     krb5_error_code kret;
 247
 248     ret = GSS_S_FAILURE;
 249     kret = get_keytab(context, &handle->keytab);
 250     if (kret)
 251         goto end;
 252
 253     /* check that the requested principal exists in the keytab */
 254     if (handle->principal) {
 255         krb5_keytab_entry entry;
 256
 257         kret = krb5_kt_get_entry(context, handle->keytab,
 258                                  handle->principal, 0, 0, &entry);
 259         if (kret)
 260             goto end;
 261         krb5_kt_free_entry(context, &entry);
 262         ret = GSS_S_COMPLETE;
 263     } else {
 264         /*
 265          * Check if there is at least one entry in the keytab before
 266          * declaring it as an useful keytab.
 267          */
 268         krb5_keytab_entry tmp;
 269         krb5_kt_cursor c;
 270
 271         kret = krb5_kt_start_seq_get (context, handle->keytab, &c);
 272         if (kret)
 273             goto end;
 274         if (krb5_kt_next_entry(context, handle->keytab, &tmp, &c) == 0) {
 275             krb5_kt_free_entry(context, &tmp);
 276             ret = GSS_S_COMPLETE; /* ok found one entry */
 277         }
 278         krb5_kt_end_seq_get (context, handle->keytab, &c);
 279     }
 280 end:
 281     if (ret != GSS_S_COMPLETE) {
 282         if (handle->keytab != NULL)
 283             krb5_kt_close(context, handle->keytab);
 284         if (kret != 0) {
 285             *minor_status = kret;
 286         }
 287     }
 288     return (ret);
 289 }
 290
 291 OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
 292 (OM_uint32 * minor_status,
 293  const gss_name_t desired_name,
 294  OM_uint32 time_req,
 295  const gss_OID_set desired_mechs,
 296  gss_cred_usage_t cred_usage,
 297  gss_cred_id_t * output_cred_handle,
 298  gss_OID_set * actual_mechs,
 299  OM_uint32 * time_rec
 300     )
 301 {
 302     krb5_context context;
 303     gsskrb5_cred handle;
 304     OM_uint32 ret;
 305
 306     if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
 307         *minor_status = GSS_KRB5_S_G_BAD_USAGE;
 308         return GSS_S_FAILURE;
 309     }
 310
 311     GSSAPI_KRB5_INIT(&context);
 312
 313     *output_cred_handle = NULL;
 314     if (time_rec)
 315         *time_rec = 0;
 316     if (actual_mechs)
 317         *actual_mechs = GSS_C_NO_OID_SET;
 318
 319     if (desired_mechs) {
 320         int present = 0;
 321
 322         ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
 323                                       desired_mechs, &present);
 324         if (ret)
 325             return ret;
 326         if (!present) {
 327             *minor_status = 0;
 328             return GSS_S_BAD_MECH;
 329         }
 330     }
 331
 332     handle = calloc(1, sizeof(*handle));
 333     if (handle == NULL) {
 334         *minor_status = ENOMEM;
 335         return (GSS_S_FAILURE);
 336     }
 337
 338     HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
 339
 340     if (desired_name != GSS_C_NO_NAME) {
 341
 342         ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
 343                                   desired_name, &handle->principal);
 344         if (ret) {
 345             HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
 346             free(handle);
 347             return ret;
 348         }
 349     }
 350     if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
 351         ret = acquire_initiator_cred(minor_status, context,
 352                                      desired_name, time_req,
 353                                      desired_mechs, cred_usage, handle,
 354                                      actual_mechs, time_rec);
 355         if (ret != GSS_S_COMPLETE) {
 356             HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
 357             krb5_free_principal(context, handle->principal);
 358             free(handle);
 359             return (ret);
 360         }
 361     }
 362     if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
 363         ret = acquire_acceptor_cred(minor_status, context,
 364                                     desired_name, time_req,
 365                                     desired_mechs, cred_usage, handle, actual_mechs, time_rec);
 366         if (ret != GSS_S_COMPLETE) {
 367             HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
 368             krb5_free_principal(context, handle->principal);
 369             free(handle);
 370             return (ret);
 371         }
 372     }
 373     ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
 374     if (ret == GSS_S_COMPLETE)
 375         ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
 376                                      &handle->mechanisms);
 377     if (ret == GSS_S_COMPLETE)
 378         ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
 379                                     NULL, time_rec, NULL, actual_mechs);
 380     if (ret != GSS_S_COMPLETE) {
 381         if (handle->mechanisms != NULL)
 382             gss_release_oid_set(NULL, &handle->mechanisms);
 383         HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
 384         krb5_free_principal(context, handle->principal);
 385         free(handle);
 386         return (ret);
 387     }
 388     *minor_status = 0;
 389     if (time_rec) {
 390         ret = _gsskrb5_lifetime_left(minor_status,
 391                                      context,
 392                                      handle->lifetime,
 393                                      time_rec);
 394
 395         if (ret)
 396             return ret;
 397     }
 398     handle->usage = cred_usage;
 399     *output_cred_handle = (gss_cred_id_t)handle;
 400     return (GSS_S_COMPLETE);
 401 }