1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #include <k5-int.h> 28 #include <gssapiP_krb5.h> 29 #include <memory.h> 30 #include <assert.h> 31 #include <syslog.h> 32 33 extern uint_t kwarn_add_warning(char *, int); 34 extern uint_t kwarn_del_warning(char *); 35 36 static 37 OM_uint32 38 store_init_cred(ct, minor_status, cred, dflt) 39 krb5_context ct; 40 OM_uint32 *minor_status; 41 const krb5_gss_cred_id_t cred; 42 int dflt; 43 { 44 OM_uint32 maj = GSS_S_COMPLETE; 45 krb5_error_code code; 46 krb5_ccache ccache = NULL; /* current [file] ccache */ 47 krb5_principal ccprinc = NULL; /* default princ of current ccache */ 48 49 if (minor_status == NULL) 50 return (GSS_S_CALL_INACCESSIBLE_WRITE); 51 *minor_status = 0; 52 53 /* Get current ccache -- respect KRB5CCNAME, or use OS default */ 54 if ((code = krb5_cc_default(ct, &ccache))) { 55 *minor_status = code; 56 return (GSS_S_FAILURE); 57 } 58 59 /* 60 * Here we should do something like: 61 * 62 * a) take all the initial tickets from the current ccache for 63 * client principals other than the given cred's 64 * b) copy them to a tmp MEMORY ccache 65 * c) copy the given cred's tickets to that same tmp ccache 66 * d) initialize the current ccache with either the same default 67 * princ as before (!dflt) or with the input cred's princ as the 68 * default princ (dflt) and copy the tmp ccache's creds to it. 69 * 70 * However, for now we just initialize the current ccache, if 71 * (dflt), and copy the input cred's tickets to it. 72 * 73 * To support the above ideal we'd need a variant of 74 * krb5_cc_copy_creds(). But then, preserving any tickets from 75 * the current ccache may be problematic if the ccache has many, 76 * many service tickets in it as that makes ccache enumeration 77 * really, really slow; we might want to address ccache perf 78 * first. 79 * 80 * So storing of non-default credentials is not supported. 81 */ 82 if (dflt) { 83 /* Treat this as "caller asks to initialize ccache" */ 84 /* LINTED */ 85 if ((code = krb5_cc_initialize(ct, ccache, cred->princ))) { 86 *minor_status = code; 87 maj = GSS_S_FAILURE; 88 goto cleanup; 89 } 90 } else { 91 *minor_status = (OM_uint32) G_STORE_NON_DEFAULT_CRED_NOSUPP; 92 maj = GSS_S_FAILURE; 93 goto cleanup; 94 } 95 96 if ((code = krb5_cc_copy_creds(ct, cred->ccache, ccache))) { 97 *minor_status = code; 98 maj = GSS_S_FAILURE; 99 goto cleanup; 100 } 101 102 cleanup: 103 if (ccprinc != NULL) 104 krb5_free_principal(ct, ccprinc); 105 if (ccache != NULL) 106 /* LINTED */ 107 krb5_cc_close(ct, ccache); 108 109 return (maj); 110 } 111 112 OM_uint32 113 krb5_gss_store_cred(minor_status, input_cred, cred_usage, 114 desired_mech, overwrite_cred, default_cred, elements_stored, 115 cred_usage_stored) 116 OM_uint32 *minor_status; 117 const gss_cred_id_t input_cred; 118 gss_cred_usage_t cred_usage; 119 gss_OID desired_mech; 120 OM_uint32 overwrite_cred; 121 OM_uint32 default_cred; 122 gss_OID_set *elements_stored; 123 gss_cred_usage_t *cred_usage_stored; 124 { 125 OM_uint32 maj, maj2, min; 126 krb5_context ctx = NULL; 127 krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)input_cred; 128 krb5_gss_cred_id_t cur_cred = (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL; 129 gss_OID_set desired_mechs = GSS_C_NULL_OID_SET; 130 OM_uint32 in_time_rec; /* lifetime of input cred */ 131 OM_uint32 cur_time_rec; /* lifetime of current cred */ 132 gss_cred_usage_t in_usage; /* usage of input cred */ 133 gss_name_t in_name = GSS_C_NO_NAME; /* name of input cred */ 134 char *client_name = NULL; 135 136 if (input_cred == GSS_C_NO_CREDENTIAL) 137 return (GSS_S_CALL_INACCESSIBLE_READ); 138 139 /* Initialize output parameters */ 140 if (minor_status == NULL) 141 return (GSS_S_CALL_INACCESSIBLE_WRITE); 142 *minor_status = 0; 143 144 if (elements_stored != NULL) 145 *elements_stored = GSS_C_NULL_OID_SET; 146 147 if (cred_usage_stored != NULL) 148 *cred_usage_stored = -1; /* need GSS_C_NEITHER! */ 149 150 /* Sanity check cred_usage */ 151 if (cred_usage != GSS_C_BOTH && cred_usage != GSS_C_INITIATE && 152 cred_usage != GSS_C_ACCEPT) { 153 *minor_status = (OM_uint32) G_BAD_USAGE; 154 return (GSS_S_CALL_BAD_STRUCTURE); 155 } 156 157 /* Not supported: storing acceptor creds -- short cut now */ 158 if (cred_usage == GSS_C_ACCEPT) { 159 *minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP; 160 return (GSS_S_FAILURE); 161 } 162 if (cred_usage == GSS_C_BOTH) 163 cred_usage = GSS_C_INITIATE; 164 165 min = krb5_gss_init_context(&ctx); 166 if (min) { 167 *minor_status = min; 168 return (GSS_S_FAILURE); 169 } 170 171 /* * Find out the name, lifetime and cred usage of the input cred */ 172 maj = krb5_gss_inquire_cred(minor_status, input_cred, 173 &in_name, &in_time_rec, &in_usage, NULL); 174 if (GSS_ERROR(maj)) 175 goto cleanup; 176 177 /* Check that the input cred isn't expired */ 178 if (in_time_rec == 0) { 179 maj = GSS_S_CREDENTIALS_EXPIRED; 180 goto cleanup; 181 } 182 183 /* The requested and input cred usage must agree */ 184 if (in_usage != cred_usage && cred_usage != GSS_C_BOTH) { 185 *minor_status = (OM_uint32) G_CRED_USAGE_MISMATCH; 186 maj = GSS_S_NO_CRED; 187 goto cleanup; 188 } 189 190 if (in_usage == GSS_C_ACCEPT) { 191 *minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP; 192 maj = GSS_S_FAILURE; 193 goto cleanup; 194 } 195 196 /* Get current cred, if any */ 197 if (desired_mech != GSS_C_NULL_OID) { 198 /* assume that libgss gave us one of our mech OIDs */ 199 maj = gss_create_empty_oid_set(minor_status, &desired_mechs); 200 if (GSS_ERROR(maj)) 201 return (maj); 202 203 maj = gss_add_oid_set_member(minor_status, desired_mech, 204 &desired_mechs); 205 if (GSS_ERROR(maj)) 206 goto cleanup; 207 } 208 209 /* 210 * Handle overwrite_cred option. If overwrite_cred == FALSE 211 * then we must be careful not to overwrite an existing 212 * unexpired credential. 213 */ 214 maj2 = krb5_gss_acquire_cred(&min, 215 (default_cred) ? GSS_C_NO_NAME : in_name, 216 0, desired_mechs, cred_usage, 217 (gss_cred_id_t *)&cur_cred, NULL, &cur_time_rec); 218 219 if (GSS_ERROR(maj2)) 220 overwrite_cred = 1; /* nothing to overwrite */ 221 222 if (cur_time_rec > 0 && !overwrite_cred) { 223 maj = GSS_S_DUPLICATE_ELEMENT; /* would overwrite */ 224 goto cleanup; 225 } 226 227 /* Ready to store -- store_init_cred() handles default_cred */ 228 maj = store_init_cred(ctx, minor_status, cred, default_cred); 229 if (GSS_ERROR(maj)) 230 goto cleanup; 231 232 /* Alert ktkt_warnd(8) */ 233 maj = krb5_unparse_name(ctx, cred->princ, &client_name); 234 if (GSS_ERROR(maj)) 235 goto cleanup; 236 (void) kwarn_del_warning(client_name); 237 if (kwarn_add_warning(client_name, cred->tgt_expire) != 0) { 238 syslog(LOG_AUTH|LOG_NOTICE, 239 "store_cred: kwarn_add_warning" 240 " failed: ktkt_warnd(8) down? "); 241 } 242 free(client_name); 243 client_name = NULL; 244 245 /* Output parameters */ 246 if (cred_usage_stored != NULL) 247 *cred_usage_stored = GSS_C_INITIATE; 248 249 if (elements_stored != NULL) { 250 maj = gss_create_empty_oid_set(minor_status, elements_stored); 251 if (GSS_ERROR(maj)) 252 goto cleanup; 253 254 maj = gss_add_oid_set_member(minor_status, 255 (const gss_OID)gss_mech_krb5, elements_stored); 256 if (GSS_ERROR(maj)) { 257 (void) gss_release_oid_set(&min, elements_stored); 258 *elements_stored = GSS_C_NULL_OID_SET; 259 goto cleanup; 260 } 261 } 262 263 cleanup: 264 if (desired_mechs != GSS_C_NULL_OID_SET) 265 (void) gss_release_oid_set(&min, &desired_mechs); 266 if (cur_cred != (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL) 267 (void) krb5_gss_release_cred(&min, 268 (gss_cred_id_t *)&cur_cred); 269 if (in_name != GSS_C_NO_NAME) 270 (void) krb5_gss_release_name(&min, &in_name); 271 272 if (ctx) 273 krb5_free_context(ctx); 274 275 return (maj); 276 } 277