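/*
 * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

#include <k5-int.h>
#include <gssapiP_krb5.h>
#include <memory.h>
#include <assert.h>

/*
 * store_init_cred() - copy the tickets of an initiator credential into
 * the process's current default credential cache.
 *
 *	ct		krb5 context
 *	minor_status	out: krb5 error code or G_* minor code; must not
 *			be NULL
 *	cred		credential whose princ and ccache are read
 *	dflt		non-zero: re-initialize the default ccache with
 *			cred->princ, then copy cred's tickets into it;
 *			zero: rejected, storing non-default creds is not
 *			supported
 *
 * Returns GSS_S_COMPLETE on success, GSS_S_CALL_INACCESSIBLE_WRITE when
 * minor_status is NULL, otherwise GSS_S_FAILURE with *minor_status set.
 *
 * NOTE(review): the destination cache is whatever krb5_cc_default()
 * resolves, so it follows the process environment (KRB5CCNAME).  Callers
 * that run with more privilege than the party controlling the
 * environment should confirm the resolved cache is the intended one.
 */
static
OM_uint32
store_init_cred(ct, minor_status, cred, dflt)
	krb5_context ct;
	OM_uint32 *minor_status;
	const krb5_gss_cred_id_t cred;
	int dflt;
{
	OM_uint32 maj = GSS_S_COMPLETE;
	krb5_error_code code;
	krb5_ccache ccache = NULL;	/* current [file] ccache */

	if (minor_status == NULL)
		return (GSS_S_CALL_INACCESSIBLE_WRITE);
	*minor_status = 0;

	/* Get current ccache -- respect KRB5CCNAME, or use OS default */
	if ((code = krb5_cc_default(ct, &ccache))) {
		*minor_status = code;
		return (GSS_S_FAILURE);
	}

	/*
	 * Here we should do something like:
	 *
	 * a) take all the initial tickets from the current ccache for
	 *    client principals other than the given cred's
	 * b) copy them to a tmp MEMORY ccache
	 * c) copy the given cred's tickets to that same tmp ccache
	 * d) initialize the current ccache with either the same default
	 *    princ as before (!dflt) or with the input cred's princ as the
	 *    default princ (dflt) and copy the tmp ccache's creds to it.
	 *
	 * However, for now we just initialize the current ccache, if
	 * (dflt), and copy the input cred's tickets to it.
	 *
	 * To support the above ideal we'd need a variant of
	 * krb5_cc_copy_creds().  But then, preserving any tickets from
	 * the current ccache may be problematic if the ccache has many,
	 * many service tickets in it as that makes ccache enumeration
	 * really, really slow; we might want to address ccache perf
	 * first.
	 *
	 * So storing of non-default credentials is not supported.
	 */
	if (!dflt) {
		*minor_status = (OM_uint32) G_STORE_NON_DEFAULT_CRED_NOSUPP;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

	/*
	 * Treat this as "caller asks to initialize ccache".
	 *
	 * The cache is re-initialized before the copy below and nothing
	 * is restored on failure, so a failed krb5_cc_copy_creds() leaves
	 * the default ccache initialized for cred->princ without a
	 * complete set of tickets.
	 */
	/* LINTED */
	if ((code = krb5_cc_initialize(ct, ccache, cred->princ))) {
		*minor_status = code;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

	if ((code = krb5_cc_copy_creds(ct, cred->ccache, ccache))) {
		*minor_status = code;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

cleanup:
	if (ccache != NULL)
		/* LINTED */
		(void) krb5_cc_close(ct, ccache);

	return (maj);
}

/*
 * krb5_gss_store_cred() - locking entry point for storing a credential.
 *
 * Takes krb5_mutex, forwards every argument unchanged to
 * krb5_gss_store_cred_no_lock(), releases the mutex and returns that
 * function's major status.
 */
OM_uint32
krb5_gss_store_cred(ct, minor_status, input_cred, cred_usage, desired_mech,
    overwrite_cred, default_cred, elements_stored,
    cred_usage_stored)
	void *ct;
	OM_uint32 *minor_status;
	const gss_cred_id_t input_cred;
	gss_cred_usage_t cred_usage;
	gss_OID desired_mech;
	OM_uint32 overwrite_cred;
	OM_uint32 default_cred;
	gss_OID_set *elements_stored;
	gss_cred_usage_t *cred_usage_stored;
{
	OM_uint32 ret;

	mutex_lock(&krb5_mutex);
	ret = krb5_gss_store_cred_no_lock(ct, minor_status, input_cred,
	    cred_usage, desired_mech, overwrite_cred, default_cred,
	    elements_stored, cred_usage_stored);
	mutex_unlock(&krb5_mutex);

	return (ret);
}

/*
 * krb5_gss_store_cred_no_lock() - store an initiator credential in the
 * current default ccache.  The caller is expected to hold krb5_mutex
 * (see krb5_gss_store_cred()).
 *
 *	ct			krb5 context, passed as void *
 *	minor_status		out: minor status; must not be NULL
 *	input_cred		credential to store; must not be
 *				GSS_C_NO_CREDENTIAL
 *	cred_usage		GSS_C_INITIATE or GSS_C_BOTH (handled as
 *				INITIATE); GSS_C_ACCEPT is rejected
 *	desired_mech		optional mech OID used when looking up the
 *				current credential
 *	overwrite_cred		non-zero permits replacing a current
 *				credential that still has lifetime left
 *	default_cred		non-zero stores as the default credential;
 *				zero is rejected by store_init_cred()
 *	elements_stored		optional out: OID set holding gss_mech_krb5
 *	cred_usage_stored	optional out: GSS_C_INITIATE on success
 *
 * Returns GSS_S_COMPLETE on success.  Failures visible here are
 * GSS_S_CALL_INACCESSIBLE_READ/WRITE, GSS_S_CALL_BAD_STRUCTURE,
 * GSS_S_CREDENTIALS_EXPIRED, GSS_S_NO_CRED, GSS_S_DUPLICATE_ELEMENT,
 * GSS_S_FAILURE, or whatever major status a helper reports.
 *
 * NOTE(review): input_cred is cast to krb5_gss_cred_id_t without a check
 * in this function; presumably krb5_gss_inquire_cred_no_lock() validates
 * the handle before it is dereferenced in store_init_cred() -- confirm.
 */
OM_uint32
krb5_gss_store_cred_no_lock(ct, minor_status, input_cred, cred_usage,
    desired_mech, overwrite_cred, default_cred, elements_stored,
    cred_usage_stored)
	void *ct;
	OM_uint32 *minor_status;
	const gss_cred_id_t input_cred;
	gss_cred_usage_t cred_usage;
	gss_OID desired_mech;
	OM_uint32 overwrite_cred;
	OM_uint32 default_cred;
	gss_OID_set *elements_stored;
	gss_cred_usage_t *cred_usage_stored;
{
	OM_uint32 maj, min;
	krb5_context ctx = (krb5_context)ct;
	krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)input_cred;
	krb5_gss_cred_id_t cur_cred =
	    (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL;
	gss_OID_set desired_mechs = GSS_C_NULL_OID_SET;
	OM_uint32 in_time_rec = 0;	/* lifetime of input cred */
	/*
	 * Lifetime of current cred.  Starts at 0 so that the overwrite
	 * test below never reads an indeterminate value when no current
	 * credential could be acquired.
	 */
	OM_uint32 cur_time_rec = 0;
	gss_cred_usage_t in_usage;	/* usage of input cred */
	gss_name_t in_name = GSS_C_NO_NAME;	/* name of input cred */
	gss_name_t cur_name = GSS_C_NO_NAME;	/* name of current cred */

	if (input_cred == GSS_C_NO_CREDENTIAL)
		return (GSS_S_CALL_INACCESSIBLE_READ);

	/* Initialize output parameters */
	if (minor_status == NULL)
		return (GSS_S_CALL_INACCESSIBLE_WRITE);
	*minor_status = 0;

	if (elements_stored != NULL)
		*elements_stored = GSS_C_NULL_OID_SET;

	if (cred_usage_stored != NULL)
		*cred_usage_stored = -1;	/* need GSS_C_NEITHER! */

	/* Sanity check cred_usage */
	if (cred_usage != GSS_C_BOTH && cred_usage != GSS_C_INITIATE &&
	    cred_usage != GSS_C_ACCEPT) {
		*minor_status = (OM_uint32) G_BAD_USAGE;
		return (GSS_S_CALL_BAD_STRUCTURE);
	}

	/* Not supported: storing acceptor creds -- short cut now */
	if (cred_usage == GSS_C_ACCEPT) {
		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
		return (GSS_S_FAILURE);
	}
	if (cred_usage == GSS_C_BOTH)
		cred_usage = GSS_C_INITIATE;

	/*
	 * Find out the name, lifetime and cred usage of the input cred
	 */
	maj = krb5_gss_inquire_cred_no_lock(ctx, minor_status, input_cred,
	    &in_name, &in_time_rec, &in_usage, NULL);
	if (GSS_ERROR(maj))
		goto cleanup;

	/* Check that the input cred isn't expired */
	if (in_time_rec == 0) {
		maj = GSS_S_CREDENTIALS_EXPIRED;
		goto cleanup;
	}

	/*
	 * The requested and input cred usage must agree.  cred_usage can
	 * no longer be GSS_C_BOTH here (it was mapped to INITIATE above),
	 * so the second half of the condition is always true.
	 */
	if (in_usage != cred_usage && cred_usage != GSS_C_BOTH) {
		*minor_status = (OM_uint32) G_CRED_USAGE_MISMATCH;
		maj = GSS_S_NO_CRED;
		goto cleanup;
	}

	if (in_usage == GSS_C_ACCEPT) {
		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

	/* Get current cred, if any */
	if (desired_mech != GSS_C_NULL_OID) {
		/* assume that libgss gave us one of our mech OIDs */
		maj = gss_create_empty_oid_set(minor_status, &desired_mechs);
		/* Leave through cleanup so that in_name is released. */
		if (GSS_ERROR(maj))
			goto cleanup;

		maj = gss_add_oid_set_member(minor_status, desired_mech,
		    &desired_mechs);
		if (GSS_ERROR(maj))
			goto cleanup;
	}

	/*
	 * A failure to acquire a current cred is not fatal: maj is
	 * overwritten by store_init_cred() below and the minor status of
	 * this call goes to the scratch variable min.
	 */
	maj = krb5_gss_acquire_cred_no_lock(ctx, &min,
	    (default_cred) ? GSS_C_NO_NAME : in_name,
	    0, desired_mechs, cred_usage,
	    (gss_cred_id_t *)&cur_cred, NULL, &cur_time_rec);
	if (maj == GSS_S_COMPLETE) {
		maj = krb5_gss_inquire_cred_no_lock(ctx, minor_status,
		    (gss_cred_id_t)cur_cred, &cur_name,
		    NULL, NULL, NULL);
		if (GSS_ERROR(maj))
			goto cleanup;
	}

	/*
	 * Handle overwrite_cred option.  If overwrite_cred == FALSE
	 * then we must be careful not to overwrite an existing
	 * credential for the same name.
	 *
	 * NOTE(review): cur_name is fetched above but never compared with
	 * in_name; the test below looks only at the remaining lifetime of
	 * the current cred.  With default_cred set the current cred is
	 * looked up with GSS_C_NO_NAME, so it may belong to a different
	 * name than the input cred -- confirm this is the intended policy.
	 */
	if (cur_cred == (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL)
		overwrite_cred = 1;	/* nothing to overwrite */

	if (cur_time_rec > 0 && !overwrite_cred) {
		maj = GSS_S_DUPLICATE_ELEMENT;	/* would overwrite */
		goto cleanup;
	}

	/* Ready to store -- store_init_cred() handles default_cred */
	maj = store_init_cred(ctx, minor_status, cred, default_cred);
	if (GSS_ERROR(maj))
		goto cleanup;

	/*
	 * Output parameters.  The credential is already stored at this
	 * point; a failure below is still reported to the caller.
	 */
	if (cred_usage_stored != NULL)
		*cred_usage_stored = GSS_C_INITIATE;

	if (elements_stored != NULL) {
		maj = gss_create_empty_oid_set(minor_status, elements_stored);
		if (GSS_ERROR(maj))
			goto cleanup;

		maj = gss_add_oid_set_member(minor_status,
		    (const gss_OID)gss_mech_krb5, elements_stored);
		if (GSS_ERROR(maj)) {
			(void) gss_release_oid_set(&min, elements_stored);
			*elements_stored = GSS_C_NULL_OID_SET;
			goto cleanup;
		}
	}

cleanup:
	/* Releases report into min so that *minor_status is preserved. */
	if (desired_mechs != GSS_C_NULL_OID_SET)
		(void) gss_release_oid_set(&min, &desired_mechs);
	if (cur_cred != (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL)
		(void) krb5_gss_release_cred_no_lock(ctx, &min,
		    (gss_cred_id_t *)&cur_cred);
	if (in_name != GSS_C_NO_NAME)
		(void) krb5_gss_release_name_no_lock(ctx, &min, &in_name);
	if (cur_name != GSS_C_NO_NAME)
		(void) krb5_gss_release_name_no_lock(ctx, &min, &cur_name);

	return (maj);
}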