/crypto/heimdal/lib/gssapi/krb5/add_cred.c

  1/*
  2 * Copyright (c) 2003 Kungliga Tekniska Hรถgskolan
  3 * (Royal Institute of Technology, Stockholm, Sweden).
  4 * All rights reserved.
  5 *
  6 * Redistribution and use in source and binary forms, with or without
  7 * modification, are permitted provided that the following conditions
  8 * are met:
  9 *
 10 * 1. Redistributions of source code must retain the above copyright
 11 *    notice, this list of conditions and the following disclaimer.
 12 *
 13 * 2. Redistributions in binary form must reproduce the above copyright
 14 *    notice, this list of conditions and the following disclaimer in the
 15 *    documentation and/or other materials provided with the distribution.
 16 *
 17 * 3. Neither the name of the Institute nor the names of its contributors
 18 *    may be used to endorse or promote products derived from this software
 19 *    without specific prior written permission.
 20 *
 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 31 * SUCH DAMAGE.
 32 */
 33
 34#include "gsskrb5_locl.h"
 35
 36OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
 37     OM_uint32           *minor_status,
 38     const gss_cred_id_t input_cred_handle,
 39     const gss_name_t    desired_name,
 40     const gss_OID       desired_mech,
 41     gss_cred_usage_t    cred_usage,
 42     OM_uint32           initiator_time_req,
 43     OM_uint32           acceptor_time_req,
 44     gss_cred_id_t       *output_cred_handle,
 45     gss_OID_set         *actual_mechs,
 46     OM_uint32           *initiator_time_rec,
 47     OM_uint32           *acceptor_time_rec)
 48{
 49    krb5_context context;
 50    OM_uint32 ret, lifetime;
 51    gsskrb5_cred cred, handle;
 52    krb5_const_principal dname;
 53
 54    handle = NULL;
 55    cred = (gsskrb5_cred)input_cred_handle;
 56    dname = (krb5_const_principal)desired_name;
 57
 58    GSSAPI_KRB5_INIT (&context);
 59
 60    if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
 61	*minor_status = 0;
 62	return GSS_S_BAD_MECH;
 63    }
 64
 65    if (cred == NULL && output_cred_handle == NULL) {
 66	*minor_status = 0;
 67	return GSS_S_NO_CRED;
 68    }
 69
 70    if (cred == NULL) { /* XXX standard conformance failure */
 71	*minor_status = 0;
 72	return GSS_S_NO_CRED;
 73    }
 74
 75    /* check if requested output usage is compatible with output usage */
 76    if (output_cred_handle != NULL) {
 77	HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
 78	if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
 79	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
 80	    *minor_status = GSS_KRB5_S_G_BAD_USAGE;
 81	    return(GSS_S_FAILURE);
 82	}
 83    }
 84
 85    /* check that we have the same name */
 86    if (dname != NULL &&
 87	krb5_principal_compare(context, dname,
 88			       cred->principal) != FALSE) {
 89	if (output_cred_handle)
 90	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
 91	*minor_status = 0;
 92	return GSS_S_BAD_NAME;
 93    }
 94
 95    /* make a copy */
 96    if (output_cred_handle) {
 97	krb5_error_code kret;
 98
 99	handle = calloc(1, sizeof(*handle));
100	if (handle == NULL) {
101	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
102	    *minor_status = ENOMEM;
103	    return (GSS_S_FAILURE);
104	}
105
106	handle->usage = cred_usage;
107	handle->lifetime = cred->lifetime;
108	handle->principal = NULL;
109	handle->keytab = NULL;
110	handle->ccache = NULL;
111	handle->mechanisms = NULL;
112	HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
113
114	ret = GSS_S_FAILURE;
115
116	kret = krb5_copy_principal(context, cred->principal,
117				  &handle->principal);
118	if (kret) {
119	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
120	    free(handle);
121	    *minor_status = kret;
122	    return GSS_S_FAILURE;
123	}
124
125	if (cred->keytab) {
126	    char *name = NULL;
127
128	    ret = GSS_S_FAILURE;
129
130	    kret = krb5_kt_get_full_name(context, cred->keytab, &name);
131	    if (kret) {
132		*minor_status = kret;
133		goto failure;
134	    }
135
136	    kret = krb5_kt_resolve(context, name,
137				   &handle->keytab);
138	    krb5_xfree(name);
139	    if (kret){
140		*minor_status = kret;
141		goto failure;
142	    }
143	}
144
145	if (cred->ccache) {
146	    const char *type, *name;
147	    char *type_name = NULL;
148
149	    ret = GSS_S_FAILURE;
150
151	    type = krb5_cc_get_type(context, cred->ccache);
152	    if (type == NULL){
153		*minor_status = ENOMEM;
154		goto failure;
155	    }
156
157	    if (strcmp(type, "MEMORY") == 0) {
158		ret = krb5_cc_new_unique(context, type,
159					 NULL, &handle->ccache);
160		if (ret) {
161		    *minor_status = ret;
162		    goto failure;
163		}
164
165		ret = krb5_cc_copy_cache(context, cred->ccache,
166					 handle->ccache);
167		if (ret) {
168		    *minor_status = ret;
169		    goto failure;
170		}
171
172	    } else {
173		name = krb5_cc_get_name(context, cred->ccache);
174		if (name == NULL) {
175		    *minor_status = ENOMEM;
176		    goto failure;
177		}
178
179		kret = asprintf(&type_name, "%s:%s", type, name);
180		if (kret < 0 || type_name == NULL) {
181		    *minor_status = ENOMEM;
182		    goto failure;
183		}
184
185		kret = krb5_cc_resolve(context, type_name,
186				       &handle->ccache);
187		free(type_name);
188		if (kret) {
189		    *minor_status = kret;
190		    goto failure;
191		}
192	    }
193	}
194	ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
195	if (ret)
196	    goto failure;
197
198	ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
199				     &handle->mechanisms);
200	if (ret)
201	    goto failure;
202    }
203
204    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
205
206    ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred,
207				NULL, &lifetime, NULL, actual_mechs);
208    if (ret)
209	goto failure;
210
211    if (initiator_time_rec)
212	*initiator_time_rec = lifetime;
213    if (acceptor_time_rec)
214	*acceptor_time_rec = lifetime;
215
216    if (output_cred_handle) {
217	*output_cred_handle = (gss_cred_id_t)handle;
218    }
219
220    *minor_status = 0;
221    return ret;
222
223 failure:
224
225    if (handle) {
226	if (handle->principal)
227	    krb5_free_principal(context, handle->principal);
228	if (handle->keytab)
229	    krb5_kt_close(context, handle->keytab);
230	if (handle->ccache)
231	    krb5_cc_destroy(context, handle->ccache);
232	if (handle->mechanisms)
233	    gss_release_oid_set(NULL, &handle->mechanisms);
234	free(handle);
235    }
236    if (output_cred_handle)
237	HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
238    return ret;
239}