xref: /titanic_52/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c (revision 32885d593baf8bac788fa78885893a51b3ad0f28)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <k5-int.h>
30 #include <gssapiP_krb5.h>
31 #include <memory.h>
32 #include <assert.h>
33 #include <syslog.h>
34 
35 extern uint_t kwarn_add_warning(char *, int);
36 extern uint_t kwarn_del_warning(char *);
37 
38 static
39 OM_uint32
40 store_init_cred(ct, minor_status, cred, dflt)
41 krb5_context ct;
42 OM_uint32 *minor_status;
43 const krb5_gss_cred_id_t cred;
44 int dflt;
45 {
46 	OM_uint32 maj = GSS_S_COMPLETE;
47 	krb5_error_code code;
48 	krb5_ccache ccache = NULL; /* current [file] ccache */
49 	krb5_principal ccprinc = NULL; /* default princ of current ccache */
50 
51 	if (minor_status == NULL)
52 		return (GSS_S_CALL_INACCESSIBLE_WRITE);
53 	*minor_status = 0;
54 
55 	/* Get current ccache -- respect KRB5CCNAME, or use OS default */
56 	if ((code = krb5_cc_default(ct, &ccache))) {
57 		*minor_status = code;
58 		return (GSS_S_FAILURE);
59 	}
60 
61 	/*
62 	 * Here we should do something like:
63 	 *
64 	 * a) take all the initial tickets from the current ccache for
65 	 * client principals other than the given cred's
66 	 * b) copy them to a tmp MEMORY ccache
67 	 * c) copy the given cred's tickets to that same tmp ccache
68 	 * d) initialize the current ccache with either the same default
69 	 * princ as before (!dflt) or with the input cred's princ as the
70 	 * default princ (dflt) and copy the tmp ccache's creds to it.
71 	 *
72 	 * However, for now we just initialize the current ccache, if
73 	 * (dflt), and copy the input cred's tickets to it.
74 	 *
75 	 * To support the above ideal we'd need a variant of
76 	 * krb5_cc_copy_creds().  But then, preserving any tickets from
77 	 * the current ccache may be problematic if the ccache has many,
78 	 * many service tickets in it as that makes ccache enumeration
79 	 * really, really slow; we might want to address ccache perf
80 	 * first.
81 	 *
82 	 * So storing of non-default credentials is not supported.
83 	 */
84 	if (dflt) {
85 		/* Treat this as "caller asks to initialize ccache" */
86 		/* LINTED */
87 		if ((code = krb5_cc_initialize(ct, ccache, cred->princ))) {
88 			*minor_status = code;
89 			maj = GSS_S_FAILURE;
90 			goto cleanup;
91 		}
92 	} else {
93 		*minor_status = (OM_uint32) G_STORE_NON_DEFAULT_CRED_NOSUPP;
94 		maj = GSS_S_FAILURE;
95 		goto cleanup;
96 	}
97 
98 	if ((code = krb5_cc_copy_creds(ct, cred->ccache, ccache))) {
99 		*minor_status = code;
100 		maj = GSS_S_FAILURE;
101 		goto cleanup;
102 	}
103 
104 cleanup:
105 	if (ccprinc != NULL)
106 		krb5_free_principal(ct, ccprinc);
107 	if (ccache != NULL)
108 		/* LINTED */
109 		krb5_cc_close(ct, ccache);
110 
111 	return (maj);
112 }
113 
114 OM_uint32
115 krb5_gss_store_cred(minor_status, input_cred, cred_usage,
116 		desired_mech, overwrite_cred, default_cred, elements_stored,
117 		cred_usage_stored)
118 OM_uint32 *minor_status;
119 const gss_cred_id_t input_cred;
120 gss_cred_usage_t cred_usage;
121 gss_OID desired_mech;
122 OM_uint32 overwrite_cred;
123 OM_uint32 default_cred;
124 gss_OID_set *elements_stored;
125 gss_cred_usage_t *cred_usage_stored;
126 {
127 	OM_uint32 maj, maj2, min;
128 	krb5_context ctx = NULL;
129 	krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)input_cred;
130 	krb5_gss_cred_id_t cur_cred = (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL;
131 	gss_OID_set desired_mechs = GSS_C_NULL_OID_SET;
132 	OM_uint32 in_time_rec;			/* lifetime of input cred */
133 	OM_uint32 cur_time_rec;			/* lifetime of current cred */
134 	gss_cred_usage_t in_usage;		/* usage of input cred */
135 	gss_name_t in_name = GSS_C_NO_NAME;	/* name of input cred */
136 	char *client_name = NULL;
137 
138 	if (input_cred == GSS_C_NO_CREDENTIAL)
139 		return (GSS_S_CALL_INACCESSIBLE_READ);
140 
141 	/* Initialize output parameters */
142 	if (minor_status == NULL)
143 		return (GSS_S_CALL_INACCESSIBLE_WRITE);
144 	*minor_status = 0;
145 
146 	if (elements_stored != NULL)
147 		*elements_stored = GSS_C_NULL_OID_SET;
148 
149 	if (cred_usage_stored != NULL)
150 		*cred_usage_stored = -1; /* need GSS_C_NEITHER! */
151 
152 	/* Sanity check cred_usage */
153 	if (cred_usage != GSS_C_BOTH && cred_usage != GSS_C_INITIATE &&
154 	    cred_usage != GSS_C_ACCEPT) {
155 		*minor_status = (OM_uint32) G_BAD_USAGE;
156 		return (GSS_S_CALL_BAD_STRUCTURE);
157 	}
158 
159 	/* Not supported: storing acceptor creds -- short cut now */
160 	if (cred_usage == GSS_C_ACCEPT) {
161 		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
162 		return (GSS_S_FAILURE);
163 	}
164 	if (cred_usage == GSS_C_BOTH)
165 		cred_usage = GSS_C_INITIATE;
166 
167 	min = krb5_gss_init_context(&ctx);
168 	if (min) {
169 		*minor_status = min;
170 		return (GSS_S_FAILURE);
171 	}
172 
173 	/* * Find out the name, lifetime and cred usage of the input cred */
174 	maj = krb5_gss_inquire_cred(minor_status, input_cred,
175 			&in_name, &in_time_rec, &in_usage, NULL);
176 	if (GSS_ERROR(maj))
177 		goto cleanup;
178 
179 	/* Check that the input cred isn't expired */
180 	if (in_time_rec == 0) {
181 		maj = GSS_S_CREDENTIALS_EXPIRED;
182 		goto cleanup;
183 	}
184 
185 	/* The requested and input cred usage must agree */
186 	if (in_usage != cred_usage && cred_usage != GSS_C_BOTH) {
187 		*minor_status = (OM_uint32) G_CRED_USAGE_MISMATCH;
188 		maj = GSS_S_NO_CRED;
189 		goto cleanup;
190 	}
191 
192 	if (in_usage == GSS_C_ACCEPT) {
193 		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
194 		maj = GSS_S_FAILURE;
195 		goto cleanup;
196 	}
197 
198 	/* Get current cred, if any */
199 	if (desired_mech != GSS_C_NULL_OID) {
200 		/* assume that libgss gave us one of our mech OIDs */
201 		maj = gss_create_empty_oid_set(minor_status, &desired_mechs);
202 		if (GSS_ERROR(maj))
203 			return (maj);
204 
205 		maj = gss_add_oid_set_member(minor_status, desired_mech,
206 				&desired_mechs);
207 		if (GSS_ERROR(maj))
208 			goto cleanup;
209 	}
210 
211 	/*
212 	 * Handle overwrite_cred option.  If overwrite_cred == FALSE
213 	 * then we must be careful not to overwrite an existing
214 	 * unexpired credential.
215 	 */
216 	maj2 = krb5_gss_acquire_cred(&min,
217 			(default_cred) ?  GSS_C_NO_NAME : in_name,
218 			0, desired_mechs, cred_usage,
219 			(gss_cred_id_t *)&cur_cred, NULL, &cur_time_rec);
220 
221 	if (GSS_ERROR(maj2))
222 		overwrite_cred = 1; /* nothing to overwrite */
223 
224 	if (cur_time_rec > 0 && !overwrite_cred) {
225 		maj = GSS_S_DUPLICATE_ELEMENT; /* would overwrite */
226 		goto cleanup;
227 	}
228 
229 	/* Ready to store -- store_init_cred() handles default_cred */
230 	maj = store_init_cred(ctx, minor_status, cred, default_cred);
231 	if (GSS_ERROR(maj))
232 		goto cleanup;
233 
234 	/* Alert ktkt_warnd(1M) */
235 	maj = krb5_unparse_name(ctx, cred->princ, &client_name);
236 	if (GSS_ERROR(maj))
237 		goto cleanup;
238 	(void) kwarn_del_warning(client_name);
239 	if (kwarn_add_warning(client_name, cred->tgt_expire) != 0) {
240 		syslog(LOG_AUTH|LOG_NOTICE,
241 		    "store_cred: kwarn_add_warning"
242 		    " failed: ktkt_warnd(1M) down? ");
243 	}
244 	free(client_name);
245 	client_name = NULL;
246 
247 	/* Output parameters */
248 	if (cred_usage_stored != NULL)
249 		*cred_usage_stored = GSS_C_INITIATE;
250 
251 	if (elements_stored != NULL) {
252 		maj = gss_create_empty_oid_set(minor_status, elements_stored);
253 		if (GSS_ERROR(maj))
254 			goto cleanup;
255 
256 		maj = gss_add_oid_set_member(minor_status,
257 			    (const gss_OID)gss_mech_krb5, elements_stored);
258 		if (GSS_ERROR(maj)) {
259 			(void) gss_release_oid_set(&min, elements_stored);
260 			*elements_stored = GSS_C_NULL_OID_SET;
261 			goto cleanup;
262 		}
263 	}
264 
265 cleanup:
266 	if (desired_mechs != GSS_C_NULL_OID_SET)
267 		(void) gss_release_oid_set(&min, &desired_mechs);
268 	if (cur_cred != (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL)
269 		(void) krb5_gss_release_cred(&min,
270 				    (gss_cred_id_t *)&cur_cred);
271 	if (in_name != GSS_C_NO_NAME)
272 		(void) krb5_gss_release_name(&min, &in_name);
273 
274 	if (ctx)
275 		krb5_free_context(ctx);
276 
277 	return (maj);
278 }
279