xref: /illumos-gate/usr/src/lib/gss_mechs/mech_krb5/mech/store_cred.c (revision bea83d026ee1bd1b2a2419e1d0232f107a5d7d9b) 
1 /*
2  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 #include <k5-int.h>
9 #include <gssapiP_krb5.h>
10 #include <memory.h>
11 #include <assert.h>
12 
13 static
14 OM_uint32
15 store_init_cred(ct, minor_status, cred, dflt)
16 krb5_context ct;
17 OM_uint32 *minor_status;
18 const krb5_gss_cred_id_t cred;
19 int dflt;
20 {
21 	OM_uint32 maj = GSS_S_COMPLETE;
22 	krb5_error_code code;
23 	krb5_ccache ccache = NULL; /* current [file] ccache */
24 	krb5_principal ccprinc = NULL; /* default princ of current ccache */
25 
26 	if (minor_status == NULL)
27 		return (GSS_S_CALL_INACCESSIBLE_WRITE);
28 	*minor_status = 0;
29 
30 	/* Get current ccache -- respect KRB5CCNAME, or use OS default */
31 	if ((code = krb5_cc_default(ct, &ccache))) {
32 		*minor_status = code;
33 		return (GSS_S_FAILURE);
34 	}
35 
36 	/*
37 	 * Here we should do something like:
38 	 *
39 	 * a) take all the initial tickets from the current ccache for
40 	 * client principals other than the given cred's
41 	 * b) copy them to a tmp MEMORY ccache
42 	 * c) copy the given cred's tickets to that same tmp ccache
43 	 * d) initialize the current ccache with either the same default
44 	 * princ as before (!dflt) or with the input cred's princ as the
45 	 * default princ (dflt) and copy the tmp ccache's creds to it.
46 	 *
47 	 * However, for now we just initialize the current ccache, if
48 	 * (dflt), and copy the input cred's tickets to it.
49 	 *
50 	 * To support the above ideal we'd need a variant of
51 	 * krb5_cc_copy_creds().  But then, preserving any tickets from
52 	 * the current ccache may be problematic if the ccache has many,
53 	 * many service tickets in it as that makes ccache enumeration
54 	 * really, really slow; we might want to address ccache perf
55 	 * first.
56 	 *
57 	 * So storing of non-default credentials is not supported.
58 	 */
59 	if (dflt) {
60 		/* Treat this as "caller asks to initialize ccache" */
61 		/* LINTED */
62 		if ((code = krb5_cc_initialize(ct, ccache, cred->princ))) {
63 			*minor_status = code;
64 			maj = GSS_S_FAILURE;
65 			goto cleanup;
66 		}
67 	} else {
68 		*minor_status = (OM_uint32) G_STORE_NON_DEFAULT_CRED_NOSUPP;
69 		maj = GSS_S_FAILURE;
70 		goto cleanup;
71 	}
72 
73 	if ((code = krb5_cc_copy_creds(ct, cred->ccache, ccache))) {
74 		*minor_status = code;
75 		maj = GSS_S_FAILURE;
76 		goto cleanup;
77 	}
78 
79 cleanup:
80 	if (ccprinc != NULL)
81 		krb5_free_principal(ct, ccprinc);
82 	if (ccache != NULL)
83 		/* LINTED */
84 		krb5_cc_close(ct, ccache);
85 
86 	return (maj);
87 }
88 
89 OM_uint32
90 krb5_gss_store_cred(minor_status, input_cred, cred_usage,
91 		desired_mech, overwrite_cred, default_cred, elements_stored,
92 		cred_usage_stored)
93 OM_uint32 *minor_status;
94 const gss_cred_id_t input_cred;
95 gss_cred_usage_t cred_usage;
96 gss_OID desired_mech;
97 OM_uint32 overwrite_cred;
98 OM_uint32 default_cred;
99 gss_OID_set *elements_stored;
100 gss_cred_usage_t *cred_usage_stored;
101 {
102 	OM_uint32 maj, maj2, min;
103 	krb5_context ctx = NULL;
104 	krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)input_cred;
105 	krb5_gss_cred_id_t cur_cred = (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL;
106 	gss_OID_set desired_mechs = GSS_C_NULL_OID_SET;
107 	OM_uint32 in_time_rec;			/* lifetime of input cred */
108 	OM_uint32 cur_time_rec;			/* lifetime of current cred */
109 	gss_cred_usage_t in_usage;		/* usage of input cred */
110 	gss_name_t in_name = GSS_C_NO_NAME;	/* name of input cred */
111 
112 	if (input_cred == GSS_C_NO_CREDENTIAL)
113 		return (GSS_S_CALL_INACCESSIBLE_READ);
114 
115 	/* Initialize output parameters */
116 	if (minor_status == NULL)
117 		return (GSS_S_CALL_INACCESSIBLE_WRITE);
118 	*minor_status = 0;
119 
120 	if (elements_stored != NULL)
121 		*elements_stored = GSS_C_NULL_OID_SET;
122 
123 	if (cred_usage_stored != NULL)
124 		*cred_usage_stored = -1; /* need GSS_C_NEITHER! */
125 
126 	/* Sanity check cred_usage */
127 	if (cred_usage != GSS_C_BOTH && cred_usage != GSS_C_INITIATE &&
128 	    cred_usage != GSS_C_ACCEPT) {
129 		*minor_status = (OM_uint32) G_BAD_USAGE;
130 		return (GSS_S_CALL_BAD_STRUCTURE);
131 	}
132 
133 	/* Not supported: storing acceptor creds -- short cut now */
134 	if (cred_usage == GSS_C_ACCEPT) {
135 		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
136 		return (GSS_S_FAILURE);
137 	}
138 	if (cred_usage == GSS_C_BOTH)
139 		cred_usage = GSS_C_INITIATE;
140 
141 	min = krb5_gss_init_context(&ctx);
142 	if (min) {
143 		*minor_status = min;
144 		return (GSS_S_FAILURE);
145 	}
146 
147 	/* * Find out the name, lifetime and cred usage of the input cred */
148 	maj = krb5_gss_inquire_cred(minor_status, input_cred,
149 			&in_name, &in_time_rec, &in_usage, NULL);
150 	if (GSS_ERROR(maj))
151 		goto cleanup;
152 
153 	/* Check that the input cred isn't expired */
154 	if (in_time_rec == 0) {
155 		maj = GSS_S_CREDENTIALS_EXPIRED;
156 		goto cleanup;
157 	}
158 
159 	/* The requested and input cred usage must agree */
160 	if (in_usage != cred_usage && cred_usage != GSS_C_BOTH) {
161 		*minor_status = (OM_uint32) G_CRED_USAGE_MISMATCH;
162 		maj = GSS_S_NO_CRED;
163 		goto cleanup;
164 	}
165 
166 	if (in_usage == GSS_C_ACCEPT) {
167 		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
168 		maj = GSS_S_FAILURE;
169 		goto cleanup;
170 	}
171 
172 	/* Get current cred, if any */
173 	if (desired_mech != GSS_C_NULL_OID) {
174 		/* assume that libgss gave us one of our mech OIDs */
175 		maj = gss_create_empty_oid_set(minor_status, &desired_mechs);
176 		if (GSS_ERROR(maj))
177 			return (maj);
178 
179 		maj = gss_add_oid_set_member(minor_status, desired_mech,
180 				&desired_mechs);
181 		if (GSS_ERROR(maj))
182 			goto cleanup;
183 	}
184 
185 	/*
186 	 * Handle overwrite_cred option.  If overwrite_cred == FALSE
187 	 * then we must be careful not to overwrite an existing
188 	 * unexpired credential.
189 	 */
190 	maj2 = krb5_gss_acquire_cred(&min,
191 			(default_cred) ?  GSS_C_NO_NAME : in_name,
192 			0, desired_mechs, cred_usage,
193 			(gss_cred_id_t *)&cur_cred, NULL, &cur_time_rec);
194 
195 	if (GSS_ERROR(maj2))
196 		overwrite_cred = 1; /* nothing to overwrite */
197 
198 	if (cur_time_rec > 0 && !overwrite_cred) {
199 		maj = GSS_S_DUPLICATE_ELEMENT; /* would overwrite */
200 		goto cleanup;
201 	}
202 
203 	/* Ready to store -- store_init_cred() handles default_cred */
204 	maj = store_init_cred(ctx, minor_status, cred, default_cred);
205 	if (GSS_ERROR(maj))
206 		goto cleanup;
207 
208 	/* Output parameters */
209 	if (cred_usage_stored != NULL)
210 		*cred_usage_stored = GSS_C_INITIATE;
211 
212 	if (elements_stored != NULL) {
213 		maj = gss_create_empty_oid_set(minor_status, elements_stored);
214 		if (GSS_ERROR(maj))
215 			goto cleanup;
216 
217 		maj = gss_add_oid_set_member(minor_status,
218 			    (const gss_OID)gss_mech_krb5, elements_stored);
219 		if (GSS_ERROR(maj)) {
220 			(void) gss_release_oid_set(&min, elements_stored);
221 			*elements_stored = GSS_C_NULL_OID_SET;
222 			goto cleanup;
223 		}
224 	}
225 
226 cleanup:
227 	if (desired_mechs != GSS_C_NULL_OID_SET)
228 		(void) gss_release_oid_set(&min, &desired_mechs);
229 	if (cur_cred != (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL)
230 		(void) krb5_gss_release_cred(&min,
231 				    (gss_cred_id_t *)&cur_cred);
232 	if (in_name != GSS_C_NO_NAME)
233 		(void) krb5_gss_release_name(&min, &in_name);
234 
235 	if (ctx)
236 		krb5_free_context(ctx);
237 
238 	return (maj);
239 }
240