1 /*
2  * Copyright 2001-2002 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 /*
9  * Copyright 1997 by Massachusetts Institute of Technology
10  * All Rights Reserved.
11  *
12  * Export of this software from the United States of America may
13  *   require a specific license from the United States Government.
14  *   It is the responsibility of any person or organization contemplating
15  *   export to obtain such a license before exporting.
16  *
17  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18  * distribute this software and its documentation for any purpose and
19  * without fee is hereby granted, provided that the above copyright
20  * notice appear in all copies and that both that copyright notice and
21  * this permission notice appear in supporting documentation, and that
22  * the name of M.I.T. not be used in advertising or publicity pertaining
23  * to distribution of the software without specific, written prior
24  * permission.  Furthermore if you modify this software you must label
25  * your software as modified software and not distribute it in such a
26  * fashion that it might be confused with the original M.I.T. software.
27  * M.I.T. makes no representations about the suitability of
28  * this software for any purpose.  It is provided "as is" without express
29  * or implied warranty.
30  *
31  */
32 
33 #include <gssapiP_krb5.h>
34 
/*
 * Locked entry point for credential validation.  Takes the global
 * krb5_mutex, delegates to krb5_gss_validate_cred_no_lock(), and drops
 * the mutex again before handing the major status back to the caller.
 * The minor status is written through minor_status by the callee.
 */
OM_uint32
krb5_gss_validate_cred(ct, minor_status, cred_handle)
     void *ct;
     OM_uint32 *minor_status;
     gss_cred_id_t cred_handle;
{
    OM_uint32 status;

    /* krb5_mutex is held for the whole of the unlocked worker call. */
    mutex_lock(&krb5_mutex);
    status = krb5_gss_validate_cred_no_lock(ct, minor_status, cred_handle);
    mutex_unlock(&krb5_mutex);

    return (status);
}
50 
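/*
 * Check to see whether or not a GSSAPI krb5 credential is valid.  If
 * it is not, return an error.
 *
 * ct is used as the krb5_context for the ccache and principal calls.
 * The handle is first passed to kg_validate_cred_id() and is only cast
 * and dereferenced once that check succeeds.  When the credential has a
 * ccache, the principal stored in that ccache must match cred->princ,
 * so a cache that now belongs to a different principal is rejected.
 *
 * Returns, with *minor_status set as shown:
 *   GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL
 *				G_VALIDATE_FAILED (handle check failed)
 *   GSS_S_DEFECTIVE_CREDENTIAL	krb5 error from krb5_cc_get_principal()
 *   GSS_S_DEFECTIVE_CREDENTIAL	KG_CCACHE_NOMATCH (principal mismatch)
 *   GSS_S_COMPLETE		0
 *
 * krb5_gss_validate_cred() calls this with krb5_mutex held; other
 * callers presumably need to hold it as well -- TODO confirm.
 * minor_status is written unconditionally and must not be NULL.
 */

/*ARGSUSED*/
OM_uint32
krb5_gss_validate_cred_no_lock(ct, minor_status, cred_handle)
     void *ct;
     OM_uint32 *minor_status;
     gss_cred_id_t cred_handle;
{
    krb5_context context = ct;
    krb5_gss_cred_id_t cred;
    krb5_error_code code;
    krb5_principal princ;
    OM_uint32 major_status = GSS_S_FAILURE;

   /* Solaris Kerberos:  for MT safety, we avoid the use of a default
    * context via kg_get_context() */
#if 0
    if (GSS_ERROR(kg_get_context(minor_status, &context)))
	return (major_status);
#endif

    /* Reject the handle before it is ever treated as a credential. */
    if (!kg_validate_cred_id(cred_handle)) {
	*minor_status = (OM_uint32) G_VALIDATE_FAILED;
	major_status = (GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL);
	return (major_status);
    }

    cred = (krb5_gss_cred_id_t) cred_handle;

    if (cred->ccache) {
	code = krb5_cc_get_principal(context, cred->ccache, &princ);
	if (code) {
	    /* Nothing to free: the lookup failed. */
	    *minor_status = code;
	    major_status = GSS_S_DEFECTIVE_CREDENTIAL;
	    return (major_status);
	}
	if (!krb5_principal_compare(context, princ, cred->princ)) {
	    /*
	     * Release the principal fetched from the ccache on the
	     * mismatch path too; returning without freeing it leaked
	     * one principal per rejected credential.
	     */
	    (void)krb5_free_principal(context, princ);
	    *minor_status = KG_CCACHE_NOMATCH;
	    major_status = GSS_S_DEFECTIVE_CREDENTIAL;
	    return (major_status);
	}
	(void)krb5_free_principal(context, princ);
    }
    *minor_status = 0;
    major_status = GSS_S_COMPLETE;
    return (major_status);
}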
102