1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <k5-int.h>
28 #include <gssapiP_krb5.h>
29 #include <memory.h>
30 #include <assert.h>
31 #include <syslog.h>
32 
33 extern uint_t kwarn_add_warning(char *, int);
34 extern uint_t kwarn_del_warning(char *);
35 
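/*
 * store_init_cred() -- copy the tickets held by an initiator credential
 * into the calling process's current credential cache.
 *
 *   ct            krb5 context used for every ccache operation
 *   minor_status  out: 0 on success, otherwise a krb5 error code or
 *                 G_STORE_NON_DEFAULT_CRED_NOSUPP
 *   cred          credential whose princ and ccache members are read
 *   dflt          non-zero: re-initialize the current ccache with
 *                 cred->princ as its default principal, then copy;
 *                 zero: unsupported, the call fails
 *
 * Returns GSS_S_COMPLETE, GSS_S_FAILURE, or
 * GSS_S_CALL_INACCESSIBLE_WRITE when minor_status is NULL.
 *
 * Security notes for callers:
 *  - The destination is whatever krb5_cc_default() resolves to
 *    (KRB5CCNAME, else the OS default), so the tickets land wherever
 *    this process's environment points.
 *    NOTE(review): confirm that every caller runs with the intended
 *    environment and identity before reaching this function.
 *  - krb5_cc_initialize() replaces the cache contents before the copy
 *    starts.  If krb5_cc_copy_creds() then fails, the tickets that
 *    were in the cache are already gone; nothing here restores them.
 */
static
OM_uint32
store_init_cred(ct, minor_status, cred, dflt)
krb5_context ct;
OM_uint32 *minor_status;
const krb5_gss_cred_id_t cred;
int dflt;
{
	OM_uint32 maj = GSS_S_COMPLETE;
	krb5_error_code code;
	krb5_ccache ccache = NULL; /* current [file] ccache */

	if (minor_status == NULL)
		return (GSS_S_CALL_INACCESSIBLE_WRITE);
	*minor_status = 0;

	/* Get current ccache -- respect KRB5CCNAME, or use OS default */
	if ((code = krb5_cc_default(ct, &ccache))) {
		*minor_status = code;
		return (GSS_S_FAILURE);
	}

	/*
	 * Here we should do something like:
	 *
	 * a) take all the initial tickets from the current ccache for
	 * client principals other than the given cred's
	 * b) copy them to a tmp MEMORY ccache
	 * c) copy the given cred's tickets to that same tmp ccache
	 * d) initialize the current ccache with either the same default
	 * princ as before (!dflt) or with the input cred's princ as the
	 * default princ (dflt) and copy the tmp ccache's creds to it.
	 *
	 * However, for now we just initialize the current ccache, if
	 * (dflt), and copy the input cred's tickets to it.
	 *
	 * To support the above ideal we'd need a variant of
	 * krb5_cc_copy_creds().  But then, preserving any tickets from
	 * the current ccache may be problematic if the ccache has many,
	 * many service tickets in it as that makes ccache enumeration
	 * really, really slow; we might want to address ccache perf
	 * first.
	 *
	 * So storing of non-default credentials is not supported.
	 */
	if (!dflt) {
		*minor_status = (OM_uint32) G_STORE_NON_DEFAULT_CRED_NOSUPP;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

	/* Treat this as "caller asks to initialize ccache" */
	/* LINTED */
	code = krb5_cc_initialize(ct, ccache, cred->princ);
	if (code) {
		*minor_status = code;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

	/* The old contents are gone from here on; see the header note. */
	code = krb5_cc_copy_creds(ct, cred->ccache, ccache);
	if (code) {
		*minor_status = code;
		maj = GSS_S_FAILURE;
	}

cleanup:
	/*
	 * The former "ccprinc" local was never assigned, so its release
	 * branch could not run; it has been dropped.
	 */
	if (ccache != NULL)
		/* LINTED */
		krb5_cc_close(ct, ccache);

	return (maj);
}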
111 
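/*
 * krb5_gss_store_cred() -- krb5 mechanism back end for storing a
 * credential into the caller's current credential cache.
 *
 *   minor_status       out: mechanism-specific status (required)
 *   input_cred         credential to store; must not be
 *                      GSS_C_NO_CREDENTIAL
 *   cred_usage         GSS_C_INITIATE or GSS_C_BOTH (treated as
 *                      INITIATE); GSS_C_ACCEPT is rejected
 *   desired_mech       optional mech OID used when looking up the
 *                      current credential
 *   overwrite_cred     zero: refuse to replace an unexpired current
 *                      credential
 *   default_cred       passed to store_init_cred(); only the default
 *                      credential can be stored
 *   elements_stored    optional out: OID set holding gss_mech_krb5
 *   cred_usage_stored  optional out: GSS_C_INITIATE on success
 *
 * Returns a GSS major status; every exit after the krb5 context has been
 * created goes through "cleanup" so the context, the inquired name, the
 * temporary OID set and the looked-up current credential are released.
 *
 * Security notes:
 *  - input_cred is cast to the mechanism's internal type without a
 *    check in this function.
 *    NOTE(review): presumably krb5_gss_inquire_cred() validates the
 *    handle before cred->princ/cred->ccache are used -- confirm.
 *  - The overwrite_cred test and the later store are separate steps;
 *    nothing visible here serialises other writers to the same ccache
 *    between them.
 */
OM_uint32
krb5_gss_store_cred(minor_status, input_cred, cred_usage,
		desired_mech, overwrite_cred, default_cred, elements_stored,
		cred_usage_stored)
OM_uint32 *minor_status;
const gss_cred_id_t input_cred;
gss_cred_usage_t cred_usage;
gss_OID desired_mech;
OM_uint32 overwrite_cred;
OM_uint32 default_cred;
gss_OID_set *elements_stored;
gss_cred_usage_t *cred_usage_stored;
{
	OM_uint32 maj, maj2, min;
	krb5_error_code code;
	krb5_context ctx = NULL;
	krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)input_cred;
	krb5_gss_cred_id_t cur_cred = (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL;
	gss_OID_set desired_mechs = GSS_C_NULL_OID_SET;
	OM_uint32 in_time_rec = 0;		/* lifetime of input cred */
	/*
	 * Lifetime of current cred.  Starts at 0 so the overwrite test
	 * below never reads an indeterminate value when
	 * krb5_gss_acquire_cred() fails without writing it.
	 */
	OM_uint32 cur_time_rec = 0;
	gss_cred_usage_t in_usage;		/* usage of input cred */
	gss_name_t in_name = GSS_C_NO_NAME;	/* name of input cred */
	char *client_name = NULL;

	if (input_cred == GSS_C_NO_CREDENTIAL)
		return (GSS_S_CALL_INACCESSIBLE_READ);

	/* Initialize output parameters */
	if (minor_status == NULL)
		return (GSS_S_CALL_INACCESSIBLE_WRITE);
	*minor_status = 0;

	if (elements_stored != NULL)
		*elements_stored = GSS_C_NULL_OID_SET;

	if (cred_usage_stored != NULL)
		*cred_usage_stored = -1; /* need GSS_C_NEITHER! */

	/* Sanity check cred_usage */
	if (cred_usage != GSS_C_BOTH && cred_usage != GSS_C_INITIATE &&
	    cred_usage != GSS_C_ACCEPT) {
		*minor_status = (OM_uint32) G_BAD_USAGE;
		return (GSS_S_CALL_BAD_STRUCTURE);
	}

	/* Not supported: storing acceptor creds -- short cut now */
	if (cred_usage == GSS_C_ACCEPT) {
		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
		return (GSS_S_FAILURE);
	}
	if (cred_usage == GSS_C_BOTH)
		cred_usage = GSS_C_INITIATE;

	min = krb5_gss_init_context(&ctx);
	if (min) {
		*minor_status = min;
		return (GSS_S_FAILURE);
	}

	/* Find out the name, lifetime and cred usage of the input cred */
	maj = krb5_gss_inquire_cred(minor_status, input_cred,
			&in_name, &in_time_rec, &in_usage, NULL);
	if (GSS_ERROR(maj))
		goto cleanup;

	/* Check that the input cred isn't expired */
	if (in_time_rec == 0) {
		maj = GSS_S_CREDENTIALS_EXPIRED;
		goto cleanup;
	}

	/*
	 * The requested and input cred usage must agree.
	 *
	 * cred_usage can only be GSS_C_INITIATE at this point (ACCEPT
	 * returned above, BOTH was mapped to INITIATE), so the second
	 * clause is always true and an input cred whose usage is
	 * GSS_C_BOTH is rejected here.
	 * NOTE(review): confirm that rejecting GSS_C_BOTH input creds is
	 * intended.
	 */
	if (in_usage != cred_usage && cred_usage != GSS_C_BOTH) {
		*minor_status = (OM_uint32) G_CRED_USAGE_MISMATCH;
		maj = GSS_S_NO_CRED;
		goto cleanup;
	}

	if (in_usage == GSS_C_ACCEPT) {
		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

	/* Get current cred, if any */
	if (desired_mech != GSS_C_NULL_OID) {
		/* assume that libgss gave us one of our mech OIDs */
		maj = gss_create_empty_oid_set(minor_status, &desired_mechs);
		if (GSS_ERROR(maj)) {
			/*
			 * This used to return directly, which leaked ctx
			 * and in_name.  The set is not released on this
			 * path, exactly as before.
			 */
			desired_mechs = GSS_C_NULL_OID_SET;
			goto cleanup;
		}

		maj = gss_add_oid_set_member(minor_status, desired_mech,
				&desired_mechs);
		if (GSS_ERROR(maj))
			goto cleanup;
	}

	/*
	 * Handle overwrite_cred option.  If overwrite_cred == FALSE
	 * then we must be careful not to overwrite an existing
	 * unexpired credential.
	 */
	maj2 = krb5_gss_acquire_cred(&min,
			(default_cred) ?  GSS_C_NO_NAME : in_name,
			0, desired_mechs, cred_usage,
			(gss_cred_id_t *)&cur_cred, NULL, &cur_time_rec);

	if (GSS_ERROR(maj2))
		overwrite_cred = 1; /* nothing to overwrite */

	if (cur_time_rec > 0 && !overwrite_cred) {
		maj = GSS_S_DUPLICATE_ELEMENT; /* would overwrite */
		goto cleanup;
	}

	/* Ready to store -- store_init_cred() handles default_cred */
	maj = store_init_cred(ctx, minor_status, cred, default_cred);
	if (GSS_ERROR(maj))
		goto cleanup;

	/*
	 * Alert ktkt_warnd(8).
	 *
	 * krb5_unparse_name() returns a krb5_error_code, not a GSS major
	 * status, so it must not be tested with GSS_ERROR(): a small
	 * errno-style failure would pass that test and leave client_name
	 * NULL for the kwarn calls.  Report failure the way the rest of
	 * this file does.  The credential has already been stored by the
	 * time this can fail.
	 */
	code = krb5_unparse_name(ctx, cred->princ, &client_name);
	if (code != 0) {
		*minor_status = (OM_uint32) code;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}
	(void) kwarn_del_warning(client_name);
	if (kwarn_add_warning(client_name, cred->tgt_expire) != 0) {
		/* Best effort: a missing warning daemon is logged only. */
		syslog(LOG_AUTH|LOG_NOTICE,
		    "store_cred: kwarn_add_warning"
		    " failed: ktkt_warnd(8) down? ");
	}
	free(client_name);
	client_name = NULL;

	/* Output parameters */
	if (cred_usage_stored != NULL)
		*cred_usage_stored = GSS_C_INITIATE;

	if (elements_stored != NULL) {
		maj = gss_create_empty_oid_set(minor_status, elements_stored);
		if (GSS_ERROR(maj))
			goto cleanup;

		maj = gss_add_oid_set_member(minor_status,
			    (const gss_OID)gss_mech_krb5, elements_stored);
		if (GSS_ERROR(maj)) {
			(void) gss_release_oid_set(&min, elements_stored);
			*elements_stored = GSS_C_NULL_OID_SET;
			goto cleanup;
		}
	}

cleanup:
	/* Release everything acquired above; maj carries the result. */
	if (desired_mechs != GSS_C_NULL_OID_SET)
		(void) gss_release_oid_set(&min, &desired_mechs);
	if (cur_cred != (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL)
		(void) krb5_gss_release_cred(&min,
				    (gss_cred_id_t *)&cur_cred);
	if (in_name != GSS_C_NO_NAME)
		(void) krb5_gss_release_name(&min, &in_name);

	if (ctx)
		krb5_free_context(ctx);

	return (maj);
}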