17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * Copyright 2000 by the Massachusetts Institute of Technology.
37c478bd9Sstevel@tonic-gate * All Rights Reserved.
47c478bd9Sstevel@tonic-gate *
57c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may
67c478bd9Sstevel@tonic-gate * require a specific license from the United States Government.
77c478bd9Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating
87c478bd9Sstevel@tonic-gate * export to obtain such a license before exporting.
9*55fea89dSDan Cross *
107c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
117c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and
127c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright
137c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and
147c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that
157c478bd9Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining
167c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior
177c478bd9Sstevel@tonic-gate * permission. Furthermore if you modify this software you must label
187c478bd9Sstevel@tonic-gate * your software as modified software and not distribute it in such a
197c478bd9Sstevel@tonic-gate * fashion that it might be confused with the original M.I.T. software.
207c478bd9Sstevel@tonic-gate * M.I.T. makes no representations about the suitability of
217c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express
227c478bd9Sstevel@tonic-gate * or implied warranty.
23*55fea89dSDan Cross *
247c478bd9Sstevel@tonic-gate */
257c478bd9Sstevel@tonic-gate /*
267c478bd9Sstevel@tonic-gate * Copyright 1993 by OpenVision Technologies, Inc.
27*55fea89dSDan Cross *
287c478bd9Sstevel@tonic-gate * Permission to use, copy, modify, distribute, and sell this software
297c478bd9Sstevel@tonic-gate * and its documentation for any purpose is hereby granted without fee,
307c478bd9Sstevel@tonic-gate * provided that the above copyright notice appears in all copies and
317c478bd9Sstevel@tonic-gate * that both that copyright notice and this permission notice appear in
327c478bd9Sstevel@tonic-gate * supporting documentation, and that the name of OpenVision not be used
337c478bd9Sstevel@tonic-gate * in advertising or publicity pertaining to distribution of the software
347c478bd9Sstevel@tonic-gate * without specific, written prior permission. OpenVision makes no
357c478bd9Sstevel@tonic-gate * representations about the suitability of this software for any
367c478bd9Sstevel@tonic-gate * purpose. It is provided "as is" without express or implied warranty.
37*55fea89dSDan Cross *
387c478bd9Sstevel@tonic-gate * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
397c478bd9Sstevel@tonic-gate * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
407c478bd9Sstevel@tonic-gate * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
417c478bd9Sstevel@tonic-gate * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
427c478bd9Sstevel@tonic-gate * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
437c478bd9Sstevel@tonic-gate * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
447c478bd9Sstevel@tonic-gate * PERFORMANCE OF THIS SOFTWARE.
457c478bd9Sstevel@tonic-gate */
467c478bd9Sstevel@tonic-gate
477c478bd9Sstevel@tonic-gate /*
487c478bd9Sstevel@tonic-gate * Copyright (C) 1998 by the FundsXpress, INC.
49*55fea89dSDan Cross *
507c478bd9Sstevel@tonic-gate * All rights reserved.
51*55fea89dSDan Cross *
527c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may require
537c478bd9Sstevel@tonic-gate * a specific license from the United States Government. It is the
547c478bd9Sstevel@tonic-gate * responsibility of any person or organization contemplating export to
557c478bd9Sstevel@tonic-gate * obtain such a license before exporting.
56*55fea89dSDan Cross *
577c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
587c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and
597c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright
607c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and
617c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that
627c478bd9Sstevel@tonic-gate * the name of FundsXpress. not be used in advertising or publicity pertaining
637c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior
647c478bd9Sstevel@tonic-gate * permission. FundsXpress makes no representations about the suitability of
657c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express
667c478bd9Sstevel@tonic-gate * or implied warranty.
67*55fea89dSDan Cross *
687c478bd9Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
697c478bd9Sstevel@tonic-gate * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
707c478bd9Sstevel@tonic-gate * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
717c478bd9Sstevel@tonic-gate */
727c478bd9Sstevel@tonic-gate
73ab9b2e15Sgtb #include "gssapiP_krb5.h"
74ab9b2e15Sgtb #include "mglueP.h"
757c478bd9Sstevel@tonic-gate
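/*
 * krb5_gss_inquire_cred: report the principal name, remaining lifetime,
 * usage and supported mechanism OIDs of a krb5 GSS credential.
 *
 *   minor_status  - out: mechanism-specific status; 0 on success.
 *   cred_handle   - credential to inquire about; GSS_C_NO_CREDENTIAL means
 *                   "the default credential", which is acquired here via
 *                   kg_get_defcred() and released again before returning.
 *                   Any other handle is validated with krb5_gss_validate_cred().
 *   name          - out (may be NULL): copy of cred->princ, registered with
 *                   kg_save_name(); GSS_C_NO_NAME when the credential has
 *                   no principal.  Caller owns the returned name.
 *   lifetime_ret  - out (may be NULL): seconds until cred->tgt_expire, 0 if
 *                   already expired, GSS_C_INDEFINITE if tgt_expire <= 0.
 *   cred_usage    - out (may be NULL): cred->usage.
 *   mechanisms    - out (may be NULL): OID set holding gss_mech_krb5_old and/or
 *                   gss_mech_krb5 according to cred->prerfc_mech/rfc_mech.
 *                   Caller owns the returned set.
 *
 * Returns GSS_S_COMPLETE, GSS_S_CREDENTIALS_EXPIRED when the computed
 * lifetime is 0, or GSS_S_FAILURE / the status of a failed helper.  On any
 * failure nothing is handed back to the caller: the copied principal, the
 * partially built OID set, the default credential and the krb5 context are
 * all released before returning.
 */
OM_uint32
krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
		      cred_usage, mechanisms)
    OM_uint32 *minor_status;
    gss_cred_id_t cred_handle;
    gss_name_t *name;
    OM_uint32 *lifetime_ret;
    gss_cred_usage_t *cred_usage;
    gss_OID_set *mechanisms;
{
    krb5_context context;
    krb5_gss_cred_id_t cred;
    krb5_error_code code;
    krb5_timestamp now;
    krb5_deltat lifetime;
    krb5_principal ret_name;
    gss_OID_set mechs;
    OM_uint32 ret;

    ret = GSS_S_FAILURE;
    ret_name = NULL;
    /*
     * mechs must always start out as the empty set: the error paths below
     * release it unconditionally, and the caller may not have asked for
     * mechanisms at all (krb5_gss_inquire_cred_by_mech passes NULL), in
     * which case it would otherwise be an uninitialized pointer.
     */
    mechs = GSS_C_NO_OID_SET;

    code = krb5_gss_init_context(&context);
    if (code) {
	*minor_status = code;
	return GSS_S_FAILURE;
    }

    if (name) *name = NULL;
    if (mechanisms) *mechanisms = NULL;

    /* check for default credential */
    /*SUPPRESS 29*/
    if (cred_handle == GSS_C_NO_CREDENTIAL) {
	OM_uint32 major;

	major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred);
	if (GSS_ERROR(major)) {
	    krb5_free_context(context);
	    return(major);
	}
    } else {
	OM_uint32 major;

	major = krb5_gss_validate_cred(minor_status, cred_handle);
	if (GSS_ERROR(major)) {
	    krb5_free_context(context);
	    return(major);
	}
	cred = (krb5_gss_cred_id_t) cred_handle;
    }

    if ((code = krb5_timeofday(context, &now))) {
	*minor_status = code;
	ret = GSS_S_FAILURE;
	goto fail;
    }

    /* Everything read from *cred below happens under its lock. */
    code = k5_mutex_lock(&cred->lock);
    if (code != 0) {
	*minor_status = code;
	ret = GSS_S_FAILURE;
	goto fail;
    }
    if (cred->tgt_expire > 0) {
	if ((lifetime = cred->tgt_expire - now) < 0)
	    lifetime = 0;
    }
    else
	lifetime = GSS_C_INDEFINITE;

    if (name) {
	if (cred->princ &&
	    (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
	    k5_mutex_unlock(&cred->lock);
	    *minor_status = code;
	    ret = GSS_S_FAILURE;
	    goto fail;
	}
    }

    if (mechanisms) {
	/* Solaris Kerberos */
	if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
							      &mechs)) ||
	    (cred->prerfc_mech &&
	     GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
						    (const gss_OID) gss_mech_krb5_old,
						    &mechs))) ||
	    (cred->rfc_mech &&
	     GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
						    (const gss_OID) gss_mech_krb5,
						    &mechs)))) {
	    OM_uint32 tmp_min_stat;

	    k5_mutex_unlock(&cred->lock);
	    if (ret_name)
		krb5_free_principal(context, ret_name);
	    /*
	     * If create succeeded but an add failed, mechs holds a
	     * partially built set that would otherwise leak.  Use a scratch
	     * minor status: *minor_status was set by the failing call above.
	     */
	    if (mechs != GSS_C_NO_OID_SET)
		(void) gss_release_oid_set(&tmp_min_stat, &mechs);
	    goto fail;
	}
    }

    if (name) {
	if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) {
	    OM_uint32 tmp_min_stat;

	    k5_mutex_unlock(&cred->lock);
	    if (mechs != GSS_C_NO_OID_SET)
		(void) gss_release_oid_set(&tmp_min_stat, &mechs);
	    krb5_free_principal(context, ret_name);
	    *minor_status = (OM_uint32) G_VALIDATE_FAILED;
	    ret = GSS_S_FAILURE;
	    goto fail;
	}
	if (ret_name != NULL)
	    *name = (gss_name_t) ret_name;
	else
	    *name = GSS_C_NO_NAME;
    }

    if (lifetime_ret)
	*lifetime_ret = lifetime;

    if (cred_usage)
	*cred_usage = cred->usage;
    k5_mutex_unlock(&cred->lock);

    if (mechanisms)
	*mechanisms = mechs;

    if (cred_handle == GSS_C_NO_CREDENTIAL)
	krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);

    krb5_free_context(context);
    *minor_status = 0;
    return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);

fail:
    /*
     * Common failure exit.  The cred lock has already been dropped by the
     * path that jumped here.  A default credential acquired above is ours
     * to release; its release status must not clobber *minor_status.
     */
    if (cred_handle == GSS_C_NO_CREDENTIAL) {
	OM_uint32 tmp_min_stat;

	krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
    }
    krb5_free_context(context);
    return ret;
}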
2207c478bd9Sstevel@tonic-gate
2217c478bd9Sstevel@tonic-gate /* V2 interface */
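/*
 * krb5_gss_inquire_cred_by_mech: per-mechanism variant of inquire_cred.
 *
 *   minor_status       - out: mechanism-specific status.
 *   cred_handle        - credential to inquire about; GSS_C_NO_CREDENTIAL
 *                        selects the default credential.
 *   mech_type          - must be GSS_C_NULL_OID, gss_mech_krb5_old or
 *                        gss_mech_krb5; anything else yields GSS_S_NO_CRED.
 *   name               - out (may be NULL): as for krb5_gss_inquire_cred.
 *   initiator_lifetime - out (may be NULL): set to the credential lifetime
 *                        only when usage is GSS_C_INITIATE or GSS_C_BOTH.
 *   acceptor_lifetime  - out (may be NULL): set to the credential lifetime
 *                        only when usage is GSS_C_ACCEPT or GSS_C_BOTH.
 *   cred_usage         - out (may be NULL): the credential's usage.
 *
 * Returns the status of krb5_gss_inquire_cred, or GSS_S_NO_CRED for a
 * foreign mech_type.  The lifetimes are filled in both for GSS_S_COMPLETE
 * and for GSS_S_CREDENTIALS_EXPIRED (where the lifetime is 0).
 */
OM_uint32
krb5_gss_inquire_cred_by_mech(minor_status, cred_handle,
			      mech_type, name, initiator_lifetime,
			      acceptor_lifetime, cred_usage)
    OM_uint32 *minor_status;
    gss_cred_id_t cred_handle;
    gss_OID mech_type;
    gss_name_t *name;
    OM_uint32 *initiator_lifetime;
    OM_uint32 *acceptor_lifetime;
    gss_cred_usage_t *cred_usage;
{
    gss_cred_usage_t usage;
    OM_uint32 lifetime;
    OM_uint32 mstat;

    /*
     * We only know how to handle our own creds.
     */
    if ((mech_type != GSS_C_NULL_OID) &&
	!g_OID_equal(gss_mech_krb5_old, mech_type) &&
	!g_OID_equal(gss_mech_krb5, mech_type)) {
	*minor_status = 0;
	return(GSS_S_NO_CRED);
    }

    /*
     * Let krb5_gss_inquire_cred do the validation, default-credential
     * lookup and locked access to the credential.  The usage is taken
     * through a local rather than by dereferencing cred_handle afterwards:
     * when cred_handle is GSS_C_NO_CREDENTIAL it is NULL (the default
     * credential lives only inside the callee), and reading cred->usage
     * here would be outside the credential's lock.
     */
    mstat = krb5_gss_inquire_cred(minor_status,
				  cred_handle,
				  name,
				  &lifetime,
				  &usage,
				  (gss_OID_set *) NULL);
    if (mstat != GSS_S_COMPLETE && mstat != GSS_S_CREDENTIALS_EXPIRED)
	return(mstat);

    /* An expired credential reports a lifetime of 0, as inquire_cred does. */
    if (cred_usage)
	*cred_usage = usage;
    if (initiator_lifetime &&
	((usage == GSS_C_INITIATE) || (usage == GSS_C_BOTH)))
	*initiator_lifetime = lifetime;
    if (acceptor_lifetime &&
	((usage == GSS_C_ACCEPT) || (usage == GSS_C_BOTH)))
	*acceptor_lifetime = lifetime;

    return(mstat);
}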
269ab9b2e15Sgtb
270