/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
#include <k5-int.h>
#include <gssapiP_krb5.h>
#include <memory.h>
#include <assert.h>
#include <stdlib.h>
#include <syslog.h>

/*
 * ktkt_warnd(8) client interface: register or clear the ticket-expiry
 * warning for a client principal name (the second argument to
 * kwarn_add_warning() is the expiry time).  A non-zero return from
 * kwarn_add_warning() means the registration failed; the caller below
 * treats that as non-fatal and only logs it.
 */
extern uint_t kwarn_add_warning(char *, int);
extern uint_t kwarn_del_warning(char *);
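/*
 * Store an initiator credential's tickets into the process's default
 * credential cache.
 *
 * ct		krb5 context used for all ccache operations
 * minor_status	receives a krb5 error code or G_* minor code on failure
 * cred		krb5 GSS credential whose principal and ccache are stored
 * dflt		non-zero when the caller asked for the credential to become
 *		the default credential
 *
 * Returns GSS_S_COMPLETE on success, GSS_S_CALL_INACCESSIBLE_WRITE when
 * minor_status is NULL, and GSS_S_FAILURE otherwise (*minor_status set).
 *
 * Only dflt != 0 is supported.  Note that krb5_cc_initialize() discards
 * whatever the default ccache held before; if the subsequent
 * krb5_cc_copy_creds() fails the ccache is left initialized but without
 * the input credential's tickets.
 */
static OM_uint32
store_init_cred(krb5_context ct, OM_uint32 *minor_status,
    const krb5_gss_cred_id_t cred, int dflt)
{
	OM_uint32 maj = GSS_S_COMPLETE;
	krb5_error_code code;
	krb5_ccache ccache = NULL;	/* current [file] ccache */

	if (minor_status == NULL)
		return (GSS_S_CALL_INACCESSIBLE_WRITE);
	*minor_status = 0;

	/* Get current ccache -- respect KRB5CCNAME, or use OS default */
	if ((code = krb5_cc_default(ct, &ccache))) {
		*minor_status = code;
		return (GSS_S_FAILURE);
	}

	/*
	 * Here we should do something like:
	 *
	 * a) take all the initial tickets from the current ccache for
	 *    client principals other than the given cred's
	 * b) copy them to a tmp MEMORY ccache
	 * c) copy the given cred's tickets to that same tmp ccache
	 * d) initialize the current ccache with either the same default
	 *    princ as before (!dflt) or with the input cred's princ as the
	 *    default princ (dflt) and copy the tmp ccache's creds to it.
	 *
	 * However, for now we just initialize the current ccache, if
	 * (dflt), and copy the input cred's tickets to it.
	 *
	 * To support the above ideal we'd need a variant of
	 * krb5_cc_copy_creds().  But then, preserving any tickets from
	 * the current ccache may be problematic if the ccache has many,
	 * many service tickets in it as that makes ccache enumeration
	 * really, really slow; we might want to address ccache perf
	 * first.
	 *
	 * So storing of non-default credentials is not supported.
	 */
	if (!dflt) {
		*minor_status = (OM_uint32) G_STORE_NON_DEFAULT_CRED_NOSUPP;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

	/* Treat this as "caller asks to initialize ccache" */
	/* LINTED */
	if ((code = krb5_cc_initialize(ct, ccache, cred->princ))) {
		*minor_status = code;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

	if ((code = krb5_cc_copy_creds(ct, cred->ccache, ccache))) {
		*minor_status = code;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

cleanup:
	/* ccache is always open here; keep the guard for future early exits */
	if (ccache != NULL)
		/* LINTED */
		krb5_cc_close(ct, ccache);

	return (maj);
}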
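/*
 * krb5 mechanism implementation of gss_store_cred(): store an initiator
 * credential into the default krb5 credential cache and register its TGT
 * expiry with ktkt_warnd(8).
 *
 * minor_status		receives the mechanism-specific minor code
 * input_cred		credential to store; GSS_C_NO_CREDENTIAL is rejected
 * cred_usage		GSS_C_INITIATE or GSS_C_BOTH (treated as INITIATE);
 *			GSS_C_ACCEPT fails with G_STORE_ACCEPTOR_CRED_NOSUPP
 * desired_mech		mechanism OID, or GSS_C_NULL_OID for any mechanism
 * overwrite_cred	non-zero allows replacing an existing unexpired
 *			credential; otherwise GSS_S_DUPLICATE_ELEMENT
 * default_cred		non-zero makes the stored cred the default; only this
 *			mode is supported (see store_init_cred())
 * elements_stored	optional; on success receives a set holding
 *			gss_mech_krb5
 * cred_usage_stored	optional; on success receives GSS_C_INITIATE
 *
 * Returns a GSS major status.  On failure *elements_stored is left at
 * GSS_C_NULL_OID_SET and *cred_usage_stored at -1.
 *
 * The "does an unexpired credential already exist" check and the store
 * itself are not atomic: another process may change the default ccache
 * between krb5_gss_acquire_cred() and store_init_cred().
 */
OM_uint32
krb5_gss_store_cred(OM_uint32 *minor_status, const gss_cred_id_t input_cred,
    gss_cred_usage_t cred_usage, gss_OID desired_mech,
    OM_uint32 overwrite_cred, OM_uint32 default_cred,
    gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored)
{
	OM_uint32 maj, maj2, min;
	krb5_error_code code;
	krb5_context ctx = NULL;
	krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)input_cred;
	krb5_gss_cred_id_t cur_cred = (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL;
	gss_OID_set desired_mechs = GSS_C_NULL_OID_SET;
	OM_uint32 in_time_rec = 0;	/* lifetime of input cred */
	/*
	 * Lifetime of the current cred.  Initialized because
	 * krb5_gss_acquire_cred() is not relied on to set it on failure,
	 * yet it is compared below on every path.
	 */
	OM_uint32 cur_time_rec = 0;
	gss_cred_usage_t in_usage;	/* usage of input cred */
	gss_name_t in_name = GSS_C_NO_NAME;	/* name of input cred */
	char *client_name = NULL;

	if (input_cred == GSS_C_NO_CREDENTIAL)
		return (GSS_S_CALL_INACCESSIBLE_READ);

	/* Initialize output parameters */
	if (minor_status == NULL)
		return (GSS_S_CALL_INACCESSIBLE_WRITE);
	*minor_status = 0;

	if (elements_stored != NULL)
		*elements_stored = GSS_C_NULL_OID_SET;

	if (cred_usage_stored != NULL)
		*cred_usage_stored = -1;	/* need GSS_C_NEITHER! */

	/* Sanity check cred_usage */
	if (cred_usage != GSS_C_BOTH && cred_usage != GSS_C_INITIATE &&
	    cred_usage != GSS_C_ACCEPT) {
		*minor_status = (OM_uint32) G_BAD_USAGE;
		return (GSS_S_CALL_BAD_STRUCTURE);
	}

	/* Not supported: storing acceptor creds -- short cut now */
	if (cred_usage == GSS_C_ACCEPT) {
		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
		return (GSS_S_FAILURE);
	}
	/* From here on cred_usage is always GSS_C_INITIATE */
	if (cred_usage == GSS_C_BOTH)
		cred_usage = GSS_C_INITIATE;

	min = krb5_gss_init_context(&ctx);
	if (min) {
		*minor_status = min;
		return (GSS_S_FAILURE);
	}

	/* Find out the name, lifetime and cred usage of the input cred */
	maj = krb5_gss_inquire_cred(minor_status, input_cred,
	    &in_name, &in_time_rec, &in_usage, NULL);
	if (GSS_ERROR(maj))
		goto cleanup;

	/* Check that the input cred isn't expired */
	if (in_time_rec == 0) {
		maj = GSS_S_CREDENTIALS_EXPIRED;
		goto cleanup;
	}

	/*
	 * The requested and input cred usage must agree.  cred_usage was
	 * collapsed to GSS_C_INITIATE above, so no GSS_C_BOTH special case
	 * is needed here.
	 */
	if (in_usage != cred_usage) {
		*minor_status = (OM_uint32) G_CRED_USAGE_MISMATCH;
		maj = GSS_S_NO_CRED;
		goto cleanup;
	}

	if (in_usage == GSS_C_ACCEPT) {
		*minor_status = (OM_uint32) G_STORE_ACCEPTOR_CRED_NOSUPP;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}

	/* Get current cred, if any */
	if (desired_mech != GSS_C_NULL_OID) {
		/* assume that libgss gave us one of our mech OIDs */
		maj = gss_create_empty_oid_set(minor_status, &desired_mechs);
		if (GSS_ERROR(maj))
			goto cleanup;	/* ctx and in_name must be released */

		maj = gss_add_oid_set_member(minor_status, desired_mech,
		    &desired_mechs);
		if (GSS_ERROR(maj))
			goto cleanup;
	}

	/*
	 * Handle overwrite_cred option.  If overwrite_cred == FALSE
	 * then we must be careful not to overwrite an existing
	 * unexpired credential.
	 */
	maj2 = krb5_gss_acquire_cred(&min,
	    (default_cred) ? GSS_C_NO_NAME : in_name,
	    0, desired_mechs, cred_usage,
	    (gss_cred_id_t *)&cur_cred, NULL, &cur_time_rec);

	if (GSS_ERROR(maj2))
		overwrite_cred = 1;	/* nothing to overwrite */

	if (cur_time_rec > 0 && !overwrite_cred) {
		maj = GSS_S_DUPLICATE_ELEMENT;	/* would overwrite */
		goto cleanup;
	}

	/* Ready to store -- store_init_cred() handles default_cred */
	maj = store_init_cred(ctx, minor_status, cred, default_cred);
	if (GSS_ERROR(maj))
		goto cleanup;

	/*
	 * Alert ktkt_warnd(8).  krb5_unparse_name() returns a
	 * krb5_error_code, not a GSS major status, so its result must not
	 * be tested with GSS_ERROR() nor returned through maj; map it to
	 * GSS_S_FAILURE with the code as the minor status.
	 */
	code = krb5_unparse_name(ctx, cred->princ, &client_name);
	if (code) {
		*minor_status = code;
		maj = GSS_S_FAILURE;
		goto cleanup;
	}
	(void) kwarn_del_warning(client_name);
	if (kwarn_add_warning(client_name, cred->tgt_expire) != 0) {
		/* best effort: a missing warning daemon does not fail the store */
		syslog(LOG_AUTH|LOG_NOTICE,
		    "store_cred: kwarn_add_warning"
		    " failed: ktkt_warnd(8) down? ");
	}
	free(client_name);
	client_name = NULL;

	/* Output parameters */
	if (cred_usage_stored != NULL)
		*cred_usage_stored = GSS_C_INITIATE;

	if (elements_stored != NULL) {
		maj = gss_create_empty_oid_set(minor_status, elements_stored);
		if (GSS_ERROR(maj))
			goto cleanup;

		maj = gss_add_oid_set_member(minor_status,
		    (const gss_OID)gss_mech_krb5, elements_stored);
		if (GSS_ERROR(maj)) {
			(void) gss_release_oid_set(&min, elements_stored);
			*elements_stored = GSS_C_NULL_OID_SET;
			goto cleanup;
		}
	}

cleanup:
	if (desired_mechs != GSS_C_NULL_OID_SET)
		(void) gss_release_oid_set(&min, &desired_mechs);
	if (cur_cred != (krb5_gss_cred_id_t)GSS_C_NO_CREDENTIAL)
		(void) krb5_gss_release_cred(&min,
		    (gss_cred_id_t *)&cur_cred);
	if (in_name != GSS_C_NO_NAME)
		(void) krb5_gss_release_name(&min, &in_name);

	if (ctx)
		krb5_free_context(ctx);

	return (maj);
}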