acquire_cred.c revision 3dba6097f91d71408b4a7c824521f8f0687ab6ff
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
* Copyright 2000 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*/
/*
* Copyright 1993 by OpenVision Technologies, Inc.
*
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
* that both that copyright notice and this permission notice appear in
* supporting documentation, and that the name of OpenVision not be used
* in advertising or publicity pertaining to distribution of the software
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
*
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
* CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
* USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
* OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/*
* Copyright (C) 1998 by the FundsXpress, INC.
*
* All rights reserved.
*
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of FundsXpress. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#include <gssapiP_krb5.h>
#include <k5-int.h>
#ifdef HAVE_STRING_H
#include <string.h>
#else
#include <strings.h>
#endif
/*
* $Id: acquire_cred.c,v 1.25.6.2 2000/05/22 20:41:32 meeroh Exp $
*/
/* get credentials corresponding to a key in the krb5 keytab.
If the default name is requested, return the name in output_princ.
If output_princ is non-NULL, the caller will use or free it, regardless
of the return value.
If successful, set the keytab-specific fields in cred
*/
static OM_uint32
{
*output_princ = NULL;
/* open the default keytab */
*minor_status = code;
/* NOTE: GSS_S_CRED_UNAVAIL is not RFC 2743 compliant */
return(GSS_S_NO_CRED);
}
if (desired_name != GSS_C_NO_NAME) {
if (code == KRB5_KT_NOTFOUND)
else
*minor_status = code;
/* NOTE: GSS_S_CRED_UNAVAIL is not RFC 2743 compliant */
return(GSS_S_NO_CRED);
}
/* Open the replay cache for this principal. */
*minor_status = code;
return(GSS_S_FAILURE);
}
}
/* hooray. we made it */
return(GSS_S_COMPLETE);
}
/* get credentials corresponding to the default credential cache.
If the default name is requested, return the name in output_princ.
If output_princ is non-NULL, the caller will use or free it, regardless
of the return value.
If successful, set the ccache-specific fields in cred.
*/
static OM_uint32
{
int got_endtime;
/* SUNW14resync - do we need this? */
#if 0
/* load the GSS ccache name into the kg_context */
return(GSS_S_FAILURE);
#endif
/* open the default credential cache */
if (code) {
*minor_status = code;
return(GSS_S_NO_CRED);
}
/* turn off OPENCLOSE mode while extensive frobbing is going on */
/*
* SUNW14resync
* Added calls to krb5_cc_set_flags(... KRB5_TC_OPENCLOSE)
* on the error returns cuz the 1.4 krb5_cc_close does not always close
* the file like it used to and caused STC test gss.27 to fail.
*/
flags = 0; /* turns off OPENCLOSE mode */
*minor_status = code;
return(GSS_S_NO_CRED);
}
/* get out the principal name and see if it matches */
*minor_status = code;
return(GSS_S_FAILURE);
}
return(GSS_S_NO_CRED);
}
} else {
*output_princ = princ;
}
/* iterate over the ccache, find the tgt */
*minor_status = code;
return(GSS_S_FAILURE);
}
/* this is hairy. If there's a tgt for the principal's local realm
in here, that's what we want for the expire time. But if
there's not, then we want to use the first key. */
got_endtime = 0;
6, "krbtgt",
0);
if (code) {
*minor_status = code;
return(GSS_S_FAILURE);
}
got_endtime = 1;
*minor_status = 0;
code = 0;
break;
}
if (got_endtime == 0) {
got_endtime = 1;
}
}
/* this means some error occurred reading the ccache */
*minor_status = code;
return(GSS_S_FAILURE);
} else if (! got_endtime) {
/* this means the ccache was entirely empty */
return(GSS_S_FAILURE);
} else {
/* this means that we found an endtime to use. */
*minor_status = code;
return(GSS_S_FAILURE);
}
*minor_status = code;
return(GSS_S_FAILURE);
}
}
/* the credentials match and are valid */
/* minor_status is set while we are iterating over the ccache */
return(GSS_S_COMPLETE);
}
void *ctx;
{
return(ret);
}
/*ARGSUSED*/
void *ctx;
{
size_t i;
const gss_OID_set_desc * valid_mechs;
/* Solaris Kerberos: for MT safety, we avoid the use of a default
* context via kg_get_context() */
#if 0
return(GSS_S_FAILURE);
#endif
/* make sure all outputs are valid */
if (actual_mechs)
*actual_mechs = NULL;
if (time_rec)
*time_rec = 0;
/* validate the name */
/*SUPPRESS 29*/
(! kg_validate_name(desired_name))) {
return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
}
/* verify that the requested mechanism set is the default, or
contains krb5 */
if (desired_mechs == GSS_C_NULL_OID_SET) {
req_old = 1;
req_new = 1;
} else {
req_old = 0;
req_new = 0;
for (i=0; i<desired_mechs->count; i++) {
req_old++;
req_new++;
}
*minor_status = 0;
return(GSS_S_BAD_MECH);
}
}
/* create the gss cred structure */
if ((cred =
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
}
if ((cred_usage != GSS_C_INITIATE) &&
(cred_usage != GSS_C_ACCEPT) &&
(cred_usage != GSS_C_BOTH)) {
return(GSS_S_FAILURE);
}
/* if requested, acquire credentials for accepting */
/* this will fill in cred->princ if the desired_name is not specified */
if ((cred_usage == GSS_C_ACCEPT) ||
(cred_usage == GSS_C_BOTH))
!= GSS_S_COMPLETE) {
/* minor_status set by acquire_accept_cred() */
return(ret);
}
/* if requested, acquire credentials for initiation */
/* this will fill in cred->princ if it wasn't set above, and
the desired_name is not specified */
if ((cred_usage == GSS_C_INITIATE) ||
(cred_usage == GSS_C_BOTH))
if ((ret =
!= GSS_S_COMPLETE) {
/* minor_status set by acquire_init_cred() */
return(ret);
}
/* Solaris Kerberos:
* if the princ wasn't filled in already, fill it in now unless
* a cred with no associated princ is requested (will invoke default
* behaviour when gss_accept_init_context() is called).
*/
*minor_status = code;
return(GSS_S_FAILURE);
}
/*** at this point, the cred structure has been completely created */
/* compute time_rec */
if (cred_usage == GSS_C_ACCEPT) {
if (time_rec)
} else {
*minor_status = code;
return(GSS_S_FAILURE);
}
if (time_rec)
}
/* create mechs */
if (actual_mechs) {
&ret_mechs)) ||
(cred->prerfc_mech &&
&ret_mechs))) ||
&ret_mechs)))) {
/* (*minor_status) set above */
return(ret);
}
}
/* intern the credential handle */
return(GSS_S_FAILURE);
}
/* return success */
*minor_status = 0;
if (actual_mechs)
return(GSS_S_COMPLETE);
}