1/* 2 * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#include "gsskrb5_locl.h" 37 38OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred 39(OM_uint32 * minor_status, 40 const gss_cred_id_t cred_handle, 41 gss_name_t * output_name, 42 OM_uint32 * lifetime, 43 gss_cred_usage_t * cred_usage, 44 gss_OID_set * mechanisms 45 ) 46{ 47 krb5_context context; 48 gss_cred_id_t aqcred_init = GSS_C_NO_CREDENTIAL; 49 gss_cred_id_t aqcred_accept = GSS_C_NO_CREDENTIAL; 50 gsskrb5_cred acred = NULL, icred = NULL; 51 OM_uint32 ret; 52 53 *minor_status = 0; 54 55 if (output_name) 56 *output_name = NULL; 57 if (mechanisms) 58 *mechanisms = GSS_C_NO_OID_SET; 59 60 GSSAPI_KRB5_INIT (&context); 61 62 if (cred_handle == GSS_C_NO_CREDENTIAL) { 63 ret = _gsskrb5_acquire_cred(minor_status, 64 GSS_C_NO_NAME, 65 GSS_C_INDEFINITE, 66 GSS_C_NO_OID_SET, 67 GSS_C_ACCEPT, 68 &aqcred_accept, 69 NULL, 70 NULL); 71 if (ret == GSS_S_COMPLETE) 72 acred = (gsskrb5_cred)aqcred_accept; 73 74 ret = _gsskrb5_acquire_cred(minor_status, 75 GSS_C_NO_NAME, 76 GSS_C_INDEFINITE, 77 GSS_C_NO_OID_SET, 78 GSS_C_INITIATE, 79 &aqcred_init, 80 NULL, 81 NULL); 82 if (ret == GSS_S_COMPLETE) 83 icred = (gsskrb5_cred)aqcred_init; 84 85 if (icred == NULL && acred == NULL) { 86 *minor_status = 0; 87 return GSS_S_NO_CRED; 88 } 89 } else { 90 gsskrb5_cred handle; 91 92 handle = (gsskrb5_cred)cred_handle; 93 94 if (handle->keytab) 95 acred = handle; 96 else 97 icred = handle; 98 99 /* 100 * double check that the credential is still in the cache if 101 * we have a initiator only cache. 102 */ 103 104 if (handle->usage == GSS_C_INITIATE && handle->principal != NULL) { 105 krb5_error_code kret; 106 krb5_ccache ccache; 107 108 kret = krb5_cc_cache_match(context, handle->principal, &ccache); 109 if (kret == 0) { 110 krb5_cc_close(context, ccache); 111 } else { 112 *minor_status = kret; 113 return GSS_S_DEFECTIVE_CREDENTIAL; 114 } 115 } 116 } 117 118 if (acred) 119 HEIMDAL_MUTEX_lock(&acred->cred_id_mutex); 120 if (icred) 121 HEIMDAL_MUTEX_lock(&icred->cred_id_mutex); 122 123 if (output_name != NULL) { 124 if (icred && icred->principal != NULL) { 125 gss_name_t name; 126 127 if (acred && acred->principal) 128 name = (gss_name_t)acred->principal; 129 else 130 name = (gss_name_t)icred->principal; 131 132 ret = _gsskrb5_duplicate_name(minor_status, name, output_name); 133 if (ret) 134 goto out; 135 } else if (acred && acred->usage == GSS_C_ACCEPT) { 136 krb5_principal princ; 137 *minor_status = krb5_sname_to_principal(context, NULL, 138 NULL, KRB5_NT_SRV_HST, 139 &princ); 140 if (*minor_status) { 141 ret = GSS_S_FAILURE; 142 goto out; 143 } 144 *output_name = (gss_name_t)princ; 145 } else { 146 krb5_principal princ; 147 *minor_status = krb5_get_default_principal(context, 148 &princ); 149 if (*minor_status) { 150 ret = GSS_S_FAILURE; 151 goto out; 152 } 153 *output_name = (gss_name_t)princ; 154 } 155 } 156 if (lifetime != NULL) { 157 time_t aendtime = INT_MAX, iendtime = INT_MAX; 158 159 if (acred) aendtime = acred->endtime; 160 if (icred) iendtime = icred->endtime; 161 162 ret = _gsskrb5_lifetime_left(minor_status, 163 context, 164 min(aendtime, iendtime), 165 lifetime); 166 if (ret) 167 goto out; 168 } 169 if (cred_usage != NULL) { 170 if (acred && icred) 171 *cred_usage = GSS_C_BOTH; 172 else if (acred) 173 *cred_usage = GSS_C_ACCEPT; 174 else if (icred) 175 *cred_usage = GSS_C_INITIATE; 176 else 177 abort(); 178 } 179 180 if (mechanisms != NULL) { 181 ret = gss_create_empty_oid_set(minor_status, mechanisms); 182 if (ret) 183 goto out; 184 ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, 185 mechanisms); 186 if (ret) 187 goto out; 188 } 189 ret = GSS_S_COMPLETE; 190out: 191 if (acred) 192 HEIMDAL_MUTEX_unlock(&acred->cred_id_mutex); 193 if (icred) 194 HEIMDAL_MUTEX_unlock(&icred->cred_id_mutex); 195 196 if (aqcred_init != GSS_C_NO_CREDENTIAL) 197 ret = _gsskrb5_release_cred(minor_status, &aqcred_init); 198 if (aqcred_accept != GSS_C_NO_CREDENTIAL) 199 ret = _gsskrb5_release_cred(minor_status, &aqcred_accept); 200 201 return ret; 202} 203