       1             : /*-
       2             :  * Copyright (c) 2005 Doug Rabson
       3             :  * All rights reserved.
       4             :  *
       5             :  * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
       6             :  * Portions Copyright (c) 2011, 2018 PADL Software Pty Ltd.
       7             :  *
       8             :  * Redistribution and use in source and binary forms, with or without
       9             :  * modification, are permitted provided that the following conditions
      10             :  * are met:
      11             :  * 1. Redistributions of source code must retain the above copyright
      12             :  *    notice, this list of conditions and the following disclaimer.
      13             :  * 2. Redistributions in binary form must reproduce the above copyright
      14             :  *    notice, this list of conditions and the following disclaimer in the
      15             :  *    documentation and/or other materials provided with the distribution.
      16             :  *
      17             :  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
      18             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      19             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      20             :  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
      21             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      22             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      23             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      24             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      25             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      26             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      27             :  * SUCH DAMAGE.
      28             :  *
      29             :  *      $FreeBSD: src/lib/libgssapi/gss_acquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
      30             :  */
      31             : 
      32             : #include "mech_locl.h"
      33             : 
/*
 * Shim for gss_acquire_cred_with_password(): locate the "password"
 * element of a credential store.
 *
 * Returns a pointer to the value of the first element whose key is
 * exactly "password", or NULL when cred_store is GSS_C_NO_CRED_STORE or
 * holds no such element.  The value is NOT copied -- it points into the
 * caller's cred_store and is only valid for as long as that store is.
 * Element keys are assumed to be non-NULL strings (no check is made here).
 */
static const char *
find_password_in_cred_store(gss_const_key_value_set_t cred_store)
{
    size_t idx = 0;

    if (cred_store == GSS_C_NO_CRED_STORE)
        return NULL;

    while (idx < cred_store->count) {
        const char *key = cred_store->elements[idx].key;

        if (strcmp(key, "password") == 0)
            return cred_store->elements[idx].value;
        idx++;
    }

    return NULL;
}
      52             : 
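/*
 * Acquire a credential from one concrete mechanism `m` and wrap it in a
 * newly allocated struct _gss_mechanism_cred.
 *
 * `mn` is the mechanism-specific name to acquire a credential for, or
 * NULL to ask for the mechanism's default credential.  `cred_store` is
 * the caller's key/value credential store (GSS_C_NO_CRED_STORE for none).
 *
 * The mechanism is called through the first of these entry points that
 * applies:
 *  1. gm_acquire_cred_from, which is handed cred_store as is;
 *  2. gm_acquire_cred, but only when cred_store is absent or empty.  A
 *     mechanism without cred-store support must not be given a store it
 *     would silently ignore -- the caller could otherwise end up with
 *     default credentials instead of the ones it asked for;
 *  3. the gmc_acquire_cred_with_password compat entry point, when the
 *     store carries a "password" element.  Only that element is forwarded;
 *     any other elements of the store are not passed on in this path.
 * If none applies the result is GSS_S_UNAVAILABLE and *minor_status is
 * left as the caller had it.
 *
 * Returns the mechanism's major status.  On GSS_S_COMPLETE *out owns the
 * new wrapper (the caller links it into its struct _gss_cred); on any
 * other status *out is NULL and the wrapper has been freed.  *time_rec,
 * when non-NULL, is zeroed before the call and otherwise filled in by
 * the mechanism.
 */
static OM_uint32
acquire_mech_cred(OM_uint32 *minor_status,
                  gssapi_mech_interface m,
                  const struct _gss_mechanism_name *mn,
                  OM_uint32 time_req,
                  gss_cred_usage_t cred_usage,
                  gss_const_key_value_set_t cred_store,
                  struct _gss_mechanism_cred **out,
                  OM_uint32 *time_rec)
{
    OM_uint32 major_status;
    struct _gss_mechanism_cred *mc;
    gss_OID_set_desc mech;
    const char *spassword;

    /* Outputs are defined on every return path, including failures. */
    *out = NULL;
    if (time_rec)
        *time_rec = 0;

    mc = calloc(1, sizeof(struct _gss_mechanism_cred));
    if (mc == NULL) {
        *minor_status = ENOMEM;
        return GSS_S_FAILURE;
    }

    /* The OID pointer refers into the mechanism switch entry, not a copy. */
    mc->gmc_mech = m;
    mc->gmc_mech_oid = &m->gm_mech_oid;

    /* Single-element set: each mechanism is only ever asked for itself. */
    mech.count = 1;
    mech.elements = mc->gmc_mech_oid;

    if (m->gm_acquire_cred_from) {
        major_status = m->gm_acquire_cred_from(minor_status,
                                               mn ? mn->gmn_name : GSS_C_NO_NAME,
                                               time_req,
                                               &mech,
                                               cred_usage,
                                               cred_store,
                                               &mc->gmc_cred,
                                               NULL,
                                               time_rec);
    } else if ((cred_store == GSS_C_NO_CRED_STORE || cred_store->count == 0) &&
               m->gm_acquire_cred) {
        /*
         * Plain gm_acquire_cred cannot see the store, so it is only used
         * when there is nothing in the store that could be dropped.
         */
        major_status = m->gm_acquire_cred(minor_status,
                                          mn ? mn->gmn_name : GSS_C_NO_NAME,
                                          time_req,
                                          &mech,
                                          cred_usage,
                                          &mc->gmc_cred,
                                          NULL,
                                          time_rec);
    } else if (m->gm_compat &&
               m->gm_compat->gmc_acquire_cred_with_password &&
               (spassword = find_password_in_cred_store(cred_store)) != NULL) {
        gss_buffer_desc password;

        /*
         * The buffer aliases the store's string; gss_buffer_desc has a
         * non-const value pointer, hence the cast.  The mechanism is
         * expected to treat it read-only and not retain the pointer.
         */
        password.length = strlen(spassword);
        password.value = rk_UNCONST(spassword);

        /* compat glue for loadable mechanisms that implement API-as-SPI */
        major_status = m->gm_compat->gmc_acquire_cred_with_password(minor_status,
                                mn ? mn->gmn_name : GSS_C_NO_NAME,
                                &password,
                                time_req,
                                &mech,
                                cred_usage,
                                &mc->gmc_cred,
                                NULL,
                                time_rec);
    } else
        major_status = GSS_S_UNAVAILABLE;

    /*
     * A mechanism that reports failure must not also hand back a
     * credential: the wrapper is freed below without releasing gmc_cred,
     * so such a credential would leak.  (The success case is free to
     * return whatever the mechanism considers a credential.)
     */
    heim_assert(major_status == GSS_S_COMPLETE || mc->gmc_cred == NULL,
                "gss_acquire_cred_from: mech failed but returned a credential");

    if (major_status == GSS_S_COMPLETE)
        *out = mc;
    else
        free(mc);

    return major_status;
}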
     135             : 
/*
 * gss_acquire_cred_from: acquire a mechglue credential (struct _gss_cred)
 * holding one mechanism credential for every concrete mechanism that can
 * supply one.
 *
 * desired_mechs selects which mechanisms are tried:
 *   - GSS_C_NO_OID_SET: every loaded mechanism (_gss_mech_oids);
 *   - a set naming only GM_USE_MG_CRED mechanisms (e.g. SPNEGO, which
 *     works on top of the mechglue credential): again every mechanism;
 *   - a set with at least one concrete, loaded mechanism: exactly that set
 *     (the caller's set is used in place, not copied);
 *   - a set in which no OID is a loaded mechanism: GSS_S_BAD_MECH.
 * GM_USE_MG_CRED mechanisms are never asked for a credential themselves;
 * they are only appended to *actual_mechs once a credential exists.
 *
 * Per-mechanism failures are not fatal: that mechanism is skipped and the
 * next one is tried, so a GSS_S_COMPLETE result may cover fewer mechanisms
 * than requested -- callers that depend on a particular mechanism should
 * inspect *actual_mechs.  An error is only returned when no mechanism at
 * all produced a credential: GSS_S_NO_CRED (minor 0) when more than one
 * mechanism was in the set, otherwise the last status seen for the single
 * mechanism (or GSS_S_UNAVAILABLE if it was never called).  In the
 * single-mechanism case the failure is also passed to _gss_mg_error,
 * presumably so that gss_display_status can report it; in the
 * multi-mechanism case the individual failure reasons are discarded.
 *
 * All output parameters are reset (GSS_C_NO_CREDENTIAL, GSS_C_NO_OID_SET,
 * 0) before any work is done.  On every error path the partially built
 * credential and *actual_mechs are released again.  *time_rec is the
 * smallest lifetime reported by any successful mechanism.
 */
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_acquire_cred_from(OM_uint32 *minor_status,
                      gss_const_name_t desired_name,
                      OM_uint32 time_req,
                      const gss_OID_set desired_mechs,
                      gss_cred_usage_t cred_usage,
                      gss_const_key_value_set_t cred_store,
                      gss_cred_id_t *output_cred_handle,
                      gss_OID_set *actual_mechs,
                      OM_uint32 *time_rec)
{
    OM_uint32 major_status, minor;
    /*
     * const is cast away because _gss_find_mn takes a non-const name;
     * NOTE(review): it presumably caches the per-mechanism name inside
     * the mechglue name -- confirm against _gss_find_mn.
     */
    struct _gss_name *name = (struct _gss_name *)desired_name;
    gssapi_mech_interface m;
    struct _gss_cred *cred = NULL;
    size_t i;
    OM_uint32 min_time = GSS_C_INDEFINITE;
    gss_OID_set mechs = GSS_C_NO_OID_SET;

    /* Define every output before anything can fail. */
    *minor_status = 0;
    if (output_cred_handle == NULL)
        return GSS_S_CALL_INACCESSIBLE_READ;
    *output_cred_handle = GSS_C_NO_CREDENTIAL;
    if (actual_mechs)
        *actual_mechs = GSS_C_NO_OID_SET;
    if (time_rec)
        *time_rec = 0;

    /* Make sure the mechanism list is populated before we classify OIDs. */
    _gss_load_mech();

    if (desired_mechs != GSS_C_NO_OID_SET) {
        /*
         * -1: no OID in the set is a loaded mechanism
         *  1: only GM_USE_MG_CRED mechanisms were named
         *  0: at least one concrete mechanism was named
         * Unknown OIDs are silently ignored by this classification.
         */
        int only_mg_cred_mechs = -1;

        for (i = 0; i < desired_mechs->count; i++) {
            m = __gss_get_mechanism(&desired_mechs->elements[i]);
            if (m != NULL) {
                if ((m->gm_flags & GM_USE_MG_CRED) == 0)
                    only_mg_cred_mechs = 0;
                else if (only_mg_cred_mechs == -1)
                    only_mg_cred_mechs = 1;
            }
        }
        /*
         * Now SPNEGO supports GM_USE_MG_CRED it's no longer necessary
         * to specifically acquire SPNEGO credentials. If the caller
         * did not specify any concrete mechanisms then we will acquire
         * credentials for all of them.
         */
        if (only_mg_cred_mechs == -1) {
            *minor_status = 0;
            major_status = GSS_S_BAD_MECH;
            goto cleanup;
        } else if (only_mg_cred_mechs == 0)
            mechs = desired_mechs;
        else
            mechs = _gss_mech_oids;
    } else
        mechs = _gss_mech_oids;

    cred = _gss_mg_alloc_cred();
    if (cred == NULL) {
        *minor_status = ENOMEM;
        major_status = GSS_S_FAILURE;
        goto cleanup;
    }

    if (actual_mechs) {
        major_status = gss_create_empty_oid_set(minor_status, actual_mechs);
        if (GSS_ERROR(major_status))
            goto cleanup;
    }

    major_status = GSS_S_UNAVAILABLE; /* in case of no mechs */

    for (i = 0; i < mechs->count; i++) {
        struct _gss_mechanism_name *mn = NULL;
        struct _gss_mechanism_cred *mc = NULL;
        /*
         * Only meaningful after acquire_mech_cred returned GSS_S_COMPLETE
         * (the callee zeroes it on entry, so it is never read uninitialized).
         */
        OM_uint32 cred_time;

        /* Unknown OIDs and mechglue-level mechs (SPNEGO) get no credential. */
        m = __gss_get_mechanism(&mechs->elements[i]);
        if (m == NULL || (m->gm_flags & GM_USE_MG_CRED) != 0)
            continue;

        /*
         * Translate the mechglue name into this mechanism's own name; a
         * name this mechanism cannot represent simply skips the mechanism.
         */
        if (desired_name != GSS_C_NO_NAME) {
            major_status = _gss_find_mn(minor_status, name,
                                        &mechs->elements[i], &mn);
            if (major_status != GSS_S_COMPLETE)
                continue;
        }

        major_status = acquire_mech_cred(minor_status, m, mn,
                                         time_req, cred_usage,
                                         cred_store, &mc, &cred_time);
        if (major_status != GSS_S_COMPLETE) {
            /*
             * Only a single requested mechanism has its failure recorded;
             * with several, the per-mechanism reason is dropped and the
             * caller sees GSS_S_NO_CRED below if all of them fail.
             */
            if (mechs->count == 1)
                _gss_mg_error(m, *minor_status);
            continue;
        }

        _gss_mg_log_name(10, name, &mechs->elements[i],
                         "gss_acquire_cred %s name: %ld/%ld",
                         m->gm_name,
                         (long)major_status, (long)*minor_status);

        /* From here on the mechanism credential is owned by `cred`. */
        HEIM_TAILQ_INSERT_TAIL(&cred->gc_mc, mc, gmc_link);

        /* The aggregate lifetime is the shortest of its parts. */
        if (cred_time < min_time)
            min_time = cred_time;
        if (actual_mechs != NULL) {
            major_status = gss_add_oid_set_member(minor_status,
                                                  mc->gmc_mech_oid,
                                                  actual_mechs);
            if (GSS_ERROR(major_status))
                goto cleanup;
        }
    }

    /*
     * If we didn't manage to create a single credential, return
     * an error.
     */
    if (!HEIM_TAILQ_FIRST(&cred->gc_mc)) {
        /*
         * With one mechanism, major_status still holds that mechanism's
         * own failure (or GSS_S_UNAVAILABLE if it was skipped), which is
         * more informative than a generic GSS_S_NO_CRED.
         */
        if (mechs->count > 1) {
            *minor_status = 0;
            major_status = GSS_S_NO_CRED;
        }
        heim_assert(major_status != GSS_S_COMPLETE,
                    "lack of credentials must result in an error");
        goto cleanup;
    }

    /* add all GM_USE_MG_CRED mechs such as SPNEGO */
    if (actual_mechs != NULL) {
        struct _gss_mech_switch *ms;

        HEIM_TAILQ_FOREACH(ms, &_gss_mechs, gm_link) {
            m = &ms->gm_mech;

            if ((m->gm_flags & GM_USE_MG_CRED) == 0)
                continue;

            major_status = gss_add_oid_set_member(minor_status,
                                                  &m->gm_mech_oid,
                                                  actual_mechs);
            if (GSS_ERROR(major_status))
                goto cleanup;
        }
    }

    /* Success: any minor code left behind by a skipped mechanism is cleared. */
    *minor_status = 0;
    major_status = GSS_S_COMPLETE;

    *output_cred_handle = (gss_cred_id_t)cred;
    if (time_rec)
        *time_rec = min_time;

    _gss_mg_log_cred(10, cred, "gss_acquire_cred_from");

cleanup:
    /*
     * Every error path ends here with major_status != GSS_S_COMPLETE.
     * gss_release_cred tolerates cred == NULL and is expected to release
     * the mechanism credentials already linked into gc_mc; the caller's
     * *actual_mechs is reset to GSS_C_NO_OID_SET by gss_release_oid_set.
     */
    if (major_status != GSS_S_COMPLETE) {
        gss_release_cred(&minor, (gss_cred_id_t *)&cred);
        if (actual_mechs)
            gss_release_oid_set(&minor, actual_mechs);
    }

    return major_status;
}
