1 /* $NetBSD: store_cred.c,v 1.2 2017/01/28 21:31:46 christos Exp $ */
2
3 /*
4 * Copyright (c) 2003 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "gsskrb5_locl.h"
37
38 OM_uint32 GSSAPI_CALLCONV
_gsskrb5_store_cred(OM_uint32 * minor_status,gss_cred_id_t input_cred_handle,gss_cred_usage_t cred_usage,const gss_OID desired_mech,OM_uint32 overwrite_cred,OM_uint32 default_cred,gss_OID_set * elements_stored,gss_cred_usage_t * cred_usage_stored)39 _gsskrb5_store_cred(OM_uint32 *minor_status,
40 gss_cred_id_t input_cred_handle,
41 gss_cred_usage_t cred_usage,
42 const gss_OID desired_mech,
43 OM_uint32 overwrite_cred,
44 OM_uint32 default_cred,
45 gss_OID_set *elements_stored,
46 gss_cred_usage_t *cred_usage_stored)
47 {
48 krb5_context context;
49 krb5_error_code ret;
50 gsskrb5_cred cred;
51 krb5_ccache id = NULL;
52 krb5_ccache def_ccache = NULL;
53 const char *def_type = NULL;
54 time_t exp_current;
55 time_t exp_new;
56
57 *minor_status = 0;
58
59 if (cred_usage != GSS_C_INITIATE) {
60 *minor_status = GSS_KRB5_S_G_BAD_USAGE;
61 return GSS_S_FAILURE;
62 }
63
64 if (desired_mech != GSS_C_NO_OID &&
65 gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0)
66 return GSS_S_BAD_MECH;
67
68 cred = (gsskrb5_cred)input_cred_handle;
69 if (cred == NULL)
70 return GSS_S_NO_CRED;
71
72 GSSAPI_KRB5_INIT (&context);
73
74 HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
75 if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
76 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
77 *minor_status = GSS_KRB5_S_G_BAD_USAGE;
78 return GSS_S_FAILURE;
79 }
80
81 ret = krb5_cc_get_lifetime(context, cred->ccache, &exp_new);
82 if (ret) {
83 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
84 *minor_status = ret;
85 return GSS_S_NO_CRED;
86 }
87
88 if (cred->principal == NULL) {
89 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
90 *minor_status = GSS_KRB5_S_KG_TGT_MISSING;
91 return GSS_S_FAILURE;
92 }
93
94 ret = krb5_cc_default(context, &def_ccache);
95 if (ret == 0) {
96 def_type = krb5_cc_get_type(context, def_ccache);
97 krb5_cc_close(context, def_ccache);
98 }
99 def_ccache = NULL;
100
101 /* write out cred to credential cache */
102 ret = krb5_cc_cache_match(context, cred->principal, &id);
103 if (ret) {
104 if (default_cred) {
105 ret = krb5_cc_default(context, &id);
106 if (ret) {
107 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
108 *minor_status = ret;
109 return GSS_S_FAILURE;
110 }
111 } else {
112 if (def_type == NULL ||
113 !krb5_cc_support_switch(context, def_type)) {
114 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
115 *minor_status = 0; /* XXX */
116 return GSS_S_NO_CRED; /* XXX */
117 }
118 ret = krb5_cc_new_unique(context, def_type, NULL, &id);
119 if (ret) {
120 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
121 *minor_status = ret;
122 return GSS_S_FAILURE;
123 }
124 overwrite_cred = 1;
125 }
126 }
127
128 if (!overwrite_cred) {
129 /* If current creds are expired or near it, overwrite */
130 ret = krb5_cc_get_lifetime(context, id, &exp_current);
131 if (ret != 0 || exp_new > exp_current)
132 overwrite_cred = 1;
133 }
134
135 if (!overwrite_cred) {
136 /* Nothing to do */
137 krb5_cc_close(context, id);
138 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
139 *minor_status = 0;
140 return GSS_S_DUPLICATE_ELEMENT;
141 }
142
143 ret = krb5_cc_initialize(context, id, cred->principal);
144 if (ret == 0)
145 ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL);
146 if (ret) {
147 krb5_cc_close(context, id);
148 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
149 *minor_status = ret;
150 return(GSS_S_FAILURE);
151 }
152
153 if (default_cred && def_type != NULL &&
154 krb5_cc_support_switch(context, def_type))
155 krb5_cc_switch(context, id);
156
157 krb5_cc_close(context, id);
158 HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
159 *minor_status = 0;
160 return GSS_S_COMPLETE;
161 }
162