/*
 * Copyright 2000 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 */
/*
 * Copyright 1993 by OpenVision Technologies, Inc.
 *
 * Permission to use, copy, modify, distribute, and sell this software
 * and its documentation for any purpose is hereby granted without fee,
 * provided that the above copyright notice appears in all copies and
 * that both that copyright notice and this permission notice appear in
 * supporting documentation, and that the name of OpenVision not be used
 * in advertising or publicity pertaining to distribution of the software
 * without specific, written prior permission. OpenVision makes no
 * representations about the suitability of this software for any
 * purpose. It is provided "as is" without express or implied warranty.
 *
 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */
460Sstevel@tonic-gate
/*
 * Copyright (C) 1998 by the FundsXpress, INC.
 *
 * All rights reserved.
 *
 * Export of this software from the United States of America may require
 * a specific license from the United States Government. It is the
 * responsibility of any person or organization contemplating export to
 * obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of FundsXpress. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. FundsXpress makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */
720Sstevel@tonic-gate
735053Sgtb #include "gssapiP_krb5.h"
745053Sgtb #include "mglueP.h"
750Sstevel@tonic-gate
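/*
 * krb5 mechanism implementation of gss_inquire_cred() (RFC 2744):
 * report the principal name, remaining lifetime, usage and supported
 * mechanism OIDs of a credential.
 *
 * minor_status   receives a krb5 error code (0 on success); may be
 *                overwritten by the failing library call on error.
 * cred_handle    credential to inspect.  GSS_C_NO_CREDENTIAL selects the
 *                default credential via kg_get_defcred(); that credential
 *                is released again before returning.  Any other handle is
 *                first checked with krb5_gss_validate_cred().
 * name           (optional, may be NULL) receives a copy of cred->princ
 *                registered via kg_save_name(), or GSS_C_NO_NAME when the
 *                credential has no principal.  Caller releases it.
 * lifetime_ret   (optional) seconds until cred->tgt_expire, clamped to 0
 *                once expired, or GSS_C_INDEFINITE when tgt_expire is 0.
 * cred_usage     (optional) receives cred->usage.
 * mechanisms     (optional) receives a freshly created OID set holding
 *                gss_mech_krb5_old and/or gss_mech_krb5 according to
 *                cred->prerfc_mech / cred->rfc_mech.  Caller releases it.
 *
 * *name and *mechanisms are cleared to NULL before any step can fail, so
 * the caller never sees a stale pointer.
 *
 * Returns GSS_S_COMPLETE, GSS_S_CREDENTIALS_EXPIRED when the computed
 * lifetime is 0, the major status of kg_get_defcred()/
 * krb5_gss_validate_cred() when resolving the handle fails, or
 * GSS_S_FAILURE (minor_status set) for any other error.
 *
 * cred->lock is held while the credential fields are read and is always
 * released before the default credential is dropped.  All failure paths
 * funnel through a single cleanup label so that the copied principal,
 * the partially built OID set, the default credential and the krb5
 * context are freed exactly once.
 */
OM_uint32
krb5_gss_inquire_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
                      gss_name_t *name, OM_uint32 *lifetime_ret,
                      gss_cred_usage_t *cred_usage, gss_OID_set *mechanisms)
{
    krb5_context context;
    krb5_gss_cred_id_t cred;
    krb5_error_code code;
    krb5_timestamp now;
    krb5_deltat lifetime;
    krb5_principal ret_name = NULL;          /* owned until handed to *name */
    gss_OID_set mechs = GSS_C_NO_OID_SET;    /* owned until handed to *mechanisms */
    OM_uint32 ret = GSS_S_FAILURE;
    OM_uint32 tmp_min_stat;
    int locked = 0;                          /* cred->lock currently held? */

    code = krb5_gss_init_context(&context);
    if (code) {
        *minor_status = code;
        return GSS_S_FAILURE;
    }

    /* Clear the pointer outputs up front so they are defined on every
     * return, including the early ones below. */
    if (name)
        *name = NULL;
    if (mechanisms)
        *mechanisms = NULL;

    /* Resolve the credential.  The default credential is acquired here and
     * must be released by this function; a caller-supplied handle is only
     * validated, never released. */
    /*SUPPRESS 29*/
    if (cred_handle == GSS_C_NO_CREDENTIAL) {
        OM_uint32 major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred);

        if (GSS_ERROR(major)) {
            krb5_free_context(context);
            return major;
        }
    } else {
        OM_uint32 major = krb5_gss_validate_cred(minor_status, cred_handle);

        if (GSS_ERROR(major)) {
            krb5_free_context(context);
            return major;
        }
        cred = (krb5_gss_cred_id_t) cred_handle;
    }

    code = krb5_timeofday(context, &now);
    if (code) {
        *minor_status = code;
        goto fail;
    }

    code = k5_mutex_lock(&cred->lock);
    if (code != 0) {
        *minor_status = code;
        goto fail;
    }
    locked = 1;

    /* A non-positive tgt_expire is treated as "never expires".  A negative
     * remaining time is clamped to 0, which the return value below reports
     * as GSS_S_CREDENTIALS_EXPIRED. */
    if (cred->tgt_expire > 0) {
        lifetime = cred->tgt_expire - now;
        if (lifetime < 0)
            lifetime = 0;
    } else {
        lifetime = GSS_C_INDEFINITE;
    }

    if (name && cred->princ) {
        code = krb5_copy_principal(context, cred->princ, &ret_name);
        if (code) {
            *minor_status = code;
            goto fail;
        }
    }

    if (mechanisms) {
        /* Solaris Kerberos */
        /* Each call sets *minor_status itself; ret carries its major status.
         * On failure the half-built set is released at the fail label. */
        if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
                                                             &mechs)) ||
            (cred->prerfc_mech &&
             GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
                                        (const gss_OID) gss_mech_krb5_old,
                                        &mechs))) ||
            (cred->rfc_mech &&
             GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
                                        (const gss_OID) gss_mech_krb5,
                                        &mechs)))) {
            goto fail;
        }
    }

    if (name) {
        /* The name handle must be accepted by the handle validator before
         * it is exposed to the caller. */
        if (ret_name != NULL && !kg_save_name((gss_name_t) ret_name)) {
            *minor_status = (OM_uint32) G_VALIDATE_FAILED;
            ret = GSS_S_FAILURE;
            goto fail;
        }
        *name = (ret_name != NULL) ? (gss_name_t) ret_name : GSS_C_NO_NAME;
        ret_name = NULL;                     /* ownership moved to the caller */
    }

    if (lifetime_ret)
        *lifetime_ret = lifetime;

    if (cred_usage)
        *cred_usage = cred->usage;

    /* Done reading the credential; unlock before it may be released. */
    k5_mutex_unlock(&cred->lock);
    locked = 0;

    if (mechanisms) {
        *mechanisms = mechs;
        mechs = GSS_C_NO_OID_SET;            /* ownership moved to the caller */
    }

    if (cred_handle == GSS_C_NO_CREDENTIAL)
        krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);

    krb5_free_context(context);
    *minor_status = 0;
    return (lifetime == 0) ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;

fail:
    /* *minor_status was set by whoever jumped here; use a scratch status
     * for the cleanup calls so it is not clobbered. */
    if (locked)
        k5_mutex_unlock(&cred->lock);
    if (ret_name != NULL)
        krb5_free_principal(context, ret_name);
    if (mechs != GSS_C_NO_OID_SET)
        (void) gss_release_oid_set(&tmp_min_stat, &mechs);
    if (cred_handle == GSS_C_NO_CREDENTIAL)
        krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
    krb5_free_context(context);
    return ret;
}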
2200Sstevel@tonic-gate
/* V2 interface */
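/*
 * krb5 mechanism implementation of gss_inquire_cred_by_mech() (RFC 2744,
 * the GSS-API v2 interface): like krb5_gss_inquire_cred() but reports the
 * lifetime split by the direction(s) the credential can be used in.
 *
 * minor_status        receives a krb5 error code (0 on success).
 * cred_handle         credential to inspect; GSS_C_NO_CREDENTIAL means the
 *                     default credential, exactly as in
 *                     krb5_gss_inquire_cred().
 * mech_type           must be GSS_C_NULL_OID, gss_mech_krb5_old or
 *                     gss_mech_krb5; anything else yields GSS_S_NO_CRED
 *                     with minor_status 0, since this mechanism only
 *                     understands its own credentials.
 * name                (optional) see krb5_gss_inquire_cred().
 * initiator_lifetime  (optional) the credential lifetime when its usage is
 *                     GSS_C_INITIATE or GSS_C_BOTH, otherwise 0.
 * acceptor_lifetime   (optional) the credential lifetime when its usage is
 *                     GSS_C_ACCEPT or GSS_C_BOTH, otherwise 0.
 * cred_usage          (optional) receives the credential's usage.
 *
 * Returns the status of krb5_gss_inquire_cred(): GSS_S_COMPLETE,
 * GSS_S_CREDENTIALS_EXPIRED (lifetimes are then 0), or an error, in which
 * case the lifetime and usage outputs are left untouched.
 *
 * The usage is taken from krb5_gss_inquire_cred()'s output rather than
 * read from the handle directly: the handle may be GSS_C_NO_CREDENTIAL
 * (in which case there is no struct to read and the default credential is
 * resolved inside the callee), and the callee reads the field while
 * holding the credential's lock.
 */
OM_uint32
krb5_gss_inquire_cred_by_mech(OM_uint32 *minor_status,
                              gss_cred_id_t cred_handle,
                              gss_OID mech_type, gss_name_t *name,
                              OM_uint32 *initiator_lifetime,
                              OM_uint32 *acceptor_lifetime,
                              gss_cred_usage_t *cred_usage)
{
    OM_uint32 lifetime;
    gss_cred_usage_t usage;
    OM_uint32 mstat;

    /*
     * We only know how to handle our own creds.
     */
    if ((mech_type != GSS_C_NULL_OID) &&
        !g_OID_equal(gss_mech_krb5_old, mech_type) &&
        !g_OID_equal(gss_mech_krb5, mech_type)) {
        *minor_status = 0;
        return GSS_S_NO_CRED;
    }

    mstat = krb5_gss_inquire_cred(minor_status, cred_handle, name,
                                  &lifetime, &usage, (gss_OID_set *) NULL);

    /* krb5_gss_inquire_cred() fills lifetime and usage on both of these
     * outcomes (expired simply means lifetime == 0); on any other status
     * the outputs are undefined and must not be propagated. */
    if (mstat != GSS_S_COMPLETE && mstat != GSS_S_CREDENTIALS_EXPIRED)
        return mstat;

    if (cred_usage)
        *cred_usage = usage;

    /* RFC 2744: a lifetime the credential cannot be used for is reported
     * as zero rather than left unset. */
    if (initiator_lifetime) {
        *initiator_lifetime =
            (usage == GSS_C_INITIATE || usage == GSS_C_BOTH) ? lifetime : 0;
    }
    if (acceptor_lifetime) {
        *acceptor_lifetime =
            (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH) ? lifetime : 0;
    }

    return mstat;
}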