From e0bb9c10cad0fd98245caecf8af8fca855b2df49 Mon Sep 17 00:00:00 2001 
From: Luke Howard Date: Thu, 3 Jan 2019 09:26:41 +1100 Subject: [PATCH] gssapi: credential store extensions (#451) Implement the GSS-API credential store API extensions defined by MIT here: https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions Note: we kill off gss_acquire_cred_ext() here. This was never a public API, although mechanisms could have implemented it and I briefly used it in my BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place in the dispatch table where gss_acquire_cred_ext() used to, but this structure was never visible outside Heimdal (i.e. it is only used by internal mechanisms); (Mechanisms that need to accept arbitrary key/value dictionaries from applications should now implement gss_acquire_cred_from().) --- lib/gssapi/Makefile.am | 4 +- lib/gssapi/NTMakefile | 8 +- lib/gssapi/gssapi/gssapi.h | 64 ++++- lib/gssapi/gssapi/gssapi_oid.h | 7 - lib/gssapi/gssapi_mech.h | 76 ++--- lib/gssapi/krb5/acquire_cred.c | 238 +++++++++------- lib/gssapi/krb5/add_cred.c | 20 +- lib/gssapi/krb5/duplicate_cred.c | 13 +- lib/gssapi/krb5/external.c | 10 +- lib/gssapi/krb5/gkrb5_err.et | 2 + lib/gssapi/krb5/inquire_cred.c | 34 +-- lib/gssapi/krb5/store_cred.c | 89 +++--- lib/gssapi/libgssapi-exports.def | 5 +- lib/gssapi/mech/cred.h | 23 +- lib/gssapi/mech/gss_acquire_cred.c | 136 +-------- lib/gssapi/mech/gss_acquire_cred_ext.c | 203 -------------- lib/gssapi/mech/gss_acquire_cred_from.c | 265 ++++++++++++++++++ .../mech/gss_acquire_cred_with_password.c | 96 ++----- lib/gssapi/mech/gss_add_cred.c | 173 +----------- lib/gssapi/mech/gss_add_cred_from.c | 229 +++++++++++++++ lib/gssapi/mech/gss_add_cred_with_password.c | 132 +++------ lib/gssapi/mech/gss_cred.c | 1 + lib/gssapi/mech/gss_duplicate_cred.c | 94 +++++-- lib/gssapi/mech/gss_mech_switch.c | 4 +- lib/gssapi/mech/gss_oid.c | 8 - lib/gssapi/mech/gss_store_cred.c | 64 +---- lib/gssapi/mech/gss_store_cred_into.c | 130 +++++++++ lib/gssapi/netlogon/external.c | 4 +- 
lib/gssapi/ntlm/acquire_cred.c | 17 +- lib/gssapi/ntlm/duplicate_cred.c | 8 +- lib/gssapi/ntlm/external.c | 6 +- lib/gssapi/oid.txt | 6 +- lib/gssapi/spnego/cred_stubs.c | 15 +- lib/gssapi/spnego/external.c | 6 +- lib/gssapi/test_acquire_cred.c | 44 ++- lib/gssapi/test_add_store_cred.c | 33 +-- lib/gssapi/test_context.c | 46 ++- lib/gssapi/version-script.map | 5 +- tests/gss/check-spnego.in | 25 ++ 39 files changed, 1289 insertions(+), 1054 deletions(-) delete mode 100644 lib/gssapi/mech/gss_acquire_cred_ext.c create mode 100644 lib/gssapi/mech/gss_acquire_cred_from.c create mode 100644 lib/gssapi/mech/gss_add_cred_from.c create mode 100644 lib/gssapi/mech/gss_store_cred_into.c
diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am
index 3c059afdb..e94465d18 100644
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
@@ -82,9 +82,10 @@ mechsrc = \
 mech/doxygen.c \
 mech/gss_accept_sec_context.c \
 mech/gss_acquire_cred.c \
- mech/gss_acquire_cred_ext.c \
+ mech/gss_acquire_cred_from.c \
 mech/gss_acquire_cred_with_password.c \
 mech/gss_add_cred.c \
+ mech/gss_add_cred_from.c \
 mech/gss_add_cred_with_password.c \
 mech/gss_add_oid_set_member.c \
 mech/gss_aeap.c \
@@ -141,6 +142,7 @@ mechsrc = \
 mech/gss_set_sec_context_option.c \
 mech/gss_sign.c \
 mech/gss_store_cred.c \
+ mech/gss_store_cred_into.c \
 mech/gss_test_oid_set_member.c \
 mech/gss_unseal.c \
 mech/gss_unwrap.c \
diff --git a/lib/gssapi/NTMakefile b/lib/gssapi/NTMakefile
index 9a9f6d728..871f07422 100644
--- a/lib/gssapi/NTMakefile
+++ b/lib/gssapi/NTMakefile
@@ -98,9 +98,10 @@ mechsrc = \
 mech/cred.h \
 mech/gss_accept_sec_context.c \
 mech/gss_acquire_cred.c \
- mech/gss_acquire_cred_ext.c \
+ mech/gss_acquire_cred_from.c \
 mech/gss_acquire_cred_with_password.c \
 mech/gss_add_cred.c \
+ mech/gss_add_cred_from.c \
 mech/gss_add_cred_with_password.c \
 mech/gss_add_oid_set_member.c \
 mech/gss_aeap.c \
@@ -158,6 +159,7 @@ mechsrc = \
 mech/gss_set_sec_context_option.c \
 mech/gss_sign.c \
 mech/gss_store_cred.c \
+ mech/gss_store_cred_into.c \
 mech/gss_test_oid_set_member.c \
 mech/gss_unseal.c \
 mech/gss_unwrap.c \
@@ -328,9 +330,10 @@ libgssapi_OBJs = \
 $(OBJ)\mech/context.obj \
 $(OBJ)\mech/gss_accept_sec_context.obj \
 $(OBJ)\mech/gss_acquire_cred.obj \
- $(OBJ)\mech/gss_acquire_cred_ext.obj \
+ $(OBJ)\mech/gss_acquire_cred_from.obj \
 $(OBJ)\mech/gss_acquire_cred_with_password.obj \
 $(OBJ)\mech/gss_add_cred.obj \
+ $(OBJ)\mech/gss_add_cred_from.obj \
 $(OBJ)\mech/gss_add_cred_with_password.obj \
 $(OBJ)\mech/gss_add_oid_set_member.obj \
 $(OBJ)\mech/gss_aeap.obj \
@@ -388,6 +391,7 @@ libgssapi_OBJs = \
 $(OBJ)\mech/gss_set_sec_context_option.obj \
 $(OBJ)\mech/gss_sign.obj \
 $(OBJ)\mech/gss_store_cred.obj \
+ $(OBJ)\mech/gss_store_cred_into.obj \
 $(OBJ)\mech/gss_test_oid_set_member.obj \
 $(OBJ)\mech/gss_unseal.obj \
 $(OBJ)\mech/gss_unwrap.obj \
diff --git a/lib/gssapi/gssapi/gssapi.h b/lib/gssapi/gssapi/gssapi.h
index 59eb717ce..704777a33 100644
--- a/lib/gssapi/gssapi/gssapi.h
+++ b/lib/gssapi/gssapi/gssapi.h
@@ -141,13 +141,25 @@ typedef struct gss_iov_buffer_desc_struct { gss_buffer_desc buffer; } gss_iov_buffer_desc, *gss_iov_buffer_t; +/* Credential store extensions */ +typedef struct gss_key_value_element_struct { + const char *key; + const char *value; +} gss_key_value_element_desc; + +typedef struct gss_key_value_set_struct { + OM_uint32 count; /* should be size_t, but for MIT compat */ + gss_key_value_element_desc *elements; +} gss_key_value_set_desc, *gss_key_value_set_t; + +typedef const gss_key_value_set_desc *gss_const_key_value_set_t; + /* * For now, define a QOP-type as an OM_uint32 */ typedef OM_uint32 gss_qop_t; - /* * Flag bits for context-level services. */
@@ -220,6 +232,7 @@ typedef OM_uint32 gss_qop_t; #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0) #define GSS_C_EMPTY_BUFFER {0, NULL} #define GSS_C_NO_IOV_BUFFER ((gss_iov_buffer_t)0) +#define GSS_C_NO_CRED_STORE ((gss_key_value_set_t)0) /* * Some alternate names for a couple of the above 
@@ -1123,16 +1136,57 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_duplicate_cred ( gss_const_cred_id_t /*input_cred_handle*/, gss_cred_id_t * /*output_cred_handle*/ ); -/* - * - */ - GSSAPI_LIB_FUNCTION const char * GSSAPI_LIB_CALL gss_oid_to_name(gss_const_OID oid); GSSAPI_LIB_FUNCTION gss_OID GSSAPI_LIB_CALL gss_name_to_oid(const char *name); +/* + * Credential store extensions + */ +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_acquire_cred_from( + OM_uint32 * /* minor_status */, + gss_const_name_t /* desired_name */, + OM_uint32 /* time_req */, + const gss_OID_set /* desired_mechs */, + gss_cred_usage_t /* cred_usage */, + gss_const_key_value_set_t /* cred_store */, + gss_cred_id_t * /* output_cred_handle */, + gss_OID_set * /* actual_mechs */, + OM_uint32 * /* time_rec */ + ); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_add_cred_from( + OM_uint32 * /* minor_status */, + gss_cred_id_t /* input_cred_handle */, + gss_const_name_t /* desired_name */, + const gss_OID /* desired_mech */, + gss_cred_usage_t /* cred_usage */, + OM_uint32 /* initiator_time_req */, + OM_uint32 /* acceptor_time_req */, + gss_const_key_value_set_t /* cred_store */, + gss_cred_id_t * /* output_cred_handle */, + gss_OID_set * /* actual_mechs */, + OM_uint32 * /* initiator_time_rec */, + OM_uint32 * /*acceptor_time_rec */ + ); + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_store_cred_into( + OM_uint32 * /* minor_status */, + gss_const_cred_id_t /* input_cred_handle */, + gss_cred_usage_t /* input_usage */, + const gss_OID /* desired_mech */, + OM_uint32 /* overwrite_cred */, + OM_uint32 /* default_cred */, + gss_const_key_value_set_t /* cred_store */, + gss_OID_set * /* elements_stored */, + gss_cred_usage_t * /* cred_usage_stored */ + ); + GSSAPI_CPP_END #if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__)) 
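Review bot: The three new public prototypes are covered only by the `Credential store extensions` banner, and since gssapi.h is the installed header a short contract comment per function would help callers: that `cred_store` may be `GSS_C_NO_CRED_STORE` to select the default store, that element keys are mechanism-defined, and that the set appears to be borrowed for the duration of the call rather than copied (the krb5 mech hands the `password` value straight down). A key whose meaning one mechanism does not recognise is a good thing to document too, since the krb5 acquire path in this commit does not reject unknown keys. Minor: `/*acceptor_time_rec */` lacks the leading space its neighbours have.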
diff --git a/lib/gssapi/gssapi/gssapi_oid.h b/lib/gssapi/gssapi/gssapi_oid.h index 3d00c060d..a61466144 100644 --- a/lib/gssapi/gssapi/gssapi_oid.h +++ b/lib/gssapi/gssapi/gssapi_oid.h @@ -109,13 +109,6 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_name_oid_desc; extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_description_oid_desc; #define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc) - /* credential types */ -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_password_oid_desc; -#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc) - -extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_certificate_oid_desc; -#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc) - /* Heimdal mechanisms - 1.2.752.43.14 */ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc; #define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc) diff --git a/lib/gssapi/gssapi_mech.h b/lib/gssapi/gssapi_mech.h index ee86d7899..ed71c0b4b 100644 --- a/lib/gssapi/gssapi_mech.h +++ b/lib/gssapi/gssapi_mech.h @@ -360,18 +360,7 @@ typedef OM_uint32 GSSAPI_CALLCONV _gss_import_cred_t(OM_uint32 * minor_status, gss_buffer_t cred_token, gss_cred_id_t * cred_handle); - - -typedef OM_uint32 GSSAPI_CALLCONV -_gss_acquire_cred_ext_t(OM_uint32 * /*minor_status */, - gss_const_name_t /* desired_name */, - gss_const_OID /* credential_type */, - const void * /* credential_data */, - OM_uint32 /* time_req */, - gss_const_OID /* desired_mech */, - gss_cred_usage_t /* cred_usage */, - gss_cred_id_t * /* output_cred_handle */); - + typedef void GSSAPI_CALLCONV _gss_iter_creds_t(OM_uint32 /* flags */, void * /* userctx */, 
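Review bot: Deleting `__gss_c_cred_password_oid_desc` and `__gss_c_cred_certificate_oid_desc` from gssapi_oid.h removes declarations that shipped in the installed public header, so any third-party code using `GSS_C_CRED_PASSWORD` or `GSS_C_CRED_CERTIFICATE` stops compiling, and if the data symbols also leave the export lists (the diffstat touches version-script.map and libgssapi-exports.def) binaries that reference them stop loading. The commit message argues that gss_acquire_cred_ext() was never public, but these OIDs were, which is a separate compatibility question from the function. Keeping the two `gss_OID_desc` definitions exported with a deprecation comment, or stating the ABI break explicitly in the commit message, would make this safer to ship.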
@@ -447,6 +436,42 @@ typedef OM_uint32 GSSAPI_CALLCONV _gss_export_name_composite_t ( gss_buffer_t /* exp_composite_name */ ); +typedef OM_uint32 GSSAPI_CALLCONV +_gss_acquire_cred_from_t(OM_uint32 *minor_status, + gss_const_name_t desired_name, + OM_uint32 time_req, + gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_const_key_value_set_t cred_store, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec); + +typedef OM_uint32 GSSAPI_CALLCONV +_gss_add_cred_from_t(OM_uint32 *minor_status, + gss_cred_id_t input_cred_handle, + gss_const_name_t desired_name, + const gss_OID desired_mech, + gss_cred_usage_t cred_usage, + OM_uint32 initiator_time_req, + OM_uint32 acceptor_time_req, + gss_const_key_value_set_t cred_store, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *initiator_time_rec, + OM_uint32 *acceptor_time_rec); + +typedef OM_uint32 GSSAPI_CALLCONV +_gss_store_cred_into_t(OM_uint32 *minor_status, + gss_const_cred_id_t input_cred_handle, + gss_cred_usage_t input_usage, + gss_OID desired_mech, + OM_uint32 overwrite_cred, + OM_uint32 default_cred, + gss_const_key_value_set_t cred_store, + gss_OID_set *elements_stored, + gss_cred_usage_t *cred_usage_stored); + /* * */ @@ -485,7 +510,7 @@ typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t ( /* mechglue internal */ struct gss_mech_compat_desc_struct; -#define GMI_VERSION 5 +#define GMI_VERSION 6 /* gm_flags */ #define GM_USE_MG_CRED 1 /* uses mech glue credentials */ @@ -535,7 +560,7 @@ typedef struct gssapi_mech_interface_desc { _gss_store_cred_t *gm_store_cred; _gss_export_cred_t *gm_export_cred; _gss_import_cred_t *gm_import_cred; - _gss_acquire_cred_ext_t *gm_acquire_cred_ext; + _gss_acquire_cred_from_t *gm_acquire_cred_from; /* was acquire_cred_ext */ _gss_iter_creds_t *gm_iter_creds; _gss_destroy_cred_t *gm_destroy_cred; _gss_cred_hold_t *gm_cred_hold; 
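Review bot: `_gss_store_cred_into_t` declares `gss_OID desired_mech` while `_gss_add_cred_from_t` and the public `gss_store_cred_into` prototype use `const gss_OID`; aligning the typedef, `gss_OID desired_mech,` → `const gss_OID desired_mech,`, avoids a needless cast or warning in the glue that forwards the argument.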
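Review bot: `gm_acquire_cred_from` reuses the dispatch slot of `gm_acquire_cred_ext` with a different prototype, so the only thing standing between a GMI_VERSION 5 plugin's `gm_acquire_cred_ext` and a call through the new signature is the loader's version check; worth confirming that gss_mech_switch.c rejects, rather than merely logs, a mismatched `gm_version` before this lands. The `/* was acquire_cred_ext */` comment is useful, but the reason for the bump is not recorded where the constant lives; something like `#define GMI_VERSION 6 /* gm_acquire_cred_ext slot became gm_acquire_cred_from; gm_add_cred_from and gm_store_cred_into appended */` keeps that history with the number.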
@@ -553,6 +578,8 @@ typedef struct gssapi_mech_interface_desc { _gss_delete_name_attribute_t *gm_delete_name_attribute; _gss_export_name_composite_t *gm_export_name_composite; _gss_duplicate_cred_t *gm_duplicate_cred; + _gss_add_cred_from_t *gm_add_cred_from; + _gss_store_cred_into_t *gm_store_cred_into; struct gss_mech_compat_desc_struct *gm_compat; } gssapi_mech_interface_desc, *gssapi_mech_interface; @@ -582,25 +609,4 @@ struct _gss_oid_name_table { extern struct _gss_oid_name_table _gss_ont_mech[]; extern struct _gss_oid_name_table _gss_ont_ma[]; -/* - * Extended credentials acqusition API, not to be exported until - * it or something equivalent has been standardised. - */ -extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc; -#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc) - -extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc; -#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc) - -OM_uint32 _gss_acquire_cred_ext - (OM_uint32 * /*minor_status*/, - gss_const_name_t /*desired_name*/, - gss_const_OID /*credential_type*/, - const void * /*credential_data*/, - OM_uint32 /*time_req*/, - gss_const_OID /*desired_mech*/, - gss_cred_usage_t /*cred_usage*/, - gss_cred_id_t * /*output_cred_handle*/ - ); - #endif /* GSSAPI_MECH_H */ diff --git a/lib/gssapi/krb5/acquire_cred.c b/lib/gssapi/krb5/acquire_cred.c index 4c5ec35a3..4ccad45dd 100644 --- a/lib/gssapi/krb5/acquire_cred.c +++ b/lib/gssapi/krb5/acquire_cred.c 
@@ -33,6 +33,44 @@ #include "gsskrb5_locl.h" +/* + * Find an element in a cred store. Returns GSS_S_COMPLETE if the cred store + * is absent or well formed, irrespective of whether the element exists. The + * caller should check for *value != NULL before using; values are typically + * optional, hence this behavior. (The caller should validate the return + * value at least once though, to check it is well-formed.) + */ +OM_uint32 +__gsskrb5_cred_store_find(OM_uint32 *minor_status, + gss_const_key_value_set_t cred_store, + const char *key, + const char **value) +{ + size_t i; + + *value = NULL; + + if (cred_store == GSS_C_NO_CRED_STORE) + return GSS_S_COMPLETE; + else if (cred_store->count == 0) { + *minor_status = GSS_KRB5_S_G_BAD_USAGE; + return GSS_S_NO_CRED; + } + + for (i = 0; i < cred_store->count; i++) { + if (strcmp(key, cred_store->elements[i].key) == 0) { + if (*value) { + *value = NULL; + *minor_status = GSS_KRB5_S_G_BAD_USAGE; + return GSS_S_DUPLICATE_ELEMENT; + } + *value = cred_store->elements[i].value; + } + } + + return GSS_S_COMPLETE; +} + OM_uint32 __gsskrb5_ccache_lifetime(OM_uint32 *minor_status, krb5_context context, @@ -58,13 +96,21 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status, static krb5_error_code -get_system_keytab(krb5_context context, krb5_keytab *keytab) +get_system_keytab(krb5_context context, + gss_const_key_value_set_t cred_store, + krb5_keytab *keytab) { krb5_error_code kret; + const char *cs_ktname; + OM_uint32 tmp; + + __gsskrb5_cred_store_find(&tmp, cred_store, "keytab", &cs_ktname); HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex); - if (_gsskrb5_keytab != NULL) { + if (cs_ktname) + kret = krb5_kt_resolve(context, cs_ktname, keytab); + else if (_gsskrb5_keytab != NULL) { char *name = NULL; kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name); 
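Review bot: `__gsskrb5_cred_store_find` runs `strcmp(key, cred_store->elements[i].key)` without checking that `elements` and each `elements[i].key` are non-NULL, and the set is application-supplied, so a malformed store crashes inside the library instead of producing the error the header comment promises for ill-formed input. A guard before the loop, `if (cred_store->elements == NULL) { *minor_status = GSS_KRB5_S_G_BAD_USAGE; return GSS_S_NO_CRED; }`, and the same treatment for `cred_store->elements[i].key == NULL` inside it, would close that gap; `is_valid_password_cred_store` in the next hunk does the same unchecked `strcmp` and would want the same guard or to rely on this function having been called first.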
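Review bot: `get_system_keytab` discards the major status of `__gsskrb5_cred_store_find` into `tmp`, so a store with two `keytab` elements yields `cs_ktname == NULL` and the code silently falls back to the process-wide keytab rather than the one the caller named; the new header comment says callers must validate the return at least once, and this caller never does. Returning an error from `get_system_keytab` when `GSS_ERROR()` is set on that lookup avoids the quiet downgrade; `get_client_keytab` in the next hunk has the same discarded status on its `client_keytab` lookup.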
@@ -82,15 +128,26 @@ get_system_keytab(krb5_context context, krb5_keytab *keytab) static krb5_error_code get_client_keytab(krb5_context context, + gss_const_key_value_set_t cred_store, krb5_const_principal principal, krb5_keytab *keytab) { krb5_error_code ret; - char *name = NULL; + const char *cs_ktname; + OM_uint32 tmp; + + __gsskrb5_cred_store_find(&tmp, cred_store, "client_keytab", &cs_ktname); + + if (cs_ktname) + ret = krb5_kt_resolve(context, cs_ktname, keytab); + else { + char *name = NULL; + ret = _krb5_kt_client_default_name(context, &name); + if (ret == 0) + ret = krb5_kt_resolve(context, name, keytab); + krb5_xfree(name); + } - ret = _krb5_kt_client_default_name(context, &name); - if (ret == 0) - ret = krb5_kt_resolve(context, name, keytab); if (ret == 0 && principal) { krb5_keytab_entry entry; @@ -99,14 +156,31 @@ get_client_keytab(krb5_context context, if (ret == 0) krb5_kt_free_entry(context, &entry); } - krb5_xfree(name); if (ret) - ret = get_system_keytab(context, keytab); + ret = get_system_keytab(context, GSS_C_NO_CRED_STORE, keytab); return ret; } +static krb5_boolean +is_valid_password_cred_store(gss_const_key_value_set_t cred_store) +{ + size_t i; + + if (cred_store == GSS_C_NO_CRED_STORE) + return TRUE; + + /* XXX don't check keytab, someday we will allow password+acceptor creds */ + for (i = 0; i < cred_store->count; i++) { + if (strcmp(cred_store->elements[i].key, "ccache") == 0 || + strcmp(cred_store->elements[i].key, "client_keytab") == 0) + return FALSE; + } + + return TRUE; +} + /* * This function produces a cred with a MEMORY ccache containing a TGT * acquired with a password. @@ -116,8 +190,9 @@ acquire_cred_with_password(OM_uint32 *minor_status, krb5_context context, const char *password, OM_uint32 time_req, - gss_const_OID desired_mech, + gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, + gss_const_key_value_set_t cred_store, gsskrb5_cred handle) { OM_uint32 ret = GSS_S_FAILURE; 
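Review bot: When the `client_keytab` named in the store fails to resolve or lacks the principal, `get_client_keytab` falls back to `get_system_keytab(context, GSS_C_NO_CRED_STORE, keytab)`, so a `keytab` element in the same store is ignored on exactly the path where the caller's choice matters most. If the fallback is meant to honour the store, pass it through: `ret = get_system_keytab(context, cred_store, keytab);`; if an explicit client keytab should not fall back at all, that decision deserves a comment at the call. The `desired_mechs` parameter added to `acquire_cred_with_password` is not referenced anywhere in the visible part of the body; if it is unused in the rest of the function, a `(void)desired_mechs;` or dropping it would keep `-Wunused-parameter` quiet.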
@@ -128,6 +203,11 @@ acquire_cred_with_password(OM_uint32 *minor_status, time_t now; OM_uint32 left; + if (!is_valid_password_cred_store(cred_store)) { + *minor_status = GSS_KRB5_S_G_BAD_PASSWORD_CRED_STORE; + return GSS_S_NO_CRED; + } + if (cred_usage == GSS_C_ACCEPT) { /* * TODO: Here we should eventually support user2user (when we get @@ -212,11 +292,12 @@ static OM_uint32 acquire_initiator_cred(OM_uint32 *minor_status, krb5_context context, OM_uint32 time_req, - gss_const_OID desired_mech, + gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, + gss_const_key_value_set_t cred_store, gsskrb5_cred handle) { - OM_uint32 ret = GSS_S_FAILURE; + OM_uint32 ret; krb5_creds cred; krb5_get_init_creds_opt *opt; krb5_principal def_princ = NULL; @@ -225,11 +306,19 @@ acquire_initiator_cred(OM_uint32 *minor_status, krb5_keytab keytab = NULL; krb5_error_code kret = 0; OM_uint32 left; + const char *cs_ccache_name; time_t lifetime = 0; time_t now; memset(&cred, 0, sizeof(cred)); + ret = __gsskrb5_cred_store_find(minor_status, cred_store, + "ccache", &cs_ccache_name); + if (GSS_ERROR(ret)) + return ret; + + ret = GSS_S_FAILURE; + /* * Get current time early so we can set handle->endtime to a value that * cannot accidentally be past the real endtime. We need a variant of @@ -239,7 +328,8 @@ acquire_initiator_cred(OM_uint32 *minor_status, /* * First look for a ccache that has the desired_name (which may be - * the default credential name). + * the default credential name), unless a specific credential cache + * was included in cred_store. * * If we don't have an unexpired credential, acquire one with a * keytab. @@ -250,7 +340,7 @@ acquire_initiator_cred(OM_uint32 *minor_status, * If we don't have any such ccache, then use a MEMORY ccache. */ - if (handle->principal != NULL) { + if (handle->principal != NULL && cs_ccache_name == NULL) { /* * Not default credential case. See if we can find a ccache in * the cccol for the desired_name. 
@@ -277,7 +367,10 @@ acquire_initiator_cred(OM_uint32 *minor_status, * Either desired_name was GSS_C_NO_NAME (default cred) or * krb5_cc_cache_match() failed (or found expired). */ - kret = krb5_cc_default(context, &def_ccache); + if (cs_ccache_name) + kret = krb5_cc_resolve(context, cs_ccache_name, &def_ccache); + else + kret = krb5_cc_default(context, &def_ccache); if (kret != 0) goto try_keytab; kret = krb5_cc_get_lifetime(context, def_ccache, &lifetime); @@ -319,7 +412,7 @@ try_keytab: if (kret) goto end; } - kret = get_client_keytab(context, handle->principal, &keytab); + kret = get_client_keytab(context, cred_store, handle->principal, &keytab); if (kret) goto end; @@ -398,8 +491,9 @@ static OM_uint32 acquire_acceptor_cred(OM_uint32 * minor_status, krb5_context context, OM_uint32 time_req, - gss_const_OID desired_mech, + gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, + gss_const_key_value_set_t cred_store, gsskrb5_cred handle) { OM_uint32 ret; @@ -407,7 +501,7 @@ acquire_acceptor_cred(OM_uint32 * minor_status, ret = GSS_S_FAILURE; - kret = get_system_keytab(context, &handle->keytab); + kret = get_system_keytab(context, cred_store, &handle->keytab); if (kret) goto end; @@ -449,18 +543,23 @@ end: return (ret); } -OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred + +OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_from (OM_uint32 * minor_status, gss_const_name_t desired_name, OM_uint32 time_req, - const gss_OID_set desired_mechs, + gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, + gss_const_key_value_set_t cred_store, gss_cred_id_t * output_cred_handle, - gss_OID_set * actual_mechs, - OM_uint32 * time_rec + gss_OID_set *actual_mechs, + OM_uint32 *time_rec ) { + krb5_context context; + gsskrb5_cred handle; OM_uint32 ret; + const char *password = NULL; if (desired_mechs) { int present = 0; 
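Review bot: With a `ccache` element present, the condition `handle->principal != NULL && cs_ccache_name == NULL` in the previous hunk skips the cccol match and this hunk opens the store's cache via `krb5_cc_resolve` regardless of `desired_name`; the remainder of acquire_initiator_cred below this hunk (outside SOURCE) should still compare the resolved cache's principal with `handle->principal` when both are supplied, otherwise a handle for one name can end up backed by another principal's tickets. If that comparison exists, a comment on the new branch, e.g. `/* principal of the resolved cache is checked against handle->principal below */`, would make the invariant visible; if it does not, it needs adding.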
@@ -475,43 +574,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred } } - ret = _gsskrb5_acquire_cred_ext(minor_status, - desired_name, - GSS_C_NO_OID, - NULL, - time_req, - GSS_KRB5_MECHANISM, - cred_usage, - output_cred_handle); - if (ret) - return ret; - - - ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle, - NULL, time_rec, NULL, actual_mechs); - if (ret) { - OM_uint32 tmp; - _gsskrb5_release_cred(&tmp, output_cred_handle); - } - - return ret; -} - -OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext -(OM_uint32 * minor_status, - gss_const_name_t desired_name, - gss_const_OID credential_type, - const void *credential_data, - OM_uint32 time_req, - gss_const_OID desired_mech, - gss_cred_usage_t cred_usage, - gss_cred_id_t * output_cred_handle - ) -{ - krb5_context context; - gsskrb5_cred handle; - OM_uint32 ret; - cred_usage &= GSS_C_OPTION_MASK; if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && @@ -520,6 +582,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext return GSS_S_FAILURE; } + ret = __gsskrb5_cred_store_find(minor_status, cred_store, + "password", &password); + if (GSS_ERROR(ret)) + return ret; + GSSAPI_KRB5_INIT(&context); *output_cred_handle = GSS_C_NO_CREDENTIAL; 
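Review bot: `_gsskrb5_acquire_cred_from` only looks up the keys it understands, so a misspelled key in the store is silently ignored and the call proceeds with default credentials, which is the opposite of what a caller supplying an explicit store expects; this is inconsistent with `_gsskrb5_store_cred_into` later in the patch, which rejects a store lacking `ccache` with `GSS_KRB5_S_G_UNKNOWN_CRED_STORE_ELEMENT`. A single pass over `cred_store->elements` after the `password` lookup that returns `GSS_S_NO_CRED` with that minor code for any key other than `ccache`, `keytab`, `client_keytab` and `password` would give both entry points the same contract. The function's body continues past the end of this hunk.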
@@ -542,57 +609,24 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext } } - if (credential_type != GSS_C_NO_OID && - gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) { - /* Acquire a cred with a password */ - gss_const_buffer_t pwbuf = credential_data; - char *pw; - - if (pwbuf == NULL) { - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - free(handle); - *minor_status = KRB5_NOCREDS_SUPPLIED; /* see below */ - return GSS_S_CALL_INACCESSIBLE_READ; - } - - /* NUL-terminate the password, if it wasn't already */ - pw = strndup(pwbuf->value, pwbuf->length); - if (pw == NULL) { - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - free(handle); - *minor_status = krb5_enomem(context); - return GSS_S_CALL_INACCESSIBLE_READ; - } - ret = acquire_cred_with_password(minor_status, context, pw, time_req, - desired_mech, cred_usage, handle); - free(pw); + if (password) { + ret = acquire_cred_with_password(minor_status, context, password, time_req, + desired_mechs, cred_usage, cred_store, handle); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); krb5_free_principal(context, handle->principal); free(handle); return (ret); } - } else if (credential_type != GSS_C_NO_OID) { - /* - * _gss_acquire_cred_ext() called with something other than a password. - * - * Not supported. - * - * _gss_acquire_cred_ext() is not a supported public interface, so - * we don't have to try too hard as to minor status codes here. - */ - HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); - free(handle); - *minor_status = ENOTSUP; - return GSS_S_FAILURE; } else { /* - * Acquire a credential from the background credential store (ccache, - * keytab). + * Acquire a credential from the specified or background credential + * store (ccache, keytab). 
*/ if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { ret = acquire_initiator_cred(minor_status, context, time_req, - desired_mech, cred_usage, handle); + desired_mechs, cred_usage, + cred_store, handle); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); krb5_free_principal(context, handle->principal); @@ -602,7 +636,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext } if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { ret = acquire_acceptor_cred(minor_status, context, time_req, - desired_mech, cred_usage, handle); + desired_mechs, cred_usage, + cred_store, handle); if (ret != GSS_S_COMPLETE) { HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); krb5_free_principal(context, handle->principal); @@ -615,6 +650,10 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext if (ret == GSS_S_COMPLETE) ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, &handle->mechanisms); + handle->usage = cred_usage; + if (ret == GSS_S_COMPLETE) + ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle, + NULL, time_rec, NULL, actual_mechs); if (ret != GSS_S_COMPLETE) { if (handle->mechanisms != NULL) gss_release_oid_set(NULL, &handle->mechanisms); @@ -623,7 +662,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext free(handle); return (ret); } - handle->usage = cred_usage; *minor_status = 0; *output_cred_handle = (gss_cred_id_t)handle; return (GSS_S_COMPLETE); diff --git a/lib/gssapi/krb5/add_cred.c b/lib/gssapi/krb5/add_cred.c index 42f6b4818..8ec316948 100644 --- a/lib/gssapi/krb5/add_cred.c +++ b/lib/gssapi/krb5/add_cred.c 
@@ -33,14 +33,15 @@ #include "gsskrb5_locl.h" -OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( +OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred_from ( OM_uint32 *minor_status, - gss_const_cred_id_t input_cred_handle, + gss_cred_id_t input_cred_handle, gss_const_name_t desired_name, const gss_OID desired_mech, gss_cred_usage_t cred_usage, OM_uint32 initiator_time_req, OM_uint32 acceptor_time_req, + gss_const_key_value_set_t cred_store, gss_cred_id_t *output_cred_handle, gss_OID_set *actual_mechs, OM_uint32 *initiator_time_rec, @@ -75,13 +76,14 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred ( heim_assert(output_cred_handle != NULL, "internal error in _gsskrb5_add_cred()"); - major = _gsskrb5_acquire_cred(minor_status, desired_name, - min(initiator_time_req, - acceptor_time_req), - GSS_C_NO_OID_SET, - cred_usage, - output_cred_handle, - actual_mechs, &lifetime); + major = _gsskrb5_acquire_cred_from(minor_status, desired_name, + min(initiator_time_req, + acceptor_time_req), + GSS_C_NO_OID_SET, + cred_usage, + cred_store, + output_cred_handle, + actual_mechs, &lifetime); if (major != GSS_S_COMPLETE) goto failure; diff --git a/lib/gssapi/krb5/duplicate_cred.c b/lib/gssapi/krb5/duplicate_cred.c index d7819ef32..8d07c51b8 100644 --- a/lib/gssapi/krb5/duplicate_cred.c +++ b/lib/gssapi/krb5/duplicate_cred.c @@ -53,12 +53,13 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_duplicate_cred ( if (input_cred_handle == GSS_C_NO_CREDENTIAL) { /* Duplicate the default credential */ - return _gsskrb5_acquire_cred(minor_status, GSS_C_NO_NAME, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - GSS_C_BOTH, - output_cred_handle, - NULL, NULL); + return _gsskrb5_acquire_cred_from(minor_status, GSS_C_NO_NAME, + GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, + GSS_C_BOTH, + GSS_C_NO_CRED_STORE, + output_cred_handle, + NULL, NULL); } /* Duplicate the input credential */ diff --git a/lib/gssapi/krb5/external.c b/lib/gssapi/krb5/external.c index bc57da288..2b97f06d5 100644 --- a/lib/gssapi/krb5/external.c 
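Review bot: The `heim_assert` message in `_gsskrb5_add_cred_from` still reads `"internal error in _gsskrb5_add_cred()"`, which will point at a function that no longer exists when it fires; update it to `"internal error in _gsskrb5_add_cred_from()"`. `input_cred_handle` also loses its `const` qualifier compared with the old `_gsskrb5_add_cred`; if that is purely for MIT prototype compatibility, a brief comment on the parameter would stop someone restoring it later. The function continues outside the hunk.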
+++ b/lib/gssapi/krb5/external.c @@ -339,7 +339,7 @@ static gssapi_mech_interface_desc krb5_mech = { "kerberos 5", {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }, 0, - _gsskrb5_acquire_cred, + NULL, /* gm_acquire_cred */ _gsskrb5_release_cred, _gsskrb5_init_sec_context, _gsskrb5_accept_sec_context, @@ -360,7 +360,7 @@ static gssapi_mech_interface_desc krb5_mech = { _gsskrb5_inquire_cred, _gsskrb5_inquire_context, _gsskrb5_wrap_size_limit, - _gsskrb5_add_cred, + NULL, /* gm_add_cred */ _gsskrb5_inquire_cred_by_mech, _gsskrb5_export_sec_context, _gsskrb5_import_sec_context, @@ -376,10 +376,10 @@ static gssapi_mech_interface_desc krb5_mech = { _gk_wrap_iov, _gk_unwrap_iov, _gk_wrap_iov_length, - _gsskrb5_store_cred, + NULL, /* gm_store_cred */ _gsskrb5_export_cred, _gsskrb5_import_cred, - _gsskrb5_acquire_cred_ext, + _gsskrb5_acquire_cred_from, NULL, NULL, NULL, @@ -397,6 +397,8 @@ static gssapi_mech_interface_desc krb5_mech = { NULL, /* gm_delete_name_attribute */ NULL, /* gm_export_name_composite */ _gsskrb5_duplicate_cred, + _gsskrb5_add_cred_from, + _gsskrb5_store_cred_into, NULL /* gm_compat */ }; diff --git a/lib/gssapi/krb5/gkrb5_err.et b/lib/gssapi/krb5/gkrb5_err.et index 3c23412a6..109876ef9 100644 --- a/lib/gssapi/krb5/gkrb5_err.et +++ b/lib/gssapi/krb5/gkrb5_err.et @@ -17,6 +17,8 @@ error_code G_BAD_MSG_CTX, "Message context invalid" error_code G_WRONG_SIZE, "Buffer is the wrong size" error_code G_BAD_USAGE, "Credential usage type is unknown" error_code G_UNKNOWN_QOP, "Unknown quality of protection specified" +error_code G_UNKNOWN_CRED_STORE_ELEMENT, "Credential store contained unknown elements" +error_code G_BAD_PASSWORD_CRED_STORE, "Credential store cannot contain both a password and a credentials cache or client keytab" index 128 diff --git a/lib/gssapi/krb5/inquire_cred.c b/lib/gssapi/krb5/inquire_cred.c index 1770fec76..b7b67f783 100644 --- a/lib/gssapi/krb5/inquire_cred.c +++ b/lib/gssapi/krb5/inquire_cred.c 
@@ -80,14 +80,15 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred * function. */ /* Get the info for the default ACCEPT credential */ - aret = _gsskrb5_acquire_cred(&aminor, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - GSS_C_ACCEPT, - &aqcred_accept, - NULL, - NULL); + aret = _gsskrb5_acquire_cred_from(&aminor, + GSS_C_NO_NAME, + GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, + GSS_C_ACCEPT, + GSS_C_NO_CRED_STORE, + &aqcred_accept, + NULL, + NULL); if (aret == GSS_S_COMPLETE) { aret = _gsskrb5_inquire_cred(&aminor, aqcred_accept, @@ -116,14 +117,15 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred } /* Get the info for the default INITIATE credential */ - ret = _gsskrb5_acquire_cred(minor_status, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - GSS_C_INITIATE, - &aqcred_init, - NULL, - NULL); + ret = _gsskrb5_acquire_cred_from(minor_status, + GSS_C_NO_NAME, + GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, + GSS_C_INITIATE, + GSS_C_NO_CRED_STORE, + &aqcred_init, + NULL, + NULL); if (ret == GSS_S_COMPLETE) { ret = _gsskrb5_inquire_cred(minor_status, aqcred_init, diff --git a/lib/gssapi/krb5/store_cred.c b/lib/gssapi/krb5/store_cred.c index 40b75771d..8e80730b1 100644 --- a/lib/gssapi/krb5/store_cred.c +++ b/lib/gssapi/krb5/store_cred.c 
@@ -34,23 +34,25 @@ #include "gsskrb5_locl.h" OM_uint32 GSSAPI_CALLCONV -_gsskrb5_store_cred(OM_uint32 *minor_status, - gss_cred_id_t input_cred_handle, - gss_cred_usage_t cred_usage, - const gss_OID desired_mech, - OM_uint32 overwrite_cred, - OM_uint32 default_cred, - gss_OID_set *elements_stored, - gss_cred_usage_t *cred_usage_stored) +_gsskrb5_store_cred_into(OM_uint32 *minor_status, + gss_const_cred_id_t input_cred_handle, + gss_cred_usage_t cred_usage, + const gss_OID desired_mech, + OM_uint32 overwrite_cred, + OM_uint32 default_cred, + gss_const_key_value_set_t cred_store, + gss_OID_set *elements_stored, + gss_cred_usage_t *cred_usage_stored) { krb5_context context; krb5_error_code ret; gsskrb5_cred cred; krb5_ccache id = NULL; - krb5_ccache def_ccache = NULL; const char *def_type = NULL; time_t exp_current; time_t exp_new; + const char *cs_ccache_name = NULL; + OM_uint32 major_status; *minor_status = 0; 
@@ -89,38 +91,47 @@ _gsskrb5_store_cred(OM_uint32 *minor_status, return GSS_S_FAILURE; } - ret = krb5_cc_default(context, &def_ccache); - if (ret == 0) { - def_type = krb5_cc_get_type(context, def_ccache); - krb5_cc_close(context, def_ccache); + if (cred_store != GSS_C_NO_CRED_STORE) { + major_status = __gsskrb5_cred_store_find(minor_status, cred_store, + "ccache", &cs_ccache_name); + if (major_status == GSS_S_COMPLETE && cs_ccache_name == NULL) { + *minor_status = GSS_KRB5_S_G_UNKNOWN_CRED_STORE_ELEMENT; + major_status = GSS_S_NO_CRED; + } + if (GSS_ERROR(major_status)) { + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + return major_status; + } } - def_ccache = NULL; - /* write out cred to credential cache */ - ret = krb5_cc_cache_match(context, cred->principal, &id); - if (ret) { - if (default_cred) { - ret = krb5_cc_default(context, &id); - if (ret) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = ret; - return GSS_S_FAILURE; - } - } else { - if (def_type == NULL || - !krb5_cc_support_switch(context, def_type)) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = 0; /* XXX */ - return GSS_S_NO_CRED; /* XXX */ - } - ret = krb5_cc_new_unique(context, def_type, NULL, &id); - if (ret) { - HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); - *minor_status = ret; - return GSS_S_FAILURE; - } - overwrite_cred = 1; - } + if (cs_ccache_name) + ret = krb5_cc_resolve(context, cs_ccache_name, &id); + else { + krb5_ccache def_ccache = NULL; + + if (krb5_cc_default(context, &def_ccache) == 0) { + def_type = krb5_cc_get_type(context, def_ccache); + krb5_cc_close(context, def_ccache); + } + + /* write out cred to credential cache */ + ret = krb5_cc_cache_match(context, cred->principal, &id); + if (ret) { + if (default_cred) + ret = krb5_cc_default(context, &id); + else if (def_type && + krb5_cc_support_switch(context, def_type)) { + ret = krb5_cc_new_unique(context, def_type, NULL, &id); + overwrite_cred = 1; + } else + ret = 0; /* == GSS_C_NO_CRED */ + } + 
} + + if (ret || id == NULL) { + HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex); + *minor_status = ret; + return ret == 0 ? GSS_S_NO_CRED : GSS_S_FAILURE; } if (!overwrite_cred) { diff --git a/lib/gssapi/libgssapi-exports.def b/lib/gssapi/libgssapi-exports.def index b8e4dce41..02da963b0 100644 --- a/lib/gssapi/libgssapi-exports.def +++ b/lib/gssapi/libgssapi-exports.def @@ -9,13 +9,13 @@ EXPORTS __gss_krb5_nt_principal_name_oid_desc DATA __gss_c_attr_stream_sizes_oid_desc DATA __gss_c_attr_local_login_user DATA - __gss_c_cred_certificate_oid_desc DATA - __gss_c_cred_password_oid_desc DATA gss_accept_sec_context gss_acquire_cred + gss_acquire_cred_from gss_acquire_cred_with_password gss_add_buffer_set_member gss_add_cred + gss_add_cred_from gss_add_cred_with_password gss_add_oid_set_member gss_authorize_localname @@ -91,6 +91,7 @@ EXPORTS gss_set_sec_context_option gss_sign gss_store_cred + gss_store_cred_into gss_test_oid_set_member gss_unseal gss_unwrap diff --git a/lib/gssapi/mech/cred.h b/lib/gssapi/mech/cred.h index 5661b5323..8dda8c668 100644 --- a/lib/gssapi/mech/cred.h +++ b/lib/gssapi/mech/cred.h 
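Review bot: The "ccache" value pulled from the caller-supplied cred store is passed straight to `krb5_cc_resolve`, so whoever builds the store decides where the credentials get written; that is the intent of this API, but nothing in the function records it, and a comment above the resolve such as `/* "ccache" comes from the caller's cred store; callers relaying key/value pairs from an untrusted source must validate them first */` would make the trust boundary explicit. Separately, a store that is present but has no "ccache" element is rejected with GSS_S_NO_CRED and minor GSS_KRB5_S_G_UNKNOWN_CRED_STORE_ELEMENT, which reads as "unknown element" for what is really a missing one; if the intent is to match the MIT extension, where I believe an omitted element falls back to the default, the `cs_ccache_name == NULL` case should fall through to the default-ccache branch rather than error out. _gsskrb5_store_cred_into starts in the previous hunk and continues past this one.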
@@ -39,19 +39,18 @@ struct _gss_cred { struct _gss_mechanism_cred_list gc_mc; }; -struct _gss_mechanism_cred * -_gss_copy_cred(struct _gss_mechanism_cred *mc); - struct _gss_mechanism_name; OM_uint32 -_gss_acquire_mech_cred(OM_uint32 *minor_status, - gssapi_mech_interface m, - const struct _gss_mechanism_name *mn, - gss_const_OID credential_type, - const void *credential_data, - OM_uint32 time_req, - gss_const_OID desired_mech, - gss_cred_usage_t cred_usage, - struct _gss_mechanism_cred **output_cred_handle); +_gss_mg_add_mech_cred(OM_uint32 *minor_status, + gssapi_mech_interface m, + const struct _gss_mechanism_cred *mc, + const struct _gss_mechanism_name *mn, + gss_cred_usage_t cred_usage, + OM_uint32 initiator_time_req, + OM_uint32 acceptor_time_req, + gss_const_key_value_set_t cred_store, + struct _gss_mechanism_cred **output_cred_handle, + OM_uint32 *initiator_time_rec, + OM_uint32 *acceptor_time_rec); diff --git a/lib/gssapi/mech/gss_acquire_cred.c b/lib/gssapi/mech/gss_acquire_cred.c index 095f9056c..fd92a25c7 100644 --- a/lib/gssapi/mech/gss_acquire_cred.c +++ b/lib/gssapi/mech/gss_acquire_cred.c 
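Review bot: The new `_gss_mg_add_mech_cred` declaration gives no hint that `mc` and `output_cred_handle` are optional and select between two modes: with `output_cred_handle` NULL the mechanism is asked to update the credential behind `mc` (presumably in place, as mechanism-defined), with it non-NULL a fresh `struct _gss_mechanism_cred` is allocated and handed to the caller, who then owns it and inserts it into the credential list. A short comment on the prototype stating those two modes and the ownership of `*output_cred_handle` on success would spare the next caller a trip into gss_add_cred_from.c, where this is only visible from the implementation.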
@@ -38,131 +38,13 @@ gss_acquire_cred(OM_uint32 *minor_status, gss_OID_set *actual_mechs, OM_uint32 *time_rec) { - OM_uint32 major_status; - gss_OID_set mechs = desired_mechs; - gss_OID_set_desc set; - struct _gss_name *name = (struct _gss_name *) desired_name; - gssapi_mech_interface m; - struct _gss_cred *cred; - struct _gss_mechanism_cred *mc; - OM_uint32 min_time, cred_time; - size_t i; - - *minor_status = 0; - if (output_cred_handle == NULL) - return GSS_S_CALL_INACCESSIBLE_READ; - if (actual_mechs) - *actual_mechs = GSS_C_NO_OID_SET; - if (time_rec) - *time_rec = 0; - - _gss_load_mech(); - - /* - * First make sure that at least one of the requested - * mechanisms is one that we support. - */ - if (mechs) { - for (i = 0; i < mechs->count; i++) { - int t; - gss_test_oid_set_member(minor_status, - &mechs->elements[i], _gss_mech_oids, &t); - if (t) - break; - } - if (i == mechs->count) { - *minor_status = 0; - return (GSS_S_BAD_MECH); - } - } - - if (actual_mechs) { - major_status = gss_create_empty_oid_set(minor_status, - actual_mechs); - if (major_status) - return (major_status); - } - - cred = malloc(sizeof(struct _gss_cred)); - if (!cred) { - if (actual_mechs) - gss_release_oid_set(minor_status, actual_mechs); - *minor_status = ENOMEM; - return (GSS_S_FAILURE); - } - HEIM_SLIST_INIT(&cred->gc_mc); - - if (mechs == GSS_C_NO_OID_SET) - mechs = _gss_mech_oids; - - set.count = 1; - min_time = GSS_C_INDEFINITE; - for (i = 0; i < mechs->count; i++) { - struct _gss_mechanism_name *mn = NULL; - - m = __gss_get_mechanism(&mechs->elements[i]); - if (!m) - continue; - - if (desired_name != GSS_C_NO_NAME) { - major_status = _gss_find_mn(minor_status, name, - &mechs->elements[i], &mn); - if (major_status != GSS_S_COMPLETE) - continue; - } - - mc = malloc(sizeof(struct _gss_mechanism_cred)); - if (!mc) { - continue; - } - mc->gmc_mech = m; - mc->gmc_mech_oid = &m->gm_mech_oid; - - /* - * XXX Probably need to do something with actual_mechs. 
- */ - set.elements = &mechs->elements[i]; - major_status = m->gm_acquire_cred(minor_status, - (desired_name != GSS_C_NO_NAME - ? mn->gmn_name : GSS_C_NO_NAME), - time_req, &set, cred_usage, - &mc->gmc_cred, NULL, &cred_time); - if (major_status) { - free(mc); - continue; - } - if (cred_time < min_time) - min_time = cred_time; - - if (actual_mechs) { - major_status = gss_add_oid_set_member(minor_status, - mc->gmc_mech_oid, actual_mechs); - if (major_status) { - m->gm_release_cred(minor_status, - &mc->gmc_cred); - free(mc); - continue; - } - } - - HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link); - } - - /* - * If we didn't manage to create a single credential, return - * an error. - */ - if (!HEIM_SLIST_FIRST(&cred->gc_mc)) { - free(cred); - if (actual_mechs) - gss_release_oid_set(minor_status, actual_mechs); - *minor_status = 0; - return (GSS_S_NO_CRED); - } - - if (time_rec) - *time_rec = min_time; - *output_cred_handle = (gss_cred_id_t) cred; - *minor_status = 0; - return (GSS_S_COMPLETE); + return gss_acquire_cred_from(minor_status, + desired_name, + time_req, + desired_mechs, + cred_usage, + GSS_C_NO_CRED_STORE, + output_cred_handle, + actual_mechs, + time_rec); } diff --git a/lib/gssapi/mech/gss_acquire_cred_ext.c b/lib/gssapi/mech/gss_acquire_cred_ext.c deleted file mode 100644 index 9f2674c26..000000000 --- a/lib/gssapi/mech/gss_acquire_cred_ext.c +++ /dev/null 
@@ -1,203 +0,0 @@ -/*- - * Copyright (c) 2005 Doug Rabson - * All rights reserved. - * - * Portions Copyright (c) 2011 PADL Software Pty Ltd. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD: src/lib/libgssapi/gss_acquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ - */ - -#include "mech_locl.h" - -OM_uint32 -_gss_acquire_mech_cred(OM_uint32 *minor_status, - gssapi_mech_interface m, - const struct _gss_mechanism_name *mn, - gss_const_OID credential_type, - const void *credential_data, - OM_uint32 time_req, - gss_const_OID desired_mech, - gss_cred_usage_t cred_usage, - struct _gss_mechanism_cred **output_cred_handle) -{ - OM_uint32 major_status; - struct _gss_mechanism_cred *mc; - gss_OID_set_desc set2; - - *output_cred_handle = NULL; - - mc = calloc(1, sizeof(struct _gss_mechanism_cred)); - if (mc == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - mc->gmc_mech = m; - mc->gmc_mech_oid = &m->gm_mech_oid; - - set2.count = 1; - set2.elements = mc->gmc_mech_oid; - - if (m->gm_acquire_cred_ext) { - major_status = m->gm_acquire_cred_ext(minor_status, - mn->gmn_name, - credential_type, - credential_data, - time_req, - mc->gmc_mech_oid, - cred_usage, - &mc->gmc_cred); - } else if (gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD) && - m->gm_compat && - m->gm_compat->gmc_acquire_cred_with_password) { - /* - * Shim for mechanisms that adhere to API-as-SPI and do not - * implement gss_acquire_cred_ext(). - */ - - major_status = m->gm_compat->gmc_acquire_cred_with_password(minor_status, - mn->gmn_name, - (const gss_buffer_t)credential_data, - time_req, - &set2, - cred_usage, - &mc->gmc_cred, - NULL, - NULL); - } else if (credential_type == GSS_C_NO_OID) { - major_status = m->gm_acquire_cred(minor_status, - mn->gmn_name, - time_req, - &set2, - cred_usage, - &mc->gmc_cred, - NULL, - NULL); - } else { - major_status = GSS_S_UNAVAILABLE; - free(mc); - mc= NULL; - } - - if (major_status != GSS_S_COMPLETE) - free(mc); - else - *output_cred_handle = mc; - return major_status; -} - -/** - * This function is not a public interface and is deprecated anyways, do - * not use. Use gss_acquire_cred_with_password() instead for now. 
- * - * @deprecated - */ -OM_uint32 -_gss_acquire_cred_ext(OM_uint32 *minor_status, - gss_const_name_t desired_name, - gss_const_OID credential_type, - const void *credential_data, - OM_uint32 time_req, - gss_const_OID desired_mech, - gss_cred_usage_t cred_usage, - gss_cred_id_t *output_cred_handle) -{ - OM_uint32 major_status; - struct _gss_name *name = (struct _gss_name *) desired_name; - gssapi_mech_interface m; - struct _gss_cred *cred; - gss_OID_set_desc set, *mechs; - size_t i; - - *minor_status = 0; - if (output_cred_handle == NULL) - return GSS_S_CALL_INACCESSIBLE_READ; - - _gss_load_mech(); - - if (desired_mech != GSS_C_NO_OID) { - int match = 0; - - gss_test_oid_set_member(minor_status, (gss_OID)desired_mech, - _gss_mech_oids, &match); - if (!match) - return GSS_S_BAD_MECH; - - set.count = 1; - set.elements = (gss_OID)desired_mech; - mechs = &set; - } else - mechs = _gss_mech_oids; - - cred = calloc(1, sizeof(*cred)); - if (cred == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - - HEIM_SLIST_INIT(&cred->gc_mc); - - for (i = 0; i < mechs->count; i++) { - struct _gss_mechanism_name *mn = NULL; - struct _gss_mechanism_cred *mc = NULL; - - m = __gss_get_mechanism(&mechs->elements[i]); - if (!m) - continue; - - if (desired_name != GSS_C_NO_NAME) { - major_status = _gss_find_mn(minor_status, name, - &mechs->elements[i], &mn); - if (major_status != GSS_S_COMPLETE) - continue; - } - - major_status = _gss_acquire_mech_cred(minor_status, m, mn, - credential_type, credential_data, - time_req, desired_mech, cred_usage, - &mc); - if (GSS_ERROR(major_status)) { - if (mechs->count == 1) - _gss_mg_error(m, major_status, *minor_status); - continue; - } - - HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link); - } - - /* - * If we didn't manage to create a single credential, return - * an error. 
- */ - if (!HEIM_SLIST_FIRST(&cred->gc_mc)) { - free(cred); - if (mechs->count > 1) - *minor_status = 0; - return GSS_S_NO_CRED; - } - - *output_cred_handle = (gss_cred_id_t) cred; - *minor_status = 0; - return GSS_S_COMPLETE; -} diff --git a/lib/gssapi/mech/gss_acquire_cred_from.c b/lib/gssapi/mech/gss_acquire_cred_from.c new file mode 100644 index 000000000..0c8b7871f --- /dev/null +++ b/lib/gssapi/mech/gss_acquire_cred_from.c 
@@ -0,0 +1,265 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * All rights reserved. + * + * Portions Copyright (c) 2011, 2018 PADL Software Pty Ltd. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD: src/lib/libgssapi/gss_acquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" + +/* + * Shim for gss_acquire_cred_with_password() + */ +static const char * +find_password_in_cred_store(gss_const_key_value_set_t cred_store) +{ + size_t i; + + if (cred_store == GSS_C_NO_CRED_STORE) + return NULL; + + for (i = 0; i < cred_store->count; i++) { + if (strcmp(cred_store->elements[i].key, "password") == 0) + return cred_store->elements[i].value; + } + + return NULL; +} + +static OM_uint32 +acquire_mech_cred(OM_uint32 *minor_status, + gssapi_mech_interface m, + const struct _gss_mechanism_name *mn, + OM_uint32 time_req, + gss_cred_usage_t cred_usage, + gss_const_key_value_set_t cred_store, + struct _gss_mechanism_cred **out, + OM_uint32 *time_rec) +{ + OM_uint32 major_status; + struct _gss_mechanism_cred *mc; + gss_OID_set_desc mech; + const char *spassword; + + *out = NULL; + if (time_rec) + *time_rec = 0; + + mc = calloc(1, sizeof(struct _gss_mechanism_cred)); + if (mc == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + mc->gmc_mech = m; + mc->gmc_mech_oid = &m->gm_mech_oid; + + mech.count = 1; + mech.elements = mc->gmc_mech_oid; + + if (m->gm_acquire_cred_from) { + major_status = m->gm_acquire_cred_from(minor_status, + mn ? mn->gmn_name : GSS_C_NO_NAME, + time_req, + &mech, + cred_usage, + cred_store, + &mc->gmc_cred, + NULL, + time_rec); + } else if (cred_store == GSS_C_NO_CRED_STORE && m->gm_acquire_cred) { + major_status = m->gm_acquire_cred(minor_status, + mn ? 
mn->gmn_name : GSS_C_NO_NAME, + time_req, + &mech, + cred_usage, + &mc->gmc_cred, + NULL, + time_rec); + } else if (m->gm_compat && + m->gm_compat->gmc_acquire_cred_with_password && + (spassword = find_password_in_cred_store(cred_store)) != NULL) { + gss_buffer_desc password; + + password.length = strlen(spassword); + password.value = rk_UNCONST(spassword); + + /* compat glue for loadable mechanisms that implement API-as-SPI */ + major_status = m->gm_compat->gmc_acquire_cred_with_password(minor_status, + mn ? mn->gmn_name : GSS_C_NO_NAME, + &password, + time_req, + &mech, + cred_usage, + &mc->gmc_cred, + NULL, + time_rec); + } else + major_status = GSS_S_UNAVAILABLE; + + heim_assert(major_status == GSS_S_COMPLETE || mc->gmc_cred == NULL, + "gss_acquire_cred_from: mech succeeded but did not return a credential"); + + if (major_status == GSS_S_COMPLETE) + *out = mc; + else + free(mc); + + return major_status; +} + +OM_uint32 +gss_acquire_cred_from(OM_uint32 *minor_status, + gss_const_name_t desired_name, + OM_uint32 time_req, + const gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_const_key_value_set_t cred_store, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec) +{ + OM_uint32 major_status, minor; + struct _gss_name *name = (struct _gss_name *)desired_name; + gssapi_mech_interface m; + struct _gss_cred *cred = NULL; + size_t i; + OM_uint32 min_time = GSS_C_INDEFINITE; + gss_OID_set mechs; + + *minor_status = 0; + if (output_cred_handle == NULL) + return GSS_S_CALL_INACCESSIBLE_READ; + *output_cred_handle = GSS_C_NO_CREDENTIAL; + if (actual_mechs) + *actual_mechs = GSS_C_NO_OID_SET; + if (time_rec) + *time_rec = 0; + + _gss_load_mech(); + + if (desired_mechs) { + int match = 0; + + for (i = 0; i < desired_mechs->count; i++) { + gss_test_oid_set_member(minor_status, &desired_mechs->elements[i], + _gss_mech_oids, &match); + if (match) + break; + } + if (!match) { + *minor_status = 0; + major_status = 
GSS_S_BAD_MECH; + goto cleanup; + } + mechs = desired_mechs; + } else + mechs = _gss_mech_oids; + + cred = calloc(1, sizeof(*cred)); + if (cred == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + HEIM_SLIST_INIT(&cred->gc_mc); + + if (actual_mechs) { + major_status = gss_create_empty_oid_set(minor_status, actual_mechs); + if (GSS_ERROR(major_status)) + goto cleanup; + } + + major_status = GSS_S_UNAVAILABLE; /* in case of no mechs */ + + for (i = 0; i < mechs->count; i++) { + struct _gss_mechanism_name *mn = NULL; + struct _gss_mechanism_cred *mc = NULL; + OM_uint32 cred_time; + + m = __gss_get_mechanism(&mechs->elements[i]); + if (m == NULL) + continue; + + if (desired_name != GSS_C_NO_NAME) { + major_status = _gss_find_mn(minor_status, name, + &mechs->elements[i], &mn); + if (major_status != GSS_S_COMPLETE) + continue; + } + + major_status = acquire_mech_cred(minor_status, m, mn, + time_req, cred_usage, + cred_store, &mc, &cred_time); + if (major_status != GSS_S_COMPLETE) { + if (mechs->count == 1) + _gss_mg_error(m, major_status, *minor_status); + continue; + } + + HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link); + + if (cred_time < min_time) + min_time = cred_time; + if (actual_mechs != NULL) { + major_status = gss_add_oid_set_member(minor_status, + mc->gmc_mech_oid, + actual_mechs); + if (GSS_ERROR(major_status)) + goto cleanup; + } + } + + /* + * If we didn't manage to create a single credential, return + * an error. 
+ */ + if (!HEIM_SLIST_FIRST(&cred->gc_mc)) { + if (mechs->count > 1) { + *minor_status = 0; + major_status = GSS_S_NO_CRED; + } + heim_assert(major_status != GSS_S_COMPLETE, + "lack of credentials must result in an error"); + goto cleanup; + } + + *minor_status = 0; + major_status = GSS_S_COMPLETE; + + *output_cred_handle = (gss_cred_id_t)cred; + if (time_rec) + *time_rec = min_time; + +cleanup: + if (major_status != GSS_S_COMPLETE) { + gss_release_cred(&minor, (gss_cred_id_t *)&cred); + if (actual_mechs) + gss_release_oid_set(&minor, actual_mechs); + } + + return major_status; +} diff --git a/lib/gssapi/mech/gss_acquire_cred_with_password.c b/lib/gssapi/mech/gss_acquire_cred_with_password.c index 2f41f8906..4e6138b48 100644 --- a/lib/gssapi/mech/gss_acquire_cred_with_password.c +++ b/lib/gssapi/mech/gss_acquire_cred_with_password.c 
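Review bot: The heim_assert in acquire_mech_cred has its message inverted relative to its condition: `major_status == GSS_S_COMPLETE || mc->gmc_cred == NULL` fails when the mechanism reported an error yet left a credential behind, so the text should be `"gss_acquire_cred_from: mech failed but returned a credential"`; and since the failure path then does `free(mc)` without releasing `gmc_cred`, consider releasing it through `m->gm_release_cred` before the free instead of only asserting. find_password_in_cred_store returns the store value as a `const char *` and the compat branch sizes the buffer with `strlen(spassword)`, so a password containing a NUL byte is silently truncated at that point; a one-line comment on the function noting that store values are NUL-terminated strings and that this is where the password buffer is rebuilt would document the limitation. In gss_acquire_cred_from the return value of `gss_test_oid_set_member` is ignored, so a failing call leaves `match` at its previous value; checking it, or resetting `match = 0` per iteration, would make the GSS_S_BAD_MECH decision deterministic.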
@@ -43,77 +43,43 @@ gss_acquire_cred_with_password(OM_uint32 *minor_status, gss_OID_set *actual_mechs, OM_uint32 *time_rec) { - OM_uint32 major_status, tmp_minor; + OM_uint32 major_status; + gss_key_value_element_desc kv; + gss_key_value_set_desc store; + char *spassword = NULL; - if (desired_mechs == GSS_C_NO_OID_SET) { - major_status = _gss_acquire_cred_ext(minor_status, - desired_name, - GSS_C_CRED_PASSWORD, - password, - time_req, - GSS_C_NO_OID, - cred_usage, - output_cred_handle); - if (GSS_ERROR(major_status)) - return major_status; - } else { - size_t i; - struct _gss_cred *new_cred; + *output_cred_handle = GSS_C_NO_CREDENTIAL; - new_cred = calloc(1, sizeof(*new_cred)); - if (new_cred == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } - HEIM_SLIST_INIT(&new_cred->gc_mc); + if (password == GSS_C_NO_BUFFER || password->value == NULL) + return GSS_S_CALL_INACCESSIBLE_READ; - for (i = 0; i < desired_mechs->count; i++) { - struct _gss_cred *tmp_cred = NULL; - struct _gss_mechanism_cred *mc; + spassword = malloc(password->length + 1); + if (spassword == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + memcpy(spassword, password->value, password->length); + spassword[password->length] = '\0'; - major_status = _gss_acquire_cred_ext(minor_status, - desired_name, - GSS_C_CRED_PASSWORD, - password, - time_req, - &desired_mechs->elements[i], - cred_usage, - (gss_cred_id_t *)&tmp_cred); - if (GSS_ERROR(major_status)) - continue; + kv.key = "password"; + kv.value = spassword; - mc = HEIM_SLIST_FIRST(&tmp_cred->gc_mc); - if (mc) { - HEIM_SLIST_REMOVE_HEAD(&tmp_cred->gc_mc, gmc_link); - HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link); - } + store.count = 1; + store.elements = &kv; - gss_release_cred(&tmp_minor, (gss_cred_id_t *)&tmp_cred); - } - - if (!HEIM_SLIST_FIRST(&new_cred->gc_mc)) { - free(new_cred); - if (desired_mechs->count > 1) - *minor_status = 0; - return GSS_S_NO_CRED; - } - - *output_cred_handle = (gss_cred_id_t)new_cred; 
+ major_status = gss_acquire_cred_from(minor_status, + desired_name, + time_req, + desired_mechs, + cred_usage, + &store, + output_cred_handle, + actual_mechs, + time_rec); + if (spassword) { + memset_s(spassword, password->length, 0, password->length); + free(spassword); } - if (actual_mechs != NULL || time_rec != NULL) { - major_status = gss_inquire_cred(minor_status, - *output_cred_handle, - NULL, - time_rec, - NULL, - actual_mechs); - if (GSS_ERROR(major_status)) { - gss_release_cred(&tmp_minor, output_cred_handle); - return major_status; - } - } - - *minor_status = 0; - return GSS_S_COMPLETE; + return major_status; } diff --git a/lib/gssapi/mech/gss_add_cred.c b/lib/gssapi/mech/gss_add_cred.c index 8cbe7bb69..6d44f5c2d 100644 --- a/lib/gssapi/mech/gss_add_cred.c +++ b/lib/gssapi/mech/gss_add_cred.c 
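Review bot: `*output_cred_handle = GSS_C_NO_CREDENTIAL;` is executed before anything checks that output_cred_handle is non-NULL, so a caller passing NULL now faults here instead of receiving the GSS_S_CALL_INACCESSIBLE_READ that gss_acquire_cred_from would return; drop that store (gss_acquire_cred_from already initialises the handle) or guard it with `if (output_cred_handle)`. The missing-password early return also leaves `*minor_status` untouched, so `*minor_status = 0;` belongs before `return GSS_S_CALL_INACCESSIBLE_READ;`. The `if (spassword)` guard around the memset_s/free is dead, as spassword is non-NULL on every path that reaches it; wiping the plaintext copy before freeing it is the right call and could stand without the condition. gss_acquire_cred_with_password's signature is outside the hunk.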
@@ -30,49 +30,6 @@ #include "mech_locl.h" -struct _gss_mechanism_cred * -_gss_copy_cred(struct _gss_mechanism_cred *mc) -{ - struct _gss_mechanism_cred *new_mc; - gssapi_mech_interface m = mc->gmc_mech; - OM_uint32 major_status, minor_status; - gss_name_t name; - gss_cred_id_t cred; - OM_uint32 initiator_lifetime, acceptor_lifetime; - gss_cred_usage_t cred_usage; - - major_status = m->gm_inquire_cred_by_mech(&minor_status, mc->gmc_cred, - mc->gmc_mech_oid, &name, - &initiator_lifetime, - &acceptor_lifetime, &cred_usage); - if (major_status) { - _gss_mg_error(m, major_status, minor_status); - return 0; - } - - major_status = m->gm_add_cred(&minor_status, - GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid, - cred_usage, initiator_lifetime, acceptor_lifetime, - &cred, 0, 0, 0); - m->gm_release_name(&minor_status, &name); - - if (major_status) { - _gss_mg_error(m, major_status, minor_status); - return 0; - } - - new_mc = malloc(sizeof(struct _gss_mechanism_cred)); - if (!new_mc) { - m->gm_release_cred(&minor_status, &cred); - return 0; - } - new_mc->gmc_mech = m; - new_mc->gmc_mech_oid = &m->gm_mech_oid; - new_mc->gmc_cred = cred; - - return new_mc; -} - GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_cred(OM_uint32 *minor_status, gss_const_cred_id_t input_cred_handle, 
@@ -86,122 +43,16 @@ gss_add_cred(OM_uint32 *minor_status, OM_uint32 *initiator_time_rec, OM_uint32 *acceptor_time_rec) { - OM_uint32 major_status; - gssapi_mech_interface m; - gss_cred_id_t release_cred = GSS_C_NO_CREDENTIAL; - struct _gss_cred *mut_cred; - struct _gss_mechanism_cred *mc; - struct _gss_mechanism_cred *new_mc = NULL; - struct _gss_mechanism_name *mn = NULL; - OM_uint32 junk; - - *minor_status = 0; - - /* Input validation */ - if (output_cred_handle) - *output_cred_handle = GSS_C_NO_CREDENTIAL; - if (initiator_time_rec) - *initiator_time_rec = 0; - if (acceptor_time_rec) - *acceptor_time_rec = 0; - if (actual_mechs) - *actual_mechs = GSS_C_NO_OID_SET; - if ((m = __gss_get_mechanism(desired_mech)) == NULL) - return GSS_S_BAD_MECH; - if (input_cred_handle == GSS_C_NO_CREDENTIAL && - output_cred_handle == NULL) { - return GSS_S_CALL_INACCESSIBLE_WRITE; - } - - /* Setup mut_cred to be the credential we mutate */ - if (input_cred_handle != GSS_C_NO_CREDENTIAL && - output_cred_handle != NULL) { - gss_cred_id_t new_cred; - - /* Duplicate the input credential */ - major_status = gss_duplicate_cred(minor_status, input_cred_handle, - &new_cred); - if (major_status != GSS_S_COMPLETE) - return major_status; - mut_cred = (struct _gss_cred *)new_cred; - release_cred = (gss_cred_id_t)mut_cred; - } else if (input_cred_handle != GSS_C_NO_CREDENTIAL) { - /* Mutate the input credentials */ - mut_cred = rk_UNCONST(input_cred_handle); - } else { - if ((mut_cred = malloc(sizeof(*mut_cred))) == NULL) { - *minor_status = ENOMEM; - return GSS_S_UNAVAILABLE; - } - HEIM_SLIST_INIT(&mut_cred->gc_mc); - release_cred = (gss_cred_id_t)mut_cred; - } - - /* Find an MN, if any */ - if (desired_name) { - major_status = _gss_find_mn(minor_status, - (struct _gss_name *)desired_name, - desired_mech, &mn); - if (major_status != GSS_S_COMPLETE) - goto done; - } - - /* - * We go through all the mc attached to the input_cred_handle and check the - * mechanism. 
If it matches, we call gss_add_cred for that mechanism, - * otherwise we just add a new mc. - */ - HEIM_SLIST_FOREACH(mc, &mut_cred->gc_mc, gmc_link) { - if (!gss_oid_equal(mc->gmc_mech_oid, desired_mech)) - continue; - major_status = m->gm_add_cred(minor_status, - (gss_const_cred_id_t)mc, - mn ? mn->gmn_name : GSS_C_NO_NAME, - desired_mech, cred_usage, - initiator_time_req, acceptor_time_req, - NULL, NULL, initiator_time_rec, - acceptor_time_rec); - if (major_status != GSS_S_COMPLETE) - _gss_mg_error(m, major_status, *minor_status); - goto done; - } - - new_mc = malloc(sizeof(struct _gss_mechanism_cred)); - if (!new_mc) { - *minor_status = ENOMEM; - major_status = GSS_S_FAILURE; - goto done; - } - new_mc->gmc_mech = m; - new_mc->gmc_mech_oid = &m->gm_mech_oid; - - major_status = m->gm_add_cred(minor_status, - GSS_C_NO_CREDENTIAL, mn ? mn->gmn_name : GSS_C_NO_NAME, - desired_mech, cred_usage, initiator_time_req, acceptor_time_req, - &new_mc->gmc_cred, NULL, initiator_time_rec, acceptor_time_rec); - if (major_status != GSS_S_COMPLETE) { - _gss_mg_error(m, major_status, *minor_status); - goto done; - } - HEIM_SLIST_INSERT_HEAD(&mut_cred->gc_mc, new_mc, gmc_link); - new_mc = NULL; - -done: - /* Lastly, we have to inquire the cred to get the actual_mechs */ - if (major_status == GSS_S_COMPLETE && actual_mechs != NULL) { - major_status = gss_inquire_cred(minor_status, - (gss_const_cred_id_t)mut_cred, NULL, - NULL, NULL, actual_mechs); - if (major_status != GSS_S_COMPLETE) - _gss_mg_error(m, major_status, *minor_status); - } - if (major_status == GSS_S_COMPLETE) { - if (output_cred_handle != NULL) - *output_cred_handle = (gss_cred_id_t)mut_cred; - } else { - gss_release_cred(&junk, &release_cred); - } - free(new_mc); - return major_status; + return gss_add_cred_from(minor_status, + rk_UNCONST(input_cred_handle), + desired_name, + desired_mech, + cred_usage, + initiator_time_req, + acceptor_time_req, + GSS_C_NO_CRED_STORE, + output_cred_handle, + actual_mechs, + 
initiator_time_rec, + acceptor_time_rec); } - diff --git a/lib/gssapi/mech/gss_add_cred_from.c b/lib/gssapi/mech/gss_add_cred_from.c new file mode 100644 index 000000000..6569da1d6 --- /dev/null +++ b/lib/gssapi/mech/gss_add_cred_from.c 
@@ -0,0 +1,229 @@ +/*- + * Copyright (c) 2005 Doug Rabson + * Copyright (c) 2018 Kungliga Tekniska Högskolan + * Copyright (c) 2018 AuriStor, Inc. + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD: src/lib/libgssapi/gss_add_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $ + */ + +#include "mech_locl.h" + +OM_uint32 +_gss_mg_add_mech_cred(OM_uint32 *minor_status, + gssapi_mech_interface m, + const struct _gss_mechanism_cred *mc, + const struct _gss_mechanism_name *mn, + gss_cred_usage_t cred_usage, + OM_uint32 initiator_time_req, + OM_uint32 acceptor_time_req, + gss_const_key_value_set_t cred_store, + struct _gss_mechanism_cred **out, + OM_uint32 *initiator_time_rec, + OM_uint32 *acceptor_time_rec) +{ + OM_uint32 major_status; + struct _gss_mechanism_cred *new_mc = NULL; + + if (out) { + *out = NULL; + + new_mc = calloc(1, sizeof(struct _gss_mechanism_cred)); + if (new_mc == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + + new_mc->gmc_mech = m; + new_mc->gmc_mech_oid = &m->gm_mech_oid; + } + + if (m->gm_add_cred_from) { + major_status = m->gm_add_cred_from(minor_status, + mc ? mc->gmc_cred : GSS_C_NO_CREDENTIAL, + mn ? mn->gmn_name : GSS_C_NO_NAME, + &m->gm_mech_oid, + cred_usage, + initiator_time_req, + acceptor_time_req, + cred_store, + new_mc ? &new_mc->gmc_cred : NULL, + NULL, + initiator_time_rec, + acceptor_time_rec); + } else if (cred_store == GSS_C_NO_CRED_STORE && m->gm_add_cred) { + major_status = m->gm_add_cred(minor_status, + mc ? mc->gmc_cred : GSS_C_NO_CREDENTIAL, + mn ? mn->gmn_name : GSS_C_NO_NAME, + &m->gm_mech_oid, + cred_usage, + initiator_time_req, + acceptor_time_req, + new_mc ? 
&new_mc->gmc_cred : NULL, + NULL, + initiator_time_rec, + acceptor_time_rec); + } else + major_status = GSS_S_UNAVAILABLE; + + if (major_status == GSS_S_COMPLETE && out) + *out = new_mc; + else + free(new_mc); + + return major_status; +} + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_add_cred_from(OM_uint32 *minor_status, + gss_cred_id_t input_cred_handle, + gss_const_name_t desired_name, + const gss_OID desired_mech, + gss_cred_usage_t cred_usage, + OM_uint32 initiator_time_req, + OM_uint32 acceptor_time_req, + gss_const_key_value_set_t cred_store, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *initiator_time_rec, + OM_uint32 *acceptor_time_rec) +{ + OM_uint32 major_status; + gssapi_mech_interface m; + gss_cred_id_t release_cred = GSS_C_NO_CREDENTIAL; + struct _gss_cred *mut_cred; + struct _gss_mechanism_cred *mc; + struct _gss_mechanism_cred *new_mc = NULL; + struct _gss_mechanism_name *mn = NULL; + OM_uint32 junk; + + *minor_status = 0; + + /* Input validation */ + if (output_cred_handle) + *output_cred_handle = GSS_C_NO_CREDENTIAL; + if (initiator_time_rec) + *initiator_time_rec = 0; + if (acceptor_time_rec) + *acceptor_time_rec = 0; + if (actual_mechs) + *actual_mechs = GSS_C_NO_OID_SET; + if ((m = __gss_get_mechanism(desired_mech)) == NULL) + return GSS_S_BAD_MECH; + if (input_cred_handle == GSS_C_NO_CREDENTIAL && + output_cred_handle == NULL) { + return GSS_S_CALL_INACCESSIBLE_WRITE; + } + + /* Setup mut_cred to be the credential we mutate */ + if (input_cred_handle != GSS_C_NO_CREDENTIAL && + output_cred_handle != NULL) { + gss_cred_id_t new_cred; + + /* Duplicate the input credential */ + major_status = gss_duplicate_cred(minor_status, input_cred_handle, + &new_cred); + if (major_status != GSS_S_COMPLETE) + return major_status; + mut_cred = (struct _gss_cred *)new_cred; + release_cred = (gss_cred_id_t)mut_cred; + } else if (input_cred_handle != GSS_C_NO_CREDENTIAL) { + /* Mutate the input credentials */ + mut_cred = 
rk_UNCONST(input_cred_handle); + } else { + if ((mut_cred = calloc(1, sizeof(*mut_cred))) == NULL) { + *minor_status = ENOMEM; + return GSS_S_UNAVAILABLE; + } + HEIM_SLIST_INIT(&mut_cred->gc_mc); + release_cred = (gss_cred_id_t)mut_cred; + } + + /* Find an MN, if any */ + if (desired_name) { + major_status = _gss_find_mn(minor_status, + (struct _gss_name *)desired_name, + desired_mech, &mn); + if (major_status != GSS_S_COMPLETE) + goto done; + } + + /* + * We go through all the mc attached to the input_cred_handle and check the + * mechanism. If it matches, we call gss_add_cred for that mechanism, + * otherwise we just add a new mc. + */ + HEIM_SLIST_FOREACH(mc, &mut_cred->gc_mc, gmc_link) { + if (!gss_oid_equal(mc->gmc_mech_oid, desired_mech)) + continue; + major_status = _gss_mg_add_mech_cred(minor_status, m, + mc, mn, cred_usage, + initiator_time_req, acceptor_time_req, + cred_store, NULL, + initiator_time_rec, acceptor_time_rec); + if (major_status != GSS_S_COMPLETE) + _gss_mg_error(m, major_status, *minor_status); + goto done; + } + + new_mc = calloc(1, sizeof(struct _gss_mechanism_cred)); + if (new_mc == NULL) { + *minor_status = ENOMEM; + major_status = GSS_S_FAILURE; + goto done; + } + new_mc->gmc_mech = m; + new_mc->gmc_mech_oid = &m->gm_mech_oid; + + major_status = _gss_mg_add_mech_cred(minor_status, m, NULL, mn, cred_usage, + initiator_time_req, acceptor_time_req, + cred_store, &new_mc, + initiator_time_rec, acceptor_time_rec); + if (major_status != GSS_S_COMPLETE) { + _gss_mg_error(m, major_status, *minor_status); + goto done; + } + HEIM_SLIST_INSERT_HEAD(&mut_cred->gc_mc, new_mc, gmc_link); + new_mc = NULL; + +done: + /* Lastly, we have to inquire the cred to get the actual_mechs */ + if (major_status == GSS_S_COMPLETE && actual_mechs != NULL) { + major_status = gss_inquire_cred(minor_status, + (gss_const_cred_id_t)mut_cred, NULL, + NULL, NULL, actual_mechs); + if (major_status != GSS_S_COMPLETE) + _gss_mg_error(m, major_status, *minor_status); + } + 
if (major_status == GSS_S_COMPLETE) { + if (output_cred_handle != NULL) + *output_cred_handle = (gss_cred_id_t)mut_cred; + } else { + gss_release_cred(&junk, &release_cred); + } + free(new_mc); + return major_status; +} + diff --git a/lib/gssapi/mech/gss_add_cred_with_password.c b/lib/gssapi/mech/gss_add_cred_with_password.c index b20f64f77..eeb59497f 100644 --- a/lib/gssapi/mech/gss_add_cred_with_password.c +++ b/lib/gssapi/mech/gss_add_cred_with_password.c 
@@ -42,109 +42,47 @@ gss_add_cred_with_password(OM_uint32 *minor_status, OM_uint32 *initiator_time_rec, OM_uint32 *acceptor_time_rec) { - OM_uint32 major_status; - gssapi_mech_interface m; - struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle; - struct _gss_cred *new_cred; - struct _gss_mechanism_cred *mc; - struct _gss_mechanism_name *mn = NULL; - OM_uint32 junk, time_req; + OM_uint32 major_status; + gss_key_value_element_desc kv; + gss_key_value_set_desc store; + char *spassword = NULL; - *minor_status = 0; - *output_cred_handle = GSS_C_NO_CREDENTIAL; - if (initiator_time_rec) - *initiator_time_rec = 0; - if (acceptor_time_rec) - *acceptor_time_rec = 0; - if (actual_mechs) - *actual_mechs = GSS_C_NO_OID_SET; + *output_cred_handle = GSS_C_NO_CREDENTIAL; - m = __gss_get_mechanism(desired_mech); - if (m == NULL) { - *minor_status = 0; - return (GSS_S_BAD_MECH); - } + if (password == GSS_C_NO_BUFFER || password->value == NULL) + return GSS_S_CALL_INACCESSIBLE_READ; - new_cred = calloc(1, sizeof(struct _gss_cred)); - if (new_cred == NULL) { - *minor_status = ENOMEM; - return (GSS_S_FAILURE); - } - HEIM_SLIST_INIT(&new_cred->gc_mc); + spassword = malloc(password->length + 1); + if (spassword == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + memcpy(spassword, password->value, password->length); + spassword[password->length] = '\0'; - /* - * Copy credentials from un-desired mechanisms to the new credential. 
- */ - if (cred) { - HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { - struct _gss_mechanism_cred *copy_mc; + kv.key = "password"; + kv.value = spassword; - if (gss_oid_equal(mc->gmc_mech_oid, desired_mech)) { - continue; - } - copy_mc = _gss_copy_cred(mc); - if (copy_mc == NULL) { - gss_release_cred(&junk, (gss_cred_id_t *)&new_cred); - *minor_status = ENOMEM; - return (GSS_S_FAILURE); - } - HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, copy_mc, gmc_link); - } - } + store.count = 1; + store.elements = &kv; - /* - * Figure out a suitable mn, if any. - */ - if (desired_name != GSS_C_NO_NAME) { - major_status = _gss_find_mn(minor_status, - (struct _gss_name *) desired_name, - desired_mech, - &mn); - if (major_status != GSS_S_COMPLETE) { - gss_release_cred(&junk, (gss_cred_id_t *)&new_cred); - return (major_status); - } - } + major_status = gss_add_cred_from(minor_status, + rk_UNCONST(input_cred_handle), + desired_name, + desired_mech, + cred_usage, + initiator_time_req, + acceptor_time_req, + &store, + output_cred_handle, + actual_mechs, + initiator_time_rec, + acceptor_time_rec); - if (cred_usage == GSS_C_BOTH) - time_req = initiator_time_req > acceptor_time_req ? 
acceptor_time_req : initiator_time_req; - else if (cred_usage == GSS_C_INITIATE) - time_req = initiator_time_req; - else - time_req = acceptor_time_req; + if (spassword) { + memset_s(spassword, password->length, 0, password->length); + free(spassword); + } - major_status = _gss_acquire_mech_cred(minor_status, m, mn, - GSS_C_CRED_PASSWORD, password, - time_req, desired_mech, - cred_usage, &mc); - if (major_status != GSS_S_COMPLETE) { - gss_release_cred(&junk, (gss_cred_id_t *)&new_cred); - return (major_status); - } - - HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link); - - if (actual_mechs || initiator_time_rec || acceptor_time_rec) { - OM_uint32 time_rec; - - major_status = gss_inquire_cred(minor_status, - (gss_cred_id_t)new_cred, - NULL, - &time_rec, - NULL, - actual_mechs); - if (GSS_ERROR(major_status)) { - gss_release_cred(&junk, (gss_cred_id_t *)&new_cred); - return (major_status); - } - if (initiator_time_rec && - (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH)) - *initiator_time_rec = time_rec; - if (acceptor_time_rec && - (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH)) - *acceptor_time_rec = time_rec; - } - - *output_cred_handle = (gss_cred_id_t) new_cred; - return (GSS_S_COMPLETE); + return major_status; } diff --git a/lib/gssapi/mech/gss_cred.c b/lib/gssapi/mech/gss_cred.c index cc7d2ccaa..e16829c0f 100644 --- a/lib/gssapi/mech/gss_cred.c +++ b/lib/gssapi/mech/gss_cred.c @@ -223,3 +223,4 @@ gss_import_cred(OM_uint32 * minor_status, return major; } + diff --git a/lib/gssapi/mech/gss_duplicate_cred.c b/lib/gssapi/mech/gss_duplicate_cred.c index 6e2672a24..b780d1759 100644 --- a/lib/gssapi/mech/gss_duplicate_cred.c +++ b/lib/gssapi/mech/gss_duplicate_cred.c 
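Review bot: A password buffer with an embedded NUL byte is silently truncated when it is turned into the string-valued "password" cred-store element (`memcpy` + `spassword[password->length] = '\0'`), so the mechanism would authenticate with a shorter secret than the caller supplied; reject such input before allocating, e.g. `if (memchr(password->value, '\0', password->length) != NULL) return GSS_S_CALL_INACCESSIBLE_READ;`. The `if (spassword)` guard around the `memset_s`/`free` is always true at that point, since the NULL case already returned, and can be dropped. `*output_cred_handle = GSS_C_NO_CREDENTIAL;` is also executed before any argument is checked, whereas gss_add_cred_from in this same change tests the pointer first; the two entry points should agree. The parameter list of gss_add_cred_with_password is outside the hunk.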
@@ -31,24 +31,58 @@ #include "mech_locl.h" static OM_uint32 -_gss_copy_cred_element(OM_uint32 *minor_status, - struct _gss_mechanism_cred *mc, - struct _gss_mechanism_cred **out) +copy_cred_element(OM_uint32 *minor_status, + struct _gss_mechanism_cred *mc, + struct _gss_mechanism_cred **out) { gssapi_mech_interface m = mc->gmc_mech; - OM_uint32 major_status; - gss_name_t name; - gss_cred_id_t cred; + OM_uint32 major_status, tmp; + struct _gss_mechanism_name mn; + struct _gss_mechanism_cred *new_mc; OM_uint32 initiator_lifetime, acceptor_lifetime; gss_cred_usage_t cred_usage; + gss_cred_id_t dup_cred = GSS_C_NO_CREDENTIAL; - if (m->gm_duplicate_cred) - return m->gm_duplicate_cred(minor_status, (gss_const_cred_id_t)mc, - (gss_cred_id_t *)out); + if (m->gm_duplicate_cred) { + major_status = m->gm_duplicate_cred(minor_status, + mc->gmc_cred, &dup_cred); + } else if (m->gm_import_cred && m->gm_export_cred) { + gss_buffer_desc export; - /* This path won't work for ephemeral creds */ + major_status = m->gm_export_cred(minor_status, mc->gmc_cred, &export); + if (major_status == GSS_S_COMPLETE) { + major_status = m->gm_import_cred(minor_status, &export, &dup_cred); + gss_release_buffer(&tmp, &export); + } + } else + major_status = GSS_S_UNAVAILABLE; + + if (major_status != GSS_S_UNAVAILABLE) { + if (dup_cred != GSS_C_NO_CREDENTIAL) { + new_mc = calloc(1, sizeof(*new_mc)); + if (new_mc == NULL) { + *minor_status = ENOMEM; + m->gm_release_cred(&tmp, &dup_cred); + return GSS_S_FAILURE; + } + + new_mc->gmc_mech = m; + new_mc->gmc_mech_oid = mc->gmc_mech_oid; + new_mc->gmc_cred = dup_cred; + + *out = new_mc; + } + + return major_status; + } + + mn.gmn_mech = m; + mn.gmn_mech_oid = mc->gmc_mech_oid; + mn.gmn_name = GSS_C_NO_NAME; + + /* This path won't work for ephemeral creds or cred stores */ major_status = m->gm_inquire_cred_by_mech(minor_status, mc->gmc_cred, - mc->gmc_mech_oid, &name, + mc->gmc_mech_oid, &mn.gmn_name, &initiator_lifetime, &acceptor_lifetime, &cred_usage); if 
(major_status) { @@ -56,27 +90,25 @@ _gss_copy_cred_element(OM_uint32 *minor_status, return major_status; } - major_status = m->gm_add_cred(minor_status, - GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid, - cred_usage, initiator_lifetime, acceptor_lifetime, - &cred, 0, 0, 0); - m->gm_release_name(minor_status, &name); - - if (major_status) { + major_status = _gss_mg_add_mech_cred(minor_status, + m, + NULL, /* mc */ + &mn, + cred_usage, + initiator_lifetime, + acceptor_lifetime, + GSS_C_NO_CRED_STORE, + &new_mc, + NULL, + NULL); + if (major_status) _gss_mg_error(m, major_status, *minor_status); - return major_status; - } - *out = malloc(sizeof(struct _gss_mechanism_cred)); - if (!*out) { - *minor_status = ENOMEM; - m->gm_release_cred(minor_status, &cred); - return GSS_S_FAILURE; - } - (*out)->gmc_mech = m; - (*out)->gmc_mech_oid = &m->gm_mech_oid; - (*out)->gmc_cred = cred; - return GSS_S_COMPLETE; + m->gm_release_name(&tmp, &mn.gmn_name); + + *out = new_mc; + + return major_status; } GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL @@ -111,7 +143,7 @@ gss_duplicate_cred(OM_uint32 *minor_status, major_status = GSS_S_NO_CRED; HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { - major_status = _gss_copy_cred_element(minor_status, mc, ©_mc); + major_status = copy_cred_element(minor_status, mc, ©_mc); if (major_status != GSS_S_COMPLETE) { _gss_mg_error(mc->gmc_mech, major_status, *minor_status); break; diff --git a/lib/gssapi/mech/gss_mech_switch.c b/lib/gssapi/mech/gss_mech_switch.c index 60c71e14b..99768b7b0 100644 --- a/lib/gssapi/mech/gss_mech_switch.c +++ b/lib/gssapi/mech/gss_mech_switch.c @@ -386,8 +386,8 @@ _gss_load_mech(void) OPTSYM(store_cred); OPTSYM(export_cred); OPTSYM(import_cred); + OPTSYM(acquire_cred_from); #if 0 - OPTSYM(acquire_cred_ext); OPTSYM(iter_creds); OPTSYM(destroy_cred); OPTSYM(cred_hold); 
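Review bot: `*out` is never initialised in copy_cred_element, so a mechanism whose gm_duplicate_cred (or export/import pair) returns GSS_S_COMPLETE while leaving `dup_cred` as GSS_C_NO_CREDENTIAL makes the function return success without writing the caller's copy_mc; if the loop in gss_duplicate_cred then links copy_mc into the new credential (that part is outside this hunk) it inserts a stale or uninitialised pointer. Set `*out = NULL;` at the top of the function and decide the complete-but-empty case explicitly inside the `!= GSS_S_UNAVAILABLE` branch rather than leaving it to the caller. In the export/import path the exported token is released with `gss_release_buffer(&tmp, &export)` without being cleared; for mechanisms whose exported credential carries key material, wiping it first (as gss_add_cred_with_password does with memset_s elsewhere in this change) would be prudent.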
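Review bot: A failure from `_gss_mg_add_mech_cred` is recorded with `_gss_mg_error` here and then recorded again by the loop in gss_duplicate_cred, which calls `_gss_mg_error(mc->gmc_mech, ...)` for every non-complete status from copy_cred_element; the duplicate/export branch of this same function relies on the caller alone. Dropping the `if (major_status) _gss_mg_error(m, major_status, *minor_status);` here keeps error recording in one place and makes the two paths consistent. The head of copy_cred_element is outside this hunk.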
@@ -403,6 +403,8 @@ _gss_load_mech(void) OPTSYM(export_name_composite); OPTSYM(localname); OPTSYM(duplicate_cred); + OPTSYM(add_cred_from); + OPTSYM(store_cred_into); OPTSPISYM(authorize_localname); mi = (_gss_mo_init *)dlsym(so, "gss_mo_init"); diff --git a/lib/gssapi/mech/gss_oid.c b/lib/gssapi/mech/gss_oid.c index c6583bf22..f2e1562e4 100644 --- a/lib/gssapi/mech/gss_oid.c +++ b/lib/gssapi/mech/gss_oid.c @@ -103,12 +103,6 @@ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST /* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") }; -/* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x81\x48") }; - -/* GSS_C_CRED_CERTIFICATE - 1.2.752.43.13.201 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x81\x49") }; - /* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; @@ -299,8 +293,6 @@ gss_OID _gss_ot_internal[] = { &__gss_c_ma_sasl_mech_name_oid_desc, &__gss_c_ma_mech_name_oid_desc, &__gss_c_ma_mech_description_oid_desc, - &__gss_c_cred_password_oid_desc, - &__gss_c_cred_certificate_oid_desc, &__gss_sasl_digest_md5_mechanism_oid_desc, &__gss_netlogon_mechanism_oid_desc, &__gss_netlogon_set_session_key_x_oid_desc, diff --git a/lib/gssapi/mech/gss_store_cred.c b/lib/gssapi/mech/gss_store_cred.c index a92611570..54494edf7 100644 --- a/lib/gssapi/mech/gss_store_cred.c +++ b/lib/gssapi/mech/gss_store_cred.c 
@@ -43,58 +43,14 @@ gss_store_cred(OM_uint32 *minor_status,
 gss_OID_set *elements_stored,
 gss_cred_usage_t *cred_usage_stored)
 {
- struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
- struct _gss_mechanism_cred *mc;
- OM_uint32 maj = GSS_S_FAILURE;
- OM_uint32 junk;
- size_t successes = 0;
-
- if (minor_status == NULL)
- return GSS_S_FAILURE;
- if (elements_stored)
- *elements_stored = NULL;
- if (cred_usage_stored)
- *cred_usage_stored = 0;
-
- if (cred == NULL)
- return GSS_S_NO_CONTEXT;
-
- if (elements_stored) {
- maj = gss_create_empty_oid_set(minor_status, elements_stored);
- if (maj != GSS_S_COMPLETE)
- return maj;
- }
-
- HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
- gssapi_mech_interface m = mc->gmc_mech;
-
- if (m == NULL || m->gm_store_cred == NULL)
- continue;
-
- if (desired_mech != GSS_C_NO_OID &&
- !gss_oid_equal(&m->gm_mech_oid, desired_mech))
- continue;
-
- maj = (m->gm_store_cred)(minor_status, mc->gmc_cred,
- cred_usage, desired_mech, overwrite_cred,
- default_cred, NULL, cred_usage_stored);
- if (maj == GSS_S_COMPLETE) {
- if (elements_stored)
- gss_add_oid_set_member(&junk, desired_mech, elements_stored);
- successes++;
- } else if (desired_mech != GSS_C_NO_OID) {
- gss_release_oid_set(&junk, elements_stored);
- return maj;
- }
-
- }
-
- if (successes == 0) {
- if (maj != GSS_S_COMPLETE)
- return maj; /* last failure */
- return GSS_S_FAILURE;
- }
-
- *minor_status = 0;
- return GSS_S_COMPLETE;
+ return gss_store_cred_into(minor_status,
+ input_cred_handle,
+ cred_usage,
+ desired_mech,
+ overwrite_cred,
+ default_cred,
+ GSS_C_NO_CRED_STORE,
+ elements_stored,
+ cred_usage_stored);
 }
+
diff --git a/lib/gssapi/mech/gss_store_cred_into.c b/lib/gssapi/mech/gss_store_cred_into.c
new file mode 100644
index 000000000..0884fa060
--- /dev/null
+++ b/lib/gssapi/mech/gss_store_cred_into.c
@@ -0,0 +1,130 @@ +/* + * Copyright (c) 2009 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include "mech_locl.h" + +static OM_uint32 +store_mech_cred(OM_uint32 *minor_status, + gssapi_mech_interface m, + const struct _gss_mechanism_cred *mc, + gss_cred_usage_t input_usage, + OM_uint32 overwrite_cred, + OM_uint32 default_cred, + gss_const_key_value_set_t cred_store, + gss_cred_usage_t *usage_stored) +{ + OM_uint32 major_status; + + if (m->gm_store_cred_into) + major_status = m->gm_store_cred_into(minor_status, mc->gmc_cred, + input_usage, &m->gm_mech_oid, + overwrite_cred, default_cred, + cred_store, NULL, usage_stored); + else if (cred_store == GSS_C_NO_CRED_STORE && m->gm_store_cred) + major_status = m->gm_store_cred(minor_status, mc->gmc_cred, + input_usage, &m->gm_mech_oid, + overwrite_cred, default_cred, + NULL, usage_stored); + else + major_status = GSS_S_UNAVAILABLE; + + return major_status; +} + +GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL +gss_store_cred_into(OM_uint32 *minor_status, + gss_const_cred_id_t input_cred_handle, + gss_cred_usage_t input_usage, + const gss_OID desired_mech, + OM_uint32 overwrite_cred, + OM_uint32 default_cred, + gss_const_key_value_set_t cred_store, + gss_OID_set *elements_stored, + gss_cred_usage_t *cred_usage_stored) +{ + struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle; + struct _gss_mechanism_cred *mc; + OM_uint32 maj = GSS_S_FAILURE; + OM_uint32 junk; + size_t successes = 0; + + if (minor_status == NULL) + return GSS_S_FAILURE; + if (elements_stored) + *elements_stored = NULL; + if (cred_usage_stored) + *cred_usage_stored = 0; + + if (cred == NULL) + return GSS_S_NO_CONTEXT; + + if (elements_stored) { + maj = gss_create_empty_oid_set(minor_status, elements_stored); + if (maj != GSS_S_COMPLETE) + return maj; + } + + HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { + gssapi_mech_interface m = mc->gmc_mech; + + if (m == NULL) + continue; + + if (desired_mech != GSS_C_NO_OID && + !gss_oid_equal(&m->gm_mech_oid, desired_mech)) + continue; + + maj = store_mech_cred(minor_status, m, mc, + 
input_usage, overwrite_cred, + default_cred, cred_store, + cred_usage_stored); + if (maj == GSS_S_COMPLETE) { + if (elements_stored) + gss_add_oid_set_member(&junk, desired_mech, elements_stored); + successes++; + } else if (desired_mech != GSS_C_NO_OID) { + gss_release_oid_set(&junk, elements_stored); + return maj; + } + } + + if (successes == 0) { + if (maj != GSS_S_COMPLETE) + return maj; /* last failure */ + return GSS_S_FAILURE; + } + + *minor_status = 0; + return GSS_S_COMPLETE; +} + diff --git a/lib/gssapi/netlogon/external.c b/lib/gssapi/netlogon/external.c index 4b4799dbe..7c0f81b1d 100644 --- a/lib/gssapi/netlogon/external.c +++ b/lib/gssapi/netlogon/external.c @@ -80,7 +80,7 @@ static gssapi_mech_interface_desc netlogon_mech = { NULL, /* gm_store_cred */ NULL, /* gm_export_cred */ NULL, /* gm_import_cred */ - NULL, /* gm_acquire_cred_ext */ + NULL, /* gm_acquire_cred_from */ NULL, /* gm_iter_creds */ NULL, /* gm_destroy_cred */ NULL, /* gm_cred_hold */ @@ -98,6 +98,8 @@ static gssapi_mech_interface_desc netlogon_mech = { NULL, /* gm_delete_name_attribute */ NULL, /* gm_export_name_composite */ NULL, /* gm_duplicate_cred */ + NULL, /* gm_add_cred_from */ + NULL, /* gm_store_cred_into */ NULL /* gm_compat */ }; diff --git a/lib/gssapi/ntlm/acquire_cred.c b/lib/gssapi/ntlm/acquire_cred.c index 9e2cca4ff..f4e571e2e 100644 --- a/lib/gssapi/ntlm/acquire_cred.c +++ b/lib/gssapi/ntlm/acquire_cred.c 
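Review bot: `gss_add_oid_set_member(&junk, desired_mech, elements_stored)` in gss_store_cred_into records the caller's `desired_mech` rather than the mechanism that actually stored the credential, so when desired_mech is GSS_C_NO_OID (store into every mechanism) each success appends a null OID to the set; use `gss_add_oid_set_member(&junk, &m->gm_mech_oid, elements_stored);`. A NULL input credential returns GSS_S_NO_CONTEXT where GSS_S_NO_CRED is the status the API defines for a missing credential. Both are carried over from the old gss_store_cred body, but this file is new and is now the only implementation, so this is the place to fix them. On the desired_mech failure path `gss_release_oid_set(&junk, elements_stored)` is also reached with elements_stored == NULL; confirm it tolerates a null set pointer.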
@@ -34,14 +34,15 @@ #include "ntlm.h" OM_uint32 GSSAPI_CALLCONV -_gss_ntlm_acquire_cred(OM_uint32 *min_stat, - gss_const_name_t desired_name, - OM_uint32 time_req, - const gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t *output_cred_handle, - gss_OID_set *actual_mechs, - OM_uint32 *time_rec) +_gss_ntlm_acquire_cred_from(OM_uint32 *min_stat, + gss_const_name_t desired_name, + OM_uint32 time_req, + const gss_OID_set desired_mechs, + gss_cred_usage_t cred_usage, + gss_const_key_value_set_t cred_store, + gss_cred_id_t *output_cred_handle, + gss_OID_set *actual_mechs, + OM_uint32 *time_rec) { ntlm_name name = (ntlm_name) desired_name; const char *domain = NULL; diff --git a/lib/gssapi/ntlm/duplicate_cred.c b/lib/gssapi/ntlm/duplicate_cred.c index e0263a393..d05f9fad8 100644 --- a/lib/gssapi/ntlm/duplicate_cred.c +++ b/lib/gssapi/ntlm/duplicate_cred.c @@ -43,10 +43,10 @@ _gss_ntlm_duplicate_cred(OM_uint32 *minor_status, OM_uint32 junk; if (input_cred_handle == GSS_C_NO_CREDENTIAL) - return _gss_ntlm_acquire_cred(minor_status, GSS_C_NO_NAME, - GSS_C_INDEFINITE, GSS_C_NO_OID_SET, - GSS_C_BOTH, output_cred_handle, NULL, - NULL); + return _gss_ntlm_acquire_cred_from(minor_status, GSS_C_NO_NAME, + GSS_C_INDEFINITE, GSS_C_NO_OID_SET, + GSS_C_BOTH, GSS_C_NO_CRED_STORE, + output_cred_handle, NULL, NULL); *output_cred_handle = GSS_C_NO_CREDENTIAL; diff --git a/lib/gssapi/ntlm/external.c b/lib/gssapi/ntlm/external.c index f438ad1f4..4d133cfd7 100644 --- a/lib/gssapi/ntlm/external.c +++ b/lib/gssapi/ntlm/external.c @@ -65,7 +65,7 @@ static gssapi_mech_interface_desc ntlm_mech = { "ntlm", {10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") }, 0, - _gss_ntlm_acquire_cred, + NULL, _gss_ntlm_release_cred, _gss_ntlm_init_sec_context, _gss_ntlm_accept_sec_context, @@ -105,7 +105,7 @@ static gssapi_mech_interface_desc ntlm_mech = { NULL, NULL, NULL, - NULL, + _gss_ntlm_acquire_cred_from, _gss_ntlm_iter_creds_f, _gss_ntlm_destroy_cred, NULL, 
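Review bot: The new `cred_store` parameter of _gss_ntlm_acquire_cred_from is not consulted anywhere in the visible part of the function, and its body continues past the hunk; if the rest of the function ignores it as well, an application that passes a non-empty store expecting credentials from that location silently gets NTLM's default credentials instead. Unless the body already handles it, reject unsupported stores up front, e.g. `if (cred_store != GSS_C_NO_CRED_STORE && cred_store->count != 0) return GSS_S_UNAVAILABLE;`, or document which keys NTLM accepts.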
@@ -123,6 +123,8 @@ static gssapi_mech_interface_desc ntlm_mech = { NULL, /* gm_delete_name_attribute */ NULL, /* gm_export_name_composite */ NULL, /* gm_duplicate_cred */ + NULL, /* gm_add_cred_from */ + NULL, /* gm_store_cred_into */ NULL, /* gm_compat */ }; diff --git a/lib/gssapi/oid.txt b/lib/gssapi/oid.txt index cd6c2fa04..263202759 100644 --- a/lib/gssapi/oid.txt +++ b/lib/gssapi/oid.txt @@ -1,7 +1,7 @@ # /* contact Love Hörnquist Ã…strand for new oid arcs */ # /* -# * 1.2.752.43.13 Heimdal GSS-API Extentions +# * 1.2.752.43.13 Heimdal GSS-API Extensions # */ oid base GSS_KRB5_COPY_CCACHE_X 1.2.752.43.13.1 @@ -41,10 +41,6 @@ oid base GSS_C_MA_SASL_MECH_NAME 1.2.752.43.13.100 oid base GSS_C_MA_MECH_NAME 1.2.752.43.13.101 oid base GSS_C_MA_MECH_DESCRIPTION 1.2.752.43.13.102 -# /* credential types */ -oid base GSS_C_CRED_PASSWORD 1.2.752.43.13.200 -oid base GSS_C_CRED_CERTIFICATE 1.2.752.43.13.201 - #/* Heimdal mechanisms - 1.2.752.43.14 */ oid base GSS_SASL_DIGEST_MD5_MECHANISM 1.2.752.43.14.1 diff --git a/lib/gssapi/spnego/cred_stubs.c b/lib/gssapi/spnego/cred_stubs.c index 6f7feccf8..545b3e8b8 100644 --- a/lib/gssapi/spnego/cred_stubs.c +++ b/lib/gssapi/spnego/cred_stubs.c @@ -54,12 +54,13 @@ _gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle) * we support gss_{get,set}_neg_mechs() we will need to expose * more functionality. */ -OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred +OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred_from (OM_uint32 *minor_status, gss_const_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, + gss_const_key_value_set_t cred_store, gss_cred_id_t * output_cred_handle, gss_OID_set * actual_mechs, OM_uint32 * time_rec 
@@ -106,16 +107,16 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred } actual_desired_mechs.count = j; - ret = gss_acquire_cred(minor_status, name, - time_req, &actual_desired_mechs, - cred_usage, - output_cred_handle, - actual_mechs, time_rec); + ret = gss_acquire_cred_from(minor_status, name, + time_req, &actual_desired_mechs, + cred_usage, cred_store, + output_cred_handle, + actual_mechs, time_rec); if (ret != GSS_S_COMPLETE) goto out; out: - gss_release_name(minor_status, &name); + gss_release_name(&tmp, &name); gss_release_oid_set(&tmp, &mechs); if (actual_desired_mechs.elements != NULL) { free(actual_desired_mechs.elements); diff --git a/lib/gssapi/spnego/external.c b/lib/gssapi/spnego/external.c index 4bc5030bb..6b818dfe0 100644 --- a/lib/gssapi/spnego/external.c +++ b/lib/gssapi/spnego/external.c @@ -89,7 +89,7 @@ static gssapi_mech_interface_desc spnego_mech = { "spnego", {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") }, 0, - _gss_spnego_acquire_cred, + NULL, /* gm_acquire_cred */ _gss_spnego_release_cred, _gss_spnego_init_sec_context, _gss_spnego_accept_sec_context, @@ -129,7 +129,7 @@ static gssapi_mech_interface_desc spnego_mech = { NULL, _gss_spnego_export_cred, _gss_spnego_import_cred, - NULL, + _gss_spnego_acquire_cred_from, NULL, NULL, NULL, @@ -147,6 +147,8 @@ static gssapi_mech_interface_desc spnego_mech = { NULL, /* gm_delete_name_attribute */ NULL, /* gm_export_name_composite */ NULL, /* gm_duplicate_cred */ + gss_add_cred_from, + NULL, /* gm_store_cred_into */ NULL /* gm_compat */ }; diff --git a/lib/gssapi/test_acquire_cred.c b/lib/gssapi/test_acquire_cred.c index 485d23bdb..0e3c7ee1b 100644 --- a/lib/gssapi/test_acquire_cred.c +++ b/lib/gssapi/test_acquire_cred.c @@ -126,7 +126,8 @@ static gss_cred_id_t acquire_cred_service(const char *service, gss_OID nametype, gss_OID_set oidset, - gss_cred_usage_t usage) + gss_cred_usage_t usage, + gss_const_key_value_set_t cred_store) { OM_uint32 major_status, minor_status; gss_cred_id_t cred_handle; 
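Review bot: Installing the mechglue's own `gss_add_cred_from` in SPNEGO's `gm_add_cred_from` slot looks like it can re-enter itself: `_gss_mg_add_mech_cred` (gss_add_cred_from.c in this same change) invokes the slot with `&m->gm_mech_oid`, i.e. the SPNEGO OID, as desired_mech, and gss_add_cred_from resolves that OID back to the SPNEGO interface and, finding no matching element on the wrapped credential, calls the same slot again with GSS_C_NO_CREDENTIAL. Unless something outside this diff breaks that cycle, adding a credential for the SPNEGO mechanism recurses without bound where it previously returned GSS_S_UNAVAILABLE from a NULL slot. A thin `_gss_spnego_add_cred_from` in cred_stubs.c that forwards to gss_add_cred_from with the wrapped credential and the underlying mechanism, the way `_gss_spnego_acquire_cred_from` translates desired_mechs, would avoid this.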
@@ -146,14 +147,15 @@ acquire_cred_service(const char *service, errx(1, "import_name failed"); } - major_status = gss_acquire_cred(&minor_status, - name, - 0, - oidset, - usage, - &cred_handle, - NULL, - &time_rec); + major_status = gss_acquire_cred_from(&minor_status, + name, + 0, + oidset, + usage, + cred_store, + &cred_handle, + NULL, + &time_rec); if (GSS_ERROR(major_status)) { warnx("acquire_cred failed: %s", gssapi_err(major_status, minor_status, GSS_C_NO_OID)); @@ -180,6 +182,7 @@ static char *acquire_type; static char *target_name; static char *name_type; static char *ccache; +static char *client_keytab; static int num_loops = 1; static struct getargs args[] = { @@ -190,6 +193,7 @@ static struct getargs args[] = { {"kerberos", 0, arg_flag, &kerberos_flag, "enctype-num", NULL }, {"target-name", 0, arg_string, &target_name, "name", NULL }, {"ccache", 0, arg_string, &ccache, "name", NULL }, + {"client-keytab", 0,arg_string, &client_keytab, "name", NULL }, {"name-type", 0, arg_string, &name_type, "type", NULL }, {"version", 0, arg_flag, &version_flag, "print version", NULL }, {"help", 0, arg_flag, &help_flag, NULL, NULL } @@ -213,6 +217,11 @@ main(int argc, char **argv) int i, optidx = 0; gss_cred_usage_t cred_usage = GSS_C_BOTH; gss_OID type = GSS_C_NT_HOSTBASED_SERVICE; + gss_key_value_set_desc store, *storep = GSS_C_NO_CRED_STORE; + gss_key_value_element_desc elements[2]; + + store.count = 0; + store.elements = elements; setprogname(argv[0]); if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) 
@@ -253,11 +262,18 @@ main(int argc, char **argv) } if (ccache) { - maj_stat = gss_krb5_ccache_name(&min_stat, ccache, NULL); - if (GSS_ERROR(maj_stat)) - errx(1, "gss_krb5_ccache_name %s", - gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); + store.elements[store.count].key = "ccache"; + store.elements[store.count].value = ccache; + store.count++; } + if (client_keytab) { + store.elements[store.count].key = "client_keytab"; + store.elements[store.count].value = client_keytab; + store.count++; + } + + if (store.count) + storep = &store; if (kerberos_flag) { mechoid = GSS_KRB5_MECHANISM; @@ -287,7 +303,7 @@ main(int argc, char **argv) for (i = 0; i < num_loops; i++) { - cred = acquire_cred_service(acquire_name, type, oidset, cred_usage); + cred = acquire_cred_service(acquire_name, type, oidset, cred_usage, storep); if (enctype) { int32_t enctypelist = enctype; diff --git a/lib/gssapi/test_add_store_cred.c b/lib/gssapi/test_add_store_cred.c index 981e8fc6e..95ef7440d 100644 --- a/lib/gssapi/test_add_store_cred.c +++ b/lib/gssapi/test_add_store_cred.c @@ -117,8 +117,8 @@ main(int argc, char **argv) gss_cred_id_t from_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t to_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; - char *from_env; - char *to_env; + gss_key_value_element_desc from_elements, to_elements; + gss_key_value_set_desc from, to; int optidx = 0; setprogname(argv[0]); 
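Review bot: `store.elements[store.count]` is written by each option block with no check against the two slots declared as `elements[2]` in the earlier hunk of this file; the bound holds only as long as whoever adds a third option remembers to grow the array. A guard such as `if (store.count >= sizeof(elements) / sizeof(elements[0])) errx(1, "too many cred store elements");` before each append, or a small helper that does the append and the check, makes the limit explicit. The same pattern appears in test_context.c's `client_cred_elements[2]` block.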
@@ -141,22 +141,26 @@ main(int argc, char **argv) if (argc > 2) errx(1, "too many arguments"); - if (asprintf(&from_env, "KRB5CCNAME=%s", argv[0]) == -1 || from_env == NULL) - err(1, "out of memory"); - if (asprintf(&to_env, "KRB5CCNAME=%s", argv[1]) == -1 || to_env == NULL) - err(1, "out of memory"); + from_elements.key = "ccache"; + from_elements.value = argv[0]; + from.count = 1; + from.elements = &from_elements; - putenv(from_env); - major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, - GSS_KRB5_MECHANISM, GSS_C_INITIATE, GSS_C_INDEFINITE, - GSS_C_INDEFINITE, &from_cred, NULL, NULL, NULL); + to_elements.key = "ccache"; + to_elements.value = argv[1]; + to.count = 1; + to.elements = &to_elements; + + major = gss_add_cred_from(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, + GSS_KRB5_MECHANISM, GSS_C_INITIATE, + GSS_C_INDEFINITE, GSS_C_INDEFINITE, + &from, &from_cred, NULL, NULL, NULL); if (major != GSS_S_COMPLETE) gss_err(1, major, minor, GSS_KRB5_MECHANISM, "failed to acquire creds from %s", argv[0]); - putenv(to_env); - major = gss_store_cred(&minor, from_cred, GSS_C_INITIATE, - GSS_KRB5_MECHANISM, 1, 1, NULL, NULL); + major = gss_store_cred_into(&minor, from_cred, GSS_C_INITIATE, + GSS_KRB5_MECHANISM, 1, 1, &to, NULL, NULL); if (major != GSS_S_COMPLETE) gss_err(1, major, minor, GSS_KRB5_MECHANISM, "failed to store creds into %s", argv[1]); @@ -171,9 +175,6 @@ main(int argc, char **argv) gss_err(1, major, minor, GSS_KRB5_MECHANISM, "failed to acquire creds from %s", argv[1]); (void) gss_release_cred(&minor, &cred); - putenv("KRB5CCNAME"); - free(from_env); - free(to_env); return 0; } diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c index ea62f2b6d..7cbe73b8b 100644 --- a/lib/gssapi/test_context.c +++ b/lib/gssapi/test_context.c 
@@ -57,6 +57,8 @@ static int deleg_flag = 0; static int policy_deleg_flag = 0; static int server_no_deleg_flag = 0; static int ei_flag = 0; +static char *client_ccache = NULL; +static char *client_keytab = NULL; static char *gsskrb5_acceptor_identity = NULL; static char *session_enctype_string = NULL; static int client_time_offset = 0; @@ -565,6 +567,8 @@ static struct getargs args[] = { {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag, "use dns to canonicalize", NULL }, {"mutual-auth",0, arg_flag, &mutual_auth_flag,"mutual auth", NULL }, + {"client-ccache",0, arg_string, &client_ccache, "client credentials cache", NULL }, + {"client-keytab",0, arg_string, &client_keytab, "client keytab", NULL }, {"client-name", 0, arg_string, &client_name, "client name", NULL }, {"client-password", 0, arg_string, &client_password, "client password", NULL }, {"limit-enctype",0, arg_string, &limit_enctype_string, "enctype", NULL }, @@ -611,6 +615,8 @@ main(int argc, char **argv) gss_OID_desc oids[4]; gss_OID_set_desc mechoid_descs; gss_OID_set mechoids = GSS_C_NO_OID_SET; + gss_key_value_element_desc client_cred_elements[2]; + gss_key_value_set_desc client_cred_store; setprogname(argv[0]); 
@@ -687,17 +693,39 @@ main(int argc, char **argv) } if (gsskrb5_acceptor_identity) { + /* XXX replace this with cred store, but test suites will need work */ maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity); if (maj_stat) errx(1, "gsskrb5_acceptor_identity: %s", gssapi_err(maj_stat, 0, GSS_C_NO_OID)); } + if (client_password && (client_ccache || client_keytab)) { + errx(1, "password option mutually exclusive with ccache or keytab option"); + } + if (client_password) { credential_data.value = client_password; credential_data.length = strlen(client_password); } + client_cred_store.count = 0; + client_cred_store.elements = client_cred_elements; + + if (client_ccache) { + client_cred_store.elements[client_cred_store.count].key = "ccache"; + client_cred_store.elements[client_cred_store.count].value = client_ccache; + + client_cred_store.count++; + } + + if (client_keytab) { + client_cred_store.elements[client_cred_store.count].key = "client_keytab"; + client_cred_store.elements[client_cred_store.count].value = client_keytab; + + client_cred_store.count++; + } + if (client_name) { gss_buffer_desc cn; @@ -729,14 +757,16 @@ main(int argc, char **argv) gssapi_err(maj_stat, min_stat, mechoid)); } } else { - maj_stat = gss_acquire_cred(&min_stat, - cname, - GSS_C_INDEFINITE, - mechoids, - GSS_C_INITIATE, - &client_cred, - NULL, - NULL); + maj_stat = gss_acquire_cred_from(&min_stat, + cname, + GSS_C_INDEFINITE, + mechoids, + GSS_C_INITIATE, + client_cred_store.count ? &client_cred_store + : GSS_C_NO_CRED_STORE, + &client_cred, + NULL, + NULL); if (GSS_ERROR(maj_stat)) errx(1, "gss_acquire_cred: %s", gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); diff --git a/lib/gssapi/version-script.map b/lib/gssapi/version-script.map index daff44e65..7359db7ee 100644 --- a/lib/gssapi/version-script.map +++ b/lib/gssapi/version-script.map 
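Review bot: The error label still reads `gss_acquire_cred:` although the call in the last hunk is now gss_acquire_cred_from with an optional credential store; when the store names a missing ccache or keytab the message will point readers of the test log at the wrong function. Change it to `errx(1, "gss_acquire_cred_from: %s",`. main continues outside these hunks.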
@@ -12,14 +12,14 @@ HEIMDAL_GSS_2.0 {
 		__gss_c_nt_user_name_oid_desc;
 		__gss_krb5_nt_principal_name_oid_desc;
 		__gss_c_attr_stream_sizes_oid_desc;
-		__gss_c_cred_password_oid_desc;
-		__gss_c_cred_certificate_oid_desc;
 		__gss_c_attr_local_login_user;
 		gss_accept_sec_context;
 		gss_acquire_cred;
+		gss_acquire_cred_from;
 		gss_acquire_cred_with_password;
 		gss_add_buffer_set_member;
 		gss_add_cred;
+		gss_add_cred_from;
 		gss_add_cred_with_password;
 		gss_add_oid_set_member;
 		gss_authorize_localname;
@@ -85,6 +85,7 @@ HEIMDAL_GSS_2.0 {
 		gss_set_sec_context_option;
 		gss_sign;
 		gss_store_cred;
+		gss_store_cred_into;
 		gss_test_oid_set_member;
 		gss_unseal;
 		gss_unwrap;
diff --git a/tests/gss/check-spnego.in b/tests/gss/check-spnego.in
index e2982d4f7..04ae119ad 100644
--- a/tests/gss/check-spnego.in
+++ b/tests/gss/check-spnego.in
@@ -122,12 +122,15 @@ echo "======context building for each mech"
 for mech in ntlm krb5 ; do
 	echo "${mech}"
 	${context} --mech-type=${mech} --ret-mech-type=${mech} \
+	    --client-ccache="${cache}" \
+	    --gsskrb5-acceptor-identity="${keytab}" \
 	    --name-type=hostbased-service host@host.test.h5l.se || \
 	    { exitcode=1 ; echo test failed; }
 done
 
 echo "spnego"
 ${context} \
+    --client-ccache="${cache}" \
     --mech-type=spnego \
     --ret-mech-type=krb5 \
     --name-type=hostbased-service \
@@ -136,10 +139,12 @@ ${context} \
 
 echo "test failure cases"
 ${context} --mech-type=ntlm --ret-mech-type=krb5 \
+    --client-ccache="${cache}" \
     --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
     { exitcode=1 ; echo test failed; }
 
 ${context} --mech-type=krb5 --ret-mech-type=ntlm \
+    --client-ccache="${cache}" \
     --name-type=hostbased-service host@host.test.h5l.se 2> /dev/null && \
     { exitcode=1 ; echo test failed; }
 
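Review bot: Removing `__gss_c_cred_password_oid_desc` and `__gss_c_cred_certificate_oid_desc` from the already-published `HEIMDAL_GSS_2.0` version node drops symbols that previously built binaries may have bound to, so those binaries would fail to load against the new library even though the commit message only describes the gss_acquire_cred_ext() dispatch entry as never public. If the two OID descriptors are considered private it would help to say so in the commit message; otherwise keeping them as deprecated definitions in the same node preserves the ABI while the new gss_*_from entries are added.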
@@ -185,6 +190,16 @@ for arg in \
 	{ exitcode=1 ; echo test failed; }
 	KRB5_KTNAME="${keytab}"
 
+	echo "no explicit krb5 acceptor cred ${arg}"
+	${context} --mech-type=spnego \
+	    $arg \
+	    --gsskrb5-acceptor-identity="${keytab}-no" \
+	    --server-no-delegate \
+	    --name-type=hostbased-service \
+	    --ret-mech-type=krb5 \
+	    host@host.test.h5l.se 2>/dev/null && \
+	    { exitcode=1 ; echo test failed; }
+
 	echo "no krb5 initiator cred ${arg}"
 	KRB5CCNAME="${cache}-no"
 	${context} --mech-type=spnego \
@@ -196,6 +211,16 @@ for arg in \
 	{ exitcode=1 ; echo test failed; }
 	KRB5CCNAME="${cache}"
 
+	echo "no explicit krb5 initiator cred ${arg}"
+	${context} --mech-type=spnego \
+	    $arg \
+	    --client-ccache="${cache}-no" \
+	    --server-no-delegate \
+	    --name-type=hostbased-service \
+	    --ret-mech-type=krb5 \
+	    host@host.test.h5l.se 2>/dev/null && \
+	    { exitcode=1 ; echo test failed; }
+
 done
 
 trap "" EXIT
