util_cred.c

   1 /*
   2  * Copyright (c) 2010, JANET(UK)
   3  * All rights reserved.
   4  *
   5  * Redistribution and use in source and binary forms, with or without
   6  * modification, are permitted provided that the following conditions
   7  * are met:
   8  *
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  *
  12  * 2. Redistributions in binary form must reproduce the above copyright
  13  *    notice, this list of conditions and the following disclaimer in the
  14  *    documentation and/or other materials provided with the distribution.
  15  *
  16  * 3. Neither the name of JANET(UK) nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  *
  20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
  21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32
  33 #include "gssapiP_eap.h"
  34
  35 OM_uint32
  36 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred)
  37 {
  38     OM_uint32 tmpMinor;
  39     gss_cred_id_t cred;
  40
  41     *pCred = GSS_C_NO_CREDENTIAL;
  42
  43     cred = (gss_cred_id_t)GSSEAP_CALLOC(1, sizeof(*cred));
  44     if (cred == NULL) {
  45         *minor = ENOMEM;
  46         return GSS_S_FAILURE;
  47     }
  48
  49     if (GSSEAP_MUTEX_INIT(&cred->mutex) != 0) {
  50         *minor = errno;
  51         gssEapReleaseCred(&tmpMinor, &cred);
  52         return GSS_S_FAILURE;
  53     }
  54
  55     *pCred = cred;
  56
  57     *minor = 0;
  58     return GSS_S_COMPLETE;
  59 }
  60
  61 OM_uint32
  62 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred)
  63 {
  64     OM_uint32 tmpMinor;
  65     gss_cred_id_t cred = *pCred;
  66     krb5_context krbContext = NULL;
  67
  68     if (cred == GSS_C_NO_CREDENTIAL) {
  69         return GSS_S_COMPLETE;
  70     }
  71
  72     GSSEAP_KRB_INIT(&krbContext);
  73
  74     gssEapReleaseName(&tmpMinor, &cred->name);
  75
  76     if (cred->password.value != NULL) {
  77         memset(cred->password.value, 0, cred->password.length);
  78         GSSEAP_FREE(cred->password.value);
  79     }
  80
  81     if (cred->radiusConfigFile != NULL)
  82         GSSEAP_FREE(cred->radiusConfigFile);
  83     if (cred->radiusConfigStanza != NULL)
  84         GSSEAP_FREE(cred->radiusConfigStanza);
  85
  86 #ifdef GSSEAP_ENABLE_REAUTH
  87     if (cred->krbCredCache != NULL) {
  88         if (cred->flags & CRED_FLAG_DEFAULT_CCACHE)
  89             krb5_cc_close(krbContext, cred->krbCredCache);
  90         else
  91             krb5_cc_destroy(krbContext, cred->krbCredCache);
  92     }
  93     if (cred->krbCred != GSS_C_NO_CREDENTIAL)
  94         gssReleaseCred(&tmpMinor, &cred->krbCred);
  95 #endif
  96
  97     GSSEAP_MUTEX_DESTROY(&cred->mutex);
  98     memset(cred, 0, sizeof(*cred));
  99     GSSEAP_FREE(cred);
 100     *pCred = NULL;
 101
 102     *minor = 0;
 103     return GSS_S_COMPLETE;
 104 }
 105
 106 OM_uint32
 107 gssEapAcquireCred(OM_uint32 *minor,
 108                   const gss_name_t desiredName,
 109                   const gss_buffer_t password,
 110                   OM_uint32 timeReq,
 111                   const gss_OID_set desiredMechs,
 112                   int credUsage,
 113                   gss_cred_id_t *pCred,
 114                   gss_OID_set *pActualMechs,
 115                   OM_uint32 *timeRec)
 116 {
 117     OM_uint32 major, tmpMinor;
 118     gss_cred_id_t cred;
 119
 120     /* XXX TODO validate with changed set_cred_option API */
 121     *pCred = GSS_C_NO_CREDENTIAL;
 122
 123     major = gssEapAllocCred(minor, &cred);
 124     if (GSS_ERROR(major))
 125         goto cleanup;
 126
 127     if (desiredName != GSS_C_NO_NAME) {
 128         GSSEAP_MUTEX_LOCK(&desiredName->mutex);
 129
 130         major = gssEapDuplicateName(minor, desiredName, &cred->name);
 131         if (GSS_ERROR(major)) {
 132             GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
 133             goto cleanup;
 134         }
 135
 136         GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
 137     } else {
 138         if (cred->flags & CRED_FLAG_INITIATE) {
 139             gss_buffer_desc buf;
 140
 141             buf.value = getlogin(); /* XXX */
 142             buf.length = strlen((char *)buf.value);
 143
 144             major = gssEapImportName(minor, &buf,
 145                                      GSS_C_NT_USER_NAME, &cred->name);
 146             if (GSS_ERROR(major))
 147                 goto cleanup;
 148         }
 149
 150         cred->flags |= CRED_FLAG_DEFAULT_IDENTITY;
 151     }
 152
 153     if (password != GSS_C_NO_BUFFER) {
 154         major = duplicateBuffer(minor, password, &cred->password);
 155         if (GSS_ERROR(major))
 156             goto cleanup;
 157
 158         cred->flags |= CRED_FLAG_PASSWORD;
 159     } else if (credUsage == GSS_C_INITIATE) {
 160         /*
 161          * OK, here we need to ask the supplicant if we have creds or it
 162          * will acquire them, so GS2 can know whether to prompt for a
 163          * password or not.
 164          */
 165 #if 0
 166         && !gssEapCanReauthP(cred, GSS_C_NO_NAME, timeReq)
 167 #endif
 168         major = GSS_S_CRED_UNAVAIL;
 169         goto cleanup;
 170     }
 171
 172     switch (credUsage) {
 173     case GSS_C_BOTH:
 174         cred->flags |= CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT;
 175         break;
 176     case GSS_C_INITIATE:
 177         cred->flags |= CRED_FLAG_INITIATE;
 178         break;
 179     case GSS_C_ACCEPT:
 180         cred->flags |= CRED_FLAG_ACCEPT;
 181         break;
 182     default:
 183         *minor = GSSEAP_BAD_USAGE;
 184         major = GSS_S_FAILURE;
 185         goto cleanup;
 186         break;
 187     }
 188
 189     major = gssEapValidateMechs(minor, desiredMechs);
 190     if (GSS_ERROR(major))
 191         goto cleanup;
 192
 193     major = duplicateOidSet(minor, desiredMechs, &cred->mechanisms);
 194     if (GSS_ERROR(major))
 195         goto cleanup;
 196
 197     if (pActualMechs != NULL) {
 198         major = duplicateOidSet(minor, cred->mechanisms, pActualMechs);
 199         if (GSS_ERROR(major))
 200             goto cleanup;
 201     }
 202
 203     if (timeRec != NULL)
 204         *timeRec = GSS_C_INDEFINITE;
 205
 206     *pCred = cred;
 207     major = GSS_S_COMPLETE;
 208
 209 cleanup:
 210     if (GSS_ERROR(major))
 211         gssEapReleaseCred(&tmpMinor, &cred);
 212
 213     return major;
 214 }
 215
 216 /*
 217  * Return TRUE if cred available for mechanism. Caller need no acquire
 218  * lock because mechanisms list is immutable.
 219  */
 220 int
 221 gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech)
 222 {
 223     OM_uint32 minor;
 224     int present = 0;
 225
 226     assert(mech != GSS_C_NO_OID);
 227
 228     if (cred == GSS_C_NO_CREDENTIAL || cred->mechanisms == GSS_C_NO_OID_SET)
 229         return TRUE;
 230
 231     gss_test_oid_set_member(&minor, mech, cred->mechanisms, &present);
 232
 233     return present;
 234 }