OM_uint32 GSSAPI_CALLCONV
_gsskrb5_store_cred(OM_uint32 *minor_status,
gss_cred_id_t input_cred_handle,
gss_cred_usage_t cred_usage,
const gss_OID desired_mech,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
krb5_context context;
krb5_error_code ret;
gsskrb5_cred cred;
krb5_ccache id = NULL;
krb5_ccache def_ccache = NULL;
const char *def_type = NULL;
time_t exp_current;
time_t exp_new;
*minor_status = 0;
if (cred_usage != GSS_C_INITIATE) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
}
if (desired_mech != GSS_C_NO_OID &&
gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0)
return GSS_S_BAD_MECH;
cred = (gsskrb5_cred)input_cred_handle;
if (cred == NULL)
return GSS_S_NO_CRED;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
}
ret = krb5_cc_get_lifetime(context, cred->ccache, &exp_new);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_NO_CRED;
}
if (cred->principal == NULL) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_KG_TGT_MISSING;
return GSS_S_FAILURE;
}
ret = krb5_cc_default(context, &def_ccache);
if (ret == 0) {
def_type = krb5_cc_get_type(context, def_ccache);
krb5_cc_close(context, def_ccache);
}
def_ccache = NULL;
/* write out cred to credential cache */
ret = krb5_cc_cache_match(context, cred->principal, &id);
if (ret) {
if (default_cred) {
ret = krb5_cc_default(context, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_FAILURE;
}
} else {
if (def_type == NULL ||
!krb5_cc_support_switch(context, def_type)) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0; /* XXX */
return GSS_S_NO_CRED; /* XXX */
}
ret = krb5_cc_new_unique(context, def_type, NULL, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return GSS_S_FAILURE;
}
overwrite_cred = 1;
}
}
if (!overwrite_cred) {
/* If current creds are expired or near it, overwrite */
ret = krb5_cc_get_lifetime(context, id, &exp_current);
if (ret != 0 || exp_new > exp_current)
overwrite_cred = 1;
}
if (!overwrite_cred) {
/* Nothing to do */
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_DUPLICATE_ELEMENT;
}
ret = krb5_cc_initialize(context, id, cred->principal);
if (ret == 0)
ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL);
if (ret) {
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return(GSS_S_FAILURE);
}
if (default_cred && def_type != NULL &&
krb5_cc_support_switch(context, def_type))
krb5_cc_switch(context, id);
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_COMPLETE;
}
OM_uint32 GSSAPI_CALLCONV
_gsskrb5_store_cred(OM_uint32 *minor_status,
gss_cred_id_t input_cred_handle,
gss_cred_usage_t cred_usage,
const gss_OID desired_mech,
OM_uint32 overwrite_cred,
OM_uint32 default_cred,
gss_OID_set *elements_stored,
gss_cred_usage_t *cred_usage_stored)
{
krb5_context context;
krb5_error_code ret;
gsskrb5_cred cred;
krb5_ccache id;
int destroy = 0;
*minor_status = 0;
if (cred_usage != GSS_C_INITIATE) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
}
if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0)
return GSS_S_BAD_MECH;
cred = (gsskrb5_cred)input_cred_handle;
if (cred == NULL)
return GSS_S_NO_CRED;
GSSAPI_KRB5_INIT (&context);
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return(GSS_S_FAILURE);
}
if (cred->principal == NULL) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_KG_TGT_MISSING;
return(GSS_S_FAILURE);
}
/* write out cred to credential cache */
ret = krb5_cc_cache_match(context, cred->principal, &id);
if (ret) {
ret = krb5_cc_new_unique(context, NULL, NULL, &id);
if (ret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return(GSS_S_FAILURE);
}
destroy = 1;
}
ret = krb5_cc_initialize(context, id, cred->principal);
if (ret == 0)
ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL);
if (ret) {
if (destroy)
krb5_cc_destroy(context, id);
else
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ret;
return(GSS_S_FAILURE);
}
if (default_cred)
krb5_cc_switch(context, id);
krb5_cc_close(context, id);
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_COMPLETE;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
int optidx = 0;
const char *from_name, *to_name;
krb5_ccache from_ccache, to_ccache;
unsigned int matched;
struct ctx ctx;
setprogname(argv[0]);
memset(&ctx, 0, sizeof(ctx));
if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage(0);
if (version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc < 1 || argc > 2)
usage(1);
if (krb5_init_context(&context))
errx(1, "krb5_init_context failed");
if (service_string) {
ret = krb5_parse_name(context, service_string, &ctx.mcreds.server);
if (ret)
krb5_err(context, 1, ret, "%s", service_string);
}
if (enctype_string) {
krb5_enctype enctype;
ret = krb5_string_to_enctype(context, enctype_string, &enctype);
if (ret)
krb5_err(context, 1, ret, "%s", enctype_string);
ctx.whichfields |= KRB5_TC_MATCH_KEYTYPE;
ctx.mcreds.session.keytype = enctype;
}
if (flags_string) {
parse_ticket_flags(context, flags_string, &ctx.mcreds.flags);
ctx.whichfields |= KRB5_TC_MATCH_FLAGS;
}
if (valid_string) {
time_t t = parse_time(valid_string, "s");
if(t < 0)
errx(1, "unknown time \"%s\"", valid_string);
ctx.mcreds.times.endtime = time(NULL) + t;
ctx.whichfields |= KRB5_TC_MATCH_TIMES;
}
if (fcache_version)
krb5_set_fcache_version(context, fcache_version);
if (argc == 1) {
from_name = krb5_cc_default_name(context);
to_name = argv[0];
} else {
from_name = argv[0];
to_name = argv[1];
}
ret = krb5_cc_resolve(context, from_name, &from_ccache);
if (ret)
krb5_err(context, 1, ret, "%s", from_name);
if (krbtgt_only_flag) {
krb5_principal client;
ret = krb5_cc_get_principal(context, from_ccache, &client);
if (ret)
krb5_err(context, 1, ret, "getting default principal");
ret = krb5_make_principal(context, &ctx.mcreds.server,
krb5_principal_get_realm(context, client),
KRB5_TGS_NAME,
krb5_principal_get_realm(context, client),
NULL);
if (ret)
krb5_err(context, 1, ret, "constructing krbtgt principal");
krb5_free_principal(context, client);
}
ret = krb5_cc_resolve(context, to_name, &to_ccache);
if (ret)
krb5_err(context, 1, ret, "%s", to_name);
ret = krb5_cc_copy_match_f(context, from_ccache, to_ccache,
matchfunc, &ctx, &matched);
if (ret)
krb5_err(context, 1, ret, "copying cred cache");
krb5_cc_close(context, from_ccache);
if(matched == 0)
krb5_cc_destroy(context, to_ccache);
else
krb5_cc_close(context, to_ccache);
krb5_free_context(context);
return matched == 0;
}
